<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 01/02/2015 10:13 PM, Genadi
Postrilko wrote:<br>
</div>
<blockquote
cite="mid:CAPP+0v+WMh-=Pd+dNKpqG+PCHNOrkABdn036Fg+occa0Om4vYg@mail.gmail.com"
type="cite">
<div dir="rtl">
<div style="direction:ltr">
<p class="">Hello all.<br>
</p>
<p class="">I'm working on integrating AD trust feature in the
forest
of a large organization (Its network is not connected to the
internet).</p>
<p class="">First I tested the trust in "clean" environment
(that i have deployed) to simulate production forest
deployment , in the following configuration:</p>
<p class=""><br>
</p>
<p class=""><span style="color:rgb(42,42,42)">The forest root
domain</span>
: <a moz-do-not-send="true" href="http://red.com">red.com</a></p>
<p class=""><span style="color:rgb(42,42,42)">Second Domain
tree : <a moz-do-not-send="true"
href="http://blue.com">blue.com</a></span></p>
<p class=""><span style="color:rgb(42,42,42)">IPA
: <a moz-do-not-send="true"
href="http://linux.blue.com">linux.blue.com</a></span></p>
<p class=""><span style="color:rgb(42,42,42)">All the AD DCs
are 2008 R2
server and 2008 R2 functional level.</span></p>
<p class=""><span style="color:rgb(42,42,42)">IPA server in
installed on
RHEL 7.</span></p>
<p class=""><span style="color:rgb(42,42,42)">ipa-server-3.3.3-28.el7_0.1.x86_64</span></p>
<p class=""><span style="color:rgb(42,42,42)">ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64</span></p>
<p class=""><span style="color:rgb(42,42,42)">ipa-python-3.3.3-28.el7_0.1.x86_64</span></p>
<p class=""><span style="color:rgb(42,42,42)"> </span></p>
<p class=""><span style="color:rgb(42,42,42)">With help of the
mailing
list, all works fine. Users from both <a
moz-do-not-send="true" href="http://red.com">red.com</a>
and <a moz-do-not-send="true" href="http://blue.com">blue.com</a>
are able to log into
IPA domain.</span></p>
<p class=""><span style="color:rgb(42,42,42)">After the
success, I proceeded
to test the trust in organization's test environment.</span></p>
<p class=""><span style="color:rgb(42,42,42)">The installation
of the trust
itself has completed successfully. But </span><span
style="color:rgb(62,62,62);background-image:initial;background-repeat:initial">although</span><span
style="color:rgb(42,42,42)"> users from
<b><a moz-do-not-send="true" href="http://red.com">red.com</a></b>
were able to log into IPA domain, users from <b><a
moz-do-not-send="true" href="http://blue.com">blue.com</a></b>
couldn't.
</span></p>
<p class=""><span style="color:rgb(42,42,42)">After checking
the sssd logs
it seemed as <a moz-do-not-send="true"
href="http://blue.com">blue.com</a> domain is unknown to
IPA.</span></p>
<p class=""><font color="#2a2a2a">Therefore I ran "</font><b
style=""><font color="#2a2a2a">ipa trustdomain-find <a
moz-do-not-send="true" href="http://red.com">red.com</a>"
</font></b><font color="#2a2a2a">in both environments, to
see if there are any
differences.</font></p>
<p class=""><span style="color:rgb(42,42,42)">And indeed there
were:</span></p>
<p class=""><span style="color:rgb(42,42,42)">While in the
"clean"
</span>environment, the command <span
style="color:rgb(42,42,42)">returned both <b><a
moz-do-not-send="true" href="http://red.com">red.com</a></b>
and <b><a moz-do-not-send="true" href="http://blue.com">blue.com</a></b>
domains,
in organization's test environment it returned only <b><a
moz-do-not-send="true" href="http://red.com">red.com</a></b>.</span></p>
<p class=""><span style="color:rgb(42,42,42)">I tried to re
fetch the
domain with "<b>ipa trust-fetch-domains <a
moz-do-not-send="true" href="http://red.com">red.com</a>"
</b>but it returned the
message - "</span> <span style="color:rgb(42,42,42)">No
new trust domains were
found".</span></p>
<p class=""><span style="color:rgb(42,42,42)"> </span></p>
<p class=""><span style="color:rgb(42,42,42)">It made me think
that maybe the
AD is not returning all domains in the forest.</span></p>
<p class=""><span style="color:rgb(42,42,42)">I opened
wireshark on both environments
and ran "<b>ipa trust-fetch-domains
<a moz-do-not-send="true" href="http://red.com">red.com</a>"
</b>to see what is been sent from AD to IPA.</span></p>
<p class=""><span style="color:rgb(42,42,42)"> </span></p>
<p class=""><span style="color:rgb(42,42,42)">In both
environments I seen
the </span>DsrEnumerateDomainTrusts request and response.
</p>
<p class="">Reading the content of response showed that in
both <span style="color:rgb(42,42,42)">environments, the </span>response<span
style="color:rgb(42,42,42)">
contained <b><a moz-do-not-send="true"
href="http://red.com">red.com</a></b> and <b><a
moz-do-not-send="true" href="http://blue.com">blue.com</a></b>
domain. </span></p>
<p class="">After inspecting the structures that contain
domains information
(DS_DOMAIN_TRUSTS) , I noticed that in
both environments the <b>TrustAttribute </b>of <a
moz-do-not-send="true" href="http://red.com">red.com</a>
is set to 0x0000000.</p>
<p class="">But <b>TrustAttribute </b>of <a
moz-do-not-send="true" href="http://blue.com">blue.com</a>
is set to
0x00000020 (<span style="color:rgb(42,42,42)">TRUST_ATTRIBUTE_WITHIN_FOREST</span>)
in the "clean" environment and
to 0x00800000 in the test environment.</p>
<p class=""> </p>
<p class="">Reading MSDN for <b>TrustAttribute</b>, explains
the
following:</p>
<p class=""> </p>
<p class=""><a moz-do-not-send="true"
href="http://msdn.microsoft.com/en-us/library/cc223779.aspx">http://msdn.microsoft.com/en-us/library/cc223779.aspx</a></p>
<p class=""> </p>
<p class=""><span style="font-size:10pt;font-family:'Segoe
UI',sans-serif;color:rgb(42,42,42)">(TRUST_ATTRIBUTE_WITHIN_FOREST)</span></p>
<p class=""><span style="font-size:10pt;font-family:'Segoe
UI',sans-serif;color:rgb(42,42,42)">0x00000020</span></p>
<p class=""><span style="font-size:10pt;font-family:'Segoe
UI',sans-serif;color:rgb(42,42,42)">If this bit is set,
then the trusted domain is within the same
forest.</span></p>
<p class=""><span style="font-size:10pt;font-family:'Segoe
UI',sans-serif;color:rgb(42,42,42)">Only evaluated on
Windows
Server 2003, Windows Server 2008, Windows Server 2008 R2,
Windows Server 2012, and Windows Server 2012 R2.</span></p>
<p class=""> </p>
<p class=""><span style="color:rgb(42,42,42)">While I couldn't
find specific
information about </span>0x00800000, but this:</p>
<p class=""><span style="font-size:10pt;font-family:'Segoe
UI',sans-serif;color:rgb(42,42,42)">0x00400000 -
0x00800000</span></p>
<p class=""><span style="font-size:10pt;font-family:'Segoe
UI',sans-serif;color:rgb(42,42,42)">Previously used trust
bits, and are obsolete.</span></p>
<p class=""><span style="font-size:10pt;font-family:'Segoe
UI',sans-serif;color:rgb(42,42,42)"> </span></p>
<p class="">I did not find more information on <span
style="font-size:10pt;font-family:'Segoe
UI',sans-serif;color:rgb(42,42,42)">0x00800000</span>
or a reason why the attributes would be different in the two
deployments.</p>
<p class="">I asked for advice from Microsoft IT guy in the
organization.
He said that difference in the <b>TrustAttribute </b>is
caused by the fact,
that the "clean" environment was created as Windows Server
2008,
while the test (and production) forest was created as
windows 2000 servers (about 12 years ago) and the forest
was gradually upgraded
to 2003 and 2008 along the years.</p>
<p class="">Couldn't find more information on the attribute
for
windows server 2000/2003 but the theory sounds quite
logical.</p>
<p class=""> </p>
<p class="">I decided to check
if <b>TrustAttribute </b>influences IPA's domain fetch.</p>
<p class=""> </p>
<p class="">fetch_domains function in
/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py</p>
<p class="">contains the following lines of code:</p>
<p class=""> </p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> trust_attributes = dict(</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">
NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE
= 0x00000001,</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">
NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY
= 0x00000002,</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">
NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004,</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">
NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
= 0x00000008,</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">
NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010,</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">
NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020,</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">
NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
= 0x00000040)</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">.</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">.</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">.</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> </span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'">result
= []</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> for t in domains.array:</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> <b>if ((t.trust_attributes &
trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'])
and</b></span></p>
<p class=""><b><span
style="font-size:10pt;font-family:'Courier New'">
(t.trust_flags &
trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):</span></b></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> res = dict()</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> res['cn'] = unicode(t.dns_name)</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> res['ipantflatname'] =
unicode(t.netbios_name)</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> res['ipanttrusteddomainsid'] =
unicode(t.sid)</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> res['ipanttrustpartner'] =
res['cn']</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New'"> result.append(res)</span></p>
<p class=""> </p>
<p class="">The bit-wise operation is preformed to check if
the trust
attribute is set to TRUST_ATTRIBUTE_WITHIN_FOREST
(0x00000020) and if so, the trust is added to
result array.</p>
<p class=""> </p>
<p class="">It seems the value of <b>TrustAttribute </b>set
to
0x00800000 is the reason the domain wasn't fetched.</p>
<p class=""> </p>
<p class="">To confirm it I changed the if statement to: </p>
<p class=""> </p>
<p class=""><b><span
style="font-size:10pt;font-family:'Courier New'"> </span></b><span
style="font-size:10pt;font-family:'Courier New'"> if
((t.trust_attributes &
trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']
<b>|| </b></span></p>
<p class=""><b><span
style="font-size:10pt;font-family:'Courier New'">(t.trust_attributes
&
0x00800000)) </span></b><span
style="font-size:10pt;font-family:'Courier New'">and
(t.trust_flags &
trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):</span></p>
<p class=""><b> </b></p>
<p class="">Then deleted and recreated the trust and finally
ran <span style="color:rgb(42,42,42)">"<b>ipa
trust-fetch-domains <a moz-do-not-send="true"
href="http://red.com">red.com</a>"-</b></span></p>
<p class=""><span style="color:rgb(42,42,42)">this time the <b><a
moz-do-not-send="true" href="http://blue.com">blue.com</a></b>
domain did appear!</span></p>
<p class=""><span style="color:rgb(42,42,42)">I was able to
login with
users from both <a moz-do-not-send="true"
href="http://red.com">red.com</a> and <a
moz-do-not-send="true" href="http://blue.com">blue.com</a>
to IPA domain.</span></p>
<p class=""><span style="color:rgb(42,42,42)"> </span></p>
<p class=""><span style="color:rgb(42,42,42)">Checking both
upstream 3.3
and 4.1 shows that the if statement was changed to :</span></p>
<p class=""><span style="color:rgb(42,42,42)"> </span></p>
<p class=""><b><span
style="font-size:10pt;font-family:'Courier
New';color:black">if</span></b><span
style="font-size:10pt;font-family:'Courier
New';color:black"> </span><span
style="font-size:10pt;font-family:'Courier
New';color:black">(<b>not</b></span><span
style="font-size:10pt;font-family:'Courier
New';color:black"> </span><span
style="font-size:10pt;font-family:'Courier
New';color:black">(</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">t</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">.</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">trust_flags
</span><span style="font-size:10pt;font-family:'Courier
New';color:black">&</span><span
style="font-size:10pt;font-family:'Courier
New';color:black"> trust_flags</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">[</span><span
style="font-size:10pt;font-family:'Courier New';color:red">'NETR_TRUST_FLAG_PRIMARY'</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">])</span><span
style="font-size:10pt;font-family:'Courier
New';color:black"> </span><b><span
style="font-size:10pt;font-family:'Courier
New';color:black">and</span></b><span
style="font-size:10pt;font-family:'Courier
New';color:black"></span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New';color:black"> </span><span
style="font-size:10pt;font-family:'Courier
New';color:black">(</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">t</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">.</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">trust_flags
</span><span style="font-size:10pt;font-family:'Courier
New';color:black">&</span><span
style="font-size:10pt;font-family:'Courier
New';color:black"> trust_flags</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">[</span><span
style="font-size:10pt;font-family:'Courier New';color:red">'NETR_TRUST_FLAG_IN_FOREST'</span><span
style="font-size:10pt;font-family:'Courier
New';color:black">])):</span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New';color:black"> </span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New';color:black"><a moz-do-not-send="true"
href="https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-3-3#n1039">https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-3-3#n1039</a></span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New';color:black"> </span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New';color:black"><a moz-do-not-send="true"
href="https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-4-1#n1102">https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-4-1#n1102</a></span></p>
<p class=""><span style="font-size:10pt;font-family:'Courier
New';color:black"> </span></p>
<p class=""><span style="color:black">From first sight it
looks like <a moz-do-not-send="true"
href="http://blue.com">blue.com</a> will fetched.</span></p>
<p class=""><span style="color:black">Haven't yet tested if
upstream works in the test environment. </span></p>
<p class=""><span style="color:black"> </span></p>
<p class=""><span style="color:black">Any thoughts on the
subject will be great. </span></p>
<p class=""><font color="#000000">(I hope i'm
not mentioning something that was solved long ago).</font></p>
<p class=""><span style="color:black">Genadi</span></p>
<p class=""><span style="color:black"> </span></p>
<p class=""><span style="color:black"> </span></p>
<p class=""><span style="color:black"> </span></p>
<p class=""> </p>
<p class=""><span style="color:rgb(42,42,42)"> </span></p>
<p class=""><span style="color:rgb(42,42,42)"> </span></p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
Wow!<br>
<br>
Sounds like a ticket is due...<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
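<br>
<p>The two filters discussed in the thread, replayed side by side as an added example; this is not code from the thread or from FreeIPA. It re-implements the 3.3.3 attribute-based check and the upstream flag-based check over constructed DS_DOMAIN_TRUSTS entries (placeholder SIDs, a made-up external trust green.example), and also decodes a raw TrustAttributes word so an obsolete bit such as 0x00800000 is reported rather than silently read as "no attributes". The NETR_TRUST_FLAG_* values are assumed from the MS-NRPC DS_DOMAIN_TRUSTSW Flags definition; the thread itself only names IN_FOREST and PRIMARY. It goes beyond the thread by including a trust that neither filter should return, to show the flag-based check does not simply admit everything.</p>

```python
"""Added example (not FreeIPA's code): replay the fetch_domains filter from the
thread over constructed DsrEnumerateDomainTrusts entries."""
from collections import namedtuple

# TrustAttributes bits, as in the dict quoted from ipaserver/dcerpc.py.
TRUST_ATTRIBUTES = {
    "NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE": 0x00000001,
    "NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY": 0x00000002,
    "NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN": 0x00000004,
    "NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE": 0x00000008,
    "NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION": 0x00000010,
    "NETR_TRUST_ATTRIBUTE_WITHIN_FOREST": 0x00000020,
    "NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL": 0x00000040,
}
# "Previously used trust bits, and are obsolete" range quoted from MSDN.
OBSOLETE_ATTRIBUTE_MASK = 0x00400000 | 0x00800000

# DS_DOMAIN_TRUSTSW Flags from MS-NRPC; assumed values, not listed in the thread.
TRUST_FLAGS = {
    "NETR_TRUST_FLAG_IN_FOREST": 0x00000001,
    "NETR_TRUST_FLAG_OUTBOUND": 0x00000002,
    "NETR_TRUST_FLAG_TREEROOT": 0x00000004,
    "NETR_TRUST_FLAG_PRIMARY": 0x00000008,
    "NETR_TRUST_FLAG_NATIVE": 0x00000010,
    "NETR_TRUST_FLAG_INBOUND": 0x00000020,
}

# Stand-in for one DS_DOMAIN_TRUSTS array element as the samba binding returns it.
TrustEntry = namedtuple(
    "TrustEntry", "dns_name netbios_name sid trust_flags trust_attributes")


def describe_attributes(value):
    """Name every bit set in a TrustAttributes value; obsolete and unknown bits
    are reported explicitly instead of being lost."""
    names = [n for n, bit in TRUST_ATTRIBUTES.items() if value & bit]
    known = 0
    for bit in TRUST_ATTRIBUTES.values():
        known |= bit
    for position in range(32):
        mask = 2 ** position
        if value & mask and not known & mask:
            kind = "OBSOLETE" if mask & OBSOLETE_ATTRIBUTE_MASK else "UNKNOWN"
            names.append("%s(0x%08x)" % (kind, mask))
    return names


def _entry_to_dict(t):
    """Same shape as the 'res' dict built in the thread's snippet."""
    return {"cn": t.dns_name, "ipantflatname": t.netbios_name,
            "ipanttrusteddomainsid": t.sid, "ipanttrustpartner": t.dns_name}


def fetch_domains_by_attribute(domains):
    """Filter as in ipa-server 3.3.3: requires the WITHIN_FOREST attribute bit."""
    within = TRUST_ATTRIBUTES["NETR_TRUST_ATTRIBUTE_WITHIN_FOREST"]
    in_forest = TRUST_FLAGS["NETR_TRUST_FLAG_IN_FOREST"]
    return [_entry_to_dict(t) for t in domains
            if (t.trust_attributes & within) and (t.trust_flags & in_forest)]


def fetch_domains_by_flags(domains):
    """Filter as in the upstream snippet quoted in the thread: every non-primary
    domain flagged IN_FOREST, whatever its TrustAttributes word says."""
    primary = TRUST_FLAGS["NETR_TRUST_FLAG_PRIMARY"]
    in_forest = TRUST_FLAGS["NETR_TRUST_FLAG_IN_FOREST"]
    return [_entry_to_dict(t) for t in domains
            if not (t.trust_flags & primary) and (t.trust_flags & in_forest)]


# Constructed samples (SIDs are placeholders). The enumerating DC lives in
# red.com, so red.com carries PRIMARY; green.example is a constructed external
# trust that neither filter should hand to IPA.
_RED = TrustEntry("red.com", "RED", "S-1-5-21-1-1-1",
                  TRUST_FLAGS["NETR_TRUST_FLAG_PRIMARY"]
                  | TRUST_FLAGS["NETR_TRUST_FLAG_IN_FOREST"]
                  | TRUST_FLAGS["NETR_TRUST_FLAG_TREEROOT"], 0x00000000)
_GREEN = TrustEntry("green.example", "GREEN", "S-1-5-21-3-3-3",
                    TRUST_FLAGS["NETR_TRUST_FLAG_OUTBOUND"],
                    TRUST_ATTRIBUTES["NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE"])
_IN_FOREST_TREE = (TRUST_FLAGS["NETR_TRUST_FLAG_IN_FOREST"]
                   | TRUST_FLAGS["NETR_TRUST_FLAG_TREEROOT"])

# "Clean" forest created on 2008: blue.com carries TRUST_ATTRIBUTE_WITHIN_FOREST.
SAMPLE_CLEAN = [_RED, TrustEntry("blue.com", "BLUE", "S-1-5-21-2-2-2",
                                 _IN_FOREST_TREE, 0x00000020), _GREEN]
# Forest upgraded from Windows 2000: blue.com carries only the obsolete bit.
SAMPLE_UPGRADED = [_RED, TrustEntry("blue.com", "BLUE", "S-1-5-21-2-2-2",
                                    _IN_FOREST_TREE, 0x00800000), _GREEN]


def compare(domains):
    """Domain names each filter would hand to IPA, for a side-by-side view."""
    return {"by_attribute": [d["cn"] for d in fetch_domains_by_attribute(domains)],
            "by_flags": [d["cn"] for d in fetch_domains_by_flags(domains)]}


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("upgraded", SAMPLE_UPGRADED)):
        blue = [t for t in sample if t.dns_name == "blue.com"][0]
        print(label, describe_attributes(blue.trust_attributes), compare(sample))
```

<p>Running it shows the behaviour the thread observed: with the attribute-based check the upgraded forest yields no child domain at all, while the flag-based check returns blue.com in both forests and still leaves out the primary domain and the external trust. The decoder is the part worth keeping at hand when reading a capture: a TrustAttributes word that decodes only to OBSOLETE bits is the signature of a forest that predates the WITHIN_FOREST attribute.</p>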
</body>
</html>