1891056 – ipa-kdb: support subordinate/superior UPN suffixes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1891056 - ipa-kdb: support subordinate/superior UPN suffixes

Summary: ipa-kdb: support subordinate/superior UPN suffixes

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Thomas Woerner
QA Contact:	ipa-qe
Docs Contact:	Josip Vilicic
URL:
Whiteboard:
Depends On:
Blocks:	1914823 1914824
TreeView+	depends on / blocked

Reported:	2020-10-23 17:16 UTC by Thorsten Scherf
Modified:	2023-12-15 19:54 UTC (History)
CC List:	11 users (show)
Fixed In Version:	ipa-4.9.0-0.2.rc2
Doc Type:	Enhancement
Doc Text:	.AD users can now log in to IdM with UPN suffixes subordinate to known UPN suffixes Previously, Active Directory (AD) users could not log into Identity Management (IdM) with a Universal Principal Name (UPN) (for example, `sub1.ad-example.com`) that is a subdomain of a known UPN suffix (for example, `ad-example.com`) because internal Samba processes filtered subdomains as duplicates of any Top Level Names (TLNs). This update validates UPNs by testing if they are subordinate to the known UPN suffixes. As a result, users can now log in using subordinate UPN suffixes in the described scenario.
Clone Of:
Clones:	1914823 1914824 (view as bug list)
Environment:
Last Closed:	2021-05-18 15:48:21 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Fedora Pagure	freeipa issue 8554	0	None	None	None	2020-10-23 17:41:33 UTC

Description Thorsten Scherf 2020-10-23 17:16:41 UTC

Description of problem:
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

fabrikam.com
sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
6.1.6.9.3.2 Building Well-Formed msDS-TrustForestTrustInfo Messages
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/2994b19c-04ff-430d-b788-c82d334b31bc

Comment 1 Thorsten Scherf 2020-10-23 17:35:30 UTC

https://github.com/freeipa/freeipa/pull/5206

Comment 2 Rob Crittenden 2020-10-23 17:39:54 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/8554

Comment 3 Rob Crittenden 2020-10-26 19:56:04 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/8b6d1ab854387840f7526d6d59ddc7102231957f

Comment 6 Rob Crittenden 2020-10-28 15:20:18 UTC

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/1f0702bf9231a4898a2d58325fc51c71fea25047

Comment 9 Alexander Bokovoy 2020-11-26 10:03:18 UTC

Additional commits:
commit 442038c41aef9ce07d0491a08bec406ede5f6686
Author: Sudhir Menon <sumenon>
Date:   Wed Nov 11 14:55:32 2020 +0530

    ipatests: support subordinate upn suffixes
    
    This test adds new UPN Suffix on the AD side
    within the ad.test subtree i.e new.ad.test and this
    UPN is then assigned to aduser and then try to
    kinit using aduser along with the UPN set, to ensure
    that the kinit succeeds
    
    Signed-off-by: Sudhir Menon <sumenon>
    Reviewed-By: Alexander Bokovoy <abokovoy>

commit 0da6a57b406f538edf187c44760885c237261183
Author: Alexander Bokovoy <abokovoy>
Date:   Tue Nov 24 16:03:36 2020 +0200

    ad trust: accept subordinate domains of the forest trust root
    
    Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
    subordinate UPN suffixes but missed the case where subordinate UPN is a
    subdomain of the forest root domain and not mentioned in the UPN
    suffixes list.
    
    Correct this situation by applying the same check to the trusted domain
    name as well.
    
    Fixes: https://pagure.io/freeipa/issue/8554
    Signed-off-by: Alexander Bokovoy <abokovoy>
    Reviewed-By: Alexander Bokovoy <abokovoy>


Fixed upstream
master:
https://pagure.io/freeipa/c/442038c41aef9ce07d0491a08bec406ede5f6686
https://pagure.io/freeipa/c/0da6a57b406f538edf187c44760885c237261183

Comment 11 Florence Blanc-Renaud 2020-11-26 13:16:30 UTC

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/d5cca835d5439331c05475d0ad2f993ac6f8b615
https://pagure.io/freeipa/c/6b224e57672e3f73f93bb9eddd9031e945529a1e

Comment 12 Florence Blanc-Renaud 2020-11-26 15:32:25 UTC

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/7e605e958ef6d41584afc238433669c15458ac67
https://pagure.io/freeipa/c/381cc5e8eae1b7437fc15cb699983887d398f498

Comment 21 errata-xmlrpc 2021-05-18 15:48:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

Note You need to log in before you can comment on or make changes to this bug.