[Freeipa-users] IPA trust integration in AD Forests that been upgraded to higher functional level

Dmitri Pal dpal at redhat.com
Sat Jan 3 19:13:50 UTC 2015 

On 01/02/2015 10:13 PM, Genadi Postrilko wrote:
>
> Hello all.
>
> I'm working on integrating AD trust feature in the forest of a large 
> organization (Its network is not connected to the internet).
>
> First I tested the trust in "clean" environment (that i have deployed) 
> to simulate production forest deployment , in the following configuration:
>
>
> The forest root domain  : red.com <http://red.com>
>
> Second Domain tree      : blue.com <http://blue.com>
>
> IPA                             : linux.blue.com <http://linux.blue.com>
>
> All the AD DCs are 2008 R2 server and 2008 R2 functional level.
>
> IPA server in installed on RHEL 7.
>
> ipa-server-3.3.3-28.el7_0.1.x86_64
>
> ipa-server-trust-ad-3.3.3-28.el7_0.1.x86_64
>
> ipa-python-3.3.3-28.el7_0.1.x86_64
>
> With help of the mailing list, all works fine. Users from both red.com 
> <http://red.com> and blue.com <http://blue.com> are able to log into 
> IPA domain.
>
> After the success, I proceeded to test the trust in organization's 
> test environment.
>
> The installation of the trust itself has completed successfully. But 
> althoughusers from *red.com <http://red.com>* were able to log into 
> IPA domain, users from *blue.com <http://blue.com>* couldn't.
>
> After checking the sssd logs it seemed as blue.com <http://blue.com> 
> domain is unknown to IPA.
>
> Therefore I ran "*ipa trustdomain-find red.com <http://red.com>" *in 
> both environments, to see if there are any differences.
>
> And indeed there were:
>
> While in the "clean" environment,  the command returned both *red.com 
> <http://red.com>* and *blue.com <http://blue.com>* domains, in 
> organization's test environment it returned only *red.com 
> <http://red.com>*.
>
> I tried to re fetch the domain with "*ipa trust-fetch-domains red.com 
> <http://red.com>" *but it returned the message - " No new trust 
> domains were found".
>
> It made me think that maybe the AD is not returning all domains in the 
> forest.
>
> I opened wireshark on both environments and ran  "*ipa 
> trust-fetch-domains red.com <http://red.com>" *to see what is been 
> sent from AD to IPA.
>
> In both environments I seen the DsrEnumerateDomainTrusts request and 
> response.
>
> Reading the content of response showed that in both environments, the 
> responsecontained *red.com <http://red.com>* and *blue.com 
> <http://blue.com>* domain.
>
> After inspecting the structures that contain domains information 
> (DS_DOMAIN_TRUSTS)  , I noticed that in both environments the 
> *TrustAttribute *of red.com <http://red.com> is set to 0x0000000.
>
> But *TrustAttribute *of blue.com <http://blue.com> is set to 
> 0x00000020 (TRUST_ATTRIBUTE_WITHIN_FOREST) in the "clean" environment 
> and to 0x00800000 in the test environment.
>
> Reading MSDN for *TrustAttribute*, explains the following:
>
> http://msdn.microsoft.com/en-us/library/cc223779.aspx
>
> (TRUST_ATTRIBUTE_WITHIN_FOREST)
>
> 0x00000020
>
> If this bit is set, then the trusted domain is within the same forest.
>
> Only evaluated on Windows Server 2003, Windows Server 2008, Windows 
> Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
>
> While I couldn't find specific information about 0x00800000, but this:
>
> 0x00400000 - 0x00800000
>
> Previously used trust bits, and are obsolete.
>
> I did not find more information on 0x00800000 or a reason why the 
> attributes would be different in the two deployments.
>
> I asked for advice from Microsoft IT guy in the organization. He said 
> that difference in the *TrustAttribute *is caused by the fact, that 
> the "clean" environment was created as Windows Server 2008, while the 
> test (and production) forest was created as windows 2000 servers 
> (about  12 years ago) and the forest was gradually upgraded to 2003 
> and 2008 along the years.
>
> Couldn't find more information on the attribute for windows server 
> 2000/2003 but the theory sounds quite logical.
>
> I decided  to check if *TrustAttribute *influences IPA's domain fetch.
>
> fetch_domains function in 
> /usr/lib/python2.7/site-packages/ipaserver/dcerpc.py
>
> contains the following lines of code:
>
>     trust_attributes = dict(
>
> NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001,
>
> NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002,
>
> NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004,
>
> NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008,
>
> NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010,
>
> NETR_TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x00000020,
>
> NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040)
>
> .
>
> .
>
> .
>
> result = []
>
>     for t in domains.array:
>
> *if ((t.trust_attributes & 
> trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and*
>
> *(t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):*
>
>             res = dict()
>
>             res['cn'] = unicode(t.dns_name)
>
>             res['ipantflatname'] = unicode(t.netbios_name)
>
>             res['ipanttrusteddomainsid'] = unicode(t.sid)
>
>             res['ipanttrustpartner'] = res['cn']
>
>             result.append(res)
>
> The bit-wise operation is preformed to check if the trust attribute is 
> set to TRUST_ATTRIBUTE_WITHIN_FOREST (0x00000020) and if so, the trust 
> is added to result array.
>
> It seems the value of *TrustAttribute *set to 0x00800000 is the reason 
> the domain wasn't fetched.
>
> To confirm it I changed the if statement to:
>
> **      if ((t.trust_attributes & 
> trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] *|| *
>
> *(t.trust_attributes & 0x00800000)) *and (t.trust_flags & 
> trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
>
> **
>
> Then deleted and recreated the trust and finally ran "*ipa 
> trust-fetch-domains red.com <http://red.com>"-*
>
> this time the *blue.com <http://blue.com>* domain did appear!
>
> I was able to login with users from both red.com <http://red.com> and 
> blue.com <http://blue.com> to IPA domain.
>
> Checking both upstream 3.3 and 4.1 shows that the if statement was 
> changed to :
>
> *if*(*not*(t.trust_flags &trust_flags['NETR_TRUST_FLAG_PRIMARY'])*and*
>
> (t.trust_flags &trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
>
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-3-3#n1039
>
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/dcerpc.py?h=ipa-4-1#n1102
>
> From first sight it looks like blue.com <http://blue.com> will fetched.
>
> Haven't yet tested if upstream works in the test environment.
>
> Any thoughts on the subject will be great.
>
> (I hope i'm not mentioning something that was solved long ago).
>
> Genadi
>
>
>
Wow!

Sounds like a ticket is due...

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150103/bc46ad42/attachment.htm>

More information about the Freeipa-users mailing list