The Samba-Bugzilla – Attachment 11872 Details for
Bug 11755
net join may fail due to restricted ACLs
[patch]
patch from master
patch (text/plain), 5.09 KB, created by
Guenther Deschner
on 2016-02-26 12:57:58 UTC
Description:
patch from master
Filename:
MIME Type:
Creator:
Guenther Deschner
Created:
2016-02-26 12:57:58 UTC
Size:
5.09 KB
patch
obsolete
>From 0c74d62524db376b6a3fac00c688be0cdffcaa80 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 22 Jan 2016 09:57:04 +0100
>Subject: [PATCH] s3:libads: setup the msDS-SupportedEncryptionTypes attribute
> on ldap_add
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>We may not have the permission to modify the object after creation.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Björn Jacke <bj@sernet.de>
>Reviewed-by: Günther Deschner <gd@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144
>---
> source3/libads/ldap.c | 26 ++++++++++++++++++
> source3/libnet/libnet_join.c | 65 --------------------------------------------
> 2 files changed, 26 insertions(+), 65 deletions(-)
>
>diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
>index 2c52e32..322e7ab 100644
>--- a/source3/libads/ldap.c
>+++ b/source3/libads/ldap.c
>@@ -29,6 +29,7 @@
> #include "../libds/common/flags.h"
> #include "smbldap.h"
> #include "../libcli/security/security.h"
>+#include "../librpc/gen_ndr/netlogon.h"
> #include "lib/param/loadparm.h"
> 
> #ifdef HAVE_LDAP
>@@ -2211,6 +2212,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
> uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
> UF_DONT_EXPIRE_PASSWD |\
> UF_ACCOUNTDISABLE );
>+ uint32_t func_level = 0;
>+
>+ ret = ads_domain_func_level(ads, &func_level);
>+ if (!ADS_ERR_OK(ret)) {
>+ return ret;
>+ }
> 
> if (!(ctx = talloc_init("ads_add_machine_acct")))
> return ADS_ERROR(LDAP_NO_MEMORY);
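Review bot: The msDS-SupportedEncryptionTypes mods are now only built for the ldap_add in ads_create_machine_acct(), so a machine account that already exists at join time will presumably keep whatever value it had, whereas the removed libnet_join_set_etypes() ran ads_gen_mod() against the found DN on every join. If that narrowing is intended, a comment on the new func_level query would make it explicit, e.g. `/* enctypes are set at creation time only; an existing account is left untouched, as we may lack modify rights afterwards */`. The early return here also drops the "failed to query domain controller functional level" text that libnet_join_set_error_string() used to attach, leaving the caller only the raw ADS_STATUS. ret is declared, and ads_create_machine_acct() begins, above this hunk.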
>@@ -2242,6 +2249,25 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
> ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
> ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
> 
>+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
>+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
>+ const char *etype_list_str;
>+
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ etype_list |= ENC_HMAC_SHA1_96_AES128;
>+#endif
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ etype_list |= ENC_HMAC_SHA1_96_AES256;
>+#endif
>+
>+ etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
>+ if (etype_list_str == NULL) {
>+ goto done;
>+ }
>+ ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
>+ etype_list_str);
>+ }
>+
> ret = ads_gen_add(ads, new_dn, mods);
> 
> done:
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 3e58b18..6dce03c 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
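Review bot: A failed talloc_asprintf() takes `goto done` while ret still holds the success status returned by ads_domain_func_level() in the previous hunk, so — assuming done: returns ret, which is not visible here — the caller is told the account was created although ads_gen_add() never ran; the removed libnet_join_set_etypes() returned ADS_ERROR(LDAP_NO_MEMORY) on the same failure. Set the status before jumping: `ret = ADS_ERROR(LDAP_NO_MEMORY);` followed by `goto done;`. The result of the new ads_mod_str() call is also discarded, which matches the two preceding calls in this hunk but not the removed code, which checked it. ads_create_machine_acct() continues past the end of the hunk.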
>@@ -616,52 +616,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
> /****************************************************************
> ****************************************************************/
> 
>-static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
>- struct libnet_JoinCtx *r)
>-{
>- ADS_STATUS status;
>- ADS_MODLIST mods;
>- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
>- const char *etype_list_str;
>-
>-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>- etype_list |= ENC_HMAC_SHA1_96_AES128;
>-#endif
>-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>- etype_list |= ENC_HMAC_SHA1_96_AES256;
>-#endif
>-
>- etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
>- if (!etype_list_str) {
>- return ADS_ERROR(LDAP_NO_MEMORY);
>- }
>-
>- /* Find our DN */
>-
>- status = libnet_join_find_machine_acct(mem_ctx, r);
>- if (!ADS_ERR_OK(status)) {
>- return status;
>- }
>-
>- /* now do the mods */
>-
>- mods = ads_init_mods(mem_ctx);
>- if (!mods) {
>- return ADS_ERROR(LDAP_NO_MEMORY);
>- }
>-
>- status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
>- etype_list_str);
>- if (!ADS_ERR_OK(status)) {
>- return status;
>- }
>-
>- return ads_gen_mod(r->in.ads, r->out.dn, mods);
>-}
>-
>-/****************************************************************
>-****************************************************************/
>-
> static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
> struct libnet_JoinCtx *r)
> {
>@@ -736,7 +690,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> struct libnet_JoinCtx *r)
> {
> ADS_STATUS status;
>- uint32_t func_level = 0;
> 
> if (!r->in.ads) {
> status = libnet_join_connect_ads(mem_ctx, r);
>@@ -771,24 +724,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> return status;
> }
> 
>- status = ads_domain_func_level(r->in.ads, &func_level);
>- if (!ADS_ERR_OK(status)) {
>- libnet_join_set_error_string(mem_ctx, r,
>- "failed to query domain controller functional level: %s",
>- ads_errstr(status));
>- return status;
>- }
>-
>- if (func_level >= DS_DOMAIN_FUNCTION_2008) {
>- status = libnet_join_set_etypes(mem_ctx, r);
>- if (!ADS_ERR_OK(status)) {
>- libnet_join_set_error_string(mem_ctx, r,
>- "failed to set machine kerberos encryption types: %s",
>- ads_errstr(status));
>- return status;
>- }
>- }
>-
> if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
> return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
> }
>-- 
>2.5.0
>
Flags:
gd
:
review+
asn
:
review+
bjacke
:
review+