On 08/18/2015 06:00 PM, Tomas Babej wrote:
> On 08/18/2015 11:56 AM, Alexander Bokovoy wrote:
>> On Tue, 18 Aug 2015, Alexander Bokovoy wrote:
>>> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>> On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
>>>>> On Mon, 17 Aug 2015, Tomas Babej wrote:
>>>>>> On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> see commit message for details.
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> code-wise this looks good to me. Unfortunately, I have not been able to
>>>>>> verify in my setup that it fixes the issue in the linked BZ:
>>>>>>
>>>>>> $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password
>>>>>> ------------------------------------------------
>>>>>> Added Active Directory trust for realm "ad.test"
>>>>>> ------------------------------------------------
>>>>>>   Realm name: ad.test
>>>>>>   Domain NetBIOS name: AD
>>>>>>   Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>>>>   SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>>>>   SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>>>>>>   Trust direction: Trusting forest
>>>>>>   Trust type: Active Directory domain
>>>>>>   Trust status: Established and verified
>>>>>>
>>>>>> $ idrange-find
>>>>>> ----------------
>>>>>> 2 ranges matched
>>>>>> ----------------
>>>>>>   Range name: AD.TEST_id_range
>>>>>>   First Posix ID of the range: 191200000
>>>>>>   Number of IDs in the range: 200000
>>>>>>   First RID of the corresponding RID range: 0
>>>>>>   Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
>>>>>>   Range type: Active Directory domain range
>>>>>>
>>>>>>   Range name: IPA.TEST_id_range
>>>>>>   First Posix ID of the range: 695200000
>>>>>>   Number of IDs in the range: 200000
>>>>>>   First RID of the corresponding RID range: 1000
>>>>>>   First RID of the secondary RID range: 100000000
>>>>>>   Range type: local domain range
>>>>>> ----------------------------
>>>>>> Number of entries returned 2
>>>>>> ----------------------------
>>>>>>
>>>>>> However, I have one child subdomain in the setup:
>>>>>>
>>>>>> $ ipa trustdomain-find
>>>>>>   Realm name: ad.test
>>>>>>   Domain name: ad.test
>>>>>>   Domain NetBIOS name: AD
>>>>>>   Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
>>>>>>   Domain enabled: True
>>>>>>
>>>>>>   Domain name: sub.ad.test
>>>>>>   Domain NetBIOS name: SUB
>>>>>>   Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
>>>>>>   Domain enabled: True
>>>>>> ----------------------------
>>>>>> Number of entries returned 2
>>>>>> ----------------------------
>>>>>
>>>>> Look for AVCs, if there are any. Also start abrtd and it should pick up
>>>>> any python exceptions in the helper as 'crashes'.
>>>>
>>>> Right. Insufficient LDAP permissions caused the following backtrace in
>>>> the oddjob helper:
>>>>
>>>> ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>>> Traceback (most recent call last):
>>>>   File "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", line 216, in <module>
>>>>     trusted_domain, name, **dom)
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 347, in add_range
>>>>     ipanttrusteddomainsid=dom_sid)
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>>>     ret = self.run(*args, **options)
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
>>>>     return self.execute(*args, **options)
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1234, in execute
>>>>     self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
>>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1145, in wrapped
>>>>     return func(*call_args, **call_kwargs)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1442, in add_entry
>>>>     self.conn.add_s(str(entry.dn), attrs.items())
>>>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>     self.gen.throw(type, value, traceback)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 948, in error_handler
>>>>     raise errors.ACIError(info=info)
>>>> ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
>>>>
>>>> Local variables in innermost frame:
>>>>   info: "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'."
>>>>   arg_desc: None
>>>>   self: ipaserver.plugins.ldap2.ldap2()
>>>>   e: INSUFFICIENT_ACCESS({'info': "Insufficient 'add' privilege to add the entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n", 'desc': 'Insufficient access'},)
>>>>   desc: 'Insufficient access'
>>>
>>> Updated patch attached. You can install freeipa from my COPR
>>> abbra/freeipa-oneway (you need mkosek/freeipa-master COPR for
>>> dependencies) to test... and use abbra/sssd-kkdcproxy for sssd git master
>>> -- you'll need it to allow SSSD to properly handle keytabs chowned to
>>> sssd:sssd by the helper.
>>
>> With abbra/freeipa-oneway, abbra/sssd-kkdcproxy, mkosek/freeipa-master
>> COPR repos I get child AD domains working correctly with one-way trust.
>
> This works as expected, ID range for subdomain is added.
>
> $ ipa trust-add --type=ad ad.test --range-type ipa-ad-trust --admin Administrator --password
> ------------------------------------------------
> Added Active Directory trust for realm "ad.test"
> ------------------------------------------------
>   Realm name: ad.test
>   Domain NetBIOS name: AD
>   ...
>   Trust direction: Trusting forest
>   Trust type: Active Directory domain
>   Trust status: Established and verified
>
> $ ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: AD.TEST_id_range
>   ...
>   Range type: Active Directory domain range
>
>   Range name: IPA.TEST_id_range
>   ...
>   Range type: local domain range
>
>   Range name: SUB.AD.TEST_id_range
>   ...
>   Range type: Active Directory domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> ACK
>
> Tomas
Pushed to:
master: 3692a1c57f5d404a61a01623ef732234ccbbdffd
ipa-4-2: c30baa9bb9dfa5a5de7685e9203f3eae95dec22a
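As an added example (not code from this thread or from FreeIPA itself), a small Python check that parses the `Key: value` output of `ipa trustdomain-find` and `ipa idrange-find` and reports every enabled trusted domain whose SID has no Active Directory ID range, which is exactly the symptom seen above before the fix. The embedded sample output is constructed from the values quoted in the thread, reduced to the fields the check needs.

```python
# Constructed sample output modelled on the thread (state before the fix):
# two trusted domains, but only the forest root has an ID range.
TRUSTDOMAIN_FIND = """\
  Domain name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain NetBIOS name: SUB
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""
IDRANGE_FIND = """\
  Range name: AD.TEST_id_range
  Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  Range type: local domain range
"""

def parse_entries(text):
    """Split ipa *-find output into one dict per blank-line-separated entry;
    rule and summary lines carry no ':' and are skipped."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries

def domains_without_range(trustdomain_out, idrange_out):
    """(name, SID) of each enabled trusted domain whose SID has no AD domain range."""
    ranged = {r.get("Domain SID of the trusted domain")
              for r in parse_entries(idrange_out)
              if r.get("Range type") == "Active Directory domain range"}
    return [(d["Domain name"], d["Domain Security Identifier"])
            for d in parse_entries(trustdomain_out)
            if d.get("Domain enabled") == "True"
            and d["Domain Security Identifier"] not in ranged]
```

Run against real output by feeding the two commands' stdout into `domains_without_range`; an empty list means every trusted (sub)domain has its range, as in Tomas's final run.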
