[Freeipa-devel] [PATCH] 0073 Add trust verification code

Rob Crittenden rcritten at redhat.com
Tue Sep 18 18:42:32 UTC 2012


Alexander Bokovoy wrote:
> On Tue, 18 Sep 2012, Petr Vobornik wrote:
>> On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
>>> On Tue, 18 Sep 2012, Petr Vobornik wrote:
>>>> On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
>>>>> On Tue, 18 Sep 2012, Petr Vobornik wrote:
>>>>>> On 09/18/2012 02:15 PM, Sumit Bose wrote:
>>>>>>> On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
>>>>>>>> On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Following patch adds trust verification sequence to the case
>>>>>>>>> when we
>>>>>>>>> establish trust with knowledge of AD administrative credentials.
>>>>>>>>>
>>>>>>>>> As we found out, in order to validate/verify trust, one has to
>>>>>>>>> have
>>>>>>>>> administrative credentials for the trusted domain, since there are
>>>>>>>>> few RPCs that should be performed against trusted domain's DC's
>>>>>>>>> LSA
>>>>>>>>> and NetLogon pipes and these are protected by administrative
>>>>>>>>> credentials.
>>>>>>>>>
>>>>>>>>> Thus, when we know admin credentials for the remote domain, we can
>>>>>>>>> perform the trust validation.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2763
>>>>>>>>>
>>>>>>>>
>>>>>>>> Just a short feedback. The patch is working as expected, for a
>>>>>>>> newly
>>>>>>>> created trust Windows will send a TGS request to the IPA KDC
>>>>>>>> without
>>>>>>>> explicit validation on the windows side. Currently I have some
>>>>>>>> issues
>>>>>>>> in my test setup so that I can not give a full ACK atm.
>>>>>>>>
>>>>>>>
>>>>>>> ok, ACK.
>>>>>>>
>>>>>>> Nevertheless it would be nice if Petr can check for any
>>>>>>> implications to
>>>>>>> the web UI with respect to the status of the trust.
>>>>>>
>>>>>> It shouldn't break Web UI but Web UI won't use it. In add command Web
>>>>>> UI uses only the command state (success/error). If the truststatus
>>>>>> text would be a part of command summary text, it can be displayed in
>>>>>> notification message (which fades after 3s) when comment 8 of
>>>>>> https://fedorahosted.org/freeipa/ticket/2977#comment:8 is
>>>>>> implemented.
>>>>> It is displayed as part of the output, truststatus property:
>>>>> # ipa trust-add --type=ad --admin Administrator at ad.local --password
>>>>> ad.local
>>>>> Active directory domain adminstrator's password:
>>>>> -------------------------------------------------
>>>>> Added Active Directory trust for realm "ad.local"
>>>>> -------------------------------------------------
>>>>>  Realm name: ad.local
>>>>>  Domain NetBIOS name: AD
>>>>>  Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
>>>>>  Trust direction: Two-way trust
>>>>>  Trust type: Active Directory domain
>>>>>  Trust status: Established and verified
>>>>>
>>>>> Would be good if you could take it in use.
>>>>
>>>> I created a patch which uses it. See attached screenshots. It may be
>>>> useful but, as I wrote, the message is displayed only for 3s, so some
>>>> users might not have time to read it whole - message is too long.
>>> Well, as we don't have other means to show this information right now,
>>> that's good too. Maybe notification message timer could be possible to
>>> tune per instance? Then we could have, say, 5 seconds timeout here and
>>> keep 3 seconds as default one...
>>>
>>
>> I tuned it. Updated patch attached.
> ACK. Worked fine for me.
>

Pushed 073 and 215.1 to ipa-3-0 and master

rob