Bug 1285162 - [RFE] Support Windows 2012 R2 Kerberos Armoring enabled
Summary: [RFE] Support Windows 2012 R2 Kerberos Armoring enabled
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-11-25 06:20 UTC by Glen Babiano
Modified: 2019-06-22 17:48 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-22 17:48:59 UTC
Target Upstream Version:
Embargoed:



Description Glen Babiano 2015-11-25 06:20:06 UTC
1. Proposed title of this feature request  
   Issue with IPA/AD cross-realm trust integration with Windows 2012 R2
      
2. Who is the customer behind the request?  
   Account: Optus Administration Pty Ltd #5576690   
   TAM customer: no  
   SRM customer: no  
   Strategic: no  
      
3. What is the nature and description of the request? 
   Centralized user authentication breaks when Kerberos Armoring service on the Windows 2012R2 server is enabled. This issue has been identified by Red Hat consultants working on site.
      
4. Why does the customer need this? (List the business requirements here)  
   Customer wants to enable Kerberos Armoring on their Windows servers for added security 
      
5. How would the customer like to achieve this? (List the functional requirements here) 
   They want Kerberos armoring support in the next IPA release
      
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented. 
   This can probably be arranged with the Red Hat consultants if required. Please note that this is a secured environment so the customer could not provide logging information.
      
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
   I have not found any related KCS article or bug related to this issue
      
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  
   No
      
9. Is the sales team involved in this request and do they have any additional input?  
   No
      
10. List any affected packages or components.  
    RHEL 7.2
    ipa-server-4.2
      
11. Would the customer be able to assist in testing this functionality if implemented? 
    This can probably be arranged with the Red Hat consultants if required. Please note that this is a secured environment so the customer could not provide logging information.

Comment 1 Sumit Bose 2015-12-01 13:50:10 UTC
If I understand it correctly 'Kerberos Armoring' is the same as FAST which we already support in SSSD. But we need to add support to be able to do FAST with multiple different domains. Currently we use the host key to get the FAST credentials and do this only against the realm the host has joined. If now the user authentication should happen against a different realm the FAST credentials we have are rejected because they do not relate to the other realm.
 
The change might be as easy as not using the realm of the host principal to get the FAST credential, but the realm of the user trying to authenticate. But of course this has to be tested carefully.
 
Please note that there might be issues with IPA and one-way trusts because the AD KDC will reject the IPA host principal to establish FAST and the trust credentials cannot be used because it must work on all IPA clients.
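
The SSSD FAST settings that comment 1 refers to, as an added configuration example that was not posted by anyone in this bug. The domain, server and host names are placeholders; `krb5_use_fast` and `krb5_fast_principal` are the options documented in sssd-krb5(5).

```ini
# /etc/sssd/sssd.conf on an IPA client (constructed example; all names are placeholders)
[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.test
ipa_server = ipa1.ipa.example.test

# FAST (what AD calls Kerberos armoring): never | try | demand
#   try    - try to use FAST; if the server does not support it,
#            continue the authentication without it
#   demand - authentication fails if FAST cannot be used
krb5_use_fast = try

# Principal whose keytab entry is used to obtain the FAST armor ticket.
# Per comment 1 this is the host key, and the armor credentials are
# requested only from the realm the host joined (IPA.EXAMPLE.TEST here),
# so they do not relate to the realm of a user from the trusted AD domain.
krb5_fast_principal = host/client.ipa.example.test@IPA.EXAMPLE.TEST
```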

Comment 2 Petr Vobornik 2015-12-15 11:58:49 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5552

Comment 4 Petr Vobornik 2017-04-06 16:01:55 UTC
IdM team doesn't have capacity to implement this RFE in RHEL 7.4. Moving to next RHEL version. Implementing the RFE there will depend on capacity of FreeIPA upstream. Without sufficient justification there is a chance that it will be moved again later.

Comment 7 Amy Farley 2019-06-22 17:48:59 UTC
Going to CLOSE this. 

Interoperability will be revisited with other current work in RHEL

Setting to CLOSE WONTFIX

