ipa/0036-adtrust-add-missing-ipaAllowedOperations-objectclass.patch

From 477dbba18bf987bf4461fdfdfba0d497159db7ce Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Wed, 4 Dec 2024 19:56:51 +0300
Subject: [PATCH] adtrust: add missing ipaAllowedOperations objectclass

Per @abbra explanation:
> When expected Kerberos principal names for this object were flipped to
  follow requirements for cross-realm krbtgt objects expected by Active
  Directory, trusted object changed its canonical Kerberos principal name.
  The keytab for this Kerberos principal name is fetched by SSSD and it
  needs to be permitted to read the key. We added the virtual permission
  to allow the keytab retrieval but didn't add the objectclass that
  actually allows adding an LDAP attribute to express the permission. When
  an attribute is added to an LDAP object, objectclasses of the object
  must allow presence of that attribute.

This is the followup to #9471 and fixes the upgrade.

Thanks @abbra!

Related: https://pagure.io/freeipa/issue/9471
Fixes: https://pagure.io/freeipa/issue/9712
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/install/plugins/adtrust.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index e6d49cb2512bff7dcce57f019ecb6c497d11ed52..ab3d427ef561aeb26eb098270446640ba451c8ad 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -705,7 +705,8 @@ class update_tdo_to_new_layout(Updater):
                 self.set_krb_principal([tgt_principal, nbt_principal],
                                        passwd_incoming,
                                        t_dn,
-                                       flags=self.KRB_PRINC_CREATE_DEFAULT)
+                                       flags=self.KRB_PRINC_CREATE_DEFAULT
+                                       | self.KRB_PRINC_CREATE_AGENT_PERMISSION)
 
             # 3. INBOUND: krbtgt/<OUR REALM>@<REMOTE REALM> must exist
             trust_principal = self.tgt_principal_template.format(
-- 
2.47.1
ipa-4.12.2-7 - Resolves: RHEL-70760 Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges' - Resolves: RHEL-70481 ipa-server-upgrade fails after established trust with ad - Resolves: RHEL-69927 add support for python cryptography 44.0.0 - Resolves: RHEL-69908 All user groups are not being included during HSM token validation - Resolves: RHEL-69900 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2024-12-11 09:47:47 +00:00			`From 477dbba18bf987bf4461fdfdfba0d497159db7ce Mon Sep 17 00:00:00 2001`
			`From: Stanislav Levin <slev@altlinux.org>`
			`Date: Wed, 4 Dec 2024 19:56:51 +0300`
			`Subject: [PATCH] adtrust: add missing ipaAllowedOperations objectclass`

			`Per @abbra explanation:`
			`> When expected Kerberos principal names for this object were flipped to`
			`follow requirements for cross-realm krbtgt objects expected by Active`
			`Directory, trusted object changed its canonical Kerberos principal name.`
			`The keytab for this Kerberos principal name is fetched by SSSD and it`
			`needs to be permitted to read the key. We added the virtual permission`
			`to allow the keytab retrieval but didn't add the objectclass that`
			`actually allows adding an LDAP attribute to express the permission. When`
			`an attribute is added to an LDAP object, objectclasses of the object`
			`must allow presence of that attribute.`

			`This is the followup to #9471 and fixes the upgrade.`

			`Thanks @abbra!`

			`Related: https://pagure.io/freeipa/issue/9471`
			`Fixes: https://pagure.io/freeipa/issue/9712`
			`Signed-off-by: Stanislav Levin <slev@altlinux.org>`
			`Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>`
			`---`
			`ipaserver/install/plugins/adtrust.py \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py`
			`index e6d49cb2512bff7dcce57f019ecb6c497d11ed52..ab3d427ef561aeb26eb098270446640ba451c8ad 100644`
			`--- a/ipaserver/install/plugins/adtrust.py`
			`+++ b/ipaserver/install/plugins/adtrust.py`
			`@@ -705,7 +705,8 @@ class update_tdo_to_new_layout(Updater):`
			`self.set_krb_principal([tgt_principal, nbt_principal],`
			`passwd_incoming,`
			`t_dn,`
			`- flags=self.KRB_PRINC_CREATE_DEFAULT)`
			`+ flags=self.KRB_PRINC_CREATE_DEFAULT`
			`+ \| self.KRB_PRINC_CREATE_AGENT_PERMISSION)`

			`# 3. INBOUND: krbtgt/<OUR REALM>@<REMOTE REALM> must exist`
			`trust_principal = self.tgt_principal_template.format(`
			`--`
			`2.47.1`