Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1345975
Description of problem: Access Denied error when created a one-way trust using a trust-secret and attempting to validate on the Active Directory side (last step of trust procedure). Version-Release number of selected component (if applicable): ipa-server-trust-ad-4.2.0-15.el7_2.15.x86_64 ipa-python-4.2.0-15.el7_2.15.x86_64 ipa-admintools-4.2.0-15.el7_2.15.x86_64 ipa-server-4.2.0-15.el7_2.15.x86_64 ipa-client-4.2.0-15.el7_2.15.x86_64 Red Hat Enterprise Linux Server release 7.2 (Maipo) How reproducible: Very Steps to Reproduce: 1.The documentation advises to create the trust on the windows side with these steps: The Trust Type is Forest trust. The Direction of Trust is One-way. The Sides of Trust is This domain only. The Outgoing Trust Authentication Level is Forest-wide authentication.(not this option does not exist on a one-way trust as noted in the document) Set the Trust Password. 2. ipa trust-add --type=ad --trust-secret domain.test 3. ipa trust-fetch-domains 4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh 5. prompted for credentials (Not expected), 6. credentials for IPA domain do not work 7. Eventually errors out with "Access Denied" Expected results: 4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix routing"-> Refresh 5. "Name Suffix Routing" being populated 6. Trust setup-complete Additional info: When I select a *two-way* trust on the Active Directory side, I was able to achieve the trust including the "Name Suffix Routing" being populated when I hit refresh. As expected this worked without any prompt for credentials. However the noted procedure does not work for a one-way trust using a trust-secret. I have additional information from Alexander who was assisting debug this issue: "The following was found in the samba logs: [2016/06/13 08:06:44.098299, 3, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP) api_rpcTNP: rpc command: NETR_DSRGETFORESTTRUSTINFORMATION [2016/06/13 08:06:44.098304, 6, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[43].fn == 0x7f90496d38d0 [2016/06/13 08:06:44.098318, 1, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation in: struct netr_DsRGetForestTrustInformation server_name : * server_name : '\\f24-master.ipa.ad.test' trusted_domain_name : NULL flags : 0x00000000 (0) [2016/06/13 08:06:44.098334, 4, pid=31436, effective(1817800000, 1817800000), real(1817800000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1480(api_rpcTNP) api_rpcTNP: fault(5) return. The fault(5) is librpc/idl/dcerpc.idl: DCERPC_FAULT_ACCESS_DENIED = 0x00000005, something is missing in the access token when IPA admin credentials are used to connect to retrieve forest trust information from AD side "
This one cannot currently be fixed. We have fundamental issue with it as it looks like we are unable to trick AD into validation with one-way shared secret from our side but we cannot tell people to do validation from AD side because it does not work due to some SASL incompatibilities between CyrusSASL and AD client code.
Is there a workaround that can/needs to be documented?
A workaround is to use administrator credentials to establish one-way trust. We also would generate cryptographically strong trust secret in this case. Another workaround is to use two-way trust, which would work fine with a manually specified trust secret.
(#5683) was closed as a duplicate of this bug.
Metadata Update from @pvoborni: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.5 backlog
As noted in https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c11, this is actually a full RFE, title should be changed to "[RFE] Support One-Way Trust authenticated by trust secret"
Metadata Update from @mkosek: - Issue close_status updated to: None
Pull request: https://github.com/freeipa/freeipa/pull/2926
master:
ipa-4-6:
ipa-4-7:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.