[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command

Martin Kosek mkosek at redhat.com
Fri Jan 18 17:24:49 UTC 2013


How this works:
   1. When a trusted domain user is tested, AD GC is searched
      for the user entry Distinguished Name
   2. The user entry is then read from AD GC and its SID and SIDs
      of all its assigned groups (tokenGroups attribute) are retrieved
   3. The SIDs are then used to search IPA LDAP database to find
      all external groups which have any of these SIDs as external
      members
   4. All groups having these groups as direct or indirect
      members are added to hbactest, allowing it to perform the search

LIMITATIONS:
- user SID in hbactest --user parameter is not supported
- only Trusted Admins group members can use this function, as it
   uses the secret for the IPA-trusted domain link
- List of group SIDs does not contain group memberships outside
   of the trusted domain

https://fedorahosted.org/freeipa/ticket/2997

------------------------

There are also two patches changing the current dcerpc.py code to make it usable
both for group-add-member trusted domain user resolution and for the trusted
domain user hbactest.

Example of the new hbactest ability:
# ipa hbacrule-show can_login
   Rule name: can_login
   Host category: all
   Source host category: all
   Enabled: TRUE
   User Groups: admins, ad_test_admins
   Services: login, sshd
# ipa group-show ad_test_admins
   Group name: ad_test_admins
   Description: AD.TEST admins
   GID: 179000011
   Member groups: ext_all_admins
   Member of HBAC rule: can_login
# ipa group-show ext_all_admins
   Group name: ext_all_admins
   Description: All AD.TEST admins
   Member of groups: ad_test_admins
   Indirect Member of HBAC rule: can_login
   External member: S-1-5-21-3035198329-144811719-1378114514-512

# ipa hbactest --user='AD\Administrator' --host=`hostname` --service=sshd
--------------------
Access granted: True
--------------------
   Matched rules: can_login

There may still be dragons, I am sending what I have now, still need to run 
more tests.

Martin
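Added illustration, not part of Martin's patches or of the FreeIPA code: a Python simulation of steps 2 to 4 above, using the group nesting and HBAC rule from the example session. It assumes the user's tokenGroups SIDs have already been fetched from the AD GC and constructs them inline in AD's binary SID encoding; the external group, membership and rule tables are constructed sample data.

```python
import struct
from collections import deque

def sid_to_str(blob):
    """Decode the binary SID layout AD returns in objectSid/tokenGroups:
    revision, sub-authority count, 48-bit big-endian identifier authority,
    then 32-bit little-endian sub-authorities."""
    rev, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("truncated or padded SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def sid_bytes(*subs):
    # Helper to construct sample SIDs under authority 5 (NT) for this example.
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

DOMAIN = (21, 3035198329, 144811719, 1378114514)
# Constructed sample of what step 2 would return for AD\Administrator:
# the user SID plus tokenGroups (Domain Admins -512, Domain Users -513).
SAMPLE_SIDS = [sid_bytes(*DOMAIN, 500), sid_bytes(*DOMAIN, 512), sid_bytes(*DOMAIN, 513)]

# Constructed IPA side, mirroring the group-show output in the mail.
EXTERNAL_MEMBERS = {"ext_all_admins": {"S-1-5-21-3035198329-144811719-1378114514-512"}}
MEMBER_OF = {"ext_all_admins": {"ad_test_admins"}, "ad_test_admins": set()}
HBAC_RULES = {"can_login": {"usergroups": {"admins", "ad_test_admins"},
                            "services": {"login", "sshd"}, "hostcat": "all"}}

def resolve_ipa_groups(sid_blobs):
    """Steps 3 and 4: external groups holding any of the SIDs, then every
    IPA group that has them as a direct or indirect member."""
    sids = {sid_to_str(b) for b in sid_blobs}
    found = {g for g, ext in EXTERNAL_MEMBERS.items() if ext & sids}
    queue = deque(found)
    while queue:
        for parent in MEMBER_OF.get(queue.popleft(), ()):
            if parent not in found:
                found.add(parent)
                queue.append(parent)
    return found

def matching_rules(groups, service):
    """Simplified hbactest: host category 'all', match on user group and service."""
    return sorted(name for name, r in HBAC_RULES.items()
                  if r["hostcat"] == "all" and service in r["services"]
                  and groups & r["usergroups"])

if __name__ == "__main__":
    groups = resolve_ipa_groups(SAMPLE_SIDS)
    print("Access granted:", bool(matching_rules(groups, "sshd")), matching_rules(groups, "sshd"))
```

Only the Domain Admins SID maps to an external group here, so Domain Users membership (-513) does not grant anything, matching the limitation that memberships are only resolved through IPA external groups.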
Attachments:
- freeipa-mkosek-352-generalize-ad-gc-search.patch (text/x-patch, 10514 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130118/092c40c0/attachment.bin>
- freeipa-mkosek-353-do-not-hide-sid-resolver-error-in-group-add-member.patch (text/x-patch, 1378 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130118/092c40c0/attachment-0001.bin>
- freeipa-mkosek-354-add-support-for-ad-users-to-hbactest-command.patch (text/x-patch, 8041 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130118/092c40c0/attachment-0002.bin>