path: root/meta-networking/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 13 Jan 2014 15:59:26 +0100
Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Just calling print_canonical_sockaddr() is sufficient, as it already deals with
ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
removed as well. It was pointless because it always derived the port number from
the provided address which was either a SMB (usually port 445) or LDAP
connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
Finally, the kerberos libraries that we support and build with can deal with
ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
resolving the DC name on the kerberos library.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/libads/kerberos.c | 73 ++++-------------------------------------------
 1 file changed, 5 insertions(+), 68 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index b026e09..ea14350 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal,
 /************************************************************************
 ************************************************************************/
 
-static char *print_kdc_line(char *mem_ctx,
-			const char *prev_line,
-			const struct sockaddr_storage *pss,
-			const char *kdc_name)
-{
-	char addr[INET6_ADDRSTRLEN];
-	uint16_t port = get_sockaddr_port(pss);
-
-	if (pss->ss_family == AF_INET) {
-		return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
-				       prev_line,
-				       print_canonical_sockaddr(mem_ctx, pss));
-	}
-
-	/*
-	 * IPv6 starts here
-	 */
-
-	DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
-		   kdc_name, port));
-
-	if (port != 0 && port != DEFAULT_KRB5_PORT) {
-		/* Currently for IPv6 we can't specify a non-default
-		   krb5 port with an address, as this requires a ':'.
-		   Resolve to a name. */
-		char hostname[MAX_DNS_NAME_LENGTH];
-		int ret = sys_getnameinfo((const struct sockaddr *)pss,
-					  sizeof(*pss),
-					  hostname, sizeof(hostname),
-					  NULL, 0,
-					  NI_NAMEREQD);
-		if (ret) {
-			DEBUG(0,("print_kdc_line: can't resolve name "
-				 "for kdc with non-default port %s. "
-				 "Error %s\n.",
-				 print_canonical_sockaddr(mem_ctx, pss),
-				 gai_strerror(ret)));
-			return NULL;
-		}
-		/* Success, use host:port */
-		return talloc_asprintf(mem_ctx,
-				       "%s\tkdc = %s:%u\n",
-				       prev_line,
-				       hostname,
-				       (unsigned int)port);
-	}
-
-	/* no krb5 lib currently supports "kdc = ipv6 address"
-	 * at all, so just fill in just the kdc_name if we have
-	 * it and let the krb5 lib figure out the appropriate
-	 * ipv6 address - gd */
-
-	if (kdc_name) {
-		return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
-				       prev_line, kdc_name);
-	}
-
-	return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
-			       prev_line,
-			       print_sockaddr(addr,
-					      sizeof(addr),
-					      pss));
-}
-
 /************************************************************************
  Create a string list of available kdc's, possibly searching by sitename.
  Does DNS queries.
@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
 	char *result = NULL;
 	struct netlogon_samlogon_response **responses = NULL;
 	NTSTATUS status;
-	char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
+	char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
+					print_canonical_sockaddr(mem_ctx, pss));
 
 	if (kdc_str == NULL) {
 		TALLOC_FREE(frame);
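Review bot: The result of `print_canonical_sockaddr(mem_ctx, pss)` goes straight into `%s` in the new `talloc_asprintf()` call, so if that helper can return NULL (its definition is not in this patch) the `kdc_str == NULL` check below never sees the failure, and on C libraries that print "(null)" for a NULL string a bogus `kdc = (null)` line could reach the generated krb5.conf. The temporary is also allocated on `mem_ctx` rather than on the `frame` stackframe this function frees, so it lives as long as the caller's context. I would take it into a local first, `char *addr = print_canonical_sockaddr(frame, pss);`, bail out through `TALLOC_FREE(frame)` when it is NULL, and drop the empty `"%s", ""` prefix so the format is just `"\tkdc = %s\n"`. The loop hunk at -788,9 +725,9 has the same pattern with `&dc_addrs[i]`. The body of get_kdc_ip_string starts and ends outside both hunks.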
@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx,
 		}
 
 		/* Append to the string - inefficient but not done often. */
-		new_kdc_str = print_kdc_line(mem_ctx, kdc_str,
-					     &dc_addrs[i],
-					     kdc_name);
+		new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
+					      kdc_str,
+					      print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
 		if (new_kdc_str == NULL) {
 			goto fail;
 		}
-- 
1.8.5.3


From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 7 Mar 2014 14:47:31 +0100
Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from
 create_local_private_krb5_conf_for_domain().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/libads/kerberos.c       | 10 ++++------
 source3/libads/kerberos_proto.h |  3 +--
 source3/libnet/libnet_join.c    |  3 +--
 source3/libsmb/namequery_dc.c   |  6 ++----
 source3/winbindd/winbindd_cm.c  |  6 ++----
 5 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index ea14350..649e568 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
 static char *get_kdc_ip_string(char *mem_ctx,
 		const char *realm,
 		const char *sitename,
-		const struct sockaddr_storage *pss,
-		const char *kdc_name)
+		const struct sockaddr_storage *pss)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
 	int i;
@@ -756,8 +755,7 @@ fail:
 bool create_local_private_krb5_conf_for_domain(const char *realm,
 						const char *domain,
 						const char *sitename,
-					        const struct sockaddr_storage *pss,
-						const char *kdc_name)
+					        const struct sockaddr_storage *pss)
 {
 	char *dname;
 	char *tmpname = NULL;
@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 		return false;
 	}
 
-	if (domain == NULL || pss == NULL || kdc_name == NULL) {
+	if (domain == NULL || pss == NULL) {
 		return false;
 	}
 
@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 		goto done;
 	}
 
-	kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
+	kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
 	if (!kdc_ip_string) {
 		goto done;
 	}
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index f7470d2..2559634 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal,
 bool create_local_private_krb5_conf_for_domain(const char *realm,
 						const char *domain,
 						const char *sitename,
-					        const struct sockaddr_storage *pss,
-						const char *kdc_name);
+					        const struct sockaddr_storage *pss);
 
 /* The following definitions come from libads/authdata.c  */
 
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a87eb38..68884cd 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
 
 	create_local_private_krb5_conf_for_domain(
 		r->out.dns_domain_name, r->out.netbios_domain_name,
-		NULL, smbXcli_conn_remote_sockaddr(cli->conn),
-		smbXcli_conn_remote_name(cli->conn));
+		NULL, smbXcli_conn_remote_sockaddr(cli->conn));
 
 	if (r->out.domain_is_ad && r->in.account_ou &&
 	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
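Review bot: The bool returned by `create_local_private_krb5_conf_for_domain()` is discarded at this call, so a failure to write the private krb5.conf goes unnoticed and the join carries on with whatever Kerberos configuration is otherwise in effect. This may be deliberate best-effort, but a log line would make the fallback visible when diagnosing a join: `if (!create_local_private_krb5_conf_for_domain(...)) { DEBUG(1, ("failed to write private krb5.conf\n")); }`. The calls in the namequery_dc.c and winbindd_cm.c hunks of this patch ignore the result the same way. The body of libnet_DomainJoin starts and ends outside the hunk.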
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index 3cfae79..eb34741 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain,
 				create_local_private_krb5_conf_for_domain(realm,
 									domain,
 									sitename,
-									&ads->ldap.ss,
-									ads->config.ldap_server_name);
+									&ads->ldap.ss);
 			} else {
 				create_local_private_krb5_conf_for_domain(realm,
 									domain,
 									NULL,
-									&ads->ldap.ss,
-									ads->config.ldap_server_name);
+									&ads->ldap.ss);
 			}
 		}
 #endif
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 669a43e..be13a57 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
 					create_local_private_krb5_conf_for_domain(domain->alt_name,
 									domain->name,
 									sitename,
-									pss,
-									*name);
+									pss);
 
 					SAFE_FREE(sitename);
 				} else {
@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
 					create_local_private_krb5_conf_for_domain(domain->alt_name,
 									domain->name,
 									NULL,
-									pss,
-									*name);
+									pss);
 				}
 				winbindd_set_locator_kdc_envs(domain);
 
-- 
1.8.5.3