On Mon, 01 Jul 2013, Sumit Bose wrote:
Hi,
this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
to allow SSSD running on a FreeIPA server to access the AD LDAP server.
In the ticket a more generic solution is described but since there is no
other use case so far I think this patch is sufficient for the time
being.
bye,
Sumit
From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 1 Jul 2013 13:47:22 +0200
Subject: [PATCH] Add PAC to master host TGTs
For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.
s/SALS/SASL/
To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
I think it is better to change this lookup to
"cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX"; it would
explicitly limit us to the IPA masters running AD trusts.
+static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
+{
+ int ret;
+ char *master_host_base = NULL;
+ LDAPMessage *result = NULL;
+ krb5_error_code err;
+
+ ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+ fqdn, ipactx->base);
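Review bot: the asprintf call formats fqdn straight into the DN without escaping, so a host name carrying DN-special characters (',', '+', '"', '\', '<', '>', ';', '=') yields a malformed DN and a failed or wrong lookup; either escape the value per RFC 4514 before formatting it, or reject names outside the hostname character set first. The quoted snippet stops right after `ret = asprintf(...)`: make sure the ret == -1 path returns false without using or freeing master_host_base (glibc leaves it undefined on failure) and that the declared `result` is released with ldap_msgfree() on every exit path.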
here: "cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s"
+ if (is_host) {
+ prigid = 515; /* Well known RID for domain computers group */
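Review bot: 515 is a bare magic number here (as is 516 in the other hunk); define a named constant for the well-known Domain Computers RID alongside any other well-known RIDs this file uses and reference it, so the meaning does not depend on the trailing comment and the value can be checked in one place.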
Could you please mention this fact in the commit message as well?
+ if (is_host) {
+ /* Well know RID of domain controllers group */
+ info3->base.rid = 516;
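Review bot: the comment reads "Well know RID"; it should be "Well known RID" to match the wording of the 515 comment. More importantly, this hunk puts a group RID (516, Domain Controllers) into the account RID field `info3->base.rid` while the other hunk sets the primary group `prigid` to 515 (Domain Computers); the commit message should state which of the two groups a FreeIPA master host is meant to be represented as in the PAC and why the account RID and the primary group RID refer to different groups, since a reader would expect the two to agree or the difference to be explained.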
Same here.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel