ipa-sam: Fill SID blacklist when trust is added

Fill incoming and outgoing trust LDAP entry with default SID blacklist value. https://fedorahosted.org/freeipa/ticket/3289
2025-02-25 18:55:28 -06:00 · 2013-02-08 10:13:35 +01:00 · 2013-02-08 10:13:35 +01:00 · 994e2cda39
commit 994e2cda39
parent 827ea50566
1 changed files with 13 additions and 1 deletions
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@ -32,6 +32,7 @@
 #include <sss_idmap.h>
 #include "ipa_krb5.h"
 #include "ipa_pwd.h"
+#include "ipa_mspac.h"

 /* from drsblobs.h */
 struct AuthInfoNone {
@ -121,6 +122,8 @@ bool secrets_store(const char *key, const void *data, size_t size); /* available
 #define LDAP_ATTRIBUTE_HOME_PATH "ipaNTHomeDirectory"
 #define LDAP_ATTRIBUTE_LOGON_SCRIPT "ipaNTLogonScript"
 #define LDAP_ATTRIBUTE_PROFILE_PATH "ipaNTProfilePath"
+#define LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING "ipaNTSIDBlacklistIncoming"
+#define LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING "ipaNTSIDBlacklistOutgoing"
 #define LDAP_ATTRIBUTE_NTHASH "ipaNTHash"
 #define LDAP_ATTRIBUTE_UIDNUMBER "uidnumber"
 #define LDAP_ATTRIBUTE_GIDNUMBER "gidnumber"
@ -2165,7 +2168,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 	LDAPMod **mods;
 	bool res;
 	char *trusted_dn = NULL;
-	int ret;
+	int ret, i;
 	NTSTATUS status;
 	TALLOC_CTX *tmp_ctx;
 	char *trustpw;
@ -2290,6 +2293,15 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 				      &td->trust_forest_trust_info);
 	}

+	for (i = 0; ipa_mspac_well_known_sids && ipa_mspac_well_known_sids[i]; i++) {
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+				      LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING,
+				      ipa_mspac_well_known_sids[i]);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+				      LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING,
+				      ipa_mspac_well_known_sids[i]);
+	}
+
 	smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);

 	trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);