mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
sync machine password to keytab: handle FreeIPA use case
FreeIPA uses own procedure to retrieve keytabs and during the setup of Samba on FreeIPA client the keytab is already present, only machine account needs to be set in the secrets database. 'sync machine password to keytab' option handling broke this use case by always attempting to contact a domain controller and failing to do so (Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199). The original synchronizing machine account password to keytab feature did not have a mechanism to disable its logic at all. Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Fri Sep 13 13:16:09 UTC 2024 on atb-devel-224
This commit is contained in:
parent
12ad4832a7
commit
4f577c7b68
@ -18,7 +18,11 @@ or by winbindd doing regular updates (see <smbconfoption name="machine password
|
|||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
The option takes a list of keytab strings. Each string has this form:
|
The option takes a list of keytab strings to describe how to synchronize
|
||||||
|
content of those keytabs or a single 'disabled' value to disable the
|
||||||
|
synchronization.
|
||||||
|
|
||||||
|
Each string has this form:
|
||||||
<programlisting>
|
<programlisting>
|
||||||
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
|
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
|
||||||
</programlisting>
|
</programlisting>
|
||||||
@ -70,8 +74,27 @@ If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC.
|
|||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
|
If no value is present and <smbconfoption name="kerberos method"/> is different from
|
||||||
where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
|
'secrets only', the behavior differs between winbind and net utility:
|
||||||
|
</para>
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para><userinput>winbind</userinput> uses value
|
||||||
|
<programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
|
||||||
|
where the path to the keytab is obtained either from the krb5 library or from
|
||||||
|
<smbconfoption name="dedicated keytab file"/>.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para><userinput>net changesecretpw -f</userinput> command uses the default 'disabled' value.</para>
|
||||||
|
</listitem>
|
||||||
|
<listitem><para>No other <userinput>net</userinput> subcommands use the 'disabled' value.</para></listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
If a single value 'disabled' is present, the synchronization process is
|
||||||
|
disabled. This is required for FreeIPA domain member setup where keytab
|
||||||
|
synchronization uses a protocol not implemented by Samba.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
|
@ -904,6 +904,11 @@ NTSTATUS sync_pw2keytabs(void)
|
|||||||
goto params_ready;
|
goto params_ready;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((*lp_ptr != NULL) && strequal_m(*lp_ptr, "disabled")) {
|
||||||
|
DBG_DEBUG("'sync machine password to keytab' is explicitly disabled.\n");
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
}
|
||||||
|
|
||||||
line = lp_ptr;
|
line = lp_ptr;
|
||||||
while (*line) {
|
while (*line) {
|
||||||
DBG_DEBUG("Scanning line: %s\n", *line);
|
DBG_DEBUG("Scanning line: %s\n", *line);
|
||||||
|
@ -207,6 +207,14 @@ static int net_changesecretpw(struct net_context *c, int argc,
|
|||||||
struct timeval tv = timeval_current();
|
struct timeval tv = timeval_current();
|
||||||
NTTIME now = timeval_to_nttime(&tv);
|
NTTIME now = timeval_to_nttime(&tv);
|
||||||
|
|
||||||
|
#ifdef HAVE_ADS
|
||||||
|
if (USE_KERBEROS_KEYTAB) {
|
||||||
|
if (lp_sync_machine_password_to_keytab() == NULL) {
|
||||||
|
lp_do_parameter(-1, "sync machine password to keytab", "disabled");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (c->opt_stdin) {
|
if (c->opt_stdin) {
|
||||||
set_line_buffering(stdin);
|
set_line_buffering(stdin);
|
||||||
set_line_buffering(stdout);
|
set_line_buffering(stdout);
|
||||||
|
@ -803,7 +803,8 @@ static int do_global_checks(void)
|
|||||||
"instead of 'kerberos method'.\n\n");
|
"instead of 'kerberos method'.\n\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (lp_ptr != NULL) {
|
if (lp_ptr != NULL &&
|
||||||
|
((*lp_ptr != NULL) && !strequal_m(*lp_ptr, "disabled"))) {
|
||||||
while (*lp_ptr) {
|
while (*lp_ptr) {
|
||||||
ret |= pw2kt_check_line(*lp_ptr++);
|
ret |= pw2kt_check_line(*lp_ptr++);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user