[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
Martin Kosek
mkosek at redhat.com
Wed Apr 23 12:46:10 UTC 2014
On 04/22/2014 01:38 PM, Petr Viktorin wrote:
> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>>> In general I am not sure all authenticated users need access to all
>>>>>>>>>>>> this
>>>>>>>>>>>> info. Alexander ?
>>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>>
>>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>>> SSSD subdomains support needs:
>>>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>>> - ipaNTFlatName
>>>>>>>>> - ipaNTSecurityIdentifier
>>>>>>>>> - ipaNTTrustedDomainSID
>>>>>>>>> - cn
>>>>>>>>
>>>>>>>> Question is - is there any added value in hiding part of the
>>>>>>>> trust information from authenticated users? I.e. attributes like
>>>>>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>>>>>>>> attribute anyway?), SID blacklists...
>>>>>>> Yes. Some of those attributes are needed as internal detail of ipasam --
>>>>>>> part of how Samba stores this information taken from specific DCE RPC
>>>>>>> structures.
>>>>>>>
>>>>>>>> If yes, we would need to split this permission in 2 and have one for
>>>>>>>> authenticated users and one for "Trust Adminitrators" and "Trust Readers".
>>>>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>>>> ipantsupportedencryptiontypes
>>>>>>> ipanttrustattributes
>>>>>>> ipanttrustauthincoming
>>>>>>> ipanttrustauthoutgoing
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group
>>>>>> should
>>>>>> then have this permission assigned so that samba can operate the attributes.
>>>>> 'adtrust agents' and 'trust administrators' should have read, modify,
>>>>> delete, and search on cn=trusts.
>>>>>
>>>>
>>>> Right. We will probably want to turn most of ACIs in
>>>> install/updates/60-trusts.update in managed permissions (i.e. defined in
>>>> trust.py) and make "adtrust agents" and "trust admins" it's members.
>>> I agree.
>>>
>>
>> +1
>>
>> Simo.
>>
>
> All right. Now I'm replacing the global anonymous read ACI; converting the
> others will come later. The existing agents/admins ACIs grant the 'read' (or
> 'all') right already.
> ipaIDRange is covered in the range plugin, so what's left for this patch is the
> ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>
> Does that sound reasonable?
This is all that's needed from SSSD side, I just verified in sssd git. sssd
indeed only uses these attributes:
#define IPA_CN "cn"
#define IPA_FLATNAME "ipaNTFlatName"
#define IPA_SID "ipaNTSecurityIdentifier"
#define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
So I am OK with the patch as is.
However, with this ACI, regular users will not be able to show Trusts with
command line even though they have access to the basic information:
# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------
IMO trust command should be able to return the information that the user is
allowed to see. I prepared a patch to make the read part of trust.py more
resilient to missing attributes. Attached.
With this patch enabled, I have this output as regular user:
# ipa trust-find
---------------
1 trust matched
---------------
Realm name: tbad.example.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
----------------------------
Number of entries returned 1
----------------------------
# ipa trust-show tbad.example.com
Realm name: tbad.example.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
# ipa trustdomain-find tbad.example.com
Domain name: child.tbad.example.com
Domain NetBIOS name: CHILD
Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
Domain name: tbad.example.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
----------------------------
Number of entries returned 2
----------------------------
The only bigger change I did was to filter trust root domains by
ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not
available to everyone.
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-469-make-trust-objects-available-to-regular-users.patch
Type: text/x-patch
Size: 4070 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140423/0d94fe34/attachment.bin>
More information about the Freeipa-devel
mailing list