On Thu, 18 Oct 2012, Sumit Bose wrote:
On Thu, Oct 18, 2012 at 10:00:54PM +0300, Alexander Bokovoy wrote:
Hi,

this is work in progress, shared mostly to get comments.

Simo, Sumit, this is an attempt to resolve external group members from
trusted domains using their Global Catalog services.

The code quickly became complex because it needs to do a lot of
additional activity. A rough sequence is the following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller
3. Fetch trusted domain account auth info
4. Set up ccache in /tmp/krb5cc_TRUSTEDDOMAIN with principal
   ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace an external member name by SID in the group-add-member
   command

Right now I'm failing at SASL interactive bind as Global Catalog does
not accept the credentials in DomainValidator.__resolve_against_gc(),
perhaps because I'm using LDAP SASL interactive bind wrongly. It is late
here so I might simply be blind already.

[Thu Oct 18 21:42:08.924696 2012] [:error] [pid 7831] [client 192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1', 'desc': 'Invalid credentials'}

Note that ccache is successfully created and populated and
is usable from command line via ldapsearch:

...
+
+    def __resolve_against_gc(self, info, name):
+        conn = IPAdmin(host=info['dc'], port=3268)
+        auth = self.__extract_trusted_auth(info)
+        if auth:
+            (ccache_name, principal) = self.__kinit_as_trusted_account(info, 
auth)
+            if ccache_name:
+                cb_info = dict()
+                (CB_USER, CB_GETREALM) = (0x4001, 0x4008)
+                cb_info[CB_USER] = principal
+                cb_info[CB_GETREALM] = info['dns_domain'].upper()
+                sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
+                old_ccache = os.environ.get('KRB5CCNAME')
+                os.environ["KRB5CCNAME"] = ccache_name
+                conn.sasl_interactive_bind_s(None, sasl_auth)
+                os.environ["KRB5CCNAME"] = old_ccache
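Review bot: the restore on the hunk's last line, `os.environ["KRB5CCNAME"] = old_ccache`, is never reached when `conn.sasl_interactive_bind_s()` raises, which is exactly the INVALID_CREDENTIALS case this mail is about, so the server process is left with KRB5CCNAME still pointing at the trusted-domain ccache; and when KRB5CCNAME was not set beforehand, `old_ccache` is None and the assignment itself fails with TypeError because os.environ only accepts strings. Put the bind in a try/finally and, in the finally branch, `del os.environ["KRB5CCNAME"]` when `old_ccache is None` and assign it back otherwise. Separately, consider dropping CB_USER from `cb_info`: for a GSSAPI bind that callback supplies the authorization identity, not the principal to authenticate as (python-ldap's own `ldap.sasl.gssapi` helper defaults it to an empty string), and the principal is already selected by the ccache that KRB5CCNAME points to; an authzid the Global Catalog refuses is one candidate for the 'AcceptSecurityContext error' in the log, and binding with `_ldap.sasl.sasl({}, 'GSSAPI')` would rule it in or out quickly.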

Are you sure the bind is already finished here? I haven't looked at the
implementation, but if it does a lazy bind, i.e. only bind when the
first request is made, it will see the wrong ccache. Can you try to
set KRB5CCNAME to the old value after calling conn.getEntry()?
Yes, I'm sure because it raises exception from within
sasl_interactive_bind_s() call, it never ever gets to the next line.

[Thu Oct 18 23:28:12.421356 2012] [:error] [pid 8183] [client 192.168.111.206:0]     conn.sasl_interactive_bind_s(None, sasl_auth)
[Thu Oct 18 23:28:12.421412 2012] [:error] [pid 8183] [client 192.168.111.206:0]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 556, in sasl_interactive_bind_s
[Thu Oct 18 23:28:12.421832 2012] [:error] [pid 8183] [client 192.168.111.206:0]     return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
[Thu Oct 18 23:28:12.421854 2012] [:error] [pid 8183] [client 192.168.111.206:0]   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
[Thu Oct 18 23:28:12.422086 2012] [:error] [pid 8183] [client 192.168.111.206:0]     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
[Thu Oct 18 23:28:12.422108 2012] [:error] [pid 8183] [client 192.168.111.206:0]   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
[Thu Oct 18 23:28:12.422134 2012] [:error] [pid 8183] [client 192.168.111.206:0]     result = func(*args,**kwargs)
[Thu Oct 18 23:28:12.422196 2012] [:error] [pid 8183] [client 192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1', 'desc': 'Invalid credentials'}

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
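The ccache switch around the bind and the SID handling from the sequence in the first mail (steps 4 through 8), as an added example that is not part of the patch or of FreeIPA's own code. It uses only the Python standard library: the LDAP bind itself is represented by a caller-supplied callable rather than python-ldap, so the point shown is that KRB5CCNAME is restored (or removed again, if it was unset) even when that callable raises, which is the case the thread's traceback shows. `temporary_ccache`, `bind_under_ccache`, `decode_sid`, `encode_sid`, `sid_filter` and the sample objectSid bytes are all names and data assumed here for illustration; the SID layout follows the binary format AD returns in objectSid (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) and the filter escaping follows RFC 4515.

```python
import contextlib
import os
import struct


@contextlib.contextmanager
def temporary_ccache(ccache_name):
    """Point KRB5CCNAME at ccache_name for the duration of the block.

    The previous value is put back afterwards, or the variable is removed
    if it was not set before (assigning None to os.environ raises), and
    this happens even when the body raises, e.g. INVALID_CREDENTIALS out
    of a SASL bind.
    """
    old = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = ccache_name
    try:
        yield ccache_name
    finally:
        if old is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = old


def bind_under_ccache(ccache_name, bind):
    """Run bind() (hypothetical stand-in for conn.sasl_interactive_bind_s)
    with KRB5CCNAME pointing at ccache_name; returns whatever bind() returns
    and re-raises whatever it raises, restoring the environment either way."""
    with temporary_ccache(ccache_name):
        return bind()


def decode_sid(blob):
    """Binary objectSid (bytes from LDAP) -> 'S-1-5-21-...' string."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    # MS-DTYP allows at most 15 sub-authorities; length must match the count.
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid):
    """'S-1-5-21-...' string -> binary objectSid, the inverse of decode_sid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("malformed SID string: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_filter(sid):
    """LDAP search filter matching an object by SID; binary bytes are
    escaped as \\xx per RFC 4515 so the filter is safe to send as-is."""
    blob = encode_sid(sid)
    return "(objectSid=" + "".join("\\%02x" % b for b in blob) + ")"


# Constructed sample: the objectSid of BUILTIN\Administrators (S-1-5-32-544)
# as a Global Catalog would return it.
SAMPLE_OBJECTSID = b"\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00"

if __name__ == "__main__":
    print(decode_sid(SAMPLE_OBJECTSID))
    print(sid_filter("S-1-5-32-544"))
    # The stand-in bind just reports which ccache it would have used.
    print(bind_under_ccache("/tmp/krb5cc_EXAMPLE",
                            lambda: os.environ["KRB5CCNAME"]))
    print("KRB5CCNAME after bind:", os.environ.get("KRB5CCNAME"))
```

With a real python-ldap connection the `bind` callable would be `lambda: conn.sasl_interactive_bind_s(None, sasl_auth)`; the GSSAPI mechanism picks up the credentials from the ccache that KRB5CCNAME names at the moment the bind runs, which is why the variable has to be set before and cleaned up after that single call rather than for the life of the process.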
