Attached patch should solve an issue when fetching subdomains fails
shortly after trust has been established due to MS-PAC caching effects
on KDC. We have already made an alternative path to use when AD admin
credentials are available but failed to actually use them here.

Details in the patch.

/ Alexander Bokovoy
>From d5cddafe5ca11c54ab2d06a12efddbd80b3da5c7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 27 Nov 2013 12:17:43 +0200
Subject: [PATCH 2/2] subdomains: Use AD admin credentials when trust is being

When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.

Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to forse NTLMSSP use instead of Kerberos.

Fixes https://fedorahosted.org/freeipa/ticket/4046
 ipalib/plugins/trust.py | 2 +-
 ipaserver/dcerpc.py     | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5ba0905..5861d96 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1231,7 +1231,7 @@ api.register(trustdomain_del)
 def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
     trust_name = trust_entry['cn'][0]
     creds = None
-    password = options.get('realm_password', None)
+    password = options.get('realm_passwd', None)
     if password:
         creds = u"%s%%%s" % (options.get('realm_admin'), password)
     domains = ipaserver.dcerpc.fetch_domains(self.api, 
trustinstance.local_flatname, trust_name, creds=creds)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 0dde347..985360b 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -964,7 +964,6 @@ def fetch_domains(api, mydomain, trustdomain, creds=None):
                 NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x00000040)
     def communicate(td):
-        td.creds.guess(td.parm)
         netrc = net.Net(creds=td.creds, lp=td.parm)
             result = netrc.finddc(domain=trustdomain, 
@@ -988,10 +987,13 @@ def fetch_domains(api, mydomain, trustdomain, creds=None):
         if ccache_name:
             with installutils.private_ccache(path=ccache_name):
+                td.creds.guess(td.parm)
                 domains = communicate(td)
+        td.creds.guess(td.parm)
+        td.creds.set_workstation(api.env.host)
         domains = communicate(td)
     if domains is None:

Freeipa-devel mailing list

Reply via email to