From 4062e7b963bbc23fc6ed908e94c4a0747712905a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 11 Nov 2021 09:58:09 +0200
Subject: [PATCH] ipa-kdb: honor SID from the host or service entry

If the SID was explicitly set for the host or service entry, honor it when issuing PAC. For normal services and hosts we don't allocate individual SIDs but for cifs/... principals on domain members we do as they need to login to Samba domain controller.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 50 ++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 20 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 0e0ee3616..6f272f9fe 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -653,28 +653,15 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
      * clear it after detecting the changes */
     info3->base.acct_flags = ACB_USE_AES_KEYS;
 
-    if ((is_host || is_service)) {
-        /* it is either host or service, so get the hostname first */
-        char *sep = strchr(info3->base.account_name.string, '/');
-        bool is_master = is_master_host(
-            ipactx,
-            sep ? sep + 1 : info3->base.account_name.string);
-        if (is_master) {
-            /* Well known RID of domain controllers group */
-            info3->base.rid = 516;
-            info3->base.acct_flags |= ACB_SVRTRUST;
-        } else {
-            /* Well known RID of domain computers group */
-            info3->base.rid = 515;
-            info3->base.acct_flags |= ACB_WSTRUST;
-        }
-    } else {
-        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                     "ipaNTSecurityIdentifier", &strres);
-        if (ret) {
-            /* SID is mandatory */
+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                 "ipaNTSecurityIdentifier", &strres);
+    if (ret) {
+        /* SID is mandatory for all but host/services */
+        if (!(is_host || is_service)) {
             return ret;
         }
+        info3->base.rid = 0;
+    } else {
         ret = ipadb_string_to_sid(strres, &sid);
         free(strres);
         if (ret) {
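Review bot: After the missing-attribute case is tolerated for hosts and services, `ret` still carries the ipadb_ldap_attr_to_str error; it is only overwritten by the later `ret = ipadb_ldap_deref_results(...)` call, so any early exit added between the two would propagate a stale error for an entry that was deliberately accepted. Resetting it next to the sentinel, `info3->base.rid = 0; ret = 0;`, makes the tolerated failure explicit. The new code also starts consulting ipaNTSecurityIdentifier for host and service entries that the old code never read; whether the parsed `sid` is checked against the IPA domain SID prefix happens in the lines between the two hunks, which are not shown, so it is worth confirming that a host or service entry carrying a foreign-domain SID is rejected rather than reflected into the PAC. ipadb_fill_info3 starts before and continues past this hunk.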
@@ -686,6 +673,29 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
         }
     }
 
+    /* If SID was present prefer using it even for hosts and services
+     * but we still need to set the account flags correctly */
+    if ((is_host || is_service)) {
+        /* it is either host or service, so get the hostname first */
+        char *sep = strchr(info3->base.account_name.string, '/');
+        bool is_master = is_master_host(
+            ipactx,
+            sep ? sep + 1 : info3->base.account_name.string);
+        if (is_master) {
+            /* Well known RID of domain controllers group */
+            if (info3->base.rid == 0) {
+                info3->base.rid = 516;
+            }
+            info3->base.acct_flags |= ACB_SVRTRUST;
+        } else {
+            /* Well known RID of domain computers group */
+            if (info3->base.rid == 0) {
+                info3->base.rid = 515;
+            }
+            info3->base.acct_flags |= ACB_WSTRUST;
+        }
+    }
+
     ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
     switch (ret) {
         LDAPDerefRes *dres;
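Review bot: The `info3->base.rid == 0` tests cannot distinguish "no SID on the entry" from a SID whose parsed RID happens to be 0, so such an entry would silently be issued the well-known computer or DC RID instead of being reported; a dedicated flag set in the missing-attribute branch (e.g. `bool sid_missing`) and tested here would make the fallback unambiguous. The two branches also duplicate the fallback: `if (info3->base.rid == 0) { info3->base.rid = is_master ? 516 : 515; }` followed by `info3->base.acct_flags |= is_master ? ACB_SVRTRUST : ACB_WSTRUST;` expresses the same thing with one guard, and if the Samba security headers already included by this file provide DOMAIN_RID_DCS / DOMAIN_RID_DOMAIN_MEMBERS, those names would replace the bare 516/515. ipadb_fill_info3 continues past this hunk.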