s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
authorJo Sutton <josutton@catalyst.net.nz>
Mon, 15 Apr 2024 03:13:45 +0000 (15:13 +1200)
committerJo Sutton <jsutton@samba.org>
Sun, 21 Apr 2024 22:10:36 +0000 (22:10 +0000)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc_1_20
source4/ldap_server/ldap_backend.c

index 010cc78e6692c4fa99898fd5ec25a19ccf9e5d92..f4366462d7998da6862c87489f801ea0ed2b80e2 100644 (file)
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$
-#
-# GMSA tests
-#
-^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$
index 8afe69b8a95f4fc0109ec45dbd92127af4c29d75..d964a6bfac0959830f841d409c26f10db8433fb7 100644 (file)
 ^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_authentication_triggers_keys_update\(ad_dc:local\)$
 ^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_gmsa_can_perform_as_req_with_aes256\(ad_dc:local\)$
 ^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_gmsa_can_perform_as_req_with_rc4\(ad_dc:local\)$
-^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$
index 746dafbb19c5822f6cf983539362712c23cf9684..06030f10177cda173e74950cf9d7c8e79a9674a3 100644 (file)
@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include <talloc.h>
 #include "ldap_server/ldap_server.h"
 #include "../lib/util/dlinklist.h"
 #include "auth/credentials/credentials.h"
@@ -27,6 +28,7 @@
 #include "auth/common_auth.h"
 #include "param/param.h"
 #include "samba/service_stream.h"
+#include "dsdb/gmsa/util.h"
 #include "dsdb/samdb/samdb.h"
 #include <ldb_errors.h>
 #include <ldb_module.h>
@@ -596,6 +598,7 @@ struct ldapsrv_context {
        bool attributesonly;
        struct ldb_control **controls;
        size_t count; /* For notification only */
+       const struct gmsa_update **updates;
 };
 
 static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply *ares)
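Review bot: The new `updates` member of struct ldapsrv_context is the only field in the hunk without a comment, and its ownership is not obvious from the declaration: it is a talloc array whose elements are control payloads stolen into it and consumed later in ldapsrv_SearchRequest. Suggest documenting that on the field, e.g. `const struct gmsa_update **updates; /* gMSA key updates collected from reply controls; owns its elements, applied once the search completes */`. The struct definition starts outside the hunk.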
@@ -657,6 +660,31 @@ static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply
                        ent->attributes[j].num_values = msg->elements[j].num_values;
                        ent->attributes[j].values = msg->elements[j].values;
                }
+
+               {
+                       const struct ldb_control
+                               *ctrl = ldb_controls_get_control(
+                                       ares->controls,
+                                       DSDB_CONTROL_GMSA_UPDATE_OID);
+
+                       if (ctrl != NULL) {
+                               const struct gmsa_update **updates = NULL;
+                               const size_t len = talloc_array_length(
+                                       ctx->updates);
+
+                               updates = talloc_realloc(
+                                       ctx,
+                                       ctx->updates,
+                                       const struct gmsa_update *,
+                                       len + 1);
+                               if (updates != NULL) {
+                                       updates[len] = talloc_steal(updates,
+                                                                   ctrl->data);
+                                       ctx->updates = updates;
+                               }
+                       }
+               }
+
 queue_reply:
                status = ldapsrv_queue_reply(call, ent_r);
                if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_TOO_LARGE)) {
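Review bot: When talloc_realloc fails, the `if (updates != NULL)` branch is skipped and the gMSA update carried in `ctrl->data` is dropped without any trace, so the account's stored keys silently stay stale while the search is still reported as successful. At minimum the failure should be visible in the log, e.g. an `else { DBG_WARNING("Failed to collect gMSA key update from search reply\n"); }` after the existing branch; if the callback's other allocation-failure paths (not visible here) return an ldb error instead, this one should follow the same convention. The unlabeled `{ ... }` block exists only to scope `ctrl`, and extracting it into a small static helper taking `ctx` and `ares->controls` would read better than a bare nested block inside the attribute loop. The body of ldap_server_search_callback starts and ends outside the hunk.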
@@ -923,6 +951,22 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
        ldb_ret = ldb_wait(lreq->handle, LDB_WAIT_ALL);
 
        if (ldb_ret == LDB_SUCCESS) {
+               size_t n;
+               const size_t len = talloc_array_length(callback_ctx->updates);
+
+               for (n = 0; n < len; ++n) {
+                       int ret;
+
+                       ret = dsdb_update_gmsa_entry_keys(
+                               samdb, local_ctx, callback_ctx->updates[n]);
+                       if (ret) {
+                               /* Ignore the error. */
+                               DBG_WARNING("Failed to update keys for Group "
+                                           "Managed Service Account: %s\n",
+                                           ldb_strerror(ret));
+                       }
+               }
+
                if (call->notification.busy) {
                        /* Move/Add it to the end */
                        DLIST_DEMOTE(call->conn->pending_calls, call);
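Review bot: The `/* Ignore the error. */` comment on the dsdb_update_gmsa_entry_keys failure path states the policy but not the reason, which is what the next maintainer will want; the entries have presumably already been queued to the client by the callback, so a failed key update must not turn a completed search into an error. Suggest `/* The entries are already queued to the client; a failed key update only leaves the stored keys stale, so log it and carry on. */`. `if (ret)` relies on LDB_SUCCESS being zero; `if (ret != LDB_SUCCESS)` matches the ldb convention used for `ldb_ret` just above and makes the intent explicit. The loop also sits inside `if (ldb_ret == LDB_SUCCESS)`, so updates collected during a search that ends in an error are never applied; if that is deliberate, a one-line comment saying so would avoid a future "fix". ldapsrv_SearchRequest begins outside the hunk.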