The Samba-Bugzilla – Attachment 18442 Details for Bug 15715: Samba 4.21.0 broke FreeIPA domain member integration
[patch] backport to 4.21 branch
samba-4.21.0-backport.patch (text/plain), 5.29 KB, created by Alexander Bokovoy on 2024-09-13 13:40:01 UTC
Attachment flags: patch, obsolete
>From 26797d7bd2662718b3eb795f1b8e6100d51e3ab7 Mon Sep 17 00:00:00 2001 >From: Alexander Bokovoy <ab@samba.org> >Date: Tue, 3 Sep 2024 08:48:24 +0300 >Subject: [PATCH] sync machine password to keytab: handle FreeIPA use case >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >FreeIPA uses own procedure to retrieve keytabs and during the setup of >Samba on FreeIPA client the keytab is already present, only machine >account needs to be set in the secrets database. > >'sync machine password to keytab' option handling broke this use case by >always attempting to contact a domain controller and failing to do so >(Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199). > >The original synchronizing machine account password to keytab feature >did not have a mechanism to disable its logic at all. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15715 > >Signed-off-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> > >Autobuild-User(master): Alexander Bokovoy <ab@samba.org> >Autobuild-Date(master): Fri Sep 13 13:16:09 UTC 2024 on atb-devel-224 > >(cherry picked from commit 4f577c7b6894132be4842944f2f950b087312b16) >--- > .../security/syncmachinepasswordtokeytab.xml | 29 +++++++++++++++++-- > source3/libads/kerberos_keytab.c | 5 ++++ > source3/utils/net.c | 8 +++++ > source3/utils/testparm.c | 3 +- > 4 files changed, 41 insertions(+), 4 deletions(-) > >diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml >index 4cad9da73f2..f7dc30023d4 100644 >--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml >+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml 
>@@ -18,7 +18,11 @@ or by winbindd doing regular updates (see <smbconfoption name="machine password > </para> > > <para> >-The option takes a list of keytab strings. Each string has this form: >+The option takes a list of keytab strings to describe how to synchronize >+content of those keytabs or a single 'disabled' value to disable the >+synchronization. >+ >+Each string has this form: > <programlisting> > absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] > </programlisting> >@@ -70,8 +74,27 @@ If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. > </para> > > <para> >-If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting> >-where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/> >+If no value is present and <smbconfoption name="kerberos method"/> is different from >+'secrets only', the behavior differs between winbind and net utility: >+</para> >+<itemizedlist> >+ <listitem> >+ <para><userinput>winbind</userinput> uses value >+ <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting> >+ where the path to the keytab is obtained either from the krb5 library or from >+ <smbconfoption name="dedicated keytab file"/>. >+ </para> >+ </listitem> >+ <listitem> >+ <para><userinput>net changesecretpw -f</userinput> command uses the default 'disabled' value.</para> >+ </listitem> >+ <listitem><para>No other <userinput>net</userinput> subcommands use the 'disabled' value.</para></listitem> >+</itemizedlist> >+ >+<para> >+If a single value 'disabled' is present, the synchronization process is >+disabled. This is required for FreeIPA domain member setup where keytab >+synchronization uses a protocol not implemented by Samba. > </para> > > <para> 
>diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c >index 6ede567b75f..dbf8af44c1f 100644 >--- a/source3/libads/kerberos_keytab.c >+++ b/source3/libads/kerberos_keytab.c >@@ -904,6 +904,11 @@ NTSTATUS sync_pw2keytabs(void) > goto params_ready; > } > >+ if ((*lp_ptr != NULL) && strequal_m(*lp_ptr, "disabled")) { >+ DBG_DEBUG("'sync machine password to keytab' is explicitly disabled.\n"); >+ return NT_STATUS_OK; >+ } >+ > line = lp_ptr; > while (*line) { > DBG_DEBUG("Scanning line: %s\n", *line); >diff --git a/source3/utils/net.c b/source3/utils/net.c >index 7b40d2bee95..c432ebe991f 100644 >--- a/source3/utils/net.c >+++ b/source3/utils/net.c >@@ -207,6 +207,14 @@ static int net_changesecretpw(struct net_context *c, int argc, > struct timeval tv = timeval_current(); > NTTIME now = timeval_to_nttime(&tv); > >+#ifdef HAVE_ADS >+ if (USE_KERBEROS_KEYTAB) { >+ if (lp_sync_machine_password_to_keytab() == NULL) { >+ lp_do_parameter(-1, "sync machine password to keytab", "disabled"); >+ } >+ } >+#endif >+ > if (c->opt_stdin) { > set_line_buffering(stdin); > set_line_buffering(stdout); >diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c >index e3ed336a79a..a31a7a8a30a 100644 >--- a/source3/utils/testparm.c >+++ b/source3/utils/testparm.c >@@ -803,7 +803,8 @@ static int do_global_checks(void) > "instead of 'kerberos method'.\n\n"); > } > >- if (lp_ptr != NULL) { >+ if (lp_ptr != NULL && >+ ((*lp_ptr != NULL) && !strequal_m(*lp_ptr, "disabled"))) { > while (*lp_ptr) { > ret |= pw2kt_check_line(*lp_ptr++); > } >-- >2.46.0 >
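Review bot: in the first docs hunk (syncmachinepasswordtokeytab.xml, @@ -18,7), the new sentence "a list of keytab strings to describe how to synchronize content of those keytabs or a single 'disabled' value" is hard to parse, since 'disabled' reads as one more thing to synchronize. Suggest: "The option takes either a list of keytab strings, each describing how to synchronize the content of one keytab, or the single value 'disabled', which turns the synchronization off."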
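Review bot: in the second docs hunk (@@ -70,8), the list item "No other net subcommands use the 'disabled' value" is ambiguous: it can be read as saying other subcommands reject 'disabled', while the intent from the preceding item is that only net changesecretpw defaults to it. Suggest "Other net subcommands do not default to 'disabled'; they follow the configured value." The same item ties the default to "net changesecretpw -f", but the net.c hunk in this patch applies the default at the top of net_changesecretpw() with no -f check visible there, so either drop the "-f" from the docs or make clear it is only the usual invocation.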
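Review bot: the new check in sync_pw2keytabs() (kerberos_keytab.c hunk) inspects only the first list element, so a configuration such as "sync machine password to keytab = disabled /etc/krb5.keytab:sync_spns" silently disables synchronization and the remaining entries are never reported. The docs in this patch say "a single 'disabled' value", so the check should also require lp_ptr[1] == NULL, and log at DBG_WARNING rather than DBG_DEBUG when extra entries follow 'disabled', so an operator who has both values set can see why no keytab is being updated.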
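Review bot: the new block in net_changesecretpw() (net.c hunk) carries no comment explaining why the default is forced to 'disabled'; a one-line comment giving the reason from the commit message (the keytab has already been provisioned by another mechanism, as in FreeIPA, and only the secrets database needs the machine account) would save the next reader a trip to the history. The return value of lp_do_parameter() is also ignored here; with a constant literal that is acceptable, but a short comment saying so makes the intent explicit.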
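Review bot: the testparm.c hunk skips validation entirely when the first element is 'disabled', so "disabled" followed by further keytab specs passes testparm without any message even though sync_pw2keytabs() will ignore those specs. Suggest adding an else branch: when *lp_ptr is 'disabled' and lp_ptr[1] != NULL, print a warning and set ret, so testparm flags the same configuration the runtime silently accepts. The inner parentheses around (*lp_ptr != NULL) are redundant and can be dropped.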
Review flags: asn: review+