Bug 1250135 - Detect re-established trusts in the IPA subdomain code
Summary: Detect re-established trusts in the IPA subdomain code
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-04 15:04 UTC by Jakub Hrozek
Modified: 2020-05-02 18:03 UTC (History)
11 users (show)

Fixed In Version: sssd-1.13.0-35.el7
Doc Type: Enhancement
Doc Text:
Feature: Detect re-established trusts in the IPA subdomain code and re-fetching the keytab Reason: Fetching the keytabs only when sssd service is restarted constitutes bad user experience Result: Auto-detect the error from the LDAP provider and re-fetch the keytab automatically
Clone Of:
Environment:
Last Closed: 2015-11-19 11:39:48 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3680 None None None 2020-05-02 18:03:08 UTC
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Jakub Hrozek 2015-08-04 15:04:16 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2639

This RFE is part of one-way trusts support.

Please see the related section [https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?version=10#Detectingre-establishedtrustsandre-fetchingthekeytabs about detecting re-established trusts] of the design page for accurate description.

Comment 1 Jakub Hrozek 2015-08-04 15:05:31 UTC
Cloned from upstream ticket per Steeve's request since this issue is getting annoying for QE.

First patches are on the list under review already.

Comment 2 Jakub Hrozek 2015-08-20 16:38:25 UTC
Exception rationale: While we have code in SSSD that fetches the keytabs when sssd service is restarted, this constitutes bad user experience. We should auto-detect the error from the LDAP provider and re-fetch the keytab automatically.

Comment 4 Jakub Hrozek 2015-09-21 18:42:29 UTC
First batch of fixes landed upstream:
    * 20162352030d1c577bb69d44e967d2c5839e5c0e
    * ece345a74cec793e6d970a4955beb3d4a05935b3
    * 64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1c
    * dd0a21738e1b71940bba11134734b5999e9fd8e9
    * 7fc8692d49cdaa0368072f196433c07b475da679
    * 0561d532cf76b035b73cfed929a6896071dac407
    * 99c5f2f6ba0af6ce52be0d82ec2794bacc215742
    * b5825c74b6bf7a99ae2172392dbecb51179013a6

Comment 5 Jakub Hrozek 2015-09-23 08:10:31 UTC
The rest of the patchset is on review now.

Comment 7 Jakub Hrozek 2015-09-24 09:04:00 UTC
FWIW, the last patchset related to this bug was:
* 4c53f8b7400630ae06459aa8b5079427edcaa348
* 669ce24f8157b7d79914b3eb5a18214ef42aacc8
* bc58e1cfee742178f95922d964349d6c262f6df7
* 42bd89dbe77846b6ee60365bba50da521745bca1

Comment 8 Varun Mylaraiah 2015-09-30 06:49:30 UTC
Could you please add steps to verify this bug?

Comment 9 Jakub Hrozek 2015-09-30 09:32:05 UTC
(In reply to Varun Mylaraiah from comment #8)
> Could you please add steps to verify this bug?

We want to make sure that when trust is broken and re-established (trust-del; trust-add) then resolving AD users still work, even for those that were not cached and SSSD re-fetches the correct keytab and the keytab can be used.

You can see the test I ran in the sssd-devel mail:
https://lists.fedorahosted.org/pipermail/sssd-devel/2015-September/024905.html

Comment 10 Varun Mylaraiah 2015-10-01 15:11:18 UTC
Verified

sssd-1.13.0-36.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64

[root@master2 ~]# echo Secret123|ipa trust-add --type=ad adtest.qe --admin Administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master2 ~]# getent passwd aduser99@adtest.qe
aduser99@adtest.qe:*:1148407324:1148407324:aduser99 user:/home/adtest.qe/aduser99:

[root@master2 ~]# ipa trust-del adtest.qe
-------------------------
Deleted trust "adtest.qe"
-------------------------

[root@master2 ~]# echo Secret123|ipa trust-add --type=ad adtest.qe --admin Administrator --password --two-way=True
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master2 ~]# getent passwd aduser99@adtest.qe
aduser99@adtest.qe:*:1148407324:1148407324:aduser99 user:/home/adtest.qe/aduser99:

Comment 11 errata-xmlrpc 2015-11-19 11:39:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html


Note You need to log in before you can comment on or make changes to this bug.