Bug 924404

Summary: Allow usage of enterprise principals
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: dpal, grajaiya, jgalipea, pbrezina
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.10.0-10.el7.beta2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 10:14:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 877129

Description Jakub Hrozek 2013-03-21 17:37:54 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1842

This ticket is a sub-task of #364, but since this functionality might be useful for the AD provider even without trust, I thought it is a good idea to track it separately.

Enterprise principals are used in environments with more than one realm but the realms all belong to a large unit which is called enterprise in this context. See section 5 of http://tools.ietf.org/html/rfc6806 for more details.

A typical use case is AD environments with trust, but enterprise principals are also useful in an environment with only a single AD domain when additional UPN suffixes are used. E.g. if there is an AD domain ad.com with an additional UPN suffix extra.dom and a user abc configured with the additional UPN suffix
{{{
kinit abc
}}}
will work, but neither
{{{
kinit abc
}}}
nor
{{{
kinit -C abc
}}}
What is needed is to handle the abc principal as enterprise principal
{{{
kinit -E abc
}}}
To make the last example work AD.COM must be the default realm in /etc/krb5.conf, which would be typical for an AD domain member.

SSSD should get a new boolean option krb5_use_enterprise_principal and the Kerberos child should make sure that the appropriate default realm is used for the AS_REQ. By default the new option should be false, but for the AD provider it should be true.
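As an added illustration (not part of this bug report, of the upstream ticket, or of SSSD's own code), the following Python models the two principal forms the description contrasts: an ordinary principal, where everything after the last "@" is taken to be a realm, and an enterprise principal (RFC 6806, section 5), where the whole UPN is a single name component of type NT-ENTERPRISE and the realm is the client's default realm, so the AS-REQ goes to the default realm's KDC. The realm AD.COM, the UPN suffix extra.dom and the user abc are taken from the description; the function names and the dict layout are this example's own.

```python
# Added example (not from the Bugzilla entry or from SSSD): models how a user
# name becomes a Kerberos principal for the AS-REQ, with and without
# enterprise-principal handling. Name-type values are the ones registered in
# RFC 4120 (NT-PRINCIPAL = 1) and RFC 6806 section 5 (NT-ENTERPRISE = 10).

NT_PRINCIPAL = 1
NT_ENTERPRISE = 10


def regular_principal(user, default_realm):
    """Ordinary kinit: 'abc' -> abc@AD.COM, 'abc@extra.dom' -> abc@extra.dom.

    The text after the last '@' is treated as a realm. A UPN suffix that is
    not a Kerberos realm (extra.dom) therefore yields a principal for which
    the client has no KDC, which is why the plain kinit in the description fails.
    """
    if "@" in user:
        name, realm = user.rsplit("@", 1)
        return {"type": NT_PRINCIPAL, "components": [name], "realm": realm}
    return {"type": NT_PRINCIPAL, "components": [user], "realm": default_realm}


def enterprise_principal(user, default_realm):
    """kinit -E: the whole string, '@' included, is one name component of type
    NT-ENTERPRISE, and the realm is the client's default realm from krb5.conf.
    The default realm's KDC is then responsible for resolving the UPN suffix."""
    return {"type": NT_ENTERPRISE, "components": [user], "realm": default_realm}


def unparse(principal):
    """Render the principal the way MIT krb5 prints it: '/', '@' and '\\'
    inside a component are backslash-escaped, so an enterprise principal shows
    up in klist as abc\\@extra.dom@AD.COM rather than being mistaken for a
    realm boundary."""
    comps = [
        c.replace("\\", "\\\\").replace("@", "\\@").replace("/", "\\/")
        for c in principal["components"]
    ]
    return "/".join(comps) + "@" + principal["realm"]


def is_served_locally(principal, known_realms):
    """True when the AS-REQ targets a realm the client can locate a KDC for."""
    return principal["realm"] in known_realms


if __name__ == "__main__":
    # Constructed scenario from the description: AD.COM is the default realm
    # of a domain member; extra.dom is only a UPN suffix, not a realm.
    known = {"AD.COM"}
    for make in (regular_principal, enterprise_principal):
        p = make("abc@extra.dom", "AD.COM")
        print(f"{make.__name__:>20}: {unparse(p):28} type={p['type']:2} "
              f"KDC reachable={is_served_locally(p, known)}")
```

The model makes the failure mode in the description visible: the ordinary parse of abc@extra.dom sends the request to a realm named extra.dom, which nothing serves, whereas the enterprise parse keeps AD.COM as the realm and leaves the suffix for that KDC to resolve. That is the behaviour the proposed krb5_use_enterprise_principal option would select in the Kerberos child, and why the default realm in /etc/krb5.conf must be correct for it to work.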

Comment 1 Jakub Hrozek 2013-04-22 13:45:44 UTC
*** Bug 877127 has been marked as a duplicate of this bug. ***

Comment 2 Jakub Hrozek 2013-10-04 13:24:48 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Kaushik Banerjee 2014-01-21 10:38:23 UTC
Verified in version 1.11.2-29.el7

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_auth_03: bz 924404 support of enterprise principals
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success enterprise_user_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success enterprise_user_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password enterprise_user_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password enterprise_user_dom2 Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 48s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_auth_03: bz 924404 support of enterprise principals

Comment 5 Ludek Smid 2014-06-13 10:14:04 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.