Currently the handling of enterprise principals from the local realm is rejected in ipadb_is_princ_from_trusted_realm(). But if the request is sent from a client in an AD domain the AD DC tends to add a lower-case version of the realm instead of the correct upper-case version, e.g. user\@IPA.DOMAIN@ipa.domain.
Since the IPA KDC correctly handles the realm case-sensitively it does not recognize that it is a principal from the local realm and hands the processing down to the KDB driver. If ipadb_is_princ_from_trusted_realm() detects the local realm it should be checked whether the principal exists in the database, and the needed entry returned if it was found.
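As an added illustration of the routing this ticket proposes (example code, not FreeIPA's own KDB driver; the real ipadb_is_princ_from_trusted_realm() signature, the ipadb structures and the LDAP lookup are not reproduced, and the realm and trusted-realm names below are constructed), the following stand-alone C program splits an enterprise principal at its last unescaped '@', treats an outer realm that matches the local realm only case-insensitively as local and hands back the inner name for the database lookup, and otherwise consults a list of trusted realms:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Outcome of classifying an incoming principal (hypothetical enum). */
enum princ_origin {
    PRINC_MALFORMED = -1,   /* could not be parsed */
    PRINC_UNKNOWN_REALM = 0, /* neither local nor trusted: reject */
    PRINC_LOCAL = 1,         /* local realm (any case): look up in local DB */
    PRINC_TRUSTED = 2        /* realm from a trusted forest: hand to trust code */
};

/* Constructed sample of trusted realms; in FreeIPA this comes from the DB. */
static const char *const sample_trusted_realms[] = { "AD.DOMAIN" };

/* Split "user\@IPA.DOMAIN@ipa.domain" into the inner name "user@IPA.DOMAIN"
 * and the outer realm "ipa.domain". A backslash escapes the '@' that belongs
 * to the inner name, so the outer realm starts after the last unescaped '@'.
 * Plain principals such as "user@ipa.domain" split the same way.
 * Returns false on malformed input or when a buffer is too small. */
static bool split_enterprise_princ(const char *s, char *name, size_t nlen,
                                   char *realm, size_t rlen)
{
    const char *last_at = NULL;
    bool escaped = false;
    for (const char *p = s; *p; p++) {
        if (escaped) { escaped = false; continue; }
        if (*p == '\\') { escaped = true; continue; }
        if (*p == '@') last_at = p;
    }
    if (last_at == NULL || last_at == s || last_at[1] == '\0')
        return false;

    /* Copy the inner name, dropping the escape backslashes. */
    size_t n = 0;
    escaped = false;
    for (const char *p = s; p < last_at; p++) {
        if (!escaped && *p == '\\') { escaped = true; continue; }
        escaped = false;
        if (n + 1 >= nlen) return false;
        name[n++] = *p;
    }
    name[n] = '\0';

    size_t r = strlen(last_at + 1);
    if (r + 1 > rlen) return false;
    memcpy(realm, last_at + 1, r + 1);
    return true;
}

/* The ticket's point: "ipa.domain" sent by an AD DC for "IPA.DOMAIN" is still
 * the local realm and must not be mistaken for a foreign one. */
static bool realm_is_local(const char *realm, const char *local_realm)
{
    return strcasecmp(realm, local_realm) == 0;
}

/* Assumption for this example: trusted realm names are matched ignoring case too. */
static bool realm_is_trusted(const char *realm, const char *const *trusted, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(realm, trusted[i]) == 0) return true;
    return false;
}

/* Classify the principal. On PRINC_LOCAL, lookup_name receives the inner name
 * (e.g. "user@IPA.DOMAIN") that the KDB driver would search for in its DB. */
static enum princ_origin classify_enterprise_princ(const char *princ,
        const char *local_realm, const char *const *trusted, size_t ntrusted,
        char *lookup_name, size_t len)
{
    char name[256], realm[256];
    if (!split_enterprise_princ(princ, name, sizeof name, realm, sizeof realm))
        return PRINC_MALFORMED;
    if (realm_is_local(realm, local_realm)) {
        if (snprintf(lookup_name, len, "%s", name) >= (int)len)
            return PRINC_MALFORMED;
        return PRINC_LOCAL;
    }
    if (realm_is_trusted(realm, trusted, ntrusted))
        return PRINC_TRUSTED;
    return PRINC_UNKNOWN_REALM;
}

int main(void)
{
    const char *samples[] = { "user\\@IPA.DOMAIN@ipa.domain",
                              "user\\@AD.DOMAIN@AD.DOMAIN",
                              "user\\@OTHER.EXAMPLE@other.example" };
    for (size_t i = 0; i < 3; i++) {
        char buf[128] = "";
        int o = classify_enterprise_princ(samples[i], "IPA.DOMAIN",
                                          sample_trusted_realms, 1, buf, sizeof buf);
        printf("%-40s -> %d %s\n", samples[i], o, buf);
    }
    return 0;
}
```

The first sample is the ticket's case: with a plain case-sensitive compare the outer realm "ipa.domain" would fall through to the trusted-realm path and be rejected; with the case-insensitive check it is recognised as local and "user@IPA.DOMAIN" becomes the name to look up.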
Metadata Update from @sbose:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog