Improve handling of enterprise principals with multiple AD domains #3029
Assignees
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/1987
In https://bugzilla.redhat.com/show_bug.cgi?id=963818 two issue could be identified when SSSD was configured with two AD domains and enterprise principals were enabled for both domains. In this case there was a trust between both domains which mainly triggers the first issue. If there is no trust between the two AD domains the second issue would block authentication to one of the domains.
The two issues are:
The principal used in the TGS request was used to find a matching keytab entry for validation. Ideally a service principal from the realm of the user is taken for validation. When enterprise principals (or canonization) is used the realm of the principal used in the request and the realm in the returned ticket might differ. The realm from the ticket should be taken instead the one from the request.
When an enterprise principal is created the default realm is required and added to the given principal. As a result the TGS result is send to the KDC of the default realm. Currently the default realm is taken from krb5.conf (if it is not defined there, authentication fails). If there is more than one AD domains configured in SSSD this will in general fail because there is only one default realm which will only work for one of the two domains. the krb5_child should set the default realm explicitly if enterprise principals are used.
Comments
Comment from sbose at 2013-06-17 17:41:58
sorry, #1931 is already tracking the BZ ticket.
resolution: => duplicate
status: new => closed
Comment from sbose at 2017-02-24 14:39:53
Metadata Update from @sbose:
The text was updated successfully, but these errors were encountered: