[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command

Simo Sorce simo at redhat.com
Sat Jan 19 18:35:28 UTC 2013


On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
> How this works:
>    1. When a trusted domain user is tested, AD GC is searched
>       for the user entry Distinguished Name

My head is not clear today but it looks to me you are doing 2 searches.
One to go from samAccountName -> DN, then a second for DN -> SID.

Why are you doing 2 searches? The first one can return you the
ObjectSid already.

Simo.

>    2. The user entry is then read from AD GC and its SID and SIDs
>       of all its assigned groups (tokenGroups attribute) are retrieved
>    3. The SIDs are then used to search IPA LDAP database to find
>       all external groups which have any of these SIDs as external
>       members
>    4. All these groups having these groups as direct or indirect
>       members are added to hbactest allowing it to perform the search
> 
> LIMITATIONS:
> - user SID in hbactest --user parameter is not supported
> - only Trusted Admins group members can use this function as it
>    uses secret for IPA-Trusted domain link
> - List of group SIDs does not contain group memberships outside
>    of the trusted domain
> 
> https://fedorahosted.org/freeipa/ticket/2997
> 
> ------------------------
> 
> There are also 2 patches changing current dcerpc.py code to make it usable both 
> for group-add-member trusted domain user resolution and also for purposes of 
> the trusted domain user hbactest.
> 
> Example of the new hbactest ability:
> # ipa hbacrule-show can_login
>    Rule name: can_login
>    Host category: all
>    Source host category: all
>    Enabled: TRUE
>    User Groups: admins, ad_test_admins
>    Services: login, sshd
> # ipa group-show ad_test_admins
>    Group name: ad_test_admins
>    Description: AD.TEST admins
>    GID: 179000011
>    Member groups: ext_all_admins
>    Member of HBAC rule: can_login
> # ipa group-show ext_all_admins
>    Group name: ext_all_admins
>    Description: All AD.TEST admins
>    Member of groups: ad_test_admins
>    Indirect Member of HBAC rule: can_login
>    External member: S-1-5-21-3035198329-144811719-1378114514-512
> 
> # ipa hbactest --user='AD\Administrator' --host=`hostname` --service=sshd
> --------------------
> Access granted: True
> --------------------
>    Matched rules: can_login
> 
> There may still be dragons, I am sending what I have now, still need to run 
> more tests.
> 
> Martin


-- 
Simo Sorce * Red Hat, Inc * New York
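The SID handling behind steps 2 and 3 of the quoted description, as an added example that is not code from the patches under review: it decodes the binary objectSid/tokenGroups values AD returns into S-1-5-... strings and builds the IPA LDAP filter that finds external groups holding any of them, validating each SID string before it is interpolated so an unexpected attribute value cannot change the filter structure. The attribute name ipaExternalMember and object class ipaExternalGroup are assumed from FreeIPA's external group schema; the AD entry is constructed from the group SID shown in the example above.

```python
import re
import struct

SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

def sid_to_str(blob: bytes) -> str:
    """Decode the binary SID format AD returns for objectSid and tokenGroups:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("malformed SID header")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))

def str_to_sid(text: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the constructed sample data."""
    if not SID_RE.match(text):
        raise ValueError("not a SID string: %r" % text)
    parts = [int(p) for p in text.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def external_member_filter(sids) -> str:
    """Step 3: IPA search for external groups holding any of these SIDs. Values
    are validated against SID_RE instead of escaped, so only well-formed SIDs
    ever reach the filter string."""
    valid = sorted({s for s in sids if SID_RE.match(s)})
    if not valid:
        raise ValueError("no well-formed SIDs to search for")
    clauses = "".join("(ipaExternalMember=%s)" % s for s in valid)
    return "(&(objectClass=ipaExternalGroup)(|%s))" % clauses

# Constructed AD entry: objectSid plus tokenGroups (tokenGroups is a constructed
# attribute that AD returns only on a base-scope read of the user's own DN).
USER_SID = "S-1-5-21-3035198329-144811719-1378114514-500"
ADMINS_SID = "S-1-5-21-3035198329-144811719-1378114514-512"
AD_ENTRY = {"objectSid": [str_to_sid(USER_SID)],
            "tokenGroups": [str_to_sid(ADMINS_SID), str_to_sid("S-1-5-32-544")]}

def sids_for_entry(entry) -> list:
    """Step 2: the user's own SID followed by the SIDs of its token groups."""
    blobs = entry["objectSid"] + entry.get("tokenGroups", [])
    return [sid_to_str(b) for b in blobs]
```

`external_member_filter(sids_for_entry(AD_ENTRY))` yields the filter that would match the ext_all_admins group from the example, since its external member SID is among the token groups.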



