author | Andreas Schneider <asn@samba.org> | 2019-08-13 17:41:40 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2019-10-16 12:15:53 +0000 |
commit | 399598138815c38ea992c97a3a65b82fb849c6f4 (patch) | |
tree | 01ab38668ea8f4453565e7733f449e686778286b | |
parent | 377483859c0c3b9543262471c2487c0ea35c4c82 (diff) | |
download | samba-399598138815c38ea992c97a3a65b82fb849c6f4.tar.gz |
s3:libnet: Require sealed LDAP SASL connections for joining
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f)
-rw-r--r-- | libgpo/pygpo.c | 2 | ||||
-rw-r--r-- | source3/lib/netapi/joindomain.c | 5 | ||||
-rw-r--r-- | source3/libads/ads_proto.h | 9 | ||||
-rw-r--r-- | source3/libads/ads_struct.c | 14 | ||||
-rw-r--r-- | source3/libads/ldap.c | 4 | ||||
-rw-r--r-- | source3/libnet/libnet_join.c | 3 | ||||
-rw-r--r-- | source3/libsmb/namequery_dc.c | 2 | ||||
-rw-r--r-- | source3/printing/nt_printing_ads.c | 6 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 13 | ||||
-rw-r--r-- | source3/winbindd/winbindd_ads.c | 5 | ||||
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 5 |
11 files changed, 51 insertions, 17 deletions
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index cd107318860..4db8cad7ca4 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
 return -1;
 }
- self->ads_ptr = ads_init(realm, workgroup, ldap_server);
+ self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN);
 if (self->ads_ptr == NULL) {
 return -1;
 }
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index ff2154ba803..8d0752f4531 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
 dc = strip_hostname(info->dc_unc);
- ads = ads_init(info->domain_name, info->domain_name, dc);
+ ads = ads_init(info->domain_name,
+ info->domain_name,
+ dc,
+ ADS_SASL_PLAIN);
 if (!ads) {
 return WERR_GEN_FAILURE;
 }
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 154bf67f964..92bb3a22cdb 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -32,6 +32,12 @@
 #ifndef _LIBADS_ADS_PROTO_H_
 #define _LIBADS_ADS_PROTO_H_
+enum ads_sasl_state_e {
+ ADS_SASL_PLAIN = 0,
+ ADS_SASL_SIGN,
+ ADS_SASL_SEAL,
+};
+
 /* The following definitions come from libads/ads_struct.c */
 char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm);
 char *ads_build_domain(const char *dn);
 ADS_STRUCT *ads_init(const char *realm,
 const char *workgroup,
- const char *ldap_server);
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state);
 bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
 void ads_destroy(ADS_STRUCT **ads);
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 3ab682c0e38..043a1b21247 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
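Review bot: The new `enum ads_sasl_state_e` in the ads_proto.h hunk carries no comment, so a caller choosing a value cannot tell from the header what each level asks of the connection. The values are only interpreted in ads_init() later in this diff, where ADS_SASL_SIGN and ADS_SASL_SEAL OR ADS_AUTH_SASL_SIGN and ADS_AUTH_SASL_SEAL into the wrap flags and ADS_SASL_PLAIN leaves them as already computed. A short block comment above the enum would make the per-call-site choice reviewable, e.g. `/* Protection a caller requires on the LDAP SASL bind: PLAIN adds nothing, SIGN/SEAL are ORed into ads->auth.flags by ads_init(). */`. The `ads_init()` prototype hunk below it should likewise document the new `sasl_state` parameter with the same sentence.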
@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn)
 */
 ADS_STRUCT *ads_init(const char *realm,
 const char *workgroup,
- const char *ldap_server)
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state)
 {
 ADS_STRUCT *ads;
 int wrap_flags;
@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm,
 wrap_flags = 0;
 }
+ switch (sasl_state) {
+ case ADS_SASL_PLAIN:
+ break;
+ case ADS_SASL_SIGN:
+ wrap_flags |= ADS_AUTH_SASL_SIGN;
+ break;
+ case ADS_SASL_SEAL:
+ wrap_flags |= ADS_AUTH_SASL_SEAL;
+ break;
+ }
+
 ads->auth.flags = wrap_flags;
 /* Start with the configured page size when the connection is new,
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index d409d4ab78e..7bdda4b1768 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2964,7 +2964,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
 if ( !ads->ldap.ld ) {
 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
- ads->server.ldap_server )) == NULL )
+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
 {
 status = ADS_ERROR(LDAP_NO_MEMORY);
 goto done;
@@ -3026,7 +3026,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
 if ( !ads->ldap.ld ) {
 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
- ads->server.ldap_server )) == NULL )
+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
 {
 status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
 goto done;
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index b876d7ea89f..a512afc238a 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 my_ads = ads_init(dns_domain_name,
 netbios_domain_name,
- dc_name);
+ dc_name,
+ ADS_SASL_SEAL);
 if (!my_ads) {
 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 }
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index 4ee5b5278e4..f63dde61603 100644
--- a/source3/libsmb/namequery_dc.c
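Review bot: The `switch (sasl_state)` added to ads_init() in the ads_struct.c hunk at line 153 has no `default:` case, so any value outside the three enumerators falls out of the switch with no flag added and the connection is set up neither signed nor sealed — the failure direction is a plaintext bind. Since this switch is the single point where the commit turns a caller's sealing requirement into ADS_AUTH_SASL_SEAL, it should fail closed, e.g. `default: wrap_flags |= ADS_AUTH_SASL_SEAL; break;`, or reject the value by returning NULL, which every call site in this diff already treats as out-of-memory. Adding a `default:` silences the compiler's missing-enumerator warning for this switch, so the case deserves a one-line comment saying it is the fail-closed path. Whether the SEAL flag is enforced at bind time or merely requested is not visible here, and the rest of ads_init() lies outside the hunk.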
+++ b/source3/libsmb/namequery_dc.c
@@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain,
 /* Try this 3 times then give up. */
 for( i =0 ; i < 3; i++) {
- ads = ads_init(realm, domain, NULL);
+ ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN);
 if (!ads) {
 TALLOC_FREE(sitename);
 return False;
diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c
index 2588e1de7e7..a82f1361fc8 100644
--- a/source3/printing/nt_printing_ads.c
+++ b/source3/printing/nt_printing_ads.c
@@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer,
 return WERR_NOT_ENOUGH_MEMORY;
 }
- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
 if (ads == NULL) {
 result = WERR_RPC_S_SERVER_UNAVAILABLE;
 goto out;
@@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx,
 TALLOC_FREE(sinfo2);
- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
 if (!ads) {
 DEBUG(3, ("ads_init() failed\n"));
 win_rc = WERR_RPC_S_SERVER_UNAVAILABLE;
@@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx)
 tmp_ctx = talloc_new(NULL);
 if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY;
- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
 if (!ads) {
 DEBUG(3, ("ads_init() failed\n"));
 return WERR_RPC_S_SERVER_UNAVAILABLE;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d33031a0dbd..07a22098fb1 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -620,7 +620,10 @@ retry_connect:
 realm = assume_own_realm(c);
 }
- ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
+ ads = ads_init(realm,
+ c->opt_target_workgroup,
+ c->opt_host,
+ ADS_SASL_PLAIN);
 if (!c->opt_user_name) {
 c->opt_user_name = "administrator";
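Review bot: In the net_ads.c hunk at line 620 the rewritten `ads = ads_init(realm, c->opt_target_workgroup, c->opt_host, ADS_SASL_PLAIN);` is not followed by a NULL check in the visible lines, whereas every other call site in this diff tests the result before use. If no check follows later in the function — its body continues outside the hunk, so this is inferred, not seen — an allocation failure is first noticed on dereference rather than reported. The minimal fix is `if (ads == NULL) { ... }` directly after the call, returning the function's out-of-memory status as the other callers do.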
@@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha
 ADS_STRUCT *ads;
 ADS_STATUS status;
- if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
+ ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN);
+ if (ads == NULL ) {
 return -1;
 }
@@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st
 * kinit with the machine password to do dns update. */
- ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name);
+ ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN);
 if (ads_dns == NULL) {
 d_fprintf(stderr, _("DNS update failed: out of memory!\n"));
@@ -2654,7 +2658,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
 /* use the realm so we can eventually change passwords for users in realms other than default */
- if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
+ ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN);
+ if (ads == NULL) {
 return -1;
 }
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 922ca43764b..556b4523866 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 /* we don't want this to affect the users ccache */
 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
- ads = ads_init(target_realm, target_dom_name, ldap_server);
+ ads = ads_init(target_realm,
+ target_dom_name,
+ ldap_server,
+ ADS_SASL_SEAL);
 if (!ads) {
 DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
 return ADS_ERROR(LDAP_NO_MEMORY);
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 22d3dcaa92b..4bd03ed8b7a 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
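Review bot: In the net_ads_check_int() hunk the new `if (ads == NULL ) {` has a stray space before the closing parenthesis, which the project's own style in the rest of this diff does not use. The equivalent split in net_ads_password() a few hunks later is written `if (ads == NULL) {`, so the two should match. The body of net_ads_check_int() continues outside the hunk.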
@@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
 print_sockaddr(addr, sizeof(addr), pss);
- ads = ads_init(domain->alt_name, domain->name, addr);
+ ads = ads_init(domain->alt_name,
+ domain->name,
+ addr,
+ ADS_SASL_PLAIN);
 ads->auth.flags |= ADS_AUTH_NO_BIND;
 ads->config.flags |= request_flags;
 ads->server.no_fallback = true; |
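Review bot: In dcip_check_name() the result of the rewritten `ads_init(domain->alt_name, domain->name, addr, ADS_SASL_PLAIN)` is dereferenced on the very next line, `ads->auth.flags |= ADS_AUTH_NO_BIND;`, without a NULL check, while every other call site in this diff treats a NULL return as an out-of-memory error. The omission predates the commit, but these are the lines being rewritten and the natural place to close it: insert `if (ads == NULL) { return false; }` between the call and the first dereference. The function's start is outside the hunk, so whether earlier allocations need releasing on that path is not visible here; its body also continues past the hunk.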