Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Martin Kosek
On 02/19/2013 10:19 PM, Rob Crittenden wrote:
 Martin Kosek wrote:
 On 01/24/2013 12:01 PM, Martin Kosek wrote:
 When a user tries to perform any action requiring communication with
 a trusted domain, the IPA server tries to retrieve a trust secret on his
 behalf to be able to establish the connection. This happens for
 example during the group-add-member command when an external user is
 being resolved in AD.

 When the user is not a member of the Trust admins group, the retrieval crashes
 and reports an internal error. Catch this exception and instead report a
 properly formatted ACIError.

 

 I hit this error after updating to the latest FreeIPA version with the AD CVE
 fixed.

 Martin


 I filed a ticket to not lose this fix and patch. Attaching an updated patch
 with ticket URL in description.

 Martin

 
 
 The patch fixes the problem but the error is untranslated:
 
 member group: AD\Domain Admins: Insufficient access: 
 Gettext('communication
 with trusted domains is allowed for Trusts administrator group members only',
 domain='ipa', localedir=None)
 
 rob

I think this is just because this string is not in our ipa.pot file yet (will
be when we do Transifex refresh).

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Petr Viktorin

On 02/20/2013 09:15 AM, Martin Kosek wrote:

On 02/19/2013 10:19 PM, Rob Crittenden wrote:

Martin Kosek wrote:

On 01/24/2013 12:01 PM, Martin Kosek wrote:

When a user tries to perform any action requiring communication with
a trusted domain, the IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during the group-add-member command when an external user is
being resolved in AD.

When the user is not a member of the Trust admins group, the retrieval crashes
and reports an internal error. Catch this exception and instead report a
properly formatted ACIError.



I hit this error after updating to the latest FreeIPA version with the AD CVE
fixed.

Martin



I filed a ticket to not lose this fix and patch. Attaching an updated patch
with ticket URL in description.

Martin




The patch fixes the problem but the error is untranslated:

 member group: AD\Domain Admins: Insufficient access: Gettext('communication
with trusted domains is allowed for Trusts administrator group members only',
domain='ipa', localedir=None)

rob


I think this is just because this string is not in our ipa.pot file yet (will
be when we do Transifex refresh).

Martin



I don't have AD so I can't investigate, but this problem is usually due 
to the error being converted to a string instead of using the strerror 
attribute.



--
Petr³



Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Martin Kosek
On 02/20/2013 12:30 PM, Petr Viktorin wrote:
 On 02/20/2013 09:15 AM, Martin Kosek wrote:
 On 02/19/2013 10:19 PM, Rob Crittenden wrote:
 Martin Kosek wrote:
 On 01/24/2013 12:01 PM, Martin Kosek wrote:
 When a user tries to perform any action requiring communication with
 a trusted domain, the IPA server tries to retrieve a trust secret on his
 behalf to be able to establish the connection. This happens for
 example during the group-add-member command when an external user is
 being resolved in AD.

 When the user is not a member of the Trust admins group, the retrieval crashes
 and reports an internal error. Catch this exception and instead report a
 properly formatted ACIError.

 

 I hit this error after updating to the latest FreeIPA version with the AD CVE
 fixed.

 Martin


 I filed a ticket to not lose this fix and patch. Attaching an updated patch
 with ticket URL in description.

 Martin



 The patch fixes the problem but the error is untranslated:

  member group: AD\Domain Admins: Insufficient access:
 Gettext('communication
 with trusted domains is allowed for Trusts administrator group members 
 only',
 domain='ipa', localedir=None)

 rob

 I think this is just because this string is not in our ipa.pot file yet (will
 be when we do Transifex refresh).

 Martin

 
 I don't have AD so I can't investigate, but this problem is usually due to the
 error being converted to a string instead of using the strerror attribute.
 

You are right, attaching a patch which fixes it for group-add-member. But just
by using a quick grep, I see we do not use strerror in a lot of other places;
we may want to open a ticket to fix that too.

Martin

From 0662aedeefec4e8dff621ad7d0f1ead881a559ca Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 24 Jan 2013 11:51:58 +0100
Subject: [PATCH] Avoid internal error when user is not Trust admin

When a user tries to perform any action requiring communication with
a trusted domain, the IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during the group-add-member command when an external user is
being resolved in AD.

When the user is not a member of the Trust admins group, the retrieval crashes
and reports an internal error. Catch this exception and instead report a
properly formatted ACIError. Also make sure that this exception is
properly processed in the group-add-member post callback.

https://fedorahosted.org/freeipa/ticket/3390
---
 ipalib/plugins/group.py |  2 +-
 ipaserver/dcerpc.py | 27 +++
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 4994dacb3218e03e1f92b7c16bf355c8ffa4d6f9..06e80931a0d77beb93b08cdf2637e3c750c1bafa 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -387,7 +387,7 @@ class group_add_member(LDAPAddMember):
 try:
 actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
 except errors.PublicError, e:
-failed_sids.append((sid, unicode(e)))
+failed_sids.append((sid, e.strerror))
 else:
 sids.append(actual_sid)
 restore = []
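Review bot: the `e.strerror` swap on the `failed_sids.append` line is the right fix for the untranslated `Gettext(...)` text reported in this thread, because `strerror` carries the rendered message whereas `unicode(e)` on a PublicError formats the lazy translation object through its repr; `failed_sids` still stores `(sid, message)` tuples, so nothing downstream needs to change. Since the cover mail says a quick grep found `unicode(e)` used in a lot of other places, listing those call sites in the follow-up ticket would help apply the same fix consistently.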
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index b471bccee414281e26eaaf404b59fb3268d37112..140e26f77f6dd405e30fc13422869d9667da6ba0 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -156,10 +156,29 @@ class DomainValidator(object):
   self.ATTR_TRUST_AUTHOUT])
 
 result = dict()
-for entry in entries:
-result[entry[1][self.ATTR_TRUST_PARTNER][0]] = (entry[1][self.ATTR_FLATNAME][0].lower(),
-security.dom_sid(entry[1][self.ATTR_TRUSTED_SID][0]),
-entry[1][self.ATTR_TRUST_AUTHOUT][0])
+for dn, entry in entries:
+try:
+trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
+flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
+trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
+except KeyError, e:
+# Some piece of trusted domain info in LDAP is missing
+# Skip the domain, but leave log entry for investigation
+api.log.warn(Trusted domain '%s' entry misses an attribute: %s,
+dn, e)
+continue
+trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
+
+# We were able to read all Trusted domain attributes but the secret
+# User is not member of trust admins group
+if trust_authout is None:
+raise errors.ACIError(
+
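Review bot: the `api.log.warn(Trusted domain '%s' entry misses an attribute: %s,` line in the new `except KeyError` branch shows no quotes around its format string, and as rendered here it would not parse; please confirm the actual patch reads `api.log.warn("Trusted domain '%s' entry misses an attribute: %s", dn, e)` and that only the mail archive dropped the double quotes. The hunk is also cut off right after `raise errors.ACIError(`, so the `info=` argument and the `result[trust_partner] = ...` assignment cannot be reviewed from this copy.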

Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Rob Crittenden

Martin Kosek wrote:

On 02/20/2013 12:30 PM, Petr Viktorin wrote:

On 02/20/2013 09:15 AM, Martin Kosek wrote:

On 02/19/2013 10:19 PM, Rob Crittenden wrote:

Martin Kosek wrote:

On 01/24/2013 12:01 PM, Martin Kosek wrote:

When a user tries to perform any action requiring communication with
a trusted domain, the IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during the group-add-member command when an external user is
being resolved in AD.

When the user is not a member of the Trust admins group, the retrieval crashes
and reports an internal error. Catch this exception and instead report a
properly formatted ACIError.



I hit this error after updating to the latest FreeIPA version with the AD CVE
fixed.

Martin



I filed a ticket to not lose this fix and patch. Attaching an updated patch
with ticket URL in description.

Martin




The patch fixes the problem but the error is untranslated:

  member group: AD\Domain Admins: Insufficient access:
Gettext('communication
with trusted domains is allowed for Trusts administrator group members only',
domain='ipa', localedir=None)

rob


I think this is just because this string is not in our ipa.pot file yet (will
be when we do Transifex refresh).

Martin



I don't have AD so I can't investigate, but this problem is usually due to the
error being converted to a string instead of using the strerror attribute.



You are right, attaching a patch which fixes it for group-add-member. But just
by using a quick grep, I see we do not use strerror in a lot of other places;
we may want to open a ticket to fix that too.

Martin



ACK, pushed to master and ipa-3-1

I think another ticket for your grep findings would be a good idea.

rob



Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-19 Thread Rob Crittenden

Martin Kosek wrote:

On 01/24/2013 12:01 PM, Martin Kosek wrote:

When a user tries to perform any action requiring communication with
a trusted domain, the IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during the group-add-member command when an external user is
being resolved in AD.

When the user is not a member of the Trust admins group, the retrieval crashes
and reports an internal error. Catch this exception and instead report a
properly formatted ACIError.



I hit this error after updating to the latest FreeIPA version with the AD CVE
fixed.

Martin



I filed a ticket to not lose this fix and patch. Attaching an updated patch
with ticket URL in description.

Martin




The patch fixes the problem but the error is untranslated:

member group: AD\Domain Admins: Insufficient access: 
Gettext('communication with trusted domains is allowed for Trusts 
administrator group members only', domain='ipa', localedir=None)


rob



Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-04 Thread Martin Kosek
On 01/24/2013 12:01 PM, Martin Kosek wrote:
 When a user tries to perform any action requiring communication with
 a trusted domain, the IPA server tries to retrieve a trust secret on his
 behalf to be able to establish the connection. This happens for
 example during the group-add-member command when an external user is
 being resolved in AD.
 
 When the user is not a member of the Trust admins group, the retrieval crashes
 and reports an internal error. Catch this exception and instead report a
 properly formatted ACIError.
 
 
 
 I hit this error after updating to the latest FreeIPA version with the AD CVE
 fixed.
 
 Martin
 

I filed a ticket to not lose this fix and patch. Attaching an updated patch
with ticket URL in description.

Martin

From 99e21a67553aba2b13e11ec1e2514b0eb4f0cfd3 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 24 Jan 2013 11:51:58 +0100
Subject: [PATCH] Avoid internal error when user is not Trust admin

When a user tries to perform any action requiring communication with
a trusted domain, the IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during the group-add-member command when an external user is
being resolved in AD.

When the user is not a member of the Trust admins group, the retrieval crashes
and reports an internal error. Catch this exception and instead report a
properly formatted ACIError.

https://fedorahosted.org/freeipa/ticket/3390
---
 ipaserver/dcerpc.py | 27 +++
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 54a70defc9df52db58054d29c1c9f9189a88cabb..f6c94e52d2a59e88f58bfadf8747ab4b7aeedecb 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -148,10 +148,29 @@ class DomainValidator(object):
   self.ATTR_TRUST_AUTHOUT])
 
 result = dict()
-for entry in entries:
-result[entry[1][self.ATTR_TRUST_PARTNER][0]] = (entry[1][self.ATTR_FLATNAME][0].lower(),
-security.dom_sid(entry[1][self.ATTR_TRUSTED_SID][0]),
-entry[1][self.ATTR_TRUST_AUTHOUT][0])
+for dn, entry in entries:
+try:
+trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
+flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
+trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
+except KeyError, e:
+# Some piece of trusted domain info in LDAP is missing
+# Skip the domain, but leave log entry for investigation
+api.log.warn(Trusted domain '%s' entry misses an attribute: %s,
+dn, e)
+continue
+trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
+
+# We were able to read all Trusted domain attributes but the secret
+# User is not member of trust admins group
+if trust_authout is None:
+raise errors.ACIError(
+info=_('communication with trusted domains is allowed '
+   'for Trusts administrator group members only'))
+
+result[trust_partner] = (flatname_normalized,
+ security.dom_sid(trusted_sid),
+ trust_authout)
 return result
 except errors.NotFound, e:
 return []
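Review bot: the trailing context `except errors.NotFound, e: return []` returns a list while the success path returns `result`, a dict, so a caller that indexes the return value or calls `.get()` on it will fail on the NotFound path; returning `dict()` there (or just `result`) keeps the type stable. Two smaller points in the new loop body: `entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]` still raises IndexError when the attribute is present but empty, which `(entry.get(self.ATTR_TRUST_AUTHOUT) or [None])[0]` avoids, and the `api.log.warn(Trusted domain '%s' ...` call appears here without quotes around its format string, which should be checked against the real file before pushing.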
-- 
1.8.1

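The two things this thread turns on, as an added Python example that is not FreeIPA's code: Petr's point that `unicode(e)` on a PublicError yields the `Gettext(...)` repr while `e.strerror` yields the rendered message, and the dcerpc change that turns an ACI-filtered read of the outgoing trust secret into an ACIError instead of a KeyError (an internal error). It is Python 3, so `str(e)` plays the role of the `unicode(e)` call in the group.py hunk. `LazyText`, `PublicError`, `ACIError`, the two `build_trust_map_*` functions, `classify`, `lookup_failure_message` and the LDAP attribute-name constants are simplified stand-ins I am assuming for illustration, not the ipalib API, and the three entry lists are constructed.

```python
# LDAP attribute names, used as plain strings (assumed names for this example).
ATTR_TRUST_PARTNER = "ipaNTTrustPartner"
ATTR_FLATNAME = "ipaNTFlatName"
ATTR_TRUSTED_SID = "ipaNTTrustedDomainSID"
ATTR_TRUST_AUTHOUT = "ipaNTTrustAuthOutgoing"

class LazyText:
    """Stand-in for ipalib's deferred-translation Gettext object: translation
    happens only when the object is called. Deliberately no __str__, so
    "%s" % obj falls back to __repr__, the "Gettext('...')" text from the thread."""

    def __init__(self, msg, domain="ipa"):
        self.msg, self.domain = msg, domain

    def __call__(self):
        return self.msg  # a real implementation would look up the translation here

    def __repr__(self):
        return "Gettext(%r, domain=%r, localedir=None)" % (self.msg, self.domain)

def _(msg):
    return LazyText(msg)

class PublicError(Exception):
    """User-visible error. strerror renders lazy arguments before interpolating;
    the bare exception message (what unicode(e)/str(e) returns) interpolates the
    raw objects, so lazy text leaks as its repr."""
    format = _("%(reason)s")

    def __init__(self, **kw):
        rendered = {k: (v() if isinstance(v, LazyText) else v) for k, v in kw.items()}
        self.strerror = self.format() % rendered
        super().__init__(self.format() % kw)

class ACIError(PublicError):
    format = _("Insufficient access: %(info)s")

def build_trust_map_before(entries):
    """Pre-patch shape: attributes are indexed unconditionally, so a secret hidden
    by ACI surfaces as KeyError, which the framework reports as an internal error."""
    result = {}
    for _dn, entry in entries:
        result[entry[ATTR_TRUST_PARTNER][0]] = (entry[ATTR_FLATNAME][0].lower(),
                                                entry[ATTR_TRUSTED_SID][0],
                                                entry[ATTR_TRUST_AUTHOUT][0])
    return result

def build_trust_map_after(entries, log=None):
    """Post-patch shape: an entry missing a non-secret attribute is logged and
    skipped; a missing outgoing-auth secret becomes a proper ACIError."""
    result = {}
    for dn, entry in entries:
        try:
            partner = entry[ATTR_TRUST_PARTNER][0]
            flatname = entry[ATTR_FLATNAME][0].lower()
            sid = entry[ATTR_TRUSTED_SID][0]
        except KeyError as e:
            if log is not None:
                log.append("Trusted domain '%s' entry misses an attribute: %s" % (dn, e))
            continue
        # "or [None]" also covers an attribute that is present but empty
        authout = (entry.get(ATTR_TRUST_AUTHOUT) or [None])[0]
        if authout is None:
            raise ACIError(info=_("communication with trusted domains is allowed "
                                  "for Trusts administrator group members only"))
        result[partner] = (flatname, sid, authout)
    return result

def classify(builder, entries):
    """'ok', 'access-denied' (a PublicError the framework can show) or 'internal-error'."""
    try:
        builder(entries)
    except PublicError:
        return "access-denied"
    except Exception:
        return "internal-error"
    return "ok"

def lookup_failure_message(entries, use_strerror):
    """Mimics the group-add-member callback: record the failure reason via
    str(e) (the unicode(e) path before the fix) or via e.strerror (after)."""
    try:
        build_trust_map_after(entries)
    except PublicError as e:
        return e.strerror if use_strerror else str(e)
    return None

# Constructed sample entries in the (dn, attrs) shape an LDAP search returns:
# a Trust admin can read the secret, for a plain user ACI filters it out.
AS_TRUST_ADMIN = [("cn=ad.example.test,cn=ad,cn=trusts,dc=ipa,dc=test",
                   {ATTR_TRUST_PARTNER: ["ad.example.test"], ATTR_FLATNAME: ["AD"],
                    ATTR_TRUSTED_SID: ["S-1-5-21-1-2-3"],
                    ATTR_TRUST_AUTHOUT: ["<opaque-secret-blob>"]})]
AS_PLAIN_USER = [(dn, {k: v for k, v in attrs.items() if k != ATTR_TRUST_AUTHOUT})
                 for dn, attrs in AS_TRUST_ADMIN]
BROKEN = [("cn=broken.test,cn=ad,cn=trusts,dc=ipa,dc=test",
           {ATTR_TRUST_PARTNER: ["broken.test"]})]
```

Running `lookup_failure_message(AS_PLAIN_USER, False)` reproduces the `Insufficient access: Gettext('communication with trusted domains ...', domain='ipa', localedir=None)` text Rob saw, while the `True` variant returns the rendered message; `classify(build_trust_map_before, AS_PLAIN_USER)` shows the pre-patch KeyError path that surfaced as an internal error, and `build_trust_map_after(BROKEN + AS_TRUST_ADMIN, log)` shows the skip-and-log path for a malformed entry.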