On Thu, Oct 18, 2012 at 11:42:34PM +0300, Alexander Bokovoy wrote:
> On Thu, 18 Oct 2012, Sumit Bose wrote:
> >On Thu, Oct 18, 2012 at 10:00:54PM +0300, Alexander Bokovoy wrote:
> >>Hi,
> >>
> >>this is work in progress, shared mostly to get comments.
> >>
> >>Simo, Sumit, this is an attempt to resolve external group members from
> >>trusted domains using their Global Catalog services.
> >>
> >>The code quickly became complex because it needs to do a lot of
> >>additional activity. A rough sequence is the following:
> >>1. Match external member against existing trusted domain
> >>2. Find trusted domain's domain controller
> >>3. Fetch trusted domain account auth info
> >>4. Set up ccache in /tmp/krb5cc_TRUSTEDDOMAIN with principal
> >>   ourdomain$@trusted.domain
> >>5. Do LDAP SASL interactive bind using the ccache
> >>6. Search for the member's SID
> >>7. Decode SID
> >>8. Replace an external member name by SID in the group-add-member
> >>   command
> >>
> >>Right now I'm failing at SASL interactive bind as Global Catalog does
> >>not accept the credentials in DomainValidator.__resolve_against_gc(),
> >>perhaps because I'm using LDAP SASL interactive bind wrongly. It is late
> >>here so I might simply be blind already.
> >>
> >>[Thu Oct 18 21:42:08.924696 2012] [:error] [pid 7831] [client
> >>192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr:
> >>DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1',
> >>'desc': 'Invalid credentials'}
> >>
> >>Note that the ccache is successfully created and populated and
> >>is usable from the command line via ldapsearch:
> >>
> >...
> >>+
> >>+ def __resolve_against_gc(self, info, name):
> >>+ conn = IPAdmin(host=info['dc'], port=3268)
> >>+ auth = self.__extract_trusted_auth(info)
> >>+ if auth:
> >>+ (ccache_name, principal) =
> >>self.__kinit_as_trusted_account(info, auth)
> >>+ if ccache_name:
> >>+ cb_info = dict()
> >>+ (CB_USER, CB_GETREALM) = (0x4001, 0x4008)
> >>+ cb_info[CB_USER] = principal
> >>+ cb_info[CB_GETREALM] = info['dns_domain'].upper()
> >>+ sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
> >>+ old_ccache = os.environ.get('KRB5CCNAME')
> >>+ os.environ["KRB5CCNAME"] = ccache_name
> >>+ conn.sasl_interactive_bind_s(None, sasl_auth)
> >>+ os.environ["KRB5CCNAME"] = old_ccache
> >
> >Are you sure the bind is already finished here? I haven't looked at the
> >implementation, but if it does a lazy bind, i.e. only bind when the
> >first request is made, it will see the wrong ccache. Can you try to
> >set KRB5CCNAME to the old value after calling conn.getEntry()?
> Yes, I'm sure, because it raises an exception from within the
> sasl_interactive_bind_s() call; it never ever gets to the next line.
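Review bot: the restore `os.environ["KRB5CCNAME"] = old_ccache` at the end of the hunk is skipped whenever `conn.sasl_interactive_bind_s()` raises (exactly the INVALID_CREDENTIALS case in the log), so the server process keeps running with the trusted-domain ccache in its environment; put the bind in a `try:` and the restore in a `finally:`. The restore is also wrong when KRB5CCNAME was not set before: `os.environ.get('KRB5CCNAME')` returns None and assigning None into `os.environ` raises TypeError instead of unsetting the variable, so branch on `old_ccache is None` and `del os.environ["KRB5CCNAME"]` in that case. Minor: python-ldap already exports `ldap.sasl.CB_USER` and `ldap.sasl.CB_GETREALM`, so the literal `(0x4001, 0x4008)` tuple can go, and the unused `name` parameter should either be used for the SID search or dropped from the signature.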
>
> [Thu Oct 18 23:28:12.421356 2012] [:error] [pid 8183] [client
> 192.168.111.206:0] conn.sasl_interactive_bind_s(None, sasl_auth)
> [Thu Oct 18 23:28:12.421412 2012] [:error] [pid 8183] [client
> 192.168.111.206:0] File
> "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 556, in
> sasl_interactive_bind_s
> [Thu Oct 18 23:28:12.421832 2012] [:error] [pid 8183] [client
> 192.168.111.206:0] return self.conn.sasl_interactive_bind_s(who, auth,
> serverctrls, clientctrls, sasl_flags)
> [Thu Oct 18 23:28:12.421854 2012] [:error] [pid 8183] [client
> 192.168.111.206:0] File
> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
> sasl_interactive_bind_s
> [Thu Oct 18 23:28:12.422086 2012] [:error] [pid 8183] [client
> 192.168.111.206:0] return
> self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> [Thu Oct 18 23:28:12.422108 2012] [:error] [pid 8183] [client
> 192.168.111.206:0] File
> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
> _ldap_call
> [Thu Oct 18 23:28:12.422134 2012] [:error] [pid 8183] [client
> 192.168.111.206:0] result = func(*args,**kwargs)
> [Thu Oct 18 23:28:12.422196 2012] [:error] [pid 8183] [client
> 192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1', 'desc':
> 'Invalid credentials'}
>
ok, another guess. In the Python docs it is said: "Such changes to the
environment affect subprocesses started with os.system(), popen() or
fork() and execv()." So I guess os.environ["KRB5CCNAME"] = something does
not change the environment of the running process, but only Python data.
If I try to set a new env var in the Python interpreter and look at
/proc/PID/environ from a different shell, I see no changes.

bye,
Sumit

> --
> / Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
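Added example, not code from the patch or from anyone in this thread: a small Python script that checks the two things the exchange turns on. First, what a C library loaded in the same process (libkrb5, Cyrus SASL) actually sees after an `os.environ` assignment, read through libc's `getenv()` rather than through `/proc/PID/environ`, which only shows the block the process was started with. Second, a `KRB5CCNAME` switch written as a context manager so the previous value is restored in a `finally:` even when the bind raises, and an originally unset variable is unset again instead of being assigned None. `failing_bind()` and `successful_bind()` are constructed stand-ins for `conn.sasl_interactive_bind_s()`; the ccache path is the one named in the thread and is not created on disk.

```python
import ctypes
import ctypes.util
import os
from contextlib import contextmanager

# Constructed value for the example; mirrors the path named in the thread.
TRUSTED_CCACHE = "/tmp/krb5cc_TRUSTEDDOMAIN"


def c_level_getenv(name):
    """Read a variable through libc's getenv(), bypassing the os.environ dict.

    This is the view a C library in the same process (libkrb5, Cyrus SASL)
    has of the environment. /proc/PID/environ is the initial environment
    block and never reflects later putenv()/unsetenv() calls.
    """
    libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
    libc.getenv.restype = ctypes.c_char_p
    libc.getenv.argtypes = [ctypes.c_char_p]
    value = libc.getenv(name.encode())
    return None if value is None else value.decode()


def environ_assignment_is_visible_to_c(name="FREEIPA_EXAMPLE_VAR"):
    """Set a variable via os.environ and report what getenv() sees while it is
    set and after it is deleted again. Returns (during, after)."""
    os.environ[name] = "set-from-python"   # os.environ.__setitem__ calls putenv()
    during = c_level_getenv(name)
    del os.environ[name]                   # os.environ.__delitem__ calls unsetenv()
    return during, c_level_getenv(name)


@contextmanager
def krb5_ccache(path):
    """Point KRB5CCNAME at `path` for the block and restore the prior state.

    Restoration runs even when the body raises; a variable that was unset
    before is unset again rather than assigned None (which raises TypeError).
    """
    old = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        if old is None:
            del os.environ["KRB5CCNAME"]
        else:
            os.environ["KRB5CCNAME"] = old


def failing_bind():
    """Constructed stand-in for a SASL bind the server rejects."""
    raise RuntimeError("INVALID_CREDENTIALS")


def successful_bind():
    """Constructed stand-in for a SASL bind that completes."""
    return "bound"


def bind_with_trusted_ccache(bind_fn, ccache_path=TRUSTED_CCACHE, initial=None):
    """Run bind_fn() with KRB5CCNAME switched to the trusted-domain ccache.

    `initial` is the value KRB5CCNAME holds before the call (None = unset) so
    both restore paths can be exercised. Returns a dict with what libc saw
    during the bind, the error message if the bind raised, and the value of
    KRB5CCNAME after the call.
    """
    if initial is None:
        os.environ.pop("KRB5CCNAME", None)
    else:
        os.environ["KRB5CCNAME"] = initial
    record = {"during": None, "error": None}
    try:
        with krb5_ccache(ccache_path):
            record["during"] = c_level_getenv("KRB5CCNAME")
            record["result"] = bind_fn()
    except RuntimeError as exc:
        record["error"] = str(exc)
    record["after"] = os.environ.get("KRB5CCNAME")
    return record


if __name__ == "__main__":
    print(environ_assignment_is_visible_to_c())
    print(bind_with_trusted_ccache(successful_bind))
    print(bind_with_trusted_ccache(failing_bind, initial="FILE:/tmp/krb5cc_0"))
```

Running it shows the variable is visible to `getenv()` while set and gone after the `del`, and that `KRB5CCNAME` is back to its original state (including "unset") after both the successful and the failing bind. The one assumption that matters operationally is the one the thread's own traceback supports: the bind is performed synchronously inside `sasl_interactive_bind_s()`, so the ccache only needs to be in place for the duration of that call.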