Bug 1461053

Summary: allow to modify list of UPNs of a trusted forest
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: high Docs Contact:
Priority: high    
Version: 7.4CC: enewland, mbabinsk, nsoman, pvoborni, pvomacka, rcritten, spoore, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-17.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:51:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-06-13 12:36:09 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/7015

There are two ways for maintaining user principal names (UPNs) in Active 
Directory:
 - associate UPN suffixes with the forest root and then allow for each user account to choose UPN suffix for logon;
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence that this UPN suffix is not visible via netr_DsRGetForestTrustInformation DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN suffix does belong to a trusted Active Directory forest. As result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated with the forest in this case. With this commit, an option is added to 'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a trusted forest root.
Comment 2 Petr Vobornik 2017-06-13 12:36:22 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7015
Comment 4 Martin Babinsky 2017-06-14 14:40:31 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/9a31b21bff7c83219a4973adf815c900628ab620
master:
https://pagure.io/freeipa/c/abb638487580af99882b4751b64939d0aff0d38b
Comment 5 Pavel Vomacka 2017-06-14 14:57:19 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/b25412f9889f3523974e7aeb43920d4e2347fcfa
ipa-4-5:
https://pagure.io/freeipa/c/e22b61832bb5b52eb9daadcbc12ca41e0923503c
Comment 7 Scott Poore 2017-06-19 23:32:03 UTC 
Verified.

Version ::

ipa-server-4.5.0-17.el7.x86_64

Results ::


A Simple functional test where this is needed:

# Setup is that we have AD Trust and one AD User with a userPrincipalName attribute set to something different than the domain.

[root@auto-hv-02-guest08 ~]# ldapsearch -o ldif-wrap=no -xLLL \
>     -D "$AD_ADMIN" -w Secret123 \
>     -h idm-qe-ipa-win7.ipaadcs12r2.test \
>     -b "cn=temp user1,cn=Users,$AD_BASEDN" \
>     "(objectClass=*)" userPrincipalName
dn: CN=temp user1,CN=Users,DC=ipaadcs12r2,DC=test
userPrincipalName: 1234@mytest



# First show failure to login as either user before the UPN is added to the trust in IPA:

[root@auto-hv-02-guest08 ~]# ssh -l 1234@mytest $(hostname)
Password: 
Password: 
Password: 
Received disconnect from UNKNOWN port 65535:2: Too many authentication failures
Authentication failed.

[root@auto-hv-02-guest08 ~]# ssh -l tempuser1 $(hostname)
Password: 
Password: 
Password: 
Received disconnect from UNKNOWN port 65535:2: Too many authentication failures
Authentication failed.

# Now add the UPN:

[root@auto-hv-02-guest08 ~]# ipa trust-mod ipaadcs12r2.test --upn='MYTEST'
--------------------------------------------------------------------------
Modified trust "ipaadcs12r2.test" (change will be effective in 60 seconds)
--------------------------------------------------------------------------
  Realm name: ipaadcs12r2.test
  Domain NetBIOS name: IPAADCS12R2
  Domain Security Identifier: S-1-5-21-2104345585-122664420-2375807449
  UPN suffixes: MYTEST



[root@auto-hv-02-guest08 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@auto-hv-02-guest08 ~]# ssh -l tempuser1 $(hostname)
Password: 
Last failed login: Mon Jun 19 18:51:15 EDT 2017 from IPSCRUBBED on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Mon Jun 19 18:50:14 2017 from IPSCRUBBED
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
         This System is part of the Red Hat Test System.              
                                                                      
      Please do not use this system for individual unit testing.      
                                                                      
      RHTS Test information:                                          
                         HOSTNAME=auto-hv-02-guest08.fqdn.scrubbed                          
                            JOBID=1884800                              
                         RECIPEID=3902568                           
                       LAB_SERVER=                         
                    RESULT_SERVER=[::1]:7080                      
                           DISTRO=RHEL-7.4                        
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **

-sh-4.2$ exit
logout
Connection to auto-hv-02-guest08.testrelm.test closed.

[root@auto-hv-02-guest08 ~]# ssh -l 1234@mytest $(hostname)
Password: 
Last login: Mon Jun 19 18:52:38 2017 from IPSCRUBBED
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
         This System is part of the Red Hat Test System.              
                                                                      
      Please do not use this system for individual unit testing.      
                                                                      
      RHTS Test information:                                          
                         HOSTNAME=auto-hv-02-guest08.fqdn.scrubbed.                          
                            JOBID=1884800                              
                         RECIPEID=3902568                           
                       LAB_SERVER=                         
                    RESULT_SERVER=[::1]:7080                      
                           DISTRO=RHEL-7.4                            
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **

-sh-4.2$ id
uid=1664401105(tempuser1) gid=1664401105(tempuser1) groups=1664401105(tempuser1),1664400513(domain users)

-sh-4.2$ whoami
tempuser1
Comment 8 errata-xmlrpc 2017-08-01 09:51:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304