On Thu, 07 Jul 2016, Petr Spacek wrote:
this is probably a silly idea ...
I wonder if there is some way to use Kerberos referrals on AD side in a way
which would return cross-realm referral to IPA realm.
Maybe it could be used in Frankenstein setup where IPA client belongs to a DNS
domain managed by AD ... I do not know, just throwing out the idea.
Yes, throw it out completely. :)
For each trust Active Directory has a name suffix routing table. This
table contains list of fully qualified domain names (TLNs) that belong to the
trusted domain/forest's namespace or excluded from it.
For those TLNs which belong to the trusted domain/forest namespace,
Kerberos cross-realm TGT is issued to the client together with the
For those TLNs which are excluded from the namespace belonging to the
trusted domain/forest namespace, no Kerberos cross-realm TGT is issued
and no referral is given.
If any of the TLNs from the trusted domain/forest conflicts with the
Active Directory's own table or from any other trusted domain/forest,
the trust is frozen and the conflict is marked as such. The whole forest
trust is non-operational then.
So there is only one possible solution: add exclusion TLNs for every
host that belongs to IPA but is in AD DNS namespace to the AD own table.
I talked to Microsoft people while at IOLab event and we verified that
this is not a solution. The routing table is a single list and is
consulted every single TGT request. This makes a solution of TLN
exclusion entries a highly inefficient and affecting performance of all
AD DCs for any requests.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code