mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-28 18:01:23 -06:00
3692a1c57f
When ipa-getkeytab is used to fetch trusted domain object credentials, the fetched entry has always kvno 1. ipa-getkeytab always adds a key to keytab which means older key versions will be in the SSSD keytab and will confuse libkrb5 ccache initialization code as all kvno values are equal to 1. Wrong key is picked up then and kinit fails. To solve this problem, always remove existing /var/lib/sss/keytabs/forest.keytab before retrieving a new one. To make sure script's input cannot be used to define what should be removed (by passing a relative path), make sure we retrieve trusted forest name from LDAP. If it is not possible to retrieve, the script will issue an exception and quit. If abrtd is running, this will be recorded as a 'crash' and an attempt to use script by malicious user would be recorded as well in the abrtd journal. Additionally, as com.redhat.idm.trust-fetch-domains will create ID ranges for the domains of the trusted forest if they don't exist, it needs permissions to do so. The permission should be granted only to cifs/ipa.master@IPA.REALM services which means they must have krbprincipalname=cifs/*@IPA.REALM,cn=services,... DN and be members of cn=adtrust agents,cn=sysaccounts,... group. Solves https://bugzilla.redhat.com/show_bug.cgi?id=1250190 Ticket https://fedorahosted.org/freeipa/ticket/5182 Reviewed-By: Tomas Babej <tbabej@redhat.com> |
||
|---|---|---|
| .. | ||
| 05-pre_upgrade_plugins.update | ||
| 10-config.update | ||
| 10-enable-betxn.update | ||
| 10-rootdse.update | ||
| 10-schema_compat.update | ||
| 10-selinuxusermap.update | ||
| 10-uniqueness.update | ||
| 19-managed-entries.update | ||
| 20-aci.update | ||
| 20-dna.update | ||
| 20-host_nis_groups.update | ||
| 20-indices.update | ||
| 20-nss_ldap.update | ||
| 20-replication.update | ||
| 20-sslciphers.update | ||
| 20-syncrepl.update | ||
| 20-user_private_groups.update | ||
| 20-uuid.update | ||
| 20-winsync_index.update | ||
| 21-ca_renewal_container.update | ||
| 21-certstore_container.update | ||
| 21-replicas_container.update | ||
| 25-referint.update | ||
| 30-provisioning.update | ||
| 30-s4u2proxy.update | ||
| 40-automember.update | ||
| 40-certprofile.update | ||
| 40-delegation.update | ||
| 40-dns.update | ||
| 40-otp.update | ||
| 40-realm_domains.update | ||
| 40-replication.update | ||
| 41-caacl.update | ||
| 45-roles.update | ||
| 50-7_bit_check.update | ||
| 50-dogtag10-migration.update | ||
| 50-groupuuid.update | ||
| 50-hbacservice.update | ||
| 50-ipaconfig.update | ||
| 50-krbenctypes.update | ||
| 50-lockout-policy.update | ||
| 50-nis.update | ||
| 55-pbacmemberof.update | ||
| 59-trusts-sysacount.update | ||
| 60-trusts.update | ||
| 61-trusts-s4u2proxy.update | ||
| 62-ranges.update | ||
| 71-idviews.update | ||
| 72-domainlevels.update | ||
| 90-post_upgrade_plugins.update | ||
| Makefile.am | ||
| README | ||
The update files are sorted before being processed because there are cases where order matters (such as getting schema added first, creating parent entries, etc). Updates are applied in blocks of ten so that any entries that are dependant on another can be added successfully without having to rely on the length of the DN to get the sorting correct. The file names should use the format #-<description>.update where # conforms to this: 10 - 19: Configuration 20 - 29: 389-ds configuration, new indices 30 - 39: Structual elements of the DIT 40 - 49: Pre-loaded data 50 - 59: Cleanup existing data 60 - 69: AD Trust 70 - 79: Reserved 80 - 89: Reserved These numbers aren't absolute, there may be reasons to put an update into one place or another, but by adhereing to the scheme it will be easier to find existing updates and know where to put new ones.