[Freeipa-devel] [PATCH] 363-368 Configurable SID blacklists

Martin Kosek mkosek at redhat.com
Mon Feb 11 14:46:57 UTC 2013


On 02/11/2013 03:34 PM, Alexander Bokovoy wrote:
> On Fri, 08 Feb 2013, Martin Kosek wrote:
>> On 02/08/2013 10:47 AM, Martin Kosek wrote:
>>> Sending patches according to RFE:
>>> http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
>>>
>>> How this works:
>>>
>>> 1) Trust is added, SID blacklist is filled with default list (by ipa-sam
>>> plugin). When SID blacklist attribute is missing (e.g. for current trusts),
>>> ipa-kdb will use the hardcoded list.
>>>
>>> # echo password | ipa trust-add MKAD2012.TEST --admin="Administrator"
>>> --password
>>> ----------------------------------------------
>>> Re-established trust to domain "MKAD2012.TEST"
>>> ----------------------------------------------
>>>   Realm name: MKAD2012.TEST
>>>   Domain NetBIOS name: MKAD2012
>>>   Domain Security Identifier: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>> S-1-5-3, S-1-5-4, S-1-5-5,
>>>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>>> S-1-5-11, S-1-5-12, S-1-5-13,
>>>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
>>> S-1-5-19, S-1-5-20
>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>> S-1-5-3, S-1-5-4, S-1-5-5,
>>>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>>> S-1-5-11, S-1-5-12, S-1-5-13,
>>>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
>>> S-1-5-19, S-1-5-20
>>>   Trust direction: Two-way trust
>>>   Trust type: Active Directory domain
>>>   Trust status: Established and verified
>>>
>>> 2) Incoming SID blacklist is updated (I added S-1-18-1 to the list as it is
>>> included in MS-PAC when I log in from AD 2012):
>>>
>>> # ipa trust-mod MKAD2012.TEST --sid-blacklist-incoming
>>> S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1
>>>
>>>
>>> 3) When I now log in from AD 2012 to my IPA machine, I get an error message in
>>> krb5kdc.log about the filtered SID I configured in LDAP:
>>>
>>> ...
>>> Feb 08 04:11:33 ipa.linux.mkad2012.test krb5kdc[6493](Error): PAC filtering
>>> issue: SID [S-1-18-1] is not allowed from a trusted source and will be
>>> excluded.
>>> ...
>>>
>>> NOTE:
>>> When coding and testing this feature I fixed several related bugs I found in
>>> ipa-kdb, see description of patches 363-365.
>>>
>>> Martin
>>>
>>
>> I forgot to update the ACI allowing Trust Admins to modify the blacklist. I also
>> added a validator for SIDs to help catch invalid SIDs.
>>
>> Updated patches attached.
> Works fine for me against Windows 2012 server.
> 
> However, I'd like you to rebase on top of your previous patches. VERSION
> file is causing conflict since your patchset for trustconfig command
> increments to the same version as this one.
> 

I pushed the previously acked patch to master. Attaching patches 363-368 rebased on
top of that.

Martin
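As an added illustration of the mechanism discussed in this thread (this is example code, not FreeIPA's own code and not taken from the attached patches), the Python below shows the three pieces Martin describes: a syntax validator for SID values of the kind added for `--sid-blacklist-incoming`, the fallback to the hard-coded default list when the LDAP attribute is missing, and filtering of a PAC's SID list against the effective blacklist, logging a message in the shape of the krb5kdc.log line above and returning an empty list rather than failing when every SID is excluded (the situation the title of patch 364 refers to). The function names, the exact-match rule, the constructed PAC contents and the placeholder domain SID are assumptions; ipa-kdb's real matching logic is in the patches themselves.

```python
"""SID validation and PAC SID blacklist filtering (illustrative example)."""
import re
from typing import List, Optional, Sequence, Tuple

# Textual SID: S-<revision>-<identifier authority>[-<sub-authority>]*
# Only revision 1 exists, so the pattern pins it.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")
MAX_SUB_AUTHORITIES = 15               # SID_MAX_SUB_AUTHORITIES on Windows
MAX_IDENTIFIER_AUTHORITY = (1 << 48) - 1   # 6-byte identifier authority
MAX_SUB_AUTHORITY = (1 << 32) - 1          # each sub-authority is 32-bit

# Default list as printed by `ipa trust-add` in the thread:
# S-1-0 .. S-1-3 plus S-1-5-1 .. S-1-5-20.
DEFAULT_SID_BLACKLIST: List[str] = (
    [f"S-1-{i}" for i in range(0, 4)] + [f"S-1-5-{i}" for i in range(1, 21)]
)


def parse_sid(text: str) -> Tuple[int, Tuple[int, ...]]:
    """Return (identifier_authority, sub_authorities); raise ValueError if invalid."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"malformed SID: {text!r}")
    authority = int(m.group(1))
    subs = tuple(int(s) for s in m.group(2).split("-")[1:]) if m.group(2) else ()
    if authority > MAX_IDENTIFIER_AUTHORITY:
        raise ValueError(f"identifier authority out of range: {text!r}")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"too many sub-authorities: {text!r}")
    if any(s > MAX_SUB_AUTHORITY for s in subs):
        raise ValueError(f"sub-authority out of range: {text!r}")
    return authority, subs


def validate_sid(value: str) -> Optional[str]:
    """Validator in the style of an IPA parameter validator (assumed convention):
    return None when the value is acceptable, otherwise an error string."""
    try:
        parse_sid(value)
    except ValueError as exc:
        return str(exc)
    return None


def effective_blacklist(ldap_value: Optional[Sequence[str]]) -> List[str]:
    """Use the per-trust LDAP attribute when present; fall back to the
    hard-coded default when the attribute is missing (e.g. an older trust)."""
    return list(ldap_value) if ldap_value is not None else list(DEFAULT_SID_BLACKLIST)


def filter_pac_sids(pac_sids: Sequence[str], blacklist: Sequence[str],
                    log: List[str]) -> List[str]:
    """Drop every PAC SID that appears in the blacklist (exact match, an
    assumption of this example). An empty result is a valid outcome, not an
    error: a PAC whose SIDs are all filtered simply carries no extra SIDs."""
    blocked = {parse_sid(s) for s in blacklist}
    kept: List[str] = []
    for sid in pac_sids:
        if parse_sid(sid) in blocked:
            log.append(f"PAC filtering issue: SID [{sid}] is not allowed from a "
                       f"trusted source and will be excluded.")
            continue
        kept.append(sid)
    return kept


# Constructed sample data: a placeholder domain group SID, the S-1-18-1
# SID Martin saw from AD 2012, and the well-known "Authenticated Users" SID.
PAC_SIDS = ["S-1-5-21-1-2-3-513", "S-1-18-1", "S-1-5-11"]
# The blacklist as configured with `ipa trust-mod` in step 2 of the thread.
CONFIGURED_BLACKLIST = DEFAULT_SID_BLACKLIST + ["S-1-18-1"]


if __name__ == "__main__":
    for candidate in ["S-1-18-1", "S-1-5-x", "S-2-5"]:
        print(candidate, "->", validate_sid(candidate) or "ok")
    messages: List[str] = []
    print("default:", filter_pac_sids(PAC_SIDS, effective_blacklist(None), messages))
    print("configured:", filter_pac_sids(PAC_SIDS, CONFIGURED_BLACKLIST, messages))
    print("\n".join(messages))
```

Running the script with the constructed PAC shows S-1-18-1 surviving under the default list and being excluded once the configured list from step 2 is in effect, with one log line per excluded SID.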
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-363-3-ipa-kdb-add-sentinel-for-ldapderefspec-allocation.patch
Type: text/x-patch
Size: 1504 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130211/26d4d499/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-364-3-ipa-kdb-avoid-enomem-when-all-sids-are-filtered-out.patch
Type: text/x-patch
Size: 2014 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130211/26d4d499/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-365-3-ipa-kdb-reinitialize-ldap-configuration-for-known-re.patch
Type: text/x-patch
Size: 3388 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130211/26d4d499/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-366-3-add-sid-blacklist-attributes.patch
Type: text/x-patch
Size: 18744 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130211/26d4d499/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-367-3-ipa-kdb-read-sid-blacklist-from-ldap.patch
Type: text/x-patch
Size: 10333 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130211/26d4d499/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-368-3-ipa-sam-fill-sid-blacklist-when-trust-is-added.patch
Type: text/x-patch
Size: 2265 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130211/26d4d499/attachment-0005.bin>