From e157ea1e14edd239c58847957fe0ae7c7fa5c9ab Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 13 Jan 2021 11:53:30 +0200
Subject: [PATCH] ipaserver/dcerpc.py: use Kerberos authentication for discovery

In FIPS mode we cannot rely on NTLMSSP at all, so we have ensure Kerberos is used by Samba Python libraries. This is achieved by requiring credentials objects to always use Kerberos authentication. Additionally, we have to normalize the principal used to authenticate. In case it was passed without realm, add forest root domain as a realm. In case it was passed with NetBIOS domain name, remove it and replace with a realm. Since we only know about the forest root domain as a realm, require that for other domains' users a real Kerberos principal is specified.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
 ipaserver/dcerpc.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 466491acd..2694e4e31 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1618,14 +1618,27 @@ def retrieve_remote_domain(hostname, local_flatname,
     rd.read_only = True
     if realm_admin and realm_passwd:
         if 'name' in rd.info:
+            realm_netbios = ""
             names = realm_admin.split('\\')
             if len(names) > 1:
                 # realm admin is in DOMAIN\user format
                 # strip DOMAIN part as we'll enforce the one discovered
                 realm_admin = names[-1]
-            auth_string = r"%s\%s%%%s" \
-                % (rd.info['name'], realm_admin, realm_passwd)
+                realm_netbios = names[0]
+            names = realm_admin.split('@')
+            if len(names) == 1:
+                if all([len(realm_netbios) != 0,
+                        realm_netbios.lower() != rd.info['name'].lower()]):
+                    raise errors.ValidationError(
+                        name=_('Credentials'),
+                        error=_('Non-Kerberos user name was specified, '
+                                'please provide user@REALM variant instead'))
+                realm_admin = r"%s@%s" % (
+                    realm_admin, rd.info['dns_forest'].upper())
+            auth_string = r"%s%%%s" \
+                % (realm_admin, realm_passwd)
             td = get_instance(local_flatname)
+            td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
             td.creds.parse_string(auth_string)
             td.creds.set_workstation(hostname)
             if realm_server is None:
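Review bot: The realm appended at `realm_admin = r"%s@%s" % (realm_admin, rd.info['dns_forest'].upper())` is the forest root, while the `DOMAIN\user` prefix just above is accepted only when it matches `rd.info['name']`, the NetBIOS name of the domain that was actually discovered; those two agree only when the discovered domain is the forest root, so if a child domain can reach this code the constructed principal names a realm the account does not live in and the Kerberos exchange fails with a confusing error rather than the intended ValidationError. If callers guarantee that `rd` is always the forest root here, a short comment on that line stating so would make the choice of `dns_forest` over `dns_domain` self-evident; otherwise `rd.info['dns_domain'].upper()` looks like the realm that matches the name the code just validated. `rd.info['dns_forest']` is also read without the `'name' in rd.info` style guard the surrounding block applies, so a discovery result lacking that key would surface as a KeyError instead of a validation failure. `retrieve_remote_domain` begins and ends outside this hunk.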