Bug 1250135 – Detect re-established trusts in the IPA subdomain code

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1250135 - Detect re-established trusts in the IPA subdomain code

Summary:	Detect re-established trusts in the IPA subdomain code

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd (Show other bugs)
Sub Component:
Version:	7.0
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2015-08-04 11:04 EDT by Jakub Hrozek
Modified:	2015-11-19 06:39 EST (History)
CC List:	11 users (show)

See Also:
Fixed In Version:	sssd-1.13.0-35.el7
Doc Type:	Enhancement
Doc Text:	Feature: Detect re-established trusts in the IPA subdomain code and re-fetching the keytab Reason: Fetching the keytabs only when sssd service is restarted constitutes bad user experience Result: Auto-detect the error from the LDAP provider and re-fetch the keytab automatically
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-11-19 06:39:48 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:2355	normal	SHIPPED_LIVE	Low: sssd security, bug fix, and enhancement update	2015-11-19 05:27:42 EST

Groups: None (edit)

Description Jakub Hrozek 2015-08-04 11:04:16 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2639

This RFE is part of one-way trusts support.

Please see the related section [https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?version=10#Detectingre-establishedtrustsandre-fetchingthekeytabs about detecting re-established trusts] of the design page for accurate description.

Comment 1 Jakub Hrozek 2015-08-04 11:05:31 EDT

Cloned from upstream ticket per Steeve's request since this issue is getting annoying for QE.

First patches are on the list under review already.

Comment 2 Jakub Hrozek 2015-08-20 12:38:25 EDT

Exception rationale: While we have code in SSSD that fetches the keytabs when sssd service is restarted, this constitutes bad user experience. We should auto-detect the error from the LDAP provider and re-fetch the keytab automatically.

Comment 4 Jakub Hrozek 2015-09-21 14:42:29 EDT

First batch of fixes landed upstream:
    * 20162352030d1c577bb69d44e967d2c5839e5c0e
    * ece345a74cec793e6d970a4955beb3d4a05935b3
    * 64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1c
    * dd0a21738e1b71940bba11134734b5999e9fd8e9
    * 7fc8692d49cdaa0368072f196433c07b475da679
    * 0561d532cf76b035b73cfed929a6896071dac407
    * 99c5f2f6ba0af6ce52be0d82ec2794bacc215742
    * b5825c74b6bf7a99ae2172392dbecb51179013a6

Comment 5 Jakub Hrozek 2015-09-23 04:10:31 EDT

The rest of the patchset is on review now.

Comment 7 Jakub Hrozek 2015-09-24 05:04:00 EDT

FWIW, the last patchset related to this bug was:
* 4c53f8b7400630ae06459aa8b5079427edcaa348
* 669ce24f8157b7d79914b3eb5a18214ef42aacc8
* bc58e1cfee742178f95922d964349d6c262f6df7
* 42bd89dbe77846b6ee60365bba50da521745bca1

Comment 8 Varun Mylaraiah 2015-09-30 02:49:30 EDT

Could you please add steps to verify this bug?

Comment 9 Jakub Hrozek 2015-09-30 05:32:05 EDT

(In reply to Varun Mylaraiah from comment #8)
> Could you please add steps to verify this bug?

We want to make sure that when trust is broken and re-established (trust-del; trust-add) then resolving AD users still work, even for those that were not cached and SSSD re-fetches the correct keytab and the keytab can be used.

You can see the test I ran in the sssd-devel mail:
https://lists.fedorahosted.org/pipermail/sssd-devel/2015-September/024905.html

Comment 10 Varun Mylaraiah 2015-10-01 11:11:18 EDT

Verified

sssd-1.13.0-36.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64

[root@master2 ~]# echo Secret123|ipa trust-add --type=ad adtest.qe --admin Administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master2 ~]# getent passwd aduser99@adtest.qe
aduser99@adtest.qe:*:1148407324:1148407324:aduser99 user:/home/adtest.qe/aduser99:

[root@master2 ~]# ipa trust-del adtest.qe
-------------------------
Deleted trust "adtest.qe"
-------------------------

[root@master2 ~]# echo Secret123|ipa trust-add --type=ad adtest.qe --admin Administrator --password --two-way=True
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master2 ~]# getent passwd aduser99@adtest.qe
aduser99@adtest.qe:*:1148407324:1148407324:aduser99 user:/home/adtest.qe/aduser99:

Comment 11 errata-xmlrpc 2015-11-19 06:39:48 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

Note You need to log in before you can comment on or make changes to this bug.