[Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 17 07:03:40 UTC 2015 

On Mon, 17 Aug 2015, Tomas Babej wrote:
>
>
>On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
>> Hi,
>>
>> see commit message for details.
>>
>>
>>
>
>Hi,
>
>code-wise this looks good to me. Unfortunately, I have not been able to
>verify in my setup that it fixes the issue in the linked BZ:
>
>$ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
>ipa-ad-trust --admin Administrator --password
>------------------------------------------------
>Added Active Directory trust for realm "ad.test"
>------------------------------------------------
>  Realm name: ad.test
>  Domain NetBIOS name: AD
>  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  Trust direction: Trusting forest
>  Trust type: Active Directory domain
>  Trust status: Established and verified
>
>$ idrange-find
>
>----------------
>2 ranges matched
>----------------
>  Range name: AD.TEST_id_range
>  First Posix ID of the range: 191200000
>  Number of IDs in the range: 200000
>  First RID of the corresponding RID range: 0
>  Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
>  Range type: Active Directory domain range
>
>  Range name: IPA.TEST_id_range
>  First Posix ID of the range: 695200000
>  Number of IDs in the range: 200000
>  First RID of the corresponding RID range: 1000
>  First RID of the secondary RID range: 100000000
>  Range type: local domain range
>----------------------------
>Number of entries returned 2
>----------------------------
>
>However, I have one child subdomain in the setup:
>
>$ ipa trustdomain-find
>Realm name: ad.test
>  Domain name: ad.test
>  Domain NetBIOS name: AD
>  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>  Domain enabled: True
>
>  Domain name: sub.ad.test
>  Domain NetBIOS name: SUB
>  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
>  Domain enabled: True
>----------------------------
>Number of entries returned 2
>----------------------------
Look for AVCs, if there are any.

Also start abrtd and it should pick up any python exceptions in the
helper as 'crashes'.

-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list