#4207 Access is not rejected for disabled domain
Closed: Fixed None Opened 10 years ago by steeve.

[root@dhcp207-218 ipa-idrange-cli]# echo Secret123 | ipa trust-add --type=ad adtest.qe --admin administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-218 ipa-idrange-cli]# getent passwd testu1@pune.adtest.qe
testu1@pune.adtest.qe:*:839001108:839001108:testu1 user:/home/pune.adtest.qe/testu1:

[root@dhcp207-218 ipa-idrange-cli]# ssh -o StrictHostKeyChecking=no -l testu1@pune.adtest.qe `hostname` echo 'login successful'
testu1@pune.adtest.qe@dhcp207-218.testrelm.test's password: 
Permission denied, please try again.
testu1@pune.adtest.qe@dhcp207-218.testrelm.test's password:

[root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-disable adtest.qe pune.adtest.qe ; sleep 120; ssh -o StrictHostKeyChecking=no -l testu1@pune.adtest.qe `hostname` echo 'login successful'
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------
testu1@pune.adtest.qe@dhcp207-218.testrelm.test's password: 
login successful

[root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-enable adtest.qe pune.adtest.qe ; sleep 120 ;ssh -o StrictHostKeyChecking=no -l testu1@pune.adtest.qe `hostname` echo 'login successful'
-------------------------------------
Enabled trust domain "pune.adtest.qe"
-------------------------------------
testu1@pune.adtest.qe@dhcp207-218.testrelm.test's password: 
login successful

[root@dhcp207-218 ~]# tail -f /var/log/krb5kdc.log

--------------------------------------------
Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for ldap/dhcp207-218.testrelm.test@TESTRELM.TEST
Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): ... CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.TEST
Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): bad realm transit path from 'testu1@PUNE.ADTEST.QE' to 'host/dhcp207-218.testrelm.test@TESTRELM.TEST' via 'ADTEST.QE'
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: BAD_TRANSIT: authtime 1393509513,  testu1@PUNE.ADTEST.QE for host/dhcp207-218.testrelm.test@TESTRELM.TEST, KDC policy rejects request
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): bad realm transit path from 'testu1@PUNE.ADTEST.QE' to 'host/dhcp207-218.testrelm.test@TESTRELM.TEST' via 'ADTEST.QE'
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: BAD_TRANSIT: authtime 1393509513,  testu1@PUNE.ADTEST.QE for host/dhcp207-218.testrelm.test@TESTRELM.TEST, KDC policy rejects request
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12

--------------------------------------------
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for ldap/dhcp207-218.testrelm.test@TESTRELM.TEST
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): ... CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.TEST
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509550, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509671, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ: issuing TGT krbtgt/ADTEST.QE@TESTRELM.TEST
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509671, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/ADTEST.QE@TESTRELM.TEST
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:31:15 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509676, etypes {rep=18 tkt=18 ses=18}, testu1@PUNE.ADTEST.QE for host/dhcp207-218.testrelm.test@TESTRELM.TEST
Feb 27 19:31:15 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required
Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509677, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST
Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509677, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/ADTEST.QE@TESTRELM.TEST
Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12

--------------------------------------
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for ldap/dhcp207-218.testrelm.test@TESTRELM.TEST
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): ... CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.TEST
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509705, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST
Feb 27 19:33:58 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509838, etypes {rep=18 tkt=18 ses=18}, testu1@PUNE.ADTEST.QE for host/dhcp207-218.testrelm.test@TESTRELM.TEST
Feb 27 19:33:58 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12

Sumit is looking into it. This is a must-fix for the 3.3.x series.

Attached the current patch, which was tested by Scott and Sumit. Also attached a screenshot showing the correct behavior with the patch applied.

master:

  • 6b45ec3 fix filtering of subdomain-based trust users

ipa-3-3:

  • be033fd fix filtering of subdomain-based trust users

Metadata Update from @steeve:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.3.5 (bug fixing)

7 years ago

