[Freeipa-devel] [PATCH 0215-0216] Child domain fixes for AD trust

Martin Babinsky mbabinsk at redhat.com
Wed Aug 17 15:25:54 UTC 2016


On 08/08/2016 01:27 PM, Alexander Bokovoy wrote:
> Hi!
>
> Attached two patches attempt to fix some of the issues we see with child
> domains.
>
> SSSD only 'sees' users from child domains if there is an ID range for
> each of them. However, after refactoring of the trust code when external
> trust was introduced, part of the range creation had the wrong assumption
> that if a trusted domain exists, its range also exists. This is now
> fixed to try to create a range even if the domain exists. In fact, because
> the older code was not going to the range creation for trusted domains
> which already existed, adding ranges was done incorrectly: ID ranges use
> the full domain name and don't need a <parent>-<child> hierarchy, but the code
> was passing both parent and child names. As a result, an attempt to
> create an ID range for the parent was done instead of the child. The parent ID
> range already existed, so we never got to create child ID ranges at all
> in that case.
>
> Finally, there is a fix in SSSD to properly generate capaths so that
> libkrb5 can calculate the correct trust path via the forest root (parent)
> domain. While looking at that, I also decided to simplify the logic in the
> ipa-kdb driver because for cross-forest trust we can never transit to
> the child domain directly; we always have to use the forest root domain.
> However, the old code could actually set an immediate domain's parent instead
> of the forest root for a deep-level trust relationship within the forest
> we trust. As we still cannot get to the second level or beyond directly or
> via their actual parent domain, we always have to go through the forest
> root domain. The simplified code enforces this logic.

ACK, but patch 215 needs rebase for ipa-4-3 and ipa-4-2.

-- 
Martin^3 Babinsky
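The two rules in the quoted description (every domain in a trusted forest is reached only through the forest root, and one ID range is created per trusted domain keyed by its full name, whether or not the domain object already exists) can be made concrete with a small model. The following is an added example, not FreeIPA, SSSD or ipa-kdb code; the forest layout, the IPA realm name, the `<REALM>_id_range` naming and the `old_ensure_id_ranges` reconstruction of the pre-fix behaviour are all assumptions made for illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed local realm; not from the original thread.
IPA_REALM = "IPA.EXAMPLE"


@dataclass(frozen=True)
class TrustedDomain:
    name: str               # full DNS name; the Kerberos realm is its upper-cased form
    parent: Optional[str]   # immediate parent's name, None for the forest root


# Constructed three-level forest: root -> child -> grandchild.
FOREST: Dict[str, TrustedDomain] = {
    "ad.example": TrustedDomain("ad.example", None),
    "child.ad.example": TrustedDomain("child.ad.example", "ad.example"),
    "grandchild.child.ad.example": TrustedDomain(
        "grandchild.child.ad.example", "child.ad.example"),
}


def realm(domain: str) -> str:
    return domain.upper()


def forest_root(domains: Dict[str, TrustedDomain], name: str) -> str:
    """Walk the parent chain up to the forest root, refusing cycles."""
    seen: Set[str] = set()
    d = domains[name]
    while d.parent is not None:
        if d.name in seen:
            raise ValueError(f"cycle in domain hierarchy at {d.name}")
        seen.add(d.name)
        d = domains[d.parent]
    return d.name


def capaths(ipa_realm: str,
            domains: Dict[str, TrustedDomain]) -> Dict[str, Dict[str, List[str]]]:
    """Build krb5.conf [capaths] data: CLIENT -> {SERVER -> [intermediates]}.
    The hop is always the forest root, never the immediate parent; ['.']
    is the krb5.conf convention for a direct hop."""
    paths: Dict[str, Dict[str, List[str]]] = {ipa_realm: {}}
    for d in domains.values():
        root = realm(forest_root(domains, d.name))
        r = realm(d.name)
        hop = ["."] if r == root else [root]
        paths[ipa_realm][r] = hop                     # IPA -> trusted realm
        paths.setdefault(r, {})[ipa_realm] = hop      # trusted realm -> IPA
    return paths


def render_capaths(paths: Dict[str, Dict[str, List[str]]]) -> str:
    """Render the [capaths] section; repeated lines express multi-hop paths."""
    lines = ["[capaths]"]
    for client, targets in paths.items():
        lines.append(f"    {client} = {{")
        for target, hops in targets.items():
            for hop in hops:
                lines.append(f"        {target} = {hop}")
        lines.append("    }")
    return "\n".join(lines)


def range_name(domain: str) -> str:
    # Assumed naming scheme for this example.
    return f"{realm(domain)}_id_range"


def ensure_id_ranges(domains: Dict[str, TrustedDomain],
                     existing_ranges: Set[str]) -> List[str]:
    """Fixed behaviour: one range per trusted domain, keyed by the full
    domain name, attempted regardless of whether the domain already exists."""
    created: List[str] = []
    for d in domains.values():
        name = range_name(d.name)
        if name not in existing_ranges:
            existing_ranges.add(name)
            created.append(name)
    return created


def old_ensure_id_ranges(domains: Dict[str, TrustedDomain],
                         existing_ranges: Set[str]) -> List[str]:
    """Reconstruction of the described bug (assumption): a child domain's
    range was looked up under its parent's name, so an existing parent range
    masked the missing child range and nothing was created for the child."""
    created: List[str] = []
    for d in domains.values():
        name = range_name(d.parent if d.parent is not None else d.name)
        if name not in existing_ranges:
            existing_ranges.add(name)
            created.append(name)
    return created


if __name__ == "__main__":
    print(render_capaths(capaths(IPA_REALM, FOREST)))
    print("fixed:", ensure_id_ranges(FOREST, {range_name("ad.example")}))
    print("old:  ", old_ensure_id_ranges(FOREST, {range_name("ad.example")}))
```

Running it prints a `[capaths]` section in which `GRANDCHILD.CHILD.AD.EXAMPLE` is reached through `AD.EXAMPLE` rather than `CHILD.AD.EXAMPLE`, and shows that the old lookup creates no ranges at all once the root range exists while the fixed one creates the two missing child ranges.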
