From 66a9c1daa86e824e55155f07fd05666cd9905ad9 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 22 Dec 2023 12:09:45 +1300
Subject: [PATCH] s4-kdc: Prepare for gMSA support by recording it on the entry

This will allow the "samba-tool domain exportkeytab" code to do special gMSA processing and in the future will allow the KDC to know it needs to check if the keys in the DB need refreshing.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---
 source4/kdc/db-glue.c   | 5 +++++
 source4/kdc/samba_kdc.h | 1 +
 2 files changed, 6 insertions(+)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 14eb9f7428b..fc1400a305a 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1131,6 +1131,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	bool force_rc4 = lpcfg_kdc_force_enable_rc4_weak_session_keys(lp_ctx);
 	struct ldb_message_element *objectclasses;
 	struct ldb_val computer_val = data_blob_string_const("computer");
+	struct ldb_val gmsa_oc_val = data_blob_string_const("msDS-GroupManagedServiceAccount");
 	uint32_t config_default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
 	uint32_t default_supported_enctypes =
 		config_default_supported_enctypes != 0 ?
@@ -1197,6 +1198,10 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		goto out;
 	}
 
+	if (objectclasses && ldb_msg_find_val(objectclasses, &gmsa_oc_val)) {
+		p->group_managed_service_account = true;
+	}
+
 	p->is_rodc = is_rodc;
 	p->kdc_db_ctx = kdc_db_ctx;
 	p->realm_dn = talloc_reference(p, realm_dn);
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 095a8cc0cf7..67009b963bc 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -75,6 +75,7 @@ struct samba_kdc_entry {
 	bool is_trust : 1;
 	bool claims_from_pac_are_initialized : 1;
 	bool claims_from_db_are_initialized : 1;
+	bool group_managed_service_account : 1;
 };
 
 extern struct hdb_method hdb_samba4_interface;
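Review bot: The new flag is only ever set to true in the added block at @@ -1197, so a cleared value relies on `p` having been zero-initialised when it was allocated, which this hunk does not show; the allocation of `p` happens earlier in samba_kdc_message2entry, outside the hunk. If `p` comes from talloc_zero this is fine, otherwise an explicit `p->group_managed_service_account = false;` next to the existing `p->is_rodc = is_rodc;` assignments would make the default independent of the allocator. The lookup is a byte-exact value match on objectClass via ldb_msg_find_val, the same approach the existing `computer_val` presumably uses, so it should behave consistently with that check; where `objectclasses` is assigned is also outside the hunk. The function begins before the first hunk and continues after the last one.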
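Review bot: The new `group_managed_service_account` bit in struct samba_kdc_entry has no comment saying what sets it or what consumers may rely on, and the commit message says it is meant to drive special-case handling in exportkeytab and later key-refresh checks in the KDC, so a reader of the header alone cannot tell the flag's contract. I would add `/* objectClass contains msDS-GroupManagedServiceAccount; set by samba_kdc_message2entry() */` above the field. The struct definition starts before this hunk.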