Created attachment 11036 [details] Proposed patch against v4-2-test Description of problem: With upgrade to Samba 4.2.1 previously working trusts to AD feature of FreeIPA no longer works. There are multiple changes in Samba 4.2.1 on protocol level and handling of authentication that caused FreeIPA Python code to fail. Namely, underlying Samba code considers a DCE RPC connection authenticated using Kerberos credentials obtained via S4U2Proxy mechanism still to be anonymous and therefore is unable to derive a session key out of Krb5 session. This breaks communication from FreeIPA web server to local smbd process where we operate under credentials of an admin which were given to us through S4U2Proxy. DCE RPC (LSA RPC in this case) session key is essential to encrypt trust secrets for cross realm trust. Unavailability of the session key breaks the process to establish the trust. Version-Release number of selected component (if applicable): samba-4.2.1-7.fc22 How reproducible: Always Steps to Reproduce: 1. Install FreeIPA: freeipa-server, freeipa-server-trust-ad (and other packages if integrated DNS server is required) 2. Deploy FreeIPA with ipa-server-install and further configure it to work with AD: ipa-adtrust-install 3. Attempt to configure trust: ipa trust-add ad.test --admin Administrator --password 4. Observe failure Actual results: # echo Test1234|ipa trust-add ad.test --admin Administrator --password ipa: ERROR: CIFS server communication error: code "-1073741776", message "An invalid combination of parameters was specified." (both may be "None") e.g. samba returns NT_STATUS_INVALID_PARAMETER_MIX. in /var/log/httpd/error_log: [Wed Apr 29 17:17:34.763163 2015] [wsgi:error] [pid 15115] ipa: INFO: [jsonserver_session] admin@T.VDA.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): RemoteRetrieveError Expected results: # echo Test1234|ipa trust-add ad.test --admin Administrator --password ---------------------------------------- Re-established trust to domain "ad.test" ---------------------------------------- Realm name: ad.test Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-2275361654-3393353068-3720134936 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified In /var/log/httpd/error_log: [Fri May 08 11:56:15.979347 2015] [wsgi:error] [pid 7359] ipa: INFO: [jsonserver_session] admin@T.VDA.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): SUCCESS Note that even with the proposed patch to Samba we need to update FreeIPA code to consider more pipe binding options. I filed a bug https://bugzilla.redhat.com/show_bug.cgi?id=1219834 to handle that.
Andrew, can you please review the patch.
Created attachment 11064 [details] update patch Updated patch after discussion with Andrew -- we want to check principal for both Kerberos and NTLMSSP cases.
Comment on attachment 11064 [details] update patch Maybe metze can take a look, with extra please :)
Comment on attachment 11064 [details] update patch Can you cherry-pick -x the commit from master?
That's the problem -- nobody pushed the patch so I'd love to see you finally reviewing and pushing it.
Comment on attachment 11064 [details] update patch looks good to me please push to master with my review and a BUG: reference
Comment on attachment 11064 [details] update patch LGTM
Created attachment 11261 [details] version for v4-2-test Patch cherry-picked from master is attached.
Pushed to autobuild-v4-2-test.
(In reply to Karolin Seeger from comment #9) Pushed to v4-2-test. Closing out bug report. Thanks!