The branch, master has been updated
via 459b43e5776 testprogs: Add test for 'net ads join createcomputer='
via 14f320fa1e4 s3:libads: Just change the machine password if account
already exists
via 39b8c8b30a5 s3:libnet: Improve debug messages
via ce776293505 s3:libads: Fix creating machine account using LDAP
via b755a643802 s3:libads: Don't set supported encryption types during
account creation
via 4f389c1f78c s3:libads: Fix detection if acount already exists in
ads_find_machine_count()
via 35f3e4aed1f s3:libads: Use a talloc_asprintf in
ads_find_machine_acct()
via 8ed993789f9 s3:libads: Cleanup error code paths in
ads_create_machine_acct()
via b84abb3a462 s3:libnet: Require sealed LDAP SASL connections for
joining
via 456322a6131 s3:libads: Use ldap_add_ext_s() in ads_gen_add()
via 320b5be4dce testprogs: Fix failure count in test_net_ads.sh
from 4a24d949975 libcli:smb: Use gnutls_aead_cipher_decryptv2() for AES
GCM or CCM
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 459b43e5776180dc1540cd845b72ff78747ecd6f
Author: Andreas Schneider <[email protected]>
Date: Thu Aug 22 16:31:30 2019 +0200
testprogs: Add test for 'net ads join createcomputer='
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Autobuild-User(master): Andreas Schneider <[email protected]>
Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184
commit 14f320fa1e40ecc3a43dabb0cecd57430270a521
Author: Andreas Schneider <[email protected]>
Date: Thu Aug 8 14:40:04 2019 +0200
s3:libads: Just change the machine password if account already exists
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Pair-Programmed-With: Guenther Deschner <[email protected]>
Signed-off-by: Guenther Deschner <[email protected]>
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94
Author: Andreas Schneider <[email protected]>
Date: Wed Aug 14 10:15:19 2019 +0200
s3:libnet: Improve debug messages
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit ce7762935051c862ecdd3e82d93096aac61dd292
Author: Andreas Schneider <[email protected]>
Date: Tue Aug 13 16:34:34 2019 +0200
s3:libads: Fix creating machine account using LDAP
This implements the same behaviour as Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Pair-Programmed-With: Guenther Deschner <[email protected]>
Signed-off-by: Guenther Deschner <[email protected]>
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit b755a6438022579dab1a403c81d60b1ed7efca38
Author: Andreas Schneider <[email protected]>
Date: Wed Aug 14 12:17:20 2019 +0200
s3:libads: Don't set supported encryption types during account creation
This is already handled by libnet_join_post_processing_ads_modify()
which calls libnet_join_set_etypes() if encrytion types should be set.
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d
Author: Andreas Schneider <[email protected]>
Date: Wed Aug 14 13:01:19 2019 +0200
s3:libads: Fix detection if acount already exists in
ads_find_machine_count()
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357
Author: Andreas Schneider <[email protected]>
Date: Wed Aug 21 12:22:32 2019 +0200
s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit 8ed993789f93624b7b60dd5314fe5472e69e903a
Author: Andreas Schneider <[email protected]>
Date: Tue Aug 13 16:30:07 2019 +0200
s3:libads: Cleanup error code paths in ads_create_machine_acct()
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit b84abb3a46211dc84e52ef95750627e4dd081f2f
Author: Andreas Schneider <[email protected]>
Date: Tue Aug 13 17:41:40 2019 +0200
s3:libnet: Require sealed LDAP SASL connections for joining
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit 456322a61319a10aaedda5244488ea4e5aa5cb64
Author: Andreas Schneider <[email protected]>
Date: Tue Aug 13 17:06:58 2019 +0200
s3:libads: Use ldap_add_ext_s() in ads_gen_add()
ldap_add_s() is marked as deprecated.
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
commit 320b5be4dce95d8dac4b3c0847faf5b730754a37
Author: Andreas Schneider <[email protected]>
Date: Thu Aug 8 14:35:38 2019 +0200
testprogs: Fix failure count in test_net_ads.sh
There are missing ` at the end of the line.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
libgpo/pygpo.c | 2 +-
source3/lib/netapi/joindomain.c | 5 +-
source3/libads/ads_proto.h | 13 +-
source3/libads/ads_struct.c | 14 +-
source3/libads/ldap.c | 339 +++++++++++++++++++++++++++++++------
source3/libnet/libnet_join.c | 31 ++--
source3/libsmb/namequery_dc.c | 2 +-
source3/printing/nt_printing_ads.c | 6 +-
source3/utils/net_ads.c | 13 +-
source3/winbindd/winbindd_ads.c | 5 +-
source3/winbindd/winbindd_cm.c | 5 +-
testprogs/blackbox/test_net_ads.sh | 36 +++-
12 files changed, 389 insertions(+), 82 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index b1f788d3a00..581d20e0649 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -210,7 +210,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject
*kwds)
self->ads_ptr = NULL;
}
/* always succeeds or crashes */
- self->ads_ptr = ads_init(realm, workgroup, ldap_server);
+ self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN);
return 0;
}
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index 387c517c1be..f2d36fc00db 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -417,7 +417,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
dc = strip_hostname(info->dc_unc);
- ads = ads_init(info->domain_name, info->domain_name, dc);
+ ads = ads_init(info->domain_name,
+ info->domain_name,
+ dc,
+ ADS_SASL_PLAIN);
if (!ads) {
return WERR_GEN_FAILURE;
}
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 154bf67f964..495ef5d3325 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -32,6 +32,12 @@
#ifndef _LIBADS_ADS_PROTO_H_
#define _LIBADS_ADS_PROTO_H_
+enum ads_sasl_state_e {
+ ADS_SASL_PLAIN = 0,
+ ADS_SASL_SIGN,
+ ADS_SASL_SEAL,
+};
+
/* The following definitions come from libads/ads_struct.c */
char *ads_build_path(const char *realm, const char *sep, const char *field,
int reverse);
@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm);
char *ads_build_domain(const char *dn);
ADS_STRUCT *ads_init(const char *realm,
const char *workgroup,
- const char *ldap_server);
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state);
bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
void ads_destroy(ADS_STRUCT **ads);
@@ -107,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT
*ads, const char *machine_
const char **spns);
ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
const char *machine_name,
+ const char *machine_password,
const char *org_unit,
- uint32_t etype_list);
+ uint32_t etype_list,
+ const char *dns_domain_name);
ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
const char *org_unit, bool *moved);
int ads_count_replies(ADS_STRUCT *ads, void *res);
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 3ab682c0e38..043a1b21247 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn)
*/
ADS_STRUCT *ads_init(const char *realm,
const char *workgroup,
- const char *ldap_server)
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state)
{
ADS_STRUCT *ads;
int wrap_flags;
@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm,
wrap_flags = 0;
}
+ switch (sasl_state) {
+ case ADS_SASL_PLAIN:
+ break;
+ case ADS_SASL_SIGN:
+ wrap_flags |= ADS_AUTH_SASL_SIGN;
+ break;
+ case ADS_SASL_SEAL:
+ wrap_flags |= ADS_AUTH_SASL_SEAL;
+ break;
+ }
+
ads->auth.flags = wrap_flags;
/* Start with the configured page size when the connection is new,
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 6942106a3c3..90d402abb4e 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1366,19 +1366,42 @@ char *ads_parent_dn(const char *dn)
{
ADS_STATUS status;
char *expr;
- const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes",
"nTSecurityDescriptor", NULL};
+ const char *attrs[] = {
+ /* This is how Windows checks for machine accounts */
+ "objectClass",
+ "SamAccountName",
+ "userAccountControl",
+ "DnsHostName",
+ "ServicePrincipalName",
+ "unicodePwd",
+
+ /* Additional attributes Samba checks */
+ "msDS-SupportedEncryptionTypes",
+ "nTSecurityDescriptor",
+
+ NULL
+ };
+ TALLOC_CTX *frame = talloc_stackframe();
*res = NULL;
/* the easiest way to find a machine account anywhere in the tree
is to look for hostname$ */
- if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
- DEBUG(1, ("asprintf failed!\n"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine);
+ if (expr == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto done;
}
status = ads_search(ads, res, expr, attrs);
- SAFE_FREE(expr);
+ if (ADS_ERR_OK(status)) {
+ if (ads_count_replies(ads, *res) != 1) {
+ status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
+ }
+ }
+
+done:
+ TALLOC_FREE(frame);
return status;
}
@@ -1493,7 +1516,6 @@ ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST
*mods,
name, (const void **) vals);
}
-#if 0
/**
* Add a single ber-encoded value to a mod list
* @param ctx An initialized TALLOC_CTX
@@ -1514,7 +1536,6 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx,
ADS_MODLIST *mods,
return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
name, (const void **) values);
}
-#endif
static void ads_print_error(int ret, LDAP *ld)
{
@@ -1596,7 +1617,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char
*new_dn, ADS_MODLIST mods)
/* make sure the end of the list is NULL */
mods[i] = NULL;
- ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
+ ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL,
NULL);
ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
return ADS_ERROR(ret);
@@ -1863,11 +1884,11 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT
*ads, const char *machin
char *dn_string = NULL;
ret = ads_find_machine_acct(ads, &res, machine_name);
- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
+ if (!ADS_ERR_OK(ret)) {
DEBUG(5,("ads_clear_service_principal_names: WARNING: Host
Account for %s not found... skipping operation.\n", machine_name));
DEBUG(5,("ads_clear_service_principal_names: WARNING: Service
Principals for %s have NOT been cleared.\n", machine_name));
ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ return ret;
}
DEBUG(5,("ads_clear_service_principal_names: Host account for %s
found\n", machine_name));
@@ -2023,12 +2044,12 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT
*ads,
const char **servicePrincipalName = spns;
ret = ads_find_machine_acct(ads, &res, machine_name);
- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
+ if (!ADS_ERR_OK(ret)) {
DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account
for %s not found... skipping operation.\n",
machine_name));
DEBUG(1,("ads_add_service_principal_name: WARNING: Service
Principals have NOT been added.\n"));
ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ return ret;
}
DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n",
machine_name));
@@ -2077,6 +2098,127 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT
*ads,
return ret;
}
+static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads,
+ LDAPMessage *msg)
+{
+ uint32_t acct_ctrl = 0;
+ bool ok;
+
+ ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl);
+ if (!ok) {
+ return 0;
+ }
+
+ return acct_ctrl;
+}
+
+static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads,
+ LDAPMessage *msg,
+ const struct berval *machine_pw_val)
+{
+ ADS_MODLIST mods;
+ ADS_STATUS ret;
+ TALLOC_CTX *frame = talloc_stackframe();
+ uint32_t acct_control;
+ char *control_str = NULL;
+ const char *attrs[] = {
+ "objectSid",
+ NULL
+ };
+ LDAPMessage *res = NULL;
+ char *dn = NULL;
+
+ dn = ads_get_dn(ads, frame, msg);
+ if (dn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ acct_control = ads_get_acct_ctrl(ads, msg);
+ if (acct_control == 0) {
+ ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ goto done;
+ }
+
+ /*
+ * Changing the password, disables the account. So we need to change the
+ * userAccountControl flags to enable it again.
+ */
+ mods = ads_init_mods(frame);
+ if (mods == NULL) {
+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val);
+
+ ret = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(ret)) {
+ goto done;
+ }
+ TALLOC_FREE(mods);
+
+ /*
+ * To activate the account, we need to disable and enable it.
+ */
+ acct_control |= UF_ACCOUNTDISABLE;
+
+ control_str = talloc_asprintf(frame, "%u", acct_control);
+ if (control_str == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ mods = ads_init_mods(frame);
+ if (mods == NULL) {
+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ads_mod_str(frame, &mods, "userAccountControl", control_str);
+
+ ret = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(ret)) {
+ goto done;
+ }
+ TALLOC_FREE(mods);
+ TALLOC_FREE(control_str);
+
+ /*
+ * Enable the account again.
+ */
+ acct_control &= ~UF_ACCOUNTDISABLE;
+
+ control_str = talloc_asprintf(frame, "%u", acct_control);
+ if (control_str == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ mods = ads_init_mods(frame);
+ if (mods == NULL) {
+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ads_mod_str(frame, &mods, "userAccountControl", control_str);
+
+ ret = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(ret)) {
+ goto done;
+ }
+ TALLOC_FREE(mods);
+ TALLOC_FREE(control_str);
+
+ ret = ads_search_dn(ads, &res, dn, attrs);
+ ads_msgfree(ads, res);
+
+done:
+ talloc_free(frame);
+
+ return ret;
+}
+
/**
* adds a machine account to the ADS server
* @param ads An intialized ADS_STRUCT
@@ -2088,79 +2230,169 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT
*ads,
ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
const char *machine_name,
+ const char *machine_password,
const char *org_unit,
- uint32_t etype_list)
+ uint32_t etype_list,
+ const char *dns_domain_name)
{
ADS_STATUS ret;
- char *samAccountName, *controlstr;
- TALLOC_CTX *ctx;
+ char *samAccountName = NULL;
+ char *controlstr = NULL;
+ TALLOC_CTX *ctx = NULL;
ADS_MODLIST mods;
char *machine_escaped = NULL;
- char *new_dn;
- const char *objectClass[] = {"top", "person", "organizationalPerson",
- "user", "computer", NULL};
+ char *dns_hostname = NULL;
+ char *new_dn = NULL;
+ char *utf8_pw = NULL;
+ size_t utf8_pw_len = 0;
+ char *utf16_pw = NULL;
+ size_t utf16_pw_len = 0;
+ struct berval machine_pw_val;
+ bool ok;
+ const char **spn_array = NULL;
+ size_t num_spns = 0;
+ const char *spn_prefix[] = {
+ "HOST",
+ "RestrictedKrbHost",
+ };
+ size_t i;
LDAPMessage *res = NULL;
- uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
- UF_DONT_EXPIRE_PASSWD |\
- UF_ACCOUNTDISABLE );
- uint32_t func_level = 0;
+ uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT;
- ret = ads_domain_func_level(ads, &func_level);
- if (!ADS_ERR_OK(ret)) {
- return ret;
+ ctx = talloc_init("ads_add_machine_acct");
+ if (ctx == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
}
- if (!(ctx = talloc_init("ads_add_machine_acct")))
- return ADS_ERROR(LDAP_NO_MEMORY);
+ machine_escaped = escape_rdn_val_string_alloc(machine_name);
+ if (machine_escaped == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
- ret = ADS_ERROR(LDAP_NO_MEMORY);
+ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
+ if (utf8_pw == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ utf8_pw_len = strlen(utf8_pw);
- machine_escaped = escape_rdn_val_string_alloc(machine_name);
- if (!machine_escaped) {
+ ok = convert_string_talloc(ctx,
+ CH_UTF8, CH_UTF16MUNGED,
+ utf8_pw, utf8_pw_len,
+ (void *)&utf16_pw, &utf16_pw_len);
+ if (!ok) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
+ machine_pw_val = (struct berval) {
+ .bv_val = utf16_pw,
+ .bv_len = utf16_pw_len,
+ };
+
+ /* Check if the machine account already exists. */
ret = ads_find_machine_acct(ads, &res, machine_escaped);
- if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
- DBG_DEBUG("Host account for %s already exists.\n",
- machine_escaped);
- ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ if (ADS_ERR_OK(ret)) {
+ /* Change the machine account password */
+ ret = ads_change_machine_acct(ads, res, &machine_pw_val);
ads_msgfree(ads, res);
+
goto done;
}
ads_msgfree(ads, res);
new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
- samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
-
- if ( !new_dn || !samAccountName ) {
+ if (new_dn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
- if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
+ /* Create machine account */
+
+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+ if (samAccountName == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
- if (!(mods = ads_init_mods(ctx))) {
+ dns_hostname = talloc_asprintf(ctx,
+ "%s.%s",
+ machine_name,
+ dns_domain_name);
+ if (dns_hostname == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
- ads_mod_str(ctx, &mods, "cn", machine_name);
- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
- ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
- ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+ /* Add dns_hostname SPNs */
+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
+ char *spn = talloc_asprintf(ctx,
+ "%s/%s",
+ spn_prefix[i],
+ dns_hostname);
+ if (spn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
- if (func_level >= DS_DOMAIN_FUNCTION_2008) {
- const char *etype_list_str;
+ ok = add_string_to_array(spn_array,
+ spn,
+ &spn_array,
+ &num_spns);
+ if (!ok) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ }
- etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
- if (etype_list_str == NULL) {
+ /* Add machine_name SPNs */
+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
+ char *spn = talloc_asprintf(ctx,
+ "%s/%s",
+ spn_prefix[i],
+ machine_name);
+ if (spn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
- ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
--
Samba Shared Repository
