|Summary:||[RFE] Support One-Way Trust authenticated by trust secret|
|Product:||Red Hat Enterprise Linux 7||Reporter:||Aly <opennetworksolutions>|
|Component:||ipa||Assignee:||IPA Maintainers <ipa-maint>|
|Status:||CLOSED ERRATA||QA Contact:||Kaleem <ksiddiqu>|
|Severity:||high||Docs Contact:||Marc Muehlfeld <mmuehlfe>|
|Version:||7.4||CC:||abokovoy, abradshaw, asakure, cheimes, ddas, gparente, jhrozek, jvilicic, ktadimar, michael.ward, mkosek, mmuehlfe, molasaga, mowens, opennetworksolutions, pasik, pvoborni, rcritten, sorlov, tmihinto, tscherf|
|Fixed In Version:||ipa-4.6.5-2.el7||Doc Type:||Enhancement|
IdM supports establishing a one-way trust from a Windows DC using a shared secret With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust to Active Directory (AD) authenticated by a shared secret from the Windows AD domain controller (DC). Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in the mentioned scenario. As a result, IdM now supports establishing a one-way forest trust using a shared secret from both Active Directory and from IdM.
|Last Closed:||2019-08-06 13:09:02 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1421663|
|Bug Blocks:||1644708, 1550132, 1647919|
Description Aly 2016-06-13 14:33:33 UTC
Description of problem: Access Denied error when created a one-way trust using a trust-secret and attempting to validate on the Active Directory side (last step of trust procedure). Version-Release number of selected component (if applicable): ipa-server-trust-ad-4.2.0-15.el7_2.15.x86_64 ipa-python-4.2.0-15.el7_2.15.x86_64 ipa-admintools-4.2.0-15.el7_2.15.x86_64 ipa-server-4.2.0-15.el7_2.15.x86_64 ipa-client-4.2.0-15.el7_2.15.x86_64 Red Hat Enterprise Linux Server release 7.2 (Maipo) How reproducible: Very Steps to Reproduce: 1.The documentation advises to create the trust on the windows side with these steps: The Trust Type is Forest trust. The Direction of Trust is One-way. The Sides of Trust is This domain only. The Outgoing Trust Authentication Level is Forest-wide authentication.(not this option does not exist on a one-way trust as noted in the document) Set the Trust Password. 2. ipa trust-add --type=ad --trust-secret domain.test 3. ipa trust-fetch-domains 4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh 5. prompted for credentials (Not expected), 6. credentials for IPA domain do not work 7. Eventually errors out with "Access Denied" Expected results: 4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh 5. "Name Suffix Routing" being populated 6. Trust setup-complete Additional info: When I select a *two-way* trust on the Active Directory side, I was able to achieve the trust including the "Name Suffix Routing" being populated when I hit refresh. As expected this worked without any prompt for credentials. However the noted procedure does not work for a one-way trust using a trust-secret. I have additional information from Alexander who was assisting debug this issue: "The following was found in the samba logs: [2016/06/13 08:06:44.098299, 3, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP) api_rpcTNP: rpc command: NETR_DSRGETFORESTTRUSTINFORMATION [2016/06/13 08:06:44.098304, 6, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds.fn == 0x7f90496d38d0 [2016/06/13 08:06:44.098318, 1, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation in: struct netr_DsRGetForestTrustInformation server_name : * server_name : '\\f24-master.ipa.ad.test' trusted_domain_name : NULL flags : 0x00000000 (0) [2016/06/13 08:06:44.098334, 4, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1480(api_rpcTNP) api_rpcTNP: fault(5) return. The fault(5) is librpc/idl/dcerpc.idl: DCERPC_FAULT_ACCESS_DENIED = 0x00000005, something is missing in the access token when IPA admin credentials are used to connect to retrieve forest trust information from AD side "
Comment 2 Petr Vobornik 2016-06-22 17:01:15 UTC
Alexander, what is your assessment?
Comment 3 Alexander Bokovoy 2016-06-22 17:17:26 UTC
I'm still looking at this. It is non-trivial and I'm not sure we can fix it for RHEL 7.3.
Comment 4 Petr Vobornik 2016-07-13 13:55:10 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6077
Comment 5 Petr Vobornik 2016-07-21 16:29:33 UTC
*** Bug 1355640 has been marked as a duplicate of this bug. ***
Comment 7 Petr Vobornik 2016-09-07 13:50:28 UTC
*** Bug 1300040 has been marked as a duplicate of this bug. ***
Comment 11 Martin Kosek 2017-03-28 10:57:31 UTC
Alexander Bokovoy tested the workflow with fixed cyrus sasl (with GSS-SPNEGO support - Bug 1421663) and the workflow still requested features/capabilities that IdM server does not have - this makes this Bugzilla an actual RFE - updating title.
Comment 18 Alexander Bokovoy 2018-06-19 12:54:22 UTC
An update on the status of this RFE. For the reference, there are two patchsets required: https://github.com/SSSD/sssd/pull/522 is for SSSD, and https://github.com/abbra/freeipa/commit/05d211a1e8a208e065463ab05f5f09491df8052f is for FreeIPA. They are work in progress upstream and not suitable for including in production yet. They originally were made to allow one-way trust from Samba AD side and since Samba AD closely follows what Windows does in this exchange, they should help us too. For Samba AD an additional Samba AD patchset is required to fix trusted domain object principal's salt. I have verified with a new install that Windows Server 2012R2 and FreeeIPA/SSSD with my patches are able to get one-way trust with a shared secret working at least partially. The sequence is following: Establish a one-way trust with a shared secret on IPA side: ipa trust-add <ad-domain> --shared-secret On Windows side, open Active Directory Domain and Trusts tool Open properties for the Windows forest Choose 'Trusts' tab and press 'New trust' button there Navigate through the trust wizard by entering: IPA forest name, then 'next' Choose 'Forest trust' on the Trust Type page Choose 'One-way: incoming' on the Direction of Trust page Choose 'This domain only' on the Sides of Trust page Enter the same shared secret one was using in step (1) with 'ipa trust-add' Complete trust wizard Going back to the trust properties, one can now validate trust from Windows side. However, retrieving forest trust information is not working due to Samba not having it implemented for non-Samba AD case which is what FreeIPA Samba DC is using. I am working on a FreeIPA design and will publish it on freeipa.org wiki once I get existing patches sorted out so that they can be used together with the design to understand the setup. The code I have works already for new deployments, we need to polish and merge it upstream. The part that is not done completely yet is upgrading existing trust agreements. SSSD part needs a better implementation as agreed with Jakub in https://github.com/SSSD/sssd/pull/522
Comment 20 Alexander Bokovoy 2018-09-18 07:47:48 UTC
Another update: - SSSD 1.16.3 and 2.0 were released with SSSD patches - Samba 4.7, 4.8, 4.8 got released with enhancements that allow proceeding with the trust against Samba AD. - FreeIPA patches are still pending the remaining upgrade code work
Comment 21 Florence Blanc-Renaud 2018-10-19 13:46:32 UTC
*** Bug 1190566 has been marked as a duplicate of this bug. ***
Comment 22 Alexander Bokovoy 2019-03-22 18:42:09 UTC
A pull request to FreeIPA is submitted now: https://github.com/freeipa/freeipa/pull/2926
Comment 23 Christian Heimes 2019-03-28 13:12:22 UTC
Fixed upstream master: https://pagure.io/freeipa/c/2a8176ee03318f208a86d25bd9320f885b16d112 https://pagure.io/freeipa/c/120bab0d9c9970979d109583329a13fc3e4949f3 https://pagure.io/freeipa/c/dc8f074cc7ba647644b96785590f1645e5661a93 https://pagure.io/freeipa/c/18cb30d4638c0fecf5f02735f2b4794be5d97b67 https://pagure.io/freeipa/c/dca901c05ef6dde69145963d3ea51b994b568740 ipa-4-7: https://pagure.io/freeipa/c/50c0d6dc7b93abe2448ecc499e32e11bf5e3e7f5 https://pagure.io/freeipa/c/f6183c80826c90a8b0c051284d66cb0a2378cdc1 https://pagure.io/freeipa/c/0b5ae1bd00c336c1963efdb28891780fb61af17e https://pagure.io/freeipa/c/2a7731c5ae8d3f7fad9ee20584e271100d090557 https://pagure.io/freeipa/c/595f42af25f882fe5d45b0e08bdd5300d7267fdb ipa-4-6: https://pagure.io/freeipa/c/9a453619c8c46322fc652f57376e4e834f957f57 https://pagure.io/freeipa/c/076d89429d838b472782f20da483841847e435b5 https://pagure.io/freeipa/c/b70e4d19d8bb610fedc50c8ad17cb7b61229247f https://pagure.io/freeipa/c/7a7ef33fa8d1e800467e7bda5e23170edbabb4a2 https://pagure.io/freeipa/c/b2bac94c2486523f180a16068c5c07df8169aa1f https://pagure.io/freeipa/c/7476953c85eddd92e7a2f010a34a3ba421c91965 https://pagure.io/freeipa/c/9ce3a29915fa691369fff8401b5995e0f7f06e06
Comment 31 Sergey Orlov 2019-05-29 11:04:53 UTC
On the Doc Text: external trust is also supported, as well as forest one.
Comment 32 Sergey Orlov 2019-07-02 10:15:27 UTC
Comment 34 errata-xmlrpc 2019-08-06 13:09:02 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2241