#2848 [RFE] domain name suffixes support for trusts
Closed: Fixed. Opened 11 years ago by abbra.

When an AD trust is established, upon validation the AD DC is capable of fetching information about the trusted forest configuration, including additional name suffixes to use when creating routing to the trusted domain (us). This gives an opportunity to make domain split configurations supported in AD trust.

Domain split configurations are setups where the IPA Kerberos realm is different from the DNS domain for all or part of the clients.

Currently IPA does not store information about additional domains anywhere.

The following tasks need to be done:
1. Develop schema to store domain information.
2. Modify ipasam to return the required forest information; this may cause changes or additions to the passdb API.
3. Modify source3/rpc_server/netlogon/srv_netlog_nt.c:fill_forest_trust_array() to use passdb information from ipasam.
4. Add an 'ipa dns' command to maintain domain name suffixes. Note that these suffixes may not be served by IPA DNS.
5. Add configuration of the 'domain_to_realm' section of krb5.conf when an AD trust is added.

It would be preferred if SSSD pulled in and published domain name suffixes for the 'domain_to_realm' configuration in krb5.conf instead of requiring manual setup.


After discussing with Simo and Rob we decided this is a bigger effort and not strictly required for beta2.

I took a stab at point 1.

I think the simplest option is to have one object in the directory where we list the DNS domains our KDC recognizes as 'mapped' to our realm. The nice thing is that we can do that with the schema currently available in the server, so the change will not require new schema, just a new DIT object and CLI/UI tools to manage it.

My proposal is to create the following object:

dn: cn=Realm Domains,cn=ipa,cn=etc,$SUFFIX
objectClass: domainRelatedObject
objectClass: nsContainer
objectClass: top
cn: Realm Domains
associatedDomain: foo.example.com
associatedDomain: bar.example.net

This makes it easy to query for dumping into the krb5.conf [domain_realm] section and for querying from ipasam to convey routing information to the Windows domain.

Simo.

Looks simple and allows managing this explicitly. At the same time it still gives flexibility to add helpers in CLI/UI for things like suggesting which domains are associated based on existing host records.

This is related to #2593 and #2945 and should be scheduled together with those.

Changing 3.2 priority

Some additional notes:

  • ipasam's ipasam_get_domain_name() needs to be modified to search for domainRelatedObject only at the top level and not in the subtree, because now that we can support more than one UPN suffix in IPA, objects in cn=Realm Domains,cn=ipa,cn=etc,$SUFFIX interfere with the domain object at the top level $SUFFIX.

  • MS-NRPC and MS-LSAD define that the list of associated domains for the forest should be returned by netr_DsRGetForestTrustInformation when trusted_domain_name is NULL. Samba code does not support this in source3/ and rudimentarily returns only its own domain in source4.

  • There is no PASSDB call that could be used to infer UPN suffixes directly. One could redefine enum_trusted_domains() and pdb_enum_trusteddoms() to return UPN suffixes as well by using a wrong SID for the domain there, but this would be a hack since these are not really domains. A new call is preferred.
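The two ideas above that a practitioner would most want to see concretely are Simo's proposal (one cn=Realm Domains entry feeding the krb5.conf [domain_realm] section) and the search-scope pitfall in the first note (a subtree search for domainRelatedObject under $SUFFIX now also matches the Realm Domains container). The following is an added example, not FreeIPA or ipasam code, and it does not talk to a directory server: the LDIF is a constructed sample mirroring the proposed object, the minimal parser and scope emulation are my own, and the assumption that the realm name is the upper-cased associatedDomain of the top-level $SUFFIX entry is mine, not something the ticket states.

```python
"""Added example (not FreeIPA/ipasam code): render krb5.conf [domain_realm]
from the proposed cn=Realm Domains entry, and show why a subtree search for
domainRelatedObject under $SUFFIX picks up more than the top-level domain.

Assumptions not in the ticket: the realm is the upper-cased associatedDomain
of the top-level $SUFFIX entry, and SAMPLE_LDIF is a constructed sample,
not a dump of a real server.
"""

import re

SUFFIX = "dc=example,dc=com"

# Constructed LDIF: the top-level domain object plus the proposed container.
SAMPLE_LDIF = f"""\
dn: {SUFFIX}
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
dc: example
associatedDomain: example.com

dn: cn=Realm Domains,cn=ipa,cn=etc,{SUFFIX}
objectClass: domainRelatedObject
objectClass: nsContainer
objectClass: top
cn: Realm Domains
associatedDomain: foo.example.com
associatedDomain: bar.example.net
"""


def parse_ldif(text):
    """Minimal LDIF parser (no base64, no continuation lines): [(dn, {attr: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def search(entries, base, scope, objectclass):
    """Emulate LDAP 'base' vs 'sub' scope for entries of one objectClass.

    DN matching is a naive case-insensitive string comparison, which is enough
    for the unescaped DNs in the sample.
    """
    base = base.lower()
    hits = []
    for dn, attrs in entries:
        ocs = {v.lower() for v in attrs.get("objectClass", [])}
        if objectclass.lower() not in ocs:
            continue
        d = dn.lower()
        in_scope = d == base if scope == "base" else (d == base or d.endswith("," + base))
        if in_scope:
            hits.append(dn)
    return hits


def realm_domains(entries, suffix):
    """Return (realm, [domains]) from the top-level entry and the Realm Domains container."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    top = by_dn[suffix.lower()]
    realm = top["associatedDomain"][0].upper()  # assumption: realm == upper-cased domain
    container = by_dn[f"cn=realm domains,cn=ipa,cn=etc,{suffix}".lower()]
    return realm, container.get("associatedDomain", [])


def domain_realm_section(realm, domains):
    """Render [domain_realm]; each domain gets a '.domain' wildcard entry as well."""
    lines = ["[domain_realm]"]
    for d in domains:
        lines.append(f" .{d} = {realm}")
        lines.append(f" {d} = {realm}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    realm, doms = realm_domains(ents, SUFFIX)
    print(domain_realm_section(realm, doms))
    # A subtree search now returns two domainRelatedObject entries; a base search
    # returns only the top-level domain object, which is what ipasam needs.
    print("sub :", search(ents, SUFFIX, "sub", "domainRelatedObject"))
    print("base:", search(ents, SUFFIX, "base", "domainRelatedObject"))
```

Running it prints a [domain_realm] block mapping foo.example.com and bar.example.net (and their dotted wildcard forms) to EXAMPLE.COM, and shows the subtree search returning both entries while the base-scope search returns only $SUFFIX, which is the behaviour change the first note asks for in ipasam_get_domain_name().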

Reassigning to myself.

Move all uncompleted tickets to next month bucket.

ipa-sam plugin was updated to support UPN suffix enumeration:

master: cc56723

Moving unfinished March tickets to April milestone.

Keep the ticket open until Samba patches are accepted upstream.

Updated Samba 4.0.5 versions are on their way to Fedora 18, Fedora 19, and Rawhide.

Rename "trusts" component to "Trusts" to achieve correct sorting.

Metadata Update from @abbra (7 years ago):
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)
