[Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog

Simo Sorce simo at redhat.com
Tue Oct 30 15:28:23 UTC 2012


On Tue, 2012-10-30 at 06:50 +0200, Alexander Bokovoy wrote:
> I remember in my case that was the issue, i.e. finddc did discover
> proper DC via DNS and returned winda.ad.local but something within
> SASL/krb5 library wanted to see reverse lookup working which was not
> set
> up at the point.
> 

I was able to get it to work with this patch on top of yours:

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 2c53faf..c619188 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -257,7 +257,7 @@ class DomainValidator(object):
         return clear
 
     def __kinit_as_trusted_account(self, info, password):
-        ccache_name = "/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN"
+        ccache_name = "/var/run/ipa_memcached/krb5cc_TRUSTEDDOMAIN"
         principal = '%s$@%s' % (self.flatname, info['dns_domain'].upper())
         (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal],
                                                    env={'KRB5CCNAME':ccache_name},
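Review bot: the new ccache path in `__kinit_as_trusted_account` is a second hard-coded location with no note on why `/var/run/ipa/ipa_memcached/` became `/var/run/ipa_memcached/`; since this file holds a TGT for the trust account, please document in the commit message which directory actually exists on the server and which service owns it, and consider moving the path into a shared constant so the ccache location and its directory permissions are defined in one place rather than inline here.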
@@ -271,6 +271,7 @@ class DomainValidator(object):
         if auth:
             (ccache_name, principal) = self.__kinit_as_trusted_account(info, auth)
             if ccache_name:
+                conn.set_option(_ldap._ldap.OPT_X_SASL_NOCANON, _ldap.OPT_ON)
                 cb_info = dict()
                 # pass empty dict, SASL GSSAPI is able to get all from the ccache
                 sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
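Review bot: the added `set_option` call reaches the constant through `_ldap._ldap.OPT_X_SASL_NOCANON` while the value right next to it is `_ldap.OPT_ON`; python-ldap re-exports the constants at module level, so `_ldap.OPT_X_SASL_NOCANON` keeps the line consistent and avoids depending on the private C-extension module name. A one-line comment stating that NOCANON stops the SASL layer from reverse-resolving the DC name before GSSAPI (the reverse-lookup dependency described earlier in the thread), and that the name handed in by finddc is therefore used as-is for the service ticket, would make the intent clear to the next reader.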


If you are ok with the changes can you merge it in and send a new
patch?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
