s3:libnet: Require sealed LDAP SASL connections for joining
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
parent
456322a613
commit
b84abb3a46
@ -210,7 +210,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
|
||||
self->ads_ptr = NULL;
|
||||
}
|
||||
/* always succeeds or crashes */
|
||||
self->ads_ptr = ads_init(realm, workgroup, ldap_server);
|
||||
self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
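Review bot: py_ads_init hard-codes ADS_SASL_PLAIN, so an ADS object created from Python cannot ask for the sealed connection this commit introduces for joins; whether any Python caller needs that is not visible here. At minimum the line deserves a comment saying so, e.g. `/* Python callers get the configured default wrapping; sealing is not exposed here. */`, or the level could be accepted as an optional keyword argument that defaults to plain. py_ads_init starts outside the hunk, so the argument parsing that such a keyword would hook into was not checked.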
@ -417,7 +417,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
|
||||
|
||||
dc = strip_hostname(info->dc_unc);
|
||||
|
||||
ads = ads_init(info->domain_name, info->domain_name, dc);
|
||||
ads = ads_init(info->domain_name,
|
||||
info->domain_name,
|
||||
dc,
|
||||
ADS_SASL_PLAIN);
|
||||
if (!ads) {
|
||||
return WERR_GEN_FAILURE;
|
||||
}
|
||||
|
@ -32,6 +32,12 @@
|
||||
#ifndef _LIBADS_ADS_PROTO_H_
|
||||
#define _LIBADS_ADS_PROTO_H_
|
||||
|
||||
enum ads_sasl_state_e {
|
||||
ADS_SASL_PLAIN = 0,
|
||||
ADS_SASL_SIGN,
|
||||
ADS_SASL_SEAL,
|
||||
};
|
||||
|
||||
/* The following definitions come from libads/ads_struct.c */
|
||||
|
||||
char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
|
||||
@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm);
|
||||
char *ads_build_domain(const char *dn);
|
||||
ADS_STRUCT *ads_init(const char *realm,
|
||||
const char *workgroup,
|
||||
const char *ldap_server);
|
||||
const char *ldap_server,
|
||||
enum ads_sasl_state_e sasl_state);
|
||||
bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
|
||||
void ads_destroy(ADS_STRUCT **ads);
|
||||
|
||||
|
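Review bot: `enum ads_sasl_state_e` is added to the public header without a comment describing what each level demands of a connection, which every caller choosing between ADS_SASL_PLAIN and ADS_SASL_SEAL at the updated call sites needs. A short block comment above the enum should state that the value passed to ads_init() is the minimum SASL wrapping the caller requires, that ADS_SASL_PLAIN adds no requirement beyond the configured default and therefore preserves the pre-change behaviour, and that ADS_SASL_SIGN and ADS_SASL_SEAL request integrity and integrity-plus-confidentiality respectively (as far as the mapping to ADS_AUTH_SASL_SIGN/SEAL in ads_init shows). The ads_init() prototype in the second hunk should likewise get a one-line note on the new parameter.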
@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn)
|
||||
*/
|
||||
ADS_STRUCT *ads_init(const char *realm,
|
||||
const char *workgroup,
|
||||
const char *ldap_server)
|
||||
const char *ldap_server,
|
||||
enum ads_sasl_state_e sasl_state)
|
||||
{
|
||||
ADS_STRUCT *ads;
|
||||
int wrap_flags;
|
||||
@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm,
|
||||
wrap_flags = 0;
|
||||
}
|
||||
|
||||
switch (sasl_state) {
|
||||
case ADS_SASL_PLAIN:
|
||||
break;
|
||||
case ADS_SASL_SIGN:
|
||||
wrap_flags |= ADS_AUTH_SASL_SIGN;
|
||||
break;
|
||||
case ADS_SASL_SEAL:
|
||||
wrap_flags |= ADS_AUTH_SASL_SEAL;
|
||||
break;
|
||||
}
|
||||
|
||||
ads->auth.flags = wrap_flags;
|
||||
|
||||
/* Start with the configured page size when the connection is new,
|
||||
|
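Review bot: The `switch (sasl_state)` added to ads_init has no `default:` label, so a value outside the enum (an uninitialised or miscast int from a caller) silently leaves wrap_flags at whatever the preceding lines computed and the connection falls back to the configured level. Because the whole point of the parameter is to let a caller demand protection, an unknown level should fail closed: `default: wrap_flags |= ADS_AUTH_SASL_SEAL; break;` keeps the strongest requirement, or return NULL if the contract is meant to be strict. The switch also only ORs bits in, so the parameter raises but never lowers the configured wrapping; a comment above it such as `/* sasl_state is a minimum: it adds to, never clears, the configured wrap_flags. */` would stop a reader from assuming ADS_SASL_PLAIN forces an unwrapped bind. ads_init's body continues outside the hunk.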
@ -2966,7 +2966,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
|
||||
|
||||
if ( !ads->ldap.ld ) {
|
||||
if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
|
||||
ads->server.ldap_server )) == NULL )
|
||||
ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
|
||||
{
|
||||
status = ADS_ERROR(LDAP_NO_MEMORY);
|
||||
goto done;
|
||||
@ -3028,7 +3028,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
|
||||
|
||||
if ( !ads->ldap.ld ) {
|
||||
if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
|
||||
ads->server.ldap_server )) == NULL )
|
||||
ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
|
||||
{
|
||||
status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
||||
goto done;
|
||||
|
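Review bot: Both hunks (ads_current_time and ads_domain_func_level) create a temporary ADS_STRUCT with ADS_SASL_PLAIN even when the parent `ads` was set up by a caller that asked for ADS_SASL_SEAL, so the caller's wrap level is not inherited by the fallback connection. If these helpers only do an anonymous read (not visible in the hunk) that is harmless, but it should be recorded so nobody assumes the parent's protection carries over, e.g. `/* ads_s is a fresh connection at ADS_SASL_PLAIN; it does not inherit ads->auth.flags. */`. If the temporary connection ever binds with credentials, the parent's level should be derived from ads->auth.flags and passed through instead. Both enclosing functions continue outside their hunks.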
@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
|
||||
|
||||
my_ads = ads_init(dns_domain_name,
|
||||
netbios_domain_name,
|
||||
dc_name);
|
||||
dc_name,
|
||||
ADS_SASL_SEAL);
|
||||
if (!my_ads) {
|
||||
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
|
||||
}
|
||||
|
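Review bot: The switch to ADS_SASL_SEAL in libnet_connect_ads is the substance of this commit but carries no comment explaining why this call site differs from the ADS_SASL_PLAIN used everywhere else, which invites a later "harmonising" cleanup that lowers it again. A one-line comment above the call, e.g. `/* The join must not run over an unprotected LDAP bind: require sealing. */`, records the intent. The same applies to the ADS_SASL_SEAL call in ads_cached_connection_connect (winbindd_ads.c). libnet_connect_ads begins outside the hunk.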
@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain,
|
||||
|
||||
/* Try this 3 times then give up. */
|
||||
for( i =0 ; i < 3; i++) {
|
||||
ads = ads_init(realm, domain, NULL);
|
||||
ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN);
|
||||
if (!ads) {
|
||||
TALLOC_FREE(sitename);
|
||||
return False;
|
||||
|
@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer,
|
||||
return WERR_NOT_ENOUGH_MEMORY;
|
||||
}
|
||||
|
||||
ads = ads_init(lp_realm(), lp_workgroup(), NULL);
|
||||
ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
|
||||
if (ads == NULL) {
|
||||
result = WERR_RPC_S_SERVER_UNAVAILABLE;
|
||||
goto out;
|
||||
@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx,
|
||||
|
||||
TALLOC_FREE(sinfo2);
|
||||
|
||||
ads = ads_init(lp_realm(), lp_workgroup(), NULL);
|
||||
ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
|
||||
if (!ads) {
|
||||
DEBUG(3, ("ads_init() failed\n"));
|
||||
win_rc = WERR_RPC_S_SERVER_UNAVAILABLE;
|
||||
@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx)
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY;
|
||||
|
||||
ads = ads_init(lp_realm(), lp_workgroup(), NULL);
|
||||
ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
|
||||
if (!ads) {
|
||||
DEBUG(3, ("ads_init() failed\n"));
|
||||
return WERR_RPC_S_SERVER_UNAVAILABLE;
|
||||
|
@ -620,7 +620,10 @@ retry_connect:
|
||||
realm = assume_own_realm(c);
|
||||
}
|
||||
|
||||
ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
|
||||
ads = ads_init(realm,
|
||||
c->opt_target_workgroup,
|
||||
c->opt_host,
|
||||
ADS_SASL_PLAIN);
|
||||
|
||||
if (!c->opt_user_name) {
|
||||
c->opt_user_name = "administrator";
|
||||
@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha
|
||||
ADS_STRUCT *ads;
|
||||
ADS_STATUS status;
|
||||
|
||||
if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
|
||||
ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN);
|
||||
if (ads == NULL ) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st
|
||||
* kinit with the machine password to do dns update.
|
||||
*/
|
||||
|
||||
ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name);
|
||||
ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN);
|
||||
|
||||
if (ads_dns == NULL) {
|
||||
d_fprintf(stderr, _("DNS update failed: out of memory!\n"));
|
||||
@ -2655,7 +2659,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
|
||||
|
||||
/* use the realm so we can eventually change passwords for users
|
||||
in realms other than default */
|
||||
if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
|
||||
ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN);
|
||||
if (ads == NULL) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
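Review bot: In the hunk at -620 (`retry_connect:`), the ads_init() result is assigned and the code goes straight on to defaulting c->opt_user_name with no NULL check visible in the hunk, while the other hunks in this file (net_ads_check_int, net_ads_password) test for NULL immediately after the call. If no check follows further down, add `if (ads == NULL) { return <the error form this function uses>; }` directly after the call so a failed allocation does not reach the later dereferences. The enclosing function starts and ends outside the hunk, so its return convention could not be confirmed here.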
@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
|
||||
/* we don't want this to affect the users ccache */
|
||||
setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
|
||||
|
||||
ads = ads_init(target_realm, target_dom_name, ldap_server);
|
||||
ads = ads_init(target_realm,
|
||||
target_dom_name,
|
||||
ldap_server,
|
||||
ADS_SASL_SEAL);
|
||||
if (!ads) {
|
||||
DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
|
||||
return ADS_ERROR(LDAP_NO_MEMORY);
|
||||
|
@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
|
||||
|
||||
print_sockaddr(addr, sizeof(addr), pss);
|
||||
|
||||
ads = ads_init(domain->alt_name, domain->name, addr);
|
||||
ads = ads_init(domain->alt_name,
|
||||
domain->name,
|
||||
addr,
|
||||
ADS_SASL_PLAIN);
|
||||
ads->auth.flags |= ADS_AUTH_NO_BIND;
|
||||
ads->config.flags |= request_flags;
|
||||
ads->server.no_fallback = true;
|
||||
|
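Review bot: The result of the rewritten ads_init() call in dcip_check_name is dereferenced on the very next line (`ads->auth.flags |= ADS_AUTH_NO_BIND;`) without a NULL check, unlike every other call site touched by this commit, which tests the return value. The gap predates the change, but since the call is being rewritten this is the moment to close it: `if (ads == NULL) { return false; }` between the call and the flag assignments, matching the bool return shown in the hunk header. dcip_check_name begins outside the hunk, so whether anything allocated earlier needs releasing on that path is not visible here.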