From bd0d85804320e840db9b5cf19a5e69b3a0804e20 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 15 May 2012 20:03:16 +0300
Subject: Add trust-related ACIs

A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731
---
 install/share/smb.conf.template | 2 +-
 install/tools/ipa-adtrust-install | 5 ++++-
 install/updates/60-trusts.update | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 2 deletions(-)
 (limited to 'install')

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 8ed521b50..3107350aa 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -14,11 +14,11 @@ passdb backend = ipasam:ldapi://$LDAPI_SOCKET
 disable spoolss = yes
 ldapsam:trusted=yes
 ldap ssl = off
-ldap admin dn = $SMB_DN
 ldap suffix = $SUFFIX
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts
 ldap machine suffix = cn=computers,cn=accounts
+ipasam:principal = cifs/$FQDN@$REALM
 rpc_server:epmapper = external
 rpc_server:lsarpc = external
 rpc_server:lsass = external
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index f82d5bb82..c0b477102 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
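Review bot: `ipasam:principal = cifs/$FQDN@$REALM` replaces the `ldap admin dn = $SMB_DN` bind while `ldap ssl = off` two lines above stays in effect, and nothing in the template records why that is acceptable: the only reason is that `passdb backend` uses `ipasam:ldapi://$LDAPI_SOCKET`, a local UNIX socket, rather than a TCP `ldap://` URL. I would add a comment above the new line, along the lines of `# Samba authenticates to the local ldapi socket as the cifs/ service principal; ldap ssl stays off only because that socket never leaves the host`, so that anyone later pointing `passdb backend` at a TCP URL knows to revisit `ldap ssl` at the same time. How ipasam obtains credentials for that principal (presumably the host's cifs keytab) is not visible in this template and should be stated where it is implemented rather than guessed here.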
@@ -224,13 +224,16 @@ def main():
 print "\t\t * 389: (C)LDAP"
 print "\t\t * 445: microsoft-ds"
 print ""
- print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached"
+ print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot be reached"
 print "\tby any domain controller in the Active Directory domain by closing the"
 print "\tfollowing ports for these servers:"
 print "\t\tTCP Ports:"
 print "\t\t * 389, 636: LDAP/LDAPS"
 print "\tYou may want to choose to REJECT the network packets instead of DROPing them"
 print "\tto avoid timeouts on the AD domain controllers."
+ print ""
+ print "\tWARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands family"
+ print "\tin order to re-generate Kerberos tickets to include AD-specific information"
 
 return 0
 
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 9a320fc46..cfd1ad7e5 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
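Review bot: The new WARNING text on the two added `print` lines is hard to parse — "re-kinit admin user" and "'ipa trust-*' commands family" — and it does not tell the operator what the "AD-specific information" is that the fresh ticket must carry. I would rephrase to `print "\tWARNING: you MUST run kinit again as the admin user before using the 'ipa trust-*' commands,"` and `print "\tso that a fresh Kerberos ticket reflects the new trust-related group membership."`. The same commit adds `uid=admin` to `cn=trust admins` in 60-trusts.update, which I take to be the membership that has to reach the ticket — confirm that before settling on the wording. The body of `main()` before this hunk, and possibly after `return 0`, is outside the hunk.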
@@ -24,3 +24,39 @@ add:objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top A
 replace:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTSecurityIdentifier $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )::objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )
 add:objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $$ ipaNTTrustAttributes $$ ipaNTTrustDirection $$ ipaNTTrustPartner $$ ipaNTFlatName $$ ipaNTTrustAuthOutgoing $$ ipaNTTrustAuthIncoming $$ ipaNTTrustedDomainSID $$ ipaNTTrustForestTrustInfo $$ ipaNTTrustPosixOffset $$ ipaNTSupportedEncryptionTypes) )
 
+dn: cn=trust admins,cn=groups,cn=accounts,$SUFFIX
+default: objectClass: top
+default: objectClass: groupofnames
+default: objectClass: ipausergroup
+default: objectClass: nestedgroup
+default: objectClass: ipaobject
+default: cn: trust admins
+default: description: Trusts administrators group
+default: member: uid=admin,cn=users,cn=accounts,$SUFFIX
+default: nsAccountLock: FALSE
+default: ipaUniqueID: autogenerate
+
+dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
+default: objectClass: GroupOfNames
+default: objectClass: top
+default: cn: adtrust agents
+default: member: krbprincipalname=cifs/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
+add: member: krbprincipalname=cifs/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=trusts,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: trusts
+
+# Trust management
+# 1. cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX can manage trusts, to allow modification via CIFS
+# 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
+dn: cn=trusts,$SUFFIX
+add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust system user to create and delete trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
+
+# Samba user should be able to read NT passwords to authenticate
+dn: $SUFFIX
+add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-- cgit
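Review bot: Both ACIs added on `cn=trusts,$SUFFIX` list `ipaNTSecurityIdentifier` in `targetattr`, but the `replace:objectClasses:` line at the top of this hunk changes the SID attribute of `ipaNTTrustedDomain` from `ipaNTSecurityIdentifier` to `ipaNTTrustedDomainSID`, so neither `cn=adtrust agents` nor `cn=trust admins` is granted access to the attribute a trust object actually carries; `ipaNTTrustedDomainSID` needs to be added to (or substituted for `ipaNTSecurityIdentifier` in) both lists. Neither list covers `cn` or `objectClass` either, and whether 389-ds then permits the `add` of a complete trust entry depends on how it applies `targetattr` to entry creation — worth exercising once as a member of each group before relying on it. The `trust admins` ACI also grants `read` on `ipaNTTrustAuthOutgoing`/`ipaNTTrustAuthIncoming`, which presumably hold the trust secrets; if only the CIFS agent has to read those, limiting the human-membership group to the remaining attributes would be tighter, and the `# 2.` comment should say precisely what that group may do. The `ipaNTHash` grant is `read` only, but it is scoped to the whole `$SUFFIX` with no `target`; if only user entries need it, `(target = "ldap:///cn=users,cn=accounts,$SUFFIX")` would narrow it.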