authorAlexander Bokovoy <abokovoy@redhat.com>2015-06-05 12:57:02 +0000
committerAlexander Bokovoy <abokovoy@redhat.com>2015-07-07 11:09:03 +0300
commit3d975c104be2bd68df53617bc82883aa1a001833 (patch)
tree66023bd0ad5aa4c413764688cc392dabe9afad6b /install/oddjob/etc
parent65422777e6721bcf7708805f001eb39016495830 (diff)
trusts: add support for one-way trust and switch to it by default
One-way trust is the default now, use 'trust add --two-way' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546
Diffstat (limited to 'install/oddjob/etc')
-rw-r--r--install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf40
-rw-r--r--install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf21
2 files changed, 61 insertions, 0 deletions
diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
new file mode 100644
index 000000000..2e4c1367b
--- /dev/null
+++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -0,0 +1,40 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+ <!-- Only root can own (provide) the com.redhat.idm.trust service
+ on the system bus. -->
+ <policy user="root">
+ <allow own="com.redhat.idm.trust"/>
+ <allow send_destination="com.redhat.idm.trust"
+ send_path="/"
+ send_interface="com.redhat.idm.trust"
+ send_member="fetch_domains"/>
+ </policy>
+
+ <!-- Allow anyone to call the introspection methods of the "/" object
+ provided by the com.redhat.idm.trust service. -->
+ <policy context="default">
+ <allow send_destination="com.redhat.idm.trust"
+ send_path="/"
+ send_interface="org.freedesktop.DBus.Introspectable"
+ send_member="Introspect"/>
+ <allow send_destination="com.redhat.idm.trust"
+ send_path="/"
+ send_interface="org.freedesktop.DBus.Properties"
+ send_member="GetAll"/>
+ <allow send_destination="com.redhat.idm.trust"
+ send_path="/"
+ send_interface="org.freedesktop.DBus.Properties"
+ send_member="Get"/>
+ </policy>
+
+ <policy user="apache">
+ <allow send_destination="com.redhat.idm.trust"
+ send_path="/"
+ send_interface="com.redhat.idm.trust"
+ send_member="fetch_domains"/>
+ </policy>
+
+</busconfig>
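Review bot: The `<policy user="apache">` block at the end of the file is the actual privilege boundary this commit introduces — an unprivileged web-server uid is granted the right to make a root-owned service run a helper that holds cifs/ipa.master and TDO credentials — yet it carries no comment, while the root policy above it is documented. A compromise of the apache uid therefore buys the ability to trigger fetch_domains at will, which is an accepted design trade-off per the commit message but should be stated where the grant is made. I would add above that policy: `<!-- The IPA web framework runs as "apache" and must be able to request fetch_domains; the helper itself runs as root under oddjobd, so this allow is a deliberate privilege boundary and should stay limited to this one member. -->`. The `context="default"` introspection allows also appear to be broader than what the oddjobd side permits (uid 0 only, with the method commented out), so note in the comment that introspection is expected to fail for non-root callers rather than being a usable surface.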
diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
new file mode 100644
index 000000000..17817de09
--- /dev/null
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<oddjobconfig>
+ <service name="com.redhat.idm.trust">
+ <allow user="root"/>
+ <allow user="apache"/>
+ <object name="/">
+ <interface name="org.freedesktop.DBus.Introspectable">
+ <allow min_uid="0" max_uid="0"/>
+ <!-- <method name="Introspect"/> -->
+ </interface>
+ <interface name="com.redhat.idm.trust">
+ <method name="fetch_domains">
+ <helper exec="/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains"
+ arguments="1"
+ argument_passing_method="cmdline"
+ prepend_user_name="no"/>
+ </method>
+ </interface>
+ </object>
+ </service>
+</oddjobconfig>
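Review bot: The `fetch_domains` helper declaration passes one caller-supplied argument on the command line (`arguments="1"`, `argument_passing_method="cmdline"`) to a root-executed binary, and the caller may be the apache uid, so argv[1] must be treated as untrusted by the helper — which is outside this diff, so the config itself should carry that expectation. No shell is involved (oddjobd execs the helper directly), but the value presumably names a trusted domain and will reach LDAP filters, Kerberos and Samba calls; a strict syntactic check (DNS-name characters only, bounded length) in the helper is the minimum. I would add after the `<method name="fetch_domains">` line: `<!-- argv[1] (trusted domain name) originates from the D-Bus caller, which may be "apache"; the helper must validate it before using it in LDAP/Kerberos/Samba calls. prepend_user_name="no" means the helper cannot tell root from apache invocations. -->`. Separately, the commented-out `<!-- <method name="Introspect"/> -->` under the Introspectable interface leaves a dead ACL block with `min_uid="0" max_uid="0"` guarding no method; either re-enable the method or drop the interface so the file documents what is actually exposed.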