[Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 18 09:56:53 UTC 2015


On Tue, 18 Aug 2015, Alexander Bokovoy wrote:
>On Mon, 17 Aug 2015, Tomas Babej wrote:
>>
>>
>>On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
>>>On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>>
>>>>
>>>>On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
>>>>>Hi,
>>>>>
>>>>>see commit message for details.
>>>>>
>>>>>
>>>>>
>>>>
>>>>Hi,
>>>>
>>>>code-wise this looks good to me. Unfortunately, I have not been able to
>>>>verify in my setup that it fixes the issue in the linked BZ:
>>>>
>>>>$ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password
>>>>------------------------------------------------
>>>>Added Active Directory trust for realm "ad.test"
>>>>------------------------------------------------
>>>> Realm name: ad.test
>>>> Domain NetBIOS name: AD
>>>> Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>> SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>> SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>> Trust direction: Trusting forest
>>>> Trust type: Active Directory domain
>>>> Trust status: Established and verified
>>>>
>>>>$ idrange-find
>>>>
>>>>----------------
>>>>2 ranges matched
>>>>----------------
>>>> Range name: AD.TEST_id_range
>>>> First Posix ID of the range: 191200000
>>>> Number of IDs in the range: 200000
>>>> First RID of the corresponding RID range: 0
>>>> Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
>>>> Range type: Active Directory domain range
>>>>
>>>> Range name: IPA.TEST_id_range
>>>> First Posix ID of the range: 695200000
>>>> Number of IDs in the range: 200000
>>>> First RID of the corresponding RID range: 1000
>>>> First RID of the secondary RID range: 100000000
>>>> Range type: local domain range
>>>>----------------------------
>>>>Number of entries returned 2
>>>>----------------------------
>>>>
>>>>However, I have one child subdomain in the setup:
>>>>
>>>>$ ipa trustdomain-find
>>>>Realm name: ad.test
>>>> Domain name: ad.test
>>>> Domain NetBIOS name: AD
>>>> Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>> Domain enabled: True
>>>>
>>>> Domain name: sub.ad.test
>>>> Domain NetBIOS name: SUB
>>>> Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
>>>> Domain enabled: True
>>>>----------------------------
>>>>Number of entries returned 2
>>>>----------------------------
>>>Look for AVCs, if there are any.
>>>
>>>Also start abrtd and it should pick up any python exceptions in the
>>>helper as 'crashes'.
>>>
>>
>>Right. Insufficient LDAP permissions caused the following backtrace in
>>the oddjob helper:
>>
>>ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>
>>Traceback (most recent call last):
>>  File "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", line 216, in <module>
>>    trusted_domain, name, **dom)
>>  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 347, in add_range
>>    ipanttrusteddomainsid=dom_sid)
>>  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>    ret = self.run(*args, **options)
>>  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>    return self.execute(*args, **options)
>>  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1234, in execute
>>    self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
>>  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1145, in wrapped
>>    return func(*call_args, **call_kwargs)
>>  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1442, in add_entry
>>    self.conn.add_s(str(entry.dn), attrs.items())
>>  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>    self.gen.throw(type, value, traceback)
>>  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 948, in error_handler
>>    raise errors.ACIError(info=info)
>>ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>
>>Local variables in innermost frame:
>>info: "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'."
>>arg_desc: None
>>self: ipaserver.plugins.ldap2.ldap2()
>>e: INSUFFICIENT_ACCESS({'info': "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n", 'desc': 'Insufficient access'},)
>>desc: 'Insufficient access'
>Updated patch attached.
>
>You can install freeipa from my COPR abbra/freeipa-oneway (you need
>mkosek/freeipa-master COPR for dependencies) to test.
.. and use abbra/sssd-kkdcproxy for sssd git master -- you'll need it to
allow SSSD to properly handle keytabs chowned to sssd:sssd by the
helper.

With abbra/freeipa-oneway, abbra/sssd-kkdcproxy, mkosek/freeipa-master
COPR repos I get child AD domains working correctly with one-way trust.


-- 
/ Alexander Bokovoy
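As an added example (not code from this thread or from FreeIPA), the check Tomas did by eye above, made mechanical: compare the domain SIDs listed by `ipa trustdomain-find` against the ranges listed by `ipa idrange-find` and report every trusted domain that has no ID range yet, which is the symptom the helper's ACIError left behind for sub.ad.test. The two sample outputs are constructed from the listings quoted in the thread, abbreviated to the fields the check needs.

```python
# Added diagnostic (not FreeIPA code): report trusted domains that have no ID range.
# Sample outputs are constructed from the thread's `ipa trustdomain-find` and
# `ipa idrange-find` listings, abbreviated to the fields that matter here.
TRUSTDOMAIN_FIND = """\
Realm name: ad.test
  Domain name: ad.test
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True
"""

IDRANGE_FIND = """\
  Range name: AD.TEST_id_range
  First Posix ID of the range: 191200000
  Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  First Posix ID of the range: 695200000
  Range type: local domain range
"""

def parse_entries(text):
    """Split the CLI's 'Key: value' blocks (separated by blank lines) into dicts."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last block
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, value = line.strip().partition(":")
        cur[key.strip()] = value.strip()
    return entries

def domains_without_range(trustdomain_out, idrange_out):
    """Return (domain name, SID) for every trusted domain lacking an ID range."""
    ranged = {e["Domain SID of the trusted domain"]
              for e in parse_entries(idrange_out)
              if "Domain SID of the trusted domain" in e}
    return [(d["Domain name"], d["Domain Security Identifier"])
            for d in parse_entries(trustdomain_out)
            if d["Domain Security Identifier"] not in ranged]

if __name__ == "__main__":
    for name, sid in domains_without_range(TRUSTDOMAIN_FIND, IDRANGE_FIND):
        print("no ID range for trusted domain %s (%s)" % (name, sid))
```

On a live server the two inputs would come from the actual command output; a non-empty result after `ipa trust-add` is the cue to look for AVCs or an abrtd-captured exception from the oddjob helper, as suggested above.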



