From 365ed62ac488318cb0e1285942072f5a7bd87883 Mon Sep 17 00:00:00 2001
From: Gustavo Armenta
Date: Fri, 1 Dec 2023 23:18:53 +0000
Subject: [PATCH] CF_GMSA_OU environment variable

---
 README.md | 1 +
 auth/kerberos/src/krb.cpp | 11 +++++++----
 docs/cf_gmsa_ou.md | 5 +++++
 3 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 docs/cf_gmsa_ou.md

diff --git a/README.md b/README.md
index ee6e149b..bcecf366 100644
--- a/README.md
+++ b/README.md
@@ -109,6 +109,7 @@ journalctl -u credentials-fetcher
 | :-------------------------- | ---------------------------------------- | :------------------------------------------------------------------------------------------- |
 | `CF_CRED_SPEC_FILE` | '/var/credentials-fetcher/my-credspec.json' | Path to a credential spec file used as input. (Lease id default: credspec) |
 | | '/var/credentials-fetcher/my-credspec.json:myLeaseId' | An optional lease id specified after a colon
+| `CF_GMSA_OU` | 'CN=Managed Service Accounts' | Component of GMSA distinguished name (see docs/cf_gmsa_ou.md) |
 
 ## Compatibility
 
diff --git a/auth/kerberos/src/krb.cpp b/auth/kerberos/src/krb.cpp
index 2100db4a..a0017797 100644
--- a/auth/kerberos/src/krb.cpp
+++ b/auth/kerberos/src/krb.cpp
@@ -13,6 +13,7 @@
 // Active Directory uses NetBIOS computer names that do not exceed 15 characters.
 // https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
 #define HOST_NAME_LENGTH_LIMIT 15
+#define ENV_CF_GMSA_OU "CF_GMSA_OU"
 
 static const std::string install_path_for_decode_exe =
     "/usr/sbin/credentials_fetcher_utf16_private.exe";
@@ -611,7 +612,6 @@ std::pair get_gmsa_krb_ticket( std::string domain_name,
 {
     std::string domain_controller_gmsa( "DOMAIN_CONTROLLER_GMSA" );
     std::vector results;
-
     if ( domain_name.empty() || gmsa_account_name.empty() )
     {
         cf_logger.logger( LOG_ERR, "ERROR: %s:%d null args", __func__, __LINE__ );
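Review bot: The added `#define ENV_CF_GMSA_OU "CF_GMSA_OU"` introduces a preprocessor macro for a string constant in a file that already expresses such constants as typed statics (`static const std::string install_path_for_decode_exe` two lines below). A typed constant keeps the name scoped, typed and visible to the debugger while still passing straight to getenv(): `static constexpr const char* ENV_CF_GMSA_OU = "CF_GMSA_OU";`. Style only; the code that consumes the name is in the later hunk of this file.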
@@ -655,15 +655,18 @@ std::pair get_gmsa_krb_ticket( std::string domain_name,
             return std::make_pair( -1, std::string( "" ) );
         }
     }
-
     /**
      * ldapsearch -H ldap:// -b 'CN=webapp01,CN=Managed Service
      * Accounts,DC=contoso,DC=com' -s sub "(objectClass=msDs-GroupManagedServiceAccount)"
      * msDS-ManagedPassword
      */
+    std::string gmsa_ou = std::string( ",CN=Managed Service Accounts," );
+    if ( getenv(ENV_CF_GMSA_OU) != NULL)
+    {
+        gmsa_ou = std::string( "," ) + getenv(ENV_CF_GMSA_OU)+ std::string( "," );
+    }
     std::string cmd = std::string( "ldapsearch -H ldap://" ) + fqdn;
-    cmd += std::string( " -b 'CN=" ) + gmsa_account_name +
-           std::string( ",CN=Managed Service Accounts," ) + base_dn + std::string( "'" ) +
+    cmd += std::string( " -b 'CN=" ) + gmsa_account_name + gmsa_ou + base_dn + std::string( "'" ) +
            std::string( " -s sub \"(objectClass=msDs-GroupManagedServiceAccount)\" "
                         " msDS-ManagedPassword" );
 
diff --git a/docs/cf_gmsa_ou.md b/docs/cf_gmsa_ou.md
new file mode 100644
index 00000000..4cb187c3
--- /dev/null
+++ b/docs/cf_gmsa_ou.md
@@ -0,0 +1,5 @@
+Active Directory administrator can create the GMSA account with any distinguished name format.
+
+credentials-fetcher uses the GMSA distinguished name format "CN=${GMSA_ACCOUNT_NAME},${CF_GMSA_OU},DC=example,DC=com" where ",DC=example,DC=com" is generated depending on the domain. The environment variable CF_GMSA_OU default value is "CN=Managed Service Accounts". Users should change it to match their directory format.
+
+For example, GMSA account "BobSponge" in domain "example.com" results in GMSA distinguished name "CN=BobSponge,CN=Managed Service Accounts,DC=example,DC=com". When the user defines CF_GMSA_OU='OU=DA Managed Service Accounts,OU=DA' results in GMSA distinguished name "CN=BobSponge,OU=DA Managed Service Accounts,OU=DA,DC=example,DC=com"
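Review bot: The CF_GMSA_OU value is spliced verbatim between the single quotes of the `-b '...'` argument (the new `gmsa_ou` assignment and the rewritten `cmd +=` line), so a value containing a single quote, backslash or newline terminates the quoted argument and becomes part of whatever follows, assuming `cmd` is later handed to a shell as its string form suggests (the execution site, like the rest of get_gmsa_krb_ticket, lies outside this hunk). An empty value is also accepted and produces `CN=<account>,,<base_dn>`, which is not a valid DN. This is an operator-controlled environment variable rather than network input, so the exposure is limited, but the function already rejects bad arguments with `cf_logger.logger( LOG_ERR, ... )` and `return std::make_pair( -1, std::string( "" ) )`, and the same treatment belongs here before the value reaches the command line; reading the variable once into a `const char*` also removes the duplicated getenv() call, and `nullptr` fits the surrounding C++ better than `NULL`. Longer term, invoking ldapsearch with an argument vector instead of a shell string removes the quoting concern entirely.
```cpp
    std::string gmsa_ou = std::string( ",CN=Managed Service Accounts," );
    const char* gmsa_ou_env = getenv( ENV_CF_GMSA_OU );
    if ( gmsa_ou_env != nullptr && gmsa_ou_env[0] != '\0' )
    {
        std::string ou_override( gmsa_ou_env );
        // The value lands inside a single-quoted shell argument; refuse anything
        // that could end the quote or split the DN across lines.
        if ( ou_override.find_first_of( "'\\\n\r" ) != std::string::npos )
        {
            cf_logger.logger( LOG_ERR, "ERROR: %s:%d invalid %s value", __func__, __LINE__,
                              ENV_CF_GMSA_OU );
            return std::make_pair( -1, std::string( "" ) );
        }
        gmsa_ou = std::string( "," ) + ou_override + std::string( "," );
    }
    // … unchanged: cmd construction using gmsa_ou …
```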