On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
> The sequence is as follows:
> 1. Match external member against existing trusted domain
> 2. Find trusted domain's domain controller
> 3. Fetch trusted domain account auth info
> 4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with
> principal ourdomain$@trusted.domain
> 5. Do LDAP SASL interactive bind using the ccache
> 6. Search for the member's SID
> 7. Decode SID
> 8. Replace external member name by SID
>
> https://fedorahosted.org/freeipa/ticket/3211
> ---
> ipalib/plugins/group.py | 32 +++++----
> ipaserver/dcerpc.py | 172 +++++++++++++++++++++++++++++++++++++++++----
> ipaserver/plugins/ldap2.py | 3 +
> 3 files changed, 181 insertions(+), 26 deletions(-)
>
> diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
> index a174ba62cc32a7fb83474f52e2621521553889af..f86b134e61fc8c7518a64d25329babee3398c6ef 100644
> --- a/ipalib/plugins/group.py
> +++ b/ipalib/plugins/group.py
> @@ -83,28 +83,30 @@ External members should be added to groups that > specifically created as > external and non-POSIX. Such group later should be included into one of POSIX > groups. > > -An external group member is currently a Security Identifier as defined by > -the trusted domain. > +An external group member is currently a Security Identifier (SID) as defined > by > +the trusted domain. When adding external group members, it is possible to > +specify them in either SID, or DOM\\name, or name@domain format. IPA will > attempt > +to resolve passed name to SID with the use of Global Catalog of the trusted > domain. > > Example: > > -1. Make note of the trusted domain security identifier > - > - domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut -d: -f2` > - > -2. Create group for the trusted domain admins' mapping and their local POSIX > group: > +1. Create group for the trusted domain admins' mapping and their local POSIX > group: > > ipa group-add --desc='<ad.domain> admins external map' ad_admins_external > --external > ipa group-add --desc='<ad.domain> admins' ad_admins > > -3. Add security identifier of Domain Admins of the <ad.domain> to the > ad_admins_external > - group (security identifier of <ad.domain SID>-513 is Domain Admins group): > +2. Add security identifier of Domain Admins of the <ad.domain> to the > ad_admins_external > + group: > > - ipa group-add-member ad_admins_external --external ${domainsid}-513 > + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' > > -4. Allow members of ad_admins_external group to be associated with ad_admins > POSIX group: > +3. Allow members of ad_admins_external group to be associated with ad_admins > POSIX group: > > ipa group-add-member ad_admins --groups ad_admins_external > + > +4. List members of external members of ad_admins_external group to see their > SIDs: > + > + ipa group-show ad_admins_external > """)
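Review bot: step 4 of the new example, "List members of external members of ad_admins_external group to see their SIDs", is hard to parse; suggest "+4. List the external members of ad_admins_external to see their SIDs:". In the same hunk "IPA will attempt to resolve passed name to SID with the use of Global Catalog of the trusted domain" reads better as "IPA will attempt to resolve the passed name to a SID using the Global Catalog of the trusted domain", and it would help to say what happens when the Global Catalog cannot be reached (the command fails rather than storing the unresolved name). Dropping the old "${domainsid}-513" step is right for a reason worth noting in the commit message: RID 513 is the well-known Domain Users group, not Domain Admins (RID 512), so the removed example would have mapped every domain user into the admins group; resolving by name and then checking the stored SID with the group-show in step 4 avoids that class of mistake.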
A text similar to this is available when you run ipa help trust; I guess you should change that one too.

I am trying to add a Windows group now and getting this trace in my http server:

[Mon Oct 29 16:15:33 2012] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_20825) != KRB5CCNAME environment variable (/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] mod_wsgi (pid=20825): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] Traceback (most recent call last):
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/share/ipa/wsgi.py", line 49, in application
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return api.Backend.wsgi_dispatch(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 248, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self.route(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 260, in route
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return app(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1158, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver_session, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 707, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = super(xmlserver, self).__call__(environ, start_response)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 375, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] response = self.wsgi_execute(environ)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] result = self.Command[name](*args, **options)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] ret = self.run(*args, **options)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self.execute(*args, **options)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1590, in execute
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] **options)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipalib/plugins/group.py", line 387, in post_callback
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 227, in get_sid_trusted_domain_object
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] entry = self.__resolve_against_gc(info, components['name'])
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 279, in __resolve_against_gc
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] conn.sasl_interactive_bind_s(None, sasl_auth)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 562, in sasl_interactive_bind_s
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] result = func(*args,**kwargs)
[Mon Oct 29 16:15:33 2012] [error] [client 192.168.122.240] LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address)', 'desc': 'Local error'}

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
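The two failures in the trace above, as an added illustration that is not FreeIPA's code: a KRB5CCNAME swap that is never undone (the condition release_ipa_ccache reports) beside a version of steps 4 and 5 of the sequence that restores the request's ccache on every exit path, plus a guard for the GSSAPI "numeric host address" error from the SASL bind. The ccache paths are taken from the log; the function names and the environ-as-dict style are assumptions.

```python
import ipaddress
from contextlib import contextmanager

# Constructed from the paths in the traceback; helper names are assumptions.
IPA_CCACHE = "FILE:/var/run/ipa_memcached/krbcc_20825"
TRUST_CCACHE = "FILE:/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN"


def leaky_gc_lookup(environ, lookup):
    """The pattern behind the trace: KRB5CCNAME is repointed at the trusted
    domain's ccache for the SASL bind and never restored, so the request's
    own ccache is gone when release_ipa_ccache compares the two."""
    environ["KRB5CCNAME"] = TRUST_CCACHE
    return lookup()


@contextmanager
def trusted_domain_ccache(environ, path=TRUST_CCACHE):
    """Swap KRB5CCNAME only for the duration of the GC lookup and put the
    previous value back on every exit path, including exceptions."""
    previous = environ.get("KRB5CCNAME")
    environ["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        if previous is None:
            environ.pop("KRB5CCNAME", None)
        else:
            environ["KRB5CCNAME"] = previous


def safe_gc_lookup(environ, lookup):
    """Steps 4 and 5 of the sequence with the ccache scoped to the lookup."""
    with trusted_domain_ccache(environ):
        return lookup()


def ccache_matches(environ, expected):
    """The consistency check release_ipa_ccache performs at request end."""
    return environ.get("KRB5CCNAME") == expected


def gc_ldap_uri(host, port=3268):
    """GSSAPI derives the ldap/<host>@REALM target from the host name, so a
    bare IP address fails with 'Cannot determine realm for numeric host
    address'; insist on a DNS name for the Global Catalog before binding."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "ldap://%s:%d" % (host, port)
    raise ValueError("Global Catalog must be addressed by host name, got %r" % host)
```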