This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/6277

When establishing an external trust and specifying the domain Admin's name without a realm component, the credential generation code erroneously selects the forest root domain name as the realm component of the domain admin account name. If the domain admins use separate account passwords (as is usually the case in real-life deployments), `trust-add` tries to fetch trusted domain info using the wrong credentials and thus fails to authenticate against the DCs of the trusted domain:

{{{
s4_tevent: Destroying timer event 0x7f72ce7153f0 "tevent_req_timedout"
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
    command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
    sbz                      : 0x0000 (0)
    server_type              : 0x0000f1fd (61949)
           1: NBT_SERVER_PDC
           1: NBT_SERVER_GC
           1: NBT_SERVER_LDAP
           1: NBT_SERVER_DS
           1: NBT_SERVER_KDC
           1: NBT_SERVER_TIMESERV
           1: NBT_SERVER_CLOSEST
           1: NBT_SERVER_WRITABLE
           0: NBT_SERVER_GOOD_TIMESERV
           0: NBT_SERVER_NDNC
           0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
           1: NBT_SERVER_FULL_SECRET_DOMAIN_6
           1: NBT_SERVER_ADS_WEB_SERVICE
           1: NBT_SERVER_DS_8
           0: NBT_SERVER_HAS_DNS_NAME
           0: NBT_SERVER_IS_DEFAULT_NC
           0: NBT_SERVER_FOREST_ROOT
    domain_uuid              : c3374e8b-8a15-45d2-a518-325a2886e2e3
    forest                   : 'root-dom.ad.forest.test'
    dns_domain               : 'tree-dom.ad.forest.test'
    pdc_dns_name             : 'adtree.tree-dom.ad.forest.test'
    domain_name              : 'TREE-DOM'
    pdc_name                 : 'ADTREE'
    user_name                : ''
    server_site              : 'Default-First-Site-Name'
    client_site              : 'Default-First-Site-Name'
    sockaddr_size            : 0x00 (0)
    sockaddr: struct nbt_sockaddr
        sockaddr_family          : 0x00000000 (0)
        pdc_ip                   : (null)
        remaining                : DATA_BLOB length=0
    next_closest_site        : NULL
    nt_version               : 0x00000005 (5)
           1: NETLOGON_NT_VERSION_1
           0: NETLOGON_NT_VERSION_5
           1: NETLOGON_NT_VERSION_5EX
           0: NETLOGON_NT_VERSION_5EX_WITH_IP
           0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
           0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
           0: NETLOGON_NT_VERSION_PDC
           0: NETLOGON_NT_VERSION_IP
           0: NETLOGON_NT_VERSION_LOCAL
           0: NETLOGON_NT_VERSION_GC
    lmnt_token               : 0xffff (65535)
    lm20_token               : 0xffff (65535)
finddcs: Found matching DC 2620:52:0:224e:21a:4aff:fe23:1596 with server_type=0x0000f1fd
[Wed Aug 31 12:17:16.535749 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Destroying the contents of the separate ccache
[Wed Aug 31 12:17:16.536234 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Starting external process
[Wed Aug 31 12:17:16.536306 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kdestroy -A -c /var/run/ipa_memcached/krbcc_TDAtree-dom.ad.forest.test
[Wed Aug 31 12:17:16.553353 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=0
[Wed Aug 31 12:17:16.553484 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=
[Wed Aug 31 12:17:16.553539 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=
[Wed Aug 31 12:17:16.553720 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Running kinit with credentials of AD administrator
[Wed Aug 31 12:17:16.553893 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Starting external process
[Wed Aug 31 12:17:16.553951 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kinit Administrator.FOREST.TEST   <-- *should be TREE-DOM.AD.FOREST.TEST
[Wed Aug 31 12:17:17.397022 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=1
[Wed Aug 31 12:17:17.397298 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=Password for Administrator.FOREST.TEST:
[Wed Aug 31 12:17:17.397307 2016] [wsgi:error] [pid 75094]
[Wed Aug 31 12:17:17.397367 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=kinit: Password incorrect while getting initial credentials
[Wed Aug 31 12:17:17.397375 2016] [wsgi:error] [pid 75094]
[Wed Aug 31 12:17:17.399233 2016] [wsgi:error] [pid 75094] ipa: INFO: [jsonserver_session] admin: trust_add/1(u'tree-dom.ad.forest.test', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, external=True, version=u'2.212'): SUCCESS
}}}

Steps to reproduce:

1.) Set up an AD forest of at least two domains (root-tree, or root-child) and make sure that the domain Admins have different passwords
2.) Install FreeIPA server and run ipa-adtrust-install
3.) Try to establish an external trust to the tree or child domain of the forest
{{{
ipa trust-add AD.TREE.DOMAIN --external=True --two-way=True --admin Administrator
}}}

Expected results:
The trust is added and all domain info is retrieved correctly

Actual results:
Fetching trusted domain info fails and the httpd error log contains an unsuccessful kinit as the root domain administrator
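A small check, added here as an illustration and not part of FreeIPA or of this report, that builds the principal `trust-add` should have used for a bare admin name and scans httpd error_log lines for a kinit issued under a different realm than the trusted domain named in the `trust_add` call. The log lines are constructed after the excerpt above, and the `user@REALM` principal form is an assumption (the report's rendering shows "Administrator.FOREST.TEST").

```python
import re

# Constructed sample modelled on the httpd error_log excerpt in this report.
# The user@REALM form of the kinit argument is an assumption.
SAMPLE_LOG = """\
[Wed Aug 31 12:17:16.553951 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kinit Administrator@ROOT-DOM.AD.FOREST.TEST
[Wed Aug 31 12:17:17.397022 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=1
[Wed Aug 31 12:17:17.397367 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=kinit: Password incorrect while getting initial credentials
[Wed Aug 31 12:17:17.399233 2016] [wsgi:error] [pid 75094] ipa: INFO: [jsonserver_session] admin: trust_add/1(u'tree-dom.ad.forest.test', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, external=True, version=u'2.212'): SUCCESS
"""

KINIT_RE = re.compile(r"args=/usr/bin/kinit (\S+)")
TRUST_ADD_RE = re.compile(r"trust_add/\d+\(u'([^']+)', realm_admin=u'([^']+)'")


def expected_admin_principal(realm_admin, trusted_domain):
    """Principal trust-add should authenticate with.

    A bare admin name belongs to the trusted domain itself, never to the
    forest root (the mistake this bug describes). A name that already
    carries a realm (user@REALM) is kept, with the realm upper-cased as
    Kerberos expects.
    """
    if "@" in realm_admin:
        user, realm = realm_admin.rsplit("@", 1)
        return "%s@%s" % (user, realm.upper())
    return "%s@%s" % (realm_admin, trusted_domain.upper())


def find_wrong_realm_kinits(log_text):
    """Return (actual, expected) pairs for each kinit in the log whose realm
    differs from the trusted domain of the trust_add call it served."""
    targets = [expected_admin_principal(admin, domain)
               for domain, admin in TRUST_ADD_RE.findall(log_text)]
    findings = []
    for principal in KINIT_RE.findall(log_text):
        user = principal.split("@", 1)[0]
        # Only compare against targets for the same user name.
        expected = [t for t in targets if t.split("@", 1)[0] == user]
        if expected and principal not in expected:
            findings.append((principal, expected[0]))
    return findings


if __name__ == "__main__":
    for actual, wanted in find_wrong_realm_kinits(SAMPLE_LOG):
        print("kinit used %s, trust-add should have used %s" % (actual, wanted))
```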
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f32e0e4e522e09390f4295dd79f52d7a48877d3a
Tested on RHEL7.3 using
ipa-server-trust-ad-4.4.0-11.el7.x86_64
ipa-server-4.4.0-11.el7.x86_64

1. The DomainAdmins (administrator) account has different passwords for test.qa and chd.pne.qe in the test env.

Actual Steps:-

1. External trust to tree-root domain
{{{
[root@master ~]# ipa trust-add --two-way=true --external=true
Realm name: test.qa
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified
}}}

2. External trust to child domain
{{{
[root@master ~]# ipa trust-add --two-way=true --external=true
Realm name: chd.pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password:
---------------------------------------------------
Added Active Directory trust for realm "chd.pne.qe"
---------------------------------------------------
  Realm name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

[root@master ~]# ipa trustdomain-find
Realm name: chd.pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# ipa trustdomain-find
Realm name: test.qa
  Domain name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
}}}

Note: ipa trust-fetch-domains already has a bug #1375269 which will be verified once that is fixed.
Created attachment 1201793: http error log

1.
{{{
[root@master httpd]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  UPN suffixes: qa.org
----------------------------
Number of entries returned 1
----------------------------
}}}

1.
{{{
[root@master httpd]# ipa trust-fetch-domains
Realm name: test.qa
--------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
--------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
}}}

2. The attached httpd error log does not contain an unsuccessful kinit as root domain administrator
Verified on RHEL73 using ipa-server-4.4.0-12.el7.x86_64 ipa-server-trust-ad-4.4.0-12.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html