ipa-sam: do not modify objectclass when trust object already created

When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.

3 files changed, 81 insertions, 41 deletions

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 4a2fca56..cf39bb91 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2229,11 +2229,14 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	LDAPMod **mods;
 	bool res;
 	char *trusted_dn = NULL;
-	int ret, i;
+	int ret, i, count;
 	NTSTATUS status;
 	TALLOC_CTX *tmp_ctx;
 	char *trustpw;
 	char *sid;
+	char **in_blacklist = NULL;
+	char **out_blacklist = NULL;
+	uint32_t enctypes, trust_offset;
 
 	DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
 
@@ -2250,10 +2253,12 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	}
 
 	mods = NULL;
-	smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
-			 LDAP_OBJ_TRUSTED_DOMAIN);
-	smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
-			 LDAP_OBJ_ID_OBJECT);
+	if (entry == NULL) {
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
+				 LDAP_OBJ_TRUSTED_DOMAIN);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
+				 LDAP_OBJ_ID_OBJECT);
+	}
 
 	if (entry != NULL) {
 		sid = get_single_attribute(tmp_ctx, priv2ld(ldap_state), entry,
@@ -2314,26 +2319,37 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 		}
 	}
 
+	trust_offset = 0;
 	if (td->trust_posix_offset != NULL) {
-		res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
-						&mods,
-						LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
-						*td->trust_posix_offset);
-		if (!res) {
-			status = NT_STATUS_UNSUCCESSFUL;
-			goto done;
-		}
+		trust_offset = *td->trust_posix_offset;
 	}
 
+	res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+					&mods,
+					LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+					trust_offset);
+	if (!res) {
+		status = NT_STATUS_UNSUCCESSFUL;
+		goto done;
+	}
+
+	enctypes = KERB_ENCTYPE_DES_CBC_CRC |
+		   KERB_ENCTYPE_DES_CBC_MD5 |
+		   KERB_ENCTYPE_RC4_HMAC_MD5 |
+		   KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+		   KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+
 	if (td->supported_enc_type != NULL) {
-		res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
-						&mods,
-						LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
-						*td->supported_enc_type);
-		if (!res) {
-			status = NT_STATUS_UNSUCCESSFUL;
-			goto done;
-		}
+		enctypes = *td->supported_enc_type;
+	}
+
+	res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+					&mods,
+					LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+					enctypes);
+	if (!res) {
+		status = NT_STATUS_UNSUCCESSFUL;
+		goto done;
 	}
 
 	if (td->trust_auth_outgoing.data != NULL) {
@@ -2354,31 +2370,45 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 				      &td->trust_forest_trust_info);
 	}
 
+
+	/* Only add default blacklists for incoming and outgoing SIDs but don't modify existing ones */
+	in_blacklist = get_attribute_values(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry,
+						LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING, &count);
+	out_blacklist = get_attribute_values(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry,
+						LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING, &count);
+
 	for (i = 0; ipa_mspac_well_known_sids[i]; i++) {
-		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
-				      LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
-				      ipa_mspac_well_known_sids[i]);
-		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
-				      LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
-				      ipa_mspac_well_known_sids[i]);
+		if (in_blacklist == NULL) {
+			smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+					      LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
+					      ipa_mspac_well_known_sids[i]);
+		}
+		if (out_blacklist == NULL) {
+			smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+					      LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
+					      ipa_mspac_well_known_sids[i]);
+		}
 	}
 
 	smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
 
-	trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
-	if (trusted_dn == NULL) {
-		status = NT_STATUS_NO_MEMORY;
-		goto done;
-	}
-	if (entry == NULL) {
-		ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
-	} else {
-		ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
-	}
-	if (ret != LDAP_SUCCESS) {
-		DEBUG(1, ("error writing trusted domain data!\n"));
-		status = NT_STATUS_UNSUCCESSFUL;
-		goto done;
+	if (mods != NULL) {
+		trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
+		if (trusted_dn == NULL) {
+			status = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+
+		if (entry == NULL) {
+			ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
+		} else {
+			ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
+		}
+		if (ret != LDAP_SUCCESS) {
+			DEBUG(1, ("error writing trusted domain data!\n"));
+			status = NT_STATUS_UNSUCCESSFUL;
+			goto done;
+		}
 	}
 
 	if (entry == NULL) { /* FIXME: allow password updates here */
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 1b251154..46de01a5 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -54,6 +54,7 @@ default: cn: trusts
 # 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
 dn: cn=trusts,$SUFFIX
 add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
 add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
 
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index a27a64d2..bd8f5aad 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -912,12 +912,21 @@ class TrustDomainInstance(object):
             raise assess_dcerpc_exception(num=num, message=message)
 
         try:
+            # We should use proper trustdom handle in order to modify the
+            # trust settings. Samba insists this has to be done with LSA
+            # OpenTrustedDomain* calls, it is not enough to have a handle
+            # returned by the CreateTrustedDomainEx2 call.
+            trustdom_handle = self._pipe.OpenTrustedDomainByName(self._policy_handle, dname, security.SEC_FLAG_MAXIMUM_ALLOWED)
             infoclass = lsa.TrustDomainInfoSupportedEncTypes()
             infoclass.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
             infoclass.enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
             infoclass.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
             self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, infoclass)
         except RuntimeError, e:
+            # We can ignore the error here -- changing enctypes is for
+            # improved security but the trust will work with default values as
+            # well. In particular, the call may fail against Windows 2003
+            # server as that one doesn't support AES encryption types
             pass
 
     def verify_trust(self, another_domain):