[Freeipa-devel] Planning for v2: How to deal with kerberos trusts?

Dmitri Pal dpal at redhat.com
Mon Mar 31 01:26:46 UTC 2008


Simo Sorce wrote:
> Hello list,
> today I was working on something unrelated to computers and IT and I
> found myself thinking about how we should support Cross realm trusts in
> FreeIPA (yeah what was I doing? can't remember ... :-).
>
> Dealing with them at the Kerberos level is quite simple, mostly because
> it is already implemented :-)
>
> But when we talk about identity and Posix attributes we hit the sore
> point.
>
> So while I was thinking of some possible technical solutions I came up
> with 9 questions instead that need to be answered. I have some answers I
> am considering in my mind, but I'd like to seek opinions from
> interested people.
>
> So here they are.
> They are not necessarily in a good order as some answers may depend on
> later questions, feel free to reorder them if you think of such
> dependencies.
> Also they may have different answers if you think of one-way vs two-way
> trusts.
> So far MIT Kerberos Trusts (afaik) are always transitive, so we do not
> have to concern ourselves with intransitive trusts (or should we?)
>
> - How do we get user and group info (posix attributes and other stuff)
> from the trusted realm ?
>
> - How to uniquely assign UIDs/GIDs to foreign objects (think of MMR
> problems) ?
>
> - "when" do we get/refresh information ?
>
> - "where" do we store information (also think in terms of
> client/server) ?
>
> - "who" (think in terms of credentials too) will access information in
> the trusted realm ?
>
> - should we allow groups to be "global" and be shared between realms ?
>   - can we allow a machine in realm-a to see the groups in realm-b ?
>     (and set an ACL in a file with such group ID ?)
>   - can we make a user of realm-a part of a group in realm-b ?
>
> - can we support 1 way trusts ?
>
> - How to avoid too much traffic between servers (caching, validation,
> etc..)?
>
> - should we distinguish between Realm/DNS Domain based hierarchies and
> other kinds of trusts ?
>         (At the client level we have to because kerberos libraries can
>         try to use trusts walking a realm/dns domain hierarchy but
>         otherwise they have to be configured using the capaths
>         configuration option, if we want to make this dynamically
>         discoverable we may need to modify kerberos libraries so that
>         they can fetch this information from elsewhere)
>
>
> Tough questions; if they are too technical, here is a simpler
> question:
>
> How important do you think cross realm trust will be ?
>
> good thinking,
> Simo.
>
Simo,

Great questions but I agree that they are a bit technical.
The last one, however, is the question about use cases.
I think that is where we should start.
I might be wrong, but a user traveling with his laptop from realm a to
realm b is probably the biggest case.
Any other major ones?

Thanks,
Dmitri