
Annotation of /rpms/samba/sme10/samba-4.2.99-net_ads_join_fix_keytab_generation.patch



Revision 1.2 - (hide annotations) (download)
Thu Mar 2 16:04:48 2017 UTC (7 years, 3 months ago) by unnilennium
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
update to samba-4.4.4-12 upstream version

1 vip-ire 1.1 From 203193d5b167b5d24911d0438eda65f05eec2b31 Mon Sep 17 00:00:00 2001
2     From: Stefan Metzmacher <metze@samba.org>
3     Date: Fri, 22 Jan 2016 09:57:04 +0100
4     Subject: [PATCH 01/11] s3:libads: setup the msDS-SupportedEncryptionTypes
5     attribute on ldap_add
6     MIME-Version: 1.0
7     Content-Type: text/plain; charset=UTF-8
8     Content-Transfer-Encoding: 8bit
9    
10     We may not have the permission to modify the object after creation.
11    
12     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
13    
14     Signed-off-by: Stefan Metzmacher <metze@samba.org>
15     Reviewed-by: Björn Jacke <bj@sernet.de>
16     Reviewed-by: Günther Deschner <gd@samba.org>
17    
18     Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
19     Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144
20     ---
21     source3/libads/ldap.c | 26 ++++++++++++++++++
22     source3/libnet/libnet_join.c | 65 --------------------------------------------
23     2 files changed, 26 insertions(+), 65 deletions(-)
24    
25     diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
26     index 121ba08..125c9d7 100644
27     --- a/source3/libads/ldap.c
28     +++ b/source3/libads/ldap.c
29     @@ -29,6 +29,7 @@
30     #include "../libds/common/flags.h"
31     #include "smbldap.h"
32     #include "../libcli/security/security.h"
33     +#include "../librpc/gen_ndr/netlogon.h"
34     #include "lib/param/loadparm.h"
35    
36     #ifdef HAVE_LDAP
37     @@ -2006,6 +2007,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
38     uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
39     UF_DONT_EXPIRE_PASSWD |\
40     UF_ACCOUNTDISABLE );
41     + uint32_t func_level = 0;
42     +
43     + ret = ads_domain_func_level(ads, &func_level);
44     + if (!ADS_ERR_OK(ret)) {
45     + return ret;
46     + }
47    
48     if (!(ctx = talloc_init("ads_add_machine_acct")))
49     return ADS_ERROR(LDAP_NO_MEMORY);
50     @@ -2041,6 +2048,25 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
51     ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
52     ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
53    
54     + if (func_level >= DS_DOMAIN_FUNCTION_2008) {
55     + uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
56     + const char *etype_list_str;
57     +
58     +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
59     + etype_list |= ENC_HMAC_SHA1_96_AES128;
60     +#endif
61     +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
62     + etype_list |= ENC_HMAC_SHA1_96_AES256;
63     +#endif
64     +
65     + etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
66     + if (etype_list_str == NULL) {
67     + goto done;
68     + }
69     + ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
70     + etype_list_str);
71     + }
72     +
73     ret = ads_gen_add(ads, new_dn, mods);
74    
75     done:
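Review bot: The `goto done` added on talloc_asprintf failure returns whatever `ret` holds at that moment, and the last assignment visible in this patch is the successful result of `ads_domain_func_level()` from the earlier hunk, so unless `ret` is reset to an error between the two hunks (not visible here) an allocation failure would report success without the account having been created. Setting `ret = ADS_ERROR(LDAP_NO_MEMORY);` immediately before the `goto done;` makes the path self-evidently correct regardless of what precedes it. The return value of `ads_mod_str()` is also ignored, though that matches the surrounding calls. ads_create_machine_acct begins and ends outside this hunk.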
76     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
77     index d7c7679..5564bd2 100644
78     --- a/source3/libnet/libnet_join.c
79     +++ b/source3/libnet/libnet_join.c
80     @@ -605,52 +605,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
81     /****************************************************************
82     ****************************************************************/
83    
84     -static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
85     - struct libnet_JoinCtx *r)
86     -{
87     - ADS_STATUS status;
88     - ADS_MODLIST mods;
89     - uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
90     - const char *etype_list_str;
91     -
92     -#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
93     - etype_list |= ENC_HMAC_SHA1_96_AES128;
94     -#endif
95     -#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
96     - etype_list |= ENC_HMAC_SHA1_96_AES256;
97     -#endif
98     -
99     - etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
100     - if (!etype_list_str) {
101     - return ADS_ERROR(LDAP_NO_MEMORY);
102     - }
103     -
104     - /* Find our DN */
105     -
106     - status = libnet_join_find_machine_acct(mem_ctx, r);
107     - if (!ADS_ERR_OK(status)) {
108     - return status;
109     - }
110     -
111     - /* now do the mods */
112     -
113     - mods = ads_init_mods(mem_ctx);
114     - if (!mods) {
115     - return ADS_ERROR(LDAP_NO_MEMORY);
116     - }
117     -
118     - status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
119     - etype_list_str);
120     - if (!ADS_ERR_OK(status)) {
121     - return status;
122     - }
123     -
124     - return ads_gen_mod(r->in.ads, r->out.dn, mods);
125     -}
126     -
127     -/****************************************************************
128     -****************************************************************/
129     -
130     static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
131     struct libnet_JoinCtx *r)
132     {
133     @@ -725,7 +679,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
134     struct libnet_JoinCtx *r)
135     {
136     ADS_STATUS status;
137     - uint32_t func_level = 0;
138    
139     if (!r->in.ads) {
140     status = libnet_join_connect_ads(mem_ctx, r);
141     @@ -760,24 +713,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
142     return status;
143     }
144    
145     - status = ads_domain_func_level(r->in.ads, &func_level);
146     - if (!ADS_ERR_OK(status)) {
147     - libnet_join_set_error_string(mem_ctx, r,
148     - "failed to query domain controller functional level: %s",
149     - ads_errstr(status));
150     - return status;
151     - }
152     -
153     - if (func_level >= DS_DOMAIN_FUNCTION_2008) {
154     - status = libnet_join_set_etypes(mem_ctx, r);
155     - if (!ADS_ERR_OK(status)) {
156     - libnet_join_set_error_string(mem_ctx, r,
157     - "failed to set machine kerberos encryption types: %s",
158     - ads_errstr(status));
159     - return status;
160     - }
161     - }
162     -
163     if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
164     return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
165     }
166     --
167     2.9.0
168    
169    
170     From 3b269e29a5b91723749d16685782c5c590fda424 Mon Sep 17 00:00:00 2001
171     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
172     Date: Fri, 11 Mar 2016 23:14:13 +0100
173     Subject: [PATCH 02/11] Partly revert "s3:libads: setup the
174     msDS-SupportedEncryptionTypes attribute on ldap_add"
175     MIME-Version: 1.0
176     Content-Type: text/plain; charset=UTF-8
177     Content-Transfer-Encoding: 8bit
178    
179     This partly reverts commit 0c74d62524db376b6a3fac00c688be0cdffcaa80.
180    
181     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
182    
183     Signed-off-by: Günther Deschner <gd@samba.org>
184     Reviewed-by: Stefan Metzmacher <metze@samba.org>
185     (cherry picked from commit 6686f67d2a91146c8bb2fb2a8104fcaa5710b855)
186     ---
187     source3/libnet/libnet_join.c | 46 ++++++++++++++++++++++++++++++++++++++++++++
188     1 file changed, 46 insertions(+)
189    
190     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
191     index 5564bd2..343e5f1 100644
192     --- a/source3/libnet/libnet_join.c
193     +++ b/source3/libnet/libnet_join.c
194     @@ -604,6 +604,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
195    
196     /****************************************************************
197     ****************************************************************/
198     +#if 0
199     +static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
200     + struct libnet_JoinCtx *r)
201     +{
202     + ADS_STATUS status;
203     + ADS_MODLIST mods;
204     + uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
205     + const char *etype_list_str;
206     +
207     +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
208     + etype_list |= ENC_HMAC_SHA1_96_AES128;
209     +#endif
210     +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
211     + etype_list |= ENC_HMAC_SHA1_96_AES256;
212     +#endif
213     +
214     + etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
215     + if (!etype_list_str) {
216     + return ADS_ERROR(LDAP_NO_MEMORY);
217     + }
218     +
219     + /* Find our DN */
220     +
221     + status = libnet_join_find_machine_acct(mem_ctx, r);
222     + if (!ADS_ERR_OK(status)) {
223     + return status;
224     + }
225     +
226     + /* now do the mods */
227     +
228     + mods = ads_init_mods(mem_ctx);
229     + if (!mods) {
230     + return ADS_ERROR(LDAP_NO_MEMORY);
231     + }
232     +
233     + status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
234     + etype_list_str);
235     + if (!ADS_ERR_OK(status)) {
236     + return status;
237     + }
238     +
239     + return ads_gen_mod(r->in.ads, r->out.dn, mods);
240     +}
241     +#endif
242     +/****************************************************************
243     +****************************************************************/
244    
245     static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
246     struct libnet_JoinCtx *r)
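Review bot: The function is restored wholesale under `#if 0` with no comment saying why it is kept dead, which leaves the next reader guessing whether it is pending re-enablement or abandoned; a one-liner above the `#if 0`, such as `/* intentionally disabled: <reason it is retained> */` with the reason filled in, would make the intent explicit. Note also that the restored body formats a `uint32_t` with `"%d"`, whereas the copy kept in ads_create_machine_acct casts to `int`; `"%u"` would fit the type without a cast once this code is compiled again.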
247     --
248     2.9.0
249    
250    
251     From 452f99fdd08f9c5e5dcc660dc8900115f0abb093 Mon Sep 17 00:00:00 2001
252     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
253     Date: Wed, 2 Mar 2016 18:07:53 +0100
254     Subject: [PATCH 03/11] s3:libnet:libnet_join: prepare to allow connecting with
255     machine creds.
256    
257     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
258    
259     Guenther
260    
261     Signed-off-by: Guenther Deschner <gd@samba.org>
262     Reviewed-by: Stefan Metzmacher <metze@samba.org>
263     (cherry picked from commit 71d5634ab58f0ca21db633990231bd01a22c956c)
264     ---
265     source3/libnet/libnet_join.c | 73 +++++++++++++++++++++++++++++++++++++++++---
266     1 file changed, 68 insertions(+), 5 deletions(-)
267    
268     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
269     index 343e5f1..cc93a85 100644
270     --- a/source3/libnet/libnet_join.c
271     +++ b/source3/libnet/libnet_join.c
272     @@ -42,6 +42,7 @@
273     #include "lib/param/loadparm.h"
274     #include "libcli/auth/netlogon_creds_cli.h"
275     #include "auth/credentials/credentials.h"
276     +#include "krb5_env.h"
277    
278     /****************************************************************
279     ****************************************************************/
280     @@ -118,6 +119,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
281     const char *dc_name,
282     const char *user_name,
283     const char *password,
284     + const char *ccname,
285     ADS_STRUCT **ads)
286     {
287     ADS_STATUS status;
288     @@ -150,6 +152,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
289     my_ads->auth.password = SMB_STRDUP(password);
290     }
291    
292     + if (ccname != NULL) {
293     + SAFE_FREE(my_ads->auth.ccache_name);
294     + my_ads->auth.ccache_name = SMB_STRDUP(ccname);
295     + setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1);
296     + }
297     +
298     status = ads_connect_user_creds(my_ads);
299     if (!ADS_ERR_OK(status)) {
300     ads_destroy(&my_ads);
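Review bot: `my_ads->auth.ccache_name = SMB_STRDUP(ccname)` is passed straight to `setenv()` without a NULL check, so an allocation failure hands `setenv` a NULL value, which it rejects with EINVAL at best, and the credential cache would then silently remain whatever the environment had. Add `if (my_ads->auth.ccache_name == NULL) { ads_destroy(&my_ads); return ADS_ERROR(LDAP_NO_MEMORY); }` before the `setenv`, mirroring the cleanup already used on the connect failure below. It is also worth a comment that `setenv(KRB5_ENV_CCNAME, ...)` is process-wide, unchecked and never restored, so any other Kerberos use in the same process picks up the join's MEMORY ccache for the rest of its lifetime. libnet_connect_ads starts outside this hunk.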
301     @@ -164,15 +172,51 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
302     ****************************************************************/
303    
304     static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
305     - struct libnet_JoinCtx *r)
306     + struct libnet_JoinCtx *r,
307     + bool use_machine_creds)
308     {
309     ADS_STATUS status;
310     + const char *username;
311     + const char *password;
312     + const char *ccname = NULL;
313     +
314     + if (use_machine_creds) {
315     + if (r->in.machine_name == NULL ||
316     + r->in.machine_password == NULL) {
317     + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
318     + }
319     + username = talloc_strdup(mem_ctx, r->in.machine_name);
320     + if (username == NULL) {
321     + return ADS_ERROR(LDAP_NO_MEMORY);
322     + }
323     + if (username[strlen(username)] != '$') {
324     + username = talloc_asprintf(username, "%s$", username);
325     + if (username == NULL) {
326     + return ADS_ERROR(LDAP_NO_MEMORY);
327     + }
328     + }
329     + password = r->in.machine_password;
330     + ccname = "MEMORY:libnet_join_machine_creds";
331     + } else {
332     + username = r->in.admin_account;
333     + password = r->in.admin_password;
334     +
335     + /*
336     + * when r->in.use_kerberos is set to allow "net ads join -k" we
337     + * may not override the provided credential cache - gd
338     + */
339     +
340     + if (!r->in.use_kerberos) {
341     + ccname = "MEMORY:libnet_join_user_creds";
342     + }
343     + }
344    
345     status = libnet_connect_ads(r->out.dns_domain_name,
346     r->out.netbios_domain_name,
347     r->in.dc_name,
348     - r->in.admin_account,
349     - r->in.admin_password,
350     + username,
351     + password,
352     + ccname,
353     &r->in.ads);
354     if (!ADS_ERR_OK(status)) {
355     libnet_join_set_error_string(mem_ctx, r,
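Review bot: `if (username[strlen(username)] != '$')` indexes the terminating NUL, which is never `'$'`, so the branch always runs and a machine name that already carries the trailing `$` becomes `NAME$$`; the test should look at the last character, e.g. `size_t len = strlen(username); if (len == 0 || username[len - 1] != '$') {`. The defect is dormant for now because the only caller passing `use_machine_creds = true` is itself under `#if 0` in this patch, but it will bite as soon as that path is enabled. In the same branch `talloc_asprintf(username, "%s$", username)` hangs the new string off the old one as its talloc parent, which is harmless here but easy to misread; using `mem_ctx` as the context is clearer. libnet_join_connect_ads continues outside the hunk.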
356     @@ -201,6 +245,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
357     /****************************************************************
358     ****************************************************************/
359    
360     +static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
361     + struct libnet_JoinCtx *r)
362     +{
363     + return libnet_join_connect_ads(mem_ctx, r, false);
364     +}
365     +
366     +/****************************************************************
367     +****************************************************************/
368     +#if 0
369     +static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
370     + struct libnet_JoinCtx *r)
371     +{
372     + return libnet_join_connect_ads(mem_ctx, r, true);
373     +}
374     +#endif
375     +/****************************************************************
376     +****************************************************************/
377     +
378     static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
379     struct libnet_UnjoinCtx *r)
380     {
381     @@ -211,6 +273,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
382     r->in.dc_name,
383     r->in.admin_account,
384     r->in.admin_password,
385     + NULL,
386     &r->in.ads);
387     if (!ADS_ERR_OK(status)) {
388     libnet_unjoin_set_error_string(mem_ctx, r,
389     @@ -727,7 +790,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
390     ADS_STATUS status;
391    
392     if (!r->in.ads) {
393     - status = libnet_join_connect_ads(mem_ctx, r);
394     + status = libnet_join_connect_ads_user(mem_ctx, r);
395     if (!ADS_ERR_OK(status)) {
396     return status;
397     }
398     @@ -2258,7 +2321,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
399     if (r->out.domain_is_ad && r->in.account_ou &&
400     !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
401    
402     - ads_status = libnet_join_connect_ads(mem_ctx, r);
403     + ads_status = libnet_join_connect_ads_user(mem_ctx, r);
404     if (!ADS_ERR_OK(ads_status)) {
405     return WERR_DEFAULT_JOIN_REQUIRED;
406     }
407     --
408     2.9.0
409    
410    
411     From 3f6d9131abd68620bb35ef3bafbde586a1b751c2 Mon Sep 17 00:00:00 2001
412     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
413     Date: Fri, 4 Mar 2016 17:42:05 +0100
414     Subject: [PATCH 04/11] s3:libads:ldap: print LDAP error message with log level
415     10.
416    
417     Guenther
418    
419     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
420    
421     Signed-off-by: Guenther Deschner <gd@samba.org>
422     Reviewed-by: Stefan Metzmacher <metze@samba.org>
423     (cherry picked from commit 34030b025b9e4cd5e7321d6e242f6c03da2a60c0)
424     ---
425     source3/libads/ldap.c | 14 ++++++++++++++
426     1 file changed, 14 insertions(+)
427    
428     diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
429     index 125c9d7..91753d2 100644
430     --- a/source3/libads/ldap.c
431     +++ b/source3/libads/ldap.c
432     @@ -1416,6 +1416,17 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
433     }
434     #endif
435    
436     +static void ads_print_error(int ret, LDAP *ld)
437     +{
438     + if (ret != 0) {
439     + char *ld_error = NULL;
440     + ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
441     + DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
442     + ldap_err2string(ret), ld_error));
443     + SAFE_FREE(ld_error);
444     + }
445     +}
446     +
447     /**
448     * Perform an ldap modify
449     * @param ads connection to ads server
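Review bot: In `ads_print_error()` the result of `ldap_get_option()` is ignored and `ld_error` is printed with `%s` even when it stays NULL (the lookup can fail or carry no diagnostic), which is undefined behaviour for the formatter; guard it with `ldap_err2string(ret), ld_error != NULL ? ld_error : "<no diagnostic>"));`. The string is then released with `SAFE_FREE()`, i.e. libc `free()`, whereas OpenLDAP documents `ldap_memfree()` for memory it hands back; that only matters if the library uses a different allocator, but it is the documented contract. At level 10 the diagnostic will rarely be seen by an administrator debugging a failed join, so a lower level may be worth considering.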
450     @@ -1451,6 +1462,7 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
451     mods[i] = NULL;
452     ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
453     (LDAPMod **) mods, controls, NULL);
454     + ads_print_error(ret, ads->ldap.ld);
455     TALLOC_FREE(utf8_dn);
456     return ADS_ERROR(ret);
457     }
458     @@ -1479,6 +1491,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
459     mods[i] = NULL;
460    
461     ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
462     + ads_print_error(ret, ads->ldap.ld);
463     TALLOC_FREE(utf8_dn);
464     return ADS_ERROR(ret);
465     }
466     @@ -1500,6 +1513,7 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
467     }
468    
469     ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
470     + ads_print_error(ret, ads->ldap.ld);
471     TALLOC_FREE(utf8_dn);
472     return ADS_ERROR(ret);
473     }
474     --
475     2.9.0
476    
477    
478     From 6a2647247ab0abddc38c2abade36116e3a2e5788 Mon Sep 17 00:00:00 2001
479     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
480     Date: Fri, 11 Mar 2016 12:13:24 +0100
481     Subject: [PATCH 05/11] s3:libads:ndr: add ADS_AUTH_USER_CREDS to
482     ndr_print_ads_auth_flags()
483    
484     Guenther
485    
486     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
487    
488     Signed-off-by: Guenther Deschner <gd@samba.org>
489     Reviewed-by: Stefan Metzmacher <metze@samba.org>
490     (cherry picked from commit e8f6acdeece990dc8953d494113dee856d80da45)
491     ---
492     source3/libads/ndr.c | 1 +
493     1 file changed, 1 insertion(+)
494    
495     diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c
496     index fd0b63e..ac0b9e6 100644
497     --- a/source3/libads/ndr.c
498     +++ b/source3/libads/ndr.c
499     @@ -37,6 +37,7 @@ static void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, ui
500     ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SIGN", ADS_AUTH_SASL_SIGN, r);
501     ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SEAL", ADS_AUTH_SASL_SEAL, r);
502     ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_FORCE", ADS_AUTH_SASL_FORCE, r);
503     + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_USER_CREDS", ADS_AUTH_USER_CREDS, r);
504     ndr->depth--;
505     }
506    
507     --
508     2.9.0
509    
510    
511     From 51657c35d3455226f697bef24a7d967944a2c67d Mon Sep 17 00:00:00 2001
512     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
513     Date: Fri, 11 Mar 2016 12:15:14 +0100
514     Subject: [PATCH 06/11] s3:libads:ldap: fix ads_check_ou_dn to deal with
515     account_ou not being initialized
516    
517     Guenther
518    
519     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
520    
521     Signed-off-by: Guenther Deschner <gd@samba.org>
522     Reviewed-by: Stefan Metzmacher <metze@samba.org>
523     (cherry picked from commit c61b111e6fa3e138d4d9cf5038b69644248e834a)
524     ---
525     source3/libads/ldap.c | 14 ++++++++++----
526     1 file changed, 10 insertions(+), 4 deletions(-)
527    
528     diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
529     index 91753d2..8eac5c8 100644
530     --- a/source3/libads/ldap.c
531     +++ b/source3/libads/ldap.c
532     @@ -3870,10 +3870,16 @@ ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
533     const char *name;
534     char *ou_string;
535    
536     - exploded_dn = ldap_explode_dn(*account_ou, 0);
537     - if (exploded_dn) {
538     - ldap_value_free(exploded_dn);
539     - return ADS_SUCCESS;
540     + if (account_ou == NULL) {
541     + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
542     + }
543     +
544     + if (*account_ou != NULL) {
545     + exploded_dn = ldap_explode_dn(*account_ou, 0);
546     + if (exploded_dn) {
547     + ldap_value_free(exploded_dn);
548     + return ADS_SUCCESS;
549     + }
550     }
551    
552     ou_string = ads_ou_string(ads, *account_ou);
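Review bot: After the new `*account_ou != NULL` guard the function still falls through to `ads_ou_string(ads, *account_ou)` with a NULL `*account_ou`, so the fix relies on `ads_ou_string()` accepting NULL and producing a default; that contract is not visible here and should be confirmed or recorded in a comment, e.g. `/* NULL account_ou: ads_ou_string() is expected to fall back to the default container */`. If it does not tolerate NULL, the uninitialized-OU case this commit targets merely moves the failure one call down. ads_check_ou_dn starts and ends outside this hunk.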
553     --
554     2.9.0
555    
556    
557     From 7a1303f27904fafb8245b9ad9a26e7f846d9968d Mon Sep 17 00:00:00 2001
558     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
559     Date: Thu, 10 Mar 2016 18:03:47 +0100
560     Subject: [PATCH 07/11] s3:libnet:libnet_join: always try to create
561     machineaccount via LDAP first.
562    
563     Guenther
564    
565     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
566    
567     Signed-off-by: Guenther Deschner <gd@samba.org>
568     Reviewed-by: Stefan Metzmacher <metze@samba.org>
569     (cherry picked from commit df8f79cc9d44ad7b2caa6b86b7ebde7bb1fd4c8c)
570     ---
571     source3/libnet/libnet_join.c | 28 +++++++++++++++++++++++++---
572     1 file changed, 25 insertions(+), 3 deletions(-)
573    
574     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
575     index cc93a85..b10080d 100644
576     --- a/source3/libnet/libnet_join.c
577     +++ b/source3/libnet/libnet_join.c
578     @@ -2318,16 +2318,36 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
579     r->out.dns_domain_name, r->out.netbios_domain_name,
580     NULL, smbXcli_conn_remote_sockaddr(cli->conn));
581    
582     - if (r->out.domain_is_ad && r->in.account_ou &&
583     + if (r->out.domain_is_ad &&
584     !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
585    
586     + const char *initial_account_ou = r->in.account_ou;
587     +
588     + /*
589     + * we want to create the msDS-SupportedEncryptionTypes attribute
590     + * as early as possible so always try an LDAP create as the user
591     + * first. We copy r->in.account_ou because it may be changed
592     + * during the machine pre-creation.
593     + */
594     +
595     ads_status = libnet_join_connect_ads_user(mem_ctx, r);
596     if (!ADS_ERR_OK(ads_status)) {
597     return WERR_DEFAULT_JOIN_REQUIRED;
598     }
599    
600     ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
601     - if (!ADS_ERR_OK(ads_status)) {
602     + if (ADS_ERR_OK(ads_status)) {
603     +
604     + /*
605     + * LDAP object create succeeded, now go to the rpc
606     + * password set routines
607     + */
608     +
609     + r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
610     + goto rpc_join;
611     + }
612     +
613     + if (initial_account_ou != NULL) {
614     libnet_join_set_error_string(mem_ctx, r,
615     "failed to precreate account in ou %s: %s",
616     r->in.account_ou,
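Review bot: The error string at the end of the hunk still prints `r->in.account_ou` although the comment a few lines up says that value may be changed by `libnet_join_precreate_machine_acct()` and saves `initial_account_ou` for exactly that reason; the message should use `initial_account_ou` so the administrator sees the OU they actually requested. Separately, dropping `r->in.account_ou` from the condition means a failure of `libnet_join_connect_ads_user()` now aborts the join with `WERR_DEFAULT_JOIN_REQUIRED` for every AD domain rather than only when an OU was given; if an RPC-only join is still meant to work when LDAP is unreachable, this path needs a fallback instead of a hard return. libnet_DomainJoin continues outside the hunk.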
617     @@ -2335,10 +2355,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
618     return WERR_DEFAULT_JOIN_REQUIRED;
619     }
620    
621     - r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
622     + DEBUG(5, ("failed to precreate account in ou %s: %s",
623     + r->in.account_ou, ads_errstr(ads_status)));
624     }
625     #endif /* HAVE_ADS */
626    
627     + rpc_join:
628     if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
629     (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
630     status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
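Review bot: The new `DEBUG(5, ...)` message has no trailing `\n` and passes `r->in.account_ou` to `%s` on the path where `initial_account_ou` was NULL, so the pointer may still be NULL unless precreation filled it in; use `DEBUG(5, ("failed to precreate account in ou %s: %s\n", r->in.account_ou ? r->in.account_ou : "(default)", ads_errstr(ads_status)));`. Because this branch continues to `rpc_join` with `WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE` still set, a short comment noting that the RPC path is presumably left to create the account, and that the encryption-type attribute is therefore not set up front in that case, would help the next reader. libnet_DomainJoin continues outside the hunk.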
631     --
632     2.9.0
633    
634    
635     From d4cf8358ce96964443cae441f0808d744a1fd95d Mon Sep 17 00:00:00 2001
636     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
637     Date: Fri, 11 Mar 2016 16:02:27 +0100
638     Subject: [PATCH 08/11] s3:librpc:idl:libnet_join: add encryption types to
639     libnet_JoinCtx.
640    
641     Guenther
642    
643     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
644    
645     Signed-off-by: Guenther Deschner <gd@samba.org>
646     Reviewed-by: Stefan Metzmacher <metze@samba.org>
647     (cherry picked from commit 4a49f6fac9d6c77d1eedf914308e67eb6e2baa8d)
648     ---
649     source3/librpc/idl/libnet_join.idl | 4 +++-
650     1 file changed, 3 insertions(+), 1 deletion(-)
651    
652     diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
653     index ac0a350..0718739 100644
654     --- a/source3/librpc/idl/libnet_join.idl
655     +++ b/source3/librpc/idl/libnet_join.idl
656     @@ -35,6 +35,7 @@ interface libnetjoin
657     [in] boolean8 use_kerberos,
658     [in] netr_SchannelType secure_channel_type,
659     [in,noprint] messaging_context *msg_ctx,
660     + [in] uint32 desired_encryption_types,
661     [out] string account_name,
662     [out] string netbios_domain_name,
663     [out] string dns_domain_name,
664     @@ -43,7 +44,8 @@ interface libnetjoin
665     [out] dom_sid *domain_sid,
666     [out] boolean8 modified_config,
667     [out] string error_string,
668     - [out] boolean8 domain_is_ad
669     + [out] boolean8 domain_is_ad,
670     + [out] uint32 set_encryption_types
671     );
672    
673     [nopush,nopull,noopnum] WERROR libnet_UnjoinCtx(
674     --
675     2.9.0
676    
677    
678     From b6dae5b223f379dbdbd3b4ccca9492753f7f5286 Mon Sep 17 00:00:00 2001
679     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
680     Date: Fri, 11 Mar 2016 16:04:52 +0100
681     Subject: [PATCH 09/11] s3:libnet:libnet_join: define list of desired
682     encryption types only once.
683    
684     Guenther
685    
686     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
687    
688     Signed-off-by: Guenther Deschner <gd@samba.org>
689     Reviewed-by: Stefan Metzmacher <metze@samba.org>
690     (cherry picked from commit e0da059b39f9dd5ccb74f32f965e1ced384c77eb)
691     ---
692     source3/libads/ads_proto.h | 6 ++++--
693     source3/libads/ldap.c | 14 ++++----------
694     source3/libnet/libnet_join.c | 24 ++++++++++++++----------
695     3 files changed, 22 insertions(+), 22 deletions(-)
696    
697     diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
698     index 1399f41..425c352 100644
699     --- a/source3/libads/ads_proto.h
700     +++ b/source3/libads/ads_proto.h
701     @@ -97,8 +97,10 @@ ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
702     ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
703     ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
704     const char *my_fqdn, const char *spn);
705     -ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
706     - const char *org_unit);
707     +ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
708     + const char *machine_name,
709     + const char *org_unit,
710     + uint32_t etype_list);
711     ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
712     const char *org_unit, bool *moved);
713     int ads_count_replies(ADS_STRUCT *ads, void *res);
714     diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
715     index 8eac5c8..72bf4d9 100644
716     --- a/source3/libads/ldap.c
717     +++ b/source3/libads/ldap.c
718     @@ -2006,8 +2006,10 @@ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_n
719     * @return 0 upon success, or non-zero otherwise
720     **/
721    
722     -ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
723     - const char *org_unit)
724     +ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
725     + const char *machine_name,
726     + const char *org_unit,
727     + uint32_t etype_list)
728     {
729     ADS_STATUS ret;
730     char *samAccountName, *controlstr;
731     @@ -2063,16 +2065,8 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
732     ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
733    
734     if (func_level >= DS_DOMAIN_FUNCTION_2008) {
735     - uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
736     const char *etype_list_str;
737    
738     -#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
739     - etype_list |= ENC_HMAC_SHA1_96_AES128;
740     -#endif
741     -#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
742     - etype_list |= ENC_HMAC_SHA1_96_AES256;
743     -#endif
744     -
745     etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
746     if (etype_list_str == NULL) {
747     goto done;
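Review bot: With the hard-coded list gone, `ads_create_machine_acct()` now writes whatever `etype_list` the caller passes, including `0`, into `msDS-SupportedEncryptionTypes`, and an explicit 0 is not a meaningful enctype list; the attribute is better skipped for an empty list, e.g. `if (func_level >= DS_DOMAIN_FUNCTION_2008 && etype_list != 0) {`. The only caller in this series passes a nonzero default, so this is defensive rather than a live bug, but the parameter is now part of the public prototype. The function starts and ends outside the hunk.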
748     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
749     index b10080d..876a453 100644
750     --- a/source3/libnet/libnet_join.c
751     +++ b/source3/libnet/libnet_join.c
752     @@ -318,7 +318,8 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
753    
754     status = ads_create_machine_acct(r->in.ads,
755     r->in.machine_name,
756     - r->in.account_ou);
757     + r->in.account_ou,
758     + r->in.desired_encryption_types);
759    
760     if (ADS_ERR_OK(status)) {
761     DEBUG(1,("machine account creation created\n"));
762     @@ -673,17 +674,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
763     {
764     ADS_STATUS status;
765     ADS_MODLIST mods;
766     - uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
767     const char *etype_list_str;
768    
769     -#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
770     - etype_list |= ENC_HMAC_SHA1_96_AES128;
771     -#endif
772     -#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
773     - etype_list |= ENC_HMAC_SHA1_96_AES256;
774     -#endif
775     -
776     - etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
777     + etype_list_str = talloc_asprintf(mem_ctx, "%d",
778     + r->in.desired_encryption_types);
779     if (!etype_list_str) {
780     return ADS_ERROR(LDAP_NO_MEMORY);
781     }
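Review bot: `talloc_asprintf(mem_ctx, "%d", r->in.desired_encryption_types)` formats a `uint32` with a signed conversion, which `-Wformat` flags; use `"%u"`. The counterpart in ads_create_machine_acct casts to `int` instead, so the two sites now also disagree on style. libnet_join_set_etypes starts and ends outside the hunk, and it is not visible here whether the `#if 0` placed around it in patch 02 has been lifted.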
782     @@ -2143,6 +2137,16 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
783    
784     ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
785    
786     + ctx->in.desired_encryption_types = ENC_CRC32 |
787     + ENC_RSA_MD5 |
788     + ENC_RC4_HMAC_MD5;
789     +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
790     + ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
791     +#endif
792     +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
793     + ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
794     +#endif
795     +
796     *r = ctx;
797    
798     return WERR_OK;
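Review bot: The default `desired_encryption_types` advertises single-DES (`ENC_CRC32`, `ENC_RSA_MD5`) and RC4 alongside AES, and since this value is written to `msDS-SupportedEncryptionTypes` (and, given the aim of this series, presumably drives the keytab), a DC that honours the attribute may issue tickets to this host with those weaker enctypes. A comment should record the trade-off, e.g. `/* DES and RC4 are advertised for interoperability with pre-AES clients; the DC may select them for tickets to this host. Drop them once the environment no longer needs them. */`. Making the list configurable, or omitting DES unless explicitly requested, is worth tracking even if compatibility dictates the current default. libnet_init_JoinCtx starts outside the hunk.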
799     --
800     2.9.0
801    
802    
803     From 51a68159e119149b9527cac8a8a119f34bb6879a Mon Sep 17 00:00:00 2001
804     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
805     Date: Fri, 11 Mar 2016 16:05:53 +0100
806     Subject: [PATCH 10/11] s3:libnet:libnet_join: fill in output enctypes and only
807     modify when necessary.
808    
809     Guenther
810    
811     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
812    
813     Signed-off-by: Guenther Deschner <gd@samba.org>
814     Reviewed-by: Stefan Metzmacher <metze@samba.org>
815     (cherry picked from commit 5d498d1b4d9b83f179fb7b2841a19ad984eec5f8)
816     ---
817     source3/libads/ldap.c | 2 +-
818     source3/libnet/libnet_join.c | 18 +++++++++++++++++-
819     2 files changed, 18 insertions(+), 2 deletions(-)
820    
821     diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
822     index 72bf4d9..f611da2 100644
823     --- a/source3/libads/ldap.c
824     +++ b/source3/libads/ldap.c
825     @@ -1268,7 +1268,7 @@ char *ads_parent_dn(const char *dn)
826     {
827     ADS_STATUS status;
828     char *expr;
829     - const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
830     + const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL};
831    
832     *res = NULL;
833    
834     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
835     index 876a453..9f3d830 100644
836     --- a/source3/libnet/libnet_join.c
837     +++ b/source3/libnet/libnet_join.c
838     @@ -417,6 +417,11 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
839     goto done;
840     }
841    
842     + if (!ads_pull_uint32(r->in.ads, res, "msDS-SupportedEncryptionTypes",
843     + &r->out.set_encryption_types)) {
844     + r->out.set_encryption_types = 0;
845     + }
846     +
847     done:
848     ads_msgfree(r->in.ads, res);
849     TALLOC_FREE(dn);
850     @@ -689,6 +694,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
851     return status;
852     }
853    
854     + if (r->in.desired_encryption_types == r->out.set_encryption_types) {
855     + return ADS_SUCCESS;
856     + }
857     +
858     /* now do the mods */
859    
860     mods = ads_init_mods(mem_ctx);
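Review bot: The early `return ADS_SUCCESS` depends on r->out.set_encryption_types having been filled by libnet_join_find_machine_acct (the hunk at `@@ -417,6 +417,11 @@`), where a missing or unreadable attribute is recorded as 0; since the default desired mask is non-zero that still forces the modify, but the ordering requirement is invisible here. A comment on the comparison, `/* set_encryption_types is read by libnet_join_find_machine_acct(); 0 (attribute absent or unreadable) never matches, so the modify below runs */`, would document it. libnet_join_set_etypes starts and ends outside this hunk.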
861     @@ -702,7 +711,14 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
862     return status;
863     }
864    
865     - return ads_gen_mod(r->in.ads, r->out.dn, mods);
866     + status = ads_gen_mod(r->in.ads, r->out.dn, mods);
867     + if (!ADS_ERR_OK(status)) {
868     + return status;
869     + }
870     +
871     + r->out.set_encryption_types = r->in.desired_encryption_types;
872     +
873     + return ADS_SUCCESS;
874     }
875     #endif
876     /****************************************************************
877     --
878     2.9.0
879    
880    
881     From a489ac90045212decebbadf46a51fff42c224d3c Mon Sep 17 00:00:00 2001
882     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
883     Date: Fri, 11 Mar 2016 23:15:06 +0100
884     Subject: [PATCH 11/11] s3:libnet:libnet_join: update
885     msDS-SupportedEncryptionTypes (if required) with machine creds.
886    
887     Guenther
888    
889     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
890    
891     Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
892    
893     Signed-off-by: Guenther Deschner <gd@samba.org>
894     Signed-off-by: Stefan Metzmacher <metze@samba.org>
895    
896     Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
897     Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144
898    
899     (cherry picked from commit 06aefe4b956ae8748e20ae4c730aa344e81808b6)
900     ---
901     source3/libnet/libnet_join.c | 59 +++++++++++++++++++++++++++++++++++++++++---
902     1 file changed, 55 insertions(+), 4 deletions(-)
903    
904     diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
905     index 9f3d830..84f0e40 100644
906     --- a/source3/libnet/libnet_join.c
907     +++ b/source3/libnet/libnet_join.c
908     @@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
909    
910     /****************************************************************
911     ****************************************************************/
912     -#if 0
913     +
914     static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
915     struct libnet_JoinCtx *r)
916     {
917     return libnet_join_connect_ads(mem_ctx, r, true);
918     }
919     -#endif
920     +
921     /****************************************************************
922     ****************************************************************/
923    
924     @@ -673,7 +673,7 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
925    
926     /****************************************************************
927     ****************************************************************/
928     -#if 0
929     +
930     static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
931     struct libnet_JoinCtx *r)
932     {
933     @@ -720,7 +720,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
934    
935     return ADS_SUCCESS;
936     }
937     -#endif
938     +
939     /****************************************************************
940     ****************************************************************/
941    
942     @@ -798,6 +798,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
943     struct libnet_JoinCtx *r)
944     {
945     ADS_STATUS status;
946     + bool need_etype_update = false;
947    
948     if (!r->in.ads) {
949     status = libnet_join_connect_ads_user(mem_ctx, r);
950     @@ -832,6 +833,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
951     return status;
952     }
953    
954     + status = libnet_join_find_machine_acct(mem_ctx, r);
955     + if (!ADS_ERR_OK(status)) {
956     + return status;
957     + }
958     +
959     + if (r->in.desired_encryption_types != r->out.set_encryption_types) {
960     + uint32_t func_level = 0;
961     +
962     + status = ads_domain_func_level(r->in.ads, &func_level);
963     + if (!ADS_ERR_OK(status)) {
964     + libnet_join_set_error_string(mem_ctx, r,
965     + "failed to query domain controller functional level: %s",
966     + ads_errstr(status));
967     + return status;
968     + }
969     +
970     + if (func_level >= DS_DOMAIN_FUNCTION_2008) {
971     + need_etype_update = true;
972     + }
973     + }
974     +
975     + if (need_etype_update) {
976     + /*
977     + * We need to reconnect as machine account in order
978     + * to update msDS-SupportedEncryptionTypes reliable
979     + */
980     +
981     + if (r->in.ads->auth.ccache_name != NULL) {
982     + ads_kdestroy(r->in.ads->auth.ccache_name);
983     + }
984     +
985     + ads_destroy(&r->in.ads);
986     +
987     + status = libnet_join_connect_ads_machine(mem_ctx, r);
988     + if (!ADS_ERR_OK(status)) {
989     + libnet_join_set_error_string(mem_ctx, r,
990     + "Failed to connect as machine account: %s",
991     + ads_errstr(status));
992     + return status;
993     + }
994     +
995     + status = libnet_join_set_etypes(mem_ctx, r);
996     + if (!ADS_ERR_OK(status)) {
997     + libnet_join_set_error_string(mem_ctx, r,
998     + "failed to set machine kerberos encryption types: %s",
999     + ads_errstr(status));
1000     + return status;
1001     + }
1002     + }
1003     +
1004     if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
1005     return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
1006     }
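Review bot: When the desired and stored encryption types differ but func_level is below DS_DOMAIN_FUNCTION_2008, the new block falls through silently and r->out.set_encryption_types keeps the value read from the DC, so an operator has no trace of why the advertised enctypes were not updated; a `DEBUG(1, ("not updating msDS-SupportedEncryptionTypes: domain functional level %u is below 2008\n", func_level));` on that path would record it. After the reconnect the remainder of libnet_join_post_processing_ads (from libnet_join_derive_salting_principal on, outside the hunk) runs under the machine account rather than the joining user's credentials, and `ads_kdestroy(r->in.ads->auth.ccache_name)` discards whatever cache that name refers to — if it can be caller-supplied, a comment stating that the user's tickets are intentionally dropped here would help. If ads_destroy leaves r->in.ads NULL on a failed machine reconnect, the early return appears to cover it, but that is inferred rather than visible in the hunk. The function continues past the end of this hunk.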
1007     --
1008     2.9.0
1009    
