[SCM] Samba Shared Repository - branch v4-1-test updated

Karolin Seeger kseeger at samba.org
Thu Oct 9 15:44:02 MDT 2014


The branch, v4-1-test has been updated
       via  429ddb1 s3: smb2cli: query info return length check was reversed.
       via  0e17b3f s3-libads: Add all machine account principals to the keytab.
       via  6602ad3 registry: Don't leave dangling transactions
       via  f2f050c s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call
       via  a0eb3dd s3: Move init_lsa_ref_domain_list to lib
       via  2cd2490 idmap_rfc2307: Fix a crash after connection problem to DC
       via  043415e s3-libnet: Make sure we do not overwrite precreated SPNs.
       via  306e7e3 s3-libnet: Add libnet_join_get_machine_spns().
       via  f42d65e s3-libads: Add function to search for an element in an array.
       via  5923c9a s3-libads: Add a function to retrieve the SPNs of a computer account.
      from  bff195a s3-libads: Improve service principle guessing.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit 429ddb19e7b36e535b9c59664999d52bee99806f
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 1 14:20:10 2014 -0700

    s3: smb2cli: query info return length check was reversed.
    
    Make it identical to the check in libcli/smb/smb2cli_ioctl.c
    
    https://bugzilla.samba.org/show_bug.cgi?id=10848
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: "Stefan (metze) Metzmacher" <metze at samba.org>
    Reviewed-by: David Disseldorp <ddiss at suse.de>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Oct  2 04:42:26 CEST 2014 on sn-devel-104
    
    (cherry picked from commit 6c05cd3e895831be7d9a68a51de2048d04c188a0)
    
    Autobuild-User(v4-1-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-1-test): Thu Oct  9 23:43:36 CEST 2014 on sn-devel-104

commit 0e17b3f3c7ef06b953f5c636ca5fb6f0801dac58
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 24 10:51:33 2014 +0200

    s3-libads: Add all machine account principals to the keytab.
    
    This adds all SPNs defined in the DC for the computer account to the
    keytab using 'net ads keytab create -P'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 5d58b92f8fcbc509f4fe2bd3617bcaeada1806b6)

commit 6602ad3be3753503423bd2c3ba0e03961a2a4038
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Oct 8 15:39:28 2014 +0200

    registry: Don't leave dangling transactions
    
    When a createkey fails due to access denied, we need to do a
    transaction_cancel. Otherwise the lock on the db will stay around.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10860

commit f2f050ccb9a07fc1219f4f4b73ef2875ca37ab9e
Author: Christof Schmitt <cs at samba.org>
Date:   Thu Sep 11 16:39:21 2014 -0700

    s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call
    
    Create a new lsa_RefDomainList and populate it with the domain SID from
    the original query. That avoids the problem that for migrated objects,
    LookupSids returns the SID of the new domain, and combining that with
    the RID from the input results in an invalid SID.
    
    A better fix would be querying the RID of the user in the new domain,
    but the approach here at least avoids id mappings entries for invalid
    SIDs.
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Mon Sep 29 13:15:18 CEST 2014 on sn-devel-104
    
    (cherry picked from commit 9c9216410faf707edc4ba05f2b715d45f7f51ca4)
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10838
    Invalid id mappings for users/groups migrated from another domain

commit a0eb3ddd761235e0308fa8f8982ef027ea179805
Author: Christof Schmitt <cs at samba.org>
Date:   Thu Sep 11 16:11:06 2014 -0700

    s3: Move init_lsa_ref_domain_list to lib
    
    This will be used in the next patch in winbind.
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    (cherry picked from commit 16594e7fc0a46249a48d0d0635de0c1050ecd340)

commit 2cd2490f356fcb3642aa1bd60729f69906ffca81
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Sep 17 13:23:11 2014 -0700

    idmap_rfc2307: Fix a crash after connection problem to DC
    
    When the connection to the DC has a problem, the code behind
    ads_do_search_retry closes the current connection and opens a new one.
    The new connection has a new struct LDAP to represent the connection. In
    this case, the LDAP pointer in the idmap_rfc2307_context becomes
    invalid.
    
    Fix this problem by updating the local pointer after calling
    ads_do_search_retry.
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10837
    winbind crash in idmap_rfc2307 module

commit 043415e1d69db9bc81f4a51cc392529d58955004
Author: Günther Deschner <gd at samba.org>
Date:   Fri Sep 26 03:35:43 2014 +0200

    s3-libnet: Make sure we do not overwrite precreated SPNs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Fri Sep 26 08:22:45 CEST 2014 on sn-devel-104
    
    (cherry picked from commit 0aacbe78bb40d76b65087c2a197c92b0101e625e)

commit 306e7e3746e86ecea0f36411d98ba52532dfba02
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Sep 26 03:09:08 2014 +0200

    s3-libnet: Add libnet_join_get_machine_spns().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 7e0b8fcce5572c88d50993a1dbd90f65638ba90f)

commit f42d65e94d4aeebc7471187a85905fba83a17ace
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 24 09:23:58 2014 +0200

    s3-libads: Add function to search for an element in an array.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit e1ee4c8bc7018db7787dd9a0be6d3aa40a477ee2)

commit 5923c9a228870bee2818cdc740598fd708d063f8
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 24 09:22:03 2014 +0200

    s3-libads: Add a function to retrieve the SPNs of a computer account.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 4eaa4ccbdf279f1ff6d8218b36d92aeea0114cd8)

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smb2cli_query_info.c               |    2 +-
 source3/{lib/version_test.c => include/lsa.h} |   17 ++---
 source3/lib/lsa.c                             |   67 ++++++++++++++++++
 source3/libads/ads_proto.h                    |    8 ++
 source3/libads/kerberos_keytab.c              |   74 ++++++++++++++------
 source3/libads/ldap.c                         |   91 +++++++++++++++++++++++++
 source3/libnet/libnet_join.c                  |   59 +++++++++++++++-
 source3/registry/reg_api.c                    |    2 +-
 source3/rpc_server/lsa/srv_lsa_nt.c           |   48 +-------------
 source3/rpc_server/wscript_build              |    2 +-
 source3/winbindd/idmap_rfc2307.c              |    1 +
 source3/winbindd/wb_sids2xids.c               |   33 ++++++++-
 source3/wscript_build                         |    4 +
 13 files changed, 321 insertions(+), 87 deletions(-)
 copy source3/{lib/version_test.c => include/lsa.h} (74%)
 create mode 100644 source3/lib/lsa.c


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smb2cli_query_info.c b/libcli/smb/smb2cli_query_info.c
index 454f25a..a24844b 100644
--- a/libcli/smb/smb2cli_query_info.c
+++ b/libcli/smb/smb2cli_query_info.c
@@ -154,7 +154,7 @@ static void smb2cli_query_info_done(struct tevent_req *subreq)
 			return;
 		}
 
-		if (output_buffer_length < dyn_len) {
+		if (output_buffer_length > dyn_len) {
 			tevent_req_nterror(
 				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 			return;
diff --git a/source3/lib/version_test.c b/source3/include/lsa.h
similarity index 74%
copy from source3/lib/version_test.c
copy to source3/include/lsa.h
index 880cfeb..7681aed 100644
--- a/source3/lib/version_test.c
+++ b/source3/include/lsa.h
@@ -1,7 +1,5 @@
 /*
- *  Unix SMB/CIFS implementation.
- *  version_test - test program for samba_version_strion()
- *  Copyright (C) Michael Adam 2009
+ * Helper functions related to the LSA server
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -16,11 +14,12 @@
  *  You should have received a copy of the GNU General Public License
  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
+#ifndef LSA_H
+#define LSA_H
 
-#include "includes.h"
+int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
+			     struct lsa_RefDomainList *ref,
+			     const char *dom_name,
+			     struct dom_sid *dom_sid);
 
-int main(void)
-{
-	printf("%s\n", samba_version_string());
-	return 0;
-}
+#endif
diff --git a/source3/lib/lsa.c b/source3/lib/lsa.c
new file mode 100644
index 0000000..0046fda
--- /dev/null
+++ b/source3/lib/lsa.c
@@ -0,0 +1,67 @@
+/*
+ * Helper functions related to the LSA server
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/***************************************************************************
+ init_lsa_ref_domain_list - adds a domain if it's not already in, returns index.
+***************************************************************************/
+
+#include "includes.h"
+#include "libcli/security/dom_sid.h"
+#include "librpc/gen_ndr/lsa.h"
+#include "lsa.h"
+
+int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
+			     struct lsa_RefDomainList *ref,
+			     const char *dom_name,
+			     struct dom_sid *dom_sid)
+{
+	int num = 0;
+
+	if (dom_name != NULL) {
+		for (num = 0; num < ref->count; num++) {
+			if (dom_sid_equal(dom_sid, ref->domains[num].sid)) {
+				return num;
+			}
+		}
+	} else {
+		num = ref->count;
+	}
+
+	if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
+		/* index not found, already at maximum domain limit */
+		return -1;
+	}
+
+	ref->count = num + 1;
+	ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
+
+	ref->domains = talloc_realloc(mem_ctx, ref->domains,
+					    struct lsa_DomainInfo, ref->count);
+	if (!ref->domains) {
+		return -1;
+	}
+
+	ZERO_STRUCT(ref->domains[num]);
+
+	ref->domains[num].name.string = dom_name;
+	ref->domains[num].sid = dom_sid_dup(mem_ctx, dom_sid);
+	if (!ref->domains[num].sid) {
+		return -1;
+	}
+
+	return num;
+}
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 17a84d1..1e34247 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -87,6 +87,14 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
 				const char *name, const char **vals);
 uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
 uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
+
+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
+
+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+					   ADS_STRUCT *ads,
+					   const char *machine_name,
+					   char ***spn_array,
+					   size_t *num_spns);
 ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
 ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
                                           const char *my_fqdn, const char *spn);
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 83df088..d13625b 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -507,20 +507,57 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 	krb5_kt_cursor cursor;
 	krb5_keytab_entry kt_entry;
 	krb5_kvno kvno;
-	int i, found = 0;
+	size_t found = 0;
 	char *sam_account_name, *upn;
 	char **oldEntries = NULL, *princ_s[26];
-	TALLOC_CTX *tmpctx = NULL;
+	TALLOC_CTX *frame;
 	char *machine_name;
+	char **spn_array;
+	size_t num_spns;
+	size_t i;
+	ADS_STATUS status;
 
-	/* these are the main ones we need */
-	ret = ads_keytab_add_entry(ads, "host");
-	if (ret != 0) {
-		DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
-			  "adding 'host' principal.\n"));
-		return ret;
+	frame = talloc_stackframe();
+	if (frame == NULL) {
+		ret = -1;
+		goto done;
+	}
+
+	status = ads_get_service_principal_names(frame,
+						 ads,
+						 lp_netbios_name(),
+						 &spn_array,
+						 &num_spns);
+	if (!ADS_ERR_OK(status)) {
+		ret = -1;
+		goto done;
 	}
 
+	for (i = 0; i < num_spns; i++) {
+		char *srv_princ;
+		char *p;
+
+		srv_princ = strlower_talloc(frame, spn_array[i]);
+		if (srv_princ == NULL) {
+			ret = -1;
+			goto done;
+		}
+
+		p = strchr_m(srv_princ, '/');
+		if (p == NULL) {
+			continue;
+		}
+		p[0] = '\0';
+
+		/* Add the SPNs found on the DC */
+		ret = ads_keytab_add_entry(ads, srv_princ);
+		if (ret != 0) {
+			DEBUG(1, ("ads_keytab_add_entry failed while "
+				  "adding '%s' principal.\n",
+				  spn_array[i]));
+			goto done;
+		}
+	}
 
 #if 0	/* don't create the CIFS/... keytab entries since no one except smbd
 	   really needs them and we will fall back to verifying against
@@ -543,24 +580,17 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 	if (ret) {
 		DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
 			  error_message(ret)));
-		return ret;
-	}
-
-	tmpctx = talloc_init(__location__);
-	if (!tmpctx) {
-		DEBUG(0, (__location__ ": talloc_init() failed!\n"));
-		ret = -1;
 		goto done;
 	}
 
-	machine_name = talloc_strdup(tmpctx, lp_netbios_name());
+	machine_name = talloc_strdup(frame, lp_netbios_name());
 	if (!machine_name) {
 		ret = -1;
 		goto done;
 	}
 
 	/* now add the userPrincipalName and sAMAccountName entries */
-	sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
+	sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
 	if (!sam_account_name) {
 		DEBUG(0, (__location__ ": unable to determine machine "
 			  "account's name in AD!\n"));
@@ -584,7 +614,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 	}
 
 	/* remember that not every machine account will have a upn */
-	upn = ads_get_upn(ads, tmpctx, machine_name);
+	upn = ads_get_upn(ads, frame, machine_name);
 	if (upn) {
 		ret = ads_keytab_add_entry(ads, upn);
 		if (ret != 0) {
@@ -596,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 
 	/* Now loop through the keytab and update any other existing entries */
 	kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
-	if (kvno == -1) {
+	if (kvno == (krb5_kvno)-1) {
 		DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
 			  "determine the system's kvno.\n"));
 		goto done;
@@ -629,12 +659,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 	 * have a race condition where someone else could add entries after
 	 * we've counted them. Re-open asap to minimise the race. JRA.
 	 */
-	DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
+	DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
 	if (!found) {
 		goto done;
 	}
 
-	oldEntries = talloc_array(tmpctx, char *, found);
+	oldEntries = talloc_array(frame, char *, found);
 	if (!oldEntries) {
 		DEBUG(1, (__location__ ": Failed to allocate space to store "
 			  "the old keytab entries (talloc failed?).\n"));
@@ -708,7 +738,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 
 done:
 	TALLOC_FREE(oldEntries);
-	TALLOC_FREE(tmpctx);
+	TALLOC_FREE(frame);
 
 	{
 		krb5_keytab_entry zero_kt_entry;
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index fb99132..8d104c2 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1927,6 +1927,97 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
 }
 
 /**
+ * @brief Search for an element in a string array.
+ *
+ * @param[in]  el_array  The string array to search.
+ *
+ * @param[in]  num_el    The number of elements in the string array.
+ *
+ * @param[in]  el        The string to search.
+ *
+ * @return               True if found, false if not.
+ */
+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
+{
+	size_t i;
+
+	if (el_array == NULL || num_el == 0 || el == NULL) {
+		return false;
+	}
+
+	for (i = 0; i < num_el && el_array[i] != NULL; i++) {
+		int cmp;
+
+		cmp = strcasecmp_m(el_array[i], el);
+		if (cmp == 0) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
+/**
+ * @brief This gets the service principal names of an existing computer account.
+ *
+ * @param[in]  mem_ctx      The memory context to use to allocate the spn array.
+ *
+ * @param[in]  ads          The ADS context to use.
+ *
+ * @param[in]  machine_name The NetBIOS name of the computer, which is used to
+ *                          identify the computer account.
+ *
+ * @param[in]  spn_array    A pointer to store the array for SPNs.
+ *
+ * @param[in]  num_spns     The number of principals stored in the array.
+ *
+ * @return                  0 on success, or a ADS error if a failure occured.
+ */
+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+					   ADS_STRUCT *ads,
+					   const char *machine_name,
+					   char ***spn_array,
+					   size_t *num_spns)
+{
+	ADS_STATUS status;
+	LDAPMessage *res = NULL;
+	char *dn;
+	int count;
+
+	status = ads_find_machine_acct(ads,
+				       &res,
+				       machine_name);
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(1,("Host Account for %s not found... skipping operation.\n",
+			 machine_name));
+		return status;
+	}
+
+	count = ads_count_replies(ads, res);
+	if (count != 1) {
+		status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+		goto done;
+	}
+
+	dn = ads_get_dn(ads, mem_ctx, res);
+	if (dn == NULL) {
+		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+		goto done;
+	}
+
+	*spn_array = ads_pull_strings(ads,
+				      mem_ctx,
+				      res,
+				      "servicePrincipalName",
+				      num_spns);
+
+done:
+	ads_msgfree(ads, res);
+
+	return status;
+}
+
+/**
  * This adds a service principal name to an existing computer account
  * (found by hostname) in AD.
  * @param ads An initialized ADS_STRUCT
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 1418385..aa7b5cb 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -358,6 +358,26 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
 	return status;
 }
 
+static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
+					       struct libnet_JoinCtx *r,
+					       char ***spn_array,
+					       size_t *num_spns)
+{
+	ADS_STATUS status;
+
+	if (r->in.machine_name == NULL) {
+		return ADS_ERROR_SYSTEM(EINVAL);
+	}
+
+	status = ads_get_service_principal_names(mem_ctx,
+						 r->in.ads,
+						 r->in.machine_name,
+						 spn_array,
+						 num_spns);
+
+	return status;
+}
+
 /****************************************************************
  Set a machines dNSHostName and servicePrincipalName attributes
 ****************************************************************/
@@ -368,8 +388,10 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 	ADS_STATUS status;
 	ADS_MODLIST mods;
 	fstring my_fqdn;
-	const char *spn_array[3] = {NULL, NULL, NULL};
+	const char **spn_array = NULL;
+	size_t num_spns = 0;
 	char *spn = NULL;
+	bool ok;
 
 	/* Find our DN */
 
@@ -378,6 +400,14 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 		return status;
 	}
 
+	status = libnet_join_get_machine_spns(mem_ctx,
+					      r,
+					      discard_const_p(char **, &spn_array),
+					      &num_spns);
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
+	}
+
 	/* Windows only creates HOST/shortname & HOST/fqdn. */
 
 	spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
@@ -387,7 +417,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 	if (!strupper_m(spn)) {
 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 	}
-	spn_array[0] = spn;
+
+	ok = ads_element_in_array(spn_array, num_spns, spn);
+	if (!ok) {
+		ok = add_string_to_array(spn_array, spn,
+					 &spn_array, (int *)&num_spns);
+		if (!ok) {
+			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+		}
+	}
 
 	if (!name_to_fqdn(my_fqdn, r->in.machine_name)
 	    || (strchr(my_fqdn, '.') == NULL)) {
@@ -404,8 +442,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 		if (!spn) {
 			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 		}
-		spn_array[1] = spn;
+
+		ok = ads_element_in_array(spn_array, num_spns, spn);
+		if (!ok) {
+			ok = add_string_to_array(spn_array, spn,
+						 &spn_array, (int *)&num_spns);
+			if (!ok) {
+				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+			}
+		}
+	}
+
+	/* make sure to NULL terminate the array */
+	spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
+	if (spn_array == NULL) {
+		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 	}
+	spn_array[num_spns] = NULL;
 
 	mods = ads_init_mods(mem_ctx);
 	if (!mods) {
diff --git a/source3/registry/reg_api.c b/source3/registry/reg_api.c
index ca990e2..cb8576e 100644
--- a/source3/registry/reg_api.c
+++ b/source3/registry/reg_api.c
@@ -634,7 +634,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent,
 				 key->token))
 	{
 		err = WERR_ACCESS_DENIED;
-		goto done;
+		goto trans_done;
 	}
 
 	/*
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index f4dc4af..46f42d5 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -49,6 +49,7 @@
 #include "../librpc/gen_ndr/ndr_wkssvc.h"


-- 
Samba Shared Repository


More information about the samba-cvs mailing list