The Samba-Bugzilla – Attachment 15522 Details for Bug 13884: Joining Active Directory should not use SAMR to set the password
[patch] patch for 4.10
v4.10.patch (text/plain), 40.25 KB, created by Andreas Schneider on 2019-10-09 15:27:45 UTC
Attachment flags: patch, obsolete
>From 0d1179d5c3585678e6b4097425a4137b8666d333 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 8 Aug 2019 14:35:38 +0200 >Subject: [PATCH 01/11] testprogs: Fix failure count in test_net_ads.sh > >There are missing ` at the end of the line. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37) >--- > testprogs/blackbox/test_net_ads.sh | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh >index d3c4de5b741..512aa9d2952 100755 >--- a/testprogs/blackbox/test_net_ads.sh >+++ b/testprogs/blackbox/test_net_ads.sh 
>@@ -141,10 +141,10 @@ testit "test spn service doensn't exist in AD but is present in keytab file afte > # SPN parser is very basic but does detect some illegal combination > > windows_spn="$spn_service/$spn_host:" >-testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1 >+testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` > > windows_spn="$spn_service/$spn_host/" >-testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1 >+testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` > > testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` > >-- >2.23.0 > > >From 5acc6ededece33202fe3aa26cb9de9c052e32ba2 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 13 Aug 2019 17:06:58 +0200 >Subject: [PATCH 02/11] s3:libads: Use ldap_add_ext_s() in ads_gen_add() > >ldap_add_s() is marked as deprecated. 
> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64) >--- > source3/libads/ldap.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index 8d13a7cf18c..d409d4ab78e 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -1596,7 +1596,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) > /* make sure the end of the list is NULL */ > mods[i] = NULL; > >- ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods); >+ ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL); > ads_print_error(ret, ads->ldap.ld); > TALLOC_FREE(utf8_dn); > return ADS_ERROR(ret); >-- >2.23.0 > > >From 17d370a97ee2c7e6359aafc0248efae90c654857 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 13 Aug 2019 17:41:40 +0200 >Subject: [PATCH 03/11] s3:libnet: Require sealed LDAP SASL connections for > joining > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f) >--- > libgpo/pygpo.c | 2 +- > source3/lib/netapi/joindomain.c | 5 ++++- > source3/libads/ads_proto.h | 9 ++++++++- > source3/libads/ads_struct.c | 14 +++++++++++++- > source3/libads/ldap.c | 4 ++-- > source3/libnet/libnet_join.c | 3 ++- > source3/libsmb/namequery_dc.c | 2 +- > source3/printing/nt_printing_ads.c | 6 +++--- > source3/utils/net_ads.c | 13 +++++++++---- > source3/winbindd/winbindd_ads.c | 5 ++++- > source3/winbindd/winbindd_cm.c | 5 ++++- > 11 files changed, 51 insertions(+), 17 deletions(-) > >diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c >index cd107318860..4db8cad7ca4 100644 >--- a/libgpo/pygpo.c >+++ b/libgpo/pygpo.c 
>@@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds) > return -1; > } > >- self->ads_ptr = ads_init(realm, workgroup, ldap_server); >+ self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN); > if (self->ads_ptr == NULL) { > return -1; > } >diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c >index ff2154ba803..8d0752f4531 100644 >--- a/source3/lib/netapi/joindomain.c >+++ b/source3/lib/netapi/joindomain.c >@@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx, > > dc = strip_hostname(info->dc_unc); > >- ads = ads_init(info->domain_name, info->domain_name, dc); >+ ads = ads_init(info->domain_name, >+ info->domain_name, >+ dc, >+ ADS_SASL_PLAIN); > if (!ads) { > return WERR_GEN_FAILURE; > } >diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h >index 154bf67f964..92bb3a22cdb 100644 >--- a/source3/libads/ads_proto.h >+++ b/source3/libads/ads_proto.h >@@ -32,6 +32,12 @@ > #ifndef _LIBADS_ADS_PROTO_H_ > #define _LIBADS_ADS_PROTO_H_ > >+enum ads_sasl_state_e { >+ ADS_SASL_PLAIN = 0, >+ ADS_SASL_SIGN, >+ ADS_SASL_SEAL, >+}; >+ > /* The following definitions come from libads/ads_struct.c */ > > char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse); >@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm); > char *ads_build_domain(const char *dn); > ADS_STRUCT *ads_init(const char *realm, > const char *workgroup, >- const char *ldap_server); >+ const char *ldap_server, >+ enum ads_sasl_state_e sasl_state); > bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); > void ads_destroy(ADS_STRUCT **ads); > >diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c >index 3ab682c0e38..043a1b21247 100644 >--- a/source3/libads/ads_struct.c >+++ b/source3/libads/ads_struct.c 
>@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn) > */ > ADS_STRUCT *ads_init(const char *realm, > const char *workgroup, >- const char *ldap_server) >+ const char *ldap_server, >+ enum ads_sasl_state_e sasl_state) > { > ADS_STRUCT *ads; > int wrap_flags; >@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm, > wrap_flags = 0; > } > >+ switch (sasl_state) { >+ case ADS_SASL_PLAIN: >+ break; >+ case ADS_SASL_SIGN: >+ wrap_flags |= ADS_AUTH_SASL_SIGN; >+ break; >+ case ADS_SASL_SEAL: >+ wrap_flags |= ADS_AUTH_SASL_SEAL; >+ break; >+ } >+ > ads->auth.flags = wrap_flags; > > /* Start with the configured page size when the connection is new, >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index d409d4ab78e..7bdda4b1768 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -2964,7 +2964,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads) > > if ( !ads->ldap.ld ) { > if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, >- ads->server.ldap_server )) == NULL ) >+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL ) > { > status = ADS_ERROR(LDAP_NO_MEMORY); > goto done; >@@ -3026,7 +3026,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val) > > if ( !ads->ldap.ld ) { > if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, >- ads->server.ldap_server )) == NULL ) >+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL ) > { > status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); > goto done; >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index b876d7ea89f..a512afc238a 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c >@@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, > > my_ads = ads_init(dns_domain_name, > netbios_domain_name, >- dc_name); >+ dc_name, >+ ADS_SASL_SEAL); > if (!my_ads) { > return ADS_ERROR_LDAP(LDAP_NO_MEMORY); > } 
>diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c >index 4ee5b5278e4..f63dde61603 100644 >--- a/source3/libsmb/namequery_dc.c >+++ b/source3/libsmb/namequery_dc.c >@@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain, > > /* Try this 3 times then give up. */ > for( i =0 ; i < 3; i++) { >- ads = ads_init(realm, domain, NULL); >+ ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN); > if (!ads) { > TALLOC_FREE(sitename); > return False; >diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c >index 2588e1de7e7..a82f1361fc8 100644 >--- a/source3/printing/nt_printing_ads.c >+++ b/source3/printing/nt_printing_ads.c >@@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer, > return WERR_NOT_ENOUGH_MEMORY; > } > >- ads = ads_init(lp_realm(), lp_workgroup(), NULL); >+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); > if (ads == NULL) { > result = WERR_RPC_S_SERVER_UNAVAILABLE; > goto out; >@@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx, > > TALLOC_FREE(sinfo2); > >- ads = ads_init(lp_realm(), lp_workgroup(), NULL); >+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); > if (!ads) { > DEBUG(3, ("ads_init() failed\n")); > win_rc = WERR_RPC_S_SERVER_UNAVAILABLE; >@@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx) > tmp_ctx = talloc_new(NULL); > if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY; > >- ads = ads_init(lp_realm(), lp_workgroup(), NULL); >+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); > if (!ads) { > DEBUG(3, ("ads_init() failed\n")); > return WERR_RPC_S_SERVER_UNAVAILABLE; >diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c >index d33031a0dbd..07a22098fb1 100644 >--- a/source3/utils/net_ads.c >+++ b/source3/utils/net_ads.c 
>@@ -620,7 +620,10 @@ retry_connect: > realm = assume_own_realm(c); > } > >- ads = ads_init(realm, c->opt_target_workgroup, c->opt_host); >+ ads = ads_init(realm, >+ c->opt_target_workgroup, >+ c->opt_host, >+ ADS_SASL_PLAIN); > > if (!c->opt_user_name) { > c->opt_user_name = "administrator"; >@@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha > ADS_STRUCT *ads; > ADS_STATUS status; > >- if ( (ads = ads_init( realm, workgroup, host )) == NULL ) { >+ ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN); >+ if (ads == NULL ) { > return -1; > } > >@@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st > * kinit with the machine password to do dns update. > */ > >- ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name); >+ ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN); > > if (ads_dns == NULL) { > d_fprintf(stderr, _("DNS update failed: out of memory!\n")); >@@ -2654,7 +2658,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv) > > /* use the realm so we can eventually change passwords for users > in realms other than default */ >- if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) { >+ ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN); >+ if (ads == NULL) { > return -1; > } > >diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c >index 922ca43764b..556b4523866 100644 >--- a/source3/winbindd/winbindd_ads.c >+++ b/source3/winbindd/winbindd_ads.c 
>@@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, > /* we don't want this to affect the users ccache */ > setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); > >- ads = ads_init(target_realm, target_dom_name, ldap_server); >+ ads = ads_init(target_realm, >+ target_dom_name, >+ ldap_server, >+ ADS_SASL_SEAL); > if (!ads) { > DEBUG(1,("ads_init for domain %s failed\n", target_dom_name)); > return ADS_ERROR(LDAP_NO_MEMORY); >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index 22d3dcaa92b..4bd03ed8b7a 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx, > > print_sockaddr(addr, sizeof(addr), pss); > >- ads = ads_init(domain->alt_name, domain->name, addr); >+ ads = ads_init(domain->alt_name, >+ domain->name, >+ addr, >+ ADS_SASL_PLAIN); > ads->auth.flags |= ADS_AUTH_NO_BIND; > ads->config.flags |= request_flags; > ads->server.no_fallback = true; >-- >2.23.0 > > >From 244ecd7d839340858e96d75118548942b44bbd5c Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 13 Aug 2019 16:30:07 +0200 >Subject: [PATCH 04/11] s3:libads: Cleanup error code paths in > ads_create_machine_acct() > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a) >--- > source3/libads/ldap.c | 34 +++++++++++++++++++++++----------- > 1 file changed, 23 insertions(+), 11 deletions(-) > >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index 7bdda4b1768..e492d0688a5 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c 
>@@ -2092,11 +2092,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > uint32_t etype_list) > { > ADS_STATUS ret; >- char *samAccountName, *controlstr; >- TALLOC_CTX *ctx; >+ char *samAccountName = NULL; >+ char *controlstr = NULL; >+ TALLOC_CTX *ctx = NULL; > ADS_MODLIST mods; > char *machine_escaped = NULL; >- char *new_dn; >+ char *new_dn = NULL; > const char *objectClass[] = {"top", "person", "organizationalPerson", > "user", "computer", NULL}; > LDAPMessage *res = NULL; >@@ -2110,13 +2111,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > return ret; > } > >- if (!(ctx = talloc_init("ads_add_machine_acct"))) >+ ctx = talloc_init("ads_add_machine_acct"); >+ if (ctx == NULL) { > return ADS_ERROR(LDAP_NO_MEMORY); >- >- ret = ADS_ERROR(LDAP_NO_MEMORY); >+ } > > machine_escaped = escape_rdn_val_string_alloc(machine_name); >- if (!machine_escaped) { >+ if (machine_escaped == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); > goto done; > } > >@@ -2131,17 +2133,26 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > ads_msgfree(ads, res); > > new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); >- samAccountName = talloc_asprintf(ctx, "%s$", machine_name); >+ if (new_dn == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } > >- if ( !new_dn || !samAccountName ) { >+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name); >+ if (samAccountName == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); > goto done; > } > >- if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) { >+ controlstr = talloc_asprintf(ctx, "%u", acct_control); >+ if (controlstr == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); > goto done; > } > >- if (!(mods = ads_init_mods(ctx))) { >+ mods = ads_init_mods(ctx); >+ if (mods == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); > goto done; > } 
> >@@ -2155,6 +2166,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > > etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); > if (etype_list_str == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); > goto done; > } > ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", >-- >2.23.0 > > >From 8d0e49716b7039fee4785186c67de774b34bd85b Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 21 Aug 2019 12:22:32 +0200 >Subject: [PATCH 05/11] s3:libads: Use a talloc_asprintf in > ads_find_machine_acct() > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357) >--- > source3/libads/ldap.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index e492d0688a5..3bc9a2a06aa 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -1367,18 +1367,22 @@ char *ads_parent_dn(const char *dn) > ADS_STATUS status; > char *expr; > const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; >+ TALLOC_CTX *frame = talloc_stackframe(); > > *res = NULL; > > /* the easiest way to find a machine account anywhere in the tree > is to look for hostname$ */ >- if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) { >- DEBUG(1, ("asprintf failed!\n")); >- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); >+ expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine); >+ if (expr == NULL) { >+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); >+ goto done; > } > > status = ads_search(ads, res, expr, attrs); >- SAFE_FREE(expr); >+ >+done: >+ TALLOC_FREE(frame); > return status; > } > >-- >2.23.0 > > >From be247641382d1cc730ab5cd1e8bebe92e1d3a6fc Mon Sep 17 00:00:00 2001 
>From: Andreas Schneider <asn@samba.org> >Date: Wed, 14 Aug 2019 13:01:19 +0200 >Subject: [PATCH 06/11] s3:libads: Fix detection if acount already exists in > ads_find_machine_count() > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d) >--- > source3/libads/ldap.c | 36 ++++++++++++++++++++++++++++-------- > 1 file changed, 28 insertions(+), 8 deletions(-) > >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index 3bc9a2a06aa..ec6ad61a55c 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -1366,7 +1366,21 @@ char *ads_parent_dn(const char *dn) > { > ADS_STATUS status; > char *expr; >- const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; >+ const char *attrs[] = { >+ /* This is how Windows checks for machine accounts */ >+ "objectClass", >+ "SamAccountName", >+ "userAccountControl", >+ "DnsHostName", >+ "ServicePrincipalName", >+ "unicodePwd", >+ >+ /* Additional attributes Samba checks */ >+ "msDS-SupportedEncryptionTypes", >+ "nTSecurityDescriptor", >+ >+ NULL >+ }; > TALLOC_CTX *frame = talloc_stackframe(); > > *res = NULL; >@@ -1380,6 +1394,11 @@ char *ads_parent_dn(const char *dn) > } > > status = ads_search(ads, res, expr, attrs); >+ if (ADS_ERR_OK(status)) { >+ if (ads_count_replies(ads, *res) != 1) { >+ status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT); >+ } >+ } > > done: > TALLOC_FREE(frame); 
>@@ -1867,11 +1886,11 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin > char *dn_string = NULL; > > ret = ads_find_machine_acct(ads, &res, machine_name); >- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { >+ if (!ADS_ERR_OK(ret)) { > DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name)); > DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name)); > ads_msgfree(ads, res); >- return ADS_ERROR(LDAP_NO_SUCH_OBJECT); >+ return ret; > } > > DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name)); >@@ -2027,12 +2046,12 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, > const char **servicePrincipalName = spns; > > ret = ads_find_machine_acct(ads, &res, machine_name); >- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { >+ if (!ADS_ERR_OK(ret)) { > DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n", > machine_name)); > DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n")); > ads_msgfree(ads, res); >- return ADS_ERROR(LDAP_NO_SUCH_OBJECT); >+ return ret; > } > > DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name)); >@@ -2127,7 +2146,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > } > > ret = ads_find_machine_acct(ads, &res, machine_escaped); >- if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) { >+ if (ADS_ERR_OK(ret)) { > DBG_DEBUG("Host account for %s already exists.\n", > machine_escaped); > ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); 
>@@ -3684,14 +3703,15 @@ ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname) > TALLOC_FREE(hostnameDN); > > status = ads_find_machine_acct(ads, &res, host); >- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { >+ if ((status.error_type == ENUM_ADS_ERROR_LDAP) && >+ (status.err.rc != LDAP_NO_SUCH_OBJECT)) { > DEBUG(3, ("Failed to remove host account.\n")); > SAFE_FREE(host); > return status; > } > > SAFE_FREE(host); >- return status; >+ return ADS_SUCCESS; > } > > /** >-- >2.23.0 > > >From d7485cee3652a91ac199f912d656713cf1ddafa9 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 14 Aug 2019 12:17:20 +0200 >Subject: [PATCH 07/11] s3:libads: Don't set supported encryption types during > account creation > >This is already handled by libnet_join_post_processing_ads_modify() >which calls libnet_join_set_etypes() if encrytion types should be set. > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38) >--- > source3/libads/ldap.c | 18 ------------------ > 1 file changed, 18 deletions(-) > >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index ec6ad61a55c..8fbd97e25e2 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -2127,12 +2127,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ > UF_DONT_EXPIRE_PASSWD |\ > UF_ACCOUNTDISABLE ); >- uint32_t func_level = 0; >- >- ret = ads_domain_func_level(ads, &func_level); >- if (!ADS_ERR_OK(ret)) { >- return ret; >- } > > ctx = talloc_init("ads_add_machine_acct"); > if (ctx == NULL) { 
>@@ -2184,18 +2178,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > ads_mod_strlist(ctx, &mods, "objectClass", objectClass); > ads_mod_str(ctx, &mods, "userAccountControl", controlstr); > >- if (func_level >= DS_DOMAIN_FUNCTION_2008) { >- const char *etype_list_str; >- >- etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); >- if (etype_list_str == NULL) { >- ret = ADS_ERROR(LDAP_NO_MEMORY); >- goto done; >- } >- ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", >- etype_list_str); >- } >- > ret = ads_gen_add(ads, new_dn, mods); > > done: >-- >2.23.0 > > >From f8f7158ac639c516e6dcdeca9d41b94ba6d06134 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 13 Aug 2019 16:34:34 +0200 >Subject: [PATCH 08/11] s3:libads: Fix creating machine account using LDAP > >This implements the same behaviour as Windows. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 > >Pair-Programmed-With: Guenther Deschner <gd@samba.org> >Signed-off-by: Guenther Deschner <gd@samba.org> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292) >--- > source3/libads/ads_proto.h | 4 +- > source3/libads/ldap.c | 118 +++++++++++++++++++++++++++++++---- > source3/libnet/libnet_join.c | 23 ++++--- > 3 files changed, 124 insertions(+), 21 deletions(-) > >diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h >index 92bb3a22cdb..495ef5d3325 100644 >--- a/source3/libads/ads_proto.h >+++ b/source3/libads/ads_proto.h 
>@@ -114,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_ > const char **spns); > ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > const char *machine_name, >+ const char *machine_password, > const char *org_unit, >- uint32_t etype_list); >+ uint32_t etype_list, >+ const char *dns_domain_name); > ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, > const char *org_unit, bool *moved); > int ads_count_replies(ADS_STRUCT *ads, void *res); >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index 8fbd97e25e2..81efda0cf30 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -1516,7 +1516,6 @@ ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, > name, (const void **) vals); > } > >-#if 0 > /** > * Add a single ber-encoded value to a mod list > * @param ctx An initialized TALLOC_CTX >@@ -1537,7 +1536,6 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, > return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES, > name, (const void **) values); > } >-#endif > > static void ads_print_error(int ret, LDAP *ld) > { >@@ -2111,8 +2109,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, > > ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > const char *machine_name, >+ const char *machine_password, > const char *org_unit, >- uint32_t etype_list) >+ uint32_t etype_list, >+ const char *dns_domain_name) > { > ADS_STATUS ret; > char *samAccountName = NULL; 
>@@ -2120,13 +2120,23 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > TALLOC_CTX *ctx = NULL; > ADS_MODLIST mods; > char *machine_escaped = NULL; >+ char *dns_hostname = NULL; > char *new_dn = NULL; >- const char *objectClass[] = {"top", "person", "organizationalPerson", >- "user", "computer", NULL}; >+ char *utf8_pw = NULL; >+ size_t utf8_pw_len = 0; >+ char *utf16_pw = NULL; >+ size_t utf16_pw_len = 0; >+ struct berval machine_pw_val; >+ bool ok; >+ const char **spn_array = NULL; >+ size_t num_spns = 0; >+ const char *spn_prefix[] = { >+ "HOST", >+ "RestrictedKrbHost", >+ }; >+ size_t i; > LDAPMessage *res = NULL; >- uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ >- UF_DONT_EXPIRE_PASSWD |\ >- UF_ACCOUNTDISABLE ); >+ uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT; > > ctx = talloc_init("ads_add_machine_acct"); > if (ctx == NULL) { >@@ -2139,10 +2149,9 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > goto done; > } > >+ /* Check if the machine account already exists. */ > ret = ads_find_machine_acct(ads, &res, machine_escaped); > if (ADS_ERR_OK(ret)) { >- DBG_DEBUG("Host account for %s already exists.\n", >- machine_escaped); > ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); > ads_msgfree(ads, res); > goto done; 
>@@ -2155,28 +2164,111 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > goto done; > } > >+ /* Create machine account */ >+ > samAccountName = talloc_asprintf(ctx, "%s$", machine_name); > if (samAccountName == NULL) { > ret = ADS_ERROR(LDAP_NO_MEMORY); > goto done; > } > >+ dns_hostname = talloc_asprintf(ctx, >+ "%s.%s", >+ machine_name, >+ dns_domain_name); >+ if (dns_hostname == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ /* Add dns_hostname SPNs */ >+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { >+ char *spn = talloc_asprintf(ctx, >+ "%s/%s", >+ spn_prefix[i], >+ dns_hostname); >+ if (spn == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ ok = add_string_to_array(spn_array, >+ spn, >+ &spn_array, >+ &num_spns); >+ if (!ok) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ } >+ >+ /* Add machine_name SPNs */ >+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { >+ char *spn = talloc_asprintf(ctx, >+ "%s/%s", >+ spn_prefix[i], >+ machine_name); >+ if (spn == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ ok = add_string_to_array(spn_array, >+ spn, >+ &spn_array, >+ &num_spns); >+ if (!ok) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ } >+ >+ /* Make sure to NULL terminate the array */ >+ spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1); >+ if (spn_array == NULL) { >+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); >+ } >+ spn_array[num_spns] = NULL; >+ > controlstr = talloc_asprintf(ctx, "%u", acct_control); > if (controlstr == NULL) { > ret = ADS_ERROR(LDAP_NO_MEMORY); > goto done; > } > >+ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); >+ if (utf8_pw == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ utf8_pw_len = strlen(utf8_pw); >+ >+ ok = convert_string_talloc(ctx, >+ CH_UTF8, CH_UTF16MUNGED, >+ utf8_pw, utf8_pw_len, >+ (void *)&utf16_pw, &utf16_pw_len); >+ if (!ok) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ 
} >+ >+ machine_pw_val = (struct berval) { >+ .bv_val = utf16_pw, >+ .bv_len = utf16_pw_len, >+ }; >+ > mods = ads_init_mods(ctx); > if (mods == NULL) { > ret = ADS_ERROR(LDAP_NO_MEMORY); > goto done; > } > >- ads_mod_str(ctx, &mods, "cn", machine_name); >- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName); >- ads_mod_strlist(ctx, &mods, "objectClass", objectClass); >+ ads_mod_str(ctx, &mods, "objectClass", "Computer"); >+ ads_mod_str(ctx, &mods, "SamAccountName", samAccountName); > ads_mod_str(ctx, &mods, "userAccountControl", controlstr); >+ ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname); >+ ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array); >+ ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val); > > ret = ads_gen_add(ads, new_dn, mods); > >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index a512afc238a..d5c8599beee 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c >@@ -338,10 +338,22 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, > /* Attempt to create the machine account and bail if this fails. > Assume that the admin wants exactly what they requested */ > >+ if (r->in.machine_password == NULL) { >+ r->in.machine_password = >+ trust_pw_new_value(mem_ctx, >+ r->in.secure_channel_type, >+ SEC_ADS); >+ if (r->in.machine_password == NULL) { >+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); >+ } >+ } >+ > status = ads_create_machine_acct(r->in.ads, > r->in.machine_name, >+ r->in.machine_password, > r->in.account_ou, >- r->in.desired_encryption_types); >+ r->in.desired_encryption_types, >+ r->out.dns_domain_name); > > if (ADS_ERR_OK(status)) { > DEBUG(1,("machine account creation created\n")); 
>@@ -2668,12 +2680,11 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, > if (ADS_ERR_OK(ads_status)) { > > /* >- * LDAP object create succeeded, now go to the rpc >- * password set routines >+ * LDAP object creation succeeded. > */ >- > r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; >- goto rpc_join; >+ >+ return WERR_OK; > } > > if (initial_account_ou != NULL) { >@@ -2687,8 +2698,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, > DBG_INFO("Failed to pre-create account in OU %s: %s\n", > r->in.account_ou, ads_errstr(ads_status)); > } >- rpc_join: >- > #endif /* HAVE_ADS */ > > if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && >-- >2.23.0 > > >From f37eaa71dbd1cb206e8f3bcf251fc42308aa561d Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 14 Aug 2019 10:15:19 +0200 >Subject: [PATCH 09/11] s3:libnet: Improve debug messages > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94) >--- > source3/libnet/libnet_join.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index d5c8599beee..31d1d221ed3 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c >@@ -356,7 +356,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, > r->out.dns_domain_name); > > if (ADS_ERR_OK(status)) { >- DEBUG(1,("machine account creation created\n")); >+ DBG_WARNING("Machine account successfully created\n"); > return status; > } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) && > (status.err.rc == LDAP_ALREADY_EXISTS)) { >@@ -364,7 +364,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, > } > > if (!ADS_ERR_OK(status)) { >- DEBUG(1,("machine account creation failed\n")); >+ DBG_WARNING("Failed to create machine account\n"); > return status; > } > >-- >2.23.0 
> > >From d590cf9739393e15aa4d9cc86ca56f93db6f1a2b Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 8 Aug 2019 14:40:04 +0200 >Subject: [PATCH 10/11] s3:libads: Just change the machine password if account > already exists > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 > >Pair-Programmed-With: Guenther Deschner <gd@samba.org> >Signed-off-by: Guenther Deschner <gd@samba.org> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521) >--- > source3/libads/ldap.c | 167 ++++++++++++++++++++++++++++++----- > source3/libnet/libnet_join.c | 1 + > 2 files changed, 146 insertions(+), 22 deletions(-) > >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index 81efda0cf30..afae46d2e79 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c 
>@@ -2098,6 +2098,127 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, > return ret; > } > >+static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads, >+ LDAPMessage *msg) >+{ >+ uint32_t acct_ctrl = 0; >+ bool ok; >+ >+ ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl); >+ if (!ok) { >+ return 0; >+ } >+ >+ return acct_ctrl; >+} >+ >+static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads, >+ LDAPMessage *msg, >+ const struct berval *machine_pw_val) >+{ >+ ADS_MODLIST mods; >+ ADS_STATUS ret; >+ TALLOC_CTX *frame = talloc_stackframe(); >+ uint32_t acct_control; >+ char *control_str = NULL; >+ const char *attrs[] = { >+ "objectSid", >+ NULL >+ }; >+ LDAPMessage *res = NULL; >+ char *dn = NULL; >+ >+ dn = ads_get_dn(ads, frame, msg); >+ if (dn == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ acct_control = ads_get_acct_ctrl(ads, msg); >+ if (acct_control == 0) { >+ ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); >+ goto done; >+ } >+ >+ /* >+ * Changing the password, disables the account. So we need to change the >+ * userAccountControl flags to enable it again. >+ */ >+ mods = ads_init_mods(frame); >+ if (mods == NULL) { >+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val); >+ >+ ret = ads_gen_mod(ads, dn, mods); >+ if (!ADS_ERR_OK(ret)) { >+ goto done; >+ } >+ TALLOC_FREE(mods); >+ >+ /* >+ * To activate the account, we need to disable and enable it. 
>+ */ >+ acct_control |= UF_ACCOUNTDISABLE; >+ >+ control_str = talloc_asprintf(frame, "%u", acct_control); >+ if (control_str == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ mods = ads_init_mods(frame); >+ if (mods == NULL) { >+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ ads_mod_str(frame, &mods, "userAccountControl", control_str); >+ >+ ret = ads_gen_mod(ads, dn, mods); >+ if (!ADS_ERR_OK(ret)) { >+ goto done; >+ } >+ TALLOC_FREE(mods); >+ TALLOC_FREE(control_str); >+ >+ /* >+ * Enable the account again. >+ */ >+ acct_control &= ~UF_ACCOUNTDISABLE; >+ >+ control_str = talloc_asprintf(frame, "%u", acct_control); >+ if (control_str == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ mods = ads_init_mods(frame); >+ if (mods == NULL) { >+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ ads_mod_str(frame, &mods, "userAccountControl", control_str); >+ >+ ret = ads_gen_mod(ads, dn, mods); >+ if (!ADS_ERR_OK(ret)) { >+ goto done; >+ } >+ TALLOC_FREE(mods); >+ TALLOC_FREE(control_str); >+ >+ ret = ads_search_dn(ads, &res, dn, attrs); >+ ads_msgfree(ads, res); >+ >+done: >+ talloc_free(frame); >+ >+ return ret; >+} >+ > /** > * adds a machine account to the ADS server > * @param ads An intialized ADS_STRUCT 
>@@ -2149,11 +2270,34 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > goto done; > } > >+ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); >+ if (utf8_pw == NULL) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ utf8_pw_len = strlen(utf8_pw); >+ >+ ok = convert_string_talloc(ctx, >+ CH_UTF8, CH_UTF16MUNGED, >+ utf8_pw, utf8_pw_len, >+ (void *)&utf16_pw, &utf16_pw_len); >+ if (!ok) { >+ ret = ADS_ERROR(LDAP_NO_MEMORY); >+ goto done; >+ } >+ >+ machine_pw_val = (struct berval) { >+ .bv_val = utf16_pw, >+ .bv_len = utf16_pw_len, >+ }; >+ > /* Check if the machine account already exists. */ > ret = ads_find_machine_acct(ads, &res, machine_escaped); > if (ADS_ERR_OK(ret)) { >- ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); >+ /* Change the machine account password */ >+ ret = ads_change_machine_acct(ads, res, &machine_pw_val); > ads_msgfree(ads, res); >+ > goto done; > } > ads_msgfree(ads, res); >@@ -2236,27 +2380,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, > goto done; > } > >- utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); >- if (utf8_pw == NULL) { >- ret = ADS_ERROR(LDAP_NO_MEMORY); >- goto done; >- } >- utf8_pw_len = strlen(utf8_pw); >- >- ok = convert_string_talloc(ctx, >- CH_UTF8, CH_UTF16MUNGED, >- utf8_pw, utf8_pw_len, >- (void *)&utf16_pw, &utf16_pw_len); >- if (!ok) { >- ret = ADS_ERROR(LDAP_NO_MEMORY); >- goto done; >- } >- >- machine_pw_val = (struct berval) { >- .bv_val = utf16_pw, >- .bv_len = utf16_pw_len, >- }; >- > mods = ads_init_mods(ctx); > if (mods == NULL) { > ret = ADS_ERROR(LDAP_NO_MEMORY); >diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c >index 31d1d221ed3..1052afde641 100644 >--- a/source3/libnet/libnet_join.c >+++ b/source3/libnet/libnet_join.c 
>@@ -968,6 +968,7 @@ static ADS_STATUS libnet_join_post_processing_ads_modify(TALLOC_CTX *mem_ctx, > > if (r->in.ads->auth.ccache_name != NULL) { > ads_kdestroy(r->in.ads->auth.ccache_name); >+ r->in.ads->auth.ccache_name = NULL; > } > > ads_destroy(&r->in.ads); >-- >2.23.0 > > >From 2209c01f8069d47b47c8fc5df376cc9c41c552e1 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 22 Aug 2019 16:31:30 +0200 >Subject: [PATCH 11/11] testprogs: Add test for 'net ads join createcomputer=' > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184 > >(cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f) >--- > testprogs/blackbox/test_net_ads.sh | 32 ++++++++++++++++++++++++++++-- > 1 file changed, 30 insertions(+), 2 deletions(-) > >diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh >index 512aa9d2952..cc8345c4624 100755 >--- a/testprogs/blackbox/test_net_ads.sh >+++ b/testprogs/blackbox/test_net_ads.sh >@@ -31,6 +31,16 @@ if [ -x "$BINDIR/ldbsearch" ]; then > ldbsearch="$BINDIR/ldbsearch" > fi > >+ldbadd="ldbadd" >+if [ -x "$BINDIR/ldbadd" ]; then >+ ldbadd="$BINDIR/ldbadd" >+fi >+ >+ldbdel="ldbdel" >+if [ -x "$BINDIR/ldbdel" ]; then >+ ldbdel="$BINDIR/ldbdel" >+fi >+ > # Load test functions > . `dirname $0`/subunit.sh 
> >@@ -188,8 +198,9 @@ testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME% > > testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1` > >-computers_ldb_ou="CN=Computers,DC=addom,DC=samba,DC=example,DC=com" >-testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_ldb_ou" || failed=`expr $failed + 1` >+base_dn="DC=addom,DC=samba,DC=example,DC=com" >+computers_dn="CN=Computers,$base_dn" >+testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` > > testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` 
> >@@ -198,6 +209,23 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` > ##Goodbye... > testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` > >+# >+# Test createcomputer option of 'net ads join' >+# >+testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER <<EOF >+dn: OU=Servers,$base_dn >+objectClass: organizationalUnit >+EOF >+ >+testit "join+createcomputer" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createcomputer=Servers || failed=`expr $failed + 1` >+ >+testit "ldb check for existence of machine account in OU=Servers" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,OU=Servers,$base_dn" || failed=`expr $failed + 1` >+ >+## Goodbye... >+testit "leave+createcomputer" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` >+ >+testit "Remove OU=Servers" $VALGRIND $ldbdel -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER "OU=Servers,$base_dn" >+ > rm -rf $BASEDIR/$WORKDIR > > exit $failed >-- >2.23.0 >
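Review bot: in the ads_create_machine_acct() hunk of source3/libads/ldap.c that adds `ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val);`, the password is now written by the same ads_gen_add() that creates the object, and nothing in the hunk documents the precondition this relies on: Active Directory only accepts a unicodePwd write over a connection that is encrypted (TLS or a SASL bind with sign/seal), so on an unprotected bind the add is rejected rather than producing an account with an unknown password. A comment at the ads_mod_ber() call, or a check of the connection's encryption state before building the mods, would make that failure mode clear. The hunk also drops the explicit `cn` modification and replaces the objectClass list with the single string "Computer"; if that is intentional (RDN-derived cn, superclass chain derived from the structural class) it deserves a sentence in the commit message.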
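Review bot: in the libnet_DomainJoin() hunk at @@ -2668,12 +2680,11 @@, the retained line `r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;` is now a dead store, since the function returns WERR_OK on the very next statement; either drop it or, if the caller reads r->in.join_flags afterwards, say so in a comment. The early return also skips everything that used to follow the removed `rpc_join:` label, including the WKSSVC_JOIN_FLAGS_JOIN_UNSECURE branch visible in the next hunk; that is the point of the bug (no SAMR password set after an LDAP create), but the comment that now reads only "LDAP object creation succeeded." should state that the password was already set via LDAP and the RPC path is deliberately not taken.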
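Review bot: in the two libnet_join_precreate_machine_acct() hunks of patch 09, the success message `DBG_WARNING("Machine account successfully created\n");` is logged at warning level, so every routine, successful join appears in logs tuned to warnings only; DBG_NOTICE, or the DBG_INFO already used for the "Failed to pre-create account in OU" message in the earlier hunk, fits a success path better, while DBG_WARNING is appropriate for the "Failed to create machine account" line.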
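Review bot: in the new ads_change_machine_acct() in the @@ -2098,6 +2098,127 @@ hunk of source3/libads/ldap.c, the trailing `ret = ads_search_dn(ads, &res, dn, attrs);` followed immediately by `ads_msgfree(ads, res);` discards the result, so the objectSid it requests is never used and a transient search failure overwrites the success status of the three modifications before it; either use the result or remove the search and the now-unused attrs array. The comment "Changing the password, disables the account" sits above the unicodePwd modification rather than the UF_ACCOUNTDISABLE toggling it explains, and the disable-then-enable sequence has no recovery path: if the second ads_gen_mod() fails after UF_ACCOUNTDISABLE was set, the function returns with the account left disabled and no log line saying so, which is the state an admin would most need to diagnose. ads_get_acct_ctrl() also folds a pull failure and a genuine value of 0 into the same return, which the caller then reports as LDAP_NO_RESULTS_RETURNED; returning the bool and passing the value out would keep the two cases apart.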
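Review bot: in the ads_create_machine_acct() hunk at @@ -2149,11 +2270,34 @@, replacing `ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);` with a call to ads_change_machine_acct() changes the function's contract: an existing computer object is now taken over by resetting its password and re-enabling it, and callers that branch on LDAP_ALREADY_EXISTS (the libnet_join_precreate_machine_acct() hunk in patch 09 still checks `status.err.rc == LDAP_ALREADY_EXISTS`) will no longer reach that branch. The doc comment "adds a machine account to the ADS server" should say that an existing account has its password reset instead, and the commit message should spell out that write access to an existing computer object is now sufficient to re-key it through this path, since that is the behaviour being relied on and what an auditor reading the join logs will see.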
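Review bot: in the test_net_ads.sh hunk at @@ -198,6 +209,23 @@, the new testit lines for "Create OU=Servers,$base_dn" and "Remove OU=Servers" lack the `|| failed=...` suffix that every other testit in the file carries, so a failed OU create or delete does not affect the exit status (the same omission patch 01 fixes for the keytab tests). Both also connect with `-H ldap://$SERVER` while the adjacent ldbsearch uses `ldap://$SERVER.$REALM`; use the same form so the three commands reach the DC the same way.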
Flags: ab: review+