Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2728
With FreeIPA 4.2, support for KDC proxy was added. This allows proxying requests to KDCs not directly accessible by SSSD clients.
Since use of KDC proxy requires explicit configuration on the client side, and given that for trusted AD domains there is no information about trusted realms until the trust is established, it would be good to add support for dynamically generating the configuration for proxying requests to these KDCs via IPA masters, based on run-time discovery done by SSSD.
SSSD already discovers the list of trusted domains when using the IPA id_provider and writes down a set of krb5.conf configurations. If the IPA master SSSD talks to shows that it has KDC proxy enabled, and the configuration of the IPA master allows proxying to AD DCs, SSSD would then write down realm stanzas for these AD domains by pointing their KDCs to the IPA master's proxy.
This is useful for cases like a DMZ deployment where only IPA masters would have direct access to AD infrastructure.
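The behaviour requested in this ticket, sketched as an added example (not SSSD or FreeIPA code): a hypothetical `render_proxy_realms` helper turns the discovered trusted realms into `[realms]` stanzas that point at the IPA master's KDC proxy. It assumes the FreeIPA default proxy path `/KdcProxy` and client CA file `/etc/ipa/ca.crt`, and it rejects discovered names that could inject extra krb5.conf syntax.

```python
import re

# Assumption: FreeIPA serves its KDC proxy at https://<master>/KdcProxy and
# clients trust the IPA CA at /etc/ipa/ca.crt (FreeIPA defaults).
KDCPROXY_PATH = "/KdcProxy"
IPA_CA = "FILE:/etc/ipa/ca.crt"

# Strict patterns so a discovered name can never inject extra krb5.conf syntax.
REALM_RE = re.compile(r"[A-Z0-9](?:[A-Z0-9.-]{0,253}[A-Z0-9])?")
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]{0,253}[a-z0-9])?")


def render_proxy_realms(ipa_master, trusted_realms, proxy_enabled):
    """Return a krb5.conf [realms] snippet routing trusted AD realms via the IPA KDC proxy.

    Hypothetical helper modelling what the ticket asks SSSD to generate.
    Returns "" when the master does not advertise a KDC proxy, which leaves
    the client's normal KDC discovery untouched.
    """
    if not proxy_enabled:
        return ""
    host = ipa_master.lower()
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"bad IPA master name: {ipa_master!r}")
    url = f"https://{host}{KDCPROXY_PATH}"
    lines = ["[realms]"]
    # De-duplicate and upper-case: AD realm names are upper-case DNS domains.
    for realm in sorted({r.upper() for r in trusted_realms}):
        if not REALM_RE.fullmatch(realm):
            raise ValueError(f"bad realm name: {realm!r}")
        lines += [
            f" {realm} = {{",
            f"  kdc = {url}",
            f"  kpasswd_server = {url}",
            f"  http_anchors = {IPA_CA}",  # pin TLS trust to the IPA CA
            " }",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: one IPA master and two trusted AD realms.
    print(render_proxy_realms("ipa1.ipa.example",
                              ["ad.example", "CHILD.AD.EXAMPLE"], True))
```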
Comments
Comment from cheimes at 2015-07-23 18:49:05
Fields changed
cc: => cheimes@fedoraproject.org
Comment from jhrozek at 2015-07-30 16:25:22
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.14 beta
Comment from jhrozek at 2015-08-18 12:15:37
Fields changed
rhbz: => todo
Comment from jhrozek at 2015-10-08 15:55:05
Looks like we're getting more and more interest in this use-case, bumping.
priority: major => critical
Comment from jhrozek at 2016-02-16 11:45:56
This would be nice-to-have for 1.14, but we have a number of high-priority tickets already.
milestone: SSSD 1.14 beta => SSSD 1.14 backlog
Comment from jhrozek at 2016-12-15 11:00:45
Since the 1.14 branch is transitioning into maintenance mode and new functionality is being developed in master which will become 1.15 eventually, I'm mass-moving tickets from the 1.14 backlog milestone to the "Future releases" milestone.
milestone: SSSD 1.14 backlog => SSSD Future releases (no date set yet)
Comment from abbra at 2017-02-24 14:41:36
Metadata Update from @abbra:
Comment from thalman at 2020-03-13 12:10:39
Metadata Update from @thalman:
Comment from pbrezina at 2020-03-24 14:06:26
Thank you for taking the time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Comment from pbrezina at 2020-03-24 14:06:27
Metadata Update from @pbrezina: