author | Alexander Bokovoy <abokovoy@redhat.com> | 2013-09-05 08:13:53 +0300 |
committer | Petr Viktorin <pviktori@redhat.com> | 2013-09-20 09:59:02 +0200 |
commit | 9cf8ec79c9e9d05ce9f21b4b187077e1fa650c95 (patch) | |
tree | 0e0f505cf3167b7a675d0b39e327e73ebae84f29 /daemons | |
parent | 316a9c215982527814089dc02be95fe14e635006 (diff) | |
ipa-sam: do not modify objectclass when trust object already created
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.
Additionally, a wrong handle was used by the dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd, which prevented even reaching
the point where ipa-sam would be asked to modify the trust object.
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-sam/ipa_sam.c | 112 |
1 files changed, 71 insertions, 41 deletions
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 4a2fca563..cf39bb91a 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2229,11 +2229,14 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 LDAPMod **mods;
 bool res;
 char *trusted_dn = NULL;
- int ret, i;
+ int ret, i, count;
 NTSTATUS status;
 TALLOC_CTX *tmp_ctx;
 char *trustpw;
 char *sid;
+ char **in_blacklist = NULL;
+ char **out_blacklist = NULL;
+ uint32_t enctypes, trust_offset;
 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
@@ -2250,10 +2253,12 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 }
 mods = NULL;
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
- LDAP_OBJ_TRUSTED_DOMAIN);
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
- LDAP_OBJ_ID_OBJECT);
+ if (entry == NULL) {
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
+ LDAP_OBJ_TRUSTED_DOMAIN);
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
+ LDAP_OBJ_ID_OBJECT);
+ }
 if (entry != NULL) {
 sid = get_single_attribute(tmp_ctx, priv2ld(ldap_state), entry,
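Review bot: The new `if (entry == NULL) { … }` block around the two objectClass mods is immediately followed by `if (entry != NULL) {`, so the two branches are mutually exclusive and read more clearly as a single `if`/`else`: replace `} if (entry != NULL) {` with `} else {`. The body of that `if (entry != NULL)` continues past the end of the hunk. Restricting objectClass to the creation path is the fix the commit message describes (modification is denied by ACI), but nothing in the code says so; a one-line comment such as `/* objectClass is set only when creating the entry; modifying it on an existing trust is rejected by ACI */` would keep that reasoning next to the guard.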
@@ -2314,26 +2319,37 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 }
 }
+ trust_offset = 0;
 if (td->trust_posix_offset != NULL) {
- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
- &mods,
- LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
- *td->trust_posix_offset);
- if (!res) {
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
+ trust_offset = *td->trust_posix_offset;
 }
+ res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+ &mods,
+ LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+ trust_offset);
+ if (!res) {
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ enctypes = KERB_ENCTYPE_DES_CBC_CRC |
+ KERB_ENCTYPE_DES_CBC_MD5 |
+ KERB_ENCTYPE_RC4_HMAC_MD5 |
+ KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+ KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+
 if (td->supported_enc_type != NULL) {
- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
- &mods,
- LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
- *td->supported_enc_type);
- if (!res) {
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
+ enctypes = *td->supported_enc_type;
+ }
+
+ res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+ &mods,
+ LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+ enctypes);
+ if (!res) {
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
 }
 if (td->trust_auth_outgoing.data != NULL) {
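Review bot: When `td->trust_posix_offset` or `td->supported_enc_type` is NULL the new code still calls `smbldap_make_mod_uint32_t` with the default (`0`, or the five-enctype mask), whereas the removed code skipped the attribute entirely; on the `entry != NULL` update path this would replace a stored offset or enctype set with the default if the helper emits a replace for a differing value (inferred from its use here, the helper itself is not in the hunk). If the defaults are only meant to seed a newly created entry, guard each write with `if (entry == NULL || td->trust_posix_offset != NULL) {` and the equivalent for `supported_enc_type`, and document that in a comment on `trust_offset = 0;`. Separately, the default mask includes `KERB_ENCTYPE_DES_CBC_CRC` and `KERB_ENCTYPE_DES_CBC_MD5`; single-DES is a weak default for a trust key set, so either drop the two DES bits from the default or state the compatibility reason next to the mask, e.g. `/* DES types kept in the default for interop with legacy domains; review before tightening */`.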
@@ -2354,31 +2370,45 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 &td->trust_forest_trust_info);
 }
+
+ /* Only add default blacklists for incoming and outgoing SIDs but don't modify existing ones */
+ in_blacklist = get_attribute_values(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry,
+ LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING, &count);
+ out_blacklist = get_attribute_values(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry,
+ LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING, &count);
+
 for (i = 0; ipa_mspac_well_known_sids[i]; i++) {
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
- LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
- ipa_mspac_well_known_sids[i]);
- smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
- LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
- ipa_mspac_well_known_sids[i]);
+ if (in_blacklist == NULL) {
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
+ ipa_mspac_well_known_sids[i]);
+ }
+ if (out_blacklist == NULL) {
+ smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
+ ipa_mspac_well_known_sids[i]);
+ }
 }
 smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
- trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
- if (trusted_dn == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
- if (entry == NULL) {
- ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
- } else {
- ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
- }
- if (ret != LDAP_SUCCESS) {
- DEBUG(1, ("error writing trusted domain data!\n"));
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
+ if (mods != NULL) {
+ trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);
+ if (trusted_dn == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (entry == NULL) {
+ ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
+ } else {
+ ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
+ }
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(1, ("error writing trusted domain data!\n"));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
 }
 if (entry == NULL) {
 /* FIXME: allow password updates here */
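Review bot: `count` is written by the incoming-blacklist lookup, overwritten by the outgoing one, and never read, so it is dead state; either check it or drop it, depending on whether `get_attribute_values` accepts a NULL count pointer (its signature is not in the hunk). Both lookups also run on the creation path where `entry == NULL`, so the code relies on the helper tolerating a NULL entry and returning NULL; if that is not guaranteed, wrap the two calls in `if (entry != NULL) {`, which preserves the seed-defaults behaviour because both pointers are initialised to NULL in the declarations. A NULL return is also what an allocation failure would look like, so on an existing entry a failed lookup would re-add the default well-known SIDs instead of leaving the stored list untouched; a comment on the first lookup, `/* NULL means attribute absent (or lookup failed): seed the default blacklist */`, would make that trade-off explicit. The function continues past the end of the hunk.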