Bug 11265 - Samba 4.2 broke FreeIPA trusts to AD
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.2.1
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact

Reported: 2015-05-08 12:35 UTC by Alexander Bokovoy
Modified: 2015-07-21 14:36 UTC
CC: 3 users
Flags: ab: review? (abartlet)

Attachments:
  Proposed patch against v4-2-test (attachment 11036; 1.15 KB, patch), 2015-05-08 12:35 UTC, Alexander Bokovoy. Flags: none
  update patch (attachment 11064; 1.08 KB, patch), 2015-05-18 12:26 UTC, Alexander Bokovoy. Flags: ab: review? (abartlet); metze: review+; gd: review+
  version for v4-2-test (attachment 11261; 1.43 KB, patch), 2015-07-15 14:45 UTC, Alexander Bokovoy. Flags: metze: review+

Description Alexander Bokovoy 2015-05-08 12:35:09 UTC
Created attachment 11036
Proposed patch against v4-2-test

Description of problem:
With the upgrade to Samba 4.2.1, the previously working trusts-to-AD feature of FreeIPA no longer works. There are multiple changes in Samba 4.2.1 at the protocol level and in the handling of authentication that caused the FreeIPA Python code to fail.

Namely, the underlying Samba code still considers a DCE RPC connection authenticated using Kerberos credentials obtained via the S4U2Proxy mechanism to be anonymous and is therefore unable to derive a session key from the Krb5 session.

This breaks communication from the FreeIPA web server to the local smbd process, where we operate under the credentials of an admin which were given to us through S4U2Proxy.

The DCE RPC (LSA RPC in this case) session key is essential to encrypt trust secrets for the cross-realm trust. Unavailability of the session key breaks the process of establishing the trust.

Version-Release number of selected component (if applicable):
samba-4.2.1-7.fc22

How reproducible:
Always

Steps to Reproduce:
1. Install FreeIPA: freeipa-server, freeipa-server-trust-ad (and other packages if the integrated DNS server is required)
2. Deploy FreeIPA with ipa-server-install and further configure it to work with AD: ipa-adtrust-install
3. Attempt to configure trust: ipa trust-add ad.test --admin Administrator --password
4. Observe failure

Actual results:
# echo Test1234|ipa trust-add ad.test --admin Administrator --password
ipa: ERROR: CIFS server communication error: code "-1073741776",
                  message "An invalid combination of parameters was specified." (both may be "None")

i.e. Samba returns NT_STATUS_INVALID_PARAMETER_MIX.
in /var/log/httpd/error_log:
[Wed Apr 29 17:17:34.763163 2015] [wsgi:error] [pid 15115] ipa: INFO: [jsonserver_session] admin@T.VDA.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): RemoteRetrieveError


Expected results:
# echo Test1234|ipa trust-add ad.test --admin Administrator --password

----------------------------------------
Re-established trust to domain "ad.test"
----------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2275361654-3393353068-3720134936
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

In /var/log/httpd/error_log:
[Fri May 08 11:56:15.979347 2015] [wsgi:error] [pid 7359] ipa: INFO: [jsonserver_session] admin@T.VDA.LI: trust_add(u'ad.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.116'): SUCCESS

Note that even with the proposed patch to Samba we need to update the FreeIPA code to consider more pipe binding options. I filed a bug https://bugzilla.redhat.com/show_bug.cgi?id=1219834 to handle that.
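Why the missing session key is fatal, as an added illustration that is not FreeIPA or Samba code: Samba's LSA server handles the LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL blob passed to lsa.CreateTrustedDomainEx2 by RC4-decrypting it with the session key of the authenticated DCE RPC bind (arcfour_crypt_blob) and then NDR-unpacking a trustDomainPasswords structure that begins with a 512-byte random confounder. The script below reproduces that framing on both sides of the call with an inline RC4 and a placeholder in place of the NDR-packed trustAuthInOutBlob structures; the function names, the NoSessionKey exception, the constructed 16-byte key and the payload bytes are assumptions for the example. A bind that Samba classifies as anonymous yields no session key, so the client cannot even build the blob, which is the failure mode this report describes.

```python
"""Why the LSA RPC session key is needed to create an AD trust.

Samba's LSA server handles the LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL
blob of lsa.CreateTrustedDomainEx2 by RC4-decrypting it with the session key
of the authenticated DCE RPC bind (arcfour_crypt_blob) and then NDR-unpacking
a trustDomainPasswords structure, which starts with a 512-byte random
confounder.  A bind that is (mis)classified as anonymous has no session key,
so the client cannot build the blob at all.

Added illustration, not FreeIPA or Samba code.  RC4 is implemented inline;
the payload stands in for the NDR-packed trustAuthInOutBlob structures and
is not real NDR.  Function names and the sample key are assumptions.
"""
import os
from typing import Optional

CONFOUNDER_LEN = 512  # size of trustDomainPasswords.confounder in Samba's lsa.idl


class NoSessionKey(Exception):
    """The RPC connection yielded no session key (e.g. an anonymous bind)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def seal_trust_passwords(session_key: Optional[bytes], packed_passwords: bytes,
                         confounder: Optional[bytes] = None) -> bytes:
    """Client side: RC4(session_key, confounder || packed_passwords).

    session_key is what the authenticated DCE RPC bind hands out; None models
    this bug, where the Kerberos (S4U2Proxy) bind was treated as anonymous.
    """
    if not session_key:
        raise NoSessionKey("no DCE RPC session key: bind treated as anonymous")
    if confounder is None:
        confounder = os.urandom(CONFOUNDER_LEN)
    if len(confounder) != CONFOUNDER_LEN:
        raise ValueError("confounder must be exactly %d bytes" % CONFOUNDER_LEN)
    return rc4(session_key, confounder + packed_passwords)


def open_trust_passwords(session_key: Optional[bytes], blob: bytes) -> bytes:
    """Server side: decrypt with the same session key and strip the confounder."""
    if not session_key:
        raise NoSessionKey("no DCE RPC session key on the server side")
    plain = rc4(session_key, blob)
    if len(plain) < CONFOUNDER_LEN:
        raise ValueError("blob is shorter than the confounder")
    return plain[CONFOUNDER_LEN:]


if __name__ == "__main__":
    key = bytes(range(16))  # constructed stand-in for the Krb5-derived session key
    passwords = b"<NDR-packed trustAuthInOutBlob placeholder>"  # constructed payload
    blob = seal_trust_passwords(key, passwords)
    assert open_trust_passwords(key, blob) == passwords
    try:
        seal_trust_passwords(None, passwords)  # anonymous bind: no key available
    except NoSessionKey as err:
        print("cannot encrypt trust secrets:", err)
```

RC4 keyed directly with the session key gives confidentiality only as good as the bind that produced the key and adds no integrity of its own, so the protection of the trust passwords rests on the bind being properly authenticated (and on the transport seal when a privacy level is negotiated). That is why a server that silently downgrades a Kerberos bind to anonymous cannot simply hand out a fallback key: with no authenticated peer there is no key that would be secret to the two parties.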
Comment 1 Alexander Bokovoy 2015-05-18 11:29:29 UTC
Andrew, can you please review the patch?
Comment 2 Alexander Bokovoy 2015-05-18 12:26:04 UTC
Created attachment 11064
update patch

Updated patch after discussion with Andrew -- we want to check principal for both Kerberos and NTLMSSP cases.
Comment 3 Andreas Schneider 2015-07-14 12:50:13 UTC
Comment on attachment 11064 (update patch)

Maybe metze can take a look, with extra please :)
Comment 4 Stefan Metzmacher 2015-07-14 13:31:48 UTC
Comment on attachment 11064 (update patch)

Can you cherry-pick -x the commit from master?
Comment 5 Alexander Bokovoy 2015-07-14 14:28:36 UTC
That's the problem -- nobody pushed the patch so I'd love to see you finally reviewing and pushing it.
Comment 6 Stefan Metzmacher 2015-07-14 19:58:14 UTC
Comment on attachment 11064 (update patch)

Looks good to me, please push to master with my review and a BUG: reference.
Comment 7 Guenther Deschner 2015-07-15 10:53:00 UTC
Comment on attachment 11064 (update patch)

LGTM
Comment 8 Alexander Bokovoy 2015-07-15 14:45:48 UTC
Created attachment 11261
version for v4-2-test

Patch cherry-picked from master is attached.
Comment 9 Karolin Seeger 2015-07-16 09:47:42 UTC
Pushed to autobuild-v4-2-test.
Comment 10 Karolin Seeger 2015-07-21 14:36:35 UTC
(In reply to Karolin Seeger from comment #9)
Pushed to v4-2-test.
Closing out bug report.

Thanks!