[Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

Rob Crittenden rcritten at redhat.com
Mon Oct 29 21:12:10 UTC 2012


Alexander Bokovoy wrote:
> On Mon, 29 Oct 2012, Simo Sorce wrote:
>> On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
>>> The sequence is as follows:
>>> 1. Match external member against existing trusted domain
>>> 2. Find trusted domain's domain controller
>>> 3. Fetch trusted domain account auth info
>>> 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN
>>> with principal ourdomain$@trusted.domain
>>> 5. Do LDAP SASL interactive bind using the ccache
>>> 6. Search for the member's SID
>>> 7. Decode SID
>>> 8. Replace external member name by SID
>>>
>>> https://fedorahosted.org/freeipa/ticket/3211
>>> ---
>>>  ipalib/plugins/group.py    |  32 +++++----
>>>  ipaserver/dcerpc.py        | 172
>>> +++++++++++++++++++++++++++++++++++++++++----
>>>  ipaserver/plugins/ldap2.py |   3 +
>>>  3 files changed, 181 insertions(+), 26 deletions(-)
>>>
>>> diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
>>> index
>>> a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef
>>> 100644
>>> --- a/ipalib/plugins/group.py
>>> +++ b/ipalib/plugins/group.py
>>> @@ -83,28 +83,30 @@ External members should be added to groups that
>>> specifically created as
>>>  external and non-POSIX. Such group later should be included into one
>>> of POSIX
>>>  groups.
>>>
>>> -An external group member is currently a Security Identifier as
>>> defined by
>>> -the trusted domain.
>>> +An external group member is currently a Security Identifier (SID) as
>>> defined by
>>> +the trusted domain. When adding external group members, it is
>>> possible to
>>> +specify them in either SID, or DOM\\name, or name at domain format. IPA
>>> will attempt
>>> +to resolve passed name to SID with the use of Global Catalog of the
>>> trusted domain.
>>>
>>>  Example:
>>>
>>> -1. Make note of the trusted domain security identifier
>>> -
>>> -   domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut
>>> -d: -f2`
>>> -
>>> -2. Create group for the trusted domain admins' mapping and their
>>> local POSIX group:
>>> +1. Create group for the trusted domain admins' mapping and their
>>> local POSIX group:
>>>
>>>     ipa group-add --desc='<ad.domain> admins external map'
>>> ad_admins_external --external
>>>     ipa group-add --desc='<ad.domain> admins' ad_admins
>>>
>>> -3. Add security identifier of Domain Admins of the <ad.domain> to
>>> the ad_admins_external
>>> -   group (security identifier of <ad.domain SID>-513 is Domain
>>> Admins group):
>>> +2. Add security identifier of Domain Admins of the <ad.domain> to
>>> the ad_admins_external
>>> +   group:
>>>
>>> -   ipa group-add-member ad_admins_external --external ${domainsid}-513
>>> +   ipa group-add-member ad_admins_external --external 'AD\\Domain
>>> Admins'
>>>
>>> -4. Allow members of ad_admins_external group to be associated with
>>> ad_admins POSIX group:
>>> +3. Allow members of ad_admins_external group to be associated with
>>> ad_admins POSIX group:
>>>
>>>     ipa group-add-member ad_admins --groups ad_admins_external
>>> +
>>> +4. List members of external members of ad_admins_external group to
>>> see their SIDs:
>>> +
>>> +   ipa group-show ad_admins_external
>>>  """)
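Review bot: the new step 4 reads "List members of external members of ad_admins_external group", which should be "List the external members of the ad_admins_external group"; and step 2 still says "Add security identifier of Domain Admins" while its example now passes the name 'AD\\Domain Admins' rather than a SID, so reword it to "Add the Domain Admins group of <ad.domain> to the ad_admins_external group". The removed line "(security identifier of <ad.domain SID>-513 is Domain Admins group)" was the only place the RID was explained; if name resolution via the Global Catalog is meant to replace that, say so in the paragraph above instead of dropping the information silently.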
>>
>> A text similar to this is available when you run ipa help trust, I guess
>> you should change that one too.
> Right. I'll fix that.
>
>>
>> I am trying to add a windows group now and getting this trace in my http
>> server:
>>
>> [Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache:
>> ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME
>> environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi
>> (pid=20825): Exception occurred processing WSGI script
>> '/usr/share/ipa/wsgi.py'.
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback
>> (most recent call last):
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/share/ipa/wsgi.py", line 49, in application
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return
>> api.Backend.wsgi_dispatch(environ, start_response)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248,
>> in __call__
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return
>> self.route(environ, start_response)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260,
>> in route
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return
>> app(environ, start_response)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158,
>> in __call__
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
>> response = super(xmlserver_session, self).__call__(environ,
>> start_response)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707,
>> in __call__
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
>> response = super(xmlserver, self).__call__(environ, start_response)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 375,
>> in __call__
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
>> response = self.wsgi_execute(environ)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334,
>> in wsgi_execute
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     result
>> = self.Command[name](*args, **options)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in
>> __call__
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     ret =
>> self.run(*args, **options)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return
>> self.execute(*args, **options)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
>> 1590, in execute
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
>> **options)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipalib/plugins/group.py", line 387,
>> in post_callback
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
>> actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 227, in
>> get_sid_trusted_domain_object
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     entry
>> = self.__resolve_against_gc(info, components['name'])
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 279, in
>> __resolve_against_gc
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
>> conn.sasl_interactive_bind_s(None, sasl_auth)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
>> 562, in sasl_interactive_bind_s
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return
>> self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
>> sasl_flags)
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
>> sasl_interactive_bind_s
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return
>> self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
>>
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File
>> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
>> _ldap_call
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     result
>> = func(*args,**kwargs)
>
>> [Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
>> LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information
>> (Cannot determine realm for numeric host address)', 'desc': 'Local
>> error'}
> Somehow name resolution failed for you -- you probably need to restart
> named before it actually would start working. I had similar issues with
> caching of forwarder rules.
>

Should we catch sasl exceptions?

rob
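The steps the commit message lists are mostly network work (find the DC, fetch the trust account, set up a ccache, SASL bind), but the parts that decide what ends up stored in IPA can be exercised offline: matching the `--external` value to a trusted domain (step 1), building the Global Catalog filter (step 6), decoding the binary objectSid (step 7) and handing back the SID (step 8). The example below is added here and is not code from the patch or from FreeIPA; the trusted-domain table, the DNS/NetBIOS names, the domain SID and the `fake_gc_search` stand-in for the Global Catalog are all constructed, and `sAMAccountName` as the lookup attribute is an assumption. Two checks that the patch does not show are included: the name from the command line is RFC 4515-escaped before it goes into the LDAP filter, and the SID the GC returns is required to lie inside the matched domain, since a GC answers for the whole forest. Steps 2 to 5 are omitted; note for the bind in step 5 that GSSAPI needs the GC's hostname rather than an IP address, which is what the "Cannot determine realm for numeric host address" error in the trace above is complaining about.

```python
import re
import struct

# Constructed sample of what ipa trust-show reports for one trusted domain.
# The DNS name, NetBIOS name and domain SID are made up for this example.
TRUSTED_DOMAINS = {
    "ad.example.test": {
        "flatname": "AD",
        "sid": "S-1-5-21-1234567890-987654321-1122334455",
    },
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_external_member(member, trusted_domains=TRUSTED_DOMAINS):
    """Step 1: classify a --external value and match it to a trusted domain.

    Returns (kind, domain_dns_name, value): kind is "sid" (value is the SID)
    or "name" (value is the account name still to be looked up in the GC).
    """
    if SID_RE.match(member):
        for dns, info in trusted_domains.items():
            if member.startswith(info["sid"] + "-"):
                return ("sid", dns, member)
        raise ValueError("SID %s does not belong to any trusted domain" % member)
    if "\\" in member:                      # DOM\name
        flat, name = member.split("\\", 1)
        for dns, info in trusted_domains.items():
            if info["flatname"].lower() == flat.lower():
                return ("name", dns, name)
        raise ValueError("unknown NetBIOS domain %s" % flat)
    if "@" in member:                       # name@domain
        name, dns = member.rsplit("@", 1)
        if dns.lower() in trusted_domains:
            return ("name", dns.lower(), name)
        raise ValueError("unknown DNS domain %s" % dns)
    raise ValueError("expected SID, DOM\\name or name@domain, got %r" % member)


def ldap_filter_escape(value):
    """RFC 4515 escaping so a name taken from the CLI cannot alter the GC filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def gc_search_filter(name):
    """Step 6: filter for the account in the Global Catalog (attribute assumed)."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(name)


def decode_sid(blob):
    """Step 7: decode a binary objectSid (revision, sub-authority count, 48-bit
    big-endian identifier authority, 32-bit little-endian sub-authorities)."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid):
    """Inverse of decode_sid; used here only to build the fake GC reply."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID %s" % sid)
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def resolve_external_member(member, gc_search, trusted_domains=TRUSTED_DOMAINS):
    """Steps 1, 6, 7 and 8 with the network replaced by gc_search(domain, filter),
    which returns a list of objectSid blobs. Returns the SID to store."""
    kind, dns, value = parse_external_member(member, trusted_domains)
    if kind == "sid":
        return value
    entries = gc_search(dns, gc_search_filter(value))
    if len(entries) != 1:
        raise LookupError("expected one GC match for %s, got %d" % (member, len(entries)))
    sid = decode_sid(entries[0])
    # The GC is forest-wide: insist the object belongs to the domain the name
    # was matched against (a check added in this example, not from the patch).
    if not sid.startswith(trusted_domains[dns]["sid"] + "-"):
        raise LookupError("%s resolved to %s, outside %s" % (member, sid, dns))
    return sid


# Constructed stand-in for the Global Catalog: Domain Admins is RID 513.
FAKE_GC = {
    ("ad.example.test", gc_search_filter("Domain Admins")):
        [encode_sid(TRUSTED_DOMAINS["ad.example.test"]["sid"] + "-513")],
}


def fake_gc_search(dns, ldap_filter):
    return FAKE_GC.get((dns, ldap_filter), [])


if __name__ == "__main__":
    for m in ("AD\\Domain Admins", "Domain Admins@ad.example.test",
              TRUSTED_DOMAINS["ad.example.test"]["sid"] + "-513"):
        print("%-45s -> %s" % (m, resolve_external_member(m, fake_gc_search)))
```

All three input forms from the docstring resolve to the same SID, an unknown name raises rather than silently storing nothing, and a SID whose prefix matches no trusted domain is rejected before any lookup is attempted.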
