1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Jo Sutton 2024-04-15 15:13:45 +12:00 committed by Jo Sutton
parent 24f109c59f
commit 7ba6181159
3 changed files with 44 additions and 5 deletions

View File

@ -159,7 +159,3 @@
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$
#
# GMSA tests
#
^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$

View File

@ -142,4 +142,3 @@
^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_authentication_triggers_keys_update\(ad_dc:local\)$
^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_gmsa_can_perform_as_req_with_aes256\(ad_dc:local\)$
^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_gmsa_can_perform_as_req_with_rc4\(ad_dc:local\)$
^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$

View File

@ -19,6 +19,7 @@
*/
#include "includes.h"
#include <talloc.h>
#include "ldap_server/ldap_server.h"
#include "../lib/util/dlinklist.h"
#include "auth/credentials/credentials.h"
@ -27,6 +28,7 @@
#include "auth/common_auth.h"
#include "param/param.h"
#include "samba/service_stream.h"
#include "dsdb/gmsa/util.h"
#include "dsdb/samdb/samdb.h"
#include <ldb_errors.h>
#include <ldb_module.h>
@ -596,6 +598,7 @@ struct ldapsrv_context {
bool attributesonly;
struct ldb_control **controls;
size_t count; /* For notification only */
const struct gmsa_update **updates;
};
static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply *ares)
@ -657,6 +660,31 @@ static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply
ent->attributes[j].num_values = msg->elements[j].num_values;
ent->attributes[j].values = msg->elements[j].values;
}
{
const struct ldb_control
*ctrl = ldb_controls_get_control(
ares->controls,
DSDB_CONTROL_GMSA_UPDATE_OID);
if (ctrl != NULL) {
const struct gmsa_update **updates = NULL;
const size_t len = talloc_array_length(
ctx->updates);
updates = talloc_realloc(
ctx,
ctx->updates,
const struct gmsa_update *,
len + 1);
if (updates != NULL) {
updates[len] = talloc_steal(updates,
ctrl->data);
ctx->updates = updates;
}
}
}
queue_reply:
status = ldapsrv_queue_reply(call, ent_r);
if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_TOO_LARGE)) {
@ -923,6 +951,22 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
ldb_ret = ldb_wait(lreq->handle, LDB_WAIT_ALL);
if (ldb_ret == LDB_SUCCESS) {
size_t n;
const size_t len = talloc_array_length(callback_ctx->updates);
for (n = 0; n < len; ++n) {
int ret;
ret = dsdb_update_gmsa_entry_keys(
samdb, local_ctx, callback_ctx->updates[n]);
if (ret) {
/* Ignore the error. */
DBG_WARNING("Failed to update keys for Group "
"Managed Service Account: %s\n",
ldb_strerror(ret));
}
}
if (call->notification.busy) {
/* Move/Add it to the end */
DLIST_DEMOTE(call->conn->pending_calls, call);