From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 30 Aug 2019 00:22:15 +0300 Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and lp_dnsdomain() This make the join process much more reliable, and avoids "Constraint violation" error when the fqdn returned from getaddrinfo has already got assigned an SPN. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 Signed-off-by: Isaac Boukris Reviewed-by: Ralph Boehme Reviewed-by: Alexander Bokovoy --- source3/libnet/libnet_join.c | 31 +++++++++++------------------- testprogs/blackbox/test_net_ads.sh | 7 +++++-- 2 files changed, 16 insertions(+), 22 deletions(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 7943bef2cf6..818b3039cb9 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, } } - if (!name_to_fqdn(my_fqdn, r->in.machine_name) - || (strchr(my_fqdn, '.') == NULL)) { - fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, - r->out.dns_domain_name); - } + fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); if (!strlower_m(my_fqdn)) { return ADS_ERROR_LDAP(LDAP_NO_MEMORY); } - if (!strequal(my_fqdn, r->in.machine_name)) { - spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); - if (!spn) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } + spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); + if (spn == NULL) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } - ok = ads_element_in_array(spn_array, num_spns, spn); + ok = ads_element_in_array(spn_array, num_spns, spn); + if (!ok) { + ok = add_string_to_array(spn_array, spn, + &spn_array, &num_spns); if (!ok) { - ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); } } 
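Review bot: `fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());` replaces the name_to_fqdn() fallback with no check on its inputs, so if lp_dnsdomain() yields an empty string (no realm / dns domain configured) my_fqdn becomes `machine.` with a trailing dot and is then lowercased, registered as a `HOST/` SPN and written as dNSHostName. The following hunk removes the `r->out.dns_domain_name == NULL` guard from the alias loop, so the same gap exists there. Failing early with an explicit ADS error when lp_dnsdomain() is empty, before either fstr_sprintf, would turn a bad attribute write into a clear join failure. fstr_sprintf also truncates silently into the fixed-size fstring, which is pre-existing but matters more now that the name is built unconditionally. The body of libnet_join_set_machine_spn continues outside the hunk on both sides.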
@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, /* * Add HOST/netbiosname.domainname */ - if (r->out.dns_domain_name == NULL) { - continue; - } fstr_sprintf(my_fqdn, "%s.%s", *netbios_aliases, - r->out.dns_domain_name); + lp_dnsdomain()); spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); if (spn == NULL) { diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh index cc8345c4624..ef6f99ddea4 100755 --- a/testprogs/blackbox/test_net_ads.sh +++ b/testprogs/blackbox/test_net_ads.sh @@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]') -fqdns="$netbios.$lc_realm" +fqdn="$netbios.$lc_realm" krb_princ="primary/instance@$REALM" testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` 
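Review bot: `fstr_sprintf(my_fqdn, "%s.%s", *netbios_aliases, lp_dnsdomain());` writes each alias FQDN into the same `my_fqdn` buffer that this function later hands to `ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn)` (the write is visible as context in the patch 3 hunk of this series), so whenever `netbios aliases` is configured dNSHostName is set to the last alias's name rather than the host's own. Building the alias SPN without touching `my_fqdn`, e.g. `spn = talloc_asprintf(mem_ctx, "HOST/%s.%s", *netbios_aliases, lp_dnsdomain());`, would leave the buffer holding the primary FQDN for the attribute write. The alias name is also used verbatim here, while the primary FQDN is passed through strlower_m() first. The loop this sits in starts and ends outside the hunk.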
@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin service="nfs" testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` -search_str="$service/$fqdns@$REALM" +search_str="$service/$fqdn@$REALM" found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` @@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` +testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` +testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + ##Goodbye... testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -- 2.21.0 From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 18 Sep 2019 20:00:34 +0300 Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit room for indentation BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 Signed-off-by: Isaac Boukris Reviewed-by: Ralph Boehme Reviewed-by: Alexander Bokovoy --- source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------ 1 file changed, 47 insertions(+), 48 deletions(-) 
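Review bot: `testit_grep "check SPN" ${uc_netbios}.${lc_realm} ...` looks for an upper-case host part followed by a lower-case domain, but the C change in this patch lowercases the whole FQDN with strlower_m() before building `HOST/%s`, so this pattern only matches if testit_grep greps case-insensitively or the directory returns another casing; a pattern built from the lowercased name, such as `"HOST/$fqdn"`, would pin the value the code actually writes. Both new patterns are unquoted regexes in which `.` matches any character, so quoting them would also tighten the check. The `fqdns` → `fqdn` rename in the earlier hunks is fine.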
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 818b3039cb9..67ab50c68a8 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, /* Windows only creates HOST/shortname & HOST/fqdn. */ spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); - if (!spn) { + if (spn == NULL) { return ADS_ERROR_LDAP(LDAP_NO_MEMORY); } if (!strupper_m(spn)) { 
@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, } } - netbios_aliases = lp_netbios_aliases(); - if (netbios_aliases != NULL) { - for (; *netbios_aliases != NULL; netbios_aliases++) { - /* - * Add HOST/NETBIOSNAME - */ - spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); - if (spn == NULL) { - TALLOC_FREE(spn); - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - if (!strupper_m(spn)) { - TALLOC_FREE(spn); - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } + for (netbios_aliases = lp_netbios_aliases(); + netbios_aliases != NULL && *netbios_aliases != NULL; + netbios_aliases++) { + /* + * Add HOST/NETBIOSNAME + */ + spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); + if (spn == NULL) { + TALLOC_FREE(spn); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + if (!strupper_m(spn)) { + TALLOC_FREE(spn); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } - ok = ads_element_in_array(spn_array, num_spns, spn); - if (ok) { - TALLOC_FREE(spn); - continue; - } - ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { - TALLOC_FREE(spn); - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } + ok = ads_element_in_array(spn_array, num_spns, spn); + if (ok) { + TALLOC_FREE(spn); + continue; + } + ok = add_string_to_array(spn_array, spn, + &spn_array, &num_spns); + if (!ok) { TALLOC_FREE(spn); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + TALLOC_FREE(spn); - /* - * Add HOST/netbiosname.domainname - */ - fstr_sprintf(my_fqdn, "%s.%s", - *netbios_aliases, - lp_dnsdomain()); + /* + * Add HOST/netbiosname.domainname + */ + fstr_sprintf(my_fqdn, "%s.%s", + *netbios_aliases, + lp_dnsdomain()); - spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); - if (spn == NULL) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } + spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); + if (spn == NULL) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } - ok = ads_element_in_array(spn_array, num_spns, spn); - if (ok) { - TALLOC_FREE(spn); - continue; - } - 
ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { - TALLOC_FREE(spn); - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } + ok = ads_element_in_array(spn_array, num_spns, spn); + if (ok) { + TALLOC_FREE(spn); + continue; + } + ok = add_string_to_array(spn_array, spn, + &spn_array, &num_spns); + if (!ok) { TALLOC_FREE(spn); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); } + TALLOC_FREE(spn); } /* make sure to NULL terminate the array */ -- 2.21.0 From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 18 Sep 2019 21:29:47 +0300 Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling and avoid a possible memory leak when passing null to add_string_to_array() as mem_ctx. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 Signed-off-by: Isaac Boukris Reviewed-by: Ralph Boehme Reviewed-by: Alexander Bokovoy --- source3/libnet/libnet_join.c | 74 ++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 32 deletions(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 67ab50c68a8..43035370526 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r) { + TALLOC_CTX *frame = talloc_stackframe(); ADS_STATUS status; ADS_MODLIST mods; fstring my_fqdn; @@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, return status; } - status = libnet_join_get_machine_spns(mem_ctx, + status = libnet_join_get_machine_spns(frame, r, discard_const_p(char **, &spn_array), &num_spns); 
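Review bot: `TALLOC_FREE(spn);` inside `if (spn == NULL)` frees a null pointer and is carried unchanged into the re-indented loop; dropping it leaves only the branches that hold a real allocation doing a free. `if (ok) { TALLOC_FREE(spn); continue; }` after the short-name lookup still skips the `HOST/netbiosname.domainname` entry for any alias whose short SPN already exists, and `add_string_to_array(spn_array, spn, ...)` still uses the array rather than `mem_ctx` as the talloc parent, which is a NULL parent while the array is empty. Those are behaviour points a style-only patch preserves, but they are worth recording since the restructure touches every line of the loop. The enclosing function starts and ends outside the hunk.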
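Review bot: The context line `return status;` just above the changed call still exits directly although `frame = talloc_stackframe();` is now created at the top of the function in the previous hunk, so that failure path returns without `TALLOC_FREE(frame)`; a leaked stackframe also leaves the talloc stack unbalanced for the caller. That path should be converted like the others in this patch, `if (!ADS_ERR_OK(status)) { goto done; }`, and any other early return between the frame creation and the first `goto done` — the lines right after this hunk are not shown — needs the same treatment.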
@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, /* Windows only creates HOST/shortname & HOST/fqdn. */ - spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); + spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name); if (spn == NULL) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } if (!strupper_m(spn)) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } ok = ads_element_in_array(spn_array, num_spns, spn); if (!ok) { - ok = add_string_to_array(spn_array, spn, + ok = add_string_to_array(frame, spn, &spn_array, &num_spns); if (!ok) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } } fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); if (!strlower_m(my_fqdn)) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } - spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); + spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); if (spn == NULL) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } ok = ads_element_in_array(spn_array, num_spns, spn); if (!ok) { - ok = add_string_to_array(spn_array, spn, + ok = add_string_to_array(frame, spn, &spn_array, &num_spns); if (!ok) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } } 
@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, /* * Add HOST/NETBIOSNAME */ - spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); + spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases); if (spn == NULL) { - TALLOC_FREE(spn); - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } if (!strupper_m(spn)) { - TALLOC_FREE(spn); - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } ok = ads_element_in_array(spn_array, num_spns, spn); if (ok) { - TALLOC_FREE(spn); continue; } ok = add_string_to_array(spn_array, spn, &spn_array, &num_spns); if (!ok) { - TALLOC_FREE(spn); - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } - TALLOC_FREE(spn); /* * Add HOST/netbiosname.domainname 
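Review bot: `ok = add_string_to_array(spn_array, spn, &spn_array, &num_spns);` in the alias loop is left as a context line with `spn_array` as the talloc parent, while the two calls earlier in this patch were switched to `frame`; since the commit message gives avoiding a NULL mem_ctx as the reason for the change, this call and the identical one in the following hunk should read `ok = add_string_to_array(frame, spn, &spn_array, &num_spns);`. Removing the per-iteration `TALLOC_FREE(spn)` means each alias string now lives until `done:`, which is fine on the stackframe; a one-line comment at the loop head, e.g. `/* spn strings are parented to frame and released at done: */`, would record that this is intended. The loop header is in the preceding context and the body continues into the next hunk.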
@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, *netbios_aliases, lp_dnsdomain()); - spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); + spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); if (spn == NULL) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } ok = ads_element_in_array(spn_array, num_spns, spn); if (ok) { - TALLOC_FREE(spn); continue; } ok = add_string_to_array(spn_array, spn, &spn_array, &num_spns); if (!ok) { - TALLOC_FREE(spn); - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } - TALLOC_FREE(spn); } /* make sure to NULL terminate the array */ - spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1); + spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); if (spn_array == NULL) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } spn_array[num_spns] = NULL; mods = ads_init_mods(mem_ctx); if (!mods) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } /* fields of primary importance */ status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn); if (!ADS_ERR_OK(status)) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName", spn_array); if (!ADS_ERR_OK(status)) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; } - return ads_gen_mod(r->in.ads, r->out.dn, mods); + status = ads_gen_mod(r->in.ads, r->out.dn, mods); + +done: + TALLOC_FREE(frame); + return status; } /**************************************************************** -- 2.21.0 From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001 
From: Isaac Boukris
Date: Wed, 18 Sep 2019 23:15:57 +0300
Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to array and do not skip adding a fully qualified spn to netbios-aliases in case a short spn already existed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris
Reviewed-by: Ralph Boehme
Reviewed-by: Alexander Bokovoy
---
 source3/libnet/libnet_join.c | 56 +++++++++++++++---------------------
 1 file changed, 23 insertions(+), 33 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 43035370526..a1d8a25bbc2 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
 	return status;
 }
 
+static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const char *spn,
+			       const char ***array, size_t *num)
+{
+	bool ok = ads_element_in_array(*array, *num, spn);
+	if (!ok) {
+		ok = add_string_to_array(mem_ctx, spn, array, num);
+		if (!ok) {
+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+		}
+	}
+	return ADS_SUCCESS;
+}
+
 /****************************************************************
  Set a machines dNSHostName and servicePrincipalName attributes
 ****************************************************************/
@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 	const char **spn_array = NULL;
 	size_t num_spns = 0;
 	char *spn = NULL;
-	bool ok;
 	const char **netbios_aliases = NULL;
 
 	/* Find our DN */
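Review bot: `add_uniq_spn` is added without a header comment although the neighbouring functions carry one (the `Set a machines dNSHostName and servicePrincipalName attributes` banner sits right below it), so its contract is left implicit: `*array`/`*num` change only when `spn` is not already present, the string is handed to add_string_to_array() with `mem_ctx` as the talloc parent, and the only failure it reports is LDAP_NO_MEMORY. A comment such as `/* Append spn to *array (allocated on mem_ctx) unless an equal entry exists; fails only on OOM. */` would cover that. Whether add_string_to_array() copies `spn` or stores the caller's pointer is not visible here, so the ownership wording should be checked against its definition before being written down.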
@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, goto done; } - ok = ads_element_in_array(spn_array, num_spns, spn); - if (!ok) { - ok = add_string_to_array(frame, spn, - &spn_array, &num_spns); - if (!ok) { - status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); - goto done; - } + status = add_uniq_spn(frame, spn, &spn_array, &num_spns); + if (!ADS_ERR_OK(status)) { + goto done; } fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); @@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, goto done; } - ok = ads_element_in_array(spn_array, num_spns, spn); - if (!ok) { - ok = add_string_to_array(frame, spn, - &spn_array, &num_spns); - if (!ok) { - status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); - goto done; - } + status = add_uniq_spn(frame, spn, &spn_array, &num_spns); + if (!ADS_ERR_OK(status)) { + goto done; } for (netbios_aliases = lp_netbios_aliases(); @@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, goto done; } - ok = ads_element_in_array(spn_array, num_spns, spn); - if (ok) { - continue; - } - ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { - status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = add_uniq_spn(frame, spn, &spn_array, &num_spns); + if (!ADS_ERR_OK(status)) { goto done; } @@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, goto done; } - ok = ads_element_in_array(spn_array, num_spns, spn); - if (ok) { - continue; - } - ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { - status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + status = add_uniq_spn(frame, spn, &spn_array, &num_spns); + if (!ADS_ERR_OK(status)) { goto done; } } -- 2.21.0 From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001 
From: Isaac Boukris Date: Tue, 17 Sep 2019 21:38:07 +0300 Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 Signed-off-by: Isaac Boukris Reviewed-by: Ralph Boehme Reviewed-by: Alexander Bokovoy --- docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml new file mode 100644 index 00000000000..ddc04ee9f81 --- /dev/null +++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml @@ -0,0 +1,11 @@ + + + A list of additional DNS names by which this host can be identified + + +empty string (no additional dns names) + host2.example.com host3.other.com + -- 2.21.0 From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 13 Sep 2019 10:56:10 +0300 Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames entries MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit and set msDS-AdditionalDnsHostName to the specified list. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 Signed-off-by: Isaac Boukris Reviewed-by: Ralph Boehme Reviewed-by: Alexander Bokovoy Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184 --- source3/libnet/libnet_join.c | 27 +++++++++++++++++++++++++++ testprogs/blackbox/test_net_ads.sh | 10 +++++++++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index a1d8a25bbc2..eb8e0ea17f7 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 	size_t num_spns = 0;
 	char *spn = NULL;
 	const char **netbios_aliases = NULL;
+	const char **addl_hostnames = NULL;
 
 	/* Find our DN */
 
@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 		}
 	}
 
+	for (addl_hostnames = lp_additional_dns_hostnames();
+	     addl_hostnames != NULL && *addl_hostnames != NULL;
+	     addl_hostnames++) {
+
+		spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames);
+		if (spn == NULL) {
+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+			goto done;
+		}
+
+		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
+		if (!ADS_ERR_OK(status)) {
+			goto done;
+		}
+	}
+
 	/* make sure to NULL terminate the array */
 	spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);
 	if (spn_array == NULL) {
@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
+	addl_hostnames = lp_additional_dns_hostnames();
+	if (addl_hostnames != NULL && *addl_hostnames != NULL) {
+		status = ads_mod_strlist(mem_ctx, &mods,
+					 "msDS-AdditionalDnsHostName",
+					 addl_hostnames);
+		if (!ADS_ERR_OK(status)) {
+			goto done;
+		}
+	}
+
 	status = ads_gen_mod(r->in.ads, r->out.dn, mods);
 
 done:
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index ef6f99ddea4..8bcff006b8e 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
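Review bot: `spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames);` uses each configured name verbatim, whereas the primary FQDN earlier in this function goes through `strlower_m()` before its SPN is built, so an entry typed as `Host2.Example.COM` yields a mixed-case SPN and, in the next hunk, the same mixed-case value in msDS-AdditionalDnsHostName; lowercasing a talloc copy of the entry on `frame` before the asprintf would keep the values consistent with dNSHostName. Nothing validates the entries either — an empty or unqualified value still becomes a `HOST/` SPN — so rejecting values that are empty or contain no `.` with an explicit error would be cheap here and avoids writing a malformed SPN to the directory. The enclosing function starts and ends outside the hunk, and add_uniq_spn() is defined elsewhere in the file.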
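Review bot: `ads_mod_strlist(mem_ctx, &mods, "msDS-AdditionalDnsHostName", addl_hostnames)` is only issued when the option is non-empty, so a host re-joined after the option was removed keeps whatever list an earlier join wrote; if smb.conf is meant to be authoritative the attribute should be cleared in the empty case as well (how ads_mod_strlist() behaves with an empty list is not visible here and should be checked). If leaving it untouched is the intended behaviour, a one-line comment stating it, e.g. `/* Only set, never clear: an empty option leaves existing entries alone. */`, would save the next reader the same question. The list is also sent as configured, without the de-duplication add_uniq_spn() applies to the SPNs, so a value repeated in the option goes to the server twice and may be rejected there.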
@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com" computers_dn="CN=Computers,$base_dn" testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` -testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` +dns_alias1="${netbios}_alias1.other.${lc_realm}" +dns_alias2="${netbios}_alias2.other2.${lc_realm}" +testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` +testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` +testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + +testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` +testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + ##Goodbye... testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -- 2.21.0
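Review bot: The two `testit_grep "dns alias SPN"` lines and the two `testit_grep "dns alias addl"` lines each reuse one test name, so a failure does not say which alias was missing; names like `"dns alias1 SPN"` / `"dns alias2 SPN"` would keep the results distinguishable. `$dns_alias1` and `$dns_alias2` are also passed to grep unquoted as regexes in which `.` matches any character, and `--option=additionaldnshostnames=$dns_alias1,$dns_alias2` relies on the values containing no whitespace; quoting the patterns and the option value (`"$dns_alias1"`, `"--option=additionaldnshostnames=$dns_alias1,$dns_alias2"`) costs nothing and makes the test robust to future changes of those variables.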