On Tue, 18 Aug 2015, Alexander Bokovoy wrote:
On Mon, 17 Aug 2015, Tomas Babej wrote:



On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
On Mon, 17 Aug 2015, Tomas Babej wrote:


On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
Hi,

see commit message for details.




Hi,

code-wise this looks good to me. Unfortunately, I have not been able to
verify in my setup that it fixes the issue in the linked BZ:

$ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password
------------------------------------------------
Added Active Directory trust for realm "ad.test"
------------------------------------------------
Realm name: ad.test
Domain NetBIOS name: AD
Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                        S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                        S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                        S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                        S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified

$ idrange-find

----------------
2 ranges matched
----------------
Range name: AD.TEST_id_range
First Posix ID of the range: 191200000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
Range type: Active Directory domain range

Range name: IPA.TEST_id_range
First Posix ID of the range: 695200000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

However, I have one child subdomain in the setup:

$ ipa trustdomain-find
Realm name: ad.test
Domain name: ad.test
Domain NetBIOS name: AD
Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
Domain enabled: True

Domain name: sub.ad.test
Domain NetBIOS name: SUB
Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
Look for AVCs, if there are any.

Also start abrtd and it should pick up any python exceptions in the
helper as 'crashes'.


Right. Insufficient LDAP permissions caused the following backtrace in
the oddjob helper:

ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.

Traceback (most recent call last):
  File "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", line 216, in <module>
    trusted_domain, name, **dom)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 347, in add_range
    ipanttrusteddomainsid=dom_sid)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1234, in execute
    self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1145, in wrapped
    return func(*call_args, **call_kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1442, in add_entry
    self.conn.add_s(str(entry.dn), attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 948, in error_handler
    raise errors.ACIError(info=info)
ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.

Local variables in innermost frame:
info: "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'."
arg_desc: None
self: ipaserver.plugins.ldap2.ldap2()
e: INSUFFICIENT_ACCESS({'info': "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n", 'desc': 'Insufficient access'},)
desc: 'Insufficient access'
Updated patch attached.

You can install freeipa from my COPR abbra/freeipa-oneway (you need
mkosek/freeipa-master COPR for dependencies) to test.
.. and use abbra/sssd-kkdcproxy for sssd git master -- you'll need it to
allow SSSD to properly handle keytabs chowned to sssd:sssd by the
helper.

With abbra/freeipa-oneway, abbra/sssd-kkdcproxy, mkosek/freeipa-master
COPR repos I get child AD domains working correctly with one-way trust.


--
/ Alexander Bokovoy
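The failure discussed in this thread is silent from the point of view of `ipa trust-add`: the trust is reported as established and verified, but the oddjob helper that should add an ID range for each child domain dies on an LDAP ACI error, and the only visible symptom is that `ipa idrange-find` lists no range whose trusted-domain SID matches the child domain. The script below is an added example (not code from the thread or from FreeIPA) that cross-checks the two command outputs and reports every enabled trusted domain that has no matching ID range. The sample outputs embedded in it are constructed from the listings posted above; the `check_live()` helper, which runs the real `ipa` commands, assumes a valid admin Kerberos ticket and that `trustdomain-find` is given the trust name as its positional argument.

```python
"""Cross-check `ipa trustdomain-find` against `ipa idrange-find`.

Every enabled trusted domain, including child domains of the forest root,
needs an ID range whose 'Domain SID of the trusted domain' equals the
domain's SID; without it SSSD cannot map that domain's users to POSIX IDs.
The range is created out of band by the trust-fetch-domains helper, so the
trust-add output alone does not tell you whether it succeeded.
"""
import re
import subprocess

# Constructed sample output, copied from the listings in the thread above.
# This is not live data; replace it with the output of the real commands.
TRUSTDOMAIN_FIND = """\
  Realm name: ad.test
  Domain name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain NetBIOS name: SUB
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

IDRANGE_FIND = """\
----------------
2 ranges matched
----------------
  Range name: AD.TEST_id_range
  First Posix ID of the range: 191200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  First Posix ID of the range: 695200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Separator and summary lines printed by the ipa CLI that carry no fields.
_NOISE = re.compile(r"^(-+|\d+ \w+ matched|Number of entries returned \d+)$")


def parse_records(text):
    """Split ipa CLI output into a list of {field: value} dicts.

    Records are separated by blank lines.  A line that carries no 'field:'
    prefix is treated as a wrapped continuation of the previous value, which
    is how long values (SID lists, a SID pushed onto the next line) appear
    when the output is pasted into mail.
    """
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if _NOISE.match(line):
            continue
        if ": " in line or line.endswith(":"):
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
        elif last_key is not None:
            current[last_key] = (current[last_key] + " " + line).strip()
    if current:
        records.append(current)
    return records


def domains_missing_ranges(trustdomain_out, idrange_out):
    """Return [(domain name, SID)] for every enabled trusted domain whose SID
    is not referenced by any ID range."""
    sid_field = "Domain SID of the trusted domain"
    covered = {r[sid_field] for r in parse_records(idrange_out) if sid_field in r}
    missing = []
    for dom in parse_records(trustdomain_out):
        if dom.get("Domain enabled", "True") != "True":
            continue  # disabled domains are not expected to have a range
        sid = dom["Domain Security Identifier"]
        if sid not in covered:
            missing.append((dom["Domain name"], sid))
    return missing


def check_live(trust_name):
    """Run the real commands (assumption: an admin Kerberos ticket is present
    and `ipa trustdomain-find` takes the trust name as its first argument)."""
    run = lambda *argv: subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return domains_missing_ranges(run("ipa", "trustdomain-find", trust_name),
                                  run("ipa", "idrange-find"))


if __name__ == "__main__":
    for name, sid in domains_missing_ranges(TRUSTDOMAIN_FIND, IDRANGE_FIND):
        print("no ID range for %s (%s): check the trust-fetch-domains helper "
              "for AVCs or an abrt crash" % (name, sid))
```

Run against the sample data it reports only sub.ad.test, which is exactly the state Tomas saw before the ACI fix; against a live server, an empty result after `ipa trust-add` is the quick confirmation that the helper got far enough to create the child-domain ranges.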

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
