From 847e3d053fc5243a9fce7af673cb138983a3255c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 12 Sep 2019 11:21:51 +0300
Subject: [PATCH] adtrust: add default read_keys permission for TDO objects
If a trusted domain object (TDO) lacks ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.
This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../updates/90-post_upgrade_plugins.update | 1 +
ipaserver/install/plugins/adtrust.py | 56 +++++++++++++++++++
2 files changed, 57 insertions(+)
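diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 6cd87a4226e34839ba7625fa03893cd8fb902386..e3afb3423ccaf1598bc0a0e982a5264781fd81a4 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -12,6 +12,7 @@ plugin: update_default_range
 plugin: update_default_trust_view
 plugin: update_tdo_gidnumber
 plugin: update_tdo_to_new_layout
+plugin: update_tdo_default_read_keys_permissions
 plugin: update_ca_renewal_master
 plugin: update_idrange_type
 plugin: update_pacs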
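diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b..fca83aa6df2cc3fafca91f2ed55339dba016a1fa 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -727,3 +727,59 @@ class update_tdo_to_new_layout(Updater):
                 self.KRB_PRINC_CREATE_DISABLED)
 
         return False, []
+
+
+@register()
+class update_tdo_default_read_keys_permissions(Updater):
+    trust_filter = \
+        "(&(objectClass=krbPrincipal)(krbPrincipalName=krbtgt/{nbt}@*))"
+
+    def execute(self, **options):
+        ldap = self.api.Backend.ldap2
+
+        # First, see if trusts are enabled on the server
+        if not self.api.Command.adtrust_is_enabled()['result']:
+            logger.debug('AD Trusts are not enabled on this server')
+            return False, []
+
+        result = self.api.Command.trustconfig_show()['result']
+        our_nbt_name = result.get('ipantflatname', [None])[0]
+        if not our_nbt_name:
+            return False, []
+
+        trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
+        trust_filter = self.trust_filter.format(nbt=our_nbt_name)
+
+        # We might be in a situation when no trusts exist yet
+        # In such case there is nothing to upgrade but we have to catch
+        # an exception or it will abort the whole upgrade process
+        try:
+            tdos = ldap.get_entries(
+                base_dn=trusts_dn,
+                scope=ldap.SCOPE_SUBTREE,
+                filter=trust_filter,
+                attrs_list=['*'])
+        except errors.EmptyResult:
+            tdos = []
+
+        for tdo in tdos:
+            updates = dict()
+            oc = tdo.get('objectClass', [])
+            if 'ipaAllowedOperations' not in oc:
+                updates['objectClass'] = oc + ['ipaAllowedOperations']
+
+            read_keys = tdo.get('ipaAllowedToPerform;read_keys', [])
+            if not read_keys:
+                read_keys_values = list(map(
+                    lambda x: x.format(basedn=self.api.env.basedn),
+                    trust_read_keys_template))
+                updates['ipaAllowedToPerform;read_keys'] = read_keys_values
+
+            tdo.update(updates)
+            try:
+                ldap.update_entry(tdo)
+            except errors.EmptyModlist:
+                logger.debug("No update was required for TDO %s",
+                             tdo.single_value.get('krbCanonicalName'))
+
+        return False, []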
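Review bot: A failure while writing back a single TDO in the `for tdo in tdos:` loop aborts the whole upgrade without identifying the entry, because the `try` around `ldap.update_entry(tdo)` handles only `errors.EmptyModlist`, even though the comment above `get_entries` shows the author already cares about this failure mode on the read side. Consider an additional `except errors.PublicError as e:` branch that logs the TDO's `krbCanonicalName` together with the error via `logger.error(...)` before re-raising (or continuing, if a partially updated trust set is acceptable), so an operator can locate the offending entry. Separately, `'ipaAllowedOperations' not in oc` is a case-sensitive comparison of an LDAP objectClass value, which the directory treats case-insensitively; should a stored value ever differ in case, this branch would try to add a duplicate on every run, so a case-folded test such as `if 'ipaallowedoperations' not in (c.lower() for c in oc):` is safer. Finally, `attrs_list=['*']` pulls every attribute of each trust object into the upgrade process although only `objectClass`, `ipaAllowedToPerform;read_keys` and `krbCanonicalName` are read; narrowing the list to those three keeps trust-object contents the updater does not need out of memory and debug output.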
--
2.20.1