#6671 Privilege separation in IPA framework broke trust-add
Closed: fixed 2 years ago Opened 2 years ago by abbra.

Merging privilege separation in the IPA framework into git master broke trust with AD. An attempt to establish trust fails in the Samba libraries while trying to import Kerberos credentials from a ccache.

[Wed Feb 15 09:10:17.309768 2017] [wsgi:error] [pid 5796] ipa: DEBUG: Created connection context.ldap2_140281247773904
[Wed Feb 15 09:10:17.309855 2017] [wsgi:error] [pid 5796] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Feb 15 09:10:17.309937 2017] [wsgi:error] [pid 5796] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Feb 15 09:10:17.310381 2017] [wsgi:error] [pid 5796] ipa: DEBUG: raw: trust_add(u'ad.ipa.cool', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.218')
[Wed Feb 15 09:10:17.310675 2017] [wsgi:error] [pid 5796] ipa: DEBUG: trust_add(u'ad.ipa.cool', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.218')
[Wed Feb 15 09:10:17.311198 2017] [wsgi:error] [pid 5796] ipa: DEBUG: raw: adtrust_is_enabled(version=u'2.218')
[Wed Feb 15 09:10:17.311341 2017] [wsgi:error] [pid 5796] ipa: DEBUG: adtrust_is_enabled(version=u'2.218')
INFO: Current debug levels:
  all: 50
  tdb: 50
  printdrivers: 50
  lanman: 50
  smb: 50
  rpc_parse: 50
  rpc_srv: 50
  rpc_cli: 50
  passdb: 50
  sam: 50
  auth: 50
  winbind: 50
  vfs: 50
  idmap: 50
  quota: 50
  acls: 50
  locking: 50
  msdfs: 50
  dmapi: 50
  registry: 50
  scavenger: 50
  dns: 50
  ldb: 50
  tevent: 50
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Using binding ncacn_np:nyx.xs.ipa.cool[,print,smb2]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f95bc710090
s4_tevent: Added timed event "composite_trigger": 0x7f95bc710870
s4_tevent: Added timed event "composite_trigger": 0x7f95bc710ab0
s4_tevent: Running timer event 0x7f95bc710870 "composite_trigger"
s4_tevent: Destroying timer event 0x7f95bc710ab0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface ens3 ip=some-address bcast= netmask=ffff:ffff:ffff:ffff::
added interface ens3 ip=some-address bcast=some-address netmask=255.255.255.0
added interface ens4 ip=some-address bcast=some-address netmask=255.255.252.0
added interface ens3 ip=some-address bcast= netmask=ffff:ffff:ffff:ffff::
added interface ens3 ip=some-address bcast=some-address netmask=255.255.255.0
added interface ens4 ip=some-address bcast=some-address netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name nyx.xs.ipa.cool<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
s4_tevent: Added timed event "composite_trigger": 0x7f95bc713450
s4_tevent: Ending timer event 0x7f95bc710870 "composite_trigger"
s4_tevent: Running timer event 0x7f95bc713450 "composite_trigger"
s4_tevent: Ending timer event 0x7f95bc713450 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7f95bc713720
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f95bc713f00
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f95bc713f00
s4_tevent: Destroying timer event 0x7f95bc713720 "connect_multi_timer"
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061504
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f95bc710870
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f95bc712ea0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f95bc712ea0
s4_tevent: Destroying timer event 0x7f95bc710870 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f95bc7138e0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f95bc7138e0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin@XS.IPA.COOL will expire in 0 secs
Aquiring initiator credentials failed: gss_krb5_import_cred failed: Credential cache is empty
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f95bc7138e0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f95bc7138e0
s4_tevent: Destroying timer event 0x7f95bc710090 "dcerpc_connect_timeout_handler"
[Wed Feb 15 09:10:17.336678 2017] [wsgi:error] [pid 5796] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Feb 15 09:10:17.336694 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Wed Feb 15 09:10:17.336698 2017] [wsgi:error] [pid 5796]     result = command(*args, **options)
[Wed Feb 15 09:10:17.336701 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Feb 15 09:10:17.336705 2017] [wsgi:error] [pid 5796]     return self.__do_call(*args, **options)
[Wed Feb 15 09:10:17.336708 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Feb 15 09:10:17.336710 2017] [wsgi:error] [pid 5796]     ret = self.run(*args, **options)
[Wed Feb 15 09:10:17.336727 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Feb 15 09:10:17.336730 2017] [wsgi:error] [pid 5796]     return self.execute(*args, **options)
[Wed Feb 15 09:10:17.336733 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 737, in execute
[Wed Feb 15 09:10:17.336742 2017] [wsgi:error] [pid 5796]     full_join = self.validate_options(*keys, **options)
[Wed Feb 15 09:10:17.336745 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 836, in validate_options
[Wed Feb 15 09:10:17.336749 2017] [wsgi:error] [pid 5796]     self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Wed Feb 15 09:10:17.336752 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1540, in __init__
[Wed Feb 15 09:10:17.336754 2017] [wsgi:error] [pid 5796]     self.__populate_local_domain()
[Wed Feb 15 09:10:17.336757 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1553, in __populate_local_domain
[Wed Feb 15 09:10:17.336760 2017] [wsgi:error] [pid 5796]     ld.retrieve(installutils.get_fqdn())
[Wed Feb 15 09:10:17.336762 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 961, in retrieve
[Wed Feb 15 09:10:17.336764 2017] [wsgi:error] [pid 5796]     self.init_lsa_pipe(remote_host)
[Wed Feb 15 09:10:17.336767 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 868, in init_lsa_pipe
[Wed Feb 15 09:10:17.336769 2017] [wsgi:error] [pid 5796]     self._pipe = self.__gen_lsa_connection(binding)
[Wed Feb 15 09:10:17.336772 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 847, in __gen_lsa_connection
[Wed Feb 15 09:10:17.336774 2017] [wsgi:error] [pid 5796]     raise assess_dcerpc_exception(num=num, message=message)
[Wed Feb 15 09:10:17.336777 2017] [wsgi:error] [pid 5796] RemoteRetrieveError: communication with CIFS server was unsuccessful
[Wed Feb 15 09:10:17.336779 2017] [wsgi:error] [pid 5796] 
[Wed Feb 15 09:10:17.337038 2017] [wsgi:error] [pid 5796] ipa: INFO: [jsonserver_session] admin@XS.IPA.COOL: trust_add/1(u'ad.ipa.cool', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.218'): RemoteRetrieveError
[Wed Feb 15 09:10:17.338093 2017] [wsgi:error] [pid 5796] ipa: DEBUG: Destroyed connection context.ldap2_140281247773904

Samba needs to use gss_acquire_cred_from (properly intercepted by gssproxy's mechglue) and not gss_krb5_import_cred, as the latter short-circuits GSSAPI internally and will fail because the credentials are not in a format libkrb5 can use.

Unfortunately, this means we need to implement a new gensec submechanism, as gensec's gssapi_krb5 is full of direct krb5 calls and manipulation of ccaches.

There are two parts that need to be added:

  • auth/credentials/credentials_gssapi.c -- for the cli_credentials API
  • source4/auth/gssapi/* -- for authentication / eventloop integration

In both cases GSSAPI calls need to be used, and any direct ccache/keytab manipulation has to be replaced with the cred store API extensions for GSSAPI.

I'd prefer to have a separate gensec mechanism that we can compile in instead of the "kerberos" one, as it allows us to clean up the flow.

Metadata Update from @abbra:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

2 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue assigned to abbra (was: someone)
- Issue close_status updated to: None
- Issue priority set to: 1 (was: 3)
- Issue set to the milestone: FreeIPA 4.5 (was: 0.0 NEEDS_TRIAGE)

2 years ago

I've reduced the required changes to two calls in auth/credentials/credentials_krb5.c in Samba and opened https://bugzilla.samba.org/show_bug.cgi?id=12611 to track them.

Meanwhile, Simo did add support for gss_acquire_cred() interposing to gssproxy. There will be more changes in gssproxy to make Samba client GENSEC GSSAPI supported (gss_cred_set_option interposing), slated for 0.6.3 version.

Metadata Update from @abbra:
- Custom field affects_doc reset

2 years ago

Metadata Update from @pvoborni:
- Issue tagged with: regression

2 years ago

First part of the patch to move to gss_acquire_cred_from() is committed to Samba git. Also, gssproxy 0.7.0 implemented interposing of gss_cred_set_option().

Fedora 26 and rawhide were updated with samba-4.6.0-2 build that includes a backport of the Samba patch.

master:

  • c37254e Bump required version of gssproxy to 0.7.0

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

2 years ago

Metadata Update from @stlaz:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/653

2 years ago

ipa-4-5:

  • 41ff57b Bump samba version for FIPS and priv. separation

master:

  • b7ae336 Bump samba version for FIPS and priv. separation

Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436342

2 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436342

2 years ago
