Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1345975

Summary: [RFE] Support One-Way Trust authenticated by trust secret
Product: Red Hat Enterprise Linux 7 Reporter: Aly <opennetworksolutions>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: high Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.4CC: abokovoy, abradshaw, asakure, cheimes, ddas, gparente, jhrozek, jvilicic, ktadimar, michael.ward, mkosek, mmuehlfe, molasaga, mowens, opennetworksolutions, pasik, pvoborni, rcritten, sorlov, tmihinto, tscherf
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.6.5-2.el7 Doc Type: Enhancement
Doc Text:
IdM supports establishing a one-way trust from a Windows DC using a shared secret With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust to Active Directory (AD) authenticated by a shared secret from the Windows AD domain controller (DC). Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in the mentioned scenario. As a result, IdM now supports establishing a one-way forest trust using a shared secret from both Active Directory and from IdM.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:09:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1421663    
Bug Blocks: 1550132, 1644708, 1647919    

Description Aly 2016-06-13 14:33:33 UTC 
Description of problem: 
Access Denied error when created a one-way trust using a trust-secret and attempting to validate on the Active Directory side (last step of trust procedure). 

Version-Release number of selected component (if applicable):
ipa-server-trust-ad-4.2.0-15.el7_2.15.x86_64
ipa-python-4.2.0-15.el7_2.15.x86_64
ipa-admintools-4.2.0-15.el7_2.15.x86_64
ipa-server-4.2.0-15.el7_2.15.x86_64
ipa-client-4.2.0-15.el7_2.15.x86_64
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:
Very

Steps to Reproduce:
1.The documentation advises to create the trust on the windows side with these steps:
   The Trust Type is Forest trust.
   The Direction of Trust is One-way.
   The Sides of Trust is This domain only.
   The Outgoing Trust Authentication Level is Forest-wide authentication.(not this option does not exist on a one-way trust as noted in the document)
   Set the Trust Password.
2. ipa trust-add --type=ad --trust-secret domain.test
3. ipa trust-fetch-domains
4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh
5. prompted for credentials (Not expected), 
6. credentials for IPA domain do not work
7. Eventually errors out with "Access Denied"

Expected results:
4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh
5. "Name Suffix Routing" being populated
6. Trust setup-complete

Additional info:
When I select a *two-way* trust on the Active Directory side, I was able to achieve the trust including the "Name Suffix Routing" being populated when I hit refresh. As expected this worked without any prompt for credentials. 

However the noted procedure does not work for a one-way trust using a trust-secret. I have additional information from Alexander who was assisting debug this issue:

"The following was found in the samba logs:

[2016/06/13 08:06:44.098299,  3, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
api_rpcTNP: rpc command: NETR_DSRGETFORESTTRUSTINFORMATION
[2016/06/13 08:06:44.098304,  6, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
api_rpc_cmds[43].fn == 0x7f90496d38d0
[2016/06/13 08:06:44.098318,  1, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
      netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
         in: struct netr_DsRGetForestTrustInformation
             server_name              : *
                 server_name              : '\\f24-master.ipa.ad.test'
             trusted_domain_name      : NULL
             flags                    : 0x00000000 (0)
[2016/06/13 08:06:44.098334,  4, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1480(api_rpcTNP)
api_rpcTNP: fault(5) return.

The fault(5) is librpc/idl/dcerpc.idl:          DCERPC_FAULT_ACCESS_DENIED = 0x00000005,

something is missing in the access token when IPA admin credentials are used to connect to retrieve forest trust information from AD side "
Comment 2 Petr Vobornik 2016-06-22 17:01:15 UTC 
Alexander, what is your assessment?
Comment 3 Alexander Bokovoy 2016-06-22 17:17:26 UTC 
I'm still looking at this. It is non-trivial and I'm not sure we can fix it for RHEL 7.3.
Comment 4 Petr Vobornik 2016-07-13 13:55:10 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6077
Comment 5 Petr Vobornik 2016-07-21 16:29:33 UTC 
*** Bug 1355640 has been marked as a duplicate of this bug. ***
Comment 7 Petr Vobornik 2016-09-07 13:50:28 UTC 
*** Bug 1300040 has been marked as a duplicate of this bug. ***
Comment 11 Martin Kosek 2017-03-28 10:57:31 UTC 
Alexander Bokovoy tested the workflow with fixed cyrus sasl (with GSS-SPNEGO support - Bug 1421663) and the workflow still requested features/capabilities that IdM server does not have - this makes this Bugzilla an actual RFE - updating title.
Comment 18 Alexander Bokovoy 2018-06-19 12:54:22 UTC 
An update on the status of this RFE.

For the reference, there are two patchsets required: https://github.com/SSSD/sssd/pull/522 is for SSSD, and https://github.com/abbra/freeipa/commit/05d211a1e8a208e065463ab05f5f09491df8052f is for FreeIPA. They are work in progress upstream and not suitable for including in production yet.

They originally were made to allow one-way trust from Samba AD side and since Samba AD closely follows what Windows does in this exchange, they should help us too. For Samba AD an additional Samba AD patchset is required to fix trusted domain object principal's salt.

I have verified with a new install that Windows Server 2012R2 and FreeeIPA/SSSD with my patches are able to get one-way trust with a shared secret working at least partially.

The sequence is following:

    Establish a one-way trust with a shared secret on IPA side: ipa trust-add <ad-domain> --shared-secret
    On Windows side, open Active Directory Domain and Trusts tool
    Open properties for the Windows forest
    Choose 'Trusts' tab and press 'New trust' button there
    Navigate through the trust wizard by entering:
        IPA forest name, then 'next'
        Choose 'Forest trust' on the Trust Type page
        Choose 'One-way: incoming' on the Direction of Trust page
        Choose 'This domain only' on the Sides of Trust page
        Enter the same shared secret one was using in step (1) with 'ipa trust-add'
        Complete trust wizard

Going back to the trust properties, one can now validate trust from Windows side. However, retrieving forest trust information is not working due to Samba not having it implemented for non-Samba AD case which is what FreeIPA Samba DC is using.

I am working on a FreeIPA design and will publish it on freeipa.org wiki once I get existing patches sorted out so that they can be used together with the design to understand the setup. The code I have works already for new deployments, we need to polish and merge it upstream. The part that is not done completely yet is upgrading existing trust agreements.

SSSD part needs a better implementation as agreed with Jakub in https://github.com/SSSD/sssd/pull/522
Comment 20 Alexander Bokovoy 2018-09-18 07:47:48 UTC 
Another update:

- SSSD 1.16.3 and 2.0 were released with SSSD patches

- Samba 4.7, 4.8, 4.8 got released with enhancements that allow proceeding with the trust against Samba AD.

- FreeIPA patches are still pending the remaining upgrade code work
Comment 21 Florence Blanc-Renaud 2018-10-19 13:46:32 UTC 
*** Bug 1190566 has been marked as a duplicate of this bug. ***
Comment 22 Alexander Bokovoy 2019-03-22 18:42:09 UTC 
A pull request to FreeIPA is submitted now: https://github.com/freeipa/freeipa/pull/2926
Comment 23 Christian Heimes 2019-03-28 13:12:22 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/2a8176ee03318f208a86d25bd9320f885b16d112
https://pagure.io/freeipa/c/120bab0d9c9970979d109583329a13fc3e4949f3
https://pagure.io/freeipa/c/dc8f074cc7ba647644b96785590f1645e5661a93
https://pagure.io/freeipa/c/18cb30d4638c0fecf5f02735f2b4794be5d97b67
https://pagure.io/freeipa/c/dca901c05ef6dde69145963d3ea51b994b568740
ipa-4-7:
https://pagure.io/freeipa/c/50c0d6dc7b93abe2448ecc499e32e11bf5e3e7f5
https://pagure.io/freeipa/c/f6183c80826c90a8b0c051284d66cb0a2378cdc1
https://pagure.io/freeipa/c/0b5ae1bd00c336c1963efdb28891780fb61af17e
https://pagure.io/freeipa/c/2a7731c5ae8d3f7fad9ee20584e271100d090557
https://pagure.io/freeipa/c/595f42af25f882fe5d45b0e08bdd5300d7267fdb
ipa-4-6:
https://pagure.io/freeipa/c/9a453619c8c46322fc652f57376e4e834f957f57
https://pagure.io/freeipa/c/076d89429d838b472782f20da483841847e435b5
https://pagure.io/freeipa/c/b70e4d19d8bb610fedc50c8ad17cb7b61229247f
https://pagure.io/freeipa/c/7a7ef33fa8d1e800467e7bda5e23170edbabb4a2
https://pagure.io/freeipa/c/b2bac94c2486523f180a16068c5c07df8169aa1f
https://pagure.io/freeipa/c/7476953c85eddd92e7a2f010a34a3ba421c91965
https://pagure.io/freeipa/c/9ce3a29915fa691369fff8401b5995e0f7f06e06
Comment 31 Sergey Orlov 2019-05-29 11:04:53 UTC 
On the Doc Text: external trust is also supported, as well as forest one.
Comment 32 Sergey Orlov 2019-07-02 10:15:27 UTC 
Autotest: https://github.com/freeipa/freeipa/blob/master/ipatests/test_integration/test_trust.py
Comment 34 errata-xmlrpc 2019-08-06 13:09:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241