From: Jo Sutton
Date: Mon, 15 Apr 2024 03:13:45 +0000 (+1200)
Subject: s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
X-Git-Tag: tdb-1.4.11~1045
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ba6181159215e99d8a0f2f3974ee0d46d146f35;p=thirdparty%2Fsamba.git
s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 010cc78e669..f4366462d79 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -159,7 +159,3 @@
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$
-#
-# GMSA tests
-#
-^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
index 8afe69b8a95..d964a6bfac0 100644
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -142,4 +142,3 @@
 ^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_authentication_triggers_keys_update\(ad_dc:local\)$
 ^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_gmsa_can_perform_as_req_with_aes256\(ad_dc:local\)$
 ^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_gmsa_can_perform_as_req_with_rc4\(ad_dc:local\)$
-^samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 746dafbb19c..06030f10177 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -19,6 +19,7 @@
 */
 #include "includes.h"
+#include
 #include "ldap_server/ldap_server.h"
 #include "../lib/util/dlinklist.h"
 #include "auth/credentials/credentials.h"
@@ -27,6 +28,7 @@
 #include "auth/common_auth.h"
 #include "param/param.h"
 #include "samba/service_stream.h"
+#include "dsdb/gmsa/util.h"
 #include "dsdb/samdb/samdb.h"
 #include
 #include
@@ -596,6 +598,7 @@ struct ldapsrv_context {
 bool attributesonly;
 struct ldb_control **controls;
 size_t count; /* For notification only */
+ const struct gmsa_update **updates;
 };
 static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply *ares)
@@ -657,6 +660,31 @@ static int ldap_server_search_callback(struct ldb_request *req, struct ldb_reply
 ent->attributes[j].num_values = msg->elements[j].num_values;
 ent->attributes[j].values = msg->elements[j].values;
 }
+
+ {
+ const struct ldb_control
+ *ctrl = ldb_controls_get_control(
+ ares->controls,
+ DSDB_CONTROL_GMSA_UPDATE_OID);
+
+ if (ctrl != NULL) {
+ const struct gmsa_update **updates = NULL;
+ const size_t len = talloc_array_length(
+ ctx->updates);
+
+ updates = talloc_realloc(
+ ctx,
+ ctx->updates,
+ const struct gmsa_update *,
+ len + 1);
+ if (updates != NULL) {
+ updates[len] = talloc_steal(updates,
+ ctrl->data);
+ ctx->updates = updates;
+ }
+ }
+ }
+
 queue_reply:
 status = ldapsrv_queue_reply(call, ent_r);
 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_TOO_LARGE)) {
@@ -923,6 +951,22 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
 ldb_ret = ldb_wait(lreq->handle, LDB_WAIT_ALL);
 if (ldb_ret == LDB_SUCCESS) {
+ size_t n;
+ const size_t len = talloc_array_length(callback_ctx->updates);
+
+ for (n = 0; n < len; ++n) {
+ int ret;
+
+ ret = dsdb_update_gmsa_entry_keys(
+ samdb, local_ctx, callback_ctx->updates[n]);
+ if (ret) {
+ /* Ignore the error. */
+ DBG_WARNING("Failed to update keys for Group "
+ "Managed Service Account: %s\n",
+ ldb_strerror(ret));
+ }
+ }
+
 if (call->notification.busy) {
 /* Move/Add it to the end */
 DLIST_DEMOTE(call->conn->pending_calls, call);
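Review bot: When `talloc_realloc` fails, the update carried in `ctrl->data` is dropped without a trace, since the `if (updates != NULL)` branch is the only path that records it; the managed password for that entry is still returned to the client while the stored keys stay as they were, and nothing is logged. Add an `else` branch with `DBG_WARNING("Failed to record gMSA key update for search entry: out of memory\n");` or flag the context so the caller can report it. The new block also sits above the `queue_reply:` label, so any path that jumps to that label from earlier in the callback bypasses it; presumably such entries never carry the control, but that is worth confirming. ldap_server_search_callback begins and ends outside this hunk.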
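Review bot: The collected key updates are applied only inside `if (ldb_ret == LDB_SUCCESS)`, so any other result from `ldb_wait` (for instance a size or time limit hit after some entries were already queued) discards them even though the managed password for those entries has presumably already been sent to the client, leaving the stored keys out of step with the password the client holds until some later trigger. Consider running the update loop before that test, or at least logging how many pending updates were dropped. The warning also does not say which account failed; if `struct gmsa_update` carries the entry DN, include it in the `DBG_WARNING` so the failure can be traced to an object. ldapsrv_SearchRequest begins and ends outside this hunk.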