areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
86baa9
From 5b9d7daf27cb10101432e8a25c364dcbe92b37a4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 25 Jun 2019 15:22:57 +0300
Subject: [PATCH] adtrust upgrade: fix wrong primary principal name

Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.

This differs from what Active Directory expects and what is created by
the ipasam plugin when a trust is established. When upgrading such a
deployment, the upgrade code then unexpectedly failed.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 daemons/ipa-sam/ipa_sam.c                        | 12 +++++++-----
 .../adtrust/oneway-trust-with-shared-secret.md   | 16 +++++++++-------
 ipaserver/install/plugins/adtrust.py             |  4 ++--
 3 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3cf878c3f99774f7715f776c31d70e2950f9451c..2251f3ddcd9d5549d12b3e411245b00395c6b0d9 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2011,11 +2011,13 @@ static bool handle_cross_realm_princs(struct ipasam_private *ipasam_state,
 							 pwd_outgoing, trusted_dn,
 							 KRB_PRINC_CREATE_DEFAULT);
 
-				/* Second: <OUR FLATNAME$>@<REMOTE REALM> is only used
-				 * for SSSD to be able to talk to AD DCs but it has to
-				 * have canonical name set to <OUR FLATNAME>$ because
-				 * this is the salt used by AD DCs when using this
-				 * principal, otherwise authentication will fail.
+				/* Second: krbtgt/<OUR FLATNAME>@<REMOTE REALM>
+				 * is only used for SSSD to be able to talk to
+				 * AD DCs but it has to have canonical name set
+				 * to krbtgt/<OUR FLATNAME> and alias it to
+				 * <OUR FLATNAME$> because it is the salt used
+				 * by AD DCs when using this principal,
+				 * otherwise authentication will fail.
 				 *
 				 * *disable* use of this principal on our side as it is
 				 * only used to retrieve trusted domain credentials by
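Review bot: the pronoun in the rewritten comment, "alias it to <OUR FLATNAME$> because it is the salt used by AD DCs", is ambiguous and now reads as if krbtgt/<OUR FLATNAME> were the salt, whereas the doc hunk in this same patch says SSSD retrieves the keytab under LOCAL-FLAT$@REMOTE; suggest "alias it to <OUR FLATNAME$>, which is the salt used by AD DCs when using this principal". This hunk touches only the comment: the principal list handed to the second create call and its element order lie outside the visible lines, so confirm that the code really creates krbtgt/<OUR FLATNAME> as the canonical entry and <OUR FLATNAME$> as the alias, matching the adtrust.py change in this patch.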
diff --git a/doc/designs/adtrust/oneway-trust-with-shared-secret.md b/doc/designs/adtrust/oneway-trust-with-shared-secret.md
index dc58a08941acea447f9234107ebcba775351089e..09a940e34bb43a6e46beb85392c94423d2bfccd3 100644
--- a/doc/designs/adtrust/oneway-trust-with-shared-secret.md
+++ b/doc/designs/adtrust/oneway-trust-with-shared-secret.md
@@ -131,16 +131,18 @@ and `LOCAL-FLAT` is the NetBIOS name of the FreeIPA primary domain (e.g.
   REMOTE-FLAT$@LOCAL | Trusted domain object account for the Active Directory forest root domain
   krbtgt/REMOTE-FLAT@LOCAL | Alias to REMOTE-FLAT$ TDO
   krbtgt/LOCAL@REMOTE | Cross-realm principal representing IPA domain in Active Directory forest to allow crross-realm TGT issuance from IPA KDC side
-  LOCAL-FLAT$@REMOTE | Trusted domain object account for IPA domain in Active Directory forest
-  krbtgt/LOCAL-FLAT@REMOTE | Alias to LOCAL-FLAT$
+  krbtgt/LOCAL-FLAT@REMOTE | Trusted domain object account for IPA domain in Active Directory forest
+  LOCAL-FLAT$@REMOTE | Alias to krbtgt/LOCAL-FLAT@REMOTE
 
 For inbound trust `ipasam` module creates following principals:
   * `krbtgt/LOCAL@REMOTE`, enabled by default
-  * `LOCAL-FLAT$@REMOTE`, used by SSSD to talk to Active Directory domain
-    controllers, with canonical name set to `LOCAL-FLAT$` because Kerberos KDC
-    must use this salt when issuing tickets for this principal. The use of this
-    principal is disabled on IPA side (IPA KDC does not issue tickets in this name)
-    --- we only retrieve a keytab for the principal in SSSD.
+  * `krbtgt/LOCAL-FLAT@REMOTE`, used by SSSD to talk to Active Directory domain
+    controllers, with canonical name set to `krbtgt/LOCAL-FLAT@REMOTE` because
+    Kerberos KDC must use this salt when issuing tickets for this principal. The
+    use of this principal is disabled on IPA side (IPA KDC does not issue tickets
+    in this name) --- we only retrieve a keytab for the principal in SSSD. SSSD
+    retrieves a keytab for this principal using `LOCAL-FLAT$@REMOTE` Principal
+    name.
 
 For outbound trust `ipasam` module creates following principals:
   * `krbtgt/REMOTE@LOCAL`, enabled by default.
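Review bot: the unchanged context row for `krbtgt/LOCAL@REMOTE` directly above the swapped rows still carries the typo "crross-realm"; since this table is being edited anyway, fold that fix into the same hunk. In the new bullet, "`LOCAL-FLAT$@REMOTE` Principal name" should read "principal name", and the canonical name is now written with its realm, `krbtgt/LOCAL-FLAT@REMOTE`, while the neighbouring rows of the table (for example "Alias to REMOTE-FLAT$ TDO") give canonical names without a realm; pick one convention. The swapped rows themselves agree with the commit message: krbtgt/LOCAL-FLAT@REMOTE is the TDO account and LOCAL-FLAT$@REMOTE the alias.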
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 55df5cd01fd0f585d5955e700ccf20c7fc9a747f..f810522b236d8c04f4a417aac8fd3717563c358e 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -680,12 +680,12 @@ class update_tdo_to_new_layout(Updater):
                     trust_principal, t_realm)
                 continue
 
-            # 4. Create <OUR FLATNAME$>@<REMOTE REALM>, disabled
+            # 4. Create krbtgt/<OUR FLATNAME>@<REMOTE REALM>, disabled
             nbt_principal = self.nbt_principal_template.format(
                 nbt=our_nbt_name, realm=t_realm)
             tgt_principal = self.tgt_principal_template.format(
                 remote=our_nbt_name, local=t_realm)
-            self.set_krb_principal([nbt_principal, tgt_principal],
+            self.set_krb_principal([tgt_principal, nbt_principal],
                                    passwd_incoming,
                                    t_dn,
                                    flags=self.KRB_PRINC_CREATE_DEFAULT |
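Review bot: the entire fix is the element order in `[tgt_principal, nbt_principal]`, which relies on an implicit convention of set_krb_principal that the first list entry becomes the canonical principal and the remaining entries become aliases; nothing at the call site states this, and the previous code got it backwards, so add a one-line comment next to the call, for example "# first entry is the canonical name, the rest are aliases", to keep the next edit from swapping them again. Also, the `continue` in the context above this block suggests an already existing entry is skipped rather than repaired: deployments upgraded by the earlier version of this updater have LOCAL-FLAT$ as the canonical principal with krbtgt/LOCAL-FLAT as its alias, and nothing in this hunk rewrites those entries; confirm that case is handled elsewhere or called out in the commit message.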
-- 
2.20.1