#8995 Integrate SID configuration into base IPA installers
Closed: fixed 6 months ago by frenaud. Opened 8 months ago by abbra.

Introduction

MS-PAC is a specification that defines how Kerberos KDCs and clients should handle privilege attribute certificate (PAC) data. The PAC record is generated by Active Directory KDCs to allow AD clients to receive the most important details about a Kerberos principal that they would need to make decisions on access control or login details for the user.

Windows systems typically do not allow access to their services when PAC is not present in the Kerberos ticket presented to the server application. There are few cases where a lack of a PAC is considered to be anonymous access.

FreeIPA by default does not issue a PAC in Kerberos tickets. The content of the PAC is built around Active Directory security concepts, which are based on being able to address every resource and object through the use of Security Identifiers (SIDs). Linux environments do not have SIDs associated with each user or group. SIDs are used extensively in the SMB protocol and Active Directory-related activities. At the same time, use of the PAC structure improves caching capabilities and makes it possible to communicate a large set of user-specific details to identity clients more efficiently and securely.

When FreeIPA is configured to establish forest trust to Active Directory, it starts to associate SIDs with IPA users and groups. This information is used by the IPA KDC to create the PAC record in Kerberos tickets for IPA users. When users from trusted AD domains request service tickets to services in the IPA domain, PAC records from their cross-realm tickets are validated and re-issued, including local IPA group membership information and filtering out unwanted SIDs.

In Active Directory a trust between domains requires the presence of a PAC in the cross-realm referral. This can be inferred from MS-KILE section 3.3.5.7.2 "TGT without a PAC", as the cross-realm krbtgt principal does not have the AuthenticationDataNotRequired field set. Since IPA-IPA trust support would be built on top of the existing trust to Active Directory support, trusted IPA domains must have PAC generated and required by both sides.

Requested changes

Currently the configuration to enable the IPA KDC to issue PAC records is only added when ipa-adtrust-install is run. We want to move this part of the configuration to the normal installers (ipa-server-install, ipa-replica-install) and make it possible to issue PACs in an IPA environment by default. This way, when IPA-IPA trust is added, we would be able to rely on the PAC structure in trusted users' tickets, similar to trust to Active Directory.
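The ticket relies on two ideas that are easy to get wrong in practice: every IPA user needs a SID derived from the domain SID plus a RID taken from an ID range with a base RID, and SIDs arriving in a cross-realm PAC have to be filtered against the domains that are actually trusted. The following is an added illustration written for this page, not FreeIPA's sidgen plugin or any code from the linked commits. The domain SID, the ID range values and the `IdRange` class are constructed for the example; the RID arithmetic (base RID plus the offset of the POSIX ID from the range's base ID) is a simplified model of how a range with a base RID maps IDs to RIDs.

```python
"""Build SIDs for POSIX IDs from an ID range with a base RID, parse SID strings,
and keep only SIDs belonging to a set of trusted domains (added example)."""
import re
from dataclasses import dataclass

# Textual SID: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
MAX_SUB_AUTHORITIES = 15


@dataclass(frozen=True)
class IdRange:
    """Hypothetical ID range: a block of POSIX IDs mapped 1:1 onto RIDs."""
    base_id: int    # first POSIX ID covered by the range
    size: int       # number of IDs in the range
    base_rid: int   # RID assigned to base_id; later IDs get base_rid + offset

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def rid_for(self, posix_id: int) -> int:
        if not self.contains(posix_id):
            raise ValueError(f"POSIX ID {posix_id} is outside the range")
        return self.base_rid + (posix_id - self.base_id)


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Return (identifier authority, [sub-authorities]) or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"too many sub-authorities in {sid!r}")
    return authority, subs


def domain_of(sid: str) -> str:
    """Domain prefix of an account SID: everything except the trailing RID."""
    parse_sid(sid)  # validate before slicing
    return sid.rsplit("-", 1)[0]


def user_sid(domain_sid: str, ranges: list[IdRange], posix_id: int) -> str:
    """Compose the SID of a local user or group from its POSIX ID."""
    authority, subs = parse_sid(domain_sid)
    # A domain SID looks like S-1-5-21-A-B-C: NT authority, then 21 + 3 words.
    if authority != 5 or len(subs) != 4 or subs[0] != 21:
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    for r in ranges:
        if r.contains(posix_id):
            return f"{domain_sid}-{r.rid_for(posix_id)}"
    raise LookupError(f"no ID range covers POSIX ID {posix_id}")


def filter_sids(sids: list[str], trusted_domain_sids: list[str]) -> list[str]:
    """Keep only SIDs whose domain part is one of the trusted domains.

    This is the defensive step the ticket refers to as filtering unwanted
    SIDs when a cross-realm PAC is re-issued: well-known SIDs (S-1-5-32-...)
    and SIDs from unknown domains are dropped."""
    allowed = set(trusted_domain_sids)
    return [s for s in sids if domain_of(s) in allowed]


# Constructed sample data for the example (not real deployment values).
DOMAIN_SID = "S-1-5-21-290024825-3219141826-2093154671"
RANGES = [IdRange(base_id=1234000000, size=200000, base_rid=1000)]
TRUSTED_AD_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"


if __name__ == "__main__":
    print(user_sid(DOMAIN_SID, RANGES, 1234000005))
    pac_sids = [f"{TRUSTED_AD_DOMAIN_SID}-1105", "S-1-5-32-544",
                "S-1-5-21-9-9-9-512"]
    print(filter_sids(pac_sids, [DOMAIN_SID, TRUSTED_AD_DOMAIN_SID]))
```

Running the module prints the SID for POSIX ID 1234000005 (RID 1005, since the range's base RID is 1000 and the ID is five past the base) and then a filtered list that keeps only the trusted AD user's SID, dropping the BUILTIN\Administrators SID and the Domain Admins SID of a domain that is not trusted.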


Metadata Update from @abbra:
- Issue assigned to frenaud

8 months ago

master:

  • bacddb8 Design: Integrate SID configuration into base IPA installers

master:

  • f9e95ce SID generation: define SIDInstallInterface
  • 5541b9d Installers: configure sid generation in server/replica installer
  • b054532 adtrust install: define constants for rid bases
  • ed001c9 ipa config: add --enable-sid option
  • 8dc064c ipatests: add test ensuring SIDs are generated for new installs
  • 2d468fa ipatests: interactive install prompts for netbios name
  • fdfde9c ipatests: adapt expected output with SID
  • fd53ed1 User lifecycle: ignore SID when moving from preserved to staged
  • c99b8bb ipatests: backup-reinstall-restore needs to clear sssd cache
  • 02b4241 Webui tests: new idrange now requires base RID
  • bede62b User plugin: do not return the SID on user creation
  • cc8a0bc ipatests: update the expected output of user-add cmd

ipa-4-9:

  • dd07db2 SID generation: define SIDInstallInterface
  • e527857 Installers: configure sid generation in server/replica installer
  • a91e671 adtrust install: define constants for rid bases
  • b98ecab ipa config: add --enable-sid option
  • 5bb56f9 ipatests: add test ensuring SIDs are generated for new installs
  • 31d095e ipatests: interactive install prompts for netbios name
  • efc9df0 ipatests: adapt expected output with SID
  • 86d1683 User lifecycle: ignore SID when moving from preserved to staged
  • c6fd0d0 ipatests: backup-reinstall-restore needs to clear sssd cache
  • 9c7e8c6 Webui tests: new idrange now requires base RID
  • 61f42ae User plugin: do not return the SID on user creation
  • 009a8cd ipatests: update the expected output of user-add cmd

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago

master:

  • 2e7396b ipatests: fix get_user_result method

ipa-4-9:

  • 421e124 ipatests: fix get_user_result method

Metadata Update from @frenaud:
- Custom field changelog adjusted to New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part the the ipa-adtrust-install command.

6 months ago

Metadata Update from @frenaud:
- Custom field changelog adjusted to New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part of the ipa-adtrust-install command. (was: New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part the the ipa-adtrust-install command.)

6 months ago

Metadata Update from @abbra:
- Issue tagged with: rfe

6 months ago
