From: Andrew Bartlett
Date: Mon, 4 Mar 2024 22:49:49 +0000 (+1300)
Subject: python/samba/provision: Ensure KDS root key is usable as soon as provision is complete
X-Git-Tag: tdb-1.4.11~1526
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b42043897a6ebf52f70c5bdcdcfe6a18f8ad6fd8;p=thirdparty%2Fsamba.git
python/samba/provision: Ensure KDS root key is usable as soon as provision is complete
We do this by setting the start time to being 10 hours 5min earlier than now.
Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index c8731c4962f..c7f761cd75c 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -73,9 +73,14 @@ from samba.dsdb import (
 DS_DOMAIN_FUNCTION_2016,
 ENC_ALL_TYPES,
 )
+from samba.gkdi import (
+ KEY_CYCLE_DURATION,
+ MAX_CLOCK_SKEW
+)
 from samba.idmap import IDmapDB
 from samba.ms_display_specifiers import read_ms_ldif
 from samba.ntacls import setntacl, getntacl, dsacl2fsacl
+from samba.nt_time import nt_now
 from samba.ndr import ndr_pack, ndr_unpack
 from samba.provision.backend import (
 LDBBackend,
@@ -2401,7 +2406,12 @@ def provision(logger, session_info, smbconf=None,
 if updates_allowed_overridden:
 lp.set("dsdb:schema update allowed", "no")
- gkdi_root_key_dn = samdb.new_gkdi_root_key()
+ current_time = nt_now()
+ # We want the GKDI key to be instantly available for use
+ use_start_time = current_time \ - KEY_CYCLE_DURATION - MAX_CLOCK_SKEW
+ gkdi_root_key_dn = samdb.new_gkdi_root_key(current_time=current_time, use_start_time=use_start_time)
 logger.info("gkdi/gmsa root key added with guid " f"{gkdi_root_key_dn.get_rdn_value()}")
diff --git a/selftest/knownfail.d/gkdi b/selftest/knownfail.d/gkdi
index db82ad8c3aa..fbea302922f 100644
--- a/selftest/knownfail.d/gkdi
+++ b/selftest/knownfail.d/gkdi
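Review bot: The comment above the new `use_start_time` assignment says the key should be "instantly available" but not why subtracting exactly `KEY_CYCLE_DURATION` plus `MAX_CLOCK_SKEW` achieves that, nor why deliberately backdating a root key's use-start time is acceptable at this point, so the two-term expression reads as a magic offset that a later change could copy into a non-provision code path. I would replace it with `# Backdate use-start by KEY_CYCLE_DURATION + MAX_CLOCK_SKEW so the root key is usable at once.` / `# Presumably the normal lead time lets a new root key replicate before any DC derives from it;` / `# provision is creating a new domain's first DC, so no peer can be missing this key.` The "presumably" is deliberate: the hunk does not show the default policy `new_gkdi_root_key` applies when `use_start_time` is omitted, so the rationale should be checked against that method before the comment states it as fact. The enclosing `provision` body begins and ends outside this hunk, and the import hunk above exists only to feed it.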
@@ -17,4 +17,3 @@
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_default_seed_key\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_l0_seed_key\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_l1_seed_key\(ad_dc\)$
-^samba.tests.dsdb_quiet_provision_tests.samba.tests.dsdb_quiet_provision_tests.DsdbQuietProvisionTests.test_dsdb_dn_gkdi_gmsa_root_keys_exist
\ No newline at end of file