Re: [Freeipa-devel] [PATCH 0215-0216] Child domain fixes for AD trust

2016-08-22 Thread Martin Babinsky

On 08/19/2016 10:28 AM, Alexander Bokovoy wrote:

On Wed, 17 Aug 2016, Martin Babinsky wrote:

On 08/08/2016 01:27 PM, Alexander Bokovoy wrote:

Hi!

Attached two patches attempt to fix some of the issues we see with child
domains.

SSSD only 'sees' users from child domains if there is an ID range for
each of them. However, after refactoring of trust code when external
trust was introduced, part of the range creation had a wrong assumption
that if a trusted domain exists, its range also exists. This is now
fixed to try to create the range even if the domain exists. In fact,
because the older code was not going to the range creation for trusted
domains which already existed, adding ranges was done incorrectly: ID
ranges use the full domain name and don't need - hierarchy, but the code
was passing both parent and the child names. As a result, an attempt to
create an ID range for the parent was done instead of the child. The
parent ID range already existed so we never got to create child ID
ranges at all in that case.

Finally, there is a fix in SSSD to properly generate capaths so that
libkrb5 can calculate the correct trust path via the forest root (parent)
domain. While looking at that, I also decided to simplify the logic in
the ipa-kdb driver because for cross-forest trust we never can transit to
the child domain directly, we always have to use the forest root domain.
However, the old code could actually set an immediate domain's parent
instead of the forest root for a deep-level trust relationship within the
forest we trust. As we still cannot get to the second level or beyond
directly or via their actual parent domain, we always have to go through
the forest root domain. The simplified code enforces this logic.






ACK, but patch 215 needs rebase for ipa-4-3 and ipa-4-2.


Rebased version attached.


Thanks,

Pushed to:

master: a14ebbea895a20f5a68052e32ba65c4fd7fdf670
ipa-4-3: 775c868bacc01286eafc97e8126937d76ee53e1e
ipa-4-2: ac6248430ce3358e75e6eebf01db5b9dfc55cac0

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
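The two failure modes described in the quoted explanation above, a domain that already exists short-circuiting past range creation and the forest root's name being handed to add_range ahead of the child's, modelled as an added example. This is not FreeIPA code: the in-memory FakeDirectory, its DuplicateEntry class, the domain names and the SIDs are all constructed for illustration, and its add_range honours only the first positional domain name, which is how the commit message describes the real helper.

```python
"""Model of the child-domain ID range bug and its fix (added example).

Not FreeIPA code.  FakeDirectory stands in for the IPA API so the two
call orders discussed in the thread can be compared offline.  Domain
names and SIDs below are constructed sample data.
"""


class DuplicateEntry(Exception):
    """Stands in for ipalib.errors.DuplicateEntry."""


class FakeDirectory:
    """Minimal stand-in for trustdomain_add / add_range behaviour."""

    def __init__(self, forest_root, forest_sid):
        self.domains = {forest_root: forest_sid}
        # range name -> domain it covers; the forest root's range exists
        # before any child domain is processed, as in the real trust code
        self.ranges = {forest_root.upper() + "_id_range": forest_root}

    def trustdomain_add(self, trust_name, name, sid):
        if name in self.domains:
            raise DuplicateEntry(name)
        self.domains[name] = sid
        return {"result": {"cn": name, "ipanttrusteddomainsid": sid}}

    def add_range(self, range_name, sid, *names):
        # As the commit message describes the real helper: only the first
        # positional domain name is consulted.  A domain that already has
        # a range raises DuplicateEntry whatever range name was requested.
        target = names[0]
        if target in self.ranges.values():
            raise DuplicateEntry(range_name)
        self.ranges[range_name] = target
        return range_name

    def domains_without_range(self):
        return sorted(d for d in self.domains if d not in self.ranges.values())


def add_new_domains_old(store, trust_name, domains):
    """Pre-fix control flow: one handler, forest root passed first."""
    for name, sid in domains:
        try:
            store.trustdomain_add(trust_name, name, sid)
            # BUG 2: trust_name (the forest root) is the first name, so this
            # collides with the root's range and never creates the child's.
            store.add_range(name.upper() + "_id_range", sid, trust_name, name)
        except DuplicateEntry:
            # BUG 1: an existing domain lands here before add_range runs.
            pass


def add_new_domains_fixed(store, trust_name, domains):
    """Post-fix control flow: domain and range are handled separately."""
    for name, sid in domains:
        try:
            store.trustdomain_add(trust_name, name, sid)
        except DuplicateEntry:
            pass  # domain already known; still make sure its range exists
        try:
            store.add_range(name.upper() + "_id_range", sid, name)
        except DuplicateEntry:
            pass  # range already present: the call is idempotent


ROOT, ROOT_SID = "ad.example.test", "S-1-5-21-1-1-1"
CHILDREN = [  # constructed child domains of the trusted forest
    ("child.ad.example.test", "S-1-5-21-2-2-2"),
    ("grandchild.child.ad.example.test", "S-1-5-21-3-3-3"),
]


def run(handler, preexisting=()):
    """Apply handler to a fresh directory; return domains left without a range."""
    store = FakeDirectory(ROOT, ROOT_SID)
    for name, sid in preexisting:
        store.domains[name] = sid  # simulate a domain added by an earlier run
    handler(store, ROOT, CHILDREN)
    return store.domains_without_range()


if __name__ == "__main__":
    print("old, fresh domains:     ", run(add_new_domains_old))
    print("old, existing domains:  ", run(add_new_domains_old, CHILDREN))
    print("fixed, fresh domains:   ", run(add_new_domains_fixed))
    print("fixed, existing domains:", run(add_new_domains_fixed, CHILDREN))
```

Running it shows the old flow leaving both children without a range whether or not the domains pre-exist, while the fixed flow creates them in both cases and is safe to run again, which is what makes the oddjob helper re-entrant after a partial first run.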


Re: [Freeipa-devel] [PATCH 0215-0216] Child domain fixes for AD trust

2016-08-19 Thread Alexander Bokovoy

On Wed, 17 Aug 2016, Martin Babinsky wrote:

On 08/08/2016 01:27 PM, Alexander Bokovoy wrote:

Hi!

Attached two patches attempt to fix some of the issues we see with child
domains.

SSSD only 'sees' users from child domains if there is an ID range for
each of them. However, after refactoring of trust code when external
trust was introduced, part of the range creation had a wrong assumption
that if a trusted domain exists, its range also exists. This is now
fixed to try to create the range even if the domain exists. In fact,
because the older code was not going to the range creation for trusted
domains which already existed, adding ranges was done incorrectly: ID
ranges use the full domain name and don't need - hierarchy, but the code
was passing both parent and the child names. As a result, an attempt to
create an ID range for the parent was done instead of the child. The
parent ID range already existed so we never got to create child ID
ranges at all in that case.

Finally, there is a fix in SSSD to properly generate capaths so that
libkrb5 can calculate the correct trust path via the forest root (parent)
domain. While looking at that, I also decided to simplify the logic in
the ipa-kdb driver because for cross-forest trust we never can transit to
the child domain directly, we always have to use the forest root domain.
However, the old code could actually set an immediate domain's parent
instead of the forest root for a deep-level trust relationship within the
forest we trust. As we still cannot get to the second level or beyond
directly or via their actual parent domain, we always have to go through
the forest root domain. The simplified code enforces this logic.






ACK, but patch 215 needs rebase for ipa-4-3 and ipa-4-2.


Rebased version attached.
--
/ Alexander Bokovoy
From 62f3af93ca780921355d8ed17ab6d9c42e452cb3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Sat, 6 Aug 2016 11:12:13 +0300
Subject: [PATCH 1/3] trust: make sure ID range is created for the child domain
 even if it exists

ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain already
existed, we never attempted to create the ID range for it.

At the same time, when the domain was missing, we attempted to add the
ID range and passed both the forest root and the child domain names to
add_range(). However, add_range() only looks at the first positional
argument, which was the forest root name. That ID range always exists
(it is created before child domains are processed).

Modify the code to make sure the child domain name is passed as the
first positional argument. In addition, the oddjob helper should
explicitly set context='server' so that the idrange code will be able
to see and use the ipaserver/dcerpc.py helpers.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
---
 install/oddjob/com.redhat.idm.trust-fetch-domains |  2 +-
 ipalib/plugins/trust.py   | 13 +
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains 
b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 4c50c43..f5ec8d7 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -75,7 +75,7 @@ env._bootstrap(context='server', debug=options.debug, 
log=None)
 env._finalize_core(**dict(DEFAULT_CONFIG))
 
 # Initialize the API with the proper debug level
-api.bootstrap(context='server', debug=env.debug, log=None)
+api.bootstrap(in_server=True, debug=env.debug, log=None, context='server')
 api.finalize()
 
 # Only import trust plugin after api is initialized or internal imports
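Review bot: the commit message says the oddjob helper "should explicitly set context='server'", but on this branch the removed line already passes context='server'; the only net change in this hunk is the added in_server=True. Reword the message for the ipa-4-3/ipa-4-2 backport so it says that in_server=True is what was missing (it is what makes the server-side plugins, including the idrange helpers, visible to the API), otherwise the backport commit describes a change it does not make.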
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 8672669..c2e5745 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1592,14 +1592,19 @@ def add_new_domains_from_trust(myapi, trustinstance, 
trust_entry, domains, **opt
 if 'raw' in options:
 dom['raw'] = options['raw']
 
-res = myapi.Command.trustdomain_add(trust_name, name, **dom)
-result.append(res['result'])
+try:
+res = myapi.Command.trustdomain_add(trust_name, name, **dom)
+result.append(res['result'])
+except errors.DuplicateEntry:
+# Ignore updating duplicate entries
+pass
 
 if idrange_type != u'ipa-ad-trust-posix':
 range_name = name.upper() + '_id_range'
 dom['range_type'] = u'ipa-ad-trust'
-add_range(myapi, trustinstance, range_name, 
dom['ipanttrusteddomainsid'],
-  trust_name, name, **dom)
+add_range(myapi, trustinstance,
+  range_name, dom['ipanttrusteddomainsid'],
+  name, **dom)
 except errors.DuplicateEntry:
 # Ignore updating duplicate entries
 pass
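Review bot: the new inner handler around trustdomain_add copies the outer handler's comment "# Ignore updating duplicate entries", but its job is different: it deliberately falls through to add_range for a domain that already exists, which is the whole point of the fix, so the comment should say that. Note also that result.append(res['result']) is now skipped for an existing domain, so whatever returns result to the caller will not list a child domain whose ID range was created on this run; either append a lookup of the existing entry or document the omission.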
-- 
2.7.4
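The forest-root transit rule from the quoted explanation above, modelled as an added example that is not FreeIPA, SSSD or ipa-kdb code. It compares the immediate-parent choice the thread says the old ipa-kdb code could make with the fixed rule (every domain of a trusted forest is reached via the forest root), and renders the krb5.conf [capaths] stanza that expresses that rule for libkrb5. The realm names IPA.EXAMPLE.TEST, AD.EXAMPLE.TEST and their children are constructed sample data, and the helper names are this example's own.

```python
"""Cross-forest Kerberos transit through the forest root (added example).

Not FreeIPA, SSSD or ipa-kdb code.  It models the rule from the thread:
for a cross-forest trust the KDC can only transit to a child domain of
the trusted forest via the forest root, never via the child's immediate
parent, and it renders the matching krb5.conf [capaths] stanza.  Realm
names are constructed sample data.
"""

IPA_REALM = "IPA.EXAMPLE.TEST"     # assumed local IPA realm
FOREST_ROOT = "AD.EXAMPLE.TEST"    # assumed root of the trusted AD forest
# Constructed forest: realm -> immediate parent realm (None for the root)
FOREST = {
    "AD.EXAMPLE.TEST": None,
    "CHILD.AD.EXAMPLE.TEST": "AD.EXAMPLE.TEST",
    "GRANDCHILD.CHILD.AD.EXAMPLE.TEST": "CHILD.AD.EXAMPLE.TEST",
}


def transit_realm_old(realm, forest):
    """What the thread says the old ipa-kdb logic could pick: the realm's
    immediate parent, which for a second-level domain is not a realm the
    IPA KDC has any trust with."""
    return forest[realm]


def transit_realm(realm, forest, forest_root):
    """Fixed rule: every non-root realm of the trusted forest transits via
    the forest root; the root itself is reached directly (None)."""
    if realm not in forest:
        raise KeyError("%s is not part of the trusted forest" % realm)
    return None if realm == forest_root else forest_root


def capaths(local_realm, forest, forest_root):
    """Render a [capaths] section for local -> forest and the reverse.
    In krb5.conf a value of '.' means no intermediate realm is needed."""
    lines = ["[capaths]", "%s = {" % local_realm]
    for realm in forest:
        hop = transit_realm(realm, forest, forest_root)
        lines.append("    %s = %s" % (realm, hop if hop else "."))
    lines.append("}")
    for realm in forest:
        hop = transit_realm(realm, forest, forest_root)
        lines += ["%s = {" % realm,
                  "    %s = %s" % (local_realm, hop if hop else "."),
                  "}"]
    return "\n".join(lines) + "\n"


def compare(forest, forest_root):
    """Realms for which the old immediate-parent rule and the fixed rule
    disagree, i.e. everything below the first level of the forest."""
    return sorted(r for r in forest
                  if forest[r] is not None
                  and transit_realm_old(r, forest)
                  != transit_realm(r, forest, forest_root))


if __name__ == "__main__":
    print(capaths(IPA_REALM, FOREST, FOREST_ROOT))
    print("old and fixed rules differ for:", compare(FOREST, FOREST_ROOT))
```

For a direct child the two rules coincide, which is why the problem only shows up with second-level (or deeper) domains; the rendered stanza is the shape a client-side capaths fix has to produce for libkrb5 to route GRANDCHILD.CHILD.AD.EXAMPLE.TEST through AD.EXAMPLE.TEST rather than through CHILD.AD.EXAMPLE.TEST.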


Re: [Freeipa-devel] [PATCH 0215-0216] Child domain fixes for AD trust

2016-08-17 Thread Martin Babinsky

On 08/08/2016 01:27 PM, Alexander Bokovoy wrote:

Hi!

Attached two patches attempt to fix some of the issues we see with child
domains.

SSSD only 'sees' users from child domains if there is an ID range for
each of them. However, after refactoring of trust code when external
trust was introduced, part of the range creation had a wrong assumption
that if a trusted domain exists, its range also exists. This is now
fixed to try to create the range even if the domain exists. In fact,
because the older code was not going to the range creation for trusted
domains which already existed, adding ranges was done incorrectly: ID
ranges use the full domain name and don't need - hierarchy, but the code
was passing both parent and the child names. As a result, an attempt to
create an ID range for the parent was done instead of the child. The
parent ID range already existed so we never got to create child ID
ranges at all in that case.

Finally, there is a fix in SSSD to properly generate capaths so that
libkrb5 can calculate the correct trust path via the forest root (parent)
domain. While looking at that, I also decided to simplify the logic in
the ipa-kdb driver because for cross-forest trust we never can transit to
the child domain directly, we always have to use the forest root domain.
However, the old code could actually set an immediate domain's parent
instead of the forest root for a deep-level trust relationship within the
forest we trust. As we still cannot get to the second level or beyond
directly or via their actual parent domain, we always have to go through
the forest root domain. The simplified code enforces this logic.






ACK, but patch 215 needs rebase for ipa-4-3 and ipa-4-2.

--
Martin^3 Babinsky



[Freeipa-devel] [PATCH 0215-0216] Child domain fixes for AD trust

2016-08-08 Thread Alexander Bokovoy

Hi!

Attached two patches attempt to fix some of the issues we see with child
domains.

SSSD only 'sees' users from child domains if there is an ID range for
each of them. However, after refactoring of trust code when external
trust was introduced, part of the range creation had a wrong assumption
that if a trusted domain exists, its range also exists. This is now
fixed to try to create the range even if the domain exists. In fact,
because the older code was not going to the range creation for trusted
domains which already existed, adding ranges was done incorrectly: ID
ranges use the full domain name and don't need - hierarchy, but the code
was passing both parent and the child names. As a result, an attempt to
create an ID range for the parent was done instead of the child. The
parent ID range already existed so we never got to create child ID
ranges at all in that case.

Finally, there is a fix in SSSD to properly generate capaths so that
libkrb5 can calculate the correct trust path via the forest root (parent)
domain. While looking at that, I also decided to simplify the logic in
the ipa-kdb driver because for cross-forest trust we never can transit to
the child domain directly, we always have to use the forest root domain.
However, the old code could actually set an immediate domain's parent
instead of the forest root for a deep-level trust relationship within the
forest we trust. As we still cannot get to the second level or beyond
directly or via their actual parent domain, we always have to go through
the forest root domain. The simplified code enforces this logic.


--
/ Alexander Bokovoy
From 37e4ab4786aec94bfb057fa3146d4e18e30df391 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Sat, 6 Aug 2016 11:12:13 +0300
Subject: [PATCH 4/5] trust: make sure ID range is created for the child domain
 even if it exists

ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain already
existed, we never attempted to create the ID range for it.

At the same time, when the domain was missing, we attempted to add the
ID range and passed both the forest root and the child domain names to
add_range(). However, add_range() only looks at the first positional
argument, which was the forest root name. That ID range always exists
(it is created before child domains are processed).

Modify the code to make sure the child domain name is passed as the
first positional argument. In addition, the oddjob helper should
explicitly set context='server' so that the idrange code will be able
to see and use the ipaserver/dcerpc.py helpers.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
---
 install/oddjob/com.redhat.idm.trust-fetch-domains |  2 +-
 ipaserver/plugins/trust.py| 10 +++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains 
b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 7c948fd..bffa021 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -76,7 +76,7 @@ env._bootstrap(debug=options.debug, log=None)
 env._finalize_core(**dict(DEFAULT_CONFIG))
 
 # Initialize the API with the proper debug level
-api.bootstrap(in_server=True, debug=env.debug, log=None)
+api.bootstrap(in_server=True, debug=env.debug, log=None, context='server')
 api.finalize()
 
 # Only import trust plugin after api is initialized or internal imports
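Review bot: the context line env._bootstrap(debug=options.debug, log=None) just above this hunk still bootstraps env without context='server', so after this change env and api.env disagree on the context; pass context='server' to env._bootstrap as well (the ipa-4-3 version of this helper already does), otherwise anything in the helper that consults env before api.finalize() sees the default context rather than the one the commit message says is required.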
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index f2e0b1e..f90d9c1 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1673,15 +1673,19 @@ def add_new_domains_from_trust(myapi, trustinstance, 
trust_entry, domains, **opt
 if 'raw' in options:
 dom['raw'] = options['raw']
 
-res = myapi.Command.trustdomain_add(trust_name, name, **dom)
-result.append(res['result'])
+try:
+res = myapi.Command.trustdomain_add(trust_name, name, **dom)
+result.append(res['result'])
+except errors.DuplicateEntry:
+# Ignore updating duplicate entries
+pass
 
 if idrange_type != u'ipa-ad-trust-posix':
 range_name = name.upper() + '_id_range'
 dom['range_type'] = u'ipa-ad-trust'
 add_range(myapi, trustinstance,
   range_name, dom['ipanttrusteddomainsid'],
-  trust_name, name, **dom)
+  name, **dom)
 except errors.DuplicateEntry:
 # Ignore updating duplicate entries
 pass
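Review bot: dropping trust_name from the add_range call changes which positional slot name occupies, so this is only correct if add_range collects the domain names in a variadic *args (the commit message says it "only looks at the first positional argument"); if the signature instead names a parameter after the SID, name now lands where trust_name used to and the following slot is empty. Check the definition, which is not in the hunk, and add a short comment at the call site saying that the first name after the SID is the domain the range is created for, since the old call got exactly this wrong.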
-- 
2.7.4

From 767458d1532feb7029ff9a52e67e931fd87869ec Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Sun, 7 Aug 2016 21:42:14 +0300
Subject: [PATCH 5/5] ipa-kdb: simplify trusted domain parent search

In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with t