[SCM] Samba Shared Repository - branch v4-12-test updated

Karolin Seeger kseeger at samba.org
Thu Jun 4 13:13:04 UTC 2020


The branch, v4-12-test has been updated
       via  7b1bac7d084 Add net-ads-join dnshostname=fqdn option
       via  71efed33f47 Add msDS-AdditionalDnsHostName entries to the keytab
       via  279e72fe334 Add a test for msDS-AdditionalDnsHostName entries in keytab
       via  b3630d58e48 Refactor ads_keytab_add_entry() to make it iterable
       via  533a4be557b Fix accidental overwrite of dnsHostName by the last netbios alias
       via  e25e574ba04 Add a test to check dNSHostName with netbios aliases
       via  5015bbbd701 s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry()
       via  2b15eee1bc0 docs-xml: update list of possible VFS operations for vfs_full_audit
       via  c2051cdfda6 s3: libsmbclient: Finish unifying bad iconv behavior across CORE NT1 SMB2 protocols.
       via  ea64f5fb2d8 s3: libsmb: In SMB2 return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
       via  cc105695a60 s3: libsmb: In SMB1 old protocol - return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
       via  290ae67b24e s3: selftest: Add test_smbclient_iconv.sh to check client behavior on bad name conversion.
       via  701cbabc92e s3: selftest: Add share definition [bad_iconv] in fileserver.
      from  f02893f5360 winbindd: Fix a use-after-free when winbind clients exit

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-test


- Log -----------------------------------------------------------------
commit 7b1bac7d084815cf8b0f070b16a5c93af78f2153
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed May 27 15:54:12 2020 +0200

    Add net-ads-join dnshostname=fqdn option
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184
    
    Autobuild-User(v4-12-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-12-test): Thu Jun  4 13:12:27 UTC 2020 on sn-devel-184

commit 71efed33f47dfc4f294881257add9121623e29ce
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed May 27 15:36:28 2020 +0200

    Add msDS-AdditionalDnsHostName entries to the keytab
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 279e72fe334d8ac375f0e5a8cfccc0fcf0b6d02f
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed May 27 17:55:12 2020 +0200

    Add a test for msDS-AdditionalDnsHostName entries in keytab
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit b3630d58e4816402231500551aa6268b5a8cffa7
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed May 27 13:25:17 2020 +0200

    Refactor ads_keytab_add_entry() to make it iterable
    
    so we can more easily add msDS-AdditionalDnsHostName entries.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 533a4be557bd7923ff8bfaea9a82cd99d47b10f4
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed May 27 15:52:46 2020 +0200

    Fix accidental overwrite of dnsHostName by the last netbios alias
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit e25e574ba042d83c7f7675b75139385d8cc9ffc8
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed May 27 16:50:45 2020 +0200

    Add a test to check dNSHostName with netbios aliases
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 5015bbbd70188553454cfdbbf4faa1c2062c4882
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 29 13:48:24 2019 +0100

    s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry()
    
    This is currently not critical as we only use keytabs
    as acceptor, but in future we'll also use them
    for kinit() and there we should prefer the newest type.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2b15eee1bc0d48b9804f20d5bb3cc8b2fde8085e
Author: Björn Jacke <bj at sernet.de>
Date:   Tue May 19 12:42:31 2020 +0200

    docs-xml: update list of possible VFS operations for vfs_full_audit
    
    the list of valid operations can be generated by
    
    grep "{ SMB_VFS_OP_" source3/modules/vfs_full_audit.c |sed 's/.*,[ \t]*"//;s/".*//'|grep -v NULL | sort
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14386
    
    based on 14470e4e4c16cfc36384027c39c1685dea42ad26 in master
    
    Signed-off-by: Bjoern Jacke <bjacke at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit c2051cdfda67f04e641c7b58d0c89a675ed6fb79
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 15:58:27 2020 -0700

    s3: libsmbclient: Finish unifying bad iconv behavior across CORE NT1 SMB2 protocols.
    
    On bad name conversion, exit the directory listing with an error, but leave the
    connection intact. We were already checking for finfo->name == NULL here,
    but were ignoring it and not reporting an error.
    
    Remove the knownfail.d/bad_iconv file as we now
    behave the same across CORE/NT1/SMB2.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue May 12 21:32:44 UTC 2020 on sn-devel-184
    
    (cherry picked from commit 393da520e43bd3a28feb231bcd9fd5308a3daa4a)

commit ea64f5fb2d87877d77a8ccdd6874b367efaf62a4
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 12:23:49 2020 -0700

    s3: libsmb: In SMB2 return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
    
    Can happen if namelen == 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 753115a8d19f6ac8cd28305748fc6d888679dccc)

commit cc105695a60f629928c971e98e15edb89fb58162
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 12:34:10 2020 -0700

    s3: libsmb: In SMB1 old protocol - return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
    
    Can happen if namelen == 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit b10de0bb64fe022e6b066584013dfb0bdf2ade96)

commit 290ae67b24eec2a50c937216b92e7294e1e08109
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 15:37:00 2020 -0700

    s3: selftest: Add test_smbclient_iconv.sh to check client behavior on bad name conversion.
    
    SMB2 and NT1 fail this; CORE already returns NT_STATUS_INVALID_NETWORK_RESPONSE
    on bad conversion.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (back-ported from commit e016671d34c24c4768df774425ec743b88e30015)

commit 701cbabc92e3bab2ddf55e8adef2b005ea4ae4c5
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 14:10:54 2020 -0700

    s3: selftest: Add share definition [bad_iconv] in fileserver.
    
    Creates a valid UTF-8 filename inside the share that is invalid in CP850.
    Useful to test smbclient list directory character set conversions.
    
    https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (back-ported from commit a9651d6bc2b6dea8adc859ce21c2431253868887)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/net.8.xml                  |   7 +-
 docs-xml/manpages/vfs_full_audit.8.xml       |  70 +++++++--
 selftest/target/Samba3.pm                    |  20 +++
 source3/libads/ads_proto.h                   |   5 +
 source3/libads/kerberos_keytab.c             | 224 ++++++++++++++++-----------
 source3/libads/ldap.c                        |  45 ++++++
 source3/libnet/libnet_join.c                 |  12 +-
 source3/librpc/idl/libnet_join.idl           |   1 +
 source3/libsmb/cli_smb2_fnum.c               |   6 +
 source3/libsmb/clilist.c                     |  10 +-
 source3/script/tests/test_smbclient_iconv.sh |  53 +++++++
 source3/selftest/tests.py                    |   6 +
 source3/utils/net_ads.c                      |   9 +-
 testprogs/blackbox/test_net_ads.sh           |  38 +++++
 14 files changed, 391 insertions(+), 115 deletions(-)
 create mode 100755 source3/script/tests/test_smbclient_iconv.sh


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 37dd30b7864..cbab9c63a5e 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -481,7 +481,7 @@ The remote server must be specified with the -S option.
 
 <refsect2>
 <title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
-[createupn=UPN] [createcomputer=OU] [machinepass=PASS]
+[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS]
 [osName=string osVer=string] [options]</title>
 
 <para>
@@ -496,6 +496,11 @@ be created.</para>
 joining the domain.
 </para>
 
+<para>
+[FQDN] (ADS only) set the dnsHosName attribute during the join.
+The default format is netbiosname.dnsdomain.
+</para>
+
 <para>
 [UPN] (ADS only) set the principalname attribute during the join.  The default
 format is host/netbiosname at REALM.
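Review bot: the attribute name in the new paragraph is misspelled: `dnsHosName` should be `dnsHostName`, the spelling used elsewhere in this series ("Fix accidental overwrite of dnsHostName ..."). This is the text administrators will search the manpage for, so fix it before merge. It would also help to say that the value is the name written to the machine account and later used when keytab entries are generated, so it must be a name the host actually owns in DNS.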
diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml
index 7b17e2e1ad4..e6c05c3fdc3 100644
--- a/docs-xml/manpages/vfs_full_audit.8.xml
+++ b/docs-xml/manpages/vfs_full_audit.8.xml
@@ -38,60 +38,98 @@
 	complete set of Samba VFS operations:</para>
 
 	<simplelist>
+        <member>aio_force</member>
+        <member>audit_file</member>
+        <member>brl_lock_windows</member>
+        <member>brl_unlock_windows</member>
         <member>chdir</member>
         <member>chflags</member>
         <member>chmod</member>
-        <member>chown</member>
         <member>close</member>
         <member>closedir</member>
         <member>connect</member>
-	<member>copy_chunk_send</member>
-	<member>copy_chunk_recv</member>
+        <member>connectpath</member>
+        <member>create_dfs_pathat</member>
+        <member>create_file</member>
         <member>disconnect</member>
         <member>disk_free</member>
+        <member>durable_cookie</member>
+        <member>durable_disconnect</member>
+        <member>durable_reconnect</member>
+        <member>fallocate</member>
         <member>fchmod</member>
         <member>fchown</member>
+        <member>fdopendir</member>
+        <member>fget_dos_attributes</member>
         <member>fget_nt_acl</member>
         <member>fgetxattr</member>
+        <member>file_id_create</member>
         <member>flistxattr</member>
         <member>fremovexattr</member>
+        <member>fs_capabilities</member>
+        <member>fsctl</member>
+        <member>fset_dos_attributes</member>
         <member>fset_nt_acl</member>
         <member>fsetxattr</member>
+        <member>fs_file_id</member>
         <member>fstat</member>
         <member>fsync</member>
+        <member>fsync_recv</member>
+        <member>fsync_send</member>
         <member>ftruncate</member>
+        <member>get_alloc_size</member>
         <member>get_compression</member>
+        <member>get_dfs_referrals</member>
+        <member>get_dos_attributes</member>
+        <member>get_dos_attributes_recv</member>
+        <member>get_dos_attributes_send</member>
+        <member>getlock</member>
         <member>get_nt_acl</member>
         <member>get_quota</member>
+        <member>get_real_filename</member>
         <member>get_shadow_copy_data</member>
-        <member>getlock</member>
         <member>getwd</member>
         <member>getxattr</member>
+        <member>getxattrat_recv</member>
+        <member>getxattrat_send</member>
+        <member>is_offline</member>
         <member>kernel_flock</member>
-        <member>link</member>
+        <member>lchown</member>
+        <member>linkat</member>
         <member>linux_setlease</member>
         <member>listxattr</member>
         <member>lock</member>
         <member>lseek</member>
         <member>lstat</member>
-        <member>mkdir</member>
-        <member>mknod</member>
+        <member>mkdirat</member>
+        <member>mknodat</member>
+        <member>ntimes</member>
+        <member>offload_read_recv</member>
+        <member>offload_read_send</member>
+        <member>offload_write_recv</member>
+        <member>offload_write_send</member>
         <member>open</member>
         <member>opendir</member>
         <member>pread</member>
+        <member>pread_recv</member>
+        <member>pread_send</member>
         <member>pwrite</member>
+        <member>pwrite_recv</member>
+        <member>pwrite_send</member>
         <member>read</member>
         <member>readdir</member>
-        <member>readlink</member>
+        <member>readdir_attr</member>
+        <member>readlinkat</member>
         <member>realpath</member>
+        <member>recvfile</member>
         <member>removexattr</member>
-        <member>rename</member>
+        <member>renameat</member>
         <member>rewinddir</member>
-        <member>rmdir</member>
         <member>seekdir</member>
         <member>sendfile</member>
         <member>set_compression</member>
-        <member>set_nt_acl</member>
+        <member>set_dos_attributes</member>
+        <member>set_offline</member>
         <member>set_quota</member>
         <member>setxattr</member>
         <member>snap_check_path</member>
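Review bot: this hunk removes `chown`, `link`, `mkdir`, `mknod`, `readlink`, `rename` and `rmdir` from the documented list and adds `lchown`, `linkat`, `mkdirat`, `mknodat`, `readlinkat` and `renameat` in their place, but nothing in the manpage tells an administrator whose smb.conf still contains, for example, `full_audit:success = mkdir rename` that those names no longer exist and will no longer match the renamed operations. Suggest a short paragraph above the `<simplelist>` listing the old name to new name mapping, and consider keeping the generating command from the commit message as an XML comment next to the list so the next refresh is reproducible.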
@@ -99,15 +137,19 @@
         <member>snap_delete</member>
         <member>stat</member>
         <member>statvfs</member>
-        <member>symlink</member>
+        <member>streaminfo</member>
+        <member>strict_lock_check</member>
+        <member>symlinkat</member>
+        <member>sys_acl_blob_get_fd</member>
+        <member>sys_acl_blob_get_file</member>
         <member>sys_acl_delete_def_file</member>
         <member>sys_acl_get_fd</member>
         <member>sys_acl_get_file</member>
         <member>sys_acl_set_fd</member>
         <member>sys_acl_set_file</member>
         <member>telldir</member>
-        <member>unlink</member>
-        <member>utime</member>
+        <member>translate_name</member>
+        <member>unlinkat</member>
         <member>write</member>
 	</simplelist>
 
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index cdbbbdcef3d..1bfb72af690 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -959,6 +959,9 @@ sub setup_fileserver
 	my $usershare_sharedir="$share_dir/usershares";
 	push(@dirs,$usershare_sharedir);
 
+	my $bad_iconv_sharedir="$share_dir/bad_iconv";
+	push(@dirs, $bad_iconv_sharedir);
+
 	my $fileserver_options = "
 	kernel change notify = yes
 	rpc_server:mdssvc = embedded
@@ -1039,6 +1042,12 @@ sub setup_fileserver
 	path = $share_dir
 	comment = force group test
 #	force group = everyone
+
+[bad_iconv]
+	path = $bad_iconv_sharedir
+	comment = smb username is [%U]
+	vfs objects =
+
 [homes]
 	comment = Home directories
 	browseable = No
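Review bot: `comment = smb username is [%U]` in the new `[bad_iconv]` share looks copied from another test share and says nothing about what this share is for; suggest `comment = bad iconv test share`, since `%U` substitution is not what the iconv test exercises. The empty `vfs objects =` line is fine if the intent is to override a global module list for this share, but a one-line comment stating that intent would stop the next reader from treating it as a leftover.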
@@ -1107,6 +1116,17 @@ sub setup_fileserver
         close(VALID_USERS_TARGET);
         chmod 0644, $valid_users_target;
 
+	##
+	## create a valid utf8 filename which is invalid as a CP850 conversion
+	##
+        my $bad_iconv_target = "$bad_iconv_sharedir/\xED\x9F\xBF";
+        unless (open(BAD_ICONV_TARGET, ">$bad_iconv_target")) {
+                warn("Unable to open $bad_iconv_target");
+                return undef;
+        }
+        close(BAD_ICONV_TARGET);
+        chmod 0644, $bad_iconv_target;
+
 	return $vars;
 }
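Review bot: indentation in this hunk mixes tab-indented `##` comment lines with space-indented code (the neighbouring `VALID_USERS_TARGET` block is space-indented), so align the comment with the code. The comment should also say why `\xED\x9F\xBF` was chosen: it encodes U+D7FF, the last code point before the surrogate range, which is well-formed UTF-8 but has no CP850 mapping, and that is the exact property the client-side test depends on.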
 
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 495ef5d3325..cd9c1082681 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
 					enum ads_extended_dn_flags flags,
 					struct dom_sid *sid);
 char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
+                                            ADS_STRUCT *ads,
+                                            const char *machine_name,
+                                            char ***hostnames_array,
+                                            size_t *num_hostnames);
 char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
 bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
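Review bot: the new prototype does not document ownership of the out-parameters. The caller in kerberos_keytab.c passes `tmpctx` and never frees `hostnames_array`, so presumably the array and its strings are talloc children of `mem_ctx`; a short comment here saying so, and stating what `*num_hostnames` is when the attribute is absent (0 with success, or an error status), saves readers a trip to ldap.c. The continuation lines are also space-aligned while the surrounding declarations in this header use tabs.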
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 7d193e1a600..da363741d10 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -228,86 +228,26 @@ out:
 	return ok;
 }
 
-/**********************************************************************
- Adds a single service principal, i.e. 'host' to the system keytab
-***********************************************************************/
-
-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
+static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
+			       ADS_STRUCT *ads, const char *salt_princ_s,
+			       krb5_keytab keytab, krb5_kvno kvno,
+			       const char *srvPrinc, const char *my_fqdn,
+			       krb5_data *password, bool update_ads)
 {
 	krb5_error_code ret = 0;
-	krb5_context context = NULL;
-	krb5_keytab keytab = NULL;
-	krb5_data password;
-	krb5_kvno kvno;
-        krb5_enctype enctypes[6] = {
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
+	char *princ_s = NULL;
+	char *short_princ_s = NULL;
+	krb5_enctype enctypes[4] = {
 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
 		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
 #endif
 		ENCTYPE_ARCFOUR_HMAC,
 		0
 	};
-	char *princ_s = NULL;
-	char *short_princ_s = NULL;
-	char *salt_princ_s = NULL;
-	char *password_s = NULL;
-	char *my_fqdn;
-	TALLOC_CTX *tmpctx = NULL;
-	int i;
-
-	ret = smb_krb5_init_context_common(&context);
-	if (ret) {
-		DBG_ERR("kerberos init context failed (%s)\n",
-			error_message(ret));
-		return -1;
-	}
-
-	ret = ads_keytab_open(context, &keytab);
-	if (ret != 0) {
-		goto out;
-	}
-
-	/* retrieve the password */
-	if (!secrets_init()) {
-		DEBUG(1, (__location__ ": secrets_init failed\n"));
-		ret = -1;
-		goto out;
-	}
-	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-	if (!password_s) {
-		DEBUG(1, (__location__ ": failed to fetch machine password\n"));
-		ret = -1;
-		goto out;
-	}
-	ZERO_STRUCT(password);
-	password.data = password_s;
-	password.length = strlen(password_s);
-
-	/* we need the dNSHostName value here */
-	tmpctx = talloc_init(__location__);
-	if (!tmpctx) {
-		DEBUG(0, (__location__ ": talloc_init() failed!\n"));
-		ret = -1;
-		goto out;
-	}
-
-	my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
-	if (!my_fqdn) {
-		DEBUG(0, (__location__ ": unable to determine machine "
-			  "account's dns name in AD!\n"));
-		ret = -1;
-		goto out;
-	}
-
-	/* make sure we have a single instance of a the computer account */
-	if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
-		DEBUG(0, (__location__ ": unable to determine machine "
-			  "account's short name in AD!\n"));
-		ret = -1;
-		goto out;
-	}
+	size_t i;
 
 	/* Construct our principal */
 	if (strchr_m(srvPrinc, '@')) {
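Review bot: the extracted helper still lists `ENCTYPE_ARCFOUR_HMAC` unconditionally after the AES types, so every principal it is called for, now including each additional DNS hostname from the caller, gets an RC4 key written to the system keytab. That is pre-existing behaviour, but since this refactor makes the `enctypes[]` table the single place the decision is made, consider making the RC4 entry conditional (for example on a configuration setting) so that sites which have disabled RC4 in their realm do not keep an RC4-derived key on disk. Reordering AES256 ahead of AES128 in the same table is consistent with the separate "prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96" commit in this push.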
@@ -356,22 +296,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
 		}
 	}
 
-	kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
-	if (kvno == -1) {
-		/* -1 indicates failure, everything else is OK */
-		DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
-			 "determine the system's kvno.\n"));
-		ret = -1;
-		goto out;
-	}
-
-	salt_princ_s = kerberos_secrets_fetch_salt_princ();
-	if (salt_princ_s == NULL) {
-		DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
-		ret = -1;
-		goto out;
-	}
-
 	for (i = 0; enctypes[i]; i++) {
 
 		/* add the fqdn principal to the keytab */
@@ -381,11 +305,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
 					    princ_s,
 					    salt_princ_s,
 					    enctypes[i],
-					    &password,
+					    password,
 					    false,
 					    false);
 		if (ret) {
-			DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
+			DBG_WARNING("Failed to add entry to keytab\n");
 			goto out;
 		}
 
@@ -397,12 +321,126 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
 						    short_princ_s,
 						    salt_princ_s,
 						    enctypes[i],
-						    &password,
+						    password,
 						    false,
 						    false);
 			if (ret) {
-				DEBUG(1, (__location__
-					  ": Failed to add short entry to keytab\n"));
+				DBG_WARNING("Failed to add short entry to keytab\n");
+				goto out;
+			}
+		}
+	}
+out:
+	return ret;
+}
+
+/**********************************************************************
+ Adds a single service principal, i.e. 'host' to the system keytab
+***********************************************************************/
+
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
+{
+	krb5_error_code ret = 0;
+	krb5_context context = NULL;
+	krb5_keytab keytab = NULL;
+	krb5_data password;
+	krb5_kvno kvno;
+	char *salt_princ_s = NULL;
+	char *password_s = NULL;
+	char *my_fqdn;
+	TALLOC_CTX *tmpctx = NULL;
+	char **hostnames_array = NULL;
+	size_t num_hostnames = 0;
+
+	ret = smb_krb5_init_context_common(&context);
+	if (ret) {
+		DBG_ERR("kerberos init context failed (%s)\n",
+			error_message(ret));
+		return -1;
+	}
+
+	ret = ads_keytab_open(context, &keytab);
+	if (ret != 0) {
+		goto out;
+	}
+
+	/* retrieve the password */
+	if (!secrets_init()) {
+		DBG_WARNING("secrets_init failed\n");
+		ret = -1;
+		goto out;
+	}
+	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+	if (!password_s) {
+		DBG_WARNING("failed to fetch machine password\n");
+		ret = -1;
+		goto out;
+	}
+	ZERO_STRUCT(password);
+	password.data = password_s;
+	password.length = strlen(password_s);
+
+	/* we need the dNSHostName value here */
+	tmpctx = talloc_init(__location__);
+	if (!tmpctx) {
+		DBG_ERR("talloc_init() failed!\n");
+		ret = -1;
+		goto out;
+	}
+
+	my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
+	if (!my_fqdn) {
+		DBG_ERR("unable to determine machine account's dns name in "
+			"AD!\n");
+		ret = -1;
+		goto out;
+	}
+
+	/* make sure we have a single instance of a the computer account */
+	if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
+		DBG_ERR("unable to determine machine account's short name in "
+			"AD!\n");
+		ret = -1;
+		goto out;
+	}
+
+	kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
+	if (kvno == -1) {
+		/* -1 indicates failure, everything else is OK */
+		DBG_WARNING("ads_get_machine_kvno failed to determine the "
+			    "system's kvno.\n");
+		ret = -1;
+		goto out;
+	}
+
+	salt_princ_s = kerberos_secrets_fetch_salt_princ();
+	if (salt_princ_s == NULL) {
+		DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
+		ret = -1;
+		goto out;
+	}
+
+	ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
+				  kvno, srvPrinc, my_fqdn, &password,
+				  update_ads);
+	if (ret != 0) {
+		goto out;
+	}
+
+	if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
+							lp_netbios_name(),
+							&hostnames_array,
+							&num_hostnames))) {
+		size_t i;
+
+		for (i = 0; i < num_hostnames; i++) {
+
+			ret = add_kt_entry_etypes(context, tmpctx, ads,
+						  salt_princ_s, keytab,
+						  kvno, srvPrinc,
+						  hostnames_array[i],
+						  &password, update_ads);
+			if (ret != 0) {
 				goto out;
 			}
 		}
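Review bot: the `ads_get_additional_dns_hostnames()` result is only checked with `ADS_ERR_OK()` and a failure is dropped without a log line, so an LDAP error (as opposed to the attribute simply not being set) leaves the keytab without the msDS-AdditionalDnsHostName principals and no trace of why. Suggest an `else` branch that logs at `DBG_WARNING` with the ADS status text, and have the lookup return success with `num_hostnames == 0` when the attribute is absent so the two cases are distinguishable. Aborting on the first failed `add_kt_entry_etypes()` call before processing the aliases is the right order, since the primary dNSHostName principal should be in the keytab before any alias.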
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index f0fcf9fcd56..f6fde5e19e1 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn)
 		"unicodePwd",
 


-- 
Samba Shared Repository