Attachment 12452 Details for Bug 12248 – s3:utils/net: add SPN entries from net ads

[patch] s3:utils/net: add SPN entries from net ads

0001-s3-utils-net-add-SPN-entries-from-net-ads.patch (text/plain), 3.18 KB, created by Daniel Kobras (dead mail address) on 2016-09-08 14:00:54 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Daniel Kobras (dead mail address)

Created: 2016-09-08 14:00:54 UTC

Size: 3.18 KB

patch

obsolete

>From 5622e198027b5e1e52fedb78f1b96ed42e1fced6 Mon Sep 17 00:00:00 2001
>From: Daniel Kobras <d.kobras@science-computing.de>
>Date: Thu, 8 Sep 2016 15:11:49 +0200
>Subject: [PATCH 1/2] s3:utils/net: add SPN entries from net ads
>
>source3/libads/kerberos_keytab.c::ads_keytab_add_entry() tries to second-guess
>when new keytab entries should also be added as servicePrincipalNames to the
>machine account, but 'net ads keytab add' is the only case where we should
>ever encounter a non-existing SPN. Adding this logic to the caller allows us
>to simplify ads_keytab_add_entry() later on.
>
>Signed-off-by: Daniel Kobras <d.kobras@science-computing.de>
>---
> source3/utils/net_ads.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 57 insertions(+), 1 deletion(-)
>
>diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
>index e6b9fdc..0e7b2bd 100644
>--- a/source3/utils/net_ads.c
>+++ b/source3/utils/net_ads.c
>@@ -2609,7 +2609,15 @@ static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv
> {
> 	int i;
> 	int ret = 0;
>+	char *my_fqdn;
>+	char *princ_s;
> 	ADS_STRUCT *ads;
>+	ADS_STATUS aderr;
>+	TALLOC_CTX *ctx = NULL;
>+
>+#ifdef DEVELOPER
>+	talloc_enable_leak_report();
>+#endif
> 
> 	if (c->display_usage) {
> 		d_printf("%s\n%s",
>@@ -2625,10 +2633,58 @@ static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv
> 	if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
> 		return -1;
> 	}
>+
>+	if (!(ctx = talloc_init("net_ads_keytab_add"))) {
>+		d_fprintf(stderr, _("Could not initialise talloc context\n"));
>+		return -1;
>+	}
>+
>+	my_fqdn = ads_get_dnshostname(ads, ctx, lp_netbios_name());
>+	if (!my_fqdn) {
>+		DEBUG(0, (__location__ ": unable to determine machine "
>+		          "account's dns name in AD!\n"));
>+		return -1;
>+	}
>+
> 	for (i = 0; i < argc; i++) {
>-		ret |= ads_keytab_add_entry(ads, argv[i]);
>+		DEBUG(3, (__location__ ": Attempting to add/update "
>+			  "'%s'\n", argv[i]));
>+
>+		/* foreign realm? -> just add to keytab and hope for the best */
>+		if (strchr_m(argv[i], '@')) {
>+			DEBUG(3, (__location__ ": skip adding principal from arbitrary realm to AD"));
>+			ret |= ads_keytab_add_entry(ads, argv[i]);
>+			continue;
>+		}
>+
>+		/* machine account -> just add to keytab, should already be present in AD */
>+		if (strlen(argv[i]-1) > 0 &&
>+		           argv[i][strlen(argv[i]-1)] == '$') {
>+			DEBUG(3, (__location__ ": no need to add machine principal to AD"));
>+			ret |= ads_keytab_add_entry(ads, argv[i]);
>+			continue;
>+		}
>+
>+		/* add two new SPNs (with machine name and dNSHostName suffix, respectively)
>+		 * to our machine account */
>+		aderr = ads_add_service_principal_name(ads, lp_netbios_name(), \
>+		                                       my_fqdn, argv[i]);
>+
>+		if (!ADS_ERR_OK(aderr)) {
>+			DEBUG(1, (__location__ ": failed to "
>+				 "ads_add_service_principal_name.\n"));
>+			continue;
>+		}
>+
>+		/* add keytab entries for both SPNs */
>+		princ_s = talloc_asprintf(ctx, "%s/%s@%s", argv[i], lp_netbios_name(), lp_realm());
>+		ret |= ads_keytab_add_entry(ads, princ_s);
>+
>+		princ_s = talloc_asprintf(ctx, "%s/%s@%s", argv[i], my_fqdn, lp_realm());
>+		ret |= ads_keytab_add_entry(ads, princ_s);
> 	}
> 	ads_destroy(&ads);
>+	TALLOC_FREE(ctx);
> 	return ret;
> }
> 
>-- 
>2.9.0
>

Actions: View

Attachments on bug 12248: 12452 | 12453