From 4df20255c1738526696ea72af6fc70e9c6aa6694 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 12 Jun 2017 11:05:06 +0300
Subject: [PATCH] trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As a result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.
As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:
  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 API.txt                    | 3 ++-
 VERSION.m4                 | 4 ++--
 ipaserver/plugins/trust.py | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/API.txt b/API.txt
index 6511ad8d1cb4dc9079628fc058312f31aaec624d..86229156adfba829a46b6a831ad6843cc1a17d6a 100644
--- a/API.txt
+++ b/API.txt
@@ -5769,11 +5769,12 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: trust_mod/1
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', cli_name='realm')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
+option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes')
 option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming')
 option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
diff --git a/VERSION.m4 b/VERSION.m4
index 8aa3ef03f352cd176579c5d5848ed9550f22105d..25aaa1dd0e3c2868e63300dec7fe9228f1ebcb43 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 #                                                      #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 227)
-# Last change: Add `pkinit-status` command
+define(IPA_API_VERSION_MINOR, 228)
+# Last change: Expose ipaNTAdditionalSuffixes in trust-mod
 
 
 ########################################################
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 075b39dcc33a79f3e73e8e1e9e31ebbef17618fe..d0bbfbc47ca65c9c5229685fc9d202c293fe41cd 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -553,8 +553,9 @@ class trust(LDAPObject):
             flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
         ),
         Str('ipantadditionalsuffixes*',
+            cli_name='upn_suffixes',
             label=_('UPN suffixes'),
-            flags={'no_create', 'no_update', 'no_search'},
+            flags={'no_create', 'no_search'},
         ),
     )
 
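Review bot: The `ipantadditionalsuffixes*` parameter gains `cli_name='upn_suffixes'` and loses `no_update`, but it still carries no `doc=`, so `ipa trust-mod --help` will describe the new option only by its label "UPN suffixes" and nothing tells the administrator what the commit message states, that the list given to trust-mod replaces the existing suffixes rather than extending them. Add `doc=_('UPN suffixes of the trusted forest; the list given to trust-mod replaces the existing one'),` next to `label`. The hunk also adds no validation of the values; since the KDC relies on this attribute to decide which principals belong to the trusted forest, a suffix equal to the IPA domain itself or to a suffix of another trust would be stored as given unless `trust_mod` rejects it in a pre-callback outside this hunk, which is worth confirming and documenting. The `trust` class and its parameter tuple begin outside the hunk.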
-- 
2.9.4