[Freeipa-devel] [PATCH] 0170 AD Trust: improve trust validation

Alexander Bokovoy abokovoy at redhat.com
Mon Nov 24 13:23:19 UTC 2014


Hi,

Trust validation requires the AD DC to contact the IPA server to verify that
the trust account actually works. It can fail due to a DNS or firewall issue,
or, if the AD DC was able to resolve IPA master(s) via SRV records, it still
may contact a replica that has no trust data replicated yet.

In case the AD DC still returns 'access denied', wait 5 seconds and try
validation again.  Repeat validation until we hit a limit of 10
attempts, at which point raise an exception telling what's happening.

https://fedorahosted.org/freeipa/ticket/4764


-- 
/ Alexander Bokovoy
-------------- next part --------------
From 9b2bbe9d229f7c720d39766d3b76646358dce6a8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 24 Nov 2014 15:07:49 +0200
Subject: [PATCH] AD trust: improve trust validation

Trust validation requires the AD DC to contact the IPA server to verify that the trust
account actually works. It can fail due to a DNS or firewall issue, or, if the AD DC was
able to resolve IPA master(s) via SRV records, it still may contact a replica that has
no trust data replicated yet.

In case the AD DC still returns 'access denied', wait 5 seconds and try validation again.
Repeat validation until we hit a limit of 10 attempts, at which point raise an
exception telling what's happening.

https://fedorahosted.org/freeipa/ticket/4764
---
 ipaserver/dcerpc.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index caeca3c..e342c49 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -58,6 +58,7 @@ import pysss
 from ipaplatform.paths import paths
 
 from ldap.filter import escape_filter_chars
+from time import sleep
 
 __doc__ = _("""
 Classes to manage trust joins using DCE-RPC calls
@@ -93,6 +94,8 @@ dcerpc_error_codes = {
 dcerpc_error_messages = {
     "NT_STATUS_OBJECT_NAME_NOT_FOUND":
          errors.NotFound(reason=_('Cannot find specified domain or server name')),
+    "WERR_NO_LOGON_SERVERS":
+         errors.RemoteRetrieveError(reason=_('AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue')),
     "NT_STATUS_INVALID_PARAMETER_MIX":
          errors.RequirementError(name=_('At least the domain or IP address should be specified')),
 }
@@ -699,6 +702,7 @@ class TrustDomainInstance(object):
         self._policy_handle = None
         self.read_only = False
         self.ftinfo_records = None
+        self.validation_attempts = 0
 
     def __gen_lsa_connection(self, binding):
        if self.creds is None:
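Review bot: `self.validation_attempts` is initialised here but never reset, so the counter survives across calls on the same `TrustDomainInstance`. After a validation that eventually succeeds (or one that raises after the tenth attempt), a later `verify_trust()` on the same object starts from the old count and gives up after fewer than 10 retries. Either reset the counter to 0 on the non-recursive entry into `verify_trust()` (before the first `netr_LogonControl2Ex` call and after `return True`) or keep the attempt count as a local variable of a retry loop instead of instance state.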
@@ -1011,9 +1015,18 @@ class TrustDomainInstance(object):
                                           netlogon.NETLOGON_CONTROL_TC_VERIFY,
                                           another_domain.info['dns_domain'])
         if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)):
-            # netr_LogonControl2Ex() returns non-None result only if overall call
-            # result was WERR_OK which means verification was correct.
-            # We only check that it was indeed status for verification process
+            if (result.pdc_connection_status[0] != 0) and (result.tc_connection_status[0] != 0):
+                if result.pdc_connection_status[1] == "WERR_ACCESS_DENIED":
+                    # Most likely AD DC hit another IPA replica which yet has no trust secret replicated
+                    # Sleep and repeat again
+                    self.validation_attempts += 1
+                    if self.validation_attempts < 10:
+                        sleep(5)
+                        return self.verify_trust(another_domain)
+                    raise errors.ACIError(reason=_('IPA master denied trust validation requests from AD DC '
+                                                   '%(count)d times. Most likely AD DC contacted a replica '
+                                                   'that has no trust information replicated yet.' % (self.validation_attempts)))
+                raise assess_dcerpc_exception(*result.pdc_connection_status)
             return True
         return False
 
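Review bot: the `errors.ACIError` construction in the retry branch raises `TypeError` rather than the intended error. The format string uses a named placeholder (`%(count)d`) but the right-hand side of `%` is `(self.validation_attempts)`, a bare integer (the parentheses do not make a tuple), and a named placeholder requires a mapping. The `%` is also applied inside `_()`, so the already-formatted string is what gets looked up in the message catalog and translations never match. Suggested form: `_('IPA master denied trust validation requests from AD DC %(count)d times. ...') % dict(count=self.validation_attempts)`. Separately, retrying via `return self.verify_trust(another_domain)` recurses up to 10 frames deep and re-runs the whole `netr_LogonControl2Ex` setup each time; a `for` loop around the call with `sleep(5)` between iterations would keep the attempt counter local and make the bound on retries obvious, and the removed comment explaining that a non-None result means the overall call returned WERR_OK is still worth keeping, since the new branching on `pdc_connection_status` and `tc_connection_status` depends on that fact.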
-- 
2.1.0


