On 25.8.2015 16:08, Alexander Bokovoy wrote:
> On Tue, 25 Aug 2015, Simo Sorce wrote:
>> On Tue, 2015-08-25 at 15:19 +0200, Petr Spacek wrote:
>>> On 1.8.2015 21:19, John Stein wrote:
>>> > Hi,
>>> >
>>> > Thanks for the reply. Any idea when the GSSAPI-updating bug fix will get to
>>> > RHEL 7?
>>> You can watch the progress here:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1214827
>>> Unfortunately fixing this bug will not be sufficient for your particular
>>> scenario. FreeIPA does not allow ordinary host/ principals used by client
>>> machines (not to be confused with FreeIPA servers) to get tickets for AD
>>> Kerberos realms.
>>> It effectively means that nsupdate will properly detect the AD realm and
>>> generate a correct request, but the request will be refused because the client
>>> will not be able to get a ticket.
>>> I.e. you will have to resort to manual PTR record update OR convince
>>> Alexander/Simo that allowing host/ principals from FreeIPA realm to get
>>> tickets for AD realm is not a security issue :-)
>> There is no security issue per se, host/ principals can get tickets just
>> fine but we do not attach a PAC here, and AD may refuse to operate w/o an
>> MS-PAC. Please open an RFE if this is breaking operations. We'll need to
>> decide how to assign a SID to hosts but that's the only "security" issue
>> that needs to be solved.

Here it is:

> For one-way trust you'll be unable to get the ticket at all as there is
> no cross-forest TGT on our side to issue. And this is a default
> configuration in FreeIPA 4.2. You will have to have bi-directional trust
> to get GSSAPI authentication in nsupdate working at all against a
> trusted forest.

Understood, that is the price users have to pay for using a one-way trust.
Still, I think that we should support this use case if the user is willing to use
a bi-directional trust.

Petr^2 Spacek
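
As an added example (not code from this thread or from FreeIPA), here is a small POSIX shell script for the manual PTR update path mentioned above. It first checks whether the client can obtain a service ticket for the AD DNS server at all (the failure described for a one-way trust, checked here with kvno), and if it can, sends the update with nsupdate -g; otherwise it prints the nsupdate batch so it can be sent with a keytab/TSIG key or by hand. The host names, realm and address are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeIPA.
# All names, realms and addresses below are placeholders.

# Compute the in-addr.arpa owner name for a dotted-quad IPv4 address.
# Fails (returns 1) unless exactly four octets are given.
ptr_name() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Emit an nsupdate batch that replaces the PTR for $1 (IPv4) with $2 (FQDN,
# with trailing dot) and directs it at DNS server $3.
ptr_update_script() {
    ip=$1; fqdn=$2; server=$3
    rev=$(ptr_name "$ip") || return 1
    printf 'server %s\nupdate delete %s PTR\nupdate add %s 1200 PTR %s\nsend\n' \
        "$server" "$rev" "$rev" "$fqdn"
}

# Can the current credential cache get a ticket for the AD DNS server's
# service principal (DNS/<server>@<AD realm>)? With a one-way trust there is
# no cross-realm TGT to issue, so this fails. Requires MIT Kerberos kvno(1).
can_get_ad_dns_ticket() {
    kvno "DNS/$1@$2" >/dev/null 2>&1
}

main() {
    ip=$1; fqdn=$2; dns_server=$3; ad_realm=$4
    if can_get_ad_dns_ticket "$dns_server" "$ad_realm"; then
        # GSS-TSIG signed update using the ticket just obtained.
        ptr_update_script "$ip" "$fqdn" "$dns_server" | nsupdate -g
    else
        echo "cannot get a ticket for DNS/$dns_server@$ad_realm;" \
             "send this batch with a keytab/TSIG key or apply it manually:" >&2
        ptr_update_script "$ip" "$fqdn" "$dns_server"
    fi
}

# Usage: sh ptr_update.sh 192.0.2.10 client.ipa.example. dc1.ad.example AD.EXAMPLE
# main runs only when all four arguments are given, so the file can also be
# sourced to reuse the helper functions.
[ $# -eq 4 ] && main "$@"
```

The check uses kvno rather than kinit because it exercises exactly the step that fails in the scenario above: obtaining a service ticket in the trusted AD realm with the client's existing FreeIPA credentials.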
