On Thu, May 30, 2013 at 05:05:52PM +0300, Alexander Bokovoy wrote:
>On Thu, 30 May 2013, Jakub Hrozek wrote:
>>On Thu, May 30, 2013 at 02:07:00PM +0200, Sumit Bose wrote:
>>>On Tue, May 28, 2013 at 01:20:15PM +0200, Sumit Bose wrote:
>>>> Hi,
>>>>
>>>> I have created a design page for one of the next major features of SSSD
>>>> at https://fedorahosted.org/sssd/wiki/DesignDocs/IPAServerMode . The
>>>> basic idea is that if SSSD is running on a FreeIPA server it should help
>>>> the FreeIPA server to look up users and groups from trusted domains.
>>>>
>>>> For your convenience the content can be found below as well.
>>>>
>>>> Comments and suggestions are welcome.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>
>>>Thanks to Jakub and Dmitri for their suggestions. I have updated the
>>>page accordingly. Comments and suggestions are still welcome :-)
>>>
>>>bye,
>>>Sumit
>>
>>We had a discussion in the morning with Alexander on #sssd. He suggested
>>that the SSSD might expose the list of trusted AD domains, maybe via
>>libnss_sss_idmap. I think this would work and this library would be a
>>good place to add the functionality.
>>
>>Also I will open a new ticket to store additional information about
>>trusted domains that IPA needs.
>The reason I've asked about that API extension is to avoid duplicating
>code paths in IPA and SSSD when running on the IPA server to support
>transitive trusts in FreeIPA 3.4.
>When IPA establishes trust to an AD domain, we will need to run a query to
>fetch trusted domain objects for the AD forest. This information is
>available over a secure channel in AD, which has an unfortunate serialization
>requirement. Schannel is controlled by winbindd; we cannot open a
>separate schannel as that would make the first one obsolete.
>So this means IPA would need to resort to fetching TDOs from the Global
>Catalog, essentially re-creating the work that SSSD is putting into 1.11.
OK, thank you for the clarification. I filed two tickets to track these:
https://fedorahosted.org/sssd/ticket/1957
https://fedorahosted.org/sssd/ticket/1958
But since these are not needed to reach the goal of 1.11, I suspect the
enhancements will be implemented in 1.12.