Red Hat Bugzilla – Bug 1285162
[RFE] Support Windows 2012 R2 Kerberos Armoring enabled
Last modified: 2018-06-19 09:29:52 EDT
1. Proposed title of this feature request Issue with IPA/AD cross-realm trust integration with Windows 2012 R2 2. Who is the customer behind the request? Account: Optus Administration Pty Ltd #5576690 TAM customer: no SRM customer: no Strategic: no 3. What is the nature and description of the request? Centralized user authentication breaks when Kerberos Armoring service on the Windows 2012R2 server is enabled. This issue has been identified by Redhat consultants working on site. 4. Why does the customer need this? (List the business requirements here) Customer wants to enable Kerberos Armoring on their Windows servers for added security 5. How would the customer like to achieve this? (List the functional requirements here) They want Kerberos armoring support in the next IPA release 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented. This can probably be arranged with the Redhat consultants if required. Please note that this is a secured environment so customer could not provide logging information. 7. Is there already an existing RFE upstream or in Red Hat Bugzilla? I have not found any related KCS article or bug related to this issue 8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)? No 9. Is the sales team involved in this request and do they have any additional input? No 10. List any affected packages or components. RHEL 7.2 ipa-server-4.2 11. Would the customer be able to assist in testing this functionality if implemented? This can probably be arranged with the Redhat consultants if required. Please note that this is a secured environment so customer could not provide logging information.
If I understand it correctly 'Kerberos Armoring' is the same as FAST which we already support in SSSD. But we need to add support to be able to do FAST with multiple different domains. Currently we use the host key to get the FAST credentials and do this only against the realm the host has joined. If now the user authentication should happen against a different realm the FAST credentials we have are rejected because they do not related to the other realm. The change might be as easy as not using the realm of the host principal to get the FAST credential, but the realm of the user trying to authenticate. But of course this has to be tested carefully. Please note that there might be issues with IPA and one-way trusts because the AD KDC will reject the IPA host principal to establish FAST and the trust credentials cannot be used because it must work on all IPA clients.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5552
IdM team doesn't have capacity to implement this RFE in RHEL 7.4. Moving to next RHEL version. Implementing the RFE there will depend on capacity of FreeIPA upstream. Without sufficient justification there is a chance that it will be moved again later.