On 11/29/2013 12:45 PM, Alexander Bokovoy wrote:
> On Fri, 29 Nov 2013, Sumit Bose wrote:
>> On Thu, Nov 28, 2013 at 03:04:49PM +0200, Alexander Bokovoy wrote:
>>> On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
>>> >Hi!
>>> >
>>> >Attached patch should solve an issue when fetching subdomains fails
>>> >shortly after trust has been established due to MS-PAC caching effects
>>> >on KDC. We have already made an alternative path to use when AD admin
>>> >credentials are available but failed to actually use them here.
>>> >
>>> >Details in the patch.
>>> >
>>> >https://fedorahosted.org/freeipa/ticket/4046
>>> New version attached. It makes sure we use the correct domain name when
>>> constructing credentials for NTLMSSP authentication if the AD administrator
>>> credentials do not include one.
>>>
>>> Many thanks to Scott Poore who kindly provided a Windows Server 2008R2
>>> setup which failed for the original case and also for the first version
>>> of this patch.
>>>
>>> -- 
>>> / Alexander Bokovoy
>>
>> Patch makes sense and is working in my tests, so ACK. There are only two
>> cosmetic issues where I leave it up to you if they need fixing, see
>> below.
>>
>> It's a pity that we have to fall back to NTLMSSP, but currently I do not
>> see another solution either. Do you think it would make sense to open a
>> ticket as a reminder to do some more research into how this can be done
>> with Kerberos?
> Well, we need to switch DAL driver implementation to syncrepl use,
> that would be our best solution for the case. All issues here are not
> really issues of communication with AD but the fact that we can't get
> MS-PAC to an HTTP service ticket immediately after we established trust
> without forcing DAL driver to update its view of the trusts.
> 
> Since we have AD administrator credentials at the trust-add point, we simply
> use them, as we use them to establish trust. At this point we have a
> sequence of three NTLMSSP authentication sessions: one for establishing
> trust, one for updating trust configuration afterwards, and one to fetch
> trust topology information.
> 
> For trust-fetch-domains case, where we don't have AD administrator
> credentials, we rely on HTTP/ service ticket and that works fine once
> DAL driver is able to see newly established trust.
> 
> So if we want to open a ticket, it should be a ticket to implement
> syncrepl protocol support in the DAL driver rather than any research.
> 
>>
>>> that auth module believes these parameters were overridden by the user
>>> through the command line and ignores some of the options. We have to do calls
>>> in the right order to forse NTLMSSP use instead of Kerberos.
>>
>>                        ^^^^^
> Thanks, fixed.
> 
>>>
>>> Fixes https://fedorahosted.org/freeipa/ticket/4046
>>> ---
>>>  ipalib/plugins/trust.py |  8 ++++++--
>>>  ipaserver/dcerpc.py     | 41 +++++++++++++++++++++++++++--------------
>>>  2 files changed, 33 insertions(+), 16 deletions(-)
>>>
>>> +        if len(sp) == 1:
>>> +            sp.insert(0, trustinstance.remote_domain.info['name'])
>>> +        creds = u"{name}%{password}".format(name="\\".join(sp),
>>> password=password)
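Review bot: `creds` now holds the plaintext AD administrator password inside an ordinary string, so it must not reach any log, debug output or exception text in trust.py; build it immediately before it is consumed rather than keeping it in a variable that outlives the call. The `len(sp) == 1` fallback also only covers the bare `user` form: `sp` comes from splitting on a backslash, so an admin given as `user@domain` has one element too and gets the remote domain name prepended to the whole UPN, which is not a valid `DOMAIN\user` value; check for the `@` form before inserting.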
>> ^^
>>
>>> +    cr.set_workstation(domain_validator.flatname)
>>> +    netrc = net.Net(creds=cr, lp=td.parm)
>>> +    try:
>>> +        result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP
>>> | nbt.NBT_SERVER_DS)
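Review bot: the `except` clause for this `try` is not in the quoted hunk, so it is not visible what happens when `netrc.finddc` cannot locate a domain controller for `trustdomain`; make sure that failure is turned into an IPA error that names the domain rather than escaping as a raw exception from the Samba bindings, and that `result` is only dereferenced on the success path.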
>> ^^^^^^^^^^^^^^^
>>
>> I'm not sure about any policy related to long lines in python, but you
>> added 2 lines over 80 characters.
> Fixed.
> 

Sumit acked - pushed to master, ipa-3-3.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
