[Freeipa-devel] Search global catalog for trusted domain SIDs

Sumit Bose sbose at redhat.com
Thu Oct 18 21:15:25 UTC 2012 

On Thu, Oct 18, 2012 at 11:42:34PM +0300, Alexander Bokovoy wrote:
> On Thu, 18 Oct 2012, Sumit Bose wrote:
> >On Thu, Oct 18, 2012 at 10:00:54PM +0300, Alexander Bokovoy wrote:
> >>Hi,
> >>
> >>this is work in progress, shared mostly to get comments.
> >>
> >>Simo, Sumit, this is an attempt to resolve external group members from
> >>trusted domains using their Global Catalog services.
> >>
> >>The code quickly became complex because it needs to do a lot of
> >>additional activity. A rough sequence is following:
> >>1. Match external member against existing trusted domain
> >>2. Find trusted domain's domain controller
> >>3. Fetch trusted domain account auth info
> >>4. Set up ccache in /tmp/krb5cc_TRUSTEDDOMAIN with principal
> >>   ourdomain$@trusted.domain
> >>5. Do LDAP SASL interactive bind using the ccache
> >>6. Search for the member's SID
> >>7. Decode SID
> >>8. Replace an external member name by SID in the group-add-member
> >>   command
> >>
> >>Right now I'm failing at SASL interactive bind as Global Catalog does
> >>not accept the credentials in DomainValidator.__resolve_against_gc(),
> >>perhaps because I'm using LDAP SASL interactive bind wrongly. It is late
> >>here so I might simply be blind already.
> >>
> >>[Thu Oct 18 21:42:08.924696 2012] [:error] [pid 7831] [client
> >>192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr:
> >>DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1',
> >>'desc': 'Invalid credentials'}
> >>
> >>Note that ccache is successfully created and populated and
> >>is usable from command line via ldapsearch:
> >>
> >...
> >>+
> >>+    def __resolve_against_gc(self, info, name):
> >>+        conn = IPAdmin(host=info['dc'], port=3268)
> >>+        auth = self.__extract_trusted_auth(info)
> >>+        if auth:
> >>+            (ccache_name, principal) = self.__kinit_as_trusted_account(info, auth)
> >>+            if ccache_name:
> >>+                cb_info = dict()
> >>+                (CB_USER, CB_GETREALM) = (0x4001, 0x4008)
> >>+                cb_info[CB_USER] = principal
> >>+                cb_info[CB_GETREALM] = info['dns_domain'].upper()
> >>+                sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
> >>+                old_ccache = os.environ.get('KRB5CCNAME')
> >>+                os.environ["KRB5CCNAME"] = ccache_name
> >>+                conn.sasl_interactive_bind_s(None, sasl_auth)
> >>+                os.environ["KRB5CCNAME"] = old_ccache
> >
> >Are you sure the bind is already finished here? I haven't looked at the
> >implementation, but if it does a lazy bind, i.e. only bind when the
> >first request is made, it will see the wrong  ccache. Can you try to
> >set KRB5CCNAME to the old value after calling conn.getEntry()?
> Yes, I'm sure because it raises exception from within
> sasl_interactive_bind_s() call, it never ever gets to the next line.
> 
> [Thu Oct 18 23:28:12.421356 2012] [:error] [pid 8183] [client 192.168.111.206:0]     conn.sasl_interactive_bind_s(None, sasl_auth)
> [Thu Oct 18 23:28:12.421412 2012] [:error] [pid 8183] [client 192.168.111.206:0]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 556, in sasl_interactive_bind_s
> [Thu Oct 18 23:28:12.421832 2012] [:error] [pid 8183] [client 192.168.111.206:0]     return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
> [Thu Oct 18 23:28:12.421854 2012] [:error] [pid 8183] [client 192.168.111.206:0]   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
> sasl_interactive_bind_s
> [Thu Oct 18 23:28:12.422086 2012] [:error] [pid 8183] [client 192.168.111.206:0]     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> [Thu Oct 18 23:28:12.422108 2012] [:error] [pid 8183] [client 192.168.111.206:0]   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
> [Thu Oct 18 23:28:12.422134 2012] [:error] [pid 8183] [client 192.168.111.206:0]     result = func(*args,**kwargs)
> [Thu Oct 18 23:28:12.422196 2012] [:error] [pid 8183] [client 192.168.111.206:0] INVALID_CREDENTIALS: {'info': '8009030B: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 0, v1db1', 'desc': 'Invalid credentials'}
> 

ok another guess. In the python docs it is said the "Such changes to the
environment affect subprocesses started with os.system(), popen() or
fork() and execv()." So I guess os.environ["KRB5CCNAME"]=something does
not change the environment of the running process, but only python data.
If I try to set a new env var in the python interpreter and look at
/proc/PID/environ from a different shell, I see no changes.

bye,
Sumit
> -- 
> / Alexander Bokovoy

More information about the Freeipa-devel mailing list