The branch, v4-12-test has been updated
       via  7b1bac7d084 Add net-ads-join dnshostname=fqdn option
       via  71efed33f47 Add msDS-AdditionalDnsHostName entries to the keytab
       via  279e72fe334 Add a test for msDS-AdditionalDnsHostName entries in keytab
       via  b3630d58e48 Refactor ads_keytab_add_entry() to make it iterable
       via  533a4be557b Fix accidental overwrite of dnsHostName by the last netbios alias
       via  e25e574ba04 Add a test to check dNSHostName with netbios aliases
       via  5015bbbd701 s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry()
       via  2b15eee1bc0 docs-xml: update list of posible VFS operations for vfs_full_audit
       via  c2051cdfda6 s3: libsmbclient: Finish unifing bad iconv behavior across CORE NT1 SMB2 protocols.
       via  ea64f5fb2d8 s3: libsmb: In SMB2 return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
       via  cc105695a60 s3: libsmb: In SMB1 old protocol - return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
       via  290ae67b24e s3: selftest: Add test_smbclient_iconv.sh to check client behavior on bad name conversion.
       via  701cbabc92e s3: selftest: Add share definition [bad_iconv] in fileserver.
      from  f02893f5360 winbindd: Fix a use-after-free when winbind clients exit

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-test


- Log -----------------------------------------------------------------
commit 7b1bac7d084815cf8b0f070b16a5c93af78f2153
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed May 27 15:54:12 2020 +0200

    Add net-ads-join dnshostname=fqdn option

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184

    Autobuild-User(v4-12-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-12-test): Thu Jun 4 13:12:27 UTC 2020 on sn-devel-184

commit 71efed33f47dfc4f294881257add9121623e29ce
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed May 27 15:36:28 2020 +0200

    Add msDS-AdditionalDnsHostName entries to the keytab

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 279e72fe334d8ac375f0e5a8cfccc0fcf0b6d02f
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed May 27 17:55:12 2020 +0200

    Add a test for msDS-AdditionalDnsHostName entries in keytab

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b3630d58e4816402231500551aa6268b5a8cffa7
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed May 27 13:25:17 2020 +0200

    Refactor ads_keytab_add_entry() to make it iterable

    so we can more easily add msDS-AdditionalDnsHostName entries.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 533a4be557bd7923ff8bfaea9a82cd99d47b10f4
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed May 27 15:52:46 2020 +0200

    Fix accidental overwrite of dnsHostName by the last netbios alias

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e25e574ba042d83c7f7675b75139385d8cc9ffc8
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed May 27 16:50:45 2020 +0200

    Add a test to check dNSHostName with netbios aliases

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 5015bbbd70188553454cfdbbf4faa1c2062c4882
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 29 13:48:24 2019 +0100

    s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry()

    This is currently not critical as we only use keytabs
    only as acceptor, but in future we'll also use them
    for kinit() and there we should prefer the newest type.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2b15eee1bc0d48b9804f20d5bb3cc8b2fde8085e
Author: Björn Jacke <b...@sernet.de>
Date:   Tue May 19 12:42:31 2020 +0200

    docs-xml: update list of posible VFS operations for vfs_full_audit

    the list of valid operations can be generated by

    grep "{ SMB_VFS_OP_" source3/modules/vfs_full_audit.c |sed 's/.*,[ \t]*"//;s/".*//'|grep -v NULL | sort

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14386

    based on 14470e4e4c16cfc36384027c39c1685dea42ad26 in master

    Signed-off-by: Bjoern Jacke <bja...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit c2051cdfda67f04e641c7b58d0c89a675ed6fb79
Author: Jeremy Allison <j...@samba.org>
Date:   Mon May 11 15:58:27 2020 -0700

    s3: libsmbclient: Finish unifing bad iconv behavior across CORE NT1 SMB2 protocols.

    On bad name conversion, exit the directory listing with an error, but leave the connection
    intact. We were already checking for finfo->name == NULL here, but were ignoring it
    and not reporting an error.

    Remove the knownfail.d/bad_iconv file as we now behave the same across CORE/NT1/SMB2.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Tue May 12 21:32:44 UTC 2020 on sn-devel-184

    (cherry picked from commit 393da520e43bd3a28feb231bcd9fd5308a3daa4a)

commit ea64f5fb2d87877d77a8ccdd6874b367efaf62a4
Author: Jeremy Allison <j...@samba.org>
Date:   Mon May 11 12:23:49 2020 -0700

    s3: libsmb: In SMB2 return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.

    Can happen if namelen == 0.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 753115a8d19f6ac8cd28305748fc6d888679dccc)

commit cc105695a60f629928c971e98e15edb89fb58162
Author: Jeremy Allison <j...@samba.org>
Date:   Mon May 11 12:34:10 2020 -0700

    s3: libsmb: In SMB1 old protocol - return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.

    Can happen if namelen == 0.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit b10de0bb64fe022e6b066584013dfb0bdf2ade96)

commit 290ae67b24eec2a50c937216b92e7294e1e08109
Author: Jeremy Allison <j...@samba.org>
Date:   Mon May 11 15:37:00 2020 -0700

    s3: selftest: Add test_smbclient_iconv.sh to check client behavior on bad name conversion.

    SMB2 and NT1 fail this, CORE already returns NT_STATUS_INVALID_NETWORK_RESPONSE
    on bad conversion.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (back-ported from commit e016671d34c24c4768df774425ec743b88e30015)

commit 701cbabc92e3bab2ddf55e8adef2b005ea4ae4c5
Author: Jeremy Allison <j...@samba.org>
Date:   Mon May 11 14:10:54 2020 -0700

    s3: selftest: Add share definition [bad_iconv] in fileserver.

    Creates a utf8 valid filename within that is invalid in CP850.
    Useful to test smbclient list directory character set conversions.

    https://bugzilla.samba.org/show_bug.cgi?id=14374
Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (back-ported from commit a9651d6bc2b6dea8adc859ce21c2431253868887) ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/net.8.xml | 7 +- docs-xml/manpages/vfs_full_audit.8.xml | 70 +++++++-- selftest/target/Samba3.pm | 20 +++ source3/libads/ads_proto.h | 5 + source3/libads/kerberos_keytab.c | 224 ++++++++++++++++----------- source3/libads/ldap.c | 45 ++++++ source3/libnet/libnet_join.c | 12 +- source3/librpc/idl/libnet_join.idl | 1 + source3/libsmb/cli_smb2_fnum.c | 6 + source3/libsmb/clilist.c | 10 +- source3/script/tests/test_smbclient_iconv.sh | 53 +++++++ source3/selftest/tests.py | 6 + source3/utils/net_ads.c | 9 +- testprogs/blackbox/test_net_ads.sh | 38 +++++ 14 files changed, 391 insertions(+), 115 deletions(-) create mode 100755 source3/script/tests/test_smbclient_iconv.sh Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index 37dd30b7864..cbab9c63a5e 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml @@ -481,7 +481,7 @@ The remote server must be specified with the -S option. <refsect2> <title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]] -[createupn=UPN] [createcomputer=OU] [machinepass=PASS] +[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string osVer=string] [options]</title> <para> @@ -496,6 +496,11 @@ be created.</para> joining the domain. </para> +<para> +[FQDN] (ADS only) set the dnsHosName attribute during the join. +The default format is netbiosname.dnsdomain. +</para> + <para> [UPN] (ADS only) set the principalname attribute during the join. The default format is host/netbiosname@REALM. diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml index 7b17e2e1ad4..e6c05c3fdc3 100644 --- a/docs-xml/manpages/vfs_full_audit.8.xml 
+++ b/docs-xml/manpages/vfs_full_audit.8.xml 
@@ -38,60 +38,98 @@ complete set of Samba VFS operations:</para> <simplelist> + <member>aio_force</member> + <member>audit_file</member> + <member>brl_lock_windows</member> + <member>brl_unlock_windows</member> <member>chdir</member> <member>chflags</member> <member>chmod</member> - <member>chown</member> <member>close</member> <member>closedir</member> <member>connect</member> - <member>copy_chunk_send</member> - <member>copy_chunk_recv</member> + <member>connectpath</member> + <member>create_dfs_pathat</member> + <member>create_file</member> <member>disconnect</member> <member>disk_free</member> + <member>durable_cookie</member> + <member>durable_disconnect</member> + <member>durable_reconnect</member> + <member>fallocate</member> <member>fchmod</member> <member>fchown</member> + <member>fdopendir</member> + <member>fget_dos_attributes</member> <member>fget_nt_acl</member> <member>fgetxattr</member> + <member>file_id_create</member> <member>flistxattr</member> <member>fremovexattr</member> + <member>fs_capabilities</member> + <member>fsctl</member> + <member>fset_dos_attributes</member> <member>fset_nt_acl</member> <member>fsetxattr</member> + <member>fs_file_id</member> <member>fstat</member> <member>fsync</member> + <member>fsync_recv</member> + <member>fsync_send</member> <member>ftruncate</member> + <member>get_alloc_size</member> <member>get_compression</member> + <member>get_dfs_referrals</member> + <member>get_dos_attributes</member> + <member>get_dos_attributes_recv</member> + <member>get_dos_attributes_send</member> + <member>getlock</member> <member>get_nt_acl</member> <member>get_quota</member> + <member>get_real_filename</member> <member>get_shadow_copy_data</member> - <member>getlock</member> <member>getwd</member> <member>getxattr</member> + <member>getxattrat_recv</member> + <member>getxattrat_send</member> + <member>is_offline</member> <member>kernel_flock</member> - <member>link</member> + <member>lchown</member> + <member>linkat</member> 
<member>linux_setlease</member> <member>listxattr</member> <member>lock</member> <member>lseek</member> <member>lstat</member> - <member>mkdir</member> - <member>mknod</member> + <member>mkdirat</member> + <member>mknodat</member> + <member>ntimes</member> + <member>offload_read_recv</member> + <member>offload_read_send</member> + <member>offload_write_recv</member> + <member>offload_write_send</member> <member>open</member> <member>opendir</member> <member>pread</member> + <member>pread_recv</member> + <member>pread_send</member> <member>pwrite</member> + <member>pwrite_recv</member> + <member>pwrite_send</member> <member>read</member> <member>readdir</member> - <member>readlink</member> + <member>readdir_attr</member> + <member>readlinkat</member> <member>realpath</member> + <member>recvfile</member> <member>removexattr</member> - <member>rename</member> + <member>renameat</member> <member>rewinddir</member> - <member>rmdir</member> <member>seekdir</member> <member>sendfile</member> <member>set_compression</member> - <member>set_nt_acl</member> + <member>set_dos_attributes</member> + <member>set_offline</member> <member>set_quota</member> <member>setxattr</member> <member>snap_check_path</member> @@ -99,15 +137,19 @@ <member>snap_delete</member> <member>stat</member> <member>statvfs</member> - <member>symlink</member> + <member>streaminfo</member> + <member>strict_lock_check</member> + <member>symlinkat</member> + <member>sys_acl_blob_get_fd</member> + <member>sys_acl_blob_get_file</member> <member>sys_acl_delete_def_file</member> <member>sys_acl_get_fd</member> <member>sys_acl_get_file</member> <member>sys_acl_set_fd</member> <member>sys_acl_set_file</member> <member>telldir</member> - <member>unlink</member> - <member>utime</member> + <member>translate_name</member> + <member>unlinkat</member> <member>write</member> </simplelist> diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index cdbbbdcef3d..1bfb72af690 100755 
--- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -959,6 +959,9 @@ sub setup_fileserver my $usershare_sharedir="$share_dir/usershares"; push(@dirs,$usershare_sharedir); + my $bad_iconv_sharedir="$share_dir/bad_iconv"; + push(@dirs, $bad_iconv_sharedir); + my $fileserver_options = " kernel change notify = yes rpc_server:mdssvc = embedded @@ -1039,6 +1042,12 @@ sub setup_fileserver path = $share_dir comment = force group test # force group = everyone + +[bad_iconv] + path = $bad_iconv_sharedir + comment = smb username is [%U] + vfs objects = + [homes] comment = Home directories browseable = No @@ -1107,6 +1116,17 @@ sub setup_fileserver close(VALID_USERS_TARGET); chmod 0644, $valid_users_target; + ## + ## create a valid utf8 filename which is invalid as a CP850 conversion + ## + my $bad_iconv_target = "$bad_iconv_sharedir/\xED\x9F\xBF"; + unless (open(BAD_ICONV_TARGET, ">$bad_iconv_target")) { + warn("Unable to open $bad_iconv_target"); + return undef; + } + close(BAD_ICONV_TARGET); + chmod 0644, $bad_iconv_target; + return $vars; } diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h index 495ef5d3325..cd9c1082681 100644 --- a/source3/libads/ads_proto.h +++ b/source3/libads/ads_proto.h @@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, enum ads_extended_dn_flags flags, struct dom_sid *sid); char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); +ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + const char *machine_name, + char ***hostnames_array, + size_t *num_hostnames); char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name, diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index 7d193e1a600..da363741d10 100644 
--- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c 
@@ -228,86 +228,26 @@ out: return ok; } -/********************************************************************** - Adds a single service principal, i.e. 'host' to the system keytab -***********************************************************************/ - -int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) +static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx, + ADS_STRUCT *ads, const char *salt_princ_s, + krb5_keytab keytab, krb5_kvno kvno, + const char *srvPrinc, const char *my_fqdn, + krb5_data *password, bool update_ads) { krb5_error_code ret = 0; - krb5_context context = NULL; - krb5_keytab keytab = NULL; - krb5_data password; - krb5_kvno kvno; - krb5_enctype enctypes[6] = { -#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 - ENCTYPE_AES128_CTS_HMAC_SHA1_96, -#endif + char *princ_s = NULL; + char *short_princ_s = NULL; + krb5_enctype enctypes[4] = { #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ENCTYPE_AES256_CTS_HMAC_SHA1_96, +#endif +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + ENCTYPE_AES128_CTS_HMAC_SHA1_96, #endif ENCTYPE_ARCFOUR_HMAC, 0 }; - char *princ_s = NULL; - char *short_princ_s = NULL; - char *salt_princ_s = NULL; - char *password_s = NULL; - char *my_fqdn; - TALLOC_CTX *tmpctx = NULL; - int i; - - ret = smb_krb5_init_context_common(&context); - if (ret) { - DBG_ERR("kerberos init context failed (%s)\n", - error_message(ret)); - return -1; - } - - ret = ads_keytab_open(context, &keytab); - if (ret != 0) { - goto out; - } - - /* retrieve the password */ - if (!secrets_init()) { - DEBUG(1, (__location__ ": secrets_init failed\n")); - ret = -1; - goto out; - } - password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); - if (!password_s) { - DEBUG(1, (__location__ ": failed to fetch machine password\n")); - ret = -1; - goto out; - } - ZERO_STRUCT(password); - password.data = password_s; - password.length = strlen(password_s); - - /* we need the dNSHostName value here */ - tmpctx = 
talloc_init(__location__); - if (!tmpctx) { - DEBUG(0, (__location__ ": talloc_init() failed!\n")); - ret = -1; - goto out; - } - - my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name()); - if (!my_fqdn) { - DEBUG(0, (__location__ ": unable to determine machine " - "account's dns name in AD!\n")); - ret = -1; - goto out; - } - - /* make sure we have a single instance of a the computer account */ - if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) { - DEBUG(0, (__location__ ": unable to determine machine " - "account's short name in AD!\n")); - ret = -1; - goto out; - } + size_t i; /* Construct our principal */ if (strchr_m(srvPrinc, '@')) { @@ -356,22 +296,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) } } - kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); - if (kvno == -1) { - /* -1 indicates failure, everything else is OK */ - DEBUG(1, (__location__ ": ads_get_machine_kvno failed to " - "determine the system's kvno.\n")); - ret = -1; - goto out; - } - - salt_princ_s = kerberos_secrets_fetch_salt_princ(); - if (salt_princ_s == NULL) { - DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n"); - ret = -1; - goto out; - } - for (i = 0; enctypes[i]; i++) { /* add the fqdn principal to the keytab */ @@ -381,11 +305,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) princ_s, salt_princ_s, enctypes[i], - &password, + password, false, false); if (ret) { - DEBUG(1, (__location__ ": Failed to add entry to keytab\n")); + DBG_WARNING("Failed to add entry to keytab\n"); goto out; } 
@@ -397,12 +321,126 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) short_princ_s, salt_princ_s, enctypes[i], - &password, + password, false, false); if (ret) { - DEBUG(1, (__location__ - ": Failed to add short entry to keytab\n")); + DBG_WARNING("Failed to add short entry to keytab\n"); + goto out; + } + } + } +out: + return ret; +} + +/********************************************************************** + Adds a single service principal, i.e. 'host' to the system keytab +***********************************************************************/ + +int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) +{ + krb5_error_code ret = 0; + krb5_context context = NULL; + krb5_keytab keytab = NULL; + krb5_data password; + krb5_kvno kvno; + char *salt_princ_s = NULL; + char *password_s = NULL; + char *my_fqdn; + TALLOC_CTX *tmpctx = NULL; + char **hostnames_array = NULL; + size_t num_hostnames = 0; + + ret = smb_krb5_init_context_common(&context); + if (ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(ret)); + return -1; + } + + ret = ads_keytab_open(context, &keytab); + if (ret != 0) { + goto out; + } + + /* retrieve the password */ + if (!secrets_init()) { + DBG_WARNING("secrets_init failed\n"); + ret = -1; + goto out; + } + password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + if (!password_s) { + DBG_WARNING("failed to fetch machine password\n"); + ret = -1; + goto out; + } + ZERO_STRUCT(password); + password.data = password_s; + password.length = strlen(password_s); + + /* we need the dNSHostName value here */ + tmpctx = talloc_init(__location__); + if (!tmpctx) { + DBG_ERR("talloc_init() failed!\n"); + ret = -1; + goto out; + } + + my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name()); + if (!my_fqdn) { + DBG_ERR("unable to determine machine account's dns name in " + "AD!\n"); + ret = -1; + goto out; + } + + /* make sure we have a single instance of a the 
computer account */ + if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) { + DBG_ERR("unable to determine machine account's short name in " + "AD!\n"); + ret = -1; + goto out; + } + + kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); + if (kvno == -1) { + /* -1 indicates failure, everything else is OK */ + DBG_WARNING("ads_get_machine_kvno failed to determine the " + "system's kvno.\n"); + ret = -1; + goto out; + } + + salt_princ_s = kerberos_secrets_fetch_salt_princ(); + if (salt_princ_s == NULL) { + DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n"); + ret = -1; + goto out; + } + + ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab, + kvno, srvPrinc, my_fqdn, &password, + update_ads); + if (ret != 0) { + goto out; + } + + if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads, + lp_netbios_name(), + &hostnames_array, + &num_hostnames))) { + size_t i; + + for (i = 0; i < num_hostnames; i++) { + + ret = add_kt_entry_etypes(context, tmpctx, ads, + salt_princ_s, keytab, + kvno, srvPrinc, + hostnames_array[i], + &password, update_ads); + if (ret != 0) { goto out; } } diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index f0fcf9fcd56..f6fde5e19e1 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn) "unicodePwd", -- Samba Shared Repository
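
Review bot: the new [FQDN] paragraph in docs-xml/manpages/net.8.xml spells the attribute "dnsHosName", which is not the name of any attribute; it should read dNSHostName, the spelling used in the code comment "we need the dNSHostName value here" and in the commit subjects. A man page reader who copies the name into an LDAP filter to verify the join will get no match, so the typo is worth fixing before release.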
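
Review bot: the first hunk of docs-xml/manpages/vfs_full_audit.8.xml drops chown, link, mkdir, mknod, readlink, rename, rmdir, set_nt_acl and copy_chunk_send/recv from the list (the second hunk does the same for symlink, unlink and utime) without any note for operators whose full_audit:success or full_audit:failure lists still name them. Suggest a short sentence after the simplelist stating which entries were renamed (for example mkdir to mkdirat, rename to renameat, unlink to unlinkat) so that existing audit configurations can be checked against the new names rather than silently diverging from the documentation.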
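
Review bot: in the last selftest/target/Samba3.pm hunk, the failure path warn("Unable to open $bad_iconv_target") omits $!, so a failed selftest setup does not say whether the cause was permissions, a missing directory or a filesystem that rejects the name. Suggest warn("Unable to open $bad_iconv_target: $!"). The comment above it could also name the character, since "\xED\x9F\xBF" is the UTF-8 encoding of U+D7FF and that is easier to reason about than the raw bytes when the test is later extended to other code pages.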
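
Review bot: the new static add_kt_entry_etypes() in source3/libads/kerberos_keytab.c has no header comment, and the banner "Adds a single service principal, i.e. 'host' to the system keytab" has moved to ads_keytab_add_entry(), which after this change adds one set of entries per hostname rather than a single one. Suggest documenting the helper (what it adds, who owns tmpctx and password) and renaming its my_fqdn parameter to something like hostname, because the second call site passes hostnames_array[i], which is not the machine's own dNSHostName.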
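
Review bot: at the end of the rewritten ads_keytab_add_entry(), a failing ads_get_additional_dns_hostnames() is dropped silently: the call sits inside if (ADS_ERR_OK(...)) and no else branch is added, so an LDAP error and a machine account that simply has no msDS-AdditionalDnsHostName values both end with ret == 0 and a keytab holding only the primary entries. Services reached through an additional hostname would then fail Kerberos authentication with nothing in the log pointing here. Suggest keeping the ADS_STATUS in a local variable and emitting at least a DBG_WARNING with the status when it is not OK, leaving it to the implementation in ldap.c to report "attribute not present" as success with num_hostnames == 0.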