On Wed, 02 Oct 2013, Tomas Babej wrote:
I'll send new patchset shortly.
New patchset is attached.

1. Added test update for ipalib/frontend.py changes
2. Used LDAPQuery as base for trustdomain_enable|disable commands as
 suggested by Honza.
3. Fixed issues with removal of trust account password authentication
4. Added support to use AD administrator credentials when fetching
 subdomains information when we establish trust as Kerberos will not
 be available for cross-realm operations yet.
5. Patch 0123 is not part of the patchset and should not be committed,
 we will discuss exact semantics of transition checks with MIT
 Kerberos upstream first.
6. Fixed few error paths and dead-end cases like attempt to disable root
 domain of the trust (renders trust dead) or enabling it (it is always
 enabled).
7. Made clear that deleting root domain of the trust is not possible,
 use trust-del instead.
8. Removed whitespaces where seen.

Thanks!

This fixes most of the issues I had.

To summarize, two issues from today's functional testing we already discussed on IRC:

1.) The blacklisting for the child domain does not work (it works fine for the root domain). Thus, ipa trustdomain-disable for the child domain does not reject access to IPA's resources:

[tbabej@vm-147 labtool]$ ipa trustdomain-disable tbad.idm.lab.eng.brq.redhat.com child.tbad.idm.lab.eng.brq.redhat.com
------------------------------------------------------------------------------------------------------------------------------------
Domain child.tbad.idm.lab.eng.brq.redhat.com of trust tbad.idm.lab.eng.brq.redhat.com is already not allowed to access IPA resources
------------------------------------------------------------------------------------------------------------------------------------
[tbabej@vm-147 labtool]$ kdestroy
[tbabej@vm-147 labtool]$ kvno -S ldap `hostname`
kvno: Credentials cache file '/run/user/536/krb5cc/tkt1sLaOS' not found while getting client principal name
[tbabej@vm-147 labtool]$ kinit administra...@child.tbad.idm.lab.eng.brq.redhat.com
Password for administra...@child.tbad.idm.lab.eng.brq.redhat.com:
[tbabej@vm-147 labtool]$ klist
Ticket cache: DIR::/run/user/536/krb5cc/tktS7Bkhj
Default principal: administra...@child.tbad.idm.lab.eng.brq.redhat.com

Valid starting       Expires              Service principal
10/02/2013 21:28:52  10/03/2013 07:28:52  krbtgt/child.tbad.idm.lab.eng.brq.redhat....@child.tbad.idm.lab.eng.brq.redhat.com
       renew until 10/03/2013 21:28:46
[tbabej@vm-147 labtool]$ kvno -S ldap `hostname`
ldap/vm-147.dom147.tbad.idm.lab.eng.brq.redhat....@dom147.tbad.idm.lab.eng.brq.redhat.com: kvno = 2

We should have been denied access here.
Right. This is a *very good* finding. Since we put information about the black
list only to the root level domain of the trust, we need to reference
the root level domain when checking a subdomain. We don't do that right
now and it is needed also in Sumit's patches, so I'll work on merging
them.

Here is my plan: make a helper that identifies root domain for the trusted domain (Sumit's code already has this), fetch root domain of the trust
and validate this domain's SID against black list associated with the
root domain in filter_logon_info().

Here is the MS-PAC dump I've got for the user from a subdomain. Note that
its info.info.info3.sids array contains a SID of the root domain's object.

  Successfully validated Kerberos PAC
      pac_data: struct PAC_DATA
          num_buffers              : 0x00000005 (5)
          version                  : 0x00000000 (0)
          buffers: ARRAY(5)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_LOGON_INFO (1)
                  _ndr_size                : 0x000001e8 (488)
                  info                     : *
                      info                     : union PAC_INFO(case 1)
                      logon_info: struct PAC_LOGON_INFO_CTR
                          info                     : *
                              info: struct PAC_LOGON_INFO
                                  info3: struct netr_SamInfo3
                                      base: struct netr_SamBaseInfo
                                          logon_time               : Wed Oct  2 10:00:50 PM 2013 CEST
                                          logoff_time              : Thu Sep 14 04:48:05 AM 30828 CEST
                                          kickoff_time             : Thu Sep 14 04:48:05 AM 30828 CEST
                                          last_password_change     : Wed Mar 13 05:15:57 PM 2013 CET
                                          allow_password_change    : Thu Mar 14 05:15:57 PM 2013 CET
                                          force_password_change    : Thu Sep 14 04:48:05 AM 30828 CEST
                                          account_name: struct lsa_String
                                              length                   : 0x001a (26)
                                              size                     : 0x001a (26)
                                              string                   : *
                                                  string                   : 'Administrator'
                                          full_name: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          logon_script: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          profile_path: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          home_directory: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          home_drive: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          logon_count              : 0x0053 (83)
                                          bad_password_count       : 0x0002 (2)
                                          rid                      : 0x000001f4 (500)
                                          primary_gid              : 0x00000201 (513)
                                          groups: struct samr_RidWithAttributeArray
                                              count                    : 0x00000003 (3)
                                              rids                     : *
                                                  rids: ARRAY(3)
                                                      rids: struct samr_RidWithAttribute
                                                          rid                      : 0x00000201 (513)
                                                          attributes               : 0x00000007 (7)
                                                              1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0)
                                                      rids: struct samr_RidWithAttribute
                                                          rid                      : 0x00000200 (512)
                                                          attributes               : 0x00000007 (7)
                                                              1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0)
                                                      rids: struct samr_RidWithAttribute
                                                          rid                      : 0x00000208 (520)
                                                          attributes               : 0x00000007 (7)
                                                              1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0)
                                          user_flags               : 0x00000020 (32)
                                              0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 1: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 0: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON
                                          key: struct netr_UserSessionKey
                                              key                      : 00000000000000000000000000000000
                                          logon_server: struct lsa_StringLarge
                                              length                   : 0x000c (12)
                                              size                     : 0x000e (14)
                                              string                   : *
                                                  string                   : 'ADSUB2'
                                          logon_domain: struct lsa_StringLarge
                                              length                   : 0x000c (12)
                                              size                     : 0x000e (14)
                                              string                   : *
                                                  string                   : 'SUBDOM'
                                          domain_sid               : *
                                              domain_sid               : S-1-5-21-1497370719-3066148852-2058531780
                                          LMSessKey: struct netr_LMSessionKey
                                              key                      : 0000000000000000
                                          acct_flags               : 0x00000210 (528)
                                              0: ACB_DISABLED 0: ACB_HOMDIRREQ 0: ACB_PWNOTREQ 0: ACB_TEMPDUP 1: ACB_NORMAL 0: ACB_MNS 0: ACB_DOMTRUST 0: ACB_WSTRUST 0: ACB_SVRTRUST 1: ACB_PWNOEXP 0: ACB_AUTOLOCK 0: ACB_ENC_TXT_PWD_ALLOWED 0: ACB_SMARTCARD_REQUIRED 0: ACB_TRUSTED_FOR_DELEGATION 0: ACB_NOT_DELEGATED 0: ACB_USE_DES_KEY_ONLY 0: ACB_DONT_REQUIRE_PREAUTH 0: ACB_PW_EXPIRED 0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0: ACB_NO_AUTH_DATA_REQD 0: ACB_PARTIAL_SECRETS_ACCOUNT 0: ACB_USE_AES_KEYS
                                          sub_auth_status          : 0x00000000 (0)
                                          last_successful_logon    : NTTIME(0)
                                          last_failed_logon        : NTTIME(0)
                                          failed_logon_count       : 0x00000000 (0)
                                          reserved                 : 0x00000000 (0)
                                      sidcount                 : 0x00000001 (1)
                                      sids                     : *
                                          sids: ARRAY(1)
                                              sids: struct netr_SidAttr
                                                  sid                      : *
                                                      sid                      : S-1-5-21-2662603575-1345047739-3284616891-1114
                                                  attributes               : 0x00000007 (7)
                                                      1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0)
                                  res_group_dom_sid        : NULL
                                  res_groups: struct samr_RidWithAttributeArray
                                      count                    : 0x00000000 (0)
                                      rids                     : NULL
                  _pad                     : 0x00000000 (0)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_LOGON_NAME (10)
                  _ndr_size                : 0x00000024 (36)
                  info                     : *
                      info                     : union PAC_INFO(case 10)
                      logon_name: struct PAC_LOGON_NAME
                          logon_time               : Wed Oct  2 10:17:42 PM 2013 CEST
                          size                     : 0x001a (26)
                          account_name             : 'Administrator'
                  _pad                     : 0x00000000 (0)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_UNKNOWN_12 (12)
                  _ndr_size                : 0x00000058 (88)
                  info                     : *
                      info                     : union PAC_INFO(case 12)
                      unknown: struct DATA_BLOB_REM
                          remaining                : DATA_BLOB length=88
  [0000] 30 00 10 00 14 00 40 00   01 00 00 00 00 00 00 00   0.....@. ........
  [0010] 41 00 64 00 6D 00 69 00   6E 00 69 00 73 00 74 00   A.d.m.i. n.i.s.t.
  [0020] 72 00 61 00 74 00 6F 00   72 00 40 00 73 00 75 00   r.a.t.o. r.@.s.u.
  [0030] 62 00 64 00 6F 00 6D 00   2E 00 73 00 75 00 62 00   b.d.o.m. ..s.u.b.
  [0040] 53 00 55 00 42 00 44 00   4F 00 4D 00 2E 00 53 00   S.U.B.D. O.M...S.
  [0050] 55 00 42 00 00 00 00 00                             U.B.....
                  _pad                     : 0x00000000 (0)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_SRV_CHECKSUM (6)
                  _ndr_size                : 0x00000010 (16)
                  info                     : *
                      info                     : union PAC_INFO(case 6)
                      srv_cksum: struct PAC_SIGNATURE_DATA
                          type                     : 0x00000010 (16)
                          signature                : DATA_BLOB length=12
  [0000] 99 ED 78 89 9B D2 42 7B   8B 14 1C B3              .<ED>x..<D2>B{ ...<B3>
                  _pad                     : 0x00000000 (0)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_KDC_CHECKSUM (7)
                  _ndr_size                : 0x00000010 (16)
                  info                     : *
                      info                     : union PAC_INFO(case 7)
                      kdc_cksum: struct PAC_SIGNATURE_DATA
                          type                     : 0x00000010 (16)
                          signature                : DATA_BLOB length=12
  [0000] E7 CE 8A 2E 26 38 1F 54   13 7B 5E AE              <E7><CE>..&8.T .{^<AE>
                  _pad                     : 0x00000000 (0)
2.) The trust-fetch-domains has somewhat confusing options:

[tbabej@vm-147 labtool]$ ipa trust-fetch-domains tbad.idm.lab.eng.brq.redhat.com --help
Usage: ipa [global-options] trust-fetch-domains REALM [options]

Refresh list of the domains associated with the trust

Options:
 -h, --help  show this help message and exit
 --rights    Display the access rights of this entry (requires --all). See
             ipa man page for details.
 --all       Retrieve and print all attributes from the server. Affects
             command output.
 --raw       Print entries as stored on the server. Only affects output
             format.
Yep, I'll switch it to use the same LDAPQuery class as
trustdomain-enable/disable use now.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
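The root-domain lookup described in the plan above, as an added Python model that is not part of this thread or of FreeIPA's code; the class, function and variable names are constructed, the domain SIDs are the ones visible in the PAC dump, and deriving the root domain's SID from the extra SID (minus its RID 1114) is an assumption.

```python
# Added example (not FreeIPA code): model of the root-domain lookup that the
# plan above describes. Names are constructed; the domain SIDs are those in the
# PAC dump, and taking the extra SID minus its RID (1114) as the root domain's
# SID is an assumption.
from dataclasses import dataclass, field

@dataclass
class TrustDomain:
    name: str
    sid: str
    parent: "TrustDomain | None" = None
    blacklist: set = field(default_factory=set)  # kept on the root domain only

def root_of(domain):
    """Follow parent links up to the root domain of the trust."""
    while domain.parent is not None:
        domain = domain.parent
    return domain

def disable_domain(domain):
    """trustdomain-disable: the denied domain SID is recorded on the root."""
    root_of(domain).blacklist.add(domain.sid)

def filter_logon_info(domains, logon_domain_sid, extra_sids, use_root):
    """Return (access_allowed, extra_sids_kept) for a PAC.
    use_root=False consults only the PAC domain's own blacklist (empty for a
    child), reproducing the bypass from the kvno test above; use_root=True
    consults the root domain's blacklist instead, which is the planned fix."""
    domain = next((d for d in domains if d.sid == logon_domain_sid), None)
    if domain is None:
        return False, []                    # no trust covers this domain
    policy = root_of(domain) if use_root else domain
    if domain.sid in policy.blacklist:
        return False, []                    # whole domain disabled
    # Extra SIDs are filtered by their domain part (SID without trailing RID).
    kept = [s for s in extra_sids if s.rsplit("-", 1)[0] not in policy.blacklist]
    return True, kept

ROOT = TrustDomain("tbad.idm.lab.eng.brq.redhat.com",
                   "S-1-5-21-2662603575-1345047739-3284616891")
CHILD = TrustDomain("child.tbad.idm.lab.eng.brq.redhat.com",
                    "S-1-5-21-1497370719-3066148852-2058531780", parent=ROOT)
DOMAINS = [ROOT, CHILD]
EXTRA = ["S-1-5-21-2662603575-1345047739-3284616891-1114"]  # sids[] from dump

def demo():
    """Disable the child domain, then evaluate its PAC the old and new way."""
    disable_domain(CHILD)
    before = filter_logon_info(DOMAINS, CHILD.sid, EXTRA, use_root=False)
    after = filter_logon_info(DOMAINS, CHILD.sid, EXTRA, use_root=True)
    return before, after
```

With the root lookup in place, a user from the root domain is still admitted, but any extra SIDs that belong to the disabled child are dropped from the PAC.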