From 942dedb71437cd89932a7f39ca73d65c09aa59be Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Wed, 2 Apr 2014 19:37:34 +0200

Subject: [PATCH] s3-kerberos: make ipv6 support for generated krb5 config

 files more robust.

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Older MIT Kerberos libraries will add any secondary ipv6 address as

ipv4 address, defining the (default) krb5 port 88 circumvents that.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

---

 source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++--

 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c

index 649e568..f3c23ea 100644

--- a/source3/libads/kerberos.c

+++ b/source3/libads/kerberos.c

@@ -615,6 +615,31 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,

 	*num_addrs += 1;

 }

+/* print_canonical_sockaddr prints an ipv6 addr in the form of

+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not

+* always properly dealt with by some older krb5 libraries. Adding the hard-coded

+* portnumber workarounds the issue. - gd */

+

+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,

+						const struct sockaddr_storage *pss)

+{

+	char *str = NULL;

+

+	str = print_canonical_sockaddr(mem_ctx, pss);

+	if (str == NULL) {

+		return NULL;

+	}

+

+	if (pss->ss_family != AF_INET6) {

+		return str;

+	}

+

+#if defined(HAVE_IPV6)

+	str = talloc_asprintf_append(str, ":88");

+#endif

+	return str;

+}

+

 static char *get_kdc_ip_string(char *mem_ctx,

 		const char *realm,

 		const char *sitename,

@@ -634,7 +659,7 @@ static char *get_kdc_ip_string(char *mem_ctx,

 	struct netlogon_samlogon_response **responses = NULL;

 	NTSTATUS status;

 	char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",

-					print_canonical_sockaddr(mem_ctx, pss));

+					print_canonical_sockaddr_with_port(mem_ctx, pss));

 	if (kdc_str == NULL) {

 		TALLOC_FREE(frame);

@@ -726,7 +751,7 @@ static char *get_kdc_ip_string(char *mem_ctx,

 		/* Append to the string - inefficient but not done often. */

 		new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",

 					      kdc_str,

-					      print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));

+					      print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));

 		if (new_kdc_str == NULL) {

 			goto fail;

 		}

-- 

1.9.0

From 60db71015f84dd242be889576d85ccd5c6a1f73b Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Wed, 16 Apr 2014 16:07:14 +0200

Subject: [PATCH] s3-libads: allow ads_try_connect() to re-use a resolved ip

 address.

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Pass down a struct sockaddr_storage to ads_try_connect.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>

Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104

---

 source3/libads/ldap.c | 44 ++++++++++++++++++++++++++------------------

 1 file changed, 26 insertions(+), 18 deletions(-)

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c

index d9bb8e2..8fed8fd 100644

--- a/source3/libads/ldap.c

+++ b/source3/libads/ldap.c

@@ -228,33 +228,27 @@ bool ads_closest_dc(ADS_STRUCT *ads)

   try a connection to a given ldap server, returning True and setting the servers IP

   in the ads struct if successful

  */

-static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)

+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,

+			    struct sockaddr_storage *ss)

 {

 	struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;

 	TALLOC_CTX *frame = talloc_stackframe();

 	bool ret = false;

-	struct sockaddr_storage ss;

 	char addr[INET6_ADDRSTRLEN];

-	if (!server || !*server) {

+	if (ss == NULL) {

 		TALLOC_FREE(frame);

 		return False;

 	}

-	if (!resolve_name(server, &ss, 0x20, true)) {

-		DEBUG(5,("ads_try_connect: unable to resolve name %s\n",

-			 server ));

-		TALLOC_FREE(frame);

-		return false;

-	}

-	print_sockaddr(addr, sizeof(addr), &ss);

+	print_sockaddr(addr, sizeof(addr), ss);

 	DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n", 

 		addr, ads->server.realm));

 	ZERO_STRUCT( cldap_reply );

-	if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {

+	if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {

 		DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));

 		ret = false;

 		goto out;

@@ -298,7 +292,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)

 	ads->server.workgroup          = SMB_STRDUP(cldap_reply.domain_name);

 	ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;

-	ads->ldap.ss = ss;

+	ads->ldap.ss = *ss;

 	/* Store our site name. */

 	sitename_store( cldap_reply.domain_name, cldap_reply.client_site);

@@ -330,6 +324,7 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)

 	bool use_own_domain = False;

 	char *sitename;

 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;

+	bool ok = false;

 	/* if the realm and workgroup are both empty, assume they are ours */

@@ -384,12 +379,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)

 		DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",

 			(got_realm ? "realm" : "domain"), realm));

-		if (get_dc_name(domain, realm, srv_name, &ip_out)) {

+		ok = get_dc_name(domain, realm, srv_name, &ip_out);

+		if (ok) {

 			/*

 			 * we call ads_try_connect() to fill in the

 			 * ads->config details

 			 */

-			if (ads_try_connect(ads, srv_name, false)) {

+			ok = ads_try_connect(ads, false, &ip_out);

+			if (ok) {

 				return NT_STATUS_OK;

 			}

 		}

@@ -445,7 +442,8 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)

 			}

 		}

-		if ( ads_try_connect(ads, server, false) ) {

+		ok = ads_try_connect(ads, false, &ip_list[i].ss);

+		if (ok) {

 			SAFE_FREE(ip_list);

 			SAFE_FREE(sitename);

 			return NT_STATUS_OK;

@@ -630,9 +628,19 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)

 		TALLOC_FREE(s);

 	}

-	if (ads->server.ldap_server)

-	{

-		if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {

+	if (ads->server.ldap_server) {

+		bool ok = false;

+		struct sockaddr_storage ss;

+

+		ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);

+		if (!ok) {

+			DEBUG(5,("ads_connect: unable to resolve name %s\n",

+				 ads->server.ldap_server));

+			status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);

+			goto out;

+		}

+		ok = ads_try_connect(ads, ads->server.gc, &ss);

+		if (ok) {

 			goto got_connection;

 		}

-- 

1.9.0