The Samba-Bugzilla – Attachment 18326 Details for Bug 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted domain lookups
[patch] patch for 4.20
v4-20-idmap-ad.patch (text/plain), 4.57 KB, created by Andreas Schneider on 2024-06-05 12:10:11 UTC
>From b6286e55127cb5b12d79b3b99c4ff627751d2adf Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 28 May 2024 13:51:53 +0200 >Subject: [PATCH 1/3] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs > IP > >Remove the requirement to provide an IP address. We should look up the >IP of the KDC and use it for the specified realm/workgroup. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 28aa0b815baf4668e3df01d52597c40fd430e2fb) >--- > source3/libads/kerberos.c | 30 +++++++++++++++--------------- > 1 file changed, 15 insertions(+), 15 deletions(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index f76c5665205..44f2a0eead9 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -437,23 +437,23 @@ static char *get_kdc_ip_string(char *mem_ctx, > char *kdc_str = NULL; > char *canon_sockaddr = NULL; > >- SMB_ASSERT(pss != NULL); >- >- canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); >- if (canon_sockaddr == NULL) { >- goto out; >- } >+ if (pss != NULL) { >+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); >+ if (canon_sockaddr == NULL) { >+ goto out; >+ } > >- kdc_str = talloc_asprintf(frame, >- "\t\tkdc = %s\n", >- canon_sockaddr); >- if (kdc_str == NULL) { >- goto out; >- } >+ kdc_str = talloc_asprintf(frame, >+ "\t\tkdc = %s\n", >+ canon_sockaddr); >+ if (kdc_str == NULL) { >+ goto out; >+ } > >- ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); >- if (!ok) { >- goto out; >+ ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); >+ if (!ok) { >+ goto out; >+ } > } > > /* >-- >2.45.2 > > >From 558f49e446faf6406339eaa3dd891c431e19a6dd Mon Sep 17 00:00:00 2001 
>From: Andreas Schneider <asn@samba.org> >Date: Tue, 28 May 2024 13:53:51 +0200 >Subject: [PATCH 2/3] s3:libads: Do not fail if we don't get an IP passed down > >The IP should be optional and we should look it up if not provided. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2) >--- > source3/libads/kerberos.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 44f2a0eead9..6c6d23c29da 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -704,7 +704,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, > return false; > } > >- if (domain == NULL || pss == NULL) { >+ if (domain == NULL) { > return false; > } > >-- >2.45.2 > > >From a0ae8e3deeae1c37b3a15f77efb80a7dd0a12092 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 28 May 2024 13:54:24 +0200 >Subject: [PATCH 3/3] s3:winbind: Fix idmap_ad creating an invalid local > krb5.conf > >In case of a trusted domain, we are providing the realm of the primary >trust but specify the KDC IP of the trusted domain. This leads to >Kerberos ticket requests to the trusted domain KDC which doesn't know >about the machine account. However we need a ticket from our primary >trust KDC. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(backported from commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee) >--- > source3/winbindd/idmap_ad.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > >diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c >index 5c9fe07db95..b8002825161 100644 >--- a/source3/winbindd/idmap_ad.c >+++ b/source3/winbindd/idmap_ad.c 
>@@ -320,7 +320,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, > struct tldap_context **pld) > { > struct netr_DsRGetDCNameInfo *dcinfo; >- struct sockaddr_storage dcaddr; >+ struct sockaddr_storage dcaddr = { >+ .ss_family = AF_UNSPEC, >+ }; >+ struct sockaddr_storage *pdcaddr = NULL; > struct cli_credentials *creds; > struct loadparm_context *lp_ctx; > struct tldap_context *ld; >@@ -362,9 +365,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, > * create_local_private_krb5_conf_for_domain() can deal with > * sitename==NULL > */ >+ if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup())) >+ { >+ pdcaddr = &dcaddr; >+ } > > ok = create_local_private_krb5_conf_for_domain( >- lp_realm(), lp_workgroup(), sitename, &dcaddr); >+ lp_realm(), lp_workgroup(), sitename, pdcaddr); > TALLOC_FREE(sitename); > if (!ok) { > DBG_DEBUG("Could not create private krb5.conf\n"); >-- >2.45.2 >
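Review bot: In PATCH 1/3, get_kdc_ip_string() (hunk @@ -437 in source3/libads/kerberos.c), the pss == NULL path now skips the whole block, so kdc_str keeps its NULL initializer and sa is never filled by sockaddr_storage_to_samba_sockaddr(). The code after the block is outside this hunk; please confirm that it neither reads sa nor appends to kdc_str without a NULL check in that case, and initialise sa at its declaration if it can still be read. The function's comment should also say that pss is optional and what a NULL value means, since the removed SMB_ASSERT(pss != NULL) documented the old contract.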
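Review bot: In PATCH 2/3, create_local_private_krb5_conf_for_domain() (hunk @@ -704 in source3/libads/kerberos.c), dropping pss == NULL from the early return changes the contract for every caller, not only idmap_ad: a caller that passes NULL used to get false here and now proceeds past this check. Please state in the function header that pss is optional and that NULL means the KDC is looked up. When backporting, keep this commit together with PATCH 1/3: if pss is handed on to get_kdc_ip_string() (that call is not visible in the hunk), it depends on the SMB_ASSERT(pss != NULL) removal there.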
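Review bot: In PATCH 3/3, idmap_ad_get_tldap_ctx() (hunk @@ -362 in source3/winbindd/idmap_ad.c), the new condition sits directly under the existing comment about sitename==NULL and has no comment of its own, so the reason dcaddr is passed only when domname matches lp_realm() or lp_workgroup() is recorded only in the commit message. Add a short comment above the if saying that for a trusted domain the DC address belongs to the trusted domain while the realm passed is the primary one, so pdcaddr stays NULL and the KDC is looked up. As a style point, the opening brace is on a line of its own, unlike the `if (!ok) {` visible a few lines below; wrapping the condition after `||` would allow the brace to stay on the closing line of the condition.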
Flags: pfilipensky: review+