[Freeipa-devel] [PATCH] 0108 Add support for compatibility tree for trusted domain users

Alexander Bokovoy abokovoy at redhat.com
Tue Jul 16 13:22:01 UTC 2013


On Tue, 16 Jul 2013, Jakub Hrozek wrote:
>the patch looks mostly good to me. I only have some small nitpicks:
>
>> +++ b/install/tools/man/ipa-adtrust-install.1
>> @@ -106,6 +106,24 @@ The password of the user with administrative privileges for this IPA server. Wil
>>  .TP
>>  The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
>>  .TP
>> +\fB\-\-enable\-compat\fR
>> +Enables support for trusted domains users for old clients through Schema Compatibility plugin.
>> +SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that
>                                                                    ^^^^^^^^
>                                                          The word "platform"
>                                                          looks a little
>                                                          extra here to me.
Removed. I initially had a statement there to talk about Linux and
non-Linux platforms; this word slipped in when I edited the platform talk out.

>> +lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
>> +needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
>> +users and groups from trusted domains via SSSD on IPA server. These users and groups will be
>> +available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
>> +SSSD will normalize names of users and groups to lower case.
>> +.IP
>> +In addition to providing these users and groups through the compat tree, this option enables
>> +authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
>> +\fBuid=administrator at ad.domain,cn=users,cn=compat,$SUFFIX\fR. This authentication is related
>> +to PAM stack using '\fBsystem\-auth\fR' PAM service. If you have disabled HBAC rule 'allow_all', then
>> +make sure there is special service called '\fBsystem\-auth\fR' created and HBAC rule to allow
>> +access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service
>> +is not used directly by any other application, therefore it is safe to create one specifically
>> +to support trusted domain users via compatibility path.
>
>The last sentence wasn't really clear to me, were you suggesting to
>create a special PAM service?
I refactored the statement.

system-auth is a PAM service (/etc/pam.d/system-auth) provided by pam
RPM package. You don't need to create it as it is created and maintained
by the system (and authconfig).

What this sentence talks about is that PAM authentication also means
verifying HBAC rules. If you have disabled the 'allow_all' HBAC rule, then
for all PAM services there should be an HBAC rule that allows access to it
if that is required. As trusted AD users don't exist in
LDAP, we cannot really refer to them in HBAC rules, so we can only have
an HBAC rule that allows 'all' to access the 'system-auth' service on the 'ipa
masters' host group.

system-auth PAM service is not used by any other application directly.
Instead, their own PAM services include system-auth through PAM stack.
That's why I selected system-auth -- enabling HBAC rules to access it
does not compromise any other service because of the way how PAM
stacking works -- access to an app is granted through PAM service name
that application runs against. I.e. ssh runs against /etc/pam.d/ssh, so
HBAC rule would need to be created against 'ssh' service. /etc/pam.d/ssh
is including system-auth through PAM stack and system-auth is configured
to use pam_sss but 'system-auth' as service name is never seen or used
by anyone through PAM API.

>> +        if self.enable_compat:
>> +            self.step("Enabling trusted domains support for older clients via Schema Compatibility plugin",
>
>                         ^^^^
>                Nitpick: all the other steps begin with lowercased
>                letter. Only this one is uppercased, which makes the
>                tool output looks inconsistent:
> [15/21]: adding special DNS service records
> [16/21]: Enabling trusted domains support for older clients via Schema Compatibility plugin
> [17/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
Thanks. Lowercased it.

Updated patch is attached.
-- 
/ Alexander Bokovoy
-------------- next part --------------
From bbfb7620de54c8b55886f3e7a616096afa9ce58e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 15 Jul 2013 19:13:50 +0300
Subject: [PATCH] ipa-adtrust-install: configure compatibility tree to serve
 trusted domain users

Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.

In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator at ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication is related to PAM stack using 'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.

https://fedorahosted.org/freeipa/ticket/3567
---
 install/tools/ipa-adtrust-install       | 18 +++++++++++++++++-
 install/tools/man/ipa-adtrust-install.1 | 23 +++++++++++++++++++++++
 ipaserver/install/adtrustinstance.py    | 22 +++++++++++++++++++++-
 3 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5744c6f..838f722 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -62,6 +62,9 @@ def parse_options():
     parser.add_option("--add-sids", dest="add_sids", action="store_true",
                       default=False, help="Add SIDs for existing users and" \
                                           " groups as the final step")
+    parser.add_option("--enable-compat",
+                      dest="enable_compat", default=False, action="store_true",
+                      help="Enable support for trusted domains for old clients")
 
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
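Review bot: the help string "Enable support for trusted domains for old clients" does not tell the operator that slapi-nis must be installed for the option to do anything, while the man page makes that a hard prerequisite; suggest "Enable support for trusted domains for old clients via the Schema Compatibility plugin (requires slapi-nis)" so the two stay consistent and the requirement is visible from --help.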
@@ -194,6 +197,15 @@ def ensure_admin_kinit(admin_name, admin_password):
         return False
     return True
 
+def enable_compat_tree():
+    print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
+    print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
+    print ""
+    enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
+    print ""
+    return enable_compat
+
+
 def main():
     safe_options, options = parse_options()
 
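Review bot: the `ipautil.user_input(...)` call in `enable_compat_tree()` puts spaces around `=` in its keyword arguments (`default = False, allow_empty = False`), which PEP 8 discourages and which differs from the style used a few lines up in `parse_options()` (`default=False`); suggest `default=False, allow_empty=False`. That line is also well over 79 columns and could be wrapped after the prompt string.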
@@ -244,6 +256,9 @@ def main():
                     sys.exit("Aborting installation.")
                 break
 
+    if not options.unattended and not options.enable_compat:
+        options.enable_compat = enable_compat_tree()
+
     # Check we have a public IP that is associated with the hostname
     ip = None
     try:
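Review bot: in unattended mode the prompt is skipped and `options.enable_compat` keeps its `False` default, so an `--unattended` run never enables the compat tree unless `--enable-compat` is passed explicitly. That is the right conservative default, but nothing in the man page entry says the question is only asked interactively; suggest adding a sentence there so scripted installs know they must pass the flag.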
@@ -363,7 +378,8 @@ def main():
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
               netbios_name, reset_netbios_name,
               options.rid_base, options.secondary_rid_base,
-              options.no_msdcs, options.add_sids)
+              options.no_msdcs, options.add_sids,
+              enable_compat = options.enable_compat)
     smb.find_local_id_range()
     smb.create_instance()
 
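Review bot: `enable_compat = options.enable_compat` should read `enable_compat=options.enable_compat` to match the other arguments in this `smb.setup(...)` call and PEP 8 keyword-argument style.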
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 38957f3..7f0566e 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -106,6 +106,29 @@ The password of the user with administrative privileges for this IPA server. Wil
 .TP
 The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
 .TP
+\fB\-\-enable\-compat\fR
+Enables support for trusted domains users for old clients through Schema Compatibility plugin.
+SSSD supports trusted domains natively starting with version 1.9. For platforms that
+lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
+needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
+users and groups from trusted domains via SSSD on IPA server. These users and groups will be
+available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
+SSSD will normalize names of users and groups to lower case.
+.IP
+In addition to providing these users and groups through the compat tree, this option enables
+authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
+\fBuid=administrator at ad.domain,cn=users,cn=compat,$SUFFIX\fR.
+.IP
+LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
+This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
+If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
+to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
+rule to allow access to anyone to this rule on IPA masters.
+.IP
+As '\fBsystem\-auth\fR' PAM service is not used directly by any other
+application, it is safe to use it for trusted domain users via compatibility
+path.
+.TP
 .SH "EXIT STATUS"
 0 if the installation was successful
 
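Review bot: the trailing `+.TP` immediately before `.SH "EXIT STATUS"` is a tag paragraph with nothing following it and should be dropped; none of the earlier option entries end with a dangling `.TP`. Also, "create an HBAC rule to allow access to anyone to this rule on IPA masters" reads awkwardly; suggest "create an HBAC rule that allows any user to access the 'system-auth' service on the IPA masters", and it is worth stating that the rule's host side should be limited to the IPA masters' host group rather than all hosts, since only the masters serve the compat tree.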
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 4eb20d9..f072a6a 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -664,6 +664,20 @@ class ADTRUSTInstance(service.Service):
         except Exception, e:
             root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e)
 
+    def __enable_compat_tree(self):
+        try:
+            compat_plugin_dn = DN("cn=Schema Compatibility,cn=plugins,cn=config")
+            lookup_sssd_name = "schema-compat-lookup-sssd"
+            for config in (("cn=users", "user"), ("cn=groups", "group")):
+                entry_dn = DN(config[0], compat_plugin_dn)
+                current = self.admin_conn.get_entry(entry_dn)
+                lookup_sssd = current.get(lookup_sssd_name, [])
+                if not(config[1] in lookup_sssd):
+                    current[lookup_sssd_name] = [config[1]]
+                    self.admin_conn.update_entry(entry_dn, current)
+        except Exception, e:
+            root_logger.critical("Enabling SSSD support in slapi-nis failed with error '%s'" % e)
+
     def __start(self):
         try:
             self.start()
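Review bot: `current[lookup_sssd_name] = [config[1]]` replaces the whole multi-valued `schema-compat-lookup-sssd` attribute instead of adding the missing value, so any value already present on the entry is silently dropped; suggest `current[lookup_sssd_name] = lookup_sssd + [config[1]]`, and `if config[1] not in lookup_sssd:` in place of `if not(config[1] in lookup_sssd):`. Separately, the bare `except Exception` only logs at critical level and returns normally, so when slapi-nis is not installed and `cn=Schema Compatibility,cn=plugins,cn=config` does not exist the step is reported as completed and the installer continues without a working compat tree; since the man page makes slapi-nis a prerequisite of `--enable-compat`, consider checking for the plugin entry up front and failing the step explicitly.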
@@ -713,7 +727,7 @@ class ADTRUSTInstance(service.Service):
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
               reset_netbios_name, rid_base, secondary_rid_base,
-              no_msdcs=False, add_sids=False, smbd_user="samba"):
+              no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False):
         self.fqdn = fqdn
         self.ip_address = ip_address
         self.realm = realm_name
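Review bot: the changed `def setup(...)` signature line now exceeds 79 columns; wrap `enable_compat=False` onto its own continuation line. Appending the new parameter after `smbd_user` keeps existing positional callers working, and the one caller in ipa-adtrust-install passes it by keyword, which is the right choice for a boolean flag.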
@@ -724,6 +738,7 @@ class ADTRUSTInstance(service.Service):
         self.secondary_rid_base = secondary_rid_base
         self.no_msdcs = no_msdcs
         self.add_sids = add_sids
+        self.enable_compat = enable_compat
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm)
         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
@@ -811,6 +826,11 @@ class ADTRUSTInstance(service.Service):
         self.step("configuring smbd to start on boot", self.__enable)
         self.step("adding special DNS service records", \
                   self.__add_dns_service_records)
+
+        if self.enable_compat:
+            self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
+                      self.__enable_compat_tree)
+
         self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
                   self.__restart_dirsrv)
         self.step("adding fallback group", self.__add_fallback_group)
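Review bot: the placement is correct in that `__enable_compat_tree` runs before `__restart_dirsrv`, so the plugin configuration change is picked up by the restart; but because `__enable_compat_tree` swallows every exception, a failed compat step leaves no trace besides the critical log line while the step list still reports it as done. Consider letting the step fail (or at least printing a clear "compat tree not enabled" message) so an administrator does not assume trusted-domain lookups via the compat tree are active.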
-- 
1.8.3.1
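The reply above argues that an HBAC rule allowing everyone to the 'system-auth' service on the IPA masters does not widen access to any other service, because HBAC is matched against the PAM service name the application itself runs under (e.g. sshd's own service), and 'system-auth' is only ever included by other PAM stacks. The following is an added toy model of that evaluation, written for this page rather than taken from FreeIPA or the patch; the rule names, the 'ipa-masters' host group, the host names and the use of 'sshd' as the SSH PAM service name are all constructed assumptions.

```python
"""Toy model of IPA HBAC evaluation (added example, not FreeIPA code).

It models only what the discussion needs: HBAC is allow-only, a rule
matches on (user, PAM service, host), and the host side is expressed via
host groups.  Trusted AD users cannot be listed in a rule's user list
because they are not LDAP entries, so the rule for the compat path has
to use the 'all users' category."""

from dataclasses import dataclass

# Constructed host group membership: which hosts are IPA masters.
HOST_GROUPS = {
    "ipa1.example.test": {"ipa-masters"},
    "ipa2.example.test": {"ipa-masters"},
    "client.example.test": set(),
}


@dataclass(frozen=True)
class HbacRule:
    name: str
    enabled: bool = True
    user_cat_all: bool = False          # like 'ipa hbacrule-mod --usercat=all'
    users: frozenset = frozenset()
    service_cat_all: bool = False       # like '--servicecat=all'
    services: frozenset = frozenset()
    host_cat_all: bool = False          # like '--hostcat=all'
    hostgroups: frozenset = frozenset()


def hbac_allows(rules, user, pam_service, host, host_groups=HOST_GROUPS):
    """Return the name of the first enabled rule that grants
    (user, pam_service, host), or None.  No matching rule means deny."""
    for rule in rules:
        if not rule.enabled:
            continue
        user_ok = rule.user_cat_all or user in rule.users
        service_ok = rule.service_cat_all or pam_service in rule.services
        host_ok = rule.host_cat_all or bool(
            host_groups.get(host, set()) & rule.hostgroups)
        if user_ok and service_ok and host_ok:
            return rule.name
    return None


# The default rule, disabled as the man page text assumes.
ALLOW_ALL = HbacRule("allow_all", enabled=False, user_cat_all=True,
                     service_cat_all=True, host_cat_all=True)

# The rule the patch's documentation asks the admin to create: any user,
# only the 'system-auth' service, only on the IPA masters.
COMPAT_RULE = HbacRule("compat_system_auth", user_cat_all=True,
                       services=frozenset({"system-auth"}),
                       hostgroups=frozenset({"ipa-masters"}))

RULES = (ALLOW_ALL, COMPAT_RULE)


def compat_bind_decision(user, host):
    """LDAP bind through the compat tree is checked under 'system-auth'."""
    return hbac_allows(RULES, user, "system-auth", host)


def ssh_login_decision(user, host):
    """sshd runs against its own PAM service name; the fact that its stack
    includes system-auth is invisible to HBAC (assumed name 'sshd')."""
    return hbac_allows(RULES, user, "sshd", host)


if __name__ == "__main__":
    user = "administrator@ad.domain"   # a trusted AD user, not in LDAP
    print("compat bind on master:", compat_bind_decision(user, "ipa1.example.test"))
    print("ssh on master:        ", ssh_login_decision(user, "ipa1.example.test"))
    print("compat bind on client:", compat_bind_decision(user, "client.example.test"))
```

With a real server the equivalent rule is built with `ipa hbacsvc-add system-auth`, `ipa hbacrule-add`, `ipa hbacrule-mod --usercat=all`, `ipa hbacrule-add-service --hbacsvcs=system-auth` and `ipa hbacrule-add-host --hostgroups=<masters host group>`; the model shows why scoping the host side to the masters and the service side to 'system-auth' alone leaves sshd and every other service governed by their own rules.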
