[Freeipa-devel] IPA clients in AD DNS domain & Kerberos referrals

Alexander Bokovoy abokovoy at redhat.com
Thu Jul 7 13:32:26 UTC 2016


On Thu, 07 Jul 2016, Petr Spacek wrote:
>Hello,
>
>this is probably a silly idea ...
>
>I wonder if there is some way to use Kerberos referrals on AD side in a way
>which would return cross-realm referral to IPA realm.
>
>Maybe it could be used in a Frankenstein setup where an IPA client belongs to a DNS
>domain managed by AD ... I do not know, just throwing out the idea.
Yes, throw it out completely. :)

For each trust Active Directory has a name suffix routing table. This
table contains a list of fully qualified domain names (TLNs) that belong to the
trusted domain/forest's namespace or are excluded from it.

For those TLNs which belong to the trusted domain/forest namespace, a
Kerberos cross-realm TGT is issued to the client together with the
referral.

For those TLNs which are excluded from the namespace belonging to the
trusted domain/forest namespace, no Kerberos cross-realm TGT is issued
and no referral is given.

If any of the TLNs from the trusted domain/forest conflicts with
Active Directory's own table or with that of any other trusted domain/forest,
the trust is frozen and the conflict is marked as such. The whole forest
trust is non-operational then.

So there is only one possible solution: add exclusion TLNs for every
host that belongs to IPA but is in the AD DNS namespace to AD's own table.
I talked to Microsoft people at the IOLab event and we verified that
this is not a solution. The routing table is a single list and is
consulted on every single TGT request. This makes a solution based on TLN
exclusion entries highly inefficient, affecting the performance of all
AD DCs for all requests.

-- 
/ Alexander Bokovoy
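Added example, not code from the thread or from FreeIPA or Active Directory: a constructed Python model of the name suffix routing behaviour described above (TLNs routed with a cross-realm TGT and referral, exclusion TLNs that yield neither, conflicting trusts frozen), plus a count of table entries compared per request to show why one exclusion entry per IPA host does not scale. The `Forest` class, `validate`, `route`, the realm names and the exact-match conflict rule are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class Forest:
    realm: str                                  # constructed, e.g. "AD.TEST" or "IPA.TEST"
    included: set                               # TLNs belonging to this namespace
    excluded: set = field(default_factory=set)  # names carved out of 'included'
    frozen: bool = False                        # set when a TLN conflict is found

def _is_suffix(name, tln):
    name, tln = name.lower().rstrip("."), tln.lower().rstrip(".")
    return name == tln or name.endswith("." + tln)

def validate(forests):
    """forests[0] is the AD forest's own table, the rest are its trusts.
    A trust whose TLN is already claimed by the local forest or by an earlier
    trust is frozen (simplification: exact-match conflicts, first one wins)."""
    claimed = set(forests[0].included)
    for trust in forests[1:]:
        if trust.included & claimed:
            trust.frozen = True          # conflict: whole trust non-operational
        else:
            claimed |= trust.included
    return forests

def route(hostname, forests):
    """What the AD KDC does for a service principal on 'hostname'.
    Returns ('local', realm, n): ticket issued by AD itself;
            ('referral', realm, n): cross-realm TGT plus referral;
            ('none', None, n): no TGT and no referral.
    n counts table entries compared: the list is walked on every request."""
    scanned, best = 0, None              # best = (suffix length, kind, realm)
    for idx, f in enumerate(forests):
        if f.frozen:
            continue                     # frozen trusts never route anything
        hit = "local" if idx == 0 else "referral"
        for kind, names in (("excluded", f.excluded), (hit, f.included)):
            for tln in names:
                scanned += 1
                # longest matching suffix wins; on a tie the exclusion stays
                if _is_suffix(hostname, tln) and (best is None or len(tln) > best[0]):
                    best = (len(tln), kind, f.realm)
    if best is None or best[1] == "excluded":
        return ("none", None, scanned)
    return (best[1], best[2], scanned)
```

With one exclusion entry per IPA host in the AD table, the number of entries compared per request grows linearly with the number of such hosts, for every principal the DC handles.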



