Re: [Freeipa-devel] [PATCH] 0109-0110 Support querying AD DC when establishing trust as HTTP/ipa.server principal

2013-08-06 Thread Martin Kosek
On 07/23/2013 04:31 PM, Simo Sorce wrote:
 On Tue, 2013-07-23 at 16:11 +0300, Alexander Bokovoy wrote:
 On Tue, 23 Jul 2013, Simo Sorce wrote:
 On Thu, 2013-07-18 at 18:37 +0300, Alexander Bokovoy wrote:
 Hi!

 Attached patches make it possible to use HTTP/ipa.server@REALM to query AD
 DC over LDAP immediately after trust is established. We need this to get
 range discovery working prior to creating a range for the trusted domain.

 The patch 0109 makes KDC hostname cached on ipadb context to avoid
 resolving own hostname multiple times.

 The patch 0110 depends on ulc_casemap patches by Nathaniel and makes an
 exception for HTTP/ipa.server@REALM when a TGT is requested and MS-PAC is
 asked for -- we force refreshing the list of trusted domains here.

 More details are available in the commit logs.

 I do not think that changing reinit interval is the right thing to do.

 I would rather pass a boolean that tells reinit to check if we have any
 trust info, and if not unconditionally try to reinit immediately.

 I see that you treat the interval sort of like a boolean but then you
 just race hoping the previous reload w/o trust info happened more than 1
 second earlier.

 I think an explicit bool force_reload flag would be much clearer.

 Otherwise ack.
 Attached is a modified patch that uses 'bool force_reinit' (as the function is
 called ipadb_reinit_mspac).

 I tested it together with Tomas's updated patch 0076, which relies on these
 patches, so I'm going to commit the whole set together.
 
 LGTM, please proceed.
 
 Simo.

Just to close this thread - patch was pushed to master.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0109-0110 Support querying AD DC when establishing trust as HTTP/ipa.server principal

2013-07-23 Thread Simo Sorce
On Thu, 2013-07-18 at 18:37 +0300, Alexander Bokovoy wrote:
 Hi!
 
 Attached patches make it possible to use HTTP/ipa.server@REALM to query AD
 DC over LDAP immediately after trust is established. We need this to get
 range discovery working prior to creating a range for the trusted domain.
 
 The patch 0109 makes KDC hostname cached on ipadb context to avoid
 resolving own hostname multiple times.
 
 The patch 0110 depends on ulc_casemap patches by Nathaniel and makes an
 exception for HTTP/ipa.server@REALM when a TGT is requested and MS-PAC is
 asked for -- we force refreshing the list of trusted domains here.
 
 More details are available in the commit logs.

I do not think that changing reinit interval is the right thing to do.

I would rather pass a boolean that tells reinit to check if we have any
trust info, and if not unconditionally try to reinit immediately.

I see that you treat the interval sort of like a boolean but then you
just race hoping the previous reload w/o trust info happened more than 1
second earlier.

I think an explicit bool force_reload flag would be much clearer.

Otherwise ack.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
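The interval-versus-flag point raised in the review above, as an added C example that is not FreeIPA code and not part of this thread: a minimal model of a trusted-domain cache with a refresh interval, in which the force flag bypasses the interval only while no trust information has been loaded, placed next to the rejected trick of shrinking the interval to one second. The names (trust_view, reinit_trust_view, fetch_fn, the demo_* functions), the injected clock values and the directory contents are assumptions made for the example; the real ipadb_reinit_mspac in ipa-kdb takes an ipadb_context and reads LDAP.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup() */
/* Added example, not FreeIPA code: models the reviewed rule "force a reload
 * only while no trust info is cached" and the racy short-interval variant.
 * Every name below is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DEFAULT_REFRESH_INTERVAL 60   /* seconds, the default named in the commit log */

struct trust_view {
    char **domains;      /* cached trusted-domain names, NULL when none known */
    size_t num_domains;
    time_t last_reinit;  /* 0 until the first load */
    int interval;        /* minimum seconds between reloads */
    int reload_count;    /* simulated LDAP fetches performed */
};

/* Stand-in for the LDAP lookup under cn=etc,$SUFFIX: the caller injects the
 * directory contents, so the example runs offline. */
typedef size_t (*fetch_fn)(const char ***names);

static void trust_view_clear(struct trust_view *v)
{
    for (size_t i = 0; i < v->num_domains; i++)
        free(v->domains[i]);
    free(v->domains);
    v->domains = NULL;
    v->num_domains = 0;
}

/* Reload unless the interval has not elapsed. force_reinit bypasses the
 * interval only while nothing is cached: the first TGT request for
 * HTTP/ipa.server after trust-add refreshes at once, but a loaded view cannot
 * be hammered by forced calls. Returns 0, ENOENT (no trusts) or ENOMEM. */
int reinit_trust_view(struct trust_view *v, bool force_reinit, time_t now, fetch_fn fetch)
{
    bool have_trusts = v->num_domains > 0;
    bool within_interval = v->last_reinit != 0 && now - v->last_reinit < v->interval;
    if (within_interval && !(force_reinit && !have_trusts))
        return 0;                                  /* keep the cached view */
    const char **names = NULL;
    size_t n = fetch(&names);
    trust_view_clear(v);
    if (n > 0 && (v->domains = calloc(n, sizeof(char *))) == NULL)
        return ENOMEM;
    for (size_t i = 0; i < n; i++, v->num_domains++) {
        if ((v->domains[i] = strdup(names[i])) == NULL) {
            trust_view_clear(v);                   /* frees the i copies made so far */
            return ENOMEM;
        }
    }
    v->last_reinit = now;
    v->reload_count++;
    return n == 0 ? ENOENT : 0;
}

/* Constructed directory contents before and after trust-add. */
static size_t fetch_no_trusts(const char ***names) { *names = NULL; return 0; }
static size_t fetch_one_trust(const char ***names)
{
    static const char *ad[] = { "ad.example.test" };
    *names = ad;
    return 1;
}

/* Returns 1 when, in the same second as the empty startup load, the rejected
 * "interval = 1" trick still misses the new trust while the forced path sees it. */
int demo_race(void)
{
    struct trust_view v = { .interval = DEFAULT_REFRESH_INTERVAL };
    int first = reinit_trust_view(&v, false, 1000, fetch_no_trusts);   /* KDC start */
    v.interval = 1;                                                      /* the rejected trick */
    int hack = reinit_trust_view(&v, false, 1000, fetch_one_trust);    /* trust-add done */
    size_t after_hack = v.num_domains;
    v.interval = DEFAULT_REFRESH_INTERVAL;
    int forced = reinit_trust_view(&v, true, 1000, fetch_one_trust);   /* the reviewed flag */
    size_t after_force = v.num_domains;
    trust_view_clear(&v);
    return first == ENOENT && hack == 0 && after_hack == 0 && forced == 0 && after_force == 1;
}

/* Returns 1 when a loaded view ignores force_reinit inside the interval and
 * reloads normally once the interval has elapsed. */
int demo_loaded_view_keeps_interval(void)
{
    struct trust_view v = { .interval = DEFAULT_REFRESH_INTERVAL };
    reinit_trust_view(&v, true, 2000, fetch_one_trust);
    reinit_trust_view(&v, true, 2030, fetch_no_trusts);   /* 30 s later: ignored */
    int ok = v.reload_count == 1 && v.num_domains == 1;
    reinit_trust_view(&v, false, 2060, fetch_no_trusts);  /* 60 s later: reloads */
    ok = ok && v.reload_count == 2 && v.num_domains == 0;
    trust_view_clear(&v);
    return ok;
}
```

demo_race() plays out the race described in the review: the KDC's startup load found no trusts at second 1000, trust-add completes in that same second, and a reload gated on a one-second interval does nothing, while the reload forced by the flag refreshes the view. demo_loaded_view_keeps_interval() shows the other half of the rule: once the view holds a trust, force_reinit no longer overrides the 60-second interval, so the flag cannot be used to hammer the directory.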



Re: [Freeipa-devel] [PATCH] 0109-0110 Support querying AD DC when establishing trust as HTTP/ipa.server principal

2013-07-23 Thread Alexander Bokovoy

On Tue, 23 Jul 2013, Simo Sorce wrote:

On Thu, 2013-07-18 at 18:37 +0300, Alexander Bokovoy wrote:

Hi!

Attached patches make it possible to use HTTP/ipa.server@REALM to query AD
DC over LDAP immediately after trust is established. We need this to get
range discovery working prior to creating a range for the trusted domain.

The patch 0109 makes KDC hostname cached on ipadb context to avoid
resolving own hostname multiple times.

The patch 0110 depends on ulc_casemap patches by Nathaniel and makes an
exception for HTTP/ipa.server@REALM when a TGT is requested and MS-PAC is
asked for -- we force refreshing the list of trusted domains here.

More details are available in the commit logs.


I do not think that changing reinit interval is the right thing to do.

I would rather pass a boolean that tells reinit to check if we have any
trust info, and if not unconditionally try to reinit immediately.

I see that you treat the interval sort of like a boolean but then you
just race hoping the previous reload w/o trust info happened more than 1
second earlier.

I think an explicit bool force_reload flag would be much clearer.

Otherwise ack.

Attached is a modified patch that uses 'bool force_reinit' (as the function is
called ipadb_reinit_mspac).

I tested it together with Tomas's updated patch 0076, which relies on these
patches, so I'm going to commit the whole set together.

--
/ Alexander Bokovoy
From 620736888642102f32ad68f8a28a305488bcc401 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 18 Jul 2013 13:32:42 +0300
Subject: [PATCH 2/4] ipa-kdb: reinit mspac on HTTP TGT acquisition to aid
 trust-add case

When trust is established, we also create an idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one to create, we need to do a lookup at the AD LDAP server.

Such a lookup requires an authenticated bind. We cannot bind as the user because
the IPA framework operates under constrained delegation using the user's
credentials, and allowing HTTP/ipa.server@REALM to impersonate the user
against the trusted domain's services would require two major things:

  - first, as we don't really know the exact AD LDAP server names (any AD DC
can be used), constrained delegation would have to be defined against
a wild-card

  - second, constrained delegation requires that the target principal exists
in IPA LDAP as a DN.

These two together limit the use of the user's ticket for the purpose of the IPA
framework looking up AD LDAP.

Additionally, immediately after trust is established, issuing a TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that the KDB driver
has not yet refreshed its list of trusted domains -- we have a limited
refresh rate of 60 seconds by default.

This patch makes it possible to force re-initialization of the trusted domains'
view in the KDB driver if we are asked for a TGT for HTTP/ipa.server@REALM.

We will need to improve the refresh of the trusted domains' view in the KDB driver
in future to notice changes in the cn=etc,$SUFFIX tree automatically.

This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626

Part of https://fedorahosted.org/freeipa/ticket/3649
---
 daemons/ipa-kdb/ipa_kdb.c   |  4 ++--
 daemons/ipa-kdb/ipa_kdb.h   |  2 +-
 daemons/ipa-kdb/ipa_kdb_mspac.c | 29 ++---
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 51b879c..5e4d047 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -393,8 +393,8 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
 goto done;
 }
 
-/* get adtrust options */
-ret = ipadb_reinit_mspac(ipactx);
+/* get adtrust options using default refresh interval */
+ret = ipadb_reinit_mspac(ipactx, false);
 if (ret  ret != ENOENT) {
 /* TODO: log that there is an issue with adtrust settings */
 }
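Review bot: the failure branch right after the changed call, `if (ret && ret != ENOENT)` (the `&&` appears to have been eaten by the archive), still contains only the TODO comment, so an adtrust load error other than "not configured" is dropped silently at connection setup. Since the call site is being touched anyway, replace the TODO with a syslog() line carrying ret so a broken trust configuration shows up in the KDC log instead of surfacing later as unexplained missing PACs. Passing false here is correct: the connection path should honor the default interval, and the new comment says so.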
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index a611bc2..f4d3555 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -250,7 +250,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 krb5_authdata **tgt_auth_data,
 krb5_authdata ***signed_auth_data);
 
-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx);
+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool 
force_reinit);
 
 void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
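Review bot: the prototype now takes a bool, so ipa_kdb.h needs <stdbool.h> in scope; the hunk does not show the header's include list, so confirm that before pushing. A one-line comment above the prototype saying when force_reinit actually forces (only while no trusted-domain info is loaded yet, per the review discussion) would also help, because the bare name reads as an unconditional reload.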
 
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index d6c4f9a..6ffab45 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -24,6 +24,7 @@
 #include ipa_mspac.h
 #include talloc.h
 #include syslog.h
+#include unicase.h
 #include util/time.h
 #include gen_ndr/ndr_krb5pac.h
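Review bot: the new `#include <unicase.h>` makes ipa_kdb_mspac.c depend on the ulc_casemap work named in the cover mail (that header comes from libunistring), and nothing in this patch touches the build system, so the patch has to go in after those patches land or the driver will fail to compile; state that ordering in the commit message.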
 
@@ -1282,7 +1283,8 @@ static struct ipadb_adtrusts 
*get_domain_from_realm_update(krb5_context 

Re: [Freeipa-devel] [PATCH] 0109-0110 Support querying AD DC when establishing trust as HTTP/ipa.server principal

2013-07-23 Thread Simo Sorce
On Tue, 2013-07-23 at 16:11 +0300, Alexander Bokovoy wrote:
 On Tue, 23 Jul 2013, Simo Sorce wrote:
 On Thu, 2013-07-18 at 18:37 +0300, Alexander Bokovoy wrote:
  Hi!
 
  Attached patches make it possible to use HTTP/ipa.server@REALM to query AD
  DC over LDAP immediately after trust is established. We need this to get
  range discovery working prior to creating a range for the trusted domain.
 
  The patch 0109 makes KDC hostname cached on ipadb context to avoid
  resolving own hostname multiple times.
 
  The patch 0110 depends on ulc_casemap patches by Nathaniel and makes an
  exception for HTTP/ipa.server@REALM when a TGT is requested and MS-PAC is
  asked for -- we force refreshing the list of trusted domains here.
 
  More details are available in the commit logs.
 
 I do not think that changing reinit interval is the right thing to do.
 
 I would rather pass a boolean that tells reinit to check if we have any
 trust info, and if not unconditionally try to reinit immediately.
 
 I see that you treat the interval sort of like a boolean but then you
 just race hoping the previous reload w/o trust info happened more than 1
 second earlier.
 
 I think an explicit bool force_reload flag would be much clearer.
 
 Otherwise ack.
 Attached is a modified patch that uses 'bool force_reinit' (as the function is
 called ipadb_reinit_mspac).
 
 I tested it together with Tomas's updated patch 0076, which relies on these
 patches, so I'm going to commit the whole set together.

LGTM, please proceed.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
