On 08/18/2015 11:56 AM, Alexander Bokovoy wrote:
> On Tue, 18 Aug 2015, Alexander Bokovoy wrote:
>> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>
>>> On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
>>>> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>>>
>>>>> On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
>>>>>> Hi,
>>>>>>
>>>>>> see commit message for details.
>>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> code-wise this looks good to me. Unfortunately, I have not been
>>>>> able to verify in my setup that it fixes the issue in the linked BZ:
>>>>>
>>>>> $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password
>>>>> ------------------------------------------------
>>>>> Added Active Directory trust for realm "ad.test"
>>>>> ------------------------------------------------
>>>>>   Realm name: ad.test
>>>>>   Domain NetBIOS name: AD
>>>>>   Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>>>   SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>>>>>                           S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>>>>>                           S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>>>>>                           S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>>>>>                           S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>>>   SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>>>>>                           S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>>>>>                           S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>>>>>                           S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>>>>>                           S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>>>   Trust direction: Trusting forest
>>>>>   Trust type: Active Directory domain
>>>>>   Trust status: Established and verified
>>>>>
>>>>> $ idrange-find
>>>>> ----------------
>>>>> 2 ranges matched
>>>>> ----------------
>>>>>   Range name: AD.TEST_id_range
>>>>>   First Posix ID of the range: 191200000
>>>>>   Number of IDs in the range: 200000
>>>>>   First RID of the corresponding RID range: 0
>>>>>   Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
>>>>>   Range type: Active Directory domain range
>>>>>
>>>>>   Range name: IPA.TEST_id_range
>>>>>   First Posix ID of the range: 695200000
>>>>>   Number of IDs in the range: 200000
>>>>>   First RID of the corresponding RID range: 1000
>>>>>   First RID of the secondary RID range: 100000000
>>>>>   Range type: local domain range
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>> ----------------------------
>>>>>
>>>>> However, I have one child subdomain in the setup:
>>>>>
>>>>> $ ipa trustdomain-find
>>>>>   Realm name: ad.test
>>>>>   Domain name: ad.test
>>>>>   Domain NetBIOS name: AD
>>>>>   Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>>>   Domain enabled: True
>>>>>
>>>>>   Domain name: sub.ad.test
>>>>>   Domain NetBIOS name: SUB
>>>>>   Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
>>>>>   Domain enabled: True
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>> ----------------------------
>>>> Look for AVCs, if there are any.
>>>>
>>>> Also start abrtd and it should pick up any python exceptions in the
>>>> helper as 'crashes'.
>>>>
>>>
>>> Right. Insufficient LDAP permissions caused the following backtrace in
>>> the oddjob helper:
>>>
>>> ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>>
>>> Traceback (most recent call last):
>>>   File "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", line 216, in <module>
>>>     trusted_domain, name, **dom)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 347, in add_range
>>>     ipanttrusteddomainsid=dom_sid)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>>     ret = self.run(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>>     return self.execute(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1234, in execute
>>>     self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1145, in wrapped
>>>     return func(*call_args, **call_kwargs)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1442, in add_entry
>>>     self.conn.add_s(str(entry.dn), attrs.items())
>>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>     self.gen.throw(type, value, traceback)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 948, in error_handler
>>>     raise errors.ACIError(info=info)
>>> ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>>
>>> Local variables in innermost frame:
>>> info: "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'."
>>> arg_desc: None
>>> self: ipaserver.plugins.ldap2.ldap2()
>>> e: INSUFFICIENT_ACCESS({'info': "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n", 'desc': 'Insufficient access'},)
>>> desc: 'Insufficient access'
>> Updated patch attached.
>>
>> You can install freeipa from my COPR abbra/freeipa-oneway (you need
>> mkosek/freeipa-master COPR for dependencies) to test.
> .. and use abbra/sssd-kkdcproxy for sssd git master -- you'll need it to
> allow SSSD to properly handle keytabs chowned to sssd:sssd by the
> helper.
>
> With abbra/freeipa-oneway, abbra/sssd-kkdcproxy, mkosek/freeipa-master
> COPR repos I get child AD domains working correctly with one-way trust.
>

This works as expected, ID range for subdomain is added.

$ ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password
------------------------------------------------
Added Active Directory trust for realm "ad.test"
------------------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
  ...
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

$ ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: AD.TEST_id_range
  ...
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  ...
  Range type: local domain range

  Range name: SUB.AD.TEST_id_range
  ...
  Range type: Active Directory domain range
----------------------------
Number of entries returned 3
----------------------------

ACK

Tomas

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
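The failure Tomas diagnosed above (a child domain listed by `ipa trustdomain-find` but no matching entry under cn=ranges because the oddjob helper lacked the 'add' ACI) is easy to miss: trust-add reports success and only the subdomain's users fail to resolve later. The following script is an added example, not code from the thread or from the FreeIPA project. It parses the plain-text output of `ipa trustdomain-find` and `ipa idrange-find` (the sample output below is constructed from the values quoted in the thread) and reports every trusted domain whose SID is not referenced by any ID range, plus any pair of ranges whose POSIX ID intervals overlap. The parsing is keyed on the "key: value" layout of the ipa CLI as shown in the thread; the field names are the ones printed there, and `parse_entries`, `missing_ranges` and `overlapping_ranges` are names chosen here.

```python
"""Cross-check FreeIPA trusted domains against configured ID ranges.

Added example (not FreeIPA project code). Run it with the two command
outputs pasted into the constants below, or feed it live output from
`ipa trustdomain-find` and `ipa idrange-find`.
"""
import re

# Constructed sample, copied from the values quoted in the thread:
# two trusted domains (forest root and one child) ...
TRUSTDOMAIN_FIND_OUTPUT = """\
  Realm name: ad.test
  Domain name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain NetBIOS name: SUB
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

# ... but only two ID ranges, none of them for the child domain's SID.
IDRANGE_FIND_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: AD.TEST_id_range
  First Posix ID of the range: 191200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  First Posix ID of the range: 695200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""

SID_KEY = "Domain SID of the trusted domain"


def parse_entries(text, start_key):
    """Turn ipa CLI "key: value" output into a list of dicts, one per entry.

    A new entry starts each time `start_key` (e.g. "Domain name") appears.
    Separator lines and the "Number of entries returned" trailer carry no
    colon and are skipped; any "key: value" line seen before the first
    `start_key` (such as "Realm name") belongs to no entry and is dropped.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == start_key:
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries


def missing_ranges(trustdomain_output, idrange_output):
    """Return the trusted-domain entries that no ID range refers to.

    The match is on the domain SID, not the range name: SSSD maps a user's
    SID (domain SID + RID) to a POSIX ID through the range, so a domain
    without a range for its SID cannot resolve any of its users.
    """
    domains = parse_entries(trustdomain_output, "Domain name")
    ranges = parse_entries(idrange_output, "Range name")
    covered = {r[SID_KEY] for r in ranges if SID_KEY in r}
    return [d for d in domains
            if d.get("Domain Security Identifier") not in covered]


def overlapping_ranges(idrange_output):
    """Return (name, name) pairs of ranges whose POSIX ID intervals overlap.

    Overlap would let one UID belong to two domains, so IPA refuses to
    create such ranges; this re-checks the invariant on the live output.
    """
    spans = []
    for r in parse_entries(idrange_output, "Range name"):
        base = int(r["First Posix ID of the range"])
        size = int(r["Number of IDs in the range"])
        spans.append((r["Range name"], base, base + size - 1))
    clashes = []
    for i, (n1, lo1, hi1) in enumerate(spans):
        for n2, lo2, hi2 in spans[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                clashes.append((n1, n2))
    return clashes


if __name__ == "__main__":
    for d in missing_ranges(TRUSTDOMAIN_FIND_OUTPUT, IDRANGE_FIND_OUTPUT):
        print("no ID range for trusted domain %s (%s)"
              % (d["Domain name"], d["Domain Security Identifier"]))
    for a, b in overlapping_ranges(IDRANGE_FIND_OUTPUT):
        print("overlapping POSIX ID ranges: %s and %s" % (a, b))
```

On the sample above the script names sub.ad.test as the domain without a range; once the helper can add SUB.AD.TEST_id_range (as in the final `ipa idrange-find` run of the thread, where three ranges are listed) the list is empty. Because the helper runs out of band of the trust-add command, a check like this, run after trust establishment or from monitoring, is the practical way to catch a silently failed range creation.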