[Freeipa-devel] Planning for v2: How to deal with kerberos trusts?

Geert Jansen gjansen at redhat.com
Mon Apr 7 20:02:55 UTC 2008 

Hi Simo, List,

tough questions :) First some things that I do not think we can do. 
Maybe this will make things clearer:

 - I do not think we can require posix user names to be unique across 
trusted realms. To make them unique, we could augment them with the 
realm (user at realm). However I don't think we can do this either... Some 
applications break with user names > 8 characters (notably older Oracle 
versions). It would also break the default aname to lname mapping in 
Kerberos as that just appends @domain to the posix name.

 - I do not think we can require numeric user id's to be unique across 
trusted realms. Here we don't even have an option of prefixing them with 
something else as our name space is too small.

So what is the use case for multiple realms? I can think of a few:

 - Delegation or administrative duties (user mgmt etc): should be 
achievable without trusted realms so not an argument.
 - Privilege separation: yes, as long as local administrators control 
what privileges are assigned to foreign principals.
 - A merger of two companies (or two independent naming domains): two 
trusted realms could be useful during the transition period where there 
is non-unique data across the realms.
 - Performance improvements. I assume there is no or very little 
synchronization traffic between the trusted realms so you could use this 
to separate different regions and save on inter-regional bandwidth cost.

So given these the idea that pops to my mind is to use some kind of user 
mapping process to map foreign principals onto local posix accounts. 
Essentially, the mapping information should be held in the local realm 
to ensure proper security separation. Administrators should be able to 
set up a default mapping such as "guest", and also per-user mappings.

Now is this useful, or is this scheme so watered down that it does not 
give you much value when compared to a single big realm and no user 
mapping? I think this depends on how many user mappings you will need. 
If the primary use case is to give foreign users access to data that 
requires authentication but no authorisation then a single default 
mapping could suffice and the whole scheme could be quite useful. If on 
the other hand every foreign user needs a locally mapped user then maybe 
there are not many advantages of a single big realm without user mapping.

Just my 2 cents.

Regards,
Geert

-- 
Geert Jansen
Product Manager EMEA
Red Hat Nederland B.V.         T: +31 6 293 191 57
Printerweg 44                  E: gjansen at redhat.com
3821 AD Amersfoort, NL

More information about the Freeipa-devel mailing list