From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001

From: Isaac Boukris <iboukris@gmail.com>

Date: Fri, 30 Aug 2019 00:22:15 +0300

Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and

 lp_dnsdomain()

This make the join process much more reliable, and avoids "Constraint

violation" error when the fqdn returned from getaddrinfo has already

got assigned an SPN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>

Reviewed-by: Ralph Boehme <slow@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>

---

 source3/libnet/libnet_join.c       | 31 +++++++++++-------------------

 testprogs/blackbox/test_net_ads.sh |  7 +++++--

 2 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c

index 7943bef2cf6..818b3039cb9 100644

--- a/source3/libnet/libnet_join.c

+++ b/source3/libnet/libnet_join.c

@@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 		}

 	}

-	if (!name_to_fqdn(my_fqdn, r->in.machine_name)

-	    || (strchr(my_fqdn, '.') == NULL)) {

-		fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,

-			     r->out.dns_domain_name);

-	}

+	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());

 	if (!strlower_m(my_fqdn)) {

 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

 	}

-	if (!strequal(my_fqdn, r->in.machine_name)) {

-		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);

-		if (!spn) {

-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-		}

+	spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);

+	if (spn == NULL) {

+		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+	}

-		ok = ads_element_in_array(spn_array, num_spns, spn);

+	ok = ads_element_in_array(spn_array, num_spns, spn);

+	if (!ok) {

+		ok = add_string_to_array(spn_array, spn,

+					 &spn_array, &num_spns);

 		if (!ok) {

-			ok = add_string_to_array(spn_array, spn,

-						 &spn_array, &num_spns);

-			if (!ok) {

-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-			}

+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

 		}

 	}

@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 			/*

 			 * Add HOST/netbiosname.domainname

 			 */

-			if (r->out.dns_domain_name == NULL) {

-				continue;

-			}

 			fstr_sprintf(my_fqdn, "%s.%s",

 				     *netbios_aliases,

-				     r->out.dns_domain_name);

+				     lp_dnsdomain());

 			spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);

 			if (spn == NULL) {

diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh

index cc8345c4624..ef6f99ddea4 100755

--- a/testprogs/blackbox/test_net_ads.sh

+++ b/testprogs/blackbox/test_net_ads.sh

@@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai

 netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')

 uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]')

 lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]')

-fqdns="$netbios.$lc_realm"

+fqdn="$netbios.$lc_realm"

 krb_princ="primary/instance@$REALM"

 testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`

@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin

 service="nfs"

 testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`

-search_str="$service/$fqdns@$REALM"

+search_str="$service/$fqdn@$REALM"

 found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`

 testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`

@@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed

 testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`

+testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`

+testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`

+

 ##Goodbye...

 testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`

-- 

2.21.0

From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001

From: Isaac Boukris <iboukris@gmail.com>

Date: Wed, 18 Sep 2019 20:00:34 +0300

Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit

 room for indentation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>

Reviewed-by: Ralph Boehme <slow@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>

---

 source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------

 1 file changed, 47 insertions(+), 48 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c

index 818b3039cb9..67ab50c68a8 100644

--- a/source3/libnet/libnet_join.c

+++ b/source3/libnet/libnet_join.c

@@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 	/* Windows only creates HOST/shortname & HOST/fqdn. */

 	spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);

-	if (!spn) {

+	if (spn == NULL) {

 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

 	}

 	if (!strupper_m(spn)) {

@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 		}

 	}

-	netbios_aliases = lp_netbios_aliases();

-	if (netbios_aliases != NULL) {

-		for (; *netbios_aliases != NULL; netbios_aliases++) {

-			/*

-			 * Add HOST/NETBIOSNAME

-			 */

-			spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);

-			if (spn == NULL) {

-				TALLOC_FREE(spn);

-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-			}

-			if (!strupper_m(spn)) {

-				TALLOC_FREE(spn);

-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-			}

+	for (netbios_aliases = lp_netbios_aliases();

+	     netbios_aliases != NULL && *netbios_aliases != NULL;

+	     netbios_aliases++) {

+		/*

+		 * Add HOST/NETBIOSNAME

+		 */

+		spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);

+		if (spn == NULL) {

+			TALLOC_FREE(spn);

+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		}

+		if (!strupper_m(spn)) {

+			TALLOC_FREE(spn);

+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		}

-			ok = ads_element_in_array(spn_array, num_spns, spn);

-			if (ok) {

-				TALLOC_FREE(spn);

-				continue;

-			}

-			ok = add_string_to_array(spn_array, spn,

-						 &spn_array, &num_spns);

-			if (!ok) {

-				TALLOC_FREE(spn);

-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-			}

+		ok = ads_element_in_array(spn_array, num_spns, spn);

+		if (ok) {

+			TALLOC_FREE(spn);

+			continue;

+		}

+		ok = add_string_to_array(spn_array, spn,

+					 &spn_array, &num_spns);

+		if (!ok) {

 			TALLOC_FREE(spn);

+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		}

+		TALLOC_FREE(spn);

-			/*

-			 * Add HOST/netbiosname.domainname

-			 */

-			fstr_sprintf(my_fqdn, "%s.%s",

-				     *netbios_aliases,

-				     lp_dnsdomain());

+		/*

+		 * Add HOST/netbiosname.domainname

+		 */

+		fstr_sprintf(my_fqdn, "%s.%s",

+			     *netbios_aliases,

+			     lp_dnsdomain());

-			spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);

-			if (spn == NULL) {

-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-			}

+		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);

+		if (spn == NULL) {

+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		}

-			ok = ads_element_in_array(spn_array, num_spns, spn);

-			if (ok) {

-				TALLOC_FREE(spn);

-				continue;

-			}

-			ok = add_string_to_array(spn_array, spn,

-						 &spn_array, &num_spns);

-			if (!ok) {

-				TALLOC_FREE(spn);

-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-			}

+		ok = ads_element_in_array(spn_array, num_spns, spn);

+		if (ok) {

+			TALLOC_FREE(spn);

+			continue;

+		}

+		ok = add_string_to_array(spn_array, spn,

+					 &spn_array, &num_spns);

+		if (!ok) {

 			TALLOC_FREE(spn);

+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

 		}

+		TALLOC_FREE(spn);

 	}

 	/* make sure to NULL terminate the array */

-- 

2.21.0

From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001

From: Isaac Boukris <iboukris@gmail.com>

Date: Wed, 18 Sep 2019 21:29:47 +0300

Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling

and avoid a possible memory leak when passing null to

add_string_to_array() as mem_ctx.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>

Reviewed-by: Ralph Boehme <slow@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>

---

 source3/libnet/libnet_join.c | 74 ++++++++++++++++++++----------------

 1 file changed, 42 insertions(+), 32 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c

index 67ab50c68a8..43035370526 100644

--- a/source3/libnet/libnet_join.c

+++ b/source3/libnet/libnet_join.c

@@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,

 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 					      struct libnet_JoinCtx *r)

 {

+	TALLOC_CTX *frame = talloc_stackframe();

 	ADS_STATUS status;

 	ADS_MODLIST mods;

 	fstring my_fqdn;

@@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 		return status;

 	}

-	status = libnet_join_get_machine_spns(mem_ctx,

+	status = libnet_join_get_machine_spns(frame,

 					      r,

 					      discard_const_p(char **, &spn_array),

 					      &num_spns);

@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 	/* Windows only creates HOST/shortname & HOST/fqdn. */

-	spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);

+	spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name);

 	if (spn == NULL) {

-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		goto done;

 	}

 	if (!strupper_m(spn)) {

-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		goto done;

 	}

 	ok = ads_element_in_array(spn_array, num_spns, spn);

 	if (!ok) {

-		ok = add_string_to_array(spn_array, spn,

+		ok = add_string_to_array(frame, spn,

 					 &spn_array, &num_spns);

 		if (!ok) {

-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			goto done;

 		}

 	}

 	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());

 	if (!strlower_m(my_fqdn)) {

-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		goto done;

 	}

-	spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);

+	spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);

 	if (spn == NULL) {

-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		goto done;

 	}

 	ok = ads_element_in_array(spn_array, num_spns, spn);

 	if (!ok) {

-		ok = add_string_to_array(spn_array, spn,

+		ok = add_string_to_array(frame, spn,

 					 &spn_array, &num_spns);

 		if (!ok) {

-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			goto done;

 		}

 	}

@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 		/*

 		 * Add HOST/NETBIOSNAME

 		 */

-		spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);

+		spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases);

 		if (spn == NULL) {

-			TALLOC_FREE(spn);

-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			goto done;

 		}

 		if (!strupper_m(spn)) {

-			TALLOC_FREE(spn);

-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			goto done;

 		}

 		ok = ads_element_in_array(spn_array, num_spns, spn);

 		if (ok) {

-			TALLOC_FREE(spn);

 			continue;

 		}

 		ok = add_string_to_array(spn_array, spn,

 					 &spn_array, &num_spns);

 		if (!ok) {

-			TALLOC_FREE(spn);

-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			goto done;

 		}

-		TALLOC_FREE(spn);

 		/*

 		 * Add HOST/netbiosname.domainname

@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 			     *netbios_aliases,

 			     lp_dnsdomain());

-		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);

+		spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);

 		if (spn == NULL) {

-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			goto done;

 		}

 		ok = ads_element_in_array(spn_array, num_spns, spn);

 		if (ok) {

-			TALLOC_FREE(spn);

 			continue;

 		}

 		ok = add_string_to_array(spn_array, spn,

 					 &spn_array, &num_spns);

 		if (!ok) {

-			TALLOC_FREE(spn);

-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			goto done;

 		}

-		TALLOC_FREE(spn);

 	}

 	/* make sure to NULL terminate the array */

-	spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);

+	spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);

 	if (spn_array == NULL) {

-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		goto done;

 	}

 	spn_array[num_spns] = NULL;

 	mods = ads_init_mods(mem_ctx);

 	if (!mods) {

-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		goto done;

 	}

 	/* fields of primary importance */

 	status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);

 	if (!ADS_ERR_OK(status)) {

-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		goto done;

 	}

 	status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",

 				 spn_array);

 	if (!ADS_ERR_OK(status)) {

-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		goto done;

 	}

-	return ads_gen_mod(r->in.ads, r->out.dn, mods);

+	status = ads_gen_mod(r->in.ads, r->out.dn, mods);

+

+done:

+	TALLOC_FREE(frame);

+	return status;

 }

 /****************************************************************

-- 

2.21.0

From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001

From: Isaac Boukris <iboukris@gmail.com>

Date: Wed, 18 Sep 2019 23:15:57 +0300

Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to

 array

and do not skip adding a fully qualified spn to netbios-aliases

in case a short spn already existed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>

Reviewed-by: Ralph Boehme <slow@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>

---

 source3/libnet/libnet_join.c | 56 +++++++++++++++---------------------

 1 file changed, 23 insertions(+), 33 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c

index 43035370526..a1d8a25bbc2 100644

--- a/source3/libnet/libnet_join.c

+++ b/source3/libnet/libnet_join.c

@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,

 	return status;

 }

+static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const  char *spn,

+			       const char ***array, size_t *num)

+{

+	bool ok = ads_element_in_array(*array, *num, spn);

+	if (!ok) {

+		ok = add_string_to_array(mem_ctx, spn, array, num);

+		if (!ok) {

+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		}

+	}

+	return ADS_SUCCESS;

+}

+

 /****************************************************************

  Set a machines dNSHostName and servicePrincipalName attributes

 ****************************************************************/

@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 	const char **spn_array = NULL;

 	size_t num_spns = 0;

 	char *spn = NULL;

-	bool ok;

 	const char **netbios_aliases = NULL;

 	/* Find our DN */

@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 		goto done;

 	}

-	ok = ads_element_in_array(spn_array, num_spns, spn);

-	if (!ok) {

-		ok = add_string_to_array(frame, spn,

-					 &spn_array, &num_spns);

-		if (!ok) {

-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-			goto done;

-		}

+	status = add_uniq_spn(frame, spn, &spn_array, &num_spns);

+	if (!ADS_ERR_OK(status)) {

+		goto done;

 	}

 	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());

@@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 		goto done;

 	}

-	ok = ads_element_in_array(spn_array, num_spns, spn);

-	if (!ok) {

-		ok = add_string_to_array(frame, spn,

-					 &spn_array, &num_spns);

-		if (!ok) {

-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

-			goto done;

-		}

+	status = add_uniq_spn(frame, spn, &spn_array, &num_spns);

+	if (!ADS_ERR_OK(status)) {

+		goto done;

 	}

 	for (netbios_aliases = lp_netbios_aliases();

@@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 			goto done;

 		}

-		ok = ads_element_in_array(spn_array, num_spns, spn);

-		if (ok) {

-			continue;

-		}

-		ok = add_string_to_array(spn_array, spn,

-					 &spn_array, &num_spns);

-		if (!ok) {

-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);

+		if (!ADS_ERR_OK(status)) {

 			goto done;

 		}

@@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 			goto done;

 		}

-		ok = ads_element_in_array(spn_array, num_spns, spn);

-		if (ok) {

-			continue;

-		}

-		ok = add_string_to_array(spn_array, spn,

-					 &spn_array, &num_spns);

-		if (!ok) {

-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);

+		if (!ADS_ERR_OK(status)) {

 			goto done;

 		}

 	}

-- 

2.21.0

From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001

From: Isaac Boukris <iboukris@gmail.com>

Date: Tue, 17 Sep 2019 21:38:07 +0300

Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>

Reviewed-by: Ralph Boehme <slow@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>

---

 docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++

 1 file changed, 11 insertions(+)

 create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml

diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml

new file mode 100644

index 00000000000..ddc04ee9f81

--- /dev/null

+++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml

@@ -0,0 +1,11 @@

+

+                 context="G"

+                 type="cmdlist"

+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">

+ <description>

+        <para> A list of additional DNS names by which this host can be identified

+        </para>

+</description>

+<value type="default"><comment>empty string (no additional dns names)</comment></value>

+<value type="example"> host2.example.com host3.other.com </value>

+</samba:parameter>

-- 

2.21.0

From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001

From: Isaac Boukris <iboukris@gmail.com>

Date: Fri, 13 Sep 2019 10:56:10 +0300

Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames

 entries

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

and set msDS-AdditionalDnsHostName to the specified list.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>

Reviewed-by: Ralph Boehme <slow@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>

Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184

---

 source3/libnet/libnet_join.c       | 27 +++++++++++++++++++++++++++

 testprogs/blackbox/test_net_ads.sh | 10 +++++++++-

 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c

index a1d8a25bbc2..eb8e0ea17f7 100644

--- a/source3/libnet/libnet_join.c

+++ b/source3/libnet/libnet_join.c

@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 	size_t num_spns = 0;

 	char *spn = NULL;

 	const char **netbios_aliases = NULL;

+	const char **addl_hostnames = NULL;

 	/* Find our DN */

@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 		}

 	}

+	for (addl_hostnames = lp_additional_dns_hostnames();

+	     addl_hostnames != NULL && *addl_hostnames != NULL;

+	     addl_hostnames++) {

+

+		spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames);

+		if (spn == NULL) {

+			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);

+			goto done;

+		}

+

+		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);

+		if (!ADS_ERR_OK(status)) {

+			goto done;

+		}

+	}

+

 	/* make sure to NULL terminate the array */

 	spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);

 	if (spn_array == NULL) {

@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,

 		goto done;

 	}

+	addl_hostnames = lp_additional_dns_hostnames();

+	if (addl_hostnames != NULL && *addl_hostnames != NULL) {

+		status = ads_mod_strlist(mem_ctx, &mods,

+					 "msDS-AdditionalDnsHostName",

+					 addl_hostnames);

+		if (!ADS_ERR_OK(status)) {

+			goto done;

+		}

+	}

+

 	status = ads_gen_mod(r->in.ads, r->out.dn, mods);

 done:

diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh

index ef6f99ddea4..8bcff006b8e 100755

--- a/testprogs/blackbox/test_net_ads.sh

+++ b/testprogs/blackbox/test_net_ads.sh

@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com"

 computers_dn="CN=Computers,$base_dn"

 testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1`

-testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`

+dns_alias1="${netbios}_alias1.other.${lc_realm}"

+dns_alias2="${netbios}_alias2.other2.${lc_realm}"

+testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`

 testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`

 testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`

 testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`

+testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`

+testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`

+

+testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`

+testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`

+