From 4df20255c1738526696ea72af6fc70e9c6aa6694 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH] trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
- associate UPN suffixes with the forest root and then allow for each
user account to choose UPN suffix for logon
- directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As a result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.
As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:
ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
API.txt | 3 ++-
VERSION.m4 | 4 ++--
ipaserver/plugins/trust.py | 3 ++-
3 files changed, 6 insertions(+), 4 deletions(-)
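diff --git a/API.txt b/API.txt
index 6511ad8d1cb4dc9079628fc058312f31aaec624d..86229156adfba829a46b6a831ad6843cc1a17d6a 100644
--- a/API.txt
+++ b/API.txt
@@ -5769,11 +5769,12 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: trust_mod/1
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', cli_name='realm')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
+option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes')
 option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming')
 option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)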
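diff --git a/VERSION.m4 b/VERSION.m4
index 8aa3ef03f352cd176579c5d5848ed9550f22105d..25aaa1dd0e3c2868e63300dec7fe9228f1ebcb43 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 # #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 227)
-# Last change: Add `pkinit-status` command
+define(IPA_API_VERSION_MINOR, 228)
+# Last change: Expose ipaNTAdditionalSuffixes in trust-mod
 
 
 ########################################################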
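diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 075b39dcc33a79f3e73e8e1e9e31ebbef17618fe..d0bbfbc47ca65c9c5229685fc9d202c293fe41cd 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -553,8 +553,9 @@ class trust(LDAPObject):
 flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
 ),
 Str('ipantadditionalsuffixes*',
+ cli_name='upn_suffixes',
 label=_('UPN suffixes'),
- flags={'no_create', 'no_update', 'no_search'},
+ flags={'no_create', 'no_search'},
 ),
 )
 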
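Review bot: No validation of the supplied suffix values is visible once `no_update` is dropped from `ipantadditionalsuffixes` on the `flags={'no_create', 'no_search'},` line; as far as the hunk shows, whatever an administrator passes to trust-mod is written to the trust entry as-is, and a suffix that duplicates the IPA domain or one already listed on another trust object could make the KDC's mapping of a UPN suffix to a forest ambiguous. Unless a pre_callback elsewhere in the `trust` object already covers this (not visible here), consider rejecting values that collide with the local domain or with another trust's suffix list, and requiring each value to be a well-formed DNS name or a single label. Because a -mod call replaces the whole list, as the commit message says, the parameter should state that in its help text, e.g. `doc=_('UPN suffixes of the trusted forest; a modification replaces the whole list'),`. The `takes_params` tuple of class `trust` starts before and ends after the hunk.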
--
2.9.4