[Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
Sumit Bose
sbose at redhat.com
Fri Nov 29 09:54:21 UTC 2013
On Thu, Nov 28, 2013 at 03:04:49PM +0200, Alexander Bokovoy wrote:
> On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
> >Hi!
> >
> >Attached patch should solve an issue when fetching subdomains fails
> >shortly after trust has been established due to MS-PAC caching effects
> >on KDC. We have already made an alternative path to use when AD admin
> >credentials are available but failed to actually use them here.
> >
> >Details in the patch.
> >
> >https://fedorahosted.org/freeipa/ticket/4046
> New version attached. It makes sure we use correct domain name when
> constructing credentials for NTLMSSP authentication if AD administrator
> credentials do not include one.
>
> Many thanks to Scott Poore who kindly provided Windows Server 2008R2
> setup which failed for the original case and also for the first version
> of this patch.
>
> --
> / Alexander Bokovoy
Patch makes sense and is working in my tests, so ACK. There are only two
cosmetic issues where I leave it up to you if they need fixing, see
below.
It's a pity that we have to fall back to NTLMSSP, but currently I do not
see another solution either. Do you think it would make sense to open a
ticket as a reminder to do some more research on how this can be done with
Kerberos?
> that auth module believes these parameters were overidden by the user
> through the command line and ignore some of options. We have to do calls
> in the right order to forse NTLMSSP use instead of Kerberos.
^^^^^
>
> Fixes https://fedorahosted.org/freeipa/ticket/4046
> ---
> ipalib/plugins/trust.py | 8 ++++++--
> ipaserver/dcerpc.py | 41 +++++++++++++++++++++++++++--------------
> 2 files changed, 33 insertions(+), 16 deletions(-)
>
> + if len(sp) == 1:
> + sp.insert(0, trustinstance.remote_domain.info['name'])
> + creds = u"{name}%{password}".format(name="\\".join(sp), password=password)
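Review bot: the `len(sp) == 1` default only covers the bare `user` and `DOMAIN\user` spellings; if `sp` comes from splitting the supplied name on a backslash, a UPN-style `user@domain` also yields a single element and gets `remote_domain.info['name']` prepended in front of the whole `user@domain` string, producing a name with both a domain prefix and a domain suffix. Either split on `@` as well or reject that form before building `creds`. The `creds = u"{name}%{password}".format(...)` line is also over 80 columns; wrapping the `format(` arguments onto a continuation line keeps it within PEP 8.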
^^
> + cr.set_workstation(domain_validator.flatname)
> + netrc = net.Net(creds=cr, lp=td.parm)
> + try:
> + result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
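Review bot: the `try:` around `netrc.finddc(...)` opens here but its handler is outside this excerpt; since the object passed as `creds=cr` now carries the AD administrator password, make sure the `except` branch reports only the looked-up domain and the error code and never interpolates `cr` or the `creds` string into the raised message or a log line. The `finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)` line is also over 80 columns; moving the `flags=` argument to its own line fixes that.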
^^^^^^^^^^^^^^^
I'm not sure about any policy related to long lines in python, but you
added 2 lines over 80 characters.
bye,
Sumit
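The credential normalisation the patch describes (prepend the remote domain name when the AD administrator name carries none, then compose the DOMAIN\user%password string for the NTLMSSP fallback), as an added example written for this page; it is not FreeIPA's or Samba's own code. The user@domain (UPN) handling, the sanity checks and the round-trip parser are assumptions of the example, not behaviour the patch implements.

```python
# Added example (not FreeIPA or Samba code): normalise an AD administrator
# name to DOMAIN\user and compose the DOMAIN\user%password string that the
# NTLMSSP fallback in the patch builds.  Handling of the user@domain (UPN)
# form, the empty-part and '%' checks and the inverse parser are assumptions
# of this example.


def split_admin_name(admin, default_domain):
    """Return (domain, user) for 'DOMAIN\\user', 'user@domain' or 'user'.

    A bare user name gets default_domain, which plays the role of
    trustinstance.remote_domain.info['name'] in the patch.
    """
    if "\\" in admin:
        domain, user = admin.split("\\", 1)
    elif "@" in admin:
        # UPN form; assumption of this example, the patch does not handle it
        user, domain = admin.rsplit("@", 1)
    else:
        domain, user = default_domain, admin
    if not domain or not user:
        raise ValueError("empty domain or user in %r" % admin)
    return domain, user


def build_creds_string(admin, password, default_domain):
    """Build 'DOMAIN\\user%password' as used for the NTLMSSP fallback."""
    domain, user = split_admin_name(admin, default_domain)
    if "%" in user:
        # parse_creds_string() below splits at the first '%', so a '%' in the
        # user part would silently move the password boundary
        raise ValueError("user name may not contain '%'")
    return u"{name}%{password}".format(name="\\".join([domain, user]),
                                       password=password)


def parse_creds_string(creds):
    """Inverse of build_creds_string: split at the first '%', then the
    first backslash.  The password may itself contain '%' or backslashes."""
    name, _, password = creds.partition("%")
    domain, _, user = name.partition("\\")
    return domain, user, password


if __name__ == "__main__":
    # constructed sample values; the password deliberately contains '%' and '\'
    creds = build_creds_string("Administrator", "p%ss\\w0rd", "AD.EXAMPLE.TEST")
    print(creds)
    print(parse_creds_string(creds))
```

The round-trip parser exists only to show that the composed string is unambiguous for the password part and ambiguous only if the user part carries a `%`, which is why the builder rejects that case.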