On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
The sequence is as follows:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN
with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
https://fedorahosted.org/freeipa/ticket/3211
---
ipalib/plugins/group.py | 32 +++++----
ipaserver/dcerpc.py | 172 +++++++++++++++++++++++++++++++++++++++++----
ipaserver/plugins/ldap2.py | 3 +
3 files changed, 181 insertions(+), 26 deletions(-)
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index
a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef
100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -83,28 +83,30 @@ External members should be added to groups that
specifically created as
external and non-POSIX. Such group later should be included into one
of POSIX
groups.
-An external group member is currently a Security Identifier as
defined by
-the trusted domain.
+An external group member is currently a Security Identifier (SID) as
defined by
+the trusted domain. When adding external group members, it is
possible to
+specify them in either SID, or DOM\\name, or name@domain format. IPA
will attempt
+to resolve passed name to SID with the use of Global Catalog of the
trusted domain.
Example:
-1. Make note of the trusted domain security identifier
-
- domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut
-d: -f2`
-
-2. Create group for the trusted domain admins' mapping and their
local POSIX group:
+1. Create group for the trusted domain admins' mapping and their
local POSIX group:
ipa group-add --desc='<ad.domain> admins external map'
ad_admins_external --external
ipa group-add --desc='<ad.domain> admins' ad_admins
-3. Add security identifier of Domain Admins of the <ad.domain> to
the ad_admins_external
- group (security identifier of <ad.domain SID>-513 is Domain
Admins group):
+2. Add security identifier of Domain Admins of the <ad.domain> to
the ad_admins_external
+ group:
- ipa group-add-member ad_admins_external --external ${domainsid}-513
+ ipa group-add-member ad_admins_external --external 'AD\\Domain
Admins'
-4. Allow members of ad_admins_external group to be associated with
ad_admins POSIX group:
+3. Allow members of ad_admins_external group to be associated with
ad_admins POSIX group:
ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to
see their SIDs:
+
+ ipa group-show ad_admins_external
""")
A text similar to this is available when you run ipa help trust, I guess
you should change that one too.
I am trying to add a Windows group now and getting this trace in my HTTP
server:
[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME
environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi
(pid=20825): Exception occurred processing WSGI script
'/usr/share/ipa/wsgi.py'.
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback
(most recent call last):
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/share/ipa/wsgi.py", line 49, in application
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
api.Backend.wsgi_dispatch(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248,
in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
self.route(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260,
in route
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
app(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158,
in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
response = super(xmlserver_session, self).__call__(environ,
start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707,
in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
response = super(xmlserver, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 375,
in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
response = self.wsgi_execute(environ)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334,
in wsgi_execute
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] result
= self.Command[name](*args, **options)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in
__call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] ret =
self.run(*args, **options)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
self.execute(*args, **options)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
1590, in execute
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
**options)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipalib/plugins/group.py", line 387,
in post_callback
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 227, in
get_sid_trusted_domain_object
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] entry
= self.__resolve_against_gc(info, components['name'])
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 279, in
__resolve_against_gc
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
conn.sasl_interactive_bind_s(None, sasl_auth)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
562, in sasl_interactive_bind_s
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
sasl_flags)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
sasl_interactive_bind_s
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
_ldap_call
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] result
= func(*args,**kwargs)