[Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script

Martin Basti mbasti at redhat.com
Tue Aug 18 16:49:12 UTC 2015



On 08/18/2015 06:00 PM, Tomas Babej wrote:
>
> On 08/18/2015 11:56 AM, Alexander Bokovoy wrote:
>> On Tue, 18 Aug 2015, Alexander Bokovoy wrote:
>>> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>>
>>>> On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
>>>>> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>>>>
>>>>>> On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> see commit message for details.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> code-wise this looks good to me. Unfortunately, I have not been
>>>>>> able to
>>>>>> verify in my setup that it fixes the issue in the linked BZ:
>>>>>>
>>>>>> $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
>>>>>> ipa-ad-trust --admin Administrator --password
>>>>>> ------------------------------------------------
>>>>>> Added Active Directory trust for realm "ad.test"
>>>>>> ------------------------------------------------
>>>>>> Realm name: ad.test
>>>>>> Domain NetBIOS name: AD
>>>>>> Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>>>> SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>>>>>> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>>>>>>                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>>>>>> S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>>>>>>                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>>>> SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>>>>>> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>>>>>>                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>>>>>> S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>>>>>>                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>>>> Trust direction: Trusting forest
>>>>>> Trust type: Active Directory domain
>>>>>> Trust status: Established and verified
>>>>>>
>>>>>> $ idrange-find
>>>>>>
>>>>>> ----------------
>>>>>> 2 ranges matched
>>>>>> ----------------
>>>>>> Range name: AD.TEST_id_range
>>>>>> First Posix ID of the range: 191200000
>>>>>> Number of IDs in the range: 200000
>>>>>> First RID of the corresponding RID range: 0
>>>>>> Domain SID of the trusted domain:
>>>>>> S-1-5-21-1469936554-2294197481-461507924
>>>>>> Range type: Active Directory domain range
>>>>>>
>>>>>> Range name: IPA.TEST_id_range
>>>>>> First Posix ID of the range: 695200000
>>>>>> Number of IDs in the range: 200000
>>>>>> First RID of the corresponding RID range: 1000
>>>>>> First RID of the secondary RID range: 100000000
>>>>>> Range type: local domain range
>>>>>> ----------------------------
>>>>>> Number of entries returned 2
>>>>>> ----------------------------
>>>>>>
>>>>>> However, I have one child subdomain in the setup:
>>>>>>
>>>>>> $ ipa trustdomain-find
>>>>>> Realm name: ad.test
>>>>>> Domain name: ad.test
>>>>>> Domain NetBIOS name: AD
>>>>>> Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>>>> Domain enabled: True
>>>>>>
>>>>>> Domain name: sub.ad.test
>>>>>> Domain NetBIOS name: SUB
>>>>>> Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
>>>>>> Domain enabled: True
>>>>>> ----------------------------
>>>>>> Number of entries returned 2
>>>>>> ----------------------------
>>>>> Look for AVCs, if there are any.
>>>>>
>>>>> Also start abrtd and it should pick up any python exceptions in the
>>>>> helper as 'crashes'.
>>>>>
>>>> Right. Insufficient LDAP permissions caused the following backtrace in
>>>> the oddjob helper:
>>>>
>>>> ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient
>>>> 'add' privilege to add the entry
>>>> 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>>>
>>>> Traceback (most recent call last):
>>>> File "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", line 216,
>>>> in <module>
>>>>    trusted_domain, name, **dom)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line
>>>> 347, in add_range
>>>>    ipanttrusteddomainsid=dom_sid)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443,
>>>> in __call__
>>>>    ret = self.run(*args, **options)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760,
>>>> in run
>>>>    return self.execute(*args, **options)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
>>>> line 1234, in execute
>>>>    self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
>>>> line 1145, in wrapped
>>>>    return func(*call_args, **call_kwargs)
>>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>> 1442, in add_entry
>>>>    self.conn.add_s(str(entry.dn), attrs.items())
>>>> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>    self.gen.throw(type, value, traceback)
>>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>> 948, in error_handler
>>>>    raise errors.ACIError(info=info)
>>>> ACIError: Insufficient access: Insufficient 'add' privilege to add the
>>>> entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>>>
>>>> Local variables in innermost frame:
>>>> info: "Insufficient 'add' privilege to add the entry
>>>> 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'."
>>>> arg_desc: None
>>>> self: ipaserver.plugins.ldap2.ldap2()
>>>> e: INSUFFICIENT_ACCESS({'info': "Insufficient 'add' privilege to add the
>>>> entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n",
>>>> 'desc': 'Insufficient access'},)
>>>> desc: 'Insufficient access'
>>> Updated patch attached.
>>>
>>> You can install freeipa from my COPR abbra/freeipa-oneway (you need
>>> mkosek/freeipa-master COPR for dependencies) to test.
>> .. and use abbra/sssd-kkdcproxy for sssd git master -- you'll need it to
>> allow SSSD to properly handle keytabs chowned to sssd:sssd by the
>> helper.
>>
>> With abbra/freeipa-oneway, abbra/sssd-kkdcproxy, mkosek/freeipa-master
>> COPR repos I get child AD domains working correctly with one-way trust.
>>
>>
> This works as expected, ID range for subdomain is added.
>
> $ ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin
> Administrator --password
> ------------------------------------------------
> Added Active Directory trust for realm "ad.test"
> ------------------------------------------------
>    Realm name: ad.test
>    Domain NetBIOS name: AD
> ...
>    Trust direction: Trusting forest
>    Trust type: Active Directory domain
>    Trust status: Established and verified
>
> $ ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>    Range name: AD.TEST_id_range
> ...
>    Range type: Active Directory domain range
>
>    Range name: IPA.TEST_id_range
> ...
>    Range type: local domain range
>
>    Range name: SUB.AD.TEST_id_range
> ...
>    Range type: Active Directory domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
>
> ACK
>
>
> Tomas
>
Pushed to:
master: 3692a1c57f5d404a61a01623ef732234ccbbdffd
ipa-4-2: c30baa9bb9dfa5a5de7685e9203f3eae95dec22a
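The verification Tomas did by hand above (run `ipa trustdomain-find`, run `ipa idrange-find`, confirm every trusted domain, child domains included, has its `<DOMAIN>_id_range`) is easy to automate. The script below is an added example, not code from this thread or from FreeIPA: it parses the plain-text `ipa *-find` output in the format shown in the messages above and reports trusted domains with no Active Directory range, plus any range whose domain SID disagrees with the trust entry. The two sample outputs are constructed from the thread (the failing state with two ranges, and the fixed state with three); on a real server you would feed it the captured output of the two commands instead.

```python
"""Check that every trusted AD (sub)domain in IPA has a matching ID range.

Added example, not part of the original thread or of FreeIPA. Sample
outputs are constructed from the thread so the script runs offline.
"""
import re
from typing import Dict, List, Set

# Constructed sample: `ipa trustdomain-find` output (forest root + one child).
TRUSTDOMAIN_FIND = """\
  Realm name: ad.test
  Domain name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain NetBIOS name: SUB
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed sample: `ipa idrange-find` before the helper fix (no SUB range).
IDRANGE_FIND_BEFORE = """\
----------------
2 ranges matched
----------------
  Range name: AD.TEST_id_range
  First Posix ID of the range: 191200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  First Posix ID of the range: 695200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed sample: the same command after the fix, with the child range added.
SUB_RANGE_BLOCK = (
    "  Range name: SUB.AD.TEST_id_range\n"
    "  Domain SID of the trusted domain: S-1-5-21-10134726-2575992721-4229914074\n"
    "  Range type: Active Directory domain range\n"
)
IDRANGE_FIND_AFTER = IDRANGE_FIND_BEFORE.replace(
    "2 ranges matched", "3 ranges matched"
).replace("Number of entries returned 2", SUB_RANGE_BLOCK + "Number of entries returned 3")

# Summary/footer lines that are not attributes of an entry.
_NON_ENTRY = re.compile(r"(\d+ ranges matched|Number of entries returned)")


def parse_entries(output: str) -> List[Dict[str, str]]:
    """Split `ipa *-find` text output into one {attribute: value} dict per entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or _NON_ENTRY.match(line):
            if current:  # blank line or separator closes the entry
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def trusted_domain_sids(trustdomain_output: str) -> Dict[str, str]:
    """DOMAIN (upper-cased) -> domain SID, for every trusted domain entry."""
    return {e["Domain name"].upper(): e.get("Domain Security Identifier", "")
            for e in parse_entries(trustdomain_output) if "Domain name" in e}


def trusted_domains(trustdomain_output: str) -> Set[str]:
    return set(trusted_domain_sids(trustdomain_output))


def domains_with_range(idrange_output: str) -> Dict[str, str]:
    """DOMAIN -> SID for AD-type ranges following the <DOMAIN>_id_range naming."""
    result: Dict[str, str] = {}
    for e in parse_entries(idrange_output):
        name = e.get("Range name", "")
        if e.get("Range type") == "Active Directory domain range" and name.endswith("_id_range"):
            result[name[: -len("_id_range")]] = e.get("Domain SID of the trusted domain", "")
    return result


def missing_ranges(trustdomain_output: str, idrange_output: str) -> List[str]:
    """Trusted domains that have no AD ID range (what the unfixed helper left behind)."""
    have = domains_with_range(idrange_output)
    return sorted(d for d in trusted_domains(trustdomain_output) if d not in have)


def sid_mismatches(trustdomain_output: str, idrange_output: str) -> List[str]:
    """Domains whose range SID differs from the SID in the trust entry."""
    sids = trusted_domain_sids(trustdomain_output)
    have = domains_with_range(idrange_output)
    return sorted(d for d, sid in have.items() if d in sids and sids[d] != sid)


if __name__ == "__main__":
    for label, out in (("before fix", IDRANGE_FIND_BEFORE), ("after fix", IDRANGE_FIND_AFTER)):
        missing = missing_ranges(TRUSTDOMAIN_FIND, out)
        print(f"{label}: domains without an ID range: {missing or 'none'}")
        if missing:
            print("  hint: look for AVCs and for an ACIError crash of the "
                  "trust-fetch-domains oddjob helper in abrt")
```

Running it prints `SUB.AD.TEST` as missing for the first sample and nothing for the second, which is exactly the difference between the two `idrange-find` transcripts in the thread. A missing child range after `trust-add` points at the oddjob helper rather than at `trust-add` itself, so the next step is the one Alexander suggests: check for AVCs and let abrtd catch the helper's Python exception.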