URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain 
entry
Action: opened

PR body:
"""
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
        Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
        _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6660
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/632/head:pr632
git checkout pr632
From 4e431ebfcf7a3a03a0a9e30db5db9106c349bdc0 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 21 Mar 2017 17:33:20 +0100
Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain
 entry

When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
	Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
	_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6660
---
 daemons/ipa-sam/ipa_sam.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 4c1fda5..c483ee4 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	if (entry == NULL || sid == NULL) {
 		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
 				 LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+		                 LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR);
 	}
 
 	if (td->netbios_name != NULL) {
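Review bot: The continuation line of the new smbldap_make_mod call (`LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR`) is indented with spaces while the matching uidNumber line just above it uses tabs, so the two calls don't line up in the file's tab-indented style; make the new line `\t\t\t\t LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR);` like the line before it. The same space-vs-tab mix appears in the forward declaration added in the next hunk. ipasam_set_trusted_domain starts and ends outside this hunk.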
@@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
 	return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
 }
 
+static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
+                                        struct ldapsam_privates *ldap_state,
+                                        LDAPMessage *entry,
+                                        struct dom_sid **_group_sid);
+
 static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 			     LDAPMessage *entry,
 			     struct ldapsam_privates *ldap_state)
 {
 	NTSTATUS status;
 	struct dom_sid *u_sid;
+	struct dom_sid *g_sid;
 	char *name;
 	char *trustpw = NULL;
 	char *trustpw_utf8 = NULL;
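Review bot: The new `struct dom_sid *g_sid;` is left uninitialised while its neighbours (`trustpw`, `trustpw_utf8`) are initialised to NULL; it is only assigned through the out-parameter of ipasam_get_primary_group_sid in a later hunk, so initialising it `struct dom_sid *g_sid = NULL;` keeps the function's convention and makes the failure path obviously safe if the helper ever returns non-zero without setting it. The forward declaration of ipasam_get_primary_group_sid added just above init_sam_from_td suggests the helper is defined further down; moving the definition above its first use (or placing the prototype with the file's other declarations) would avoid a one-off prototype in the middle of the file. init_sam_from_td continues past the end of this hunk.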
@@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	bool res;
 	char *sid_str;
 	enum idmap_error_code err;
+	TALLOC_CTX *tmp_ctx;
 
 	if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION,
 			      PDB_SET)) {
@@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	}
 	talloc_free(u_sid);
 
+	tmp_ctx= talloc_init("init_sam_from_td");
+	if (!tmp_ctx) {
+		return false;
+	}
+
+	if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, &g_sid)
+			!= 0) {
+		talloc_free(tmp_ctx);
+		return false;
+	}
+
+	if (!pdb_set_group_sid(user, g_sid, PDB_SET)) {
+		talloc_free(tmp_ctx);
+		return false;
+	}
+	talloc_free(tmp_ctx);
+
 	status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
 	if (!NT_STATUS_IS_OK(status)) {
 		return false;
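Review bot: Failing init_sam_from_td outright when ipasam_get_primary_group_sid returns non-zero may turn an existing trusted-domain entry into a hard failure: the first hunk only adds gidNumber to entries created from now on, so if the helper derives the group SID from gidNumber (its body is not in this diff, so this is inferred), entries created before the upgrade would make the whole lookup fail instead of producing the previous "Failed to find a Unix account" symptom. Either an update step that adds gidNumber to existing trusted-domain entries, or a fallback when the attribute is missing, should accompany this change. Both new failure returns are also silent; a `DEBUG(1, ("init_sam_from_td: failed to set group SID for trusted domain\n"));` before each `return false;` would make the condition diagnosable in the Samba log. Minor: `tmp_ctx= talloc_init(...)` is missing the space before `=`. The remainder of init_sam_from_td lies outside this hunk.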
-- 