author | Günther Deschner <gd@samba.org> | 2016-03-11 23:15:06 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-03-14 19:38:48 +0100 |
commit | 06aefe4b956ae8748e20ae4c730aa344e81808b6 (patch) | |
tree | 5b9f600f3a7b0f69b5a20d3caa53526293a92d0e /source3/libnet | |
parent | 5d498d1b4d9b83f179fb7b2841a19ad984eec5f8 (diff) | |
s3:libnet:libnet_join: update msDS-SupportedEncryptionTypes (if required) with machine creds.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144
Diffstat (limited to 'source3/libnet')
-rw-r--r-- | source3/libnet/libnet_join.c | 59 |
1 files changed, 55 insertions, 4 deletions
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index ac7e3efdbde..235592c4f24 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx, /**************************************************************** ****************************************************************/ -#if 0 + static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r) { return libnet_join_connect_ads(mem_ctx, r, true); } -#endif + /**************************************************************** ****************************************************************/ @@ -684,7 +684,7 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, /**************************************************************** ****************************************************************/ -#if 0 + static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r) { @@ -731,7 +731,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, return ADS_SUCCESS; } -#endif + /**************************************************************** ****************************************************************/ @@ -809,6 +809,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r) { ADS_STATUS status; + bool need_etype_update = false; if (!r->in.ads) { status = libnet_join_connect_ads_user(mem_ctx, r); 
@@ -843,6 +844,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, return status; } + status = libnet_join_find_machine_acct(mem_ctx, r); + if (!ADS_ERR_OK(status)) { + return status; + } + + if (r->in.desired_encryption_types != r->out.set_encryption_types) { + uint32_t func_level = 0; + + status = ads_domain_func_level(r->in.ads, &func_level); + if (!ADS_ERR_OK(status)) { + libnet_join_set_error_string(mem_ctx, r, + "failed to query domain controller functional level: %s", + ads_errstr(status)); + return status; + } + + if (func_level >= DS_DOMAIN_FUNCTION_2008) { + need_etype_update = true; + } + } + + if (need_etype_update) { + /* + * We need to reconnect as machine account in order + * to update msDS-SupportedEncryptionTypes reliable + */ + + if (r->in.ads->auth.ccache_name != NULL) { + ads_kdestroy(r->in.ads->auth.ccache_name); + } + + ads_destroy(&r->in.ads); + + status = libnet_join_connect_ads_machine(mem_ctx, r); + if (!ADS_ERR_OK(status)) { + libnet_join_set_error_string(mem_ctx, r, + "Failed to connect as machine account: %s", + ads_errstr(status)); + return status; + } + + status = libnet_join_set_etypes(mem_ctx, r); + if (!ADS_ERR_OK(status)) { + libnet_join_set_error_string(mem_ctx, r, + "failed to set machine kerberos encryption types: %s", + ads_errstr(status)); + return status; + } + } + if (!libnet_join_derive_salting_principal(mem_ctx, r)) { return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); } |
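Review bot: On the error return after `libnet_join_connect_ads_machine()`, `r->in.ads` has already been released by `ads_destroy(&r->in.ads)`, although the start of this function only opens a connection when `r->in.ads` is unset, so a connection handed in by the caller appears to be dropped as well. Whether later cleanup or the caller still dereferences it is not visible in this hunk, so I would state the ownership above the teardown, e.g. `/* drops the join user's connection, including one passed in by the caller; it is not restored if the machine connect fails */`. The result of `ads_kdestroy()` is discarded, so a join user's ticket cache that could not be removed goes unnoticed; checking it and logging the failure would make leftover administrator tickets visible. When the domain functional level is below `DS_DOMAIN_FUNCTION_2008`, the mismatch between `desired_encryption_types` and `set_encryption_types` is skipped without any message, which deserves a short comment or debug line so an unapplied encryption-type policy can be diagnosed. The enclosing function starts and ends outside the hunk.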