samba/sme10/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch

From a24fa6abf4f8a937554d292448a765677f9dec53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 31 May 2016 18:47:34 +0200
Subject: [PATCH] s3:libnet: accept empty realm for AD domains when only
 security=domain is set.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Initial patch from Matt Rogers @ RedHat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jun 15 20:28:31 CEST 2016 on sn-devel-144

(cherry picked from commit 234a470f198f8f09f46aaeaf58f966faccedef18)
---
 source3/libnet/libnet_join.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a28864d..b5a5ae2 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2367,9 +2367,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
                        W_ERROR_HAVE_NO_MEMORY(wrong_conf);
                }
 
+               /*
+                * We should generate the warning for the special case when
+                * domain is AD, "security = domain" and the realm parameter is
+                * not set.
+                */
+               if (lp_security() == SEC_DOMAIN &&
+                   r->out.domain_is_ad &&
+                   !valid_realm) {
+                       libnet_join_set_error_string(mem_ctx, r,
+                               "Warning: when joining AD domains with security=domain, "
+                               "\"realm\" should be defined in the configuration (%s) "
+                               "and configuration modification was not requested",
+                               wrong_conf);
+                       return WERR_OK;
+               }
+
                libnet_join_set_error_string(mem_ctx, r,
                        "Invalid configuration (%s) and configuration modification "
                        "was not requested", wrong_conf);
+
                return WERR_CAN_NOT_COMPLETE;
        }
 
-- 
2.9.0

From 872207a7dcbb6272e6a4e8bf2fd366128a63e087 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 15 Jun 2016 16:04:29 +0200
Subject: [PATCH 1/2] s3-libnet: Print error string even on successfuly
 completion of libnetjoin.

Sometimes useful information should be printed to the users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 632faa87610b3afca3f8d3e9f3f46ee6b87f362a)
---
 source3/utils/net_ads.c |  5 +++++
 source3/utils/net_rpc.c | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 90af09e..c61aa0d 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1596,6 +1596,11 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
                        r->out.netbios_domain_name);
        }
 
+       /* print out informative error string in case there is one */
+       if (r->out.error_string != NULL) {
+               d_printf("%s\n", r->out.error_string);
+       }
+
        /*
         * We try doing the dns update (if it was compiled in
         * and if it was not disabled on the command line).
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 93caf04..1e3e286 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -428,6 +428,11 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
                        r->out.netbios_domain_name);
        }
 
+       /* print out informative error string in case there is one */
+       if (r->out.error_string != NULL) {
+               d_printf("%s\n", r->out.error_string);
+       }
+
        TALLOC_FREE(mem_ctx);
 
        return 0;
@@ -607,6 +612,11 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a
                        r->out.netbios_domain_name);
        }
 
+       /* print out informative error string in case there is one */
+       if (r->out.error_string != NULL) {
+               d_printf("%s\n", r->out.error_string);
+       }
+
        TALLOC_FREE(mem_ctx);
 
        return 0;
-- 
2.5.5


From 3f5af70f63f2ca141da8bd28ae131079b7f93f55 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Wed, 15 Jun 2016 23:03:32 +0200
Subject: [PATCH 2/2] libnet: ignore realm setting for domain security joins to
 AD domains if 'winbind rpc only = true'

Inspired by initial patch from Matt Rogers @ RedHat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Jun 22 05:05:47 CEST 2016 on sn-devel-144

(cherry picked from commit e29d8f108cd090706dc3f54282f5c33ec30df899)
---
 source3/libnet/libnet_join.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index c007183..bab58f3 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2303,6 +2303,7 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
        bool valid_security = false;
        bool valid_workgroup = false;
        bool valid_realm = false;
+       bool ignored_realm = false;
 
        /* check if configuration is already set correctly */
 
@@ -2322,11 +2323,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
                        valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
                        switch (lp_security()) {
                        case SEC_DOMAIN:
+                               if (!valid_realm && lp_winbind_rpc_only()) {
+                                       valid_realm = true;
+                                       ignored_realm = true;
+                               }
                        case SEC_ADS:
                                valid_security = true;
                        }
 
                        if (valid_workgroup && valid_realm && valid_security) {
+                               if (ignored_realm && !r->in.modify_config)
+                               {
+                                       libnet_join_set_error_string(mem_ctx, r,
+                                               "Warning: ignoring realm when "
+                                               "joining AD domain with "
+                                               "'security=domain' and "
+                                               "'winbind rpc only = yes'. "
+                                               "(realm set to '%s', "
+                                               "should be '%s').", lp_realm(),
+                                               r->out.dns_domain_name);
+                               }
                                /* nothing to be done */
                                return WERR_OK;
                        }
-- 
2.5.5

1	unnilennium	1.1	From a24fa6abf4f8a937554d292448a765677f9dec53 Mon Sep 17 00:00:00 2001
2			From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3			Date: Tue, 31 May 2016 18:47:34 +0200
4			Subject: [PATCH] s3:libnet: accept empty realm for AD domains when only
5			security=domain is set.
6			MIME-Version: 1.0
7			Content-Type: text/plain; charset=UTF-8
8			Content-Transfer-Encoding: 8bit
9
10			Initial patch from Matt Rogers @ RedHat.
11
12			BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
13
14			Guenther
15
16			Pair-Programmed-With: Andreas Schneider <asn@samba.org>
17			Signed-off-by: Guenther Deschner <gd@samba.org>
18			Signed-off-by: Andreas Schneider <asn@samba.org>
19
20			Autobuild-User(master): Günther Deschner <gd@samba.org>
21			Autobuild-Date(master): Wed Jun 15 20:28:31 CEST 2016 on sn-devel-144
22
23			(cherry picked from commit 234a470f198f8f09f46aaeaf58f966faccedef18)
24			---
25			source3/libnet/libnet_join.c \| 17 +++++++++++++++++
26			1 file changed, 17 insertions(+)
27
28			diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
29			index a28864d..b5a5ae2 100644
30			--- a/source3/libnet/libnet_join.c
31			+++ b/source3/libnet/libnet_join.c
32			@@ -2367,9 +2367,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
33			W_ERROR_HAVE_NO_MEMORY(wrong_conf);
34			}
35
36			+ /*
37			+ * We should generate the warning for the special case when
38			+ * domain is AD, "security = domain" and the realm parameter is
39			+ * not set.
40			+ */
41			+ if (lp_security() == SEC_DOMAIN &&
42			+ r->out.domain_is_ad &&
43			+ !valid_realm) {
44			+ libnet_join_set_error_string(mem_ctx, r,
45			+ "Warning: when joining AD domains with security=domain, "
46			+ "\"realm\" should be defined in the configuration (%s) "
47			+ "and configuration modification was not requested",
48			+ wrong_conf);
49			+ return WERR_OK;
50			+ }
51			+
52			libnet_join_set_error_string(mem_ctx, r,
53			"Invalid configuration (%s) and configuration modification "
54			"was not requested", wrong_conf);
55			+
56			return WERR_CAN_NOT_COMPLETE;
57			}
58
59			--
60			2.9.0
61
62			From 872207a7dcbb6272e6a4e8bf2fd366128a63e087 Mon Sep 17 00:00:00 2001
63			From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
64			Date: Wed, 15 Jun 2016 16:04:29 +0200
65			Subject: [PATCH 1/2] s3-libnet: Print error string even on successfuly
66			completion of libnetjoin.
67
68			Sometimes useful information should be printed to the users.
69
70			BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
71
72			Guenther
73
74			Signed-off-by: Guenther Deschner <gd@samba.org>
75			(cherry picked from commit 632faa87610b3afca3f8d3e9f3f46ee6b87f362a)
76			---
77			source3/utils/net_ads.c \| 5 +++++
78			source3/utils/net_rpc.c \| 10 ++++++++++
79			2 files changed, 15 insertions(+)
80
81			diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
82			index 90af09e..c61aa0d 100644
83			--- a/source3/utils/net_ads.c
84			+++ b/source3/utils/net_ads.c
85			@@ -1596,6 +1596,11 @@ int net_ads_join(struct net_context c, int argc, const char *argv)
86			r->out.netbios_domain_name);
87			}
88
89			+ /* print out informative error string in case there is one */
90			+ if (r->out.error_string != NULL) {
91			+ d_printf("%s\n", r->out.error_string);
92			+ }
93			+
94			/*
95			* We try doing the dns update (if it was compiled in
96			* and if it was not disabled on the command line).
97			diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
98			index 93caf04..1e3e286 100644
99			--- a/source3/utils/net_rpc.c
100			+++ b/source3/utils/net_rpc.c
101			@@ -428,6 +428,11 @@ static int net_rpc_oldjoin(struct net_context c, int argc, const char *argv)
102			r->out.netbios_domain_name);
103			}
104
105			+ /* print out informative error string in case there is one */
106			+ if (r->out.error_string != NULL) {
107			+ d_printf("%s\n", r->out.error_string);
108			+ }
109			+
110			TALLOC_FREE(mem_ctx);
111
112			return 0;
113			@@ -607,6 +612,11 @@ static int net_rpc_join_newstyle(struct net_context c, int argc, const char *a
114			r->out.netbios_domain_name);
115			}
116
117			+ /* print out informative error string in case there is one */
118			+ if (r->out.error_string != NULL) {
119			+ d_printf("%s\n", r->out.error_string);
120			+ }
121			+
122			TALLOC_FREE(mem_ctx);
123
124			return 0;
125			--
126			2.5.5
127
128
129			From 3f5af70f63f2ca141da8bd28ae131079b7f93f55 Mon Sep 17 00:00:00 2001
130			From: Michael Adam <obnox@samba.org>
131			Date: Wed, 15 Jun 2016 23:03:32 +0200
132			Subject: [PATCH 2/2] libnet: ignore realm setting for domain security joins to
133			AD domains if 'winbind rpc only = true'
134
135			Inspired by initial patch from Matt Rogers @ RedHat.
136
137			BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
138
139			Signed-off-by: Michael Adam <obnox@samba.org>
140			Reviewed-by: Guenther Deschner <gd@samba.org>
141
142			Autobuild-User(master): Michael Adam <obnox@samba.org>
143			Autobuild-Date(master): Wed Jun 22 05:05:47 CEST 2016 on sn-devel-144
144
145			(cherry picked from commit e29d8f108cd090706dc3f54282f5c33ec30df899)
146			---
147			source3/libnet/libnet_join.c \| 16 ++++++++++++++++
148			1 file changed, 16 insertions(+)
149
150			diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
151			index c007183..bab58f3 100644
152			--- a/source3/libnet/libnet_join.c
153			+++ b/source3/libnet/libnet_join.c
154			@@ -2303,6 +2303,7 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
155			bool valid_security = false;
156			bool valid_workgroup = false;
157			bool valid_realm = false;
158			+ bool ignored_realm = false;
159
160			/* check if configuration is already set correctly */
161
162			@@ -2322,11 +2323,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
163			valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
164			switch (lp_security()) {
165			case SEC_DOMAIN:
166			+ if (!valid_realm && lp_winbind_rpc_only()) {
167			+ valid_realm = true;
168			+ ignored_realm = true;
169			+ }
170			case SEC_ADS:
171			valid_security = true;
172			}
173
174			if (valid_workgroup && valid_realm && valid_security) {
175			+ if (ignored_realm && !r->in.modify_config)
176			+ {
177			+ libnet_join_set_error_string(mem_ctx, r,
178			+ "Warning: ignoring realm when "
179			+ "joining AD domain with "
180			+ "'security=domain' and "
181			+ "'winbind rpc only = yes'. "
182			+ "(realm set to '%s', "
183			+ "should be '%s').", lp_realm(),
184			+ r->out.dns_domain_name);
185			+ }
186			/* nothing to be done */
187			return WERR_OK;
188			}
189			--
190			2.5.5
191