Bug 1371915

Summary: When establishing external two-way trust, forest root Administrator account is used to fetch domain info
Product: Red Hat Enterprise Linux 7
Reporter: Martin Bašti <mbasti>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: lmiksik, mbabinsk, pvoborni, rcritten, sumenon
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.4.0-10.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-11-04 06:02:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1375269
Attachments: http error log (flags: none)

Description Martin Bašti 2016-08-31 12:25:25 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6277

When establishing external trust and specifying domain Admin's name without realm component, the credential generation code erroneously selects the forest root domain name as the realm component of domain admin account name. If the domain admins use separate account passwords (as is usually the case in real-life deployments), `trust-add` tries to fetch trusted domain info using wrong credentials and thus fails to authenticate against DCs of trusted domain:

{{{
s4_tevent: Destroying timer event 0x7f72ce7153f0 "tevent_req_timedout"
     &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
        command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
        sbz                      : 0x0000 (0)
        server_type              : 0x0000f1fd (61949)
               1: NBT_SERVER_PDC
               1: NBT_SERVER_GC
               1: NBT_SERVER_LDAP
               1: NBT_SERVER_DS
               1: NBT_SERVER_KDC
               1: NBT_SERVER_TIMESERV
               1: NBT_SERVER_CLOSEST
               1: NBT_SERVER_WRITABLE
               0: NBT_SERVER_GOOD_TIMESERV
               0: NBT_SERVER_NDNC
               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
               1: NBT_SERVER_FULL_SECRET_DOMAIN_6
               1: NBT_SERVER_ADS_WEB_SERVICE
               1: NBT_SERVER_DS_8
               0: NBT_SERVER_HAS_DNS_NAME
               0: NBT_SERVER_IS_DEFAULT_NC
               0: NBT_SERVER_FOREST_ROOT
        domain_uuid              : c3374e8b-8a15-45d2-a518-325a2886e2e3
        forest                   : 'root-dom.ad.forest.test'
        dns_domain               : 'tree-dom.ad.forest.test'
        pdc_dns_name             : 'adtree.tree-dom.ad.forest.test'
        domain_name              : 'TREE-DOM'
        pdc_name                 : 'ADTREE'
        user_name                : ''
        server_site              : 'Default-First-Site-Name'
        client_site              : 'Default-First-Site-Name'
        sockaddr_size            : 0x00 (0)
        sockaddr: struct nbt_sockaddr
            sockaddr_family          : 0x00000000 (0)
            pdc_ip                   : (null)
            remaining                : DATA_BLOB length=0
        next_closest_site        : NULL
        nt_version               : 0x00000005 (5)
               1: NETLOGON_NT_VERSION_1
               0: NETLOGON_NT_VERSION_5
               1: NETLOGON_NT_VERSION_5EX
               0: NETLOGON_NT_VERSION_5EX_WITH_IP
               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
               0: NETLOGON_NT_VERSION_PDC
               0: NETLOGON_NT_VERSION_IP
               0: NETLOGON_NT_VERSION_LOCAL
               0: NETLOGON_NT_VERSION_GC
        lmnt_token               : 0xffff (65535)
        lm20_token               : 0xffff (65535)
finddcs: Found matching DC 2620:52:0:224e:21a:4aff:fe23:1596 with server_type=0x0000f1fd
[Wed Aug 31 12:17:16.535749 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Destroying the contents of the separate ccache
[Wed Aug 31 12:17:16.536234 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Starting external process
[Wed Aug 31 12:17:16.536306 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kdestroy -A -c /var/run/ipa_memcached/krbcc_TDAtree-dom.ad.forest.test
[Wed Aug 31 12:17:16.553353 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=0
[Wed Aug 31 12:17:16.553484 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=
[Wed Aug 31 12:17:16.553539 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=
[Wed Aug 31 12:17:16.553720 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Running kinit with credentials of AD administrator
[Wed Aug 31 12:17:16.553893 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Starting external process
[Wed Aug 31 12:17:16.553951 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kinit Administrator.FOREST.TEST <-- *should be TREE-DOM.AD.FOREST.TEST
[Wed Aug 31 12:17:17.397022 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=1
[Wed Aug 31 12:17:17.397298 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=Password for Administrator.FOREST.TEST:
[Wed Aug 31 12:17:17.397307 2016] [wsgi:error] [pid 75094]
[Wed Aug 31 12:17:17.397367 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=kinit: Password incorrect while getting initial credentials
[Wed Aug 31 12:17:17.397375 2016] [wsgi:error] [pid 75094]
[Wed Aug 31 12:17:17.399233 2016] [wsgi:error] [pid 75094] ipa: INFO: [jsonserver_session] admin: trust_add/1(u'tree-dom.ad.forest.test', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, external=True, version=u'2.212'): SUCCESS
}}}

Steps to reproduce:

1.) Set up an AD forest of at least two domains (root-tree, or root-child) and make sure that domain Admins have different passwords

2.) Install FreeIPA server and run ipa-adtrust-install

3.) Try to establish external trust to the tree or child domain of the forest

{{{
ipa trust-add AD.TREE.DOMAIN --external=True --two-way=True --admin Administrator
}}}

Expected results:

The trust is added and all domain info is retrieved correctly

Actual results:

Fetching trusted domain info fails and the httpd error log contains an unsuccessful kinit as root domain administrator
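
The realm-selection mistake the description reports, as an added illustration written for this page. It is not FreeIPA's own code: the class and function names are assumptions, the domain-info fields mirror the `forest`, `dns_domain` and `domain_name` values in the NETLOGON response above, and `admin_principal_buggy` reproduces the behaviour described (bare admin name gets the forest root as realm) beside the intended behaviour (realm of the domain the trust actually targets).

```python
# Added illustration (not FreeIPA's own code): choosing the Kerberos realm for
# the AD administrator credential when establishing an external trust to a
# tree or child domain of a forest. Names below are assumptions for this
# example; the domain-info fields mirror the NETLOGON response in the report.
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedDomainInfo:
    """Subset of the NETLOGON_SAM_LOGON_RESPONSE_EX fields relevant here."""
    forest: str        # forest root DNS name, e.g. root-dom.ad.forest.test
    dns_domain: str    # DNS name of the domain the trust is established with
    domain_name: str   # NetBIOS (flat) name of that domain, e.g. TREE-DOM


def _parse_admin(admin):
    """Split an admin name into (user, realm_hint, netbios_hint).

    Accepted forms: 'user', 'user@REALM', 'NETBIOS\\user'.
    """
    if "@" in admin:
        user, realm = admin.split("@", 1)
        return user, realm, None
    if "\\" in admin:
        netbios, user = admin.split("\\", 1)
        return user, None, netbios
    return admin, None, None


def admin_principal_buggy(admin, info):
    """Behaviour the report describes: a bare user name is given the forest
    root as its realm, so kinit runs against the wrong domain's admin."""
    user, realm, _netbios = _parse_admin(admin)
    if realm is None:
        realm = info.forest
    return "%s@%s" % (user, realm.upper())


def admin_principal_fixed(admin, info):
    """Bare user names (and NETBIOS\\user names naming the trusted domain)
    are mapped to the realm of the domain the trust targets, never to the
    forest root. An explicit user@REALM is honoured as given."""
    user, realm, netbios = _parse_admin(admin)
    if realm is not None:
        return "%s@%s" % (user, realm.upper())
    if netbios is not None and netbios.upper() != info.domain_name.upper():
        raise ValueError(
            "NetBIOS domain %r does not match trusted domain %r"
            % (netbios, info.domain_name))
    return "%s@%s" % (user, info.dns_domain.upper())


if __name__ == "__main__":
    # Constructed sample using the forest/domain names from the report's log.
    info = TrustedDomainInfo(
        forest="root-dom.ad.forest.test",
        dns_domain="tree-dom.ad.forest.test",
        domain_name="TREE-DOM",
    )
    for admin in ("Administrator", "TREE-DOM\\Administrator",
                  "Administrator@tree-dom.ad.forest.test"):
        print("%-40s buggy: %-40s fixed: %s" % (
            admin, admin_principal_buggy(admin, info),
            admin_principal_fixed(admin, info)))
```

The point of the contrast is that with separate per-domain admin passwords the buggy mapping does not merely fail: it sends the tree domain's password to the forest root's administrator account, which is the failed kinit the httpd log records.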

Comment 1 Martin Bašti 2016-08-31 13:09:05 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f32e0e4e522e09390f4295dd79f52d7a48877d3a

Comment 4 Sudhir Menon 2016-09-15 14:34:15 UTC
Tested on RHEL7.3 using

ipa-server-trust-ad-4.4.0-11.el7.x86_64
ipa-server-4.4.0-11.el7.x86_64

1. The Domain Admins (administrator) account has a different password for test.qa and chd.pne.qe in the test env.

Actual Steps:-
1. External trust to tree-root domain
[root@master ~]# ipa trust-add --two-way=true --external=true
Realm name: test.qa
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

2. External trust to child domain
[root@master ~]# ipa trust-add --two-way=true --external=true
Realm name: chd.pne.qe
Active Directory domain administrator: Administrator  
Active Directory domain administrator's password: 
---------------------------------------------------
Added Active Directory trust for realm "chd.pne.qe"
---------------------------------------------------
  Realm name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

[root@master ~]# ipa trustdomain-find
Realm name: chd.pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# ipa trustdomain-find
Realm name: test.qa
  Domain name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

Note: ipa trust-fetch-domains already has a bug #1375269 which will be verified once that is fixed.

Comment 5 Sudhir Menon 2016-09-16 19:13:34 UTC
Created attachment 1201793 [details]
http error log

1. [root@master httpd]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  UPN suffixes: qa.org
----------------------------
Number of entries returned 1
----------------------------

1. [root@master httpd]# ipa trust-fetch-domains
Realm name: test.qa
--------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
--------------------------------------------------------------------------------
Number of entries returned 0
----------------------------

2. Attached, httpd error log does not contain unsuccessful kinit as root domain administrator
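
The check performed in this comment (no failed kinit as the root domain administrator in the httpd error log), as an added example written for this page rather than anything from the report or from FreeIPA. The sample log lines are constructed in the format shown in the description; the function names are assumptions.

```python
# Added example (not FreeIPA's code): scan httpd error-log lines for kinit
# invocations that exited non-zero, and optionally restrict the result to
# principals in a given realm. Function names are assumptions for this page.
import re

# Constructed sample in the format of the log quoted in the description:
# a failed kinit as the forest-root-style principal, then a successful one.
SAMPLE_LOG = """\
[Wed Aug 31 12:17:16.553720 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Running kinit with credentials of AD administrator
[Wed Aug 31 12:17:16.553951 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kinit Administrator.FOREST.TEST
[Wed Aug 31 12:17:17.397022 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=1
[Wed Aug 31 12:17:17.397298 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=Password for Administrator.FOREST.TEST:
[Wed Aug 31 12:17:17.397367 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=kinit: Password incorrect while getting initial credentials
[Wed Aug 31 12:17:18.000000 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kinit Administrator@TREE-DOM.AD.FOREST.TEST
[Wed Aug 31 12:17:18.500000 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=0
"""

# "[timestamp] [wsgi:error] [pid N] ipa: DEBUG: <message>"
_MSG = re.compile(r"^\[[^\]]+\] \[wsgi:error\] \[pid (\d+)\] ipa: DEBUG: (.*)$")


def failed_kinits(lines):
    """Return [(principal, stderr_text)] for every kinit that exited non-zero.

    State is kept per httpd worker pid because several workers interleave
    their lines in the same log file.
    """
    pending = {}   # pid -> principal of the kinit most recently started
    failed = {}    # pid -> principal whose process exited non-zero, stderr pending
    results = []
    for line in lines:
        m = _MSG.match(line.rstrip("\n"))
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("args=/usr/bin/kinit "):
            pending[pid] = msg.split()[-1]   # last argument is the principal
        elif msg.startswith("Process finished, return code=") and pid in pending:
            rc = int(msg.rsplit("=", 1)[1])
            principal = pending.pop(pid)
            if rc != 0:
                failed[pid] = principal
        elif msg.startswith("stderr=") and pid in failed:
            results.append((failed.pop(pid), msg[len("stderr="):]))
    return results


def failed_kinits_in_realm(lines, realm):
    """Keep only failures whose principal names the given realm, matching
    both user@REALM and the user.REALM form seen in the report's log."""
    realm = realm.upper()
    return [(p, err) for p, err in failed_kinits(lines)
            if p.upper().endswith("@" + realm) or p.upper().endswith("." + realm)]


if __name__ == "__main__":
    for principal, err in failed_kinits(SAMPLE_LOG.splitlines()):
        print("failed kinit as %s: %s" % (principal, err))
```

On a verified build the expected result of `failed_kinits_in_realm(lines, "<forest root realm>")` over the error log captured during `trust-add` is an empty list; any hit is a kinit attempted with the root domain's administrator principal.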

Comment 6 Sudhir Menon 2016-09-16 19:14:50 UTC
Verified on RHEL73 using 
ipa-server-4.4.0-12.el7.x86_64
ipa-server-trust-ad-4.4.0-12.el7.x86_64

Comment 8 errata-xmlrpc 2016-11-04 06:02:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html