On 08/08/2016 01:27 PM, Alexander Bokovoy wrote:
Attached two patches attempt to fix some of the issues we see with child
SSSD only 'sees' users from child domains if there is an ID range for
each of them. However, after refactoring of trust code when external
trust was introduced, part of the range creation had wrong assumption
that if a trusted domain exists, its range also exists. This is now
fixed to try to create range even if the domain exists. In fact, because
the older code was not going to the range creation for trusted domains
which already existed, adding ranges was done incorrectly: ID ranges use
full domain name and don't need <parent>-<child> hierarchy, but the code
was passing both parent and the child names. As result, an attempt to
create an ID range for parent was done instead of the child. Parent ID
range already existed so we never got to create child ID ranges at all
in that case.
Finally, there is a fix in SSSD to properly generate CA paths so that
libkrb5 can calculate correct trust path via forest root (parent)
domain. While looking at that, I also decided to simplify logic in
ipa-kdb driver because for cross-forest trust we never can transit to
the child domain directly, we always have to use the forest root domain.
However, old code could actually set a immediate domain's parent instead
of the forest root for deep level trust relationship within the forest
we trust. As we still cannot get to second level or beyond directly or
via their actual parent domain, we always have to go through the forest
root domain. The simplified code enforces this logic.
ACK, but patch 215 needs rebase for ipa-4-3 and ipa-4-2.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code