Bug 1219832 - Samba 4.2 broke FreeIPA trusts to AD
Summary: Samba 4.2 broke FreeIPA trusts to AD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1219834
TreeView+ depends on / blocked
 
Reported: 2015-05-08 11:58 UTC by Alexander Bokovoy
Modified: 2015-05-28 11:58 UTC (History)
7 users (show)

Fixed In Version: samba-4.2.1-8.fc22
Clone Of:
: 1219834 (view as bug list)
Environment:
Last Closed: 2015-05-28 11:58:49 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
Proposed patch (1.15 KB, patch)
2015-05-08 12:01 UTC, Alexander Bokovoy 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Samba Project 11265 0 None None None Never

Description Alexander Bokovoy 2015-05-08 11:58:35 UTC 
Description of problem:
With upgrade to Samba 4.2.1 previously working trusts to AD feature of FreeIPA no longer works. There are multiple changes in Samba 4.2.1 on protocol level and handling of authentication that caused FreeIPA Python code to fail.

Namely, underlying Samba code considers a DCE RPC connection authenticated using Kerberos credentials obtained via S4U2Proxy mechanism still to be anonymous and therefore is unable to derive a session key out of Krb5 session.

This breaks communication from FreeIPA web server to local smbd process where we operate under credentials of an admin which were given to us through S4U2Proxy.

DCE RPC (LSA RPC in this case) session key is essential to encrypt trust secrets for cross realm trust. Unavailability of the session key breaks the process to establish the trust.

Version-Release number of selected component (if applicable):
samba-4.2.1-7.fc22

How reproducible:
Always

Steps to Reproduce:
1. Install FreeIPA: freeipa-server, freeipa-server-trust-ad (and other packages if integrated DNS server is required)
2. Deploy FreeIPA with ipa-server-install and further configure it to work with AD: ipa-adtrust-install
3. Attempt to configure trust: ipa trust-add ad.test --admin Administrator --password
4. Observe failure

Actual results:
# echo Test1234|ipa trust-add ad.test --admin Administrator --password

in /var/log/httpd/error_log:
[Wed Apr 29 17:17:34.763163 2015] [wsgi:error] [pid 15115] ipa: INFO: [jsonserver_session] admin.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): RemoteRetrieveError


Expected results:
# echo Test1234|ipa trust-add ad.test --admin Administrator --password

----------------------------------------
Re-established trust to domain "ad.test"
----------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2275361654-3393353068-3720134936
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

In /var/log/httpd/error_log:
[Fri May 08 11:56:15.979347 2015] [wsgi:error] [pid 7359] ipa: INFO: [jsonserver_session] admin.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): SUCCESS
Comment 1 Alexander Bokovoy 2015-05-08 12:01:02 UTC 
Created attachment 1023460 [details]
Proposed patch

Attached is the patch that fixes the problem to me. Credentials should not be considered anonymous if they obtained via Kerberos.
Comment 2 Alexander Bokovoy 2015-05-08 12:06:36 UTC 
Even with the patch to Samba we need to update FreeIPA code to consider more pipe binding options.

Here is an example of how error message would look like if using default FreeIPA 4.1.4 code:

# echo Test1234|ipa trust-add ad.test --admin Administrator --password
ipa: ERROR: CIFS server communication error: code "-1073741776",
                  message "An invalid combination of parameters was specified." (both may be "None")

e.g. samba returns NT_STATUS_INVALID_PARAMETER_MIX.
Comment 3 Alexander Bokovoy 2015-05-08 12:36:03 UTC 
Adding a bug on Samba upstream side.
Comment 4 Fedora Update System 2015-05-11 19:08:53 UTC 
samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22
Comment 5 Fedora Update System 2015-05-12 20:50:37 UTC 
Package samba-4.2.1-8.fc22, freeipa-4.1.4-4.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing samba-4.2.1-8.fc22 freeipa-4.1.4-4.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-8084/samba-4.2.1-8.fc22,freeipa-4.1.4-4.fc22
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2015-05-28 11:58:49 UTC 
samba-4.2.1-8.fc22, freeipa-4.1.4-4.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.