The Samba-Bugzilla – Attachment 12909 Details for
Bug 12515
create_local_private_krb5_conf_for_domain should generate entries for kpasswd_sever
[patch]
Proposed fix
0001-libads-generate-associated-kpasswd_server-entries.patch (text/plain), 3.00 KB, created by
Matthieu Patou
on 2017-02-09 01:38:37 UTC
>From c4325a2a21e7953a2d77225f6d1bacf7f9b5c083 Mon Sep 17 00:00:00 2001 >From: Matthieu Patou <mat@matws.net> >Date: Wed, 8 Feb 2017 16:58:36 -0800 >Subject: [PATCH] libads: generate associated kpasswd_server entries > >When changing password using kerberos, Samba is delegating the work to >kerberos library. MIT Kerberos at least is using _kpasswd records to >locate the kpasswd server when doing password changes. Without the >change kerberos will use any server in the domain. With this change we >insure that the notion of site is taken into account and that kerberos >is contacting closer DCs. > >Change-Id: I03c51716180064a90942c1a9691eee01989df7ad >--- > source3/libads/kerberos.c | 32 ++++++++++++++++++++++++-------- > 1 file changed, 24 insertions(+), 8 deletions(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index dcb268e..36fb16b 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -763,11 +763,18 @@ static char *get_kdc_ip_string(char *mem_ctx, > char *result = NULL; > struct netlogon_samlogon_response **responses = NULL; > NTSTATUS status; >- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "", >+ const char KRB_TEMPLATE_ENTRY[] = "%s\t\t%s = %s\n"; >+ const char KDC_ENTRY[] = "kdc"; >+ const char KPASSWD_ENTRY[] = "kpasswd_server"; >+ char *kdc_str = talloc_asprintf(mem_ctx, KRB_TEMPLATE_ENTRY, "", KDC_ENTRY, >+ print_canonical_sockaddr_with_port(mem_ctx, pss)); >+ char *kpasswd_str = talloc_asprintf(mem_ctx, KRB_TEMPLATE_ENTRY, "", KPASSWD_ENTRY, > print_canonical_sockaddr_with_port(mem_ctx, pss)); > >- if (kdc_str == NULL) { >+ if (kdc_str == NULL || kpasswd_str == NULL) { > TALLOC_FREE(frame); >+ TALLOC_FREE(kdc_str); >+ TALLOC_FREE(kpasswd_str); > return NULL; > } 
> >@@ -860,26 +867,35 @@ static char *get_kdc_ip_string(char *mem_ctx, > > for (i=0; i<num_dcs; i++) { > char *new_kdc_str; >+ char *new_kpasswd_str; > > if (responses[i] == NULL) { > continue; > } > > /* Append to the string - inefficient but not done often. */ >- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", >- kdc_str, >+ new_kdc_str = talloc_asprintf(mem_ctx, KRB_TEMPLATE_ENTRY, >+ kdc_str, KDC_ENTRY, >+ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])); >+ new_kpasswd_str = talloc_asprintf(mem_ctx, KRB_TEMPLATE_ENTRY, >+ kpasswd_str, KPASSWD_ENTRY, > print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])); >- if (new_kdc_str == NULL) { >+ if (new_kdc_str == NULL || new_kpasswd_str == NULL) { > goto out; > } > TALLOC_FREE(kdc_str); >+ TALLOC_FREE(kpasswd_str); > kdc_str = new_kdc_str; >+ kpasswd_str = new_kpasswd_str; > } > > out: >- DEBUG(10, ("get_kdc_ip_string: Returning %s\n", kdc_str)); >- >- result = kdc_str; >+ if (kdc_str != NULL && kpasswd_str != NULL) { >+ result = talloc_asprintf(mem_ctx, "%s%s", kdc_str, kpasswd_str); >+ } >+ TALLOC_FREE(kdc_str); >+ TALLOC_FREE(kpasswd_str); >+ DEBUG(10, ("get_kdc_ip_string: Returning %s\n", result)); > SAFE_FREE(ip_srv_site); > SAFE_FREE(ip_srv_nonsite); > TALLOC_FREE(frame); >-- >2.7.4 >
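Review bot: In the first hunk (@@ -763,11 +763,18 @@), the initial kpasswd_str is built from the same print_canonical_sockaddr_with_port(mem_ctx, pss) output as kdc_str, so whatever port that string carries is written for kpasswd_server as well as for kdc. kpasswd normally listens on 464, not on the KDC port, so please confirm that the string carries no KDC-specific port here, or format the kpasswd_server value separately. Two smaller points: the helper is now called twice for identical output, leaving two temporaries on mem_ctx where one local could be reused for both entries, and the upper-case names KRB_TEMPLATE_ENTRY, KDC_ENTRY and KPASSWD_ENTRY read like macros although they are function-local arrays, so either #define them or use lower-case names.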
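Review bot: In the second hunk (@@ -860,26 +867,35 @@), when only one of the two talloc_asprintf calls in the loop fails, the "goto out" path frees kdc_str and kpasswd_str but not the new_kdc_str or new_kpasswd_str that did succeed, so that string stays on mem_ctx until the context itself is freed. Free both new_* pointers before the goto, or check each allocation separately. Also at "out:", result is still NULL if the final talloc_asprintf fails (or if either input is NULL), and it is then passed to "%s" in the DEBUG(10, ...) call. Guard the debug line or print a placeholder for that case. It would help to state in the commit message that the returned string now holds all kdc lines followed by all kpasswd_server lines, since callers embed it verbatim in the generated krb5.conf.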