[Backport][ipa-4-6] add default access control when migrating trust objects #3658
Conversation
|
I don't know if you want to accept this suggestion or add an exception. I'm inclined to add an exception to keep the code consistent between versions. ************* Module ipaserver.install.plugins.adtrust |
|
It is interesting that we don't have this problem with newer Python and pylint versions. I agree to ignore it for compatibility with newer releases. |
It looks like for some cases we do not have proper set up keytab retrieval configuration in the old trusted domain object. This mostly affects two-way trust cases. In such cases, create default configuration as ipasam would have created when trust was established. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys attribute values, it cannot be used by SSSD to retrieve TDO keys and the whole communication with Active Directory domain controllers will not be possible. This seems to affect trusts which were created before ipaAllowedToPerform;read_keys permission granting was introduced (FreeIPA 4.2). Add back the default setting for the permissions which grants access to trust agents and trust admins. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It is interesting that we don't have this problem with newer Python and pylint versions. Ignoring to try to keep the code more in line with newer releases.
rcritten
force-pushed
the
adtrust-ipa-4-6
branch
from
a932019
to
e39c625
Compare
|
@rcritten |
This PR was opened automatically because PR #3643 was pushed to master and backport to ipa-4-6 is required.