Sending patches according to RFE:
http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
How this works:
1) Trust is added, SID blacklist is filled with default list (by ipa-sam
plugin). When SID blacklist attribute is missing (e.g. for current trusts),
ipa-kdb will use the hardcoded list.
# echo password | ipa trust-add MKAD2012.TEST --admin="Administrator" --password
----------------------------------------------
Re-established trust to domain "MKAD2012.TEST"
----------------------------------------------
Realm name: MKAD2012.TEST
Domain NetBIOS name: MKAD2012
Domain Security Identifier: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
2) Incoming SID blacklist is updated (I added S-1-18-1 to the list as it is
included in MS-PAC when I log in from AD 2012):
# ipa trust-mod MKAD2012.TEST --sid-blacklist-incoming S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1
3) When I now log in from AD2012 to my IPA machine, I get an error message in
krb5kdc.log about the filtered SID I configured in LDAP:
...
Feb 08 04:11:33 ipa.linux.mkad2012.test krb5kdc[6493](Error): PAC filtering issue: SID [S-1-18-1] is not allowed from a trusted source and will be excluded.
...
...
NOTE:
When coding and testing this feature I fixed several related bugs I found in
ipa-kdb, see description of patches 363-365.
Martin
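Added example, not part of the mail and not FreeIPA's ipa-kdb or ipa-sam code: a small Python model of the three steps above. It parses the comma-separated value passed to `ipa trust-mod --sid-blacklist-incoming`, falls back to the hardcoded default list when a trust carries no blacklist attribute (point 1), and filters the extra SIDs of an incoming PAC against the per-trust list, reporting the excluded SIDs with the same wording the krb5kdc.log line uses (point 3). Assumptions not taken from the page: blacklist entries are matched as exact SID strings, the `TrustedDomain` class and function names are hypothetical, and the PAC SID list in the test is constructed.

```python
# Hypothetical model of per-trust SID blacklist handling (not FreeIPA code).
# Assumption: a blacklist entry matches a PAC SID only on exact string equality.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

_SID_RE = re.compile(r"^S-1-\d+(-\d+)*$")

# Default list as printed by `ipa trust-add` in the mail (S-1-0 .. S-1-5-20).
DEFAULT_SID_BLACKLIST = (
    ["S-1-0", "S-1-1", "S-1-2", "S-1-3"]
    + ["S-1-5-%d" % i for i in range(1, 21)]
)


def parse_sid_blacklist(value: str) -> List[str]:
    """Parse the value given to `ipa trust-mod --sid-blacklist-incoming`.

    Whitespace around entries is tolerated. A malformed or duplicate entry
    raises instead of being dropped, so a typo cannot silently shrink the list.
    """
    sids: List[str] = []
    for raw in value.split(","):
        sid = raw.strip()
        if not sid:
            continue
        if not _SID_RE.match(sid):
            raise ValueError("not a SID: %r" % sid)
        if sid in sids:
            raise ValueError("duplicate blacklist entry: %s" % sid)
        sids.append(sid)
    return sids


@dataclass
class TrustedDomain:
    """Hypothetical trust entry; an empty LDAP attribute means 'use the default'."""
    realm: str
    domain_sid: str
    sid_blacklist_incoming: List[str] = field(
        default_factory=lambda: list(DEFAULT_SID_BLACKLIST)
    )


def filter_pac_sids(trust: TrustedDomain,
                    pac_extra_sids: List[str]) -> Tuple[List[str], List[str]]:
    """Return (kept, excluded) for the ExtraSids of a PAC from `trust`.

    Every excluded SID is reported with the wording the KDC log line uses.
    """
    blacklist = set(trust.sid_blacklist_incoming)
    kept: List[str] = []
    excluded: List[str] = []
    for sid in pac_extra_sids:
        if sid in blacklist:
            excluded.append(sid)
            print("PAC filtering issue: SID [%s] is not allowed from a "
                  "trusted source and will be excluded." % sid)
        else:
            kept.append(sid)
    return kept, excluded


if __name__ == "__main__":
    # Constructed demo: the mail's modified list plus a constructed PAC.
    bl = parse_sid_blacklist(
        "S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,"
        "S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,"
        "S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1"
    )
    trust = TrustedDomain("MKAD2012.TEST", "S-1-5-21-1-2-3", bl)
    print(filter_pac_sids(trust, ["S-1-18-1", "S-1-5-21-1-2-3-513"]))
```

The domain SID in the demo is a placeholder, as in the mail. The parser rejects rather than skips bad entries because a blacklist that is silently shorter than intended lets SIDs through that the administrator believed were filtered.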