#8067 add default access control configuration to trusted domain objects
Closed: fixed 4 years ago by tdudlak. Opened 4 years ago by abbra.

It looks like for some cases we do not have a properly set up keytab retrieval configuration in the old trusted domain object. This mostly affects two-way trust cases. In such cases, we need to create the default configuration that ipasam would have created when the trust was established.

Recently we migrated old-style trusted domain objects to a new style to support one-way trust with a shared secret. We had to change all configurations to use trusted domain object credentials instead of relying on a working cross-realm trust ticket in the two-way trust case. The latter helps us against the tightening of unconditional ticket delegation across cross-forest trusts (after https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server), which would otherwise have prevented RHEL IdM trust to AD from working for two-way trust at all.

I submitted a pull request upstream that adds a default access control to new objects: https://github.com/freeipa/freeipa/pull/3643

Metadata Update from @abbra:
- Issue assigned to abbra

4 years ago

master:

  • 9aeb6ba add default access control when migrating trust objects
  • 0be9888 adtrust: add default read_keys permission for TDO objects

ipa-4-8:

  • 0deea83 add default access control when migrating trust objects
  • b32510d adtrust: add default read_keys permission for TDO objects

Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

ipa-4-7:

  • cf23e73 add default access control when migrating trust objects
  • df19bf5 adtrust: add default read_keys permission for TDO objects

ipa-4-6:

  • 5741e03 add default access control when migrating trust objects
  • b764b38 adtrust: add default read_keys permission for TDO objects
  • 582e7a3 Disable deprecated-lambda check in adtrust upgrade code

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1751707

4 years ago
4 years ago
