|
|
af2bad |
From 0ef46723cad274d0fe7948a67b33f9f20fab3f0d Mon Sep 17 00:00:00 2001
|
|
|
af2bad |
From: Alexander Bokovoy <ab@samba.org>
|
|
|
af2bad |
Date: Tue, 7 Jan 2020 19:25:53 +0200
|
|
|
7bd85e |
Subject: [PATCH 01/11] s3-rpcserver: fix security level check for
|
|
|
af2bad |
DsRGetForestTrustInformation
|
|
|
af2bad |
MIME-Version: 1.0
|
|
|
af2bad |
Content-Type: text/plain; charset=UTF-8
|
|
|
af2bad |
Content-Transfer-Encoding: 8bit
|
|
|
af2bad |
|
|
|
af2bad |
Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
|
|
|
af2bad |
didn't change since DCE RPC channel refactoring.
|
|
|
af2bad |
|
|
|
af2bad |
With the current code we return RPC faul as can be seen in the logs:
|
|
|
af2bad |
|
|
|
af2bad |
2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
|
|
|
af2bad |
netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
|
|
|
af2bad |
in: struct netr_DsRGetForestTrustInformation
|
|
|
af2bad |
server_name : *
|
|
|
af2bad |
server_name : '\\some-dc.example.com'
|
|
|
af2bad |
trusted_domain_name : NULL
|
|
|
af2bad |
flags : 0x00000000 (0)
|
|
|
af2bad |
[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
|
|
|
af2bad |
api_rpcTNP: fault(5) return.
|
|
|
af2bad |
|
|
|
af2bad |
This is due to this check in processing a request:
|
|
|
af2bad |
if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
|
|
|
af2bad |
&& (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
|
|
|
af2bad |
p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
|
|
|
af2bad |
return WERR_ACCESS_DENIED;
|
|
|
af2bad |
}
|
|
|
af2bad |
|
|
|
af2bad |
and since we get AuthZ response,
|
|
|
af2bad |
|
|
|
af2bad |
Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
|
|
|
af2bad |
Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
|
|
|
af2bad |
[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
|
|
|
af2bad |
JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
|
|
|
af2bad |
"type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
|
|
|
af2bad |
"localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
|
|
|
af2bad |
"serviceDescription": "netlogon", "authType": "ncacn_np",
|
|
|
af2bad |
"domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
|
|
|
af2bad |
"sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
|
|
|
af2bad |
"transportProtection": "SMB", "accountFlags": "0x00000010"}}
|
|
|
af2bad |
|
|
|
af2bad |
this means we are actually getting anonymous DCE/RPC access to netlogon
|
|
|
af2bad |
on top of authenticated SMB connection. In such case we have exactly
|
|
|
af2bad |
auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
|
|
|
af2bad |
DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
|
|
|
af2bad |
|
|
|
af2bad |
Update the code to follow the same security level check as in s4 variant
|
|
|
af2bad |
of the call.
|
|
|
af2bad |
|
|
|
af2bad |
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
|
|
af2bad |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
af2bad |
|
|
|
af2bad |
Autobuild-User(master): Günther Deschner <gd@samba.org>
|
|
|
af2bad |
Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184
|
|
|
af2bad |
|
|
|
af2bad |
(cherry picked from commit c6d880a115095c336b8b74f45854a99abb1bbb87)
|
|
|
af2bad |
---
|
|
|
af2bad |
source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
|
|
|
af2bad |
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
af2bad |
|
|
|
af2bad |
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
|
af2bad |
index d799ba4feef..87613b99fde 100644
|
|
|
af2bad |
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
|
af2bad |
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
|
af2bad |
@@ -2425,10 +2425,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
|
|
|
af2bad |
{
|
|
|
af2bad |
NTSTATUS status;
|
|
|
af2bad |
struct lsa_ForestTrustInformation *info, **info_ptr;
|
|
|
af2bad |
+ enum security_user_level security_level;
|
|
|
af2bad |
|
|
|
af2bad |
- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
|
|
|
af2bad |
- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
|
|
|
af2bad |
- p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
|
|
|
af2bad |
+ security_level = security_session_user_level(p->session_info, NULL);
|
|
|
af2bad |
+ if (security_level < SECURITY_USER) {
|
|
|
af2bad |
return WERR_ACCESS_DENIED;
|
|
|
af2bad |
}
|
|
|
af2bad |
|
|
|
af2bad |
--
|
|
|
7bd85e |
2.25.4
|
|
|
af2bad |
|
|
|
af2bad |
|
|
|
af2bad |
From 67c40147a3c1da49a8d407282e1917ed3be511b0 Mon Sep 17 00:00:00 2001
|
|
|
af2bad |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
af2bad |
Date: Wed, 27 May 2020 16:50:45 +0200
|
|
|
7bd85e |
Subject: [PATCH 02/11] Add a test to check dNSHostName with netbios aliases
|
|
|
af2bad |
|
|
|
af2bad |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
|
|
|
af2bad |
|
|
|
af2bad |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
af2bad |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
af2bad |
---
|
|
|
af2bad |
selftest/knownfail.d/nb_alias_dnshostname | 2 ++
|
|
|
af2bad |
testprogs/blackbox/test_net_ads.sh | 14 ++++++++++++++
|
|
|
af2bad |
2 files changed, 16 insertions(+)
|
|
|
af2bad |
create mode 100644 selftest/knownfail.d/nb_alias_dnshostname
|
|
|
af2bad |
|
|
|
af2bad |
diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
|
|
|
af2bad |
new file mode 100644
|
|
|
af2bad |
index 00000000000..3c14e9931b9
|
|
|
af2bad |
--- /dev/null
|
|
|
af2bad |
+++ b/selftest/knownfail.d/nb_alias_dnshostname
|
|
|
af2bad |
@@ -0,0 +1,2 @@
|
|
|
af2bad |
+^samba4.blackbox.net_ads.nb_alias check dNSHostName
|
|
|
af2bad |
+^samba4.blackbox.net_ads.nb_alias check main SPN
|
|
|
af2bad |
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
index 95c0cf76f90..6073ea972f9 100755
|
|
|
af2bad |
--- a/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
+++ b/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
@@ -220,6 +220,20 @@ testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samac
|
|
|
af2bad |
##Goodbye...
|
|
|
af2bad |
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
af2bad |
|
|
|
af2bad |
+# netbios aliases tests
|
|
|
af2bad |
+testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
|
|
|
af2bad |
+testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
|
|
|
af2bad |
+testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+##Goodbye...
|
|
|
af2bad |
+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
#
|
|
|
af2bad |
# Test createcomputer option of 'net ads join'
|
|
|
af2bad |
#
|
|
|
af2bad |
--
|
|
|
7bd85e |
2.25.4
|
|
|
af2bad |
|
|
|
af2bad |
|
|
|
af2bad |
From b3e19ea4f4f366e7f6b99114c71f65c303402ef8 Mon Sep 17 00:00:00 2001
|
|
|
af2bad |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
af2bad |
Date: Wed, 27 May 2020 15:52:46 +0200
|
|
|
7bd85e |
Subject: [PATCH 03/11] Fix accidental overwrite of dnsHostName by the last
|
|
|
af2bad |
netbios alias
|
|
|
af2bad |
|
|
|
af2bad |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
|
|
|
af2bad |
|
|
|
af2bad |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
af2bad |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
af2bad |
---
|
|
|
af2bad |
selftest/knownfail.d/nb_alias_dnshostname | 2 --
|
|
|
af2bad |
source3/libnet/libnet_join.c | 5 +++--
|
|
|
af2bad |
2 files changed, 3 insertions(+), 4 deletions(-)
|
|
|
af2bad |
delete mode 100644 selftest/knownfail.d/nb_alias_dnshostname
|
|
|
af2bad |
|
|
|
af2bad |
diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
|
|
|
af2bad |
deleted file mode 100644
|
|
|
af2bad |
index 3c14e9931b9..00000000000
|
|
|
af2bad |
--- a/selftest/knownfail.d/nb_alias_dnshostname
|
|
|
af2bad |
+++ /dev/null
|
|
|
af2bad |
@@ -1,2 +0,0 @@
|
|
|
af2bad |
-^samba4.blackbox.net_ads.nb_alias check dNSHostName
|
|
|
af2bad |
-^samba4.blackbox.net_ads.nb_alias check main SPN
|
|
|
af2bad |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
|
|
af2bad |
index 9d4f656ffec..a31011b0ff8 100644
|
|
|
af2bad |
--- a/source3/libnet/libnet_join.c
|
|
|
af2bad |
+++ b/source3/libnet/libnet_join.c
|
|
|
af2bad |
@@ -507,6 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
|
|
|
af2bad |
ADS_STATUS status;
|
|
|
af2bad |
ADS_MODLIST mods;
|
|
|
af2bad |
fstring my_fqdn;
|
|
|
af2bad |
+ fstring my_alias;
|
|
|
af2bad |
const char **spn_array = NULL;
|
|
|
af2bad |
size_t num_spns = 0;
|
|
|
af2bad |
char *spn = NULL;
|
|
|
af2bad |
@@ -587,11 +588,11 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
|
|
|
af2bad |
/*
|
|
|
af2bad |
* Add HOST/netbiosname.domainname
|
|
|
af2bad |
*/
|
|
|
af2bad |
- fstr_sprintf(my_fqdn, "%s.%s",
|
|
|
af2bad |
+ fstr_sprintf(my_alias, "%s.%s",
|
|
|
af2bad |
*netbios_aliases,
|
|
|
af2bad |
lp_dnsdomain());
|
|
|
af2bad |
|
|
|
af2bad |
- spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
|
|
|
af2bad |
+ spn = talloc_asprintf(frame, "HOST/%s", my_alias);
|
|
|
af2bad |
if (spn == NULL) {
|
|
|
af2bad |
status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
|
|
|
af2bad |
goto done;
|
|
|
af2bad |
--
|
|
|
7bd85e |
2.25.4
|
|
|
af2bad |
|
|
|
af2bad |
|
|
|
af2bad |
From 134c761913dcf84c8c18751a8ba9cc3652995138 Mon Sep 17 00:00:00 2001
|
|
|
af2bad |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
af2bad |
Date: Thu, 24 Oct 2019 19:04:51 +0300
|
|
|
7bd85e |
Subject: [PATCH 04/11] Refactor ads_keytab_add_entry() to make it iterable
|
|
|
af2bad |
|
|
|
af2bad |
so we can more easily add msDS-AdditionalDnsHostName entries.
|
|
|
af2bad |
|
|
|
af2bad |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
|
|
|
af2bad |
|
|
|
af2bad |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
af2bad |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
af2bad |
---
|
|
|
af2bad |
source3/libads/kerberos_keytab.c | 197 +++++++++++++++++--------------
|
|
|
af2bad |
1 file changed, 107 insertions(+), 90 deletions(-)
|
|
|
af2bad |
|
|
|
af2bad |
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
|
|
|
af2bad |
index 97d5535041c..0f450a09df5 100644
|
|
|
af2bad |
--- a/source3/libads/kerberos_keytab.c
|
|
|
af2bad |
+++ b/source3/libads/kerberos_keytab.c
|
|
|
af2bad |
@@ -228,18 +228,16 @@ out:
|
|
|
af2bad |
return ok;
|
|
|
af2bad |
}
|
|
|
af2bad |
|
|
|
af2bad |
-/**********************************************************************
|
|
|
af2bad |
- Adds a single service principal, i.e. 'host' to the system keytab
|
|
|
af2bad |
-***********************************************************************/
|
|
|
af2bad |
-
|
|
|
af2bad |
-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
|
af2bad |
+static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
|
|
|
af2bad |
+ ADS_STRUCT *ads, const char *salt_princ_s,
|
|
|
af2bad |
+ krb5_keytab keytab, krb5_kvno kvno,
|
|
|
af2bad |
+ const char *srvPrinc, const char *my_fqdn,
|
|
|
af2bad |
+ krb5_data *password, bool update_ads)
|
|
|
af2bad |
{
|
|
|
af2bad |
krb5_error_code ret = 0;
|
|
|
af2bad |
- krb5_context context = NULL;
|
|
|
af2bad |
- krb5_keytab keytab = NULL;
|
|
|
af2bad |
- krb5_data password;
|
|
|
af2bad |
- krb5_kvno kvno;
|
|
|
af2bad |
- krb5_enctype enctypes[6] = {
|
|
|
af2bad |
+ char *princ_s = NULL;
|
|
|
af2bad |
+ char *short_princ_s = NULL;
|
|
|
af2bad |
+ krb5_enctype enctypes[6] = {
|
|
|
af2bad |
ENCTYPE_DES_CBC_CRC,
|
|
|
af2bad |
ENCTYPE_DES_CBC_MD5,
|
|
|
af2bad |
#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
|
|
|
af2bad |
@@ -251,65 +249,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
|
af2bad |
ENCTYPE_ARCFOUR_HMAC,
|
|
|
af2bad |
0
|
|
|
af2bad |
};
|
|
|
af2bad |
- char *princ_s = NULL;
|
|
|
af2bad |
- char *short_princ_s = NULL;
|
|
|
af2bad |
- char *salt_princ_s = NULL;
|
|
|
af2bad |
- char *password_s = NULL;
|
|
|
af2bad |
- char *my_fqdn;
|
|
|
af2bad |
- TALLOC_CTX *tmpctx = NULL;
|
|
|
af2bad |
- int i;
|
|
|
af2bad |
-
|
|
|
af2bad |
- ret = smb_krb5_init_context_common(&context);
|
|
|
af2bad |
- if (ret) {
|
|
|
af2bad |
- DBG_ERR("kerberos init context failed (%s)\n",
|
|
|
af2bad |
- error_message(ret));
|
|
|
af2bad |
- return -1;
|
|
|
af2bad |
- }
|
|
|
af2bad |
-
|
|
|
af2bad |
- ret = ads_keytab_open(context, &keytab);
|
|
|
af2bad |
- if (ret != 0) {
|
|
|
af2bad |
- goto out;
|
|
|
af2bad |
- }
|
|
|
af2bad |
-
|
|
|
af2bad |
- /* retrieve the password */
|
|
|
af2bad |
- if (!secrets_init()) {
|
|
|
af2bad |
- DEBUG(1, (__location__ ": secrets_init failed\n"));
|
|
|
af2bad |
- ret = -1;
|
|
|
af2bad |
- goto out;
|
|
|
af2bad |
- }
|
|
|
af2bad |
- password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
|
|
|
af2bad |
- if (!password_s) {
|
|
|
af2bad |
- DEBUG(1, (__location__ ": failed to fetch machine password\n"));
|
|
|
af2bad |
- ret = -1;
|
|
|
af2bad |
- goto out;
|
|
|
af2bad |
- }
|
|
|
af2bad |
- ZERO_STRUCT(password);
|
|
|
af2bad |
- password.data = password_s;
|
|
|
af2bad |
- password.length = strlen(password_s);
|
|
|
af2bad |
-
|
|
|
af2bad |
- /* we need the dNSHostName value here */
|
|
|
af2bad |
- tmpctx = talloc_init(__location__);
|
|
|
af2bad |
- if (!tmpctx) {
|
|
|
af2bad |
- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
|
|
|
af2bad |
- ret = -1;
|
|
|
af2bad |
- goto out;
|
|
|
af2bad |
- }
|
|
|
af2bad |
-
|
|
|
af2bad |
- my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
|
|
|
af2bad |
- if (!my_fqdn) {
|
|
|
af2bad |
- DEBUG(0, (__location__ ": unable to determine machine "
|
|
|
af2bad |
- "account's dns name in AD!\n"));
|
|
|
af2bad |
- ret = -1;
|
|
|
af2bad |
- goto out;
|
|
|
af2bad |
- }
|
|
|
af2bad |
-
|
|
|
af2bad |
- /* make sure we have a single instance of a the computer account */
|
|
|
af2bad |
- if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
|
|
|
af2bad |
- DEBUG(0, (__location__ ": unable to determine machine "
|
|
|
af2bad |
- "account's short name in AD!\n"));
|
|
|
af2bad |
- ret = -1;
|
|
|
af2bad |
- goto out;
|
|
|
af2bad |
- }
|
|
|
af2bad |
+ size_t i;
|
|
|
af2bad |
|
|
|
af2bad |
/* Construct our principal */
|
|
|
af2bad |
if (strchr_m(srvPrinc, '@')) {
|
|
|
af2bad |
@@ -358,22 +298,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
|
af2bad |
}
|
|
|
af2bad |
}
|
|
|
af2bad |
|
|
|
af2bad |
- kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
|
|
|
af2bad |
- if (kvno == -1) {
|
|
|
af2bad |
- /* -1 indicates failure, everything else is OK */
|
|
|
af2bad |
- DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
|
|
|
af2bad |
- "determine the system's kvno.\n"));
|
|
|
af2bad |
- ret = -1;
|
|
|
af2bad |
- goto out;
|
|
|
af2bad |
- }
|
|
|
af2bad |
-
|
|
|
af2bad |
- salt_princ_s = kerberos_secrets_fetch_salt_princ();
|
|
|
af2bad |
- if (salt_princ_s == NULL) {
|
|
|
af2bad |
- DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
|
|
|
af2bad |
- ret = -1;
|
|
|
af2bad |
- goto out;
|
|
|
af2bad |
- }
|
|
|
af2bad |
-
|
|
|
af2bad |
for (i = 0; enctypes[i]; i++) {
|
|
|
af2bad |
|
|
|
af2bad |
/* add the fqdn principal to the keytab */
|
|
|
af2bad |
@@ -383,11 +307,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
|
af2bad |
princ_s,
|
|
|
af2bad |
salt_princ_s,
|
|
|
af2bad |
enctypes[i],
|
|
|
af2bad |
- &password,
|
|
|
af2bad |
+ password,
|
|
|
af2bad |
false,
|
|
|
af2bad |
false);
|
|
|
af2bad |
if (ret) {
|
|
|
af2bad |
- DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
|
|
|
af2bad |
+ DBG_WARNING("Failed to add entry to keytab\n");
|
|
|
af2bad |
goto out;
|
|
|
af2bad |
}
|
|
|
af2bad |
|
|
|
af2bad |
@@ -399,16 +323,109 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
|
af2bad |
short_princ_s,
|
|
|
af2bad |
salt_princ_s,
|
|
|
af2bad |
enctypes[i],
|
|
|
af2bad |
- &password,
|
|
|
af2bad |
+ password,
|
|
|
af2bad |
false,
|
|
|
af2bad |
false);
|
|
|
af2bad |
if (ret) {
|
|
|
af2bad |
- DEBUG(1, (__location__
|
|
|
af2bad |
- ": Failed to add short entry to keytab\n"));
|
|
|
af2bad |
+ DBG_WARNING("Failed to add short entry to keytab\n");
|
|
|
af2bad |
goto out;
|
|
|
af2bad |
}
|
|
|
af2bad |
}
|
|
|
af2bad |
}
|
|
|
af2bad |
+out:
|
|
|
af2bad |
+ return ret;
|
|
|
af2bad |
+}
|
|
|
af2bad |
+
|
|
|
af2bad |
+/**********************************************************************
|
|
|
af2bad |
+ Adds a single service principal, i.e. 'host' to the system keytab
|
|
|
af2bad |
+***********************************************************************/
|
|
|
af2bad |
+
|
|
|
af2bad |
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
|
af2bad |
+{
|
|
|
af2bad |
+ krb5_error_code ret = 0;
|
|
|
af2bad |
+ krb5_context context = NULL;
|
|
|
af2bad |
+ krb5_keytab keytab = NULL;
|
|
|
af2bad |
+ krb5_data password;
|
|
|
af2bad |
+ krb5_kvno kvno;
|
|
|
af2bad |
+ char *salt_princ_s = NULL;
|
|
|
af2bad |
+ char *password_s = NULL;
|
|
|
af2bad |
+ char *my_fqdn;
|
|
|
af2bad |
+ TALLOC_CTX *tmpctx = NULL;
|
|
|
af2bad |
+
|
|
|
af2bad |
+ ret = smb_krb5_init_context_common(&context);
|
|
|
af2bad |
+ if (ret) {
|
|
|
af2bad |
+ DBG_ERR("kerberos init context failed (%s)\n",
|
|
|
af2bad |
+ error_message(ret));
|
|
|
af2bad |
+ return -1;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ ret = ads_keytab_open(context, &keytab);
|
|
|
af2bad |
+ if (ret != 0) {
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ /* retrieve the password */
|
|
|
af2bad |
+ if (!secrets_init()) {
|
|
|
af2bad |
+ DBG_WARNING("secrets_init failed\n");
|
|
|
af2bad |
+ ret = -1;
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+ password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
|
|
|
af2bad |
+ if (!password_s) {
|
|
|
af2bad |
+ DBG_WARNING("failed to fetch machine password\n");
|
|
|
af2bad |
+ ret = -1;
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+ ZERO_STRUCT(password);
|
|
|
af2bad |
+ password.data = password_s;
|
|
|
af2bad |
+ password.length = strlen(password_s);
|
|
|
af2bad |
+
|
|
|
af2bad |
+ /* we need the dNSHostName value here */
|
|
|
af2bad |
+ tmpctx = talloc_init(__location__);
|
|
|
af2bad |
+ if (!tmpctx) {
|
|
|
af2bad |
+ DBG_ERR("talloc_init() failed!\n");
|
|
|
af2bad |
+ ret = -1;
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
|
|
|
af2bad |
+ if (!my_fqdn) {
|
|
|
af2bad |
+ DBG_ERR("unable to determine machine account's dns name in "
|
|
|
af2bad |
+ "AD!\n");
|
|
|
af2bad |
+ ret = -1;
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ /* make sure we have a single instance of a the computer account */
|
|
|
af2bad |
+ if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
|
|
|
af2bad |
+ DBG_ERR("unable to determine machine account's short name in "
|
|
|
af2bad |
+ "AD!\n");
|
|
|
af2bad |
+ ret = -1;
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
|
|
|
af2bad |
+ if (kvno == -1) {
|
|
|
af2bad |
+ /* -1 indicates failure, everything else is OK */
|
|
|
af2bad |
+ DBG_WARNING("ads_get_machine_kvno failed to determine the "
|
|
|
af2bad |
+ "system's kvno.\n");
|
|
|
af2bad |
+ ret = -1;
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ salt_princ_s = kerberos_secrets_fetch_salt_princ();
|
|
|
af2bad |
+ if (salt_princ_s == NULL) {
|
|
|
af2bad |
+ DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
|
|
|
af2bad |
+ ret = -1;
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
|
|
|
af2bad |
+ kvno, srvPrinc, my_fqdn, &password,
|
|
|
af2bad |
+ update_ads);
|
|
|
af2bad |
+ if (ret != 0) {
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
|
|
|
af2bad |
out:
|
|
|
af2bad |
SAFE_FREE(salt_princ_s);
|
|
|
af2bad |
--
|
|
|
7bd85e |
2.25.4
|
|
|
af2bad |
|
|
|
af2bad |
|
|
|
af2bad |
From 7b2295db8683bb9432f49e2f09912799e65e2e6b Mon Sep 17 00:00:00 2001
|
|
|
af2bad |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
af2bad |
Date: Wed, 27 May 2020 17:55:12 +0200
|
|
|
7bd85e |
Subject: [PATCH 05/11] Add a test for msDS-AdditionalDnsHostName entries in
|
|
|
af2bad |
keytab
|
|
|
af2bad |
|
|
|
af2bad |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
|
|
|
af2bad |
|
|
|
af2bad |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
af2bad |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
af2bad |
---
|
|
|
af2bad |
selftest/knownfail.d/dns_alias_keytab | 2 ++
|
|
|
af2bad |
testprogs/blackbox/test_net_ads.sh | 9 +++++++++
|
|
|
af2bad |
2 files changed, 11 insertions(+)
|
|
|
af2bad |
create mode 100644 selftest/knownfail.d/dns_alias_keytab
|
|
|
af2bad |
|
|
|
af2bad |
diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
|
|
|
af2bad |
new file mode 100644
|
|
|
af2bad |
index 00000000000..216592e1210
|
|
|
af2bad |
--- /dev/null
|
|
|
af2bad |
+++ b/selftest/knownfail.d/dns_alias_keytab
|
|
|
af2bad |
@@ -0,0 +1,2 @@
|
|
|
af2bad |
+^samba4.blackbox.net_ads.dns alias1 check keytab
|
|
|
af2bad |
+^samba4.blackbox.net_ads.dns alias2 check keytab
|
|
|
af2bad |
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
index 6073ea972f9..a40b477a173 100755
|
|
|
af2bad |
--- a/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
+++ b/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
@@ -217,6 +217,15 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
|
|
|
af2bad |
testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
|
|
|
af2bad |
testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
|
|
|
af2bad |
|
|
|
af2bad |
+dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
af2bad |
+testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+rm -f $dedicated_keytab_file
|
|
|
af2bad |
+
|
|
|
af2bad |
##Goodbye...
|
|
|
af2bad |
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
af2bad |
|
|
|
af2bad |
--
|
|
|
7bd85e |
2.25.4
|
|
|
af2bad |
|
|
|
af2bad |
|
|
|
af2bad |
From ca89f163524c317b6a2fffeb527194b34ede526d Mon Sep 17 00:00:00 2001
|
|
|
af2bad |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
af2bad |
Date: Wed, 27 May 2020 15:36:28 +0200
|
|
|
7bd85e |
Subject: [PATCH 06/11] Add msDS-AdditionalDnsHostName entries to the keytab
|
|
|
af2bad |
|
|
|
af2bad |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
|
|
|
af2bad |
|
|
|
af2bad |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
af2bad |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
af2bad |
---
|
|
|
af2bad |
selftest/knownfail.d/dns_alias_keytab | 2 --
|
|
|
af2bad |
source3/libads/ads_proto.h | 5 +++
|
|
|
af2bad |
source3/libads/kerberos_keytab.c | 21 +++++++++++++
|
|
|
af2bad |
source3/libads/ldap.c | 45 +++++++++++++++++++++++++++
|
|
|
af2bad |
4 files changed, 71 insertions(+), 2 deletions(-)
|
|
|
af2bad |
delete mode 100644 selftest/knownfail.d/dns_alias_keytab
|
|
|
af2bad |
|
|
|
af2bad |
diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
|
|
|
af2bad |
deleted file mode 100644
|
|
|
af2bad |
index 216592e1210..00000000000
|
|
|
af2bad |
--- a/selftest/knownfail.d/dns_alias_keytab
|
|
|
af2bad |
+++ /dev/null
|
|
|
af2bad |
@@ -1,2 +0,0 @@
|
|
|
af2bad |
-^samba4.blackbox.net_ads.dns alias1 check keytab
|
|
|
af2bad |
-^samba4.blackbox.net_ads.dns alias2 check keytab
|
|
|
af2bad |
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
|
|
|
af2bad |
index 495ef5d3325..cd9c1082681 100644
|
|
|
af2bad |
--- a/source3/libads/ads_proto.h
|
|
|
af2bad |
+++ b/source3/libads/ads_proto.h
|
|
|
af2bad |
@@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
|
|
|
af2bad |
enum ads_extended_dn_flags flags,
|
|
|
af2bad |
struct dom_sid *sid);
|
|
|
af2bad |
char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
|
|
|
af2bad |
+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
|
|
|
af2bad |
+ ADS_STRUCT *ads,
|
|
|
af2bad |
+ const char *machine_name,
|
|
|
af2bad |
+ char ***hostnames_array,
|
|
|
af2bad |
+ size_t *num_hostnames);
|
|
|
af2bad |
char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
|
|
|
af2bad |
bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
|
|
|
af2bad |
ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
|
|
|
af2bad |
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
|
|
|
af2bad |
index 0f450a09df5..818ec884a03 100644
|
|
|
af2bad |
--- a/source3/libads/kerberos_keytab.c
|
|
|
af2bad |
+++ b/source3/libads/kerberos_keytab.c
|
|
|
af2bad |
@@ -351,6 +351,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
|
af2bad |
char *password_s = NULL;
|
|
|
af2bad |
char *my_fqdn;
|
|
|
af2bad |
TALLOC_CTX *tmpctx = NULL;
|
|
|
af2bad |
+ char **hostnames_array = NULL;
|
|
|
af2bad |
+ size_t num_hostnames = 0;
|
|
|
af2bad |
|
|
|
af2bad |
ret = smb_krb5_init_context_common(&context);
|
|
|
af2bad |
if (ret) {
|
|
|
af2bad |
@@ -427,6 +429,25 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
|
af2bad |
goto out;
|
|
|
af2bad |
}
|
|
|
af2bad |
|
|
|
af2bad |
+ if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
|
|
|
af2bad |
+ lp_netbios_name(),
|
|
|
af2bad |
+ &hostnames_array,
|
|
|
af2bad |
+ &num_hostnames))) {
|
|
|
af2bad |
+ size_t i;
|
|
|
af2bad |
+
|
|
|
af2bad |
+ for (i = 0; i < num_hostnames; i++) {
|
|
|
af2bad |
+
|
|
|
af2bad |
+ ret = add_kt_entry_etypes(context, tmpctx, ads,
|
|
|
af2bad |
+ salt_princ_s, keytab,
|
|
|
af2bad |
+ kvno, srvPrinc,
|
|
|
af2bad |
+ hostnames_array[i],
|
|
|
af2bad |
+ &password, update_ads);
|
|
|
af2bad |
+ if (ret != 0) {
|
|
|
af2bad |
+ goto out;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
out:
|
|
|
af2bad |
SAFE_FREE(salt_princ_s);
|
|
|
af2bad |
TALLOC_FREE(tmpctx);
|
|
|
af2bad |
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
|
|
af2bad |
index db2b72ab1b5..02a628ee0e6 100644
|
|
|
af2bad |
--- a/source3/libads/ldap.c
|
|
|
af2bad |
+++ b/source3/libads/ldap.c
|
|
|
af2bad |
@@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn)
|
|
|
af2bad |
"unicodePwd",
|
|
|
af2bad |
|
|
|
af2bad |
/* Additional attributes Samba checks */
|
|
|
af2bad |
+ "msDS-AdditionalDnsHostName",
|
|
|
af2bad |
"msDS-SupportedEncryptionTypes",
|
|
|
af2bad |
"nTSecurityDescriptor",
|
|
|
af2bad |
|
|
|
af2bad |
@@ -3663,6 +3664,50 @@ out:
|
|
|
af2bad |
/********************************************************************
|
|
|
af2bad |
********************************************************************/
|
|
|
af2bad |
|
|
|
af2bad |
+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
|
|
|
af2bad |
+ ADS_STRUCT *ads,
|
|
|
af2bad |
+ const char *machine_name,
|
|
|
af2bad |
+ char ***hostnames_array,
|
|
|
af2bad |
+ size_t *num_hostnames)
|
|
|
af2bad |
+{
|
|
|
af2bad |
+ ADS_STATUS status;
|
|
|
af2bad |
+ LDAPMessage *res = NULL;
|
|
|
af2bad |
+ int count;
|
|
|
af2bad |
+
|
|
|
af2bad |
+ status = ads_find_machine_acct(ads,
|
|
|
af2bad |
+ &res,
|
|
|
af2bad |
+ machine_name);
|
|
|
af2bad |
+ if (!ADS_ERR_OK(status)) {
|
|
|
af2bad |
+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
|
|
|
af2bad |
+ machine_name));
|
|
|
af2bad |
+ return status;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ count = ads_count_replies(ads, res);
|
|
|
af2bad |
+ if (count != 1) {
|
|
|
af2bad |
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
|
|
|
af2bad |
+ goto done;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+ *hostnames_array = ads_pull_strings(ads, mem_ctx, res,
|
|
|
af2bad |
+ "msDS-AdditionalDnsHostName",
|
|
|
af2bad |
+ num_hostnames);
|
|
|
af2bad |
+ if (*hostnames_array == NULL) {
|
|
|
af2bad |
+ DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
|
|
|
af2bad |
+ machine_name));
|
|
|
af2bad |
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
|
|
|
af2bad |
+ goto done;
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+
|
|
|
af2bad |
+done:
|
|
|
af2bad |
+ ads_msgfree(ads, res);
|
|
|
af2bad |
+
|
|
|
af2bad |
+ return status;
|
|
|
af2bad |
+}
|
|
|
af2bad |
+
|
|
|
af2bad |
+/********************************************************************
|
|
|
af2bad |
+********************************************************************/
|
|
|
af2bad |
+
|
|
|
af2bad |
char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
|
|
|
af2bad |
{
|
|
|
af2bad |
LDAPMessage *res = NULL;
|
|
|
af2bad |
--
|
|
|
7bd85e |
2.25.4
|
|
|
af2bad |
|
|
|
af2bad |
|
|
|
af2bad |
From 48d6a35118f2c8e51bbe3f31c1500f8ab097498e Mon Sep 17 00:00:00 2001
|
|
|
af2bad |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
af2bad |
Date: Wed, 27 May 2020 15:54:12 +0200
|
|
|
7bd85e |
Subject: [PATCH 07/11] Add net-ads-join dnshostname=fqdn option
|
|
|
af2bad |
|
|
|
af2bad |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
|
|
|
af2bad |
|
|
|
af2bad |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
af2bad |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
af2bad |
|
|
|
af2bad |
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
|
|
af2bad |
Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184
|
|
|
af2bad |
---
|
|
|
af2bad |
docs-xml/manpages/net.8.xml | 7 ++++++-
|
|
|
af2bad |
source3/libnet/libnet_join.c | 7 ++++++-
|
|
|
af2bad |
source3/librpc/idl/libnet_join.idl | 1 +
|
|
|
af2bad |
source3/utils/net_ads.c | 9 ++++++++-
|
|
|
af2bad |
testprogs/blackbox/test_net_ads.sh | 15 +++++++++++++++
|
|
|
af2bad |
5 files changed, 36 insertions(+), 3 deletions(-)
|
|
|
af2bad |
|
|
|
af2bad |
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
|
|
|
af2bad |
index 37dfa2af694..69e18df8b6c 100644
|
|
|
af2bad |
--- a/docs-xml/manpages/net.8.xml
|
|
|
af2bad |
+++ b/docs-xml/manpages/net.8.xml
|
|
|
af2bad |
@@ -454,7 +454,7 @@ The remote server must be specified with the -S option.
|
|
|
af2bad |
|
|
|
af2bad |
<refsect2>
|
|
|
af2bad |
<title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
|
|
|
af2bad |
-[createupn=UPN] [createcomputer=OU] [machinepass=PASS]
|
|
|
af2bad |
+[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS]
|
|
|
af2bad |
[osName=string osVer=string] [options]</title>
|
|
|
af2bad |
|
|
|
af2bad |
<para>
|
|
|
af2bad |
@@ -469,6 +469,11 @@ be created.</para>
|
|
|
af2bad |
joining the domain.
|
|
|
af2bad |
</para>
|
|
|
af2bad |
|
|
|
af2bad |
+<para>
|
|
|
af2bad |
+[FQDN] (ADS only) set the dnsHosName attribute during the join.
|
|
|
af2bad |
+The default format is netbiosname.dnsdomain.
|
|
|
af2bad |
+</para>
|
|
|
af2bad |
+
|
|
|
af2bad |
<para>
|
|
|
af2bad |
[UPN] (ADS only) set the principalname attribute during the join. The default
|
|
|
af2bad |
format is host/netbiosname@REALM.
|
|
|
af2bad |
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
|
|
af2bad |
index a31011b0ff8..de558be4f91 100644
|
|
|
af2bad |
--- a/source3/libnet/libnet_join.c
|
|
|
af2bad |
+++ b/source3/libnet/libnet_join.c
|
|
|
af2bad |
@@ -546,7 +546,12 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
|
|
|
af2bad |
goto done;
|
|
|
af2bad |
}
|
|
|
af2bad |
|
|
|
af2bad |
- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
|
|
|
af2bad |
+ if (r->in.dnshostname != NULL) {
|
|
|
af2bad |
+ fstr_sprintf(my_fqdn, "%s", r->in.dnshostname);
|
|
|
af2bad |
+ } else {
|
|
|
af2bad |
+ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
|
|
|
af2bad |
+ lp_dnsdomain());
|
|
|
af2bad |
+ }
|
|
|
af2bad |
|
|
|
af2bad |
if (!strlower_m(my_fqdn)) {
|
|
|
af2bad |
status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
|
|
|
af2bad |
diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
|
|
|
af2bad |
index e45034d40da..03d919863b5 100644
|
|
|
af2bad |
--- a/source3/librpc/idl/libnet_join.idl
|
|
|
af2bad |
+++ b/source3/librpc/idl/libnet_join.idl
|
|
|
af2bad |
@@ -37,6 +37,7 @@ interface libnetjoin
|
|
|
af2bad |
[in] string os_servicepack,
|
|
|
af2bad |
[in] boolean8 create_upn,
|
|
|
af2bad |
[in] string upn,
|
|
|
af2bad |
+ [in] string dnshostname,
|
|
|
af2bad |
[in] boolean8 modify_config,
|
|
|
af2bad |
[in,unique] ads_struct *ads,
|
|
|
af2bad |
[in] boolean8 debug,
|
|
|
af2bad |
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
|
|
af2bad |
index 07a22098fb1..3cf8fbbf7c8 100644
|
|
|
af2bad |
--- a/source3/utils/net_ads.c
|
|
|
af2bad |
+++ b/source3/utils/net_ads.c
|
|
|
af2bad |
@@ -1710,6 +1710,8 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv
|
|
|
af2bad |
{
|
|
|
af2bad |
d_printf(_("net ads join [--no-dns-updates] [options]\n"
|
|
|
af2bad |
"Valid options:\n"));
|
|
|
af2bad |
+ d_printf(_(" dnshostname=FQDN Set the dnsHostName attribute during the join.\n"
|
|
|
af2bad |
+ " The default is in the form netbiosname.dnsdomain\n"));
|
|
|
af2bad |
d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
|
|
|
af2bad |
" The default UPN is in the form host/netbiosname@REALM.\n"));
|
|
|
af2bad |
d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
|
|
|
af2bad |
@@ -1830,6 +1832,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
|
|
|
af2bad |
const char *domain = lp_realm();
|
|
|
af2bad |
WERROR werr = WERR_NERR_SETUPNOTJOINED;
|
|
|
af2bad |
bool createupn = false;
|
|
|
af2bad |
+ const char *dnshostname = NULL;
|
|
|
af2bad |
const char *machineupn = NULL;
|
|
|
af2bad |
const char *machine_password = NULL;
|
|
|
af2bad |
const char *create_in_ou = NULL;
|
|
|
af2bad |
@@ -1870,7 +1873,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
|
|
|
af2bad |
/* process additional command line args */
|
|
|
af2bad |
|
|
|
af2bad |
for ( i=0; i
|
|
|
af2bad |
- if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
|
|
|
af2bad |
+ if ( !strncasecmp_m(argv[i], "dnshostname", strlen("dnshostname")) ) {
|
|
|
af2bad |
+ dnshostname = get_string_param(argv[i]);
|
|
|
af2bad |
+ }
|
|
|
af2bad |
+ else if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
|
|
|
af2bad |
createupn = true;
|
|
|
af2bad |
machineupn = get_string_param(argv[i]);
|
|
|
af2bad |
}
|
|
|
af2bad |
@@ -1938,6 +1944,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
|
|
|
af2bad |
r->in.domain_name_type = domain_name_type;
|
|
|
af2bad |
r->in.create_upn = createupn;
|
|
|
af2bad |
r->in.upn = machineupn;
|
|
|
af2bad |
+ r->in.dnshostname = dnshostname;
|
|
|
af2bad |
r->in.account_ou = create_in_ou;
|
|
|
af2bad |
r->in.os_name = os_name;
|
|
|
af2bad |
r->in.os_version = os_version;
|
|
|
af2bad |
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
index a40b477a173..85257f445d8 100755
|
|
|
af2bad |
--- a/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
+++ b/testprogs/blackbox/test_net_ads.sh
|
|
|
af2bad |
@@ -277,6 +277,21 @@ rm -f $dedicated_keytab_file
|
|
|
af2bad |
|
|
|
af2bad |
testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
af2bad |
|
|
|
af2bad |
+#
|
|
|
af2bad |
+# Test dnshostname option of 'net ads join'
|
|
|
af2bad |
+#
|
|
|
af2bad |
+testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
+rm -f $dedicated_keytab_file
|
|
|
af2bad |
+
|
|
|
af2bad |
+testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
af2bad |
+
|
|
|
af2bad |
rm -rf $BASEDIR/$WORKDIR
|
|
|
af2bad |
|
|
|
af2bad |
exit $failed
|
|
|
af2bad |
--
|
|
|
7bd85e |
2.25.4
|
|
|
7bd85e |
|
|
|
7bd85e |
|
|
|
7bd85e |
From 8cd52f39772bf6b9c008a4e281c3a75f150a043b Mon Sep 17 00:00:00 2001
|
|
|
7bd85e |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
7bd85e |
Date: Thu, 11 Jun 2020 21:05:07 +0300
|
|
|
7bd85e |
Subject: [PATCH 08/11] Fix a typo in recent net man page changes
|
|
|
7bd85e |
|
|
|
7bd85e |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
|
|
|
7bd85e |
|
|
|
7bd85e |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
7bd85e |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
7bd85e |
---
|
|
|
7bd85e |
docs-xml/manpages/net.8.xml | 2 +-
|
|
|
7bd85e |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
7bd85e |
|
|
|
7bd85e |
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
|
|
|
7bd85e |
index 69e18df8b6c..9b1d4458acc 100644
|
|
|
7bd85e |
--- a/docs-xml/manpages/net.8.xml
|
|
|
7bd85e |
+++ b/docs-xml/manpages/net.8.xml
|
|
|
7bd85e |
@@ -470,7 +470,7 @@ joining the domain.
|
|
|
7bd85e |
</para>
|
|
|
7bd85e |
|
|
|
7bd85e |
<para>
|
|
|
7bd85e |
-[FQDN] (ADS only) set the dnsHosName attribute during the join.
|
|
|
7bd85e |
+[FQDN] (ADS only) set the dnsHostName attribute during the join.
|
|
|
7bd85e |
The default format is netbiosname.dnsdomain.
|
|
|
7bd85e |
</para>
|
|
|
7bd85e |
|
|
|
7bd85e |
--
|
|
|
7bd85e |
2.25.4
|
|
|
7bd85e |
|
|
|
7bd85e |
|
|
|
7bd85e |
From 2741058ea556296869d8895eb4adc30a07ecd59a Mon Sep 17 00:00:00 2001
|
|
|
7bd85e |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
7bd85e |
Date: Tue, 16 Jun 2020 22:01:49 +0300
|
|
|
7bd85e |
Subject: [PATCH 09/11] selftest: add tests for binary
|
|
|
7bd85e |
msDS-AdditionalDnsHostName
|
|
|
7bd85e |
|
|
|
7bd85e |
Like the short names added implicitly by Windows DC.
|
|
|
7bd85e |
|
|
|
7bd85e |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
|
|
|
7bd85e |
|
|
|
7bd85e |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
7bd85e |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
7bd85e |
---
|
|
|
7bd85e |
selftest/knownfail.d/binary_addl_hostname | 3 +++
|
|
|
7bd85e |
testprogs/blackbox/test_net_ads.sh | 22 ++++++++++++++++++++++
|
|
|
7bd85e |
2 files changed, 25 insertions(+)
|
|
|
7bd85e |
create mode 100644 selftest/knownfail.d/binary_addl_hostname
|
|
|
7bd85e |
|
|
|
7bd85e |
diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname
|
|
|
7bd85e |
new file mode 100644
|
|
|
7bd85e |
index 00000000000..559db1df507
|
|
|
7bd85e |
--- /dev/null
|
|
|
7bd85e |
+++ b/selftest/knownfail.d/binary_addl_hostname
|
|
|
7bd85e |
@@ -0,0 +1,3 @@
|
|
|
7bd85e |
+^samba4.blackbox.net_ads.dns alias1 check keytab
|
|
|
7bd85e |
+^samba4.blackbox.net_ads.dns alias2 check keytab
|
|
|
7bd85e |
+^samba4.blackbox.net_ads.addl short check keytab
|
|
|
7bd85e |
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
|
|
|
7bd85e |
index 85257f445d8..eef4a31a6a7 100755
|
|
|
7bd85e |
--- a/testprogs/blackbox/test_net_ads.sh
|
|
|
7bd85e |
+++ b/testprogs/blackbox/test_net_ads.sh
|
|
|
7bd85e |
@@ -41,6 +41,11 @@ if [ -x "$BINDIR/ldbdel" ]; then
|
|
|
7bd85e |
ldbdel="$BINDIR/ldbdel"
|
|
|
7bd85e |
fi
|
|
|
7bd85e |
|
|
|
7bd85e |
+ldbmodify="ldbmodify"
|
|
|
7bd85e |
+if [ -x "$BINDIR/ldbmodify" ]; then
|
|
|
7bd85e |
+ ldbmodify="$BINDIR/ldbmodify"
|
|
|
7bd85e |
+fi
|
|
|
7bd85e |
+
|
|
|
7bd85e |
# Load test functions
|
|
|
7bd85e |
. `dirname $0`/subunit.sh
|
|
|
7bd85e |
|
|
|
7bd85e |
@@ -217,12 +222,29 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
|
|
|
7bd85e |
testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
|
|
|
7bd85e |
testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
|
|
|
7bd85e |
|
|
|
7bd85e |
+# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC
|
|
|
7bd85e |
+short_alias_file="$PREFIX_ABS/short_alias_file"
|
|
|
7bd85e |
+printf 'short_alias\0$' > $short_alias_file
|
|
|
7bd85e |
+cat > $PREFIX_ABS/tmpldbmodify <
|
|
|
7bd85e |
+dn: CN=$HOSTNAME,$computers_dn
|
|
|
7bd85e |
+changetype: modify
|
|
|
7bd85e |
+add: msDS-AdditionalDnsHostName
|
|
|
7bd85e |
+msDS-AdditionalDnsHostName:< file://$short_alias_file
|
|
|
7bd85e |
+EOF
|
|
|
7bd85e |
+
|
|
|
7bd85e |
+testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $PREFIX_ABS/tmpldbmodify || failed=`expr $failed + 1`
|
|
|
7bd85e |
+
|
|
|
7bd85e |
+testit_grep "addl short alias" short_alias $ldbsearch --show-binary -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
|
|
|
7bd85e |
+
|
|
|
7bd85e |
+rm -f $PREFIX_ABS/tmpldbmodify $short_alias_file
|
|
|
7bd85e |
+
|
|
|
7bd85e |
dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
|
|
|
7bd85e |
|
|
|
7bd85e |
testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
7bd85e |
|
|
|
7bd85e |
testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
7bd85e |
testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
7bd85e |
+testit_grep "addl short check keytab" "host/short_alias@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
|
|
7bd85e |
|
|
|
7bd85e |
rm -f $dedicated_keytab_file
|
|
|
7bd85e |
|
|
|
7bd85e |
--
|
|
|
7bd85e |
2.25.4
|
|
|
7bd85e |
|
|
|
7bd85e |
|
|
|
7bd85e |
From 8fc75d1992a2b736c14e8d6b76c04e8227757971 Mon Sep 17 00:00:00 2001
|
|
|
7bd85e |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
7bd85e |
Date: Thu, 11 Jun 2020 16:51:27 +0300
|
|
|
7bd85e |
Subject: [PATCH 10/11] Properly handle msDS-AdditionalDnsHostName returned
|
|
|
7bd85e |
from Windows DC
|
|
|
7bd85e |
|
|
|
7bd85e |
Windows DC adds short names for each specified msDS-AdditionalDnsHostName
|
|
|
7bd85e |
attribute, but these have a suffix of "\0$" and thus fail with
|
|
|
7bd85e |
ldap_get_values(), use ldap_get_values_len() instead.
|
|
|
7bd85e |
|
|
|
7bd85e |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
|
|
|
7bd85e |
|
|
|
7bd85e |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
7bd85e |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
7bd85e |
---
|
|
|
7bd85e |
selftest/knownfail.d/binary_addl_hostname | 3 --
|
|
|
7bd85e |
source3/libads/ldap.c | 38 +++++++++++++++++++++--
|
|
|
7bd85e |
2 files changed, 35 insertions(+), 6 deletions(-)
|
|
|
7bd85e |
delete mode 100644 selftest/knownfail.d/binary_addl_hostname
|
|
|
7bd85e |
|
|
|
7bd85e |
diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname
|
|
|
7bd85e |
deleted file mode 100644
|
|
|
7bd85e |
index 559db1df507..00000000000
|
|
|
7bd85e |
--- a/selftest/knownfail.d/binary_addl_hostname
|
|
|
7bd85e |
+++ /dev/null
|
|
|
7bd85e |
@@ -1,3 +0,0 @@
|
|
|
7bd85e |
-^samba4.blackbox.net_ads.dns alias1 check keytab
|
|
|
7bd85e |
-^samba4.blackbox.net_ads.dns alias2 check keytab
|
|
|
7bd85e |
-^samba4.blackbox.net_ads.addl short check keytab
|
|
|
7bd85e |
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
|
|
7bd85e |
index 02a628ee0e6..2684bba63ec 100644
|
|
|
7bd85e |
--- a/source3/libads/ldap.c
|
|
|
7bd85e |
+++ b/source3/libads/ldap.c
|
|
|
7bd85e |
@@ -3664,6 +3664,40 @@ out:
|
|
|
7bd85e |
/********************************************************************
|
|
|
7bd85e |
********************************************************************/
|
|
|
7bd85e |
|
|
|
7bd85e |
+static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
|
|
|
7bd85e |
+ LDAPMessage *msg, size_t *num_values)
|
|
|
7bd85e |
+{
|
|
|
7bd85e |
+ const char *field = "msDS-AdditionalDnsHostName";
|
|
|
7bd85e |
+ struct berval **values = NULL;
|
|
|
7bd85e |
+ char **ret = NULL;
|
|
|
7bd85e |
+ size_t i, converted_size;
|
|
|
7bd85e |
+
|
|
|
7bd85e |
+ values = ldap_get_values_len(ads->ldap.ld, msg, field);
|
|
|
7bd85e |
+ if (values == NULL) {
|
|
|
7bd85e |
+ return NULL;
|
|
|
7bd85e |
+ }
|
|
|
7bd85e |
+
|
|
|
7bd85e |
+ *num_values = ldap_count_values_len(values);
|
|
|
7bd85e |
+
|
|
|
7bd85e |
+ ret = talloc_array(mem_ctx, char *, *num_values + 1);
|
|
|
7bd85e |
+ if (ret == NULL) {
|
|
|
7bd85e |
+ ldap_value_free_len(values);
|
|
|
7bd85e |
+ return NULL;
|
|
|
7bd85e |
+ }
|
|
|
7bd85e |
+
|
|
|
7bd85e |
+ for (i = 0; i < *num_values; i++) {
|
|
|
7bd85e |
+ if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val,
|
|
|
7bd85e |
+ &converted_size)) {
|
|
|
7bd85e |
+ ldap_value_free_len(values);
|
|
|
7bd85e |
+ return NULL;
|
|
|
7bd85e |
+ }
|
|
|
7bd85e |
+ }
|
|
|
7bd85e |
+ ret[i] = NULL;
|
|
|
7bd85e |
+
|
|
|
7bd85e |
+ ldap_value_free_len(values);
|
|
|
7bd85e |
+ return ret;
|
|
|
7bd85e |
+}
|
|
|
7bd85e |
+
|
|
|
7bd85e |
ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
|
|
|
7bd85e |
ADS_STRUCT *ads,
|
|
|
7bd85e |
const char *machine_name,
|
|
|
7bd85e |
@@ -3689,9 +3723,7 @@ ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
|
|
|
7bd85e |
goto done;
|
|
|
7bd85e |
}
|
|
|
7bd85e |
|
|
|
7bd85e |
- *hostnames_array = ads_pull_strings(ads, mem_ctx, res,
|
|
|
7bd85e |
- "msDS-AdditionalDnsHostName",
|
|
|
7bd85e |
- num_hostnames);
|
|
|
7bd85e |
+ *hostnames_array = get_addl_hosts(ads, mem_ctx, res, num_hostnames);
|
|
|
7bd85e |
if (*hostnames_array == NULL) {
|
|
|
7bd85e |
DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
|
|
|
7bd85e |
machine_name));
|
|
|
7bd85e |
--
|
|
|
7bd85e |
2.25.4
|
|
|
7bd85e |
|
|
|
7bd85e |
|
|
|
7bd85e |
From 05dc94412f1f9809a3c84f4335c157258ee31273 Mon Sep 17 00:00:00 2001
|
|
|
7bd85e |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
7bd85e |
Date: Sat, 20 Jun 2020 17:17:33 +0200
|
|
|
7bd85e |
Subject: [PATCH 11/11] Fix usage of ldap_get_values_len for
|
|
|
7bd85e |
msDS-AdditionalDnsHostName
|
|
|
7bd85e |
|
|
|
7bd85e |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
|
|
|
7bd85e |
|
|
|
7bd85e |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
7bd85e |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
7bd85e |
|
|
|
7bd85e |
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
|
|
7bd85e |
Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184
|
|
|
7bd85e |
---
|
|
|
7bd85e |
source3/libads/ldap.c | 8 ++++++--
|
|
|
7bd85e |
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
7bd85e |
|
|
|
7bd85e |
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
|
|
7bd85e |
index 2684bba63ec..d1ce9cee2f0 100644
|
|
|
7bd85e |
--- a/source3/libads/ldap.c
|
|
|
7bd85e |
+++ b/source3/libads/ldap.c
|
|
|
7bd85e |
@@ -3686,8 +3686,12 @@ static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
|
|
|
7bd85e |
}
|
|
|
7bd85e |
|
|
|
7bd85e |
for (i = 0; i < *num_values; i++) {
|
|
|
7bd85e |
- if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val,
|
|
|
7bd85e |
- &converted_size)) {
|
|
|
7bd85e |
+ ret[i] = NULL;
|
|
|
7bd85e |
+ if (!convert_string_talloc(mem_ctx, CH_UTF8, CH_UNIX,
|
|
|
7bd85e |
+ values[i]->bv_val,
|
|
|
7bd85e |
+ strnlen(values[i]->bv_val,
|
|
|
7bd85e |
+ values[i]->bv_len),
|
|
|
7bd85e |
+ &ret[i], &converted_size)) {
|
|
|
7bd85e |
ldap_value_free_len(values);
|
|
|
7bd85e |
return NULL;
|
|
|
7bd85e |
}
|
|
|
7bd85e |
--
|
|
|
7bd85e |
2.25.4
|
|
|
af2bad |
|