Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
Alexander Bokovoy wrote:
> On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
> > > On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > > > On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
> > > > > On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > > > > > On 09/18/2012 02:15 PM, Sumit Bose wrote:
> > > > > > > On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> > > > > > > > On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > Following patch adds trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
> > > > > > > > >
> > > > > > > > > As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are few RPCs that should be performed against trusted domain's DC's LSA and NetLogon pipes and these are protected by administrative credentials.
> > > > > > > > >
> > > > > > > > > Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
> > > > > > > > >
> > > > > > > > > https://fedorahosted.org/freeipa/ticket/2763
> > > > > > > >
> > > > > > > > Just a short feedback. The patch is working as expected, for a newly created trust Windows will send a TGS request to the IPA KDC without explicit validation on the windows side. Currently I have some issues in my test setup so that I can not give a full ACK atm.
> > > > > > >
> > > > > > > ok, ACK. Nevertheless it would be nice if Petr can check for any implications to the web UI with respect to the status of the trust.
> > > > > >
> > > > > > It shouldn't break Web UI but Web UI won't use it. In add command Web UI uses only the command state (success/error). If the truststatus text would be a part of command summary text, it can be displayed in notification message (which fades after 3s) when comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.
> > > > >
> > > > > It is displayed as part of the output, truststatus property:
> > > > >
> > > > > # ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
> > > > > Active directory domain adminstrator's password:
> > > > > -
> > > > > Added Active Directory trust for realm "ad.local"
> > > > > -
> > > > >   Realm name: ad.local
> > > > >   Domain NetBIOS name: AD
> > > > >   Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
> > > > >   Trust direction: Two-way trust
> > > > >   Trust type: Active Directory domain
> > > > >   Trust status: Established and verified
> > > > >
> > > > > Would be good if you could take it in use.
> > > >
> > > > I created a patch which uses it. See attached screenshots. It may be useful but, as I wrote, the message is displayed only for 3s, so some users might not have time to read it whole - message is too long.
> > >
> > > Well, as we don't have other means to show this information right now, that's good too. Maybe notification message timer could be possible to tune per instance? Then we could have, say, 5 seconds timeout here and keep 3 seconds as default one...
> >
> > I tuned it. Updated patch attached.
>
> ACK. Worked fine for me.

Pushed 073 and 215.1 to ipa-3-0 and master

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Tue, 18 Sep 2012, Petr Vobornik wrote:
> I tuned it. Updated patch attached.

ACK. Worked fine for me.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
> Well, as we don't have other means to show this information right now, that's good too. Maybe notification message timer could be possible to tune per instance? Then we could have, say, 5 seconds timeout here and keep 3 seconds as default one...

I tuned it. Updated patch attached.

--
Petr Vobornik

From 4ec95483604c22119f3fa1405103558176e07784 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Tue, 18 Sep 2012 17:12:59 +0200 Subject: [PATCH] Show trust status in add success notification Web UI notification of 'Add verification step after trust creation' https://fedorahosted.org/freeipa/ticket/2763 --- install/ui/add.js | 13 + install/ui/ipa.js | 4 ++-- install/ui/trust.js | 18 ++ 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/install/ui/add.js b/install/ui/add.js index d855879452e5812c8c7fbae7bc9d1ff9035f1a6e..a5e30092f10495266351674b37fc8fa912af0fbe 100644 --- a/install/ui/add.js +++ b/install/ui/add.js @@ -52,7 +52,7 @@ IPA.entity_adder_dialog = function(spec) { var facet = IPA.current_entity.get_facet(); facet.refresh(); that.close(); -IPA.notify_success(that.get_success_message()); +that.notify_success(data); }, that.on_error); }
@@ -66,7 +66,7 @@ IPA.entity_adder_dialog = function(spec) { that.add( function(data, text_status, xhr) { that.added.notify(); -that.show_message(that.get_success_message()); +that.show_message(that.get_success_message(data)); var facet = IPA.current_entity.get_facet(); facet.refresh(); that.reset(); @@ -86,7 +86,7 @@ IPA.entity_adder_dialog = function(spec) { that.close(); var result = data.result.result; that.show_edit_page(that.entity, result); -IPA.notify_success(that.get_success_message()); +that.notify_success(data); }, that.on_error); } @@ -102,11 +102,15 @@ IPA.entity_adder_dialog = function(spec) { }); }; -that.get_success_message = function() { +that.get_success_message = function(data) { var message = IPA.m
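Review bot: the three add.js call sites are not changed the same way: the hunks at lines 52 and 86 switch to `that.notify_success(data)`, while the hunk at line 66 keeps the old pattern as `that.show_message(that.get_success_message(data))`. If `notify_success` is the wrapper that applies the per-dialog timeout, the line-66 path (the one that calls `that.reset()` and stays in the dialog) never gets it; say in the commit message whether that is intended, or route it through the same helper.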
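Review bot: `that.notify_success` is called at lines 52 and 86 but its definition is not among the visible hunks (the patch is cut off at `that.get_success_message = function(data) { var message = IPA.m`), so it cannot be checked that it exists on the dialog before these callbacks fire. Since `get_success_message(data)` is now reached by every entity adder dialog, it should still return the plain summary when `data.result.result` carries no `truststatus`, and the status text taken from the response should be added to the notification as text rather than by HTML string concatenation.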
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Tue, 18 Sep 2012, Petr Vobornik wrote:
> I created a patch which uses it. See attached screenshots. It may be useful but, as I wrote, the message is displayed only for 3s, so some users might not have time to read it whole - message is too long.

Well, as we don't have other means to show this information right now, that's good too. Maybe notification message timer could be possible to tune per instance? Then we could have, say, 5 seconds timeout here and keep 3 seconds as default one...

--
/ Alexander Bokovoy
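As an added example (my own sketch, not FreeIPA's Web UI code), the following JavaScript combines the pieces discussed in this thread: a success-message builder that reads the command response and appends the trust status when the result carries one, a per-dialog notification timeout that falls back to the 3-second default, and HTML escaping so that a status string returned by the server is rendered as text. The response shape, the `notify_timeout` field and every function name here are assumptions modelled on the `ipa trust-add` output quoted above.

```javascript
// Added example, not FreeIPA's own code. Shows how an "entity added" notification
// can carry a trust status from the command response, with a per-dialog timeout.

const DEFAULT_NOTIFY_TIMEOUT_MS = 3000; // the 3s fade-out mentioned in the thread

// Read one attribute value from a result object. Values are assumed to arrive
// either as a plain string or as a single-element array (both handled here);
// returns null when the attribute is absent or empty.
function singleValue(result, name) {
  if (!result || typeof result !== 'object' || !(name in result)) return null;
  const v = result[name];
  if (Array.isArray(v)) return v.length ? String(v[0]) : null;
  return v == null ? null : String(v);
}

// Build the success message. `data` is the command response (assumed shape:
// data.result.result holds the entry attributes). For a trust the status is
// appended; any other entity, or a response without `truststatus`, gets the
// unchanged base message, so one code path serves every adder dialog.
function getSuccessMessage(data, baseMessage) {
  const result = data && data.result && data.result.result;
  const status = singleValue(result, 'truststatus');
  return status ? `${baseMessage} Trust status: ${status}` : baseMessage;
}

// Choose how long the notification stays visible. A dialog may set
// `notify_timeout` (assumed field name) to keep a longer message readable;
// anything missing or non-positive falls back to the default.
function notifyTimeout(dialogSpec) {
  const t = dialogSpec && dialogSpec.notify_timeout;
  return Number.isInteger(t) && t > 0 ? t : DEFAULT_NOTIFY_TIMEOUT_MS;
}

// Escape the five HTML-significant characters so server-returned text is shown
// literally when the notification is assembled as an HTML string.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Assemble what a notification widget would consume: escaped markup plus timeout.
function buildNotification(dialogSpec, data, baseMessage) {
  return {
    html: escapeHtml(getSuccessMessage(data, baseMessage)),
    timeout: notifyTimeout(dialogSpec),
  };
}

// Constructed sample responses (not captured from a real server), modelled on
// the CLI output quoted in the thread.
const SAMPLE_TRUST_RESPONSE = {
  result: {
    result: { cn: ['ad.local'], truststatus: ['Established and verified'] },
    summary: 'Added Active Directory trust for realm "ad.local"',
  },
};
const SAMPLE_USER_RESPONSE = {
  result: { result: { uid: ['jdoe'] }, summary: 'Added user "jdoe"' },
};

if (typeof require !== 'undefined' && require.main === module) {
  const trustDialog = { notify_timeout: 5000 }; // the 5s suggested for trusts
  console.log(buildNotification(trustDialog, SAMPLE_TRUST_RESPONSE,
    SAMPLE_TRUST_RESPONSE.result.summary));
  console.log(buildNotification({}, SAMPLE_USER_RESPONSE,
    SAMPLE_USER_RESPONSE.result.summary));
}
```

The point of `singleValue` is the edge case: a dialog that is not a trust dialog, or a server that omits the attribute, must still produce the ordinary summary rather than "Trust status: undefined", and the escaping step is what keeps a response-supplied string from being interpreted as markup by the notification widget.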
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
> It is displayed as part of the output, truststatus property:
>
> # ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
> Active directory domain adminstrator's password:
> -
> Added Active Directory trust for realm "ad.local"
> -
>   Realm name: ad.local
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
>
> Would be good if you could take it in use.

I created a patch which uses it. See attached screenshots. It may be useful but, as I wrote, the message is displayed only for 3s, so some users might not have time to read it whole - message is too long.

> > It would be nice if it can be saved to ldap and return in show/find commands? That way we can show it in search or details page. Or we can implement trust-status $TRUST --admin $ADMIN --$password $PASSWORD command to check the actual status anytime in a future.
>
> We don't have an attribute to store the status. Neither it exists in Windows. I'll talk to Simo if we can have one attribute like that but the price of maintaining it up to date might be too much. On the other hand, we can always invalidate value in the attribute when ipasam cannot use shared trust account against trusted domain...
>
> Running validation/verification as a separate command is possible but it would be relatively resource-hungry and makes little use on its own. We may couple it together with future multiple suffixes support (tickets #2848, #2593) as fetching additional suffixes depends on validated trust relationship.

--
Petr Vobornik

From 7835f62bccefe69abc6122d4ddd6aa7c571f59b2 Mon Sep 17 00:00:00 2001
From: Petr Vobornik Date: Tue, 18 Sep 2012 17:12:59 +0200 Subject: [PATCH] Show trust status in add success notification Web UI notification of 'Add verification step after trust creation' https://fedorahosted.org/freeipa/ticket/2763 --- install/ui/add.js | 9 + install/ui/trust.js | 14 ++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/install/ui/add.js b/install/ui/add.js index d855879452e5812c8c7fbae7bc9d1ff9035f1a6e..06c9b325a58e31e3366529b552df29109117f847 100644 --- a/install/ui/add.js +++ b/install/ui/add.js @@ -52,7 +52,7 @@ IPA.entity_adder_dialog = function(spec) { var facet = IPA.current_entity.get_facet(); facet.refresh(); that.close(); -IPA.notify_success(that.get_success_message()); +IPA.notify_success(that.get_success_message(data)); }, that.on_error); } @@ -66,7 +66,7 @@ IPA.entity_adder_dialog = function(spec) { that.add( function(data, text_status, xhr) { that.added.notify(); -that.show_message(that.get_success_message()); +that.show_message(that.get_success_message(data)); var facet = IPA.current_entity.get_facet(); facet.refresh(); that.reset(); @@ -86,7 +86,7 @@ IPA.entity_adder_dialog = function(spec) { that.close();
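Review bot: `get_success_message` gains a `data` argument at all three visible call sites (the hunks at lines 52, 66 and 86), but the diffstat touches only add.js and trust.js, so any other dialog that overrides `get_success_message` with the old zero-argument form will silently ignore the response; document the new parameter on the base implementation and make sure the trust override in trust.js returns the plain summary when the response has no `truststatus`. The third hunk is cut off after `that.close();` here, so the line-86 change could not be checked beyond the header.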
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Tue, 18 Sep 2012, Petr Vobornik wrote:
> It shouldn't break Web UI but Web UI won't use it. In add command Web UI uses only the command state (success/error). If the truststatus text would be a part of command summary text, it can be displayed in notification message (which fades after 3s) when comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.

It is displayed as part of the output, truststatus property:

# ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
Active directory domain adminstrator's password:
-
Added Active Directory trust for realm "ad.local"
-
  Realm name: ad.local
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Would be good if you could take it in use.

> It would be nice if it can be saved to ldap and return in show/find commands? That way we can show it in search or details page. Or we can implement trust-status $TRUST --admin $ADMIN --$password $PASSWORD command to check the actual status anytime in a future.

We don't have an attribute to store the status. Neither it exists in Windows. I'll talk to Simo if we can have one attribute like that but the price of maintaining it up to date might be too much. On the other hand, we can always invalidate value in the attribute when ipasam cannot use shared trust account against trusted domain...

Running validation/verification as a separate command is possible but it would be relatively resource-hungry and makes little use on its own. We may couple it together with future multiple suffixes support (tickets #2848, #2593) as fetching additional suffixes depends on validated trust relationship.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On 09/18/2012 02:15 PM, Sumit Bose wrote:
> ok, ACK. Nevertheless it would be nice if Petr can check for any implications to the web UI with respect to the status of the trust.
>
> bye,
> Sumit

It shouldn't break Web UI but Web UI won't use it. In add command Web UI uses only the command state (success/error). If the truststatus text would be a part of command summary text, it can be displayed in notification message (which fades after 3s) when comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.

It would be nice if it can be saved to ldap and return in show/find commands? That way we can show it in search or details page. Or we can implement trust-status $TRUST --admin $ADMIN --$password $PASSWORD command to check the actual status anytime in a future.

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> Just a short feedback. The patch is working as expected, for a newly created trust Windows will send a TGS request to the IPA KDC without explicit validation on the windows side. Currently I have some issues in my test setup so that I can not give a full ACK atm.

ok, ACK. Nevertheless it would be nice if Petr can check for any implications to the web UI with respect to the status of the trust.

bye,
Sumit
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> Following patch adds trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
>
> As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are few RPCs that should be performed against trusted domain's DC's LSA and NetLogon pipes and these are protected by administrative credentials.
>
> Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
>
> https://fedorahosted.org/freeipa/ticket/2763

Just a short feedback. The patch is working as expected, for a newly created trust Windows will send a TGS request to the IPA KDC without explicit validation on the windows side. Currently I have some issues in my test setup so that I can not give a full ACK atm.

bye,
Sumit

> --
> / Alexander Bokovoy