[Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 3 10:00:43 UTC 2013


On Mon, 01 Jul 2013, Sumit Bose wrote:
>Hi,
>
>this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
>to allow SSSD running on a FreeIPA server to access the AD LDAP server.
>In the ticket a more generic solution is described but since there is no
>other use case so far I think this patch is sufficient for the time
>being.
>
>bye,
>Sumit

>From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
>From: Sumit Bose <sbose at redhat.com>
>Date: Mon, 1 Jul 2013 13:47:22 +0200
>Subject: [PATCH] Add PAC to master host TGTs
>
>For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
>needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
>of a trusted domain with the credentials of a FreeIPA server host a
>PAC must be added to the TGT for the host.
s/SALS/SASL/


>To determine if a host is a FreeIPA server or not it is checked if there
>is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
>this requires an additional LDAP lookup. But since TGS-REQs for hosts
>should be rare I think it is acceptable for the time being.
I think it is better to change this lookup to
"cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX", it would
explicitly limit us to the IPA masters running AD trusts.

>+static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
>+{
>+    int ret;
>+    char *master_host_base = NULL;
>+    LDAPMessage *result = NULL;
>+    krb5_error_code err;
>+
>+    ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
>+                                      fqdn, ipactx->base);
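Review bot: `fqdn` is substituted verbatim into the search base DN via `%s` in the `asprintf` call, so any RFC 4514 special characters in the host name (`,`, `+`, `=`, `\`) would change the DN's structure instead of being matched literally; escape the value or reject anything that is not a plain host name before building the base. The visible lines also assign `ret` without checking it, so make sure the `-1` case is handled before `master_host_base` is used.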
here: "cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s"

>+    if (is_host) {
>+        prigid = 515; /* Well known RID for domain computers group */
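Review bot: `prigid = 515;` is a bare magic number; define a named constant for the Domain Computers RID and use it here, so the meaning is carried by the identifier rather than only by the trailing comment.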
Could you please mention this fact in the commit message as well?

>+    if (is_host) {
>+        /* Well know RID of domain controllers group */
>+        info3->base.rid = 516;
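Review bot: the comment reads `Well know RID` and should be `Well known RID`; as with the 515 assignment above, `516` is clearer as a named constant for the Domain Controllers RID, and keeping both RIDs in one place makes the pairing of the two `is_host` branches easier to audit.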
Same here.



-- 
/ Alexander Bokovoy
