Re: [Freeipa-devel] [PATCH] 0178 Fix AD trusts in Fedora 22
On 05/12/2015 04:03 PM, Alexander Bokovoy wrote:
> On Tue, 12 May 2015, Alexander Bokovoy wrote:
>> On Tue, 12 May 2015, Alexander Bokovoy wrote:
>>> On Fri, 08 May 2015, Alexander Bokovoy wrote:
>>>> Hi, attached patch fixes issues with Samba 4.2 in Fedora 22. See commit message for the details.
>>>> Note that you'll also need Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832 to test the patch.
>>>> Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
>>> An update is available in Bodhi:
>>> https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22
>>>
>>> Please test and support.
>> Attached please find an update of the patch 0178. I've found one typo
>> which was missed in the original version due to exception handling.
>>
>> I'll update bodhi request when builds are ready.
> Updated bodhi request:
> https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-4.fc22
>
> Please test!

Works fine in my testing, code-wise looks fine. Thanks for the catch! ACK.

Pushed to:
master: 5fd8e53f66bcc96afbcf08686c345e6f2b7ee775
ipa-4-1: d74f938bde65d2fad4dde06c56d7889fa053c7db

Tomas

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0178 Fix AD trusts in Fedora 22
On Tue, 12 May 2015, Alexander Bokovoy wrote:
> On Tue, 12 May 2015, Alexander Bokovoy wrote:
>> On Fri, 08 May 2015, Alexander Bokovoy wrote:
>>> Hi, attached patch fixes issues with Samba 4.2 in Fedora 22. See commit message for the details.
>>> Note that you'll also need Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832 to test the patch.
>>> Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
>> An update is available in Bodhi:
>> https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22
>>
>> Please test and support.
> Attached please find an update of the patch 0178. I've found one typo
> which was missed in the original version due to exception handling.
>
> I'll update bodhi request when builds are ready.

Updated bodhi request:
https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-4.fc22

Please test!

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0178 Fix AD trusts in Fedora 22
On Tue, 12 May 2015, Alexander Bokovoy wrote:
> On Fri, 08 May 2015, Alexander Bokovoy wrote:
>> Hi, attached patch fixes issues with Samba 4.2 in Fedora 22. See commit message for the details.
>> Note that you'll also need Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832 to test the patch.
>> Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
> An update is available in Bodhi:
> https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22
>
> Please test and support.

Attached please find an update of the patch 0178. I've found one typo
which was missed in the original version due to exception handling.

I'll update bodhi request when builds are ready.

--
/ Alexander Bokovoy

From 28fccac07760764acc86f9c91850481ef2c1e1ae Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 8 May 2015 12:09:13 +
Subject: [PATCH 2/3] ipaserver/dcerpc: Ensure LSA pipe has session key before using it

With Samba 4.2 there is a bug that prevents Samba from considering Kerberos credentials used by IPA httpd process when talking to smbd. As a result, LSA RPC connection is seen as anonymous by Samba client code and we cannot derive session key to use for encrypting trust secrets before transmitting them.

Additionally, rewrite of the SMB protocol support in Samba caused previously working logic of choosing DCE RPC binding string to fail. We need to try a different set of priorities until they fail or succeed.

Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
---
 ipaserver/dcerpc.py | 19 ++-
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index e342c49..44689cc 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -89,6 +89,10 @@ dcerpc_error_codes = { -1073741811: # NT_STATUS_INVALID_PARAMETER errors.RemoteRetrieveError( reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')), +-1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the binding +access_denied_error, +-1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND +errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to pipe\\lsarpc')), } dcerpc_error_messages = { @@ -728,16 +732,20 @@ class TrustDomainInstance(object): return attempts = 0 +session_attempts = 0 bindings = self.__gen_lsa_bindings(remote_host) for binding in bindings: try: self._pipe = self.__gen_lsa_connection(binding) -if self._pipe: +if self._pipe and self._pipe.session_key: break except errors.ACIError, e: attempts = attempts + 1 +except RuntimeError, e: +# When session key is not available, we just skip this binding +session_attempts = session_attempts + 1 -if self._pipe is None and attempts == len(bindings): +if self._pipe is None and (attempts + session_attempts) == len(bindings): raise errors.ACIError( info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host)) @@ -745,6 +753,7 @@ class TrustDomainInstance(object): raise errors.RemoteRetrieveError( reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host)) self.binding = binding +self.session_key = self._pipe.session_key def __gen_lsa_bindings(self, remote_host): """ 
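Review bot: In the @@ -728 hunk the loop only exits early when `self._pipe and self._pipe.session_key` is true, but the case where `__gen_lsa_connection(binding)` returns a pipe without a session key and raises nothing is not counted at all: neither `attempts` nor `session_attempts` is incremented, `self._pipe` stays set to that keyless pipe, and after the loop `self._pipe is None` is false, so the ACIError check is skipped and `self.session_key = self._pipe.session_key` silently records an empty key on the connection that the commit message says is used to encrypt trust secrets. The same stale `self._pipe` also hides an ACIError raised by a later binding, since `self._pipe` is never reset before the next attempt. Suggest `self._pipe = None` at the top of each iteration (or `session_attempts = session_attempts + 1` when the pipe comes back without a key) and an explicit raise after the loop if `not self._pipe.session_key` before `self.session_key` is assigned.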
@@ -753,11 +762,11 @@ class TrustDomainInstance(object): Generate all we can use. init_lsa_pipe() will try them one by one until there is one working. -We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned. +We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or defaults. """ transports = (u'ncacn_np', u'ncacn_ip_tcp') -options = ( u',', u'') -binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z) +options = ( u'smb2', u'smb1', u'') +binding_template=lambda x,y,z: u'%s:%s[%s,print]' % (x, y, z) return [binding_template(t, remote_host, o) for t in transports for o in options] def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False): -- 2.4.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
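Review bot: In the @@ -753 hunk the new `options` tuple is applied to both transports, but `smb2` and `smb1` are SMB transport selectors that only mean something for `ncacn_np`, so for `ncacn_ip_tcp` the three generated bindings are the same endpoint tried three times, and the empty option yields `ncacn_ip_tcp:host[,print]` with a leading empty flag. Consider generating the options per transport (`smb2`, `smb1`, `''` for `ncacn_np`; only `''` for `ncacn_ip_tcp`) and joining the non-empty flags with `,` inside `binding_template`. Also, `print` is now hard-coded into every binding string; if that is Samba's packet-debug flag, decoded LSA requests and responses will be written to the debug log from a production code path, so please confirm it is intended to ship rather than being a debugging leftover, and put it behind a debug switch if not.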
Re: [Freeipa-devel] [PATCH] 0178 Fix AD trusts in Fedora 22
On Fri, 08 May 2015, Alexander Bokovoy wrote:
> Hi, attached patch fixes issues with Samba 4.2 in Fedora 22. See commit message for the details.
> Note that you'll also need Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832 to test the patch.
> Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834

An update is available in Bodhi:
https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22

Please test and support.

--
/ Alexander Bokovoy
[Freeipa-devel] [PATCH] 0178 Fix AD trusts in Fedora 22
Hi,

attached patch fixes issues with Samba 4.2 in Fedora 22. See commit message for the details.

Note that you'll also need Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832 to test the patch.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834

--
/ Alexander Bokovoy

From 35ab765554e3469daae204fb045eb4281f4f4f36 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 8 May 2015 12:09:13 +
Subject: [PATCH] ipaserver/dcerpc: Ensure LSA pipe has session key before using it

With Samba 4.2 there is a bug that prevents Samba from considering Kerberos credentials used by IPA httpd process when talking to smbd. As a result, LSA RPC connection is seen as anonymous by Samba client code and we cannot derive session key to use for encrypting trust secrets before transmitting them.

Additionally, rewrite of the SMB protocol support in Samba caused previously working logic of choosing DCE RPC binding string to fail. We need to try a different set of priorities until they fail or succeed.

Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
---
 ipaserver/dcerpc.py | 19 ++-
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index e342c49..25f8bf8 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -89,6 +89,10 @@ dcerpc_error_codes = { -1073741811: # NT_STATUS_INVALID_PARAMETER errors.RemoteRetrieveError( reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')), +-1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the binding +access_denied_error, +-1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND +errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to pipe\\lsarpc')), } dcerpc_error_messages = { 
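Review bot: In the @@ -89 hunk NT_STATUS_INVALID_PARAMETER_MIX (-1073741776) is mapped to `access_denied_error` only so that the `except errors.ACIError` branch in `init_lsa_pipe()` skips the binding; that works, but it also means the final 'CIFS server %(host)s denied your credentials' message is raised when every binding failed with a parameter-mix error and no credential was ever rejected, which points an administrator at the wrong cause. Suggest a dedicated error (or a separate counter, as `session_attempts` already does for the RuntimeError case) so that a protocol/binding mismatch is reported distinctly from a genuine access denial; at minimum the inline comment should say the mapping is deliberate and why.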
@@ -728,16 +732,20 @@ class TrustDomainInstance(object): return attempts = 0 +session_attempts = 0 bindings = self.__gen_lsa_bindings(remote_host) for binding in bindings: try: self._pipe = self.__gen_lsa_connection(binding) -if self._pipe: +if self._pipe and self._pipe.session_key: break except errors.ACIError, e: attempts = attempts + 1 +except RuntimeError, e: +# When session key is not available, we just skip this binding +session_attempts = session_attempts + 1 -if self._pipe is None and attempts == len(bindings): +if self._pipe is None and (attempts + session_attemps) == len(bindings): raise errors.ACIError( info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host)) @@ -745,6 +753,7 @@ class TrustDomainInstance(object): raise errors.RemoteRetrieveError( reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host)) self.binding = binding +self.session_key = self._pipe.session_key def __gen_lsa_bindings(self, remote_host): """ @@ -753,11 +762,11 @@ class TrustDomainInstance(object): Generate all we can use. init_lsa_pipe() will try them one by one until there is one working. -We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned. +We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or defaults. """ transports = (u'ncacn_np', u'ncacn_ip_tcp') -options = ( u',', u'') -binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z) +options = ( u'smb2', u'smb1', u'') +binding_template=lambda x,y,z: u'%s:%s[%s,print]' % (x, y, z) return [binding_template(t, remote_host, o) for t in transports for o in options] def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False): -- 2.4.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
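Review bot: In the @@ -728 hunk the new condition reads `(attempts + session_attemps) == len(bindings)` while the counter is declared and incremented as `session_attempts`; the misspelt name is a NameError, and because `self._pipe is None and ...` short-circuits, the expression is only evaluated when every binding failed, so the bug surfaces precisely in the failure path where the 'denied your credentials' ACIError should have been raised. Fix the spelling and add a test that exhausts all bindings so that path is actually exercised.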