|
 |
86baa9 |
From 58478231b10a670bc8c8bf5a1a41a5e3cb075b3f Mon Sep 17 00:00:00 2001
|
|
|
86baa9 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
86baa9 |
Date: Fri, 22 Mar 2019 18:50:30 +0200
|
|
|
86baa9 |
Subject: [PATCH] trust: allow trust agents to read POSIX identities of trust
|
|
|
86baa9 |
|
|
|
86baa9 |
SSSD and Samba on IPA masters need to be able to look up POSIX
|
|
|
86baa9 |
attributes of trusted domain objects in order to allow Active Directory
|
|
|
86baa9 |
domain controllers from trusted forests to connect to LSA and NETLOGON
|
|
|
86baa9 |
pipes.
|
|
|
86baa9 |
|
|
|
86baa9 |
We only have access to read POSIX attributes in cn=accounts,$SUFFIX
|
|
|
86baa9 |
subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.
|
|
|
86baa9 |
|
|
|
86baa9 |
Fixes: https://pagure.io/freeipa/issue/6077
|
|
|
86baa9 |
(cherry picked from commit 8908b5085179d07cff45ebb11d498b872d28eee7)
|
|
|
86baa9 |
|
|
|
86baa9 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
86baa9 |
---
|
|
|
86baa9 |
install/updates/60-trusts.update | 1 +
|
|
|
86baa9 |
1 file changed, 1 insertion(+)
|
|
|
86baa9 |
|
|
|
86baa9 |
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
|
|
|
86baa9 |
index 04c85ba77389b12415849ed81b8131c07b1c7a32..90201e1b4bfc01509da722303cb975a970131fb5 100644
|
|
|
86baa9 |
--- a/install/updates/60-trusts.update
|
|
|
86baa9 |
+++ b/install/updates/60-trusts.update
|
|
|
86baa9 |
@@ -33,6 +33,7 @@ add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType ||
|
|
|
86baa9 |
replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
|
|
86baa9 |
replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
|
|
|
86baa9 |
add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
|
|
|
86baa9 |
+add:aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || ipantsecurityidentifier || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "Allow reading POSIX information about trusted domain objects";allow (compare,read,search) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
|
|
86baa9 |
|
|
|
86baa9 |
# Samba user should be able to read NT passwords to authenticate
|
|
|
86baa9 |
# Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
|
|
|
86baa9 |
--
|
|
|
86baa9 |
2.20.1
|
|
|
86baa9 |
|