[PATCHES] site-aware Kerberos authentication during domain join
Jeremy Allison
jra at samba.org
Mon Mar 7 22:22:47 UTC 2016
On Thu, Mar 03, 2016 at 09:44:46AM +0200, Uri Simchoni wrote:
> Hi,
>
> Attached please find a fix for
> https://bugzilla.samba.org/show_bug.cgi?id=11769.
>
> The bug description explains why this may be important.
>
> The fix enables site-aware Kerberos during execution of "net ads
> join -k", even if winbindd is not started (so the locator cannot be
> used).
>
> This works only if the user specified the domain's DNS name (which
> is assumed to be equal to the Kerberos realm). If the user didn't
> specify it (e.g. only specified flat domain name or server to use),
> we need to securely contact a DC to determine the domain's DNS name,
> so we cannot pre-configure Kerberos.
>
> Review appreciated.
LGTM. Pushed! Thanks.
> From abc61757a7331eaf04d1023a41058b304a7f4cf9 Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Thu, 3 Mar 2016 09:18:44 +0200
> Subject: [PATCH 1/3] dsgetdcname: return an IP address on rediscovery
>
> When dsgetdcname returns its result based on the discovery
> process (instead of retrieving a cached value), always
> return the found server's IP address in the dc_address field,
> rather than its NetBIOS name.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769
>
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
> source3/libsmb/dsgetdcname.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
> index a63ba5a..1033329 100644
> --- a/source3/libsmb/dsgetdcname.c
> +++ b/source3/libsmb/dsgetdcname.c
> @@ -792,14 +792,14 @@ static NTSTATUS make_dc_info_from_cldap_reply(TALLOC_CTX *mem_ctx,
> print_sockaddr(addr, sizeof(addr), ss);
> dc_address = addr;
> dc_address_type = DS_ADDRESS_TYPE_INET;
> - }
> -
> - if (!ss && r->sockaddr.pdc_ip) {
> - dc_address = r->sockaddr.pdc_ip;
> - dc_address_type = DS_ADDRESS_TYPE_INET;
> } else {
> - dc_address = r->pdc_name;
> - dc_address_type = DS_ADDRESS_TYPE_NETBIOS;
> + if (r->sockaddr.pdc_ip) {
> + dc_address = r->sockaddr.pdc_ip;
> + dc_address_type = DS_ADDRESS_TYPE_INET;
> + } else {
> + dc_address = r->pdc_name;
> + dc_address_type = DS_ADDRESS_TYPE_NETBIOS;
> + }
> }
>
> map_dc_and_domain_names(flags,
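Review bot: the restructuring fixes a real clobbering bug in the removed lines: when `ss` was set, the first block stored the INET address, but the separate `if (!ss && r->sockaddr.pdc_ip)` was then false and its `else` overwrote `dc_address` with `r->pdc_name` / `DS_ADDRESS_TYPE_NETBIOS`, so a freshly discovered DC was reported by name after all. Nesting the fallback under the `ss == NULL` path is the right fix; it would help to state that in the commit message, since "always return the found server's IP address" is not quite what the code does (the NetBIOS name is still the fallback when `r->sockaddr.pdc_ip` is absent). Also worth confirming whether `pdc_ip` can be an empty string rather than NULL in a CLDAP reply; if so, the new `if (r->sockaddr.pdc_ip)` should also test `pdc_ip[0] != '\0'`, otherwise an empty address would be returned as `DS_ADDRESS_TYPE_INET`.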
> --
> 2.5.0
>
>
> From c02e80def037d5906c15a4ea54d1e5ef2208377b Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Thu, 3 Mar 2016 09:18:57 +0200
> Subject: [PATCH 2/3] dsgetdcname: fix flag check
>
> Fix the check for zero requested flags.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769
>
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
> source3/libsmb/dsgetdcname.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
> index 1033329..b5bc51df 100644
> --- a/source3/libsmb/dsgetdcname.c
> +++ b/source3/libsmb/dsgetdcname.c
> @@ -284,7 +284,7 @@ static uint32_t get_cldap_reply_server_flags(struct netlogon_samlogon_response *
> static bool check_cldap_reply_required_flags(uint32_t ret_flags,
> uint32_t req_flags)
> {
> - if (ret_flags == 0) {
> + if (req_flags == 0) {
> return true;
> }
>
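Review bot: the one-character change is correct and security-relevant: with `ret_flags == 0` the function accepted any DC whose CLDAP reply advertised no server flags at all, regardless of what the caller required (e.g. writable or KDC), so the requirement check was bypassable by a reply carrying zero flags; only `req_flags == 0` (the caller asked for nothing) justifies the early `return true`. Please say so in the commit message, since "fix flag check" hides that the old code weakened the DC selection, and consider adding a one-line comment above the check so the two similarly named variables are not swapped again.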
> --
> 2.5.0
>
>
> From 28d1c795f16f881acef98eeb26972b30be569902 Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Thu, 3 Mar 2016 09:18:58 +0200
> Subject: [PATCH 3/3] libnet: make Kerberos domain join site-aware
>
> When joining a domain using Kerberos authentication, create a
> configuration file for the Kerberos libs to prefer on-site
> domain controllers, without relying on the winbindd Kerberos
> locator, which may not be operational at this stage.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769
>
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
> source3/libnet/libnet_join.c | 52 ++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 52 insertions(+)
>
> diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> index 6dce03c..fc737a2 100644
> --- a/source3/libnet/libnet_join.c
> +++ b/source3/libnet/libnet_join.c
> @@ -2157,6 +2157,17 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> #ifdef HAVE_ADS
> ADS_STATUS ads_status;
> #endif /* HAVE_ADS */
> + const char *pre_connect_realm = NULL;
> + const char *numeric_dcip = NULL;
> + const char *sitename = NULL;
> +
> + /* Before contacting a DC, we can securely know
> + * the realm only if the user specifies it.
> + */
> + if (r->in.use_kerberos &&
> + r->in.domain_name_type == JoinDomNameTypeDNS) {
> + pre_connect_realm = r->in.domain_name;
> + }
>
> if (!r->in.dc_name) {
> struct netr_DsRGetDCNameInfo *info;
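Review bot: the comment above the `pre_connect_realm` assignment should record the assumption the cover letter makes explicit, namely that the DNS domain name the user passed is taken to be the Kerberos realm; as written ("we can securely know the realm only if the user specifies it") a reader of the code cannot tell that `r->in.domain_name` is being used as a realm name rather than a domain name, nor that `JoinDomNameTypeDNS` is the only case in which this pre-connect configuration happens. A short sentence such as "the DNS domain name is assumed to equal the realm; for flat names the realm is only learned from the DC" would make the later `create_local_private_krb5_conf_for_domain(pre_connect_realm, ...)` call self-explanatory.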
> @@ -2189,6 +2200,47 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
> dc = strip_hostname(info->dc_unc);
> r->in.dc_name = talloc_strdup(mem_ctx, dc);
> W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
> +
> + if (info->dc_address == NULL || info->dc_address[0] != '\\' ||
> + info->dc_address[1] != '\\') {
> + DBG_ERR("ill-formed DC address '%s'\n",
> + info->dc_address);
> + return WERR_DCNOTFOUND;
> + }
> +
> + numeric_dcip = info->dc_address + 2;
> + sitename = info->dc_site_name;
> + /* info goes out of scope but the memory stays
> + allocated on the talloc context */
> + }
> +
> + if (pre_connect_realm != NULL) {
> + struct sockaddr_storage ss = {0};
> +
> + if (numeric_dcip != NULL) {
> + if (!interpret_string_addr(&ss, numeric_dcip,
> + AI_NUMERICHOST)) {
> + DBG_ERR(
> + "cannot parse IP address '%s' of DC '%s'\n",
> + numeric_dcip, r->in.dc_name);
> + return WERR_DCNOTFOUND;
> + }
> + } else {
> + if (!interpret_string_addr(&ss, r->in.dc_name, 0)) {
> + DBG_WARNING(
> + "cannot resolve IP address of DC '%s'\n",
> + r->in.dc_name);
> + return WERR_DCNOTFOUND;
> + }
> + }
> +
> + /* The domain parameter is only used as modifier
> + * to krb5.conf file name. .JOIN is is not a valid
> + * NetBIOS name so it cannot clash with another domain
> + * -- Uri.
> + */
> + create_local_private_krb5_conf_for_domain(
> + pre_connect_realm, ".JOIN", sitename, &ss);
> }
>
> status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
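Review bot: the numeric-address path turns what used to be an optimisation into a hard failure: `numeric_dcip` is parsed with `AI_NUMERICHOST`, but patch 1 only guarantees an IP in `dc_address` for freshly discovered DCs, so a cached `netr_DsRGetDCNameInfo` still carrying a NetBIOS name in `dc_address` makes `interpret_string_addr()` fail and the whole join returns `WERR_DCNOTFOUND` even though the DC is perfectly reachable. Suggest checking `info->dc_address_type == DS_ADDRESS_TYPE_INET` before setting `numeric_dcip`, and on a parse failure falling through to the existing `else` branch that resolves `r->in.dc_name` (or simply skipping the site-aware krb5.conf) instead of aborting; the same applies to the `\\` prefix check, which logs and fails with `info->dc_address` passed to `"%s"` when that pointer may be NULL. Minor: "`.JOIN is is not`" in the comment is a typo, and if `create_local_private_krb5_conf_for_domain()` reports failure its result should at least be logged rather than discarded, since a silently missing config just means a non-site-aware join.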
> --
> 2.5.0
>