Discussion:
[Freeipa-devel] [freeipa PR#632][opened] ipa-sam: create the gidNumber attribute in the trusted domain entry
flo-renaud
2017-03-21 18:21:09 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
Action: opened

PR body:
"""
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6660
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/632/head:pr632
git checkout pr632
flo-renaud
2017-03-28 20:14:50 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
Action: synchronized

flo-renaud
2017-03-28 20:16:43 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

flo-renaud commented:
"""
I updated the commit message with a different issue number, related to the "Failed to find a unix account" message.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-289891045
flo-renaud
2017-03-28 20:15:34 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
Action: edited

Changed field: body
Original value:
"""
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6660
"""
flo-renaud
2017-04-03 18:13:49 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
Action: synchronized

flo-renaud
2017-04-03 18:16:23 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

flo-renaud commented:
"""
Hi @abbra
thank you for the review. PR updated following your comments, and with an upgrade plugin to handle existing trusted domain objects.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-291227659
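
Added example, not part of the PR or of FreeIPA's code: an offline audit of an LDIF export that lists trusted domain entries still in the state the PR body describes (uidNumber present, gidNumber absent). It assumes such entries carry objectClass ipaNTTrustedDomain; the DNs and ID numbers in the sample are constructed.

```python
import base64

# Constructed sample export; DNs, domain names and ID numbers are made up.
# ASSUMPTION: trusted domain entries carry objectClass ipaNTTrustedDomain.
SAMPLE_LDIF = """\
dn: cn=dom-ad.example.com,cn=ad,cn=trusts,dc=ipa,dc=example,dc=test
objectClass: ipaNTTrustedDomain
uidNumber: 1234500005

dn: cn=fixed.example.com,cn=ad,cn=trusts,dc=ipa,dc=example,dc=test
objectClass: ipaNTTrustedDomain
uidNumber: 1234500006
gidNumber: 1234500001
"""

def parse_ldif(text):
    """Parse LDIF into a list of dicts: lowercased attribute -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # RFC 2849 folded line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries

def tdo_missing_gid(entries):
    """Return DNs of trusted domain entries with uidNumber but no gidNumber."""
    flagged = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "ipanttrusteddomain" in classes and entry.get("uidnumber") \
                and not entry.get("gidnumber"):
            flagged.append(entry.get("dn", ["<no dn>"])[0])
    return flagged
```
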
abbra
2017-04-03 19:32:33 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

abbra commented:
"""
Thanks. I read through the code and it looks good to me. I'm going to test it together with my work on ipasam_update_sam_account() tomorrow.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-291249140
abbra
2017-04-06 13:01:16 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

abbra commented:
"""
LGTM.

`nltest /sc_verify:ipa.example.test` works thanks to this pull request:
```
C:\Users\Administrator>nltest /sc_query:ipa.example.test
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\master.ipa.example.test
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
```

"""

See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-292167012
abbra
2017-04-06 13:01:39 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

Label: +ack
MartinBasti
2017-04-07 10:39:05 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

Label: +pushed
MartinBasti
2017-04-07 10:39:12 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

MartinBasti commented:
"""
master:

* e052c2dce04f5ce147dc2b6804f44705fa4d69df ipa-sam: create the gidNumber attribute in the trusted domain entry
* 5405de5bc15941d71137af10aa66a6cf922d9e6d Upgrade: add gidnumber to trusted domain entry


ipa-4-5:

* 91d36941653476abfff6a54ba7cb5a9f2c12c22d ipa-sam: create the gidNumber attribute in the trusted domain entry
* eddd29f1d52d63ea702437b0dd2a2826df52bc26 Upgrade: add gidnumber to trusted domain entry


"""

See the full comment at https://github.com/freeipa/freeipa/pull/632#issuecomment-292504625
MartinBasti
2017-04-07 10:39:14 UTC
URL: https://github.com/freeipa/freeipa/pull/632
Author: flo-renaud
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry
Action: closed
