The Samba-Bugzilla – Attachment 14193 Details for
Bug 13429
kvno off by one after net ads changetrustpw
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
potential fix that calculates the kvno
kvno_fix.patch (text/plain), 8.96 KB, created by
David Mulder
on 2018-05-10 16:46:45 UTC
(
hide
)
Description:
potential fix that calculates the kvno
Filename:
MIME Type:
Creator:
David Mulder
Created:
2018-05-10 16:46:45 UTC
Size:
8.96 KB
patch
obsolete
>diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h >index 154bf67f964..879534f9528 100644 >--- a/source3/libads/ads_proto.h >+++ b/source3/libads/ads_proto.h >@@ -32,6 +32,8 @@ > #ifndef _LIBADS_ADS_PROTO_H_ > #define _LIBADS_ADS_PROTO_H_ > >+#include "krb5.h" >+ > /* The following definitions come from libads/ads_struct.c */ > > char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse); >@@ -50,9 +52,9 @@ void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descripto > /* The following definitions come from libads/kerberos_keytab.c */ > > int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, >- bool update_ads); >+ bool update_ads, krb5_kvno *kvno); > int ads_keytab_flush(ADS_STRUCT *ads); >-int ads_keytab_create_default(ADS_STRUCT *ads); >+int ads_keytab_create_default(ADS_STRUCT *ads, krb5_kvno *kvno); > int ads_keytab_list(const char *keytab_name); > > /* The following definitions come from libads/net_ads_setspn.c */ >diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c >index 8eb7b2a7c6b..5ff18123b63 100644 >--- a/source3/libads/kerberos_keytab.c >+++ b/source3/libads/kerberos_keytab.c >@@ -232,13 +232,16 @@ out: > Adds a single service principal, i.e. 'host' to the system keytab > ***********************************************************************/ > >-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) >+int ads_keytab_add_entry(ADS_STRUCT *ads, >+ const char *srvPrinc, >+ bool update_ads, >+ krb5_kvno *kvno) > { > krb5_error_code ret = 0; > krb5_context context = NULL; > krb5_keytab keytab = NULL; > krb5_data password; >- krb5_kvno kvno; >+ krb5_kvno lkvno; > krb5_enctype enctypes[6] = { > ENCTYPE_DES_CBC_CRC, > ENCTYPE_DES_CBC_MD5, >@@ -359,13 +362,18 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) > } > } > >- kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); >- if (kvno == -1) { >- /* -1 indicates failure, everything else is OK */ >- DEBUG(1, (__location__ ": ads_get_machine_kvno failed to " >- "determine the system's kvno.\n")); >- ret = -1; >- goto out; >+ if (!kvno) { >+ lkvno = >+ (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); >+ if (lkvno == -1) { >+ /* -1 indicates failure, everything else is OK */ >+ DEBUG(1, (__location__ >+ ": ads_get_machine_kvno failed to " >+ "determine the system's kvno.\n")); >+ ret = -1; >+ goto out; >+ } >+ kvno = &lkvno; > } > > salt_princ_s = kerberos_secrets_fetch_salt_princ(); >@@ -380,7 +388,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) > /* add the fqdn principal to the keytab */ > ret = smb_krb5_kt_add_entry(context, > keytab, >- kvno, >+ *kvno, > princ_s, > salt_princ_s, > enctypes[i], >@@ -396,7 +404,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) > if (short_princ_s) { > ret = smb_krb5_kt_add_entry(context, > keytab, >- kvno, >+ *kvno, > short_princ_s, > salt_princ_s, > enctypes[i], >@@ -490,14 +498,14 @@ out: > Adds all the required service principals to the system keytab. > ***********************************************************************/ > >-int ads_keytab_create_default(ADS_STRUCT *ads) >+int ads_keytab_create_default(ADS_STRUCT *ads, krb5_kvno *kvno) > { > krb5_error_code ret = 0; > krb5_context context = NULL; > krb5_keytab keytab = NULL; > krb5_kt_cursor cursor = {0}; > krb5_keytab_entry kt_entry = {0}; >- krb5_kvno kvno; >+ krb5_kvno lkvno; > size_t found = 0; > char *sam_account_name, *upn; > char **oldEntries = NULL, *princ_s[26]; >@@ -528,6 +536,23 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > goto done; > } > >+ machine_name = talloc_strdup(frame, lp_netbios_name()); >+ if (!machine_name) { >+ ret = -1; >+ goto done; >+ } >+ >+ if (!kvno) { >+ lkvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name); >+ if (lkvno == (krb5_kvno)-1) { >+ DEBUG(1, (__location__ >+ ": ads_get_machine_kvno() failed to " >+ "determine the system's kvno.\n")); >+ goto done; >+ } >+ kvno = &lkvno; >+ } >+ > for (i = 0; i < num_spns; i++) { > char *srv_princ; > char *p; >@@ -545,7 +570,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > p[0] = '\0'; > > /* Add the SPNs found on the DC */ >- ret = ads_keytab_add_entry(ads, srv_princ, false); >+ ret = ads_keytab_add_entry(ads, srv_princ, false, kvno); > if (ret != 0) { > DEBUG(1, ("ads_keytab_add_entry failed while " > "adding '%s' principal.\n", >@@ -576,12 +601,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > goto done; > } > >- machine_name = talloc_strdup(frame, lp_netbios_name()); >- if (!machine_name) { >- ret = -1; >- goto done; >- } >- > /* now add the userPrincipalName and sAMAccountName entries */ > ok = ads_has_samaccountname(ads, frame, machine_name); > if (!ok) { >@@ -607,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > goto done; > } > >- ret = ads_keytab_add_entry(ads, sam_account_name, false); >+ ret = ads_keytab_add_entry(ads, sam_account_name, false, NULL); > if (ret != 0) { > DEBUG(1, (__location__ ": ads_keytab_add_entry() failed " > "while adding sAMAccountName (%s)\n", >@@ -618,7 +637,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > /* remember that not every machine account will have a upn */ > upn = ads_get_upn(ads, frame, machine_name); > if (upn) { >- ret = ads_keytab_add_entry(ads, upn, false); >+ ret = ads_keytab_add_entry(ads, upn, false, NULL); > if (ret != 0) { > DEBUG(1, (__location__ ": ads_keytab_add_entry() " > "failed while adding UPN (%s)\n", upn)); >@@ -627,12 +646,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > } > > /* Now loop through the keytab and update any other existing entries */ >- kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name); >- if (kvno == (krb5_kvno)-1) { >- DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to " >- "determine the system's kvno.\n")); >- goto done; >- } > > DEBUG(3, (__location__ ": Searching for keytab entries to preserve " > "and update.\n")); >@@ -680,7 +693,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > } > > while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) { >- if (kt_entry.vno != kvno) { >+ if (kt_entry.vno != *kvno) { > char *ktprinc = NULL; > char *p; > >@@ -732,7 +745,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads) > > ret = 0; > for (i = 0; oldEntries[i]; i++) { >- ret |= ads_keytab_add_entry(ads, oldEntries[i], false); >+ ret |= ads_keytab_add_entry(ads, oldEntries[i], false, NULL); > TALLOC_FREE(oldEntries[i]); > } > >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index a9405e8d288..06d130aeff1 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c >@@ -809,7 +809,7 @@ static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, > return true; > } > >- if (ads_keytab_create_default(r->in.ads) != 0) { >+ if (ads_keytab_create_default(r->in.ads, NULL) != 0) { > return false; > } > >diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c >index ffa67d8f525..69df6b3d235 100644 >--- a/source3/utils/net_ads.c >+++ b/source3/utils/net_ads.c >@@ -2341,6 +2341,7 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) > char *host_principal; > fstring my_name; > ADS_STATUS ret; >+ krb5_kvno kvno; > > if (c->display_usage) { > d_printf( "%s\n" >@@ -2376,6 +2377,7 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) > } > d_printf(_("Changing password for principal: %s\n"), host_principal); > >+ kvno = (krb5_kvno)ads_get_machine_kvno(ads, my_name); > ret = ads_change_trust_account_password(ads, host_principal); > > if (!ADS_ERR_OK(ret)) { >@@ -2386,10 +2388,14 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) > } > > d_printf(_("Password change for principal %s succeeded.\n"), host_principal); >+ if (kvno != (krb5_kvno)ads_get_machine_kvno(ads, my_name)) { >+ d_printf(_( >+ "Server reported different kvno than calculated kvno!\n")); >+ } > > if (USE_SYSTEM_KEYTAB) { > d_printf(_("Attempting to update system keytab with new password.\n")); >- if (ads_keytab_create_default(ads)) { >+ if (ads_keytab_create_default(ads, &kvno)) { > d_printf(_("Failed to update system keytab.\n")); > } > } >@@ -2630,7 +2636,7 @@ static int net_ads_keytab_add(struct net_context *c, > return -1; > } > for (i = 0; i < argc; i++) { >- ret |= ads_keytab_add_entry(ads, argv[i], update_ads); >+ ret |= ads_keytab_add_entry(ads, argv[i], update_ads, NULL); > } > ads_destroy(&ads); > return ret; >@@ -2667,7 +2673,7 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a > if (!ADS_ERR_OK(ads_startup(c, true, &ads))) { > return -1; > } >- ret = ads_keytab_create_default(ads); >+ ret = ads_keytab_create_default(ads, NULL); > ads_destroy(&ads); > return ret; > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 13429
: 14193