[Freeipa-devel] [PATCH] 0118 add support for subdomains

Sumit Bose sbose at redhat.com
Mon Sep 30 08:33:28 UTC 2013


On Sat, Sep 28, 2013 at 11:01:34PM +0300, Alexander Bokovoy wrote:
> On Fri, 27 Sep 2013, Sumit Bose wrote:
> >On Fri, Sep 27, 2013 at 03:53:08PM +0300, Alexander Bokovoy wrote:
> >>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
> >>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
> >>>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
> >>>>>On Mon, 23 Sep 2013, Martin Kosek wrote:
> >>>>>>>>However, we don't have trust type available so it needs to be discovered
> >>>>>>>>every time. This doesn't play well with the framework, it is simply not
> >>>>>>>>expecting dynamic containers.
> >>>>>>>
> >>>>>>>This doesn't sound like a big obstacle to me. Right now the trust_type lookup
> >>>>>>>is done in trust_show.execute() for some reason, which is not the best place to
> >>>>>>>do it IMHO. Doing it in trust.get_dn() instead should simplify things enough to
> >>>>>>>make parent_object work.
> >>>>>>
> >>>>>>Yup, get_dn() is the method where object DN lookup should be done. See for
> >>>>>>example host.py plugin get_dn method, we also do a dynamic lookup for correct
> >>>>>>host name.
> >>>>>I'll see if that would work.
> >>>>>
> >>>>>>the best way to implement dynamic DN gathering is the get_dn() method. That
> >>>>>>way, it could be implemented in one place and all commands could take advantage
> >>>>>>of it instead of re-implementing it several times in pre_callback - this is
> >>>>>>just hackish.
> >>>>>I'd suggest you look into the code. The commands use pre_callback for a
> >>>>>different purpose than implementing dynamic DN gathering.
> >>>>>
> >>>>>>I think it would have been very useful to have a design page before sending a
> >>>>>>patch. It is then easier to make design decisions without having to dig into
> >>>>>>the patch.
> >>>>>The design page has been there for a long time:
> >>>>>http://www.freeipa.org/page/V3/Transitive_Trusts
> >>>>Ok, here is a new version of the patch and an updated version of my 0117
> >>>>patch, as Sumit noticed I had sent the wrong version.
> >>>Ok, here is updated 0118 which fixes API.txt change for trustdomain_add
> >>>-- I renamed trustdomain_create to trustdomain_add but forgot to rerun
> >>>makeapi.
> >>New edition attached for all subdomain-related patches:
> >
> >I did some tests and all is working as expected.
> >
> >>
> >>freeipa-abbra-0117-ipaserver-dcerpc.py-populate-forest-trust-informatio-3.patch
> >>  Use realmdomains to report name suffix routes at the time we establish trust
> >>
> >>freeipa-abbra-0118-trusts-support-subdomains-in-a-forest-3.patch
> >>  Introduce trustdomain-* commands to fetch list of domains associated
> >>  with a forest trust and allow filtering them off
> >
> >We talked on irc that ipaNTSupportedEncryptionTypes in the filter
> >for the trusted domains should be replaced by a different attribute.
> >Because of an error in ipasam, ipaNTSupportedEncryptionTypes is only
> >set in recent versions and might not be present in the directory trees of
> >older versions.
> Fixed in the attached patch 0118 version 4.
> 
> Also attached is a first attempt to implement transiting through trusted
> domains, as patch 0123. In this patch we grant transition only if all
> three realms (client, transited realm, and server realm) match any of
> our trusted domains and our domain. This is probably a bit wider but it
> worked for me bidirectionally, from a child domain to a service in IPA,
> and from IPA realm to a service in a child domain of a forest trust.
> 
> -- 
> / Alexander Bokovoy


...
> +
> +	return (has_client_realm && has_transited_contents && has_server_realm) == false;

I would prefer real krb5 error codes here. 0 and
KRB5KRB_AP_ERR_ILL_CR_TKT are used in the core code which evaluates
[capaths].

bye,
Sumit

> +}
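Review bot: the `== false` comparison on the conjunction turns the result into a boolean (1 when the transit path is rejected, 0 when it is accepted), which is easy to misread and does not match the krb5_error_code convention Sumit mentions for the [capaths] evaluation; consider `return (has_client_realm && has_transited_contents && has_server_realm) ? 0 : KRB5KRB_AP_ERR_ILL_CR_TKT;` so the accept case is 0 and the reject case carries the same code the core transit check uses.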
> -- 
> 1.8.3.1
> 
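The transit rule Alexander describes (client realm, every transited realm and server realm must all be our realm or one of the trusted domains), combined with Sumit's request for real krb5 return codes, written out as an added illustration that is not code from patch 0123 or from FreeIPA; the realm list is constructed sample data standing in for what ipadb would read from LDAP, and the transited field is assumed to be already expanded into a plain comma-separated list rather than the compressed on-wire encoding.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Value from krb5's error table, defined here only so the example
 * builds without krb5.h. */
#ifndef KRB5KRB_AP_ERR_ILL_CR_TKT
#define KRB5KRB_AP_ERR_ILL_CR_TKT (-1765328343L)
#endif

/* Constructed stand-in for our own realm plus the trusted domains that
 * the real plugin would look up in the directory. */
static const char *known_realms[] = {
    "IPA.EXAMPLE",       /* our realm */
    "AD.EXAMPLE",        /* forest root of the trust */
    "CHILD.AD.EXAMPLE",  /* subdomain of that forest */
};

/* Realm names are case-insensitive; compare a length-delimited name. */
static bool realm_known(const char *realm, size_t len)
{
    for (size_t i = 0; i < sizeof(known_realms) / sizeof(known_realms[0]); i++)
        if (strlen(known_realms[i]) == len &&
            strncasecmp(known_realms[i], realm, len) == 0)
            return true;
    return false;
}

/* Every entry of a comma-separated realm list must be known. An empty
 * list is a direct cross-realm hop with no intermediate realm. */
static bool all_realms_known(const char *list)
{
    while (list != NULL && *list != '\0') {
        const char *end = strchr(list, ',');
        size_t len = end ? (size_t)(end - list) : strlen(list);
        if (len == 0 || !realm_known(list, len))
            return false;
        list += len + (end ? 1 : 0);
    }
    return true;
}

/* 0 permits the transit path; KRB5KRB_AP_ERR_ILL_CR_TKT rejects it,
 * matching what the core [capaths] evaluation returns. */
long check_transited(const char *client_realm, const char *transited,
                     const char *server_realm)
{
    bool ok = realm_known(client_realm, strlen(client_realm)) &&
              all_realms_known(transited) &&
              realm_known(server_realm, strlen(server_realm));
    return ok ? 0 : KRB5KRB_AP_ERR_ILL_CR_TKT;
}
```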
