On 08/18/2015 11:56 AM, Alexander Bokovoy wrote:
> On Tue, 18 Aug 2015, Alexander Bokovoy wrote:
>> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>
>>>
>>> On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
>>>> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>>>
>>>>>
>>>>> On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
>>>>>> Hi,
>>>>>>
>>>>>> see commit message for details.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> code-wise this looks good to me. Unfortunately, I have not been
>>>>> able to
>>>>> verify in my setup that it fixes the issue in the linked BZ:
>>>>>
>>>>> $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
>>>>> ipa-ad-trust --admin Administrator --password
>>>>> ------------------------------------------------
>>>>> Added Active Directory trust for realm "ad.test"
>>>>> ------------------------------------------------
>>>>> Realm name: ad.test
>>>>> Domain NetBIOS name: AD
>>>>> Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>>> SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>>>>> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>>>>>                         S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>>>>> S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>>>>>                         S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>>> SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>>>>> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>>>>>                         S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
>>>>> S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>>>>>                         S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>>> Trust direction: Trusting forest
>>>>> Trust type: Active Directory domain
>>>>> Trust status: Established and verified
>>>>>
>>>>> $ idrange-find
>>>>>
>>>>> ----------------
>>>>> 2 ranges matched
>>>>> ----------------
>>>>> Range name: AD.TEST_id_range
>>>>> First Posix ID of the range: 191200000
>>>>> Number of IDs in the range: 200000
>>>>> First RID of the corresponding RID range: 0
>>>>> Domain SID of the trusted domain:
>>>>> S-1-5-21-1469936554-2294197481-461507924
>>>>> Range type: Active Directory domain range
>>>>>
>>>>> Range name: IPA.TEST_id_range
>>>>> First Posix ID of the range: 695200000
>>>>> Number of IDs in the range: 200000
>>>>> First RID of the corresponding RID range: 1000
>>>>> First RID of the secondary RID range: 100000000
>>>>> Range type: local domain range
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>> ----------------------------
>>>>>
>>>>> However, I have one child subdomain in the setup:
>>>>>
>>>>> $ ipa trustdomain-find
>>>>> Realm name: ad.test
>>>>> Domain name: ad.test
>>>>> Domain NetBIOS name: AD
>>>>> Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>>> Domain enabled: True
>>>>>
>>>>> Domain name: sub.ad.test
>>>>> Domain NetBIOS name: SUB
>>>>> Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
>>>>> Domain enabled: True
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>> ----------------------------
>>>> Look for AVCs, if there are any.
>>>>
>>>> Also start abrtd and it should pick up any python exceptions in the
>>>> helper as 'crashes'.
>>>>
>>>
>>> Right. Insufficient LDAP permissions caused the following backtrace in
>>> the oddjob helper:
>>>
>>> ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient
>>> 'add' privilege to add the entry
>>> 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>>
>>> Traceback (most recent call last):
>>> File "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", line 216,
>>> in <module>
>>>   trusted_domain, name, **dom)
>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line
>>> 347, in add_range
>>>   ipanttrusteddomainsid=dom_sid)
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443,
>>> in __call__
>>>   ret = self.run(*args, **options)
>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760,
>>> in run
>>>   return self.execute(*args, **options)
>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
>>> line 1234, in execute
>>>   self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
>>> File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
>>> line 1145, in wrapped
>>>   return func(*call_args, **call_kwargs)
>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>> 1442, in add_entry
>>>   self.conn.add_s(str(entry.dn), attrs.items())
>>> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>   self.gen.throw(type, value, traceback)
>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>> 948, in error_handler
>>>   raise errors.ACIError(info=info)
>>> ACIError: Insufficient access: Insufficient 'add' privilege to add the
>>> entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>>
>>> Local variables in innermost frame:
>>> info: "Insufficient 'add' privilege to add the entry
>>> 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'."
>>> arg_desc: None
>>> self: ipaserver.plugins.ldap2.ldap2()
>>> e: INSUFFICIENT_ACCESS({'info': "Insufficient 'add' privilege to add the
>>> entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n",
>>> 'desc': 'Insufficient access'},)
>>> desc: 'Insufficient access'
>> Updated patch attached.
>>
>> You can install freeipa from my COPR abbra/freeipa-oneway (you need
>> mkosek/freeipa-master COPR for dependencies) to test.
> .. and use abbra/sssd-kkdcproxy for sssd git master -- you'll need it to
> allow SSSD to properly handle keytabs chowned to sssd:sssd by the
> helper.
> 
> With abbra/freeipa-oneway, abbra/sssd-kkdcproxy, mkosek/freeipa-master
> COPR repos I get child AD domains working correctly with one-way trust.
> 
> 

This works as expected, ID range for subdomain is added.

$ ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin
Administrator --password
------------------------------------------------
Added Active Directory trust for realm "ad.test"
------------------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
...
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

$ ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: AD.TEST_id_range
...
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
...
  Range type: local domain range

  Range name: SUB.AD.TEST_id_range
...
  Range type: Active Directory domain range
----------------------------
Number of entries returned 3
----------------------------


ACK


Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
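The check done by hand above, confirming that every domain listed by `ipa trustdomain-find` has a matching ID range in `ipa idrange-find`, can be automated. The script below is an added example for this page, not code from the thread or from FreeIPA: it parses constructed sample output built from the values quoted in the thread, reports trusted domains with no Active Directory ID range, and also flags POSIX ID ranges that overlap. The base POSIX ID given to the SUB.AD.TEST range is an assumption, since the thread elides it.

```python
"""Cross-check `ipa trustdomain-find` against `ipa idrange-find`.

Added example (not FreeIPA code): parses the plain-text output of the two
commands, in the layout shown in the thread, and reports trusted domains
with no Active Directory ID range plus overlapping POSIX ID ranges.  All
sample output is constructed from values quoted in the thread; the
SUB.AD.TEST base ID is an assumption, since the thread elides it.
"""

# Constructed `ipa trustdomain-find` output (values from the thread).
TRUSTDOMAIN_OUTPUT = """\
  Realm name: ad.test
  Domain name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain NetBIOS name: SUB
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

AD_RANGE = """\
  Range name: AD.TEST_id_range
  First Posix ID of the range: 191200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range"""

LOCAL_RANGE = """\
  Range name: IPA.TEST_id_range
  First Posix ID of the range: 695200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range"""

# The SID is wrapped onto its own line, as the CLI does for long values;
# the base ID 1009400000 is assumed (the thread does not show it).
SUB_RANGE = """\
  Range name: SUB.AD.TEST_id_range
  First Posix ID of the range: 1009400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain:
S-1-5-21-10134726-2575992721-4229914074
  Range type: Active Directory domain range"""


def find_output(*entries):
    """Wrap entry blocks in the header/footer `ipa idrange-find` prints."""
    n = len(entries)
    return (f"{'-' * 16}\n{n} ranges matched\n{'-' * 16}\n"
            + "\n\n".join(entries)
            + f"\n{'-' * 28}\nNumber of entries returned {n}\n{'-' * 28}\n")


IDRANGE_BEFORE_FIX = find_output(AD_RANGE, LOCAL_RANGE)  # subdomain range missing
IDRANGE_AFTER_FIX = find_output(AD_RANGE, LOCAL_RANGE, SUB_RANGE)


def parse_entries(text):
    """Turn `ipa *-find` output into a list of {attribute: value} dicts.

    Entries are separated by blank lines or dashed rules; a line without a
    colon continues the previous attribute (the CLI wraps long values).
    """
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Number of entries"):
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip()
            current[last_key] = value.strip()
        elif last_key is not None:
            current[last_key] = (current[last_key] + " " + line).strip()
    if current:
        entries.append(current)
    return entries


def missing_ranges(trustdomain_text, idrange_text):
    """Trusted domain names whose SID has no 'Active Directory domain range'."""
    covered = {r.get("Domain SID of the trusted domain")
               for r in parse_entries(idrange_text)
               if r.get("Range type") == "Active Directory domain range"}
    return [d["Domain name"] for d in parse_entries(trustdomain_text)
            if d.get("Domain Security Identifier") not in covered]


def overlapping_ranges(idrange_text):
    """Pairs of range names whose POSIX ID intervals intersect.

    IPA and SSSD map RIDs under a domain SID onto POSIX IDs through these
    ranges, so two ranges sharing IDs would let accounts from different
    domains collide on the same UID/GID.
    """
    spans = []
    for r in parse_entries(idrange_text):
        base = int(r["First Posix ID of the range"])
        size = int(r["Number of IDs in the range"])
        spans.append((r["Range name"], base, base + size - 1))
    clashes = []
    for i, (n1, lo1, hi1) in enumerate(spans):
        for n2, lo2, hi2 in spans[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                clashes.append((n1, n2))
    return clashes


if __name__ == "__main__":
    for label, text in (("before fix", IDRANGE_BEFORE_FIX),
                        ("after fix", IDRANGE_AFTER_FIX)):
        print(label, "missing:", missing_ranges(TRUSTDOMAIN_OUTPUT, text),
              "overlaps:", overlapping_ranges(text))
```

On a real server the two constants would be replaced by the captured stdout of `ipa trustdomain-find` and `ipa idrange-find`; the parser tolerates the wrapped SID lines seen in the thread. A non-empty result from `missing_ranges` is the symptom Tomas hit before the updated patch (the helper failed to add `cn=SUB.AD.TEST_id_range` for lack of an LDAP 'add' privilege), so it is worth running after every `ipa trust-add` against a forest with child domains.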