[Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script

Tomas Babej tbabej at redhat.com
Mon Aug 17 08:29:23 UTC 2015



On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>
>>
>> On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> see commit message for details.
>>>
>>>
>>>
>>
>> Hi,
>>
>> code-wise this looks good to me. Unfortunately, I have not been able to
>> verify in my setup that it fixes the issue in the linked BZ:
>>
>> $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
>> ipa-ad-trust --admin Administrator --password
>> ------------------------------------------------
>> Added Active Directory trust for realm "ad.test"
>> ------------------------------------------------
>>  Realm name: ad.test
>>  Domain NetBIOS name: AD
>>  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>>                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>> S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>>                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>>                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>> S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>>                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>  Trust direction: Trusting forest
>>  Trust type: Active Directory domain
>>  Trust status: Established and verified
>>
>> $ idrange-find
>>
>> ----------------
>> 2 ranges matched
>> ----------------
>>  Range name: AD.TEST_id_range
>>  First Posix ID of the range: 191200000
>>  Number of IDs in the range: 200000
>>  First RID of the corresponding RID range: 0
>>  Domain SID of the trusted domain:
>> S-1-5-21-1469936554-2294197481-461507924
>>  Range type: Active Directory domain range
>>
>>  Range name: IPA.TEST_id_range
>>  First Posix ID of the range: 695200000
>>  Number of IDs in the range: 200000
>>  First RID of the corresponding RID range: 1000
>>  First RID of the secondary RID range: 100000000
>>  Range type: local domain range
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> However, I have one child subdomain in the setup:
>>
>> $ ipa trustdomain-find
>> Realm name: ad.test
>>  Domain name: ad.test
>>  Domain NetBIOS name: AD
>>  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>  Domain enabled: True
>>
>>  Domain name: sub.ad.test
>>  Domain NetBIOS name: SUB
>>  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
>>  Domain enabled: True
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
> Look for AVCs, if there are any.
> 
> Also start abrtd and it should pick up any python exceptions in the
> helper as 'crashes'.
> 

Right. Insufficient LDAP permissions caused the following backtrace in
the oddjob helper:

ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.

Traceback (most recent call last):
  File "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", line 216, in <module>
    trusted_domain, name, **dom)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 347, in add_range
    ipanttrusteddomainsid=dom_sid)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1234, in execute
    self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1145, in wrapped
    return func(*call_args, **call_kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1442, in add_entry
    self.conn.add_s(str(entry.dn), attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 948, in error_handler
    raise errors.ACIError(info=info)
ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.

Local variables in innermost frame:
info: "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'."
arg_desc: None
self: ipaserver.plugins.ldap2.ldap2()
e: INSUFFICIENT_ACCESS({'info': "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n", 'desc': 'Insufficient access'},)
desc: 'Insufficient access'
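The failure above is silent from the CLI's point of view: `ipa trust-add` reports success, but the child domain sub.ad.test ends up with no ID range because the oddjob helper was denied the LDAP add. A practitioner wants a check that catches that state from the command output alone, plus a way to pull the denied operation and DN out of the ACIError text. The following is an added example written for this page, not FreeIPA code; it parses the text format of `ipa trustdomain-find` and `ipa idrange-find` as shown in the thread (the sample outputs below are constructed to mirror that format, including the mail-wrapped "Domain SID" value) and reports every enabled trusted domain whose SID is not covered by an Active Directory range. Feed it the captured stdout of the two commands on a real server to run the same check there.

```python
"""Detect trusted domains that have no ID range (added example, not FreeIPA code).

Parses the text output of ``ipa trustdomain-find`` and ``ipa idrange-find``
and lists trusted domains whose SID has no Active Directory range, which is
what an ACIError in the trust-fetch-domains oddjob helper leaves behind.
"""
import re

# Constructed sample output, modelled on the thread's trustdomain-find output.
TRUSTDOMAIN_FIND = """\
Realm name: ad.test
  Domain name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain NetBIOS name: SUB
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed sample output, modelled on the thread's idrange-find output;
# the "Domain SID" value is deliberately wrapped onto the next line.
IDRANGE_FIND = """\
----------------
2 ranges matched
----------------
  Range name: AD.TEST_id_range
  First Posix ID of the range: 191200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain:
S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  First Posix ID of the range: 695200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Domain SIDs always have the S-1-5-21-<a>-<b>-<c> shape; well-known SIDs do not.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")

# Shape of the 389-ds access denial text carried in the ACIError.
ACI_RE = re.compile(
    r"Insufficient '(?P<op>\w+)' privilege to (?:\w+ )+the entry\s+'(?P<dn>[^']+)'")


def parse_ipa_records(text):
    """Split ``ipa *-find`` output into a list of {key: value} dicts.

    Records end at a blank line or a line of dashes. "key: value" lines set
    a key; a line with no key (a wrapped long value, as in the thread) is
    appended to the previous key's value. Summary lines such as
    "Number of entries returned 2" have no key and are skipped.
    """
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if ": " in line or line.endswith(":"):
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
        elif last_key is not None:
            current[last_key] = (current[last_key] + " " + line).strip()
    if current:
        records.append(current)
    return records


def trusted_domains(trustdomain_out):
    """Return {sid: domain name} for every enabled trusted domain."""
    out = {}
    for rec in parse_ipa_records(trustdomain_out):
        sid = rec.get("Domain Security Identifier", "")
        if DOMAIN_SID_RE.match(sid) and rec.get("Domain enabled") == "True":
            out[sid] = rec["Domain name"]
    return out


def trust_range_sids(idrange_out):
    """Return the set of domain SIDs covered by an Active Directory range."""
    return {
        rec["Domain SID of the trusted domain"]
        for rec in parse_ipa_records(idrange_out)
        if rec.get("Range type", "").startswith("Active Directory")
        and "Domain SID of the trusted domain" in rec
    }


def domains_without_range(trustdomain_out, idrange_out):
    """Trusted domains lacking an ID range, as sorted (name, sid) pairs."""
    covered = trust_range_sids(idrange_out)
    return sorted((name, sid)
                  for sid, name in trusted_domains(trustdomain_out).items()
                  if sid not in covered)


def parse_aci_error(message):
    """Extract (operation, DN) from an ACIError text, or None if it does not match."""
    m = ACI_RE.search(message)
    return (m.group("op"), m.group("dn")) if m else None


if __name__ == "__main__":
    for name, sid in domains_without_range(TRUSTDOMAIN_FIND, IDRANGE_FIND):
        print("no ID range for trusted domain %s (%s)" % (name, sid))
```

Run against the sample data this reports sub.ad.test as the domain without a range, matching the DN `cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test` that the helper was refused permission to add; `parse_aci_error` recovers that DN and the denied operation from the logged message so the two can be correlated in a script.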
