[Freeipa-devel] [PATCH] 0073 Add trust verification code

Petr Vobornik pvoborni at redhat.com
Tue Sep 18 12:43:57 UTC 2012


On 09/18/2012 02:15 PM, Sumit Bose wrote:
> On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
>> On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> Following patch adds trust verification sequence to the case when we
>>> establish trust with knowledge of AD administrative credentials.
>>>
>>> As we found out, in order to validate/verify trust, one has to have
>>> administrative credentials for the trusted domain, since there are
>>> few RPCs that should be performed against trusted domain's DC's LSA
>>> and NetLogon pipes and these are protected by administrative credentials.
>>>
>>> Thus, when we know admin credentials for the remote domain, we can
>>> perform the trust validation.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2763
>>>
>>
>> Just a short feedback. The patch is working as expected, for a newly
>> created trust Windows will send a TGS request to the IPA KDC without
>> explicit validation on the windows side. Currently I have some issues
>> in my test setup so that I can not give a full ACK atm.
>>
>
> ok, ACK.
>
> Nevertheless it would be nice if Petr can check for any implications to
> the web UI with respect to the status of the trust.

It shouldn't break Web UI but Web UI won't use it. In add command Web UI 
uses only the command state (success/error). If the truststatus text 
would be a part of command summary text, it can be displayed in 
notification message (which fades after 3s) when comment 8 of 
https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.

It would be nice if it can be saved to ldap and return in show/find 
commands? That way we can show it in search or details page. Or we can 
implement trust-status $TRUST --admin $ADMIN --$password $PASSWORD 
command to check the actual status anytime in a future.

>
> bye,
> Sumit
>
>> bye,
>> Sumit
>>
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>


-- 
Petr Vobornik




More information about the Freeipa-devel mailing list