From 477dbba18bf987bf4461fdfdfba0d497159db7ce Mon Sep 17 00:00:00 2001
From: Stanislav Levin
Date: Wed, 4 Dec 2024 19:56:51 +0300
Subject: [PATCH] adtrust: add missing ipaAllowedOperations objectclass
Per @abbra explanation:
> When expected Kerberos principal names for this object were flipped to follow requirements for cross-realm krbtgt objects expected by Active Directory, trusted object changed its canonical Kerberos principal name. The keytab for this Kerberos principal name is fetched by SSSD and it needs to be permitted to read the key. We added the virtual permission to allow the keytab retrieval but didn't add the objectclass that actually allows adding an LDAP attribute to express the permission. When an attribute is added to an LDAP object, objectclasses of the object must allow presence of that attribute. This is the followup to #9471 and fixes the upgrade. Thanks @abbra!
Related: https://pagure.io/freeipa/issue/9471
Fixes: https://pagure.io/freeipa/issue/9712
Signed-off-by: Stanislav Levin
Reviewed-By: Alexander Bokovoy
---
 ipaserver/install/plugins/adtrust.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index e6d49cb2512bff7dcce57f019ecb6c497d11ed52..ab3d427ef561aeb26eb098270446640ba451c8ad 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -705,7 +705,8 @@ class update_tdo_to_new_layout(Updater):
 self.set_krb_principal([tgt_principal, nbt_principal],
 passwd_incoming,
 t_dn,
- flags=self.KRB_PRINC_CREATE_DEFAULT)
+ flags=self.KRB_PRINC_CREATE_DEFAULT
+ | self.KRB_PRINC_CREATE_AGENT_PERMISSION)
 
 # 3. INBOUND: krbtgt/@ must exist
 trust_principal = self.tgt_principal_template.format(
-- 
2.47.1
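Review bot: The added `| self.KRB_PRINC_CREATE_AGENT_PERMISSION` continuation line carries no comment explaining why this particular set_krb_principal call needs the agent permission, and the rationale in the commit message (SSSD fetches the keytab for the TDO's canonical principal, so agents must be allowed to read its key, which in turn requires the ipaAllowedOperations objectclass on the entry) will be lost once the patch is merged. Suggest a comment directly above the call: `# SSSD retrieves the keytab for this principal; grant agents read access to its key (adds ipaAllowedOperations).` Whether set_krb_principal applies this flag idempotently on a re-run of the updater (objectclass and permission attribute already present on an upgraded entry) cannot be seen from this hunk and is worth confirming, since this is upgrade code. It is also not visible whether the INBOUND call following the `# 3.` comment needs the same flag, or only the outbound principal's keytab is fetched; the body of update_tdo_to_new_layout continues outside the hunk.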