URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: opened
PR body: """ This pull request prepares SSSD ipa provider to support IPA in trust to Samba AD but the same changes are needed for a properly working bi-directional trust against Microsoft AD as well. To make everything fully working, one needs patches against FreeIPA too but SSSD changes are isolated.
@sumit-bose @jhrozek please review.
1. When IPA establishes a trust to an Active Directory forest, a number of special objects are created in a subtree of `cn=trusts,$SUFFIX`. These objects represent Kerberos principals for trusted domain objects (TDOs) used for both incoming and outgoing trusts. For bi-directional trust there is a requirement that one of them (`<REMOTE FLAT NAME>$@<OUR REALM>`) must have a POSIX identity because a remote domain controller will use it to authenticate against smbd running on IPA master.
SSSD only looks for user accounts in `cn=accounts,$SUFFIX`, so an attempt by smbd to resolve this principal name as a POSIX user via `getpwnam()` will fail. And the reason why smbd behaves this way is due to the fact that a Kerberos ticket used for authentication contains no MS-PAC record, thus not allowing Samba to build a local security token it needs. This is expected for the authentication using TDO account as it is used for bootstrapping reasons (AD DC couldn't create and sign MS-PAC record for an account in IPA realm) but the side effect is that TDO object must be known as a POSIX account on IPA master.
Thus, we extend user search base in IPA provider to search in both `cn=accounts,$SUFFIX` and `cn=trusts,$SUFFIX`. Changes on FreeIPA side will handle access controls and generation of the POSIX information for the TDO accounts.
2. For a long time we relied on using cross-realm TGTs to talk to Active Directory domain controllers (LDAP and GC services) in case of bi-directional trust. Unfortunately, this is not something we can continue using as there are multiple reasons such access can be denied by a trusted AD side, including SID filtering and other security measurements. It also happens that right now Samba AD in Fedora has a bug in handling a cross-realm TGT generated by the FreeIPA KDC. As a result, while technically IPA could establish a bi-directional trust to Samba AD, it does not work as any SSSD attempt to connect to AD DCs via LDAP with GSSAPI will fail (Samba AD DC answers error with PROCESS_TGS message on Kerberos level and authentication fails).
For this reason, we should remove any distinction when using bi-directional trust and simply always use a special keytab with a TDO object as we do in uni-directional trust case. While a more generic Kerberos authentication will not work in the outbound direction, SSSD will be able to resolve users/groups. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/522/head:pr522
git checkout pr522
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
centos-ci commented: """ Can one of the admins verify this patch? """
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-367925813
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
centos-ci commented: """ Can one of the admins verify this patch? """
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-367925811
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
sumit-bose commented: """ ok to test
"""
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-367938353
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
jhrozek commented: """ I only scrolled through the patches, I must admit I didn't do any testing yet.
For the search bases, I would just appreciate more descriptive variable names than value/value2.
Is the TDO lookup something that also the clients do or only masters do? The first patch touches both cases, but I think it might improve performance if we only set multiple search bases on the IPA servers. In general I'm somewhat concerned about performance implications because two search bases mean that anything that doesn't hit the first search base also hits the second one. And in the typical case, this might be either local users (because of the way libc behaves, it tries to find group memberships across all databases) or, in case of trusts, we first try to match a name against the ID views before the trusted domain, now we'd have to try for the ID view in two bases. This is OK if it's done only on the master, but if this was done on the clients as well, I wonder if we had to improve the heuristics or add a filter to the search base.
btw is adding the filter something we should do anyway to speed up the lookup? In this case, we do know what the server is, so we might as well ask the 389 developers if they have any recommendation.
About the keytab patch, this really needs careful testing. At the very least, we also have codepaths for one-way or two-way trusts that also set different options (I guess that's where the principal and the keytab get propagated into the low-level sdap code). Did you test the lookups with both one-way and two-way trusts after the change or would you prefer if I (or someone else, see below) try to run the available tests?
Finally, please note I'll be mostly away much of the next week -- I hope others can chime in as well if this PR is urgent, otherwise I'll see what I can do. """
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-368657139
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: synchronized
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: synchronized
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
abbra commented: """ @jhrozek @sumit-bose I've updated the patches to address Jakub's comments. TDO lookup should only be performed in the server mode, so I added that. At the server side there will be ACIs limiting this access to `cn=adtrust agents` members (e.g. SSSD and smbd on IPA masters) only. I also added a filter `(objectclass=ipaIDObject)` which will be used by the TDO objects.
I'm going to test it more extensively today. """
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-369189670
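As an added example (not code from SSSD or from this pull request), a small Python model of the search-base behaviour described in point 1 of the PR body and refined in the comment above: the user lookup consults cn=users,cn=accounts,$SUFFIX first and, only in IPA server mode, cn=trusts,$SUFFIX restricted by (objectclass=ipaIDObject). The suffix, the user alice and the TDO account WIN$ are constructed names.

```python
# Added example, not SSSD code: models the search-base change from this PR.
# In IPA server mode the user lookup consults cn=users,cn=accounts,$SUFFIX
# first and then cn=trusts,$SUFFIX restricted to ipaIDObject entries, so a
# TDO account such as WIN$ resolves only on masters. Names are constructed.
from dataclasses import dataclass
from typing import Optional

SUFFIX = "dc=ipa,dc=example"  # constructed IPA suffix

@dataclass
class SearchBase:
    basedn: str
    filter_class: Optional[str] = None  # extra objectclass filter, if any

def user_search_bases(server_mode: bool):
    """Primary user base always; the trusts base only on IPA masters."""
    bases = [SearchBase(f"cn=users,cn=accounts,{SUFFIX}")]
    if server_mode:
        bases.append(SearchBase(f"cn=trusts,{SUFFIX}", "ipaIDObject"))
    return bases

def ldap_filter(base: SearchBase, name: str) -> str:
    """Filter sent for this base; the trusts base ANDs in the objectclass."""
    term = f"(uid={name})"
    return f"(&{term}(objectclass={base.filter_class}))" if base.filter_class else term

# Constructed directory content: (dn, objectclasses, uid)
DIRECTORY = [
    (f"uid=alice,cn=users,cn=accounts,{SUFFIX}", {"posixAccount"}, "alice"),
    (f"cn=WIN$,cn=ad,cn=trusts,{SUFFIX}", {"ipaIDObject", "posixAccount"}, "WIN$"),
    (f"cn=ad.example,cn=ad,cn=trusts,{SUFFIX}", {"ipaNTTrustedDomain"}, None),
]

def lookup_user(name: str, server_mode: bool):
    """getpwnam-style lookup; returns (dn or None, number of bases consulted).

    A miss in the first base always costs a second search on masters, which
    is the performance point raised in review; the objectclass filter keeps
    that second search from matching non-TDO entries under cn=trusts."""
    consulted = 0
    for base in user_search_bases(server_mode):
        consulted += 1
        for dn, classes, uid in DIRECTORY:
            if not dn.endswith("," + base.basedn):
                continue  # entry outside this search base
            if base.filter_class and base.filter_class not in classes:
                continue  # filtered out by (objectclass=...)
            if uid == name:
                return dn, consulted
    return None, consulted
```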
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: synchronized
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: synchronized
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
abbra commented: """ @jhrozek, @sumit-bose I've updated this pull request with new code that adds a missing `cn=trusts,$SUFFIX` base after a user base is parsed. I find this approach cleaner than the previous one and it also avoids issues with parsing the option.
To test it, you need my https://github.com/abbra/freeipa/tree/trust-one-way-improvements FreeIPA branch. With the SSSD changes from this pull request and FreeIPA patches from trust-one-way-improvements branch I'm able to establish:
- one way trust with shared secret from Windows Server side
- trust to Samba AD
So I guess this is actually a good start.
A draft design page is https://cloud.vda.li/hackmd/s/Sy-rkrU-7 """
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-401338875
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
abbra commented: """ @jhrozek ping, is it possible to review this pull request? """
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-403373886
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
Label: +Accepted
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
jhrozek commented: """ coverity and CI did not find any issues -> +Accepted """
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-405346482
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
jhrozek commented: """ * master: 14faec9cd9437ef116ae054412d25ec2e820e409 0648053a7c99de5148c4cffea68c47a3f660303d """
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-406293423
URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: closed
URL: https://github.com/SSSD/sssd/pull/522 Title: #522: Prepare SSSD to support IPA in trust to Samba AD
Label: +Pushed
sssd-devel@lists.fedorahosted.org