ipaserver/dcerpc.py: use Kerberos authentication for discovery

In FIPS mode we cannot rely on NTLMSSP at all, so we have ensure Kerberos is used by Samba Python libraries. This is achieved by requiring credentials objects to always use Kerberos authentication. Additionally, we have to normalize the principal used to authenticate. In case it was passed without realm, add forest root domain as a realm. In case it was passed with NetBIOS domain name, remove it and replace with a realm. Since we only know about the forest root domain as a realm, require that for other domains' users a real Kerberos principal is specified. Fixes: https://pagure.io/freeipa/issue/8655 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2021-01-13 11:53:30 +02:00 · 2021-01-13 11:53:30 +02:00 · e157ea1e14
commit e157ea1e14
parent cf17b7af5a
1 changed files with 15 additions and 2 deletions
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@ -1618,14 +1618,27 @@ def retrieve_remote_domain(hostname, local_flatname,
    rd.read_only = True
    if realm_admin and realm_passwd:
        if 'name' in rd.info:
+            realm_netbios = ""
            names = realm_admin.split('\\')
            if len(names) > 1:
                # realm admin is in DOMAIN\user format
                # strip DOMAIN part as we'll enforce the one discovered
                realm_admin = names[-1]
-            auth_string = r"%s\%s%%%s" \
-                          % (rd.info['name'], realm_admin, realm_passwd)
+                realm_netbios = names[0]
+            names = realm_admin.split('@')
+            if len(names) == 1:
+                if all([len(realm_netbios) != 0,
+                        realm_netbios.lower() != rd.info['name'].lower()]):
+                    raise errors.ValidationError(
+                        name=_('Credentials'),
+                        error=_('Non-Kerberos user name was specified, '
+                                'please provide user@REALM variant instead'))
+                realm_admin = r"%s@%s" % (
+                    realm_admin, rd.info['dns_forest'].upper())
+            auth_string = r"%s%%%s" \
+                          % (realm_admin, realm_passwd)
            td = get_instance(local_flatname)
+            td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
            td.creds.parse_string(auth_string)
            td.creds.set_workstation(hostname)
            if realm_server is None: