From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Mon, 10 Feb 2020 19:19:44 +0100
Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Required for working certificate verification.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Mar 5 12:29:26 UTC 2020 on sn-devel-184
(cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72)
---
source3/libads/ldap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 7ef7e7e8420..b7f819d876b 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -669,7 +669,7 @@ got_connection:
/* Otherwise setup the TCP LDAP session */
- ads->ldap.ld = ldap_open_with_timeout(addr,
+ ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
&ads->ldap.ss,
ads->ldap.port, lp_ldap_timeout());
if (ads->ldap.ld == NULL) {
--
2.25.4
From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Wed, 3 Jun 2020 19:40:59 +0200
Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap
session if possible
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the known ip address of the ldap server to open the connection and
initialize the ldap session with ldap_init_fd().
This avoid unnecessary DNS lookups which might block or prevent the
successful connection.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0)
---
source3/libads/ldap.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index b7f819d876b..36e73440495 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum)
return NULL;
}
-#ifdef HAVE_LDAP_INITIALIZE
+#ifdef HAVE_LDAP_INIT_FD
+ {
+ int fd = -1;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+ status = open_socket_out(ss, port, to, &fd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
+
+/* define LDAP_PROTO_TCP from openldap.h if required */
+#ifndef LDAP_PROTO_TCP
+#define LDAP_PROTO_TCP 1
+#endif
+ ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
+ }
+#elif defined(HAVE_LDAP_INITIALIZE)
ldap_err = ldap_initialize(&ldp, uri);
#else
ldp = ldap_open(server, port);
--
2.25.4
From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 29 Jun 2020 16:55:33 +0300
Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++
selftest/knownfail.d/net_ads_tls | 1 +
source4/selftest/tests.py | 7 ++
testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++
4 files changed, 94 insertions(+)
create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
create mode 100644 selftest/knownfail.d/net_ads_tls
create mode 100755 testprogs/blackbox/test_net_ads_base.sh
diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
new file mode 100644
index 00000000000..b16a39d134d
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_ntlm_fallback
@@ -0,0 +1,10 @@
+# net-ads commands that fail with: --option=gensec:gse_krb5=no
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
new file mode 100644
index 00000000000..251c948b6a9
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_tls
@@ -0,0 +1 @@
+^samba4.blackbox.net_ads_tls
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1d965c751a4..a394afa177f 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien
plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
+
+for nomech in ["none", "gse_krb5", "ntlmssp"]:
+ # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
+ plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
+ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
+ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
+
plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
# json tests hook into ``chgdcpass'' to make them run in contributor CI on
# gitlab
diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
new file mode 100755
index 00000000000..59e3da67a7f
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_base.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+TLS_MODE=$4
+NO_MECH=$5
+BASEDIR=$6
+shift 6
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
+LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
+sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+
+xoptions=""
+if [ $TLS_MODE != "no" ]; then
+ xoptions="--option=ldapsslads=yes"
+fi
+
+if [ $NO_MECH != "none" ]; then
+ xoptions="$xoptions --option=gensec:$NO_MECH=no"
+fi
+
+if [ $TLS_MODE = "noverify" ]; then
+ export LDAPTLS_REQCERT=allow
+fi
+
+net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
+
+testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
+
+testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
+
+tls_log="StartTLS issued: using a TLS connection"
+opt="-d3 --option=ldapssl=off"
+if [ $TLS_MODE != "no" ]; then
+ testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
+fi
+
+testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
+
+testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
--
2.25.4
From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 24 Jun 2020 15:28:45 +0300
Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
WHATSNEW.txt | 6 +++++
docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 ++----
source3/include/smbldap.h | 1 +
source3/lib/ABI/smbldap-2.1.0.sigs | 33 +++++++++++++++++++++++++
source3/lib/smbldap.c | 19 +++++++++-----
source3/libads/ldap.c | 2 +-
source3/wscript_build | 2 +-
7 files changed, 57 insertions(+), 13 deletions(-)
create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a5b554fe11f..8935876d247 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -557,6 +557,12 @@ CTDB changes
helper exits. This triggers an election.
+The "ldap ssl ads" option no longer depends on "ldap ssl" option:
+-----------------------------------------------------------------
+With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
+is off.
+
+
REMOVED FEATURES
================
diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
index 98c39651f1e..f99afe5bbad 100644
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
@@ -7,13 +7,10 @@
<para>This option is used to define whether or not Samba should
use SSL when connecting to the ldap server using
<emphasis>ads</emphasis> methods.
- Rpc methods are not affected by this parameter. Please note, that
- this parameter won't have any effect if <smbconfoption name="ldap ssl"/>
- is set to <parameter>no</parameter>.
+ Rpc methods are not affected by this parameter.
</para>
- <para>See <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
- for more information on <smbconfoption name="ldap ssl"/>.
+ <para>See also <smbconfoption name="ldap ssl"/>.
</para>
</description>
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
index 878268aebd6..d063f44afbc 100644
--- a/source3/include/smbldap.h
+++ b/source3/include/smbldap.h
@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state,
const char *dn,
LDAPMod *attrs[]);
int smbldap_start_tls(LDAP *ldap_struct, int version);
+int smbldap_start_tls_start(LDAP *ldap_struct, int version);
int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri);
int smbldap_search(struct smbldap_state *ldap_state,
const char *base, int scope, const char *filter,
diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs
new file mode 100644
index 00000000000..67dcc9a8a78
--- /dev/null
+++ b/source3/lib/ABI/smbldap-2.1.0.sigs
@@ -0,0 +1,33 @@
+smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **)
+smbldap_delete: int (struct smbldap_state *, const char *)
+smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **)
+smbldap_free_struct: void (struct smbldap_state **)
+smbldap_get_ldap: LDAP *(struct smbldap_state *)
+smbldap_get_paged_results: bool (struct smbldap_state *)
+smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int)
+smbldap_has_control: bool (LDAP *, const char *)
+smbldap_has_extension: bool (LDAP *, const char *)
+smbldap_has_naming_context: bool (LDAP *, const char *)
+smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **)
+smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *)
+smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *)
+smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **)
+smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *)
+smbldap_search: int (struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **)
+smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **)
+smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **)
+smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *)
+smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *)
+smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *)
+smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *)
+smbldap_set_paged_results: void (struct smbldap_state *, bool)
+smbldap_setup_full_conn: int (LDAP **, const char *)
+smbldap_start_tls: int (LDAP *, int)
+smbldap_start_tls_start: int (LDAP *, int)
+smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **)
+smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *)
+smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *)
+smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
+smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
+smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *)
+smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 34c841f9243..4815dd81fc3 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
}
/********************************************************************
- start TLS on an existing LDAP connection
+ start TLS on an existing LDAP connection per config
*******************************************************************/
int smbldap_start_tls(LDAP *ldap_struct, int version)
-{
-#ifdef LDAP_OPT_X_TLS
- int rc,tls;
-#endif
-
+{
if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
return LDAP_SUCCESS;
}
+ return smbldap_start_tls_start(ldap_struct, version);
+}
+
+/********************************************************************
+ start TLS on an existing LDAP connection unconditionally
+*******************************************************************/
+
+int smbldap_start_tls_start(LDAP *ldap_struct, int version)
+{
#ifdef LDAP_OPT_X_TLS
+ int rc,tls;
+
/* check if we use ldaps already */
ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
if (tls == LDAP_OPT_X_TLS_HARD) {
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 36e73440495..16c32b2d5a7 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -703,7 +703,7 @@ got_connection:
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if ( lp_ldap_ssl_ads() ) {
- status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
+ status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version));
if (!ADS_ERR_OK(status)) {
goto out;
}
diff --git a/source3/wscript_build b/source3/wscript_build
index 10d9f71ae76..76d01a78f64 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap',
abi_directory='lib/ABI',
abi_match='smbldap_*',
pc_files=[],
- vnum='2',
+ vnum='2.1.0',
public_headers='include/smbldap.h include/smb_ldap.h')
bld.SAMBA3_LIBRARY('ads',
--
2.25.4
From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 2 Jul 2020 10:59:18 +0200
Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/ads_proto.h | 2 +-
source3/libads/ads_struct.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index cd9c1082681..6cdde0cf6eb 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm,
const char *workgroup,
const char *ldap_server,
enum ads_sasl_state_e sasl_state);
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags);
void ads_destroy(ADS_STRUCT **ads);
/* The following definitions come from libads/disp_sec.c */
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 043a1b21247..67a9a7cf75e 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm,
/****************************************************************
****************************************************************/
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags)
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags)
{
+ unsigned other_flags;
+
if (!ads) {
return false;
}
- ads->auth.flags = flags;
+ other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL);
+
+ ads->auth.flags = flags | other_flags;
return true;
}
--
2.25.4
From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 2 Jul 2020 09:33:12 +0200
Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
WHATSNEW.txt | 5 +++++
selftest/knownfail.d/net_ads_tls | 1 -
source3/libads/ldap.c | 4 ++++
3 files changed, 9 insertions(+), 1 deletion(-)
delete mode 100644 selftest/knownfail.d/net_ads_tls
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8935876d247..927b9a0fa59 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -562,6 +562,11 @@ The "ldap ssl ads" option no longer depends on "ldap ssl" option:
With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
is off.
+The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
+-----------------------------------------------------------------------
+This is now done implicitly when over TLS, so "client ldap sasl wrapping"
+does not need to be set to "plain" in order for it to work.
+
REMOVED FEATURES
================
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
deleted file mode 100644
index 251c948b6a9..00000000000
--- a/selftest/knownfail.d/net_ads_tls
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.net_ads_tls
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 16c32b2d5a7..3f41e990085 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -707,6 +707,10 @@ got_connection:
if (!ADS_ERR_OK(status)) {
goto out;
}
+ if (!ads_set_sasl_wrap_flags(ads, 0)) {
+ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ goto out;
+ }
}
/* fill in the current time and offsets */
--
2.25.4
From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 11 Jul 2020 05:04:59 +0200
Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over
TLS
From local tests with strace:
socket(AF_UNIX, SOCK_STREAM, 0) = 12
write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38
...
write(2, "ads_domain_func_level: 3\n", 25) = 25
write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36
write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} ---
+++ killed by SIGPIPE +++
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184
---
source3/utils/net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 683b46794e4..e289b2814bc 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c,
POPT_TABLEEND
};
+ /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */
+ BlockSignals(True, SIGPIPE);
+
zero_sockaddr(&c->opt_dest_ip);
setup_logging(argv[0], DEBUG_STDERR);
--
2.25.4
From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Jul 2020 22:38:06 +0200
Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Isaac Boukris <iboukris@samba.org>
---
source3/libads/ldap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 1ffe96d32c9..d431156912f 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum)
{
int fd = -1;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ unsigned timeout_ms = 1000 * to;
- status = open_socket_out(ss, port, to, &fd);
+ status = open_socket_out(ss, port, timeout_ms, &fd);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("open_socket_out: failed to open socket\n"));
return NULL;
}
--
2.25.4