Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On Fri, 2013-11-29 at 22:34 +0200, Alexander Bokovoy wrote:
> On Fri, 29 Nov 2013, Simo Sorce wrote:
> > sorry if this has already been documented somewhere, but any reason why you
> > can't use Kerberos auth with the AD user ?
> I think I had some issues with that early in the development, cannot
> remember right now what was it. Can you file a ticket so that we look at
> refactoring it later?

Done.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On 11/29/2013 06:45 AM, Alexander Bokovoy wrote:
> So if we want to open a ticket, it should be a ticket to implement
> syncrepl protocol support in the DAL driver rather than any research.

If we open such ticket we need to tell the whole story and explain why.
Just having the RFE to switch DAL to syncrepl would not be enough
information during triage and later prioritization.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On Sun, 01 Dec 2013, Dmitri Pal wrote:
> On 11/29/2013 06:45 AM, Alexander Bokovoy wrote:
> > So if we want to open a ticket, it should be a ticket to implement
> > syncrepl protocol support in the DAL driver rather than any research.
> If we open such ticket we need to tell the whole story and explain why.
> Just having the RFE to switch DAL to syncrepl would not be enough
> information during triage and later prioritization.
There is actually one ticket: https://fedorahosted.org/freeipa/ticket/1302

It was filed before syncrepl appeared, I think.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On Thu, Nov 28, 2013 at 03:04:49PM +0200, Alexander Bokovoy wrote:
> On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
> > Hi!
> >
> > Attached patch should solve an issue when fetching subdomains fails
> > shortly after trust has been established due to MS-PAC caching effects on
> > KDC. We have already made an alternative path to use when AD admin
> > credentials are available but failed to actually use them here.
> >
> > Details in the patch.
> >
> > https://fedorahosted.org/freeipa/ticket/4046
> New version attached. It makes sure we use correct domain name when
> constructing credentials for NTLMSSP authentication if AD administrator
> credentials do not include one.
>
> Many thanks to Scott Poore who kindly provided Windows Server 2008R2
> setup which failed for the original case and also for the first version
> of this patch.
>
> -- 
> / Alexander Bokovoy

Patch makes sense and is working in my tests, so ACK. There are only two
cosmetic issues where I leave it up to you if they need fixing, see below.

It's a pity that we have to fall back to NTLMSSP, but currently I do not
see another solution as well. Do you think it would make sense to open a
ticket as a reminder to do some more research how this can be done with
Kerberos?

> that auth module believes these parameters were overidden by the user
> through the command line and ignore some of options. We have to do calls
> in the right order to forse NTLMSSP use instead of Kerberos.
                        ^

> Fixes https://fedorahosted.org/freeipa/ticket/4046
> ---
> ipalib/plugins/trust.py | 8 ++--
> ipaserver/dcerpc.py | 41 +++--
> 2 files changed, 33 insertions(+), 16 deletions(-)

> +if len(sp) == 1:
> +sp.insert(0, trustinstance.remote_domain.info['name'])
> +creds = u{name}%{password}.format(name=\\.join(sp), password=password)
                                                                       ^^

> +cr.set_workstation(domain_validator.flatname)
> +netrc = net.Net(creds=cr, lp=td.parm)
> +try:
> +result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
                                                                                        ^^^

I'm not sure about any policy related to long lines in python, but you
added 2 lines over 80 characters.

bye,
Sumit
Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On 11/29/2013 12:45 PM, Alexander Bokovoy wrote:
> On Fri, 29 Nov 2013, Sumit Bose wrote:
> > On Thu, Nov 28, 2013 at 03:04:49PM +0200, Alexander Bokovoy wrote:
> > > On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
> > > > Hi!
> > > >
> > > > Attached patch should solve an issue when fetching subdomains fails
> > > > shortly after trust has been established due to MS-PAC caching effects on
> > > > KDC. We have already made an alternative path to use when AD admin
> > > > credentials are available but failed to actually use them here.
> > > >
> > > > Details in the patch.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/4046
> > > New version attached. It makes sure we use correct domain name when
> > > constructing credentials for NTLMSSP authentication if AD administrator
> > > credentials do not include one.
> > >
> > > Many thanks to Scott Poore who kindly provided Windows Server 2008R2
> > > setup which failed for the original case and also for the first version
> > > of this patch.
> > >
> > > -- 
> > > / Alexander Bokovoy
> >
> > Patch makes sense and is working in my tests, so ACK. There are only two
> > cosmetic issues where I leave it up to you if they need fixing, see below.
> >
> > It's a pity that we have to fall back to NTLMSSP, but currently I do not
> > see another solution as well. Do you think it would make sense to open a
> > ticket as a reminder to do some more research how this can be done with
> > Kerberos?
> Well, we need to switch DAL driver implementation to syncrepl use, that
> would be our best solution for the case. All issues here are not really
> issues of communication with AD but the fact that we can't get MS-PAC to
> an HTTP service ticket immediately after we established trust without
> forcing DAL driver to update its view of the trusts.
>
> Since we have AD administrator credentials at the trust-add point, we
> simply use them, as we use them to establish trust. At this point we have
> sequence of three NTLMSSP authentication sessions: one for establishing
> trust, one for updating trust configuration afterwards, and one to fetch
> trust topology information.
>
> For trust-fetch-domains case, where we don't have AD administrator
> credentials, we rely on HTTP/ service ticket and that works fine once DAL
> driver is able to see newly established trust.
>
> So if we want to open a ticket, it should be a ticket to implement
> syncrepl protocol support in the DAL driver rather than any research.
>
> > > that auth module believes these parameters were overidden by the user
> > > through the command line and ignore some of options. We have to do calls
> > > in the right order to forse NTLMSSP use instead of Kerberos.
> >                         ^
> Thanks, fixed.
>
> > > Fixes https://fedorahosted.org/freeipa/ticket/4046
> > > ---
> > > ipalib/plugins/trust.py | 8 ++--
> > > ipaserver/dcerpc.py | 41 +++--
> > > 2 files changed, 33 insertions(+), 16 deletions(-)
> >
> > > +if len(sp) == 1:
> > > +sp.insert(0, trustinstance.remote_domain.info['name'])
> > > +creds = u{name}%{password}.format(name=\\.join(sp), password=password)
> >                                                                        ^^
> >
> > > +cr.set_workstation(domain_validator.flatname)
> > > +netrc = net.Net(creds=cr, lp=td.parm)
> > > +try:
> > > +result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
> >                                                                                         ^^^
> >
> > I'm not sure about any policy related to long lines in python, but you
> > added 2 lines over 80 characters.
> Fixed.

Sumit acked - pushed to master, ipa-3-3.

Martin
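The normalization discussed in this sub-thread (a realm_admin value with no domain gets the trusted domain prepended before a "name%password" string is handed to Samba) is modelled below as an added example; this is not FreeIPA or Samba code. It goes beyond the patch by also leaving user@REALM and DOMAIN/user forms alone, and its parser follows my reading of Samba's credential-string precedence ('%' first, then '@', then '\' or '/'); the function names and the AD.EXAMPLE domain are constructed for the example.

```python
# Added example, not FreeIPA or Samba code: a plain-Python model of the
# realm_admin normalisation that fetch_domains_from_trust() performs before
# handing a "name%password" string to Samba, plus a parser that splits such a
# string the way I read Samba's cli_credentials_parse_string() precedence
# ('%' first, then '@', then '\' or '/'). Function names and the AD.EXAMPLE
# domain are constructed for this example.
from collections import namedtuple

# domain/realm stay None when the name did not carry one
AdCredential = namedtuple("AdCredential", "domain realm user password")


def normalize_admin_name(admin_name, default_domain):
    """Return admin_name with a domain, as the patch does.

    DOMAIN\\user, DOMAIN/user and user@REALM already say where the account
    lives and are left alone; a bare user name gets default_domain (the
    trusted domain's info['name'] in the patch) prepended.
    """
    if not admin_name:
        raise ValueError("realm_admin is required when realm_passwd is given")
    if "\\" in admin_name or "/" in admin_name or "@" in admin_name:
        return admin_name
    return "\\".join((default_domain, admin_name))


def build_credential_string(admin_name, password, default_domain):
    """Build the 'name%password' string the patch passes to parse_string()."""
    name = normalize_admin_name(admin_name, default_domain)
    return "{name}%{password}".format(name=name, password=password)


def parse_credential_string(text):
    """Split 'name%password' the way the Samba credential parser does (model).

    Only the first '%' separates the password, so a '%' inside the password
    survives; '@' marks a Kerberos realm, '\\' or '/' a NetBIOS domain. A
    bare user name yields domain=None, which is exactly the case the patch
    avoids by prepending the trusted domain.
    """
    name, sep, password = text.partition("%")
    if not sep:
        password = None
    domain = realm = None
    if "@" in name:
        user, realm = name.split("@", 1)
    elif "\\" in name:
        domain, user = name.split("\\", 1)
    elif "/" in name:
        domain, user = name.split("/", 1)
    else:
        user = name
    return AdCredential(domain, realm, user, password)
```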
Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On Thu, 2013-11-28 at 15:04 +0200, Alexander Bokovoy wrote:
> On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
> > Hi!
> >
> > Attached patch should solve an issue when fetching subdomains fails
> > shortly after trust has been established due to MS-PAC caching effects on
> > KDC. We have already made an alternative path to use when AD admin
> > credentials are available but failed to actually use them here.
> >
> > Details in the patch.
> >
> > https://fedorahosted.org/freeipa/ticket/4046
> New version attached. It makes sure we use correct domain name when
> constructing credentials for NTLMSSP authentication if AD administrator
> credentials do not include one.
>
> Many thanks to Scott Poore who kindly provided Windows Server 2008R2
> setup which failed for the original case and also for the first version
> of this patch.

sorry if this has already been documented somewhere, but any reason why you
can't use Kerberos auth with the AD user ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On Fri, 29 Nov 2013, Simo Sorce wrote:
> On Thu, 2013-11-28 at 15:04 +0200, Alexander Bokovoy wrote:
> > On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
> > > Hi!
> > >
> > > Attached patch should solve an issue when fetching subdomains fails
> > > shortly after trust has been established due to MS-PAC caching effects on
> > > KDC. We have already made an alternative path to use when AD admin
> > > credentials are available but failed to actually use them here.
> > >
> > > Details in the patch.
> > >
> > > https://fedorahosted.org/freeipa/ticket/4046
> > New version attached. It makes sure we use correct domain name when
> > constructing credentials for NTLMSSP authentication if AD administrator
> > credentials do not include one.
> >
> > Many thanks to Scott Poore who kindly provided Windows Server 2008R2
> > setup which failed for the original case and also for the first version
> > of this patch.
>
> sorry if this has already been documented somewhere, but any reason why you
> can't use Kerberos auth with the AD user ?
I think I had some issues with that early in the development, cannot
remember right now what was it. Can you file a ticket so that we look at
refactoring it later?

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
> Hi!
>
> Attached patch should solve an issue when fetching subdomains fails
> shortly after trust has been established due to MS-PAC caching effects on
> KDC. We have already made an alternative path to use when AD admin
> credentials are available but failed to actually use them here.
>
> Details in the patch.
>
> https://fedorahosted.org/freeipa/ticket/4046
New version attached. It makes sure we use correct domain name when
constructing credentials for NTLMSSP authentication if AD administrator
credentials do not include one.

Many thanks to Scott Poore who kindly provided Windows Server 2008R2
setup which failed for the original case and also for the first version
of this patch.

-- 
/ Alexander Bokovoy

From 2c96624d6a1ec00e2f80bc8a5790eeace2865f7d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 27 Nov 2013 12:17:43 +0200
Subject: [PATCH 2/2] subdomains: Use AD admin credentials when trust is being established

When AD administrator credentials are passed, they are stored in realm_passwd,
not realm_password, in the options. When passing credentials to
ipaserver.dcerpc.fetch_domains(), make sure to normalize them.

Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not yet
ready to issue tickets to a service in the other realm due to MS-PAC
information caching effects.

The logic is a bit fuzzy because credentials code makes decisions on what
to use based on the smb.conf parameters and Python bindings to set
parameters to smb.conf make it so that auth module believes these
parameters were overridden by the user through the command line and
ignores some of the options. We have to do calls in the right order to
force NTLMSSP use instead of Kerberos.

Fixes https://fedorahosted.org/freeipa/ticket/4046
---
 ipalib/plugins/trust.py |  8 ++--
 ipaserver/dcerpc.py     | 41 +++--
 2 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5ba0905..b6ea099 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1231,9 +1231,13 @@ api.register(trustdomain_del) def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] creds = None -password = options.get('realm_password', None) +password = options.get('realm_passwd', None) if password: -creds = u%s%%%s % (options.get('realm_admin'), password) +admin_name = options.get('realm_admin') +sp = admin_name.split('\\') +if len(sp) == 1: +sp.insert(0, trustinstance.remote_domain.info['name']) +creds = u{name}%{password}.format(name=\\.join(sp), password=password) domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds) result = [] if not domains: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 0dde347..999dbcd 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -655,7 +655,7 @@ class TrustDomainInstance(object): except RuntimeError, (num, message): raise assess_dcerpc_exception(num=num, message=message) -def __init_lsa_pipe(self, remote_host): +def init_lsa_pipe(self, remote_host): Try to initialize connection to the LSA pipe at remote host. This method tries consequently all possible transport options @@ -692,7 +692,7 @@ class TrustDomainInstance(object): There are multiple transports to issue LSA calls. However, depending on a system in use they may be blocked by local operating system policies. -Generate all we can use. __init_lsa_pipe() will try them one by one until +Generate all we can use. init_lsa_pipe() will try them one by one until there is one working. We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned. 
@@ -753,7 +753,7 @@ class TrustDomainInstance(object): return naming_ref.match(context).group(1) def retrieve(self, remote_host): -self.__init_lsa_pipe(remote_host) +self.init_lsa_pipe(remote_host) objectAttribute = lsa.ObjectAttribute() objectAttribute.sec_qos = lsa.QosInfo() @@ -964,34 +964,47 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x0040) def communicate(td): -td.creds.guess(td.parm) -netrc = net.Net(creds=td.creds, lp=td.parm) -try: -result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) -except RuntimeError, e: -raise assess_dcerpc_exception(message=str(e)) -if not result: -return None -td.retrieve(unicode(result.pdc_dns_name)) - +td.init_lsa_pipe(td.info['dc']) netr_pipe =
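Review bot: in the trust.py hunk, `admin_name = options.get('realm_admin')` is used without a check, so passing realm_passwd without realm_admin now fails inside `admin_name.split('\\')` with an AttributeError on None rather than a clear validation error; either reject that combination up front or keep the old behaviour of not building creds at all. The reason a bare user name gets `trustinstance.remote_domain.info['name']` inserted (the cover letter: NTLMSSP needs the correct domain name when the administrator credentials do not include one) lives only in the mail; a one-line comment above `if len(sp) == 1:` would keep it with the code.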
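Review bot: the `__init_lsa_pipe` to `init_lsa_pipe` rename in dcerpc.py exists so that the nested `communicate()` function in fetch_domains() can call `td.init_lsa_pipe(td.info['dc'])` without Python's name mangling getting in the way, which is fine, but it also turns an internal helper into public API of TrustDomainInstance. A single leading underscore (`_init_lsa_pipe`) achieves the same without advertising it; the docstring sentence "init_lsa_pipe() will try them one by one" would follow whichever name is chosen.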
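Review bot: in the `communicate()` hunk the removed code checked the DC lookup result (`if not result: return None`) before calling `td.retrieve(...)`, whereas the replacement `td.init_lsa_pipe(td.info['dc'])` indexes `td.info['dc']` unconditionally; the hunk is cut off on the page, so if the DC discovery that now happens earlier can leave that key unset, a KeyError will escape instead of the None the caller tests for with `if domains is None:`. Worth confirming that `td.info['dc']` is always populated on that path, or guarding the call.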
[Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
Hi!

Attached patch should solve an issue when fetching subdomains fails
shortly after trust has been established due to MS-PAC caching effects on
KDC. We have already made an alternative path to use when AD admin
credentials are available but failed to actually use them here.

Details in the patch.

https://fedorahosted.org/freeipa/ticket/4046

-- 
/ Alexander Bokovoy

From d5cddafe5ca11c54ab2d06a12efddbd80b3da5c7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 27 Nov 2013 12:17:43 +0200
Subject: [PATCH 2/2] subdomains: Use AD admin credentials when trust is being established

When AD administrator credentials are passed, they are stored in realm_passwd,
not realm_password, in the options.

Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not yet
ready to issue tickets to a service in the other realm due to MS-PAC
information caching effects.

The logic is a bit fuzzy because credentials code makes decisions on what
to use based on the smb.conf parameters and Python bindings to set
parameters to smb.conf make it so that auth module believes these
parameters were overridden by the user through the command line and
ignores some of the options. We have to do calls in the right order to
force NTLMSSP use instead of Kerberos.

Fixes https://fedorahosted.org/freeipa/ticket/4046
---
 ipalib/plugins/trust.py | 2 +-
 ipaserver/dcerpc.py     | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5ba0905..5861d96 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1231,7 +1231,7 @@ api.register(trustdomain_del) def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] creds = None -password = options.get('realm_password', None) +password = options.get('realm_passwd', None) if password: creds = u%s%%%s % (options.get('realm_admin'), password) domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 0dde347..985360b 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -964,7 +964,6 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x0040) def communicate(td): -td.creds.guess(td.parm) netrc = net.Net(creds=td.creds, lp=td.parm) try: result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) @@ -988,10 +987,13 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) if ccache_name: with installutils.private_ccache(path=ccache_name): +td.creds.guess(td.parm) domains = communicate(td) else: td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS) +td.creds.guess(td.parm) td.creds.parse_string(creds) +td.creds.set_workstation(api.env.host) domains = communicate(td) if domains is None: -- 1.8.4.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
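Review bot: the `realm_password` to `realm_passwd` change in the trust.py hunk fixes the option lookup, but the unchanged `creds = u%s%%%s % (options.get('realm_admin'), password)` line still builds the string when realm_admin is absent, yielding a `None%<password>` credential; check for realm_admin alongside the password. The same line also passes the user part through verbatim, so a bare user name without a `DOMAIN\` prefix reaches NTLMSSP with no domain at all, which is what the second version of this patch in the thread addresses.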
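Review bot: moving `td.creds.guess(td.parm)` out of `communicate()` into each branch of fetch_domains(), after `set_kerberos_state()` and before `parse_string(creds)`, is the ordering the commit message calls "fuzzy" and is the actual fix, yet nothing at the call sites says why; a comment stating that guess() must run after the Kerberos state is set and before the explicit user and password are parsed (presumably so the parsed values are not overwritten by guessed ones) would stop the next refactor from reordering it. Separately, `td.creds.set_workstation(api.env.host)` hands the server's FQDN to NTLMSSP as the workstation name, where a NetBIOS flat name is the usual value; the second version of the patch switches to exactly that with `cr.set_workstation(domain_validator.flatname)`.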