Issue #6077: [RFE] Support One-Way Trust authenticated by trust secret - freeipa

freeipa

#6077 [RFE] Support One-Way Trust authenticated by trust secret

Closed: fixed 5 years ago by cheimes. Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1345975

Description of problem:
Access Denied error when created a one-way trust using a trust-secret and
attempting to validate on the Active Directory side (last step of trust
procedure).

Version-Release number of selected component (if applicable):
ipa-server-trust-ad-4.2.0-15.el7_2.15.x86_64
ipa-python-4.2.0-15.el7_2.15.x86_64
ipa-admintools-4.2.0-15.el7_2.15.x86_64
ipa-server-4.2.0-15.el7_2.15.x86_64
ipa-client-4.2.0-15.el7_2.15.x86_64
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:
Very

Steps to Reproduce:
1.The documentation advises to create the trust on the windows side with these
steps:
   The Trust Type is Forest trust.
   The Direction of Trust is One-way.
   The Sides of Trust is This domain only.
   The Outgoing Trust Authentication Level is Forest-wide authentication.(not
this option does not exist on a one-way trust as noted in the document)
   Set the Trust Password.
2. ipa trust-add --type=ad --trust-secret domain.test
3. ipa trust-fetch-domains
4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix
routing"-> Refresh
5. prompted for credentials (Not expected),
6. credentials for IPA domain do not work
7. Eventually errors out with "Access Denied"

Expected results:
4. Domain Controller-> Trust Console -> trust-> properties-> "name suffix
routing"-> Refresh
5. "Name Suffix Routing" being populated
6. Trust setup-complete

Additional info:
When I select a *two-way* trust on the Active Directory side, I was able to
achieve the trust including the "Name Suffix Routing" being populated when I
hit refresh. As expected this worked without any prompt for credentials.

However the noted procedure does not work for a one-way trust using a
trust-secret. I have additional information from Alexander who was assisting
debug this issue:

"The following was found in the samba logs:

[2016/06/13 08:06:44.098299,  3, pid=31436, effective(1817800000, 1817800000),
real(1817800000, 0), class=rpc_srv]
../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
api_rpcTNP: rpc command: NETR_DSRGETFORESTTRUSTINFORMATION
[2016/06/13 08:06:44.098304,  6, pid=31436, effective(1817800000, 1817800000),
real(1817800000, 0), class=rpc_srv]
../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
api_rpc_cmds[43].fn == 0x7f90496d38d0
[2016/06/13 08:06:44.098318,  1, pid=31436, effective(1817800000, 1817800000),
real(1817800000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
      netr_DsRGetForestTrustInformation: struct
netr_DsRGetForestTrustInformation
         in: struct netr_DsRGetForestTrustInformation
             server_name              : *
                 server_name              : '\\f24-master.ipa.ad.test'
             trusted_domain_name      : NULL
             flags                    : 0x00000000 (0)
[2016/06/13 08:06:44.098334,  4, pid=31436, effective(1817800000, 1817800000),
real(1817800000, 0), class=rpc_srv]
../source3/rpc_server/srv_pipe.c:1480(api_rpcTNP)
api_rpcTNP: fault(5) return.

The fault(5) is librpc/idl/dcerpc.idl:          DCERPC_FAULT_ACCESS_DENIED =
0x00000005,

something is missing in the access token when IPA admin credentials are used to
connect to retrieve forest trust information from AD side "

pvoborni commented 7 years ago

This one cannot currently be fixed. We have fundamental issue with it as
it looks like we are unable to trick AD into validation with one-way
shared secret from our side but we cannot tell people to do validation
from AD side because it does not work due to some SASL incompatibilities
between CyrusSASL and AD client code.

dpal commented 7 years ago

Is there a workaround that can/needs to be documented?

abbra commented 7 years ago

A workaround is to use administrator credentials to establish one-way trust. We also would generate cryptographically strong trust secret in this case. Another workaround is to use two-way trust, which would work fine with a manually specified trust secret.

pvoborni commented 7 years ago

(#5683) was closed as a duplicate of this bug.

Edited 7 years ago by pvoborni

Metadata Update from @pvoborni:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

mkosek commented 7 years ago

As noted in https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c11, this is actually a full RFE, title should be changed to "[RFE] Support One-Way Trust authenticated by trust secret"

Metadata Update from @mkosek:
- Issue close_status updated to: None

7 years ago

abbra commented 5 years ago

Pull request: https://github.com/freeipa/freeipa/pull/2926

cheimes commented 5 years ago

master:

2a8176e Add design page for one-way trust to AD with shared secret
120bab0 trust: allow trust agents to read POSIX identities of trust
dc8f074 trusts: add support for one-way shared secret trust
18cb30d upgrade: upgrade existing trust agreements to new layout
dca901c upgrade: add trust upgrade to actual upgrade code

cheimes commented 5 years ago

ipa-4-6:

9a45361 Replace hard-coded paths with path constants
076d894 Support Samba 4.9
b70e4d1 Add design page for one-way trust to AD with shared secret
7a7ef33 trust: allow trust agents to read POSIX identities of trust
b2bac94 trusts: add support for one-way shared secret trust
7476953 upgrade: upgrade existing trust agreements to new layout
9ce3a29 upgrade: add trust upgrade to actual upgrade code

cheimes commented 5 years ago

ipa-4-7:

50c0d6d Add design page for one-way trust to AD with shared secret
f6183c8 trust: allow trust agents to read POSIX identities of trust
0b5ae1b trusts: add support for one-way shared secret trust
2a7731c upgrade: upgrade existing trust agreements to new layout
595f42a upgrade: add trust upgrade to actual upgrade code

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

abbra commented 4 years ago

master:

3f02fc9 ipatests: new tests for establishing one-way AD trust with shared secret

sorlov commented 4 years ago

ipa-4-6:

2a773cb ipatests: new tests for establishing one-way AD trust with shared secret

sorlov commented 4 years ago

ipa-4-7:

ac7b1b1 ipatests: new tests for establishing one-way AD trust with shared secret

Metadata

Assignee

abbra

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.5 backlog

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Trusts

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1345975

tester

None

changelog

None

design

None

freeipa

Source Code

#6077 [RFE] Support One-Way Trust authenticated by trust secret Closed: fixed 5 years ago by cheimes. Opened 7 years ago by pvoborni.

Metadata

#6077 [RFE] Support One-Way Trust authenticated by trust secret

Closed: fixed 5 years ago by cheimes. Opened 7 years ago by pvoborni.