Description of problem: [MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of trusted domain information in Active Directory to conform certain rules. One side-effect of those rules is that list of UPN suffixes reported through the netr_DsRGetForestTrustInformation function is dynamically filtered to deduplicate subordinate suffixes. It means that if list of UPN suffixes contains the following top level names (TLNs): fabrikam.com sub.fabrikam.com then netr_DsRGetForestTrustInformation would only return 'fabrikam.com' as the TLN, fully filtering 'sub.fabrikam.com'. IPA KDB driver used exact comparison of the UPN suffixes so any subordinate had to be specified exactly. Modify logic so that if exact check does not succeed, we validate a realm to test being a subordinate of the known UPN suffixes. The subordinate check is done by making sure UPN suffix is at the end of the test realm and is immediately preceded with a dot. Because the function to check suffixes potentially called for every Kerberos principal, precalculate and cache length for each UPN suffix at the time we retrieve the list of them. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: 6.1.6.9.3.2 Building Well-Formed msDS-TrustForestTrustInfo Messages https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/2994b19c-04ff-430d-b788-c82d334b31bc
https://github.com/freeipa/freeipa/pull/5206
Upstream ticket: https://pagure.io/freeipa/issue/8554
Fixed upstream master: https://pagure.io/freeipa/c/8b6d1ab854387840f7526d6d59ddc7102231957f
Fixed upstream ipa-4-8: https://pagure.io/freeipa/c/1f0702bf9231a4898a2d58325fc51c71fea25047
Additional commits: commit 442038c41aef9ce07d0491a08bec406ede5f6686 Author: Sudhir Menon <sumenon> Date: Wed Nov 11 14:55:32 2020 +0530 ipatests: support subordinate upn suffixes This test adds new UPN Suffix on the AD side within the ad.test subtree i.e new.ad.test and this UPN is then assigned to aduser and then try to kinit using aduser along with the UPN set, to ensure that the kinit succeeds Signed-off-by: Sudhir Menon <sumenon> Reviewed-By: Alexander Bokovoy <abokovoy> commit 0da6a57b406f538edf187c44760885c237261183 Author: Alexander Bokovoy <abokovoy> Date: Tue Nov 24 16:03:36 2020 +0200 ad trust: accept subordinate domains of the forest trust root Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for subordinate UPN suffixes but missed the case where subordinate UPN is a subdomain of the forest root domain and not mentioned in the UPN suffixes list. Correct this situation by applying the same check to the trusted domain name as well. Fixes: https://pagure.io/freeipa/issue/8554 Signed-off-by: Alexander Bokovoy <abokovoy> Reviewed-By: Alexander Bokovoy <abokovoy> Fixed upstream master: https://pagure.io/freeipa/c/442038c41aef9ce07d0491a08bec406ede5f6686 https://pagure.io/freeipa/c/0da6a57b406f538edf187c44760885c237261183
Fixed upstream ipa-4-8: https://pagure.io/freeipa/c/d5cca835d5439331c05475d0ad2f993ac6f8b615 https://pagure.io/freeipa/c/6b224e57672e3f73f93bb9eddd9031e945529a1e
Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/7e605e958ef6d41584afc238433669c15458ac67 https://pagure.io/freeipa/c/381cc5e8eae1b7437fc15cb699983887d398f498
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1846