freeipa/install/updates/60-trusts.update

dn: cn=trust admins,cn=groups,cn=accounts,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: ipausergroup
default: objectClass: nestedgroup
default: objectClass: ipaobject
default: cn: trust admins
default: description: Trusts administrators group
default: member: uid=admin,cn=users,cn=accounts,$SUFFIX
default: nsAccountLock: FALSE
default: ipaUniqueID: autogenerate

dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: nestedgroup
default: cn: ADTrust Agents
default: description: System accounts able to access trust information
default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX

dn: cn=trusts,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: trusts

# Trust management
# 1. cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX can manage trusts, to allow modification via CIFS
# 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
dn: cn=trusts,$SUFFIX
add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'

# Samba user should be able to read NT passwords to authenticate
# Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
dn: $SUFFIX
add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'

# Add the default PAC type to configuration
dn: cn=ipaConfig,cn=etc,$SUFFIX
addifnew: ipaKrbAuthzData: MS-PAC
Add trust-related ACIs A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731 2012-05-15 12:03:16 -05:00			`dn: cn=trust admins,cn=groups,cn=accounts,$SUFFIX`
			`default: objectClass: top`
			`default: objectClass: groupofnames`
			`default: objectClass: ipausergroup`
			`default: objectClass: nestedgroup`
			`default: objectClass: ipaobject`
			`default: cn: trust admins`
			`default: description: Trusts administrators group`
			`default: member: uid=admin,cn=users,cn=accounts,$SUFFIX`
			`default: nsAccountLock: FALSE`
			`default: ipaUniqueID: autogenerate`

trusts: Allow reading system trust accounts by adtrust agents Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2014-06-24 11:24:32 -05:00			`dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX`
			`default: objectClass: top`
			`default: objectClass: groupofnames`
			`default: objectClass: nestedgroup`
			`default: cn: ADTrust Agents`
			`default: description: System accounts able to access trust information`
			`default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX`

Add trust-related ACIs A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731 2012-05-15 12:03:16 -05:00			`dn: cn=trusts,$SUFFIX`
			`default: objectClass: top`
			`default: objectClass: nsContainer`
			`default: cn: trusts`

			`# Trust management`
			`# 1. cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX can manage trusts, to allow modification via CIFS`
			`# 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)`
			`dn: cn=trusts,$SUFFIX`
Use exop instead of kadmin.local 2012-03-13 08:06:02 -05:00			add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType \|\| ipaNTTrustAttributes \|\| ipaNTTrustDirection \|\| ipaNTTrustPartner \|\| ipaNTFlatName \|\| ipaNTTrustAuthOutgoing \|\| ipaNTTrustAuthIncoming \|\| ipaNTSecurityIdentifier \|\| ipaNTTrustForestTrustInfo \|\| ipaNTTrustPosixOffset \|\| ipaNTSupportedEncryptionTypes \|\| krbPrincipalName \|\| krbLastPwdChange \|\| krbTicketFlags \|\| krbLoginFailedCount \|\| krbExtraData \|\| krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
ipa-sam: do not modify objectclass when trust object already created When trust is established, last step done by IPA framework is to set encryption types associated with the trust. This operation fails due to ipa-sam attempting to modify object classes in trust object entry which is not allowed by ACI. Additionally, wrong handle was used by dcerpc.py code when executing SetInformationTrustedDomain() against IPA smbd which prevented even to reach the point where ipa-sam would be asked to modify the trust object. 2013-09-05 00:13:53 -05:00			replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType \|\| ipaNTTrustAttributes \|\| ipaNTTrustDirection \|\| ipaNTTrustPartner \|\| ipaNTFlatName \|\| ipaNTTrustAuthOutgoing \|\| ipaNTTrustAuthIncoming \|\| ipaNTSecurityIdentifier \|\| ipaNTTrustForestTrustInfo \|\| ipaNTTrustPosixOffset \|\| ipaNTSupportedEncryptionTypes \|\| krbPrincipalName \|\| krbLastPwdChange \|\| krbTicketFlags \|\| krbLoginFailedCount \|\| krbExtraData \|\| krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType \|\| ipaNTTrustAttributes \|\| ipaNTTrustDirection \|\| ipaNTTrustPartner \|\| ipaNTFlatName \|\| ipaNTTrustAuthOutgoing \|\| ipaNTTrustAuthIncoming \|\| ipaNTSecurityIdentifier \|\| ipaNTTrustForestTrustInfo \|\| ipaNTTrustPosixOffset \|\| ipaNTSupportedEncryptionTypes \|\| ipaNTSIDBlacklistIncoming \|\| ipaNTSIDBlacklistOutgoing \|\| krbPrincipalName \|\| krbLastPwdChange \|\| krbTicketFlags \|\| krbLoginFailedCount \|\| krbExtraData \|\| krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
Add SID blacklist attributes Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command. https://fedorahosted.org/freeipa/ticket/3289 2013-02-07 07:59:00 -06:00			replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType \|\| ipaNTTrustAttributes \|\| ipaNTTrustDirection \|\| ipaNTTrustPartner \|\| ipaNTFlatName \|\| ipaNTTrustAuthOutgoing \|\| ipaNTTrustAuthIncoming \|\| ipaNTSecurityIdentifier \|\| ipaNTTrustForestTrustInfo \|\| ipaNTTrustPosixOffset \|\| ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType \|\| ipaNTTrustAttributes \|\| ipaNTTrustDirection \|\| ipaNTTrustPartner \|\| ipaNTFlatName \|\| ipaNTTrustAuthOutgoing \|\| ipaNTTrustAuthIncoming \|\| ipaNTSecurityIdentifier \|\| ipaNTTrustForestTrustInfo \|\| ipaNTTrustPosixOffset \|\| ipaNTSupportedEncryptionTypes \|\| ipaNTSIDBlacklistIncoming \|\| ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
			add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType \|\| ipaNTTrustAttributes \|\| ipaNTTrustDirection \|\| ipaNTTrustPartner \|\| ipaNTFlatName \|\| ipaNTTrustAuthOutgoing \|\| ipaNTTrustAuthIncoming \|\| ipaNTSecurityIdentifier \|\| ipaNTTrustForestTrustInfo \|\| ipaNTTrustPosixOffset \|\| ipaNTSupportedEncryptionTypes \|\| ipaNTSIDBlacklistIncoming \|\| ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
Add trust-related ACIs A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731 2012-05-15 12:03:16 -05:00
			`# Samba user should be able to read NT passwords to authenticate`
Remove ipaNTHash from global allow ACI ipaNTHash contains security sensitive information, it should be hidden just like other password attributes. As a part of preparation for ticket #2511, the ACI allowing global access is also updated to hide DNS zones. https://fedorahosted.org/freeipa/ticket/2856 2012-06-26 11:09:32 -05:00			`# Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule`
Add trust-related ACIs A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731 2012-05-15 12:03:16 -05:00			`dn: $SUFFIX`
Add ACI to allow regenerating ipaNTHash from ipasam ACI was lacking to allow actually writing MagicRegen into ipaNTHash attribute, Part 2 of https://fedorahosted.org/freeipa/ticket/3016 2012-08-22 06:24:33 -05:00			`add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'`
			`remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'`
Add per-service option to store the types of PAC it supports Create a per-service default as well. https://fedorahosted.org/freeipa/ticket/2184 2012-08-01 09:14:11 -05:00
			`# Add the default PAC type to configuration`
			`dn: cn=ipaConfig,cn=etc,$SUFFIX`
			`addifnew: ipaKrbAuthzData: MS-PAC`