subject:"\[Freeipa\-devel\] \[freeipa PR#632\]\[synchronized\] ipa\-sam\: create the gidNumber attribute in the trusted domain entry"

[Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry

2017-04-03 Thread flo-renaud

   URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain 
entry
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/632/head:pr632
git checkout pr632
From b75e11502e669cae3a58dd66fe5d0a75e23a6e97 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 21 Mar 2017 17:33:20 +0100
Subject: [PATCH 1/2] ipa-sam: create the gidNumber attribute in the trusted
 domain entry

When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
	Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
	_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6827
---
 daemons/ipa-sam/ipa_sam.c | 40 +---
 1 file changed, 37 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 4c1fda5..6a29e8e 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -195,6 +195,7 @@ struct ipasam_privates {
 	char *trust_dn;
 	char *flat_name;
 	struct dom_sid fallback_primary_group;
+	char *fallback_primary_group_gid_str;
 	char *server_princ;
 	char *client_princ;
 	struct sss_idmap_ctx *idmap_ctx;
@@ -2419,6 +2420,9 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	if (entry == NULL || sid == NULL) {
 		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
  LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+		 LDAP_ATTRIBUTE_GIDNUMBER,
+ ldap_state->ipasam_privates->fallback_primary_group_gid_str);
 	}
 
 	if (td->netbios_name != NULL) {
@@ -2829,6 +2833,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 {
 	NTSTATUS status;
 	struct dom_sid *u_sid;
+	struct dom_sid *g_sid;
 	char *name;
 	char *trustpw = NULL;
 	char *trustpw_utf8 = NULL;
@@ -2884,6 +2889,11 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	}
 	talloc_free(u_sid);
 
+	g_sid = &ldap_state->ipasam_privates->fallback_primary_group;
+	if (!pdb_set_group_sid(user, g_sid, PDB_SET)) {
+		return false;
+	}
+
 	status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
 	if (!NT_STATUS_IS_OK(status)) {
 		return false;
@@ -3594,14 +3604,17 @@ static void ipasam_free_private_data(void **vp)
 static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx,
 	  struct smbldap_state *ldap_state,
 	  struct sss_idmap_ctx *idmap_ctx,
-	  LDAPMessage *dom_entry)
+	  LDAPMessage *dom_entry,
+	  char **fallback_group_gid_str)
 {
 	char *dn;
 	char *sid;
+	char *gidnumber;
 	int ret;
 	const char *filter = "objectClass=*";
 	const char *attr_list[] = {
 	LDAP_ATTRIBUTE_SID,
+	LDAP_ATTRIBUTE_GIDNUMBER,
 	NULL};
 	LDAPMessage *result;
 	LDAPMessage *entry;
@@ -3648,9 +3661,20 @@ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx,
 		talloc_free(sid);
 		return NULL;
 	}
+	talloc_free(sid);
+
+	gidnumber = get_single_attribute(mem_ctx, ldap_state->ldap_struct,
+	entry, LDAP_ATTRIBUTE_GIDNUMBER);
+	if (gidnumber == NULL) {
+		DEBUG(0, ("Missing mandatory attribute %s.\n",
+			  LDAP_ATTRIBUTE_GIDNUMBER));
+		ldap_msgfree(result);
+		return NULL;
+	}
+
+	*fallback_group_gid_str = gidnumber;
 
 	ldap_msgfree(result);
-	talloc_free(sid);
 
 	return fallback_group_sid;
 }
@@ -4443,6 +4467,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
 	char *domain_sid_string = NULL;
 	struct dom_sid *ldap_domain_sid = NULL;
 	struct dom_sid *fallback_group_sid = NULL;
+	char *fallback_group_gid_str = NULL;
 
 	LDAPMessage *result = NULL;
 	LDAPMessage *entry = NULL;
@@ -4586,7 +4611,8 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
 	fallback_group_sid = get_fallback_group_sid(ldap_state,
 	ldap_state->smbldap_state,
 	ldap_state->ipasam_privates->idmap_ctx,
-	result);
+	result,
+	&fallback_group_gid_str);
 	if (fallback_group_sid == NULL) {
 		DEBUG(0, ("Cannot find SID of fallback group.\n"));
 		ldap_msgfree(result);
@@ -4596,6 +4622,14 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
 		 fallback_group_sid);
 	talloc_free(fallback_group_sid);
 
+	if (fallback_group_gid_str == NULL) {
+		DEBUG(0, ("Cannot find gidNumber o

[Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry

2017-03-28 Thread flo-renaud

   URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain 
entry
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/632/head:pr632
git checkout pr632
From b000fdfc229917e6cb62ba185ac24522899b3f86 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 21 Mar 2017 17:33:20 +0100
Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain
 entry

When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
	Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
	_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6827
---
 daemons/ipa-sam/ipa_sam.c | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 4c1fda5..c483ee4 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	if (entry == NULL || sid == NULL) {
 		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
  LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+		 LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR);
 	}
 
 	if (td->netbios_name != NULL) {
@@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
 	return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
 }
 
+static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
+struct ldapsam_privates *ldap_state,
+LDAPMessage *entry,
+struct dom_sid **_group_sid);
+
 static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 			 LDAPMessage *entry,
 			 struct ldapsam_privates *ldap_state)
 {
 	NTSTATUS status;
 	struct dom_sid *u_sid;
+	struct dom_sid *g_sid;
 	char *name;
 	char *trustpw = NULL;
 	char *trustpw_utf8 = NULL;
@@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	bool res;
 	char *sid_str;
 	enum idmap_error_code err;
+	TALLOC_CTX *tmp_ctx;
 
 	if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION,
 			  PDB_SET)) {
@@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	}
 	talloc_free(u_sid);
 
+	tmp_ctx= talloc_init("init_sam_from_td");
+	if (!tmp_ctx) {
+		return false;
+	}
+
+	if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, &g_sid)
+			!= 0) {
+		talloc_free(tmp_ctx);
+		return false;
+	}
+
+	if (!pdb_set_group_sid(user, g_sid, PDB_SET)) {
+		talloc_free(tmp_ctx);
+		return false;
+	}
+	talloc_free(tmp_ctx);
+
 	status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
 	if (!NT_STATUS_IS_OK(status)) {
 		return false;
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry

[Freeipa-devel] [freeipa PR#632][synchronized] ipa-sam: create the gidNumber attribute in the trusted domain entry

2 matches

Site Navigation

Mail list logo

Footer information