Hi! Attached patch should solve an issue when fetching subdomains fails shortly after trust has been established due to MS-PAC caching effects on KDC. We have already made an alternative path to use when AD admin credentials are available but failed to actually use them here.
Details in the patch. https://fedorahosted.org/freeipa/ticket/4046
--
/ Alexander Bokovoy
From d5cddafe5ca11c54ab2d06a12efddbd80b3da5c7 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Wed, 27 Nov 2013 12:17:43 +0200 Subject: [PATCH 2/2] subdomains: Use AD admin credentials when trust is being established When AD administrator credentials are passed, they are stored in realm_passwd, not realm_password in the options. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overridden by the user through the command line and ignores some of the options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046 --- ipalib/plugins/trust.py | 2 +- ipaserver/dcerpc.py | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5ba0905..5861d96 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1231,7 +1231,7 @@ api.register(trustdomain_del) def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] creds = None - password = options.get('realm_password', None) + password = options.get('realm_passwd', None) if password: creds = u"%s%%%s" % (options.get('realm_admin'), password) domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 0dde347..985360b 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -964,7 +964,6 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040) def communicate(td): - td.creds.guess(td.parm) netrc = net.Net(creds=td.creds, lp=td.parm) try: result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) @@ -988,10 +987,13 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) if ccache_name: with installutils.private_ccache(path=ccache_name): + td.creds.guess(td.parm) domains = communicate(td) else: td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS) + td.creds.guess(td.parm) td.creds.parse_string(creds) + td.creds.set_workstation(api.env.host) domains = communicate(td) if domains is None: -- 1.8.4.2
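Review bot: in the trust.py hunk, the switch to `options.get('realm_passwd', None)` fixes the key lookup, but the code still builds `creds` from `options.get('realm_admin')` without checking that it is present: if only the password was supplied, `creds` becomes the literal string "None%<password>", which is passed on to `fetch_domains` and only fails later with an unhelpful authentication error. Suggest reading both values first (`admin = options.get('realm_admin')`) and guarding with `if password and admin:`, or raising a validation error when one of the two is missing. A one-line comment noting that the option is spelled `realm_passwd` where it is defined would also stop the `realm_password` / `realm_passwd` mismatch this hunk corrects from creeping back in.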
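Review bot: in the first dcerpc.py hunk, dropping `td.creds.guess(td.parm)` from `communicate()` turns a self-contained helper into one with an unstated precondition: every caller must now have run `guess()` on `td.creds` before `net.Net(creds=td.creds, lp=td.parm)` is constructed, and nothing in the hunk documents or checks that. Suggest a docstring or comment on `communicate()` stating that the credentials object must be fully initialised by the caller (guess, parse, Kerberos state), so a future call site does not hand un-guessed credentials to `net.Net`.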
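Review bot: in the second dcerpc.py hunk, the call-order constraint the fix depends on lives only in the commit message, not in the code, and the two branches are ordered differently: the ccache branch calls `set_kerberos_state(credentials.MUST_USE_KERBEROS)` and then `guess(td.parm)` inside `private_ccache`, while the else branch calls `set_kerberos_state(credentials.DONT_USE_KERBEROS)`, then `guess`, `parse_string(creds)` and `set_workstation(api.env.host)`. If `guess()` can override the Kerberos state from smb.conf, as the message implies, the MUST_USE_KERBEROS branch is exposed to the same problem; suggest confirming that and adding an inline comment at each `guess()` call explaining why it has to follow the kerberos-state call (and, in the ccache branch, why it sits inside `private_ccache`, presumably so it sees the ccache that context sets up), plus a comment on why `set_workstation` is required for the NTLMSSP path. Note also that `parse_string(creds)` receives the AD admin password embedded in `creds`, so this value should be kept out of any debug logging around these calls.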
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel