[Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script
Alexander Bokovoy
abokovoy at redhat.com
Mon Aug 17 07:03:40 UTC 2015
On Mon, 17 Aug 2015, Tomas Babej wrote:
>
>
>On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
>> Hi,
>>
>> see commit message for details.
>>
>>
>>
>
>Hi,
>
>code-wise this looks good to me. Unfortunately, I have not been able to
>verify in my setup that it fixes the issue in the linked BZ:
>
>$ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
>ipa-ad-trust --admin Administrator --password
>------------------------------------------------
>Added Active Directory trust for realm "ad.test"
>------------------------------------------------
> Realm name: ad.test
> Domain NetBIOS name: AD
> Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
> SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
> S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
> S-1-1, S-1-0, S-1-5-19, S-1-5-18
> SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
> S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
> S-1-1, S-1-0, S-1-5-19, S-1-5-18
> Trust direction: Trusting forest
> Trust type: Active Directory domain
> Trust status: Established and verified
>
>$ idrange-find
>
>----------------
>2 ranges matched
>----------------
> Range name: AD.TEST_id_range
> First Posix ID of the range: 191200000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
> Range type: Active Directory domain range
>
> Range name: IPA.TEST_id_range
> First Posix ID of the range: 695200000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
>----------------------------
>Number of entries returned 2
>----------------------------
>
>However, I have one child subdomain in the setup:
>
>$ ipa trustdomain-find
>Realm name: ad.test
> Domain name: ad.test
> Domain NetBIOS name: AD
> Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
> Domain enabled: True
>
> Domain name: sub.ad.test
> Domain NetBIOS name: SUB
> Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
> Domain enabled: True
>----------------------------
>Number of entries returned 2
>----------------------------
Look for AVCs, if there are any.
Also start abrtd and it should pick up any python exceptions in the
helper as 'crashes'.
--
/ Alexander Bokovoy
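
The cross-check done by hand in the quoted report (each domain from `ipa trustdomain-find` should have a matching entry in `idrange-find`) can be scripted. This is an added example, not part of the original message or of FreeIPA; the function names are hypothetical and the sample text is abridged from the output quoted above.

```python
import re

# Abridged from the CLI output quoted in the message above (not live data).
TRUSTDOMAIN_FIND = """\
Realm name: ad.test
 Domain name: ad.test
 Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
 Domain enabled: True

 Domain name: sub.ad.test
 Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
 Domain enabled: True
"""

IDRANGE_FIND = """\
 Range name: AD.TEST_id_range
 First Posix ID of the range: 191200000
 Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
 Range type: Active Directory domain range

 Range name: IPA.TEST_id_range
 First Posix ID of the range: 695200000
 Range type: local domain range
"""

def records(text):
    """Split CLI output into one dict per blank-line-separated entry."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # Separator lines (----) and headers carry no ':' and are skipped.
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if fields:
            out.append(fields)
    return out

def domains_without_range(trustdomains, idranges):
    """Return enabled trusted domains whose SID has no matching ID range."""
    covered = {r.get("Domain SID of the trusted domain") for r in records(idranges)}
    return [d["Domain name"] for d in records(trustdomains)
            if d.get("Domain enabled") == "True"
            and d["Domain Security Identifier"] not in covered]

if __name__ == "__main__":
    # For the output quoted above this reports the child domain.
    print(domains_without_range(TRUSTDOMAIN_FIND, IDRANGE_FIND))
```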