Re: [Freeipa-devel] [PATCH] 0154-0158 improve trust operations
On 08/29/2014 11:26 AM, Sumit Bose wrote:
> On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
>> Hi!
>>
>> Attached patchset improves trust operations:
>>
>> 1. Ensures we only allow establishing trust to forest root domain
>> 2. Ensures that we select primary domain controllers
>> 3. Ensures first create trust and later set it to transitive state and update forest topology
>> 4. Relaxes filtering of domains obtained from AD side to allow some of the possible topology combinations which were not accounted for previously
>> 5. Reverts to any PDC rather than the closest one if the closest one is not available due to site mismanagement.
>>
>> Affected tickets:
>> https://fedorahosted.org/freeipa/ticket/4463
>> https://fedorahosted.org/freeipa/ticket/4479
>> https://fedorahosted.org/freeipa/ticket/4458
>>
>> The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1 branches).
>> They were tested with Windows Server 2008R2 and Windows Server 2012 environments.
>
> Patches are looking good and I didn't find any issue in my tests, ACK.
>
> I only have a question about 158. I wonder if the admin calling ipa trust-add would be interested to see that setting the transitive attribute failed? Currently it is buried in the logs so chances are that nobody will recognise it.
>
> bye,
> Sumit

Pushed all patches to master, ipa-4-1, ipa-4-0 and ipa-3-3.

Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0154-0158 improve trust operations
On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
> Hi!
>
> Attached patchset improves trust operations:
>
> 1. Ensures we only allow establishing trust to forest root domain
> 2. Ensures that we select primary domain controllers
> 3. Ensures first create trust and later set it to transitive state and update forest topology
> 4. Relaxes filtering of domains obtained from AD side to allow some of the possible topology combinations which were not accounted for previously
> 5. Reverts to any PDC rather than the closest one if the closest one is not available due to site mismanagement.
>
> Affected tickets:
> https://fedorahosted.org/freeipa/ticket/4463
> https://fedorahosted.org/freeipa/ticket/4479
> https://fedorahosted.org/freeipa/ticket/4458
>
> The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1 branches).
> They were tested with Windows Server 2008R2 and Windows Server 2012 environments.

Patches are looking good and I didn't find any issue in my tests, ACK.

I only have a question about 158. I wonder if the admin calling ipa trust-add would be interested to see that setting the transitive attribute failed? Currently it is buried in the logs so chances are that nobody will recognise it.

bye,
Sumit

> --
> / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0154-0158 improve trust operations
On Fri, 29 Aug 2014, Sumit Bose wrote:
> On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
>> Hi!
>>
>> Attached patchset improves trust operations:
>>
>> 1. Ensures we only allow establishing trust to forest root domain
>> 2. Ensures that we select primary domain controllers
>> 3. Ensures first create trust and later set it to transitive state and update forest topology
>> 4. Relaxes filtering of domains obtained from AD side to allow some of the possible topology combinations which were not accounted for previously
>> 5. Reverts to any PDC rather than the closest one if the closest one is not available due to site mismanagement.
>>
>> Affected tickets:
>> https://fedorahosted.org/freeipa/ticket/4463
>> https://fedorahosted.org/freeipa/ticket/4479
>> https://fedorahosted.org/freeipa/ticket/4458
>>
>> The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1 branches).
>> They were tested with Windows Server 2008R2 and Windows Server 2012 environments.
>
> Patches are looking good and I didn't find any issue in my tests, ACK.
>
> I only have a question about 158. I wonder if the admin calling ipa trust-add would be interested to see that setting the transitive attribute failed? Currently it is buried in the logs so chances are that nobody will recognise it.

Unfortunately, we don't have the means in the framework to return warnings nicely formatted and separated from the original output.

Thus, I decided to leave it as it is, without additional Python exception raising because one can easily see the error message when enabling debug output, even without restarting Apache.
--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0154-0158 improve trust operations
On Fri, Aug 29, 2014 at 12:35:05PM +0300, Alexander Bokovoy wrote:
> On Fri, 29 Aug 2014, Sumit Bose wrote:
>> On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
>>> Hi!
>>>
>>> Attached patchset improves trust operations:
>>>
>>> 1. Ensures we only allow establishing trust to forest root domain
>>> 2. Ensures that we select primary domain controllers
>>> 3. Ensures first create trust and later set it to transitive state and update forest topology
>>> 4. Relaxes filtering of domains obtained from AD side to allow some of the possible topology combinations which were not accounted for previously
>>> 5. Reverts to any PDC rather than the closest one if the closest one is not available due to site mismanagement.
>>>
>>> Affected tickets:
>>> https://fedorahosted.org/freeipa/ticket/4463
>>> https://fedorahosted.org/freeipa/ticket/4479
>>> https://fedorahosted.org/freeipa/ticket/4458
>>>
>>> The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1 branches).
>>> They were tested with Windows Server 2008R2 and Windows Server 2012 environments.
>>
>> Patches are looking good and I didn't find any issue in my tests, ACK.
>>
>> I only have a question about 158. I wonder if the admin calling ipa trust-add would be interested to see that setting the transitive attribute failed? Currently it is buried in the logs so chances are that nobody will recognise it.
>
> Unfortunately, we don't have the means in the framework to return warnings nicely formatted and separated from the original output.
>
> Thus, I decided to leave it as it is, without additional Python exception raising because one can easily see the error message when enabling debug output, even without restarting Apache.

ok, I see.

bye,
Sumit

> --
> / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0154-0158 improve trust operations
On 08/29/2014 11:35 AM, Alexander Bokovoy wrote:
> On Fri, 29 Aug 2014, Sumit Bose wrote:
>> On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
>>> Hi!
>>>
>>> Attached patchset improves trust operations:
>>>
>>> 1. Ensures we only allow establishing trust to forest root domain
>>> 2. Ensures that we select primary domain controllers
>>> 3. Ensures first create trust and later set it to transitive state and update forest topology
>>> 4. Relaxes filtering of domains obtained from AD side to allow some of the possible topology combinations which were not accounted for previously
>>> 5. Reverts to any PDC rather than the closest one if the closest one is not available due to site mismanagement.
>>>
>>> Affected tickets:
>>> https://fedorahosted.org/freeipa/ticket/4463
>>> https://fedorahosted.org/freeipa/ticket/4479
>>> https://fedorahosted.org/freeipa/ticket/4458
>>>
>>> The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1 branches).
>>> They were tested with Windows Server 2008R2 and Windows Server 2012 environments.
>>
>> Patches are looking good and I didn't find any issue in my tests, ACK.
>>
>> I only have a question about 158. I wonder if the admin calling ipa trust-add would be interested to see that setting the transitive attribute failed? Currently it is buried in the logs so chances are that nobody will recognise it.
>
> Unfortunately, we don't have the means in the framework to return warnings nicely formatted and separated from the original output.

What about http://www.freeipa.org/page/V3/Messages? We can do warnings already:

# ipa dnszone-add example.test --forwarder 10.0.0.1 --name-server=`hostname`.
Administrator e-mail address [hostmaster.example.test.]:
ipa: WARNING: DNS forwarder semantics changed since IPA 4.0.
You may want to use forward zones (dnsforwardzone-*) instead.
For more details read the docs.
  Zone name: example.test.
  Active zone: TRUE
  Zone forwarders: 10.0.0.1
  Authoritative nameserver: ipa.mkosek-fedora20.test.
  Administrator e-mail address: hostmaster.example.test.
  SOA serial: 1409322255
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant MKOSEK-FEDORA20.TEST krb5-self * A; grant MKOSEK-FEDORA20.TEST krb5-self * ; grant MKOSEK-FEDORA20.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

> Thus, I decided to leave it as it is, without additional Python exception raising because one can easily see the error message when enabling debug output, even without restarting Apache.
Re: [Freeipa-devel] [PATCH] 0154-0158 improve trust operations
On Fri, 29 Aug 2014, Martin Kosek wrote:
> On 08/29/2014 11:35 AM, Alexander Bokovoy wrote:
>> On Fri, 29 Aug 2014, Sumit Bose wrote:
>>> On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
>>>> Hi!
>>>>
>>>> Attached patchset improves trust operations:
>>>>
>>>> 1. Ensures we only allow establishing trust to forest root domain
>>>> 2. Ensures that we select primary domain controllers
>>>> 3. Ensures first create trust and later set it to transitive state and update forest topology
>>>> 4. Relaxes filtering of domains obtained from AD side to allow some of the possible topology combinations which were not accounted for previously
>>>> 5. Reverts to any PDC rather than the closest one if the closest one is not available due to site mismanagement.
>>>>
>>>> Affected tickets:
>>>> https://fedorahosted.org/freeipa/ticket/4463
>>>> https://fedorahosted.org/freeipa/ticket/4479
>>>> https://fedorahosted.org/freeipa/ticket/4458
>>>>
>>>> The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1 branches).
>>>> They were tested with Windows Server 2008R2 and Windows Server 2012 environments.
>>>
>>> Patches are looking good and I didn't find any issue in my tests, ACK.
>>>
>>> I only have a question about 158. I wonder if the admin calling ipa trust-add would be interested to see that setting the transitive attribute failed? Currently it is buried in the logs so chances are that nobody will recognise it.
>>
>> Unfortunately, we don't have the means in the framework to return warnings nicely formatted and separated from the original output.
>
> What about http://www.freeipa.org/page/V3/Messages? We can do warnings already:
>
> # ipa dnszone-add example.test --forwarder 10.0.0.1 --name-server=`hostname`.
> Administrator e-mail address [hostmaster.example.test.]:
> ipa: WARNING: DNS forwarder semantics changed since IPA 4.0.
> You may want to use forward zones (dnsforwardzone-*) instead.
> For more details read the docs.

We need to understand the consequences. If setting the transitive flag on the trust fails, what does it mean for the trust's use? And what does it mean in the context of the one-way trust work?

Adding to that, there is another consideration: which leg of the trust failed? With two-way trust we have four of them, with one-way there will be two legs. Since the code is structured in such a way that all of these calls are symmetrical, we'll need to pass up the warning to some higher caller and there decide what has happened. The task quickly goes beyond a simple use of messages.

I don't have all the answers myself yet. :)
--
/ Alexander Bokovoy
[Freeipa-devel] [PATCH] 0154-0158 improve trust operations
Hi! Attached patchset improves trust operations: 1. Ensures we only allow establishing trust to forest root domain 2. Ensures that we select primary domain controllers 3. Ensures first create trust and later set it to transitive state and update forest topology 4. Relaxes filtering of domains obtained from AD side to allow some of possible topology combinations which were not accounted for previously 5. Reverts to any PDC rather than a closest one if closest one is not available due to site mismanagement. Affected tickets: https://fedorahosted.org/freeipa/ticket/4463 https://fedorahosted.org/freeipa/ticket/4479 https://fedorahosted.org/freeipa/ticket/4458 The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1 branches). They were tested with Windows Server 2008R2 and Windows Server 2012 environments. -- / Alexander Bokovoy From 18b27e8363799070cce57ab393787c99fa7ebc77 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 19 Aug 2014 16:19:45 +0300 Subject: [PATCH 1/5] ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC https://fedorahosted.org/freeipa/ticket/4458 --- ipaserver/dcerpc.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index f1c7508..b11476a 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -588,7 +588,11 @@ class DomainValidator(object): try: result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC | nbt.NBT_SERVER_CLOSEST) except RuntimeError, e: -finddc_error = e +try: +# If search of closest GC failed, attempt to find any one +result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC) +except RuntimeError, e: +finddc_error = e if not self._domains: self._domains = self.get_trusted_domains() -- 1.9.3 From 96e5022a65798f4f4961ea904ce639ffe4477dc1 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 19 Aug 2014 16:21:21 +0300 Subject: [PATCH 2/5] ipaserver/dcerpc.py: make PDC discovery more robust Certain operations against AD domain controller can only be done if its FSMO role is primary domain controller. We need to use writable DC and PDC when creating trust and updating name suffix routing information. https://fedorahosted.org/freeipa/ticket/4479 --- ipaserver/dcerpc.py | 21 - 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index b11476a..78bfc5d 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -706,16 +706,19 @@ class TrustDomainInstance(object): binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z) return [binding_template(t, remote_host, o) for t in transports for o in options] -def retrieve_anonymously(self, remote_host, discover_srv=False): +def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False): When retrieving DC information anonymously, we can't get SID of the domain netrc = net.Net(creds=self.creds, lp=self.parm) +flags = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE +if search_pdc: +flags = flags | nbt.NBT_SERVER_PDC try: if discover_srv: -result = netrc.finddc(domain=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) +result = netrc.finddc(domain=remote_host, flags=flags) else: -result = netrc.finddc(address=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) +result = netrc.finddc(address=remote_host, flags=flags) except RuntimeError, e: raise assess_dcerpc_exception(message=str(e)) 
@@ -726,6 +729,7 @@ class TrustDomainInstance(object): self.info['dns_forest'] = unicode(result.forest) self.info['guid'] = unicode(result.domain_uuid) self.info['dc'] = unicode(result.pdc_dns_name) +self.info['is_pdc'] = (result.server_type nbt.NBT_SERVER_PDC) != 0 # Netlogon response doesn't contain SID of the domain. # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID control to reveal the SID @@ -774,6 +778,13 @@ class TrustDomainInstance(object): self.info['sid'] = unicode(result.sid) self.info['dc'] = remote_host +try: +result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE) +except RuntimeError, (num, message): +raise assess_dcerpc_exception(num=num, message=message) + +self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY) + def generate_auth(self, trustdom_secret): def arcfour_encrypt(key, data): c = RC4.RC4(key) @@ -1069,9 +1080,9 @@ class
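Review bot: in the PATCH 1/5 hunk (`DomainValidator`, `@@ -588,7 +588,11 @@`), the nested `try` inside `except RuntimeError, e:` discards the first exception, the one from the `nbt.NBT_SERVER_CLOSEST` lookup, and only a failure of the second, unrestricted `finddc` call reaches `finddc_error`. Since the point of the change (ticket 4458) is to survive site misconfiguration, log the first error at debug level before retrying so that an admin can tell from the log that the closest-GC lookup failed and a GC outside the local site is being used; otherwise the silent fallback hides the very misconfiguration the ticket is about.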
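Review bot: in the PATCH 2/5 hunk for `retrieve_anonymously` (`@@ -706,16 +709,19 @@`), `nbt.NBT_SERVER_WRITABLE` is ORed into `flags` unconditionally, not only when `search_pdc` is set, so every caller now requires a writable DC where the old flags (`nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS`) accepted any DS-capable one. If that is intended for all callers, state it in the commit message; otherwise gate `NBT_SERVER_WRITABLE` on `search_pdc` together with `NBT_SERVER_PDC`. The new `search_pdc` parameter is also undocumented: the docstring in the hunk's context only says "When retrieving DC information anonymously, we can't get SID of the domain", so add a line describing what `search_pdc` selects.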
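Review bot: in the hunk at `@@ -726,6 +729,7 @@`, the added line `+self.info['is_pdc'] = (result.server_type nbt.NBT_SERVER_PDC) != 0` has no operator between `result.server_type` and `nbt.NBT_SERVER_PDC` as it appears here; the `!= 0` test implies a bitwise `&`. This is most likely the archive dropping the character, but as shown the line is a syntax error, so verify the committed version reads `(result.server_type & nbt.NBT_SERVER_PDC) != 0`.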
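Review bot: in the hunk at `@@ -774,6 +778,13 @@`, the new `QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE)` call turns any failure to read the server role into a fatal `assess_dcerpc_exception`, so the authenticated retrieval path, which previously completed once `self.info['sid']` and `self.info['dc']` were set, now aborts even for callers that only need the SID. Given that the commit message says the PDC is required only for creating the trust and updating name-suffix routing, consider catching the `RuntimeError` here, setting `self.info['is_pdc'] = False` and logging the failure, so that lookups against a DC that refuses the role query keep working and the PDC requirement is enforced where the trust is actually created.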