[PATCH] Joining domains specifying auth realm
Andrew Bartlett
abartlet at samba.org
Fri Apr 25 10:50:47 GMT 2003
On Fri, 2003-04-25 at 01:04, Ken Cross wrote:
> > -----Original Message-----
> > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > Sent: Thursday, April 24, 2003 9:05 AM
> > To: Ken Cross
> > Cc: 'Multiple recipients of list SAMBA-TECHNICAL'; 'Andrew Bartlett'
> > Subject: RE: [PATCH] Joining domains specifying auth realm
> >
> >
> > On Tue, 2003-03-18 at 00:47, Ken Cross wrote:
> > > Andrew:
> > >
> > > Patch to HEAD below -- sorry, should have realized that.
> > >
> > > The reason I had to change it was that ads_set_machine_password uses
> > > ads->auth.realm to build the principal name. Should that be
> > > ads->config.realm?
> >
> > I think it should.
> >
> > Can you give me current (and fixed) version of this patch for
> > 3.0? I would love to get it in before the feature freeze.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett abartlet at pcug.org.au
> > Manager, Authentication Subsystems, Samba Team abartlet at samba.org
> > Student Network Administrator, Hawker College abartlet at hawkerc.net
> > http://samba.org http://build.samba.org http://hawkerc.net
> >
>
> Andrew:
>
> Patches for SAMBA_3_0 below.
>
> Ken
Comments below:
> Index: libads/krb5_setpw.c
> ===================================================================
> RCS file: /cvsroot/samba/source/libads/krb5_setpw.c,v
> retrieving revision 1.7.2.7
> diff -p -u -r1.7.2.7 krb5_setpw.c
> --- libads/krb5_setpw.c 17 Mar 2003 22:58:24 -0000 1.7.2.7
> +++ libads/krb5_setpw.c 24 Apr 2003 14:54:14 -0000
> @@ -678,7 +678,7 @@ ADS_STATUS ads_set_machine_password(ADS_
> we need to use the '$' form of the name here, as otherwise the
> server might end up setting the password for a user instead
> */
> - asprintf(&principal, "%s$@%s", host, ads->auth.realm);
> + asprintf(&principal, "%s$@%s", host, ads->config.realm);
>
> status = krb5_set_password(ads->auth.kdc_server, principal,
> password, ads->auth.time_offset);
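Review bot: the return value of asprintf on the changed line is not checked, so if the allocation fails, principal is left undefined and is then passed straight to krb5_set_password. Suggest testing the result (asprintf returns -1 on failure) and returning an out-of-memory status before the call. Since the principal is now built from ads->config.realm, it is also worth confirming that field is always populated by the time ads_set_machine_password runs; nothing in the visible lines checks it for NULL.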
This looks good.
> Index: utils/net_ads.c
> ===================================================================
> RCS file: /cvsroot/samba/source/utils/net_ads.c,v
> retrieving revision 1.37.2.15
> diff -p -u -r1.37.2.15 net_ads.c
> --- utils/net_ads.c 14 Apr 2003 22:27:09 -0000 1.37.2.15
> +++ utils/net_ads.c 24 Apr 2003 14:54:35 -0000
> @@ -109,6 +109,9 @@ static int net_ads_info(int argc, const
> d_printf("LDAP port: %d\n", ads->ldap_port);
> d_printf("Server time: %s\n",
> http_timestring(ads->config.current_time));
>
> + d_printf("KDC server: %s\n", ads->auth.kdc_server );
> /* KJC */
> + d_printf("Server time offset: %d\n", ads->auth.time_offset );
> /* KJC */
> +
> return 0;
> }
>
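Review bot: the two added d_printf lines in net_ads_info pass ads->auth.kdc_server to %s with no NULL check, so if that field can be unset when the info is printed the output is undefined on some platforms. Suggest printing a placeholder string when it is NULL, and confirming that ads->auth.time_offset is an int to match %d. The trailing /* KJC */ author tags and the space before the closing parenthesis do not match the surrounding d_printf calls and should be dropped before this is committed.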
> @@ -124,6 +127,7 @@ static ADS_STRUCT *ads_startup(void)
> ADS_STATUS status;
> BOOL need_password = False;
> BOOL second_time = False;
> + char *cp, *realm_save = NULL;
>
> ads = ads_init(NULL, NULL, opt_host);
>
> @@ -150,7 +154,29 @@ retry:
>
> ads->auth.user_name = strdup(opt_user_name);
>
> + /*
> + * If the username is of the form "name at realm",
> + * extract the realm and convert to upper case.
> + * This is only used to establish the connection.
> + */
> + realm_save = ads->auth.realm;
> + if (cp = strchr(ads->auth.user_name, '@')) {
> + *cp++ = '\0';
> + ads->auth.realm = cp;
> + strupper(ads->auth.realm);
> + }
> +
> status = ads_connect(ads);
> +
> + /*
> + * Restore the realm name. If there wasn't one,
> + * default to the configuration realm.
> + */
> + if( realm_save == NULL )
> + realm_save = strdup(ads->config.realm);
> +
> + ads->auth.realm = realm_save;
> +
> if (!ADS_ERR_OK(status)) {
> if (!need_password && !second_time) {
> need_password = True;
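Review bot: the restore block after ads_connect calls strdup(ads->config.realm) before the ADS_ERR_OK(status) check, so on a failed connect, where the config realm may never have been filled in, strdup can be handed NULL. Suggest moving the restore below the status check or guarding it with a test on ads->config.realm. While the connect runs, ads->auth.realm points into the strdup'ed user_name buffer, so two fields share one allocation and any later free of auth.realm would be wrong if the restore is skipped. The condition "if (cp = strchr(ads->auth.user_name, '@'))" should be written with an explicit comparison, (cp = strchr(...)) != NULL, so it is not mistaken for a typo of == and does not trip compiler warnings.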
I'm still not convinced on this bit - why do we need to restore it? If
we did the authentication during the ads_connect, why do we need to set
it back?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net