[Freeipa-devel] Planning for v2: How to deal with kerberos trusts?

Ahmed Kamal email.ahmedkamal at googlemail.com
Mon Mar 31 07:23:12 UTC 2008


Recently I've been studying Microsoft's Active Directory, and I have to say
I am kind of impressed... I hope someone is analyzing the work they've done
:) Things like different kinds of groups, group nesting, and uid/gid clashes,
etc. Hmm, perhaps the old POSIX model is showing its age now!

On Mon, Mar 31, 2008 at 3:26 AM, Dmitri Pal <dpal at redhat.com> wrote:

> Simo Sorce wrote:
> > Hello list,
> > today I was working on something unrelated to computers and IT and I
> > found myself thinking about how we should support Cross realm trusts in
> > FreeIPA (yeah what was I doing? can't remember ... :-).
> >
> > Dealing with them at the Kerberos level is quite simple, mostly because
> > it is already implemented :-)
> >
> > But when we talk about identity and Posix attributes we hit the sore
> > point.
> >
> > So while I was thinking of some possible technical solutions I came up
> > with 9 questions instead that need to be answered. I have some answers I
> > am considering in my mind, but I'd like to seek opinions from
> > interested people.
> >
> > So here they are.
> > They are not necessarily in a good order as some answers may depend on
> > later questions, feel free to reorder them if you think of such
> > dependencies.
> > Also they may have different answers if you think of one-way vs two-way
> > trusts.
> > So far MIT Kerberos Trusts (afaik) are always transitive, so we do not
> > have to concern ourselves with intransitive trusts (or should we?)
> >
> > - How do we get user and group info (posix attributes and other stuff)
> > from the trusted realm ?
> >
> > - How to uniquely assign UIDs/GIDs to foreign objects (think of MMR
> > problems) ?
> >
> > - "when" do we get/refresh information ?
> >
> > - "where" do we store information (also think in terms of
> > client/server) ?
> >
> > - "who" (think in terms of credentials too) will access information in
> > the trusted realm ?
> >
> > - should we allow groups to be "global" and be shared between realms ?
> >   - can we allow a machine in realm-a to see the groups in realm-b ?
> >     (and set an ACL in a file with such group ID ?)
> >   - can we make a user of realm-a part of a group in realm-b ?
> >
> > - can we support 1 way trusts ?
> >
> > - How to avoid too much traffic between servers (caching, validation,
> > etc..)?
> >
> > - should we distinguish between Realm/DNS Domain based hierarchies and
> > other kinds of trusts ?
> >         (At the client level we have to because kerberos libraries can
> >         try to use trusts walking a realm/dns domain hierarchy but
> >         otherwise they have to be configured using the capaths
> >         configuration option, if we want to make this dynamically
> >         discoverable we may need to modify kerberos libraries so that
> >         they can fetch this information from elsewhere)
> >
> >
> > Tough questions, if they are too technical here there is a simpler
> > question:
> >
> > How important do you think cross realm trust will be ?
> >
> > good thinking,
> > Simo.
> >
> >
> Simo,
>
> Great questions but I agree that they are a bit technical.
> The last one, however, is the question about use cases.
> I think that is where we should start.
> I might be wrong but a user traveling with his laptop from realm a to
> realm b is probably the biggest case.
> Any other major ones?
>
> Thanks,
> Dmitri
>
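The capaths configuration option Simo mentions, as an added example that is not part of this thread: a krb5.conf [capaths] fragment for a trust the Kerberos library cannot discover by walking the realm/DNS hierarchy, so the path has to be spelled out. Realm names are placeholders.

```ini
# Added example, not from the thread; IPA.EXAMPLE.COM, PARTNER.EXAMPLE.NET
# and SUB.PARTNER.EXAMPLE.NET are placeholder realm names.
[capaths]
# Client realm IPA.EXAMPLE.COM reaching PARTNER.EXAMPLE.NET: the two share no
# DNS suffix, so the library cannot derive a path from the hierarchy. "." means
# the cross-realm principal krbtgt/PARTNER.EXAMPLE.NET@IPA.EXAMPLE.COM is used
# directly, with no intermediate hop.
    IPA.EXAMPLE.COM = {
        PARTNER.EXAMPLE.NET = .
# Reaching SUB.PARTNER.EXAMPLE.NET goes through PARTNER.EXAMPLE.NET first;
# this is the hop a hierarchy walk could only have found if both realms hung
# off a common parent realm.
        SUB.PARTNER.EXAMPLE.NET = PARTNER.EXAMPLE.NET
    }
# The reverse direction is listed separately; each direction of a two-way
# trust needs its own cross-realm krbtgt key on the KDCs, and a one-way trust
# simply has no key (and no usable path) in the other direction.
    PARTNER.EXAMPLE.NET = {
        IPA.EXAMPLE.COM = .
    }
```

Because this lives in every client's krb5.conf, it is exactly the static configuration the thread notes would have to become dynamically discoverable for FreeIPA to manage trusts centrally.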