[Freeipa-devel] Planning for v2: How to deal with kerberos trusts?

Dmitri Pal dpal at redhat.com
Mon Mar 31 15:38:02 UTC 2008 

Simo Sorce wrote:
> On Sun, 2008-03-30 at 21:26 -0400, Dmitri Pal wrote:
>   
>> Great questions but I agree that they are a bit technical.
>> The last one, however, is the question about use cases.
>> I think that is where we should start.
>> I might be wrong but user traveling with his laptop from realm a to 
>> realm b is probably the biggest case.
>> Any other major ones?
>>     
>
> I am not actually interested much in the mobility problem, given
> kerberos trusts are an all or nothing thing (all services of realm-a
> will trust all users of realm-b), it is highly unlikely a trust is
> created just for a "visiting" laptop.
>
> I am more interested in the cases where someone one to actually trust
> another Realm in its entirety.
> Possible use cases are merger between 2 companies or 2 divisions each
> one with their own IPA realm. Some cases may be about resource
> separation (like segregation of machines in a DMZ and use of a 1 way
> trust to let users use the resources), although I am not convinced this
> is a really good idea to support.
>
> Simo.
>
>   
I look at the trust between two API domains as more than just kerberos SSO. 
Trust is not only about authentication but about policies, access control and audit. 
While kerberos trust to some extent takes care of the authentication it does not take care about policies and access control. For those some mechanisms and rules need to be defined based on the use cases that we identify.
So far I see two main use cases:
1) "Visiting user" - this is the use case of visiting user or merger.
If you have different departments with different IPA servers and you want a traveling user to take advantage of the resources (print services, disk mounts, portals etc.) you need a trust. Similar situation happens during merger. There just more users to be worried about.
2) "Resource Isolation". The realm trust have been a way of solving thisissue to some extent. If we are asking questions about "how important the realm trust is" a would also ask the question "is the realm trust 
the only right solution to resource isolation"? Definitely resource isolation requirements are derived from security and compliance requirements and are extremely important for the customers but is setting realm and trusts between different realms the only solution? May be the problem can be solved by setting one realm in a specific way. 
This is our task to suggest different approaches and verify which ones will be accepted by the customers before implementing a specific approach and diving into technical details.

How Microsoft does it? They have a lot of experience there.
What are the good and the bad things about how they suggest doing 
resource separation?

Any other use cases?

Dmitri

More information about the Freeipa-devel mailing list