The Samba-Bugzilla – Attachment 11166 Details for
Bug 11333
Domain-based DFS/msdfs proxy doesn't perform root referral correctly
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Here's an example patch that works in my domain
FixRootReferral.patch (text/plain), 2.75 KB, created by
samba
on 2015-06-17 00:27:27 UTC
(
hide
)
Description:
Here's an example patch that works in my domain
Filename:
MIME Type:
Creator:
samba
Created:
2015-06-17 00:27:27 UTC
Size:
2.75 KB
patch
obsolete
>diff -rup samba-4.2.2.orig/source3/libsmb/clidfs.c samba-4.2.2/source3/libsmb/clidfs.c >--- samba-4.2.2.orig/source3/libsmb/clidfs.c 2015-02-24 10:59:51.000000000 -0800 >+++ samba-4.2.2/source3/libsmb/clidfs.c 2015-06-16 17:20:08.247914441 -0700 >@@ -106,14 +106,17 @@ static NTSTATUS do_connect(TALLOC_CTX *c > struct cli_state **pcli) > { > struct cli_state *c = NULL; >+ fstring dc_name; > char *servicename; > char *sharename; > char *newserver, *newshare; > const char *username; > const char *password; > const char *domain; >+ const char *realm; > NTSTATUS status; > int flags = 0; >+ bool require_msdfs_proxy = false; > > /* make a copy so we don't modify the global string 'service' */ > servicename = talloc_strdup(ctx,share); >@@ -137,6 +140,43 @@ static NTSTATUS do_connect(TALLOC_CTX *c > return NT_STATUS_INVALID_PARAMETER; > } > >+ domain = get_cmdline_auth_info_domain(auth_info); >+ if ((domain == NULL) || (domain[0] == '\0')) { >+ domain = lp_workgroup(); >+ } >+ >+ realm = lp_realm(); >+ >+ // For domain-based DFS, if the domain or realm name is given as >+ // the server, the initial connection should be to one of the >+ // domain controllers. Assuming we can find a domain controller, >+ // require that the cli_check_msdfs_proxy call succeeds below. >+ if (strequal(server, domain) || strequal(server, realm)) { >+ struct ip_service *ip_list = NULL; >+ int count = 0; >+ int i; >+ >+ // is there a better way to get the nearest/best domain controller? >+ status = get_sorted_dc_list(domain, NULL, >+ &ip_list, &count, >+ false); >+ if (NT_STATUS_IS_OK(status)) { >+ for (i = 0; i < count; ++i) { >+ // We need the name for kerberos auth to trigger/work, as >+ // we need the server principal name during spnego >+ if (name_status_find("*", 0, 0, &ip_list[i].ss, dc_name)) { >+ DEBUG(4,("Using DC=%s for initial msdfs proxy get referrals\n", dc_name)); >+ server = dc_name; >+ require_msdfs_proxy = true; >+ break; >+ } >+ } >+ >+ SAFE_FREE(ip_list); >+ count = 0; >+ } >+ } >+ > if (get_cmdline_auth_info_use_kerberos(auth_info)) { > flags |= CLI_FULL_CONNECTION_USE_KERBEROS; > } >@@ -185,10 +225,6 @@ static NTSTATUS do_connect(TALLOC_CTX *c > > username = get_cmdline_auth_info_username(auth_info); > password = get_cmdline_auth_info_password(auth_info); >- domain = get_cmdline_auth_info_domain(auth_info); >- if ((domain == NULL) || (domain[0] == '\0')) { >- domain = lp_workgroup(); >- } > > status = cli_session_setup(c, username, > password, strlen(password), >@@ -251,6 +287,8 @@ static NTSTATUS do_connect(TALLOC_CTX *c > newshare, auth_info, false, > force_encrypt, max_protocol, > port, name_type, pcli); >+ } else if (require_msdfs_proxy) { >+ return NT_STATUS_NOT_FOUND; > } > > /* must be a normal share */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=11166">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 11333
: 11166