[Freeipa-devel] [PATCH] 0080 rewrite SID comparison to take into account different SID forms
Sumit Bose
sbose at redhat.com
Thu Sep 27 11:57:24 UTC 2012
On Tue, Sep 25, 2012 at 05:40:57PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> The domain validator code in ipaserver/dcerpc.py verifies that a SID belongs
> to one of our trusted domains. This verification was expecting that the SID
> is for some resource within a trusted domain and ignored the case when it
> is the SID of the trusted domain, i.e. when the SID has a form like
> S-1-5-21-16904141-148189700-2149043814 rather than
> S-1-5-21-16904141-148189700-2149043814-512 (Domain Admins).
>
> The latter is what the idrange-add command uses.
>
> So comparing SID with SID was done by stripping the last component (RID).
> In the case of idrange-add, stripping the last RID was making a SID that could
> never compare to a trusted domain SID.
>
> Somehow the code worked for me in Fedora and started failing on RHEL6.
>
> --
> / Alexander Bokovoy
ACK
bye,
Sumit
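
The two SID forms described in the quoted mail, as an added Python example that is not the patch and not code from ipaserver/dcerpc.py. The function names and the `TRUSTED` list are hypothetical; the SIDs are the ones quoted above, and only decimal string SIDs are handled.

```python
# Added illustration; all names here are hypothetical, not FreeIPA's.
TRUSTED = ["S-1-5-21-16904141-148189700-2149043814"]  # domain SID quoted in the mail


def parse_sid(sid):
    """Return (revision, authority, sub_authorities) for a decimal string SID."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % sid)
    if not all(p.isdigit() for p in parts[1:]):
        raise ValueError("non-decimal SID component in %r" % sid)
    numbers = [int(p) for p in parts[1:]]
    return numbers[0], numbers[1], tuple(numbers[2:])


def strip_rid_match(sid, trusted=TRUSTED):
    """Comparison as described in the mail: always drop the last component."""
    return sid.rsplit("-", 1)[0] in trusted


def match_trusted_domain(sid, trusted=TRUSTED):
    """Return the trusted domain SID that `sid` equals or sits directly under."""
    rev, auth, subs = parse_sid(sid)
    for domain in trusted:
        d_rev, d_auth, d_subs = parse_sid(domain)
        if (rev, auth) != (d_rev, d_auth):
            continue
        # Form 1: the SID is the domain SID itself, with no RID.
        # Form 2: domain SID plus exactly one RID (a resource in the domain).
        if subs == d_subs or subs[:-1] == d_subs:
            return domain
    return None


if __name__ == "__main__":
    # Constructed inputs: the two SIDs from the mail plus an unrelated one.
    for s in (TRUSTED[0], TRUSTED[0] + "-512", "S-1-5-21-1-2-3-512"):
        print(s, strip_rid_match(s), match_trusted_domain(s))
```

Comparing parsed components rather than string prefixes also keeps a SID with more than one trailing component, or one from a domain whose SID merely starts with the same digits, from being accepted.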