From 6d3e68480293b50cf3ac40ad09f3ab48de764089 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Mon, 24 Nov 2014 15:07:49 +0200

Subject: [PATCH] AD trust: improve trust validation

Trust validation requires AD DC to contact IPA server to verify that trust account

actually works. It can fail due to DNS or firewall issue or if AD DC was able to

resolve IPA master(s) via SRV records, it still may contact a replica that has

no trust data replicated yet.

In case AD DC still returns 'access denied', wait 5 seconds and try validation again.

Repeat validation until we hit a limit of 10 attempts, at which point raise

exception telling what's happening.

https://fedorahosted.org/freeipa/ticket/4764

Reviewed-By: Tomas Babej <tbabej@redhat.com>

---

 ipaserver/dcerpc.py | 19 ++++++++++++++++---

 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py

index caeca3c4ab357193aef4d0e6a373240acfdf1993..e342c4973746a113c0ad4f15a1e6050583461ccf 100644

--- a/ipaserver/dcerpc.py

+++ b/ipaserver/dcerpc.py

@@ -58,6 +58,7 @@ import pysss

 from ipaplatform.paths import paths

 from ldap.filter import escape_filter_chars

+from time import sleep

 __doc__ = _("""

 Classes to manage trust joins using DCE-RPC calls

@@ -93,6 +94,8 @@ dcerpc_error_codes = {

 dcerpc_error_messages = {

     "NT_STATUS_OBJECT_NAME_NOT_FOUND":

          errors.NotFound(reason=_('Cannot find specified domain or server name')),

+    "WERR_NO_LOGON_SERVERS":

+         errors.RemoteRetrieveError(reason=_('AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue')),

     "NT_STATUS_INVALID_PARAMETER_MIX":

          errors.RequirementError(name=_('At least the domain or IP address should be specified')),

 }

@@ -699,6 +702,7 @@ class TrustDomainInstance(object):

         self._policy_handle = None

         self.read_only = False

         self.ftinfo_records = None

+        self.validation_attempts = 0

     def __gen_lsa_connection(self, binding):

        if self.creds is None:

@@ -1011,9 +1015,18 @@ class TrustDomainInstance(object):

                                           netlogon.NETLOGON_CONTROL_TC_VERIFY,

                                           another_domain.info['dns_domain'])

         if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)):

-            # netr_LogonControl2Ex() returns non-None result only if overall call

-            # result was WERR_OK which means verification was correct.

-            # We only check that it was indeed status for verification process

+            if (result.pdc_connection_status[0] != 0) and (result.tc_connection_status[0] != 0):

+                if result.pdc_connection_status[1] == "WERR_ACCESS_DENIED":

+                    # Most likely AD DC hit another IPA replica which yet has no trust secret replicated

+                    # Sleep and repeat again

+                    self.validation_attempts += 1

+                    if self.validation_attempts < 10:

+                        sleep(5)

+                        return self.verify_trust(another_domain)

+                    raise errors.ACIError(reason=_('IPA master denied trust validation requests from AD DC '

+                                                   '%(count)d times. Most likely AD DC contacted a replica '

+                                                   'that has no trust information replicated yet.' % (self.validation_attempts)))

+                raise assess_dcerpc_exception(*result.pdc_connection_status)

             return True

         return False

-- 

2.1.0