[Freeipa-devel] [PATCH 0215-0216] Child domain fixes for AD trust

Martin Babinsky mbabinsk at redhat.com
Mon Aug 22 12:06:16 UTC 2016


On 08/19/2016 10:28 AM, Alexander Bokovoy wrote:
> On Wed, 17 Aug 2016, Martin Babinsky wrote:
>> On 08/08/2016 01:27 PM, Alexander Bokovoy wrote:
>>> Hi!
>>>
>>> Attached two patches attempt to fix some of the issues we see with child
>>> domains.
>>>
>>> SSSD only 'sees' users from child domains if there is an ID range for
>>> each of them. However, after refactoring of trust code when external
>>> trust was introduced, part of the range creation had a wrong assumption
>>> that if a trusted domain exists, its range also exists. This is now
>>> fixed to try to create a range even if the domain exists. In fact, because
>>> the older code was not going to the range creation for trusted domains
>>> which already existed, adding ranges was done incorrectly: ID ranges use
>>> the full domain name and don't need a <parent>-<child> hierarchy, but the code
>>> was passing both parent and child names. As a result, an attempt to
>>> create an ID range for the parent was done instead of the child. The parent ID
>>> range already existed, so we never got to create child ID ranges at all
>>> in that case.
>>>
>>> Finally, there is a fix in SSSD to properly generate CA paths so that
>>> libkrb5 can calculate correct trust path via forest root (parent)
>>> domain. While looking at that, I also decided to simplify logic in
>>> ipa-kdb driver because for cross-forest trust we never can transit to
>>> the child domain directly, we always have to use the forest root domain.
>>> However, old code could actually set an immediate domain's parent instead
>>> of the forest root for deep level trust relationship within the forest
>>> we trust. As we still cannot get to second level or beyond directly or
>>> via their actual parent domain, we always have to go through the forest
>>> root domain. The simplified code enforces this logic.
>>>
>>
>> ACK, but patch 215 needs rebase for ipa-4-3 and ipa-4-2.
>>
> Rebased version attached.

Thanks,

Pushed to:

master: a14ebbea895a20f5a68052e32ba65c4fd7fdf670
ipa-4-3: 775c868bacc01286eafc97e8126937d76ee53e1e
ipa-4-2: ac6248430ce3358e75e6eebf01db5b9dfc55cac0

-- 
Martin^3 Babinsky
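The two behaviours the thread describes (an ID range keyed by the full domain name that must be created even when the trusted-domain entry already exists, and a Kerberos transit path that always goes through the forest root) as a constructed model added here; this is not FreeIPA, SSSD or ipa-kdb code, and the `_id_range` naming and the `TrustedForest` shape are assumptions:

```python
# Constructed model (not FreeIPA/SSSD code) of the child-domain fixes discussed
# in the thread. `fixed=False` reproduces the old short-circuit: a domain that
# already has a trust entry is skipped, so its missing ID range is never created.
from dataclasses import dataclass, field


@dataclass
class TrustedForest:
    root: str                                     # forest root, e.g. "ad.test"
    children: dict = field(default_factory=dict)  # child domain -> immediate parent


def range_name(domain):
    # Assumed naming: one range per full domain name, no <parent>-<child> prefix.
    return domain.upper() + "_id_range"


def ranges_to_create(forest, existing_domains, existing_ranges, fixed=True):
    """Return the ID range names that still have to be created.

    The fixed variant checks the range itself for every domain in the forest;
    the old variant assumed an existing domain implied an existing range.
    """
    needed = []
    for domain in [forest.root, *forest.children]:
        if not fixed and domain in existing_domains:
            continue  # old behaviour: existing domain => range assumed present
        name = range_name(domain)
        if name not in existing_ranges:
            needed.append(name)
    return needed


def transit_domain(forest, domain):
    """Domain libkrb5 must transit through to reach `domain` in the trusted forest.

    The forest root is reached directly (None). Every child domain, at any
    depth, is reached only via the forest root, never via its immediate parent.
    """
    if domain == forest.root:
        return None
    if domain not in forest.children:
        raise ValueError(f"{domain} is not a member of forest {forest.root}")
    return forest.root
```

Running the old variant against a forest whose child domains already have trust entries shows the child ranges are never scheduled for creation, which is exactly the SSSD symptom the patch removes.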