[PATCH] Joining domains specifying auth realm

Andrew Bartlett abartlet at samba.org
Fri Apr 25 10:50:47 GMT 2003


On Fri, 2003-04-25 at 01:04, Ken Cross wrote:
> > -----Original Message-----
> > From: Andrew Bartlett [mailto:abartlet at samba.org] 
> > Sent: Thursday, April 24, 2003 9:05 AM
> > To: Ken Cross
> > Cc: 'Multiple recipients of list SAMBA-TECHNICAL'; 'Andrew Bartlett'
> > Subject: RE: [PATCH] Joining domains specifying auth realm
> > 
> > 
> > On Tue, 2003-03-18 at 00:47, Ken Cross wrote:
> > > Andrew:
> > > 
> > > Patch to HEAD below -- sorry, should have realized that.
> > > 
> > > The reason I had to change it was that ads_set_machine_password uses
> > > ads->auth.realm to build the principal name.  Should that be 
> > > ads->config.realm?
> > 
> > I think it should.
> > 
> > Can you give me current (and fixed) version of this patch for 
> > 3.0?  I would love to get it in before the feature freeze.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett                                 abartlet at pcug.org.au
> > Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> > Student Network Administrator, Hawker College   abartlet at hawkerc.net
> > http://samba.org     http://build.samba.org     http://hawkerc.net
> >
> 
> Andrew:
> 
> Patches for SAMBA_3_0 below.
> 
> Ken

Comments below:

> Index: libads/krb5_setpw.c
> ===================================================================
> RCS file: /cvsroot/samba/source/libads/krb5_setpw.c,v
> retrieving revision 1.7.2.7
> diff -p -u -r1.7.2.7 krb5_setpw.c
> --- libads/krb5_setpw.c 17 Mar 2003 22:58:24 -0000      1.7.2.7
> +++ libads/krb5_setpw.c 24 Apr 2003 14:54:14 -0000
> @@ -678,7 +678,7 @@ ADS_STATUS ads_set_machine_password(ADS_
>           we need to use the '$' form of the name here, as otherwise the
>           server might end up setting the password for a user instead
>          */
> -       asprintf(&principal, "%s$@%s", host, ads->auth.realm);
> +       asprintf(&principal, "%s$@%s", host, ads->config.realm);
>         
>         status = krb5_set_password(ads->auth.kdc_server, principal,
> password, ads->auth.time_offset);
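Review bot: the return value of `asprintf` on the `+` line is still unchecked, so on allocation failure `principal` is indeterminate when it is handed to `krb5_set_password`; test for `-1` and return an out-of-memory status before the call. The switch from `ads->auth.realm` to `ads->config.realm` itself is the right fix: the machine principal `host$@REALM` must name the realm the machine account is joined to, which is what the server advertised, not whatever realm the administrator happened to authenticate from (the `user@OTHER.REALM` case the net_ads.c change introduces).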

This looks good.  

> Index: utils/net_ads.c
> ===================================================================
> RCS file: /cvsroot/samba/source/utils/net_ads.c,v
> retrieving revision 1.37.2.15
> diff -p -u -r1.37.2.15 net_ads.c
> --- utils/net_ads.c     14 Apr 2003 22:27:09 -0000      1.37.2.15
> +++ utils/net_ads.c     24 Apr 2003 14:54:35 -0000
> @@ -109,6 +109,9 @@ static int net_ads_info(int argc, const 
>         d_printf("LDAP port: %d\n", ads->ldap_port);
>         d_printf("Server time: %s\n",
> http_timestring(ads->config.current_time));
>  
> +       d_printf("KDC server: %s\n", ads->auth.kdc_server );
> /* KJC */
> +       d_printf("Server time offset: %d\n", ads->auth.time_offset );
> /* KJC */
> +
>         return 0;
>  }
>  
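Review bot: the two added `d_printf` lines print `ads->auth.kdc_server` through `%s` unconditionally; if the preceding connect did not populate it, that is a NULL pointer passed to a printf-style format, which is undefined behaviour, so print a placeholder such as `"(none)"` when it is NULL. The `/* KJC */` author tags should also be dropped before this goes in; the CVS history already records who added the lines.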
> @@ -124,6 +127,7 @@ static ADS_STRUCT *ads_startup(void)
>         ADS_STATUS status;
>         BOOL need_password = False;
>         BOOL second_time = False;
> +       char *cp, *realm_save = NULL;
>         
>         ads = ads_init(NULL, NULL, opt_host);
>  
> @@ -150,7 +154,29 @@ retry:
>  
>         ads->auth.user_name = strdup(opt_user_name);
>  
> +       /*
> +        * If the username is of the form "name at realm", 
> +        * extract the realm and convert to upper case.
> +        * This is only used to establish the connection.
> +        */
> +       realm_save = ads->auth.realm;
> +       if (cp = strchr(ads->auth.user_name, '@')) {
> +               *cp++ = '\0';
> +               ads->auth.realm = cp;
> +               strupper(ads->auth.realm);
> +       }
> +
>         status = ads_connect(ads);
> +
> +       /*
> +        * Restore the realm name.  If there wasn't one,
> +        * default to the configuration realm.
> +        */
> +       if( realm_save == NULL )
> +               realm_save = strdup(ads->config.realm);
> +
> +       ads->auth.realm = realm_save;
> +
>         if (!ADS_ERR_OK(status)) {
>                 if (!need_password && !second_time) {
>                         need_password = True;
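Review bot: the `realm_save = strdup(ads->config.realm)` fallback runs before `status` is inspected, so when `ads_connect` fails without ever filling in `ads->config.realm` this is `strdup(NULL)`; either guard it or move the default-to-config step under the success path. Write the realm test as `if ((cp = strchr(ads->auth.user_name, '@')) != NULL)` so the assignment is explicit and the compiler stops warning about it. While the override is in effect `ads->auth.realm` points into the middle of the `user_name` buffer, so nothing between `ads->auth.realm = cp;` and the restore may free or replace `ads->auth.realm`; a comment saying so next to that line would save the next reader from having to work it out.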

I'm still not convinced on this bit - why do we need to restore it? If
we did the authentication during the ads_connect, why do we need to set
it back?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net