[freeipa PR#2926][opened] support shared secret trust established from Active Directory domain controller side
by abbra
URL: https://github.com/freeipa/freeipa/pull/2926
Author: abbra
Title: #2926: support shared secret trust established from Active Directory domain controller side
Action: opened
PR body:
"""
FreeIPA does support trust to an Active Directory forest. The trust can be
established using administrative credentials from the forest root domain or
using a so-called shared secret. In the latter case no administrative access is
given to the remote side of the trust and each administrator performs their
configuration separately: FreeIPA administrator configures IPA side, Active
Directory administrator adds IPA forest as a trusted one on the Active
Directory side.
For trust to be active, one needs to validate it. Validation process includes a
sequence of DCE RPC calls that force a domain controller on the trusted side
to establish a so-called "secure channel" to a remote domain controller in the
trusting domain. This is an administrative operation and requires
administrative privileges to activate. If trust was established using a shared
secret, IPA side will lack ability to initiate a validation process.
At the same time, FreeIPA 4.6 or earlier versions do not include functionality
to allow a remote validation from Active Directory to happen before trust
objects are created and SSSD can retrieve information from the Active Directory
side. Unfortunately, the latter is not possible until trust is validated.
The purpose of this design is to extend FreeIPA setup to allow trust validation
to be initiated from Windows UI in case a shared secret is used to create a
trust agreement.
TODO: while this code is useful as it is, there is no way to force AD DC to pull forest trust information from IPA DC side. This is due to the fact that Samba does not implement a required RPC call in the mode used by IPA. We need to implement a command that would allow pushing the forest trust topology from IPA side but this command requires administrative privileges on AD side which makes the situation a bit weird for a shared-secret trust.
A lack of forest trust topology update does not prevent resolving users through the trust link. It only prevents single sign-on from Windows side to IPA resources using GSSAPI. Password-based authentication works fine.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2926/head:pr2926
git checkout pr2926
5 years
[freeipa PR#2938][opened] Refactor container_masters queries
by tiran
URL: https://github.com/freeipa/freeipa/pull/2938
Author: tiran
Title: #2938: Refactor container_masters queries
Action: opened
PR body:
"""
Refactor for hidden replica PR #2927. All APIs that look for masters and services are now going through a set of well-defined APIs and use ``api.env.container_masters``.
## Use api.env.container_masters
Replace occurrences of ``('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc')`` with ``api.env.container_masters``.
## Consolidate container_masters queries
Replace manual queries of ``container_masters`` with new APIs ``get_masters()`` and ``is_service_enabled()``.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2938/head:pr2938
git checkout pr2938
5 years
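The refactor above centralises two things: where the masters container lives (``api.env.container_masters`` instead of a hard-coded RDN tuple) and how it is queried (``get_masters()`` / ``is_service_enabled()`` instead of ad-hoc searches). The block below is an added, self-contained illustration of that shape, written for this digest; it is not FreeIPA's code and does not use ipalib. It models the container as an in-memory dict of DN to attributes (constructed sample data), assumes per-server entries ``cn=<fqdn>,cn=masters,cn=ipa,cn=etc,$SUFFIX`` with per-service children ``cn=<SERVICE>,cn=<fqdn>,...`` whose ``ipaConfigString`` holds ``enabledService`` when the service is active, and treats a ``hiddenService`` marker (my assumption, in the spirit of the hidden replica work the PR prepares for) as running but not advertised. The ``Env`` class, the ``masters_with_service()`` helper and the service-state names are assumptions for the example, and DNs are assumed to contain no escaped commas.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Env:
    """Stand-in for api.env (constructed for this example, not ipalib's class)."""
    basedn: str = "dc=ipa,dc=example,dc=test"

    @property
    def container_masters(self) -> str:
        # The one place that knows where the masters container lives.
        return "cn=masters,cn=ipa,cn=etc," + self.basedn


# ipaConfigString markers. 'enabledService' is FreeIPA's; 'hiddenService' and
# the semantics below are assumptions made for this example.
ENABLED = "enabledService"
HIDDEN = "hiddenService"

Entries = Dict[str, Dict[str, List[str]]]

# Constructed sample directory content (not a dump of a real server).
SUFFIX = "dc=ipa,dc=example,dc=test"
MASTERS = "cn=masters,cn=ipa,cn=etc," + SUFFIX
SAMPLE_ENTRIES: Entries = {
    MASTERS: {"objectClass": ["nsContainer"]},
    "cn=ipa1.ipa.example.test," + MASTERS: {"objectClass": ["nsContainer"]},
    "cn=CA,cn=ipa1.ipa.example.test," + MASTERS: {"ipaConfigString": [ENABLED, "caRenewalMaster"]},
    "cn=KDC,cn=ipa1.ipa.example.test," + MASTERS: {"ipaConfigString": [ENABLED]},
    "cn=DNS,cn=ipa1.ipa.example.test," + MASTERS: {"ipaConfigString": [ENABLED]},
    "cn=ipa2.ipa.example.test," + MASTERS: {"objectClass": ["nsContainer"]},
    # CA installed on ipa2 but not enabled: must not count as an enabled CA.
    "cn=CA,cn=ipa2.ipa.example.test," + MASTERS: {"ipaConfigString": ["configuredService"]},
    "cn=KDC,cn=ipa2.ipa.example.test," + MASTERS: {"ipaConfigString": [ENABLED]},
    "cn=ipa3.ipa.example.test," + MASTERS: {"objectClass": ["nsContainer"]},
    "cn=CA,cn=ipa3.ipa.example.test," + MASTERS: {"ipaConfigString": [HIDDEN]},
    "cn=KDC,cn=ipa3.ipa.example.test," + MASTERS: {"ipaConfigString": [HIDDEN]},
    # Decoy with the same RDN layout under a different suffix: must be ignored.
    "cn=stale.ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=old,dc=example,dc=test": {},
}


def _split_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased RDN strings (DN matching is case-insensitive)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def _rdns_below(dn: str, container: str) -> Optional[List[str]]:
    """RDNs of dn that sit below container, or None if dn is not under it."""
    parts, base = _split_dn(dn), _split_dn(container)
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return None
    return parts[:-len(base)]


def get_masters(entries: Entries, env: Env) -> List[str]:
    """FQDNs of every server recorded directly under env.container_masters."""
    masters = []
    for dn in entries:
        rdns = _rdns_below(dn, env.container_masters)
        if rdns is not None and len(rdns) == 1 and rdns[0].startswith("cn="):
            masters.append(rdns[0][len("cn="):])
    return sorted(masters)


def _service_state(entries: Entries, env: Env, service: str, host: str) -> Set[str]:
    """ipaConfigString values of cn=<service>,cn=<host>,<container>, if present."""
    wanted = _split_dn("cn=%s,cn=%s,%s" % (service, host, env.container_masters))
    for dn, attrs in entries.items():
        if _split_dn(dn) == wanted:
            return set(attrs.get("ipaConfigString", []))
    return set()


def masters_with_service(entries: Entries, env: Env, service: str,
                         include_hidden: bool = False) -> List[str]:
    """Masters advertising service; hidden ones only when explicitly asked for."""
    accept = {ENABLED, HIDDEN} if include_hidden else {ENABLED}
    return [h for h in get_masters(entries, env)
            if _service_state(entries, env, service, h) & accept]


def is_service_enabled(entries: Entries, env: Env, service: str,
                       host: Optional[str] = None) -> bool:
    """True if service is enabled on host, or on any master when host is None."""
    hosts = [host] if host else get_masters(entries, env)
    return any(ENABLED in _service_state(entries, env, service, h) for h in hosts)


if __name__ == "__main__":
    env = Env()
    print("masters:", get_masters(SAMPLE_ENTRIES, env))
    print("CA enabled anywhere:", is_service_enabled(SAMPLE_ENTRIES, env, "CA"))
    print("CA masters (incl. hidden):",
          masters_with_service(SAMPLE_ENTRIES, env, "CA", include_hidden=True))
```

Callers never spell out the container RDNs themselves, so a suffix change (``Env(basedn="dc=old,dc=example,dc=test")``) or a new service state only has to be handled in one place, which is the point of routing all masters lookups through a small, well-defined API.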