#6277 When establishing external two-way trust, forest root Administrator account is used to fetch domain info
Closed: Fixed. Opened 3 years ago by mbabinsk.

When establishing external trust and specifying domain Admin's name without realm component, the credential generation code erroneously selects the forest root domain name as the realm component of domain admin account name. If the domain admins use separate account passwords (as is usually the case in real-life deployments), trust-add tries to fetch trusted domain info using wrong credentials and thus fails to authenticate against DCs of trusted domain:

s4_tevent: Destroying timer event 0x7f72ce7153f0 "tevent_req_timedout"
     &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
        command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
        sbz                      : 0x0000 (0)
        server_type              : 0x0000f1fd (61949)
               1: NBT_SERVER_PDC
               1: NBT_SERVER_GC
               1: NBT_SERVER_LDAP
               1: NBT_SERVER_DS
               1: NBT_SERVER_KDC
               1: NBT_SERVER_TIMESERV
               1: NBT_SERVER_CLOSEST
               1: NBT_SERVER_WRITABLE
               0: NBT_SERVER_GOOD_TIMESERV
               0: NBT_SERVER_NDNC
               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
               1: NBT_SERVER_FULL_SECRET_DOMAIN_6
               1: NBT_SERVER_ADS_WEB_SERVICE
               1: NBT_SERVER_DS_8
               0: NBT_SERVER_HAS_DNS_NAME
               0: NBT_SERVER_IS_DEFAULT_NC
               0: NBT_SERVER_FOREST_ROOT
        domain_uuid              : c3374e8b-8a15-45d2-a518-325a2886e2e3
        forest                   : 'root-dom.ad.forest.test'
        dns_domain               : 'tree-dom.ad.forest.test'
        pdc_dns_name             : 'adtree.tree-dom.ad.forest.test'
        domain_name              : 'TREE-DOM'
        pdc_name                 : 'ADTREE'
        user_name                : ''
        server_site              : 'Default-First-Site-Name'
        client_site              : 'Default-First-Site-Name'
        sockaddr_size            : 0x00 (0)
        sockaddr: struct nbt_sockaddr
            sockaddr_family          : 0x00000000 (0)
            pdc_ip                   : (null)
            remaining                : DATA_BLOB length=0
        next_closest_site        : NULL
        nt_version               : 0x00000005 (5)
               1: NETLOGON_NT_VERSION_1
               0: NETLOGON_NT_VERSION_5
               1: NETLOGON_NT_VERSION_5EX
               0: NETLOGON_NT_VERSION_5EX_WITH_IP
               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
               0: NETLOGON_NT_VERSION_PDC
               0: NETLOGON_NT_VERSION_IP
               0: NETLOGON_NT_VERSION_LOCAL
               0: NETLOGON_NT_VERSION_GC
        lmnt_token               : 0xffff (65535)
        lm20_token               : 0xffff (65535)
finddcs: Found matching DC 2620:52:0:224e:21a:4aff:fe23:1596 with server_type=0x0000f1fd
[Wed Aug 31 12:17:16.535749 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Destroying the contents of the separate ccache
[Wed Aug 31 12:17:16.536234 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Starting external process
[Wed Aug 31 12:17:16.536306 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kdestroy -A -c /var/run/ipa_memcached/krbcc_TDAtree-dom.ad.forest.test
[Wed Aug 31 12:17:16.553353 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=0
[Wed Aug 31 12:17:16.553484 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=
[Wed Aug 31 12:17:16.553539 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=
[Wed Aug 31 12:17:16.553720 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Running kinit with credentials of AD administrator
[Wed Aug 31 12:17:16.553893 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Starting external process
[Wed Aug 31 12:17:16.553951 2016] [wsgi:error] [pid 75094] ipa: DEBUG: args=/usr/bin/kinit Administrator@ROOT-DOM.AD.FOREST.TEST <-- *should be TREE-DOM.AD.FOREST.TEST
[Wed Aug 31 12:17:17.397022 2016] [wsgi:error] [pid 75094] ipa: DEBUG: Process finished, return code=1
[Wed Aug 31 12:17:17.397298 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stdout=Password for Administrator@ROOT-DOM.AD.FOREST.TEST:
[Wed Aug 31 12:17:17.397307 2016] [wsgi:error] [pid 75094]
[Wed Aug 31 12:17:17.397367 2016] [wsgi:error] [pid 75094] ipa: DEBUG: stderr=kinit: Password incorrect while getting initial credentials
[Wed Aug 31 12:17:17.397375 2016] [wsgi:error] [pid 75094]
[Wed Aug 31 12:17:17.399233 2016] [wsgi:error] [pid 75094] ipa: INFO: [jsonserver_session] admin@IPA.TEST: trust_add/1(u'tree-dom.ad.forest.test', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, external=True, version=u'2.212'): SUCCESS

Steps to reproduce:

1.) Set up an AD forest of at least two domains (root-tree, or root-child) and make sure that domain Admins have different passwords

2.) Install FreeIPA server and run ipa-adtrust-install

3.) Try to establish external trust to the tree or child domain of the forest

ipa trust-add AD.TREE.DOMAIN --external=True --two-way=True --admin Administrator, the

Expected results:

The trust is added and all domain info is retrieved correctly

Actual results:

Fetching trusted domain info fails and the httpd error log contains an unsuccessful kinit as root domain administrator


A workaround is to use the full principal including the external domain name as --admin parameter, e.g.:

--admin Administrator@TREE-DOM.AD.FOREST.TEST
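An added example (not FreeIPA's own code) that models the defect, the fix and the workaround described above: a bare --admin name qualified with the forest root versus the trusted domain's realm, plus a check over constructed httpd error_log lines for a kinit realm that does not match the trust target. Domain names are the ticket's values; the function and constant names are assumptions.

```python
import re

# Constructed values mirroring the ticket: the trusted domain is a tree
# domain whose forest root is a different domain.
TRUSTED_DOMAIN = "tree-dom.ad.forest.test"
FOREST_ROOT = "root-dom.ad.forest.test"


def admin_principal(admin, trusted_domain, forest_root, buggy=False):
    """Build the principal handed to kinit from the --admin value.

    A bare name is qualified with the trusted domain's realm (the fix);
    buggy=True reproduces the defect of qualifying it with the forest root,
    which asks for the wrong domain's Administrator password.
    A fully qualified principal is passed through unchanged (the workaround).
    """
    if "@" in admin:
        return admin
    realm = (forest_root if buggy else trusted_domain).upper()
    return "%s@%s" % (admin, realm)


# Matches the kinit invocation FreeIPA writes to the httpd error log.
KINIT_RE = re.compile(r"args=/usr/bin/kinit (\S+)@(\S+)")


def kinit_realm_mismatches(log_lines, trusted_domain):
    """Return every principal kinit was run for whose realm is not the
    trusted domain: the symptom to look for in /var/log/httpd/error_log."""
    bad = []
    for line in log_lines:
        m = KINIT_RE.search(line)
        if m and m.group(2).lower() != trusted_domain.lower():
            bad.append("%s@%s" % m.groups())
    return bad


# Constructed log lines in the format of the ticket's excerpt.
SAMPLE_LOG = [
    "[Wed Aug 31 12:17:16.553951 2016] [wsgi:error] [pid 75094] ipa: DEBUG: "
    "args=/usr/bin/kinit Administrator@ROOT-DOM.AD.FOREST.TEST",
    "[Wed Aug 31 12:17:17.397022 2016] [wsgi:error] [pid 75094] ipa: DEBUG: "
    "Process finished, return code=1",
]

if __name__ == "__main__":
    print(admin_principal("Administrator", TRUSTED_DOMAIN, FOREST_ROOT, buggy=True))
    print(admin_principal("Administrator", TRUSTED_DOMAIN, FOREST_ROOT))
    print(kinit_realm_mismatches(SAMPLE_LOG, TRUSTED_DOMAIN))
```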

Sounds like something that needs to be covered in the documentation.

master:

  • f32e0e4 do not use trusted forest name to construct domain admin principal

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.4.1

2 years ago
