[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
Martin Kosek
mkosek at redhat.com
Mon Apr 28 09:04:57 UTC 2014
On 04/28/2014 10:02 AM, Alexander Bokovoy wrote:
> On Fri, 25 Apr 2014, Petr Viktorin wrote:
>> On 04/23/2014 02:46 PM, Martin Kosek wrote:
>>> On 04/22/2014 01:38 PM, Petr Viktorin wrote:
>>>> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>>>>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>>>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>>>>>> In general I am not sure all authenticated users need access to all
>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>> info. Alexander ?
>>>>>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>>>>>> SSSD subdomains support needs:
>>>>>>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>>>>>> - ipaNTFlatName
>>>>>>>>>>>> - ipaNTSecurityIdentifier
>>>>>>>>>>>> - ipaNTTrustedDomainSID
>>>>>>>>>>>> - cn
>>>>>>>>>>>
>>>>>>>>>>> Question is - is there any added value in hiding part of the
>>>>>>>>>>> trust information from authenticated users? I.e. attributes like
>>>>>>>>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>>>>>>>>>>> attribute anyway?), SID blacklists...
>>>>>>>>>> Yes. Some of those attributes are needed as internal detail of ipasam --
>>>>>>>>>> part of how Samba stores this information taken from specific DCE RPC
>>>>>>>>>> structures.
>>>>>>>>>>
>>>>>>>>>>> If yes, we would need to split this permission in 2 and have one for
>>>>>>>>>>> authenticated users and one for "Trust Adminitrators" and "Trust
>>>>>>>>>>> Readers".
>>>>>>>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>>>>>>> ipantsupportedencryptiontypes
>>>>>>>>>> ipanttrustattributes
>>>>>>>>>> ipanttrustauthincoming
>>>>>>>>>> ipanttrustauthoutgoing
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group
>>>>>>>>> should
>>>>>>>>> then have this permission assigned so that samba can operate the
>>>>>>>>> attributes.
>>>>>>>> 'adtrust agents' and 'trust administrators' should have read, modify,
>>>>>>>> delete, and search on cn=trusts.
>>>>>>>>
>>>>>>>
>>>>>>> Right. We will probably want to turn most of ACIs in
>>>>>>> install/updates/60-trusts.update in managed permissions (i.e. defined in
>>>>>>> trust.py) and make "adtrust agents" and "trust admins" it's members.
>>>>>> I agree.
>>>>>>
>>>>>
>>>>> +1
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> All right. Now I'm replacing the global anonymous read ACI; converting the
>>>> others will come later. The existing agents/admins ACIs grant the 'read' (or
>>>> 'all') right already.
>>>> ipaIDRange is covered in the range plugin, so what's left for this patch is
>>>> the
>>>> ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>>>>
>>>> Does that sound reasonable?
>>>
>>> This is all that's needed from SSSD side, I just verified in sssd git. sssd
>>> indeed only uses these attributes:
>>>
>>> #define IPA_CN "cn"
>>> #define IPA_FLATNAME "ipaNTFlatName"
>>> #define IPA_SID "ipaNTSecurityIdentifier"
>>> #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
>>>
>>> So I am OK with the patch as is.
>>>
>>> However, with this ACI, regular users will not be able to show Trusts with
>>> command line even though they have access to the basic information:
>>>
>>> # ipa trust-find
>>> ----------------
>>> 0 trusts matched
>>> ----------------
>>> ----------------------------
>>> Number of entries returned 0
>>> ----------------------------
>>>
>>> IMO trust command should be able to return the information that the user is
>>> allowed to see. I prepared a patch to make the read part of trust.py more
>>> resilient to missing attributes. Attached.
>>>
>>> With this patch enabled, I have this output as regular user:
>>>
>>> # ipa trust-find
>>> ---------------
>>> 1 trust matched
>>> ---------------
>>> Realm name: tbad.example.com
>>> Domain NetBIOS name: TBAD
>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>> # ipa trust-show tbad.example.com
>>> Realm name: tbad.example.com
>>> Domain NetBIOS name: TBAD
>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>
>>> # ipa trustdomain-find tbad.example.com
>>> Domain name: child.tbad.example.com
>>> Domain NetBIOS name: CHILD
>>> Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>>>
>>> Domain name: tbad.example.com
>>> Domain NetBIOS name: TBAD
>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>> The only bigger change I did was to filter trust root domains by
>>> ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not
>>> available to everyone.
>>>
>>> Martin
>>>
>>
>> The patch looks good to me, but I think Alexander is better qualified to
>> review it.
> ACK.
>
Thanks Alexander. I assume you are also ok with Petr's 529.2 I used as a base.
(there is also a pending patch 530 also touching this trust plugin area.
Martin
More information about the Freeipa-devel
mailing list