The Samba-Bugzilla – Attachment 12452 Details for Bug 12248: Handle arbitrary principals in keytab
[patch] s3:utils/net: add SPN entries from net ads
Filename: 0001-s3-utils-net-add-SPN-entries-from-net-ads.patch
MIME Type: text/plain
Creator: Daniel Kobras (dead mail address)
Created: 2016-09-08 14:00:54 UTC
Size: 3.18 KB
Marked as: patch, obsolete
>From 5622e198027b5e1e52fedb78f1b96ed42e1fced6 Mon Sep 17 00:00:00 2001 >From: Daniel Kobras <d.kobras@science-computing.de> >Date: Thu, 8 Sep 2016 15:11:49 +0200 >Subject: [PATCH 1/2] s3:utils/net: add SPN entries from net ads > >source3/libads/kerberos_keytab.c::ads_keytab_add_entry() tries to second-guess >when new keytab entries should also be added as servicePrincipalNames to the >machine account, but 'net ads keytab add' is the only case where we should >ever encounter a non-existing SPN. Adding this logic to the caller allows us >to simplify ads_keytab_add_entry() later on. > >Signed-off-by: Daniel Kobras <d.kobras@science-computing.de> >--- > source3/utils/net_ads.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 57 insertions(+), 1 deletion(-) > >diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c >index e6b9fdc..0e7b2bd 100644 >--- a/source3/utils/net_ads.c >+++ b/source3/utils/net_ads.c >@@ -2609,7 +2609,15 @@ static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv > { > int i; > int ret = 0; >+ char *my_fqdn; >+ char *princ_s; > ADS_STRUCT *ads; >+ ADS_STATUS aderr; >+ TALLOC_CTX *ctx = NULL; >+ >+#ifdef DEVELOPER >+ talloc_enable_leak_report(); >+#endif > > if (c->display_usage) { > d_printf("%s\n%s", 
>@@ -2625,10 +2633,58 @@ static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv > if (!ADS_ERR_OK(ads_startup(c, true, &ads))) { > return -1; > } >+ >+ if (!(ctx = talloc_init("net_ads_keytab_add"))) { >+ d_fprintf(stderr, _("Could not initialise talloc context\n")); >+ return -1; >+ } >+ >+ my_fqdn = ads_get_dnshostname(ads, ctx, lp_netbios_name()); >+ if (!my_fqdn) { >+ DEBUG(0, (__location__ ": unable to determine machine " >+ "account's dns name in AD!\n")); >+ return -1; >+ } >+ > for (i = 0; i < argc; i++) { >- ret |= ads_keytab_add_entry(ads, argv[i]); >+ DEBUG(3, (__location__ ": Attempting to add/update " >+ "'%s'\n", argv[i])); >+ >+ /* foreign realm? -> just add to keytab and hope for the best */ >+ if (strchr_m(argv[i], '@')) { >+ DEBUG(3, (__location__ ": skip adding principal from arbitrary realm to AD")); >+ ret |= ads_keytab_add_entry(ads, argv[i]); >+ continue; >+ } >+ >+ /* machine account -> just add to keytab, should already be present in AD */ >+ if (strlen(argv[i]-1) > 0 && >+ argv[i][strlen(argv[i]-1)] == '$') { >+ DEBUG(3, (__location__ ": no need to add machine principal to AD")); >+ ret |= ads_keytab_add_entry(ads, argv[i]); >+ continue; >+ } >+ >+ /* add two new SPNs (with machine name and dNSHostName suffix, respectively) >+ * to our machine account */ >+ aderr = ads_add_service_principal_name(ads, lp_netbios_name(), \ >+ my_fqdn, argv[i]); >+ >+ if (!ADS_ERR_OK(aderr)) { >+ DEBUG(1, (__location__ ": failed to " >+ "ads_add_service_principal_name.\n")); >+ continue; >+ } >+ >+ /* add keytab entries for both SPNs */ >+ princ_s = talloc_asprintf(ctx, "%s/%s@%s", argv[i], lp_netbios_name(), lp_realm()); >+ ret |= ads_keytab_add_entry(ads, princ_s); >+ >+ princ_s = talloc_asprintf(ctx, "%s/%s@%s", argv[i], my_fqdn, lp_realm()); >+ ret |= ads_keytab_add_entry(ads, princ_s); > } > ads_destroy(&ads); >+ TALLOC_FREE(ctx); > return ret; > } > >-- >2.9.0 >
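Review bot: the `#ifdef DEVELOPER` / `talloc_enable_leak_report();` / `#endif` block added at the top of net_ads_keytab_add() in the first hunk (@@ -2609,7 +2609,15) is debugging scaffolding unrelated to the SPN change and should be dropped from this patch; talloc_enable_leak_report() registers a process-wide atexit report, which is not something one `net ads` subcommand should switch on. Minor: `ctx` is initialised to NULL while the neighbouring `my_fqdn`, `princ_s` and `aderr` are not; since `ctx` is only ever assigned from talloc_init() before use, either initialise all of them consistently or leave `ctx` uninitialised like the others.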
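Review bot: in the second hunk (@@ -2625,10 +2633,58) the machine-account test `strlen(argv[i]-1) > 0 && argv[i][strlen(argv[i]-1)] == '$'` is wrong: `argv[i]-1` is pointer arithmetic, so strlen() starts scanning one byte before the argument (an out-of-bounds read) and the index derived from it is off by one; it should read `strlen(argv[i]) > 0 && argv[i][strlen(argv[i]) - 1] == '$'`. Further points in the same hunk: (1) the two new early returns (talloc_init() failing and `my_fqdn == NULL`) return -1 after ads_startup() has succeeded without calling ads_destroy(&ads), and the second one also leaks `ctx`; route them through the `ads_destroy(&ads); TALLOC_FREE(ctx); return ret;` cleanup that already ends the function. (2) When ads_add_service_principal_name() fails the loop only logs at DEBUG(1, ...) and `continue`s, so `ret` stays 0 and the command reports success although no keytab entry was written for that SPN; set `ret = -1;` before continuing and consider d_fprintf(stderr, ...) so the user actually sees the failure. (3) The two DEBUG(3, ...) messages "skip adding principal from arbitrary realm to AD" and "no need to add machine principal to AD" lack a trailing "\n". (4) The talloc_asprintf() results stored in `princ_s` are passed to ads_keytab_add_entry() without a NULL check. (5) The backslash after `lp_netbios_name(),` in the ads_add_service_principal_name() call is a stray line continuation outside a macro and should go. (6) Because the new principals are built with "%s/%s@%s" from argv[i] verbatim, an argument that already contains a '/' (e.g. "http/host.example.com") yields a three-component principal; either reject such input here or document that argv[i] must be a bare service name.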
Attachments on bug 12248: 12452 (this attachment) | 12453