Bug 924404 - Allow usage of enterprise principals
Summary: Allow usage of enterprise principals
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Duplicates: 877127 (view as bug list)
Depends On:
Blocks: 877129
Reported: 2013-03-21 17:37 UTC by Jakub Hrozek
Modified: 2020-05-02 17:18 UTC (History)
CC: 4 users

Fixed In Version: sssd-1.10.0-10.el7.beta2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 10:14:04 UTC
Target Upstream Version:
Embargoed:


Links: GitHub SSSD sssd issue 2884 (closed): Allow usage of enterprise principals, last updated 2021-02-10 14:12:18 UTC

Description Jakub Hrozek 2013-03-21 17:37:54 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1842

This ticket is a sub-task of #364, but since this functionality might be useful for the AD provider even without trust, I thought it is a good idea to track it separately.

Enterprise principals are used in environments with more than one realm but the realms all belong to a large unit which is called enterprise in this context. See section 5 of http://tools.ietf.org/html/rfc6806 for more details.

A typical use case is AD environments with trust, but enterprise principals are also useful in an environment with only a single AD domain when additional UPN suffixes are used. E.g. if there is an AD domain ad.com with an additional UPN suffix extra.dom and a user abc configured with the additional UPN suffix
{{{
kinit abc
}}}
will work, but neither
{{{
kinit abc
}}}
nor
{{{
kinit -C abc
}}}
What is needed is to handle the abc principal as an enterprise principal
{{{
kinit -E abc
}}}
To make the last example work AD.COM must be the default realm in /etc/krb5.conf, which would be typical for an AD domain member.

SSSD should get a new boolean option krb5_use_enterprise_principal and the Kerberos child should make sure that the appropriate default realm is used for the AS_REQ. By default the new option should be false, but for the AD provider it should be true.
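
Worked example, added by the editor and not part of the bug report or of SSSD's code: a small Python model of the behaviour the description asks for, showing the client name (name-type and name-string) and realm that end up in the AS-REQ for a bare principal, for a principal with an explicit realm, and for an enterprise principal as described in RFC 6806 section 5. The krb5.conf text is a constructed sample; the realm AD.COM, the UPN suffix extra.dom and the user abc are the values from the description, and the UPN form abc@extra.dom is the editor's assumption of what the stripped kinit arguments above read. The function names are the example's own. The name types NT-PRINCIPAL (1) and NT-ENTERPRISE (10) are the RFC 4120 section 6.2 values. The parser also handles multi-component names such as host/srv.ad.com, which goes beyond the single-user case in the description.

```python
"""Added example (not SSSD code): model the client name an AS-REQ carries
for an ordinary vs. an enterprise principal, per RFC 6806 section 5.
Realm names, users and the krb5.conf text below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Name types from RFC 4120 section 6.2; NT-ENTERPRISE is what `kinit -E`
# (and SSSD with krb5_use_enterprise_principal) puts in the AS-REQ.
NT_PRINCIPAL = 1
NT_ENTERPRISE = 10

# Constructed krb5.conf of an AD domain member, as the description assumes.
KRB5_CONF = """\
# /etc/krb5.conf (constructed sample)
[libdefaults]
 default_realm = AD.COM
 dns_lookup_kdc = true
[realms]
 AD.COM = {
  kdc = dc.ad.com
 }
"""


@dataclass(frozen=True)
class ClientName:
    """cname (name-type + name-string) and realm fields of an AS-REQ."""
    name_type: int
    name_string: Tuple[str, ...]
    realm: str


def default_realm(conf: str) -> Optional[str]:
    """Return [libdefaults] default_realm from krb5.conf text, or None."""
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None


def as_req_cname(principal: str, realm: Optional[str], enterprise: bool = False) -> ClientName:
    """Build the cname/realm pair kinit would send for `principal`.

    enterprise=False: "user@REALM" is split at the last '@' and the request
    goes to REALM; a bare name gets the default realm.
    enterprise=True:  the whole string, '@' included, is one NT-ENTERPRISE
    component and the request goes to the client's default realm, which the
    KDC then resolves (referral), so a default realm is mandatory.
    """
    if enterprise:
        if realm is None:
            raise ValueError("enterprise principal requires a default realm")
        return ClientName(NT_ENTERPRISE, (principal,), realm)
    name, sep, explicit_realm = principal.rpartition("@")
    if not sep:
        if realm is None:
            raise ValueError("no realm in principal and no default realm")
        return ClientName(NT_PRINCIPAL, tuple(principal.split("/")), realm)
    return ClientName(NT_PRINCIPAL, tuple(name.split("/")), explicit_realm)


def needs_default_realm(principal: str, enterprise: bool = False) -> bool:
    """True if the request cannot even be formed without a default realm."""
    try:
        as_req_cname(principal, None, enterprise)
    except ValueError:
        return True
    return False


def kinit_cases() -> dict:
    """The three invocations from the description, with AD.COM as default realm."""
    realm = default_realm(KRB5_CONF)
    return {
        "kinit abc": as_req_cname("abc", realm),
        "kinit abc@extra.dom": as_req_cname("abc@extra.dom", realm),
        "kinit -E abc@extra.dom": as_req_cname("abc@extra.dom", realm, enterprise=True),
    }


if __name__ == "__main__":
    for cmd, cname in kinit_cases().items():
        print(f"{cmd:24s} -> type {cname.name_type:2d} "
              f"name {'/'.join(cname.name_string)!r} realm {cname.realm}")
```

Running the block shows why the last form is the one that works for a UPN suffix: the plain `abc@extra.dom` request is addressed to a realm `extra.dom` that no KDC serves, while the enterprise form keeps the request in AD.COM and lets the domain controller map the UPN itself. This is also why the description requires AD.COM as default realm in /etc/krb5.conf (or, for SSSD, the Kerberos child picking the right realm) before `-E` can be used.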

Comment 1 Jakub Hrozek 2013-04-22 13:45:44 UTC
*** Bug 877127 has been marked as a duplicate of this bug. ***

Comment 2 Jakub Hrozek 2013-10-04 13:24:48 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Kaushik Banerjee 2014-01-21 10:38:23 UTC
Verified in version 1.11.2-29.el7

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_auth_03: bz 924404 support of enterprise principals
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success enterprise_user_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success enterprise_user_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password enterprise_user_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password enterprise_user_dom2 Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 48s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_auth_03: bz 924404 support of enterprise principals

Comment 5 Ludek Smid 2014-06-13 10:14:04 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

