The Samba-Bugzilla – Attachment 12453 Details for Bug 12248: Handle arbitrary principals in keytab
[patch] s3-libads: update arbitrary principals in keytab

Description: s3-libads: update arbitrary principals in keytab
Filename: 0002-s3-libads-update-arbitrary-principals-in-keytab.patch
MIME Type: text/plain
Creator: Daniel Kobras (dead mail address)
Created: 2016-09-08 14:01:41 UTC
Size: 4.05 KB
Flags: patch, obsolete
>From de2840d73cc01b840145cca59d80c479797c1c4c Mon Sep 17 00:00:00 2001 >From: Daniel Kobras <d.kobras@science-computing.de> >Date: Thu, 8 Sep 2016 15:23:12 +0200 >Subject: [PATCH 2/2] s3-libads: update arbitrary principals in keytab > >Let ads_keytab_add_entry() just update any principal it's given, and get rid of >magic to auto-add SPNs to the machine account that would clobber and replace >existing principal names. > >Signed-off-by: Daniel Kobras <d.kobras@science-computing.de> >--- > source3/libads/kerberos_keytab.c | 71 ++-------------------------------------- > 1 file changed, 3 insertions(+), 68 deletions(-) > >diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c >index 8c7c1c3..dac8aa9 100644 >--- a/source3/libads/kerberos_keytab.c >+++ b/source3/libads/kerberos_keytab.c >@@ -61,10 +61,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) > char *short_princ_s = NULL; > char *salt_princ_s = NULL; > char *password_s = NULL; >- char *my_fqdn; > TALLOC_CTX *tmpctx = NULL; >- char *machine_name; >- ADS_STATUS aderr; > int i; > > initialize_krb5_error_table(); >@@ -98,7 +95,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) > password.data = password_s; > password.length = strlen(password_s); > >- /* we need the dNSHostName value here */ > tmpctx = talloc_init(__location__); > if (!tmpctx) { > DEBUG(0, (__location__ ": talloc_init() failed!\n")); 
>@@ -106,24 +102,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) > goto out; > } > >- my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name()); >- if (!my_fqdn) { >- DEBUG(0, (__location__ ": unable to determine machine " >- "account's dns name in AD!\n")); >- ret = -1; >- goto out; >- } >- >- machine_name = ads_get_samaccountname(ads, tmpctx, lp_netbios_name()); >- if (!machine_name) { >- DEBUG(0, (__location__ ": unable to determine machine " >- "account's short name in AD!\n")); >- ret = -1; >- goto out; >- } >- /*strip the trailing '$' */ >- machine_name[strlen(machine_name)-1] = '\0'; >- > /* Construct our principal */ > if (strchr_m(srvPrinc, '@')) { > /* It's a fully-named principal. */ 
>@@ -132,51 +110,14 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) > ret = -1; > goto out; > } >- } else if (srvPrinc[strlen(srvPrinc)-1] == '$') { >- /* It's the machine account, as used by smbclient clients. */ >- princ_s = talloc_asprintf(tmpctx, "%s@%s", >- srvPrinc, lp_realm()); >- if (!princ_s) { >- ret = -1; >- goto out; >- } > } else { >- /* It's a normal service principal. Add the SPN now so that we >- * can obtain credentials for it and double-check the salt value >- * used to generate the service's keys. */ >- >- princ_s = talloc_asprintf(tmpctx, "%s/%s@%s", >- srvPrinc, my_fqdn, lp_realm()); >+ /* Add our default realm. */ >+ princ_s = talloc_asprintf(tmpctx, "%s@%s", >+ srvPrinc, lp_realm()); > if (!princ_s) { > ret = -1; > goto out; > } >- short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s", >- srvPrinc, machine_name, >- lp_realm()); >- if (short_princ_s == NULL) { >- ret = -1; >- goto out; >- } >- >- /* According to http://support.microsoft.com/kb/326985/en-us, >- certain principal names are automatically mapped to the >- host/... principal in the AD account. >- So only create these in the keytab, not in AD. --jerry */ >- >- if (!strequal(srvPrinc, "cifs") && >- !strequal(srvPrinc, "host")) { >- DEBUG(3, (__location__ ": Attempting to add/update " >- "'%s'\n", princ_s)); >- >- aderr = ads_add_service_principal_name(ads, >- lp_netbios_name(), my_fqdn, srvPrinc); >- if (!ADS_ERR_OK(aderr)) { >- DEBUG(1, (__location__ ": failed to " >- "ads_add_service_principal_name.\n")); >- goto out; >- } >- } > } > > kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); >@@ -357,12 +298,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > goto done; > } > >- p = strchr_m(srv_princ, '/'); >- if (p == NULL) { >- continue; >- } >- p[0] = '\0'; >- > /* Add the SPNs found on the DC */ > ret = ads_keytab_add_entry(ads, srv_princ); > if (ret != 0) { >-- >2.9.0 >
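Review bot: `short_princ_s` stays declared and initialised to NULL in the first hunk (`char *short_princ_s = NULL;`), but the hunk starting at line 132 deletes its only assignment (`short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s", srvPrinc, machine_name, lp_realm());`). If the function still writes a keytab entry for the short-name principal further down, that path is now unreachable; either remove the variable together with its consumer, or keep the assignment if the NetBIOS-name form of the principal is still meant to land in the keytab.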
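Review bot: the merged `else` branch in the hunk at line 132 changes what an unqualified name means. Before, a bare `cifs` became `cifs/<dNSHostName>@REALM` and the SPN was registered in AD first (the removed comment says this was done "so that we can obtain credentials for it"); after, it becomes `cifs@REALM` and nothing is written to AD. That matches the intent in the commit message, but any caller that still passes a bare service name will silently get a different keytab entry with no matching SPN in AD. Please state in the commit message that callers are now expected to pass `service/host` or a full `name@REALM`, and consider failing with an error for a name that contains neither '/' nor '@' instead of appending the realm to it.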
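Review bot: in the last hunk (ads_keytab_create_default, line 357) the removal of `p = strchr_m(srv_princ, '/');` and `p[0] = '\0';` leaves `p` unreferenced in the visible code; if nothing else in the function uses it, drop its declaration as well to avoid an unused-variable warning. The SPNs read from the DC are now handed to ads_keytab_add_entry() whole as `service/host`, which relies on the new `%s@%s` branch to append the realm; a short comment next to `/* Add the SPNs found on the DC */` noting that the full SPN is passed through would make that dependency explicit.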