On Thu, 18 Oct 2012, Sumit Bose wrote:
>On Thu, Oct 18, 2012 at 10:00:54PM +0300, Alexander Bokovoy wrote:
>>Hi,
>>
>>this is work in progress, shared mostly to get comments.
>>
>>Simo, Sumit, this is an attempt to resolve external group members from
>>trusted domains using their Global Catalog services.
>>
>>The code quickly became complex because it needs to do a lot of
>>additional activity. A rough sequence is following:
>>1. Match external member against existing trusted domain
>>2. Find trusted domain's domain controller
>>3. Fetch trusted domain account auth info
>>4. Set up ccache in /tmp/krb5cc_TRUSTEDDOMAIN with principal
>> ourdomain$@trusted.domain
>>5. Do LDAP SASL interactive bind using the ccache
>>6. Search for the member's SID
>>7. Decode SID
>>8. Replace an external member name by SID in the group-add-member
>> command
>>
>>Right now I'm failing at SASL interactive bind as Global Catalog does
>>not accept the credentials in DomainValidator.__resolve_against_gc(),
>>perhaps because I'm using LDAP SASL interactive bind wrongly. It is late
>>here so I might simply be blind already.
>>
>>[Thu Oct 18 21:42:08.924696 2012] [:error] [pid 7831] [client
>>192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr:
>>DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1',
>>'desc': 'Invalid credentials'}
>>
>>Note that ccache is successfully created and populated and
>>is usable from command line via ldapsearch:
>>
>...
>>+
>>+ def __resolve_against_gc(self, info, name):
>>+ conn = IPAdmin(host=info['dc'], port=3268)
>>+ auth = self.__extract_trusted_auth(info)
>>+ if auth:
>>+ (ccache_name, principal) = self.__kinit_as_trusted_account(info,
auth)
>>+ if ccache_name:
>>+ cb_info = dict()
>>+ (CB_USER, CB_GETREALM) = (0x4001, 0x4008)
>>+ cb_info[CB_USER] = principal
>>+ cb_info[CB_GETREALM] = info['dns_domain'].upper()
>>+ sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
>>+ old_ccache = os.environ.get('KRB5CCNAME')
>>+ os.environ["KRB5CCNAME"] = ccache_name
>>+ conn.sasl_interactive_bind_s(None, sasl_auth)
>>+ os.environ["KRB5CCNAME"] = old_ccache
>
>Are you sure the bind is already finished here? I haven't looked at the
>implementation, but if it does a lazy bind, i.e. only bind when the
>first request is made, it will see the wrong ccache. Can you try to
>set KRB5CCNAME to the old value after calling conn.getEntry()?
Yes, I'm sure because it raises exception from within
sasl_interactive_bind_s() call, it never ever gets to the next line.
[Thu Oct 18 23:28:12.421356 2012] [:error] [pid 8183] [client
192.168.111.206:0] conn.sasl_interactive_bind_s(None, sasl_auth)
[Thu Oct 18 23:28:12.421412 2012] [:error] [pid 8183] [client 192.168.111.206:0] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 556, in
sasl_interactive_bind_s
[Thu Oct 18 23:28:12.421832 2012] [:error] [pid 8183] [client
192.168.111.206:0] return self.conn.sasl_interactive_bind_s(who, auth,
serverctrls, clientctrls, sasl_flags)
[Thu Oct 18 23:28:12.421854 2012] [:error] [pid 8183] [client 192.168.111.206:0] File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
sasl_interactive_bind_s
[Thu Oct 18 23:28:12.422086 2012] [:error] [pid 8183] [client
192.168.111.206:0] return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
[Thu Oct 18 23:28:12.422108 2012] [:error] [pid 8183] [client 192.168.111.206:0] File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
[Thu Oct 18 23:28:12.422134 2012] [:error] [pid 8183] [client
192.168.111.206:0] result = func(*args,**kwargs)
[Thu Oct 18 23:28:12.422196 2012] [:error] [pid 8183] [client
192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr:
DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1', 'desc':
'Invalid credentials'}