The Samba-Bugzilla – Attachment 15035 Details for
Bug 13861
'net ads join' to child domain fails when using -U admin@forestroot
[patch]
patch for 4.8
v4-8-net_ads_join.patch (text/plain), 13.42 KB, created by
Andreas Schneider
on 2019-04-02 06:08:37 UTC
Description:
patch for 4.8
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2019-04-02 06:08:37 UTC
Size:
13.42 KB
patch
obsolete
>From 5badb4d509d8bc73831fa7c3ef348952e9934090 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Fri, 29 Mar 2019 11:34:53 +0100
>Subject: [PATCH 1/8] s3:libads: Print more information when LDAP fails
>
>Currently we just get an error but don't know what exactly we tried to
>do in 'net ads join -d10'.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
>---
> source3/libads/ldap.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
>diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
>index c18837cc524..726dfc1f078 100644
>--- a/source3/libads/ldap.c
>+++ b/source3/libads/ldap.c
>@@ -1519,8 +1519,10 @@ static void ads_print_error(int ret, LDAP *ld)
> if (ret != 0) {
> char *ld_error = NULL;
> ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
>- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
>- ldap_err2string(ret), ld_error));
>+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
>+ ret,
>+ ldap_err2string(ret),
>+ ld_error);
> SAFE_FREE(ld_error);
> }
> }
>@@ -1547,6 +1549,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
> (char) 1};
> LDAPControl *controls[2];
>
>+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
>+
> controls[0] = &PermitModify;
> controls[1] = NULL;
>
>@@ -1578,6 +1582,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
> char *utf8_dn = NULL;
> size_t converted_size;
>
>+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
>+
> if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
> DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
> return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
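Review bot: In the new `DBG_ERR` call in ads_print_error, `ld_error` is still handed to `%s` unconditionally although it starts out NULL and the `ldap_get_option()` return value is not checked, so a failed or empty option lookup can pass a NULL pointer to the formatter (undefined behaviour in C; glibc merely happens to print "(null)"). Guard it in the call: `ld_error != NULL ? ld_error : "(no error string)"`. Moving this from level 10 to `DBG_ERR` also means every failing LDAP operation now appears at the default log level, including failures a caller deliberately tolerates; that is presumably intended, but worth a one-line comment stating that the noise is accepted so nobody quietly lowers it again. The other three hunks of this patch only log DNs at info level and look fine.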
>@@ -1610,6 +1616,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
> return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
> }
>
>+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
>+
> ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
> ads_print_error(ret, ads->ldap.ld);
> TALLOC_FREE(utf8_dn);
>-- 
>2.21.0
>
>
>From d3a51e7e76fa24ac90d57c24b6232d7c886862d2 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Wed, 27 Mar 2019 16:45:39 +0100
>Subject: [PATCH 2/8] s3:libsmb: Add some useful debug output to cliconnect
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
>---
> source3/libsmb/cliconnect.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index 7689910fae9..4191f1d8eb3 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -344,6 +344,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
> return NT_STATUS_OK;
> }
>
>+ DBG_INFO("Doing kinit for %s to access %s\n",
>+ user_principal, target_hostname);
>
> /*
> * TODO: This should be done within the gensec layer
>@@ -373,6 +375,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
> */
> }
>
>+ DBG_DEBUG("Successfully authenticated as %s to access %s using "
>+ "Kerberos\n",
>+ user_principal,
>+ target_hostname);
>+
> TALLOC_FREE(frame);
> return NT_STATUS_OK;
> }
>@@ -1292,6 +1299,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
> return tevent_req_post(req, ev);
> }
>
>+ DBG_INFO("Connect to %s as %s using SPNEGO\n",
>+ target_hostname,
>+ cli_credentials_get_principal(creds, talloc_tos()));
>+
> subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
> target_service, target_hostname);
> if (tevent_req_nomem(subreq, req)) {
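Review bot: In the cli_session_setup_spnego_send hunk the new `DBG_INFO` passes the result of `cli_credentials_get_principal(creds, talloc_tos())` straight to `%s`; that function can return NULL (for example when no username could be determined for the credential), which would hand a NULL pointer to the formatter. Capture it first and substitute a marker, e.g. `const char *princ = cli_credentials_get_principal(creds, talloc_tos());` and then `princ != NULL ? princ : "(unknown)"` as the argument. The string is allocated on the current talloc stack frame; whether this function owns a frame that frees it is not visible in the hunk, and if it does not, the allocation lives until the caller's frame is released. The enclosing function continues outside the hunk.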
>@@ -1495,6 +1506,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
> return tevent_req_post(req, ev);
> }
>
>+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
>+
> if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
> bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
> uint8_t *bytes = NULL;
>-- 
>2.21.0
>
>
>From 18db0977b3f145745097b953865185c21915c94b Mon Sep 17 00:00:00 2001
>From: Guenther Deschner <gd@samba.org>
>Date: Mon, 1 Apr 2019 17:46:39 +0200
>Subject: [PATCH 3/8] s3:libnet: Fix debug message in libnet_DomainJoin()
>
>A newline is missing but also use DBG_INFO macro and cleanup spelling.
>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
>---
> source3/libnet/libnet_join.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 0595cfe64ab..3ebc5ae573d 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -2649,8 +2649,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> return WERR_NERR_DEFAULTJOINREQUIRED;
> }
>
>- DEBUG(5, ("failed to precreate account in ou %s: %s",
>- r->in.account_ou, ads_errstr(ads_status)));
>+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
>+ r->in.account_ou, ads_errstr(ads_status));
> }
> #endif /* HAVE_ADS */
>
>-- 
>2.21.0
>
>
>From 1a773900abe95f3c98e3eb78bf6d98fab6df1817 Mon Sep 17 00:00:00 2001
>From: Guenther Deschner <gd@samba.org>
>Date: Wed, 27 Mar 2019 17:51:04 +0100
>Subject: [PATCH 4/8] auth:ntlmssp: Add back CRAP ndr debug output
>
>This got lost somehow during refactoring. This is still viable
>information when trying to figure out what is going wrong when
>authenticating a user over NTLMSSP.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
>---
> auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
>diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
>index 54fda41b534..999fbe2ea34 100644
>--- a/auth/ntlmssp/ntlmssp_client.c
>+++ b/auth/ntlmssp/ntlmssp_client.c
>@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
> }
> }
>
>+ if (DEBUGLEVEL >= 10) {
>+ struct CHALLENGE_MESSAGE *challenge =
>+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
>+ if (challenge != NULL) {
>+ NTSTATUS status;
>+ challenge->NegotiateFlags = chal_flags;
>+ status = ntlmssp_pull_CHALLENGE_MESSAGE(
>+ &in, challenge, challenge);
>+ if (NT_STATUS_IS_OK(status)) {
>+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
>+ challenge);
>+ }
>+ TALLOC_FREE(challenge);
>+ }
>+ }
>+
> if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
> ntlmssp_state->server.is_standalone = true;
> } else {
>@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
> return nt_status;
> }
>
>+ if (DEBUGLEVEL >= 10) {
>+ struct AUTHENTICATE_MESSAGE *authenticate =
>+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
>+ if (authenticate != NULL) {
>+ NTSTATUS status;
>+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
>+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
>+ out, authenticate, authenticate);
>+ if (NT_STATUS_IS_OK(status)) {
>+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
>+ authenticate);
>+ }
>+ TALLOC_FREE(authenticate);
>+ }
>+ }
>+
> /*
> * We always include the MIC, even without:
> * av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
>-- 
>2.21.0
>
>
>From b7129f8761d4a3b7e64b1639e29845838ff968da Mon Sep 17 00:00:00 2001
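Review bot: The two new `NDR_PRINT_DEBUG` blocks in ntlmssp_client_challenge dump the decoded CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE at level 10, and nothing at either site says what that implies: the AUTHENTICATE_MESSAGE carries the user's NT/LM challenge responses and the encrypted session key, so a level-10 log of a join holds material that must be handled as a credential, not as ordinary debug output. A comment above each block, `/* Level 10 only: this dumps the raw NTLM challenge/response blobs, so such logs contain authentication material */`, would make that visible to whoever raises the log level in production. The second block parses `out`, i.e. the message this client is about to send, which is the right blob for the AUTHENTICATE dump. Both blocks free their temporary struct on every path inside the NULL check, which is fine as written.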
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 1 Apr 2019 15:59:10 +0200
>Subject: [PATCH 5/8] auth:creds: Prefer the principal over DOMAIN/username
> when using NTLM
>
>If we want to authenticate using -Wadmin@otherdomain the DC should do
>take care of the authentication with the right DC for us.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
>
>Pair-Programmed-With: Guenther Deschner <gd@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
>---
> auth/credentials/credentials.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
>index 4f3042e3152..5b13ffee809 100644
>--- a/auth/credentials/credentials.c
>+++ b/auth/credentials/credentials.c
>@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
> const char **username,
> const char **domain)
> {
>- if (cred->principal_obtained > cred->username_obtained) {
>+ if (cred->principal_obtained >= cred->username_obtained) {
> *domain = talloc_strdup(mem_ctx, "");
> *username = cli_credentials_get_principal(cred, mem_ctx);
> } else {
>-- 
>2.21.0
>
>
>From 2a7512202885160b7e22c9866bfc4963e1e5c150 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 1 Apr 2019 16:39:45 +0200
>Subject: [PATCH 6/8] s3:libnet: Use more secure name for the JOIN krb5.conf
>
>Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
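Review bot: The `>` to `>=` change in cli_credentials_get_ntlm_username_domain makes the principal branch win whenever both values were obtained at the same level, but the reason lives only in the commit message; a comment at the site, `/* On a tie prefer the principal (user@REALM): the DC then routes the NTLM authentication to the right domain for us. */`, keeps the rationale with the code. Equal levels also include the case where neither value was ever set, so credentials that used to take the `else` branch now go through `cli_credentials_get_principal()`, which can return NULL — worth confirming that callers tolerate a NULL `*username` next to an empty `*domain` there. The `else` branch and the rest of the function lie outside the hunk.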
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
>---
> source3/libnet/libnet_join.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 3ebc5ae573d..698311cd03b 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -2583,12 +2583,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> }
>
> /* The domain parameter is only used as modifier
>- * to krb5.conf file name. .JOIN is is not a valid
>+ * to krb5.conf file name. _JOIN_ is is not a valid
> * NetBIOS name so it cannot clash with another domain
> * -- Uri.
> */
>- create_local_private_krb5_conf_for_domain(
>- pre_connect_realm, ".JOIN", sitename, &ss);
>+ create_local_private_krb5_conf_for_domain(pre_connect_realm,
>+ "_JOIN_",
>+ sitename,
>+ &ss);
> }
>
> status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
>-- 
>2.21.0
>
>
>From 64910e0cdecb33e3e0d5c5087483c0d38bb32b7a Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 1 Apr 2019 16:47:26 +0200
>Subject: [PATCH 7/8] s3:libads: Make sure we can lookup KDCs which are not
> configured
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
>
>Pair-Programmed-With: Guenther Deschner <gd@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
>---
> source3/libads/kerberos.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index cfb09a704cb..fdedafba40f 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
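Review bot: The comment line touched in libnet_DomainJoin keeps the doubled word: `* to krb5.conf file name. _JOIN_ is is not a valid` should read `* to krb5.conf file name. _JOIN_ is not a valid`. The commit title calls the new name "more secure", but neither the message nor the comment says what was wrong with `.JOIN`; recording that reason in the same comment would spare the next reader from guessing. The comment's justification that `_JOIN_` cannot be a NetBIOS name is also worth double-checking, since underscores are generally accepted in NetBIOS names — if the real protection is something else (for instance the file name not colliding with a realm-derived name), say that instead.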
>@@ -672,11 +672,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> }
> #endif
>
>+ /*
>+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
>+ * KDCs which are not configured via DNS SRV records, eg. if we do:
>+ *
>+ * net ads join -Uadmin@otherdomain
>+ */
> file_contents =
> talloc_asprintf(fname,
>- "[libdefaults]\n\tdefault_realm = %s\n"
>+ "[libdefaults]\n"
>+ "\tdefault_realm = %s\n"
> "%s"
>- "\tdns_lookup_realm = false\n\n"
>+ "\tdns_lookup_realm = false\n"
>+ "\tdns_lookup_kdc = true\n\n"
> "[realms]\n\t%s = {\n"
> "%s\t}\n"
> "%s\n",
>-- 
>2.21.0
>
>
>From 22abeb43bfa2c196df4104d8a8a330e3eae2212f Mon Sep 17 00:00:00 2001
>From: Guenther Deschner <gd@samba.org>
>Date: Mon, 1 Apr 2019 17:40:03 +0200
>Subject: [PATCH 8/8] s3:ldap: Leave add machine code early for pre-existing
> accounts
>
>This avoids numerous LDAP constraint violation errors when we try to
>re-precreate an already existing machine account.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
>
>Pair-Programmed-With: Andreas Schneider <asn@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
>---
> source3/libads/ldap.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
>diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
>index 726dfc1f078..b4b8bfa09f5 100644
>--- a/source3/libads/ldap.c
>+++ b/source3/libads/ldap.c
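Review bot: The new comment above `file_contents` in create_local_private_krb5_conf_for_domain says the KDCs are "not configured via DNS SRV records", which reads as the opposite of what `dns_lookup_kdc = true` does: it lets libkrb5 fall back to DNS SRV lookup for realms that have no `kdc` entry in this generated file. Suggest `* Set dns_lookup_kdc = true so that KDCs of realms not listed in this` / `* file (e.g. the user's realm for 'net ads join -Uadmin@otherdomain')` / `* can still be located through DNS SRV records.` It is worth adding that `dns_lookup_realm` is intentionally left `false` on the line above, so DNS may influence which KDC is contacted but not which realm a host is mapped to — that is the distinction a reader of this file will want. The function continues outside the hunk.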
>@@ -2139,6 +2139,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
> goto done;
> }
>
>+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
>+ ads_msgfree(ads, res);
>+ if (ADS_ERR_OK(ret)) {
>+ DBG_DEBUG("Host account for %s already exists.\n",
>+ machine_escaped);
>+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
>+ goto done;
>+ }
>+
> new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
> samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
>
>@@ -2174,7 +2183,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
>
> done:
> SAFE_FREE(machine_escaped);
>- ads_msgfree(ads, res);
> talloc_destroy(ctx);
>
> return ret;
>-- 
>2.21.0
>
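Review bot: After `ads_msgfree(ads, res);` in the new existence probe of ads_create_machine_acct, `res` is left dangling for the rest of the function, and the second hunk removes the only other free at `done:`; any use of `res` in the part of the function between the two hunks (not visible here) would now be a use-after-free. Add `res = NULL;` directly after the free so a later access or free stays harmless. The early return also relies on ads_find_machine_acct() reporting a search with no matching entry as a failure rather than ADS_SUCCESS — a bare LDAP search with zero results succeeds — so worth confirming, otherwise every create would end in LDAP_ALREADY_EXISTS. Any other lookup failure (transport, permissions) is silently treated as "does not exist" and falls through to the add, which is acceptable for a best-effort probe but deserves a `DBG_DEBUG` of `ads_errstr(ret)` for the join log.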