[Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 14 16:37:19 UTC 2013


On Thu, 14 Feb 2013, Tomas Babej wrote:
>>>>> + Str('ipanttrusteddomainname?',
>>>>> + cli_name='dom_name',
>>>>> + flags=('no_search', 'virtual_attribute'),
>>>>> + label=_('Name of the trusted domain'),
>>>>> + ),
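Review bot: `cli_name='dom_name'` is exposed to users as `--dom-name` (the CLI maps underscores to hyphens), so any error text that refers to this option or its `dom_sid` counterpart must quote the hyphenated CLI spelling rather than the internal name; the same applies to messages shown in the Web UI. Since the option is optional (`?`) and `dom_sid` remains available, the mutual exclusion of the two should be checked up front, before any attempt to resolve the name, and the new option needs a matching API.txt entry for `make rpms` to pass.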
>>>> New option is added but API.txt wasn't changed. As a result, 'make rpms'
>>>> does not work.
>>>> 
>>>> Could you please fix the patch and re-send it?
>>>> 
>>> Sorry about that.
>>> 
>>> Updated patch attached.
>> I have one small question regarding use of dom_sid/dom_name.
>> 
>> If both dom_sid and dom_name were specified, failing to resolve dom_name
>> would force command to raise exception.
>> 
>> I'm not sure this is right behavior. Probably we should detect that both
>> dom_sid and dom_name were specified and bail out earlier so that only
>> one of them is accepted. That would be clearer to users, wouldn't it
> Sure, I definitely agree on that point. I added the check to idrange-add and
> idrange-mod. Also, the patch needed a rebase to apply on the current master.
I tried to play with various scenarios and one thing I noticed is
that we refer to dom_sid and dom_name in the error messages as they are
named internally. CLI replaces underscore by hyphen (_ -> -) and therefore
this error message becomes wrong -- you cannot specify --dom_sid, this
option is unknown to CLI.

In Web UI this would also mean an error message pointing to a non-existing
option. Perhaps it would be reasonable to name the options '--name' and
'--sid'? We don't have any clash there:
-------------------------------------------------------------------------
# ipa idrange-mod --help
Usage: ipa [global-options] idrange-mod NAME [options]

Positional arguments:
   NAME                  Range name

Options:
   -h, --help            show this help message and exit
   --base-id=INT         First Posix ID of the range
   --range-size=INT      Number of IDs in the range
   --rid-base=INT        First RID of the corresponding RID range
   --secondary-rid-base=INT
                         First RID of the secondary RID range
   --dom-sid=STR         Domain SID of the trusted domain
   --dom-name=STR        Name of the trusted domain
   --setattr=STR         Set an attribute to a name/value pair. Format is
                         attr=value. For multi-valued attributes, the command
                         replaces the values already present.
   --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                         attribute must be part of the schema.
   --delattr=STR         Delete an attribute/value pair. The option will be
                         evaluated last, after all sets and adds.
   --rights              Display the access rights of this entry (requires
                         --all). See ipa man page for details.
   --all                 Retrieve and print all attributes from the server.
                         Affects command output.
   --raw                 Print entries as stored on the server. Only affects
                         output format.
-------------------------------------------------------------------------

So, if --name and --sid were used, an error message would become
----------------------------------------------------------------------
# ipa idrange-mod AD.LAN_id_range --dom-name foo.bar
ipa: ERROR: invalid 'ID Range setup': SID for the specified trusted
domain name could not be found. Please specify the SID directly using
--sid option.
----------------------------------------------------------------------


Additionally, there is an error when the SID of an object within the domain
is specified. The last RID of the SID represents an object within the domain
and we generally need to be careful allowing it in the place where
a domain SID is specified:

# ipa idrange-mod AD.LAN_id_range --dom-sid S-1-5-21-3502988750-125904550-3683905862-1
-----------------------------------
Modified ID range "AD.LAN_id_range"
-----------------------------------
   Range name: AD.LAN_id_range
   First Posix ID of the range: 1442800000
   Number of IDs in the range: 200000
   First RID of the corresponding RID range: 0
   Domain SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
   Range type: Active Directory domain range

Now this range is completely unusable due to the fact that there is no
way to match the domain SID against the range.

I think we need to make the check against established trusts more
strict and only allow exact match.

-- 
/ Alexander Bokovoy
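The three checks discussed in this message (one of --dom-sid/--dom-name only, name resolved against established trusts, and a SID accepted only on an exact match so that an object SID such as S-1-5-21-...-1 is rejected) as an added, self-contained example. This is illustrative code written for this page, not FreeIPA's own implementation; the `TRUSTS` table is a constructed sample, and `resolve_range_domain`, `is_domain_sid`, `object_sid_domain` and `cli_option` are hypothetical helper names.

```python
"""Hypothetical validation of idrange --dom-sid / --dom-name (not FreeIPA code)."""
from __future__ import annotations

from typing import Optional

# Constructed sample of established trusts: domain SID -> domain name.
# The values are illustrative only and do not refer to any real forest.
TRUSTS = {
    "S-1-5-21-3502988750-125904550-3683905862": "ad.lan",
    "S-1-5-21-1111111111-2222222222-3333333333": "corp.example",
}


def cli_option(internal_name: str) -> str:
    """Render an internal option name the way the CLI exposes it (dom_sid -> --dom-sid)."""
    return "--" + internal_name.replace("_", "-")


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Parse 'S-1-<authority>-<sub>-...' into (authority, subauthorities).

    Rejects anything that is not a canonical SID string: wrong prefix, missing
    subauthorities, non-digit or non-canonical components (e.g. '01', '+1'),
    or values outside the 48-bit authority / 32-bit subauthority ranges.
    """
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID: %r" % sid)
    if not all(p.isdigit() for p in parts[2:]) or any(p != str(int(p)) for p in parts[2:]):
        raise ValueError("malformed SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if authority > 0xFFFFFFFFFFFF or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("SID component out of range: %r" % sid)
    return authority, subs


def is_domain_sid(sid: str) -> bool:
    """True only for a domain SID: S-1-5-21-X-Y-Z (exactly three domain subauthorities)."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) == 4 and subs[0] == 21


def object_sid_domain(sid: str) -> Optional[tuple[str, int]]:
    """If sid is an object SID inside an S-1-5-21 domain, return (domain SID, RID)."""
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4]
    return None


def resolve_range_domain(dom_sid: Optional[str] = None,
                         dom_name: Optional[str] = None,
                         trusts: dict[str, str] = TRUSTS) -> str:
    """Return the trusted domain SID an ID range should be bound to, or raise ValueError.

    Error messages name the options as the CLI spells them (cli_option), not internally.
    """
    if dom_sid is not None and dom_name is not None:
        raise ValueError("%s and %s are mutually exclusive; specify only one of them"
                         % (cli_option("dom_sid"), cli_option("dom_name")))
    if dom_sid is None and dom_name is None:
        raise ValueError("one of %s or %s is required"
                         % (cli_option("dom_sid"), cli_option("dom_name")))

    if dom_name is not None:
        for sid, name in trusts.items():
            if name.lower() == dom_name.lower():
                return sid
        raise ValueError("SID for the specified trusted domain name could not be found; "
                         "specify the SID directly using %s" % cli_option("dom_sid"))

    # SID path: exact match against established trusts only. A SID with one
    # extra RID (an object inside the domain) is not a domain SID and is refused.
    if not is_domain_sid(dom_sid):
        inside = object_sid_domain(dom_sid)
        hint = ""
        if inside is not None and inside[0] in trusts:
            hint = " (looks like RID %d inside trusted domain %s)" % (inside[1], inside[0])
        raise ValueError("%s is not a domain SID%s" % (dom_sid, hint))
    if dom_sid not in trusts:
        raise ValueError("%s does not match any established trust" % dom_sid)
    return dom_sid


def rejection(**options) -> Optional[str]:
    """Return the validation error message for the given options, or None if accepted."""
    try:
        resolve_range_domain(**options)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(resolve_range_domain(dom_name="AD.LAN"))
    print(rejection(dom_sid="S-1-5-21-3502988750-125904550-3683905862-1"))
    print(rejection(dom_sid="S-1-5-21-3502988750-125904550-3683905862", dom_name="ad.lan"))
```

Run stand-alone it accepts the domain name, refuses the object SID with a hint naming the RID and the trusted domain it belongs to, and refuses the combination of both options before any lookup happens.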
