Add detection of wrong SIDs in accounts after 'ipa migrate-ds' #242
Comments
So I guess a query for SIDs that don't match the domain SID would be the best way to find errant entries. How can I determine the domain SID for the IPA install?
You can retrieve local domain SID in
With hardening against CVE-2020-25717, FreeIPA KDC now performs a number of checks for SIDs of user accounts. Namely:
On freeipa-users@ it was already reported that if users were migrated from an old installation with the help of `ipa migrate-ds`, they would have SIDs generated in the older IPA deployment and thus would be different to the SID in the current IPA setup. Reference: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/
Add a check for that.
It is possible to fix this issue by removing the SID attribute and an object class that requires it and then calling `ipa config-mod --add-sids --enable-sids` to regenerate missing SIDs. Since old SIDs are invalid in the new environment and IPA does not have SID history, they can be removed unless SIDs were used on the Windows side to assign permissions. We don't generally support that yet without the Global Catalog feature, though.