RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1345975 - [RFE] Support One-Way Trust authenticated by trust secret
Summary: [RFE] Support One-Way Trust authenticated by trust secret
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Linux
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
Marc Muehlfeld
: 1190566 1300040 1355640 (view as bug list)
Depends On: 1421663
Blocks: 1550132 1644708 1647919
TreeView+ depends on / blocked
Reported: 2016-06-13 14:33 UTC by Aly
Modified: 2021-12-10 14:49 UTC (History)
21 users (show)

Fixed In Version: ipa-4.6.5-2.el7
Doc Type: Enhancement
Doc Text:
IdM supports establishing a one-way trust from a Windows DC using a shared secret With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust to Active Directory (AD) authenticated by a shared secret from the Windows AD domain controller (DC). Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in the mentioned scenario. As a result, IdM now supports establishing a one-way forest trust using a shared secret from both Active Directory and from IdM.
Clone Of:
Last Closed: 2019-08-06 13:09:02 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1355640 0 high CLOSED Unable to refresh name routing suffixes to IPA from AD side 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker FREEIPA-7506 0 None None None 2021-12-10 14:49:35 UTC
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:26 UTC

Internal Links: 1355640

Description Aly 2016-06-13 14:33:33 UTC
Description of problem: 
Access Denied error when created a one-way trust using a trust-secret and attempting to validate on the Active Directory side (last step of trust procedure). 

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:

Steps to Reproduce:
1.The documentation advises to create the trust on the windows side with these steps:
   The Trust Type is Forest trust.
   The Direction of Trust is One-way.
   The Sides of Trust is This domain only.
   The Outgoing Trust Authentication Level is Forest-wide authentication.(not this option does not exist on a one-way trust as noted in the document)
   Set the Trust Password.
2. ipa trust-add --type=ad --trust-secret domain.test
3. ipa trust-fetch-domains
4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh
5. prompted for credentials (Not expected), 
6. credentials for IPA domain do not work
7. Eventually errors out with "Access Denied"

Expected results:
4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh
5. "Name Suffix Routing" being populated
6. Trust setup-complete

Additional info:
When I select a *two-way* trust on the Active Directory side, I was able to achieve the trust including the "Name Suffix Routing" being populated when I hit refresh. As expected this worked without any prompt for credentials. 

However the noted procedure does not work for a one-way trust using a trust-secret. I have additional information from Alexander who was assisting debug this issue:

"The following was found in the samba logs:

[2016/06/13 08:06:44.098299,  3, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
[2016/06/13 08:06:44.098304,  6, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
api_rpc_cmds[43].fn == 0x7f90496d38d0
[2016/06/13 08:06:44.098318,  1, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
      netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
         in: struct netr_DsRGetForestTrustInformation
             server_name              : *
                 server_name              : '\\f24-master.ipa.ad.test'
             trusted_domain_name      : NULL
             flags                    : 0x00000000 (0)
[2016/06/13 08:06:44.098334,  4, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1480(api_rpcTNP)
api_rpcTNP: fault(5) return.

The fault(5) is librpc/idl/dcerpc.idl:          DCERPC_FAULT_ACCESS_DENIED = 0x00000005,

something is missing in the access token when IPA admin credentials are used to connect to retrieve forest trust information from AD side "

Comment 2 Petr Vobornik 2016-06-22 17:01:15 UTC
Alexander, what is your assessment?

Comment 3 Alexander Bokovoy 2016-06-22 17:17:26 UTC
I'm still looking at this. It is non-trivial and I'm not sure we can fix it for RHEL 7.3.

Comment 4 Petr Vobornik 2016-07-13 13:55:10 UTC
Upstream ticket:

Comment 5 Petr Vobornik 2016-07-21 16:29:33 UTC
*** Bug 1355640 has been marked as a duplicate of this bug. ***

Comment 7 Petr Vobornik 2016-09-07 13:50:28 UTC
*** Bug 1300040 has been marked as a duplicate of this bug. ***

Comment 11 Martin Kosek 2017-03-28 10:57:31 UTC
Alexander Bokovoy tested the workflow with fixed cyrus sasl (with GSS-SPNEGO support - Bug 1421663) and the workflow still requested features/capabilities that IdM server does not have - this makes this Bugzilla an actual RFE - updating title.

Comment 18 Alexander Bokovoy 2018-06-19 12:54:22 UTC
An update on the status of this RFE.

For the reference, there are two patchsets required: https://github.com/SSSD/sssd/pull/522 is for SSSD, and https://github.com/abbra/freeipa/commit/05d211a1e8a208e065463ab05f5f09491df8052f is for FreeIPA. They are work in progress upstream and not suitable for including in production yet.

They originally were made to allow one-way trust from Samba AD side and since Samba AD closely follows what Windows does in this exchange, they should help us too. For Samba AD an additional Samba AD patchset is required to fix trusted domain object principal's salt.

I have verified with a new install that Windows Server 2012R2 and FreeeIPA/SSSD with my patches are able to get one-way trust with a shared secret working at least partially.

The sequence is following:

    Establish a one-way trust with a shared secret on IPA side: ipa trust-add <ad-domain> --shared-secret
    On Windows side, open Active Directory Domain and Trusts tool
    Open properties for the Windows forest
    Choose 'Trusts' tab and press 'New trust' button there
    Navigate through the trust wizard by entering:
        IPA forest name, then 'next'
        Choose 'Forest trust' on the Trust Type page
        Choose 'One-way: incoming' on the Direction of Trust page
        Choose 'This domain only' on the Sides of Trust page
        Enter the same shared secret one was using in step (1) with 'ipa trust-add'
        Complete trust wizard

Going back to the trust properties, one can now validate trust from Windows side. However, retrieving forest trust information is not working due to Samba not having it implemented for non-Samba AD case which is what FreeIPA Samba DC is using.

I am working on a FreeIPA design and will publish it on freeipa.org wiki once I get existing patches sorted out so that they can be used together with the design to understand the setup. The code I have works already for new deployments, we need to polish and merge it upstream. The part that is not done completely yet is upgrading existing trust agreements.

SSSD part needs a better implementation as agreed with Jakub in https://github.com/SSSD/sssd/pull/522

Comment 20 Alexander Bokovoy 2018-09-18 07:47:48 UTC
Another update:

- SSSD 1.16.3 and 2.0 were released with SSSD patches

- Samba 4.7, 4.8, 4.8 got released with enhancements that allow proceeding with the trust against Samba AD.

- FreeIPA patches are still pending the remaining upgrade code work

Comment 21 Florence Blanc-Renaud 2018-10-19 13:46:32 UTC
*** Bug 1190566 has been marked as a duplicate of this bug. ***

Comment 22 Alexander Bokovoy 2019-03-22 18:42:09 UTC
A pull request to FreeIPA is submitted now: https://github.com/freeipa/freeipa/pull/2926

Comment 31 Sergey Orlov 2019-05-29 11:04:53 UTC
On the Doc Text: external trust is also supported, as well as forest one.

Comment 34 errata-xmlrpc 2019-08-06 13:09:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.