Blob Blame History Raw
From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Mon, 10 Feb 2020 19:19:44 +0100
Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Required for working certificate verification.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Mar  5 12:29:26 UTC 2020 on sn-devel-184

(cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72)
---
 source3/libads/ldap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 7ef7e7e8420..b7f819d876b 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -669,7 +669,7 @@ got_connection:
 
 	/* Otherwise setup the TCP LDAP session */
 
-	ads->ldap.ld = ldap_open_with_timeout(addr,
+	ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
 					      &ads->ldap.ss,
 					      ads->ldap.port, lp_ldap_timeout());
 	if (ads->ldap.ld == NULL) {
-- 
2.25.4


From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Wed, 3 Jun 2020 19:40:59 +0200
Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap
 session if possible
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use the known ip address of the ldap server to open the connection and
initialize the ldap session with ldap_init_fd().

This avoid unnecessary DNS lookups which might block or prevent the
successful connection.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0)
---
 source3/libads/ldap.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index b7f819d876b..36e73440495 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum)
 		return NULL;
 	}
 
-#ifdef HAVE_LDAP_INITIALIZE
+#ifdef HAVE_LDAP_INIT_FD
+	{
+		int fd = -1;
+		NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+		status = open_socket_out(ss, port, to, &fd);
+		if (!NT_STATUS_IS_OK(status)) {
+			return NULL;
+		}
+
+/* define LDAP_PROTO_TCP from openldap.h if required */
+#ifndef LDAP_PROTO_TCP
+#define LDAP_PROTO_TCP 1
+#endif
+		ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
+	}
+#elif defined(HAVE_LDAP_INITIALIZE)
 	ldap_err = ldap_initialize(&ldp, uri);
 #else
 	ldp = ldap_open(server, port);
-- 
2.25.4


From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 29 Jun 2020 16:55:33 +0300
Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++
 selftest/knownfail.d/net_ads_tls           |  1 +
 source4/selftest/tests.py                  |  7 ++
 testprogs/blackbox/test_net_ads_base.sh    | 76 ++++++++++++++++++++++
 4 files changed, 94 insertions(+)
 create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
 create mode 100644 selftest/knownfail.d/net_ads_tls
 create mode 100755 testprogs/blackbox/test_net_ads_base.sh

diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
new file mode 100644
index 00000000000..b16a39d134d
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_ntlm_fallback
@@ -0,0 +1,10 @@
+# net-ads commands that fail with: --option=gensec:gse_krb5=no
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
new file mode 100644
index 00000000000..251c948b6a9
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_tls
@@ -0,0 +1 @@
+^samba4.blackbox.net_ads_tls
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1d965c751a4..a394afa177f 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien
 plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
 plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
 plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
+
+for nomech in ["none", "gse_krb5", "ntlmssp"]:
+    # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
+    plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
+    plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
+    plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
+
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
 # json tests hook into ``chgdcpass'' to make them run in contributor CI on
 # gitlab
diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
new file mode 100755
index 00000000000..59e3da67a7f
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_base.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+TLS_MODE=$4
+NO_MECH=$5
+BASEDIR=$6
+shift 6
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
+LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
+sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+
+xoptions=""
+if [ $TLS_MODE != "no" ]; then
+	xoptions="--option=ldapsslads=yes"
+fi
+
+if [ $NO_MECH != "none" ]; then
+	xoptions="$xoptions --option=gensec:$NO_MECH=no"
+fi
+
+if [ $TLS_MODE = "noverify" ]; then
+	export LDAPTLS_REQCERT=allow
+fi
+
+net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
+
+testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
+
+testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
+
+tls_log="StartTLS issued: using a TLS connection"
+opt="-d3 --option=ldapssl=off"
+if [ $TLS_MODE != "no" ]; then
+	testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
+fi
+
+testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
+
+testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
-- 
2.25.4


From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 24 Jun 2020 15:28:45 +0300
Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 WHATSNEW.txt                            |  6 +++++
 docs-xml/smbdotconf/ldap/ldapsslads.xml |  7 ++----
 source3/include/smbldap.h               |  1 +
 source3/lib/ABI/smbldap-2.1.0.sigs      | 33 +++++++++++++++++++++++++
 source3/lib/smbldap.c                   | 19 +++++++++-----
 source3/libads/ldap.c                   |  2 +-
 source3/wscript_build                   |  2 +-
 7 files changed, 57 insertions(+), 13 deletions(-)
 create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a5b554fe11f..8935876d247 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -557,6 +557,12 @@ CTDB changes
   helper exits.  This triggers an election.
 
 
+The "ldap ssl ads" option no longer depends on "ldap ssl" option:
+-----------------------------------------------------------------
+With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
+is off.
+
+
 REMOVED FEATURES
 ================
 
diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
index 98c39651f1e..f99afe5bbad 100644
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
@@ -7,13 +7,10 @@
 	<para>This option is used to define whether or not Samba should
 	use SSL when connecting to the ldap server using
 	<emphasis>ads</emphasis> methods.
-	Rpc methods are not affected by this parameter. Please note, that
-	this parameter won't have any effect if <smbconfoption name="ldap ssl"/>
-	is set to <parameter>no</parameter>.
+	Rpc methods are not affected by this parameter.
 	</para>
 
-	<para>See <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
-	for more information on <smbconfoption name="ldap ssl"/>.
+	<para>See also <smbconfoption name="ldap ssl"/>.
 	</para>
 
 </description>
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
index 878268aebd6..d063f44afbc 100644
--- a/source3/include/smbldap.h
+++ b/source3/include/smbldap.h
@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state,
                    const char *dn,
                    LDAPMod *attrs[]);
 int smbldap_start_tls(LDAP *ldap_struct, int version);
+int smbldap_start_tls_start(LDAP *ldap_struct, int version);
 int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri);
 int smbldap_search(struct smbldap_state *ldap_state,
 		   const char *base, int scope, const char *filter,
diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs
new file mode 100644
index 00000000000..67dcc9a8a78
--- /dev/null
+++ b/source3/lib/ABI/smbldap-2.1.0.sigs
@@ -0,0 +1,33 @@
+smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **)
+smbldap_delete: int (struct smbldap_state *, const char *)
+smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **)
+smbldap_free_struct: void (struct smbldap_state **)
+smbldap_get_ldap: LDAP *(struct smbldap_state *)
+smbldap_get_paged_results: bool (struct smbldap_state *)
+smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int)
+smbldap_has_control: bool (LDAP *, const char *)
+smbldap_has_extension: bool (LDAP *, const char *)
+smbldap_has_naming_context: bool (LDAP *, const char *)
+smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **)
+smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *)
+smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *)
+smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **)
+smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *)
+smbldap_search: int (struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **)
+smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **)
+smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **)
+smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *)
+smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *)
+smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *)
+smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *)
+smbldap_set_paged_results: void (struct smbldap_state *, bool)
+smbldap_setup_full_conn: int (LDAP **, const char *)
+smbldap_start_tls: int (LDAP *, int)
+smbldap_start_tls_start: int (LDAP *, int)
+smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **)
+smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *)
+smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *)
+smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
+smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
+smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *)
+smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 34c841f9243..4815dd81fc3 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
 }
 
 /********************************************************************
- start TLS on an existing LDAP connection
+ start TLS on an existing LDAP connection per config
 *******************************************************************/
 
 int smbldap_start_tls(LDAP *ldap_struct, int version)
-{ 
-#ifdef LDAP_OPT_X_TLS
-	int rc,tls;
-#endif
-
+{
 	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
 		return LDAP_SUCCESS;
 	}
 
+	return smbldap_start_tls_start(ldap_struct, version);
+}
+
+/********************************************************************
+ start TLS on an existing LDAP connection unconditionally
+*******************************************************************/
+
+int smbldap_start_tls_start(LDAP *ldap_struct, int version)
+{
 #ifdef LDAP_OPT_X_TLS
+	int rc,tls;
+
 	/* check if we use ldaps already */
 	ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
 	if (tls == LDAP_OPT_X_TLS_HARD) {
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 36e73440495..16c32b2d5a7 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -703,7 +703,7 @@ got_connection:
 	ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
 
 	if ( lp_ldap_ssl_ads() ) {
-		status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
+		status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version));
 		if (!ADS_ERR_OK(status)) {
 			goto out;
 		}
diff --git a/source3/wscript_build b/source3/wscript_build
index 10d9f71ae76..76d01a78f64 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap',
                     abi_directory='lib/ABI',
                     abi_match='smbldap_*',
                     pc_files=[],
-                    vnum='2',
+                    vnum='2.1.0',
                     public_headers='include/smbldap.h include/smb_ldap.h')
 
 bld.SAMBA3_LIBRARY('ads',
-- 
2.25.4


From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 2 Jul 2020 10:59:18 +0200
Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/libads/ads_proto.h  | 2 +-
 source3/libads/ads_struct.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index cd9c1082681..6cdde0cf6eb 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm,
 		     const char *workgroup,
 		     const char *ldap_server,
 		     enum ads_sasl_state_e sasl_state);
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags);
 void ads_destroy(ADS_STRUCT **ads);
 
 /* The following definitions come from libads/disp_sec.c  */
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 043a1b21247..67a9a7cf75e 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm,
 /****************************************************************
 ****************************************************************/
 
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags)
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags)
 {
+	unsigned other_flags;
+
 	if (!ads) {
 		return false;
 	}
 
-	ads->auth.flags = flags;
+	other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL);
+
+	ads->auth.flags = flags | other_flags;
 
 	return true;
 }
-- 
2.25.4


From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 2 Jul 2020 09:33:12 +0200
Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 WHATSNEW.txt                     | 5 +++++
 selftest/knownfail.d/net_ads_tls | 1 -
 source3/libads/ldap.c            | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)
 delete mode 100644 selftest/knownfail.d/net_ads_tls

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8935876d247..927b9a0fa59 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -562,6 +562,11 @@ The "ldap ssl ads" option no longer depends on "ldap ssl" option:
 With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
 is off.
 
+The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
+-----------------------------------------------------------------------
+This is now done implicitly when over TLS, so "client ldap sasl wrapping"
+does not need to be set to "plain" in order for it to work.
+
 
 REMOVED FEATURES
 ================
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
deleted file mode 100644
index 251c948b6a9..00000000000
--- a/selftest/knownfail.d/net_ads_tls
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.net_ads_tls
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 16c32b2d5a7..3f41e990085 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -707,6 +707,10 @@ got_connection:
 		if (!ADS_ERR_OK(status)) {
 			goto out;
 		}
+		if (!ads_set_sasl_wrap_flags(ads, 0)) {
+			status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
+			goto out;
+		}
 	}
 
 	/* fill in the current time and offsets */
-- 
2.25.4


From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 11 Jul 2020 05:04:59 +0200
Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over
 TLS

From local tests with strace:

socket(AF_UNIX, SOCK_STREAM, 0) = 12
write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38
...
write(2, "ads_domain_func_level: 3\n", 25) = 25
write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36
write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} ---
+++ killed by SIGPIPE +++

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184
---
 source3/utils/net.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/utils/net.c b/source3/utils/net.c
index 683b46794e4..e289b2814bc 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c,
 		POPT_TABLEEND
 	};
 
+	/* Ignore possible SIGPIPE upon ldap_unbind when over TLS */
+	BlockSignals(True, SIGPIPE);
+
 	zero_sockaddr(&c->opt_dest_ip);
 
 	setup_logging(argv[0], DEBUG_STDERR);
-- 
2.25.4

From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Jul 2020 22:38:06 +0200
Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124

Signed-off-by: Isaac Boukris <iboukris@samba.org>
---
 source3/libads/ldap.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 1ffe96d32c9..d431156912f 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum)
 	{
 		int fd = -1;
 		NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+		unsigned timeout_ms = 1000 * to;
 
-		status = open_socket_out(ss, port, to, &fd);
+		status = open_socket_out(ss, port, timeout_ms, &fd);
 		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(3, ("open_socket_out: failed to open socket\n"));
 			return NULL;
 		}
 
-- 
2.25.4