freeipa/ipalib
Alexander Bokovoy 6332cb3125 trust: automatically resolve DNS trust conflicts for triangle trusts
For a configuration where:
  - AD example.com trusts IPA at ipa.example.com
  - AD example.org trusts AD example.com
  - an attempt is made to establish a trust between ipa.example.com and
    example.org,

a trust topology conflict will be detected by the example.org domain
controller because the ipa.example.com DNS namespace overlaps with the
example.com DNS namespace.

This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2
"Building Well-Formed msDS-TrustForestTrustInfo Message". A similar
conflict can arise for SID and NetBIOS namespaces. However, unlike SID
and NetBIOS namespace conflicts, we can solve a DNS namespace conflict
automatically if administrative credentials for example.org are
available.

A manual sequence to solve the DNS namespace conflict is described in
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx.
This sequence boils down to the following steps:

   1. As an administrator of example.org, add an exclusion entry for
      ipa.example.com in the properties of the trust to example.com
   2. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4 or there will
be a conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.

This patchset implements an automated solution for the case when we have
access to example.org's administrator credentials:

   1. Attempt to establish trust and update trust topology information.
   2. If a trust topology conflict is detected as a result of (1):
   2.1. Fetch trust topology information for the conflicting forest
        trust
   2.2. Add an exclusion entry for our domain to the trust topology
        obtained in (2.1)
   2.3. Update trust topology for the conflicting forest trust
   3. Re-establish trust between ipa.example.com and example.org

We cannot do the same for shared secret trusts and external trusts,
though:

   1. For a shared secret trust we don't have administrative credentials
      in the forest reporting the conflict

   2. For an external trust we cannot set topology information due to
      MS-LSAD 3.1.4.7.16 because an external trust is non-transitive by
      definition and thus setting topology information will fail.

To test this logic one can use two Samba AD forests with FreeIPA
using a sub-domain of one of them.

Fixes: https://fedorahosted.org/freeipa/ticket/6076
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:31:47 +02:00
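The detection and recovery sequence described in the commit message above (attempt the trust, detect the DNS namespace overlap, add an exclusion for our domain to the conflicting forest trust, retry) as an added Python model. This is example code written for this page, not FreeIPA's or Samba's implementation: the ForestTrustInfo record shape, the function names, and the constructed triangle data are assumptions, and the SID and NetBIOS namespace checks the message mentions are not modelled.

```python
"""Model of the DNS-namespace part of the forest trust topology check.

Added example, not FreeIPA or Samba code.  It models the check a domain
controller applies when it records forest trust information (MS-ADTS
6.1.6.9.3.2) and the automated recovery described in the commit message.
Record shapes and function names are simplified assumptions, not the
wire format.
"""
from dataclasses import dataclass, field


@dataclass
class ForestTrustInfo:
    """Trust topology recorded for one trusted forest (assumed shape)."""
    forest: str                 # DNS name of the trusted forest
    tlns: list                  # TopLevelName records the forest claims
    exclusions: list = field(default_factory=list)  # TopLevelNameEx records


def is_subtree(child: str, parent: str) -> bool:
    """True when child equals parent or lies below it in the DNS tree."""
    c, p = child.rstrip(".").lower(), parent.rstrip(".").lower()
    return c == p or c.endswith("." + p)


def excluded(name: str, exclusions: list) -> bool:
    """True when some TopLevelNameEx record covers name."""
    return any(is_subtree(name, ex) for ex in exclusions)


def tln_conflicts(new_trust: ForestTrustInfo, existing: list) -> list:
    """Return (new_tln, existing_forest, existing_tln) for every DNS
    namespace overlap that no exclusion record carves out."""
    conflicts = []
    for tln in new_trust.tlns:
        for other in existing:
            for old in other.tlns:
                # new forest sits inside a namespace an existing trust claims
                if is_subtree(tln, old) and not excluded(tln, other.exclusions):
                    conflicts.append((tln, other.forest, old))
                # existing forest sits inside the namespace the new trust claims
                elif is_subtree(old, tln) and not excluded(old, new_trust.exclusions):
                    conflicts.append((tln, other.forest, old))
    return conflicts


def resolve_dns_conflicts(new_trust: ForestTrustInfo, existing: list):
    """Automated recovery from the commit message: for each conflict where the
    new forest sits below an existing forest's TLN, add a TopLevelNameEx for
    the new TLN to that existing trust (mutating it, as updating the
    conflicting forest trust would), then re-check.  Returns (resolved, applied)."""
    applied = []
    for new_tln, forest, old_tln in tln_conflicts(new_trust, existing):
        if not is_subtree(new_tln, old_tln):
            # Reverse case (existing forest below the new TLN) would need an
            # exclusion on the new trust instead; not automated here either.
            continue
        for other in existing:
            if other.forest == forest and not excluded(new_tln, other.exclusions):
                other.exclusions.append(new_tln)
                applied.append((forest, new_tln))
    return not tln_conflicts(new_trust, existing), applied


def triangle_demo():
    """The triangle from the commit, seen from example.org's DC (constructed
    data): example.org already trusts example.com, and IPA at ipa.example.com
    now asks for a trust."""
    example_com = ForestTrustInfo("example.com", ["example.com"])
    existing = [example_com]
    ipa = ForestTrustInfo("ipa.example.com", ["ipa.example.com"])
    before = tln_conflicts(ipa, existing)
    resolved, applied = resolve_dns_conflicts(ipa, existing)
    return before, resolved, applied, list(example_com.exclusions)


if __name__ == "__main__":
    print(triangle_demo())
```

Running `triangle_demo()` first reports the ipa.example.com / example.com overlap, then shows it cleared once ipa.example.com is recorded as a TopLevelNameEx on the example.com trust, which is the order the message insists on (exclusion first, then the trust). The reverse layout, where the new forest's TLN is a parent of an existing forest, is left unresolved on purpose: adding an exclusion to the existing trust cannot fix it.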
File              Committed                    Last commit
__init__.py       2016-06-03 09:00:34 +02:00   ipalib: move server-side plugins to ipaserver
aci.py            2015-10-13 14:16:32 +02:00   ipalib.aci: Port to Python 3
backend.py        2016-06-03 09:00:34 +02:00   rpc: specify connection options in API config
base.py           2015-09-01 11:42:01 +02:00   Modernize use of range()
capabilities.py   2014-06-03 15:55:32 +02:00   dns_name_values capability added
certstore.py      2015-08-12 18:17:23 +02:00   Modernize 'except' clauses
cli.py            2016-08-03 16:32:39 +02:00   help: Do not create instances to get information about commands and topics
config.py         2016-06-28 15:03:42 +02:00   env: Add 'server' variable to api.env
constants.py      2016-06-28 16:56:35 +02:00   CA replica promotion: add proper CA DNS records
crud.py           2016-05-25 16:06:26 +02:00   ipalib, ipaserver: fix incorrect API.register calls in docstrings
dns.py            2016-06-20 16:39:12 +02:00   dns: do not rely on custom param fields in record attributes
errors.py         2016-08-22 13:31:47 +02:00   trust: automatically resolve DNS trust conflicts for triangle trusts
frontend.py       2016-08-17 17:41:08 +02:00   Tests: Fix failing tests in test_ipalib/test_frontend
krb_utils.py      2016-03-02 14:57:36 +01:00   pylint: supress false positive no-member errors
Makefile          2015-12-17 10:52:57 +01:00   Package ipapython, ipalib, ipaplatform, ipatests for Python 3
messages.py       2016-08-16 11:59:35 +02:00   Fix malformed or missing docstrings in ipalib/messages
output.py         2016-07-20 13:57:01 +02:00   allow 'value' output param in commands without primary key
parameters.py     2016-08-10 08:51:39 +02:00   parameters: move the confirm kwarg to Param
pkcs10.py         2015-12-23 07:59:22 +01:00   Remove unused imports
plugable.py       2016-08-03 16:32:39 +02:00   help: Do not create instances to get information about commands and topics
request.py        2016-03-03 10:06:18 +01:00   ipalib: provide per-call command context
rpc.py            2016-07-01 09:37:25 +02:00   ipalib: introduce Principal parameter
setup.py.in       2016-06-21 13:51:28 +02:00   pylint: fix: multiple-statements
text.py           2015-12-23 07:59:22 +01:00   Remove unused imports
util.py           2016-07-28 09:34:43 +02:00   harden the check for trust namespace overlap in new principals
x509.py           2016-06-06 08:58:01 +02:00   Remove service and host cert issuer validation