On Thu, 07 Jul 2016, Petr Spacek wrote:

this is probably a silly idea ...

I wonder if there is some way to use Kerberos referrals on AD side in a way
which would return cross-realm referral to IPA realm.

Maybe it could be used in Frankenstein setup where IPA client belongs to a DNS
domain managed by AD ... I do not know, just throwing out the idea.
Yes, throw it out completely. :)

For each trust Active Directory has a name suffix routing table. This
table contains list of fully qualified domain names (TLNs) that belong to the
trusted domain/forest's namespace or excluded from it.

For those TLNs which belong to the trusted domain/forest namespace,
Kerberos cross-realm TGT is issued to the client together with the

For those TLNs which are excluded from the namespace belonging to the
trusted domain/forest namespace, no Kerberos cross-realm TGT is issued
and no referral is given.

If any of the TLNs from the trusted domain/forest conflicts with the
Active Directory's own table or from any other trusted domain/forest,
the trust is frozen and the conflict is marked as such. The whole forest
trust is non-operational then.

So there is only one possible solution: add exclusion TLNs for every
host that belongs to IPA but is in AD DNS namespace to the AD own table.
I talked to Microsoft people while at IOLab event and we verified that
this is not a solution. The routing table is a single list and is
consulted every single TGT request. This makes a solution of TLN
exclusion entries a highly inefficient and affecting performance of all
AD DCs for any requests.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to