[PATCHES] site-aware Kerberos authentication during domain join

Alexander Bokovoy ab at samba.org
Tue Jun 14 19:50:28 UTC 2016


On Mon, 07 Mar 2016, Jeremy Allison wrote:
> On Thu, Mar 03, 2016 at 09:44:46AM +0200, Uri Simchoni wrote:
> > Hi,
> > 
> > Attached please find a fix for
> > https://bugzilla.samba.org/show_bug.cgi?id=11769.
> > 
> > The bug description explains why this may be important.
> > 
> > The fix enables site-aware Kerberos during execution of "net ads
> > join -k", even if winbindd is not started (so the locator cannot be
> > used).
> > 
> > This works only if the user specified the domain's DNS name (which
> > is assumed to be equal to the Kerberos realm). If the user didn't
> > specify it (e.g. only specified flat domain name or server to use),
> > we need to securely contact a DC to determine the domain's DNS name,
> > so we cannot pre-configure Kerberos.
> > 
> > Review appreciated.
> 
> LGTM. Pushed ! Thanks.
I think this is not enough. We don't use the discovered site name later in
the process, as the private krb5.conf will be rewritten after the call to
libnet_join_check_config.

The attached patch makes sure we pass the sitename to the new krb5.conf.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 1c0bff335441a1beaa2d12ce12526d8388e776f7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Tue, 14 Jun 2016 22:37:31 +0300
Subject: [PATCH] libnet_join: use sitename if it was set by pre-join detection

When a domain member is joined to AD, we need to use the same DC to
authenticate against after the join, because the machine account might
not be replicated yet to other domain controllers, including off-site ones.

Bug https://bugzilla.samba.org/show_bug.cgi?id=11769 dealt with
detection of the site pre-join. However, we rewrite private local
krb5.conf afterwards without taking the discovered site name into
account.

Fix this by reusing the site discovered pre-join.

Signed-off-by: Alexander Bokovoy <ab at samba.org>
---
 source3/libnet/libnet_join.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a28864d..c007183 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2500,7 +2500,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
 
 	create_local_private_krb5_conf_for_domain(
 		r->out.dns_domain_name, r->out.netbios_domain_name,
-		NULL, smbXcli_conn_remote_sockaddr(cli->conn));
+		sitename, smbXcli_conn_remote_sockaddr(cli->conn));
 
 	if (r->out.domain_is_ad &&
 	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
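
Review bot: `sitename` is neither declared nor assigned anywhere in the visible hunk, and the value it replaces was a literal NULL, so please confirm it is in scope at this point in libnet_DomainJoin and is initialised to NULL when the pre-join detection found no site; otherwise the call may pass an uninitialised pointer where NULL was passed before. A short comment above the `create_local_private_krb5_conf_for_domain(` call saying where `sitename` is set (the pre-join site detection the commit message refers to) would also help the next reader, since the connection between the two code paths is not visible here.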
-- 
2.7.4
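
The ordering problem the thread is about, as an added example that is not Samba's code and not the patch above: build a private krb5.conf for a freshly joined host so that the DC which performed the join is tried first (it is the only one guaranteed to hold the new machine account), followed by the KDCs of the discovered site, then the realm-wide list. DNS answers are replaced by a constructed table; the SRV names (`_kerberos._tcp.<site>._sites.<domain>` and `_kerberos._tcp.<domain>`) follow standard AD naming but are an assumption here, as are the domain, site and addresses used.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS SRV answers: name -> [(priority, weight, port, target)].
# Assumption: AD's usual record names, realm-wide _kerberos._tcp.<domain> and
# site-scoped _kerberos._tcp.<site>._sites.<domain>. Hosts and site are made up.
FAKE_SRV: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_kerberos._tcp.Paris._sites.example.com": [
        (0, 100, 88, "dc-paris.example.com"),
    ],
    "_kerberos._tcp.example.com": [
        (0, 100, 88, "dc-hq.example.com"),
        (10, 100, 88, "dc-paris.example.com"),
    ],
}


def kerberos_srv_name(realm_dns: str, sitename: Optional[str]) -> str:
    """Return the SRV name to query for KDCs, site-scoped when a site is known."""
    if sitename:
        return f"_kerberos._tcp.{sitename}._sites.{realm_dns}"
    return f"_kerberos._tcp.{realm_dns}"


def lookup_srv(name: str, srv=FAKE_SRV) -> List[str]:
    """Resolve an SRV name against the constructed table, lowest priority first,
    higher weight first within a priority. Port 88 is the Kerberos default and
    is omitted from the rendered entry."""
    records = sorted(srv.get(name, []), key=lambda r: (r[0], -r[1]))
    return [target if port == 88 else f"{target}:{port}"
            for _priority, _weight, port, target in records]


def kdc_list(realm_dns: str, sitename: Optional[str], join_dc: str,
             srv=FAKE_SRV) -> List[str]:
    """Order KDCs: the DC that performed the join first, then the site's KDCs
    (only if a site was discovered pre-join), then the realm-wide list.
    Duplicates are dropped; the first occurrence keeps its position."""
    candidates = [join_dc]
    if sitename:
        candidates += lookup_srv(kerberos_srv_name(realm_dns, sitename), srv)
    candidates += lookup_srv(kerberos_srv_name(realm_dns, None), srv)
    ordered: List[str] = []
    for kdc in candidates:
        if kdc not in ordered:
            ordered.append(kdc)
    return ordered


def render_krb5_conf(realm_dns: str, sitename: Optional[str], join_dc: str,
                     srv=FAKE_SRV) -> str:
    """Render a minimal krb5.conf pinning the KDC order computed above.
    In MIT krb5 explicit kdc entries for a realm take precedence over SRV
    discovery, so this order is what the library will actually use."""
    realm = realm_dns.upper()
    lines = [
        "[libdefaults]",
        f"\tdefault_realm = {realm}",
        "\tdns_lookup_realm = false",
        "",
        "[realms]",
        f"\t{realm} = {{",
    ]
    lines += [f"\t\tkdc = {kdc}" for kdc in kdc_list(realm_dns, sitename, join_dc, srv)]
    lines += [
        "\t}",
        "",
        "[domain_realm]",
        f"\t.{realm_dns} = {realm}",
        f"\t{realm_dns} = {realm}",
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Site known from pre-join detection: join DC, then Paris KDCs, then the rest.
    print(render_krb5_conf("example.com", "Paris", "10.0.1.5"))
    # No site known: join DC, then the realm-wide list in SRV priority order.
    print(render_krb5_conf("example.com", None, "10.0.1.5"))
```

Passing `None` for the site reproduces the behaviour before the patch: the join DC is still first, but the off-site KDCs from the realm-wide record come straight after it, which is exactly what the site-scoped query is there to avoid.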


