Attachment 16012 Details for Bug 14396 – port fix for v4.12 branch

[patch] port fix for v4.12 branch

addl-dns-v4-12-test.patch (text/plain), 25.81 KB, created by Isaac Boukris on 2020-05-29 14:27:25 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Isaac Boukris

Created: 2020-05-29 14:27:25 UTC

Size: 25.81 KB

patch

obsolete

>From 881e3b47a17d7d0b3687ef26d782fc3281a8faa3 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Nov 2019 13:48:24 +0100
>Subject: [PATCH 1/7] s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in
> ads_keytab_add_entry()
>
>This is currently not critical as we only use keytabs
>only as acceptor, but in future we'll also use them
>for kinit() and there we should prefer the newest type.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> source3/libads/kerberos_keytab.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
>index 7d193e1a600..bc35d5edbe4 100644
>--- a/source3/libads/kerberos_keytab.c
>+++ b/source3/libads/kerberos_keytab.c
>@@ -240,11 +240,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
> 	krb5_data password;
> 	krb5_kvno kvno;
>         krb5_enctype enctypes[6] = {
>-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>-		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>-#endif
> #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> 		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
>+#endif
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
> #endif
> 		ENCTYPE_ARCFOUR_HMAC,
> 		0
>-- 
>2.24.1
>
>
>From bc27267b33d989468d7d993e4db2bd9b649bd996 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 27 May 2020 16:50:45 +0200
>Subject: [PATCH 2/7] Add a test to check dNSHostName with netbios aliases
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> selftest/knownfail.d/nb_alias_dnshostname |  2 ++
> testprogs/blackbox/test_net_ads.sh        | 14 ++++++++++++++
> 2 files changed, 16 insertions(+)
> create mode 100644 selftest/knownfail.d/nb_alias_dnshostname
>
>diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
>new file mode 100644
>index 00000000000..3c14e9931b9
>--- /dev/null
>+++ b/selftest/knownfail.d/nb_alias_dnshostname
>@@ -0,0 +1,2 @@
>+^samba4.blackbox.net_ads.nb_alias check dNSHostName
>+^samba4.blackbox.net_ads.nb_alias check main SPN
>diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
>index 95c0cf76f90..6073ea972f9 100755
>--- a/testprogs/blackbox/test_net_ads.sh
>+++ b/testprogs/blackbox/test_net_ads.sh
>@@ -220,6 +220,20 @@ testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samac
> ##Goodbye...
> testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
> 
>+# netbios aliases tests
>+testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
>+
>+testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
>+
>+testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
>+testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
>+
>+testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
>+testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
>+
>+##Goodbye...
>+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
>+
> #
> # Test createcomputer option of 'net ads join'
> #
>-- 
>2.24.1
>
>
>From f270db1ce1c0c6efc38fc467c8c0c89b13aaa479 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 27 May 2020 15:52:46 +0200
>Subject: [PATCH 3/7] Fix accidental overwrite of dnsHostName by the last
> netbios alias
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> selftest/knownfail.d/nb_alias_dnshostname | 2 --
> source3/libnet/libnet_join.c              | 5 +++--
> 2 files changed, 3 insertions(+), 4 deletions(-)
> delete mode 100644 selftest/knownfail.d/nb_alias_dnshostname
>
>diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
>deleted file mode 100644
>index 3c14e9931b9..00000000000
>--- a/selftest/knownfail.d/nb_alias_dnshostname
>+++ /dev/null
>@@ -1,2 +0,0 @@
>-^samba4.blackbox.net_ads.nb_alias check dNSHostName
>-^samba4.blackbox.net_ads.nb_alias check main SPN
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index eb8e0ea17f7..22162186f61 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -507,6 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> 	ADS_STATUS status;
> 	ADS_MODLIST mods;
> 	fstring my_fqdn;
>+	fstring my_alias;
> 	const char **spn_array = NULL;
> 	size_t num_spns = 0;
> 	char *spn = NULL;
>@@ -587,11 +588,11 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> 		/*
> 		 * Add HOST/netbiosname.domainname
> 		 */
>-		fstr_sprintf(my_fqdn, "%s.%s",
>+		fstr_sprintf(my_alias, "%s.%s",
> 			     *netbios_aliases,
> 			     lp_dnsdomain());
> 
>-		spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
>+		spn = talloc_asprintf(frame, "HOST/%s", my_alias);
> 		if (spn == NULL) {
> 			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
> 			goto done;
>-- 
>2.24.1
>
>
>From 3ab241317947fbb6b75060f67c47e57be6fb1459 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 27 May 2020 13:25:17 +0200
>Subject: [PATCH 4/7] Refactor ads_keytab_add_entry() to make it iterable
>
>so we can more easily add msDS-AdditionalDnsHostName entries.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> source3/libads/kerberos_keytab.c | 197 +++++++++++++++++--------------
> 1 file changed, 107 insertions(+), 90 deletions(-)
>
>diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
>index bc35d5edbe4..c46e98a4270 100644
>--- a/source3/libads/kerberos_keytab.c
>+++ b/source3/libads/kerberos_keytab.c
>@@ -228,18 +228,16 @@ out:
> 	return ok;
> }
> 
>-/**********************************************************************
>- Adds a single service principal, i.e. 'host' to the system keytab
>-***********************************************************************/
>-
>-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
>+static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
>+			       ADS_STRUCT *ads, const char *salt_princ_s,
>+			       krb5_keytab keytab, krb5_kvno kvno,
>+			       const char *srvPrinc, const char *my_fqdn,
>+			       krb5_data *password, bool update_ads)
> {
> 	krb5_error_code ret = 0;
>-	krb5_context context = NULL;
>-	krb5_keytab keytab = NULL;
>-	krb5_data password;
>-	krb5_kvno kvno;
>-        krb5_enctype enctypes[6] = {
>+	char *princ_s = NULL;
>+	char *short_princ_s = NULL;
>+	krb5_enctype enctypes[4] = {
> #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> 		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
> #endif
>@@ -249,65 +247,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
> 		ENCTYPE_ARCFOUR_HMAC,
> 		0
> 	};
>-	char *princ_s = NULL;
>-	char *short_princ_s = NULL;
>-	char *salt_princ_s = NULL;
>-	char *password_s = NULL;
>-	char *my_fqdn;
>-	TALLOC_CTX *tmpctx = NULL;
>-	int i;
>-
>-	ret = smb_krb5_init_context_common(&context);
>-	if (ret) {
>-		DBG_ERR("kerberos init context failed (%s)\n",
>-			error_message(ret));
>-		return -1;
>-	}
>-
>-	ret = ads_keytab_open(context, &keytab);
>-	if (ret != 0) {
>-		goto out;
>-	}
>-
>-	/* retrieve the password */
>-	if (!secrets_init()) {
>-		DEBUG(1, (__location__ ": secrets_init failed\n"));
>-		ret = -1;
>-		goto out;
>-	}
>-	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
>-	if (!password_s) {
>-		DEBUG(1, (__location__ ": failed to fetch machine password\n"));
>-		ret = -1;
>-		goto out;
>-	}
>-	ZERO_STRUCT(password);
>-	password.data = password_s;
>-	password.length = strlen(password_s);
>-
>-	/* we need the dNSHostName value here */
>-	tmpctx = talloc_init(__location__);
>-	if (!tmpctx) {
>-		DEBUG(0, (__location__ ": talloc_init() failed!\n"));
>-		ret = -1;
>-		goto out;
>-	}
>-
>-	my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
>-	if (!my_fqdn) {
>-		DEBUG(0, (__location__ ": unable to determine machine "
>-			  "account's dns name in AD!\n"));
>-		ret = -1;
>-		goto out;
>-	}
>-
>-	/* make sure we have a single instance of a the computer account */
>-	if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
>-		DEBUG(0, (__location__ ": unable to determine machine "
>-			  "account's short name in AD!\n"));
>-		ret = -1;
>-		goto out;
>-	}
>+	size_t i;
> 
> 	/* Construct our principal */
> 	if (strchr_m(srvPrinc, '@')) {
>@@ -356,22 +296,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
> 		}
> 	}
> 
>-	kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
>-	if (kvno == -1) {
>-		/* -1 indicates failure, everything else is OK */
>-		DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
>-			 "determine the system's kvno.\n"));
>-		ret = -1;
>-		goto out;
>-	}
>-
>-	salt_princ_s = kerberos_secrets_fetch_salt_princ();
>-	if (salt_princ_s == NULL) {
>-		DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
>-		ret = -1;
>-		goto out;
>-	}
>-
> 	for (i = 0; enctypes[i]; i++) {
> 
> 		/* add the fqdn principal to the keytab */
>@@ -381,11 +305,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
> 					    princ_s,
> 					    salt_princ_s,
> 					    enctypes[i],
>-					    &password,
>+					    password,
> 					    false,
> 					    false);
> 		if (ret) {
>-			DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
>+			DBG_WARNING("Failed to add entry to keytab\n");
> 			goto out;
> 		}
> 
>@@ -397,16 +321,109 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
> 						    short_princ_s,
> 						    salt_princ_s,
> 						    enctypes[i],
>-						    &password,
>+						    password,
> 						    false,
> 						    false);
> 			if (ret) {
>-				DEBUG(1, (__location__
>-					  ": Failed to add short entry to keytab\n"));
>+				DBG_WARNING("Failed to add short entry to keytab\n");
> 				goto out;
> 			}
> 		}
> 	}
>+out:
>+	return ret;
>+}
>+
>+/**********************************************************************
>+ Adds a single service principal, i.e. 'host' to the system keytab
>+***********************************************************************/
>+
>+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
>+{
>+	krb5_error_code ret = 0;
>+	krb5_context context = NULL;
>+	krb5_keytab keytab = NULL;
>+	krb5_data password;
>+	krb5_kvno kvno;
>+	char *salt_princ_s = NULL;
>+	char *password_s = NULL;
>+	char *my_fqdn;
>+	TALLOC_CTX *tmpctx = NULL;
>+
>+	ret = smb_krb5_init_context_common(&context);
>+	if (ret) {
>+		DBG_ERR("kerberos init context failed (%s)\n",
>+			error_message(ret));
>+		return -1;
>+	}
>+
>+	ret = ads_keytab_open(context, &keytab);
>+	if (ret != 0) {
>+		goto out;
>+	}
>+
>+	/* retrieve the password */
>+	if (!secrets_init()) {
>+		DBG_WARNING("secrets_init failed\n");
>+		ret = -1;
>+		goto out;
>+	}
>+	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
>+	if (!password_s) {
>+		DBG_WARNING("failed to fetch machine password\n");
>+		ret = -1;
>+		goto out;
>+	}
>+	ZERO_STRUCT(password);
>+	password.data = password_s;
>+	password.length = strlen(password_s);
>+
>+	/* we need the dNSHostName value here */
>+	tmpctx = talloc_init(__location__);
>+	if (!tmpctx) {
>+		DBG_ERR("talloc_init() failed!\n");
>+		ret = -1;
>+		goto out;
>+	}
>+
>+	my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
>+	if (!my_fqdn) {
>+		DBG_ERR("unable to determine machine account's dns name in "
>+			"AD!\n");
>+		ret = -1;
>+		goto out;
>+	}
>+
>+	/* make sure we have a single instance of a the computer account */
>+	if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
>+		DBG_ERR("unable to determine machine account's short name in "
>+			"AD!\n");
>+		ret = -1;
>+		goto out;
>+	}
>+
>+	kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
>+	if (kvno == -1) {
>+		/* -1 indicates failure, everything else is OK */
>+		DBG_WARNING("ads_get_machine_kvno failed to determine the "
>+			    "system's kvno.\n");
>+		ret = -1;
>+		goto out;
>+	}
>+
>+	salt_princ_s = kerberos_secrets_fetch_salt_princ();
>+	if (salt_princ_s == NULL) {
>+		DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
>+		ret = -1;
>+		goto out;
>+	}
>+
>+	ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
>+				  kvno, srvPrinc, my_fqdn, &password,
>+				  update_ads);
>+	if (ret != 0) {
>+		goto out;
>+	}
> 
> out:
> 	SAFE_FREE(salt_princ_s);
>-- 
>2.24.1
>
>
>From 42936021a1af2214b7a43f56f67d4c130fdde080 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 27 May 2020 17:55:12 +0200
>Subject: [PATCH 5/7] Add a test for msDS-AdditionalDnsHostName entries in
> keytab
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> selftest/knownfail.d/dns_alias_keytab | 2 ++
> testprogs/blackbox/test_net_ads.sh    | 9 +++++++++
> 2 files changed, 11 insertions(+)
> create mode 100644 selftest/knownfail.d/dns_alias_keytab
>
>diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
>new file mode 100644
>index 00000000000..216592e1210
>--- /dev/null
>+++ b/selftest/knownfail.d/dns_alias_keytab
>@@ -0,0 +1,2 @@
>+^samba4.blackbox.net_ads.dns alias1 check keytab
>+^samba4.blackbox.net_ads.dns alias2 check keytab
>diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
>index 6073ea972f9..a40b477a173 100755
>--- a/testprogs/blackbox/test_net_ads.sh
>+++ b/testprogs/blackbox/test_net_ads.sh
>@@ -217,6 +217,15 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
> testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
> testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
> 
>+dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
>+
>+testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
>+
>+testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
>+testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
>+
>+rm -f $dedicated_keytab_file
>+
> ##Goodbye...
> testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
> 
>-- 
>2.24.1
>
>
>From f45843d11260e10c88bea1d21314093c77ff07a0 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 27 May 2020 15:36:28 +0200
>Subject: [PATCH 6/7] Add msDS-AdditionalDnsHostName entries to the keytab
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> selftest/knownfail.d/dns_alias_keytab |  2 --
> source3/libads/ads_proto.h            |  5 +++
> source3/libads/kerberos_keytab.c      | 21 +++++++++++++
> source3/libads/ldap.c                 | 45 +++++++++++++++++++++++++++
> 4 files changed, 71 insertions(+), 2 deletions(-)
> delete mode 100644 selftest/knownfail.d/dns_alias_keytab
>
>diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
>deleted file mode 100644
>index 216592e1210..00000000000
>--- a/selftest/knownfail.d/dns_alias_keytab
>+++ /dev/null
>@@ -1,2 +0,0 @@
>-^samba4.blackbox.net_ads.dns alias1 check keytab
>-^samba4.blackbox.net_ads.dns alias2 check keytab
>diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
>index 495ef5d3325..cd9c1082681 100644
>--- a/source3/libads/ads_proto.h
>+++ b/source3/libads/ads_proto.h
>@@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
> 					enum ads_extended_dn_flags flags,
> 					struct dom_sid *sid);
> char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
>+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
>+                                            ADS_STRUCT *ads,
>+                                            const char *machine_name,
>+                                            char ***hostnames_array,
>+                                            size_t *num_hostnames);
> char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
> bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
> ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
>diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
>index c46e98a4270..da363741d10 100644
>--- a/source3/libads/kerberos_keytab.c
>+++ b/source3/libads/kerberos_keytab.c
>@@ -349,6 +349,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
> 	char *password_s = NULL;
> 	char *my_fqdn;
> 	TALLOC_CTX *tmpctx = NULL;
>+	char **hostnames_array = NULL;
>+	size_t num_hostnames = 0;
> 
> 	ret = smb_krb5_init_context_common(&context);
> 	if (ret) {
>@@ -425,6 +427,25 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
> 		goto out;
> 	}
> 
>+	if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
>+							lp_netbios_name(),
>+							&hostnames_array,
>+							&num_hostnames))) {
>+		size_t i;
>+
>+		for (i = 0; i < num_hostnames; i++) {
>+
>+			ret = add_kt_entry_etypes(context, tmpctx, ads,
>+						  salt_princ_s, keytab,
>+						  kvno, srvPrinc,
>+						  hostnames_array[i],
>+						  &password, update_ads);
>+			if (ret != 0) {
>+				goto out;
>+			}
>+		}
>+	}
>+
> out:
> 	SAFE_FREE(salt_princ_s);
> 	TALLOC_FREE(tmpctx);
>diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
>index f0fcf9fcd56..f6fde5e19e1 100755
>--- a/source3/libads/ldap.c
>+++ b/source3/libads/ldap.c
>@@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn)
> 		"unicodePwd",
> 
> 		/* Additional attributes Samba checks */
>+		"msDS-AdditionalDnsHostName",
> 		"msDS-SupportedEncryptionTypes",
> 		"nTSecurityDescriptor",
> 
>@@ -3668,6 +3669,50 @@ out:
> /********************************************************************
> ********************************************************************/
> 
>+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
>+					    ADS_STRUCT *ads,
>+					    const char *machine_name,
>+					    char ***hostnames_array,
>+					    size_t *num_hostnames)
>+{
>+	ADS_STATUS status;
>+	LDAPMessage *res = NULL;
>+	int count;
>+
>+	status = ads_find_machine_acct(ads,
>+				       &res,
>+				       machine_name);
>+	if (!ADS_ERR_OK(status)) {
>+		DEBUG(1,("Host Account for %s not found... skipping operation.\n",
>+			 machine_name));
>+		return status;
>+	}
>+
>+	count = ads_count_replies(ads, res);
>+	if (count != 1) {
>+		status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
>+		goto done;
>+	}
>+
>+	*hostnames_array = ads_pull_strings(ads, mem_ctx, res,
>+					    "msDS-AdditionalDnsHostName",
>+					    num_hostnames);
>+	if (*hostnames_array == NULL) {
>+		DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
>+			  machine_name));
>+		status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
>+		goto done;
>+	}
>+
>+done:
>+	ads_msgfree(ads, res);
>+
>+	return status;
>+}
>+
>+/********************************************************************
>+********************************************************************/
>+
> char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
> {
> 	LDAPMessage *res = NULL;
>-- 
>2.24.1
>
>
>From f039d0ae9f1a2f110d1b73dc4ee41aa030efe06e Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 27 May 2020 15:54:12 +0200
>Subject: [PATCH 7/7] Add net-ads-join dnshostname=fqdn option
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184
>---
> docs-xml/manpages/net.8.xml        |  7 ++++++-
> source3/libnet/libnet_join.c       |  7 ++++++-
> source3/librpc/idl/libnet_join.idl |  1 +
> source3/utils/net_ads.c            |  9 ++++++++-
> testprogs/blackbox/test_net_ads.sh | 15 +++++++++++++++
> 5 files changed, 36 insertions(+), 3 deletions(-)
>
>diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
>index 37dd30b7864..cbab9c63a5e 100644
>--- a/docs-xml/manpages/net.8.xml
>+++ b/docs-xml/manpages/net.8.xml
>@@ -481,7 +481,7 @@ The remote server must be specified with the -S option.
> 
> <refsect2>
> <title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
>-[createupn=UPN] [createcomputer=OU] [machinepass=PASS]
>+[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS]
> [osName=string osVer=string] [options]</title>
> 
> <para>
>@@ -496,6 +496,11 @@ be created.</para>
> joining the domain.
> </para>
> 
>+<para>
>+[FQDN] (ADS only) set the dnsHosName attribute during the join.
>+The default format is netbiosname.dnsdomain.
>+</para>
>+
> <para>
> [UPN] (ADS only) set the principalname attribute during the join.  The default
> format is host/netbiosname@REALM.
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 22162186f61..a087587bba7 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -546,7 +546,12 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
> 		goto done;
> 	}
> 
>-	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
>+	if (r->in.dnshostname != NULL) {
>+		fstr_sprintf(my_fqdn, "%s", r->in.dnshostname);
>+	} else {
>+		fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
>+			     lp_dnsdomain());
>+	}
> 
> 	if (!strlower_m(my_fqdn)) {
> 		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
>diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
>index e45034d40da..03d919863b5 100644
>--- a/source3/librpc/idl/libnet_join.idl
>+++ b/source3/librpc/idl/libnet_join.idl
>@@ -37,6 +37,7 @@ interface libnetjoin
> 		[in] string os_servicepack,
> 		[in] boolean8 create_upn,
> 		[in] string upn,
>+		[in] string dnshostname,
> 		[in] boolean8 modify_config,
> 		[in,unique] ads_struct *ads,
> 		[in] boolean8 debug,
>diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
>index 95a6ed74b78..dd3c650be8b 100644
>--- a/source3/utils/net_ads.c
>+++ b/source3/utils/net_ads.c
>@@ -1710,6 +1710,8 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv
> {
> 	d_printf(_("net ads join [--no-dns-updates] [options]\n"
> 	           "Valid options:\n"));
>+	d_printf(_("   dnshostname=FQDN      Set the dnsHostName attribute during the join.\n"
>+		   "                         The default is in the form netbiosname.dnsdomain\n"));
> 	d_printf(_("   createupn[=UPN]       Set the userPrincipalName attribute during the join.\n"
> 		   "                         The default UPN is in the form host/netbiosname@REALM.\n"));
> 	d_printf(_("   createcomputer=OU     Precreate the computer account in a specific OU.\n"
>@@ -1830,6 +1832,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
> 	const char *domain = lp_realm();
> 	WERROR werr = WERR_NERR_SETUPNOTJOINED;
> 	bool createupn = false;
>+	const char *dnshostname = NULL;
> 	const char *machineupn = NULL;
> 	const char *machine_password = NULL;
> 	const char *create_in_ou = NULL;
>@@ -1870,7 +1873,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
> 	/* process additional command line args */
> 
> 	for ( i=0; i<argc; i++ ) {
>-		if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
>+		if ( !strncasecmp_m(argv[i], "dnshostname", strlen("dnshostname")) ) {
>+			dnshostname = get_string_param(argv[i]);
>+		}
>+		else if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
> 			createupn = true;
> 			machineupn = get_string_param(argv[i]);
> 		}
>@@ -1938,6 +1944,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
> 	r->in.domain_name_type	= domain_name_type;
> 	r->in.create_upn	= createupn;
> 	r->in.upn		= machineupn;
>+	r->in.dnshostname	= dnshostname;
> 	r->in.account_ou	= create_in_ou;
> 	r->in.os_name		= os_name;
> 	r->in.os_version	= os_version;
>diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
>index a40b477a173..85257f445d8 100755
>--- a/testprogs/blackbox/test_net_ads.sh
>+++ b/testprogs/blackbox/test_net_ads.sh
>@@ -277,6 +277,21 @@ rm -f $dedicated_keytab_file
> 
> testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
> 
>+#
>+# Test dnshostname option of 'net ads join'
>+#
>+testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1`
>+
>+testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
>+
>+testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
>+
>+testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
>+
>+rm -f $dedicated_keytab_file
>+
>+testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
>+
> rm -rf $BASEDIR/$WORKDIR
> 
> exit $failed
>-- 
>2.24.1
>

Flags:

iboukris: review+
asn: review+
iboukris: ci-passed+

Actions: View

Attachments on bug 14396: 16012