Bug 1371915 - When establishing external two-way trust, forest root Administrator account is used to fetch domain info
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Keywords:
Depends On: 1375269
Blocks:
 
Reported: 2016-08-31 12:25 UTC by Martin Bašti
Modified: 2016-11-04 06:02 UTC (History)

Clone Of:
Last Closed: 2016-11-04 06:02:37 UTC


Attachments (Terms of Use)
http error log (148.49 KB, text/plain)
2016-09-16 19:13 UTC, Sudhir Menon


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Martin Bašti 2016-08-31 12:25:25 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6277

When establishing external trust and specifying domain Admin's name without realm component, the credential generation code erroneously selects the forest root domain name as the realm component of domain admin account name. If the domain admins use separate account passwords (as is usually the case in real-life deployments), `trust-add` tries to fetch trusted domain info using wrong credentials and thus fails to authenticate against DCs of trusted domain:

{{{
s4_tevent: Destroying timer event 0x7f72ce7153f0 "tevent_req_timedout"
     &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
        command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
        sbz                      : 0x0000 (0)
        server_type              : 0x0000f1fd (61949)
               1: NBT_SERVER_PDC
               1: NBT_SERVER_GC
               1: NBT_SERVER_LDAP
               1: NBT_SERVER_DS
               1: NBT_SERVER_KDC
               1: NBT_SERVER_TIMESERV
               1: NBT_SERVER_CLOSEST
               1: NBT_SERVER_WRITABLE
               0: NBT_SERVER_GOOD_TIMESERV
               0: NBT_SERVER_NDNC
               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
               1: NBT_SERVER_FULL_SECRET_DOMAIN_6
               1: NBT_SERVER_ADS_WEB_SERVICE
               1: NBT_SERVER_DS_8
               0: NBT_SERVER_HAS_DNS_NAME
               0: NBT_SERVER_IS_DEFAULT_NC
               0: NBT_SERVER_FOREST_ROOT
        domain_uuid              : c3374e8b-8a15-45d2-a518-325a2886e2e3
        forest                   : 'root-dom.ad.forest.test'
        dns_domain               : 'tree-dom.ad.forest.test'
        pdc_dns_name             : 'adtree.tree-dom.ad.forest.test'
        domain_name              : 'TREE-DOM'
        pdc_name                 : 'ADTREE'
        user_name                : ''
        server_site              : 'Default-First-Site-Name'
        client_site              : 'Default-First-Site-Name'
        sockaddr_size            : 0x00 (0)
        sockaddr: struct nbt_sockaddr
            sockaddr_family          : 0x00000000 (0)
            pdc_ip                   : (null)
            remaining                : DATA_BLOB length=0
        next_closest_site        : NULL
        nt_version               : 0x00000005 (5)
               1: NETLOGON_NT_VERSION_1
               0: NETLOGON_NT_VERSION_5
               1: NETLOGON_NT_VERSION_5EX
               0: NETLOGON_NT_VERSION_5EX_WITH_IP
               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
               0: NETLOGON_NT_VERSION_PDC
               0: NETLOGON_NT_VERSION_IP
               0: NETLOGON_NT_VERSION_LOCAL
               0: NETLOGON_NT_VERSION_GC
        lmnt_token               : 0xffff (65535)
        lm20_token               : 0xffff (65535)
finddcs: Found matching DC 2620:52:0:224e:21a:4aff:fe23:1596 with server_type=0x0000f1fd
[Wed Aug 31 12:17:16.535749 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Destroying the contents of the separate ccache
[Wed Aug 31 12:17:16.536234 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Starting external process
[Wed Aug 31 12:17:16.536306 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kdestroy -A -c /var/run/ipa_memcached/krbcc_TDAtree-dom.ad.forest.test
[Wed Aug 31 12:17:16.553353 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=0
[Wed Aug 31 12:17:16.553484 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=
[Wed Aug 31 12:17:16.553539 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=
[Wed Aug 31 12:17:16.553720 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Running kinit with credentials of AD administrator
[Wed Aug 31 12:17:16.553893 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Starting external process
[Wed Aug 31 12:17:16.553951 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kinit Administrator@ROOT-DOM.AD.FOREST.TEST <-- *should be TREE-DOM.AD.FOREST.TEST
[Wed Aug 31 12:17:17.397022 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=1
[Wed Aug 31 12:17:17.397298 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=Password for Administrator@ROOT-DOM.AD.FOREST.TEST:
[Wed Aug 31 12:17:17.397307 2016] [wsgi:error] [pid 75094]
[Wed Aug 31 12:17:17.397367 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=kinit: Password incorrect while getting initial credentials
[Wed Aug 31 12:17:17.397375 2016] [wsgi:error] [pid 75094]
[Wed Aug 31 12:17:17.399233 2016] [wsgi:error] [pid 75094] ipa: INFO: [jsonserver_session] admin@IPA.TEST: trust_add/1(u'tree-dom.ad.forest.test', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, external=True, version=u'2.212'): SUCCESS
}}}

Steps to reproduce:

1.) Setup an AD forest of at least two domains (root-tree, or root-child) and make sure that domain Admins have different passwords

2.) Install FreeIPA server and run ipa-adtrust-install

3.) Try to establish external trust to the tree or child domain of the forest

{{{
ipa trust-add AD.TREE.DOMAIN --external=True --two-way=True --admin Administrator
}}}

Expected results:

The trust is added and all domain info is retrieved correctly

Actual results:

Fetching trusted domain info fails and the httpd error log contains an unsuccessful kinit as root domain administrator
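The principal-selection defect described above, plus a log check for it, as an added example that is not FreeIPA's own code: `admin_principal` builds the principal that `trust-add` would kinit as (with `fixed=False` reproducing the forest-root realm bug), and `audit_kinit_realm` scans httpd error-log lines for a kinit against a realm other than the trusted domain. The log lines and domain names are constructed to mirror the ones quoted in the report.

```python
"""Added example (not FreeIPA code): realm selection for the AD admin
principal used by trust-add, and an audit of httpd error-log lines."""
import re

# Constructed sample, mirroring the report's log: kinit was run against the
# forest root realm although the trust is being added to the tree domain.
SAMPLE_LOG = """\
[Wed Aug 31 12:17:16.553720 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Running kinit with credentials of AD administrator
[Wed Aug 31 12:17:16.553951 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kinit Administrator@ROOT-DOM.AD.FOREST.TEST
[Wed Aug 31 12:17:17.397367 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=kinit: Password incorrect while getting initial credentials
"""

# Matches the "args=/usr/bin/kinit user@REALM" debug line written by ipa.
KINIT_RE = re.compile(r"args=/usr/bin/kinit\s+([^@\s]+)@(\S+)")


def admin_principal(admin_name, trusted_domain, forest_root, fixed=True):
    """Return the Kerberos principal trust-add will obtain a TGT for.

    An admin name that already carries a realm is used as given. A bare
    name must be qualified with the realm of the domain being trusted;
    fixed=False reproduces the defect, qualifying it with the forest root
    (wrong password, kinit fails, domain info cannot be fetched).
    """
    if "@" in admin_name:
        return admin_name
    realm = trusted_domain if fixed else forest_root
    return f"{admin_name}@{realm.upper()}"


def audit_kinit_realm(log_text, trusted_domain):
    """Scan httpd error-log text for kinit calls made while adding a trust
    to trusted_domain and report any whose realm is not that domain.

    Returns a list of (principal, note) tuples; an empty list means every
    kinit in the log targeted the expected realm.
    """
    expected = trusted_domain.upper()
    findings = []
    for line in log_text.splitlines():
        match = KINIT_RE.search(line)
        if not match:
            continue
        user, realm = match.group(1), match.group(2)
        if realm.upper() != expected:
            findings.append((f"{user}@{realm}", f"expected realm {expected}"))
    return findings
```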

Comment 1 Martin Bašti 2016-08-31 13:09:05 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f32e0e4e522e09390f4295dd79f52d7a48877d3a

Comment 4 Sudhir Menon 2016-09-15 14:34:15 UTC
Tested on RHEL7.3 using

ipa-server-trust-ad-4.4.0-11.el7.x86_64
ipa-server-4.4.0-11.el7.x86_64

1. The Domain Admins (administrator) account has different passwords for test.qa and chd.pne.qe in the test env.

Actual Steps:-
1. External trust to tree-root domain
[root@master ~]# ipa trust-add --two-way=true --external=true
Realm name: test.qa
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

2. External trust to child domain
[root@master ~]# ipa trust-add --two-way=true --external=true
Realm name: chd.pne.qe
Active Directory domain administrator: Administrator  
Active Directory domain administrator's password: 
---------------------------------------------------
Added Active Directory trust for realm "chd.pne.qe"
---------------------------------------------------
  Realm name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

[root@master ~]# ipa trustdomain-find
Realm name: chd.pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# ipa trustdomain-find
Realm name: test.qa
  Domain name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

Note: ipa trust-fetch-domains already has a bug #1375269 which will be verified once that is fixed.

Comment 5 Sudhir Menon 2016-09-16 19:13 UTC
Created attachment 1201793 [details]
http error log

1. [root@master httpd]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  UPN suffixes: qa.org
----------------------------
Number of entries returned 1
----------------------------

1. [root@master httpd]# ipa trust-fetch-domains
Realm name: test.qa
--------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
--------------------------------------------------------------------------------
Number of entries returned 0
----------------------------

2. The attached httpd error log does not contain an unsuccessful kinit as root domain administrator

Comment 6 Sudhir Menon 2016-09-16 19:14:50 UTC
Verified on RHEL7.3 using
ipa-server-4.4.0-12.el7.x86_64
ipa-server-trust-ad-4.4.0-12.el7.x86_64

Comment 8 errata-xmlrpc 2016-11-04 06:02:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

