On 02/20/2013 12:30 PM, Petr Viktorin wrote:
> On 02/20/2013 09:15 AM, Martin Kosek wrote:
>> On 02/19/2013 10:19 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>>>>> When user tries to perform any action requiring communication with
>>>>> trusted domain, IPA server tries to retrieve a trust secret on his
>>>>> behalf to be able to establish the connection. This happens for
>>>>> example during group-add-member command when external user is
>>>>> being resolved in the AD.
>>>>>
>>>>> When user is not member of Trust admins group, the retrieval crashes
>>>>> and reports internal error. Catch this exception and rather report
>>>>> properly formatted ACIError.
>>>>>
>>>>> ----
>>>>>
>>>>> I hit this error after updating to the latest FreeIPA version with the AD
>>>>> CVE fixed.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> I filed a ticket to not lose this fix and patch. Attaching an updated
>>>> patch with ticket URL in description.
>>>>
>>>> Martin
>>>>
>>>
>>>
>>> The patch fixes the problem but the error is untranslated:
>>>
>>>      member group: AD\Domain Admins: Insufficient access:
>>>      Gettext('communication with trusted domains is allowed for Trusts
>>>      administrator group members only', domain='ipa', localedir=None)
>>>
>>> rob
>>
>> I think this is just because this string is not in our ipa.pot file yet (it
>> will be when we do the Transifex refresh).
>>
>> Martin
>>
> 
> I don't have AD so I can't investigate, but this problem is usually due to the
> error being converted to string instead of using the strerror attribute.
> 

You are right, attaching a patch which fixes it for group-add-member. But just
using a quick grep, I see we do not use strerror in a lot of other places; we
may want to open a ticket to fix that too.

Martin

From 0662aedeefec4e8dff621ad7d0f1ead881a559ca Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 24 Jan 2013 11:51:58 +0100
Subject: [PATCH] Avoid internal error when user is not Trust admin

When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.

When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.

https://fedorahosted.org/freeipa/ticket/3390
---
 ipalib/plugins/group.py |  2 +-
 ipaserver/dcerpc.py     | 27 +++++++++++++++++++++++----
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 4994dacb3218e03e1f92b7c16bf355c8ffa4d6f9..06e80931a0d77beb93b08cdf2637e3c750c1bafa 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -387,7 +387,7 @@ class group_add_member(LDAPAddMember):
                     try:
                         actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
                     except errors.PublicError, e:
-                        failed_sids.append((sid, unicode(e)))
+                        failed_sids.append((sid, e.strerror))
                     else:
                         sids.append(actual_sid)
             restore = []
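Review bot: the switch from `unicode(e)` to `e.strerror` in the `except errors.PublicError, e:` branch is the right fix for the untranslated `Gettext(...)` repr Rob saw (stringifying the exception serialises the lazy translation object instead of the message), but it is a pattern fix applied to a single call site; the reply above already notes that a grep finds other `unicode(e)` uses, so the commit message should reference a follow-up ticket for them, or the remaining sites should be converted in this patch.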
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index b471bccee414281e26eaaf404b59fb3268d37112..140e26f77f6dd405e30fc13422869d9667da6ba0 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -156,10 +156,29 @@ class DomainValidator(object):
                                                                       self.ATTR_TRUST_AUTHOUT])
 
             result = dict()
-            for entry in entries:
-                result[entry[1][self.ATTR_TRUST_PARTNER][0]] = (entry[1][self.ATTR_FLATNAME][0].lower(),
-                                                                security.dom_sid(entry[1][self.ATTR_TRUSTED_SID][0]),
-                                                                entry[1][self.ATTR_TRUST_AUTHOUT][0])
+            for dn, entry in entries:
+                try:
+                    trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
+                    flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
+                    trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
+                except KeyError, e:
+                    # Some piece of trusted domain info in LDAP is missing
+                    # Skip the domain, but leave log entry for investigation
+                    api.log.warn("Trusted domain '%s' entry misses an attribute: %s",
+                            dn, e)
+                    continue
+                trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
+
+                # We were able to read all Trusted domain attributes but the secret
+                # User is not member of trust admins group
+                if trust_authout is None:
+                    raise errors.ACIError(
+                        info=_('communication with trusted domains is allowed '
+                               'for Trusts administrator group members only'))
+
+                result[trust_partner] = (flatname_normalized,
+                                         security.dom_sid(trusted_sid),
+                                         trust_authout)
             return result
         except errors.NotFound, e:
             return []
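Review bot: the return types of this method are now inconsistent: the success path returns the `result` dict, while the `except errors.NotFound, e:` branch returns `[]`, so a caller that indexes the result by trust partner name or iterates `.items()` fails differently depending on whether any trust entries exist; returning an empty dict there would keep the contract uniform. Separately, the new `if trust_authout is None: raise errors.ACIError(...)` attributes a missing `ATTR_TRUST_AUTHOUT` value to the caller not being a Trust admin, but the `entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]` path is taken equally when the attribute is genuinely absent from a trust entry, so a broken trust object will be reported to the user as a permission problem; logging the `dn` before raising, as the `KeyError` branch does with `api.log.warn`, would let an administrator tell the two cases apart in the server log.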
-- 
1.8.1.2

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel