Bug 1285162 - [RFE] Support Windows 2012 R2 Kerberos Armoring enabled
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: FutureFeature
Reported: 2015-11-25 01:20 EST by Glen Babiano
Modified: 2018-06-19 09:29 EDT
Doc Type: Enhancement
Type: Bug
Attachments: None
Description Glen Babiano 2015-11-25 01:20:06 EST
1. Proposed title of this feature request
   Issue with IPA/AD cross-realm trust integration with Windows 2012 R2

2. Who is the customer behind the request?
   Account: Optus Administration Pty Ltd #5576690
   TAM customer: no
   SRM customer: no
   Strategic: no

3. What is the nature and description of the request?
   Centralized user authentication breaks when the Kerberos Armoring service on the Windows 2012R2 server is enabled. This issue has been identified by Red Hat consultants working on site.

4. Why does the customer need this? (List the business requirements here)
   Customer wants to enable Kerberos Armoring on their Windows servers for added security.

5. How would the customer like to achieve this? (List the functional requirements here)
   They want Kerberos armoring support in the next IPA release.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
   This can probably be arranged with the Red Hat consultants if required. Please note that this is a secured environment, so the customer could not provide logging information.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
   I have not found any related KCS article or bug related to this issue.

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
   No

9. Is the sales team involved in this request and do they have any additional input?
   No

10. List any affected packages or components.
    RHEL 7.2
    ipa-server-4.2

11. Would the customer be able to assist in testing this functionality if implemented?
    This can probably be arranged with the Red Hat consultants if required. Please note that this is a secured environment, so the customer could not provide logging information.
Comment 1 Sumit Bose 2015-12-01 08:50:10 EST
If I understand it correctly, 'Kerberos Armoring' is the same as FAST, which we already support in SSSD. But we need to add support to be able to do FAST with multiple different domains. Currently we use the host key to get the FAST credentials and do this only against the realm the host has joined. If now the user authentication should happen against a different realm, the FAST credentials we have are rejected because they are not related to the other realm.

The change might be as easy as not using the realm of the host principal to get the FAST credential, but the realm of the user trying to authenticate. But of course this has to be tested carefully.

Please note that there might be issues with IPA and one-way trusts, because the AD KDC will reject the IPA host principal to establish FAST and the trust credentials cannot be used because it must work on all IPA clients.
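The realm mismatch described in the comment above, as an added toy model that is not SSSD or FreeIPA code: a KDC can only verify an armor ticket sealed with a key it holds (its own krbtgt key, or the key of a trust into its realm), so a TGT for the host's realm is useless as FAST armor at the AD KDC, while a cross-realm TGT obtained with the host's credentials is accepted. The realm names, keys and HMAC-based "sealing" are constructed stand-ins for real Kerberos ticket encryption.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the per-realm krbtgt keys held by each KDC.
KRBTGT_KEYS = {
    "IPA.EXAMPLE": b"ipa-krbtgt-key",
    "AD.EXAMPLE": b"ad-krbtgt-key",
}
# Constructed stand-in for the key of the cross-realm trust principal
# krbtgt/AD.EXAMPLE@IPA.EXAMPLE, known to both KDCs.
CROSS_REALM_KEYS = {("IPA.EXAMPLE", "AD.EXAMPLE"): b"trust-shared-key"}


def _seal(body, key):
    """Toy ticket 'encryption': a MAC over the ticket body under a KDC key."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_tgt(client, realm):
    """KDC of `realm` issues a TGT for its own realm (what SSSD obtains today
    with the host keytab, against the realm the host joined)."""
    body = json.dumps({"client": client, "sname": f"krbtgt/{realm}@{realm}"})
    return {"body": body, "tag": _seal(body, KRBTGT_KEYS[realm]), "issuer_realm": realm}


def issue_cross_realm_tgt(client, from_realm, to_realm):
    """KDC of from_realm issues krbtgt/to_realm@from_realm, sealed with the trust key."""
    body = json.dumps({"client": client, "sname": f"krbtgt/{to_realm}@{from_realm}"})
    tag = _seal(body, CROSS_REALM_KEYS[(from_realm, to_realm)])
    return {"body": body, "tag": tag, "issuer_realm": from_realm}


def kdc_accepts_armor(kdc_realm, armor):
    """A KDC verifies armor only with keys it holds: its own krbtgt key for
    tickets it issued itself, or the trust key for a cross-realm TGT into its realm."""
    if armor["issuer_realm"] == kdc_realm:
        key = KRBTGT_KEYS[kdc_realm]
    else:
        key = CROSS_REALM_KEYS.get((armor["issuer_realm"], kdc_realm))
        if key is None:
            return False  # no trust with the issuing realm
    return hmac.compare_digest(_seal(armor["body"], key), armor["tag"])


def armor_for_user(host_principal, user_realm):
    """Proposed behaviour from the comment above: pick armor for the realm the
    user authenticates against, not the realm the host joined."""
    host_realm = host_principal.split("@", 1)[1]
    if host_realm == user_realm:
        return issue_tgt(host_principal, host_realm)
    if (host_realm, user_realm) not in CROSS_REALM_KEYS:
        return None  # no trust path from the host's realm, so no usable armor
    return issue_cross_realm_tgt(host_principal, host_realm, user_realm)
```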
Comment 2 Petr Vobornik 2015-12-15 06:58:49 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5552
Comment 4 Petr Vobornik 2017-04-06 12:01:55 EDT
IdM team doesn't have capacity to implement this RFE in RHEL 7.4. Moving to next RHEL version. Implementing the RFE there will depend on capacity of FreeIPA upstream. Without sufficient justification there is a chance that it will be moved again later.