[Freeipa-devel] [PATCH] 363-368 Configurable SID blacklists

Alexander Bokovoy abokovoy at redhat.com
Mon Feb 11 17:58:05 UTC 2013


On Mon, 11 Feb 2013, Martin Kosek wrote:
>On 02/11/2013 03:34 PM, Alexander Bokovoy wrote:
>> On Fri, 08 Feb 2013, Martin Kosek wrote:
>>> On 02/08/2013 10:47 AM, Martin Kosek wrote:
>>>> Sending patches according to RFE:
>>>> http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
>>>>
>>>> How this works:
>>>>
>>>> 1) Trust is added, SID blacklist is filled with default list (by ipa-sam
>>>> plugin). When SID blacklist attribute is missing (e.g. for current trusts),
>>>> ipa-kdb will use the hardcoded list.
>>>>
>>>> # echo password | ipa trust-add MKAD2012.TEST --admin="Administrator"
>>>> --password
>>>> ----------------------------------------------
>>>> Re-established trust to domain "MKAD2012.TEST"
>>>> ----------------------------------------------
>>>>   Realm name: MKAD2012.TEST
>>>>   Domain NetBIOS name: MKAD2012
>>>>   Domain Security Identifier: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
>>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>> S-1-5-3, S-1-5-4, S-1-5-5,
>>>>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>>>> S-1-5-11, S-1-5-12, S-1-5-13,
>>>>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
>>>> S-1-5-19, S-1-5-20
>>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>> S-1-5-3, S-1-5-4, S-1-5-5,
>>>>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>>>> S-1-5-11, S-1-5-12, S-1-5-13,
>>>>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
>>>> S-1-5-19, S-1-5-20
>>>>   Trust direction: Two-way trust
>>>>   Trust type: Active Directory domain
>>>>   Trust status: Established and verified
>>>>
>>>> 2) Incoming SID blacklist is updated (I added S-1-18-1 to the list as it is
>>>> included in MS-PAC when I log in from AD 2012):
>>>>
>>>> # ipa trust-mod MKAD2012.TEST --sid-blacklist-incoming
>>>> S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1
>>>>
>>>>
>>>> 3) When I now log in from AD2012 to my IPA machine, I get an error message in
>>>> krb5kdc.log about the filtered SID I configured in LDAP:
>>>>
>>>> ...
>>>> Feb 08 04:11:33 ipa.linux.mkad2012.test krb5kdc[6493](Error): PAC filtering
>>>> issue: SID [S-1-18-1] is not allowed from a trusted source and will be
>>>> excluded.
>>>> ...
>>>>
>>>> NOTE:
>>>> When coding and testing this feature I fixed several related bugs I found in
>>>> ipa-kdb, see description of patches 363-365.
>>>>
>>>> Martin
>>>>
>>>
>>> I forgot to update the ACI allowing Trust Admins to modify the blacklist. I also
>>> added a validator for SIDs to help catch invalid SIDs.
>>>
>>> Updated patches attached.
>> Works fine for me against Windows 2012 server.
>>
>> However, I'd like you to rebase on top of your previous patches. VERSION
>> file is causing conflict since your patchset for trustconfig command
>> increments to the same version as this one.
>>
>
>I pushed previous acked patch to master. Attaching patches 363-368 rebased on
>top of that.
ACK.

Thanks a lot!

-- 
/ Alexander Bokovoy
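The thread above describes two pieces of the feature: a validator for SID strings accepted by trust-mod, and KDC-side filtering of PAC SIDs against a per-trust blacklist (falling back to a hardcoded default when the LDAP attribute is absent). The following Python sketch, written as an added illustration and not code from FreeIPA, ipa-kdb or the patches under review, shows both behaviours. The default list is the one printed by trust-add in the thread; the function names (is_valid_sid, validate_sid_list, filter_pac_sids), the structural limits applied by the validator, and the prefix-matching rule for blacklist entries are assumptions made for this example, not the semantics of the real patches.

```python
"""Illustrative SID validation and PAC SID blacklist filtering (example code)."""

from typing import Callable, Iterable, List, Optional, Tuple

# Default blacklist as shown in the trust-add output in the thread.
DEFAULT_SID_BLACKLIST: List[str] = [
    "S-1-0", "S-1-1", "S-1-2", "S-1-3",
    *[f"S-1-5-{i}" for i in range(1, 21)],
]

# Assumed structural limits for the validator: 48-bit identifier authority,
# 32-bit sub-authorities, at most 15 sub-authorities.
_MAX_AUTHORITY = 2 ** 48 - 1
_MAX_SUBAUTH = 2 ** 32 - 1
_MAX_SUBAUTH_COUNT = 15


def is_valid_sid(sid: str) -> bool:
    """Return True if `sid` is a well-formed textual SID: S-1-<auth>[-<sub>...]."""
    if not isinstance(sid, str):
        return False
    parts = sid.split("-")
    # Need at least "S", the revision "1", and an identifier authority.
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        return False
    try:
        nums = [int(p) for p in parts[2:]]
    except ValueError:
        return False
    # Reject signs, leading zeros and anything int() tolerates but a SID does not.
    if any(p != str(n) for p, n in zip(parts[2:], nums)):
        return False
    authority, subauths = nums[0], nums[1:]
    if authority > _MAX_AUTHORITY or len(subauths) > _MAX_SUBAUTH_COUNT:
        return False
    return all(n <= _MAX_SUBAUTH for n in subauths)


def validate_sid_list(value: str) -> List[str]:
    """Parse a comma-separated SID list (as passed to --sid-blacklist-incoming).

    Raises ValueError naming every malformed entry so the caller can refuse the
    whole update rather than storing a partially valid blacklist.
    """
    sids = [s.strip() for s in value.split(",") if s.strip()]
    bad = [s for s in sids if not is_valid_sid(s)]
    if bad:
        raise ValueError("invalid SID(s): " + ", ".join(bad))
    return sids


def _is_blacklisted(sid: str, blacklist: Iterable[str]) -> bool:
    # Assumed rule: an entry matches the SID itself or any SID beneath it,
    # so "S-1-5-5" also covers logon-session SIDs such as "S-1-5-5-0-1".
    return any(sid == entry or sid.startswith(entry + "-") for entry in blacklist)


def filter_pac_sids(
    pac_sids: Iterable[str],
    blacklist: Optional[Iterable[str]] = None,
    log: Optional[Callable[[str], None]] = None,
) -> Tuple[List[str], List[str]]:
    """Split SIDs carried in an incoming PAC into (allowed, excluded).

    When `blacklist` is None (LDAP attribute missing, as for pre-existing
    trusts) the hardcoded default list is used, mirroring the fallback the
    thread describes. Excluded SIDs are reported through `log` in the same
    wording as the krb5kdc.log message quoted in the thread.
    """
    active = list(blacklist) if blacklist is not None else DEFAULT_SID_BLACKLIST
    allowed: List[str] = []
    excluded: List[str] = []
    for sid in pac_sids:
        if _is_blacklisted(sid, active):
            excluded.append(sid)
            if log is not None:
                log(f"PAC filtering issue: SID [{sid}] is not allowed from a "
                    f"trusted source and will be excluded.")
        else:
            allowed.append(sid)
    return allowed, excluded


if __name__ == "__main__":
    # Constructed sample: a domain group SID plus the S-1-18-1 SID from the thread.
    incoming = validate_sid_list(",".join(DEFAULT_SID_BLACKLIST) + ",S-1-18-1")
    sample_pac = ["S-1-5-21-1111-2222-3333-513", "S-1-18-1", "S-1-5-5-0-1"]
    print(filter_pac_sids(sample_pac, incoming, log=print))
```

With the default list only, S-1-18-1 passes through; once it is added to the incoming blacklist, as in step 2 of the thread, the same PAC produces the "will be excluded" message for it.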