Hi,

this is something that fell through the cracks. Some time ago we
introduced a new objectclass ipaIDobject to allow objects which are
basically neither users nor groups to have a UID, GID or SID. The DNA
plugin should be aware of this new objectclass, which is fixed by the first patch.

The second patch actually uses this new objectclass in ipasam. Currently
ipasam generates a hardcoded SID for the trusted domain user, which might
lead to confusion. With the second patch the trusted domain user has a
proper SID.

bye,
Sumit
From 1453f3920a5f54d1579f0a64506fed1cdb843658 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Thu, 4 Oct 2012 17:42:15 +0200
Subject: [PATCH 83/84] Add new ipaIDobject to DNA plugin configuraton

---
 install/share/dna.ldif           | 2 +-
 install/updates/62-ranges.update | 5 +++++
 2 Dateien geändert, 6 Zeilen hinzugefügt(+), 1 Zeile entfernt(-)

diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index 
5707d3a6c7c1cbf6a6189c9fd7fffdb9c837f281..ee927fcc5ba0aa5b49cf79964359e9dffe89ee5b
 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -10,7 +10,7 @@ dnaType: gidNumber
 dnaNextValue: eval($IDSTART)
 dnaMaxValue: eval($IDMAX)
 dnaMagicRegen: 999
-dnaFilter: (|(objectclass=posixAccount)(objectClass=posixGroup))
+dnaFilter: 
(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
 dnaScope: $SUFFIX
 dnaThreshold: 500
 dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update
index 
9ba47421312c68cd64000866b3f4866a76bfe586..79d5326d6000d038923b2a92dcdec98370fa90f4
 100644
--- a/install/updates/62-ranges.update
+++ b/install/updates/62-ranges.update
@@ -29,3 +29,8 @@ default: nsslapd-pluginvendor: Red Hat, Inc.
 default: nsslapd-plugindescription: IPA Range-Check plugin
 default: nsslapd-plugin-depends-on-type: database
 default: nsslapd-basedn: $SUFFIX
+
+# Add new ipaIDobject to DNA plugin configuraton
+dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+replace:dnaFilter:(|(objectclass=posixAccount)(objectClass=posixGroup))::(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
+
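Review bot: The added comment line `# Add new ipaIDobject to DNA plugin configuraton` misspells "configuration". The `replace:dnaFilter:` directive names the old value literally, so on an installation where `dnaFilter` was already customized the old value will not match and the `ipaIDobject` clause would not be added, if the update framework only replaces on an exact match as the `old::new` form suggests. A short comment stating that assumption next to the directive would help whoever later debugs a trust object that never receives an ID.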
-- 
1.7.11.4

From a5b4bbe6a057509bfc98e63ef6c9f40222855339 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Thu, 4 Oct 2012 17:23:30 +0200
Subject: [PATCH 84/84] ipasam: generate proper SID for trusted domain object

---
 daemons/ipa-sam/ipa_sam.c | 57 ++++++++++++++++++++++++++++++++++++++++-------
 1 Datei geändert, 49 Zeilen hinzugefügt(+), 8 Zeilen entfernt(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 
7dc4549cb8f6390827642f14c4cff29539916261..48d566046ba2ebd5f6a8cd64227e0cb2685ff724
 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -93,6 +93,7 @@ bool secrets_store(const char *key, const void *data, size_t 
size); /* available
 #define LDAP_PAGE_SIZE 1024
 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
 #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
+#define LDAP_OBJ_ID_OBJECT "ipaIDobject"
 #define LDAP_ATTRIBUTE_TRUST_SID "ipaNTTrustedDomainSID"
 #define LDAP_ATTRIBUTE_SID "ipaNTSecurityIdentifier"
 #define LDAP_OBJ_GROUPMAP "ipaNTGroupAttrs"
@@ -2168,6 +2169,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct 
pdb_methods *methods,
        NTSTATUS status;
        TALLOC_CTX *tmp_ctx;
        char *trustpw;
+       char *sid;
 
        DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
 
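Review bot: `char *sid;` is declared without an initializer and is assigned only inside the `if (entry != NULL)` branch of the next hunk (the block following the second `smbldap_make_mod` call), so the later `if (entry == NULL || sid == NULL)` relies on short-circuit evaluation to avoid reading an indeterminate pointer. Declaring it as `char *sid = NULL;` makes that invariant explicit and lets the second test shrink to `if (sid == NULL)`. ipasam_set_trusted_domain begins before this hunk and continues past the next one.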
@@ -2186,6 +2188,17 @@ static NTSTATUS ipasam_set_trusted_domain(struct 
pdb_methods *methods,
        mods = NULL;
        smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
                         LDAP_OBJ_TRUSTED_DOMAIN);
+       smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
+                        LDAP_OBJ_ID_OBJECT);
+
+       if (entry != NULL) {
+               sid = get_single_attribute(tmp_ctx, priv2ld(ldap_state), entry,
+                                          LDAP_ATTRIBUTE_SID);
+       }
+       if (entry == NULL || sid == NULL) {
+               smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+                                LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
+       }
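Review bot: The `uidNumber` write to `IPA_MAGIC_ID_STR` carries no comment explaining why a new or SID-less trusted domain object needs it; the first patch in this series widens the DNA filter to `ipaIDobject`, so the intent appears to be to let DNA assign an ID from which a SID is then derived, but a reader of this function alone cannot tell. Suggest `/* New object or no SID yet: ask DNA for a uidNumber so a SID can be generated */` above the `if (entry == NULL || sid == NULL)` block. The `LDAP_OBJ_ID_OBJECT` objectClass is added on every call, including updates of entries that may already carry it; whether `smbldap_make_mod` suppresses a duplicate value is not visible here and is worth confirming. ipasam_set_trusted_domain begins before this hunk and continues past it.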
 
        if (td->netbios_name != NULL) {
                smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
@@ -2509,10 +2522,11 @@ static uint32_t pdb_ipasam_capabilities(struct 
pdb_methods *methods)
 }
 
 static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+                            LDAPMessage *entry,
                             struct ldapsam_privates *ldap_state)
 {
        NTSTATUS status;
-       struct dom_sid u_sid;
+       struct dom_sid *u_sid;
        char *name;
        char *trustpw = NULL;
        char *trustpw_utf8 = NULL;
@@ -2522,6 +2536,8 @@ static bool init_sam_from_td(struct samu *user, struct 
pdb_trusted_domain *td,
        struct ntlm_keys ntlm_keys;
        size_t converted_size;
        bool res;
+       char *sid_str;
+       enum idmap_error_code err;
 
        if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION,
                              PDB_SET)) {
@@ -2545,14 +2561,27 @@ static bool init_sam_from_td(struct samu *user, struct 
pdb_trusted_domain *td,
                return false;
        }
 
-       /* FIXME: create a proper SID here */
-       if (!sid_compose(&u_sid, &ldap_state->domain_sid, 6789)) {
+       sid_str = get_single_attribute(user, priv2ld(ldap_state), entry,
+                                      LDAP_ATTRIBUTE_SID);
+       if (sid_str == NULL) {
+               DEBUG(5, ("Missing SID for trusted domain object.\n"));
                return false;
        }
 
-       if (!pdb_set_user_sid(user, &u_sid, PDB_SET)) {
+       err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx,
+                                      sid_str, &u_sid);
+       if (err != IDMAP_SUCCESS) {
+               DEBUG(10, ("Could not convert string %s to sid.\n", sid_str));
+               talloc_free(sid_str);
                return false;
        }
+       talloc_free(sid_str);
+
+       if (!pdb_set_user_sid(user, u_sid, PDB_SET)) {
+               talloc_free(u_sid);
+               return false;
+       }
+       talloc_free(u_sid);
 
        status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
        if (!NT_STATUS_IS_OK(status)) {
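Review bot: The SID handed to `pdb_set_user_sid` now comes straight from the entry's `ipaNTSecurityIdentifier` attribute (via `get_single_attribute` and `sss_idmap_sid_to_smb_sid`), whereas the removed `sid_compose(&u_sid, &ldap_state->domain_sid, 6789)` guaranteed the trust account lived under the local domain SID; nothing in the new path checks that the stored value has that prefix, so a stale or mis-set attribute is accepted as-is. Before `pdb_set_user_sid`, add a domain check such as `if (!dom_sid_in_domain(&ldap_state->domain_sid, u_sid)) { talloc_free(u_sid); return false; }` preceded by a DEBUG line naming `sid_str` (moving `talloc_free(sid_str)` below it), provided the Samba headers in use expose `dom_sid_in_domain()`. `talloc_free(u_sid)` on a pointer returned by sss_idmap is only correct if `idmap_ctx` was created with talloc-backed allocation callbacks; that setup is outside this hunk, so a one-line comment at the free stating the assumption would help. init_sam_from_td starts and ends outside this hunk.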
@@ -2982,6 +3011,7 @@ static NTSTATUS getsam_interdom_trust_account(struct 
pdb_methods *methods,
        TALLOC_CTX *tmp_ctx;
        struct pdb_trusted_domain *td;
        NTSTATUS status;
+       LDAPMessage *entry = NULL;
 
        /* The caller must check that (sname[lastidx] == '.') || 
(sname[lastidx] == '$'))
         * before calling this function.
@@ -2999,13 +3029,24 @@ static NTSTATUS getsam_interdom_trust_account(struct 
pdb_methods *methods,
        }
        dom_name[lastidx] = '\0';
 
-       status = ipasam_get_trusted_domain(methods, tmp_ctx, dom_name, &td);
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(5, ("ipasam_get_trusted_domain failed.\n"));
+       if (!get_trusted_domain_by_name_int(ldap_state, tmp_ctx, dom_name,
+                                           &entry)) {
+               status = NT_STATUS_UNSUCCESSFUL;
+               goto done;
+       }
+       if (entry == NULL) {
+               DEBUG(5, ("getsam_interdom_trust_account: no such trusted " \
+                          "domain: %s\n", dom_name));
+               status = NT_STATUS_NO_SUCH_DOMAIN;
+               goto done;
+       }
+
+       if (!fill_pdb_trusted_domain(tmp_ctx, ldap_state, entry, &td)) {
+               status = NT_STATUS_UNSUCCESSFUL;
                goto done;
        }
 
-       if (!init_sam_from_td(user, td, ldap_state)) {
+       if (!init_sam_from_td(user, td, entry, ldap_state)) {
                DEBUG(5, ("init_sam_from_td failed.\n"));
                status = NT_STATUS_NO_SUCH_USER;
                goto done;
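Review bot: The trailing `\` on the `DEBUG(5, ("getsam_interdom_trust_account: no such trusted " \` line is a stray line continuation: inside a parenthesized argument list adjacent string literals concatenate on their own, so the backslash should be dropped for consistency with the other DEBUG calls in this file. The failure path of `get_trusted_domain_by_name_int` returns `NT_STATUS_UNSUCCESSFUL` silently, while the `ipasam_get_trusted_domain` call it replaces logged a failure; add `DEBUG(5, ("get_trusted_domain_by_name_int failed.\n"));` before that `goto done` to keep the diagnostic. Whether `entry` is released at `done` depends on how `get_trusted_domain_by_name_int` allocates it (an LDAPMessage normally needs `ldap_msgfree` unless it is bound to `tmp_ctx`), which is not visible in this hunk. getsam_interdom_trust_account begins before the hunk and continues past it.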
-- 
1.7.11.4
