pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0017-trust-detect-and-error-out-when-non-AD-trust-with-IP.patch

c58629
From a4e9e8f368c8a61d539e9da26e4a16a6234c138f Mon Sep 17 00:00:00 2001
c58629
From: Alexander Bokovoy <abokovoy@redhat.com>
c58629
Date: Fri, 17 Nov 2017 17:19:25 +0200
c58629
Subject: [PATCH] trust: detect and error out when non-AD trust with IPA domain
c58629
 name exists
c58629
c58629
Quite often users choose wrong type of trust on Active Directory side
c58629
when setting up a trust to freeIPA. The trust type supported by freeIPA
c58629
is just a normal forest trust to another Active Directory. However,
c58629
some people follow old internet recipes that force using a trust to MIT
c58629
Kerberos realm.
c58629
c58629
This is a wrong type of trust. Unfortunately, when someone used MIT
c58629
Kerberos realm trust, there is no way to programmatically remote the
c58629
trust from freeIPA side. As result, we have to detect such situation and
c58629
report an error.
c58629
c58629
To do proper reporting, we need reuse some constants and trust type
c58629
names we use in IPA CLI/Web UI. These common components were moved to
c58629
a separate ipaserver/dcerpc_common.py module that is imported by both
c58629
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
c58629
c58629
Fixes https://pagure.io/freeipa/issue/7264
c58629
c58629
Reviewed-By: Christian Heimes <cheimes@redhat.com>
c58629
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
c58629
---
c58629
 ipaserver/dcerpc.py        | 37 +++++++++++++++--------
c58629
 ipaserver/dcerpc_common.py | 73 ++++++++++++++++++++++++++++++++++++++++++++++
c58629
 ipaserver/plugins/trust.py | 65 ++++++++++-------------------------------
c58629
 3 files changed, 113 insertions(+), 62 deletions(-)
c58629
 create mode 100644 ipaserver/dcerpc_common.py
c58629
c58629
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
c58629
index aa63cd9db0a1d47b5309cc6bed2ff7584760a39d..ac1b2a34784df491a3851aa21bbadbec2297241c 100644
c58629
--- a/ipaserver/dcerpc.py
c58629
+++ b/ipaserver/dcerpc.py
c58629
@@ -31,6 +31,10 @@ from ipapython import ipautil
c58629
 from ipapython.ipa_log_manager import root_logger
c58629
 from ipapython.dn import DN
c58629
 from ipaserver.install import installutils
c58629
+from ipaserver.dcerpc_common import (TRUST_BIDIRECTIONAL,
c58629
+                                     TRUST_JOIN_EXTERNAL,
c58629
+                                     trust_type_string)
c58629
+
c58629
 from ipalib.util import normalize_name
c58629
 
c58629
 import os
c58629
@@ -77,15 +81,6 @@ The code in this module relies heavily on samba4-python package
c58629
 and Samba4 python bindings.
c58629
 """)
c58629
 
c58629
-# Both constants can be used as masks against trust direction
c58629
-# because bi-directional has two lower bits set.
c58629
-TRUST_ONEWAY = 1
c58629
-TRUST_BIDIRECTIONAL = 3
c58629
-
c58629
-# Trust join behavior
c58629
-# External trust -- allow creating trust to a non-root domain in the forest
c58629
-TRUST_JOIN_EXTERNAL = 1
c58629
-
c58629
 
c58629
 def is_sid_valid(sid):
c58629
     try:
c58629
@@ -151,6 +146,7 @@ pysss_type_key_translation_dict = {
c58629
     pysss_nss_idmap.ID_BOTH: 'both',
c58629
 }
c58629
 
c58629
+
c58629
 class TrustTopologyConflictSolved(Exception):
c58629
     """
c58629
     Internal trust error: raised when previously detected
c58629
@@ -1254,9 +1250,26 @@ class TrustDomainInstance(object):
c58629
             dname = lsa.String()
c58629
             dname.string = another_domain.info['dns_domain']
c58629
             res = self._pipe.QueryTrustedDomainInfoByName(
c58629
-                                self._policy_handle,
c58629
-                                dname,
c58629
-                                lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
c58629
+                self._policy_handle,
c58629
+                dname,
c58629
+                lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO
c58629
+            )
c58629
+            if res.info_ex.trust_type != lsa.LSA_TRUST_TYPE_UPLEVEL:
c58629
+                msg = _('There is already a trust to {ipa_domain} with '
c58629
+                        'unsupported type {trust_type}. Please remove '
c58629
+                        'it manually on AD DC side.')
c58629
+                ttype = trust_type_string(
c58629
+                    res.info_ex.trust_type, res.info_ex.trust_attributes
c58629
+                )
c58629
+                err = unicode(msg).format(
c58629
+                    ipa_domain=another_domain.info['dns_domain'],
c58629
+                    trust_type=ttype)
c58629
+
c58629
+                raise errors.ValidationError(
c58629
+                    name=_('AD domain controller'),
c58629
+                    error=err
c58629
+                )
c58629
+
c58629
             self._pipe.DeleteTrustedDomain(self._policy_handle,
c58629
                                            res.info_ex.sid)
c58629
         except RuntimeError as e:
c58629
diff --git a/ipaserver/dcerpc_common.py b/ipaserver/dcerpc_common.py
c58629
new file mode 100644
c58629
index 0000000000000000000000000000000000000000..526b025e3282c8a556088eb2ed1ba467b889b86c
c58629
--- /dev/null
c58629
+++ b/ipaserver/dcerpc_common.py
c58629
@@ -0,0 +1,73 @@
c58629
+import six
c58629
+from ipalib import _
c58629
+if six.PY3:
c58629
+    unicode = six.text_type
c58629
+
c58629
+# Both constants can be used as masks against trust direction
c58629
+# because bi-directional has two lower bits set.
c58629
+TRUST_ONEWAY = 1
c58629
+TRUST_BIDIRECTIONAL = 3
c58629
+
c58629
+# Trust join behavior
c58629
+# External trust -- allow creating trust to a non-root domain in the forest
c58629
+TRUST_JOIN_EXTERNAL = 1
c58629
+
c58629
+# We don't want to import any of Samba Python code here just for constants
c58629
+# Since these constants set in MS-ADTS, we can rely on their stability
c58629
+LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
c58629
+
c58629
+_trust_direction_dict = {
c58629
+        1: _('Trusting forest'),
c58629
+        2: _('Trusted forest'),
c58629
+        3: _('Two-way trust')
c58629
+}
c58629
+
c58629
+_trust_status_dict = {
c58629
+        True: _('Established and verified'),
c58629
+        False: _('Waiting for confirmation by remote side')
c58629
+}
c58629
+
c58629
+_trust_type_dict_unknown = _('Unknown')
c58629
+
c58629
+# Trust type is a combination of ipanttrusttype and ipanttrustattributes
c58629
+# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and
c58629
+# 2+(1 << 3) becomes 10.
c58629
+_trust_type_dict = {
c58629
+        1: _('Non-Active Directory domain'),
c58629
+        2: _('Active Directory domain'),
c58629
+        3: _('RFC4120-compliant Kerberos realm'),
c58629
+        10: _('Non-transitive external trust to a domain in '
c58629
+              'another Active Directory forest'),
c58629
+        11: _('Non-transitive external trust to an RFC4120-'
c58629
+              'compliant Kerberos realm')
c58629
+}
c58629
+
c58629
+
c58629
+def trust_type_string(level, attrs):
c58629
+    """
c58629
+    Returns a string representing a type of the trust.
c58629
+    The original field is an enum:
c58629
+      LSA_TRUST_TYPE_DOWNLEVEL  = 0x00000001,
c58629
+      LSA_TRUST_TYPE_UPLEVEL    = 0x00000002,
c58629
+      LSA_TRUST_TYPE_MIT        = 0x00000003
c58629
+    """
c58629
+    transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
c58629
+    string = _trust_type_dict.get(int(level) | (transitive << 3),
c58629
+                                  _trust_type_dict_unknown)
c58629
+    return unicode(string)
c58629
+
c58629
+
c58629
+def trust_direction_string(level):
c58629
+    """
c58629
+    Returns a string representing a direction of the trust.
c58629
+    The original field is a bitmask taking two bits in use
c58629
+      LSA_TRUST_DIRECTION_INBOUND  = 0x00000001,
c58629
+      LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
c58629
+    """
c58629
+    string = _trust_direction_dict.get(int(level), _trust_type_dict_unknown)
c58629
+    return unicode(string)
c58629
+
c58629
+
c58629
+def trust_status_string(level):
c58629
+    string = _trust_status_dict.get(level, _trust_type_dict_unknown)
c58629
+    return unicode(string)
c58629
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
c58629
index d0bbfbc47ca65c9c5229685fc9d202c293fe41cd..ecc5fa0b22f94de05cc5282758be093f0cfca13f 100644
c58629
--- a/ipaserver/plugins/trust.py
c58629
+++ b/ipaserver/plugins/trust.py
c58629
@@ -44,6 +44,13 @@ from ipalib import errors
c58629
 from ipalib import output
c58629
 from ldap import SCOPE_SUBTREE
c58629
 from time import sleep
c58629
+from ipaserver.dcerpc_common import (TRUST_ONEWAY,
c58629
+                                     TRUST_BIDIRECTIONAL,
c58629
+                                     TRUST_JOIN_EXTERNAL,
c58629
+                                     LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE,
c58629
+                                     trust_type_string,
c58629
+                                     trust_direction_string,
c58629
+                                     trust_status_string)
c58629
 
c58629
 if six.PY3:
c58629
     unicode = str
c58629
@@ -63,9 +70,6 @@ except Exception as e:
c58629
 if api.env.in_server and api.env.context in ['lite', 'server']:
c58629
     try:
c58629
         import ipaserver.dcerpc
c58629
-        from ipaserver.dcerpc import (TRUST_ONEWAY,
c58629
-                                      TRUST_BIDIRECTIONAL,
c58629
-                                      TRUST_JOIN_EXTERNAL)
c58629
         import dbus
c58629
         import dbus.mainloop.glib
c58629
         _bindings_installed = True
c58629
@@ -157,28 +161,14 @@ particular type.
c58629
 
c58629
 register = Registry()
c58629
 
c58629
-# Trust type is a combination of ipanttrusttype and ipanttrustattributes
c58629
-# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and
c58629
-# 2+(1 << 3) becomes 10.
c58629
-_trust_type_dict = {1 : _('Non-Active Directory domain'),
c58629
-                    2 : _('Active Directory domain'),
c58629
-                    3 : _('RFC4120-compliant Kerberos realm'),
c58629
-                    10: _('Non-transitive external trust to a domain in another Active Directory forest')}
c58629
-
c58629
-_trust_direction_dict = {1 : _('Trusting forest'),
c58629
-                         2 : _('Trusted forest'),
c58629
-                         3 : _('Two-way trust')}
c58629
-_trust_status_dict = {True : _('Established and verified'),
c58629
-                 False : _('Waiting for confirmation by remote side')}
c58629
-_trust_type_dict_unknown = _('Unknown')
c58629
-
c58629
-_trust_type_option = StrEnum('trust_type',
c58629
-                        cli_name='type',
c58629
-                        label=_('Trust type (ad for Active Directory, default)'),
c58629
-                        values=(u'ad',),
c58629
-                        default=u'ad',
c58629
-                        autofill=True,
c58629
-                    )
c58629
+_trust_type_option = StrEnum(
c58629
+         'trust_type',
c58629
+         cli_name='type',
c58629
+         label=_('Trust type (ad for Active Directory, default)'),
c58629
+         values=(u'ad',),
c58629
+         default=u'ad',
c58629
+         autofill=True,
c58629
+        )
c58629
 
c58629
 DEFAULT_RANGE_SIZE = 200000
c58629
 
c58629
@@ -187,31 +177,6 @@ DBUS_IFACE_TRUST = 'com.redhat.idm.trust'
c58629
 CRED_STYLE_SAMBA = 1
c58629
 CRED_STYLE_KERBEROS = 2
c58629
 
c58629
-LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
c58629
-
c58629
-def trust_type_string(level, attrs):
c58629
-    """
c58629
-    Returns a string representing a type of the trust. The original field is an enum:
c58629
-      LSA_TRUST_TYPE_DOWNLEVEL  = 0x00000001,
c58629
-      LSA_TRUST_TYPE_UPLEVEL    = 0x00000002,
c58629
-      LSA_TRUST_TYPE_MIT        = 0x00000003
c58629
-    """
c58629
-    transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
c58629
-    string = _trust_type_dict.get(int(level) | (transitive << 3), _trust_type_dict_unknown)
c58629
-    return unicode(string)
c58629
-
c58629
-def trust_direction_string(level):
c58629
-    """
c58629
-    Returns a string representing a direction of the trust. The original field is a bitmask taking two bits in use
c58629
-      LSA_TRUST_DIRECTION_INBOUND  = 0x00000001,
c58629
-      LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
c58629
-    """
c58629
-    string = _trust_direction_dict.get(int(level), _trust_type_dict_unknown)
c58629
-    return unicode(string)
c58629
-
c58629
-def trust_status_string(level):
c58629
-    string = _trust_status_dict.get(level, _trust_type_dict_unknown)
c58629
-    return unicode(string)
c58629
 
c58629
 def make_trust_dn(env, trust_type, dn):
c58629
     assert isinstance(dn, DN)
c58629
-- 
c58629
2.13.6
c58629