On 04/18/2014 03:40 PM, Martin Kosek wrote:
On 04/18/2014 01:55 PM, Petr Viktorin wrote:
On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
On Thu, 17 Apr 2014, Simo Sorce wrote:
On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
On 04/17/2014 07:11 PM, Petr Viktorin wrote:
Hello,
While working on the trust permissions I found a typo in the
'ipanttrustauthoutgoing' attribute in default_attributes. Here is a
fix.


I think the right question to ask - do we want to have
ipanttrustauth{incoming,outgoing} in default attributes?

I do not think so. It is supposed to hold a secret for the trust, I do not
think you want it displayed on your terminal by default - even if you have a
right to display it.

Yep, should not be returned by default to any command line utility.
Agreed. I wanted to remove it too the other day but forgot to file a
ticket.


I see.
Here is a patch to remove them.


Why did you remove SID blacklists from search_display_attributes? Is this what
we want?

Oops, a mistake on my part.

It changes trust-find behavior from:

# ipa trust-find
---------------
1 trust matched
---------------
   Realm name: tbad.example.com
   Domain NetBIOS name: TBAD
   Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
   SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
                           S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
                           S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
   SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
                           S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
                           S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
   Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

to

# ipa trust-find
---------------
1 trust matched
---------------
   Realm name: tbad.example.com
   Domain NetBIOS name: TBAD
   Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
   Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

I am not saying it is necessarily a bad thing to do. It IMO actually makes find
output consistent with trust-show and better to read.

I would personally remove search_display_attributes altogether since we are
poking in this part and let trust return default attributes in the trust-find
command.

Martin

Alexander, would you be okay with that?


--
Petr³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
