[Freeipa-devel] [DESIGN] Kerberos principal alias handling
Alexander Bokovoy
abokovoy at redhat.com
Fri May 13 10:07:55 UTC 2016
On Thu, 12 May 2016, Martin Babinsky wrote:
>>We should not allow anything after @ not belonging to the list of
>>realm domains. We also will need to extend realm domains to include
>>non-domain-based UPN suffixes. This actually flies close to what I need
>>to finish in my AD trust UPN patches, so I need to make sure we have the
>>same approach there.
>>
>
>Does this mean that we would not be able to implement e-mail as
>principal alias [1]?
Why? I have not said that. I have said that you should not be able to
specify UPN with a suffix that does not belong to us. I don't want us to
allow to have Kerberos principals aliased to a trusted forest
namespaces as this is violation of a forest trust.
>>>>4. Will this RFE have any impact on AD trust (possibility of cross realm
>>>>routing, RFC 6806 section 9)
>>>>
>>>
>>>IIRC there should be no impact on trusts.
>>We should never allow to specify alias from the realm we don't own. This
>>means the code needs to look into the namespaces associated with any of
>>the trusted domains and reject them.
>>
>
>So if I understand correctly we should reject tickets incoming from
>trusted domains if they do not contain canonical principal name (i.e.
>UPN)?
Again, no, this is not what I said. For UPNs from trusted domains I
already have code to detect them and issue correct referral for clients
to go to the proper KDC.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list