
Trust samba ad #10

Open: abbra wants to merge 3 commits into master.

Conversation

abbra (Collaborator) commented Mar 20, 2019

test

abbra added 3 commits March 19, 2019 20:09
Refactor ipa-sam code to generate principals with additional POSIX
information so that FreeIPA is capable of establishing trust to Samba AD.

Trust verification process from Samba AD DC side requires us to have
a working local TDO object with POSIX attributes so that smbd would be
able to map incoming authenticated Kerberos principal for the TDO to
a local POSIX account. While Samba AD DC uses Kerberos to talk to us,
its Kerberos ticket lacks MS-PAC information and Samba falls back to
a direct getpwnam() call to verify that this user exists.

Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX
and thus SSSD is not able to see these POSIX accounts unless
specifically instructed to do so via multiple search bases.
netoarmando commented

This PR is being tested by PR-CI using the changes suggested here: freeipa/freeipa-pr-ci#259.

netoarmando commented Mar 20, 2019

@abbra As of today, test_trust.py requires an AD subdomain and AD tree domain, as we can see here:

class ADTrustBase(IntegrationTest):
    """Provides common checks for the AD trust integration testing."""
    topology = 'line'
    num_ad_domains = 1
    optional_extra_roles = ['ad_subdomain', 'ad_treedomain']

That num_ad_domains is used here:

for _i in range(cls.num_ad_domains):
    domain_descriptions.append({
        'type': 'AD',
        'hosts': {
            'ad': 1,
            'ad_subdomain': cls.num_ad_domains,
            'ad_treedomain': cls.num_ad_domains,
        }
    })

However, on PR-CI we only have the AD (root) and the child hosts; to be able to execute the tests right now I'm pointing the ad_treedomain to the child instance. Any thoughts?
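To make the topology gap concrete, here is an added illustration (not FreeIPA or PR-CI code) that expands a num_ad_domains request the way the quoted loop does and reports which roles a given host inventory cannot satisfy; the PR-CI inventory below is constructed from the description above (one AD root, one child, no tree-root domain).

```python
# Added example, not FreeIPA's own code. Role names mirror the test class
# quoted above; the host inventory is constructed for illustration.

def describe_ad_domains(num_ad_domains):
    """Expand num_ad_domains into per-domain host requests, mirroring the
    quoted loop: one AD root plus one subdomain and one tree-root domain
    per requested forest."""
    return [
        {
            'type': 'AD',
            'hosts': {
                'ad': 1,
                'ad_subdomain': num_ad_domains,
                'ad_treedomain': num_ad_domains,
            },
        }
        for _ in range(num_ad_domains)
    ]


def missing_roles(descriptions, available, optional=()):
    """Return (hard, soft): roles the topology needs but `available`
    (role -> host count the environment offers) cannot supply.  Roles in
    `optional` are reported as soft, since the tests can run without them
    (they are skipped instead of failing the whole run)."""
    required = {}
    for desc in descriptions:
        for role, count in desc['hosts'].items():
            required[role] = required.get(role, 0) + count
    hard, soft = [], []
    for role, count in sorted(required.items()):
        if available.get(role, 0) < count:
            (soft if role in optional else hard).append(role)
    return hard, soft


# Constructed PR-CI-like inventory: one AD root and one child domain.
PR_CI_HOSTS = {'ad': 1, 'ad_subdomain': 1}


def check_pr_ci():
    """Compare the ADTrustBase request (num_ad_domains = 1) with PR_CI_HOSTS."""
    return missing_roles(describe_ad_domains(1), PR_CI_HOSTS,
                         optional=('ad_subdomain', 'ad_treedomain'))


if __name__ == '__main__':
    hard, soft = check_pr_ci()
    print('missing required roles:', hard)   # []
    print('missing optional roles:', soft)   # ['ad_treedomain']
```

The workaround described in the comment amounts to presenting the child host under the ad_treedomain role as well, which makes both lists empty but does not give the tests a real tree-root domain.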


abbra commented Mar 21, 2019

A tree root domain is a domain that is part of the forest but is not subordinate in terms of DNS. E.g. if you have AD forest root ad.vm and a child domain child.ad.vm, then a domain named some.test would be a tree root domain for forest ad.vm if it is part of the ad.vm forest.


abbra commented Mar 21, 2019

@f-trivino, @netoarmando we need to have samba-client installed on the master -- without it all tests in test_trust.py are skipped.

('/usr/lib/python3.7/site-packages/_pytest/nose.py', 22, 'Skipped: Package samba-client not available on master.ipa.test')
