Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
On Wed, 2012-10-31 at 22:52 +0200, Alexander Bokovoy wrote: > A sequence is following: > 1. Match external member against existing trusted domain > 2. Find trusted domain's domain controller and preferred GC hosts > 3. Fetch trusted domain account auth info > 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD with > principal ourdomain$@trusted.domain > 5. Do LDAP SASL interactive bind using the ccache > 6. Search for the member's SID > 7. Decode SID > 8. Replace external member name by SID > --- > ipalib/plugins/group.py | 32 --- > ipalib/plugins/trust.py | 17 ++-- > ipaserver/dcerpc.py | 233 > +++- > 3 files changed, 257 insertions(+), 25 deletions(-) > > Ack! Pushed to master and ipa-3-0 Thanks a lot! Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller and preferred GC hosts 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID --- ipalib/plugins/group.py | 32 --- ipalib/plugins/trust.py | 17 ++-- ipaserver/dcerpc.py | 233 +++- 3 files changed, 257 insertions(+), 25 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py 
@@ -83,28 +83,30 @@ External members should be added to groups that specifically created as external and non-POSIX. Such group later should be included into one of POSIX groups. -An external group member is currently a Security Identifier as defined by -the trusted domain. +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. Example: -1. Make note of the trusted domain security identifier - - domainsid = `ipa trust-show | grep Identifier | cut -d: -f2` - -2. Create group for the trusted domain admins' mapping and their local POSIX group: +1. Create group for the trusted domain admins' mapping and their local POSIX group: ipa group-add --desc=' admins external map' ad_admins_external --external ipa group-add --desc=' admins' ad_admins -3. Add security identifier of Domain Admins of the to the ad_admins_external - group (security identifier of -513 is Domain Admins group): +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: - ipa group-add-member ad_admins_external --external ${domainsid}-513 + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' -4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external """) PROTECTED_GROUPS = (u'admins', u'trust admins', u'default smb group') 
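Review bot: Step 4 of the new example in the module docstring reads "List members of external members of ad_admins_external group to see their SIDs", which doubles "members" and is hard to parse in `ipa help group` output. Suggested wording for that line: `4. List the external members of ad_admins_external to see the SIDs they were resolved to:`. The rest of the new text is fine; note that the `'AD\\Domain Admins'` example relies on the docstring not being a raw string so that it renders as a single backslash, which holds for the `_("""...""")` literal this hunk lives in.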
@@ -165,7 +167,7 @@ api.register(group) ipaexternalmember_param = Str('ipaexternalmember*', cli_name='external', label=_('External member'), -doc=_('comma-separated SIDs of members of a trusted domain'), +doc=_('comma-separated list of members of a trusted domain in DOM\\name or name@domain form'), csv=True, flags=['no_create', 'no_update', 'no_search'], ) @@ -382,7 +384,11 @@ class group_add_member(LDAPAddMember): if domain_validator.is_trusted_sid_valid(sid): sids.append(sid) else: -failed_sids.append((sid, 'Not a trusted domain SID')) +actual_sid = domain_validator.get_sid_trusted_domain_object(sid) +if isinstance(actual_sid, unicode): +sids.append(actual_sid) +else: +failed_sids.append((sid, 'Not a trusted domain SID')) if len(sids) == 0: raise errors.ValidationError(name=_('external member'), error=_('values are not recognized as valid SIDs from trusted domain')) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 44679e7a26c2fd70dc5ad25b312ccfd363df15a7..1e2fc0684484bd962f21c6ad0695d5d52054 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -78,24 +78,23 @@ should be included into one of local POSIX groups. Example: -1. Make note of the trusted domain security identifier - - domainsid = `ipa trust-show | grep Identifier | cut -d: -f2` - -2. Create group for the trusted domain admins' mapping and their local POSIX group: +1. Create group for the trusted domain admins' mapping and their local POSIX group: ipa group-add --desc=' admins external map' ad_admins_external --external ipa group-add --desc=' admins' ad_admins -3. Add security identifier of Domain Admins of the to the ad_admins_external - group (security identifier of -512 is Domain Admins group): +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: - ipa group-add-member ad_admins_external --external ${domai
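Review bot: The new `--external` help text in the `ipaexternalmember_param` hunk says members are given "in DOM\\name or name@domain form", but the module docstring changed in the same patch lists SID as the first accepted format, and `group_add_member` still accepts a bare SID via `is_trusted_sid_valid` before falling back to name resolution, so the CLI help now under-documents the accepted input. Suggest `doc=_('comma-separated list of members of a trusted domain in SID, DOM\\name or name@domain form'),` so the option help matches both the docstring and the code.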
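Review bot: In the `group_add_member` hunk the fallback `failed_sids.append((sid, 'Not a trusted domain SID'))` is now reached for two different outcomes — a value that is neither a SID nor a resolvable name, and a `DOM\\name` or `name@domain` value whose Global Catalog lookup did not return a SID — yet the reason string only describes the first, so an administrator who typed a valid AD group name during a DNS or Kerberos problem is told the value is "not a SID". The success test `isinstance(actual_sid, unicode)` also treats any non-`unicode` return (a byte `str`, for instance) as a failure, which is brittle if the return type of `get_sid_trusted_domain_object` ever changes; a `None` check would be clearer, presumably that helper returns `None` when nothing was found — worth confirming against dcerpc.py. Suggested reason for the fallback branch: `failed_sids.append((sid, 'Not a trusted domain SID nor a DOM\\name or name@domain resolvable in a trusted domain'))`. The enclosing loop and the body of `group_add_member` start before this hunk, so `sid` may hold a name rather than a SID at this point despite its name.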
Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
On Tue, 2012-10-30 at 06:50 +0200, Alexander Bokovoy wrote: > I remember in my case that was the issue, i.e. finddc did discover > proper DC via DNS and returned winda.ad.local but something within > SASL/krb5 library wanted to see reverse lookup working which was not > set > up at the point. > I was able to get it to work with this patch on top of yours: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 2c53faf..c619188 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -257,7 +257,7 @@ class DomainValidator(object): return clear def __kinit_as_trusted_account(self, info, password): -ccache_name = "/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN" +ccache_name = "/var/run/ipa_memcached/krb5cc_TRUSTEDDOMAIN" principal = '%s$@%s' % (self.flatname, info['dns_domain'].upper()) (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal], env={'KRB5CCNAME':ccache_name}, @@ -271,6 +271,7 @@ class DomainValidator(object): if auth: (ccache_name, principal) = self.__kinit_as_trusted_account(info, auth) if ccache_name: +conn.set_option(_ldap._ldap.OPT_X_SASL_NOCANON, _ldap.OPT_ON) cb_info = dict() # pass empty dict, SASL GSSAPI is able to get all from the ccache sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI') If you are ok with the changes can you merge it in and send a new patch ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
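Review bot: `ccache_name` in `__kinit_as_trusted_account` remains a single fixed file, `/var/run/ipa_memcached/krb5cc_TRUSTEDDOMAIN`, shared by every trusted domain and by every server process that runs this code, so two concurrent resolutions — or resolutions against two different trusts — race on one credential cache and one `kinit` can overwrite the other's trust-account TGT while its LDAP bind is still in flight. The change in this hunk only fixes the directory component; a per-domain, per-process name such as `ccache_name = "/var/run/ipa_memcached/krb5cc_TD_%s_%d" % (info['dns_domain'], os.getpid())` avoids the collision (`os` is already imported at the top of dcerpc.py). The body of `__kinit_as_trusted_account` continues past this hunk, so how and when the cache is removed afterwards is not visible here.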
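Review bot: The added `conn.set_option(_ldap._ldap.OPT_X_SASL_NOCANON, _ldap.OPT_ON)` carries no comment, and nothing in the surrounding code says why hostname canonicalization must be off, so a later cleanup could drop it and silently reintroduce the reverse-DNS dependency this hunk works around. The option also has a security side: as I understand libldap's SASL layer, with canonicalization on the `ldap/<host>` service principal the trust account requests a ticket for is derived from a reverse-DNS answer rather than from the DC name returned by discovery, so turning it off keeps the bind target pinned to the discovered name. Suggested comment above the call: `# Bind to the discovered DC name as-is: do not let SASL/GSSAPI rewrite it via reverse DNS, which the trusted domain may not provide`. `_ldap._ldap.OPT_X_SASL_NOCANON` also reaches into python-ldap's private C module; if the python-ldap version being targeted exports `_ldap.OPT_X_SASL_NOCANON` at top level, the public name is preferable.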
Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
On Mon, 29 Oct 2012, Simo Sorce wrote: On Mon, 2012-10-29 at 23:03 +0200, Alexander Bokovoy wrote: On Mon, 29 Oct 2012, Simo Sorce wrote: >On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote: >> A sequence is following: >> 1. Match external member against existing trusted domain >> 2. Find trusted domain's domain controller >> 3. Fetch trusted domain account auth info >> 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with principal ourdomain$@trusted.domain >> 5. Do LDAP SASL interactive bind using the ccache >> 6. Search for the member's SID >> 7. Decode SID >> 8. Replace external member name by SID >> >> https://fedorahosted.org/freeipa/ticket/3211 >> --- >> ipalib/plugins/group.py| 32 + >> ipaserver/dcerpc.py| 172 + >> ipaserver/plugins/ldap2.py | 3 + >> 3 files changed, 181 insertions(+), 26 deletions(-) >> >> diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py >> index a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef 100644 >> --- a/ipalib/plugins/group.py >> +++ b/ipalib/plugins/group.py 
>> @@ -83,28 +83,30 @@ External members should be added to groups that specifically created as >> external and non-POSIX. Such group later should be included into one of POSIX >> groups. >> >> -An external group member is currently a Security Identifier as defined by >> -the trusted domain. >> +An external group member is currently a Security Identifier (SID) as defined by >> +the trusted domain. When adding external group members, it is possible to >> +specify them in either SID, or DOM\\name, or name@domain format. IPA will attempt >> +to resolve passed name to SID with the use of Global Catalog of the trusted domain. >> >> Example: >> >> -1. Make note of the trusted domain security identifier >> - >> - domainsid = `ipa trust-show | grep Identifier | cut -d: -f2` >> - >> -2. Create group for the trusted domain admins' mapping and their local POSIX group: >> +1. Create group for the trusted domain admins' mapping and their local POSIX group: >> >> ipa group-add --desc=' admins external map' ad_admins_external --external >> ipa group-add --desc=' admins' ad_admins >> >> -3. Add security identifier of Domain Admins of the to the ad_admins_external >> - group (security identifier of -513 is Domain Admins group): >> +2. Add security identifier of Domain Admins of the to the ad_admins_external >> + group: >> >> - ipa group-add-member ad_admins_external --external ${domainsid}-513 >> + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' >> >> -4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: >> +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: >> >> ipa group-add-member ad_admins --groups ad_admins_external >> + >> +4. List members of external members of ad_admins_external group to see their SIDs: >> + >> + ipa group-show ad_admins_external >> """) > >A text similar to this is available when you run ipa help trust, I guess >you should change that one too. Right. 
I'll fix that. > >I am trying to add a windows group now and getting this trace in my http >server: > >[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache: >ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME >environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN) >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi (pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most recent call last): >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/share/ipa/wsgi.py", line 49, in application >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return api.Backend.wsgi_dispatch(environ, start_response) >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__ >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self.route(environ, start_response) >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260, in route >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return app(environ, start_response) >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158, in __call__ >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver_session, self).__call__(environ, start_response) >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707, in __call__ >[Mon Oct 29 16:15:33 2012] [error] [client 192.
Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
On Mon, 2012-10-29 at 23:03 +0200, Alexander Bokovoy wrote: > On Mon, 29 Oct 2012, Simo Sorce wrote: > >On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote: > >> A sequence is following: > >> 1. Match external member against existing trusted domain > >> 2. Find trusted domain's domain controller > >> 3. Fetch trusted domain account auth info > >> 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with > >> principal ourdomain$@trusted.domain > >> 5. Do LDAP SASL interactive bind using the ccache > >> 6. Search for the member's SID > >> 7. Decode SID > >> 8. Replace external member name by SID > >> > >> https://fedorahosted.org/freeipa/ticket/3211 > >> --- > >> ipalib/plugins/group.py| 32 + > >> ipaserver/dcerpc.py| 172 > >> + > >> ipaserver/plugins/ldap2.py | 3 + > >> 3 files changed, 181 insertions(+), 26 deletions(-) > >> > >> diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py > >> index > >> a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef > >> 100644 > >> --- a/ipalib/plugins/group.py > >> +++ b/ipalib/plugins/group.py 
> >> @@ -83,28 +83,30 @@ External members should be added to groups that > >> specifically created as > >> external and non-POSIX. Such group later should be included into one of > >> POSIX > >> groups. > >> > >> -An external group member is currently a Security Identifier as defined by > >> -the trusted domain. > >> +An external group member is currently a Security Identifier (SID) as > >> defined by > >> +the trusted domain. When adding external group members, it is possible to > >> +specify them in either SID, or DOM\\name, or name@domain format. IPA will > >> attempt > >> +to resolve passed name to SID with the use of Global Catalog of the > >> trusted domain. > >> > >> Example: > >> > >> -1. Make note of the trusted domain security identifier > >> - > >> - domainsid = `ipa trust-show | grep Identifier | cut -d: > >> -f2` > >> - > >> -2. Create group for the trusted domain admins' mapping and their local > >> POSIX group: > >> +1. Create group for the trusted domain admins' mapping and their local > >> POSIX group: > >> > >> ipa group-add --desc=' admins external map' > >> ad_admins_external --external > >> ipa group-add --desc=' admins' ad_admins > >> > >> -3. Add security identifier of Domain Admins of the to the > >> ad_admins_external > >> - group (security identifier of -513 is Domain Admins > >> group): > >> +2. Add security identifier of Domain Admins of the to the > >> ad_admins_external > >> + group: > >> > >> - ipa group-add-member ad_admins_external --external ${domainsid}-513 > >> + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' > >> > >> -4. Allow members of ad_admins_external group to be associated with > >> ad_admins POSIX group: > >> +3. Allow members of ad_admins_external group to be associated with > >> ad_admins POSIX group: > >> > >> ipa group-add-member ad_admins --groups ad_admins_external > >> + > >> +4. 
List members of external members of ad_admins_external group to see > >> their SIDs: > >> + > >> + ipa group-show ad_admins_external > >> """) > > > >A text similar to this is available when you run ipa help trust, I guess > >you should change that one too. > Right. I'll fix that. > > > > >I am trying to add a windows group now and getting this trace in my http > >server: > > > >[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache: > >ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME > >environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN) > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi > >(pid=20825): Exception occurred processing WSGI script > >'/usr/share/ipa/wsgi.py'. > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most > >recent call last): > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File > >"/usr/share/ipa/wsgi.py", line 49, in application > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return > >api.Backend.wsgi_dispatch(environ, start_response) > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File > >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in > >__call__ > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return > >self.route(environ, start_response) > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File > >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260, in route > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return > >app(environ, start_response) > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File > >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158, in > >__call__ > >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response =
Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
On Mon, 29 Oct 2012, Rob Crittenden wrote: [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 562, in sasl_interactive_bind_s [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] result = func(*args,**kwargs) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address)', 'desc': 'Local error'} Somehow name resolution failed for you -- you probably need to restart named before it actually would start working. I had similar issues with caching of forwarder rules. Should we catch sasl exceptions? Yes, we should. I'm not sure how to present them to the user, though. Actual outcome is that we were unable to resolve the referenced external user or group and thus would not add it to the list of external members. I.e., command should fail but what error message should be dispalyed since the user is anyway unable to affect the situation -- we are using trust password to auth against GC and if that doesn't work, whole trust does not work either. 
For cases like above ('Cannot determine realm for numeric host address'), we would need to map it to misconfiguration and explain what to fix. This step is rather open right now, since we don't really know why it fails (barring DNS issues). -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
Alexander Bokovoy wrote: On Mon, 29 Oct 2012, Simo Sorce wrote: On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote: A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID https://fedorahosted.org/freeipa/ticket/3211 --- ipalib/plugins/group.py| 32 + ipaserver/dcerpc.py| 172 + ipaserver/plugins/ldap2.py | 3 + 3 files changed, 181 insertions(+), 26 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py 
@@ -83,28 +83,30 @@ External members should be added to groups that specifically created as external and non-POSIX. Such group later should be included into one of POSIX groups. -An external group member is currently a Security Identifier as defined by -the trusted domain. +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. Example: -1. Make note of the trusted domain security identifier - - domainsid = `ipa trust-show | grep Identifier | cut -d: -f2` - -2. Create group for the trusted domain admins' mapping and their local POSIX group: +1. Create group for the trusted domain admins' mapping and their local POSIX group: ipa group-add --desc=' admins external map' ad_admins_external --external ipa group-add --desc=' admins' ad_admins -3. Add security identifier of Domain Admins of the to the ad_admins_external - group (security identifier of -513 is Domain Admins group): +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: - ipa group-add-member ad_admins_external --external ${domainsid}-513 + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' -4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external """) A text similar to this is available when you run ipa help trust, I guess you should change that one too. Right. I'll fix that. 
I am trying to add a windows group now and getting this trace in my http server: [Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi (pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most recent call last): [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/share/ipa/wsgi.py", line 49, in application [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return api.Backend.wsgi_dispatch(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self.route(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260, in route [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return app(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver_session, self).__call__(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver, self).__call__(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 375, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 
192.168.122.240] response =
Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
On Mon, 29 Oct 2012, Simo Sorce wrote: On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote: A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID https://fedorahosted.org/freeipa/ticket/3211 --- ipalib/plugins/group.py| 32 + ipaserver/dcerpc.py| 172 + ipaserver/plugins/ldap2.py | 3 + 3 files changed, 181 insertions(+), 26 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py 
@@ -83,28 +83,30 @@ External members should be added to groups that specifically created as external and non-POSIX. Such group later should be included into one of POSIX groups. -An external group member is currently a Security Identifier as defined by -the trusted domain. +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. Example: -1. Make note of the trusted domain security identifier - - domainsid = `ipa trust-show | grep Identifier | cut -d: -f2` - -2. Create group for the trusted domain admins' mapping and their local POSIX group: +1. Create group for the trusted domain admins' mapping and their local POSIX group: ipa group-add --desc=' admins external map' ad_admins_external --external ipa group-add --desc=' admins' ad_admins -3. Add security identifier of Domain Admins of the to the ad_admins_external - group (security identifier of -513 is Domain Admins group): +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: - ipa group-add-member ad_admins_external --external ${domainsid}-513 + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' -4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external """) A text similar to this is available when you run ipa help trust, I guess you should change that one too. Right. I'll fix that. 
I am trying to add a windows group now and getting this trace in my http server: [Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi (pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most recent call last): [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/share/ipa/wsgi.py", line 49, in application [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return api.Backend.wsgi_dispatch(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self.route(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260, in route [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return app(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver_session, self).__call__(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver, self).__call__(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 375, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 
192.168.122.240]
Re: [Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote: > A sequence is following: > 1. Match external member against existing trusted domain > 2. Find trusted domain's domain controller > 3. Fetch trusted domain account auth info > 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with > principal ourdomain$@trusted.domain > 5. Do LDAP SASL interactive bind using the ccache > 6. Search for the member's SID > 7. Decode SID > 8. Replace external member name by SID > > https://fedorahosted.org/freeipa/ticket/3211 > --- > ipalib/plugins/group.py| 32 + > ipaserver/dcerpc.py| 172 > + > ipaserver/plugins/ldap2.py | 3 + > 3 files changed, 181 insertions(+), 26 deletions(-) > > diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py > index > a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef > 100644 > --- a/ipalib/plugins/group.py > +++ b/ipalib/plugins/group.py 
> @@ -83,28 +83,30 @@ External members should be added to groups that > specifically created as > external and non-POSIX. Such group later should be included into one of POSIX > groups. > > -An external group member is currently a Security Identifier as defined by > -the trusted domain. > +An external group member is currently a Security Identifier (SID) as defined > by > +the trusted domain. When adding external group members, it is possible to > +specify them in either SID, or DOM\\name, or name@domain format. IPA will > attempt > +to resolve passed name to SID with the use of Global Catalog of the trusted > domain. > > Example: > > -1. Make note of the trusted domain security identifier > - > - domainsid = `ipa trust-show | grep Identifier | cut -d: -f2` > - > -2. Create group for the trusted domain admins' mapping and their local POSIX > group: > +1. Create group for the trusted domain admins' mapping and their local POSIX > group: > > ipa group-add --desc=' admins external map' ad_admins_external > --external > ipa group-add --desc=' admins' ad_admins > > -3. Add security identifier of Domain Admins of the to the > ad_admins_external > - group (security identifier of -513 is Domain Admins group): > +2. Add security identifier of Domain Admins of the to the > ad_admins_external > + group: > > - ipa group-add-member ad_admins_external --external ${domainsid}-513 > + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' > > -4. Allow members of ad_admins_external group to be associated with ad_admins > POSIX group: > +3. Allow members of ad_admins_external group to be associated with ad_admins > POSIX group: > > ipa group-add-member ad_admins --groups ad_admins_external > + > +4. List members of external members of ad_admins_external group to see their > SIDs: > + > + ipa group-show ad_admins_external > """) A text similar to this is available when you run ipa help trust, I guess you should change that one too. 
I am trying to add a windows group now and getting this trace in my http server: [Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi (pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most recent call last): [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/share/ipa/wsgi.py", line 49, in application [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return api.Backend.wsgi_dispatch(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self.route(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260, in route [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return app(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver_session, self).__call__(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707, in __call__ [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver, self).__call__(environ, start_response) [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver
[Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID https://fedorahosted.org/freeipa/ticket/3211 --- ipalib/plugins/group.py| 32 + ipaserver/dcerpc.py| 172 + ipaserver/plugins/ldap2.py | 3 + 3 files changed, 181 insertions(+), 26 deletions(-) diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py 
@@ -83,28 +83,30 @@ External members should be added to groups that specifically created as external and non-POSIX. Such group later should be included into one of POSIX groups. -An external group member is currently a Security Identifier as defined by -the trusted domain. +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. Example: -1. Make note of the trusted domain security identifier - - domainsid = `ipa trust-show | grep Identifier | cut -d: -f2` - -2. Create group for the trusted domain admins' mapping and their local POSIX group: +1. Create group for the trusted domain admins' mapping and their local POSIX group: ipa group-add --desc=' admins external map' ad_admins_external --external ipa group-add --desc=' admins' ad_admins -3. Add security identifier of Domain Admins of the to the ad_admins_external - group (security identifier of -513 is Domain Admins group): +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: - ipa group-add-member ad_admins_external --external ${domainsid}-513 + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' -4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external """) PROTECTED_GROUPS = (u'admins', u'trust admins', u'default smb group') 
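Review bot: The new docstring sentence `+to resolve passed name to SID with the use of Global Catalog of the trusted domain.` does not tell the administrator what that resolution depends on: per the patch description the server obtains a ccache for the trust account and does a SASL bind to the trusted domain's Global Catalog, so adding a member in DOM\name or name@domain form needs network reachability to the trusted DC/GC and a working trust account, whereas the SID form needs neither. Suggest appending `Name resolution contacts the trusted domain's Global Catalog over LDAP using the trust account; if the domain controller is unreachable, add the member by its SID instead.` to that paragraph. The phrase "Domain Admins of the to the ad_admins_external" reads as though the domain name was lost in rendering (possibly an angle-bracketed placeholder); worth confirming the wording in the actual source file. The module docstring this hunk edits starts before the hunk.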
@@ -165,7 +167,7 @@ api.register(group) ipaexternalmember_param = Str('ipaexternalmember*', cli_name='external', label=_('External member'), -doc=_('comma-separated SIDs of members of a trusted domain'), +doc=_('comma-separated list of members of a trusted domain in DOM\\name or name@domain form'), csv=True, flags=['no_create', 'no_update', 'no_search'], ) @@ -382,7 +384,11 @@ class group_add_member(LDAPAddMember): if domain_validator.is_trusted_sid_valid(sid): sids.append(sid) else: -failed_sids.append((sid, 'Not a trusted domain SID')) +actual_sid = domain_validator.get_sid_trusted_domain_object(sid) +if isinstance(actual_sid, unicode): +sids.append(actual_sid) +else: +failed_sids.append((sid, 'Not a trusted domain SID')) if len(sids) == 0: raise errors.ValidationError(name=_('external member'), error=_('values are not recognized as valid SIDs from trusted domain')) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index c40313a697fa6ff842129944b7ad9c1f5fc14a77..2c53fafe532414a3ad6624a3583cf3f853ccc72c 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -29,6 +29,7 @@ from ipalib import Command from ipalib import errors from ipapython import ipautil from ipapython.ipa_log_manager import * +from ipapython.dn import DN from ipaserver.install import installutils import os, string, struct, copy @@ -46,6 +47,7 @@ try: except ImportError: from ldap.controls import LDAPControl as LDAPControl#pylint: disable=F0401 import ldap as _ldap +from ipaserver.ipaldap import IPAdmin __doc__ = _(""" Classes to manage trust joins using DCE-RPC calls @@ -102,6 +104,8 @@ class DomainValidator(object): ATTR_FLATNAME = 'ipantflatname' ATTR_SID = 'ipantsecurityidentifier' ATTR_TRUSTED_SID = 'ipanttrusteddomainsid' +ATTR_TRUST_PARTNER = 'ipanttrustpartner' +ATTR_TRUST_AUTHOUT = 'ipanttrustauthoutgoi
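Review bot: In the new `else:` branch of group_add_member, a DOM\name or name@domain value that get_sid_trusted_domain_object fails to resolve is still recorded as `'Not a trusted domain SID'`, and the ValidationError below still says the values "are not recognized as valid SIDs", so an operator who typed a name gets a message about SIDs and cannot tell a misspelled name from a failed Global Catalog lookup (unreachable DC, ccache or bind failure). Suggest `failed_sids.append((sid, 'Not a trusted domain SID and not resolvable as a trusted domain name'))` and widening the ValidationError text to mention names. Since the typed name presumably ends up in an LDAP search filter against the trusted domain's GC, the resolver should pass it through ldap.filter.escape_filter_chars before building the filter; get_sid_trusted_domain_object is defined in dcerpc.py outside this hunk, so I cannot confirm from here whether it does. The body of group_add_member starts and ends outside the hunk.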
