[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 16 15:22:55 UTC 2014


On Wed, 16 Apr 2014, Martin Kosek wrote:
>On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>> On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
>>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>>>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>>>> >> +                'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>>>>>> >> +                'ipanttrustposixoffset',
>>>>>> >> 'ipantsupportedencryptiontypes',
>>>>>> >> +                'ipantsidblacklistincoming',
>>>>>> >> 'ipantsidblacklistoutgoing',
>>>>>> >> +                # ipaNTDomainAttrs:
>>>>>> >> +                'ipantsecurityidentifier', 'ipantflatname',
>>>>>> >> 'ipantdomainguid',
>>>>>> >> +                'ipantfallbackprimarygroup',
>>>>>> >> +            },
>>>>>> >> +        },
>>>>>> >> +    }
>>>>>> >>
>>>>>> >>      label = _('Trusts')
>>>>>> >>      label_singular = _('Trust')
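Review bot: the attribute set of this single read permission mixes what SSSD subdomain support needs (ipanttrusteddomainsid, ipantsecurityidentifier, ipantflatname) with ipasam-internal detail such as ipantsupportedencryptiontypes and the two ipantsidblacklist* attributes, so every bind that matches the permission reads both; the replies further down note that authenticated users should not see the latter. Split the definition into one managed permission for authenticated users that carries only the attributes SSSD reads, and a second one for Trust Admins and the "cn=adtrust agents,cn=sysaccounts" group that carries the remaining ipaNTTrustedDomain/ipaNTDomainAttrs attributes.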
>>>>>> >
>>>>>> >In general I am not sure all authenticated users need access to all this
>>>>>> >info. Alexander ?
>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>
>>>>> Can you please list exactly which ones are needed ?
>>>> SSSD subdomains support needs:
>>>>   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>     - ipaNTFlatName
>>>>     - ipaNTSecurityIdentifier
>>>>     - ipaNTTrustedDomainSID
>>>>     - cn
>>>
>>> Question is - is there any added value in hiding part of the
>>> trust information from authenticated users? I.e. attributes like
>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>>> attribute anyway?), SID blacklists...
>> Yes. Some of those attributes are needed as internal detail of ipasam --
>> part of how Samba stores this information taken from specific DCE RPC
>> structures.
>>
>>> If yes, we would need to split this permission in 2 and have one for
>>> authenticated users and one for "Trust Administrators" and "Trust Readers".
>> Yes. Authenticated users shouldn't get any access to those details:
>>   ipantsupportedencryptiontypes
>>   ipanttrustattributes
>>   ipanttrustauthincoming
>>   ipanttrustauthoutgoing
>>
>>
>
>Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should
>then have this permission assigned so that samba can operate the attributes.
'adtrust agents' and 'trust administrators' should have read, modify,
delete, and search on cn=trusts.

-- 
/ Alexander Bokovoy

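As an added example (not FreeIPA's own code and not part of the thread), the following models the split agreed above: one read permission for every authenticated user, limited to the attributes SSSD needs for subdomain support, and a second one for trust administrators and the adtrust agents sysaccount group that also carries the ipasam-internal attributes. It then checks the two definitions against the constraints stated in the replies. The permission dict keys follow the managed_permissions style visible in the quoted patch, but the attribute list is constructed from what appears on this page, and the 'default_privileges' key and the group names passed to it are assumptions rather than FreeIPA's real definitions.

```python
"""Added example, not FreeIPA's own code.

Models the permission split discussed in the thread and checks it:
  - every authenticated user may read only what SSSD subdomain support needs;
  - ipasam-internal attributes are readable only through the admin permission.
Permission structure mirrors the managed_permissions style in the quoted
patch; 'default_privileges' and the group names are assumptions.
"""

# Attributes SSSD subdomain support reads (listed in the thread).
SSSD_REQUIRED = frozenset({
    "cn", "ipantflatname", "ipantsecurityidentifier", "ipanttrusteddomainsid",
})

# Attributes the thread says authenticated users must not read.
ADMIN_ONLY = frozenset({
    "ipantsupportedencryptiontypes", "ipanttrustattributes",
    "ipanttrustauthincoming", "ipanttrustauthoutgoing",
})

# Constructed attribute set of the original single permission: the names
# visible in the quoted patch fragment plus those named in the discussion.
ORIGINAL_ATTRS = frozenset({
    "cn", "ipanttrusteddomainsid", "ipanttrustforesttrustinfo",
    "ipanttrustposixoffset", "ipantsupportedencryptiontypes",
    "ipantsidblacklistincoming", "ipantsidblacklistoutgoing",
    "ipantsecurityidentifier", "ipantflatname", "ipantdomainguid",
    "ipantfallbackprimarygroup", "ipanttrustdirection",
    "ipanttrustattributes", "ipanttrustauthincoming", "ipanttrustauthoutgoing",
})


def split_permissions(attrs, admin_only,
                      admin_groups=("Trust Admins", "adtrust agents")):
    """Return (public, admin) permission definitions in managed_permissions style.

    Attributes in `admin_only` are removed from the public permission and
    remain readable only through the admin permission. Attribute names are
    compared case-insensitively, as LDAP does.
    """
    attrs = frozenset(a.lower() for a in attrs)
    admin_only = frozenset(a.lower() for a in admin_only)
    public = {
        "ipapermbindruletype": "all",            # every authenticated user
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": sorted(attrs - admin_only),
    }
    admin = {
        "ipapermbindruletype": "permission",     # granted through a privilege
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": sorted(attrs),     # admins read the whole entry
        "default_privileges": list(admin_groups),  # hypothetical key/values
    }
    return public, admin


def check_split(public, admin, required=SSSD_REQUIRED, forbidden=ADMIN_ONLY):
    """Return a list of violations; an empty list means the split is acceptable."""
    pub = set(public["ipapermdefaultattr"])
    adm = set(admin["ipapermdefaultattr"])
    problems = []
    for a in sorted(required - pub):
        problems.append(f"SSSD needs {a} but authenticated users cannot read it")
    for a in sorted(forbidden & pub):
        problems.append(f"{a} is ipasam-internal but exposed to authenticated users")
    for a in sorted(required - adm):
        problems.append(f"admin permission is missing {a}")
    return problems


if __name__ == "__main__":
    public_perm, admin_perm = split_permissions(ORIGINAL_ATTRS, ADMIN_ONLY)
    for p in check_split(public_perm, admin_perm):
        print("violation:", p)
    print("authenticated users read:", ", ".join(public_perm["ipapermdefaultattr"]))
```

Running the check against the unsplit permission (pass an empty `admin_only`) reports each ipasam-internal attribute as exposed, which is the situation the thread is correcting; after the split the check returns no violations while SSSD's four attributes stay readable by host principals.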