From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Mon, 13 Jan 2014 15:59:26 +0100

Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely.

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Just calling print_canonical_sockaddr() is sufficient, as it already deals with

ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is

removed as well. It was pointless because it always derived the port number from

the provided address which was either a SMB (usually port 445) or LDAP

connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.

Finally, the kerberos libraries that we support and build with, can deal with

ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of

resolving the DC name on the kerberos library anymore.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/libads/kerberos.c | 73 ++++-------------------------------------------

 1 file changed, 5 insertions(+), 68 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c

index b026e09..ea14350 100644

--- a/source3/libads/kerberos.c

+++ b/source3/libads/kerberos.c

@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal,

 /************************************************************************

 ************************************************************************/

-static char *print_kdc_line(char *mem_ctx,

-			const char *prev_line,

-			const struct sockaddr_storage *pss,

-			const char *kdc_name)

-{

-	char addr[INET6_ADDRSTRLEN];

-	uint16_t port = get_sockaddr_port(pss);

-

-	if (pss->ss_family == AF_INET) {

-		return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",

-				       prev_line,

-				       print_canonical_sockaddr(mem_ctx, pss));

-	}

-

-	/*

-	 * IPv6 starts here

-	 */

-

-	DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",

-		   kdc_name, port));

-

-	if (port != 0 && port != DEFAULT_KRB5_PORT) {

-		/* Currently for IPv6 we can't specify a non-default

-		   krb5 port with an address, as this requires a ':'.

-		   Resolve to a name. */

-		char hostname[MAX_DNS_NAME_LENGTH];

-		int ret = sys_getnameinfo((const struct sockaddr *)pss,

-					  sizeof(*pss),

-					  hostname, sizeof(hostname),

-					  NULL, 0,

-					  NI_NAMEREQD);

-		if (ret) {

-			DEBUG(0,("print_kdc_line: can't resolve name "

-				 "for kdc with non-default port %s. "

-				 "Error %s\n.",

-				 print_canonical_sockaddr(mem_ctx, pss),

-				 gai_strerror(ret)));

-			return NULL;

-		}

-		/* Success, use host:port */

-		return talloc_asprintf(mem_ctx,

-				       "%s\tkdc = %s:%u\n",

-				       prev_line,

-				       hostname,

-				       (unsigned int)port);

-	}

-

-	/* no krb5 lib currently supports "kdc = ipv6 address"

-	 * at all, so just fill in just the kdc_name if we have

-	 * it and let the krb5 lib figure out the appropriate

-	 * ipv6 address - gd */

-

-	if (kdc_name) {

-		return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",

-				       prev_line, kdc_name);

-	}

-

-	return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",

-			       prev_line,

-			       print_sockaddr(addr,

-					      sizeof(addr),

-					      pss));

-}

-

 /************************************************************************

  Create a string list of available kdc's, possibly searching by sitename.

  Does DNS queries.

@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx,

 	char *result = NULL;

 	struct netlogon_samlogon_response **responses = NULL;

 	NTSTATUS status;

-	char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);

+	char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",

+					print_canonical_sockaddr(mem_ctx, pss));

 	if (kdc_str == NULL) {

 		TALLOC_FREE(frame);

@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx,

 		}

 		/* Append to the string - inefficient but not done often. */

-		new_kdc_str = print_kdc_line(mem_ctx, kdc_str,

-					     &dc_addrs[i],

-					     kdc_name);

+		new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",

+					      kdc_str,

+					      print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));

 		if (new_kdc_str == NULL) {

 			goto fail;

 		}

-- 

1.8.5.3

From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Fri, 7 Mar 2014 14:47:31 +0100

Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from

 create_local_private_krb5_conf_for_domain().

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/libads/kerberos.c       | 10 ++++------

 source3/libads/kerberos_proto.h |  3 +--

 source3/libnet/libnet_join.c    |  3 +--

 source3/libsmb/namequery_dc.c   |  6 ++----

 source3/winbindd/winbindd_cm.c  |  6 ++----

 5 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c

index ea14350..649e568 100644

--- a/source3/libads/kerberos.c

+++ b/source3/libads/kerberos.c

@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,

 static char *get_kdc_ip_string(char *mem_ctx,

 		const char *realm,

 		const char *sitename,

-		const struct sockaddr_storage *pss,

-		const char *kdc_name)

+		const struct sockaddr_storage *pss)

 {

 	TALLOC_CTX *frame = talloc_stackframe();

 	int i;

@@ -756,8 +755,7 @@ fail:

 bool create_local_private_krb5_conf_for_domain(const char *realm,

 						const char *domain,

 						const char *sitename,

-					        const struct sockaddr_storage *pss,

-						const char *kdc_name)

+					        const struct sockaddr_storage *pss)

 {

 	char *dname;

 	char *tmpname = NULL;

@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,

 		return false;

 	}

-	if (domain == NULL || pss == NULL || kdc_name == NULL) {

+	if (domain == NULL || pss == NULL) {

 		return false;

 	}

@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,

 		goto done;

 	}

-	kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);

+	kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);

 	if (!kdc_ip_string) {

 		goto done;

 	}

diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h

index f7470d2..2559634 100644

--- a/source3/libads/kerberos_proto.h

+++ b/source3/libads/kerberos_proto.h

@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal,

 bool create_local_private_krb5_conf_for_domain(const char *realm,

 						const char *domain,

 						const char *sitename,

-					        const struct sockaddr_storage *pss,

-						const char *kdc_name);

+					        const struct sockaddr_storage *pss);

 /* The following definitions come from libads/authdata.c  */

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c

index a87eb38..68884cd 100644

--- a/source3/libnet/libnet_join.c

+++ b/source3/libnet/libnet_join.c

@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,

 	create_local_private_krb5_conf_for_domain(

 		r->out.dns_domain_name, r->out.netbios_domain_name,

-		NULL, smbXcli_conn_remote_sockaddr(cli->conn),

-		smbXcli_conn_remote_name(cli->conn));

+		NULL, smbXcli_conn_remote_sockaddr(cli->conn));

 	if (r->out.domain_is_ad && r->in.account_ou &&

 	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {

diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c

index 3cfae79..eb34741 100644

--- a/source3/libsmb/namequery_dc.c

+++ b/source3/libsmb/namequery_dc.c

@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain,

 				create_local_private_krb5_conf_for_domain(realm,

 									domain,

 									sitename,

-									&ads->ldap.ss,

-									ads->config.ldap_server_name);

+									&ads->ldap.ss);

 			} else {

 				create_local_private_krb5_conf_for_domain(realm,

 									domain,

 									NULL,

-									&ads->ldap.ss,

-									ads->config.ldap_server_name);

+									&ads->ldap.ss);

 			}

 		}

 #endif

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c

index 669a43e..be13a57 100644

--- a/source3/winbindd/winbindd_cm.c

+++ b/source3/winbindd/winbindd_cm.c

@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,

 					create_local_private_krb5_conf_for_domain(domain->alt_name,

 									domain->name,

 									sitename,

-									pss,

-									*name);

+									pss);

 					SAFE_FREE(sitename);

 				} else {

@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,

 					create_local_private_krb5_conf_for_domain(domain->alt_name,

 									domain->name,

 									NULL,

-									pss,

-									*name);

+									pss);

 				}

 				winbindd_set_locator_kdc_envs(domain);

-- 

1.8.5.3