2afa3fe731
- Resolves: RHEL-120956 Rebase ipa to latest 4.13.x version for RHEL 10.2 - Resolves: RHEL-90121 Add modern WebUI as submodule and enable routing in Apache - Resolves: RHEL-132337 Include latest fixes in python3-ipatests package - Resolves: RHEL-129965 Fix ipatests for kdcproxy after CVE-2025-59088 fix - Resolves: RHEL-129547 Switch IPA to use the PKI python API directly rather than RPC calls - Resolves: RHEL-133342 After upgrade from 9.7 to 9.8 ipactl restart fails to restart winbind service Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
52 lines
2.2 KiB
Diff
52 lines
2.2 KiB
Diff
From f274df651ff8c352527c78f837cdff02e8eaa8f6 Mon Sep 17 00:00:00 2001
|
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
Date: Thu, 4 Dec 2025 13:13:21 +0100
|
|
Subject: [PATCH] Trust: fix tdo with WITH_FOREST
|
|
|
|
When a trust was established pre samba 4.23, the trust domain object
|
|
could contain ipanttrustattributes: 8 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)
|
|
This value prevents winbind restart.
|
|
|
|
The current code replaces 0 with LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
|
|
but should also handle the case for LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
|
|
In this case we should drop the bit and replace it by FOREST_TRANSITIVE
|
|
one because otherwise Samba will skip the domain. Do not change the LDAP
|
|
representation to allow older replicas to continue operations.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9892
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
|
---
|
|
daemons/ipa-sam/ipa_sam.c | 15 +++++++++++----
|
|
1 file changed, 11 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
|
|
index c43ffddbbdd69123b5d568a937fbc12d138243d1..ea25934d569f378f41b386bbb57d33eaf2bb19c0 100644
|
|
--- a/daemons/ipa-sam/ipa_sam.c
|
|
+++ b/daemons/ipa-sam/ipa_sam.c
|
|
@@ -2545,10 +2545,17 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
|
|
if (!res) {
|
|
goto done;
|
|
}
|
|
- if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) {
|
|
- /* attribute wasn't present and this is not a subdomain within
|
|
- * the parent forest */
|
|
- td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
|
|
+ if (td->domain_name != dns_domain) {
|
|
+ if ((td->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) != 0 ||
|
|
+ (td->trust_attributes == 0)) {
|
|
+ /* when trust attribute is not present or contains WITHIN_FOREST,
|
|
+ * we should drop the bit and replace it by FOREST_TRANSITIVE
|
|
+ * one because otherwise Samba will skip the domain.
|
|
+ * Do not change the LDAP representation to allow older replicas
|
|
+ * to continue operations. */
|
|
+ td->trust_attributes &= ~LSA_TRUST_ATTRIBUTE_WITHIN_FOREST;
|
|
+ td->trust_attributes |= LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
|
|
+ }
|
|
}
|
|
|
|
res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
|
|
--
|
|
2.52.0
|
|
|