Bug 1219834

Summary: Samba 4.2 broke FreeIPA trusts to AD
Product: [Fedora] Fedora
Reporter: Alexander Bokovoy <abokovoy>
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 22
CC: abokovoy, asn, extras-qa, gdeschner, ipa-maint, jlayton, madam, mkosek, pviktori, pvoborni, rcritten, sbose, ssorce
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: samba-4.2.1-8.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1219832
Environment:
Last Closed: 2015-05-28 11:58:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1219832
Bug Blocks:
Attachments: Proposed patch (flags: none)

Description Alexander Bokovoy 2015-05-08 12:08:15 UTC
+++ This bug was initially created as a clone of Bug #1219832 +++

Description of problem:
With the upgrade to Samba 4.2.1, the previously working trusts-to-AD feature of FreeIPA no longer works. There are multiple changes in Samba 4.2.1 at the protocol level and in the handling of authentication that caused the FreeIPA Python code to fail.

Namely, the underlying Samba code considers a DCE RPC connection authenticated using Kerberos credentials obtained via the S4U2Proxy mechanism to still be anonymous, and therefore is unable to derive a session key from the Krb5 session.

This breaks communication from the FreeIPA web server to the local smbd process, where we operate under the credentials of an admin, which were given to us through S4U2Proxy.

The DCE RPC (LSA RPC in this case) session key is essential to encrypt trust secrets for the cross-realm trust. Unavailability of the session key breaks the process of establishing the trust.

Version-Release number of selected component (if applicable):
samba-4.2.1-7.fc22

How reproducible:
Always

Steps to Reproduce:
1. Install FreeIPA: freeipa-server, freeipa-server-trust-ad (and other packages if integrated DNS server is required)
2. Deploy FreeIPA with ipa-server-install and further configure it to work with AD: ipa-adtrust-install
3. Attempt to configure trust: ipa trust-add ad.test --admin Administrator --password
4. Observe failure

Actual results:
# echo Test1234|ipa trust-add ad.test --admin Administrator --password

in /var/log/httpd/error_log:
[Wed Apr 29 17:17:34.763163 2015] [wsgi:error] [pid 15115] ipa: INFO: [jsonserver_session] admin.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): RemoteRetrieveError


Expected results:
# echo Test1234|ipa trust-add ad.test --admin Administrator --password

----------------------------------------
Re-established trust to domain "ad.test"
----------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2275361654-3393353068-3720134936
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

In /var/log/httpd/error_log:
[Fri May 08 11:56:15.979347 2015] [wsgi:error] [pid 7359] ipa: INFO: [jsonserver_session] admin.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): SUCCESS

--- Additional comment from Alexander Bokovoy on 2015-05-08 15:01:02 EEST ---

Attached is the patch that fixes the problem for me. Credentials should not be considered anonymous if they were obtained via Kerberos.

--- Additional comment from Alexander Bokovoy on 2015-05-08 15:06:36 EEST ---

Even with the patch to Samba we need to update FreeIPA code to consider more pipe binding options.

Here is an example of how the error message would look when using the default FreeIPA 4.1.4 code:

# echo Test1234|ipa trust-add ad.test --admin Administrator --password
ipa: ERROR: CIFS server communication error: code "-1073741776",
                  message "An invalid combination of parameters was specified." (both may be "None")

i.e. Samba returns NT_STATUS_INVALID_PARAMETER_MIX.

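The failure described above is visible as a missing DCE RPC session key on the LSA pipe. The following is an added example (not FreeIPA's or Samba's own code) of a defensive connect routine: it tries several binding options in turn, the way the report says FreeIPA had to, and converts the signed code FreeIPA logs ("-1073741776") into the NTSTATUS value 0xC0000030 (NT_STATUS_INVALID_PARAMETER_MIX). The binding strings, the host name and the use of samba.NTSTATUSError are assumptions.

```python
# Added example, not FreeIPA's or Samba's code.  Pure helpers run anywhere;
# the connect routine needs the Samba python bindings of an IPA/Samba host.
try:
    from samba import NTSTATUSError, credentials
    from samba.dcerpc import lsa
    from samba.param import LoadParm
except ImportError:  # bindings absent: only the pure helpers are usable
    lsa = None

# Value documented by Samba; the bug report quotes it in signed form.
NT_STATUS_INVALID_PARAMETER_MIX = 0xC0000030


def ntstatus_from_signed(code):
    """FreeIPA logs NTSTATUS as a signed 32-bit int (e.g. -1073741776);
    mask it back to the unsigned form used in Samba's headers."""
    return code & 0xFFFFFFFF


def lsa_bindings(host):
    """Constructed candidate binding strings (assumption, not FreeIPA's list):
    'seal' requests privacy, 'krb5' forces Kerberos authentication."""
    return [
        "ncacn_np:%s[krb5,seal]" % host,
        "ncacn_np:%s[seal]" % host,
        "ncacn_ip_tcp:%s[seal]" % host,
    ]


def connect_lsa_with_session_key(host):
    """Return (lsarpc connection, session key), or raise RuntimeError
    listing every binding that was rejected and why."""
    if lsa is None:
        raise RuntimeError("samba python bindings not available")
    lp = LoadParm()
    lp.load_default()
    creds = credentials.Credentials()
    creds.guess(lp)
    # Use the Kerberos ticket already in the credential cache (for the
    # FreeIPA web server that is the S4U2Proxy-obtained admin ticket).
    creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
    failures = []
    for binding in lsa_bindings(host):
        try:
            conn = lsa.lsarpc(binding, lp, creds)
            # Accessing session_key raises if Samba treats the connection as
            # anonymous; without it trust secrets cannot be encrypted.
            return conn, conn.session_key
        except NTSTATUSError as e:
            code, msg = e.args[0], e.args[1]
            failures.append("%s: 0x%08X %s" % (binding, ntstatus_from_signed(code), msg))
    raise RuntimeError("no usable LSA binding: " + "; ".join(failures))
```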
Comment 1 Alexander Bokovoy 2015-05-08 12:14:27 UTC
Created attachment 1023463 [details]
Proposed patch

The attached patch makes FreeIPA work with Samba 4.2.1 with the fix for anonymous credentials.

Comment 2 Fedora Update System 2015-05-11 19:08:51 UTC
samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22

Comment 3 Fedora Update System 2015-05-12 20:50:35 UTC
Package samba-4.2.1-8.fc22, freeipa-4.1.4-4.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing samba-4.2.1-8.fc22 freeipa-4.1.4-4.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-8084/samba-4.2.1-8.fc22,freeipa-4.1.4-4.fc22
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-05-28 11:58:46 UTC
samba-4.2.1-8.fc22, freeipa-4.1.4-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.