[PATCHES] site-aware Kerberos authentication during domain join

Jeremy Allison jra at samba.org
Mon Mar 7 22:22:47 UTC 2016


On Thu, Mar 03, 2016 at 09:44:46AM +0200, Uri Simchoni wrote:
> Hi,
> 
> Attached please find a fix for
> https://bugzilla.samba.org/show_bug.cgi?id=11769.
> 
> The bug description explains why this may be important.
> 
> The fix enables site-aware Kerberos during execution of "net ads
> join -k", even if winbindd is not started (so the locator cannot be
> used).
> 
> This works only if the user specified the domain's DNS name (which
> is assumed to be equal to the Kerberos realm). If the user didn't
> specify it (e.g. only specified flat domain name or server to use),
> we need to securely contact a DC to determine the domain's DNS name,
> so we cannot pre-configure Kerberos.
> 
> Review appreciated.

LGTM. Pushed ! Thanks.

> From abc61757a7331eaf04d1023a41058b304a7f4cf9 Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Thu, 3 Mar 2016 09:18:44 +0200
> Subject: [PATCH 1/3] dsgetdcname: return an IP address on rediscovery
> 
> When dsgetdcname returns its result based on the discovery
> process (instead of retrieving a cached value), always
> return the found server's IP address in the dc_address field,
> rather than its netbios name.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769
> 
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
>  source3/libsmb/dsgetdcname.c | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
> index a63ba5a..1033329 100644
> --- a/source3/libsmb/dsgetdcname.c
> +++ b/source3/libsmb/dsgetdcname.c
> @@ -792,14 +792,14 @@ static NTSTATUS make_dc_info_from_cldap_reply(TALLOC_CTX *mem_ctx,
>  		print_sockaddr(addr, sizeof(addr), ss);
>  		dc_address = addr;
>  		dc_address_type = DS_ADDRESS_TYPE_INET;
> -	}
> -
> -	if (!ss && r->sockaddr.pdc_ip) {
> -		dc_address	= r->sockaddr.pdc_ip;
> -		dc_address_type	= DS_ADDRESS_TYPE_INET;
>  	} else {
> -		dc_address      = r->pdc_name;
> -		dc_address_type = DS_ADDRESS_TYPE_NETBIOS;
> +		if (r->sockaddr.pdc_ip) {
> +			dc_address	= r->sockaddr.pdc_ip;
> +			dc_address_type	= DS_ADDRESS_TYPE_INET;
> +		} else {
> +			dc_address      = r->pdc_name;
> +			dc_address_type = DS_ADDRESS_TYPE_NETBIOS;
> +		}
>  	}
>  
>  	map_dc_and_domain_names(flags,
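
Review bot: the commit message says the discovery path now always returns the DC's IP address, but the restructured block still falls back to `dc_address = r->pdc_name` with `DS_ADDRESS_TYPE_NETBIOS` when the CLDAP reply carries no `sockaddr.pdc_ip`, so callers must keep handling a NetBIOS-typed `dc_address`; either state that residual case in the commit message or have callers test `dc_address_type` rather than assume an IP. Minor style: the new nesting reads more simply as `} else if (r->sockaddr.pdc_ip) { ... } else { ... }`, which is the three-way choice the code actually makes.
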
> -- 
> 2.5.0
> 
> 
> From c02e80def037d5906c15a4ea54d1e5ef2208377b Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Thu, 3 Mar 2016 09:18:57 +0200
> Subject: [PATCH 2/3] dsgetdcname: fix flag check
> 
> Fix the check for zero requested flags.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769
> 
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
>  source3/libsmb/dsgetdcname.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
> index 1033329..b5bc51df 100644
> --- a/source3/libsmb/dsgetdcname.c
> +++ b/source3/libsmb/dsgetdcname.c
> @@ -284,7 +284,7 @@ static uint32_t get_cldap_reply_server_flags(struct netlogon_samlogon_response *
>  static bool check_cldap_reply_required_flags(uint32_t ret_flags,
>  					     uint32_t req_flags)
>  {
> -	if (ret_flags == 0) {
> +	if (req_flags == 0) {
>  		return true;
>  	}
>  
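
Review bot: the corrected condition is the right one; with `ret_flags == 0` a DC reply advertising no server flags passed the check no matter which flags the caller required (the unsafe direction), while a caller requiring nothing was still subjected to the comparison. A small test exercising `req_flags == 0` and `ret_flags == 0` separately would keep the two operands from being swapped again.
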
> -- 
> 2.5.0
> 
> 
> From 28d1c795f16f881acef98eeb26972b30be569902 Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Thu, 3 Mar 2016 09:18:58 +0200
> Subject: [PATCH 3/3] libnet: make Kerberos domain join site-aware
> 
> When joining a domain using Kerberos authentication, create a
> configuration file for the Kerberos libs to prefer on-site
> domain controllers, without relying on the winbindd Kerberos
> locator, which may not be operational at this stage.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11769
> 
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
>  source3/libnet/libnet_join.c | 52 ++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 52 insertions(+)
> 
> diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> index 6dce03c..fc737a2 100644
> --- a/source3/libnet/libnet_join.c
> +++ b/source3/libnet/libnet_join.c
> @@ -2157,6 +2157,17 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
>  #ifdef HAVE_ADS
>  	ADS_STATUS ads_status;
>  #endif /* HAVE_ADS */
> +	const char *pre_connect_realm = NULL;
> +	const char *numeric_dcip = NULL;
> +	const char *sitename = NULL;
> +
> +	/* Before contacting a DC, we can securely know
> +	 * the realm only if the user specifies it.
> +	 */
> +	if (r->in.use_kerberos &&
> +	    r->in.domain_name_type == JoinDomNameTypeDNS) {
> +		pre_connect_realm = r->in.domain_name;
> +	}
>  
>  	if (!r->in.dc_name) {
>  		struct netr_DsRGetDCNameInfo *info;
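
Review bot: the condition `r->in.domain_name_type == JoinDomNameTypeDNS` treats the DNS domain name as the Kerberos realm, which the cover mail states as an assumption but the code comment does not; make the comment say so (e.g. `* the realm only if the user specifies it, and only when the` / `* DNS domain name equals the realm.`), since a domain whose realm differs from its DNS name would get a private krb5.conf written for the wrong realm.
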
> @@ -2189,6 +2200,47 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
>  		dc = strip_hostname(info->dc_unc);
>  		r->in.dc_name = talloc_strdup(mem_ctx, dc);
>  		W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
> +
> +		if (info->dc_address == NULL || info->dc_address[0] != '\\' ||
> +		    info->dc_address[1] != '\\') {
> +			DBG_ERR("ill-formed DC address '%s'\n",
> +				info->dc_address);
> +			return WERR_DCNOTFOUND;
> +		}
> +
> +		numeric_dcip = info->dc_address + 2;
> +		sitename = info->dc_site_name;
> +		/* info goes out of scope but the memory stays
> +		   allocated on the talloc context */
> +	}
> +
> +	if (pre_connect_realm != NULL) {
> +		struct sockaddr_storage ss = {0};
> +
> +		if (numeric_dcip != NULL) {
> +			if (!interpret_string_addr(&ss, numeric_dcip,
> +						   AI_NUMERICHOST)) {
> +				DBG_ERR(
> +				    "cannot parse IP address '%s' of DC '%s'\n",
> +				    numeric_dcip, r->in.dc_name);
> +				return WERR_DCNOTFOUND;
> +			}
> +		} else {
> +			if (!interpret_string_addr(&ss, r->in.dc_name, 0)) {
> +				DBG_WARNING(
> +				    "cannot resolve IP address of DC '%s'\n",
> +				    r->in.dc_name);
> +				return WERR_DCNOTFOUND;
> +			}
> +		}
> +
> +		/* The domain parameter is only used as modifier
> +		 * to krb5.conf file name. .JOIN is is not a valid
> +		 * NetBIOS name so it cannot clash with another domain
> +		 * -- Uri.
> +		 */
> +		create_local_private_krb5_conf_for_domain(
> +		    pre_connect_realm, ".JOIN", sitename, &ss);
>  	}
>  
>  	status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
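
Review bot: `DBG_ERR("ill-formed DC address '%s'\n", info->dc_address)` is reached when `info->dc_address == NULL`, so it passes a NULL pointer to `%s`; log a fixed string in that case or guard the argument with `info->dc_address ? info->dc_address : "(null)"`. Two more points on the same block: the `\\` prefix test is a string check where `info->dc_address_type == DS_ADDRESS_TYPE_INET` would express the intent directly and would let a NetBIOS-typed address (still possible after patch 1) go through the same `interpret_string_addr(&ss, r->in.dc_name, 0)` resolution used for a user-supplied DC name instead of hard-failing with WERR_DCNOTFOUND; and the two resolution failures both return WERR_DCNOTFOUND but log at DBG_ERR and DBG_WARNING respectively, so pick one level. The comment before `create_local_private_krb5_conf_for_domain` has a doubled "is" (".JOIN is is not").
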
> -- 
> 2.5.0
>