samba/sme10/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch

From a24fa6abf4f8a937554d292448a765677f9dec53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 31 May 2016 18:47:34 +0200
Subject: [PATCH] s3:libnet: accept empty realm for AD domains when only
 security=domain is set.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Initial patch from Matt Rogers @ RedHat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jun 15 20:28:31 CEST 2016 on sn-devel-144

(cherry picked from commit 234a470f198f8f09f46aaeaf58f966faccedef18)
---
 source3/libnet/libnet_join.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a28864d..b5a5ae2 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2367,9 +2367,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
                        W_ERROR_HAVE_NO_MEMORY(wrong_conf);
                }
 
+               /*
+                * We should generate the warning for the special case when
+                * domain is AD, "security = domain" and the realm parameter is
+                * not set.
+                */
+               if (lp_security() == SEC_DOMAIN &&
+                   r->out.domain_is_ad &&
+                   !valid_realm) {
+                       libnet_join_set_error_string(mem_ctx, r,
+                               "Warning: when joining AD domains with security=domain, "
+                               "\"realm\" should be defined in the configuration (%s) "
+                               "and configuration modification was not requested",
+                               wrong_conf);
+                       return WERR_OK;
+               }
+
                libnet_join_set_error_string(mem_ctx, r,
                        "Invalid configuration (%s) and configuration modification "
                        "was not requested", wrong_conf);
+
                return WERR_CAN_NOT_COMPLETE;
        }
 
-- 
2.9.0

From 872207a7dcbb6272e6a4e8bf2fd366128a63e087 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 15 Jun 2016 16:04:29 +0200
Subject: [PATCH 1/2] s3-libnet: Print error string even on successfuly
 completion of libnetjoin.

Sometimes useful information should be printed to the users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 632faa87610b3afca3f8d3e9f3f46ee6b87f362a)
---
 source3/utils/net_ads.c |  5 +++++
 source3/utils/net_rpc.c | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 90af09e..c61aa0d 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1596,6 +1596,11 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
                        r->out.netbios_domain_name);
        }
 
+       /* print out informative error string in case there is one */
+       if (r->out.error_string != NULL) {
+               d_printf("%s\n", r->out.error_string);
+       }
+
        /*
         * We try doing the dns update (if it was compiled in
         * and if it was not disabled on the command line).
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 93caf04..1e3e286 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -428,6 +428,11 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
                        r->out.netbios_domain_name);
        }
 
+       /* print out informative error string in case there is one */
+       if (r->out.error_string != NULL) {
+               d_printf("%s\n", r->out.error_string);
+       }
+
        TALLOC_FREE(mem_ctx);
 
        return 0;
@@ -607,6 +612,11 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a
                        r->out.netbios_domain_name);
        }
 
+       /* print out informative error string in case there is one */
+       if (r->out.error_string != NULL) {
+               d_printf("%s\n", r->out.error_string);
+       }
+
        TALLOC_FREE(mem_ctx);
 
        return 0;
-- 
2.5.5


From 3f5af70f63f2ca141da8bd28ae131079b7f93f55 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Wed, 15 Jun 2016 23:03:32 +0200
Subject: [PATCH 2/2] libnet: ignore realm setting for domain security joins to
 AD domains if 'winbind rpc only = true'

Inspired by initial patch from Matt Rogers @ RedHat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Jun 22 05:05:47 CEST 2016 on sn-devel-144

(cherry picked from commit e29d8f108cd090706dc3f54282f5c33ec30df899)
---
 source3/libnet/libnet_join.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index c007183..bab58f3 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2303,6 +2303,7 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
        bool valid_security = false;
        bool valid_workgroup = false;
        bool valid_realm = false;
+       bool ignored_realm = false;
 
        /* check if configuration is already set correctly */
 
@@ -2322,11 +2323,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
                        valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
                        switch (lp_security()) {
                        case SEC_DOMAIN:
+                               if (!valid_realm && lp_winbind_rpc_only()) {
+                                       valid_realm = true;
+                                       ignored_realm = true;
+                               }
                        case SEC_ADS:
                                valid_security = true;
                        }
 
                        if (valid_workgroup && valid_realm && valid_security) {
+                               if (ignored_realm && !r->in.modify_config)
+                               {
+                                       libnet_join_set_error_string(mem_ctx, r,
+                                               "Warning: ignoring realm when "
+                                               "joining AD domain with "
+                                               "'security=domain' and "
+                                               "'winbind rpc only = yes'. "
+                                               "(realm set to '%s', "
+                                               "should be '%s').", lp_realm(),
+                                               r->out.dns_domain_name);
+                               }
                                /* nothing to be done */
                                return WERR_OK;
                        }
-- 
2.5.5

1	From a24fa6abf4f8a937554d292448a765677f9dec53 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3	Date: Tue, 31 May 2016 18:47:34 +0200
4	Subject: [PATCH] s3:libnet: accept empty realm for AD domains when only
5	security=domain is set.
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	Initial patch from Matt Rogers @ RedHat.
11
12	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
13
14	Guenther
15
16	Pair-Programmed-With: Andreas Schneider <asn@samba.org>
17	Signed-off-by: Guenther Deschner <gd@samba.org>
18	Signed-off-by: Andreas Schneider <asn@samba.org>
19
20	Autobuild-User(master): Günther Deschner <gd@samba.org>
21	Autobuild-Date(master): Wed Jun 15 20:28:31 CEST 2016 on sn-devel-144
22
23	(cherry picked from commit 234a470f198f8f09f46aaeaf58f966faccedef18)
24	---
25	source3/libnet/libnet_join.c \| 17 +++++++++++++++++
26	1 file changed, 17 insertions(+)
27
28	diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
29	index a28864d..b5a5ae2 100644
30	--- a/source3/libnet/libnet_join.c
31	+++ b/source3/libnet/libnet_join.c
32	@@ -2367,9 +2367,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
33	W_ERROR_HAVE_NO_MEMORY(wrong_conf);
34	}
35
36	+ /*
37	+ * We should generate the warning for the special case when
38	+ * domain is AD, "security = domain" and the realm parameter is
39	+ * not set.
40	+ */
41	+ if (lp_security() == SEC_DOMAIN &&
42	+ r->out.domain_is_ad &&
43	+ !valid_realm) {
44	+ libnet_join_set_error_string(mem_ctx, r,
45	+ "Warning: when joining AD domains with security=domain, "
46	+ "\"realm\" should be defined in the configuration (%s) "
47	+ "and configuration modification was not requested",
48	+ wrong_conf);
49	+ return WERR_OK;
50	+ }
51	+
52	libnet_join_set_error_string(mem_ctx, r,
53	"Invalid configuration (%s) and configuration modification "
54	"was not requested", wrong_conf);
55	+
56	return WERR_CAN_NOT_COMPLETE;
57	}
58
59	--
60	2.9.0
61
62	From 872207a7dcbb6272e6a4e8bf2fd366128a63e087 Mon Sep 17 00:00:00 2001
63	From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
64	Date: Wed, 15 Jun 2016 16:04:29 +0200
65	Subject: [PATCH 1/2] s3-libnet: Print error string even on successfuly
66	completion of libnetjoin.
67
68	Sometimes useful information should be printed to the users.
69
70	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
71
72	Guenther
73
74	Signed-off-by: Guenther Deschner <gd@samba.org>
75	(cherry picked from commit 632faa87610b3afca3f8d3e9f3f46ee6b87f362a)
76	---
77	source3/utils/net_ads.c \| 5 +++++
78	source3/utils/net_rpc.c \| 10 ++++++++++
79	2 files changed, 15 insertions(+)
80
81	diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
82	index 90af09e..c61aa0d 100644
83	--- a/source3/utils/net_ads.c
84	+++ b/source3/utils/net_ads.c
85	@@ -1596,6 +1596,11 @@ int net_ads_join(struct net_context c, int argc, const char *argv)
86	r->out.netbios_domain_name);
87	}
88
89	+ /* print out informative error string in case there is one */
90	+ if (r->out.error_string != NULL) {
91	+ d_printf("%s\n", r->out.error_string);
92	+ }
93	+
94	/*
95	* We try doing the dns update (if it was compiled in
96	* and if it was not disabled on the command line).
97	diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
98	index 93caf04..1e3e286 100644
99	--- a/source3/utils/net_rpc.c
100	+++ b/source3/utils/net_rpc.c
101	@@ -428,6 +428,11 @@ static int net_rpc_oldjoin(struct net_context c, int argc, const char *argv)
102	r->out.netbios_domain_name);
103	}
104
105	+ /* print out informative error string in case there is one */
106	+ if (r->out.error_string != NULL) {
107	+ d_printf("%s\n", r->out.error_string);
108	+ }
109	+
110	TALLOC_FREE(mem_ctx);
111
112	return 0;
113	@@ -607,6 +612,11 @@ static int net_rpc_join_newstyle(struct net_context c, int argc, const char *a
114	r->out.netbios_domain_name);
115	}
116
117	+ /* print out informative error string in case there is one */
118	+ if (r->out.error_string != NULL) {
119	+ d_printf("%s\n", r->out.error_string);
120	+ }
121	+
122	TALLOC_FREE(mem_ctx);
123
124	return 0;
125	--
126	2.5.5
127
128
129	From 3f5af70f63f2ca141da8bd28ae131079b7f93f55 Mon Sep 17 00:00:00 2001
130	From: Michael Adam <obnox@samba.org>
131	Date: Wed, 15 Jun 2016 23:03:32 +0200
132	Subject: [PATCH 2/2] libnet: ignore realm setting for domain security joins to
133	AD domains if 'winbind rpc only = true'
134
135	Inspired by initial patch from Matt Rogers @ RedHat.
136
137	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
138
139	Signed-off-by: Michael Adam <obnox@samba.org>
140	Reviewed-by: Guenther Deschner <gd@samba.org>
141
142	Autobuild-User(master): Michael Adam <obnox@samba.org>
143	Autobuild-Date(master): Wed Jun 22 05:05:47 CEST 2016 on sn-devel-144
144
145	(cherry picked from commit e29d8f108cd090706dc3f54282f5c33ec30df899)
146	---
147	source3/libnet/libnet_join.c \| 16 ++++++++++++++++
148	1 file changed, 16 insertions(+)
149
150	diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
151	index c007183..bab58f3 100644
152	--- a/source3/libnet/libnet_join.c
153	+++ b/source3/libnet/libnet_join.c
154	@@ -2303,6 +2303,7 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
155	bool valid_security = false;
156	bool valid_workgroup = false;
157	bool valid_realm = false;
158	+ bool ignored_realm = false;
159
160	/* check if configuration is already set correctly */
161
162	@@ -2322,11 +2323,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
163	valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
164	switch (lp_security()) {
165	case SEC_DOMAIN:
166	+ if (!valid_realm && lp_winbind_rpc_only()) {
167	+ valid_realm = true;
168	+ ignored_realm = true;
169	+ }
170	case SEC_ADS:
171	valid_security = true;
172	}
173
174	if (valid_workgroup && valid_realm && valid_security) {
175	+ if (ignored_realm && !r->in.modify_config)
176	+ {
177	+ libnet_join_set_error_string(mem_ctx, r,
178	+ "Warning: ignoring realm when "
179	+ "joining AD domain with "
180	+ "'security=domain' and "
181	+ "'winbind rpc only = yes'. "
182	+ "(realm set to '%s', "
183	+ "should be '%s').", lp_realm(),
184	+ r->out.dns_domain_name);
185	+ }
186	/* nothing to be done */
187	return WERR_OK;
188	}
189	--
190	2.5.5
191