Re: [Freeipa-devel] [PATCH] 0100 Enumerate UPN suffixes in ipasam
On 03/27/2013 12:46 PM, Sumit Bose wrote: On Wed, Mar 27, 2013 at 12:53:18PM +0200, Alexander Bokovoy wrote: Hi, On Wed, 27 Mar 2013, Sumit Bose wrote: Additionally, you can request Windows to update list of name suffixes via UI. Here is how it looks in Windows 2012 Server: http://abbra.fedorapeople.org/.paste/win2012-multiple-suffixes.png Part of ticket https://fedorahosted.org/freeipa/ticket/2848 I've tested the attached patch with the samba packages mentioned above and everything works as expect. As can be seen in the figure Alexander linked above the new suffixes are disabled by default on the Windows side. This is expected and exactly the same behaviour can be found in AD-AD trusts. Nevertheless it would be good if you can make sure this behaviour is explicitly mentioned e.g. in the design page or other documents to avoid confusion when this feature is tested by others. I'll add that, thanks for reminding. Review comments are in-line. bye, + + /* Since associatedDomain has attributeType MUST, there must be at least one domain */ + for (i = 0; i count ; i++) { + if (strcmp(ldap_state-domain_name, domains[i]) == 0) { + break; + } + } Since we area handling DNS domain names here strcasecmp() would be more fault tolerant? OTOH I think mixed cases here can only happen if some modifies IPA LDAP object manually. Technically it should be something that does utf-8 caseless lookups. We can go with strcasecmp as it is for time being, I'll add TODO there for future IDN handling. yes, good idea New patch attached. Survives Windows 2012 testing. Survives my testing with 2008 as well. ACK. bye, Sumit Also survived my testing without support of PASSDB API in samba (i.e. did not crash or disable existing functionality). Pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0100 Enumerate UPN suffixes in ipasam
On Mon, Mar 25, 2013 at 08:07:44PM +0200, Alexander Bokovoy wrote: Hi, following patch allows to enumerate UPN suffixes associated with IPA domain and make them available to AD domain we trust. The patch relies on PASSDB API expansion I'm working on and as such requires Samba built with the change. You can find F18 scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=5168969, these patches will be submitted to Samba upstream this week. In the patch I'm filtering out our own DNS domain since its value will be added by Samba by default -- if PASSDB module does not provide the function, its absence will be ignored in the new API. Filtering out is done by freeing the string and moving empty item to last position in the array, reducing the array size but not resizing it -- talloc will hardly win anything from resizing one (char *) pointer and actual lifetime of the array is until the packet is sent so it is acceptable. In order to test the patch, you need updated Samba, then rebuild FreeIPA packages. Once installed and configured, UPN suffixes can be managed via 'ipa realmdomains-mod --{add,dell}-domain' commands. These domains will be exposed to Windows. When you added realm domains, an attempt to establish trust will cause Windows to ask for name suffixes and Samba will serve expanded list of them via netr_GetTrustInformation (opnum 44). In Samba code I've also implemented partially opnum 43 which is giving out the same information via DsRGetTrustInformation but so far Windows AD DC haven't actually tried to use opnum 43. Additionally, you can request Windows to update list of name suffixes via UI. Here is how it looks in Windows 2012 Server: http://abbra.fedorapeople.org/.paste/win2012-multiple-suffixes.png Part of ticket https://fedorahosted.org/freeipa/ticket/2848 I've tested the attached patch with the samba packages mentioned above and everything works as expect. As can be seen in the figure Alexander linked above the new suffixes are disabled by default on the Windows side. This is expected and exactly the same behaviour can be found in AD-AD trusts. Nevertheless it would be good if you can make sure this behaviour is explicitly mentioned e.g. in the design page or other documents to avoid confusion when this feature is tested by others. Review comments are in-line. bye, Sumit -- / Alexander Bokovoy From f400d55eaec99b3e5440e90b6a6d055e26529e7e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 22 Mar 2013 17:30:41 +0200 Subject: [PATCH 2/2] ipasam: add enumeration of UPN suffixes based on the realm domains PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow to pass through list of realm domains as UPN suffixes so that Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT. Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes. Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes(). Part of https://fedorahosted.org/freeipa/ticket/2848 --- daemons/configure.ac | 10 +++ daemons/ipa-sam/ipa_sam.c | 172 -- 2 files changed, 177 insertions(+), 5 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index d3b6b19..14dc04e 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -252,6 +252,16 @@ AC_CHECK_LIB([wbclient], [$SAMBA40EXTRA_LIBPATH]) AC_SUBST(WBCLIENT_LIBS) +AC_CHECK_LIB([pdb], + [make_pdb_method], + [HAVE_LIBPDB=1], + [AC_MSG_ERROR([libpdb does not have make_pdb_method])], + [$SAMBA40EXTRA_LIBPATH]) +AC_CHECK_LIB([pdb],[pdb_enum_upn_suffixes], + [AC_DEFINE([HAVE_PDB_ENUM_UPN_SUFFIXES], [1], [Ability to enumerate UPN suffixes])], + [AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])], + [$SAMBA40EXTRA_LIBPATH]) any reason for the extra space in the indentation? + dnl --- dnl - Check for check unit test framework http://check.sourceforge.net/ dnl --- ... +static char **get_attribute_values(TALLOC_CTX *mem_ctx, LDAP *ldap_struct, +LDAPMessage *entry, const char *attribute, int *num_values) +{ + struct berval **values; + int count, i; + char **result = NULL; + size_t conv_size; + + if (attribute == NULL || entry == NULL) { + return NULL; + } + + values = ldap_get_values_len(ldap_struct, entry, attribute); + if (values == NULL) { +
Re: [Freeipa-devel] [PATCH] 0100 Enumerate UPN suffixes in ipasam
Hi, On Wed, 27 Mar 2013, Sumit Bose wrote: Additionally, you can request Windows to update list of name suffixes via UI. Here is how it looks in Windows 2012 Server: http://abbra.fedorapeople.org/.paste/win2012-multiple-suffixes.png Part of ticket https://fedorahosted.org/freeipa/ticket/2848 I've tested the attached patch with the samba packages mentioned above and everything works as expect. As can be seen in the figure Alexander linked above the new suffixes are disabled by default on the Windows side. This is expected and exactly the same behaviour can be found in AD-AD trusts. Nevertheless it would be good if you can make sure this behaviour is explicitly mentioned e.g. in the design page or other documents to avoid confusion when this feature is tested by others. I'll add that, thanks for reminding. Review comments are in-line. bye, Sumit -- / Alexander Bokovoy From f400d55eaec99b3e5440e90b6a6d055e26529e7e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 22 Mar 2013 17:30:41 +0200 Subject: [PATCH 2/2] ipasam: add enumeration of UPN suffixes based on the realm domains PASSDB API in Samba adds support for specifying UPN suffixes. The change in ipasam will allow to pass through list of realm domains as UPN suffixes so that Active Directory domain controller will be able to recognize non-primary UPN suffixes as belonging to IPA and properly find our KDC for cross-realm TGT. Since Samba already returns primary DNS domain separately, filter it out from list of UPN suffixes. Also enclose provider of UPN suffixes into #ifdef to support both Samba with and without pdb_enum_upn_suffixes(). Part of https://fedorahosted.org/freeipa/ticket/2848 --- daemons/configure.ac | 10 +++ daemons/ipa-sam/ipa_sam.c | 172 -- 2 files changed, 177 insertions(+), 5 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index d3b6b19..14dc04e 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -252,6 +252,16 @@ AC_CHECK_LIB([wbclient], [$SAMBA40EXTRA_LIBPATH]) AC_SUBST(WBCLIENT_LIBS) +AC_CHECK_LIB([pdb], + [make_pdb_method], + [HAVE_LIBPDB=1], + [AC_MSG_ERROR([libpdb does not have make_pdb_method])], + [$SAMBA40EXTRA_LIBPATH]) +AC_CHECK_LIB([pdb],[pdb_enum_upn_suffixes], + [AC_DEFINE([HAVE_PDB_ENUM_UPN_SUFFIXES], [1], [Ability to enumerate UPN suffixes])], + [AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])], + [$SAMBA40EXTRA_LIBPATH]) any reason for the extra space in the indentation? No :) + dnl --- dnl - Check for check unit test framework http://check.sourceforge.net/ dnl --- ... +static char **get_attribute_values(TALLOC_CTX *mem_ctx, LDAP *ldap_struct, + LDAPMessage *entry, const char *attribute, int *num_values) +{ + struct berval **values; + int count, i; + char **result = NULL; + size_t conv_size; + + if (attribute == NULL || entry == NULL) { + return NULL; + } + + values = ldap_get_values_len(ldap_struct, entry, attribute); + if (values == NULL) { + DEBUG(10, (Attribute [%s] not found.\n, attribute)); + return NULL; + } if ldap_get_values_len() returns NULL in the case of an error (according to the man page), if there are no attributes, an empty array is returned. This also means that count can be 0 below. I ended up specifically checking count to zero and returning before allocating values. +#ifdef HAVE_PDB_ENUM_UPN_SUFFIXES +static NTSTATUS ipasam_enum_upn_suffixes(struct pdb_methods *pdb_methods, +TALLOC_CTX *mem_ctx, +uint32_t *num_suffixes, +char ***suffixes) +{ + int ret; + LDAPMessage *result; + LDAPMessage *entry = NULL; + int count, i; + char *realmdomains_dn = NULL; + char **domains = NULL; + struct ldapsam_privates *ldap_state; + struct smbldap_state *smbldap_state; + const char *attr_list[] = { + associatedDomain, would you mind to #define attribute names and directory paths at the beginning of ipa_sam.c? Yes, I was wondering about that before. We have another places where we use associatedDomain now. I've moved all of them to defines. + NULL + }; + + if ((suffixes == NULL) || (num_suffixes == NULL)) { + return NT_STATUS_UNSUCCESSFUL; + } + + ldap_state = (struct ldapsam_privates *)pdb_methods-private_data; +
Re: [Freeipa-devel] [PATCH] 0100 Enumerate UPN suffixes in ipasam
On Wed, Mar 27, 2013 at 12:53:18PM +0200, Alexander Bokovoy wrote: Hi, On Wed, 27 Mar 2013, Sumit Bose wrote: Additionally, you can request Windows to update list of name suffixes via UI. Here is how it looks in Windows 2012 Server: http://abbra.fedorapeople.org/.paste/win2012-multiple-suffixes.png Part of ticket https://fedorahosted.org/freeipa/ticket/2848 I've tested the attached patch with the samba packages mentioned above and everything works as expect. As can be seen in the figure Alexander linked above the new suffixes are disabled by default on the Windows side. This is expected and exactly the same behaviour can be found in AD-AD trusts. Nevertheless it would be good if you can make sure this behaviour is explicitly mentioned e.g. in the design page or other documents to avoid confusion when this feature is tested by others. I'll add that, thanks for reminding. Review comments are in-line. bye, + + /* Since associatedDomain has attributeType MUST, there must be at least one domain */ + for (i = 0; i count ; i++) { + if (strcmp(ldap_state-domain_name, domains[i]) == 0) { + break; + } + } Since we area handling DNS domain names here strcasecmp() would be more fault tolerant? OTOH I think mixed cases here can only happen if some modifies IPA LDAP object manually. Technically it should be something that does utf-8 caseless lookups. We can go with strcasecmp as it is for time being, I'll add TODO there for future IDN handling. yes, good idea New patch attached. Survives Windows 2012 testing. Survives my testing with 2008 as well. ACK. bye, Sumit -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel