1 |
From 203193d5b167b5d24911d0438eda65f05eec2b31 Mon Sep 17 00:00:00 2001 |
2 |
From: Stefan Metzmacher <metze@samba.org> |
3 |
Date: Fri, 22 Jan 2016 09:57:04 +0100 |
4 |
Subject: [PATCH 01/11] s3:libads: setup the msDS-SupportedEncryptionTypes |
5 |
attribute on ldap_add |
6 |
MIME-Version: 1.0 |
7 |
Content-Type: text/plain; charset=UTF-8 |
8 |
Content-Transfer-Encoding: 8bit |
9 |
|
10 |
We may not have the permission to modify the object after creation. |
11 |
|
12 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
13 |
|
14 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
15 |
Reviewed-by: Björn Jacke <bj@sernet.de> |
16 |
Reviewed-by: Günther Deschner <gd@samba.org> |
17 |
|
18 |
Autobuild-User(master): Stefan Metzmacher <metze@samba.org> |
19 |
Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144 |
20 |
--- |
21 |
source3/libads/ldap.c | 26 ++++++++++++++++++ |
22 |
source3/libnet/libnet_join.c | 65 -------------------------------------------- |
23 |
2 files changed, 26 insertions(+), 65 deletions(-) |
24 |
|
25 |
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c |
26 |
index 121ba08..125c9d7 100644 |
27 |
--- a/source3/libads/ldap.c |
28 |
+++ b/source3/libads/ldap.c |
29 |
@@ -29,6 +29,7 @@ |
30 |
#include "../libds/common/flags.h" |
31 |
#include "smbldap.h" |
32 |
#include "../libcli/security/security.h" |
33 |
+#include "../librpc/gen_ndr/netlogon.h" |
34 |
#include "lib/param/loadparm.h" |
35 |
|
36 |
#ifdef HAVE_LDAP |
37 |
@@ -2006,6 +2007,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, |
38 |
uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ |
39 |
UF_DONT_EXPIRE_PASSWD |\ |
40 |
UF_ACCOUNTDISABLE ); |
41 |
+ uint32_t func_level = 0; |
42 |
+ |
43 |
+ ret = ads_domain_func_level(ads, &func_level); |
44 |
+ if (!ADS_ERR_OK(ret)) { |
45 |
+ return ret; |
46 |
+ } |
47 |
|
48 |
if (!(ctx = talloc_init("ads_add_machine_acct"))) |
49 |
return ADS_ERROR(LDAP_NO_MEMORY); |
50 |
@@ -2041,6 +2048,25 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, |
51 |
ads_mod_strlist(ctx, &mods, "objectClass", objectClass); |
52 |
ads_mod_str(ctx, &mods, "userAccountControl", controlstr); |
53 |
|
54 |
+ if (func_level >= DS_DOMAIN_FUNCTION_2008) { |
55 |
+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; |
56 |
+ const char *etype_list_str; |
57 |
+ |
58 |
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
59 |
+ etype_list |= ENC_HMAC_SHA1_96_AES128; |
60 |
+#endif |
61 |
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 |
62 |
+ etype_list |= ENC_HMAC_SHA1_96_AES256; |
63 |
+#endif |
64 |
+ |
65 |
+ etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); |
66 |
+ if (etype_list_str == NULL) { |
67 |
+ goto done; |
68 |
+ } |
69 |
+ ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", |
70 |
+ etype_list_str); |
71 |
+ } |
72 |
+ |
73 |
ret = ads_gen_add(ads, new_dn, mods); |
74 |
|
75 |
done: |
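Review bot: The out-of-memory branch `if (etype_list_str == NULL) { goto done; }` jumps to done while `ret` still holds the success status stored by `ret = ads_domain_func_level(ads, &func_level)` earlier in this function, so the caller is told the machine account was created although ads_gen_add was never reached (unless an assignment to ret outside the hunk changes that). Set the status before leaving: `ret = ADS_ERROR(LDAP_NO_MEMORY); goto done;`, which is also what the removed libnet_join_set_etypes did for the same failure. ads_create_machine_acct starts before the hunk and the done: cleanup continues after it.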
76 |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c |
77 |
index d7c7679..5564bd2 100644 |
78 |
--- a/source3/libnet/libnet_join.c |
79 |
+++ b/source3/libnet/libnet_join.c |
80 |
@@ -605,52 +605,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, |
81 |
/**************************************************************** |
82 |
****************************************************************/ |
83 |
|
84 |
-static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, |
85 |
- struct libnet_JoinCtx *r) |
86 |
-{ |
87 |
- ADS_STATUS status; |
88 |
- ADS_MODLIST mods; |
89 |
- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; |
90 |
- const char *etype_list_str; |
91 |
- |
92 |
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
93 |
- etype_list |= ENC_HMAC_SHA1_96_AES128; |
94 |
-#endif |
95 |
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 |
96 |
- etype_list |= ENC_HMAC_SHA1_96_AES256; |
97 |
-#endif |
98 |
- |
99 |
- etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); |
100 |
- if (!etype_list_str) { |
101 |
- return ADS_ERROR(LDAP_NO_MEMORY); |
102 |
- } |
103 |
- |
104 |
- /* Find our DN */ |
105 |
- |
106 |
- status = libnet_join_find_machine_acct(mem_ctx, r); |
107 |
- if (!ADS_ERR_OK(status)) { |
108 |
- return status; |
109 |
- } |
110 |
- |
111 |
- /* now do the mods */ |
112 |
- |
113 |
- mods = ads_init_mods(mem_ctx); |
114 |
- if (!mods) { |
115 |
- return ADS_ERROR(LDAP_NO_MEMORY); |
116 |
- } |
117 |
- |
118 |
- status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", |
119 |
- etype_list_str); |
120 |
- if (!ADS_ERR_OK(status)) { |
121 |
- return status; |
122 |
- } |
123 |
- |
124 |
- return ads_gen_mod(r->in.ads, r->out.dn, mods); |
125 |
-} |
126 |
- |
127 |
-/**************************************************************** |
128 |
-****************************************************************/ |
129 |
- |
130 |
static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, |
131 |
struct libnet_JoinCtx *r) |
132 |
{ |
133 |
@@ -725,7 +679,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, |
134 |
struct libnet_JoinCtx *r) |
135 |
{ |
136 |
ADS_STATUS status; |
137 |
- uint32_t func_level = 0; |
138 |
|
139 |
if (!r->in.ads) { |
140 |
status = libnet_join_connect_ads(mem_ctx, r); |
141 |
@@ -760,24 +713,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, |
142 |
return status; |
143 |
} |
144 |
|
145 |
- status = ads_domain_func_level(r->in.ads, &func_level); |
146 |
- if (!ADS_ERR_OK(status)) { |
147 |
- libnet_join_set_error_string(mem_ctx, r, |
148 |
- "failed to query domain controller functional level: %s", |
149 |
- ads_errstr(status)); |
150 |
- return status; |
151 |
- } |
152 |
- |
153 |
- if (func_level >= DS_DOMAIN_FUNCTION_2008) { |
154 |
- status = libnet_join_set_etypes(mem_ctx, r); |
155 |
- if (!ADS_ERR_OK(status)) { |
156 |
- libnet_join_set_error_string(mem_ctx, r, |
157 |
- "failed to set machine kerberos encryption types: %s", |
158 |
- ads_errstr(status)); |
159 |
- return status; |
160 |
- } |
161 |
- } |
162 |
- |
163 |
if (!libnet_join_derive_salting_principal(mem_ctx, r)) { |
164 |
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); |
165 |
} |
166 |
-- |
167 |
2.9.0 |
168 |
|
169 |
|
170 |
From 3b269e29a5b91723749d16685782c5c590fda424 Mon Sep 17 00:00:00 2001 |
171 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
172 |
Date: Fri, 11 Mar 2016 23:14:13 +0100 |
173 |
Subject: [PATCH 02/11] Partly revert "s3:libads: setup the |
174 |
msDS-SupportedEncryptionTypes attribute on ldap_add" |
175 |
MIME-Version: 1.0 |
176 |
Content-Type: text/plain; charset=UTF-8 |
177 |
Content-Transfer-Encoding: 8bit |
178 |
|
179 |
This partly reverts commit 0c74d62524db376b6a3fac00c688be0cdffcaa80. |
180 |
|
181 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
182 |
|
183 |
Signed-off-by: Günther Deschner <gd@samba.org> |
184 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
185 |
(cherry picked from commit 6686f67d2a91146c8bb2fb2a8104fcaa5710b855) |
186 |
--- |
187 |
source3/libnet/libnet_join.c | 46 ++++++++++++++++++++++++++++++++++++++++++++ |
188 |
1 file changed, 46 insertions(+) |
189 |
|
190 |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c |
191 |
index 5564bd2..343e5f1 100644 |
192 |
--- a/source3/libnet/libnet_join.c |
193 |
+++ b/source3/libnet/libnet_join.c |
194 |
@@ -604,6 +604,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, |
195 |
|
196 |
/**************************************************************** |
197 |
****************************************************************/ |
198 |
+#if 0 |
199 |
+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, |
200 |
+ struct libnet_JoinCtx *r) |
201 |
+{ |
202 |
+ ADS_STATUS status; |
203 |
+ ADS_MODLIST mods; |
204 |
+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; |
205 |
+ const char *etype_list_str; |
206 |
+ |
207 |
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
208 |
+ etype_list |= ENC_HMAC_SHA1_96_AES128; |
209 |
+#endif |
210 |
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 |
211 |
+ etype_list |= ENC_HMAC_SHA1_96_AES256; |
212 |
+#endif |
213 |
+ |
214 |
+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); |
215 |
+ if (!etype_list_str) { |
216 |
+ return ADS_ERROR(LDAP_NO_MEMORY); |
217 |
+ } |
218 |
+ |
219 |
+ /* Find our DN */ |
220 |
+ |
221 |
+ status = libnet_join_find_machine_acct(mem_ctx, r); |
222 |
+ if (!ADS_ERR_OK(status)) { |
223 |
+ return status; |
224 |
+ } |
225 |
+ |
226 |
+ /* now do the mods */ |
227 |
+ |
228 |
+ mods = ads_init_mods(mem_ctx); |
229 |
+ if (!mods) { |
230 |
+ return ADS_ERROR(LDAP_NO_MEMORY); |
231 |
+ } |
232 |
+ |
233 |
+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", |
234 |
+ etype_list_str); |
235 |
+ if (!ADS_ERR_OK(status)) { |
236 |
+ return status; |
237 |
+ } |
238 |
+ |
239 |
+ return ads_gen_mod(r->in.ads, r->out.dn, mods); |
240 |
+} |
241 |
+#endif |
242 |
+/**************************************************************** |
243 |
+****************************************************************/ |
244 |
|
245 |
static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, |
246 |
struct libnet_JoinCtx *r) |
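Review bot: The whole of libnet_join_set_etypes is re-added between `#if 0` and `#endif`, so the compiler never sees it and the `-Wformat` mismatch in `etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);` (a uint32_t passed for `%d`, whereas the ldap.c copy casts with `(int)`) goes unnoticed; the same mismatch remains in patch 09's rewrite `talloc_asprintf(mem_ctx, "%d", r->in.desired_encryption_types)`. Use `"%u"` with the unsigned value, or keep the `(int)` cast for consistency with ads_create_machine_acct. A one-line comment above `#if 0` naming the later change that is expected to enable the function would spare the next reader a search through the series.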
247 |
-- |
248 |
2.9.0 |
249 |
|
250 |
|
251 |
From 452f99fdd08f9c5e5dcc660dc8900115f0abb093 Mon Sep 17 00:00:00 2001 |
252 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
253 |
Date: Wed, 2 Mar 2016 18:07:53 +0100 |
254 |
Subject: [PATCH 03/11] s3:libnet:libnet_join: prepare to allow connecting with |
255 |
machine creds. |
256 |
|
257 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
258 |
|
259 |
Guenther |
260 |
|
261 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
262 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
263 |
(cherry picked from commit 71d5634ab58f0ca21db633990231bd01a22c956c) |
264 |
--- |
265 |
source3/libnet/libnet_join.c | 73 +++++++++++++++++++++++++++++++++++++++++--- |
266 |
1 file changed, 68 insertions(+), 5 deletions(-) |
267 |
|
268 |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c |
269 |
index 343e5f1..cc93a85 100644 |
270 |
--- a/source3/libnet/libnet_join.c |
271 |
+++ b/source3/libnet/libnet_join.c |
272 |
@@ -42,6 +42,7 @@ |
273 |
#include "lib/param/loadparm.h" |
274 |
#include "libcli/auth/netlogon_creds_cli.h" |
275 |
#include "auth/credentials/credentials.h" |
276 |
+#include "krb5_env.h" |
277 |
|
278 |
/**************************************************************** |
279 |
****************************************************************/ |
280 |
@@ -118,6 +119,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, |
281 |
const char *dc_name, |
282 |
const char *user_name, |
283 |
const char *password, |
284 |
+ const char *ccname, |
285 |
ADS_STRUCT **ads) |
286 |
{ |
287 |
ADS_STATUS status; |
288 |
@@ -150,6 +152,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, |
289 |
my_ads->auth.password = SMB_STRDUP(password); |
290 |
} |
291 |
|
292 |
+ if (ccname != NULL) { |
293 |
+ SAFE_FREE(my_ads->auth.ccache_name); |
294 |
+ my_ads->auth.ccache_name = SMB_STRDUP(ccname); |
295 |
+ setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1); |
296 |
+ } |
297 |
+ |
298 |
status = ads_connect_user_creds(my_ads); |
299 |
if (!ADS_ERR_OK(status)) { |
300 |
ads_destroy(&my_ads); |
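Review bot: `my_ads->auth.ccache_name = SMB_STRDUP(ccname);` is not checked, so on allocation failure the next line calls setenv with a NULL value, which setenv rejects with EINVAL (and the ads->auth field stays NULL for later code). Check it in the same style the function already uses for ads_connect_user_creds: `if (my_ads->auth.ccache_name == NULL) { ads_destroy(&my_ads); return ADS_ERROR(LDAP_NO_MEMORY); }`. setenv's own return is also ignored, and since the environment is process-wide and is not visibly reset when ads_connect_user_creds fails and my_ads is destroyed, a comment stating that KRB5CCNAME intentionally stays set for the rest of the process (or a reset on the failure path) would document the intended lifetime. libnet_connect_ads starts before the hunk and continues after it.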
301 |
@@ -164,15 +172,51 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, |
302 |
****************************************************************/ |
303 |
|
304 |
static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, |
305 |
- struct libnet_JoinCtx *r) |
306 |
+ struct libnet_JoinCtx *r, |
307 |
+ bool use_machine_creds) |
308 |
{ |
309 |
ADS_STATUS status; |
310 |
+ const char *username; |
311 |
+ const char *password; |
312 |
+ const char *ccname = NULL; |
313 |
+ |
314 |
+ if (use_machine_creds) { |
315 |
+ if (r->in.machine_name == NULL || |
316 |
+ r->in.machine_password == NULL) { |
317 |
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); |
318 |
+ } |
319 |
+ username = talloc_strdup(mem_ctx, r->in.machine_name); |
320 |
+ if (username == NULL) { |
321 |
+ return ADS_ERROR(LDAP_NO_MEMORY); |
322 |
+ } |
323 |
+ if (username[strlen(username)] != '$') { |
324 |
+ username = talloc_asprintf(username, "%s$", username); |
325 |
+ if (username == NULL) { |
326 |
+ return ADS_ERROR(LDAP_NO_MEMORY); |
327 |
+ } |
328 |
+ } |
329 |
+ password = r->in.machine_password; |
330 |
+ ccname = "MEMORY:libnet_join_machine_creds"; |
331 |
+ } else { |
332 |
+ username = r->in.admin_account; |
333 |
+ password = r->in.admin_password; |
334 |
+ |
335 |
+ /* |
336 |
+ * when r->in.use_kerberos is set to allow "net ads join -k" we |
337 |
+ * may not override the provided credential cache - gd |
338 |
+ */ |
339 |
+ |
340 |
+ if (!r->in.use_kerberos) { |
341 |
+ ccname = "MEMORY:libnet_join_user_creds"; |
342 |
+ } |
343 |
+ } |
344 |
|
345 |
status = libnet_connect_ads(r->out.dns_domain_name, |
346 |
r->out.netbios_domain_name, |
347 |
r->in.dc_name, |
348 |
- r->in.admin_account, |
349 |
- r->in.admin_password, |
350 |
+ username, |
351 |
+ password, |
352 |
+ ccname, |
353 |
&r->in.ads); |
354 |
if (!ADS_ERR_OK(status)) { |
355 |
libnet_join_set_error_string(mem_ctx, r, |
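Review bot: `if (username[strlen(username)] != '$')` can never be false, because the character at index strlen() is the terminating NUL, so a machine name that already ends in `$` is turned into `NAME$$` and the machine-credential bind will use the wrong account name. Test the last character instead and keep the empty string safe: `size_t len = strlen(username);` followed by `if (len == 0 || username[len - 1] != '$') {`. The `talloc_asprintf(username, "%s$", username)` call parents the new string on the old one, which is fine for lifetime but worth a short comment since it reads like a self-reference. libnet_join_connect_ads continues outside the hunk.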
356 |
@@ -201,6 +245,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, |
357 |
/**************************************************************** |
358 |
****************************************************************/ |
359 |
|
360 |
+static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx, |
361 |
+ struct libnet_JoinCtx *r) |
362 |
+{ |
363 |
+ return libnet_join_connect_ads(mem_ctx, r, false); |
364 |
+} |
365 |
+ |
366 |
+/**************************************************************** |
367 |
+****************************************************************/ |
368 |
+#if 0 |
369 |
+static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx, |
370 |
+ struct libnet_JoinCtx *r) |
371 |
+{ |
372 |
+ return libnet_join_connect_ads(mem_ctx, r, true); |
373 |
+} |
374 |
+#endif |
375 |
+/**************************************************************** |
376 |
+****************************************************************/ |
377 |
+ |
378 |
static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, |
379 |
struct libnet_UnjoinCtx *r) |
380 |
{ |
381 |
@@ -211,6 +273,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, |
382 |
r->in.dc_name, |
383 |
r->in.admin_account, |
384 |
r->in.admin_password, |
385 |
+ NULL, |
386 |
&r->in.ads); |
387 |
if (!ADS_ERR_OK(status)) { |
388 |
libnet_unjoin_set_error_string(mem_ctx, r, |
389 |
@@ -727,7 +790,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, |
390 |
ADS_STATUS status; |
391 |
|
392 |
if (!r->in.ads) { |
393 |
- status = libnet_join_connect_ads(mem_ctx, r); |
394 |
+ status = libnet_join_connect_ads_user(mem_ctx, r); |
395 |
if (!ADS_ERR_OK(status)) { |
396 |
return status; |
397 |
} |
398 |
@@ -2258,7 +2321,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, |
399 |
if (r->out.domain_is_ad && r->in.account_ou && |
400 |
!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { |
401 |
|
402 |
- ads_status = libnet_join_connect_ads(mem_ctx, r); |
403 |
+ ads_status = libnet_join_connect_ads_user(mem_ctx, r); |
404 |
if (!ADS_ERR_OK(ads_status)) { |
405 |
return WERR_DEFAULT_JOIN_REQUIRED; |
406 |
} |
407 |
-- |
408 |
2.9.0 |
409 |
|
410 |
|
411 |
From 3f6d9131abd68620bb35ef3bafbde586a1b751c2 Mon Sep 17 00:00:00 2001 |
412 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
413 |
Date: Fri, 4 Mar 2016 17:42:05 +0100 |
414 |
Subject: [PATCH 04/11] s3:libads:ldap: print LDAP error message with log level |
415 |
10. |
416 |
|
417 |
Guenther |
418 |
|
419 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
420 |
|
421 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
422 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
423 |
(cherry picked from commit 34030b025b9e4cd5e7321d6e242f6c03da2a60c0) |
424 |
--- |
425 |
source3/libads/ldap.c | 14 ++++++++++++++ |
426 |
1 file changed, 14 insertions(+) |
427 |
|
428 |
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c |
429 |
index 125c9d7..91753d2 100644 |
430 |
--- a/source3/libads/ldap.c |
431 |
+++ b/source3/libads/ldap.c |
432 |
@@ -1416,6 +1416,17 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, |
433 |
} |
434 |
#endif |
435 |
|
436 |
+static void ads_print_error(int ret, LDAP *ld) |
437 |
+{ |
438 |
+ if (ret != 0) { |
439 |
+ char *ld_error = NULL; |
440 |
+ ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error); |
441 |
+ DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret, |
442 |
+ ldap_err2string(ret), ld_error)); |
443 |
+ SAFE_FREE(ld_error); |
444 |
+ } |
445 |
+} |
446 |
+ |
447 |
/** |
448 |
* Perform an ldap modify |
449 |
* @param ads connection to ads server |
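Review bot: In ads_print_error the result of `ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error)` is not checked, so when it fails ld_error stays NULL and is handed to `%s` in the DEBUG call, which is undefined behaviour in standard C even though glibc prints "(null)". Guard the argument: `ldap_err2string(ret), ld_error ? ld_error : ""`. OpenLDAP documents the returned string as to be released with ldap_memfree(); `SAFE_FREE(ld_error)` is only equivalent where that maps to free(), so if other call sites in this file already use SAFE_FREE for it, a comment saying so would stop the next reader from questioning it.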
450 |
@@ -1451,6 +1462,7 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) |
451 |
mods[i] = NULL; |
452 |
ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn, |
453 |
(LDAPMod **) mods, controls, NULL); |
454 |
+ ads_print_error(ret, ads->ldap.ld); |
455 |
TALLOC_FREE(utf8_dn); |
456 |
return ADS_ERROR(ret); |
457 |
} |
458 |
@@ -1479,6 +1491,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) |
459 |
mods[i] = NULL; |
460 |
|
461 |
ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods); |
462 |
+ ads_print_error(ret, ads->ldap.ld); |
463 |
TALLOC_FREE(utf8_dn); |
464 |
return ADS_ERROR(ret); |
465 |
} |
466 |
@@ -1500,6 +1513,7 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) |
467 |
} |
468 |
|
469 |
ret = ldap_delete_s(ads->ldap.ld, utf8_dn); |
470 |
+ ads_print_error(ret, ads->ldap.ld); |
471 |
TALLOC_FREE(utf8_dn); |
472 |
return ADS_ERROR(ret); |
473 |
} |
474 |
-- |
475 |
2.9.0 |
476 |
|
477 |
|
478 |
From 6a2647247ab0abddc38c2abade36116e3a2e5788 Mon Sep 17 00:00:00 2001 |
479 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
480 |
Date: Fri, 11 Mar 2016 12:13:24 +0100 |
481 |
Subject: [PATCH 05/11] s3:libads:ndr: add ADS_AUTH_USER_CREDS to |
482 |
ndr_print_ads_auth_flags() |
483 |
|
484 |
Guenther |
485 |
|
486 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
487 |
|
488 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
489 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
490 |
(cherry picked from commit e8f6acdeece990dc8953d494113dee856d80da45) |
491 |
--- |
492 |
source3/libads/ndr.c | 1 + |
493 |
1 file changed, 1 insertion(+) |
494 |
|
495 |
diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c |
496 |
index fd0b63e..ac0b9e6 100644 |
497 |
--- a/source3/libads/ndr.c |
498 |
+++ b/source3/libads/ndr.c |
499 |
@@ -37,6 +37,7 @@ static void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, ui |
500 |
ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SIGN", ADS_AUTH_SASL_SIGN, r); |
501 |
ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SEAL", ADS_AUTH_SASL_SEAL, r); |
502 |
ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_FORCE", ADS_AUTH_SASL_FORCE, r); |
503 |
+ ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_USER_CREDS", ADS_AUTH_USER_CREDS, r); |
504 |
ndr->depth--; |
505 |
} |
506 |
|
507 |
-- |
508 |
2.9.0 |
509 |
|
510 |
|
511 |
From 51657c35d3455226f697bef24a7d967944a2c67d Mon Sep 17 00:00:00 2001 |
512 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
513 |
Date: Fri, 11 Mar 2016 12:15:14 +0100 |
514 |
Subject: [PATCH 06/11] s3:libads:ldap: fix ads_check_ou_dn to deal with |
515 |
account_ou not being initialized |
516 |
|
517 |
Guenther |
518 |
|
519 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
520 |
|
521 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
522 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
523 |
(cherry picked from commit c61b111e6fa3e138d4d9cf5038b69644248e834a) |
524 |
--- |
525 |
source3/libads/ldap.c | 14 ++++++++++---- |
526 |
1 file changed, 10 insertions(+), 4 deletions(-) |
527 |
|
528 |
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c |
529 |
index 91753d2..8eac5c8 100644 |
530 |
--- a/source3/libads/ldap.c |
531 |
+++ b/source3/libads/ldap.c |
532 |
@@ -3870,10 +3870,16 @@ ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx, |
533 |
const char *name; |
534 |
char *ou_string; |
535 |
|
536 |
- exploded_dn = ldap_explode_dn(*account_ou, 0); |
537 |
- if (exploded_dn) { |
538 |
- ldap_value_free(exploded_dn); |
539 |
- return ADS_SUCCESS; |
540 |
+ if (account_ou == NULL) { |
541 |
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); |
542 |
+ } |
543 |
+ |
544 |
+ if (*account_ou != NULL) { |
545 |
+ exploded_dn = ldap_explode_dn(*account_ou, 0); |
546 |
+ if (exploded_dn) { |
547 |
+ ldap_value_free(exploded_dn); |
548 |
+ return ADS_SUCCESS; |
549 |
+ } |
550 |
} |
551 |
|
552 |
ou_string = ads_ou_string(ads, *account_ou); |
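Review bot: The new `if (*account_ou != NULL)` guard protects only the ldap_explode_dn call; when `*account_ou` is NULL control still falls through to `ou_string = ads_ou_string(ads, *account_ou);` with that NULL, and whether ads_ou_string tolerates it is outside the hunk. If it does, a comment such as `/* *account_ou may be NULL here: ads_ou_string falls back to the default container */` on that line would record the contract; if it does not, the NULL case needs its own return before it. ads_check_ou_dn starts before the hunk and continues after it.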
553 |
-- |
554 |
2.9.0 |
555 |
|
556 |
|
557 |
From 7a1303f27904fafb8245b9ad9a26e7f846d9968d Mon Sep 17 00:00:00 2001 |
558 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
559 |
Date: Thu, 10 Mar 2016 18:03:47 +0100 |
560 |
Subject: [PATCH 07/11] s3:libnet:libnet_join: always try to create |
561 |
machineaccount via LDAP first. |
562 |
|
563 |
Guenther |
564 |
|
565 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
566 |
|
567 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
568 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
569 |
(cherry picked from commit df8f79cc9d44ad7b2caa6b86b7ebde7bb1fd4c8c) |
570 |
--- |
571 |
source3/libnet/libnet_join.c | 28 +++++++++++++++++++++++++--- |
572 |
1 file changed, 25 insertions(+), 3 deletions(-) |
573 |
|
574 |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c |
575 |
index cc93a85..b10080d 100644 |
576 |
--- a/source3/libnet/libnet_join.c |
577 |
+++ b/source3/libnet/libnet_join.c |
578 |
@@ -2318,16 +2318,36 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, |
579 |
r->out.dns_domain_name, r->out.netbios_domain_name, |
580 |
NULL, smbXcli_conn_remote_sockaddr(cli->conn)); |
581 |
|
582 |
- if (r->out.domain_is_ad && r->in.account_ou && |
583 |
+ if (r->out.domain_is_ad && |
584 |
!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { |
585 |
|
586 |
+ const char *initial_account_ou = r->in.account_ou; |
587 |
+ |
588 |
+ /* |
589 |
+ * we want to create the msDS-SupportedEncryptionTypes attribute |
590 |
+ * as early as possible so always try an LDAP create as the user |
591 |
+ * first. We copy r->in.account_ou because it may be changed |
592 |
+ * during the machine pre-creation. |
593 |
+ */ |
594 |
+ |
595 |
ads_status = libnet_join_connect_ads_user(mem_ctx, r); |
596 |
if (!ADS_ERR_OK(ads_status)) { |
597 |
return WERR_DEFAULT_JOIN_REQUIRED; |
598 |
} |
599 |
|
600 |
ads_status = libnet_join_precreate_machine_acct(mem_ctx, r); |
601 |
- if (!ADS_ERR_OK(ads_status)) { |
602 |
+ if (ADS_ERR_OK(ads_status)) { |
603 |
+ |
604 |
+ /* |
605 |
+ * LDAP object create succeeded, now go to the rpc |
606 |
+ * password set routines |
607 |
+ */ |
608 |
+ |
609 |
+ r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; |
610 |
+ goto rpc_join; |
611 |
+ } |
612 |
+ |
613 |
+ if (initial_account_ou != NULL) { |
614 |
libnet_join_set_error_string(mem_ctx, r, |
615 |
"failed to precreate account in ou %s: %s", |
616 |
r->in.account_ou, |
617 |
@@ -2335,10 +2355,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, |
618 |
return WERR_DEFAULT_JOIN_REQUIRED; |
619 |
} |
620 |
|
621 |
- r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; |
622 |
+ DEBUG(5, ("failed to precreate account in ou %s: %s", |
623 |
+ r->in.account_ou, ads_errstr(ads_status))); |
624 |
} |
625 |
#endif /* HAVE_ADS */ |
626 |
|
627 |
+ rpc_join: |
628 |
if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && |
629 |
(r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) { |
630 |
status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli); |
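Review bot: `DEBUG(5, ("failed to precreate account in ou %s: %s", r->in.account_ou, ads_errstr(ads_status)));` runs only in the branch where initial_account_ou was NULL, so unless pre-creation filled in r->in.account_ou (the comment in the previous hunk says it may) the `%s` receives a NULL pointer; the message also lacks a trailing newline, unlike the other DEBUG calls in this file. Suggested form: `DEBUG(5, ("failed to precreate account in ou %s: %s\n", r->in.account_ou ? r->in.account_ou : "(none)", ads_errstr(ads_status)));`. libnet_DomainJoin starts before the hunk and continues after it.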
631 |
-- |
632 |
2.9.0 |
633 |
|
634 |
|
635 |
From d4cf8358ce96964443cae441f0808d744a1fd95d Mon Sep 17 00:00:00 2001 |
636 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
637 |
Date: Fri, 11 Mar 2016 16:02:27 +0100 |
638 |
Subject: [PATCH 08/11] s3:librpc:idl:libnet_join: add encryption types to |
639 |
libnet_JoinCtx. |
640 |
|
641 |
Guenther |
642 |
|
643 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
644 |
|
645 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
646 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
647 |
(cherry picked from commit 4a49f6fac9d6c77d1eedf914308e67eb6e2baa8d) |
648 |
--- |
649 |
source3/librpc/idl/libnet_join.idl | 4 +++- |
650 |
1 file changed, 3 insertions(+), 1 deletion(-) |
651 |
|
652 |
diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl |
653 |
index ac0a350..0718739 100644 |
654 |
--- a/source3/librpc/idl/libnet_join.idl |
655 |
+++ b/source3/librpc/idl/libnet_join.idl |
656 |
@@ -35,6 +35,7 @@ interface libnetjoin |
657 |
[in] boolean8 use_kerberos, |
658 |
[in] netr_SchannelType secure_channel_type, |
659 |
[in,noprint] messaging_context *msg_ctx, |
660 |
+ [in] uint32 desired_encryption_types, |
661 |
[out] string account_name, |
662 |
[out] string netbios_domain_name, |
663 |
[out] string dns_domain_name, |
664 |
@@ -43,7 +44,8 @@ interface libnetjoin |
665 |
[out] dom_sid *domain_sid, |
666 |
[out] boolean8 modified_config, |
667 |
[out] string error_string, |
668 |
- [out] boolean8 domain_is_ad |
669 |
+ [out] boolean8 domain_is_ad, |
670 |
+ [out] uint32 set_encryption_types |
671 |
); |
672 |
|
673 |
[nopush,nopull,noopnum] WERROR libnet_UnjoinCtx( |
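Review bot: The new `[in] uint32 desired_encryption_types` and `[out] uint32 set_encryption_types` fields carry no comment saying what their bits mean, and nothing in the IDL ties them to the msDS-SupportedEncryptionTypes attribute they are read from and written to in the C code. A comment on each, e.g. `/* msDS-SupportedEncryptionTypes bit flags (ENC_* values) */`, would let a caller build the value without reading libnet_join.c. The distinction between "attribute absent" and "set to 0" is not representable in the out field; if that matters to callers it should be stated here too.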
674 |
-- |
675 |
2.9.0 |
676 |
|
677 |
|
678 |
From b6dae5b223f379dbdbd3b4ccca9492753f7f5286 Mon Sep 17 00:00:00 2001 |
679 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
680 |
Date: Fri, 11 Mar 2016 16:04:52 +0100 |
681 |
Subject: [PATCH 09/11] s3:libnet:libnet_join: define list of desired |
682 |
encryption types only once. |
683 |
|
684 |
Guenther |
685 |
|
686 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
687 |
|
688 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
689 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
690 |
(cherry picked from commit e0da059b39f9dd5ccb74f32f965e1ced384c77eb) |
691 |
--- |
692 |
source3/libads/ads_proto.h | 6 ++++-- |
693 |
source3/libads/ldap.c | 14 ++++---------- |
694 |
source3/libnet/libnet_join.c | 24 ++++++++++++++---------- |
695 |
3 files changed, 22 insertions(+), 22 deletions(-) |
696 |
|
697 |
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h |
698 |
index 1399f41..425c352 100644 |
699 |
--- a/source3/libads/ads_proto.h |
700 |
+++ b/source3/libads/ads_proto.h |
701 |
@@ -97,8 +97,10 @@ ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx, |
702 |
ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name); |
703 |
ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name, |
704 |
const char *my_fqdn, const char *spn); |
705 |
-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, |
706 |
- const char *org_unit); |
707 |
+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, |
708 |
+ const char *machine_name, |
709 |
+ const char *org_unit, |
710 |
+ uint32_t etype_list); |
711 |
ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, |
712 |
const char *org_unit, bool *moved); |
713 |
int ads_count_replies(ADS_STRUCT *ads, void *res); |
714 |
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c |
715 |
index 8eac5c8..72bf4d9 100644 |
716 |
--- a/source3/libads/ldap.c |
717 |
+++ b/source3/libads/ldap.c |
718 |
@@ -2006,8 +2006,10 @@ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_n |
719 |
* @return 0 upon success, or non-zero otherwise |
720 |
**/ |
721 |
|
722 |
-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, |
723 |
- const char *org_unit) |
724 |
+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, |
725 |
+ const char *machine_name, |
726 |
+ const char *org_unit, |
727 |
+ uint32_t etype_list) |
728 |
{ |
729 |
ADS_STATUS ret; |
730 |
char *samAccountName, *controlstr; |
731 |
@@ -2063,16 +2065,8 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, |
732 |
ads_mod_str(ctx, &mods, "userAccountControl", controlstr); |
733 |
|
734 |
if (func_level >= DS_DOMAIN_FUNCTION_2008) { |
735 |
- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; |
736 |
const char *etype_list_str; |
737 |
|
738 |
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
739 |
- etype_list |= ENC_HMAC_SHA1_96_AES128; |
740 |
-#endif |
741 |
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 |
742 |
- etype_list |= ENC_HMAC_SHA1_96_AES256; |
743 |
-#endif |
744 |
- |
745 |
etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); |
746 |
if (etype_list_str == NULL) { |
747 |
goto done; |
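Review bot: With the defaults removed, `etype_list` is now whatever the caller passed and is written unvalidated, so a caller passing 0 will set msDS-SupportedEncryptionTypes to "0" on a 2008+ domain, which is a very different statement than leaving the attribute unset. Either skip the attribute for an empty set, `if (func_level >= DS_DOMAIN_FUNCTION_2008 && etype_list != 0) {`, or document in the `@param` block above ads_create_machine_acct (outside the hunk) that etype_list must be non-zero. ads_create_machine_acct starts before the hunk and continues after it.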
748 |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c |
749 |
index b10080d..876a453 100644 |
750 |
--- a/source3/libnet/libnet_join.c |
751 |
+++ b/source3/libnet/libnet_join.c |
752 |
@@ -318,7 +318,8 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, |
753 |
|
754 |
status = ads_create_machine_acct(r->in.ads, |
755 |
r->in.machine_name, |
756 |
- r->in.account_ou); |
757 |
+ r->in.account_ou, |
758 |
+ r->in.desired_encryption_types); |
759 |
|
760 |
if (ADS_ERR_OK(status)) { |
761 |
DEBUG(1,("machine account creation created\n")); |
762 |
@@ -673,17 +674,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, |
763 |
{ |
764 |
ADS_STATUS status; |
765 |
ADS_MODLIST mods; |
766 |
- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; |
767 |
const char *etype_list_str; |
768 |
|
769 |
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
770 |
- etype_list |= ENC_HMAC_SHA1_96_AES128; |
771 |
-#endif |
772 |
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 |
773 |
- etype_list |= ENC_HMAC_SHA1_96_AES256; |
774 |
-#endif |
775 |
- |
776 |
- etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); |
777 |
+ etype_list_str = talloc_asprintf(mem_ctx, "%d", |
778 |
+ r->in.desired_encryption_types); |
779 |
if (!etype_list_str) { |
780 |
return ADS_ERROR(LDAP_NO_MEMORY); |
781 |
} |
782 |
@@ -2143,6 +2137,16 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx, |
783 |
|
784 |
ctx->in.secure_channel_type = SEC_CHAN_WKSTA; |
785 |
|
786 |
+ ctx->in.desired_encryption_types = ENC_CRC32 | |
787 |
+ ENC_RSA_MD5 | |
788 |
+ ENC_RC4_HMAC_MD5; |
789 |
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
790 |
+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128; |
791 |
+#endif |
792 |
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 |
793 |
+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256; |
794 |
+#endif |
795 |
+ |
796 |
*r = ctx; |
797 |
|
798 |
return WERR_OK; |
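Review bot: The default `ctx->in.desired_encryption_types` advertises the DES types ENC_CRC32 and ENC_RSA_MD5 together with RC4 and, where built in, AES, and nothing explains why the legacy types are kept; since this value is what ends up in msDS-SupportedEncryptionTypes for every join, the reason belongs next to it. A comment such as `/* legacy DES/RC4 types kept for interoperability with older DCs; the DC ignores types it has disabled */` (or whatever the actual rationale is) would make the security trade-off visible and reviewable. libnet_init_JoinCtx starts before the hunk.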
799 |
-- |
800 |
2.9.0 |
801 |
|
802 |
|
803 |
From 51a68159e119149b9527cac8a8a119f34bb6879a Mon Sep 17 00:00:00 2001 |
804 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
805 |
Date: Fri, 11 Mar 2016 16:05:53 +0100 |
806 |
Subject: [PATCH 10/11] s3:libnet:libnet_join: fill in output enctypes and only |
807 |
modify when necessary. |
808 |
|
809 |
Guenther |
810 |
|
811 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
812 |
|
813 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
814 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
815 |
(cherry picked from commit 5d498d1b4d9b83f179fb7b2841a19ad984eec5f8) |
816 |
--- |
817 |
source3/libads/ldap.c | 2 +- |
818 |
source3/libnet/libnet_join.c | 18 +++++++++++++++++- |
819 |
2 files changed, 18 insertions(+), 2 deletions(-) |
820 |
|
821 |
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c |
822 |
index 72bf4d9..f611da2 100644 |
823 |
--- a/source3/libads/ldap.c |
824 |
+++ b/source3/libads/ldap.c |
825 |
@@ -1268,7 +1268,7 @@ char *ads_parent_dn(const char *dn) |
826 |
{ |
827 |
ADS_STATUS status; |
828 |
char *expr; |
829 |
- const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; |
830 |
+ const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; |
831 |
|
832 |
*res = NULL; |
833 |
|
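Review bot: The attribute list already contains `"*"`, which requests every non-constructed attribute, so the explicit `"msDS-SupportedEncryptionTypes"` entry looks redundant unless some server omits it from a wildcard read; if that is the reason, a short comment on the line, e.g. `/* requested explicitly: not all DCs return it via "*" */`, would stop a future cleanup from dropping it. The function being edited starts outside this hunk (the `ads_parent_dn` in the hunk header is only git's context guess).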
834 |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c |
835 |
index 876a453..9f3d830 100644 |
836 |
--- a/source3/libnet/libnet_join.c |
837 |
+++ b/source3/libnet/libnet_join.c |
838 |
@@ -417,6 +417,11 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx, |
839 |
goto done; |
840 |
} |
841 |
|
842 |
+ if (!ads_pull_uint32(r->in.ads, res, "msDS-SupportedEncryptionTypes", |
843 |
+ &r->out.set_encryption_types)) { |
844 |
+ r->out.set_encryption_types = 0; |
845 |
+ } |
846 |
+ |
847 |
done: |
848 |
ads_msgfree(r->in.ads, res); |
849 |
TALLOC_FREE(dn); |
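Review bot: The fallback to `0` when `ads_pull_uint32()` fails makes "attribute absent or unreadable" indistinguishable from "attribute present with value 0", and the later `desired == set` comparisons in libnet_join_set_etypes treat both the same way; a comment on the assignment would document that this is intended, e.g. `/* missing or unreadable: treat as unset so the desired etypes get (re)applied */`. Note that on the `goto done` error paths above, `r->out.set_encryption_types` is left untouched, which is fine only if the caller ignores it on error. The enclosing function starts outside this hunk.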
850 |
@@ -689,6 +694,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, |
851 |
return status; |
852 |
} |
853 |
|
854 |
+ if (r->in.desired_encryption_types == r->out.set_encryption_types) { |
855 |
+ return ADS_SUCCESS; |
856 |
+ } |
857 |
+ |
858 |
/* now do the mods */ |
859 |
|
860 |
mods = ads_init_mods(mem_ctx); |
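Review bot: The early-return compares `desired_encryption_types` and `set_encryption_types` for exact equality, so an attribute that already holds a superset of the desired bits (for instance one an administrator extended by hand) is treated as "needs update" and, if the mod built below is a replace, overwritten with the smaller set. If that is acceptable, a comment saying so on the `if` would help, e.g. `/* exact match only: any differing value is replaced with the desired set */`; if not, the check should be `(r->in.desired_encryption_types & ~r->out.set_encryption_types) == 0`. The same exact-equality test is used in libnet_join_post_processing_ads in patch 11/11, so both should agree. The mods construction and the rest of libnet_join_set_etypes lie outside this hunk.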
861 |
@@ -702,7 +711,14 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, |
862 |
return status; |
863 |
} |
864 |
|
865 |
- return ads_gen_mod(r->in.ads, r->out.dn, mods); |
866 |
+ status = ads_gen_mod(r->in.ads, r->out.dn, mods); |
867 |
+ if (!ADS_ERR_OK(status)) { |
868 |
+ return status; |
869 |
+ } |
870 |
+ |
871 |
+ r->out.set_encryption_types = r->in.desired_encryption_types; |
872 |
+ |
873 |
+ return ADS_SUCCESS; |
874 |
} |
875 |
#endif |
876 |
/**************************************************************** |
877 |
-- |
878 |
2.9.0 |
879 |
|
880 |
|
881 |
From a489ac90045212decebbadf46a51fff42c224d3c Mon Sep 17 00:00:00 2001 |
882 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
883 |
Date: Fri, 11 Mar 2016 23:15:06 +0100 |
884 |
Subject: [PATCH 11/11] s3:libnet:libnet_join: update |
885 |
msDS-SupportedEncryptionTypes (if required) with machine creds. |
886 |
|
887 |
Guenther |
888 |
|
889 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 |
890 |
|
891 |
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> |
892 |
|
893 |
Signed-off-by: Guenther Deschner <gd@samba.org> |
894 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
895 |
|
896 |
Autobuild-User(master): Stefan Metzmacher <metze@samba.org> |
897 |
Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144 |
898 |
|
899 |
(cherry picked from commit 06aefe4b956ae8748e20ae4c730aa344e81808b6) |
900 |
--- |
901 |
source3/libnet/libnet_join.c | 59 +++++++++++++++++++++++++++++++++++++++++--- |
902 |
1 file changed, 55 insertions(+), 4 deletions(-) |
903 |
|
904 |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c |
905 |
index 9f3d830..84f0e40 100644 |
906 |
--- a/source3/libnet/libnet_join.c |
907 |
+++ b/source3/libnet/libnet_join.c |
908 |
@@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx, |
909 |
|
910 |
/**************************************************************** |
911 |
****************************************************************/ |
912 |
-#if 0 |
913 |
+ |
914 |
static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx, |
915 |
struct libnet_JoinCtx *r) |
916 |
{ |
917 |
return libnet_join_connect_ads(mem_ctx, r, true); |
918 |
} |
919 |
-#endif |
920 |
+ |
921 |
/**************************************************************** |
922 |
****************************************************************/ |
923 |
|
924 |
@@ -673,7 +673,7 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, |
925 |
|
926 |
/**************************************************************** |
927 |
****************************************************************/ |
928 |
-#if 0 |
929 |
+ |
930 |
static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, |
931 |
struct libnet_JoinCtx *r) |
932 |
{ |
933 |
@@ -720,7 +720,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, |
934 |
|
935 |
return ADS_SUCCESS; |
936 |
} |
937 |
-#endif |
938 |
+ |
939 |
/**************************************************************** |
940 |
****************************************************************/ |
941 |
|
942 |
@@ -798,6 +798,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, |
943 |
struct libnet_JoinCtx *r) |
944 |
{ |
945 |
ADS_STATUS status; |
946 |
+ bool need_etype_update = false; |
947 |
|
948 |
if (!r->in.ads) { |
949 |
status = libnet_join_connect_ads_user(mem_ctx, r); |
950 |
@@ -832,6 +833,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, |
951 |
return status; |
952 |
} |
953 |
|
954 |
+ status = libnet_join_find_machine_acct(mem_ctx, r); |
955 |
+ if (!ADS_ERR_OK(status)) { |
956 |
+ return status; |
957 |
+ } |
958 |
+ |
959 |
+ if (r->in.desired_encryption_types != r->out.set_encryption_types) { |
960 |
+ uint32_t func_level = 0; |
961 |
+ |
962 |
+ status = ads_domain_func_level(r->in.ads, &func_level); |
963 |
+ if (!ADS_ERR_OK(status)) { |
964 |
+ libnet_join_set_error_string(mem_ctx, r, |
965 |
+ "failed to query domain controller functional level: %s", |
966 |
+ ads_errstr(status)); |
967 |
+ return status; |
968 |
+ } |
969 |
+ |
970 |
+ if (func_level >= DS_DOMAIN_FUNCTION_2008) { |
971 |
+ need_etype_update = true; |
972 |
+ } |
973 |
+ } |
974 |
+ |
975 |
+ if (need_etype_update) { |
976 |
+ /* |
977 |
+ * We need to reconnect as machine account in order |
978 |
+ * to update msDS-SupportedEncryptionTypes reliable |
979 |
+ */ |
980 |
+ |
981 |
+ if (r->in.ads->auth.ccache_name != NULL) { |
982 |
+ ads_kdestroy(r->in.ads->auth.ccache_name); |
983 |
+ } |
984 |
+ |
985 |
+ ads_destroy(&r->in.ads); |
986 |
+ |
987 |
+ status = libnet_join_connect_ads_machine(mem_ctx, r); |
988 |
+ if (!ADS_ERR_OK(status)) { |
989 |
+ libnet_join_set_error_string(mem_ctx, r, |
990 |
+ "Failed to connect as machine account: %s", |
991 |
+ ads_errstr(status)); |
992 |
+ return status; |
993 |
+ } |
994 |
+ |
995 |
+ status = libnet_join_set_etypes(mem_ctx, r); |
996 |
+ if (!ADS_ERR_OK(status)) { |
997 |
+ libnet_join_set_error_string(mem_ctx, r, |
998 |
+ "failed to set machine kerberos encryption types: %s", |
999 |
+ ads_errstr(status)); |
1000 |
+ return status; |
1001 |
+ } |
1002 |
+ } |
1003 |
+ |
1004 |
if (!libnet_join_derive_salting_principal(mem_ctx, r)) { |
1005 |
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); |
1006 |
} |
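Review bot: The user-authenticated connection is torn down (`ads_kdestroy()` plus `ads_destroy(&r->in.ads)`) before the machine-account connection is known to work, so when `libnet_join_connect_ads_machine()` fails the function returns with `r->in.ads` NULL and the join is reported as failed even though the account was created and configured with user credentials; if the etype update is meant to be best-effort, it would be safer to connect as the machine first and only destroy the user connection on success, or to document that a machine bind failure is fatal by design. When the domain functional level is below `DS_DOMAIN_FUNCTION_2008` the mismatch is silently skipped; a `DEBUG()` line there would help administrators understand why msDS-SupportedEncryptionTypes was not updated. The block comment should read "reliably" rather than "reliable". libnet_join_post_processing_ads continues beyond this hunk.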
1007 |
-- |
1008 |
2.9.0 |
1009 |
|