From f53e9db5fadb808eeb7189a912d63f4754cd1da2 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Feb 12 2013 09:46:53 +0000 Subject: ipa-sam: Fill SID blacklist when trust is added Fill incoming and outgoing trust LDAP entry with default SID blacklist value. https://fedorahosted.org/freeipa/ticket/3289 --- diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 3c4c97c..adf4822 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -32,6 +32,7 @@ #include #include "ipa_krb5.h" #include "ipa_pwd.h" +#include "ipa_mspac.h" /* from drsblobs.h */ struct AuthInfoNone { @@ -121,6 +122,8 @@ bool secrets_store(const char *key, const void *data, size_t size); /* available #define LDAP_ATTRIBUTE_HOME_PATH "ipaNTHomeDirectory" #define LDAP_ATTRIBUTE_LOGON_SCRIPT "ipaNTLogonScript" #define LDAP_ATTRIBUTE_PROFILE_PATH "ipaNTProfilePath" +#define LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING "ipaNTSIDBlacklistIncoming" +#define LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING "ipaNTSIDBlacklistOutgoing" #define LDAP_ATTRIBUTE_NTHASH "ipaNTHash" #define LDAP_ATTRIBUTE_UIDNUMBER "uidnumber" #define LDAP_ATTRIBUTE_GIDNUMBER "gidnumber" @@ -2165,7 +2168,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, LDAPMod **mods; bool res; char *trusted_dn = NULL; - int ret; + int ret, i; NTSTATUS status; TALLOC_CTX *tmp_ctx; char *trustpw; @@ -2290,6 +2293,15 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, &td->trust_forest_trust_info); } + for (i = 0; ipa_mspac_well_known_sids && ipa_mspac_well_known_sids[i]; i++) { + smbldap_make_mod(priv2ld(ldap_state), entry, &mods, + LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING, + ipa_mspac_well_known_sids[i]); + smbldap_make_mod(priv2ld(ldap_state), entry, &mods, + LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING, + ipa_mspac_well_known_sids[i]); + } + smbldap_talloc_autofree_ldapmod(tmp_ctx, mods); trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain);