[MS-ADTS] 6.1.6.7.13 defines 'trustPartner' attribute as containing a FQDN of the trusted domain. In practice, for a subdomain of a forest, it would be FQDN of the subdomain itself in the trusted domain entry in the parent domain. This is reflected as ipaNTTrustPartner attribute in FreeIPA.
Remove ipaNTTrustPartner from the searches that use NetBIOS name. We match cn of that entry already.
Use RDN value of the entry to derive DNS domain name in case ipaNTTrustPartner is missing.
For subdomains, set trust attributes to 0 and trust flags to mark them as being within the forest. This will trigger winbindd to not ask for credentials to reach those domain controllers directly.
Finally, modify trust-fetch-domains to always upload the forest trust info from the trusted domain discovery to local smbd via LSA RSetForestTrustInformation. It will be used then by winbindd to properly establish routing information for each subdomain of the trust.
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1728015
Metadata Update from @abbra: - Issue assigned to abbra
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.8
master:
ipa-4-9:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.