[RFE] Support KDC proxying of trusted domain operations to IPA master

[sssd-bot]

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2728

• Created at 2015-07-23 16:56:43 by abbra
• Closed at 2020-03-24 14:06:27 as wontfix
• Assigned to nobody

---

With FreeIPA 4.2 a support of KDC proxy was added. This allows to proxy requests to KDCs not directly accessible by SSSD clients.

Since use of KDC proxy requires explicit configuration at a client side, and given that for trusted AD domains there is no information about trusted realms until the trust is established, it would be good to add a support of dynamically generating the configuration for proxying requests to these KDCs via IPA masters based on run time discovery done by SSSD.

SSSD already discovers list of trusted domains when using IPA id_provider and writes down a set of krb5.conf configurations. If IPA master SSSD talks to would show it has KDC proxy enabled, and configuration of IPA master allows to proxy to AD DCs, SSSD would then write down realm stanzas for these AD domains by pointing their KDCs to IPA master's proxy.

This is useful for cases like DMZ deployment where only IPA masters would have direct access to AD infrastructure.

Comments

---

Comment from cheimes at 2015-07-23 18:49:05

Fields changed

cc: => cheimes@fedoraproject.org

---

Comment from jhrozek at 2015-07-30 16:25:22

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 beta

---

Comment from jhrozek at 2015-08-18 12:15:37

Fields changed

rhbz: => todo

---

Comment from jhrozek at 2015-10-08 15:55:05

Looks like we're getting more and more interest in this use-case, bumping.

priority: major => critical

---

Comment from jhrozek at 2016-02-16 11:45:56

This would be nice-to-have for 1.14, but we have a number of high-priority tickets already.

milestone: SSSD 1.14 beta => SSSD 1.14 backlog

---

Comment from jhrozek at 2016-12-15 11:00:45

Since the 1.14 branch is transitioning into maintenance mode and new functionality is being developed in master which will become 1.15 eventually, I'm mass-moving tickets from the 1.14 backlog milestone to the "Future releases" milestone.

milestone: SSSD 1.14 backlog => SSSD Future releases (no date set yet)

---

Comment from abbra at 2017-02-24 14:41:36

Metadata Update from @abbra:

• Issue set to the milestone: SSSD Future releases (no date set yet)

---

Comment from thalman at 2020-03-13 12:10:39

Metadata Update from @thalman:

• Custom field design_review reset (from 0)
• Custom field mark reset (from 0)
• Custom field patch reset (from 0)
• Custom field review reset (from 0)
• Custom field sensitive reset (from 0)
• Custom field testsupdated reset (from 0)
• Issue close_status updated to: None
• Issue tagged with: Canditate to close

---

Comment from pbrezina at 2020-03-24 14:06:26

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

---

Comment from pbrezina at 2020-03-24 14:06:27

Metadata Update from @pbrezina:

• Issue close_status updated to: wontfix
• Issue status updated to: Closed (was: Open)