/[smeserver]/rpms/samba/sme10/samba-4.2.99-net_ads_join_fix_keytab_generation.patch

Contents of /rpms/samba/sme10/samba-4.2.99-net_ads_join_fix_keytab_generation.patch



Revision 1.2 - (show annotations) (download)
Thu Mar 2 16:04:48 2017 UTC (7 years, 3 months ago) by unnilennium
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
update to samba-4.4.4-12 upstream version

1 From 203193d5b167b5d24911d0438eda65f05eec2b31 Mon Sep 17 00:00:00 2001
2 From: Stefan Metzmacher <metze@samba.org>
3 Date: Fri, 22 Jan 2016 09:57:04 +0100
4 Subject: [PATCH 01/11] s3:libads: setup the msDS-SupportedEncryptionTypes
5 attribute on ldap_add
6 MIME-Version: 1.0
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
9
10 We may not have the permission to modify the object after creation.
11
12 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
13
14 Signed-off-by: Stefan Metzmacher <metze@samba.org>
15 Reviewed-by: Björn Jacke <bj@sernet.de>
16 Reviewed-by: Günther Deschner <gd@samba.org>
17
18 Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
19 Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144
20 ---
21 source3/libads/ldap.c | 26 ++++++++++++++++++
22 source3/libnet/libnet_join.c | 65 --------------------------------------------
23 2 files changed, 26 insertions(+), 65 deletions(-)
24
25 diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
26 index 121ba08..125c9d7 100644
27 --- a/source3/libads/ldap.c
28 +++ b/source3/libads/ldap.c
29 @@ -29,6 +29,7 @@
30 #include "../libds/common/flags.h"
31 #include "smbldap.h"
32 #include "../libcli/security/security.h"
33 +#include "../librpc/gen_ndr/netlogon.h"
34 #include "lib/param/loadparm.h"
35
36 #ifdef HAVE_LDAP
37 @@ -2006,6 +2007,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
38 uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
39 UF_DONT_EXPIRE_PASSWD |\
40 UF_ACCOUNTDISABLE );
41 + uint32_t func_level = 0;
42 +
43 + ret = ads_domain_func_level(ads, &func_level);
44 + if (!ADS_ERR_OK(ret)) {
45 + return ret;
46 + }
47
48 if (!(ctx = talloc_init("ads_add_machine_acct")))
49 return ADS_ERROR(LDAP_NO_MEMORY);
50 @@ -2041,6 +2048,25 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
51 ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
52 ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
53
54 + if (func_level >= DS_DOMAIN_FUNCTION_2008) {
55 + uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
56 + const char *etype_list_str;
57 +
58 +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
59 + etype_list |= ENC_HMAC_SHA1_96_AES128;
60 +#endif
61 +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
62 + etype_list |= ENC_HMAC_SHA1_96_AES256;
63 +#endif
64 +
65 + etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
66 + if (etype_list_str == NULL) {
67 + goto done;
68 + }
69 + ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
70 + etype_list_str);
71 + }
72 +
73 ret = ads_gen_add(ads, new_dn, mods);
74
75 done:
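Review bot: The `goto done` taken when talloc_asprintf returns NULL leaves `ret` holding the successful status stored by ads_domain_func_level earlier in the hunk, so unless the `done:` block (outside this hunk) overwrites it, an out-of-memory condition makes ads_create_machine_acct return success without ever reaching ads_gen_add. Set the status before jumping: `ret = ADS_ERROR(LDAP_NO_MEMORY);` followed by `goto done;`. The rest of ads_create_machine_acct, including the `done:` cleanup, lies outside the hunk.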
76 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
77 index d7c7679..5564bd2 100644
78 --- a/source3/libnet/libnet_join.c
79 +++ b/source3/libnet/libnet_join.c
80 @@ -605,52 +605,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
81 /****************************************************************
82 ****************************************************************/
83
84 -static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
85 - struct libnet_JoinCtx *r)
86 -{
87 - ADS_STATUS status;
88 - ADS_MODLIST mods;
89 - uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
90 - const char *etype_list_str;
91 -
92 -#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
93 - etype_list |= ENC_HMAC_SHA1_96_AES128;
94 -#endif
95 -#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
96 - etype_list |= ENC_HMAC_SHA1_96_AES256;
97 -#endif
98 -
99 - etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
100 - if (!etype_list_str) {
101 - return ADS_ERROR(LDAP_NO_MEMORY);
102 - }
103 -
104 - /* Find our DN */
105 -
106 - status = libnet_join_find_machine_acct(mem_ctx, r);
107 - if (!ADS_ERR_OK(status)) {
108 - return status;
109 - }
110 -
111 - /* now do the mods */
112 -
113 - mods = ads_init_mods(mem_ctx);
114 - if (!mods) {
115 - return ADS_ERROR(LDAP_NO_MEMORY);
116 - }
117 -
118 - status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
119 - etype_list_str);
120 - if (!ADS_ERR_OK(status)) {
121 - return status;
122 - }
123 -
124 - return ads_gen_mod(r->in.ads, r->out.dn, mods);
125 -}
126 -
127 -/****************************************************************
128 -****************************************************************/
129 -
130 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
131 struct libnet_JoinCtx *r)
132 {
133 @@ -725,7 +679,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
134 struct libnet_JoinCtx *r)
135 {
136 ADS_STATUS status;
137 - uint32_t func_level = 0;
138
139 if (!r->in.ads) {
140 status = libnet_join_connect_ads(mem_ctx, r);
141 @@ -760,24 +713,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
142 return status;
143 }
144
145 - status = ads_domain_func_level(r->in.ads, &func_level);
146 - if (!ADS_ERR_OK(status)) {
147 - libnet_join_set_error_string(mem_ctx, r,
148 - "failed to query domain controller functional level: %s",
149 - ads_errstr(status));
150 - return status;
151 - }
152 -
153 - if (func_level >= DS_DOMAIN_FUNCTION_2008) {
154 - status = libnet_join_set_etypes(mem_ctx, r);
155 - if (!ADS_ERR_OK(status)) {
156 - libnet_join_set_error_string(mem_ctx, r,
157 - "failed to set machine kerberos encryption types: %s",
158 - ads_errstr(status));
159 - return status;
160 - }
161 - }
162 -
163 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
164 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
165 }
166 --
167 2.9.0
168
169
170 From 3b269e29a5b91723749d16685782c5c590fda424 Mon Sep 17 00:00:00 2001
171 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
172 Date: Fri, 11 Mar 2016 23:14:13 +0100
173 Subject: [PATCH 02/11] Partly revert "s3:libads: setup the
174 msDS-SupportedEncryptionTypes attribute on ldap_add"
175 MIME-Version: 1.0
176 Content-Type: text/plain; charset=UTF-8
177 Content-Transfer-Encoding: 8bit
178
179 This partly reverts commit 0c74d62524db376b6a3fac00c688be0cdffcaa80.
180
181 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
182
183 Signed-off-by: Günther Deschner <gd@samba.org>
184 Reviewed-by: Stefan Metzmacher <metze@samba.org>
185 (cherry picked from commit 6686f67d2a91146c8bb2fb2a8104fcaa5710b855)
186 ---
187 source3/libnet/libnet_join.c | 46 ++++++++++++++++++++++++++++++++++++++++++++
188 1 file changed, 46 insertions(+)
189
190 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
191 index 5564bd2..343e5f1 100644
192 --- a/source3/libnet/libnet_join.c
193 +++ b/source3/libnet/libnet_join.c
194 @@ -604,6 +604,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
195
196 /****************************************************************
197 ****************************************************************/
198 +#if 0
199 +static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
200 + struct libnet_JoinCtx *r)
201 +{
202 + ADS_STATUS status;
203 + ADS_MODLIST mods;
204 + uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
205 + const char *etype_list_str;
206 +
207 +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
208 + etype_list |= ENC_HMAC_SHA1_96_AES128;
209 +#endif
210 +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
211 + etype_list |= ENC_HMAC_SHA1_96_AES256;
212 +#endif
213 +
214 + etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
215 + if (!etype_list_str) {
216 + return ADS_ERROR(LDAP_NO_MEMORY);
217 + }
218 +
219 + /* Find our DN */
220 +
221 + status = libnet_join_find_machine_acct(mem_ctx, r);
222 + if (!ADS_ERR_OK(status)) {
223 + return status;
224 + }
225 +
226 + /* now do the mods */
227 +
228 + mods = ads_init_mods(mem_ctx);
229 + if (!mods) {
230 + return ADS_ERROR(LDAP_NO_MEMORY);
231 + }
232 +
233 + status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
234 + etype_list_str);
235 + if (!ADS_ERR_OK(status)) {
236 + return status;
237 + }
238 +
239 + return ads_gen_mod(r->in.ads, r->out.dn, mods);
240 +}
241 +#endif
242 +/****************************************************************
243 +****************************************************************/
244
245 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
246 struct libnet_JoinCtx *r)
247 --
248 2.9.0
249
250
251 From 452f99fdd08f9c5e5dcc660dc8900115f0abb093 Mon Sep 17 00:00:00 2001
252 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
253 Date: Wed, 2 Mar 2016 18:07:53 +0100
254 Subject: [PATCH 03/11] s3:libnet:libnet_join: prepare to allow connecting with
255 machine creds.
256
257 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
258
259 Guenther
260
261 Signed-off-by: Guenther Deschner <gd@samba.org>
262 Reviewed-by: Stefan Metzmacher <metze@samba.org>
263 (cherry picked from commit 71d5634ab58f0ca21db633990231bd01a22c956c)
264 ---
265 source3/libnet/libnet_join.c | 73 +++++++++++++++++++++++++++++++++++++++++---
266 1 file changed, 68 insertions(+), 5 deletions(-)
267
268 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
269 index 343e5f1..cc93a85 100644
270 --- a/source3/libnet/libnet_join.c
271 +++ b/source3/libnet/libnet_join.c
272 @@ -42,6 +42,7 @@
273 #include "lib/param/loadparm.h"
274 #include "libcli/auth/netlogon_creds_cli.h"
275 #include "auth/credentials/credentials.h"
276 +#include "krb5_env.h"
277
278 /****************************************************************
279 ****************************************************************/
280 @@ -118,6 +119,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
281 const char *dc_name,
282 const char *user_name,
283 const char *password,
284 + const char *ccname,
285 ADS_STRUCT **ads)
286 {
287 ADS_STATUS status;
288 @@ -150,6 +152,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
289 my_ads->auth.password = SMB_STRDUP(password);
290 }
291
292 + if (ccname != NULL) {
293 + SAFE_FREE(my_ads->auth.ccache_name);
294 + my_ads->auth.ccache_name = SMB_STRDUP(ccname);
295 + setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1);
296 + }
297 +
298 status = ads_connect_user_creds(my_ads);
299 if (!ADS_ERR_OK(status)) {
300 ads_destroy(&my_ads);
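Review bot: The result of `SMB_STRDUP(ccname)` is passed to setenv() without a NULL check, so an allocation failure hands setenv a NULL value and later leaves `auth.ccache_name` unset while the connection proceeds. Add `if (my_ads->auth.ccache_name == NULL) { ads_destroy(&my_ads); return ADS_ERROR(LDAP_NO_MEMORY); }` before the setenv call, mirroring the ads_destroy error path already used below. Note also that setenv() changes process-wide state and nothing in this hunk restores the previous KRB5CCNAME once the connection is torn down; a comment stating that this is intended for the lifetime of the join process would help the next reader, e.g. `/* process-wide: later Kerberos calls in this process will see this ccache */`.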
301 @@ -164,15 +172,51 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
302 ****************************************************************/
303
304 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
305 - struct libnet_JoinCtx *r)
306 + struct libnet_JoinCtx *r,
307 + bool use_machine_creds)
308 {
309 ADS_STATUS status;
310 + const char *username;
311 + const char *password;
312 + const char *ccname = NULL;
313 +
314 + if (use_machine_creds) {
315 + if (r->in.machine_name == NULL ||
316 + r->in.machine_password == NULL) {
317 + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
318 + }
319 + username = talloc_strdup(mem_ctx, r->in.machine_name);
320 + if (username == NULL) {
321 + return ADS_ERROR(LDAP_NO_MEMORY);
322 + }
323 + if (username[strlen(username)] != '$') {
324 + username = talloc_asprintf(username, "%s$", username);
325 + if (username == NULL) {
326 + return ADS_ERROR(LDAP_NO_MEMORY);
327 + }
328 + }
329 + password = r->in.machine_password;
330 + ccname = "MEMORY:libnet_join_machine_creds";
331 + } else {
332 + username = r->in.admin_account;
333 + password = r->in.admin_password;
334 +
335 + /*
336 + * when r->in.use_kerberos is set to allow "net ads join -k" we
337 + * may not override the provided credential cache - gd
338 + */
339 +
340 + if (!r->in.use_kerberos) {
341 + ccname = "MEMORY:libnet_join_user_creds";
342 + }
343 + }
344
345 status = libnet_connect_ads(r->out.dns_domain_name,
346 r->out.netbios_domain_name,
347 r->in.dc_name,
348 - r->in.admin_account,
349 - r->in.admin_password,
350 + username,
351 + password,
352 + ccname,
353 &r->in.ads);
354 if (!ADS_ERR_OK(status)) {
355 libnet_join_set_error_string(mem_ctx, r,
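Review bot: `username[strlen(username)] != '$'` reads the terminating NUL, so the condition is always true and a `$` is appended even when `machine_name` already ends with one, producing an account name such as `HOST$$` on the machine-credential path. Use the last character instead and guard the empty string: `size_t len = strlen(username);` then `if (len == 0 || username[len - 1] != '$') {`. The talloc_asprintf that follows parents the new string under the old copy, which is harmless but worth a short comment since `username` is reassigned in place. libnet_join_connect_ads continues past the end of this hunk.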
356 @@ -201,6 +245,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
357 /****************************************************************
358 ****************************************************************/
359
360 +static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
361 + struct libnet_JoinCtx *r)
362 +{
363 + return libnet_join_connect_ads(mem_ctx, r, false);
364 +}
365 +
366 +/****************************************************************
367 +****************************************************************/
368 +#if 0
369 +static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
370 + struct libnet_JoinCtx *r)
371 +{
372 + return libnet_join_connect_ads(mem_ctx, r, true);
373 +}
374 +#endif
375 +/****************************************************************
376 +****************************************************************/
377 +
378 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
379 struct libnet_UnjoinCtx *r)
380 {
381 @@ -211,6 +273,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
382 r->in.dc_name,
383 r->in.admin_account,
384 r->in.admin_password,
385 + NULL,
386 &r->in.ads);
387 if (!ADS_ERR_OK(status)) {
388 libnet_unjoin_set_error_string(mem_ctx, r,
389 @@ -727,7 +790,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
390 ADS_STATUS status;
391
392 if (!r->in.ads) {
393 - status = libnet_join_connect_ads(mem_ctx, r);
394 + status = libnet_join_connect_ads_user(mem_ctx, r);
395 if (!ADS_ERR_OK(status)) {
396 return status;
397 }
398 @@ -2258,7 +2321,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
399 if (r->out.domain_is_ad && r->in.account_ou &&
400 !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
401
402 - ads_status = libnet_join_connect_ads(mem_ctx, r);
403 + ads_status = libnet_join_connect_ads_user(mem_ctx, r);
404 if (!ADS_ERR_OK(ads_status)) {
405 return WERR_DEFAULT_JOIN_REQUIRED;
406 }
407 --
408 2.9.0
409
410
411 From 3f6d9131abd68620bb35ef3bafbde586a1b751c2 Mon Sep 17 00:00:00 2001
412 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
413 Date: Fri, 4 Mar 2016 17:42:05 +0100
414 Subject: [PATCH 04/11] s3:libads:ldap: print LDAP error message with log level
415 10.
416
417 Guenther
418
419 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
420
421 Signed-off-by: Guenther Deschner <gd@samba.org>
422 Reviewed-by: Stefan Metzmacher <metze@samba.org>
423 (cherry picked from commit 34030b025b9e4cd5e7321d6e242f6c03da2a60c0)
424 ---
425 source3/libads/ldap.c | 14 ++++++++++++++
426 1 file changed, 14 insertions(+)
427
428 diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
429 index 125c9d7..91753d2 100644
430 --- a/source3/libads/ldap.c
431 +++ b/source3/libads/ldap.c
432 @@ -1416,6 +1416,17 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
433 }
434 #endif
435
436 +static void ads_print_error(int ret, LDAP *ld)
437 +{
438 + if (ret != 0) {
439 + char *ld_error = NULL;
440 + ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
441 + DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
442 + ldap_err2string(ret), ld_error));
443 + SAFE_FREE(ld_error);
444 + }
445 +}
446 +
447 /**
448 * Perform an ldap modify
449 * @param ads connection to ads server
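Review bot: ads_print_error ignores the return value of ldap_get_option(), so when the option cannot be retrieved `ld_error` stays NULL and is formatted with `%s`, which is undefined behaviour in the DEBUG call. Guard the argument, e.g. `ldap_err2string(ret), ld_error ? ld_error : "(no error string)"));`. The OpenLDAP documentation also specifies ldap_memfree() for strings returned by ldap_get_option(); `SAFE_FREE` is only correct where both share the same allocator, so a comment recording that assumption would be useful.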
450 @@ -1451,6 +1462,7 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
451 mods[i] = NULL;
452 ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
453 (LDAPMod **) mods, controls, NULL);
454 + ads_print_error(ret, ads->ldap.ld);
455 TALLOC_FREE(utf8_dn);
456 return ADS_ERROR(ret);
457 }
458 @@ -1479,6 +1491,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
459 mods[i] = NULL;
460
461 ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
462 + ads_print_error(ret, ads->ldap.ld);
463 TALLOC_FREE(utf8_dn);
464 return ADS_ERROR(ret);
465 }
466 @@ -1500,6 +1513,7 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
467 }
468
469 ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
470 + ads_print_error(ret, ads->ldap.ld);
471 TALLOC_FREE(utf8_dn);
472 return ADS_ERROR(ret);
473 }
474 --
475 2.9.0
476
477
478 From 6a2647247ab0abddc38c2abade36116e3a2e5788 Mon Sep 17 00:00:00 2001
479 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
480 Date: Fri, 11 Mar 2016 12:13:24 +0100
481 Subject: [PATCH 05/11] s3:libads:ndr: add ADS_AUTH_USER_CREDS to
482 ndr_print_ads_auth_flags()
483
484 Guenther
485
486 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
487
488 Signed-off-by: Guenther Deschner <gd@samba.org>
489 Reviewed-by: Stefan Metzmacher <metze@samba.org>
490 (cherry picked from commit e8f6acdeece990dc8953d494113dee856d80da45)
491 ---
492 source3/libads/ndr.c | 1 +
493 1 file changed, 1 insertion(+)
494
495 diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c
496 index fd0b63e..ac0b9e6 100644
497 --- a/source3/libads/ndr.c
498 +++ b/source3/libads/ndr.c
499 @@ -37,6 +37,7 @@ static void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, ui
500 ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SIGN", ADS_AUTH_SASL_SIGN, r);
501 ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SEAL", ADS_AUTH_SASL_SEAL, r);
502 ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_FORCE", ADS_AUTH_SASL_FORCE, r);
503 + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_USER_CREDS", ADS_AUTH_USER_CREDS, r);
504 ndr->depth--;
505 }
506
507 --
508 2.9.0
509
510
511 From 51657c35d3455226f697bef24a7d967944a2c67d Mon Sep 17 00:00:00 2001
512 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
513 Date: Fri, 11 Mar 2016 12:15:14 +0100
514 Subject: [PATCH 06/11] s3:libads:ldap: fix ads_check_ou_dn to deal with
515 account_ou not being initialized
516
517 Guenther
518
519 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
520
521 Signed-off-by: Guenther Deschner <gd@samba.org>
522 Reviewed-by: Stefan Metzmacher <metze@samba.org>
523 (cherry picked from commit c61b111e6fa3e138d4d9cf5038b69644248e834a)
524 ---
525 source3/libads/ldap.c | 14 ++++++++++----
526 1 file changed, 10 insertions(+), 4 deletions(-)
527
528 diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
529 index 91753d2..8eac5c8 100644
530 --- a/source3/libads/ldap.c
531 +++ b/source3/libads/ldap.c
532 @@ -3870,10 +3870,16 @@ ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
533 const char *name;
534 char *ou_string;
535
536 - exploded_dn = ldap_explode_dn(*account_ou, 0);
537 - if (exploded_dn) {
538 - ldap_value_free(exploded_dn);
539 - return ADS_SUCCESS;
540 + if (account_ou == NULL) {
541 + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
542 + }
543 +
544 + if (*account_ou != NULL) {
545 + exploded_dn = ldap_explode_dn(*account_ou, 0);
546 + if (exploded_dn) {
547 + ldap_value_free(exploded_dn);
548 + return ADS_SUCCESS;
549 + }
550 }
551
552 ou_string = ads_ou_string(ads, *account_ou);
553 --
554 2.9.0
555
556
557 From 7a1303f27904fafb8245b9ad9a26e7f846d9968d Mon Sep 17 00:00:00 2001
558 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
559 Date: Thu, 10 Mar 2016 18:03:47 +0100
560 Subject: [PATCH 07/11] s3:libnet:libnet_join: always try to create
561 machineaccount via LDAP first.
562
563 Guenther
564
565 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
566
567 Signed-off-by: Guenther Deschner <gd@samba.org>
568 Reviewed-by: Stefan Metzmacher <metze@samba.org>
569 (cherry picked from commit df8f79cc9d44ad7b2caa6b86b7ebde7bb1fd4c8c)
570 ---
571 source3/libnet/libnet_join.c | 28 +++++++++++++++++++++++++---
572 1 file changed, 25 insertions(+), 3 deletions(-)
573
574 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
575 index cc93a85..b10080d 100644
576 --- a/source3/libnet/libnet_join.c
577 +++ b/source3/libnet/libnet_join.c
578 @@ -2318,16 +2318,36 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
579 r->out.dns_domain_name, r->out.netbios_domain_name,
580 NULL, smbXcli_conn_remote_sockaddr(cli->conn));
581
582 - if (r->out.domain_is_ad && r->in.account_ou &&
583 + if (r->out.domain_is_ad &&
584 !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
585
586 + const char *initial_account_ou = r->in.account_ou;
587 +
588 + /*
589 + * we want to create the msDS-SupportedEncryptionTypes attribute
590 + * as early as possible so always try an LDAP create as the user
591 + * first. We copy r->in.account_ou because it may be changed
592 + * during the machine pre-creation.
593 + */
594 +
595 ads_status = libnet_join_connect_ads_user(mem_ctx, r);
596 if (!ADS_ERR_OK(ads_status)) {
597 return WERR_DEFAULT_JOIN_REQUIRED;
598 }
599
600 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
601 - if (!ADS_ERR_OK(ads_status)) {
602 + if (ADS_ERR_OK(ads_status)) {
603 +
604 + /*
605 + * LDAP object create succeeded, now go to the rpc
606 + * password set routines
607 + */
608 +
609 + r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
610 + goto rpc_join;
611 + }
612 +
613 + if (initial_account_ou != NULL) {
614 libnet_join_set_error_string(mem_ctx, r,
615 "failed to precreate account in ou %s: %s",
616 r->in.account_ou,
617 @@ -2335,10 +2355,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
618 return WERR_DEFAULT_JOIN_REQUIRED;
619 }
620
621 - r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
622 + DEBUG(5, ("failed to precreate account in ou %s: %s",
623 + r->in.account_ou, ads_errstr(ads_status)));
624 }
625 #endif /* HAVE_ADS */
626
627 + rpc_join:
628 if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
629 (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
630 status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
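Review bot: The new `DEBUG(5, ...)` message lacks a trailing newline, unlike the other DEBUG strings in this file (for example the "machine account creation created\n" message in libnet_join_precreate_machine_acct), and it prints `r->in.account_ou` with `%s` on the branch where `initial_account_ou` was NULL, so the value is only safe if pre-creation filled it in. Suggest `DEBUG(5, ("failed to precreate account in ou %s: %s\n",` with `r->in.account_ou ? r->in.account_ou : "(none)", ads_errstr(ads_status)));`. Since this is the point where the join silently falls back from the LDAP create to the RPC path, a one-line comment above the DEBUG saying so would make the control flow clearer; libnet_DomainJoin continues beyond the hunk.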
631 --
632 2.9.0
633
634
635 From d4cf8358ce96964443cae441f0808d744a1fd95d Mon Sep 17 00:00:00 2001
636 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
637 Date: Fri, 11 Mar 2016 16:02:27 +0100
638 Subject: [PATCH 08/11] s3:librpc:idl:libnet_join: add encryption types to
639 libnet_JoinCtx.
640
641 Guenther
642
643 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
644
645 Signed-off-by: Guenther Deschner <gd@samba.org>
646 Reviewed-by: Stefan Metzmacher <metze@samba.org>
647 (cherry picked from commit 4a49f6fac9d6c77d1eedf914308e67eb6e2baa8d)
648 ---
649 source3/librpc/idl/libnet_join.idl | 4 +++-
650 1 file changed, 3 insertions(+), 1 deletion(-)
651
652 diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
653 index ac0a350..0718739 100644
654 --- a/source3/librpc/idl/libnet_join.idl
655 +++ b/source3/librpc/idl/libnet_join.idl
656 @@ -35,6 +35,7 @@ interface libnetjoin
657 [in] boolean8 use_kerberos,
658 [in] netr_SchannelType secure_channel_type,
659 [in,noprint] messaging_context *msg_ctx,
660 + [in] uint32 desired_encryption_types,
661 [out] string account_name,
662 [out] string netbios_domain_name,
663 [out] string dns_domain_name,
664 @@ -43,7 +44,8 @@ interface libnetjoin
665 [out] dom_sid *domain_sid,
666 [out] boolean8 modified_config,
667 [out] string error_string,
668 - [out] boolean8 domain_is_ad
669 + [out] boolean8 domain_is_ad,
670 + [out] uint32 set_encryption_types
671 );
672
673 [nopush,nopull,noopnum] WERROR libnet_UnjoinCtx(
674 --
675 2.9.0
676
677
678 From b6dae5b223f379dbdbd3b4ccca9492753f7f5286 Mon Sep 17 00:00:00 2001
679 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
680 Date: Fri, 11 Mar 2016 16:04:52 +0100
681 Subject: [PATCH 09/11] s3:libnet:libnet_join: define list of desired
682 encryption types only once.
683
684 Guenther
685
686 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
687
688 Signed-off-by: Guenther Deschner <gd@samba.org>
689 Reviewed-by: Stefan Metzmacher <metze@samba.org>
690 (cherry picked from commit e0da059b39f9dd5ccb74f32f965e1ced384c77eb)
691 ---
692 source3/libads/ads_proto.h | 6 ++++--
693 source3/libads/ldap.c | 14 ++++----------
694 source3/libnet/libnet_join.c | 24 ++++++++++++++----------
695 3 files changed, 22 insertions(+), 22 deletions(-)
696
697 diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
698 index 1399f41..425c352 100644
699 --- a/source3/libads/ads_proto.h
700 +++ b/source3/libads/ads_proto.h
701 @@ -97,8 +97,10 @@ ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
702 ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
703 ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
704 const char *my_fqdn, const char *spn);
705 -ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
706 - const char *org_unit);
707 +ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
708 + const char *machine_name,
709 + const char *org_unit,
710 + uint32_t etype_list);
711 ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
712 const char *org_unit, bool *moved);
713 int ads_count_replies(ADS_STRUCT *ads, void *res);
714 diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
715 index 8eac5c8..72bf4d9 100644
716 --- a/source3/libads/ldap.c
717 +++ b/source3/libads/ldap.c
718 @@ -2006,8 +2006,10 @@ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_n
719 * @return 0 upon success, or non-zero otherwise
720 **/
721
722 -ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
723 - const char *org_unit)
724 +ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
725 + const char *machine_name,
726 + const char *org_unit,
727 + uint32_t etype_list)
728 {
729 ADS_STATUS ret;
730 char *samAccountName, *controlstr;
731 @@ -2063,16 +2065,8 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
732 ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
733
734 if (func_level >= DS_DOMAIN_FUNCTION_2008) {
735 - uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
736 const char *etype_list_str;
737
738 -#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
739 - etype_list |= ENC_HMAC_SHA1_96_AES128;
740 -#endif
741 -#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
742 - etype_list |= ENC_HMAC_SHA1_96_AES256;
743 -#endif
744 -
745 etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
746 if (etype_list_str == NULL) {
747 goto done;
748 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
749 index b10080d..876a453 100644
750 --- a/source3/libnet/libnet_join.c
751 +++ b/source3/libnet/libnet_join.c
752 @@ -318,7 +318,8 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
753
754 status = ads_create_machine_acct(r->in.ads,
755 r->in.machine_name,
756 - r->in.account_ou);
757 + r->in.account_ou,
758 + r->in.desired_encryption_types);
759
760 if (ADS_ERR_OK(status)) {
761 DEBUG(1,("machine account creation created\n"));
762 @@ -673,17 +674,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
763 {
764 ADS_STATUS status;
765 ADS_MODLIST mods;
766 - uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
767 const char *etype_list_str;
768
769 -#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
770 - etype_list |= ENC_HMAC_SHA1_96_AES128;
771 -#endif
772 -#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
773 - etype_list |= ENC_HMAC_SHA1_96_AES256;
774 -#endif
775 -
776 - etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
777 + etype_list_str = talloc_asprintf(mem_ctx, "%d",
778 + r->in.desired_encryption_types);
779 if (!etype_list_str) {
780 return ADS_ERROR(LDAP_NO_MEMORY);
781 }
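Review bot: `r->in.desired_encryption_types` is declared `uint32` in the IDL but is formatted with `"%d"`, a signed/unsigned mismatch that the ldap.c counterpart in this same series avoids with an explicit `(int)` cast. Use an unsigned conversion here, `etype_list_str = talloc_asprintf(mem_ctx, "%u", (unsigned int)r->in.desired_encryption_types);`, or apply the same cast as ldap.c so both sites format the attribute identically. libnet_join_set_etypes begins and ends outside this hunk.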
782 @@ -2143,6 +2137,16 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
783
784 ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
785
786 + ctx->in.desired_encryption_types = ENC_CRC32 |
787 + ENC_RSA_MD5 |
788 + ENC_RC4_HMAC_MD5;
789 +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
790 + ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
791 +#endif
792 +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
793 + ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
794 +#endif
795 +
796 *r = ctx;
797
798 return WERR_OK;
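Review bot: The default `desired_encryption_types` unconditionally includes the DES-based ENC_CRC32 and ENC_RSA_MD5 types and ENC_RC4_HMAC_MD5, while the AES types are only added under the HAVE_ENCTYPE_* build checks, and the hunk carries no comment explaining the composition of the set that ends up in msDS-SupportedEncryptionTypes. Add a short comment above the assignment, e.g. `/* Default msDS-SupportedEncryptionTypes: the legacy DES/RC4 types are always advertised, AES only when the Kerberos library supports it; callers may override this field before starting the join. */`. libnet_init_JoinCtx starts outside the hunk.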
799 --
800 2.9.0
801
802
803 From 51a68159e119149b9527cac8a8a119f34bb6879a Mon Sep 17 00:00:00 2001
804 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
805 Date: Fri, 11 Mar 2016 16:05:53 +0100
806 Subject: [PATCH 10/11] s3:libnet:libnet_join: fill in output enctypes and only
807 modify when necessary.
808
809 Guenther
810
811 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
812
813 Signed-off-by: Guenther Deschner <gd@samba.org>
814 Reviewed-by: Stefan Metzmacher <metze@samba.org>
815 (cherry picked from commit 5d498d1b4d9b83f179fb7b2841a19ad984eec5f8)
816 ---
817 source3/libads/ldap.c | 2 +-
818 source3/libnet/libnet_join.c | 18 +++++++++++++++++-
819 2 files changed, 18 insertions(+), 2 deletions(-)
820
821 diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
822 index 72bf4d9..f611da2 100644
823 --- a/source3/libads/ldap.c
824 +++ b/source3/libads/ldap.c
825 @@ -1268,7 +1268,7 @@ char *ads_parent_dn(const char *dn)
826 {
827 ADS_STATUS status;
828 char *expr;
829 - const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
830 + const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL};
831
832 *res = NULL;
833
834 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
835 index 876a453..9f3d830 100644
836 --- a/source3/libnet/libnet_join.c
837 +++ b/source3/libnet/libnet_join.c
838 @@ -417,6 +417,11 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
839 goto done;
840 }
841
842 + if (!ads_pull_uint32(r->in.ads, res, "msDS-SupportedEncryptionTypes",
843 + &r->out.set_encryption_types)) {
844 + r->out.set_encryption_types = 0;
845 + }
846 +
847 done:
848 ads_msgfree(r->in.ads, res);
849 TALLOC_FREE(dn);
850 @@ -689,6 +694,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
851 return status;
852 }
853
854 + if (r->in.desired_encryption_types == r->out.set_encryption_types) {
855 + return ADS_SUCCESS;
856 + }
857 +
858 /* now do the mods */
859
860 mods = ads_init_mods(mem_ctx);
861 @@ -702,7 +711,14 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
862 return status;
863 }
864
865 - return ads_gen_mod(r->in.ads, r->out.dn, mods);
866 + status = ads_gen_mod(r->in.ads, r->out.dn, mods);
867 + if (!ADS_ERR_OK(status)) {
868 + return status;
869 + }
870 +
871 + r->out.set_encryption_types = r->in.desired_encryption_types;
872 +
873 + return ADS_SUCCESS;
874 }
875 #endif
876 /****************************************************************
877 --
878 2.9.0
879
880
881 From a489ac90045212decebbadf46a51fff42c224d3c Mon Sep 17 00:00:00 2001
882 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
883 Date: Fri, 11 Mar 2016 23:15:06 +0100
884 Subject: [PATCH 11/11] s3:libnet:libnet_join: update
885 msDS-SupportedEncryptionTypes (if required) with machine creds.
886
887 Guenther
888
889 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
890
891 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
892
893 Signed-off-by: Guenther Deschner <gd@samba.org>
894 Signed-off-by: Stefan Metzmacher <metze@samba.org>
895
896 Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
897 Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144
898
899 (cherry picked from commit 06aefe4b956ae8748e20ae4c730aa344e81808b6)
900 ---
901 source3/libnet/libnet_join.c | 59 +++++++++++++++++++++++++++++++++++++++++---
902 1 file changed, 55 insertions(+), 4 deletions(-)
903
904 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
905 index 9f3d830..84f0e40 100644
906 --- a/source3/libnet/libnet_join.c
907 +++ b/source3/libnet/libnet_join.c
908 @@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
909
910 /****************************************************************
911 ****************************************************************/
912 -#if 0
913 +
914 static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
915 struct libnet_JoinCtx *r)
916 {
917 return libnet_join_connect_ads(mem_ctx, r, true);
918 }
919 -#endif
920 +
921 /****************************************************************
922 ****************************************************************/
923
924 @@ -673,7 +673,7 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
925
926 /****************************************************************
927 ****************************************************************/
928 -#if 0
929 +
930 static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
931 struct libnet_JoinCtx *r)
932 {
933 @@ -720,7 +720,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
934
935 return ADS_SUCCESS;
936 }
937 -#endif
938 +
939 /****************************************************************
940 ****************************************************************/
941
942 @@ -798,6 +798,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
943 struct libnet_JoinCtx *r)
944 {
945 ADS_STATUS status;
946 + bool need_etype_update = false;
947
948 if (!r->in.ads) {
949 status = libnet_join_connect_ads_user(mem_ctx, r);
950 @@ -832,6 +833,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
951 return status;
952 }
953
954 + status = libnet_join_find_machine_acct(mem_ctx, r);
955 + if (!ADS_ERR_OK(status)) {
956 + return status;
957 + }
958 +
959 + if (r->in.desired_encryption_types != r->out.set_encryption_types) {
960 + uint32_t func_level = 0;
961 +
962 + status = ads_domain_func_level(r->in.ads, &func_level);
963 + if (!ADS_ERR_OK(status)) {
964 + libnet_join_set_error_string(mem_ctx, r,
965 + "failed to query domain controller functional level: %s",
966 + ads_errstr(status));
967 + return status;
968 + }
969 +
970 + if (func_level >= DS_DOMAIN_FUNCTION_2008) {
971 + need_etype_update = true;
972 + }
973 + }
974 +
975 + if (need_etype_update) {
976 + /*
977 + * We need to reconnect as machine account in order
978 + * to update msDS-SupportedEncryptionTypes reliable
979 + */
980 +
981 + if (r->in.ads->auth.ccache_name != NULL) {
982 + ads_kdestroy(r->in.ads->auth.ccache_name);
983 + }
984 +
985 + ads_destroy(&r->in.ads);
986 +
987 + status = libnet_join_connect_ads_machine(mem_ctx, r);
988 + if (!ADS_ERR_OK(status)) {
989 + libnet_join_set_error_string(mem_ctx, r,
990 + "Failed to connect as machine account: %s",
991 + ads_errstr(status));
992 + return status;
993 + }
994 +
995 + status = libnet_join_set_etypes(mem_ctx, r);
996 + if (!ADS_ERR_OK(status)) {
997 + libnet_join_set_error_string(mem_ctx, r,
998 + "failed to set machine kerberos encryption types: %s",
999 + ads_errstr(status));
1000 + return status;
1001 + }
1002 + }
1003 +
1004 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
1005 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
1006 }
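Review bot: The failure path of `libnet_join_find_machine_acct` returns without calling libnet_join_set_error_string, unlike every other new failure path in this hunk, so the caller gets no error text for that case; add `libnet_join_set_error_string(mem_ctx, r, "failed to find machine account: %s", ads_errstr(status));` before the `return status;`. When the enctypes differ but the functional level is below DS_DOMAIN_FUNCTION_2008 the mismatch is dropped silently, and a `DEBUG(5, ...)` there would help diagnose joins that end up without the attribute. The comment should read "reliably" rather than "reliable", and it would be worth stating that `set_encryption_types` is 0 when the attribute could not be read, which intentionally forces the update. libnet_join_post_processing_ads continues outside the hunk.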
1007 --
1008 2.9.0
1009
