The branch, master has been updated
       via  5af28c9 drsuapi: Improve debug in DsWriteAccountSpn
       via  e7f54a2 samdb: Improve debugging in acl_validate_spn_value()
      from  6de656b selftest: use the default values for "server signing"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5af28c93dcf4ac14dc02f39ab96a82a53be54ce1
Author: Volker Lendecke <[email protected]>
Date:   Tue May 24 15:10:14 2016 +0200

    drsuapi: Improve debug in DsWriteAccountSpn
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    
    Autobuild-User(master): Volker Lendecke <[email protected]>
    Autobuild-Date(master): Wed May 25 11:34:13 CEST 2016 on sn-devel-144

commit e7f54a28426a46bcb7e0226bee176e1d588e27ef
Author: Volker Lendecke <[email protected]>
Date:   Tue May 24 15:07:00 2016 +0200

    samdb: Improve debugging in acl_validate_spn_value()
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl.c  | 22 ++++++++++++++++++++--
 source4/rpc_server/drsuapi/writespn.c |  3 +++
 2 files changed, 23 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c 
b/source4/dsdb/samdb/ldb_modules/acl.c
index 2aafc6c..910f9e8 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -521,7 +521,7 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
                                  const char *netbios_name,
                                  const char *ntds_guid)
 {
-       int ret;
+       int ret, princ_size;
        krb5_context krb_ctx;
        krb5_error_code kerr;
        krb5_principal principal;
@@ -555,7 +555,9 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
 
-       if (krb5_princ_size(krb_ctx, principal) < 2) {
+       princ_size = krb5_princ_size(krb_ctx, principal);
+       if (princ_size < 2) {
+               DBG_WARNING("princ_size=%d\n", princ_size);
                goto fail;
        }
 
@@ -572,21 +574,29 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 
        if (serviceName) {
                if (!is_dc) {
+                       DBG_WARNING("is_dc=false, serviceName=%s,"
+                                   "serviceType=%s\n", serviceName,
+                                 serviceType);
                        goto fail;
                }
                if (strcasecmp(serviceType, "ldap") == 0) {
                        if (strcasecmp(serviceName, netbios_name) != 0 &&
                            strcasecmp(serviceName, forest_name) != 0) {
+                               DBG_WARNING("serviceName=%s\n", serviceName);
                                goto fail;
                        }
 
                } else if (strcasecmp(serviceType, "gc") == 0) {
                        if (strcasecmp(serviceName, forest_name) != 0) {
+                               DBG_WARNING("serviceName=%s\n", serviceName);
                                goto fail;
                        }
                } else {
                        if (strcasecmp(serviceName, base_domain) != 0 &&
                            strcasecmp(serviceName, netbios_name) != 0) {
+                               DBG_WARNING("serviceType=%s, "
+                                           "serviceName=%s\n",
+                                           serviceType, serviceName);
                                goto fail;
                        }
                }
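Review bot: The new `DBG_WARNING` calls print `serviceName` and `serviceType` verbatim, and both appear to come from the SPN a client is trying to write, so each failed validation puts caller-chosen text into the log at warning level. The parsing that produces these strings is outside this hunk; if it does not already reject control characters or bound the length, the values should be escaped or truncated before logging so a crafted SPN cannot forge or bloat log lines. The ldap and gc branches also emit the identical `serviceName=%s`, so it would help to name the type as the last branch does, e.g. `DBG_WARNING("serviceType=%s, serviceName=%s\n", serviceType, serviceName);`. The first message concatenates to `serviceName=%s,serviceType=%s` with no space after the comma, unlike the later one. `acl_validate_spn_value()` starts and ends outside this hunk.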
@@ -611,6 +621,14 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 fail:
        krb5_free_principal(krb_ctx, principal);
        krb5_free_context(krb_ctx);
+       ldb_debug_set(ldb, LDB_DEBUG_WARNING,
+                     "acl: spn validation failed for "
+                     "spn[%s] uac[0x%x] account[%s] hostname[%s] "
+                     "nbname[%s] ntds[%s] forest[%s] domain[%s]\n",
+                     spn_value, (unsigned)userAccountControl,
+                     samAccountName, dnsHostName,
+                     netbios_name, ntds_guid,
+                     forest_name, base_domain);
        return LDB_ERR_CONSTRAINT_VIOLATION;
 
 success:
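Review bot: `ldb_debug_set()` does more than log: it also stores the formatted text as the ldb error string, so this message, including `netbios_name`, `ntds_guid`, `forest_name` and `base_domain`, is handed to anything that reads `ldb_errstring()` and may be relayed to the client whose SPN write was refused. If the intent is server-side diagnosis only, `ldb_debug(ldb, LDB_DEBUG_WARNING, ...)` keeps the detail in the log while the caller sees just the constraint violation. Several of the `%s` arguments (for example `dnsHostName` and `ntds_guid`) look as if they could be NULL for some accounts, which is undefined behaviour for `%s`. That depends on callers outside this hunk, so confirm it or substitute a placeholder such as `ntds_guid ? ntds_guid : "(none)"`.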
diff --git a/source4/rpc_server/drsuapi/writespn.c 
b/source4/rpc_server/drsuapi/writespn.c
index 04a4792..c3bdb3f 100644
--- a/source4/rpc_server/drsuapi/writespn.c
+++ b/source4/rpc_server/drsuapi/writespn.c
@@ -29,6 +29,7 @@
 #include "libcli/security/security.h"
 #include "libcli/security/session.h"
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
 #include "auth/session.h"
 
 /*
@@ -232,6 +233,8 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct 
dcesrv_call_state *dce_call, TALL
                                DEBUG(0,("Failed to modify SPNs on %s: %s\n",
                                         ldb_dn_get_linearized(msg->dn),
                                         ldb_errstring(b_state->sam_ctx)));
+                               NDR_PRINT_IN_DEBUG(
+                                       drsuapi_DsWriteAccountSpn, r);
                                r->out.res->res1.status = WERR_ACCESS_DENIED;
                        } else {
                                DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
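Review bot: The full request dump is emitted on every failed SPN modification, a path a remote caller can hit repeatedly, and the dumped structure carries the client-supplied SPN strings. Unlike the `DEBUG(0, ...)` directly above it, no level is visible at this call site, so the log volume depends on how `NDR_PRINT_IN_DEBUG` is gated internally. An explicit guard makes the intent clear and keeps the dump out of default-level logs, e.g. `if (DEBUGLVL(5)) { NDR_PRINT_IN_DEBUG(drsuapi_DsWriteAccountSpn, r); }` with whatever level the project prefers. A short comment saying the dump is for diagnosing rejected SPN writes would also help; the enclosing function continues outside this hunk.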


-- 
Samba Shared Repository
