s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
24f109c59f
commit
7ba6181159
@ -159,7 +159,3 @@
|
||||
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$
|
||||
#
|
||||
# GMSA tests
|
||||
#
|
||||
^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$
|
||||
|
@ -142,4 +142,3 @@
|
||||
^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_authentication_triggers_keys_update\(ad_dc:local\)$
|
||||
^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_gmsa_can_perform_as_req_with_aes256\(ad_dc:local\)$
|
||||
^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_gmsa_can_perform_as_req_with_rc4\(ad_dc:local\)$
|
||||
^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$
|
||||
|
@ -19,6 +19,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include <talloc.h>
|
||||
#include "ldap_server/ldap_server.h"
|
||||
#include "../lib/util/dlinklist.h"
|
||||
#include "auth/credentials/credentials.h"
|
||||
@ -27,6 +28,7 @@
|
||||
#include "auth/common_auth.h"
|
||||
#include "param/param.h"
|
||||
#include "samba/service_stream.h"
|
||||
#include "dsdb/gmsa/util.h"
|
||||
#include "dsdb/samdb/samdb.h"
|
||||
#include <ldb_errors.h>
|
||||
#include <ldb_module.h>
|
||||
@ -596,6 +598,7 @@ struct ldapsrv_context {
|
||||
bool attributesonly;
|
||||
struct ldb_control **controls;
|
||||
size_t count; /* For notification only */
|
||||
const struct gmsa_update **updates;
|
||||
};
|
||||
|
||||
static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply *ares)
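Review bot: The new `updates` member of struct ldapsrv_context has no comment, unlike its neighbour `count`, and nothing at the declaration says who owns the array or when it is consumed. I would add above it `/* gMSA updates collected from DSDB_CONTROL_GMSA_UPDATE_OID reply controls in the search callback; talloc array grown under this context and applied after the search completes */`, which is what the other hunks of this commit appear to do with it — worth confirming against the callback. The struct's opening line lies outside the hunk.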
|
||||
@ -657,6 +660,31 @@ static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply
|
||||
ent->attributes[j].num_values = msg->elements[j].num_values;
|
||||
ent->attributes[j].values = msg->elements[j].values;
|
||||
}
|
||||
|
||||
{
|
||||
const struct ldb_control
|
||||
*ctrl = ldb_controls_get_control(
|
||||
ares->controls,
|
||||
DSDB_CONTROL_GMSA_UPDATE_OID);
|
||||
|
||||
if (ctrl != NULL) {
|
||||
const struct gmsa_update **updates = NULL;
|
||||
const size_t len = talloc_array_length(
|
||||
ctx->updates);
|
||||
|
||||
updates = talloc_realloc(
|
||||
ctx,
|
||||
ctx->updates,
|
||||
const struct gmsa_update *,
|
||||
len + 1);
|
||||
if (updates != NULL) {
|
||||
updates[len] = talloc_steal(updates,
|
||||
ctrl->data);
|
||||
ctx->updates = updates;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
queue_reply:
|
||||
status = ldapsrv_queue_reply(call, ent_r);
|
||||
if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_TOO_LARGE)) {
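Review bot: When talloc_realloc fails in the new block of ldap_server_search_callback the update carried by the control is dropped without a trace: ctx->updates stays valid, but the entry is never recorded, so the keys of an account whose managed password has just been returned will not be refreshed and nobody is told. I would pair the existing `if (updates != NULL) {` with `} else { DBG_WARNING("Failed to record gMSA key update: out of memory\n"); }`, in the same register as the warning ldapsrv_SearchRequest emits later in this commit. The block also assumes ctrl->data is non-NULL; if a control can arrive without data, extending the test to `if (ctrl != NULL && ctrl->data != NULL)` keeps a NULL out of the array that is later handed to dsdb_update_gmsa_entry_keys. If ares->controls are forwarded to the LDAP client elsewhere in this callback, the internal control should presumably be stripped first — that cannot be seen from the hunk. The function continues outside the hunk.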
|
||||
@ -923,6 +951,22 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
|
||||
ldb_ret = ldb_wait(lreq->handle, LDB_WAIT_ALL);
|
||||
|
||||
if (ldb_ret == LDB_SUCCESS) {
|
||||
size_t n;
|
||||
const size_t len = talloc_array_length(callback_ctx->updates);
|
||||
|
||||
for (n = 0; n < len; ++n) {
|
||||
int ret;
|
||||
|
||||
ret = dsdb_update_gmsa_entry_keys(
|
||||
samdb, local_ctx, callback_ctx->updates[n]);
|
||||
if (ret) {
|
||||
/* Ignore the error. */
|
||||
DBG_WARNING("Failed to update keys for Group "
|
||||
"Managed Service Account: %s\n",
|
||||
ldb_strerror(ret));
|
||||
}
|
||||
}
|
||||
|
||||
if (call->notification.busy) {
|
||||
/* Move/Add it to the end */
|
||||
DLIST_DEMOTE(call->conn->pending_calls, call);
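Review bot: The update loop in ldapsrv_SearchRequest runs only when ldb_wait returns LDB_SUCCESS, yet the entries — and the managed passwords in them — were already queued to the client from the search callback; if a search can end with an error after partial results (the callback's NT_STATUS_FILE_TOO_LARGE path suggests that is possible), the collected updates are discarded and the account's keys stay out of step with the password that was just disclosed. Consider applying the pending updates independently of ldb_ret, e.g. by hoisting the `for (n = 0; n < len; ++n)` loop out of the `if (ldb_ret == LDB_SUCCESS)` branch and guarding it only on `len > 0`, or documenting why success-only is intended. The `/* Ignore the error. */` comment should also say why that is acceptable, e.g. `/* Best effort: the entries are already queued for the client, so failing the search now would not help; warn and continue. */`. The enclosing function continues outside the hunk.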
|
||||
|