On Mon, 01 Jul 2013, Sumit Bose wrote:
Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
to allow SSSD running on a FreeIPA server to access the AD LDAP server.
In the ticket a more generic solution is described but since there is no
other use case so far I think this patch is sufficient for the time
being.

bye,
Sumit

From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 1 Jul 2013 13:47:22 +0200
Subject: [PATCH] Add PAC to master host TGTs

For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.
s/SALS/SASL/


To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
I think it is better to change this lookup to
"cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX"; it would
explicitly limit us to the IPA masters running AD trusts.

+static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
+{
+    int ret;
+    char *master_host_base = NULL;
+    LDAPMessage *result = NULL;
+    krb5_error_code err;
+
+    ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+                                      fqdn, ipactx->base);
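Review bot: the host name is interpolated into the search base unescaped in the asprintf at the end of this hunk, so a value containing DN-special characters (',', '=', '+', '"', '\', '<', '>', ';') would yield a malformed DN or one pointing at a different entry; escape `fqdn` per RFC 4514 before building `master_host_base`, or search under cn=masters,cn=ipa,cn=etc,$base with a filter on cn instead. The visible lines also do not show `ret` being checked for -1 before `master_host_base` is used; please make sure that check follows.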
here: "cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s"

+    if (is_host) {
+        prigid = 515; /* Well known RID for domain computers group */
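Review bot: 515 is a magic number; define it as a named constant (for example DOMAIN_RID_DOMAIN_COMPUTERS, matching the well-known RID the comment describes) so that this site and the 516 assignment below share one source of truth for the well-known RIDs instead of bare literals.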
Could you please mention this fact in the commit message as well?

+    if (is_host) {
+        /* Well know RID of domain controllers group */
+        info3->base.rid = 516;
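Review bot: `info3->base.rid` is the account's own RID, yet this assigns 516, which the comment itself identifies as the RID of the Domain Controllers group; every host handled here would thus share the same RID, and a group RID is being presented as an account RID. Please state in a comment (and the commit message) why that is the intended representation for a FreeIPA master host, or give the host a RID of its own. Also, the comment should read "Well known RID", and the literal should be a named constant like the 515 above.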
Same here.



--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
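The lookup DN described in the commit message ("cn=$FQDN,cn=masters,cn=ipa,cn=etc,$base", or the narrower ADTRUST variant suggested in the reply) is built by pasting a host name into a DN string. The following is an added example, not code from the patch or from FreeIPA, showing how to build that DN with RFC 4514 value escaping and how to sanity-check the result before running the search. The function names, the `adtrust_only` flag and the sample host names and suffix are assumptions made for the example.

```c
/* Added example (not FreeIPA code): build the per-host master lookup DN
 * with RFC 4514 escaping so a host name cannot alter the DN structure. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one attribute value for use inside a DN (RFC 4514 section 2.4).
 * The characters , + " \ < > ; = are backslash-escaped, as are a leading
 * '#' or space and a trailing space.  Returns a malloc'd string or NULL. */
char *ldap_dn_value_escape(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(2 * len + 1);      /* worst case: every char escaped */
    size_t o = 0;

    if (out == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < len; i++) {
        char c = value[i];
        bool special = strchr(",+\"\\<>;=", c) != NULL;

        if ((i == 0 && (c == ' ' || c == '#')) || (i == len - 1 && c == ' ')) {
            special = true;
        }
        if (special) {
            out[o++] = '\\';
        }
        out[o++] = c;
    }
    out[o] = '\0';
    return out;
}

/* Build "cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<base>".  With adtrust_only
 * set, "cn=ADTRUST," is prepended so only masters running the AD trust
 * service match (the narrower lookup proposed in the review).  Returns a
 * malloc'd DN or NULL on allocation failure. */
char *master_host_dn(const char *fqdn, const char *base, bool adtrust_only)
{
    const char *fmt = "%scn=%s,cn=masters,cn=ipa,cn=etc,%s";
    const char *prefix = adtrust_only ? "cn=ADTRUST," : "";
    char *esc = ldap_dn_value_escape(fqdn);
    char *dn = NULL;
    int n;

    if (esc == NULL) {
        return NULL;
    }
    n = snprintf(NULL, 0, fmt, prefix, esc, base);
    if (n >= 0) {
        dn = malloc((size_t)n + 1);
        if (dn != NULL) {
            snprintf(dn, (size_t)n + 1, fmt, prefix, esc, base);
        }
    }
    free(esc);
    return dn;
}

/* Count the RDNs in a DN, treating a backslash-escaped comma as part of a
 * value.  A correctly escaped host DN always has a fixed RDN count (6, or 7
 * with the ADTRUST prefix), which is a cheap check before the search. */
int dn_rdn_count(const char *dn)
{
    int count = 1;

    for (const char *p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                          /* skip the escaped character */
        } else if (*p == ',') {
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample values, not taken from any real deployment. */
    const char *base = "dc=example,dc=test";
    char *plain = master_host_dn("ipa1.example.test", base, true);
    char *tricky = master_host_dn("evil,cn=masters,cn=ipa", base, false);

    printf("%s (%d RDNs)\n", plain, dn_rdn_count(plain));
    printf("%s (%d RDNs)\n", tricky, dn_rdn_count(tricky));
    free(plain);
    free(tricky);
    return 0;
}
```

Without escaping, the second host name would have produced a DN with eight RDNs pointing at a different subtree; with it, the name stays a single cn value and the RDN count remains six.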
