Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-11-01 Thread Simo Sorce
On Wed, 2012-10-31 at 22:52 +0200, Alexander Bokovoy wrote:
 The sequence is as follows:
 1. Match external member against existing trusted domain
 2. Find trusted domain's domain controller and preferred GC hosts
 3. Fetch trusted domain account auth info
 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TDdomain with
 principal ourdomain$@trusted.domain
 5. Do LDAP SASL interactive bind using the ccache
 6. Search for the member's SID
 7. Decode SID
 8. Replace external member name by SID
 ---
  ipalib/plugins/group.py |  32 ---
  ipalib/plugins/trust.py |  17 ++--
  ipaserver/dcerpc.py | 233
 +++-
  3 files changed, 257 insertions(+), 25 deletions(-)
 
 
Ack!
Pushed to master and ipa-3-0

Thanks a lot!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
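The eight steps in the commit message quoted above are the whole resolver; the parts worth spelling out in code are step 1 (matching the domain part against the trusted domain), step 6 (building the GC search filter from untrusted input), step 7 (decoding the binary objectSid) and the check the patch's is_trusted_sid_valid() implies, that the answer actually lies inside the trusted domain. The Python 3 block below is an added illustration written for this page, not code from the FreeIPA patch: the Global Catalog is replaced by a constructed dictionary keyed on the search filter, and TRUSTED_FLATNAME, TRUSTED_DNS_DOMAIN and TRUSTED_DOMAIN_SID are made-up values standing in for the ipantflatname and ipanttrusteddomainsid attributes the real code reads from LDAP. It goes slightly beyond the patch in that it also refuses a name that resolves to a SID outside the trusted domain, such as a BUILTIN group.

```python
import re
import struct

# Constructed stand-ins for the trusted domain's ipantflatname, DNS name and
# ipanttrusteddomainsid; the real code reads these from LDAP.
TRUSTED_FLATNAME = "AD"
TRUSTED_DNS_DOMAIN = "ad.example.com"
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_external_member(value):
    """Classify one --external value: ('sid', s) | ('flat', dom, name) | ('upn', name, dnsdom)."""
    value = value.strip()
    if SID_RE.match(value):
        return ("sid", value)
    if "\\" in value:
        dom, _, name = value.partition("\\")
        if dom and name:
            return ("flat", dom, name)
    if "@" in value:
        name, _, dom = value.rpartition("@")
        if name and dom:
            return ("upn", name, dom)
    raise ValueError("not a SID, DOM\\name or name@domain: %r" % value)

def matches_trusted_domain(member):
    """Step 1: the domain part must name the trusted domain (flat or DNS name)."""
    if member[0] == "flat":
        return member[1].upper() == TRUSTED_FLATNAME
    if member[0] == "upn":
        return member[2].lower() == TRUSTED_DNS_DOMAIN
    return True  # a bare SID is checked against the domain SID later

def escape_filter_value(value):
    """RFC 4515 escaping so a member name cannot change the shape of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def gc_search_filter(member):
    """Step 6: the Global Catalog filter for a parsed name (users and groups)."""
    classes = "(|(objectClass=user)(objectClass=group))"
    if member[0] == "flat":
        return "(&%s(sAMAccountName=%s))" % (classes, escape_filter_value(member[2]))
    if member[0] == "upn":
        upn = escape_filter_value("%s@%s" % (member[1], member[2]))
        return "(&%s(userPrincipalName=%s))" % (classes, upn)
    raise ValueError("a SID needs no GC lookup")

def decode_sid(blob):
    """Step 7: binary objectSid -> 'S-1-A-s1-...-sn' (revision, 48-bit big-endian authority, LE sub-authorities)."""
    if len(blob) < 8 or blob[0] != 1 or blob[1] > 15 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))

def encode_sid(text):
    """Inverse of decode_sid, used only to construct the sample GC answers below."""
    parts = [int(p) for p in text.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_in_trusted_domain(sid, domain_sid=TRUSTED_DOMAIN_SID):
    """Accept only account SIDs directly under the trusted domain's SID (rejects BUILTIN and foreign domains)."""
    prefix = domain_sid + "-"
    return sid.startswith(prefix) and sid[len(prefix):].isdigit()

def resolve_external_member(value, gc_lookup):
    """Steps 1-8 for one value; gc_lookup(filter) returns objectSid bytes or None."""
    member = parse_external_member(value)
    if not matches_trusted_domain(member):
        raise ValueError("%s does not belong to the trusted domain" % value)
    if member[0] == "sid":
        sid = member[1]
    else:
        blob = gc_lookup(gc_search_filter(member))
        if blob is None:
            raise LookupError("%s not found in the Global Catalog" % value)
        sid = decode_sid(blob)
    if not sid_in_trusted_domain(sid):
        raise ValueError("%s resolved to %s, outside the trusted domain" % (value, sid))
    return sid

def rejects(value, gc_lookup):
    """True if resolve_external_member refuses the value (exercises the failure paths)."""
    try:
        resolve_external_member(value, gc_lookup)
    except (ValueError, LookupError):
        return True
    return False

# Constructed Global Catalog: filter -> objectSid blob, standing in for the LDAP search.
FAKE_GC = {
    gc_search_filter(("flat", "AD", "Domain Admins")): encode_sid(TRUSTED_DOMAIN_SID + "-512"),
    gc_search_filter(("upn", "alice", "ad.example.com")): encode_sid(TRUSTED_DOMAIN_SID + "-1105"),
    gc_search_filter(("flat", "AD", "Administrators")): encode_sid("S-1-5-32-544"),
}
```

The two places where trusting the GC answer blindly would let a name match produce a SID you did not intend are the filter escaping and the domain-prefix check; both are cheap to keep even when python-ldap's own ldap.filter.escape_filter_chars does the escaping.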


[Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-31 Thread Alexander Bokovoy
The sequence is as follows:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TDdomain with principal 
ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
---
 ipalib/plugins/group.py |  32 ---
 ipalib/plugins/trust.py |  17 ++--
 ipaserver/dcerpc.py | 233 +++-
 3 files changed, 257 insertions(+), 25 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 
a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef
 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -83,28 +83,30 @@ External members should be added to groups that 
specifically created as
 external and non-POSIX. Such group later should be included into one of POSIX
 groups.
 
-An external group member is currently a Security Identifier as defined by
-the trusted domain.
+An external group member is currently a Security Identifier (SID) as defined by
+the trusted domain. When adding external group members, it is possible to
+specify them in either SID, or DOM\\name, or name@domain format. IPA will 
attempt
+to resolve passed name to SID with the use of Global Catalog of the trusted 
domain.
 
 Example:
 
-1. Make note of the trusted domain security identifier
-
-   domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: -f2`
-
-2. Create group for the trusted domain admins' mapping and their local POSIX 
group:
+1. Create group for the trusted domain admins' mapping and their local POSIX 
group:
 
ipa group-add --desc='ad.domain admins external map' ad_admins_external 
--external
ipa group-add --desc='ad.domain admins' ad_admins
 
-3. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
-   group (security identifier of ad.domain SID-513 is Domain Admins group):
+2. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
+   group:
 
-   ipa group-add-member ad_admins_external --external ${domainsid}-513
+   ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
 
-4. Allow members of ad_admins_external group to be associated with ad_admins 
POSIX group:
+3. Allow members of ad_admins_external group to be associated with ad_admins 
POSIX group:
 
ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their 
SIDs:
+
+   ipa group-show ad_admins_external
 )
 
 PROTECTED_GROUPS = (u'admins', u'trust admins', u'default smb group')
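Review bot: the new example line "ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'" never says what 'AD' is; the docstring should state that DOM in 'DOM\\name' is the NetBIOS (flat) name of the trusted domain, since that is the value a user has to look up. The new step 4, "List members of external members of ad_admins_external group", should read "List the external members of the ad_admins_external group to see their SIDs". Dropping the RID from the prose is an improvement in its own right: the removed group.py text called -513 Domain Admins while the trust.py copy of the same text said -512, and -512 is the correct one (-513 is Domain Users).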
@@ -165,7 +167,7 @@ api.register(group)
 ipaexternalmember_param = Str('ipaexternalmember*',
 cli_name='external',
 label=_('External member'),
-doc=_('comma-separated SIDs of members of a trusted domain'),
+doc=_('comma-separated list of members of a trusted domain in 
DOM\\name or name@domain form'),
 csv=True,
 flags=['no_create', 'no_update', 'no_search'],
 )
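Review bot: the new 'doc=_(...)' text lists only "DOM\\name or name@domain", but the module docstring two hunks up, and the validation code below which still tries is_trusted_sid_valid(sid) first, accept plain SIDs as well; keep SID in the list, e.g. "comma-separated list of members of a trusted domain, as SIDs or in DOM\\name or name@domain form", so that 'ipa group-add-member --help' does not contradict 'ipa help group'.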
@@ -382,7 +384,11 @@ class group_add_member(LDAPAddMember):
 if domain_validator.is_trusted_sid_valid(sid):
 sids.append(sid)
 else:
-failed_sids.append((sid, 'Not a trusted domain SID'))
+actual_sid = 
domain_validator.get_sid_trusted_domain_object(sid)
+if isinstance(actual_sid, unicode):
+sids.append(actual_sid)
+else:
+failed_sids.append((sid, 'Not a trusted domain SID'))
 if len(sids) == 0:
 raise errors.ValidationError(name=_('external member'),
  error=_('values are not 
recognized as valid SIDs from trusted domain'))
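Review bot: 'isinstance(actual_sid, unicode)' uses the return type as the success signal, which is fragile; have get_sid_trusted_domain_object() return None (or raise) on failure and test 'if actual_sid is not None'. The failure branch also still records 'Not a trusted domain SID' for input that was a name, where "could not resolve name to a SID in a trusted domain" would tell the user what actually happened. Nothing here catches errors raised during resolution either: as the traceback later in this thread shows, a SASL/GSSAPI failure inside get_sid_trusted_domain_object() propagates out of group_add_member as an unhandled exception instead of being reported as a failed member, so wrap the call and append to failed_sids with the reason.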
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 
44679e7a26c2fd70dc5ad25b312ccfd363df15a7..1e2fc0684484bd962f21c6ad0695d5d52054
 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -78,24 +78,23 @@ should be included into one of local POSIX groups.
 
 Example:
 
-1. Make note of the trusted domain security identifier
-
-   domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: -f2`
-
-2. Create group for the trusted domain admins' mapping and their local POSIX 
group:
+1. Create group for the trusted domain admins' mapping and their local POSIX 
group:
 
ipa group-add --desc='ad.domain admins external map' ad_admins_external 
--external
ipa group-add --desc='ad.domain admins' ad_admins
 
-3. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
-   group (security identifier of ad.domain SID-512 is Domain Admins group):
+2. Add security identifier of Domain Admins 
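Review bot: the hunk is cut off in the archive after "+2. Add security identifier of Domain Admins", so only the removed text can be reviewed here; note that this copy of the example said "SID-512 is Domain Admins group" while the group.py copy said 513, so once the replacement text is complete please check that the two docstrings are identical, or better, keep one copy and reference it from the other so they cannot drift apart again.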

Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-30 Thread Simo Sorce
On Tue, 2012-10-30 at 06:50 +0200, Alexander Bokovoy wrote:
 I remember in my case that was the issue, i.e. finddc did discover
 the proper DC via DNS and returned winda.ad.local, but something within
 the SASL/krb5 library wanted to see a reverse lookup working, which was not
 set up at that point.
 

I was able to get it to work with this patch on top of yours:

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 2c53faf..c619188 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -257,7 +257,7 @@ class DomainValidator(object):
 return clear
 
 def __kinit_as_trusted_account(self, info, password):
-ccache_name = /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN
+ccache_name = /var/run/ipa_memcached/krb5cc_TRUSTEDDOMAIN
 principal = '%s$@%s' % (self.flatname, info['dns_domain'].upper())
 (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', 
principal],

env={'KRB5CCNAME':ccache_name},
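Review bot: changing the directory matches where the per-request caches already live (the traceback shows them as FILE:/var/run/ipa_memcached/krbcc_<pid>), but the file name is still the literal 'krb5cc_TRUSTEDDOMAIN' rather than one derived from info['dns_domain'], so two trusted domains would share one ccache and overwrite each other's TGT; build the name from the domain (the v2 commit message already says krb5cc_TDdomain). Also, the release_ipa_ccache error in the traceback compares the process-wide KRB5CCNAME, so whatever sets KRB5CCNAME for the GC bind must restore the previous value in a finally block rather than only passing env= to kinit.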
@@ -271,6 +271,7 @@ class DomainValidator(object):
 if auth:
 (ccache_name, principal) = self.__kinit_as_trusted_account(info, 
auth)
 if ccache_name:
+conn.set_option(_ldap._ldap.OPT_X_SASL_NOCANON, _ldap.OPT_ON)
 cb_info = dict()
 # pass empty dict, SASL GSSAPI is able to get all from the 
ccache
 sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
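Review bot: '_ldap._ldap.OPT_X_SASL_NOCANON' reaches into the C extension through the ldap package's private attribute while '_ldap.OPT_ON' on the same line uses the public name; use '_ldap.OPT_X_SASL_NOCANON' where the installed python-ldap exports it and fall back to getattr(_ldap, 'OPT_X_SASL_NOCANON', None), skipping the option when it is absent, so the code does not break on other python-ldap versions. A one-line comment would also help here: the option stops libldap from replacing the DC name returned by finddc with its PTR record before building the GSSAPI target principal, which is both what fixed the "Cannot determine realm for numeric host address" failure and the safer behaviour, since the reverse zone is not under our control.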


If you are OK with the changes, can you merge it in and send a new
patch?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

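The release_ipa_ccache error Simo hit (KRB5CCNAME left pointing at the trusted-domain cache instead of the request's own krbcc_<pid>) is a cleanup problem as much as a path problem. As an added illustration, not code from the patch or from FreeIPA, the Python 3 block below derives the ccache name from the trusted domain's DNS name and wraps the switch of KRB5CCNAME in a context manager that restores it even when the bind raises. CCACHE_DIR, the bind callable and the domain name are assumptions chosen to match the paths in the thread; the kinit and SASL bind themselves are passed in as a callable so the block runs without a KDC.

```python
import os
import re
from contextlib import contextmanager

# Assumption: the ccache directory the thread settles on (where the per-request
# krbcc_<pid> caches in the traceback also live).
CCACHE_DIR = "/var/run/ipa_memcached"

def trusted_domain_ccache(dns_domain):
    """Per-trusted-domain ccache, e.g. FILE:/var/run/ipa_memcached/krb5cc_AD.EXAMPLE.COM.

    Deriving the name from the domain instead of a fixed literal keeps two trusted
    domains from overwriting each other's TGT; anything outside [A-Z0-9.-] is dropped
    so the domain string cannot carry a path separator into the file name.
    """
    safe = re.sub(r"[^A-Z0-9.-]", "", dns_domain.upper())
    if not safe.strip(".-"):
        raise ValueError("unusable trusted domain name: %r" % dns_domain)
    return "FILE:%s/krb5cc_%s" % (CCACHE_DIR, safe)

@contextmanager
def krb5ccname(ccache):
    """Point the process-wide KRB5CCNAME at ccache for the block and always put it back.

    The restore runs on the exception path too, which is the case the
    release_ipa_ccache error in the thread hits: the GC bind fails, KRB5CCNAME is left
    pointing at the trusted-domain cache, and the per-request cleanup then sees a
    name it does not own.
    """
    saved = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = ccache
    try:
        yield ccache
    finally:
        if saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = saved

def resolve_with_trusted_ccache(dns_domain, bind_and_search):
    """Run bind_and_search(ccache) with KRB5CCNAME switched to the trusted-domain cache.

    bind_and_search is a hypothetical callable standing in for kinit + SASL GSSAPI
    bind + GC search; it is passed in rather than implemented here.
    """
    with krb5ccname(trusted_domain_ccache(dns_domain)) as ccache:
        return bind_and_search(ccache)

def demo():
    """Exercise the success and failure paths and report what KRB5CCNAME looked like."""
    original = os.environ.get("KRB5CCNAME")
    request_cache = "FILE:%s/krbcc_20825" % CCACHE_DIR  # per-request cache, as in the log
    os.environ["KRB5CCNAME"] = request_cache
    seen = []
    try:
        sid = resolve_with_trusted_ccache("ad.example.com",
                                          lambda cc: seen.append(cc) or "S-1-5-21-1-2-3-512")
        after_ok = os.environ["KRB5CCNAME"]

        def failing_bind(cc):
            raise RuntimeError("SASL(-1): generic failure")  # constructed, mirrors the thread's error

        try:
            resolve_with_trusted_ccache("ad.example.com", failing_bind)
            raised = False
        except RuntimeError:
            raised = True
        after_fail = os.environ["KRB5CCNAME"]
    finally:
        if original is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = original
    return {"ccache": seen[0], "sid": sid, "after_ok": after_ok, "raised": raised,
            "after_fail": after_fail,
            "restored": after_ok == request_cache and after_fail == request_cache}

if __name__ == "__main__":
    print(demo())
```

The same pattern applies if the real code sets KRB5CCNAME only for the kinit subprocess via env=: the SASL bind still reads the process environment, so the switch and the restore have to bracket the bind, not just the kinit.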


[Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-29 Thread Alexander Bokovoy
The sequence is as follows:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with 
principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID

https://fedorahosted.org/freeipa/ticket/3211
---
 ipalib/plugins/group.py|  32 +
 ipaserver/dcerpc.py| 172 +
 ipaserver/plugins/ldap2.py |   3 +
 3 files changed, 181 insertions(+), 26 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 
a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef
 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -83,28 +83,30 @@ External members should be added to groups that 
specifically created as
 external and non-POSIX. Such group later should be included into one of POSIX
 groups.
 
-An external group member is currently a Security Identifier as defined by
-the trusted domain.
+An external group member is currently a Security Identifier (SID) as defined by
+the trusted domain. When adding external group members, it is possible to
+specify them in either SID, or DOM\\name, or name@domain format. IPA will 
attempt
+to resolve passed name to SID with the use of Global Catalog of the trusted 
domain.
 
 Example:
 
-1. Make note of the trusted domain security identifier
-
-   domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: -f2`
-
-2. Create group for the trusted domain admins' mapping and their local POSIX 
group:
+1. Create group for the trusted domain admins' mapping and their local POSIX 
group:
 
ipa group-add --desc='ad.domain admins external map' ad_admins_external 
--external
ipa group-add --desc='ad.domain admins' ad_admins
 
-3. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
-   group (security identifier of ad.domain SID-513 is Domain Admins group):
+2. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
+   group:
 
-   ipa group-add-member ad_admins_external --external ${domainsid}-513
+   ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
 
-4. Allow members of ad_admins_external group to be associated with ad_admins 
POSIX group:
+3. Allow members of ad_admins_external group to be associated with ad_admins 
POSIX group:
 
ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their 
SIDs:
+
+   ipa group-show ad_admins_external
 )
 
 PROTECTED_GROUPS = (u'admins', u'trust admins', u'default smb group')
@@ -165,7 +167,7 @@ api.register(group)
 ipaexternalmember_param = Str('ipaexternalmember*',
 cli_name='external',
 label=_('External member'),
-doc=_('comma-separated SIDs of members of a trusted domain'),
+doc=_('comma-separated list of members of a trusted domain in 
DOM\\name or name@domain form'),
 csv=True,
 flags=['no_create', 'no_update', 'no_search'],
 )
@@ -382,7 +384,11 @@ class group_add_member(LDAPAddMember):
 if domain_validator.is_trusted_sid_valid(sid):
 sids.append(sid)
 else:
-failed_sids.append((sid, 'Not a trusted domain SID'))
+actual_sid = 
domain_validator.get_sid_trusted_domain_object(sid)
+if isinstance(actual_sid, unicode):
+sids.append(actual_sid)
+else:
+failed_sids.append((sid, 'Not a trusted domain SID'))
 if len(sids) == 0:
 raise errors.ValidationError(name=_('external member'),
  error=_('values are not 
recognized as valid SIDs from trusted domain'))
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 
c40313a697fa6ff842129944b7ad9c1f5fc14a77..2c53fafe532414a3ad6624a3583cf3f853ccc72c
 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -29,6 +29,7 @@ from ipalib import Command
 from ipalib import errors
 from ipapython import ipautil
 from ipapython.ipa_log_manager import *
+from ipapython.dn import DN
 from ipaserver.install import installutils
 
 import os, string, struct, copy
@@ -46,6 +47,7 @@ try:
 except ImportError:
 from ldap.controls import LDAPControl as LDAPControl#pylint: 
disable=F0401
 import ldap as _ldap
+from ipaserver.ipaldap import IPAdmin
 
 __doc__ = _(
 Classes to manage trust joins using DCE-RPC calls
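Review bot: 'from ipaserver.ipaldap import IPAdmin' lands after the third-party 'import ldap as _ldap' instead of next to the other ipaserver import ('from ipaserver.install import installutils' in the hunk above); move it there. Also consider whether IPAdmin, which carries IPA-specific connection setup, is needed for a read-only GSSAPI bind against a foreign Global Catalog, or whether a plain python-ldap connection with sasl_interactive_bind_s is enough.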
@@ -102,6 +104,8 @@ class DomainValidator(object):
 ATTR_FLATNAME = 'ipantflatname'
 ATTR_SID = 'ipantsecurityidentifier'
 ATTR_TRUSTED_SID = 'ipanttrusteddomainsid'
+ATTR_TRUST_PARTNER = 

Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-29 Thread Simo Sorce
On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
 The sequence is as follows:
 1. Match external member against existing trusted domain
 2. Find trusted domain's domain controller
 3. Fetch trusted domain account auth info
 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with 
 principal ourdomain$@trusted.domain
 5. Do LDAP SASL interactive bind using the ccache
 6. Search for the member's SID
 7. Decode SID
 8. Replace external member name by SID
 
 https://fedorahosted.org/freeipa/ticket/3211
 ---
  ipalib/plugins/group.py|  32 +
  ipaserver/dcerpc.py| 172 
 +
  ipaserver/plugins/ldap2.py |   3 +
  3 files changed, 181 insertions(+), 26 deletions(-)
 
 diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
 index 
 a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef
  100644
 --- a/ipalib/plugins/group.py
 +++ b/ipalib/plugins/group.py
 @@ -83,28 +83,30 @@ External members should be added to groups that 
 specifically created as
  external and non-POSIX. Such group later should be included into one of POSIX
  groups.
  
 -An external group member is currently a Security Identifier as defined by
 -the trusted domain.
 +An external group member is currently a Security Identifier (SID) as defined 
 by
 +the trusted domain. When adding external group members, it is possible to
 +specify them in either SID, or DOM\\name, or name@domain format. IPA will 
 attempt
 +to resolve passed name to SID with the use of Global Catalog of the trusted 
 domain.
  
  Example:
  
 -1. Make note of the trusted domain security identifier
 -
 -   domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: -f2`
 -
 -2. Create group for the trusted domain admins' mapping and their local POSIX 
 group:
 +1. Create group for the trusted domain admins' mapping and their local POSIX 
 group:
  
 ipa group-add --desc='ad.domain admins external map' ad_admins_external 
 --external
 ipa group-add --desc='ad.domain admins' ad_admins
  
 -3. Add security identifier of Domain Admins of the ad.domain to the 
 ad_admins_external
 -   group (security identifier of ad.domain SID-513 is Domain Admins group):
 +2. Add security identifier of Domain Admins of the ad.domain to the 
 ad_admins_external
 +   group:
  
 -   ipa group-add-member ad_admins_external --external ${domainsid}-513
 +   ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
  
 -4. Allow members of ad_admins_external group to be associated with ad_admins 
 POSIX group:
 +3. Allow members of ad_admins_external group to be associated with ad_admins 
 POSIX group:
  
 ipa group-add-member ad_admins --groups ad_admins_external
 +
 +4. List members of external members of ad_admins_external group to see their 
 SIDs:
 +
 +   ipa group-show ad_admins_external
  )

A similar text is shown when you run ipa help trust; I guess
you should change that one too.



I am trying to add a Windows group now and getting this trace in my HTTP
server:

[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME
environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi 
(pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most 
recent call last):
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/share/ipa/wsgi.py, line 49, in application
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
api.Backend.wsgi_dispatch(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 248, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
self.route(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 260, in route
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
app(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 1158, in 
__call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = 
super(xmlserver_session, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 707, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = 
super(xmlserver, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 375, in 

Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-29 Thread Alexander Bokovoy

On Mon, 29 Oct 2012, Simo Sorce wrote:

On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:

The sequence is as follows:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with 
principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID

https://fedorahosted.org/freeipa/ticket/3211
---
 ipalib/plugins/group.py|  32 +
 ipaserver/dcerpc.py| 172 +
 ipaserver/plugins/ldap2.py |   3 +
 3 files changed, 181 insertions(+), 26 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 
a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef
 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -83,28 +83,30 @@ External members should be added to groups that 
specifically created as
 external and non-POSIX. Such group later should be included into one of POSIX
 groups.

-An external group member is currently a Security Identifier as defined by
-the trusted domain.
+An external group member is currently a Security Identifier (SID) as defined by
+the trusted domain. When adding external group members, it is possible to
+specify them in either SID, or DOM\\name, or name@domain format. IPA will 
attempt
+to resolve passed name to SID with the use of Global Catalog of the trusted 
domain.

 Example:

-1. Make note of the trusted domain security identifier
-
-   domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: -f2`
-
-2. Create group for the trusted domain admins' mapping and their local POSIX 
group:
+1. Create group for the trusted domain admins' mapping and their local POSIX 
group:

ipa group-add --desc='ad.domain admins external map' ad_admins_external 
--external
ipa group-add --desc='ad.domain admins' ad_admins

-3. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
-   group (security identifier of ad.domain SID-513 is Domain Admins group):
+2. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
+   group:

-   ipa group-add-member ad_admins_external --external ${domainsid}-513
+   ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'

-4. Allow members of ad_admins_external group to be associated with ad_admins 
POSIX group:
+3. Allow members of ad_admins_external group to be associated with ad_admins 
POSIX group:

ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to see their 
SIDs:
+
+   ipa group-show ad_admins_external
 )


A similar text is shown when you run ipa help trust; I guess
you should change that one too.

Right. I'll fix that.



I am trying to add a Windows group now and getting this trace in my HTTP
server:

[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME
environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi 
(pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most 
recent call last):
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/share/ipa/wsgi.py, line 49, in application
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
api.Backend.wsgi_dispatch(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 248, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
self.route(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 260, in route
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
app(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 1158, in 
__call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = 
super(xmlserver_session, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 707, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = 
super(xmlserver, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 375, in __call__
[Mon Oct 29 

Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-29 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Mon, 29 Oct 2012, Simo Sorce wrote:

On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:

The sequence is as follows:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN
with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID

https://fedorahosted.org/freeipa/ticket/3211
---
 ipalib/plugins/group.py|  32 +
 ipaserver/dcerpc.py| 172
+
 ipaserver/plugins/ldap2.py |   3 +
 3 files changed, 181 insertions(+), 26 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index
a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef
100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -83,28 +83,30 @@ External members should be added to groups that
specifically created as
 external and non-POSIX. Such group later should be included into one
of POSIX
 groups.

-An external group member is currently a Security Identifier as
defined by
-the trusted domain.
+An external group member is currently a Security Identifier (SID) as
defined by
+the trusted domain. When adding external group members, it is
possible to
+specify them in either SID, or DOM\\name, or name@domain format. IPA
will attempt
+to resolve passed name to SID with the use of Global Catalog of the
trusted domain.

 Example:

-1. Make note of the trusted domain security identifier
-
-   domainsid = `ipa trust-show ad.domain | grep Identifier | cut
-d: -f2`
-
-2. Create group for the trusted domain admins' mapping and their
local POSIX group:
+1. Create group for the trusted domain admins' mapping and their
local POSIX group:

ipa group-add --desc='ad.domain admins external map'
ad_admins_external --external
ipa group-add --desc='ad.domain admins' ad_admins

-3. Add security identifier of Domain Admins of the ad.domain to
the ad_admins_external
-   group (security identifier of ad.domain SID-513 is Domain
Admins group):
+2. Add security identifier of Domain Admins of the ad.domain to
the ad_admins_external
+   group:

-   ipa group-add-member ad_admins_external --external ${domainsid}-513
+   ipa group-add-member ad_admins_external --external 'AD\\Domain
Admins'

-4. Allow members of ad_admins_external group to be associated with
ad_admins POSIX group:
+3. Allow members of ad_admins_external group to be associated with
ad_admins POSIX group:

ipa group-add-member ad_admins --groups ad_admins_external
+
+4. List members of external members of ad_admins_external group to
see their SIDs:
+
+   ipa group-show ad_admins_external
 )


A similar text is shown when you run ipa help trust; I guess
you should change that one too.

Right. I'll fix that.



I am trying to add a Windows group now and getting this trace in my HTTP
server:

[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME
environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi
(pid=20825): Exception occurred processing WSGI script
'/usr/share/ipa/wsgi.py'.
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback
(most recent call last):
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/share/ipa/wsgi.py, line 49, in application
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
api.Backend.wsgi_dispatch(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 248,
in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
self.route(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 260,
in route
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
app(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 1158,
in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
response = super(xmlserver_session, self).__call__(environ,
start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 707,
in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
response = super(xmlserver, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 375,
in __call__
[Mon Oct 29 16:15:33 2012] 

Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-29 Thread Alexander Bokovoy

On Mon, 29 Oct 2012, Rob Crittenden wrote:

[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line
562, in sasl_interactive_bind_s
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
sasl_flags)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 229, in
sasl_interactive_bind_s
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)

[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
/usr/lib64/python2.7/site-packages/ldap/ldapobject.py, line 99, in
_ldap_call
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] result
= func(*args,**kwargs)



[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information
(Cannot determine realm for numeric host address)', 'desc': 'Local
error'}

Somehow name resolution failed for you -- you probably need to restart
named before it actually starts working. I had similar issues with
caching of forwarder rules.



Should we catch sasl exceptions?

Yes, we should. I'm not sure how to present them to the user, though.
The actual outcome is that we were unable to resolve the referenced external
user or group and thus would not add it to the list of external members.
I.e., the command should fail, but what error message should be displayed,
since the user is unable to affect the situation anyway: we are using the
trust password to auth against the GC, and if that doesn't work, the whole
trust does not work either.

For cases like the above ('Cannot determine realm for numeric host
address'), we would need to map it to a misconfiguration and explain what
to fix. This step is rather open right now, since we don't really know
why it fails (barring DNS issues).


--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-29 Thread Simo Sorce
On Mon, 2012-10-29 at 23:03 +0200, Alexander Bokovoy wrote:
 On Mon, 29 Oct 2012, Simo Sorce wrote:
 On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
  The sequence is as follows:
  1. Match external member against existing trusted domain
  2. Find trusted domain's domain controller
  3. Fetch trusted domain account auth info
  4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with 
  principal ourdomain$@trusted.domain
  5. Do LDAP SASL interactive bind using the ccache
  6. Search for the member's SID
  7. Decode SID
  8. Replace external member name by SID
 
  https://fedorahosted.org/freeipa/ticket/3211
  ---
   ipalib/plugins/group.py|  32 +
   ipaserver/dcerpc.py| 172 
  +
   ipaserver/plugins/ldap2.py |   3 +
   3 files changed, 181 insertions(+), 26 deletions(-)
 
  diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
  index 
  a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef
   100644
  --- a/ipalib/plugins/group.py
  +++ b/ipalib/plugins/group.py
  @@ -83,28 +83,30 @@ External members should be added to groups that 
  specifically created as
   external and non-POSIX. Such group later should be included into one of 
  POSIX
   groups.
 
  -An external group member is currently a Security Identifier as defined by
  -the trusted domain.
  +An external group member is currently a Security Identifier (SID) as 
  defined by
  +the trusted domain. When adding external group members, it is possible to
  +specify them in either SID, or DOM\\name, or name@domain format. IPA will 
  attempt
  +to resolve passed name to SID with the use of Global Catalog of the 
  trusted domain.
 
   Example:
 
  -1. Make note of the trusted domain security identifier
  -
  -   domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: 
  -f2`
  -
  -2. Create group for the trusted domain admins' mapping and their local 
  POSIX group:
  +1. Create group for the trusted domain admins' mapping and their local 
  POSIX group:
 
  ipa group-add --desc='ad.domain admins external map' 
  ad_admins_external --external
  ipa group-add --desc='ad.domain admins' ad_admins
 
  -3. Add security identifier of Domain Admins of the ad.domain to the 
  ad_admins_external
  -   group (security identifier of ad.domain SID-513 is Domain Admins 
  group):
  +2. Add security identifier of Domain Admins of the ad.domain to the 
  ad_admins_external
  +   group:
 
  -   ipa group-add-member ad_admins_external --external ${domainsid}-513
  +   ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
 
  -4. Allow members of ad_admins_external group to be associated with 
  ad_admins POSIX group:
  +3. Allow members of ad_admins_external group to be associated with 
  ad_admins POSIX group:
 
  ipa group-add-member ad_admins --groups ad_admins_external
  +
  +4. List members of external members of ad_admins_external group to see 
  their SIDs:
  +
  +   ipa group-show ad_admins_external
   )
 
 A text similar to this is available when you run ipa help trust, I guess
 you should change that one too.
 Right. I'll fix that.
 
 
I am trying to add a Windows group now and getting this trace in my http
server:
 
 [Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache:
 ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME
 environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi 
 (pid=20825): Exception occurred processing WSGI script 
 '/usr/share/ipa/wsgi.py'.
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most 
 recent call last):
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
 /usr/share/ipa/wsgi.py, line 49, in application
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
 api.Backend.wsgi_dispatch(environ, start_response)
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
 /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 248, in 
 __call__
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
 self.route(environ, start_response)
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
 /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 260, in route
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
 app(environ, start_response)
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
 /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 1158, in 
 __call__
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = 
 super(xmlserver_session, self).__call__(environ, start_response)
 [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
 /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 707, in 
 __call__
 [Mon Oct 29 16:15:33 2012] [error] [client 

Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

2012-10-29 Thread Alexander Bokovoy

On Mon, 29 Oct 2012, Simo Sorce wrote:

On Mon, 2012-10-29 at 23:03 +0200, Alexander Bokovoy wrote:

On Mon, 29 Oct 2012, Simo Sorce wrote:
On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
 A sequence is following:
 1. Match external member against existing trusted domain
 2. Find trusted domain's domain controller
 3. Fetch trusted domain account auth info
 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with 
principal ourdomain$@trusted.domain
 5. Do LDAP SASL interactive bind using the ccache
 6. Search for the member's SID
 7. Decode SID
 8. Replace external member name by SID

 https://fedorahosted.org/freeipa/ticket/3211
 ---
  ipalib/plugins/group.py|  32 +
  ipaserver/dcerpc.py| 172 
+
  ipaserver/plugins/ldap2.py |   3 +
  3 files changed, 181 insertions(+), 26 deletions(-)

 diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
 index 
a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef 
100644
 --- a/ipalib/plugins/group.py
 +++ b/ipalib/plugins/group.py
 @@ -83,28 +83,30 @@ External members should be added to groups that 
specifically created as
  external and non-POSIX. Such group later should be included into one of 
POSIX
  groups.

 -An external group member is currently a Security Identifier as defined by
 -the trusted domain.
 +An external group member is currently a Security Identifier (SID) as 
defined by
 +the trusted domain. When adding external group members, it is possible to
 +specify them in either SID, or DOM\\name, or name@domain format. IPA will 
attempt
 +to resolve passed name to SID with the use of Global Catalog of the trusted 
domain.

  Example:

 -1. Make note of the trusted domain security identifier
 -
 -   domainsid = `ipa trust-show ad.domain | grep Identifier | cut -d: -f2`
 -
 -2. Create group for the trusted domain admins' mapping and their local 
POSIX group:
 +1. Create group for the trusted domain admins' mapping and their local 
POSIX group:

 ipa group-add --desc='ad.domain admins external map' 
ad_admins_external --external
 ipa group-add --desc='ad.domain admins' ad_admins

 -3. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
 -   group (security identifier of ad.domain SID-513 is Domain Admins 
group):
 +2. Add security identifier of Domain Admins of the ad.domain to the 
ad_admins_external
 +   group:

 -   ipa group-add-member ad_admins_external --external ${domainsid}-513
 +   ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'

 -4. Allow members of ad_admins_external group to be associated with 
ad_admins POSIX group:
 +3. Allow members of ad_admins_external group to be associated with 
ad_admins POSIX group:

 ipa group-add-member ad_admins --groups ad_admins_external
 +
 +4. List members of external members of ad_admins_external group to see 
their SIDs:
 +
 +   ipa group-show ad_admins_external
  )
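Review bot: the wording of the new step 4 in this docstring hunk is garbled: "List members of external members of ad_admins_external group to see their SIDs" should read "List the external members of the ad_admins_external group to see their SIDs". In the same hunk, the new paragraph says IPA "will attempt to resolve passed name to SID" for DOM\\name and name@domain input, but does not say what the command does when the Global Catalog lookup fails or returns no match; since the preceding sentence states that an external member is a SID, one sentence stating whether an unresolvable name is rejected or stored unresolved would save admins from guessing what ends up in the group.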

A text similar to this is available when you run ipa help trust, I guess
you should change that one too.
Right. I'll fix that.


I am trying to add a Windows group now and getting this trace in my http
server:

[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME
environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi 
(pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most 
recent call last):
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/share/ipa/wsgi.py, line 49, in application
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
api.Backend.wsgi_dispatch(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 248, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
self.route(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 260, in route
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return 
app(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 1158, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = 
super(xmlserver_session, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File 
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 707, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = 
super(xmlserver, self).__call__(environ, start_response)
[Mon Oct 29
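Two pieces of the sequence in the commit message, step 1 (match the external member against a trusted domain) and step 7 (decode the SID returned by the Global Catalog search), together with the three input formats the new group.py text documents (SID, DOM\name, name@domain), as an added worked example. This is illustration code written for this thread, not code from the patch or from FreeIPA's dcerpc.py; it assumes Python 3, the binary objectSid layout that Active Directory returns over LDAP, and a constructed list of trusted domains with made-up names and a made-up domain SID.

```python
import re
import struct

# Textual SID: "S-1-<authority>-<sub>-<sub>..."; the revision is always 1.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def decode_sid(blob):
    """Decode a binary objectSid value into its textual S-1-... form (step 7).

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 4-byte
    little-endian sub-authorities. Malformed or truncated values are
    rejected rather than silently producing a SID that matches nothing.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = struct.unpack_from("BB", blob, 0)
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid):
    """Inverse of decode_sid; used here only to build sample objectSid blobs."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def classify_external_member(value):
    """Classify a value given to --external the way the new group.py text
    describes it: a SID is usable as-is, DOM\\name and name@domain must be
    resolved through the trusted domain's Global Catalog.

    Returns ("sid", sid) or ("name", domain, name).
    """
    if SID_RE.match(value):
        return ("sid", value)
    if "\\" in value:
        domain, _, name = value.partition("\\")
    elif "@" in value:
        name, _, domain = value.rpartition("@")
    else:
        raise ValueError(
            "external member must be a SID, DOM\\name or name@domain: %r" % value)
    if not domain or not name:
        raise ValueError("empty domain or name in %r" % value)
    return ("name", domain, name)


def match_trusted_domain(domain, trusted_domains):
    """Step 1: case-insensitively match the domain part of a DOM\\name or
    name@domain value against the known trusted domains. Each trusted domain
    is a dict with "dns" and "netbios" keys (a constructed shape for this
    example, not IPA's own trust representation). Returns the matching
    entry or None, so an unknown domain is never resolved anywhere.
    """
    wanted = domain.lower()
    for td in trusted_domains:
        if wanted in (td["dns"].lower(), td["netbios"].lower()):
            return td
    return None


# Constructed sample data: one trusted domain with a made-up domain SID; 513 is
# the well-known RID of the Domain Admins group.
TRUSTED = [{"dns": "ad.example.test", "netbios": "AD",
            "sid": "S-1-5-21-1004336348-1177238915-682003330"}]
SAMPLE_OBJECTSID = encode_sid(TRUSTED[0]["sid"] + "-513")


if __name__ == "__main__":
    for v in ("AD\\Domain Admins", "Domain Admins@ad.example.test",
              TRUSTED[0]["sid"] + "-513"):
        print(v, "->", classify_external_member(v))
    print("decoded objectSid:", decode_sid(SAMPLE_OBJECTSID))
```

The decoder checks the declared sub-authority count against the blob length before unpacking, which is the check that matters when the value comes from a directory outside the IPA domain: a short or oversized objectSid should fail loudly at step 7 instead of yielding a SID that is later stored as an external member.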