URL: https://github.com/freeipa/freeipa/pull/632 Author: flo-renaud Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Action: synchronized
From b75e11502e669cae3a58dd66fe5d0a75e23a6e97 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 21 Mar 2017 17:33:20 +0100 Subject: [PATCH 1/2] ipa-sam: create the gidNumber attribute in the trusted domain entry When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6827 --- daemons/ipa-sam/ipa_sam.c | 40 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 37 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 4c1fda5..6a29e8e 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -195,6 +195,7 @@ struct ipasam_privates { char *trust_dn; char *flat_name; struct dom_sid fallback_primary_group; + char *fallback_primary_group_gid_str; char *server_princ; char *client_princ; struct sss_idmap_ctx *idmap_ctx; @@ -2419,6 +2420,9 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, if (entry == NULL || sid == NULL) { smbldap_make_mod(priv2ld(ldap_state), entry, &mods, LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR); + smbldap_make_mod(priv2ld(ldap_state), entry, &mods, + LDAP_ATTRIBUTE_GIDNUMBER, + ldap_state->ipasam_privates->fallback_primary_group_gid_str); } if (td->netbios_name != NULL) { 
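Review bot: The new `fallback_primary_group_gid_str` field in `struct ipasam_privates` carries no ownership note, and nothing near the field says who frees it: the string is produced by get_single_attribute() on the `mem_ctx` that pdb_init_ipasam passes as `ldap_state` (hunk at 4586), so it is a talloc child of that context rather than of the privates. A one-line comment on the field, `/* gidNumber of the fallback primary group; talloc'd on ldap_state, set once in pdb_init_ipasam() */`, would make the lifetime explicit for whoever touches ipasam_free_private_data later. In ipasam_set_trusted_domain the added smbldap_make_mod runs only on the create path (`entry == NULL || sid == NULL`) and relies on the field being non-NULL, which holds because pdb_init_ipasam fails when the gidNumber cannot be read; a short comment stating that dependency next to the call would save the next reader a trip through init. ipasam_set_trusted_domain's body continues outside the hunk.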
@@ -2829,6 +2833,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, { NTSTATUS status; struct dom_sid *u_sid; + struct dom_sid *g_sid; char *name; char *trustpw = NULL; char *trustpw_utf8 = NULL; @@ -2884,6 +2889,11 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, } talloc_free(u_sid); + g_sid = &ldap_state->ipasam_privates->fallback_primary_group; + if (!pdb_set_group_sid(user, g_sid, PDB_SET)) { + return false; + } + status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL); if (!NT_STATUS_IS_OK(status)) { return false; @@ -3594,14 +3604,17 @@ static void ipasam_free_private_data(void **vp) static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx, struct smbldap_state *ldap_state, struct sss_idmap_ctx *idmap_ctx, - LDAPMessage *dom_entry) + LDAPMessage *dom_entry, + char **fallback_group_gid_str) { char *dn; char *sid; + char *gidnumber; int ret; const char *filter = "objectClass=*"; const char *attr_list[] = { LDAP_ATTRIBUTE_SID, + LDAP_ATTRIBUTE_GIDNUMBER, NULL}; LDAPMessage *result; LDAPMessage *entry; @@ -3648,9 +3661,20 @@ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx, talloc_free(sid); return NULL; } + talloc_free(sid); + + gidnumber = get_single_attribute(mem_ctx, ldap_state->ldap_struct, + entry, LDAP_ATTRIBUTE_GIDNUMBER); + if (gidnumber == NULL) { + DEBUG(0, ("Missing mandatory attribute %s.\n", + LDAP_ATTRIBUTE_GIDNUMBER)); + ldap_msgfree(result); + return NULL; + } + + *fallback_group_gid_str = gidnumber; ldap_msgfree(result); - talloc_free(sid); return fallback_group_sid; } @@ -4443,6 +4467,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, char *domain_sid_string = NULL; struct dom_sid *ldap_domain_sid = NULL; struct dom_sid *fallback_group_sid = NULL; + char *fallback_group_gid_str = NULL; LDAPMessage *result = NULL; LDAPMessage *entry = NULL; 
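Review bot: In get_fallback_group_sid the new missing-gidNumber path frees `result` but not `fallback_group_sid`, which was already converted from `sid` before this hunk (its allocation is not visible here, so this is inferred); if it lives on `mem_ctx` it is only reclaimed together with the whole ldap_state, and freeing it before the early return would keep the contract that nothing is handed back on failure, `talloc_free(fallback_group_sid); ldap_msgfree(result); return NULL;`. The gidNumber is also forwarded as an opaque string that every newly created trusted-domain entry inherits via ipasam_set_trusted_domain, so a strtoul round-trip check at the point it is read would reject a malformed directory value once, at init, instead of replicating it into each new entry. In init_sam_from_td the `g_sid` pointer aims straight into `ipasam_privates->fallback_primary_group`; that is fine only if pdb_set_group_sid copies the SID (not visible here), and a comment such as `/* g_sid is owned by ipasam_privates; no talloc_free, unlike u_sid above */` would explain why this path has no free while the uid path does. Both enclosing functions start outside their hunks.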
@@ -4586,7 +4611,8 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, fallback_group_sid = get_fallback_group_sid(ldap_state, ldap_state->smbldap_state, ldap_state->ipasam_privates->idmap_ctx, - result); + result, + &fallback_group_gid_str); if (fallback_group_sid == NULL) { DEBUG(0, ("Cannot find SID of fallback group.\n")); ldap_msgfree(result); @@ -4596,6 +4622,14 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, fallback_group_sid); talloc_free(fallback_group_sid); + if (fallback_group_gid_str == NULL) { + DEBUG(0, ("Cannot find gidNumber of fallback group.\n")); + ldap_msgfree(result); + return NT_STATUS_INVALID_PARAMETER; + } + ldap_state->ipasam_privates->fallback_primary_group_gid_str = + fallback_group_gid_str; + domain_sid_string = get_single_attribute( ldap_state, ldap_state->smbldap_state->ldap_struct, From 3c58c3e128b68c6f8e0f06fc5f75ea612f0863ac Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Mon, 3 Apr 2017 15:57:47 +0200 Subject: [PATCH 2/2] Upgrade: add gidnumber to trusted domain entry The trusted domain entries created in earlier versions are missing gidnumber. During upgrade, a new plugin will read the gidnumber of the fallback group cn=Default SMB Group and add this value to trusted domain entries which do not have a gidNumber. https://pagure.io/freeipa/issue/6827 --- install/updates/90-post_upgrade_plugins.update | 1 + ipaserver/install/plugins/adtrust.py | 56 ++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 34069e7..8477199 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update 
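Review bot: The `fallback_group_gid_str == NULL` check added after `talloc_free(fallback_group_sid)` is unreachable: get_fallback_group_sid (hunk at 3648) returns NULL whenever gidNumber is missing and only assigns the out-parameter on success, and the NULL return is already rejected by the `fallback_group_sid == NULL` branch above. Either drop the block or keep it as a documented guard, `/* unreachable today: get_fallback_group_sid() fails without gidNumber; kept as a guard */`, so a reader does not hunt for a path that yields the SID without the gid. The message "Cannot find gidNumber of fallback group." is otherwise fine and matches the neighbouring DEBUG(0) style. pdb_init_ipasam's body continues on both sides of the hunk.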
@@ -10,6 +10,7 @@ plugin: update_sigden_extdom_broken_config plugin: update_sids plugin: update_default_range plugin: update_default_trust_view +plugin: update_tdo_gidnumber plugin: update_ca_renewal_master plugin: update_idrange_type plugin: update_pacs diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py index 4296808..075f197 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py @@ -22,6 +22,7 @@ from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger from ipaserver.install import sysupgrade +from ipaserver.install.adtrustinstance import ADTRUSTInstance register = Registry() 
@@ -316,3 +317,58 @@ def execute(self, **options): sysupgrade.set_upgrade_state('sidgen', 'update_sids', False) return False, () + + +@register() +class update_tdo_gidnumber(Updater): + """ + Create a gidNumber attribute for Trusted Domain Objects. + + The value is taken from the fallback group defined in cn=Default SMB Group. + """ + def execute(self, **options): + ldap = self.api.Backend.ldap2 + + # Read the gidnumber of the fallback group + dn = DN(('cn', ADTRUSTInstance.FALLBACK_GROUP_NAME), + self.api.env.container_group, + self.api.env.basedn) + + try: + entry = ldap.get_entry(dn, ['gidnumber']) + gidNumber = entry.get('gidnumber') + except errors.NotFound: + self.log.error("{0} not found".format( + ADTRUSTInstance.FALLBACK_GROUP_NAME)) + return False, () + + if not gidNumber: + self.log.error("{0} does not have a gidnumber".format( + ADTRUSTInstance.FALLBACK_GROUP_NAME)) + return False, () + + # For each trusted domain object, add gidNumber + try: + tdos = ldap.get_entries( + DN(self.api.env.container_adtrusts, self.api.env.basedn), + scope=ldap.SCOPE_ONELEVEL, + filter="(objectclass=ipaNTTrustedDomain)", + attrs_list=['gidnumber']) + for tdo in tdos: + # if the trusted domain object does not contain gidnumber, + # add the default fallback group gidnumber + if not tdo.get('gidnumber'): + try: + tdo['gidnumber'] = gidNumber + ldap.update_entry(tdo) + self.log.debug("Added gidnumber {0} to {1}".format( + gidNumber, tdo.dn)) + except Exception: + self.log.warning( + "Failed to add gidnumber to {0}".format(tdo.dn)) + + except errors.NotFound: + self.log.debug("No trusted domain object to update") + return False, () + + return False, ()
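Review bot: The inner `except Exception:` in update_tdo_gidnumber.execute discards the exception, so a failed `ldap.update_entry` leaves only "Failed to add gidnumber to <dn>" in the upgrade log with no reason (ACI denial, schema violation, connection error); bind it and include it, `except Exception as e:` / `self.log.warning("Failed to add gidnumber to %s: %s", tdo.dn, e)`. The fallback group lookup logs at error level when cn=Default SMB Group is absent, which is the expected state on a server where the AD trust subsystem was never installed, so every upgrade of such a server would record an error for a non-problem; either check whether adtrust is configured before the lookup (other updaters in this module may already do this — not visible here) or log at debug and return. `gidNumber` is the only camelCase local in the block; `gidnumber` would match the surrounding code and the attribute name used in the queries. The outer `except errors.NotFound` is fine, but the `return False, ()` inside it duplicates the one after the loop and could be dropped.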