[Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established

Sumit Bose sbose at redhat.com
Fri Nov 29 09:54:21 UTC 2013


On Thu, Nov 28, 2013 at 03:04:49PM +0200, Alexander Bokovoy wrote:
> On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
> >Hi!
> >
> >Attached patch should solve an issue when fetching subdomains fails
> >shortly after trust has been established due to MS-PAC caching effects
> >on KDC. We have already made an alternative path to use when AD admin
> >credentials are available but failed to actually use them here.
> >
> >Details in the patch.
> >
> >https://fedorahosted.org/freeipa/ticket/4046
> New version attached. It makes sure we use correct domain name when
> constructing credentials for NTLMSSP authentication if AD administrator
> credentials do not include one.
> 
> Many thanks to Scott Poore who kindly provided Windows Server 2008R2
> setup which failed for the original case and also for the first version
> of this patch.
> 
> -- 
> / Alexander Bokovoy

The patch makes sense and is working in my tests, so ACK. There are only two
cosmetic issues where I leave it up to you if they need fixing, see
below.

It's a pity that we have to fall back to NTLMSSP, but currently I do not
see another solution either. Do you think it would make sense to open a
ticket as a reminder to do some more research on how this can be done with
Kerberos?

> that auth module believes these parameters were overridden by the user
> through the command line and ignore some of options. We have to do calls
> in the right order to forse NTLMSSP use instead of Kerberos.

                        ^^^^^
> 
> Fixes https://fedorahosted.org/freeipa/ticket/4046
> ---
>  ipalib/plugins/trust.py |  8 ++++++--
>  ipaserver/dcerpc.py     | 41 +++++++++++++++++++++++++++--------------
>  2 files changed, 33 insertions(+), 16 deletions(-)
> 
> +        if len(sp) == 1:
> +            sp.insert(0, trustinstance.remote_domain.info['name'])
> +        creds = u"{name}%{password}".format(name="\\".join(sp), password=password)
                                                                                   ^^
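Review bot: the `len(sp) == 1` branch treats every name without a backslash as a bare user name, but a UPN such as `admin@ad.example.com` also splits into a single element, and prepending the remote domain would produce `DOMAIN\admin@ad.example.com`, which a credentials-string parser will not read as `DOMAIN\user`. Consider skipping the insert when the name contains `@`. Also, `creds` carries the plaintext password; make sure this string never reaches a log line or an exception message.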

> +    cr.set_workstation(domain_validator.flatname)
> +    netrc = net.Net(creds=cr, lp=td.parm)
> +    try:
> +        result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
                                                                                   ^^^^^^^^^^^^^^^
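Review bot: the `try:` around the `finddc` call has no except clause in the quoted part; make sure a lookup failure (no DC in `trustdomain` advertising both `NBT_SERVER_LDAP` and `NBT_SERVER_DS`) is reported as a user-facing error that names the trusted domain rather than a raw traceback, and that the credentials object `cr` is not rendered into that message. `set_workstation(domain_validator.flatname)` deserves a one-line comment too, since the IPA domain's flat name, not a host name, is what AD will see in the workstation field of the NTLMSSP logon.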

I'm not sure about any policy related to long lines in python, but you
added 2 lines over 80 characters.

bye,
Sumit
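The patch builds the NTLMSSP credentials as a single `DOMAIN\user%password` string and fills in the remote domain when the administrator gave only a user name. The following is an added example of that normalisation in standalone Python; it is not FreeIPA's or Samba's code. It assumes the layout Samba's credential-string parser is understood to use (the text after the first `%` is the password, an `@` in the name marks a `user@realm` principal, otherwise `\` or `/` separates DOMAIN from user), and `default_domain` stands in for the patch's `trustinstance.remote_domain.info['name']`. The inputs in the `__main__` block are constructed, not real credentials.

```python
"""Normalise AD administrator credentials into the '[DOMAIN\\]user%password'
string form that the NTLMSSP fallback hands to Samba.

Added example, not FreeIPA or Samba code.  Assumed parser layout: the text
after the FIRST '%' is the password, an '@' in the remaining name marks a
Kerberos-style principal (user@realm), otherwise a '\\' or '/' separates
DOMAIN from user.
"""
from typing import NamedTuple, Optional


class ParsedCreds(NamedTuple):
    domain: Optional[str]     # NetBIOS domain, if one was given
    user: str                 # bare account name
    password: Optional[str]   # None when no '%' was present
    principal: Optional[str]  # full user@realm when given as a UPN


def parse_samba_creds(spec: str) -> ParsedCreds:
    """Split a '[DOMAIN\\]user[%password]' or 'user@realm[%password]' string.

    The password is taken after the FIRST '%', so a '%' inside the password
    survives; only the name part must be free of '%'.
    """
    name, sep, password = spec.partition("%")
    pw = password if sep else None
    if "@" in name:
        return ParsedCreds(None, name.split("@", 1)[0], pw, name)
    for dsep in ("\\", "/"):
        if dsep in name:
            domain, user = name.split(dsep, 1)
            return ParsedCreds(domain or None, user, pw, None)
    return ParsedCreds(None, name, pw, None)


def build_samba_creds(admin: str, password: str, default_domain: str) -> str:
    """Return the credentials string for the NTLMSSP fallback.

    'admin' may be 'user', 'DOMAIN\\user', 'DOMAIN/user' or 'user@realm'.
    A bare 'user' is qualified with default_domain (the remote trusted
    domain's name, as the patch does) so NTLMSSP authenticates against the
    right domain.  A UPN is passed through untouched: prefixing it with
    'DOMAIN\\' would turn the principal into 'DOMAIN\\user@realm'.

    ValueError is raised for names the string form cannot carry unambiguously.
    """
    if "%" in admin:
        # the name part would be cut at the '%' and the rest read as password
        raise ValueError("administrator name must not contain '%'")
    parsed = parse_samba_creds(admin)
    if parsed.principal is not None:
        name = parsed.principal
    else:
        if not parsed.user:
            raise ValueError("empty administrator user name")
        name = "%s\\%s" % (parsed.domain or default_domain, parsed.user)
    return "%s%%%s" % (name, password)


if __name__ == "__main__":
    # constructed inputs, not real credentials
    remote_domain = "AD"
    for admin in ("Administrator", "AD\\Administrator", "AD/Administrator",
                  "admin@ad.example.com"):
        spec = build_samba_creds(admin, "Secret%1", remote_domain)
        print(admin, "->", spec, "->", parse_samba_creds(spec))
```

Note that the password is allowed to contain `%` because the parser splits at the first one; the name part is the only place a `%` must be rejected, and the caller is expected to keep the returned string out of logs.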
