The branch, master has been updated via 63bbdbae19d gpo: Improve Certificate Auto Enroll Debug messages via 157d2dd77fd gpo: Certificate Auto Enrollment default Kerberos auth from a543d38cd1e third_party:waf: Do not recurse in aesni-intel if GnuTLS provides the cipher
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 63bbdbae19dda6d28ecf8ce27addda728c7a028d Author: David Mulder <dmul...@suse.com> Date: Mon Apr 4 10:42:40 2022 -0600 gpo: Improve Certificate Auto Enroll Debug messages Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Tue Apr 5 01:44:33 UTC 2022 on sn-devel-184 commit 157d2dd77fd92b926350df0def6a3aa6edf823f2 Author: David Mulder <dmul...@suse.com> Date: Mon Apr 4 10:33:15 2022 -0600 gpo: Certificate Auto Enrollment default Kerberos auth Certificate Auto Enrollment uses Kerberos to authenticate to AD. If someone configures their cepces.conf to use a different default authentication, then samba-gpupdate fails. Force Kerberos auth from samba-gpupdate. Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/gp_cert_auto_enroll_ext.py | 17 ++++++++++------- python/samba/tests/bin/cepces-submit | 2 ++ 2 files changed, 12 insertions(+), 7 deletions(-) Changeset truncated at 500 lines:
diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py
index b61aaf7b985..e5c2f2e4394 100644
--- a/python/samba/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp_cert_auto_enroll_ext.py
@@ -82,12 +82,12 @@ def get_supported_templates(server):
 if os.path.exists(cepces_submit):
 env = os.environ
 env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
- p = Popen([cepces_submit, '--server=%s' % server], env=env,
- stdout=PIPE, stderr=PIPE)
+ p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
+ env=env, stdout=PIPE, stderr=PIPE)
 out, err = p.communicate()
 if p.returncode != 0:
- log.warn('Failed to fetch the list of supported templates.')
- log.debug(err.decode())
+ data = { 'Error': err.decode() }
+ log.error('Failed to fetch the list of supported templates.', data)
 return out.strip().split()
 return []
@@ -136,12 +136,14 @@ def cert_enroll(ca, trust_dir, private_dir):
 cepces_submit = find_cepces_submit()
 if getcert is not None and os.path.exists(cepces_submit):
 p = Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
- '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])],
+ '%s --server=%s --auth=Kerberos' % (cepces_submit,
+ ca['dNSHostName'][0])],
 stdout=PIPE, stderr=PIPE)
 out, err = p.communicate()
 log.debug(out.decode())
 if p.returncode != 0:
- log.debug(err.decode())
+ data = { 'Error': err.decode(), 'CA': ca['cn'][0] }
+ log.error('Failed to add Certificate Authority', data)
 supported_templates = get_supported_templates(ca['dNSHostName'][0])
 for template, attrs in ca['certificateTemplates'].items():
 if template not in supported_templates:
@@ -157,7 +159,8 @@ def cert_enroll(ca, trust_dir, private_dir):
 out, err = p.communicate()
 log.debug(out.decode())
 if p.returncode != 0:
- log.debug(err.decode())
+ data = { 'Error': err.decode(), 'Certificate': nickname }
+ log.error('Failed to request certificate', data)
 data['files'].extend([keyfile, certfile])
 data['templates'].append(nickname)
 if update is not None:
diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit
index 1f9d57c6bfb..668682a9f58 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
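Review bot: In the `@@ -157,7 +159,8 @@` hunk of cert_enroll, the added `data = { 'Error': err.decode(), 'Certificate': nickname }` rebinds the function-level `data` that the very next context line reads as `data['files'].extend([keyfile, certfile])`, so a failed certificate request now ends in `KeyError: 'files'` instead of being logged and carried on from; the `@@ -136,12 +136,14 @@` hunk has the same clobber with `data = { 'Error': err.decode(), 'CA': ca['cn'][0] }`, after which the later `data['files']` and `data['templates']` accesses fail on that error path too (the lines between the two hunks are not visible, but nothing in either hunk restores the original dict). Since the error path is exactly the one a misconfigured or unreachable CA triggers, this turns a logged enrollment failure into an unhandled exception for the whole extension. Pass the payload inline in both places, e.g. `log.error('Failed to request certificate', { 'Error': err.decode(), 'Certificate': nickname })` and `log.error('Failed to add Certificate Authority', { 'Error': err.decode(), 'CA': ca['cn'][0] })`, so `data` keeps its `files`/`templates` meaning. cert_enroll starts before the second hunk and continues past the third, so whether the caller relies on the returned `data` cannot be confirmed from here.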
@@ -7,9 +7,11 @@ sys.path.insert(0, "bin/python")
 if __name__ == "__main__":
 parser = optparse.OptionParser('cepces-submit [options]')
 parser.add_option('--server')
+ parser.add_option('--auth')
 (opts, args) = parser.parse_args()
 assert opts.server is not None
+ assert opts.auth == 'Kerberos'
 if 'CERTMONGER_OPERATION' in os.environ and \
 os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
 print('Machine') # Report a Machine template
-- Samba Shared Repository