[Freeipa-devel] [PATCH] 0073 Add trust verification code

Petr Vobornik pvoborni at redhat.com
Tue Sep 18 15:54:08 UTC 2012


On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
> On Tue, 18 Sep 2012, Petr Vobornik wrote:
>> On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
>>> On Tue, 18 Sep 2012, Petr Vobornik wrote:
>>>> On 09/18/2012 02:15 PM, Sumit Bose wrote:
>>>>> On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
>>>>>> On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> The following patch adds a trust verification sequence to the case when we
>>>>>>> establish a trust with knowledge of AD administrative credentials.
>>>>>>>
>>>>>>> As we found out, in order to validate/verify a trust, one has to have
>>>>>>> administrative credentials for the trusted domain, since there are
>>>>>>> a few RPCs that should be performed against the trusted domain DC's LSA
>>>>>>> and NetLogon pipes, and these are protected by administrative
>>>>>>> credentials.
>>>>>>>
>>>>>>> Thus, when we know admin credentials for the remote domain, we can
>>>>>>> perform the trust validation.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2763
>>>>>>>
>>>>>>
>>>>>> Just a short feedback. The patch is working as expected, for a newly
>>>>>> created trust Windows will send a TGS request to the IPA KDC without
>>>>>> explicit validation on the windows side. Currently I have some issues
>>>>>> in my test setup so that I can not give a full ACK atm.
>>>>>>
>>>>>
>>>>> ok, ACK.
>>>>>
>>>>> Nevertheless it would be nice if Petr can check for any
>>>>> implications to
>>>>> the web UI with respect to the status of the trust.
>>>>
>>>> It shouldn't break the Web UI, but the Web UI won't use it. In the add
>>>> command the Web UI uses only the command state (success/error). If the
>>>> truststatus text were part of the command summary text, it could be
>>>> displayed in the notification message (which fades after 3s) once
>>>> comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8
>>>> is implemented.
>>> It is displayed as part of the output, truststatus property:
>>> # ipa trust-add --type=ad --admin Administrator at ad.local --password
>>> ad.local
>>> Active directory domain adminstrator's password:
>>> -------------------------------------------------
>>> Added Active Directory trust for realm "ad.local"
>>> -------------------------------------------------
>>>   Realm name: ad.local
>>>   Domain NetBIOS name: AD
>>>   Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
>>>   Trust direction: Two-way trust
>>>   Trust type: Active Directory domain
>>>   Trust status: Established and verified
>>>
>>> Would be good if you could take it in use.
>>
>> I created a patch which uses it. See the attached screenshots. It may be
>> useful, but, as I wrote, the message is displayed only for 3s, so some
>> users might not have time to read it in full - the message is too long.
> Well, as we don't have other means to show this information right now,
> that's good too. Maybe the notification message timer could be made
> tunable per instance? Then we could have, say, a 5 second timeout here
> and keep 3 seconds as the default...
>

I tuned it. Updated patch attached.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0215-1-Show-trust-status-in-add-success-notification.patch
Type: text/x-patch
Size: 4687 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120918/f4210f01/attachment.bin>
