[Freeipa-devel] [PATCH] 0073 Add trust verification code

Petr Vobornik pvoborni at redhat.com
Tue Sep 18 15:22:26 UTC 2012


On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
> On Tue, 18 Sep 2012, Petr Vobornik wrote:
>> On 09/18/2012 02:15 PM, Sumit Bose wrote:
>>> On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
>>>> On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
>>>>> Hi,
>>>>>
>>>>> Following patch adds trust verification sequence to the case when we
>>>>> establish trust with knowledge of AD administrative credentials.
>>>>>
>>>>> As we found out, in order to validate/verify a trust, one has to have
>>>>> administrative credentials for the trusted domain, since there are a
>>>>> few RPCs that have to be performed against the trusted domain's DC's LSA
>>>>> and NetLogon pipes, and these are protected by administrative
>>>>> credentials.
>>>>>
>>>>> Thus, when we know admin credentials for the remote domain, we can
>>>>> perform the trust validation.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2763
>>>>>
>>>>
>>>> Just some short feedback. The patch is working as expected; for a newly
>>>> created trust Windows will send a TGS request to the IPA KDC without
>>>> explicit validation on the Windows side. Currently I have some issues
>>>> in my test setup, so I cannot give a full ACK atm.
>>>>
>>>
>>> ok, ACK.
>>>
>>> Nevertheless it would be nice if Petr can check for any implications to
>>> the web UI with respect to the status of the trust.
>>
>> It shouldn't break the Web UI, but the Web UI won't use it. In the add
>> command the Web UI uses only the command state (success/error). If the
>> truststatus text were part of the command summary text, it could be
>> displayed in the notification message (which fades after 3s) once comment 8 of
>> https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.
> It is displayed as part of the output, truststatus property:
> # ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
> Active directory domain administrator's password:
> -------------------------------------------------
> Added Active Directory trust for realm "ad.local"
> -------------------------------------------------
>    Realm name: ad.local
>    Domain NetBIOS name: AD
>    Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
>    Trust direction: Two-way trust
>    Trust type: Active Directory domain
>    Trust status: Established and verified
>
> Would be good if you could take it in use.

I created a patch which uses it. See the attached screenshots. It may be 
useful but, as I wrote, the message is displayed only for 3s, so some 
users might not have time to read all of it - the message is too long.

>> It would be nice if it could be saved to LDAP and returned in the show/find
>> commands. That way we could show it in the search or details page. Or we could
>> implement a trust-status $TRUST --admin $ADMIN --password $PASSWORD
>> command to check the actual status at any time in the future.
> We don't have an attribute to store the status. Nor does one exist in
> Windows.
>
> I'll talk to Simo about whether we can have one attribute like that, but the
> price of keeping it up to date might be too high. On the other hand, we
> can always invalidate the value in the attribute when ipasam cannot use
> the shared trust account against the trusted domain...
>
> Running validation/verification as a separate command is possible, but it
> would be relatively resource-hungry and is of little use on its own. We
> may couple it with future multiple-suffix support (tickets
> #2848, #2593), as fetching additional suffixes depends on a validated trust
> relationship.
>


-- 
Petr Vobornik
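The thread's point about the Web UI is that the `trust-add` command already returns a `truststatus` property, but the UI only looks at success/error. The following is an added example, not the FreeIPA Web UI code or the attached patch: it takes a `trust-add` JSON-RPC response and builds the success notification text with the trust status appended, and falls back to the bare summary when the server returns no `truststatus` (as a server without the verification patch would). The response envelope shape (command output under `result.result`, summary under `result.summary`, attribute values as lists) is assumed from FreeIPA's JSON-RPC convention; the sample response is constructed from the CLI output quoted above; the longer timeout for unverified trusts is an assumed policy, not something the thread decides.

```javascript
// Added example (not part of the FreeIPA Web UI or the patch in this thread):
// build the success notification for `trust-add` from a JSON-RPC response,
// appending the `truststatus` value when the server returns one.
//
// Assumption: the envelope below follows FreeIPA's JSON-RPC convention
// (command output under result.result, one-line summary under result.summary,
// attribute values as lists).

// Constructed sample response for: ipa trust-add --type=ad ad.local
// (values copied from the CLI output quoted in the thread)
const SAMPLE_RESPONSE = {
  error: null,
  id: 0,
  result: {
    value: 'ad.local',
    summary: 'Added Active Directory trust for realm "ad.local"',
    result: {
      cn: ['ad.local'],
      ipantflatname: ['AD'],
      ipanttrusteddomainsid: ['S-1-5-21-16904141-148189700-2149043814'],
      trustdirection: ['Two-way trust'],
      trusttype: ['Active Directory domain'],
      truststatus: ['Established and verified'],
    },
  },
};

// Attribute values in the result dict are lists; return the first one, or
// null when the attribute is absent or empty.
function firstValue(entry, attr) {
  const v = entry ? entry[attr] : undefined;
  if (Array.isArray(v)) return v.length ? String(v[0]) : null;
  return v === undefined || v === null ? null : String(v);
}

// Returns { text, status } for the success notification. An error response
// throws, since the UI handles errors through a separate path.
function trustAddNotification(response) {
  if (response.error) {
    const msg = response.error.message || JSON.stringify(response.error);
    throw new Error('trust-add failed: ' + msg);
  }
  const summary = response.result.summary ||
    'Added trust for "' + response.result.value + '"';
  const status = firstValue(response.result.result, 'truststatus');
  // Servers without the verification code return no truststatus at all;
  // show only the summary then, rather than an empty "Trust status:" line.
  const text = status ? summary + '\nTrust status: ' + status : summary;
  return { text: text, status: status };
}

// Assumed policy (not from the thread): a notification that reports anything
// other than a verified trust is kept on screen longer than the default 3 s,
// because the admin needs to read and act on it.
function notificationTimeoutMs(status, defaultMs) {
  const base = defaultMs === undefined ? 3000 : defaultMs;
  if (status === null) return base;
  return status === 'Established and verified' ? base : 3 * base;
}

// Stand-alone run: print what the UI would show for the sample response.
const n = trustAddNotification(SAMPLE_RESPONSE);
console.log(n.text);
console.log('timeout ms: ' + notificationTimeoutMs(n.status));
```

The `status === null` branch is the compatibility case: a client that unconditionally appends `Trust status:` would render an empty line against an older server, so the absence of the attribute is treated as "unknown" and only the server's own summary is shown.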
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0215-Show-trust-status-in-add-success-notification.patch
Type: text/x-patch
Size: 3564 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120918/9048b6cd/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trust-add-msg-established.png
Type: image/png
Size: 14543 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120918/9048b6cd/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trust-add-msg-waiting.png
Type: image/png
Size: 12863 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120918/9048b6cd/attachment-0001.png>