[Freeipa-devel] Search global catalog for trusted domain SIDs

Sumit Bose sbose at redhat.com
Thu Oct 18 19:56:07 UTC 2012 

On Thu, Oct 18, 2012 at 10:00:54PM +0300, Alexander Bokovoy wrote:
> Hi,
> 
> this is work in progress, shared mostly to get comments.
> 
> Simo, Sumit, this is an attempt to resolve external group members from
> trusted domains using their Global Catalog services.
> 
> The code quickly became complex because it needs to do a lot of
> additional activity. A rough sequence is following:
> 1. Match external member against existing trusted domain
> 2. Find trusted domain's domain controller
> 3. Fetch trusted domain account auth info
> 4. Set up ccache in /tmp/krb5cc_TRUSTEDDOMAIN with principal
>    ourdomain$@trusted.domain
> 5. Do LDAP SASL interactive bind using the ccache
> 6. Search for the member's SID
> 7. Decode SID
> 8. Replace an external member name by SID in the group-add-member
>    command
> 
> Right now I'm failing at SASL interactive bind as Global Catalog does
> not accept the credentials in DomainValidator.__resolve_against_gc(),
> perhaps because I'm using LDAP SASL interactive bind wrongly. It is late
> here so I might simply be blind already.
> 
> [Thu Oct 18 21:42:08.924696 2012] [:error] [pid 7831] [client
> 192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1',
> 'desc': 'Invalid credentials'}
> 
> Note that ccache is successfully created and populated and
> is usable from command line via ldapsearch:
> 
...
> +
> +    def __resolve_against_gc(self, info, name):
> +        conn = IPAdmin(host=info['dc'], port=3268)
> +        auth = self.__extract_trusted_auth(info)
> +        if auth:
> +            (ccache_name, principal) = self.__kinit_as_trusted_account(info, auth)
> +            if ccache_name:
> +                cb_info = dict()
> +                (CB_USER, CB_GETREALM) = (0x4001, 0x4008)
> +                cb_info[CB_USER] = principal
> +                cb_info[CB_GETREALM] = info['dns_domain'].upper()
> +                sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
> +                old_ccache = os.environ.get('KRB5CCNAME')
> +                os.environ["KRB5CCNAME"] = ccache_name
> +                conn.sasl_interactive_bind_s(None, sasl_auth)
> +                os.environ["KRB5CCNAME"] = old_ccache

Are you sure the bind is already finished here? I haven't looked at the
implementation, but if it does a lazy bind, i.e. only bind when the
first request is made, it will see the wrong  ccache. Can you try to
set KRB5CCNAME to the old value after calling conn.getEntry()?

bye,
Sumit

> +        base = DN(*map(lambda p: ('dc', p), info['dns_domain'].split('.')))
> +        entry = conn.getEntry(base, _ldap.SCOPE_BASE,
> +                              '(&(sAMAccountName=%(name)s)(|(objectClass=user)(objectClass=group)))' % dict(name=name),
> +                              ['sAMAccountName', 'sAMAccountType', 'objectSid', 'groupType', 'description'])
> +        return entry

More information about the Freeipa-devel mailing list