#4799 Check realm domains list against AD domains list before establishing trust
Closed: Fixed None Opened 9 years ago by pvoborni.

The realm domain list can contain a rogue domain, i.e. a domain controlled by AD. Trust won't work in that case. It can happen if a host which belongs to an AD domain is added to the IPA server; see #4798.

The IPA server should check whether it contains such a domain before establishing a trust.

This check is limited to the case where the trust is established using a shared secret, because IPA lacks the credentials to ask AD for the list of its domains. Thus the only thing known, which should be checked, is the forest root DNS domain.
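The check proposed above, written here as an added illustration (it is not FreeIPA's own code): every realm domain is compared against the known AD domains on DNS label boundaries, after normalising case and trailing dots. In the shared-secret case the only known AD domain is the forest root, so the list passed in has one entry; the domain names below are constructed sample values.

```python
# Added example, not FreeIPA code: refuse to establish a trust when any
# IPA realm domain falls inside a DNS domain that AD controls.

def normalize_domain(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def domain_is_within(name: str, root: str) -> bool:
    """True if `name` equals `root` or is a subdomain of it.

    Matching on a label boundary ("." + root) avoids treating
    'notad.example.test' as part of 'ad.example.test'.
    """
    name, root = normalize_domain(name), normalize_domain(root)
    return name == root or name.endswith("." + root)


def conflicting_realm_domains(realm_domains, ad_domains):
    """Return (normalised, sorted) realm domains that lie inside any AD domain.

    With a shared-secret trust `ad_domains` is just [forest_root]; with
    credentials to enumerate the forest it can hold every AD domain.
    """
    hits = {
        normalize_domain(d)
        for d in realm_domains
        if any(domain_is_within(d, ad) for ad in ad_domains)
    }
    return sorted(hits)


def trust_check(realm_domains, ad_domains):
    """Return (allowed, conflicts): allowed is False when a rogue domain exists."""
    conflicts = conflicting_realm_domains(realm_domains, ad_domains)
    return (not conflicts, conflicts)


if __name__ == "__main__":
    # Constructed sample: a host from the AD domain was enrolled into IPA,
    # which pulled 'host.ad.example.test' into the realm domain list (#4798).
    realm = ["ipa.example.test", "host.ad.example.test",
             "notad.example.test", "AD.EXAMPLE.TEST."]
    allowed, bad = trust_check(realm, ["ad.example.test"])
    print("trust allowed:", allowed, "rogue domains:", bad)
```

If `allowed` is False the rogue entries must be removed from the realm domain list before the trust command proceeds.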


Should be done together with #4798.

This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.

master:

  • 45958d6 trusts: Check for AD root domain among our trusted domains

ipa-4-2:

  • ddec450 trusts: Check for AD root domain among our trusted domains

Metadata Update from @pvoborni:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago
