Re: [Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script

Mon, 17 Aug 2015 00:04:57 -0700 

On Mon, 17 Aug 2015, Tomas Babej wrote:



On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:

Hi,

see commit message for details.





Hi,

code-wise this looks good to me. Unfortunately, I have not been able to
verify in my setup that it fixes the issue in the linked BZ:

$ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
ipa-ad-trust --admin Administrator --password
------------------------------------------------
Added Active Directory trust for realm "ad.test"
------------------------------------------------
 Realm name: ad.test
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                         S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                         S-1-1, S-1-0, S-1-5-19, S-1-5-18
 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                         S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                         S-1-1, S-1-0, S-1-5-19, S-1-5-18
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 Trust status: Established and verified

$ idrange-find

----------------
2 ranges matched
----------------
 Range name: AD.TEST_id_range
 First Posix ID of the range: 191200000
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
 Range type: Active Directory domain range

 Range name: IPA.TEST_id_range
 First Posix ID of the range: 695200000
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 100000000
 Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

However, I have one child subdomain in the setup:

$ ipa trustdomain-find
Realm name: ad.test
 Domain name: ad.test
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
 Domain enabled: True

 Domain name: sub.ad.test
 Domain NetBIOS name: SUB
 Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
 Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Look for AVCs, if there are any.

Also start abrtd and it should pick up any python exceptions in the
helper as 'crashes'.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code






















					Reply via email to