Fix IPA DC schannel support

Guenther
2021-11-13 00:15:32 +01:00 · 2021-11-13 00:15:32 +01:00 · d2806fa77c
parent 598cab6469
commit d2806fa77c
2 changed files with 50 additions and 1 deletions
--- a/samba-4.13-ipa-dc-schannel.patch
+++ b/samba-4.13-ipa-dc-schannel.patch
@ -0,0 +1,45 @@
+From 3fc4d1d3998f3956a84c855cb60a9dcb335e1f59 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 12 Nov 2021 19:06:01 +0200
+Subject: [PATCH] IPA DC: add missing checks
+
+When introducing FreeIPA support, two places were forgotten:
+
+ - schannel gensec module needs to be aware of IPA DC
+ - _lsa_QueryInfoPolicy should treat IPA DC as PDC
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ auth/gensec/schannel.c              | 1 +
+ source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+index 0cdae141ead..6ebbe8f3179 100644
+--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
+@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_ACTIVE_DIRECTORY_DC:
+	case ROLE_IPA_DC:
+ 		return NT_STATUS_OK;
+ 	default:
+ 		return NT_STATUS_NOT_IMPLEMENTED;
+diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
+index 8d71b5252ab..ea92a22cbc9 100644
+--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
+@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
+ 		switch (lp_server_role()) {
+ 			case ROLE_DOMAIN_PDC:
+ 			case ROLE_DOMAIN_BDC:
+			case ROLE_IPA_DC:
+ 				name = get_global_sam_name();
+ 				sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
+ 				if (!sid) {
+-- 
+2.33.1
+
--- a/samba.spec
+++ b/samba.spec
@ -8,7 +8,7 @@

 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")

-%define main_release 1
+%define main_release 2

 %define samba_version 4.13.14
 %define talloc_version 2.3.1
@ -137,6 +137,7 @@ Patch1:         samba-s4u.patch
 # Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.13-redhat.patch
 Patch2:         samba-4.13-redhat.patch
 Patch3:         samba-4.13-fix-winbind-no-trusted-domain.patch
+Patch4:         samba-4.13-ipa-dc-schannel.patch

 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@ -3675,6 +3676,9 @@ fi
 %endif

 %changelog
+* Sat Nov 13 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-2
+- Fix IPA DC schannel support
+
 * Thu Nov 11 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-1
 - Fix winbind trusted domain regression
 - related: #2021716