Issue #8576: ipasam: derive parent domain for subdomains automatically - freeipa

freeipa

#8576 ipasam: derive parent domain for subdomains automatically

Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.

[MS-ADTS] 6.1.6.7.13 defines 'trustPartner' attribute as containing a FQDN of the trusted domain. In practice, for a subdomain of a forest, it would be FQDN of the subdomain itself in the trusted domain entry in the parent domain. This is reflected as ipaNTTrustPartner attribute in FreeIPA.

Remove ipaNTTrustPartner from the searches that use NetBIOS name. We match cn of that entry already.

Use RDN value of the entry to derive DNS domain name in case ipaNTTrustPartner is missing.

For subdomains, set trust attributes to 0 and trust flags to mark them as being within the forest. This will trigger winbindd to not ask for credentials to reach those domain controllers directly.

Finally, modify trust-fetch-domains to always upload the forest trust info from the trusted domain discovery to local smbd via LSA RSetForestTrustInformation. It will be used then by winbindd to properly establish routing information for each subdomain of the trust.

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1728015

3 years ago

Metadata Update from @abbra:
- Issue assigned to abbra

3 years ago

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.8

3 years ago

rcritten commented 3 years ago

master:

968f8ad ipa-kdb: provide correct logon time in MS-PAC from authentication time
e6f8d8b ipasam: implement PASSDB getgrnam call
7588251 ipasam: allow search of users by user principal name (UPN)
a1e2fe9 ipasam: free trusted domain context on failure
08d7d90 ipasam: derive parent domain for subdomains automatically
214aeb7 ipaserver/dcerpc: store forest topology as a blob in ipasam
9d19c08 ipatests: use fully qualified name for AD admin when establishing trust
9424256 Update ipa_sam.c
ae7cd47 trust-fetch-domains: use custom krb5.conf overlay for all trust operations
54e5ffc use a constant instead of /var/lib/sss/keytabs

rcritten commented 3 years ago

ipa-4-9:

f8bf374 ipa-kdb: provide correct logon time in MS-PAC from authentication time
962052a ipasam: implement PASSDB getgrnam call
2e8eb0f ipasam: allow search of users by user principal name (UPN)
e8f927d ipasam: free trusted domain context on failure
f103172 ipasam: derive parent domain for subdomains automatically
3d706b6 ipaserver/dcerpc: store forest topology as a blob in ipasam
dc16c24 ipatests: use fully qualified name for AD admin when establishing trust
b535924 Update ipa_sam.c
c842d4b trust-fetch-domains: use custom krb5.conf overlay for all trust operations
9f63afb use a constant instead of /var/lib/sss/keytabs

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata

Assignee

abbra

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

FreeIPA 4.8

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1728015

tester

None

changelog

None

design

None

freeipa

Source Code

#8576 ipasam: derive parent domain for subdomains automatically Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.

Metadata

#8576 ipasam: derive parent domain for subdomains automatically

Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.