On 05/09/2016 08:26 AM, Alexander Bokovoy wrote:
On Fri, 06 May 2016, Martin Babinsky wrote:
On 05/05/2016 02:58 PM, Milan Kubík wrote:
On 04/08/2016 05:10 PM, Martin Babinsky wrote:
Hi list,

I have put together a draft [1] outlining the effort to reimplement
the handling of Kerberos principals in both backend and frontend
layers of FreeIPA so that we may have multiple aliases per user, host
or service and thus implement stuff like
https://fedorahosted.org/freeipa/ticket/3961 and
https://fedorahosted.org/freeipa/ticket/5413 .

Since much of the plumbing was already implemented,[2] the document
mainly describes what the patches do. Some parts required by other use
cases may be missing so please point these out.

I would also be happy if you could correct all factual inacurracies, I
did research on this issue a long time ago and my knowledge turned a
bit rusty.

[1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases


I went through the design document and the related email thread here on
the list and I have few questions:

1. Is there any progress on what's to happen if MODRDN would colide with
an existing alias on a different entry?

Both krbPrincipalName and krbCanonicalName will be guarded by
uniqueness plugin so this should raise an error in the DS backend.

It will need some more investigation though and will probably warrant
a separate test case in the future test plan.

2. How does this RFE change the behavior of stage user plugin? Is the
principal (as in the canonical name) assigned at this stage of user

I didn't think about staged users when designing/doing patches. Thank
you for pointing this out. The principal name is assigned when
creating the staged user and it is also checked during activation and
again added if it is not present. We will need to handle both of these
cases. I will update the design to reflect this.

3. Will there be any constraints on what string can be used as an alias?
(The document mentions email address as one use case)

The e-mail case can be tricky, since having two '@' in the principal
name can break parsing/unparsing of principal name in KDB DAL. We will
likely have to implement some sort of escaping to handle this
correctly. This should be discussed in more detail with
We should not allow anything after @ not belonging to the list of
realm domains. We also will need to extend realm domains to include
non-domain-based UPN suffixes. This actually flies close to what I need
to finish in my AD trust UPN patches, so I need to make sure we have the
same approach there.

Does this mean that we would not be able to implement e-mail as principal alias [1]?

4. Will this RFE have any impact on AD trust (possibility of cross realm
routing, RFC 6806 section 9)

IIRC there should be no impact on trusts.
We should never allow to specify alias from the realm we don't own. This
means the code needs to look into the namespaces associated with any of
the trusted domains and reject them.

So if I understand correctly we should reject tickets incoming from trusted domains if they do not contain canonical principal name (i.e. UPN)?

[1] https://fedorahosted.org/freeipa/ticket/5413

Martin^3 Babinsky

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to