Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Martin Kosek
On 02/20/2013 07:25 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 02/20/2013 12:30 PM, Petr Viktorin wrote:
>>> On 02/20/2013 09:15 AM, Martin Kosek wrote:
>>>> On 02/19/2013 10:19 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>>>>>>> When user tries to perform any action requiring communication with
>>>>>>> trusted domain, IPA server tries to retrieve a trust secret on his
>>>>>>> behalf to be able to establish the connection. This happens for
>>>>>>> example during group-add-member command when external user is
>>>>>>> being resolved in the AD.
>>>>>>>
>>>>>>> When user is not member of Trust admins group, the retrieval crashes
>>>>>>> and reports internal error. Catch this exception and rather report
>>>>>>> properly formatted ACIError.
>>>>>>>
>>>>>>> I hit this error after updating to the latest FreeIPA version with the AD CVE
>>>>>>> fixed.
>>>>>>>
>>>>>>> Martin
>>>>>>
>>>>>> I filed a ticket to not lose this fix and patch. Attaching an updated patch
>>>>>> with ticket URL in description.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> The patch fixes the problem but the error is untranslated:
>>>>>
>>>>>   member group: AD\Domain Admins: Insufficient access: Gettext('communication
>>>>> with trusted domains is allowed for Trusts administrator group members only',
>>>>> domain='ipa', localedir=None)
>>>>>
>>>>> rob
>>>>
>>>> I think this is just because this string is not in our ipa.pot file yet (will
>>>> be when we do Transifex refresh).
>>>>
>>>> Martin

>>>
>>> I don't have AD so I can't investigate, but this problem is usually due to the
>>> error being converted to string instead of using the strerror attribute.
>>>
>>
>> You are right, attaching a patch which fixes it for group-add-member. But just
>> with using a quick grep, I see we do not use strerror on a lot of other places,
>> we may want to open a ticket to fix that too.
>>
>> Martin
>>
> 
> ACK, pushed to master and ipa-3-1
> 
> I think another ticket for your grep findings would be a good idea.
> 
> rob

Ok, here it is:
https://fedorahosted.org/freeipa/ticket/3445

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Rob Crittenden

Martin Kosek wrote:
> On 02/20/2013 12:30 PM, Petr Viktorin wrote:
>> On 02/20/2013 09:15 AM, Martin Kosek wrote:
>>> On 02/19/2013 10:19 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>>>>>> When user tries to perform any action requiring communication with
>>>>>> trusted domain, IPA server tries to retrieve a trust secret on his
>>>>>> behalf to be able to establish the connection. This happens for
>>>>>> example during group-add-member command when external user is
>>>>>> being resolved in the AD.
>>>>>>
>>>>>> When user is not member of Trust admins group, the retrieval crashes
>>>>>> and reports internal error. Catch this exception and rather report
>>>>>> properly formatted ACIError.
>>>>>>
>>>>>> I hit this error after updating to the latest FreeIPA version with the AD CVE
>>>>>> fixed.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> I filed a ticket to not lose this fix and patch. Attaching an updated patch
>>>>> with ticket URL in description.
>>>>>
>>>>> Martin
>>>>
>>>> The patch fixes the problem but the error is untranslated:
>>>>
>>>>   member group: AD\Domain Admins: Insufficient access: Gettext('communication
>>>> with trusted domains is allowed for Trusts administrator group members only',
>>>> domain='ipa', localedir=None)
>>>>
>>>> rob
>>>
>>> I think this is just because this string is not in our ipa.pot file yet (will
>>> be when we do Transifex refresh).
>>>
>>> Martin
>>
>> I don't have AD so I can't investigate, but this problem is usually due to the
>> error being converted to string instead of using the strerror attribute.
>
> You are right, attaching a patch which fixes it for group-add-member. But just
> with using a quick grep, I see we do not use strerror on a lot of other places,
> we may want to open a ticket to fix that too.
>
> Martin

ACK, pushed to master and ipa-3-1

I think another ticket for your grep findings would be a good idea.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Martin Kosek
On 02/20/2013 12:30 PM, Petr Viktorin wrote:
> On 02/20/2013 09:15 AM, Martin Kosek wrote:
>> On 02/19/2013 10:19 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>>>>> When user tries to perform any action requiring communication with
>>>>> trusted domain, IPA server tries to retrieve a trust secret on his
>>>>> behalf to be able to establish the connection. This happens for
>>>>> example during group-add-member command when external user is
>>>>> being resolved in the AD.
>>>>>
>>>>> When user is not member of Trust admins group, the retrieval crashes
>>>>> and reports internal error. Catch this exception and rather report
>>>>> properly formatted ACIError.
>>>>>
>>>>> I hit this error after updating to the latest FreeIPA version with the AD CVE
>>>>> fixed.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> I filed a ticket to not lose this fix and patch. Attaching an updated patch
>>>> with ticket URL in description.
>>>>
>>>> Martin
>>>>
>>>
>>>
>>> The patch fixes the problem but the error is untranslated:
>>>
>>>  member group: AD\Domain Admins: Insufficient access: Gettext('communication
>>> with trusted domains is allowed for Trusts administrator group members only',
>>> domain='ipa', localedir=None)
>>>
>>> rob
>>
>> I think this is just because this string is not in our ipa.pot file yet (will
>> be when we do Transifex refresh).
>>
>> Martin
>>
> 
> I don't have AD so I can't investigate, but this problem is usually due to the
> error being converted to string instead of using the strerror attribute.
> 

You are right, attaching a patch which fixes it for group-add-member. But just
with using a quick grep, I see we do not use strerror on a lot of other places,
we may want to open a ticket to fix that too.

Martin

From 0662aedeefec4e8dff621ad7d0f1ead881a559ca Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Thu, 24 Jan 2013 11:51:58 +0100
Subject: [PATCH] Avoid internal error when user is not Trust admin

When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.

When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.

https://fedorahosted.org/freeipa/ticket/3390
---
 ipalib/plugins/group.py |  2 +-
 ipaserver/dcerpc.py | 27 +++
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 4994dacb3218e03e1f92b7c16bf355c8ffa4d6f9..06e80931a0d77beb93b08cdf2637e3c750c1bafa 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -387,7 +387,7 @@ class group_add_member(LDAPAddMember):
 try:
 actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
 except errors.PublicError, e:
-failed_sids.append((sid, unicode(e)))
+failed_sids.append((sid, e.strerror))
 else:
 sids.append(actual_sid)
 restore = []
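Review bot: switching `unicode(e)` to `e.strerror` on the `failed_sids.append` line addresses the untranslated `Gettext(...)` text reported for this command, but note the behavioural change it goes with: an `ACIError` raised by `get_trusted_domain_object_sid` for a caller outside the Trust admins group now lands in `failed_sids` as a per-member failure instead of propagating, so the command continues and reports that SID as failed rather than failing as a whole; if that is intended, say so in the commit message. The thread already records that other `unicode(e)` call sites remain and are tracked in ticket 3445.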
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index b471bccee414281e26eaaf404b59fb3268d37112..140e26f77f6dd405e30fc13422869d9667da6ba0 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -156,10 +156,29 @@ class DomainValidator(object):
   self.ATTR_TRUST_AUTHOUT])
 
 result = dict()
-for entry in entries:
-result[entry[1][self.ATTR_TRUST_PARTNER][0]] = (entry[1][self.ATTR_FLATNAME][0].lower(),
-security.dom_sid(entry[1][self.ATTR_TRUSTED_SID][0]),
-entry[1][self.ATTR_TRUST_AUTHOUT][0])
+for dn, entry in entries:
+try:
+trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
+flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
+trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
+except KeyError, e:
+# Some piece of trusted domain info in LDAP is missing
+# Skip the domain, but leave log entry for investigation
+api.log.warn("Trusted domain '%s' entry misses an attribute: %s",
+dn, e)
+continue
+trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
+
+# We were able to read all Trusted domain attributes but the secret
+# Use
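Review bot: the attachment in this message is cut off after the `# Use` comment, so the lines that raise the `ACIError` are not visible here (the complete hunk is in the 2013-02-04 attachment). In the visible part, `api.log.warn` is used without `api` appearing in the context lines, so check that it is imported in `ipaserver/dcerpc.py`; and because a `KeyError` on any of `ATTR_TRUST_PARTNER`, `ATTR_FLATNAME` or `ATTR_TRUSTED_SID` only logs and `continue`s, a trust entry with a missing SID silently disappears from `result`, which deserves a sentence in the commit message if that degradation is intended.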

Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Petr Viktorin

On 02/20/2013 09:15 AM, Martin Kosek wrote:
> On 02/19/2013 10:19 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>>>> When user tries to perform any action requiring communication with
>>>> trusted domain, IPA server tries to retrieve a trust secret on his
>>>> behalf to be able to establish the connection. This happens for
>>>> example during group-add-member command when external user is
>>>> being resolved in the AD.
>>>>
>>>> When user is not member of Trust admins group, the retrieval crashes
>>>> and reports internal error. Catch this exception and rather report
>>>> properly formatted ACIError.
>>>>
>>>> I hit this error after updating to the latest FreeIPA version with the AD CVE
>>>> fixed.
>>>>
>>>> Martin
>>>
>>> I filed a ticket to not lose this fix and patch. Attaching an updated patch
>>> with ticket URL in description.
>>>
>>> Martin
>>
>> The patch fixes the problem but the error is untranslated:
>>
>>  member group: AD\Domain Admins: Insufficient access: Gettext('communication
>> with trusted domains is allowed for Trusts administrator group members only',
>> domain='ipa', localedir=None)
>>
>> rob
>
> I think this is just because this string is not in our ipa.pot file yet (will
> be when we do Transifex refresh).
>
> Martin

I don't have AD so I can't investigate, but this problem is usually due
to the error being converted to string instead of using the strerror
attribute.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
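Python 3 stand-in, added here and not part of the thread or of ipalib, for two things discussed above: the patched trusted-domain lookup (incomplete entries skipped with a warning, a secret hidden by an ACI turned into an ACIError) and Petr's point that str(e) on such an error leaks the lazy Gettext object while strerror gives the rendered message. Gettext, PublicError, ACIError, get_trusted_domains, the sample entries and their attribute names are assumptions modelled on the patch, not the real ipalib API.

```python
import logging

class Gettext:
    # Lazily translated text; repr() is the form that leaked into Rob's output
    def __init__(self, msgid, domain="ipa", localedir=None):
        self.msgid, self.domain, self.localedir = msgid, domain, localedir
    def __repr__(self):
        return "Gettext(%r, domain=%r, localedir=%r)" % (self.msgid, self.domain, self.localedir)
    def __str__(self):  # a catalog lookup would go here; the msgid is the fallback
        return self.msgid

class PublicError(Exception):
    format = None
    def __init__(self, **kw):
        self.kw = kw
        # Template and raw kw kept as args: str(e) then shows repr() of the lazy text
        Exception.__init__(self, self.format, kw)
    @property
    def strerror(self):  # rendered message; what callers should report
        return str(self.format) % {k: str(v) for k, v in self.kw.items()}

class ACIError(PublicError):
    format = Gettext("Insufficient access: %(info)s")
# Constructed LDAP results as (dn, {attribute: [values]}); attribute names are stand-ins
SAMPLE_ENTRIES = [
    ("cn=ad.example,cn=trusts,dc=ipa,dc=example", {"trustPartner": ["ad.example"],
     "flatName": ["AD"], "trustedSid": ["S-1-5-21-1-2-3"], "trustAuthOut": ["<blob>"]}),
    ("cn=broken.example,cn=trusts,dc=ipa,dc=example",  # flatName missing: skipped
     {"trustPartner": ["broken.example"], "trustedSid": ["S-1-5-21-4-5-6"]}),
    ("cn=hidden.example,cn=trusts,dc=ipa,dc=example",  # secret hidden by an ACI
     {"trustPartner": ["hidden.example"], "flatName": ["HIDDEN"], "trustedSid": ["S-1-5-21-7-8-9"]}),
]
def get_trusted_domains(entries):
    # Mirror of the patched loop: skip incomplete entries with a warning; a hidden secret -> ACIError
    result = {}
    for dn, entry in entries:
        try:
            partner = entry["trustPartner"][0]
            flatname = entry["flatName"][0].lower()
            sid = entry["trustedSid"][0]
        except KeyError as e:
            logging.getLogger("ipa.example").warning("Trusted domain '%s' entry misses an attribute: %s", dn, e)
            continue
        authout = entry.get("trustAuthOut", [None])[0]
        if authout is None:
            raise ACIError(info=Gettext("communication with trusted domains is allowed "
                                        "for Trusts administrator group members only"))
        result[partner] = (flatname, sid, authout)
    return result
```

Compare str(e) with e.strerror on the ACIError raised for the third entry to see the difference the group.py change makes.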


Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-20 Thread Martin Kosek
On 02/19/2013 10:19 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>>> When user tries to perform any action requiring communication with
>>> trusted domain, IPA server tries to retrieve a trust secret on his
>>> behalf to be able to establish the connection. This happens for
>>> example during group-add-member command when external user is
>>> being resolved in the AD.
>>>
>>> When user is not member of Trust admins group, the retrieval crashes
>>> and reports internal error. Catch this exception and rather report
>>> properly formatted ACIError.
>>>
>>> 
>>>
>>> I hit this error after updating to the latest FreeIPA version with the AD CVE
>>> fixed.
>>>
>>> Martin
>>>
>>
>> I filed a ticket to not lose this fix and patch. Attaching an updated patch
>> with ticket URL in description.
>>
>> Martin
>>
> 
> 
> The patch fixes the problem but the error is untranslated:
> 
> member group: AD\Domain Admins: Insufficient access: Gettext('communication
> with trusted domains is allowed for Trusts administrator group members only',
> domain='ipa', localedir=None)
> 
> rob

I think this is just because this string is not in our ipa.pot file yet (will
be when we do Transifex refresh).

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-19 Thread Rob Crittenden

Martin Kosek wrote:
> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>> When user tries to perform any action requiring communication with
>> trusted domain, IPA server tries to retrieve a trust secret on his
>> behalf to be able to establish the connection. This happens for
>> example during group-add-member command when external user is
>> being resolved in the AD.
>>
>> When user is not member of Trust admins group, the retrieval crashes
>> and reports internal error. Catch this exception and rather report
>> properly formatted ACIError.
>>
>> I hit this error after updating to the latest FreeIPA version with the AD CVE
>> fixed.
>>
>> Martin
>
> I filed a ticket to not lose this fix and patch. Attaching an updated patch
> with ticket URL in description.
>
> Martin

The patch fixes the problem but the error is untranslated:

member group: AD\Domain Admins: Insufficient access:
Gettext('communication with trusted domains is allowed for Trusts
administrator group members only', domain='ipa', localedir=None)

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

2013-02-04 Thread Martin Kosek
On 01/24/2013 12:01 PM, Martin Kosek wrote:
> When user tries to perform any action requiring communication with
> trusted domain, IPA server tries to retrieve a trust secret on his
> behalf to be able to establish the connection. This happens for
> example during group-add-member command when external user is
> being resolved in the AD.
> 
> When user is not member of Trust admins group, the retrieval crashes
> and reports internal error. Catch this exception and rather report
> properly formatted ACIError.
> 
> 
> 
> I hit this error after updating to the latest FreeIPA version with the AD CVE
> fixed.
> 
> Martin
> 

I filed a ticket to not lose this fix and patch. Attaching an updated patch
with ticket URL in description.

Martin

From 99e21a67553aba2b13e11ec1e2514b0eb4f0cfd3 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Thu, 24 Jan 2013 11:51:58 +0100
Subject: [PATCH] Avoid internal error when user is not Trust admin

When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.

When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError.

https://fedorahosted.org/freeipa/ticket/3390
---
 ipaserver/dcerpc.py | 27 +++
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 54a70defc9df52db58054d29c1c9f9189a88cabb..f6c94e52d2a59e88f58bfadf8747ab4b7aeedecb 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -148,10 +148,29 @@ class DomainValidator(object):
   self.ATTR_TRUST_AUTHOUT])
 
 result = dict()
-for entry in entries:
-result[entry[1][self.ATTR_TRUST_PARTNER][0]] = (entry[1][self.ATTR_FLATNAME][0].lower(),
-security.dom_sid(entry[1][self.ATTR_TRUSTED_SID][0]),
-entry[1][self.ATTR_TRUST_AUTHOUT][0])
+for dn, entry in entries:
+try:
+trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
+flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
+trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
+except KeyError, e:
+# Some piece of trusted domain info in LDAP is missing
+# Skip the domain, but leave log entry for investigation
+api.log.warn("Trusted domain '%s' entry misses an attribute: %s",
+dn, e)
+continue
+trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
+
+# We were able to read all Trusted domain attributes but the secret
+# User is not member of trust admins group
+if trust_authout is None:
+raise errors.ACIError(
+info=_('communication with trusted domains is allowed '
+   'for Trusts administrator group members only'))
+
+result[trust_partner] = (flatname_normalized,
+ security.dom_sid(trusted_sid),
+ trust_authout)
 return result
 except errors.NotFound, e:
 return []
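Review bot: the `except errors.NotFound` branch still does `return []` while the success path returns the `result` dict; callers that index by trust partner or call `.items()` get a list on the not-found path, so return `dict()` there for a consistent type. Also, `if trust_authout is None` treats an absent `ATTR_TRUST_AUTHOUT` as "caller is not a Trust admin", which holds only if an ACI is the sole way the attribute can be unreadable, and the `raise` leaves the loop so domains already collected in `result` are dropped; a trust entry that legitimately lacks the outgoing secret would now surface as an access error instead of being skipped with a warning like the other missing attributes.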
-- 
1.8.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel