[Freeipa-devel] [PATCH] 0080 rewrite SID comparison to take into account different SID forms
Martin Kosek
mkosek at redhat.com
Thu Sep 27 12:01:11 UTC 2012
On 09/27/2012 01:57 PM, Sumit Bose wrote:
> On Tue, Sep 25, 2012 at 05:40:57PM +0300, Alexander Bokovoy wrote:
>> Hi,
>>
>> The domain validator code in ipaserver/dcerpc.py verifies that a SID belongs
>> to one of our trusted domains. This verification was expecting that the SID
>> is for some resource within a trusted domain and ignored the case when it
>> is the SID of the trusted domain, i.e. when the SID has a form like
>> S-1-5-21-16904141-148189700-2149043814 rather than
>> S-1-5-21-16904141-148189700-2149043814-512 (Domain Admins).
>>
>> The latter is what the idrange-add command uses.
>>
>> So comparing SID with SID was done by stripping the last component (RID).
>> In the case of idrange-add, stripping the last RID was making a SID that
>> could never compare to a trusted domain SID.
>>
>> Somehow the code worked for me in Fedora and started failing on RHEL6.
>>
>> --
>> / Alexander Bokovoy
>
> ACK
>
> bye,
> Sumit
>
Pushed to master, ipa-3-0.
Martin
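
The comparison problem described in the quoted message, as an added Python example that is not the code from the patch or from ipaserver/dcerpc.py: `strip_rid_match` reproduces the "always strip the last component" behaviour, and `is_trusted_domain_sid` is one way to accept both SID forms. The function names and the trusted-domain set are assumptions made for illustration; the SID values are the ones quoted in the thread.

```python
import re

# Constructed trusted-domain set, using the domain SID quoted in the thread.
DOMAIN_SID = "S-1-5-21-16904141-148189700-2149043814"
TRUSTED_DOMAIN_SIDS = {DOMAIN_SID}

# String form: S-1-<authority>-<subauthority>... (1 to 15 sub-authorities).
_SID_RE = re.compile(r"S-1-(\d+)((?:-\d+){1,15})")


def parse_sid(sid):
    """Parse a string SID into (authority, tuple of sub-authorities)."""
    m = _SID_RE.fullmatch(sid.strip().upper())
    if m is None:
        raise ValueError("not a string SID: %r" % sid)
    subs = tuple(int(x) for x in m.group(2).split("-")[1:])
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of 32-bit range: %r" % sid)
    return int(m.group(1)), subs


def strip_rid_match(sid, trusted):
    """Behaviour described in the thread: always drop the last component."""
    return sid.rsplit("-", 1)[0] in trusted


def is_trusted_domain_sid(sid, trusted):
    """Accept the trusted domain's own SID, or that SID plus exactly one RID.

    Comparing parsed integer tuples (not string prefixes) keeps a SID whose
    last sub-authority merely starts with the same digits from matching.
    """
    try:
        auth, subs = parse_sid(sid)
    except ValueError:
        return False
    for dom in trusted:
        dom_auth, dom_subs = parse_sid(dom)
        if auth != dom_auth:
            continue
        if subs == dom_subs:                      # the domain SID itself
            return True
        if subs[:-1] == dom_subs:                 # domain SID + one RID
            return True
    return False


if __name__ == "__main__":
    for candidate in (DOMAIN_SID, DOMAIN_SID + "-512"):
        print(candidate, strip_rid_match(candidate, TRUSTED_DOMAIN_SIDS),
              is_trusted_domain_sid(candidate, TRUSTED_DOMAIN_SIDS))
```
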