svn commit: samba r24804 - in branches: SAMBA_3_2/source/include SAMBA_3_2/source/libads SAMBA_3_2_0/source/include SAMBA_3_2_0/source/libads

gd at samba.org gd at samba.org
Thu Aug 30 15:39:52 GMT 2007


Author: gd
Date: 2007-08-30 15:39:51 +0000 (Thu, 30 Aug 2007)
New Revision: 24804

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24804

Log:
As a temporary workaround, also try to guess the server's principal in the
"not_defined_in_RFC4178 at please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.

Guenther

Modified:
   branches/SAMBA_3_2/source/include/ads.h
   branches/SAMBA_3_2/source/libads/sasl.c
   branches/SAMBA_3_2/source/libads/util.c
   branches/SAMBA_3_2_0/source/include/ads.h
   branches/SAMBA_3_2_0/source/libads/sasl.c
   branches/SAMBA_3_2_0/source/libads/util.c


Changeset:
Modified: branches/SAMBA_3_2/source/include/ads.h
===================================================================
--- branches/SAMBA_3_2/source/include/ads.h	2007-08-30 14:55:32 UTC (rev 24803)
+++ branches/SAMBA_3_2/source/include/ads.h	2007-08-30 15:39:51 UTC (rev 24804)
@@ -394,4 +394,6 @@
 
 #define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
 
+#define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178 at please_ignore"
+
 #endif	/* _INCLUDE_ADS_H_ */
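Review bot: The marker literal reads `not_defined_in_RFC4178 at please_ignore` both here and in the commit log, with ` at ` where a Kerberos-style principal carries `@`; that looks like the mailing list's address munging rather than the committed text, but because `strequal(given_principal, ADS_IGNORE_PRINCIPAL)` in sasl.c only fires if the define matches what the server actually sends, the literal in the repository is worth confirming. The same define is added to branches/SAMBA_3_2_0/source/include/ads.h further down. A short comment on the define would also help the next reader, e.g. `/* placeholder principal some servers (seen with Windows Server 2008) return in the SASL bind reply; treated like "no principal given", so the target is guessed from our own config */`.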

Modified: branches/SAMBA_3_2/source/libads/sasl.c
===================================================================
--- branches/SAMBA_3_2/source/libads/sasl.c	2007-08-30 14:55:32 UTC (rev 24803)
+++ branches/SAMBA_3_2/source/libads/sasl.c	2007-08-30 15:39:51 UTC (rev 24804)
@@ -657,55 +657,26 @@
 
 	ZERO_STRUCTP(p);
 
-	/* I've seen a child Windows 2000 domain not send 
-	   the principal name back in the first round of 
+	/* I've seen a child Windows 2000 domain not send
+	   the principal name back in the first round of
 	   the SASL bind reply.  So we guess based on server
 	   name and realm.  --jerry  */
-	if (given_principal) {
-		p->string = SMB_STRDUP(given_principal);
-		if (!p->string) {
-			return ADS_ERROR(LDAP_NO_MEMORY);
-		}
-	} else if (ads->server.realm && ads->server.ldap_server) {
-		char *server, *server_realm;
+	/* Also try best guess when we get the w2k8 ignore
+	   principal back - gd */
 
-		server = SMB_STRDUP(ads->server.ldap_server);
-		server_realm = SMB_STRDUP(ads->server.realm);
+	if (!given_principal ||
+	    strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
 
-		if (!server || !server_realm) {
-			return ADS_ERROR(LDAP_NO_MEMORY);
+		status = ads_guess_service_principal(ads, given_principal,
+						     &p->string);
+		if (!ADS_ERR_OK(status)) {
+			return status;
 		}
-
-		strlower_m(server);
-		strupper_m(server_realm);
-		asprintf(&p->string, "ldap/%s@%s", server, server_realm);
-
-		SAFE_FREE(server);
-		SAFE_FREE(server_realm);
-
+	} else {
+		p->string = SMB_STRDUP(given_principal);
 		if (!p->string) {
 			return ADS_ERROR(LDAP_NO_MEMORY);
 		}
-	} else if (ads->config.realm && ads->config.ldap_server_name) {
-		char *server, *server_realm;
-
-		server = SMB_STRDUP(ads->config.ldap_server_name);
-		server_realm = SMB_STRDUP(ads->config.realm);
-
-		if (!server || !server_realm) {
-			return ADS_ERROR(LDAP_NO_MEMORY);
-		}
-
-		strlower_m(server);
-		strupper_m(server_realm);
-		asprintf(&p->string, "ldap/%s@%s", server, server_realm);
-
-		SAFE_FREE(server);
-		SAFE_FREE(server_realm);
-
-		if (!p->string) {
-			return ADS_ERROR(LDAP_NO_MEMORY);
-		}
 	}
 
 	initialize_krb5_error_table();
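Review bot: `ads_guess_service_principal(ads, given_principal, &p->string)` passes `given_principal`, but the new function in util.c never reads it; either drop the parameter or use it (for example in a debug message naming the rejected marker), so the call site does not suggest the server-supplied hint influences the guess. The enclosing function starts and ends outside the hunk, so I cannot see whether `status` is declared there; if it is not, the assignment needs an `ADS_STATUS status;` among the declarations. A principal that is neither NULL nor the marker is still copied verbatim from the server reply, which is pre-existing behaviour this hunk keeps; the comment could state that explicitly: `/* any other server-supplied name is used as-is */`.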

Modified: branches/SAMBA_3_2/source/libads/util.c
===================================================================
--- branches/SAMBA_3_2/source/libads/util.c	2007-08-30 14:55:32 UTC (rev 24803)
+++ branches/SAMBA_3_2/source/libads/util.c	2007-08-30 15:39:51 UTC (rev 24804)
@@ -51,4 +51,62 @@
 	SAFE_FREE(password);
 	return ret;
 }
+
+ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
+				       const char *given_principal,
+				       char **returned_principal)
+{
+	char *princ = NULL;
+
+	if (ads->server.realm && ads->server.ldap_server) {
+		char *server, *server_realm;
+
+		server = SMB_STRDUP(ads->server.ldap_server);
+		server_realm = SMB_STRDUP(ads->server.realm);
+
+		if (!server || !server_realm) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+
+		strlower_m(server);
+		strupper_m(server_realm);
+		asprintf(&princ, "ldap/%s@%s", server, server_realm);
+
+		SAFE_FREE(server);
+		SAFE_FREE(server_realm);
+
+		if (!princ) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+	} else if (ads->config.realm && ads->config.ldap_server_name) {
+		char *server, *server_realm;
+
+		server = SMB_STRDUP(ads->config.ldap_server_name);
+		server_realm = SMB_STRDUP(ads->config.realm);
+
+		if (!server || !server_realm) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+
+		strlower_m(server);
+		strupper_m(server_realm);
+		asprintf(&princ, "ldap/%s@%s", server, server_realm);
+
+		SAFE_FREE(server);
+		SAFE_FREE(server_realm);
+
+		if (!princ) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+	}
+
+	if (!princ) {
+		return ADS_ERROR(LDAP_PARAM_ERROR);
+	}
+
+	*returned_principal = princ;
+
+	return ADS_SUCCESS;
+}
+
 #endif
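Review bot: `asprintf(&princ, "ldap/%s@%s", ...)` at both call sites has its return value ignored, and the following `if (!princ)` relies on `princ` staying NULL on failure, which asprintf does not guarantee (the output pointer is unspecified when it returns -1); test the return value instead. The `if (!server || !server_realm)` early returns in both branches also leak whichever `SMB_STRDUP` succeeded. The two branches are the same code on different fields, so a small static helper that builds the principal from one server/realm pair, frees both temporaries on every path and reports NULL on failure removes the duplication and fixes both issues; `given_principal` is never read here and could be dropped from the signature once the caller in sasl.c is adjusted. The identical hunk for branches/SAMBA_3_2_0/source/libads/util.c further down has the same problems, and the `#endif` that closes this function belongs to a conditional whose `#if` is outside the hunk, so the guard it lives under is not visible here.
```c
/* Build "ldap/<server>@<REALM>" from one server/realm pair.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
static char *ads_build_ldap_principal(const char *ldap_server, const char *realm)
{
	char *server = SMB_STRDUP(ldap_server);
	char *server_realm = SMB_STRDUP(realm);
	char *princ = NULL;

	if (server && server_realm) {
		strlower_m(server);
		strupper_m(server_realm);
		/* asprintf leaves princ unspecified on failure: trust the return value */
		if (asprintf(&princ, "ldap/%s@%s", server, server_realm) < 0) {
			princ = NULL;
		}
	}

	SAFE_FREE(server);
	SAFE_FREE(server_realm);
	return princ;
}

ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
				       const char *given_principal,
				       char **returned_principal)
{
	char *princ = NULL;

	if (ads->server.realm && ads->server.ldap_server) {
		princ = ads_build_ldap_principal(ads->server.ldap_server,
						 ads->server.realm);
	} else if (ads->config.realm && ads->config.ldap_server_name) {
		princ = ads_build_ldap_principal(ads->config.ldap_server_name,
						 ads->config.realm);
	} else {
		/* nothing configured to guess from */
		return ADS_ERROR(LDAP_PARAM_ERROR);
	}

	if (!princ) {
		return ADS_ERROR(LDAP_NO_MEMORY);
	}
	/* … unchanged: *returned_principal = princ; return ADS_SUCCESS; … */
```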

Modified: branches/SAMBA_3_2_0/source/include/ads.h
===================================================================
--- branches/SAMBA_3_2_0/source/include/ads.h	2007-08-30 14:55:32 UTC (rev 24803)
+++ branches/SAMBA_3_2_0/source/include/ads.h	2007-08-30 15:39:51 UTC (rev 24804)
@@ -394,4 +394,6 @@
 
 #define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
 
+#define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178 at please_ignore"
+
 #endif	/* _INCLUDE_ADS_H_ */

Modified: branches/SAMBA_3_2_0/source/libads/sasl.c
===================================================================
--- branches/SAMBA_3_2_0/source/libads/sasl.c	2007-08-30 14:55:32 UTC (rev 24803)
+++ branches/SAMBA_3_2_0/source/libads/sasl.c	2007-08-30 15:39:51 UTC (rev 24804)
@@ -657,55 +657,26 @@
 
 	ZERO_STRUCTP(p);
 
-	/* I've seen a child Windows 2000 domain not send 
-	   the principal name back in the first round of 
+	/* I've seen a child Windows 2000 domain not send
+	   the principal name back in the first round of
 	   the SASL bind reply.  So we guess based on server
 	   name and realm.  --jerry  */
-	if (given_principal) {
-		p->string = SMB_STRDUP(given_principal);
-		if (!p->string) {
-			return ADS_ERROR(LDAP_NO_MEMORY);
-		}
-	} else if (ads->server.realm && ads->server.ldap_server) {
-		char *server, *server_realm;
+	/* Also try best guess when we get the w2k8 ignore
+	   principal back - gd */
 
-		server = SMB_STRDUP(ads->server.ldap_server);
-		server_realm = SMB_STRDUP(ads->server.realm);
+	if (!given_principal ||
+	    strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
 
-		if (!server || !server_realm) {
-			return ADS_ERROR(LDAP_NO_MEMORY);
+		status = ads_guess_service_principal(ads, given_principal,
+						     &p->string);
+		if (!ADS_ERR_OK(status)) {
+			return status;
 		}
-
-		strlower_m(server);
-		strupper_m(server_realm);
-		asprintf(&p->string, "ldap/%s@%s", server, server_realm);
-
-		SAFE_FREE(server);
-		SAFE_FREE(server_realm);
-
+	} else {
+		p->string = SMB_STRDUP(given_principal);
 		if (!p->string) {
 			return ADS_ERROR(LDAP_NO_MEMORY);
 		}
-	} else if (ads->config.realm && ads->config.ldap_server_name) {
-		char *server, *server_realm;
-
-		server = SMB_STRDUP(ads->config.ldap_server_name);
-		server_realm = SMB_STRDUP(ads->config.realm);
-
-		if (!server || !server_realm) {
-			return ADS_ERROR(LDAP_NO_MEMORY);
-		}
-
-		strlower_m(server);
-		strupper_m(server_realm);
-		asprintf(&p->string, "ldap/%s@%s", server, server_realm);
-
-		SAFE_FREE(server);
-		SAFE_FREE(server_realm);
-
-		if (!p->string) {
-			return ADS_ERROR(LDAP_NO_MEMORY);
-		}
 	}
 
 	initialize_krb5_error_table();

Modified: branches/SAMBA_3_2_0/source/libads/util.c
===================================================================
--- branches/SAMBA_3_2_0/source/libads/util.c	2007-08-30 14:55:32 UTC (rev 24803)
+++ branches/SAMBA_3_2_0/source/libads/util.c	2007-08-30 15:39:51 UTC (rev 24804)
@@ -51,4 +51,62 @@
 	SAFE_FREE(password);
 	return ret;
 }
+
+ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
+				       const char *given_principal,
+				       char **returned_principal)
+{
+	char *princ = NULL;
+
+	if (ads->server.realm && ads->server.ldap_server) {
+		char *server, *server_realm;
+
+		server = SMB_STRDUP(ads->server.ldap_server);
+		server_realm = SMB_STRDUP(ads->server.realm);
+
+		if (!server || !server_realm) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+
+		strlower_m(server);
+		strupper_m(server_realm);
+		asprintf(&princ, "ldap/%s@%s", server, server_realm);
+
+		SAFE_FREE(server);
+		SAFE_FREE(server_realm);
+
+		if (!princ) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+	} else if (ads->config.realm && ads->config.ldap_server_name) {
+		char *server, *server_realm;
+
+		server = SMB_STRDUP(ads->config.ldap_server_name);
+		server_realm = SMB_STRDUP(ads->config.realm);
+
+		if (!server || !server_realm) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+
+		strlower_m(server);
+		strupper_m(server_realm);
+		asprintf(&princ, "ldap/%s@%s", server, server_realm);
+
+		SAFE_FREE(server);
+		SAFE_FREE(server_realm);
+
+		if (!princ) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+	}
+
+	if (!princ) {
+		return ADS_ERROR(LDAP_PARAM_ERROR);
+	}
+
+	*returned_principal = princ;
+
+	return ADS_SUCCESS;
+}
+
 #endif


