[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Petr Viktorin pviktori at redhat.com
Mon Apr 28 14:20:28 UTC 2014


On 04/28/2014 11:17 AM, Alexander Bokovoy wrote:
> On Mon, 28 Apr 2014, Martin Kosek wrote:
>> On 04/28/2014 10:02 AM, Alexander Bokovoy wrote:
>>> On Fri, 25 Apr 2014, Petr Viktorin wrote:
>>>> On 04/23/2014 02:46 PM, Martin Kosek wrote:
>>>>> On 04/22/2014 01:38 PM, Petr Viktorin wrote:
>>>>>> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>>>>>>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>>>>>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>>>>>>>> In general I am not sure all authenticated users need
>>>>>>>>>>>>>>>>> access to all this info. Alexander ?
>>>>>>>>>>>>>>>> SSSD needs to read some of this information for
>>>>>>>>>>>>>>>> subdomains support.
>>>>>>>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>>>>>>>> SSSD subdomains support needs:
>>>>>>>>>>>>>>    - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>>>>>>>>      - ipaNTFlatName
>>>>>>>>>>>>>>      - ipaNTSecurityIdentifier
>>>>>>>>>>>>>>      - ipaNTTrustedDomainSID
>>>>>>>>>>>>>>      - cn
>>>>>>>>>>>>>
>>>>>>>>>>>>> Question is - is there any added value in hiding part of the
>>>>>>>>>>>>> trust information from authenticated users? I.e. attributes
>>>>>>>>>>>>> like
>>>>>>>>>>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the
>>>>>>>>>>>>> purpose of this
>>>>>>>>>>>>> attribute anyway?), SID blacklists...
>>>>>>>>>>>> Yes. Some of those attributes are needed as internal detail
>>>>>>>>>>>> of ipasam --
>>>>>>>>>>>> part of how Samba stores this information taken from
>>>>>>>>>>>> specific DCE RPC
>>>>>>>>>>>> structures.
>>>>>>>>>>>>
>>>>>>>>>>>>> If yes, we would need to split this permission in 2 and
>>>>>>>>>>>>> have one for
>>>>>>>>>>>>> authenticated users and one for "Trust Administrators" and
>>>>>>>>>>>>> "Trust
>>>>>>>>>>>>> Readers".
>>>>>>>>>>>> Yes. Authenticated users shouldn't get any access to those
>>>>>>>>>>>> details:
>>>>>>>>>>>>    ipantsupportedencryptiontypes
>>>>>>>>>>>>    ipanttrustattributes
>>>>>>>>>>>>    ipanttrustauthincoming
>>>>>>>>>>>>    ipanttrustauthoutgoing
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX"
>>>>>>>>>>> system group
>>>>>>>>>>> should
>>>>>>>>>>> then have this permission assigned so that samba can operate the
>>>>>>>>>>> attributes.
>>>>>>>>>> 'adtrust agents' and 'trust administrators' should have read,
>>>>>>>>>> modify,
>>>>>>>>>> delete, and search on cn=trusts.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Right. We will probably want to turn most of ACIs in
>>>>>>>>> install/updates/60-trusts.update in managed permissions (i.e.
>>>>>>>>> defined in
>>>>>>>>> trust.py) and make "adtrust agents" and "trust admins" its
>>>>>>>>> members.
>>>>>>>> I agree.
>>>>>>>>
>>>>>>>
>>>>>>> +1
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>>
>>>>>> All right. Now I'm replacing the global anonymous read ACI;
>>>>>> converting the
>>>>>> others will come later. The existing agents/admins ACIs grant the
>>>>>> 'read' (or
>>>>>> 'all') right already.
>>>>>> ipaIDRange is covered in the range plugin, so what's left for this
>>>>>> patch is
>>>>>> the
>>>>>> ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>>>>>>
>>>>>> Does that sound reasonable?
>>>>>
>>>>> This is all that's needed from SSSD side, I just verified in sssd
>>>>> git. sssd
>>>>> indeed only uses these attributes:
>>>>>
>>>>> #define IPA_CN "cn"
>>>>> #define IPA_FLATNAME "ipaNTFlatName"
>>>>> #define IPA_SID "ipaNTSecurityIdentifier"
>>>>> #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
>>>>>
>>>>> So I am OK with the patch as is.
>>>>>
>>>>> However, with this ACI, regular users will not be able to show
>>>>> Trusts with
>>>>> command line even though they have access to the basic information:
>>>>>
>>>>> # ipa trust-find
>>>>> ----------------
>>>>> 0 trusts matched
>>>>> ----------------
>>>>> ----------------------------
>>>>> Number of entries returned 0
>>>>> ----------------------------
>>>>>
>>>>> IMO trust command should be able to return the information that the
>>>>> user is
>>>>> allowed to see. I prepared a patch to make the read part of
>>>>> trust.py more
>>>>> resilient to missing attributes. Attached.
>>>>>
>>>>> With this patch enabled, I have this output as regular user:
>>>>>
>>>>> # ipa trust-find
>>>>> ---------------
>>>>> 1 trust matched
>>>>> ---------------
>>>>>   Realm name: tbad.example.com
>>>>>   Domain NetBIOS name: TBAD
>>>>>   Domain Security Identifier:
>>>>> S-1-5-21-2997650941-1802118864-3094776726
>>>>> ----------------------------
>>>>> Number of entries returned 1
>>>>> ----------------------------
>>>>> # ipa trust-show tbad.example.com
>>>>>   Realm name: tbad.example.com
>>>>>   Domain NetBIOS name: TBAD
>>>>>   Domain Security Identifier:
>>>>> S-1-5-21-2997650941-1802118864-3094776726
>>>>>
>>>>> # ipa trustdomain-find tbad.example.com
>>>>>   Domain name: child.tbad.example.com
>>>>>   Domain NetBIOS name: CHILD
>>>>>   Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>>>>>
>>>>>   Domain name: tbad.example.com
>>>>>   Domain NetBIOS name: TBAD
>>>>>   Domain Security Identifier:
>>>>> S-1-5-21-2997650941-1802118864-3094776726
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>> ----------------------------
>>>>>
>>>>> The only bigger change I did was to filter trust root domains by
>>>>> ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not
>>>>> available to everyone.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> The patch looks good to me, but I think Alexander is better
>>>> qualified to
>>>> review it.
>>> ACK.
>>>
>>
>> Thanks Alexander. I assume you are also ok with Petr's 529.2 I used as
>> a base.
>> (There is also a pending patch 530 touching this trust plugin area.)
> Yes. As I said in the other thread, I am only slightly worried about SID
> blacklist visibility (or lack thereof) with the latest changes, but we
> should handle that as a separate patchset (if any).
>

I've rebased my patch, and pushed both to master: 
5d832c342608fd567ea258c1d506cae28f6b0abf


-- 
Petr³
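The attribute-level split agreed in the thread, as an added example that is not part of the original message, the attached patch, or FreeIPA's own trust.py: a small Python model of a 389-ds style attribute read ACI. It shows why a trust listing that picks out root trust entries through the restricted ipaNTSIDBlacklistIncoming attribute reports "0 trusts matched" to an ordinary user while picking them out through ipaNTSecurityIdentifier works, and it renders only what the caller may read instead of failing on a missing attribute. The entries are constructed (the realm names and SIDs are the ones shown above); the assumption that root trust entries carry ipaNTSecurityIdentifier and child domain entries do not, the inclusion of objectclass in the readable set, and the function names are mine, not FreeIPA's.

```python
"""Model of the read split from the freeipa-devel thread (added example,
not FreeIPA code).  Simulates an attribute-level ACI, an LDAP presence
filter evaluated under that ACI, and a resilient trust listing.  All
entries are constructed; which attributes mark a root trust entry is an
assumption."""

# Attributes every authenticated principal may read: the four SSSD needs.
# objectclass is added as an assumption so objectclass filters still match.
AUTHENTICATED_READ = frozenset({
    "objectclass", "cn", "ipantflatname",
    "ipantsecurityidentifier", "ipanttrusteddomainsid",
})

# Attributes that must not reach authenticated users: ipasam-internal
# detail, including the trust authentication blobs.
RESTRICTED = frozenset({
    "ipantsupportedencryptiontypes", "ipanttrustattributes",
    "ipanttrustauthincoming", "ipanttrustauthoutgoing",
})

# adtrust agents and trust admins keep read on the whole entry.
ADMIN_READ = AUTHENTICATED_READ | RESTRICTED | frozenset({
    "ipanttrustdirection", "ipantsidblacklistincoming",
})

TBAD_SID = "S-1-5-21-2997650941-1802118864-3094776726"
CHILD_SID = "S-1-5-21-972585150-1048339146-1910910075"

# Constructed entries under cn=trusts: one root trust and one child domain.
# Values other than the names and SIDs are illustrative placeholders.
ENTRIES = [
    {
        "objectClass": ["ipaNTTrustedDomain"],
        "cn": ["tbad.example.com"],
        "ipaNTFlatName": ["TBAD"],
        "ipaNTSecurityIdentifier": [TBAD_SID],      # assumption: root marker
        "ipaNTTrustedDomainSID": [TBAD_SID],
        "ipaNTTrustDirection": ["3"],
        "ipaNTTrustAttributes": ["8"],
        "ipaNTSupportedEncryptionTypes": ["28"],
        "ipaNTTrustAuthIncoming": [b"\x00opaque"],
        "ipaNTTrustAuthOutgoing": [b"\x00opaque"],
        "ipaNTSIDBlacklistIncoming": ["S-1-5-20", "S-1-5-32"],
    },
    {
        "objectClass": ["ipaNTTrustedDomain"],
        "cn": ["child.tbad.example.com"],
        "ipaNTFlatName": ["CHILD"],
        "ipaNTTrustedDomainSID": [CHILD_SID],
    },
]

# Output labels in the order the CLI prints them; the last one is only
# available to readers of ipaNTTrustDirection.
LABELS = [
    ("Realm name", "cn"),
    ("Domain NetBIOS name", "ipantflatname"),
    ("Domain Security Identifier", "ipanttrusteddomainsid"),
    ("Trust direction", "ipanttrustdirection"),
]


def visible(entry, readable):
    """Apply an attribute-level read ACI.  LDAP attribute names are
    case-insensitive, so the result is keyed by lower-cased names."""
    return {a.lower(): v for a, v in entry.items() if a.lower() in readable}


def search_present(entries, readable, attr):
    """Emulate a search with filter (attr=*): the filter is evaluated only
    over attributes the bind DN may see, so a filter on a restricted
    attribute matches nothing for an unprivileged reader."""
    return [v for v in (visible(e, readable) for e in entries) if attr.lower() in v]


def render(entry_visible):
    """Show what the caller may read; a missing attribute is skipped rather
    than raising KeyError and dropping the whole entry from the listing."""
    return {label: entry_visible[a][0] for label, a in LABELS if a in entry_visible}


def trust_find(entries, readable, root_marker="ipantsecurityidentifier"):
    """trust-find modelled: root trusts are selected by root_marker, which the
    thread changes from ipaNTSIDBlacklistIncoming to ipaNTSecurityIdentifier."""
    return [render(v) for v in search_present(entries, readable, root_marker)]


def leaked_restricted(entries, readable):
    """Names of restricted attributes that this bind DN would receive."""
    return sorted(a for e in entries for a in visible(e, readable) if a in RESTRICTED)


if __name__ == "__main__":
    print("user, old filter:", trust_find(ENTRIES, AUTHENTICATED_READ, "ipantsidblacklistincoming"))
    print("user, new filter:", trust_find(ENTRIES, AUTHENTICATED_READ))
    print("admin, new filter:", trust_find(ENTRIES, ADMIN_READ))
    print("restricted attrs leaked to user:", leaked_restricted(ENTRIES, AUTHENTICATED_READ))
```

The point the model makes: once read access is granted per attribute, both the search filter and the display code have to be written against the attributes the least-privileged caller can see, otherwise the entry vanishes for that caller even though cn, the flat name and the SID are readable. The `leaked_restricted` check is the one to keep around when the permission's attribute list changes.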

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0529.3-Add-managed-read-permissions-to-trust.patch
Type: text/x-patch
Size: 1592 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140428/6cbd406c/attachment.bin>
