[PATCHES] site-aware Kerberos authentication during domain join

Alexander Bokovoy ab at samba.org
Wed Jun 15 07:01:17 UTC 2016


On Wed, 15 Jun 2016, Alexander Bokovoy wrote:
> On Wed, 15 Jun 2016, Andreas Schneider wrote:
> > On Tuesday, 14 June 2016 22:50:28 CEST Alexander Bokovoy wrote:
> > > On Mon, 07 Mar 2016, Jeremy Allison wrote:
> > > > On Thu, Mar 03, 2016 at 09:44:46AM +0200, Uri Simchoni wrote:
> > > > > Hi,
> > > > > 
> > > > > Attached please find a fix for
> > > > > https://bugzilla.samba.org/show_bug.cgi?id=11769.
> > > > > 
> > > > > The bug description explains why this may be important.
> > > > > 
> > > > > The fix enables site-aware Kerberos during execution of "net ads
> > > > > join -k", even if winbindd is not started (so the locator cannot be
> > > > > used).
> > > > > 
> > > > > This works only if the user specified the domain's DNS name (which
> > > > > is assumed to be equal to the Kerberos realm). If the user didn't
> > > > > specify it (e.g. only specified flat domain name or server to use),
> > > > > we need to securely contact a DC to determine the domain's DNS name,
> > > > > so we cannot pre-configure Kerberos.
> > > > > 
> > > > > Review appreciated.
> > > > 
> > > > LGTM. Pushed ! Thanks.
> > > 
> > > I think this is not enough. We don't use discovered site name later in
> > > the process as private krb5.conf will be rewritten after the call to
> > > libnet_join_check_config.
> > > 
> > > Attached patch makes sure we pass sitename to the new krb5.conf.
> > 
> > Awesome, we need backports of this!!!
> 4.4 'backport' is exactly the same patch, down to the diff offset. Once the
> autobuild passes, I'll do cherry-picking and add a new bug.
New bug: https://bugzilla.samba.org/show_bug.cgi?id=11975

Patch with BUG: line attached.
-- 
/ Alexander Bokovoy
-------------- next part --------------
From 1c0bff335441a1beaa2d12ce12526d8388e776f7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Tue, 14 Jun 2016 22:37:31 +0300
Subject: [PATCH] libnet_join: use sitename if it was set by pre-join detection

When a domain member is joined to AD, we need to use the same DC to
authenticate against after the join because the machine account might
not be replicated yet to other domain controllers, including off-site ones.

Bug https://bugzilla.samba.org/show_bug.cgi?id=11769 dealt with
detection of the site pre-join. However, we rewrite the private local
krb5.conf afterwards without taking the discovered site name into
account.

Fix this by reusing the site discovered pre-join.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11975

Signed-off-by: Alexander Bokovoy <ab at samba.org>
---
 source3/libnet/libnet_join.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a28864d..c007183 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2500,7 +2500,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
 
 	create_local_private_krb5_conf_for_domain(
 		r->out.dns_domain_name, r->out.netbios_domain_name,
-		NULL, smbXcli_conn_remote_sockaddr(cli->conn));
+		sitename, smbXcli_conn_remote_sockaddr(cli->conn));
 
 	if (r->out.domain_is_ad &&
 	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
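Review bot: the hunk swaps the hard-coded NULL for `sitename` in the call to create_local_private_krb5_conf_for_domain, but nothing in the visible context shows where `sitename` is declared or assigned; please confirm it is the variable populated by the pre-join site detection from bug 11769 and that it is initialised to NULL on every path where that detection did not run (winbindd unavailable, only a flat domain name or server given), so the call keeps its previous non-site behaviour when no site was discovered rather than reading an uninitialised pointer. A one-line comment above the call noting that `sitename` may be NULL and comes from the pre-join lookup would make the dependency explicit for the next reader of libnet_DomainJoin.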
-- 
2.7.4