On Wed, 02 Oct 2013, Tomas Babej wrote:
> > I'll send new patchset shortly.
> >
> > New patchset is attached.
> >
> > 1. Added test update for ipalib/frontend.py changes
> > 2. Used LDAPQuery as base for trustdomain_enable|disable commands as suggested by Honza.
> > 3. Fixed issues with removal of trust account password authentication
> > 4. Added support to use AD administrator credentials when fetching subdomains information when we establish trust, as Kerberos will not be available for cross-realm operations yet.
> > 5. Patch 0123 is not part of the patchset and should not be committed; we will discuss exact semantics of transition checks with MIT Kerberos upstream first.
> > 6. Fixed a few error paths and dead-end cases like an attempt to disable the root domain of the trust (renders the trust dead) or enabling it (it is always enabled).
> > 7. Made clear that deleting the root domain of the trust is not possible, use trust-del instead.
> > 8. Removed whitespaces where seen.
>
> Thanks! This fixes most of the issues I had.
>
> To summarize, two issues from today's functional testing we already discussed on IRC:
>
> 1.) The blacklisting for the child domain does not work (it works fine for the root domain).
> Thus, ipa trustdomain-disable for the child domain does not reject access to IPA's resources:
>
> [tbabej@vm-147 labtool]$ ipa trustdomain-disable tbad.idm.lab.eng.brq.redhat.com child.tbad.idm.lab.eng.brq.redhat.com
> ------------------------------------------------------------------------------------------------------------------------------------
> Domain child.tbad.idm.lab.eng.brq.redhat.com of trust tbad.idm.lab.eng.brq.redhat.com is already not allowed to access IPA resources
> ------------------------------------------------------------------------------------------------------------------------------------
> [tbabej@vm-147 labtool]$ kdestroy
> [tbabej@vm-147 labtool]$ kvno -S ldap `hostname`
> kvno: Credentials cache file '/run/user/536/krb5cc/tkt1sLaOS' not found while getting client principal name
> [tbabej@vm-147 labtool]$ kinit [email protected]
> Password for [email protected]:
> [tbabej@vm-147 labtool]$ klist
> Ticket cache: DIR::/run/user/536/krb5cc/tktS7Bkhj
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 10/02/2013 21:28:52  10/03/2013 07:28:52  krbtgt/child.tbad.idm.lab.eng.brq.redhat....@child.tbad.idm.lab.eng.brq.redhat.com
>         renew until 10/03/2013 21:28:46
> [tbabej@vm-147 labtool]$ kvno -S ldap `hostname`
> ldap/vm-147.dom147.tbad.idm.lab.eng.brq.redhat....@dom147.tbad.idm.lab.eng.brq.redhat.com: kvno = 2
>
> We should have been denied access here.
Right. This is a *very good* finding. Since we put information about the black list only into the root level domain of the trust, we need to reference the root level domain when checking a subdomain. We don't do that right now, and it is needed also in Sumit's patches, so I'll work on merging them.

Here is my plan: make a helper that identifies the root domain for the trusted domain (Sumit's code already has this), fetch the root domain of the trust and validate this domain's SID against the black list associated with the root domain in filter_logon_info().

Here is the MS-PAC dump I've got for the user from a subdomain. Note that its info.info.info3.sids array contains a SID of the root domain's object.

Successfully validated Kerberos PAC
pac_data: struct PAC_DATA
  num_buffers : 0x00000005 (5)
  version : 0x00000000 (0)
  buffers: ARRAY(5)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_LOGON_INFO (1)
      _ndr_size : 0x000001e8 (488)
      info : *
        info : union PAC_INFO(case 1)
        logon_info: struct PAC_LOGON_INFO_CTR
          info : *
            info: struct PAC_LOGON_INFO
              info3: struct netr_SamInfo3
                base: struct netr_SamBaseInfo
                  logon_time : Wed Oct 2 10:00:50 PM 2013 CEST
                  logoff_time : Thu Sep 14 04:48:05 AM 30828 CEST
                  kickoff_time : Thu Sep 14 04:48:05 AM 30828 CEST
                  last_password_change : Wed Mar 13 05:15:57 PM 2013 CET
                  allow_password_change : Thu Mar 14 05:15:57 PM 2013 CET
                  force_password_change : Thu Sep 14 04:48:05 AM 30828 CEST
                  account_name: struct lsa_String
                    length : 0x001a (26)
                    size : 0x001a (26)
                    string : *
                      string : 'Administrator'
                  full_name: struct lsa_String
                    length : 0x0000 (0)
                    size : 0x0000 (0)
                    string : *
                      string : ''
                  logon_script: struct lsa_String
                    length : 0x0000 (0)
                    size : 0x0000 (0)
                    string : *
                      string : ''
                  profile_path: struct lsa_String
                    length : 0x0000 (0)
                    size : 0x0000 (0)
                    string : *
                      string : ''
                  home_directory: struct lsa_String
                    length : 0x0000 (0)
                    size : 0x0000 (0)
                    string : *
                      string : ''
                  home_drive: struct lsa_String
                    length : 0x0000 (0)
                    size : 0x0000 (0)
                    string : *
                      string : ''
                  logon_count : 0x0053 (83)
                  bad_password_count : 0x0002 (2)
                  rid : 0x000001f4 (500)
                  primary_gid : 0x00000201 (513)
                  groups: struct samr_RidWithAttributeArray
                    count : 0x00000003 (3)
                    rids : *
                      rids: ARRAY(3)
                        rids: struct samr_RidWithAttribute
                          rid : 0x00000201 (513)
                          attributes : 0x00000007 (7)
                            1: SE_GROUP_MANDATORY
                            1: SE_GROUP_ENABLED_BY_DEFAULT
                            1: SE_GROUP_ENABLED
                            0: SE_GROUP_OWNER
                            0: SE_GROUP_USE_FOR_DENY_ONLY
                            0: SE_GROUP_RESOURCE
                            0x00: SE_GROUP_LOGON_ID (0)
                        rids: struct samr_RidWithAttribute
                          rid : 0x00000200 (512)
                          attributes : 0x00000007 (7)
                            1: SE_GROUP_MANDATORY
                            1: SE_GROUP_ENABLED_BY_DEFAULT
                            1: SE_GROUP_ENABLED
                            0: SE_GROUP_OWNER
                            0: SE_GROUP_USE_FOR_DENY_ONLY
                            0: SE_GROUP_RESOURCE
                            0x00: SE_GROUP_LOGON_ID (0)
                        rids: struct samr_RidWithAttribute
                          rid : 0x00000208 (520)
                          attributes : 0x00000007 (7)
                            1: SE_GROUP_MANDATORY
                            1: SE_GROUP_ENABLED_BY_DEFAULT
                            1: SE_GROUP_ENABLED
                            0: SE_GROUP_OWNER
                            0: SE_GROUP_USE_FOR_DENY_ONLY
                            0: SE_GROUP_RESOURCE
                            0x00: SE_GROUP_LOGON_ID (0)
                  user_flags : 0x00000020 (32)
                    0: NETLOGON_GUEST
                    0: NETLOGON_NOENCRYPTION
                    0: NETLOGON_CACHED_ACCOUNT
                    0: NETLOGON_USED_LM_PASSWORD
                    1: NETLOGON_EXTRA_SIDS
                    0: NETLOGON_SUBAUTH_SESSION_KEY
                    0: NETLOGON_SERVER_TRUST_ACCOUNT
                    0: NETLOGON_NTLMV2_ENABLED
                    0: NETLOGON_RESOURCE_GROUPS
                    0: NETLOGON_PROFILE_PATH_RETURNED
                    0: NETLOGON_GRACE_LOGON
                  key: struct netr_UserSessionKey
                    key : 00000000000000000000000000000000
                  logon_server: struct lsa_StringLarge
                    length : 0x000c (12)
                    size : 0x000e (14)
                    string : *
                      string : 'ADSUB2'
                  logon_domain: struct lsa_StringLarge
                    length : 0x000c (12)
                    size : 0x000e (14)
                    string : *
                      string : 'SUBDOM'
                  domain_sid : *
                    domain_sid : S-1-5-21-1497370719-3066148852-2058531780
                  LMSessKey: struct netr_LMSessionKey
                    key : 0000000000000000
                  acct_flags : 0x00000210 (528)
                    0: ACB_DISABLED
                    0: ACB_HOMDIRREQ
                    0: ACB_PWNOTREQ
                    0: ACB_TEMPDUP
                    1: ACB_NORMAL
                    0: ACB_MNS
                    0: ACB_DOMTRUST
                    0: ACB_WSTRUST
                    0: ACB_SVRTRUST
                    1: ACB_PWNOEXP
                    0: ACB_AUTOLOCK
                    0: ACB_ENC_TXT_PWD_ALLOWED
                    0: ACB_SMARTCARD_REQUIRED
                    0: ACB_TRUSTED_FOR_DELEGATION
                    0: ACB_NOT_DELEGATED
                    0: ACB_USE_DES_KEY_ONLY
                    0: ACB_DONT_REQUIRE_PREAUTH
                    0: ACB_PW_EXPIRED
                    0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                    0: ACB_NO_AUTH_DATA_REQD
                    0: ACB_PARTIAL_SECRETS_ACCOUNT
                    0: ACB_USE_AES_KEYS
                  sub_auth_status : 0x00000000 (0)
                  last_successful_logon : NTTIME(0)
                  last_failed_logon : NTTIME(0)
                  failed_logon_count : 0x00000000 (0)
                  reserved : 0x00000000 (0)
                sidcount : 0x00000001 (1)
                sids : *
                  sids: ARRAY(1)
                    sids: struct netr_SidAttr
                      sid : *
                        sid : S-1-5-21-2662603575-1345047739-3284616891-1114
                      attributes : 0x00000007 (7)
                        1: SE_GROUP_MANDATORY
                        1: SE_GROUP_ENABLED_BY_DEFAULT
                        1: SE_GROUP_ENABLED
                        0: SE_GROUP_OWNER
                        0: SE_GROUP_USE_FOR_DENY_ONLY
                        0: SE_GROUP_RESOURCE
                        0x00: SE_GROUP_LOGON_ID (0)
                res_group_dom_sid : NULL
                res_groups: struct samr_RidWithAttributeArray
                  count : 0x00000000 (0)
                  rids : NULL
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_LOGON_NAME (10)
      _ndr_size : 0x00000024 (36)
      info : *
        info : union PAC_INFO(case 10)
        logon_name: struct PAC_LOGON_NAME
          logon_time : Wed Oct 2 10:17:42 PM 2013 CEST
          size : 0x001a (26)
          account_name : 'Administrator'
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_UNKNOWN_12 (12)
      _ndr_size : 0x00000058 (88)
      info : *
        info : union PAC_INFO(case 12)
        unknown: struct DATA_BLOB_REM
          remaining : DATA_BLOB length=88
[0000] 30 00 10 00 14 00 40 00 01 00 00 00 00 00 00 00 0.....@. ........
[0010] 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 A.d.m.i. n.i.s.t.
[0020] 72 00 61 00 74 00 6F 00 72 00 40 00 73 00 75 00 r.a.t.o. r.@.s.u.
[0030] 62 00 64 00 6F 00 6D 00 2E 00 73 00 75 00 62 00 b.d.o.m. ..s.u.b.
[0040] 53 00 55 00 42 00 44 00 4F 00 4D 00 2E 00 53 00 S.U.B.D. O.M...S.
[0050] 55 00 42 00 00 00 00 00 U.B.....
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_SRV_CHECKSUM (6)
      _ndr_size : 0x00000010 (16)
      info : *
        info : union PAC_INFO(case 6)
        srv_cksum: struct PAC_SIGNATURE_DATA
          type : 0x00000010 (16)
          signature : DATA_BLOB length=12
[0000] 99 ED 78 89 9B D2 42 7B 8B 14 1C B3 .<ED>x..<D2>B{ ...<B3>
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_KDC_CHECKSUM (7)
      _ndr_size : 0x00000010 (16)
      info : *
        info : union PAC_INFO(case 7)
        kdc_cksum: struct PAC_SIGNATURE_DATA
          type : 0x00000010 (16)
          signature : DATA_BLOB length=12
[0000] E7 CE 8A 2E 26 38 1F 54 13 7B 5E AE <E7><CE>..&8.T .{^<AE>
      _pad : 0x00000000 (0)

> 2.) The trust-fetch-domains has somewhat confusing options:
>
> [tbabej@vm-147 labtool]$ ipa trust-fetch-domains tbad.idm.lab.eng.brq.redhat.com --help
> Usage: ipa [global-options] trust-fetch-domains REALM [options]
>
> Refresh list of the domains associated with the trust
> Options:
>   -h, --help  show this help message and exit
>   --rights    Display the access rights of this entry (requires --all). See ipa man page for details.
>   --all       Retrieve and print all attributes from the server. Affects command output.
>   --raw       Print entries as stored on the server. Only affects output format.

Yep, I'll switch it to use the same LDAPQuery class as trustdomain-enable/disable use now.

-- 
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
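The check discussed in this thread (resolve the root domain of the trust, then validate a subdomain's SID against the black list kept on the root), as an added Python model that is not FreeIPA's own filter_logon_info() or ipa-kdb code; the TrustDomain structure, the use_root switch and the root domain SID (the extra SID from the dump with its RID stripped) are assumptions, and the trust configuration is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class TrustDomain:
    name: str
    sid: str
    root: str                                  # trust's root domain name (itself for the root)
    blacklist_incoming: set = field(default_factory=set)  # stored only on the root entry

# Constructed trust configuration. The SIDs come from the PAC dump above; the root
# domain SID is assumed to be the extra SID in info3.sids with its RID (-1114) removed.
ROOT = "tbad.idm.lab.eng.brq.redhat.com"
CHILD = "child.tbad.idm.lab.eng.brq.redhat.com"
ROOT_SID = "S-1-5-21-2662603575-1345047739-3284616891"
CHILD_SID = "S-1-5-21-1497370719-3066148852-2058531780"
TRUST = {
    ROOT: TrustDomain(ROOT, ROOT_SID, ROOT, {CHILD_SID}),  # child was trustdomain-disabled
    CHILD: TrustDomain(CHILD, CHILD_SID, ROOT),
}

def domain_sid_of(sid):
    """Strip the RID from an object SID, leaving the domain SID."""
    return sid.rsplit("-", 1)[0]

def root_domain(dom, trust):
    """Follow the root pointers up to the root domain of dom's trust."""
    while dom.root != dom.name:
        dom = trust[dom.root]
    return dom

def filter_logon_info(logon_domain_sid, extra_sids, trust, use_root=True):
    """Return (accepted, reason) for a PAC whose logon domain SID and extra
    SIDs are given. use_root=False consults the logon domain's own entry,
    which reproduces the reported bug: a child entry carries no black list."""
    dom = next((d for d in trust.values() if d.sid == logon_domain_sid), None)
    if dom is None:
        return False, "logon domain SID does not belong to any trusted domain"
    holder = root_domain(dom, trust) if use_root else dom
    if dom.sid in holder.blacklist_incoming:
        return False, "domain %s is blacklisted on %s" % (dom.name, holder.name)
    for sid in extra_sids:  # groups from other domains of the forest ride along here
        if domain_sid_of(sid) in holder.blacklist_incoming:
            return False, "extra SID %s comes from a blacklisted domain" % sid
    return True, "ok"

if __name__ == "__main__":
    extra = ["S-1-5-21-2662603575-1345047739-3284616891-1114"]  # from the dump
    print(filter_logon_info(CHILD_SID, extra, TRUST, use_root=False))  # (True, 'ok'): the bug
    print(filter_logon_info(CHILD_SID, extra, TRUST))                  # rejected after the fix
```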
