#6815 ipasam: need to implement ipasam_update_sam_account()
Opened 7 years ago by frenaud. Modified 6 years ago

When a trust is established with AD, the AD server periodically calls NETR_SERVERPASSWORDSET2 and the operation fails with NT_STATUS_NOT_IMPLEMENTED (log in /var/log/samba/smbd.lsasd.xx):

[2017/03/24 10:30:18.736045,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
          out: struct netr_ServerPasswordSet2
              return_authenticator     : *
                  return_authenticator: struct netr_Authenticator
                      cred: struct netr_Credential
                          data                     : ced899cf781997ca
                      timestamp                : (time_t)0
              result                   : NT_STATUS_NOT_IMPLEMENTED

pdb_update_sam_account() is called but ipasam doesn't provide this function, meaning that the default samba implementation is used and returns NT_STATUS_NOT_IMPLEMENTED.

We need to implement ipasam_update_sam_account().


Note: setting the NT hash only is a bit complicated because we should be expecting to synchronize both Kerberos and NT hash passwords for the same entry. Since this is a trusted domain object entry, having them not in sync would cause broken trust operations for SSSD.
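
A log check for the failure in the excerpt at the top of this ticket, added here as an example and not part of the ticket or of FreeIPA/Samba code. It assumes the entry header and NDR dump layout shown in that excerpt; `failed_calls` and `SAMPLE` are hypothetical names, and the second sample entry is constructed.

```python
import re

# Samba debug entry header, as in the ticket's excerpt:
# [date time, level, pid=N, ...] source.c:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+,"
    r"\s*pid=(?P<pid>\d+)[^\]]*\]\s+\S+\((?P<func>\w+)\)")
# First body line of an NDR dump: "<call>: struct <call>"
RPC_NAME = re.compile(r"^\s+(?P<rpc>\w+): struct (?P=rpc)\s*$")
RESULT = re.compile(r"^\s+result\s*:\s*(?P<status>\w+)\s*$")

def failed_calls(lines, rpc="netr_ServerPasswordSet2"):
    """Return (timestamp, pid, status) for each dumped `rpc` reply that did not succeed."""
    hits, entry = [], None
    for line in lines:
        m = HEADER.match(line)
        if m:  # a new log entry starts; only NDR function dumps are of interest
            is_dump = m["func"] == "ndr_print_function_debug"
            entry = {"ts": m["ts"], "pid": int(m["pid"]), "rpc": None} if is_dump else None
            continue
        if entry is None:
            continue
        m = RPC_NAME.match(line)
        if m and entry["rpc"] is None:
            entry["rpc"] = m["rpc"]
            continue
        m = RESULT.match(line)
        if m and entry["rpc"] == rpc and m["status"] != "NT_STATUS_OK":
            hits.append((entry["ts"], entry["pid"], m["status"]))
    return hits

# First entry: the excerpt from the ticket. Second entry: constructed for contrast.
SAMPLE = """\
[2017/03/24 10:30:18.736045,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
          out: struct netr_ServerPasswordSet2
              return_authenticator     : *
                  return_authenticator: struct netr_Authenticator
                      cred: struct netr_Credential
                          data                     : ced899cf781997ca
                      timestamp                : (time_t)0
              result                   : NT_STATUS_NOT_IMPLEMENTED
[2017/03/24 11:02:41.102233,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
          out: struct netr_ServerPasswordSet2
              result                   : NT_STATUS_OK
"""

if __name__ == "__main__":
    for ts, pid, status in failed_calls(SAMPLE.splitlines()):
        print(f"{ts} pid={pid} netr_ServerPasswordSet2 -> {status}")
```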

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436625

7 years ago

Closing as duplicate of 6660, this ticket is mentioned there as comment: https://pagure.io/freeipa/issue/6660#comment-433860

Metadata Update from @pvoborni:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

7 years ago

Reopening. This is another part of the bigger issue. Ticket #6660 is a prerequisite to reach netr_ServerPassword2, but we still need to implement pdb_update_sam_account() in the ipasam backend and also switch to using info level 26 instead of info level 18 in netr_set_machine_account_password(). I'll open a related Samba bug too.

Metadata Update from @abbra:
- Issue status updated to: Open (was: Closed)

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: bug

7 years ago

Metadata Update from @abbra:
- Issue assigned to abbra

7 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

7 years ago

FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

6 years ago
