URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: opened
PR body: """ When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/632/head:pr632 git checkout pr632
From 4e431ebfcf7a3a03a0a9e30db5db9106c349bdc0 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 21 Mar 2017 17:33:20 +0100
Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain entry

When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6660
---
 daemons/ipa-sam/ipa_sam.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 4c1fda5..c483ee4 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 if (entry == NULL || sid == NULL) {
 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
 LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR);
 }
 
 if (td->netbios_name != NULL) {
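Review bot: The gidNumber modification is added only inside the `entry == NULL || sid == NULL` branch, i.e. when the trusted domain entry is first written, so trust entries that already exist on an upgraded server keep a uidNumber but still have no gidNumber. Together with the new lookup in init_sam_from_td (the last hunk of this patch), which returns false as soon as ipasam_get_primary_group_sid fails, that could turn those older trusts from "not cached" into a hard failure unless the helper tolerates a missing attribute, which is not visible here; please confirm. If it does not, either add the attribute to existing entries as well (an upgrade-time fixup) or make the helper fall back to IPA_MAGIC_ID_STR the way this branch does for new entries. ipasam_set_trusted_domain's body continues outside the hunk on both sides.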
@@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
 }
 
+static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
+ struct ldapsam_privates *ldap_state,
+ LDAPMessage *entry,
+ struct dom_sid **_group_sid);
+
 static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 LDAPMessage *entry,
 struct ldapsam_privates *ldap_state)
 {
 NTSTATUS status;
 struct dom_sid *u_sid;
+ struct dom_sid *g_sid;
 char *name;
 char *trustpw = NULL;
 char *trustpw_utf8 = NULL;
@@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 bool res;
 char *sid_str;
 enum idmap_error_code err;
+ TALLOC_CTX *tmp_ctx;
 
 if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION,
 PDB_SET)) {
@@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 }
 talloc_free(u_sid);
 
+ tmp_ctx= talloc_init("init_sam_from_td");
+ if (!tmp_ctx) {
+ return false;
+ }
+
+ if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, &g_sid)
+ != 0) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ if (!pdb_set_group_sid(user, g_sid, PDB_SET)) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+ talloc_free(tmp_ctx);
+
 status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
 if (!NT_STATUS_IS_OK(status)) {
 return false;
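Review bot: The forward declaration of ipasam_get_primary_group_sid duplicates a signature that is presumably defined further down the file (the diffstat counts only the 26 added lines, so the definition itself is pre-existing); moving that definition above init_sam_from_td would avoid keeping two copies of the prototype in sync. If the declaration stays, a one-line comment on it stating the ownership contract, e.g. `/* *_group_sid is allocated on mem_ctx; the caller frees it */`, would make the tmp_ctx handling in init_sam_from_td self-explanatory. init_sam_from_td's body continues past the end of this hunk.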
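Review bot: Both failure paths after talloc_init repeat `talloc_free(tmp_ctx); return false;` and the success path frees the same context a third time; folding the two checks into one condition leaves a single cleanup, and `tmp_ctx= talloc_init(...)` is also missing the space before `=`. Freeing tmp_ctx immediately after pdb_set_group_sid is only correct because Samba's pdb_set_group_sid copies the SID into the samu rather than retaining the pointer; a short comment stating that protects the next reader from seeing a use-after-free that is not there. Neither failure path logs anything, so an operator would still only see the generic "Failed to find a Unix account" message quoted in the description; a DEBUG line at the point of failure would make a missing or unreadable gidNumber on a trust entry diagnosable. init_sam_from_td starts and ends outside this hunk.
```c
	tmp_ctx = talloc_init("init_sam_from_td");
	if (tmp_ctx == NULL) {
		return false;
	}
	/* pdb_set_group_sid copies g_sid into user, so tmp_ctx is released right after. */
	if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, &g_sid) != 0 ||
	    !pdb_set_group_sid(user, g_sid, PDB_SET)) {
		DEBUG(1, ("init_sam_from_td: failed to set the primary group SID\n"));
		talloc_free(tmp_ctx);
		return false;
	}
	talloc_free(tmp_ctx);
	/* … unchanged: get_trust_pwd and the rest of init_sam_from_td … */
```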