On Thu, Oct 03, 2013 at 12:01:35AM +0300, Alexander Bokovoy wrote: > On Wed, 02 Oct 2013, Tomas Babej wrote: > >>>I'll send new patchset shortly. > >>New patchset is attached. > >> > >>1. Added test update for ipalib/frontend.py changes > >>2. Used LDAPQuery as base for trustdomain_enable|disable commands as > >> suggested by Honza. > >>3. Fixed issues with removal of trust account password authentication > >>4. Added support to use AD administrator credentials when fetching > >> subdomains information when we establish trust as Kerberos will not > >> be available for cross-realm operations yet. > >>5. Patch 0123 is not part of the patchset and should not be committed, > >> we will discuss exact semantics of transition checks with MIT > >> Kerberos upstream first. > >>6. Fixed few error paths and dead-end cases like attempt to disable root > >> domain of the trust (renders trust dead) or enabling it (it is always > >> enabled). > >>7. Made clear that deleting root domain of the trust is not possible, > >> use trust-del instead. > >>8. Removed whitespaces where saw. > >> > >> > >> > > > >Thanks! > > > >This fixes most of the issues I had. > > > >To summarize, two issues from the today's functional testing we > >already discussed on IRC: > > > >1.) The blacklisting for the child domain does not work (it works > >fine for the root domain). > >Thus, ipa trustdomain-disable for the child domain does not reject > >access to the IPA's resources: > > > >[tbabej@vm-147 labtool]$ ipa trustdomain-disable > >tbad.idm.lab.eng.brq.redhat.com > >child.tbad.idm.lab.eng.brq.redhat.com > >------------------------------------------------------------------------------------------------------------------------------------ > >Domain child.tbad.idm.lab.eng.brq.redhat.com of trust > >tbad.idm.lab.eng.brq.redhat.com is already not allowed to access > >IPA resources > >------------------------------------------------------------------------------------------------------------------------------------ > >[tbabej@vm-147 labtool]$ kdestroy > >[tbabej@vm-147 labtool]$ kvno -S ldap `hostname` > >kvno: Credentials cache file '/run/user/536/krb5cc/tkt1sLaOS' not > >found while getting client principal name > >[tbabej@vm-147 labtool]$ kinit > >administra...@child.tbad.idm.lab.eng.brq.redhat.com > >Password for administra...@child.tbad.idm.lab.eng.brq.redhat.com: > >[tbabej@vm-147 labtool]$ klist > >Ticket cache: DIR::/run/user/536/krb5cc/tktS7Bkhj > >Default principal: administra...@child.tbad.idm.lab.eng.brq.redhat.com > > > >Valid starting Expires Service principal > >10/02/2013 21:28:52 10/03/2013 07:28:52 > >krbtgt/child.tbad.idm.lab.eng.brq.redhat....@child.tbad.idm.lab.eng.brq.redhat.com > > renew until 10/03/2013 21:28:46 > >[tbabej@vm-147 labtool]$ kvno -S ldap `hostname` > >ldap/vm-147.dom147.tbad.idm.lab.eng.brq.redhat....@dom147.tbad.idm.lab.eng.brq.redhat.com: > >kvno = 2 > > > >We should have been denied access here. > Right. This is *very good* finding. Since we put information about black > list only to the root level domain of the trust, we need to reference > the root level domain when checking a subdomain. We don't do that right > now and it is needed also in Sumit's patches so I'll work on merging > them. > > Here is my plan: make a helper that identifies root domain for the > trusted domain (Sumit's code already has this), fetch root domain of > the trust > and validate this domain's SID against black list associated with the > root domain in filter_logon_info().
Since it looks like the forest root<->member domain relationship is needed in various places I wonder if it would be easier in the long run to add this explicitly to the member domain objects e.g. with the help of a new objectclass ipaNTForestMember with a mandatory attribute ipaNTForest or ipaNTMemberOfForest? I think this would also help to make the handling of member domains in transitively trusted forests easier. bye, Sumit _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
