[Freeipa-devel] [PATCH] 0073 Add trust verification code

Alexander Bokovoy abokovoy at redhat.com
Tue Sep 18 16:08:57 UTC 2012


On Tue, 18 Sep 2012, Petr Vobornik wrote:
>On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
>>On Tue, 18 Sep 2012, Petr Vobornik wrote:
>>>On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
>>>>On Tue, 18 Sep 2012, Petr Vobornik wrote:
>>>>>On 09/18/2012 02:15 PM, Sumit Bose wrote:
>>>>>>On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
>>>>>>>On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
>>>>>>>>Hi,
>>>>>>>>
>>>>>>>>Following patch adds trust verification sequence to the case when we
>>>>>>>>establish trust with knowledge of AD administrative credentials.
>>>>>>>>
>>>>>>>>As we found out, in order to validate/verify a trust, one has to have
>>>>>>>>administrative credentials for the trusted domain, since there are a
>>>>>>>>few RPCs that should be performed against the trusted domain's DC's LSA
>>>>>>>>and NetLogon pipes and these are protected by administrative
>>>>>>>>credentials.
>>>>>>>>
>>>>>>>>Thus, when we know admin credentials for the remote domain, we can
>>>>>>>>perform the trust validation.
>>>>>>>>
>>>>>>>>https://fedorahosted.org/freeipa/ticket/2763
>>>>>>>>
>>>>>>>
>>>>>>>Just a short feedback. The patch is working as expected, for a newly
>>>>>>>created trust Windows will send a TGS request to the IPA KDC without
>>>>>>>explicit validation on the windows side. Currently I have some issues
>>>>>>>in my test setup so that I can not give a full ACK atm.
>>>>>>>
>>>>>>
>>>>>>ok, ACK.
>>>>>>
>>>>>>Nevertheless it would be nice if Petr can check for any
>>>>>>implications to
>>>>>>the web UI with respect to the status of the trust.
>>>>>
>>>>>It shouldn't break the Web UI, but the Web UI won't use it. In the add
>>>>>command the Web UI uses only the command state (success/error). If the
>>>>>truststatus text were part of the command summary text, it could be
>>>>>displayed in the notification message (which fades after 3s) once
>>>>>comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is
>>>>>implemented.
>>>>It is displayed as part of the output, truststatus property:
>>>># ipa trust-add --type=ad --admin Administrator at ad.local --password
>>>>ad.local
>>>>Active directory domain adminstrator's password:
>>>>-------------------------------------------------
>>>>Added Active Directory trust for realm "ad.local"
>>>>-------------------------------------------------
>>>>  Realm name: ad.local
>>>>  Domain NetBIOS name: AD
>>>>  Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
>>>>  Trust direction: Two-way trust
>>>>  Trust type: Active Directory domain
>>>>  Trust status: Established and verified
>>>>
>>>>It would be good if you could take it into use.
>>>
>>>I created a patch which uses it. See the attached screenshots. It may be
>>>useful but, as I wrote, the message is displayed only for 3s, so some
>>>users might not have time to read it in full - the message is too long.
>>Well, as we don't have other means to show this information right now,
>>that's good too. Maybe the notification message timer could be made
>>tunable per instance? Then we could have, say, a 5 second timeout here
>>and keep 3 seconds as the default...
>>
>
>I tuned it. Updated patch attached.
ACK. Worked fine for me.

-- 
/ Alexander Bokovoy
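As an added illustration of the Web UI behaviour discussed in this thread (a notification built from the command summary plus the truststatus property, with a per-instance timeout instead of the fixed 3 s default), here is a small hypothetical helper. It is example code written for this page, not the attached FreeIPA patch or the FreeIPA Web UI's own notification code; the response object is a constructed sample shaped after the CLI output above, and the function and field names other than `summary` and `truststatus` are assumptions.

```javascript
// Added example (not FreeIPA's own Web UI code): build a notification from an
// `ipa trust-add` response and dismiss it after a per-instance timeout.

// Default notification lifetime in milliseconds (the 3 s mentioned in the
// thread). Callers may pass a longer timeout for long messages such as the
// trust-add summary with its trust status line.
const DEFAULT_TIMEOUT_MS = 3000;

// Constructed sample response, shaped after the CLI output quoted above.
// Only `summary` and `truststatus` come from the thread; the nesting under
// `result` is an assumption about the response layout.
const SAMPLE_TRUST_ADD_RESPONSE = {
  summary: 'Added Active Directory trust for realm "ad.local"',
  result: {
    truststatus: ['Established and verified'],
  },
};

// Extract the trust status, accepting either a single string or the
// one-element array form in which multi-valued attributes are usually
// returned (assumption).
function trustStatusOf(response) {
  const raw = response && response.result && response.result.truststatus;
  if (Array.isArray(raw)) return raw.length > 0 ? String(raw[0]) : undefined;
  return raw === undefined || raw === null ? undefined : String(raw);
}

// Build the notification text from the command summary and, when present,
// the trust status. `timeoutMs` overrides the default lifetime per instance.
function buildTrustNotification(response, timeoutMs) {
  const lines = [];
  if (response && response.summary) lines.push(String(response.summary));
  const status = trustStatusOf(response);
  if (status !== undefined) lines.push('Trust status: ' + status);
  return {
    message: lines.join('\n'),
    timeoutMs: Number.isInteger(timeoutMs) && timeoutMs > 0 ? timeoutMs : DEFAULT_TIMEOUT_MS,
  };
}

// Minimal notification queue. The scheduler is injectable so the dismissal
// timing can be checked without real timers.
class NotificationQueue {
  constructor(scheduler) {
    this.schedule = scheduler || ((fn, ms) => setTimeout(fn, ms));
    this.active = [];
  }

  // Show a notification and schedule its removal after its own timeout.
  show(notification) {
    const entry = { message: notification.message, timeoutMs: notification.timeoutMs, dismissed: false };
    this.active.push(entry);
    this.schedule(() => {
      entry.dismissed = true;
      this.active = this.active.filter((e) => e !== entry);
    }, entry.timeoutMs);
    return entry;
  }
}

// Stand-alone run: the trust-add message gets the longer 5 s lifetime
// proposed in the thread, while other notifications keep the 3 s default.
if (typeof require !== 'undefined' && require.main === module) {
  const queue = new NotificationQueue();
  const shown = queue.show(buildTrustNotification(SAMPLE_TRUST_ADD_RESPONSE, 5000));
  console.log(shown.message + '\n(visible for ' + shown.timeoutMs + ' ms)');
}

module.exports = { DEFAULT_TIMEOUT_MS, SAMPLE_TRUST_ADD_RESPONSE, trustStatusOf, buildTrustNotification, NotificationQueue };
```

The timeout lives on the notification object rather than on the queue, so a single call site (here, the trust-add success handler) can ask for 5 s without changing the 3 s behaviour of every other notification.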
