[PATCHES] site-aware Kerberos authentication during domain join

Uri Simchoni uri at samba.org
Thu Mar 3 07:44:46 UTC 2016


Hi,

Attached please find a fix for
https://bugzilla.samba.org/show_bug.cgi?id=11769.

The bug description explains why this may be important.

The fix enables site-aware Kerberos during execution of "net ads join 
-k", even if winbindd is not started (so the locator cannot be used).

This works only if the user specified the domain's DNS name (which is 
assumed to be equal to the Kerberos realm). If the user didn't specify 
it (e.g. only specified flat domain name or server to use), we need to 
securely contact a DC to determine the domain's DNS name, so we cannot 
pre-configure Kerberos.

Review appreciated.
Thanks,
Uri.
-------------- next part --------------
From abc61757a7331eaf04d1023a41058b304a7f4cf9 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Thu, 3 Mar 2016 09:18:44 +0200
Subject: [PATCH 1/3] dsgetdcname: return an IP address on rediscovery

When dsgetdcname return its result based on discovery
process (instead of retrieving cached value), always
return the found server's IP address in dc_address field,
rather than its netbios name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source3/libsmb/dsgetdcname.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index a63ba5a..1033329 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -792,14 +792,14 @@ static NTSTATUS make_dc_info_from_cldap_reply(TALLOC_CTX *mem_ctx,
 		print_sockaddr(addr, sizeof(addr), ss);
 		dc_address = addr;
 		dc_address_type = DS_ADDRESS_TYPE_INET;
-	}
-
-	if (!ss && r->sockaddr.pdc_ip) {
-		dc_address	= r->sockaddr.pdc_ip;
-		dc_address_type	= DS_ADDRESS_TYPE_INET;
 	} else {
-		dc_address      = r->pdc_name;
-		dc_address_type = DS_ADDRESS_TYPE_NETBIOS;
+		if (r->sockaddr.pdc_ip) {
+			dc_address	= r->sockaddr.pdc_ip;
+			dc_address_type	= DS_ADDRESS_TYPE_INET;
+		} else {
+			dc_address      = r->pdc_name;
+			dc_address_type = DS_ADDRESS_TYPE_NETBIOS;
+		}
 	}
 
 	map_dc_and_domain_names(flags,
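Review bot: the nesting fixes a real overwrite, but the commit message oversells it. In the old code the trailing `} else {` paired with the `if (!ss && r->sockaddr.pdc_ip)` check, so whenever `ss` was non-NULL the address just taken from `print_sockaddr()` was immediately replaced by `r->pdc_name` with `DS_ADDRESS_TYPE_NETBIOS`; moving the pdc_ip/pdc_name choice inside the `else` of the `ss` branch is the right fix. Two follow-ups: the inner `if (r->sockaddr.pdc_ip) { ... } else { ... }` can be flattened to `} else if (r->sockaddr.pdc_ip) {` to keep one indentation level, and the message should say "prefer the IP address" rather than "always return" it, since the NetBIOS fallback in the final `else` is still reachable when neither `ss` nor `pdc_ip` is available.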
-- 
2.5.0


From c02e80def037d5906c15a4ea54d1e5ef2208377b Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Thu, 3 Mar 2016 09:18:57 +0200
Subject: [PATCH 2/3] dsgetdcname: fix flag check

Fix the check for zero requested flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source3/libsmb/dsgetdcname.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index 1033329..b5bc51df 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -284,7 +284,7 @@ static uint32_t get_cldap_reply_server_flags(struct netlogon_samlogon_response *
 static bool check_cldap_reply_required_flags(uint32_t ret_flags,
 					     uint32_t req_flags)
 {
-	if (ret_flags == 0) {
+	if (req_flags == 0) {
 		return true;
 	}
 
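Review bot: this one-character change is more than a typo fix and deserves a sentence in the commit message. With `if (ret_flags == 0)` the function returned `true` whenever the CLDAP reply advertised no server flags at all, so a caller's `req_flags` were never checked against such a reply and a DC lacking the requested capabilities could be accepted; with `if (req_flags == 0)` the short-circuit applies only when the caller asked for nothing, which is the intended meaning. A small unit test with `req_flags != 0` and `ret_flags == 0` expecting `false` would pin the corrected behaviour.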
-- 
2.5.0


From 28d1c795f16f881acef98eeb26972b30be569902 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Thu, 3 Mar 2016 09:18:58 +0200
Subject: [PATCH 3/3] libnet: make Kerberos domain join site-aware

When joining a domain using Kerberos authentication, create a
configuration file for the Kerberos libs to prefer on-site
domain controllers, without relying on the winbindd Kerberos
locator, which may not be operational at this stage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source3/libnet/libnet_join.c | 52 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 6dce03c..fc737a2 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2157,6 +2157,17 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
 #ifdef HAVE_ADS
 	ADS_STATUS ads_status;
 #endif /* HAVE_ADS */
+	const char *pre_connect_realm = NULL;
+	const char *numeric_dcip = NULL;
+	const char *sitename = NULL;
+
+	/* Before contacting a DC, we can securely know
+	 * the realm only if the user specifies it.
+	 */
+	if (r->in.use_kerberos &&
+	    r->in.domain_name_type == JoinDomNameTypeDNS) {
+		pre_connect_realm = r->in.domain_name;
+	}
 
 	if (!r->in.dc_name) {
 		struct netr_DsRGetDCNameInfo *info;
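Review bot: the comment above `pre_connect_realm` should spell out the assumption the cover letter makes but the code does not: `r->in.domain_name` is used as the Kerberos realm only because a DNS-style domain name is assumed to equal the realm. Since Kerberos realm names are case-sensitive and conventionally upper-case while users commonly type the DNS name in lower case, it is worth confirming that the consumer of `pre_connect_realm` normalises case, or doing so here, otherwise the generated configuration may not match the realm the libraries actually look up. Suggested wording: `/* Before contacting a DC, we can securely know the realm only if the user specified it as a DNS name, which we assume equals the Kerberos realm. */`.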
@@ -2189,6 +2200,47 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
 		dc = strip_hostname(info->dc_unc);
 		r->in.dc_name = talloc_strdup(mem_ctx, dc);
 		W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
+
+		if (info->dc_address == NULL || info->dc_address[0] != '\\' ||
+		    info->dc_address[1] != '\\') {
+			DBG_ERR("ill-formed DC address '%s'\n",
+				info->dc_address);
+			return WERR_DCNOTFOUND;
+		}
+
+		numeric_dcip = info->dc_address + 2;
+		sitename = info->dc_site_name;
+		/* info goes out of scope but the memory stays
+		   allocated on the talloc context */
+	}
+
+	if (pre_connect_realm != NULL) {
+		struct sockaddr_storage ss = {0};
+
+		if (numeric_dcip != NULL) {
+			if (!interpret_string_addr(&ss, numeric_dcip,
+						   AI_NUMERICHOST)) {
+				DBG_ERR(
+				    "cannot parse IP address '%s' of DC '%s'\n",
+				    numeric_dcip, r->in.dc_name);
+				return WERR_DCNOTFOUND;
+			}
+		} else {
+			if (!interpret_string_addr(&ss, r->in.dc_name, 0)) {
+				DBG_WARNING(
+				    "cannot resolve IP address of DC '%s'\n",
+				    r->in.dc_name);
+				return WERR_DCNOTFOUND;
+			}
+		}
+
+		/* The domain parameter is only used as modifier
+		 * to krb5.conf file name. .JOIN is is not a valid
+		 * NetBIOS name so it cannot clash with another domain
+		 * -- Uri.
+		 */
+		create_local_private_krb5_conf_for_domain(
+		    pre_connect_realm, ".JOIN", sitename, &ss);
 	}
 
 	status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
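Review bot: the error path for a malformed address passes a possibly NULL pointer to a `%s` conversion: `if (info->dc_address == NULL || ...)` is followed by `DBG_ERR("ill-formed DC address '%s'\n", info->dc_address);`, which is undefined behaviour when `dc_address` is NULL (glibc happens to print "(null)", other libcs crash). Log `"<NULL>"` in that case, or split the NULL check into its own branch with its own message. Three smaller points in the same hunk: the return value of `create_local_private_krb5_conf_for_domain()` is discarded, so if the private krb5.conf cannot be written the join silently proceeds without the site preference this series is meant to guarantee, and at least a `DBG_WARNING` there would help diagnose it; the comment has a doubled word (".JOIN is is not a valid NetBIOS name") and the "-- Uri." sign-off belongs in git history rather than in the source; and when the user supplied `dc_name` directly the address comes from an ordinary `interpret_string_addr(&ss, r->in.dc_name, 0)` lookup, which is fine but worth a comment noting that in this branch no site information is available (`sitename` stays NULL) and the preference is only for that one resolved address.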
-- 
2.5.0
