When IPA establishes a trust to another domain (Active Directory or IPA), SSSD consumes POSIX attributes from the remote source when they are available. This is acceptable for most Active Directory deployments, but for an IPA-IPA trust it means POSIX attributes always come through unfiltered, because they always exist on the remote side.
The most important attributes to keep under control are the home directory and the login shell. Imagine admin@trusted.domain has their home directory set to /home/admin, which is already used by the local administrator. Even if the trusted user admin@trusted.domain has no direct control over that directory permission-wise, the login process initially runs as root and thus would have access to /home/admin first. This means the login process, running as root, would read files from the local /home/admin while setting up the login flow for this remote user.
IPA can use ID overrides to provide a mechanism to change these settings by default. SSSD applies ID overrides for trusted users by reading and resolving individual overrides on top of the POSIX attributes stored remotely: [remote DC] -> [Default Trust View] -> [local host ID view] -> [local SSSD override]. We can extend this logic by storing per-domain and global ID overrides that apply to all authenticated users of a trusted domain.
ID overrides for trusted domain users are stored by referencing their SIDs. We can use well-known SIDs to create default ID overrides globally or per domain:
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids describes well-known SIDs.
These two overrides could be added to any ID view (including 'Default Trust View'), making per-view enforcement of home directory and shell properties possible.
A prototype is available in the https://github.com/abbra/freeipa/tree/wip-ipa-ipa-trust branch.
Domain local groups are already filtered out when a Kerberos ticket is processed at the cross-realm boundary, so it is guaranteed that RID 545 will not be present in the Kerberos ticket.
ID overrides in the 'Default Trust View' are also used to map to a DN when SASL GSSAPI is used to authenticate an LDAP connection. However, since a local (or cross-realm) Kerberos ticket cannot be issued in the name of RID 545 from a trusted domain, it is guaranteed that the ID override for RID 545 of the trusted domain will never match.
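As an added illustration (not FreeIPA or SSSD code), the following Python models the layered resolution order described above with the proposed global and per-domain anchors, and checks the resolved home directories against a local passwd file for the /home/admin collision from the opening example. The anchors S-1-5-11 (Authenticated Users) and <trusted domain SID>-545, the %u/%d template syntax in override values, and all sample data are assumptions of this model.

```python
POSIX_KEYS = ("homedirectory", "loginshell")
GLOBAL_ANCHOR = "S-1-5-11"   # assumed: well-known SID of Authenticated Users

def domain_sid(sid):
    """Strip the RID: S-1-5-21-A-B-C-1105 -> S-1-5-21-A-B-C."""
    return sid.rsplit("-", 1)[0]

def matching_anchors(user_sid):
    """Anchors applying to this user, least to most specific (assumed scheme)."""
    return [GLOBAL_ANCHOR, domain_sid(user_sid) + "-545", user_sid]

def expand(value, user):
    """%u -> short name, %d -> trusted domain (template syntax is assumed)."""
    name, domain = user["name"].split("@", 1)
    return value.replace("%u", name).replace("%d", domain)

def resolve(user, views, sssd_override=None):
    """Order from the ticket: remote DC -> Default Trust View -> host view
    -> local SSSD override. Later layers win; inside one view the more
    specific anchor (per-domain, then per-user) wins over the global one."""
    attrs = {k: user["remote_posix"].get(k) for k in POSIX_KEYS}
    for view in views:                      # caller passes views in order
        for anchor in matching_anchors(user["sid"]):
            for key, value in view.get(anchor, {}).items():
                attrs[key] = expand(value, user)
    for key, value in (sssd_override or {}).items():
        attrs[key] = expand(value, user)
    return attrs

def home_collisions(trusted_homes, passwd_text):
    """(trusted user, local user) pairs sharing a home directory: the
    /home/admin case from the ticket, checked on already-resolved attributes."""
    local_by_home = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            local_by_home.setdefault(f[5], f[0])
    return sorted((u, local_by_home[h]) for u, h in trusted_homes.items()
                  if h in local_by_home)

# Constructed sample data: one trusted user, a local passwd file, two views.
ADMIN = {"name": "admin@trusted.domain", "sid": "S-1-5-21-111-222-333-1105",
         "remote_posix": {"homedirectory": "/home/admin", "loginshell": "/bin/bash"}}
PASSWD = "root:x:0:0:root:/root:/bin/bash\nadmin:x:1000:1000::/home/admin:/bin/bash\n"
DEFAULT_TRUST_VIEW = {GLOBAL_ANCHOR: {"homedirectory": "/home/%d/%u",
                                      "loginshell": "/sbin/nologin"}}
HOST_VIEW = {"S-1-5-21-111-222-333-545": {"loginshell": "/bin/bash"}}
```

resolve(ADMIN, []) reproduces the unfiltered case and home_collisions() then reports the clash with the local admin account; adding DEFAULT_TRUST_VIEW to the view list removes it.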