Bug 1345975

Summary: [RFE] Support One-Way Trust authenticated by trust secret
Product: Red Hat Enterprise Linux 7 Reporter: Aly <opennetworksolutions>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: high Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.4CC: abokovoy, abradshaw, asakure, cheimes, ddas, gparente, jhrozek, jvilicic, ktadimar, michael.ward, mkosek, mmuehlfe, molasaga, mowens, opennetworksolutions, pasik, pvoborni, rcritten, sorlov, tmihinto, tscherf
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Fixed In Version: ipa-4.6.5-2.el7 Doc Type: Enhancement
Doc Text:
IdM supports establishing a one-way trust from a Windows DC using a shared secret With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust to Active Directory (AD) authenticated by a shared secret from the Windows AD domain controller (DC). Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in the mentioned scenario. As a result, IdM now supports establishing a one-way forest trust using a shared secret from both Active Directory and from IdM.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:09:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1421663    
Bug Blocks: 1550132, 1644708, 1647919    

Description Aly 2016-06-13 14:33:33 UTC
Description of problem: 
Access Denied error when created a one-way trust using a trust-secret and attempting to validate on the Active Directory side (last step of trust procedure). 

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:

Steps to Reproduce:
1.The documentation advises to create the trust on the windows side with these steps:
   The Trust Type is Forest trust.
   The Direction of Trust is One-way.
   The Sides of Trust is This domain only.
   The Outgoing Trust Authentication Level is Forest-wide authentication.(not this option does not exist on a one-way trust as noted in the document)
   Set the Trust Password.
2. ipa trust-add --type=ad --trust-secret domain.test
3. ipa trust-fetch-domains
4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh
5. prompted for credentials (Not expected), 
6. credentials for IPA domain do not work
7. Eventually errors out with "Access Denied"

Expected results:
4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh
5. "Name Suffix Routing" being populated
6. Trust setup-complete

Additional info:
When I select a *two-way* trust on the Active Directory side, I was able to achieve the trust including the "Name Suffix Routing" being populated when I hit refresh. As expected this worked without any prompt for credentials. 

However the noted procedure does not work for a one-way trust using a trust-secret. I have additional information from Alexander who was assisting debug this issue:

"The following was found in the samba logs:

[2016/06/13 08:06:44.098299,  3, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
[2016/06/13 08:06:44.098304,  6, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
api_rpc_cmds[43].fn == 0x7f90496d38d0
[2016/06/13 08:06:44.098318,  1, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
      netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
         in: struct netr_DsRGetForestTrustInformation
             server_name              : *
                 server_name              : '\\f24-master.ipa.ad.test'
             trusted_domain_name      : NULL
             flags                    : 0x00000000 (0)
[2016/06/13 08:06:44.098334,  4, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1480(api_rpcTNP)
api_rpcTNP: fault(5) return.

The fault(5) is librpc/idl/dcerpc.idl:          DCERPC_FAULT_ACCESS_DENIED = 0x00000005,

something is missing in the access token when IPA admin credentials are used to connect to retrieve forest trust information from AD side "

Comment 2 Petr Vobornik 2016-06-22 17:01:15 UTC
Alexander, what is your assessment?

Comment 3 Alexander Bokovoy 2016-06-22 17:17:26 UTC
I'm still looking at this. It is non-trivial and I'm not sure we can fix it for RHEL 7.3.

Comment 4 Petr Vobornik 2016-07-13 13:55:10 UTC
Upstream ticket:

Comment 5 Petr Vobornik 2016-07-21 16:29:33 UTC
*** Bug 1355640 has been marked as a duplicate of this bug. ***

Comment 7 Petr Vobornik 2016-09-07 13:50:28 UTC
*** Bug 1300040 has been marked as a duplicate of this bug. ***

Comment 11 Martin Kosek 2017-03-28 10:57:31 UTC
Alexander Bokovoy tested the workflow with fixed cyrus sasl (with GSS-SPNEGO support - Bug 1421663) and the workflow still requested features/capabilities that IdM server does not have - this makes this Bugzilla an actual RFE - updating title.

Comment 18 Alexander Bokovoy 2018-06-19 12:54:22 UTC
An update on the status of this RFE.

For the reference, there are two patchsets required: https://github.com/SSSD/sssd/pull/522 is for SSSD, and https://github.com/abbra/freeipa/commit/05d211a1e8a208e065463ab05f5f09491df8052f is for FreeIPA. They are work in progress upstream and not suitable for including in production yet.

They originally were made to allow one-way trust from Samba AD side and since Samba AD closely follows what Windows does in this exchange, they should help us too. For Samba AD an additional Samba AD patchset is required to fix trusted domain object principal's salt.

I have verified with a new install that Windows Server 2012R2 and FreeeIPA/SSSD with my patches are able to get one-way trust with a shared secret working at least partially.

The sequence is following:

    Establish a one-way trust with a shared secret on IPA side: ipa trust-add <ad-domain> --shared-secret
    On Windows side, open Active Directory Domain and Trusts tool
    Open properties for the Windows forest
    Choose 'Trusts' tab and press 'New trust' button there
    Navigate through the trust wizard by entering:
        IPA forest name, then 'next'
        Choose 'Forest trust' on the Trust Type page
        Choose 'One-way: incoming' on the Direction of Trust page
        Choose 'This domain only' on the Sides of Trust page
        Enter the same shared secret one was using in step (1) with 'ipa trust-add'
        Complete trust wizard

Going back to the trust properties, one can now validate trust from Windows side. However, retrieving forest trust information is not working due to Samba not having it implemented for non-Samba AD case which is what FreeIPA Samba DC is using.

I am working on a FreeIPA design and will publish it on freeipa.org wiki once I get existing patches sorted out so that they can be used together with the design to understand the setup. The code I have works already for new deployments, we need to polish and merge it upstream. The part that is not done completely yet is upgrading existing trust agreements.

SSSD part needs a better implementation as agreed with Jakub in https://github.com/SSSD/sssd/pull/522

Comment 20 Alexander Bokovoy 2018-09-18 07:47:48 UTC
Another update:

- SSSD 1.16.3 and 2.0 were released with SSSD patches

- Samba 4.7, 4.8, 4.8 got released with enhancements that allow proceeding with the trust against Samba AD.

- FreeIPA patches are still pending the remaining upgrade code work

Comment 21 Florence Blanc-Renaud 2018-10-19 13:46:32 UTC
*** Bug 1190566 has been marked as a duplicate of this bug. ***

Comment 22 Alexander Bokovoy 2019-03-22 18:42:09 UTC
A pull request to FreeIPA is submitted now: https://github.com/freeipa/freeipa/pull/2926

Comment 31 Sergey Orlov 2019-05-29 11:04:53 UTC
On the Doc Text: external trust is also supported, as well as forest one.

Comment 34 errata-xmlrpc 2019-08-06 13:09:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.