On Tue, 12 May 2015, Alexander Bokovoy wrote:
On Fri, 08 May 2015, Alexander Bokovoy wrote:

Attached patch fixes issues with Samba 4.2 in Fedora 22.

See commit message for the details. Note that you'll
also need Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
to test the patch.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
An update is available in Bodhi:

Please test and support.
Attached please find an update of the patch 0178. I've found one typo
which was missed in the original version due to exception handling.

I'll update the Bodhi request when builds are ready.
/ Alexander Bokovoy
From 28fccac07760764acc86f9c91850481ef2c1e1ae Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 8 May 2015 12:09:13 +0000
Subject: [PATCH 2/3] ipaserver/dcerpc: Ensure LSA pipe has session key before
 using it

With Samba 4.2 there is a bug that prevents Samba from considering Kerberos
credentials used by the IPA httpd process when talking to smbd. As a result,
the LSA RPC connection is seen as anonymous by Samba client code and we cannot
derive a session key to use for encrypting trust secrets before transmitting

Additionally, the rewrite of the SMB protocol support in Samba caused the previously
working logic for choosing the DCE RPC binding string to fail. We need to try
a different set of priorities until they fail or succeed.

Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834

 ipaserver/dcerpc.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index e342c49..44689cc 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -89,6 +89,10 @@ dcerpc_error_codes = {
             reason=_('AD domain controller complains about communication 
sequence. It may mean unsynchronized time on both sides, for example')),
+    -1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the 
+        access_denied_error,
+        errors.RemoteRetrieveError(reason=_('CIFS server configuration does 
not allow access to \\\\pipe\\lsarpc')),
 dcerpc_error_messages = {
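Review bot: the comment on the new `-1073741776` entry ("we simply will skip the") is truncated and does not describe what the entry does, and as shown the hunk gives this one key two values (`access_denied_error,` and then `errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to \\\\pipe\\lsarpc'))`), which cannot both belong to a single dict entry. Please check the entry is well-formed in the actual patch, and finish the comment so it says why `NT_STATUS_INVALID_PARAMETER_MIX` comes back here (per the commit message, the LSA connection being treated as anonymous by Samba 4.2), so a later reader knows this mapping is a workaround for that behaviour rather than a generic error translation.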
@@ -728,16 +732,20 @@ class TrustDomainInstance(object):
         attempts = 0
+        session_attempts = 0
         bindings = self.__gen_lsa_bindings(remote_host)
         for binding in bindings:
                 self._pipe = self.__gen_lsa_connection(binding)
-                if self._pipe:
+                if self._pipe and self._pipe.session_key:
             except errors.ACIError, e:
                 attempts = attempts + 1
+            except RuntimeError, e:
+                # When session key is not available, we just skip this binding
+                session_attempts = session_attempts + 1
-        if self._pipe is None and attempts == len(bindings):
+        if self._pipe is None and (attempts + session_attempts) == 
             raise errors.ACIError(
                 info=_('CIFS server %(host)s denied your credentials') % 
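Review bot: the new `except RuntimeError, e:` branch in the binding loop treats every RuntimeError raised by `__gen_lsa_connection` or by reading `self._pipe.session_key` as "no session key", and when all bindings fail that way the final `if self._pipe is None and (attempts + session_attempts) == ...` check raises `errors.ACIError(info=_('CIFS server %(host)s denied your credentials'))`, so the Samba 4.2 session-key problem the commit message describes gets reported to the admin as a credential failure. Suggest keeping the two outcomes apart: narrow the handler to the session-key failure (or check the exception text) and, when `attempts == 0 and session_attempts == len(bindings)`, raise a `RemoteRetrieveError` that names the missing session key and points at the Samba fix. `e` is also unused in the new branch.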
@@ -745,6 +753,7 @@ class TrustDomainInstance(object):
             raise errors.RemoteRetrieveError(
                 reason=_('Cannot establish LSA connection to %(host)s. Is CIFS 
server running?') % dict(host=remote_host))
         self.binding = binding
+        self.session_key = self._pipe.session_key
     def __gen_lsa_bindings(self, remote_host):
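Review bot: `self.session_key = self._pipe.session_key` stores the key used to encrypt trust secrets as a plain attribute for the lifetime of the `TrustDomainInstance`; add a short comment that this is secret material and make sure it is not included in any debug or repr output of the object.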
@@ -753,11 +762,11 @@ class TrustDomainInstance(object):
         Generate all we can use. init_lsa_pipe() will try them one by one until
         there is one working.
-        We try NCACN_NP before NCACN_IP_TCP and signed sessions before 
+        We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or 
         transports = (u'ncacn_np', u'ncacn_ip_tcp')
-        options = ( u',', u'')
-        binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
+        options = ( u'smb2', u'smb1', u'')
+        binding_template=lambda x,y,z: u'%s:%s[%s,print]' % (x, y, z)
         return [binding_template(t, remote_host, o) for t in transports for o 
in options]
     def retrieve_anonymously(self, remote_host, discover_srv=False, 
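Review bot: `binding_template` now appends `,print` to every binding string (`u'%s:%s[%s,print]'`); in Samba binding strings `print` is the debug flag that makes the DCE RPC client dump packets, so this looks like leftover debugging and would write the LSA traffic that carries the trust secrets into the logs. Drop it before merge and keep `u'%s:%s[%s]'`. Two smaller points: the rewritten docstring line ("use SMB2 before SMB1 or") is cut off, and the `u''` entry in `options` now yields `[,print]`, so please confirm that the Samba 4.2 binding parser accepts both that form and the `smb1` option, since a binding rejected for a syntax reason would be counted by the loop as if it were a credential or session-key failure.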
