[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Martin Kosek mkosek at redhat.com
Wed Apr 16 15:16:38 UTC 2014


On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Martin Kosek wrote:
>> On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>>> >> +                'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>>>>> >> +                'ipanttrustposixoffset',
>>>>> >> 'ipantsupportedencryptiontypes',
>>>>> >> +                'ipantsidblacklistincoming',
>>>>> >> 'ipantsidblacklistoutgoing',
>>>>> >> +                # ipaNTDomainAttrs:
>>>>> >> +                'ipantsecurityidentifier', 'ipantflatname',
>>>>> >> 'ipantdomainguid',
>>>>> >> +                'ipantfallbackprimarygroup',
>>>>> >> +            },
>>>>> >> +        },
>>>>> >> +    }
>>>>> >>
>>>>> >>      label = _('Trusts')
>>>>> >>      label_singular = _('Trust')
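Review bot: the attribute list in this hunk includes 'ipantsupportedencryptiontypes' and the two SID blacklist attributes, which the discussion below identifies as internal ipasam/Samba detail that authenticated users should not read; if this managed permission's bind rule covers all authenticated users, drop those attributes from this set and move them into a second managed permission granted only to "Trust Administrators"/"Trust Readers" (and the cn=adtrust agents,cn=sysaccounts system group), keeping ipaNTFlatName, ipaNTSecurityIdentifier, ipaNTTrustedDomainSID and cn in the broadly readable permission since SSSD subdomain support needs them.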
>>>>> >
>>>>> >In general I am not sure all authenticated users need access to all this
>>>>> >info. Alexander ?
>>>>> SSSD needs to read some of this information for subdomains support.
>>>>> That would be at least host/*@REALM who needs to access it.
>>>>
>>>> Can you please list exactly which ones are needed ?
>>> SSSD subdomains support needs:
>>>   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>     - ipaNTFlatName
>>>     - ipaNTSecurityIdentifier
>>>     - ipaNTTrustedDomainSID
>>>     - cn
>>
>> Question is - is there any added value in hiding part of the
>> trust information from authenticated users? I.e. attributes like
>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>> attribute anyway?), SID blacklists...
> Yes. Some of those attributes are needed as internal detail of ipasam --
> part of how Samba stores this information taken from specific DCE RPC
> structures.
> 
>> If yes, we would need to split this permission in 2 and have one for
>> authenticated users and one for "Trust Administrators" and "Trust Readers".
> Yes. Authenticated users shouldn't get any access to those details:
>   ipantsupportedencryptiontypes
>   ipanttrustattributes
>   ipanttrustauthincoming
>   ipanttrustauthoutgoing
> 
> 

Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should
then have this permission assigned so that samba can operate on the attributes.

Martin
