On Mon, 2012-10-29 at 23:03 +0200, Alexander Bokovoy wrote: > On Mon, 29 Oct 2012, Simo Sorce wrote: > >On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote: > >> A sequence is following: > >> 1. Match external member against existing trusted domain > >> 2. Find trusted domain's domain controller > >> 3. Fetch trusted domain account auth info > >> 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with > >> principal ourdomain$@trusted.domain > >> 5. Do LDAP SASL interactive bind using the ccache > >> 6. Search for the member's SID > >> 7. Decode SID > >> 8. Replace external member name by SID > >> > >> https://fedorahosted.org/freeipa/ticket/3211 > >> --- > >> ipalib/plugins/group.py | 32 +++++---- > >> ipaserver/dcerpc.py | 172 > >> +++++++++++++++++++++++++++++++++++++++++---- > >> ipaserver/plugins/ldap2.py | 3 + > >> 3 files changed, 181 insertions(+), 26 deletions(-) > >> > >> diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py > >> index > >> a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef > >> 100644 > >> --- a/ipalib/plugins/group.py > >> +++ b/ipalib/plugins/group.py 
> >> @@ -83,28 +83,30 @@ External members should be added to groups that > >> specifically created as > >> external and non-POSIX. Such group later should be included into one of > >> POSIX > >> groups. > >> > >> -An external group member is currently a Security Identifier as defined by > >> -the trusted domain. > >> +An external group member is currently a Security Identifier (SID) as > >> defined by > >> +the trusted domain. When adding external group members, it is possible to > >> +specify them in either SID, or DOM\\name, or name@domain format. IPA will > >> attempt > >> +to resolve passed name to SID with the use of Global Catalog of the > >> trusted domain. > >> > >> Example: > >> > >> -1. Make note of the trusted domain security identifier > >> - > >> - domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut -d: > >> -f2` > >> - > >> -2. Create group for the trusted domain admins' mapping and their local > >> POSIX group: > >> +1. Create group for the trusted domain admins' mapping and their local > >> POSIX group: > >> > >> ipa group-add --desc='<ad.domain> admins external map' > >> ad_admins_external --external > >> ipa group-add --desc='<ad.domain> admins' ad_admins > >> > >> -3. Add security identifier of Domain Admins of the <ad.domain> to the > >> ad_admins_external > >> - group (security identifier of <ad.domain SID>-513 is Domain Admins > >> group): > >> +2. Add security identifier of Domain Admins of the <ad.domain> to the > >> ad_admins_external > >> + group: > >> > >> - ipa group-add-member ad_admins_external --external ${domainsid}-513 > >> + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' > >> > >> -4. Allow members of ad_admins_external group to be associated with > >> ad_admins POSIX group: > >> +3. Allow members of ad_admins_external group to be associated with > >> ad_admins POSIX group: > >> > >> ipa group-add-member ad_admins --groups ad_admins_external > >> + > >> +4. 
List members of external members of ad_admins_external group to see > >> their SIDs: > >> + > >> + ipa group-show ad_admins_external > >> """)
> >
> >A text similar to this is available when you run ipa help trust, I guess
> >you should change that one too.
> Right. I'll fix that.
> >
> >I am trying to add a windows group now and getting this trace in my http
> >server:
> >
> >[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi (pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most recent call last):
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/share/ipa/wsgi.py", line 49, in application
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return api.Backend.wsgi_dispatch(environ, start_response)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return self.route(environ, start_response)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260, in route
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return app(environ, start_response)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158, in __call__
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     response = super(xmlserver_session, self).__call__(environ, start_response)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707, in __call__
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     response = super(xmlserver, self).__call__(environ, start_response)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 375, in __call__
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     response = self.wsgi_execute(environ)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     result = self.Command[name](*args, **options)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     ret = self.run(*args, **options)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return self.execute(*args, **options)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1590, in execute
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     **options)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/group.py", line 387, in post_callback
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 227, in get_sid_trusted_domain_object
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     entry = self.__resolve_against_gc(info, components['name'])
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 279, in __resolve_against_gc
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     conn.sasl_interactive_bind_s(None, sasl_auth)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 562, in sasl_interactive_bind_s
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     result = func(*args,**kwargs)
> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
> Somehow name resolution failed for you -- you probably need to restart
> named before it actually would start working. I had similar issues with
> caching of forwarder rules.
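Review bot: the new docstring step "4. List members of external members of ad_admins_external group to see their SIDs:" reads awkwardly; suggest "List the external members of the ad_admins_external group to see their SIDs:". In the same hunk, "IPA will attempt to resolve passed name to SID" should be "the passed name", and the untouched context line "groups that specifically created as external" is missing "are" while you are editing this paragraph. The added paragraph documents the new DOM\\name and name@domain input forms and the Global Catalog lookup but not what the user sees when the name cannot be resolved there; since step 2 of the example now relies on that lookup instead of a SID, one sentence on the failure case would help.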
Name resolution is working just fine (this trust was established a few weeks ago), and even after restarting named the error persists.
What is odd is that something is trying to resolve a *numeric* address? Is something trying to do reverse resolution? Because *that* is certainly going to fail in my setup and we should not depend on it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
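As an added example, not code from the patch or from FreeIPA: a pure-Python sketch of steps 1, 6, 7 and 8 of the sequence in the quoted commit message (classify the member as SID, DOM\name or name@domain; decode the binary objectSid a Global Catalog search returns; check that the result belongs to the trusted domain before it replaces the member name). The trusted-domain SID and names and the dictionary standing in for the GC search are constructed values.

```python
import re
import struct

# Constructed values, not from the patch: the trusted domain's SID and names,
# and a dictionary standing in for a Global Catalog search (name -> objectSid).
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TRUSTED_DOMAIN_NAMES = {"AD", "AD.EXAMPLE"}
FAKE_GC = {"domain admins": bytes([1, 5, 0, 0, 0, 0, 0, 5])
           + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 513)}

def parse_external_member(value):
    """Return (sid, domain, name) for SID, DOM\\name or name@domain input."""
    if re.match(r"^S-1-\d+(?:-\d+)+$", value):
        return value, None, None
    if "\\" in value:
        dom, name = value.split("\\", 1)
    elif "@" in value:
        name, dom = value.rsplit("@", 1)
    else:
        raise ValueError("unrecognised external member format: %r" % value)
    return None, dom.upper(), name

def decode_sid(blob):
    """Decode a binary objectSid: revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def sid_in_trusted_domain(sid, domain_sid=TRUSTED_DOMAIN_SID):
    """Accept only a SID whose domain prefix is the trusted domain's SID, so a
    resolved name cannot map to a principal from an unrelated domain."""
    return sid.rsplit("-", 1)[0] == domain_sid

def resolve_external_member(value, gc=FAKE_GC):
    """Turn the user-supplied member into a validated SID string (step 8)."""
    sid, dom, name = parse_external_member(value)
    if sid is None:
        if dom not in TRUSTED_DOMAIN_NAMES:          # step 1: known trusted domain?
            raise ValueError("%s is not a trusted domain" % dom)
        blob = gc.get(name.lower())                  # step 6: GC search by name
        if blob is None:
            raise LookupError("%s not found in the Global Catalog" % value)
        sid = decode_sid(blob)                       # step 7: decode objectSid
    if not sid_in_trusted_domain(sid):
        raise ValueError("%s does not belong to the trusted domain" % sid)
    return sid
```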