Bug 924404 - Allow usage of enterprise principals
Summary: Allow usage of enterprise principals
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Keywords:
Duplicates: 877127
Depends On:
Blocks: 877129
Reported: 2013-03-21 17:37 UTC by Jakub Hrozek
Modified: 2014-06-18 04:01 UTC (History)
CC: 4 users

Clone Of:
Last Closed: 2014-06-13 10:14:04 UTC



Description Jakub Hrozek 2013-03-21 17:37:54 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1842

This ticket is a sub-task of #364, but since this functionality might be useful for the AD provider even without trust, I thought it is a good idea to track it separately.

Enterprise principals are used in environments with more than one realm but the realms all belong to a large unit which is called enterprise in this context. See section 5 of http://tools.ietf.org/html/rfc6806 for more details.

A typical use case is an AD environment with trusts, but enterprise principals are also useful in an environment with only a single AD domain when additional UPN suffixes are used. E.g. if there is an AD domain ad.com with an additional UPN suffix extra.dom and a user abc configured with the additional UPN suffix,
{{{
kinit abc@AD.COM
}}}
will work, but neither
{{{
kinit abc@EXTRA.DOM
}}}
nor
{{{
kinit -C abc@EXTRA.DOM
}}}
will work. What is needed is to handle the abc@EXTRA.DOM principal as an enterprise principal:
{{{
kinit -E abc@EXTRA.DOM
}}}
To make the last example work AD.COM must be the default realm in /etc/krb5.conf, which would be typical for an AD domain member.

SSSD should get a new boolean option krb5_use_enterprise_principal and the Kerberos child should make sure that the appropriate default realm is used for the AS_REQ. By default the new option should be false, but for the AD provider it should be true.
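
The difference between the failing and working kinit invocations above comes down to what the client puts into the AS-REQ. The following is an added illustration, not SSSD or MIT krb5 code: it builds the cname/crealm pair both ways (RFC 4120 name type NT-PRINCIPAL versus RFC 6806 NT-ENTERPRISE) using the ad.com / extra.dom / abc names from the ticket, and checks each against a toy model of a single AD KDC that knows its own UPN suffixes. The function and class names, the `kdc_accepts` model and the suffix set are assumptions made for the example.

```python
# Added example, not SSSD or MIT krb5 code: models how the client principal
# in an AS-REQ is encoded with and without enterprise-principal handling
# (RFC 4120 section 6.2, RFC 6806 section 5), using the ad.com / extra.dom /
# abc names from the ticket description.  Function and class names and the
# toy KDC model are this example's own assumptions.
from dataclasses import dataclass
from typing import List, Set

# Kerberos principal name types.
KRB5_NT_PRINCIPAL = 1              # plain "user" in a realm (RFC 4120)
KRB5_NT_ENTERPRISE_PRINCIPAL = 10  # whole "user@suffix" as one component (RFC 6806)


@dataclass
class ClientPrincipal:
    """The cname / crealm pair placed in the AS-REQ body."""
    name_type: int
    name_string: List[str]
    realm: str

    def text(self) -> str:
        """Text form as tools like klist print it: an '@' inside a name
        component is escaped, and the realm of the request follows."""
        comps = [c.replace("@", "\\@") for c in self.name_string]
        return "/".join(comps) + "@" + self.realm


def build_as_req_client(upn: str, default_realm: str,
                        use_enterprise_principal: bool) -> ClientPrincipal:
    """Build the client principal for a login name such as abc@EXTRA.DOM.

    use_enterprise_principal=False (plain kinit / kinit -C): the text after
    the last '@' is taken as the realm, so the AS-REQ is aimed at EXTRA.DOM,
    a realm no KDC serves.
    use_enterprise_principal=True (kinit -E, SSSD's
    krb5_use_enterprise_principal): the full UPN becomes a single
    NT-ENTERPRISE component and the request goes to default_realm (AD.COM
    from /etc/krb5.conf on a domain member), whose KDC resolves the suffix.
    """
    if "@" not in upn:
        # No suffix: identical to plain kinit in the default realm.
        return ClientPrincipal(KRB5_NT_PRINCIPAL, [upn], default_realm)
    if use_enterprise_principal:
        return ClientPrincipal(KRB5_NT_ENTERPRISE_PRINCIPAL, [upn], default_realm)
    user, _, realm = upn.rpartition("@")
    return ClientPrincipal(KRB5_NT_PRINCIPAL, [user], realm)


def kdc_accepts(cp: ClientPrincipal, kdc_realm: str,
                upn_suffixes: Set[str]) -> bool:
    """Toy model (assumption) of a single AD KDC: it answers only for its
    own realm and, for enterprise names, only for UPN suffixes it knows,
    matched case-insensitively the way AD matches UPNs."""
    if cp.realm != kdc_realm:
        return False  # the client would not even locate a KDC for this realm
    if cp.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL:
        _, _, suffix = cp.name_string[0].rpartition("@")
        return suffix.upper() in {s.upper() for s in upn_suffixes}
    return True


if __name__ == "__main__":
    # Constructed input: the AD domain plus its additional UPN suffix.
    suffixes = {"ad.com", "extra.dom"}
    for flag in (False, True):
        cp = build_as_req_client("abc@EXTRA.DOM", "AD.COM", flag)
        print(f"enterprise={flag!s:5} cname={cp.text():24} "
              f"type={cp.name_type:2} served={kdc_accepts(cp, 'AD.COM', suffixes)}")
```

With `use_enterprise_principal=False` the request carries realm EXTRA.DOM and is never served; with `True` the same login name is sent as one NT-ENTERPRISE component to AD.COM, which is why the text form of the resulting principal shows the escaped inner `@` (`abc\@EXTRA.DOM@AD.COM`). In SSSD terms, the flag is the `krb5_use_enterprise_principal` option in the domain section of sssd.conf, and the `default_realm` argument is the value the Kerberos child must take from /etc/krb5.conf. The model deliberately leaves out KDC referrals and trust traversal.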

Comment 1 Jakub Hrozek 2013-04-22 13:45:44 UTC
*** Bug 877127 has been marked as a duplicate of this bug. ***

Comment 2 Jakub Hrozek 2013-10-04 13:24:48 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Kaushik Banerjee 2014-01-21 10:38:23 UTC
Verified in version 1.11.2-29.el7

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_auth_03: bz 924404 support of enterprise principals
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success enterprise_user_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success enterprise_user_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password enterprise_user_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password enterprise_user_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 48s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_auth_03: bz 924404 support of enterprise principals

Comment 5 Ludek Smid 2014-06-13 10:14:04 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.