The Samba-Bugzilla – Attachment 11920 Details for
Bug 11755
net join may fail due to restricted ACLs
[patch]
Additional patches for v4-4-test
tmp44.diff.txt (text/plain), 26.38 KB, created by
Stefan Metzmacher
on 2016-03-14 19:40:51 UTC
Description:
Additional patches for v4-4-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2016-03-14 19:40:51 UTC
Size:
26.38 KB
patch
obsolete
>From ce998274ea63611385b317896ff1206b317b7540 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 11 Mar 2016 23:14:13 +0100 >Subject: [PATCH 01/10] Partly revert "s3:libads: setup the > msDS-SupportedEncryptionTypes attribute on ldap_add" >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This partly reverts commit 0c74d62524db376b6a3fac00c688be0cdffcaa80. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 > >Signed-off-by: Günther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 6686f67d2a91146c8bb2fb2a8104fcaa5710b855) >--- > source3/libnet/libnet_join.c | 46 ++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 46 insertions(+) > >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index fc737a2c..3b58f64 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c 
>@@ -615,6 +615,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, > > /**************************************************************** > ****************************************************************/ >+#if 0 >+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, >+ struct libnet_JoinCtx *r) >+{ >+ ADS_STATUS status; >+ ADS_MODLIST mods; >+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; >+ const char *etype_list_str; >+ >+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >+ etype_list |= ENC_HMAC_SHA1_96_AES128; >+#endif >+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 >+ etype_list |= ENC_HMAC_SHA1_96_AES256; >+#endif >+ >+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); >+ if (!etype_list_str) { >+ return ADS_ERROR(LDAP_NO_MEMORY); >+ } >+ >+ /* Find our DN */ >+ >+ status = libnet_join_find_machine_acct(mem_ctx, r); >+ if (!ADS_ERR_OK(status)) { >+ return status; >+ } >+ >+ /* now do the mods */ >+ >+ mods = ads_init_mods(mem_ctx); >+ if (!mods) { >+ return ADS_ERROR(LDAP_NO_MEMORY); >+ } >+ >+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", >+ etype_list_str); >+ if (!ADS_ERR_OK(status)) { >+ return status; >+ } >+ >+ return ads_gen_mod(r->in.ads, r->out.dn, mods); >+} >+#endif >+/**************************************************************** >+****************************************************************/ > > static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, > struct libnet_JoinCtx *r) >-- >1.9.1 > > >From 3ea21e43b6180bd4bbd23432f8d5e0995e51c900 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Wed, 2 Mar 2016 18:07:53 +0100 >Subject: [PATCH 02/10] s3:libnet:libnet_join: prepare to allow connecting with > machine creds. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 > >Guenther 
>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 71d5634ab58f0ca21db633990231bd01a22c956c)
>---
> source3/libnet/libnet_join.c | 73 +++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 68 insertions(+), 5 deletions(-)
>
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 3b58f64..9757d79 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -42,6 +42,7 @@
> #include "lib/param/loadparm.h"
> #include "libcli/auth/netlogon_creds_cli.h"
> #include "auth/credentials/credentials.h"
>+#include "krb5_env.h"
>
> /****************************************************************
> ****************************************************************/
>@@ -118,6 +119,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
> const char *dc_name,
> const char *user_name,
> const char *password,
>+ const char *ccname,
> ADS_STRUCT **ads)
> {
> ADS_STATUS status;
>@@ -150,6 +152,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
> my_ads->auth.password = SMB_STRDUP(password);
> }
>
>+ if (ccname != NULL) {
>+ SAFE_FREE(my_ads->auth.ccache_name);
>+ my_ads->auth.ccache_name = SMB_STRDUP(ccname);
>+ setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1);
>+ }
>+
> status = ads_connect_user_creds(my_ads);
> if (!ADS_ERR_OK(status)) {
> ads_destroy(&my_ads);
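Review bot: In the third hunk `my_ads->auth.ccache_name = SMB_STRDUP(ccname);` is handed straight to `setenv()` with no NULL check, so an allocation failure passes a NULL value to setenv, which glibc dereferences. Add `if (my_ads->auth.ccache_name == NULL) { ads_destroy(&my_ads); return ADS_ERROR(LDAP_NO_MEMORY); }` between the strdup and the setenv, and check setenv's own return value too. It is also worth a comment that `setenv(KRB5_ENV_CCNAME, ...)` is process-global and is never restored, so every later Kerberos call in this process uses the MEMORY: cache picked here; the `-k` path is only unaffected because its caller passes `ccname == NULL`. libnet_connect_ads starts and ends outside this hunk.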
>@@ -164,15 +172,51 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
> ****************************************************************/
>
> static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
>- struct libnet_JoinCtx *r)
>+ struct libnet_JoinCtx *r,
>+ bool use_machine_creds)
> {
> ADS_STATUS status;
>+ const char *username;
>+ const char *password;
>+ const char *ccname = NULL;
>+
>+ if (use_machine_creds) {
>+ if (r->in.machine_name == NULL ||
>+ r->in.machine_password == NULL) {
>+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
>+ }
>+ username = talloc_strdup(mem_ctx, r->in.machine_name);
>+ if (username == NULL) {
>+ return ADS_ERROR(LDAP_NO_MEMORY);
>+ }
>+ if (username[strlen(username)] != '$') {
>+ username = talloc_asprintf(username, "%s$", username);
>+ if (username == NULL) {
>+ return ADS_ERROR(LDAP_NO_MEMORY);
>+ }
>+ }
>+ password = r->in.machine_password;
>+ ccname = "MEMORY:libnet_join_machine_creds";
>+ } else {
>+ username = r->in.admin_account;
>+ password = r->in.admin_password;
>+
>+ /*
>+ * when r->in.use_kerberos is set to allow "net ads join -k" we
>+ * may not override the provided credential cache - gd
>+ */
>+
>+ if (!r->in.use_kerberos) {
>+ ccname = "MEMORY:libnet_join_user_creds";
>+ }
>+ }
>
> status = libnet_connect_ads(r->out.dns_domain_name,
> r->out.netbios_domain_name,
> r->in.dc_name,
>- r->in.admin_account,
>- r->in.admin_password,
>+ username,
>+ password,
>+ ccname,
> &r->in.ads);
> if (!ADS_ERR_OK(status)) {
> libnet_join_set_error_string(mem_ctx, r,
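Review bot: `if (username[strlen(username)] != '$')` indexes the terminating NUL, so the test is always true and a `$` is appended even when `r->in.machine_name` already ends in one, yielding `HOST$$` and a bind attempt as a non-existent account. Test the last character instead: `size_t len = strlen(username);` then `if (len == 0 || username[len - 1] != '$') {`. The re-allocation `talloc_asprintf(username, "%s$", username)` also parents the new string on the old copy rather than on mem_ctx; it works, but allocating on mem_ctx and freeing the old copy is the cleaner ownership. The `-k` branch is the only one that preserves a caller-supplied credential cache, which the existing comment already says; the machine branch should likewise note that the MEMORY: cache is destroyed by the caller.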
>@@ -201,6 +245,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, > /**************************************************************** > ****************************************************************/ > >+static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx, >+ struct libnet_JoinCtx *r) >+{ >+ return libnet_join_connect_ads(mem_ctx, r, false); >+} >+ >+/**************************************************************** >+****************************************************************/ >+#if 0 >+static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx, >+ struct libnet_JoinCtx *r) >+{ >+ return libnet_join_connect_ads(mem_ctx, r, true); >+} >+#endif >+/**************************************************************** >+****************************************************************/ >+ > static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, > struct libnet_UnjoinCtx *r) > { >@@ -211,6 +273,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, > r->in.dc_name, > r->in.admin_account, > r->in.admin_password, >+ NULL, > &r->in.ads); > if (!ADS_ERR_OK(status)) { > libnet_unjoin_set_error_string(mem_ctx, r, >@@ -738,7 +801,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, > ADS_STATUS status; > > if (!r->in.ads) { >- status = libnet_join_connect_ads(mem_ctx, r); >+ status = libnet_join_connect_ads_user(mem_ctx, r); > if (!ADS_ERR_OK(status)) { > return status; > } >@@ -2311,7 +2374,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, > if (r->out.domain_is_ad && r->in.account_ou && > !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { > >- ads_status = libnet_join_connect_ads(mem_ctx, r); >+ ads_status = libnet_join_connect_ads_user(mem_ctx, r); > if (!ADS_ERR_OK(ads_status)) { > return WERR_DEFAULT_JOIN_REQUIRED; > } >-- >1.9.1 > > >From b6e5e9152fb06d736046df289402afd62ef8bd85 Mon Sep 17 00:00:00 2001 
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Fri, 4 Mar 2016 17:42:05 +0100
>Subject: [PATCH 03/10] s3:libads:ldap: print LDAP error message with log level
> 10.
>
>Guenther
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 34030b025b9e4cd5e7321d6e242f6c03da2a60c0)
>---
> source3/libads/ldap.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
>diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
>index 9918b95..f4fc7b0 100644
>--- a/source3/libads/ldap.c
>+++ b/source3/libads/ldap.c
>@@ -1628,6 +1628,17 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
> }
> #endif
>
>+static void ads_print_error(int ret, LDAP *ld)
>+{
>+ if (ret != 0) {
>+ char *ld_error = NULL;
>+ ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
>+ DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
>+ ldap_err2string(ret), ld_error));
>+ SAFE_FREE(ld_error);
>+ }
>+}
>+
> /**
> * Perform an ldap modify
> * @param ads connection to ads server
>@@ -1663,6 +1674,7 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
> mods[i] = NULL;
> ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
> (LDAPMod **) mods, controls, NULL);
>+ ads_print_error(ret, ads->ldap.ld);
> TALLOC_FREE(utf8_dn);
> return ADS_ERROR(ret);
> }
>@@ -1691,6 +1703,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
> mods[i] = NULL;
>
> ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
>+ ads_print_error(ret, ads->ldap.ld);
> TALLOC_FREE(utf8_dn);
> return ADS_ERROR(ret);
> }
>@@ -1712,6 +1725,7 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
> }
>
> ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
>+ ads_print_error(ret, ads->ldap.ld);
> TALLOC_FREE(utf8_dn);
> return ADS_ERROR(ret);
> }
>--
>1.9.1
>
>
>From 59ffa3797168ec0838263fc1e6f0d60ec99f8dea Mon Sep 17 00:00:00 2001
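Review bot: In the new `ads_print_error()` the result of `ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error)` is ignored, so `ld_error` can still be NULL when it reaches the `%s` in the DEBUG call, which is undefined behaviour for printf-style formatting (glibc merely happens to print "(null)"). Guard it: `ldap_err2string(ret), ld_error != NULL ? ld_error : ""));`. The buffer returned for LDAP_OPT_ERROR_STRING is allocated by libldap and should be released with `ldap_memfree(ld_error);` rather than `SAFE_FREE()`, which calls free() directly; the two coincide on OpenLDAP but that is an implementation detail. A one-line comment that the DC's diagnostic text (which may carry DNs) is deliberately emitted only at level 10 would also help the next reader.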
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 11 Mar 2016 12:13:24 +0100 >Subject: [PATCH 04/10] s3:libads:ndr: add ADS_AUTH_USER_CREDS to > ndr_print_ads_auth_flags() > >Guenther > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 > >Signed-off-by: Guenther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit e8f6acdeece990dc8953d494113dee856d80da45) >--- > source3/libads/ndr.c | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c >index eb48437..957c0fa 100644 >--- a/source3/libads/ndr.c >+++ b/source3/libads/ndr.c >@@ -37,6 +37,7 @@ static void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, ui > ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SIGN", ADS_AUTH_SASL_SIGN, r); > ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SEAL", ADS_AUTH_SASL_SEAL, r); > ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_FORCE", ADS_AUTH_SASL_FORCE, r); >+ ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_USER_CREDS", ADS_AUTH_USER_CREDS, r); > ndr->depth--; > } > >-- >1.9.1 > > >From 880a7c4ab3551ab13de6d7e7c2257080ae0f8fbb Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 11 Mar 2016 12:15:14 +0100 >Subject: [PATCH 05/10] s3:libads:ldap: fix ads_check_ou_dn to deal with > account_ou not being initialized > >Guenther > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 > >Signed-off-by: Guenther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit c61b111e6fa3e138d4d9cf5038b69644248e834a) >--- > source3/libads/ldap.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index f4fc7b0..664596f 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c 
>@@ -4079,10 +4079,16 @@ ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx, > const char *name; > char *ou_string; > >- exploded_dn = ldap_explode_dn(*account_ou, 0); >- if (exploded_dn) { >- ldap_value_free(exploded_dn); >- return ADS_SUCCESS; >+ if (account_ou == NULL) { >+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); >+ } >+ >+ if (*account_ou != NULL) { >+ exploded_dn = ldap_explode_dn(*account_ou, 0); >+ if (exploded_dn) { >+ ldap_value_free(exploded_dn); >+ return ADS_SUCCESS; >+ } > } > > ou_string = ads_ou_string(ads, *account_ou); >-- >1.9.1 > > >From d93f39c754b0d1bb1d42eba7e42eb25e5cf2e1c9 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Thu, 10 Mar 2016 18:03:47 +0100 >Subject: [PATCH 06/10] s3:libnet:libnet_join: always try to create > machineaccount via LDAP first. > >Guenther > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 > >Signed-off-by: Guenther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit df8f79cc9d44ad7b2caa6b86b7ebde7bb1fd4c8c) >--- > source3/libnet/libnet_join.c | 28 +++++++++++++++++++++++++--- > 1 file changed, 25 insertions(+), 3 deletions(-) > >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index 9757d79..6b9be5e 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c 
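Review bot: After the new guard a NULL `*account_ou` skips `ldap_explode_dn()` and falls straight through to `ads_ou_string(ads, *account_ou)` with a NULL argument, and nothing in the hunk shows that ads_ou_string accepts NULL; the commit message implies it does (deriving the default container), so that expectation should be stated at the call, e.g. `/* NULL or a non-DN string: let ads_ou_string() pick the target container */`. If ads_ou_string does not handle NULL, this replaces one NULL dereference with another a few lines later. The rest of ads_check_ou_dn, including how the derived OU is written back, is outside the hunk.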
>@@ -2371,16 +2371,36 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> r->out.dns_domain_name, r->out.netbios_domain_name,
> NULL, smbXcli_conn_remote_sockaddr(cli->conn));
>
>- if (r->out.domain_is_ad && r->in.account_ou &&
>+ if (r->out.domain_is_ad &&
> !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
>
>+ const char *initial_account_ou = r->in.account_ou;
>+
>+ /*
>+ * we want to create the msDS-SupportedEncryptionTypes attribute
>+ * as early as possible so always try an LDAP create as the user
>+ * first. We copy r->in.account_ou because it may be changed
>+ * during the machine pre-creation.
>+ */
>+
> ads_status = libnet_join_connect_ads_user(mem_ctx, r);
> if (!ADS_ERR_OK(ads_status)) {
> return WERR_DEFAULT_JOIN_REQUIRED;
> }
>
> ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
>- if (!ADS_ERR_OK(ads_status)) {
>+ if (ADS_ERR_OK(ads_status)) {
>+
>+ /*
>+ * LDAP object create succeeded, now go to the rpc
>+ * password set routines
>+ */
>+
>+ r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
>+ goto rpc_join;
>+ }
>+
>+ if (initial_account_ou != NULL) {
> libnet_join_set_error_string(mem_ctx, r,
> "failed to precreate account in ou %s: %s",
> r->in.account_ou,
>@@ -2388,10 +2408,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> return WERR_DEFAULT_JOIN_REQUIRED;
> }
>
>- r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
>+ DEBUG(5, ("failed to precreate account in ou %s: %s",
>+ r->in.account_ou, ads_errstr(ads_status)));
> }
> #endif /* HAVE_ADS */
>
>+ rpc_join:
> if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
> (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
> status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
>--
>1.9.1
>
>
>From 00f6cd0137230871616d8d3a6ab9ccd9598fccc2 Mon Sep 17 00:00:00 2001
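Review bot: The new `DEBUG(5, ("failed to precreate account in ou %s: %s", r->in.account_ou, ads_errstr(ads_status)));` is reached only when `initial_account_ou` was NULL, so unless the precreate step filled it in `r->in.account_ou` is still NULL at the `%s`, and the format has no trailing newline. Make it `DEBUG(5, ("failed to precreate account in ou %s: %s\n", r->in.account_ou ? r->in.account_ou : "(default)", ads_errstr(ads_status)));`. The `rpc_join:` label is placed after `#endif /* HAVE_ADS */` while its only `goto` is inside the `#ifdef`, so non-ADS builds get an unused-label warning; putting the label under the same conditional avoids that. Falling back to the RPC join when no OU was requested and the LDAP create failed is the stated intent, so a short comment at the DEBUG saying the fallback is deliberate would stop a later reader from treating it as a swallowed error. libnet_DomainJoin continues outside the hunk.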
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 11 Mar 2016 16:02:27 +0100 >Subject: [PATCH 07/10] s3:librpc:idl:libnet_join: add encryption types to > libnet_JoinCtx. > >Guenther > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 > >Signed-off-by: Guenther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 4a49f6fac9d6c77d1eedf914308e67eb6e2baa8d) >--- > source3/librpc/idl/libnet_join.idl | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl >index 61c117e..63ea1df 100644 >--- a/source3/librpc/idl/libnet_join.idl >+++ b/source3/librpc/idl/libnet_join.idl >@@ -43,6 +43,7 @@ interface libnetjoin > [in] boolean8 use_kerberos, > [in] netr_SchannelType secure_channel_type, > [in,noprint] messaging_context *msg_ctx, >+ [in] uint32 desired_encryption_types, > [out] string account_name, > [out] string netbios_domain_name, > [out] string dns_domain_name, >@@ -51,7 +52,8 @@ interface libnetjoin > [out] dom_sid *domain_sid, > [out] boolean8 modified_config, > [out] string error_string, >- [out] boolean8 domain_is_ad >+ [out] boolean8 domain_is_ad, >+ [out] uint32 set_encryption_types > ); > > [nopush,nopull,noopnum] WERROR libnet_UnjoinCtx( >-- >1.9.1 > > >From 7a0d7cc66aa832f4da16891a42d74e288fceed21 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 11 Mar 2016 16:04:52 +0100 >Subject: [PATCH 08/10] s3:libnet:libnet_join: define list of desired > encryption types only once. > >Guenther > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 
> >Signed-off-by: Guenther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit e0da059b39f9dd5ccb74f32f965e1ced384c77eb) >--- > source3/libads/ads_proto.h | 6 ++++-- > source3/libads/ldap.c | 14 ++++---------- > source3/libnet/libnet_join.c | 24 ++++++++++++++---------- > 3 files changed, 22 insertions(+), 22 deletions(-) > >diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h >index 224d992..eb0dea9 100644 >--- a/source3/libads/ads_proto.h >+++ b/source3/libads/ads_proto.h >@@ -98,8 +98,10 @@ ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx, > ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name); > ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name, > const char *my_fqdn, const char *spn); >-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, >- const char *org_unit); >+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, >+ const char *machine_name, >+ const char *org_unit, >+ uint32_t etype_list); > ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, > const char *org_unit, bool *moved); > int ads_count_replies(ADS_STRUCT *ads, void *res); >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index 664596f..8232bcc 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -2211,8 +2211,10 @@ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_n > * @return 0 upon success, or non-zero otherwise > **/ > >-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, >- const char *org_unit) >+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, >+ const char *machine_name, >+ const char *org_unit, >+ uint32_t etype_list) > { > ADS_STATUS ret; > char *samAccountName, *controlstr; 
>@@ -2268,16 +2270,8 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, > ads_mod_str(ctx, &mods, "userAccountControl", controlstr); > > if (func_level >= DS_DOMAIN_FUNCTION_2008) { >- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; > const char *etype_list_str; > >-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >- etype_list |= ENC_HMAC_SHA1_96_AES128; >-#endif >-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 >- etype_list |= ENC_HMAC_SHA1_96_AES256; >-#endif >- > etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); > if (etype_list_str == NULL) { > goto done; >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index 6b9be5e..c72172a 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c >@@ -318,7 +318,8 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, > > status = ads_create_machine_acct(r->in.ads, > r->in.machine_name, >- r->in.account_ou); >+ r->in.account_ou, >+ r->in.desired_encryption_types); > > if (ADS_ERR_OK(status)) { > DEBUG(1,("machine account creation created\n")); >@@ -684,17 +685,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, > { > ADS_STATUS status; > ADS_MODLIST mods; >- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; > const char *etype_list_str; > >-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >- etype_list |= ENC_HMAC_SHA1_96_AES128; >-#endif >-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 >- etype_list |= ENC_HMAC_SHA1_96_AES256; >-#endif >- >- etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); >+ etype_list_str = talloc_asprintf(mem_ctx, "%d", >+ r->in.desired_encryption_types); > if (!etype_list_str) { > return ADS_ERROR(LDAP_NO_MEMORY); > } 
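Review bot: In the libnet_join_set_etypes hunk, `talloc_asprintf(mem_ctx, "%d", r->in.desired_encryption_types)` formats a `uint32` IDL field with `%d`; the ldap.c hunk in the same patch casts its copy to `(int)` for the same reason, and the two should agree, preferably as `"%u"` in both places since msDS-SupportedEncryptionTypes is a bit mask. Two lines: `etype_list_str = talloc_asprintf(mem_ctx, "%u",` / `r->in.desired_encryption_types);`. libnet_join_set_etypes starts and ends outside this hunk.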
>@@ -2135,6 +2129,16 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx, > > ctx->in.secure_channel_type = SEC_CHAN_WKSTA; > >+ ctx->in.desired_encryption_types = ENC_CRC32 | >+ ENC_RSA_MD5 | >+ ENC_RC4_HMAC_MD5; >+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128; >+#endif >+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 >+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256; >+#endif >+ > *r = ctx; > > return WERR_OK; >-- >1.9.1 > > >From 5b36fe252aa8efb069ecdc8ba55951d7028c2465 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 11 Mar 2016 16:05:53 +0100 >Subject: [PATCH 09/10] s3:libnet:libnet_join: fill in output enctypes and only > modify when necessary. > >Guenther > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 > >Signed-off-by: Guenther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 5d498d1b4d9b83f179fb7b2841a19ad984eec5f8) >--- > source3/libads/ldap.c | 2 +- > source3/libnet/libnet_join.c | 18 +++++++++++++++++- > 2 files changed, 18 insertions(+), 2 deletions(-) > >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index 8232bcc..6735072 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -1478,7 +1478,7 @@ char *ads_parent_dn(const char *dn) > { > ADS_STATUS status; > char *expr; >- const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; >+ const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; > > *res = NULL; > >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index c72172a..ac7e3ef 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c 
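Review bot: The default `desired_encryption_types` set in libnet_init_JoinCtx still includes `ENC_CRC32 | ENC_RSA_MD5` (single-DES) next to RC4 and AES, and with this series that value is what the join writes into msDS-SupportedEncryptionTypes on 2008+ domains. DES is deprecated (RFC 6649) and, as far as I know, disabled on current DCs unless explicitly re-enabled, so advertising it is at best inert and at worst lets a KDC that still permits DES pick it for this host; consider dropping the two DES bits, or at least mark the choice with `/* NOTE(review): advertises single-DES for compatibility; callers may override before libnet_Join() */` so it is visible. Now that the list is an IDL input, an smb.conf-controlled override would be the natural follow-up.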
>@@ -417,6 +417,11 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx, > goto done; > } > >+ if (!ads_pull_uint32(r->in.ads, res, "msDS-SupportedEncryptionTypes", >+ &r->out.set_encryption_types)) { >+ r->out.set_encryption_types = 0; >+ } >+ > done: > ads_msgfree(r->in.ads, res); > TALLOC_FREE(dn); >@@ -700,6 +705,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, > return status; > } > >+ if (r->in.desired_encryption_types == r->out.set_encryption_types) { >+ return ADS_SUCCESS; >+ } >+ > /* now do the mods */ > > mods = ads_init_mods(mem_ctx); >@@ -713,7 +722,14 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, > return status; > } > >- return ads_gen_mod(r->in.ads, r->out.dn, mods); >+ status = ads_gen_mod(r->in.ads, r->out.dn, mods); >+ if (!ADS_ERR_OK(status)) { >+ return status; >+ } >+ >+ r->out.set_encryption_types = r->in.desired_encryption_types; >+ >+ return ADS_SUCCESS; > } > #endif > /**************************************************************** >-- >1.9.1 > > >From c51b9c5fc18160734c5dc31389d28f7cfcc81b5a Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 11 Mar 2016 23:15:06 +0100 >Subject: [PATCH 10/10] s3:libnet:libnet_join: update > msDS-SupportedEncryptionTypes (if required) with machine creds. > >Guenther > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Guenther Deschner <gd@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144 > >(cherry picked from commit 06aefe4b956ae8748e20ae4c730aa344e81808b6) >--- > source3/libnet/libnet_join.c | 59 +++++++++++++++++++++++++++++++++++++++++--- > 1 file changed, 55 insertions(+), 4 deletions(-) 
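Review bot: `libnet_join_set_etypes()` skips the modify only when `desired_encryption_types == set_encryption_types`, so an msDS-SupportedEncryptionTypes value an administrator deliberately narrowed (for example AES-only to disable RC4) is replaced with the joiner's full default on every re-join. If that is intended, say so at the comparison; if not, a less destructive rule is to write only when bits are missing, `if ((r->in.desired_encryption_types & ~r->out.set_encryption_types) == 0) return ADS_SUCCESS;`, though that still re-adds RC4, so the policy question should be settled explicitly. In libnet_join_find_machine_acct the fallback `r->out.set_encryption_types = 0;` also conflates "attribute absent" with "attribute set to 0", which is fine for this comparison but deserves a one-line comment. Both functions start outside their hunks.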
> >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index ac7e3ef..235592c 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c >@@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx, > > /**************************************************************** > ****************************************************************/ >-#if 0 >+ > static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx, > struct libnet_JoinCtx *r) > { > return libnet_join_connect_ads(mem_ctx, r, true); > } >-#endif >+ > /**************************************************************** > ****************************************************************/ > >@@ -684,7 +684,7 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, > > /**************************************************************** > ****************************************************************/ >-#if 0 >+ > static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, > struct libnet_JoinCtx *r) > { >@@ -731,7 +731,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, > > return ADS_SUCCESS; > } >-#endif >+ > /**************************************************************** > ****************************************************************/ > >@@ -809,6 +809,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, > struct libnet_JoinCtx *r) > { > ADS_STATUS status; >+ bool need_etype_update = false; > > if (!r->in.ads) { > status = libnet_join_connect_ads_user(mem_ctx, r); 
>@@ -843,6 +844,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
> return status;
> }
>
>+ status = libnet_join_find_machine_acct(mem_ctx, r);
>+ if (!ADS_ERR_OK(status)) {
>+ return status;
>+ }
>+
>+ if (r->in.desired_encryption_types != r->out.set_encryption_types) {
>+ uint32_t func_level = 0;
>+
>+ status = ads_domain_func_level(r->in.ads, &func_level);
>+ if (!ADS_ERR_OK(status)) {
>+ libnet_join_set_error_string(mem_ctx, r,
>+ "failed to query domain controller functional level: %s",
>+ ads_errstr(status));
>+ return status;
>+ }
>+
>+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
>+ need_etype_update = true;
>+ }
>+ }
>+
>+ if (need_etype_update) {
>+ /*
>+ * We need to reconnect as machine account in order
>+ * to update msDS-SupportedEncryptionTypes reliable
>+ */
>+
>+ if (r->in.ads->auth.ccache_name != NULL) {
>+ ads_kdestroy(r->in.ads->auth.ccache_name);
>+ }
>+
>+ ads_destroy(&r->in.ads);
>+
>+ status = libnet_join_connect_ads_machine(mem_ctx, r);
>+ if (!ADS_ERR_OK(status)) {
>+ libnet_join_set_error_string(mem_ctx, r,
>+ "Failed to connect as machine account: %s",
>+ ads_errstr(status));
>+ return status;
>+ }
>+
>+ status = libnet_join_set_etypes(mem_ctx, r);
>+ if (!ADS_ERR_OK(status)) {
>+ libnet_join_set_error_string(mem_ctx, r,
>+ "failed to set machine kerberos encryption types: %s",
>+ ads_errstr(status));
>+ return status;
>+ }
>+ }
>+
> if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
> return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
> }
>--
>1.9.1
>
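Review bot: `ads_destroy(&r->in.ads)` nulls the connection before `libnet_join_connect_ads_machine()` is attempted, so if that bind fails the function returns with `r->in.ads == NULL` after the account has already been created and its password set via RPC; whatever the caller does next with `r->in.ads` has to tolerate that, and the half-joined state should be called out in the error text or a comment. The `ads_kdestroy(r->in.ads->auth.ccache_name)` is safe for `net ads join -k` only because libnet_join_connect_ads leaves ccache_name NULL when use_kerberos is set, which deserves a comment here: `/* ccache_name is only set for the MEMORY: caches we created; a caller-supplied KRB5CCNAME (-k) is never destroyed */`. Note also that KRB5CCNAME in the process environment still names the destroyed cache until the machine connect replaces it, and that the reconnect assumes the freshly set machine password is already usable for a Kerberos bind against `r->in.dc_name`. libnet_join_post_processing_ads continues outside the hunk.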
Flags:
gd
:
review+