Merging privilege separation in the IPA framework to git master broke trust with AD. An attempt to establish a trust fails in the Samba libraries while trying to import Kerberos credentials from a ccache.
[Wed Feb 15 09:10:17.309768 2017] [wsgi:error] [pid 5796] ipa: DEBUG: Created connection context.ldap2_140281247773904
[Wed Feb 15 09:10:17.309855 2017] [wsgi:error] [pid 5796] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Feb 15 09:10:17.309937 2017] [wsgi:error] [pid 5796] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Feb 15 09:10:17.310381 2017] [wsgi:error] [pid 5796] ipa: DEBUG: raw: trust_add(u'ad.ipa.cool', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.218')
[Wed Feb 15 09:10:17.310675 2017] [wsgi:error] [pid 5796] ipa: DEBUG: trust_add(u'ad.ipa.cool', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.218')
[Wed Feb 15 09:10:17.311198 2017] [wsgi:error] [pid 5796] ipa: DEBUG: raw: adtrust_is_enabled(version=u'2.218')
[Wed Feb 15 09:10:17.311341 2017] [wsgi:error] [pid 5796] ipa: DEBUG: adtrust_is_enabled(version=u'2.218')
INFO: Current debug levels:
  all: 50
  tdb: 50
  printdrivers: 50
  lanman: 50
  smb: 50
  rpc_parse: 50
  rpc_srv: 50
  rpc_cli: 50
  passdb: 50
  sam: 50
  auth: 50
  winbind: 50
  vfs: 50
  idmap: 50
  quota: 50
  acls: 50
  locking: 50
  msdfs: 50
  dmapi: 50
  registry: 50
  scavenger: 50
  dns: 50
  ldb: 50
  tevent: 50
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Using binding ncacn_np:nyx.xs.ipa.cool[,print,smb2]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f95bc710090
s4_tevent: Added timed event "composite_trigger": 0x7f95bc710870
s4_tevent: Added timed event "composite_trigger": 0x7f95bc710ab0
s4_tevent: Running timer event 0x7f95bc710870 "composite_trigger"
s4_tevent: Destroying timer event 0x7f95bc710ab0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface ens3 ip=some-address bcast= netmask=ffff:ffff:ffff:ffff::
added interface ens3 ip=some-address bcast=some-address netmask=255.255.255.0
added interface ens4 ip=some-address bcast=some-address netmask=255.255.252.0
added interface ens3 ip=some-address bcast= netmask=ffff:ffff:ffff:ffff::
added interface ens3 ip=some-address bcast=some-address netmask=255.255.255.0
added interface ens4 ip=some-address bcast=some-address netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name nyx.xs.ipa.cool<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7f95bc713450
s4_tevent: Ending timer event 0x7f95bc710870 "composite_trigger"
s4_tevent: Running timer event 0x7f95bc713450 "composite_trigger"
s4_tevent: Ending timer event 0x7f95bc713450 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7f95bc713720
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f95bc713f00
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f95bc713f00
s4_tevent: Destroying timer event 0x7f95bc713720 "connect_multi_timer"
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 2626560
  SO_RCVBUF = 1061504
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f95bc710870
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f95bc712ea0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f95bc712ea0
s4_tevent: Destroying timer event 0x7f95bc710870 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f95bc7138e0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f95bc7138e0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin@XS.IPA.COOL will expire in 0 secs
Aquiring initiator credentials failed: gss_krb5_import_cred failed: Credential cache is empty
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f95bc7138e0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f95bc7138e0
s4_tevent: Destroying timer event 0x7f95bc710090 "dcerpc_connect_timeout_handler"
[Wed Feb 15 09:10:17.336678 2017] [wsgi:error] [pid 5796] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Feb 15 09:10:17.336694 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Wed Feb 15 09:10:17.336698 2017] [wsgi:error] [pid 5796]     result = command(*args, **options)
[Wed Feb 15 09:10:17.336701 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Feb 15 09:10:17.336705 2017] [wsgi:error] [pid 5796]     return self.__do_call(*args, **options)
[Wed Feb 15 09:10:17.336708 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Feb 15 09:10:17.336710 2017] [wsgi:error] [pid 5796]     ret = self.run(*args, **options)
[Wed Feb 15 09:10:17.336727 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Feb 15 09:10:17.336730 2017] [wsgi:error] [pid 5796]     return self.execute(*args, **options)
[Wed Feb 15 09:10:17.336733 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 737, in execute
[Wed Feb 15 09:10:17.336742 2017] [wsgi:error] [pid 5796]     full_join = self.validate_options(*keys, **options)
[Wed Feb 15 09:10:17.336745 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 836, in validate_options
[Wed Feb 15 09:10:17.336749 2017] [wsgi:error] [pid 5796]     self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Wed Feb 15 09:10:17.336752 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1540, in __init__
[Wed Feb 15 09:10:17.336754 2017] [wsgi:error] [pid 5796]     self.__populate_local_domain()
[Wed Feb 15 09:10:17.336757 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1553, in __populate_local_domain
[Wed Feb 15 09:10:17.336760 2017] [wsgi:error] [pid 5796]     ld.retrieve(installutils.get_fqdn())
[Wed Feb 15 09:10:17.336762 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 961, in retrieve
[Wed Feb 15 09:10:17.336764 2017] [wsgi:error] [pid 5796]     self.init_lsa_pipe(remote_host)
[Wed Feb 15 09:10:17.336767 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 868, in init_lsa_pipe
[Wed Feb 15 09:10:17.336769 2017] [wsgi:error] [pid 5796]     self._pipe = self.__gen_lsa_connection(binding)
[Wed Feb 15 09:10:17.336772 2017] [wsgi:error] [pid 5796]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 847, in __gen_lsa_connection
[Wed Feb 15 09:10:17.336774 2017] [wsgi:error] [pid 5796]     raise assess_dcerpc_exception(num=num, message=message)
[Wed Feb 15 09:10:17.336777 2017] [wsgi:error] [pid 5796] RemoteRetrieveError: communication with CIFS server was unsuccessful
[Wed Feb 15 09:10:17.336779 2017] [wsgi:error] [pid 5796]
[Wed Feb 15 09:10:17.337038 2017] [wsgi:error] [pid 5796] ipa: INFO: [jsonserver_session] admin@XS.IPA.COOL: trust_add/1(u'ad.ipa.cool', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.218'): RemoteRetrieveError
[Wed Feb 15 09:10:17.338093 2017] [wsgi:error] [pid 5796] ipa: DEBUG: Destroyed connection context.ldap2_140281247773904
Samba needs to use gss_acquire_cred_from (properly intercepted by gssproxy's mechglue) and not gss_krb5_import_cred as the latter shortcircuits gssapi internally and will fail because the credentials are not in a format libkrb5 can use.
Unfortunately, this means we need to implement a new gensec submechanism as gensec's gssapi_krb5 is full of direct krb5 calls and manipulation of ccaches.
There are two parts that need to be added:
in both cases GSSAPI calls need to be used and any access to direct ccache/keytab manipulation to be replaced with cred store API extensions for GSSAPI.
I'd prefer to have a separate gensec mechanism that we can compile in instead of the "kerberos" one, as it allows cleaning up the flow.
Metadata Update from @abbra: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @pvoborni: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue assigned to abbra (was: someone) - Issue close_status updated to: None - Issue priority set to: 1 (was: 3) - Issue set to the milestone: FreeIPA 4.5 (was: 0.0 NEEDS_TRIAGE)
I've reduced the required changes to two calls in auth/credentials/credentials_krb5.c in Samba and opened https://bugzilla.samba.org/show_bug.cgi?id=12611 to track them.
Meanwhile, Simo did add support for gss_acquire_cred() interposing to gssproxy. There will be more changes in gssproxy to make the Samba client GENSEC GSSAPI supported (gss_cred_set_option interposing), slated for version 0.6.3.
Metadata Update from @abbra: - Custom field affects_doc reset
Metadata Update from @pvoborni: - Issue tagged with: regression
First part of the patch to move to gss_acquire_cred_from() is committed to Samba git. Also, gssproxy 0.7.0 implemented interposing of gss_cred_set_option().
Fedora 26 and rawhide were updated with samba-4.6.0-2 build that includes a backport of the Samba patch.
master:
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @stlaz: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/653
ipa-4-5:
41ff57b Bump samba version for FIPS and priv. separation
master:
b7ae336 Bump samba version for FIPS and priv. separation
Metadata Update from @pvomacka: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436342
Issue linked to bug 1436342