On Mon, 11 Feb 2013, Martin Kosek wrote:
On 02/11/2013 03:34 PM, Alexander Bokovoy wrote:
On Fri, 08 Feb 2013, Martin Kosek wrote:
On 02/08/2013 10:47 AM, Martin Kosek wrote:
Sending patches according to RFE:
http://www.freeipa.org/page/V3/Configurable_SID_Blacklists

How this works:

1) A trust is added and the SID blacklist is filled with the default list (by the
ipa-sam plugin). When the SID blacklist attribute is missing (e.g. for current
trusts), ipa-kdb will use the hardcoded list.

# echo password | ipa trust-add MKAD2012.TEST --admin="Administrator" --password
----------------------------------------------
Re-established trust to domain "MKAD2012.TEST"
----------------------------------------------
  Realm name: MKAD2012.TEST
  Domain NetBIOS name: MKAD2012
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

2) The incoming SID blacklist is updated (I added S-1-18-1 to the list as it is
included in the MS-PAC when I log in from AD 2012):

# ipa trust-mod MKAD2012.TEST --sid-blacklist-incoming S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1


3) When I now log in from AD2012 to my IPA machine, I get an error message in
krb5kdc.log about the filtered SID I configured in LDAP:

...
Feb 08 04:11:33 ipa.linux.mkad2012.test krb5kdc[6493](Error): PAC filtering issue: SID [S-1-18-1] is not allowed from a trusted source and will be excluded.
...

NOTE:
When coding and testing this feature I fixed several related bugs I found in
ipa-kdb; see the description of patches 363-365.

Martin


I forgot to update the ACI allowing Trust Admins to modify the blacklist. I also
added a validator for SIDs to help catch invalid SIDs.

Updated patches attached.
Works fine for me against Windows 2012 server.

However, I'd like you to rebase on top of your previous patches. The VERSION
file is causing a conflict since your patchset for the trustconfig command
increments to the same version as this one.


I pushed the previously acked patch to master. Attaching patches 363-368 rebased
on top of that.
ACK.

Thanks a lot!

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
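The thread above describes two pieces of the feature: a validator for SID strings (mentioned in Martin's follow-up) and the KDC-side filtering of PAC SIDs against a per-trust blacklist (steps 1 to 3). The Python below is an added illustration written for this page; it is not code from the thread, from ipa-kdb or from ipa-sam. It parses and validates SDDL-style SIDs using the limits of the binary SID layout (revision 1, 48-bit identifier authority, at most 15 32-bit sub-authorities), then splits a constructed list of PAC SIDs into allowed and excluded sets. The default blacklist is the one printed by `ipa trust-add` in the thread; treating a blacklist entry as a domain prefix (so `S-1-0` also covers `S-1-0-0`) is my assumption about how such a filter is best expressed, not a statement about ipa-kdb's exact matching rule. The domain SID `S-1-5-21-111-222-333` and the PAC SID list are constructed sample values.

```python
import re
from dataclasses import dataclass

# Default blacklist exactly as shown in the `ipa trust-add` output in the thread.
DEFAULT_SID_BLACKLIST = [
    "S-1-0", "S-1-1", "S-1-2", "S-1-3",
    *[f"S-1-5-{n}" for n in range(1, 21)],
]

# Message text mirrors the krb5kdc.log line quoted in the thread.
EXCLUDED_MSG = ("PAC filtering issue: SID [{sid}] is not allowed from a "
                "trusted source and will be excluded.")

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauths: tuple

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.subauths)])

    def is_prefix_of(self, other):
        """True when `other` equals this SID or lies beneath it.

        A blacklist entry with no sub-authorities (e.g. S-1-0) therefore covers
        every SID issued by that identifier authority. (Assumed semantics.)
        """
        return (self.revision == other.revision
                and self.authority == other.authority
                and other.subauths[:len(self.subauths)] == self.subauths)


def parse_sid(text):
    """Validate and parse a SID string of the form S-R-I-S1-...-Sn.

    Raises ValueError on anything that could not be encoded as a binary SID.
    """
    m = _SID_RE.match(text)
    if not m:
        raise ValueError(f"malformed SID: {text!r}")
    parts = text.split("-")[1:]
    if any(p != str(int(p)) for p in parts):
        raise ValueError(f"leading zeros are not allowed in SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subauths = tuple(int(s) for s in m.group(3).split("-") if s)
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}: {text!r}")
    if authority >= 1 << 48:
        raise ValueError(f"identifier authority exceeds 48 bits: {text!r}")
    if len(subauths) > 15:
        raise ValueError(f"more than 15 sub-authorities: {text!r}")
    if any(s >= 1 << 32 for s in subauths):
        raise ValueError(f"sub-authority exceeds 32 bits: {text!r}")
    return Sid(revision, authority, subauths)


def is_valid_sid(text):
    """Boolean wrapper around parse_sid, for validating user-supplied blacklists."""
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def filter_pac_sids(pac_sids, blacklist=DEFAULT_SID_BLACKLIST):
    """Split PAC SIDs into (allowed, excluded) using the blacklist as prefixes."""
    rules = [parse_sid(entry) for entry in blacklist]
    allowed, excluded = [], []
    for text in pac_sids:
        sid = parse_sid(text)
        if any(rule.is_prefix_of(sid) for rule in rules):
            excluded.append(str(sid))
        else:
            allowed.append(str(sid))
    return allowed, excluded


def exclusion_log_lines(excluded):
    """Render one log message per excluded SID, in the format seen in the thread."""
    return [EXCLUDED_MSG.format(sid=sid) for sid in excluded]


if __name__ == "__main__":
    # Constructed PAC contents: a domain user and group under the constructed
    # domain SID S-1-5-21-111-222-333, plus two well-known SIDs that a PAC from
    # a trusted forest may also carry.
    pac = ["S-1-5-21-111-222-333-1106", "S-1-5-21-111-222-333-513",
           "S-1-5-11", "S-1-18-1"]
    for label, bl in (("default blacklist", DEFAULT_SID_BLACKLIST),
                      ("blacklist with S-1-18-1 added", DEFAULT_SID_BLACKLIST + ["S-1-18-1"])):
        allowed, excluded = filter_pac_sids(pac, bl)
        print(f"{label}: allowed={allowed}")
        for line in exclusion_log_lines(excluded):
            print("  " + line)
```

With the default list only `S-1-5-11` is dropped and `S-1-18-1` passes through; after the incoming blacklist is extended as in step 2 of the thread, `S-1-18-1` is excluded as well and produces the same message that appeared in krb5kdc.log. Validating blacklist entries before storing them (the `is_valid_sid` check) matters because a malformed entry would otherwise silently fail to match anything at filtering time.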