ipa/0004-Trust-fix-tdo-with-WITH_FOREST.patch
Florence Blanc-Renaud 7b095b326d ipa-4.13.0-1
- Resolves: RHEL-134542 Add modern WebUI as submodule and enable routing in Apache
- Resolves: RHEL-134540 Switch IPA to use the PKI python API directly rather than RPC calls
- Resolves: RHEL-134196 After upgrade from 9.7 to 9.8 ipactl restart fails to restart winbind service
- Resolves: RHEL-132334 Include latest fixes in python3-ipatests package
- Resolves: RHEL-129224 Fix ipatests for kdcproxy after CVE-2025-59088 fix
- Resolves: RHEL-126974 Minor typo in ipa_idrange_fix.py
- Resolves: RHEL-120954 Rebase ipa to latest 4.13.x version for RHEL 9.8

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2025-12-15 17:36:43 +01:00

From 6f0cd075e5a588628a98d3b4a95e755af59845d7 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 4 Dec 2025 13:13:21 +0100
Subject: [PATCH] Trust: fix tdo with WITH_FOREST

When a trust was established pre-Samba 4.23, the trust domain object
could contain ipanttrustattributes: 8 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST).
This value prevents winbind restart.
The current code replaces 0 with LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
but should also handle the case for LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
In this case we should drop the bit and replace it by FOREST_TRANSITIVE
one because otherwise Samba will skip the domain. Do not change the LDAP
representation to allow older replicas to continue operations.
Fixes: https://pagure.io/freeipa/issue/9892
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-sam/ipa_sam.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index c43ffddbbdd69123b5d568a937fbc12d138243d1..ea25934d569f378f41b386bbb57d33eaf2bb19c0 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2545,10 +2545,17 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
if (!res) {
goto done;
}
- if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) {
- /* attribute wasn't present and this is not a subdomain within
- * the parent forest */
- td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
+ if (td->domain_name != dns_domain) {
+ if ((td->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) != 0 ||
+ (td->trust_attributes == 0)) {
+ /* when trust attribute is not present or contains WITHIN_FOREST,
+ * we should drop the bit and replace it by FOREST_TRANSITIVE
+ * one because otherwise Samba will skip the domain.
+ * Do not change the LDAP representation to allow older replicas
+ * to continue operations. */
+ td->trust_attributes &= ~LSA_TRUST_ATTRIBUTE_WITHIN_FOREST;
+ td->trust_attributes |= LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
+ }
}
res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
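Review bot: the WITHIN_FOREST rewrite is only reached inside `if (td->domain_name != dns_domain)`, yet the commit message states without qualification that a TDO carrying that bit prevents winbind from restarting; please confirm that an entry whose domain_name equals dns_domain and carries WITHIN_FOREST is not skipped by Samba as well, or extend the comment to say why that case is exempt. Two smaller points on the same hunk: if `td->domain_name` and `dns_domain` are C strings, `!=` compares addresses rather than contents (pre-existing, but the guard now covers more logic), so `strcasecmp()` is the safer test unless pointer identity is really intended; and the inner condition reads more naturally as `td->trust_attributes == 0 || (td->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)`. Finally, the commit message says the stored value was `ipanttrustattributes: 8`; in MS-LSAD (and Samba's lsa.idl) 0x8 is TRUST_ATTRIBUTE_FOREST_TRANSITIVE and WITHIN_FOREST is 0x20, so the value quoted in the message should be checked against what the affected TDOs actually hold.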
--
2.52.0