Bug 1219834 - Samba 4.2 broke FreeIPA trusts to AD
Summary: Samba 4.2 broke FreeIPA trusts to AD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1219832
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-08 12:08 UTC by Alexander Bokovoy
Modified: 2015-05-28 11:58 UTC (History)
13 users (show)

Fixed In Version: samba-4.2.1-8.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of: 1219832
Environment:
Last Closed: 2015-05-28 11:58:46 UTC
Type: Bug


Attachments (Terms of Use)
Proposed patch (3.63 KB, patch)
2015-05-08 12:14 UTC, Alexander Bokovoy
no flags Details | Diff

Description Alexander Bokovoy 2015-05-08 12:08:15 UTC
+++ This bug was initially created as a clone of Bug #1219832 +++

Description of problem:
With upgrade to Samba 4.2.1 previously working trusts to AD feature of FreeIPA no longer works. There are multiple changes in Samba 4.2.1 on protocol level and handling of authentication that caused FreeIPA Python code to fail.

Namely, underlying Samba code considers a DCE RPC connection authenticated using Kerberos credentials obtained via S4U2Proxy mechanism still to be anonymous and therefore is unable to derive a session key out of Krb5 session.

This breaks communication from FreeIPA web server to local smbd process where we operate under credentials of an admin which were given to us through S4U2Proxy.

DCE RPC (LSA RPC in this case) session key is essential to encrypt trust secrets for cross realm trust. Unavailability of the session key breaks the process to establish the trust.

Version-Release number of selected component (if applicable):
samba-4.2.1-7.fc22

How reproducible:
Always

Steps to Reproduce:
1. Install FreeIPA: freeipa-server, freeipa-server-trust-ad (and other packages if integrated DNS server is required)
2. Deploy FreeIPA with ipa-server-install and further configure it to work with AD: ipa-adtrust-install
3. Attempt to configure trust: ipa trust-add ad.test --admin Administrator --password
4. Observe failure

Actual results:
# echo Test1234|ipa trust-add ad.test --admin Administrator --password

in /var/log/httpd/error_log:
[Wed Apr 29 17:17:34.763163 2015] [wsgi:error] [pid 15115] ipa: INFO: [jsonserver_session] admin@T.VDA.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): RemoteRetrieveError


Expected results:
# echo Test1234|ipa trust-add ad.test --admin Administrator --password

----------------------------------------
Re-established trust to domain "ad.test"
----------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2275361654-3393353068-3720134936
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

In /var/log/httpd/error_log:
[Fri May 08 11:56:15.979347 2015] [wsgi:error] [pid 7359] ipa: INFO: [jsonserver_session] admin@T.VDA.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): SUCCESS

--- Additional comment from Alexander Bokovoy on 2015-05-08 15:01:02 EEST ---

Attached is the patch that fixes the problem to me. Credentials should not be considered anonymous if they obtained via Kerberos.

--- Additional comment from Alexander Bokovoy on 2015-05-08 15:06:36 EEST ---

Even with the patch to Samba we need to update FreeIPA code to consider more pipe binding options.

Here is an example of how error message would look like if using default FreeIPA 4.1.4 code:

# echo Test1234|ipa trust-add ad.test --admin Administrator --password
ipa: ERROR: CIFS server communication error: code "-1073741776",
                  message "An invalid combination of parameters was specified." (both may be "None")

e.g. samba returns NT_STATUS_INVALID_PARAMETER_MIX.

Comment 1 Alexander Bokovoy 2015-05-08 12:14:27 UTC
Created attachment 1023463 [details]
Proposed patch

Attached patch makes FreeIPA working with a Samba 4.2.1 with the fix for anonymous credentials.

Comment 2 Fedora Update System 2015-05-11 19:08:51 UTC
samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/samba-4.2.1-8.fc22,freeipa-4.1.4-3.fc22

Comment 3 Fedora Update System 2015-05-12 20:50:35 UTC
Package samba-4.2.1-8.fc22, freeipa-4.1.4-4.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing samba-4.2.1-8.fc22 freeipa-4.1.4-4.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-8084/samba-4.2.1-8.fc22,freeipa-4.1.4-4.fc22
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-05-28 11:58:46 UTC
samba-4.2.1-8.fc22, freeipa-4.1.4-4.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.