ipa-kdb: honor SID from the host or service entry

If the SID was explicitly set for the host or service entry, honor it when issuing PAC. For normal services and hosts we don't allocate individual SIDs but for cifs/... principals on domain members we do as they need to login to Samba domain controller. Related: https://pagure.io/freeipa/issue/9031 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2021-11-11 09:58:09 +02:00 · 2021-11-11 09:58:09 +02:00 · 4062e7b963
commit 4062e7b963
parent 6e6fad4b76
1 changed files with 30 additions and 20 deletions
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@ -653,28 +653,15 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
     * clear it after detecting the changes */
    info3->base.acct_flags = ACB_USE_AES_KEYS;

-    if ((is_host || is_service)) {
-        /* it is either host or service, so get the hostname first */
-        char *sep = strchr(info3->base.account_name.string, '/');
-        bool is_master = is_master_host(
-                            ipactx,
-                            sep ? sep + 1 : info3->base.account_name.string);
-        if (is_master) {
-            /* Well known RID of domain controllers group */
-            info3->base.rid = 516;
-            info3->base.acct_flags |= ACB_SVRTRUST;
-        } else {
-            /* Well known RID of domain computers group */
-            info3->base.rid = 515;
-            info3->base.acct_flags |= ACB_WSTRUST;
-        }
-    } else {
-        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                     "ipaNTSecurityIdentifier", &strres);
-        if (ret) {
-            /* SID is mandatory */
+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                 "ipaNTSecurityIdentifier", &strres);
+    if (ret) {
+        /* SID is mandatory for all but host/services */
+        if (!(is_host || is_service)) {
            return ret;
        }
+        info3->base.rid = 0;
+    } else {
        ret = ipadb_string_to_sid(strres, &sid);
        free(strres);
        if (ret) {
@ -686,6 +673,29 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
        }
    }

+    /* If SID was present prefer using it even for hosts and services
+     * but we still need to set the account flags correctly */
+    if ((is_host || is_service)) {
+        /* it is either host or service, so get the hostname first */
+        char *sep = strchr(info3->base.account_name.string, '/');
+        bool is_master = is_master_host(
+                            ipactx,
+                            sep ? sep + 1 : info3->base.account_name.string);
+        if (is_master) {
+            /* Well known RID of domain controllers group */
+            if (info3->base.rid == 0) {
+                info3->base.rid = 516;
+            }
+            info3->base.acct_flags |= ACB_SVRTRUST;
+        } else {
+            /* Well known RID of domain computers group */
+            if (info3->base.rid == 0) {
+                info3->base.rid = 515;
+            }
+            info3->base.acct_flags |= ACB_WSTRUST;
+        }
+    }
+
    ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
    switch (ret) {
    LDAPDerefRes *dres;