89 lines
3.8 KiB
Diff
89 lines
3.8 KiB
Diff
From 35ab765554e3469daae204fb045eb4281f4f4f36 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Fri, 8 May 2015 12:09:13 +0000
|
|
Subject: [PATCH] ipaserver/dcerpc: Ensure LSA pipe has session key before
|
|
using it
|
|
|
|
With Samba 4.2 there is a bug that prevents Samba to consider Kerberos
|
|
credentials used by IPA httpd process when talking to smbd. As result,
|
|
LSA RPC connection is seen as anonymous by Samba client code and we cannot
|
|
derive session key to use for encrypting trust secrets before transmitting
|
|
them.
|
|
|
|
Additionally, rewrite of the SMB protocol support in Samba caused previously
|
|
working logic of choosing DCE RPC binding string to fail. We need to try
|
|
a different set of priorities until they fail or succeed.
|
|
|
|
Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
|
|
|
|
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
|
|
|
|
---
|
|
ipaserver/dcerpc.py | 19 ++++++++++++++-----
|
|
1 file changed, 14 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
|
index e342c49..25f8bf8 100644
|
|
--- a/ipaserver/dcerpc.py
|
|
+++ b/ipaserver/dcerpc.py
|
|
@@ -89,6 +89,10 @@ dcerpc_error_codes = {
|
|
-1073741811: # NT_STATUS_INVALID_PARAMETER
|
|
errors.RemoteRetrieveError(
|
|
reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),
|
|
+ -1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the binding
|
|
+ access_denied_error,
|
|
+ -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND
|
|
+ errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to \\\\pipe\\lsarpc')),
|
|
}
|
|
|
|
dcerpc_error_messages = {
|
|
@@ -728,16 +732,20 @@ class TrustDomainInstance(object):
|
|
return
|
|
|
|
attempts = 0
|
|
+ session_attempts = 0
|
|
bindings = self.__gen_lsa_bindings(remote_host)
|
|
for binding in bindings:
|
|
try:
|
|
self._pipe = self.__gen_lsa_connection(binding)
|
|
- if self._pipe:
|
|
+ if self._pipe and self._pipe.session_key:
|
|
break
|
|
except errors.ACIError, e:
|
|
attempts = attempts + 1
|
|
+ except RuntimeError, e:
|
|
+ # When session key is not available, we just skip this binding
|
|
+ session_attempts = session_attempts + 1
|
|
|
|
- if self._pipe is None and attempts == len(bindings):
|
|
+ if self._pipe is None and (attempts + session_attemps) == len(bindings):
|
|
raise errors.ACIError(
|
|
info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host))
|
|
|
|
@@ -745,6 +753,7 @@ class TrustDomainInstance(object):
|
|
raise errors.RemoteRetrieveError(
|
|
reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host))
|
|
self.binding = binding
|
|
+ self.session_key = self._pipe.session_key
|
|
|
|
def __gen_lsa_bindings(self, remote_host):
|
|
"""
|
|
@@ -753,11 +762,11 @@ class TrustDomainInstance(object):
|
|
Generate all we can use. init_lsa_pipe() will try them one by one until
|
|
there is one working.
|
|
|
|
- We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned.
|
|
+ We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or defaults.
|
|
"""
|
|
transports = (u'ncacn_np', u'ncacn_ip_tcp')
|
|
- options = ( u',', u'')
|
|
- binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
|
|
+ options = ( u'smb2', u'smb1', u'')
|
|
+ binding_template=lambda x,y,z: u'%s:%s[%s,print]' % (x, y, z)
|
|
return [binding_template(t, remote_host, o) for t in transports for o in options]
|
|
|
|
def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False):
|
|
--
|
|
2.4.0
|
|
|