The Samba-Bugzilla – Attachment 11905 Details for Bug 11769: net ads join -k kerberos authentication is not site-aware
[patch] git-am fix for 4.4.0 and 4.3.next
jsite.patch (text/plain), 5.52 KB, created by Uri Simchoni on 2016-03-08 20:41:59 UTC
>From 3b423bfc121d4ac35105e11c0aef92794dd5a3d0 Mon Sep 17 00:00:00 2001 >From: Uri Simchoni <uri@samba.org> >Date: Thu, 3 Mar 2016 09:18:44 +0200 >Subject: [PATCH 1/3] dsgetdcname: return an IP address on rediscovery > >When dsgetdcname return its result based on discovery >process (instead of retrieving cached value), always >return the found server's IP address in dc_address field, >rather than its netbios name. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769 > >Signed-off-by: Uri Simchoni <uri@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit ef84f4c018424b1fcc232a4780dc2c0435701d86) >--- > source3/libsmb/dsgetdcname.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > >diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c >index a63ba5a..1033329 100644 >--- a/source3/libsmb/dsgetdcname.c >+++ b/source3/libsmb/dsgetdcname.c >@@ -792,14 +792,14 @@ static NTSTATUS make_dc_info_from_cldap_reply(TALLOC_CTX *mem_ctx, > print_sockaddr(addr, sizeof(addr), ss); > dc_address = addr; > dc_address_type = DS_ADDRESS_TYPE_INET; >- } >- >- if (!ss && r->sockaddr.pdc_ip) { >- dc_address = r->sockaddr.pdc_ip; >- dc_address_type = DS_ADDRESS_TYPE_INET; > } else { >- dc_address = r->pdc_name; >- dc_address_type = DS_ADDRESS_TYPE_NETBIOS; >+ if (r->sockaddr.pdc_ip) { >+ dc_address = r->sockaddr.pdc_ip; >+ dc_address_type = DS_ADDRESS_TYPE_INET; >+ } else { >+ dc_address = r->pdc_name; >+ dc_address_type = DS_ADDRESS_TYPE_NETBIOS; >+ } > } > > map_dc_and_domain_names(flags, >-- >2.5.0 > > >From 5a3da7b434d40d881a79a5119bd8a99d270d39f9 Mon Sep 17 00:00:00 2001 >From: Uri Simchoni <uri@samba.org> >Date: Thu, 3 Mar 2016 09:18:57 +0200 >Subject: [PATCH 2/3] dsgetdcname: fix flag check > >Fix the check for zero requseted flags. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769 
> >Signed-off-by: Uri Simchoni <uri@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 6d717402e42131298ba670ee47686379854ec56d) >--- > source3/libsmb/dsgetdcname.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c >index 1033329..b5bc51df 100644 >--- a/source3/libsmb/dsgetdcname.c >+++ b/source3/libsmb/dsgetdcname.c >@@ -284,7 +284,7 @@ static uint32_t get_cldap_reply_server_flags(struct netlogon_samlogon_response * > static bool check_cldap_reply_required_flags(uint32_t ret_flags, > uint32_t req_flags) > { >- if (ret_flags == 0) { >+ if (req_flags == 0) { > return true; > } > >-- >2.5.0 > > >From e6b5c90d7fb5c4866783e25773c82a4edd136d9b Mon Sep 17 00:00:00 2001 >From: Uri Simchoni <uri@samba.org> >Date: Thu, 3 Mar 2016 09:18:58 +0200 >Subject: [PATCH 3/3] libnet: make Kerberos domain join site-aware > >When joining a domain using Kerberos authentication, create a >configuration file for the Kerberos libs to prefer on-site >domain controllers, without relying on the winbindd Kerberos >locator, which many not be operational at this stage. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769 > >Signed-off-by: Uri Simchoni <uri@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Tue Mar 8 01:30:35 CET 2016 on sn-devel-144 > >(cherry picked from commit 0dbab0e33e9efc46f72b6a8b0dc894ea251df9aa) >--- > source3/libnet/libnet_join.c | 52 ++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 52 insertions(+) > >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index 6dce03c..fc737a2 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c 
>@@ -2157,6 +2157,17 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, > #ifdef HAVE_ADS > ADS_STATUS ads_status; > #endif /* HAVE_ADS */ >+ const char *pre_connect_realm = NULL; >+ const char *numeric_dcip = NULL; >+ const char *sitename = NULL; >+ >+ /* Before contacting a DC, we can securely know >+ * the realm only if the user specifies it. >+ */ >+ if (r->in.use_kerberos && >+ r->in.domain_name_type == JoinDomNameTypeDNS) { >+ pre_connect_realm = r->in.domain_name; >+ } > > if (!r->in.dc_name) { > struct netr_DsRGetDCNameInfo *info; >@@ -2189,6 +2200,47 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, > dc = strip_hostname(info->dc_unc); > r->in.dc_name = talloc_strdup(mem_ctx, dc); > W_ERROR_HAVE_NO_MEMORY(r->in.dc_name); >+ >+ if (info->dc_address == NULL || info->dc_address[0] != '\\' || >+ info->dc_address[1] != '\\') { >+ DBG_ERR("ill-formed DC address '%s'\n", >+ info->dc_address); >+ return WERR_DCNOTFOUND; >+ } >+ >+ numeric_dcip = info->dc_address + 2; >+ sitename = info->dc_site_name; >+ /* info goes out of scope but the memory stays >+ allocated on the talloc context */ >+ } >+ >+ if (pre_connect_realm != NULL) { >+ struct sockaddr_storage ss = {0}; >+ >+ if (numeric_dcip != NULL) { >+ if (!interpret_string_addr(&ss, numeric_dcip, >+ AI_NUMERICHOST)) { >+ DBG_ERR( >+ "cannot parse IP address '%s' of DC '%s'\n", >+ numeric_dcip, r->in.dc_name); >+ return WERR_DCNOTFOUND; >+ } >+ } else { >+ if (!interpret_string_addr(&ss, r->in.dc_name, 0)) { >+ DBG_WARNING( >+ "cannot resolve IP address of DC '%s'\n", >+ r->in.dc_name); >+ return WERR_DCNOTFOUND; >+ } >+ } >+ >+ /* The domain parameter is only used as modifier >+ * to krb5.conf file name. .JOIN is is not a valid >+ * NetBIOS name so it cannot clash with another domain >+ * -- Uri. >+ */ >+ create_local_private_krb5_conf_for_domain( >+ pre_connect_realm, ".JOIN", sitename, &ss); > } > > status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli); >-- >2.5.0 >
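Review bot: in the make_dc_info_from_cldap_reply hunk of patch 1/3, the final else still falls back to r->pdc_name with DS_ADDRESS_TYPE_NETBIOS, while patch 3/3 takes info->dc_address + 2 and parses it with AI_NUMERICHOST, returning WERR_DCNOTFOUND when it is not numeric. A comment here saying when both ss and r->sockaddr.pdc_ip can be missing would tell the reader whether that join-time failure is reachable. As a style point, the nested "else { if (r->sockaddr.pdc_ip) ... else ... }" reads more simply as an else-if chain.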
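Review bot: the commit message for patch 2/3 should state what the old test in check_cldap_reply_required_flags allowed. With "if (ret_flags == 0)" a reply carrying no flags returned true whatever req_flags asked for, so a server advertising nothing passed every requirement through this early return. Please put that consequence in the message, and consider a test that calls the function with ret_flags of 0 and a non-zero req_flags, which the early return no longer accepts.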
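Review bot: in the first libnet_DomainJoin hunk of patch 3/3, pre_connect_realm stays NULL whenever r->in.domain_name_type is not JoinDomNameTypeDNS, and the later block is guarded by "if (pre_connect_realm != NULL)", so a Kerberos join given a non-DNS domain name skips the site-aware krb5.conf without leaving any trace. A debug message on that path, or a sentence in the comment saying the join then proceeds without the private configuration file, would make the behaviour discoverable when someone debugs a cross-site join.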
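Review bot: in the second libnet_DomainJoin hunk of patch 3/3, the ill-formed-address condition is true when info->dc_address == NULL, and the DBG_ERR that follows then passes that NULL pointer to '%s'. Split the NULL case out or print a placeholder string instead. The call to create_local_private_krb5_conf_for_domain is also made as a bare statement, so a failure to write the file would go unnoticed and the join would continue without the site preference; check or at least log its result if it returns one. Minor: the two address-resolution failures both return WERR_DCNOTFOUND but log at DBG_ERR and DBG_WARNING respectively, and the comment above the call has a doubled "is is".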
Flags:
uri: review?(jra)
uri: review?(gd)
asn: review+