Bug 1250135 - Detect re-established trusts in the IPA subdomain code
Detect re-established trusts in the IPA subdomain code
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Jakub Hrozek
Kaushik Banerjee
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-04 11:04 EDT by Jakub Hrozek
Modified: 2015-11-19 06:39 EST (History)
11 users (show)

See Also:
Fixed In Version: sssd-1.13.0-35.el7
Doc Type: Enhancement
Doc Text:
Feature: Detect re-established trusts in the IPA subdomain code and re-fetching the keytab Reason: Fetching the keytabs only when sssd service is restarted constitutes bad user experience Result: Auto-detect the error from the LDAP provider and re-fetch the keytab automatically
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 06:39:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jakub Hrozek 2015-08-04 11:04:16 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2639

This RFE is part of one-way trusts support.

Please see the related section [https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?version=10#Detectingre-establishedtrustsandre-fetchingthekeytabs about detecting re-established trusts] of the design page for accurate description.
Comment 1 Jakub Hrozek 2015-08-04 11:05:31 EDT
Cloned from upstream ticket per Steeve's request since this issue is getting annoying for QE.

First patches are on the list under review already.
Comment 2 Jakub Hrozek 2015-08-20 12:38:25 EDT
Exception rationale: While we have code in SSSD that fetches the keytabs when sssd service is restarted, this constitutes bad user experience. We should auto-detect the error from the LDAP provider and re-fetch the keytab automatically.
Comment 4 Jakub Hrozek 2015-09-21 14:42:29 EDT
First batch of fixes landed upstream:
    * 20162352030d1c577bb69d44e967d2c5839e5c0e
    * ece345a74cec793e6d970a4955beb3d4a05935b3
    * 64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1c
    * dd0a21738e1b71940bba11134734b5999e9fd8e9
    * 7fc8692d49cdaa0368072f196433c07b475da679
    * 0561d532cf76b035b73cfed929a6896071dac407
    * 99c5f2f6ba0af6ce52be0d82ec2794bacc215742
    * b5825c74b6bf7a99ae2172392dbecb51179013a6
Comment 5 Jakub Hrozek 2015-09-23 04:10:31 EDT
The rest of the patchset is on review now.
Comment 7 Jakub Hrozek 2015-09-24 05:04:00 EDT
FWIW, the last patchset related to this bug was:
* 4c53f8b7400630ae06459aa8b5079427edcaa348
* 669ce24f8157b7d79914b3eb5a18214ef42aacc8
* bc58e1cfee742178f95922d964349d6c262f6df7
* 42bd89dbe77846b6ee60365bba50da521745bca1
Comment 8 Varun Mylaraiah 2015-09-30 02:49:30 EDT
Could you please add steps to verify this bug?
Comment 9 Jakub Hrozek 2015-09-30 05:32:05 EDT
(In reply to Varun Mylaraiah from comment #8)
> Could you please add steps to verify this bug?

We want to make sure that when trust is broken and re-established (trust-del; trust-add) then resolving AD users still work, even for those that were not cached and SSSD re-fetches the correct keytab and the keytab can be used.

You can see the test I ran in the sssd-devel mail:
https://lists.fedorahosted.org/pipermail/sssd-devel/2015-September/024905.html
Comment 10 Varun Mylaraiah 2015-10-01 11:11:18 EDT
Verified

sssd-1.13.0-36.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64

[root@master2 ~]# echo Secret123|ipa trust-add --type=ad adtest.qe --admin Administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master2 ~]# getent passwd aduser99@adtest.qe
aduser99@adtest.qe:*:1148407324:1148407324:aduser99 user:/home/adtest.qe/aduser99:

[root@master2 ~]# ipa trust-del adtest.qe
-------------------------
Deleted trust "adtest.qe"
-------------------------

[root@master2 ~]# echo Secret123|ipa trust-add --type=ad adtest.qe --admin Administrator --password --two-way=True
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master2 ~]# getent passwd aduser99@adtest.qe
aduser99@adtest.qe:*:1148407324:1148407324:aduser99 user:/home/adtest.qe/aduser99:
Comment 11 errata-xmlrpc 2015-11-19 06:39:48 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

Note You need to log in before you can comment on or make changes to this bug.