[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Martin Kosek mkosek at redhat.com
Wed Apr 23 12:46:10 UTC 2014


On 04/22/2014 01:38 PM, Petr Viktorin wrote:
> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>>> In general I am not sure all authenticated users need access to all
>>>>>>>>>>>> this info. Alexander ?
>>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>>
>>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>>> SSSD subdomains support needs:
>>>>>>>>>    - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>>>      - ipaNTFlatName
>>>>>>>>>      - ipaNTSecurityIdentifier
>>>>>>>>>      - ipaNTTrustedDomainSID
>>>>>>>>>      - cn
>>>>>>>>
>>>>>>>> Question is - is there any added value in hiding part of the
>>>>>>>> trust information from authenticated users? I.e. attributes like
>>>>>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>>>>>>>> attribute anyway?), SID blacklists...
>>>>>>> Yes. Some of those attributes are needed as internal detail of ipasam --
>>>>>>> part of how Samba stores this information taken from specific DCE RPC
>>>>>>> structures.
>>>>>>>
>>>>>>>> If yes, we would need to split this permission in 2 and have one for
>>>>>>>> authenticated users and one for "Trust Administrators" and "Trust Readers".
>>>>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>>>>    ipantsupportedencryptiontypes
>>>>>>>    ipanttrustattributes
>>>>>>>    ipanttrustauthincoming
>>>>>>>    ipanttrustauthoutgoing
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group
>>>>>> should then have this permission assigned so that samba can operate the attributes.
>>>>> 'adtrust agents' and 'trust administrators' should have read, modify,
>>>>> delete, and search on cn=trusts.
>>>>>
>>>>
>>>> Right. We will probably want to turn most of the ACIs in
>>>> install/updates/60-trusts.update into managed permissions (i.e. defined in
>>>> trust.py) and make "adtrust agents" and "trust admins" its members.
>>> I agree.
>>>
>>
>> +1
>>
>> Simo.
>>
> 
> All right. Now I'm replacing the global anonymous read ACI; converting the
> others will come later. The existing agents/admins ACIs grant the 'read' (or
> 'all') right already.
> ipaIDRange is covered in the range plugin, so what's left for this patch is the
> ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
> 
> Does that sound reasonable?

This is all that's needed from the SSSD side; I just verified it in sssd git. sssd
indeed only uses these attributes:

#define IPA_CN "cn"
#define IPA_FLATNAME "ipaNTFlatName"
#define IPA_SID "ipaNTSecurityIdentifier"
#define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"

So I am OK with the patch as is.

However, with this ACI, regular users will not be able to show trusts from the
command line even though they have access to the basic information:

# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------

IMO the trust commands should be able to return the information that the user is
allowed to see. I prepared a patch to make the read part of trust.py more
resilient to missing attributes. Attached.

With this patch enabled, I have this output as regular user:

# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
----------------------------
Number of entries returned 1
----------------------------
# ipa trust-show tbad.example.com
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726

# ipa trustdomain-find tbad.example.com
  Domain name: child.tbad.example.com
  Domain NetBIOS name: CHILD
  Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075

  Domain name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
----------------------------
Number of entries returned 2
----------------------------

The only bigger change I made was to filter trust root domains by
ipaNTSecurityIdentifier rather than ipaNTSIDBlacklistIncoming, which is not
available to everyone.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-469-make-trust-objects-available-to-regular-users.patch
Type: text/x-patch
Size: 4070 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140423/0d94fe34/attachment.bin>
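An added example, not Martin's attached patch or FreeIPA's own code: it models how a read ACI that exposes only the SSSD-needed attributes shapes what a regular user sees, and why a trust-find filter on ipaNTSecurityIdentifier keeps working while one on ipaNTSIDBlacklistIncoming returns nothing. The entry values, the ACI model and all function names are constructed for illustration.

```python
# Attributes the thread agrees authenticated users may read (what SSSD needs).
PUBLIC_ATTRS = {"cn", "ipaNTFlatName", "ipaNTSecurityIdentifier",
                "ipaNTTrustedDomainSID"}

# Constructed trust entry as the directory stores it (the privileged view).
TRUST_ENTRY = {
    "cn": "tbad.example.com",
    "ipaNTFlatName": "TBAD",
    "ipaNTSecurityIdentifier": "S-1-5-21-2997650941-1802118864-3094776726",
    "ipaNTTrustedDomainSID": "S-1-5-21-2997650941-1802118864-3094776726",
    "ipaNTSIDBlacklistIncoming": ["S-1-5-20", "S-1-5-19"],  # constructed
    "ipaNTTrustAttributes": "8",                              # constructed
}

def apply_read_aci(entry, is_privileged):
    """Return the entry as the bound user sees it after the read ACI.

    Privileged binds (trust admins, adtrust agents) see everything; an
    ordinary authenticated user sees only PUBLIC_ATTRS. Attributes the ACI
    hides are absent from the result, not empty, exactly as LDAP returns them.
    """
    if is_privileged:
        return dict(entry)
    return {k: v for k, v in entry.items() if k in PUBLIC_ATTRS}

def find_trusts(visible_entries, filter_attr):
    """Emulate an LDAP presence filter (filter_attr=*) on the caller's view."""
    return [e for e in visible_entries if filter_attr in e]

def show_trust(entry):
    """Render only the fields the entry actually carries, so a restricted
    view never raises KeyError on a hidden attribute."""
    labels = [("cn", "Realm name"),
              ("ipaNTFlatName", "Domain NetBIOS name"),
              ("ipaNTSecurityIdentifier", "Domain Security Identifier")]
    return {label: entry[attr] for attr, label in labels if attr in entry}

def compare_filters(is_privileged):
    """Count matches for the old and new root-domain filters in one view."""
    view = [apply_read_aci(TRUST_ENTRY, is_privileged)]
    return {
        "ipaNTSIDBlacklistIncoming": len(find_trusts(view, "ipaNTSIDBlacklistIncoming")),
        "ipaNTSecurityIdentifier": len(find_trusts(view, "ipaNTSecurityIdentifier")),
    }

if __name__ == "__main__":
    print("regular user:", compare_filters(False))   # old filter finds 0, new finds 1
    print("trust admin: ", compare_filters(True))    # both find 1
    print(show_trust(apply_read_aci(TRUST_ENTRY, False)))
```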