Hi, I prepared design page for the one-way trusts feature: https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts
The text is copied below as well for your convenience. I have a couple of questions to discuss: - Is it worth it to put the keytabs into a new subdirectory so that a special SELinux label can be applied? I think yes, since then we'd have additional layer of protection of the trust secrets - Is there any reasonable fallback beyond re-fetching the keytab we can do? I can't think of any.. - Should the IPA tools signal SSSD either via UNIX signals or via the DBus API once a trust has been added or removed to minimize the race condition and improve user experience? Currently I hope not, the proposed mechanism should be enough but testing is still required. When the design page is agreed on, I'll turn the three subsections of the implementation phase into smaller tickets and close the tracker. = Feature Name = Related ticket(s): * https://fedorahosted.org/sssd/ticket/2579 === Problem statement === The next IPA release will support one-way trusts. SSSD needs to add support for this feature in its server mode. === Use cases === One-way trust to Active Directory where FreeIPA realm trusts Active Directory forest using cross-forest trust feature of AD but the AD forest does not trust FreeIPA realm. Users from AD forest can access resources in FreeIPA realm. === Overview of the solution === At a high level, SSSD needs to examine the trust objects whether they are one-way or two way trusts. For each one-way trust, SSSD needs to fetch and store the keytab and use the keytab to secure the connection. For two-way trusts, we can keep using the existing code that reuses the IPA realm and the system keytab for both IPA and AD connectins. Care must be taken to remove keytabs of trusts that were removed as well. Fetching the keytab would be done by calling the `ipa-getkeytab` utility for every one-way trust. The keytab would only be (re)fetched if it's missing or if attempting to use the keytab failed. On the IPA server, we must make sure that the IPA server identity is allowed to read the keytab. Because handling multiple keytabs increases the risk of failing connections in case the trust wasn't setup correctly, we need to modify the failover code to not set the whole back end offline in case connecting to a subdomain AD server fails. Instead, the subdomain will be marked as inactive for a short period of time, during which it would act as offline. The proper way of solving this problem would be to rework the failover module so that it can act per domain, not only per back end, however, that change is out of scope for this release. === Implementation details === This section describes all the required changes in detail. ==== Reading the subdomains in the IPA subdomain handler ==== The IPA subdomain handler will include the attribute `ipaNTTrustDirection` when reading the trust objects. Currently this attribute is not readable by the host principal, so the IPA ACIs must be relaxed (ipa ticket?). If the trust direction is set to an OR of `lsa.LSA_TRUST_DIRECTION_OUTBOUND` and `lsa.LSA_TRUST_DIRECTION_INBOUND`, then it's a two-way trust and we'll just use the existing code that re-uses the IPA keytab for the AD trusted domain as well. If the attribute is only `lsa.LSA_TRUST_DIRECTION_OUTBOUND`, we handle the trust as a one-way trust. The trust type can be stored in `ipa_ad_server_ctx`. Each `sss_domain_info` structure will be created as `inactive` in the subdomain code. After enumerating the trusted domains, the subdomain handler will check if a keytab already exists for every one-way trusted domain. If yes, the domain is ready to use and can be enabled. If there is no keytab, the subdomain handler will fork out a call to `ipa-getkeytab`, fetch the keytab and store it under `/var/lib/sss/db`. The `ipa-getkeytab` call will be done using Kerberos credentials the host has. IPA ACIs must be modified accordingly to allow the IPA server principals to fetch the trust keytabs, but noone else. The directory `/var/lib/sss/db` is already only accessible to the sssd user only. As an additional security measure, we might want to store the keytabs under a new directory so that the keytabs also receive a SELinux context stricter than the default `sssd_var_lib_t`. If fetching the keytab succeeds, the domain would be enabled. The SELinux policy must also be adjusted to allow calling `ipa-getkeytab` by the `sssd_be` process. If any trust relationships were removed, the corresponding keytabs must be removed from the disk as well. ==== Changes to the AD id_ctx instantiation ==== With two-way trust, we can keep using the default IPA principal and keytab. With one-way trust, the keytab retrieved from the IPA server must be used. Also, the principal must be passed into the `ad_create_default_options` function. The custom values must be set before we proceed to instantiate LDAP provider options. The only AD provider option we need to set is AD_KRB5_REALM. In the LDAP provider, we must take care that the following sdap options are set correctly: * SDAP_SASL_AUTHID - must be set to the NetBIOS name of the IPA domain. (A domain `TRUST.COM` would set this value to `TRUST$`). * SDAP_SASL_REALM - must be set to the AD realm * SDAP_KRB5_KEYTAB - must be set to the per-domain keytab retrieved from IPA The AD provider eventually calls `sdap_set_sasl_options()` from the LDAP provider, we need to make sure this function receives the correct values. During experimentation we were able to show that using multiple different SASL users and different realms doesn't cause any problems in SASL or LDAP libraries. The only place that will keep using the IPA realm is the failover instantiation. We need to keep using this hack until failover is per-backend. ==== Subdomain offline status changes ==== At the moment, the whole back end can be either online or offline and the status applies to both the main domain and the subdomains alike. As an effect, a failure to connect to a subdomain server would also make the main domain operate offline. In many subdomain setups, it's actually more convenient not to, because the subdomain server might be on a different network segment, behind a different firewall etc. Instead, the domain should only be made inactive. The `sss_domain_info` structure would convert the 'bool disabled' parameter into an `enum sss_domain_state`. The supported values would be: * ''disabled'' - the domain should not be used by either responder or provider. It was removed or disabled on the server. * ''active'' - the domain can be used by a responder and the data provider would forward its request to the backend * ''inactive'' - the domain can be used by a responder, but the data provider would just shortcut as if the domain was offline. For now, this option will be used by subdomains only. The implementation would include renaming the existing `be_mark_offline()` function to be called `be_mark_dom_offline()` and modifying its behaviour. The existing code that sets the offline status and runs the offline callbacks would be called for parent domains only. For subdomains, we would mark the subdomain as inactive and schedule a tevent request that would unconditionally reset inactive domain to active. The request would be scheduled after `offline_timeout` seconds to be consistent with main domains from user's perspective. Likewise, the `be_reset_offline()` function will be extended to reset inactive domains to active as well as the SIGUSR1 and SIGUSR2 signal handlers. Finally, all calls to the `be_is_offline()` function should be inspected and the invocations that are per-domain should be converted to a new function `be_dom_is_offline()` that would check the offline status for parent domains and the offline state for subdomains. We should also make sure the backend offline status structure is opaque as currently its internals are readable by external users as well. Making the offline status opaque would make it safer to perform modifications to the offline code. In both offline and inactive cases, the ID handlers would reply with `DP_ERR_OFFLINE`. The crucial difference between offline and inactive at this point would be that inactive domains are re-activated undonditionally. When we modify the failover code to handle domains separately, we'll be able to leverage per-domain online checks or online/offline callbacks as well. ==== Detecting re-established trusts ==== In cases the `sdap_kinit_send()` request fails, the sdap code would return a special error code instead of blindly returning `EIO` as it does at the moment. When the `ipa_get_ad_acct` request receives this error code, it would re-run the subdomain request in order to check if the trust relationship still exists and in order to re-fetch the keytab again. In case the trust is still established, we would re-set the inactive domain status and re-run the account request. In case the trust went away, the subdomain code should remove the trusted domain (however, this must be tested). If the account request returns any error after reinitializing the ketab, the subdomain would be marked inactive in order to avoid fetching the keytab again and again. In order to be able to run the subdomain request separately from the subdomain back end handler, the subdomain code must be wrapped into a subdomain request as the code currently assumes it's being called from the subdomain backend handler only. === Future work === Handling failover and offline status on per-domain basis instead of per-backend basis should be done in the next release. === Configuration changes === none === How To Test === Establish a one-way trust relationship with an AD domain. Make sure both IPA and AD users are resolvable. It's prudent to test combinations of one-way and two-way trusts with different forests. Make sure removing a trust relationship removes the keytab from the filesystem. Make sure that SSSD handles re-establishing a trust relationship. === Authors === * Jakub Hrozek <jhro...@redhat.com> _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel