On 02/11/2013 06:58 PM, Alexander Bokovoy wrote:
> On Mon, 11 Feb 2013, Martin Kosek wrote:
>> On 02/11/2013 03:34 PM, Alexander Bokovoy wrote:
>>> On Fri, 08 Feb 2013, Martin Kosek wrote:
>>>> On 02/08/2013 10:47 AM, Martin Kosek wrote:
>>>>> Sending patches according to RFE:
>>>>> http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
>>>>>
>>>>> How this works:
>>>>>
>>>>> 1) Trust is added, SID blacklist is filled with default list (by ipa-sam
>>>>> plugin). When SID blacklist attribute is missing (e.g. for current trusts),
>>>>> ipa-kdb will use the hardcoded list.
>>>>>
>>>>> # echo password | ipa trust-add MKAD2012.TEST --admin="Administrator" --password
>>>>> ----------------------------------------------
>>>>> Re-established trust to domain "MKAD2012.TEST"
>>>>> ----------------------------------------------
>>>>>   Realm name: MKAD2012.TEST
>>>>>   Domain NetBIOS name: MKAD2012
>>>>>   Domain Security Identifier: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
>>>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
>>>>>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
>>>>>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>>>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
>>>>>                           S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
>>>>>                           S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
>>>>>   Trust direction: Two-way trust
>>>>>   Trust type: Active Directory domain
>>>>>   Trust status: Established and verified
>>>>>
>>>>> 2) Incoming SID blacklist is updated (I added S-1-18-1 to the list as it is
>>>>> included in MS-PAC when I log from AD 2012):
>>>>>
>>>>> # ipa trust-mod MKAD2012.TEST --sid-blacklist-incoming
>>>>> S-1-0,S-1-1,S-1-2,S-1-3,S-1-5-1,S-1-5-2,S-1-5-3,S-1-5-4,S-1-5-5,S-1-5-6,S-1-5-7,S-1-5-8,S-1-5-9,S-1-5-10,S-1-5-11,S-1-5-12,S-1-5-13,S-1-5-14,S-1-5-15,S-1-5-16,S-1-5-17,S-1-5-18,S-1-5-19,S-1-5-20,S-1-18-1
>>>>>
>>>>> 3) When I now login from AD2012 to my IPA machine, I get error message in
>>>>> krb5kdc.log about the filtered SID I configured in LDAP:
>>>>>
>>>>> ...
>>>>> Feb 08 04:11:33 ipa.linux.mkad2012.test krb5kdc[6493](Error): PAC filtering
>>>>> issue: SID [S-1-18-1] is not allowed from a trusted source and will be excluded.
>>>>> ...
>>>>>
>>>>> NOTE:
>>>>> When coding and testing this feature I fixed several related bugs I found in
>>>>> ipa-kdb, see description of patches 363-365.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> I forgot to update ACI allowing Trust Admins to modify the blacklist. I also
>>>> added a validator for SIDs to help catching invalid SIDs.
>>>>
>>>> Updated patches attached.
>>> Work for me fine against Windows 2012 server.
>>>
>>> However, I'd like you to rebase on top of your previous patches. VERSION
>>> file is causing conflict since your patchset for trustconfig command
>>> increments to the same version as this one.
>>>
>>
>> I pushed previous acked patch to master. Attaching patches 363-368 rebased on
>> top of that.
> ACK.
> 
> Thanks a lot!
> 

Thanks for review! Pushed to master, ipa-3-1.

Martin
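The three-step behaviour Martin describes (default blacklist per trust, an updated list passed to trust-mod with a SID validator, and the KDC excluding blacklisted PAC SIDs with a log message) as an added Python illustration. This is not FreeIPA's or ipa-kdb's code; it assumes exact-match comparison of blacklist entries and uses a constructed domain SID for the sample PAC.

```python
import re

# Added example (not FreeIPA code): SID syntax check and PAC SID filtering
# against a per-trust blacklist, mirroring the behaviour described in the thread.

# S-1-<identifier authority>[-<subauthority> ...], at most 15 subauthorities
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){0,15}$")

# Default list as shown in the trust-add output above.
DEFAULT_SID_BLACKLIST = ["S-1-0", "S-1-1", "S-1-2", "S-1-3"] + \
    ["S-1-5-%d" % i for i in range(1, 21)]


def validate_sid(sid):
    """Return True if the string is a syntactically valid SID."""
    return bool(SID_RE.match(sid))


def parse_sid_blacklist(value):
    """Parse the comma-separated list given to --sid-blacklist-incoming,
    rejecting entries that are not well-formed SIDs (what a validator would do)."""
    sids = [s.strip() for s in value.split(",") if s.strip()]
    bad = [s for s in sids if not validate_sid(s)]
    if bad:
        raise ValueError("invalid SID(s): %s" % ", ".join(bad))
    return sids


def filter_pac_sids(pac_sids, blacklist=None):
    """Split SIDs from a trusted domain's PAC into (allowed, excluded).

    Assumption: a blacklist entry matches exactly one SID (no prefix matching).
    A missing blacklist (None) falls back to the default list, as ipa-kdb falls
    back to its hardcoded list when the LDAP attribute is absent.
    """
    blocked = set(DEFAULT_SID_BLACKLIST if blacklist is None else blacklist)
    allowed, excluded = [], []
    for sid in pac_sids:
        (excluded if sid in blocked else allowed).append(sid)
    return allowed, excluded


def log_lines(excluded):
    """One message per excluded SID, worded like the krb5kdc.log entry above."""
    return ["PAC filtering issue: SID [%s] is not allowed from a trusted source "
            "and will be excluded." % sid for sid in excluded]


if __name__ == "__main__":
    # Constructed sample: updated list from the trust-mod step plus a constructed
    # (not real) user SID from the trusted domain and a well-known group SID.
    updated = parse_sid_blacklist(",".join(DEFAULT_SID_BLACKLIST + ["S-1-18-1"]))
    pac = ["S-1-5-21-1111-2222-3333-1105", "S-1-18-1", "S-1-5-11"]
    allowed, excluded = filter_pac_sids(pac, updated)
    for line in log_lines(excluded):
        print(line)
```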

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel