Fix establishing trust when using Samba 4.2

Fixes: 1219834

0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch

@@ -0,0 +1,88 @@
+From 35ab765554e3469daae204fb045eb4281f4f4f36 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 8 May 2015 12:09:13 +0000
+Subject: [PATCH] ipaserver/dcerpc: Ensure LSA pipe has session key before
+ using it
+
+With Samba 4.2 there is a bug that prevents Samba to consider Kerberos
+credentials used by IPA httpd process when talking to smbd. As result,
+LSA RPC connection is seen as anonymous by Samba client code and we cannot
+derive session key to use for encrypting trust secrets before transmitting
+them.
+
+Additionally, rewrite of the SMB protocol support in Samba caused previously
+working logic of choosing DCE RPC binding string to fail. We need to try
+a different set of priorities until they fail or succeed.
+
+Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
+
+---
+ ipaserver/dcerpc.py | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index e342c49..25f8bf8 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -89,6 +89,10 @@ dcerpc_error_codes = {
+     -1073741811: # NT_STATUS_INVALID_PARAMETER
+         errors.RemoteRetrieveError(
+             reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),
++    -1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the binding
++        access_denied_error,
++    -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND
++        errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to \\\\pipe\\lsarpc')),
+ }
+ 
+ dcerpc_error_messages = {
+@@ -728,16 +732,20 @@ class TrustDomainInstance(object):
+             return
+ 
+         attempts = 0
++        session_attempts = 0
+         bindings = self.__gen_lsa_bindings(remote_host)
+         for binding in bindings:
+             try:
+                 self._pipe = self.__gen_lsa_connection(binding)
+-                if self._pipe:
++                if self._pipe and self._pipe.session_key:
+                     break
+             except errors.ACIError, e:
+                 attempts = attempts + 1
++            except RuntimeError, e:
++                # When session key is not available, we just skip this binding
++                session_attempts = session_attempts + 1
+ 
+-        if self._pipe is None and attempts == len(bindings):
++        if self._pipe is None and (attempts + session_attemps) == len(bindings):
+             raise errors.ACIError(
+                 info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host))
+ 
+@@ -745,6 +753,7 @@ class TrustDomainInstance(object):
+             raise errors.RemoteRetrieveError(
+                 reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host))
+         self.binding = binding
++        self.session_key = self._pipe.session_key
+ 
+     def __gen_lsa_bindings(self, remote_host):
+         """
+@@ -753,11 +762,11 @@ class TrustDomainInstance(object):
+         Generate all we can use. init_lsa_pipe() will try them one by one until
+         there is one working.
+ 
+-        We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned.
++        We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or defaults.
+         """
+         transports = (u'ncacn_np', u'ncacn_ip_tcp')
+-        options = ( u',', u'')
+-        binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
++        options = ( u'smb2', u'smb1', u'')
++        binding_template=lambda x,y,z: u'%s:%s[%s,print]' % (x, y, z)
+         return [binding_template(t, remote_host, o) for t in transports for o in options]
+ 
+     def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False):
+-- 
+2.4.0
+

freeipa.spec

@@ -7,7 +7,7 @@
 %global samba_version 4.0.5-1
 %global selinux_policy_version 3.12.1-153
 %else
-%global samba_version 2:4.0.5-1
+%global samba_version 2:4.2.1-8
 %global selinux_policy_version 3.12.1-179
 %endif
 
@@ -25,7 +25,7 @@
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -39,6 +39,7 @@ Patch0002:      0002-Make-lint-work-on-Fedora-22.patch
 Patch0003:      0003-Remove-unused-part-of-ipa.conf.patch
 Patch0004:      0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
 Patch0005:      0005-Bump-ipa.conf-version-to-17.patch
+Patch0006:      0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch
 
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.3.8
@@ -947,6 +948,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Mon May 11 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.4-3
+- Fix FreeIPA trusts to AD feature with Samba 4.2 (#1219834)
+
 * Mon Mar 30 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.4-2
 - Replace mod_auth_kerb usage with mod_auth_gssapi