Bug 1891056

Summary: ipa-kdb: support subordinate/superior UPN suffixes
Product: Red Hat Enterprise Linux 8 Reporter: Thorsten Scherf <tscherf>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: high Docs Contact: Josip Vilicic <jvilicic>
Priority: unspecified    
Version: 8.2CC: abokovoy, frenaud, jvilicic, ksiddiqu, ndehadra, pasik, rcritten, sumenon, tmihinto, tscherf, twoerner
Target Milestone: rcKeywords: ZStream
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.9.0-0.2.rc2 Doc Type: Enhancement
Doc Text:
.AD users can now log in to IdM with UPN suffixes subordinate to known UPN suffixes Previously, Active Directory (AD) users could not log into Identity Management (IdM) with a Universal Principal Name (UPN) (for example, `sub1.ad-example.com`) that is a subdomain of a known UPN suffix (for example, `ad-example.com`) because internal Samba processes filtered subdomains as duplicates of any Top Level Names (TLNs). This update validates UPNs by testing if they are subordinate to the known UPN suffixes. As a result, users can now log in using subordinate UPN suffixes in the described scenario.
 Story Points: ---
Clone Of:
: 1914823 1914824 (view as bug list) Environment:
Last Closed: 2021-05-18 15:48:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1914823, 1914824    

Description Thorsten Scherf 2020-10-23 17:16:41 UTC 
Description of problem:
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

fabrikam.com
sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
6.1.6.9.3.2 Building Well-Formed msDS-TrustForestTrustInfo Messages
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/2994b19c-04ff-430d-b788-c82d334b31bc
Comment 1 Thorsten Scherf 2020-10-23 17:35:30 UTC 
https://github.com/freeipa/freeipa/pull/5206
Comment 2 Rob Crittenden 2020-10-23 17:39:54 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8554
Comment 3 Rob Crittenden 2020-10-26 19:56:04 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/8b6d1ab854387840f7526d6d59ddc7102231957f
Comment 6 Rob Crittenden 2020-10-28 15:20:18 UTC 
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/1f0702bf9231a4898a2d58325fc51c71fea25047
Comment 9 Alexander Bokovoy 2020-11-26 10:03:18 UTC 
Additional commits:
commit 442038c41aef9ce07d0491a08bec406ede5f6686
Author: Sudhir Menon <sumenon>
Date:   Wed Nov 11 14:55:32 2020 +0530

    ipatests: support subordinate upn suffixes
    
    This test adds new UPN Suffix on the AD side
    within the ad.test subtree i.e new.ad.test and this
    UPN is then assigned to aduser and then try to
    kinit using aduser along with the UPN set, to ensure
    that the kinit succeeds
    
    Signed-off-by: Sudhir Menon <sumenon>
    Reviewed-By: Alexander Bokovoy <abokovoy>

commit 0da6a57b406f538edf187c44760885c237261183
Author: Alexander Bokovoy <abokovoy>
Date:   Tue Nov 24 16:03:36 2020 +0200

    ad trust: accept subordinate domains of the forest trust root
    
    Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
    subordinate UPN suffixes but missed the case where subordinate UPN is a
    subdomain of the forest root domain and not mentioned in the UPN
    suffixes list.
    
    Correct this situation by applying the same check to the trusted domain
    name as well.
    
    Fixes: https://pagure.io/freeipa/issue/8554
    Signed-off-by: Alexander Bokovoy <abokovoy>
    Reviewed-By: Alexander Bokovoy <abokovoy>


Fixed upstream
master:
https://pagure.io/freeipa/c/442038c41aef9ce07d0491a08bec406ede5f6686
https://pagure.io/freeipa/c/0da6a57b406f538edf187c44760885c237261183
Comment 11 Florence Blanc-Renaud 2020-11-26 13:16:30 UTC 
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/d5cca835d5439331c05475d0ad2f993ac6f8b615
https://pagure.io/freeipa/c/6b224e57672e3f73f93bb9eddd9031e945529a1e
Comment 12 Florence Blanc-Renaud 2020-11-26 15:32:25 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/7e605e958ef6d41584afc238433669c15458ac67
https://pagure.io/freeipa/c/381cc5e8eae1b7437fc15cb699983887d398f498
Comment 21 errata-xmlrpc 2021-05-18 15:48:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846