URL: https://github.com/freeipa/freeipa/pull/5298
Author: abbra
 Title: #5298: [Backport][ipa-4-9] ipatests: support subordinate upn suffixes
Action: opened

PR body:
"""
This PR was opened automatically because PR #5254 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5298/head:pr5298
git checkout pr5298
From d832de125c00ba60ff57eaa1e183803f842a9a1e Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sume...@redhat.com>
Date: Wed, 11 Nov 2020 14:55:32 +0530
Subject: [PATCH 1/2] ipatests: support subordinate upn suffixes

This test adds a new UPN suffix on the AD side within the ad.test
subtree, i.e. new.ad.test. This UPN is then assigned to aduser, after
which a kinit is attempted as aduser with the UPN set, to ensure that
the kinit succeeds.

Signed-off-by: Sudhir Menon <sume...@redhat.com>
---
 ipatests/test_integration/test_trust.py | 45 +++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 7e4dbcc6e30..31349ced76a 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -245,6 +245,51 @@ def test_upn_user_authentication_in_nonposix_trust(self):
         self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
                                 stdin_text=self.upn_password)
 
+    def test_subordinate_suffix(self):
+        """Test subordinate UPN Suffixes"""
+        tasks.configure_dns_for_trust(self.master, self.ad)
+        tasks.establish_trust_with_ad(
+            self.master, self.ad_domain,
+            extra_args=['--range-type', 'ipa-ad-trust'])
+        # Clear all UPN Suffixes
+        ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
+        self.ad.run_command(["powershell", "-c", ps_cmd])
+        result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
+        assert (
+            "ipantadditionalsuffixes: {}".format(self.upn_suffix)
+            not in result.stdout_text
+        )
+        # Run Get-ADForest
+        ps_cmd1 = "Get-ADForest"
+        self.ad.run_command(["powershell", "-c", ps_cmd1])
+        # Add new UPN for AD
+        ps_cmd2 = (
+            'Get-ADForest | Set-ADForest -UPNSuffixes '
+            '@{add="new.ad.test", "upn.dom"}'
+        )
+        self.ad.run_command(["powershell", "-c", ps_cmd2])
+        self.ad.run_command(["powershell", "-c", ps_cmd1])
+        self.master.run_command(
+            ["ipa", "trust-fetch-domains", self.ad_domain],
+            raiseonerr=False)
+        self.master.run_command(["ipa", "trust-show", self.ad_domain])
+        # Set UPN for the aduser
+        ps_cmd3 = (
+            'set-aduser -UserPrincipalName '
+            'administra...@new.ad.test -Identity Administrator'
+        )
+        self.ad.run_command(["powershell", "-c", ps_cmd3])
+        # kinit to IPA using AD user administra...@new.ad.test
+        result = self.master.run_command(
+            ["getent", "passwd", "administra...@new.ad.test"]
+        )
+        assert result.returncode == 0
+        self.master.run_command(
+            ["kinit", "-E", "administra...@new.ad.test"],
+            stdin_text="Secret123",
+        )
+        tasks.kdestroy_all(self.master)
+
     def test_remove_nonposix_trust(self):
         self.remove_trust(self.ad)
         tasks.unconfigure_dns_for_trust(self.master, self.ad)
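Review bot: The `ipa trust-fetch-domains` call is made with `raiseonerr=False` and its result discarded, and the `ipa trust-show` that follows is not inspected either, so the test never confirms that `new.ad.test` actually reached IPA as an additional suffix before the kinit; a failure there would only show up later as an unrelated getent or kinit error. Mirror the negative assertion made after clearing the suffixes: `result = self.master.run_command(["ipa", "trust-show", self.ad_domain])` followed by `assert "ipantadditionalsuffixes: new.ad.test" in result.stdout_text`. The AD-side changes (forest UPN suffixes reset to `$null` and then extended, Administrator's UserPrincipalName rewritten) are never reverted, so later tests in the class run against modified forest state; a cleanup step, or a `try/finally` around the body, would keep the test self-contained. The two bare `Get-ADForest` runs whose output is not used could be dropped or have their stdout checked.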

From bbe0ff66eaaa6b33bf5187622f6d83b8c85f316e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH 2/2] ad trust: accept subordinate domains of the forest trust
 root

Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.

Correct this situation by applying the same check to the trusted domain
name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index bb9d85c104b..07c433e14f9 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2975,10 +2975,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 
 	/* Iterate through list of trusts and check if input realm belongs to any of the trust */
 	for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+		size_t len = 0;
 		result = strncasecmp(test_realm,
 				     ipactx->mspac->trusts[i].domain_name,
 				     size) == 0;
 
+		if (!result) {
+			len = strlen(ipactx->mspac->trusts[i].domain_name);
+			if ((size > len) && (test_realm[size - len - 1] == '.')) {
+				result = strncasecmp(test_realm + (size - len),
+						     ipactx->mspac->trusts[i].domain_name,
+						     len) == 0;
+			}
+		}
+
                 if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
 			result = strncasecmp(test_realm,
 					     ipactx->mspac->trusts[i].flat_name,
@@ -2994,7 +3004,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 					/* if UPN suffix did not match exactly, find if it is
 					 * superior to the test_realm, e.g. if test_realm ends
 					 * with the UPN suffix prefixed with dot*/
-					size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+					len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
 					if ((size > len) && (test_realm[size - len - 1] == '.')) {
 						result = strncasecmp(test_realm + (size - len),
 								     ipactx->mspac->trusts[i].upn_suffixes[j],