ipa-sam: create the gidNumber attribute in the trusted domain entry

When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6827
freeipa · Mar 28, 2017 · b000fdf · b000fdf
1 parent 1530758
commit b000fdf
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
@@ -2419,6 +2419,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	if (entry == NULL || sid == NULL) {
 		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
 				 LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+		                 LDAP_ATTRIBUTE_GIDNUMBER, IPA_MAGIC_ID_STR);
 	}
 
 	if (td->netbios_name != NULL) {
@@ -2823,12 +2825,18 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
 	return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
 }
 
+static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
+                                        struct ldapsam_privates *ldap_state,
+                                        LDAPMessage *entry,
+                                        struct dom_sid **_group_sid);
+
 static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 			     LDAPMessage *entry,
 			     struct ldapsam_privates *ldap_state)
 {
 	NTSTATUS status;
 	struct dom_sid *u_sid;
+	struct dom_sid *g_sid;
 	char *name;
 	char *trustpw = NULL;
 	char *trustpw_utf8 = NULL;
@@ -2839,6 +2847,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	bool res;
 	char *sid_str;
 	enum idmap_error_code err;
+	TALLOC_CTX *tmp_ctx;
 
 	if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION,
 			      PDB_SET)) {
@@ -2884,6 +2893,23 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	}
 	talloc_free(u_sid);
 
+	tmp_ctx= talloc_init("init_sam_from_td");
+	if (!tmp_ctx) {
+		return false;
+	}
+
+	if (ipasam_get_primary_group_sid(tmp_ctx, ldap_state, entry, &g_sid)
+			!= 0) {
+		talloc_free(tmp_ctx);
+		return false;
+	}
+
+	if (!pdb_set_group_sid(user, g_sid, PDB_SET)) {
+		talloc_free(tmp_ctx);
+		return false;
+	}
+	talloc_free(tmp_ctx);
+
 	status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
 	if (!NT_STATUS_IS_OK(status)) {
 		return false;