URL: https://github.com/freeipa/freeipa/pull/867
Author: abbra
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/867/head:pr867
git checkout pr867
From eed383573ccad874114194e724c9ba282b2e4529 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH 1/2] trust-mod: allow modifying list of UPNs of a trusted
 forest

There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via the netr_DsRGetForestTrustInformation
DCE RPC call. As a result, the FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As a result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs, which otherwise wouldn't work
properly at the Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible for specifying all of them:

  ipa trust-mod ad.test --upns={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
---
 API.txt                    | 3 ++-
 VERSION.m4                 | 4 ++--
 ipaserver/plugins/trust.py | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 44567a22da..4930b0d6b2 100644
--- a/API.txt
+++ b/API.txt
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: trust_mod/1
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', cli_name='realm')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
+option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upns')
 option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming')
 option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
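Review bot: the new option's cli_name 'upns' is easy to misread as "full user principal names", while the attribute it maps to (ipantadditionalsuffixes, labelled 'UPN suffixes' in trust.py) holds suffixes only; a name such as 'upn_suffixes' would match the label and avoid operators passing user@suffix values. The args count bump from 9 to 10 is consistent with the single added option.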
diff --git a/VERSION.m4 b/VERSION.m4
index 706c243739..cc308f1e23 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 #                                                      #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 227)
-# Last change: Add `pkinit-status` command
+define(IPA_API_VERSION_MINOR, 228)
+# Last change: Expose ipaNTAdditionalSuffixes in trust-mod
 
 
 ########################################################
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 075b39dcc3..310634904e 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -553,8 +553,9 @@ class trust(LDAPObject):
             flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
         ),
         Str('ipantadditionalsuffixes*',
+            cli_name='upns',
             label=_('UPN suffixes'),
-            flags={'no_create', 'no_update', 'no_search'},
+            flags={'no_create', 'no_search'},
         ),
     )
 
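Review bot: dropping 'no_update' makes ipantadditionalsuffixes writable through trust-mod, but the parameter carries only a label and no doc= string, so `ipa trust-mod --help` will say nothing about the replace-all semantics the commit message warns about (an invocation that omits an existing suffix silently removes it from the trust). Consider adding e.g. `doc=_('UPN suffixes of the trusted forest; replaces the current list')`. No validator is attached either, so any string, including the local realm's own domain, is accepted as a trusted-forest suffix; if that is intentional it is worth a sentence in the doc string.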

From 78e0a8f1fb352b2db54ec220646505c914c0760d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH 2/2] trust-mod: allow modifying list of UPNs of a trusted
 forest

There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via the netr_DsRGetForestTrustInformation
DCE RPC call. As a result, the FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As a result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs, which otherwise wouldn't work
properly at the Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible for specifying all of them:

  ipa trust-mod ad.test --upns={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
---
 API.txt                    | 2 +-
 ipaserver/plugins/trust.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 4930b0d6b2..aabd9c0d4a 100644
--- a/API.txt
+++ b/API.txt
@@ -5777,7 +5777,7 @@ arg: Str('cn', cli_name='realm')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
-option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upns')
+option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes')
 option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming')
 option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
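Review bot: this commit changes API.txt (cli_name 'upns' to 'upn_suffixes') but, per its diffstat, does not touch VERSION.m4, whereas patch 1/2 bumped IPA_API_VERSION_MINOR to 228 for its API.txt change. Either squash this into 1/2 before merging (the two commits also carry an identical message, which suggests that was the intent) or bump the minor version again here so API.txt and VERSION.m4 stay in step.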
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 310634904e..d0bbfbc47c 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -553,7 +553,7 @@ class trust(LDAPObject):
             flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
         ),
         Str('ipantadditionalsuffixes*',
-            cli_name='upns',
+            cli_name='upn_suffixes',
             label=_('UPN suffixes'),
             flags={'no_create', 'no_search'},
         ),
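Review bot: the rename to cli_name='upn_suffixes' is not reflected in this commit's own message, whose example still reads `ipa trust-mod ad.test --upns={existing.upn,another_upn,new}`; update the example to `--upn-suffixes=` (the CLI renders the underscore as a dash) so the recorded usage matches the shipped option, and, if the commits are squashed, keep only the corrected example.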