[Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 27 10:27:55 UTC 2013


Hi!

Attached patch should solve an issue when fetching subdomains fails
shortly after trust has been established due to MS-PAC caching effects
on KDC. We have already made an alternative path to use when AD admin
credentials are available but failed to actually use them here.

Details in the patch.

https://fedorahosted.org/freeipa/ticket/4046
-- 
/ Alexander Bokovoy
From d5cddafe5ca11c54ab2d06a12efddbd80b3da5c7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 27 Nov 2013 12:17:43 +0200
Subject: [PATCH 2/2] subdomains: Use AD admin credentials when trust is being
 established

When AD administrator credentials are passed, they are stored in realm_passwd,
not realm_password, in the options.

Additionally, force the Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overridden by the user
through the command line and ignores some of the options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.

Fixes https://fedorahosted.org/freeipa/ticket/4046
---
 ipalib/plugins/trust.py | 2 +-
 ipaserver/dcerpc.py     | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5ba0905..5861d96 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1231,7 +1231,7 @@ api.register(trustdomain_del)
 def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
     trust_name = trust_entry['cn'][0]
     creds = None
-    password = options.get('realm_password', None)
+    password = options.get('realm_passwd', None)
     if password:
         creds = u"%s%%%s" % (options.get('realm_admin'), password)
     domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds)
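Review bot: the fix hinges on a string literal for the option key, and a mismatch here fails silently: `options.get('realm_password', None)` returned None, so `creds` stayed None and `fetch_domains` took the credential-less path, which is exactly the failure the commit message describes. Consider referencing the key from where the `realm_admin`/`realm_passwd` options are declared (or a shared constant) instead of repeating the literal, and add a test that passes `realm_passwd` and asserts `fetch_domains` is called with a non-None `creds`, so a future rename cannot silently drop back to the anonymous path. Also, `creds` is assembled as `u"%s%%%s" % (options.get('realm_admin'), password)` and later handed to `parse_string`, which splits on `%`; an admin name containing `%` would be parsed ambiguously, so the admin option is worth validating or documenting as `%`-free.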
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 0dde347..985360b 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -964,7 +964,6 @@ def fetch_domains(api, mydomain, trustdomain, creds=None):
                 NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x00000040)
 
     def communicate(td):
-        td.creds.guess(td.parm)
         netrc = net.Net(creds=td.creds, lp=td.parm)
         try:
             result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
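Review bot: removing `td.creds.guess(td.parm)` from `communicate()` makes it the caller's responsibility to initialize `td.creds` before `net.Net(creds=td.creds, lp=td.parm)` is constructed, and nothing in `communicate()` enforces or documents that. Add a one-line comment above `def communicate(td):` stating that `td.creds` must already have had `guess()` (and, in the credentials case, `parse_string()`) applied in the correct order, since a caller that skips it will get the old Kerberos-only behaviour back without any error.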
@@ -988,10 +987,13 @@ def fetch_domains(api, mydomain, trustdomain, creds=None):
         td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
         if ccache_name:
             with installutils.private_ccache(path=ccache_name):
+                td.creds.guess(td.parm)
                 domains = communicate(td)
     else:
         td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS)
+        td.creds.guess(td.parm)
         td.creds.parse_string(creds)
+        td.creds.set_workstation(api.env.host)
         domains = communicate(td)
 
     if domains is None:
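Review bot: the `else` branch is order-sensitive (`set_kerberos_state(credentials.DONT_USE_KERBEROS)` before `guess()`, `guess()` before `parse_string(creds)`) and the commit message explains why, but the code does not; add an inline comment such as `# guess() must run after set_kerberos_state() and before parse_string(), or the parsed values are treated as command-line overrides and NTLMSSP is not selected`, so the next reader does not reorder the calls. The new `td.creds.set_workstation(api.env.host)` call is not mentioned in the commit message at all; a sentence on why the workstation name is required for the NTLMSSP path would help. Finally, in the Kerberos branch shown here `domains` is only assigned inside `if ccache_name:`, so confirm `domains` is initialized earlier in the function; otherwise the `if domains is None:` check below raises NameError when `ccache_name` is falsy.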
-- 
1.8.4.2