[Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 30 04:50:07 UTC 2012


On Mon, 29 Oct 2012, Simo Sorce wrote:
>On Mon, 2012-10-29 at 23:03 +0200, Alexander Bokovoy wrote:
>> On Mon, 29 Oct 2012, Simo Sorce wrote:
>> >On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
>> >> A sequence is following:
>> >> 1. Match external member against existing trusted domain
>> >> 2. Find trusted domain's domain controller
>> >> 3. Fetch trusted domain account auth info
>> >> 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with principal ourdomain$@trusted.domain
>> >> 5. Do LDAP SASL interactive bind using the ccache
>> >> 6. Search for the member's SID
>> >> 7. Decode SID
>> >> 8. Replace external member name by SID
>> >>
>> >> https://fedorahosted.org/freeipa/ticket/3211
>> >> ---
>> >>  ipalib/plugins/group.py    |  32 +++++----
>> >>  ipaserver/dcerpc.py        | 172 +++++++++++++++++++++++++++++++++++++++++----
>> >>  ipaserver/plugins/ldap2.py |   3 +
>> >>  3 files changed, 181 insertions(+), 26 deletions(-)
>> >>
>> >> diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
>> >> index a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef 100644
>> >> --- a/ipalib/plugins/group.py
>> >> +++ b/ipalib/plugins/group.py
>> >> @@ -83,28 +83,30 @@ External members should be added to groups that specifically created as
>> >>  external and non-POSIX. Such group later should be included into one of POSIX
>> >>  groups.
>> >>
>> >> -An external group member is currently a Security Identifier as defined by
>> >> -the trusted domain.
>> >> +An external group member is currently a Security Identifier (SID) as defined by
>> >> +the trusted domain. When adding external group members, it is possible to
>> >> +specify them in either SID, or DOM\\name, or name at domain format. IPA will attempt
>> >> +to resolve passed name to SID with the use of Global Catalog of the trusted domain.
>> >>
>> >>  Example:
>> >>
>> >> -1. Make note of the trusted domain security identifier
>> >> -
>> >> -   domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut -d: -f2`
>> >> -
>> >> -2. Create group for the trusted domain admins' mapping and their local POSIX group:
>> >> +1. Create group for the trusted domain admins' mapping and their local POSIX group:
>> >>
>> >>     ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
>> >>     ipa group-add --desc='<ad.domain> admins' ad_admins
>> >>
>> >> -3. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
>> >> -   group (security identifier of <ad.domain SID>-513 is Domain Admins group):
>> >> +2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
>> >> +   group:
>> >>
>> >> -   ipa group-add-member ad_admins_external --external ${domainsid}-513
>> >> +   ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
>> >>
>> >> -4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
>> >> +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
>> >>
>> >>     ipa group-add-member ad_admins --groups ad_admins_external
>> >> +
>> >> +4. List members of external members of ad_admins_external group to see their SIDs:
>> >> +
>> >> +   ipa group-show ad_admins_external
>> >>  """)
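Review bot: the new docstring wording "specify them in either SID, or DOM\\name, or name at domain format" and step 4 "List members of external members of ad_admins_external group" read awkwardly; suggest "specify them as a SID, as DOM\\name, or as name@domain" and "List the external members of the ad_admins_external group to see their SIDs". Since the text only says IPA "will attempt to resolve" the name via the Global Catalog, the docstring should also say what the user sees when that lookup fails (an error rather than a silently stored name), because this hunk changes the command from accepting only SIDs to a network-dependent resolution.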
>> >
>> >A text similar to this is available when you run ipa help trust, I guess
>> >you should change that one too.
>> Right. I'll fix that.
>>
>> >
>> >I am trying to add a windows group now and getting this trace in my http
>> >server:
>> >
>> >[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache:
>> >ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME
>> >environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi (pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most recent call last):
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/share/ipa/wsgi.py", line 49, in application
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return api.Backend.wsgi_dispatch(environ, start_response)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return self.route(environ, start_response)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260, in route
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return app(environ, start_response)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158, in __call__
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     response = super(xmlserver_session, self).__call__(environ, start_response)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707, in __call__
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     response = super(xmlserver, self).__call__(environ, start_response)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 375, in __call__
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     response = self.wsgi_execute(environ)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     result = self.Command[name](*args, **options)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     ret = self.run(*args, **options)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return self.execute(*args, **options)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1590, in execute
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     **options)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/group.py", line 387, in post_callback
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 227, in get_sid_trusted_domain_object
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     entry = self.__resolve_against_gc(info, components['name'])
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 279, in __resolve_against_gc
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     conn.sasl_interactive_bind_s(None, sasl_auth)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 562, in sasl_interactive_bind_s
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]     result = func(*args,**kwargs)
>> >[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240]
>> >LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:
>> >Unspecified GSS failure.  Minor code may provide more information
>> >(Cannot determine realm for numeric host address)', 'desc': 'Local
>> >error'}
>> Somehow name resolution failed for you -- you probably need to restart
>> named before it actually would start working. I had similar issues with
>> caching of forwarder rules.
>
>Name resolution is working just fine (this trust was established a few
>weeks ago), and even after restarting named the error persists.
>
>What is odd is that something is trying to resolve a *numeric* address ?
>Is something trying to do reverse resolution ?
>because *that* is certainly going to fail in my setup and we should not
>depend on it.
I remember in my case that was the issue, i.e. finddc did discover the
proper DC via DNS and returned winda.ad.local, but something within the
SASL/krb5 library wanted to see reverse lookup working, which was not set
up at that point.


-- 
/ Alexander Bokovoy
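An added example, not FreeIPA's own code, for the resolution sequence quoted above: it classifies the three accepted input formats (SID, DOM\name, name@domain), decodes the binary objectSid that a Global Catalog search returns into the S-1-... form (step 7), and checks that the resolved SID belongs to the trusted domain's SID before it replaces the external member name (steps 1 and 8). Written for Python 3; the sample SID blob is constructed and not a real domain.

```python
import re
import struct

SID_RE = re.compile(r'^S-1-\d+(-\d+)+$')

def classify_member(name):
    """Return ('sid'|'flat'|'upn', value) for the accepted input formats."""
    if SID_RE.match(name):
        return ('sid', name)
    if '\\' in name:                      # DOM\name
        domain, _, user = name.partition('\\')
        return ('flat', (domain, user))
    if '@' in name:                       # name@domain (UPN style)
        user, _, domain = name.rpartition('@')
        return ('upn', (domain, user))
    raise ValueError('unrecognised external member format: %r' % name)

def decode_sid(blob):
    """Decode a binary SID ([MS-DTYP] 2.4.2.2) into its S-1-... string form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    identifier authority (big-endian), then count little-endian uint32s.
    """
    if len(blob) < 8:
        raise ValueError('SID blob too short')
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError('unsupported SID revision %d' % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError('SID length does not match sub-authority count')
    authority = int.from_bytes(blob[2:8], 'big')
    subs = struct.unpack('<%dI' % count, blob[8:])
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)

def belongs_to_domain(sid, domain_sid):
    """True only if sid is an object SID of the domain identified by domain_sid.

    This rejects e.g. BUILTIN SIDs (S-1-5-32-...) or SIDs of another domain
    that a GC search might return for an ambiguous name.
    """
    return sid.rsplit('-', 1)[0] == domain_sid

# Constructed sample objectSid for S-1-5-21-1-2-3-513 (Domain Admins RID 513).
SAMPLE_SID_BLOB = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack('<5I', 21, 1, 2, 3, 513)
SAMPLE_DOMAIN_SID = 'S-1-5-21-1-2-3'
```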
