610 lines
23 KiB
Diff
610 lines
23 KiB
Diff
From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
|
|
Date: Mon, 10 Feb 2020 19:19:44 +0100
|
|
Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Required for working certificate verification.
|
|
|
|
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
|
|
Signed-off-by: Björn Baumbach <bb@sernet.de>
|
|
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
|
|
|
|
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
|
|
Autobuild-Date(master): Thu Mar 5 12:29:26 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72)
|
|
---
|
|
source3/libads/ldap.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
|
index 7ef7e7e8420..b7f819d876b 100755
|
|
--- a/source3/libads/ldap.c
|
|
+++ b/source3/libads/ldap.c
|
|
@@ -669,7 +669,7 @@ got_connection:
|
|
|
|
/* Otherwise setup the TCP LDAP session */
|
|
|
|
- ads->ldap.ld = ldap_open_with_timeout(addr,
|
|
+ ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
|
|
&ads->ldap.ss,
|
|
ads->ldap.port, lp_ldap_timeout());
|
|
if (ads->ldap.ld == NULL) {
|
|
--
|
|
2.25.4
|
|
|
|
|
|
From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
|
|
Date: Wed, 3 Jun 2020 19:40:59 +0200
|
|
Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap
|
|
session if possible
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Use the known ip address of the ldap server to open the connection and
|
|
initialize the ldap session with ldap_init_fd().
|
|
|
|
This avoid unnecessary DNS lookups which might block or prevent the
|
|
successful connection.
|
|
|
|
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
|
|
|
|
Signed-off-by: Björn Baumbach <bb@sernet.de>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
(cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0)
|
|
---
|
|
source3/libads/ldap.c | 18 +++++++++++++++++-
|
|
1 file changed, 17 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
|
index b7f819d876b..36e73440495 100755
|
|
--- a/source3/libads/ldap.c
|
|
+++ b/source3/libads/ldap.c
|
|
@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum)
|
|
return NULL;
|
|
}
|
|
|
|
-#ifdef HAVE_LDAP_INITIALIZE
|
|
+#ifdef HAVE_LDAP_INIT_FD
|
|
+ {
|
|
+ int fd = -1;
|
|
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
|
|
+
|
|
+ status = open_socket_out(ss, port, to, &fd);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+/* define LDAP_PROTO_TCP from openldap.h if required */
|
|
+#ifndef LDAP_PROTO_TCP
|
|
+#define LDAP_PROTO_TCP 1
|
|
+#endif
|
|
+ ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
|
|
+ }
|
|
+#elif defined(HAVE_LDAP_INITIALIZE)
|
|
ldap_err = ldap_initialize(&ldp, uri);
|
|
#else
|
|
ldp = ldap_open(server, port);
|
|
--
|
|
2.25.4
|
|
|
|
|
|
From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Mon, 29 Jun 2020 16:55:33 +0300
|
|
Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++
|
|
selftest/knownfail.d/net_ads_tls | 1 +
|
|
source4/selftest/tests.py | 7 ++
|
|
testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++
|
|
4 files changed, 94 insertions(+)
|
|
create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
|
|
create mode 100644 selftest/knownfail.d/net_ads_tls
|
|
create mode 100755 testprogs/blackbox/test_net_ads_base.sh
|
|
|
|
diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
|
|
new file mode 100644
|
|
index 00000000000..b16a39d134d
|
|
--- /dev/null
|
|
+++ b/selftest/knownfail.d/net_ads_ntlm_fallback
|
|
@@ -0,0 +1,10 @@
|
|
+# net-ads commands that fail with: --option=gensec:gse_krb5=no
|
|
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
|
|
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
|
|
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
|
|
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
|
|
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
|
|
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
|
|
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
|
|
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
|
|
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
|
|
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
|
|
new file mode 100644
|
|
index 00000000000..251c948b6a9
|
|
--- /dev/null
|
|
+++ b/selftest/knownfail.d/net_ads_tls
|
|
@@ -0,0 +1 @@
|
|
+^samba4.blackbox.net_ads_tls
|
|
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
|
|
index 1d965c751a4..a394afa177f 100755
|
|
--- a/source4/selftest/tests.py
|
|
+++ b/source4/selftest/tests.py
|
|
@@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien
|
|
plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
|
|
plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
|
|
plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
|
|
+
|
|
+for nomech in ["none", "gse_krb5", "ntlmssp"]:
|
|
+ # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
|
|
+ plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
|
|
+ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
|
|
+ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
|
|
+
|
|
plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
|
|
# json tests hook into ``chgdcpass'' to make them run in contributor CI on
|
|
# gitlab
|
|
diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
|
|
new file mode 100755
|
|
index 00000000000..59e3da67a7f
|
|
--- /dev/null
|
|
+++ b/testprogs/blackbox/test_net_ads_base.sh
|
|
@@ -0,0 +1,76 @@
|
|
+#!/bin/sh
|
|
+
|
|
+if [ $# -lt 5 ]; then
|
|
+cat <<EOF
|
|
+Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
|
|
+EOF
|
|
+exit 1;
|
|
+fi
|
|
+
|
|
+DC_SERVER=$1
|
|
+DC_USERNAME=$2
|
|
+DC_PASSWORD=$3
|
|
+TLS_MODE=$4
|
|
+NO_MECH=$5
|
|
+BASEDIR=$6
|
|
+shift 6
|
|
+
|
|
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
|
|
+HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
|
|
+LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
|
|
+
|
|
+RUNDIR=`pwd`
|
|
+cd $BASEDIR
|
|
+WORKDIR=`mktemp -d -p .`
|
|
+WORKDIR=`basename $WORKDIR`
|
|
+cp -a client/* $WORKDIR/
|
|
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
|
|
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
|
|
+sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
|
|
+sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
|
|
+rm -f $WORKDIR/private/secrets.tdb
|
|
+cd $RUNDIR
|
|
+
|
|
+failed=0
|
|
+
|
|
+export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
|
|
+
|
|
+xoptions=""
|
|
+if [ $TLS_MODE != "no" ]; then
|
|
+ xoptions="--option=ldapsslads=yes"
|
|
+fi
|
|
+
|
|
+if [ $NO_MECH != "none" ]; then
|
|
+ xoptions="$xoptions --option=gensec:$NO_MECH=no"
|
|
+fi
|
|
+
|
|
+if [ $TLS_MODE = "noverify" ]; then
|
|
+ export LDAPTLS_REQCERT=allow
|
|
+fi
|
|
+
|
|
+net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
|
|
+
|
|
+# Load test functions
|
|
+. `dirname $0`/subunit.sh
|
|
+
|
|
+testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
|
|
+
|
|
+testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
|
|
+
|
|
+testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
|
|
+
|
|
+tls_log="StartTLS issued: using a TLS connection"
|
|
+opt="-d3 --option=ldapssl=off"
|
|
+if [ $TLS_MODE != "no" ]; then
|
|
+ testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
|
|
+fi
|
|
+
|
|
+testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
|
|
+
|
|
+testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
|
|
+
|
|
+testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
+
|
|
+rm -rf $BASEDIR/$WORKDIR
|
|
+
|
|
+exit $failed
|
|
--
|
|
2.25.4
|
|
|
|
|
|
From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Wed, 24 Jun 2020 15:28:45 +0300
|
|
Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
WHATSNEW.txt | 6 +++++
|
|
docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 ++----
|
|
source3/include/smbldap.h | 1 +
|
|
source3/lib/ABI/smbldap-2.1.0.sigs | 33 +++++++++++++++++++++++++
|
|
source3/lib/smbldap.c | 19 +++++++++-----
|
|
source3/libads/ldap.c | 2 +-
|
|
source3/wscript_build | 2 +-
|
|
7 files changed, 57 insertions(+), 13 deletions(-)
|
|
create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs
|
|
|
|
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
|
|
index a5b554fe11f..8935876d247 100644
|
|
--- a/WHATSNEW.txt
|
|
+++ b/WHATSNEW.txt
|
|
@@ -557,6 +557,12 @@ CTDB changes
|
|
helper exits. This triggers an election.
|
|
|
|
|
|
+The "ldap ssl ads" option no longer depends on "ldap ssl" option:
|
|
+-----------------------------------------------------------------
|
|
+With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
|
|
+is off.
|
|
+
|
|
+
|
|
REMOVED FEATURES
|
|
================
|
|
|
|
diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
|
|
index 98c39651f1e..f99afe5bbad 100644
|
|
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
|
|
+++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
|
|
@@ -7,13 +7,10 @@
|
|
<para>This option is used to define whether or not Samba should
|
|
use SSL when connecting to the ldap server using
|
|
<emphasis>ads</emphasis> methods.
|
|
- Rpc methods are not affected by this parameter. Please note, that
|
|
- this parameter won't have any effect if <smbconfoption name="ldap ssl"/>
|
|
- is set to <parameter>no</parameter>.
|
|
+ Rpc methods are not affected by this parameter.
|
|
</para>
|
|
|
|
- <para>See <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
- for more information on <smbconfoption name="ldap ssl"/>.
|
|
+ <para>See also <smbconfoption name="ldap ssl"/>.
|
|
</para>
|
|
|
|
</description>
|
|
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
|
|
index 878268aebd6..d063f44afbc 100644
|
|
--- a/source3/include/smbldap.h
|
|
+++ b/source3/include/smbldap.h
|
|
@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state,
|
|
const char *dn,
|
|
LDAPMod *attrs[]);
|
|
int smbldap_start_tls(LDAP *ldap_struct, int version);
|
|
+int smbldap_start_tls_start(LDAP *ldap_struct, int version);
|
|
int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri);
|
|
int smbldap_search(struct smbldap_state *ldap_state,
|
|
const char *base, int scope, const char *filter,
|
|
diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs
|
|
new file mode 100644
|
|
index 00000000000..67dcc9a8a78
|
|
--- /dev/null
|
|
+++ b/source3/lib/ABI/smbldap-2.1.0.sigs
|
|
@@ -0,0 +1,33 @@
|
|
+smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **)
|
|
+smbldap_delete: int (struct smbldap_state *, const char *)
|
|
+smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **)
|
|
+smbldap_free_struct: void (struct smbldap_state **)
|
|
+smbldap_get_ldap: LDAP *(struct smbldap_state *)
|
|
+smbldap_get_paged_results: bool (struct smbldap_state *)
|
|
+smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int)
|
|
+smbldap_has_control: bool (LDAP *, const char *)
|
|
+smbldap_has_extension: bool (LDAP *, const char *)
|
|
+smbldap_has_naming_context: bool (LDAP *, const char *)
|
|
+smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **)
|
|
+smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *)
|
|
+smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *)
|
|
+smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **)
|
|
+smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *)
|
|
+smbldap_search: int (struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **)
|
|
+smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **)
|
|
+smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **)
|
|
+smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *)
|
|
+smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *)
|
|
+smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *)
|
|
+smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *)
|
|
+smbldap_set_paged_results: void (struct smbldap_state *, bool)
|
|
+smbldap_setup_full_conn: int (LDAP **, const char *)
|
|
+smbldap_start_tls: int (LDAP *, int)
|
|
+smbldap_start_tls_start: int (LDAP *, int)
|
|
+smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **)
|
|
+smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *)
|
|
+smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *)
|
|
+smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
|
|
+smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
|
|
+smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *)
|
|
+smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
|
|
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
|
|
index 34c841f9243..4815dd81fc3 100644
|
|
--- a/source3/lib/smbldap.c
|
|
+++ b/source3/lib/smbldap.c
|
|
@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
|
|
}
|
|
|
|
/********************************************************************
|
|
- start TLS on an existing LDAP connection
|
|
+ start TLS on an existing LDAP connection per config
|
|
*******************************************************************/
|
|
|
|
int smbldap_start_tls(LDAP *ldap_struct, int version)
|
|
-{
|
|
-#ifdef LDAP_OPT_X_TLS
|
|
- int rc,tls;
|
|
-#endif
|
|
-
|
|
+{
|
|
if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
|
|
return LDAP_SUCCESS;
|
|
}
|
|
|
|
+ return smbldap_start_tls_start(ldap_struct, version);
|
|
+}
|
|
+
|
|
+/********************************************************************
|
|
+ start TLS on an existing LDAP connection unconditionally
|
|
+*******************************************************************/
|
|
+
|
|
+int smbldap_start_tls_start(LDAP *ldap_struct, int version)
|
|
+{
|
|
#ifdef LDAP_OPT_X_TLS
|
|
+ int rc,tls;
|
|
+
|
|
/* check if we use ldaps already */
|
|
ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
|
|
if (tls == LDAP_OPT_X_TLS_HARD) {
|
|
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
|
index 36e73440495..16c32b2d5a7 100755
|
|
--- a/source3/libads/ldap.c
|
|
+++ b/source3/libads/ldap.c
|
|
@@ -703,7 +703,7 @@ got_connection:
|
|
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
|
|
|
|
if ( lp_ldap_ssl_ads() ) {
|
|
- status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
|
|
+ status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version));
|
|
if (!ADS_ERR_OK(status)) {
|
|
goto out;
|
|
}
|
|
diff --git a/source3/wscript_build b/source3/wscript_build
|
|
index 10d9f71ae76..76d01a78f64 100644
|
|
--- a/source3/wscript_build
|
|
+++ b/source3/wscript_build
|
|
@@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap',
|
|
abi_directory='lib/ABI',
|
|
abi_match='smbldap_*',
|
|
pc_files=[],
|
|
- vnum='2',
|
|
+ vnum='2.1.0',
|
|
public_headers='include/smbldap.h include/smb_ldap.h')
|
|
|
|
bld.SAMBA3_LIBRARY('ads',
|
|
--
|
|
2.25.4
|
|
|
|
|
|
From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 2 Jul 2020 10:59:18 +0200
|
|
Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
source3/libads/ads_proto.h | 2 +-
|
|
source3/libads/ads_struct.c | 8 ++++++--
|
|
2 files changed, 7 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
|
|
index cd9c1082681..6cdde0cf6eb 100644
|
|
--- a/source3/libads/ads_proto.h
|
|
+++ b/source3/libads/ads_proto.h
|
|
@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm,
|
|
const char *workgroup,
|
|
const char *ldap_server,
|
|
enum ads_sasl_state_e sasl_state);
|
|
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
|
|
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags);
|
|
void ads_destroy(ADS_STRUCT **ads);
|
|
|
|
/* The following definitions come from libads/disp_sec.c */
|
|
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
|
|
index 043a1b21247..67a9a7cf75e 100644
|
|
--- a/source3/libads/ads_struct.c
|
|
+++ b/source3/libads/ads_struct.c
|
|
@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm,
|
|
/****************************************************************
|
|
****************************************************************/
|
|
|
|
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags)
|
|
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags)
|
|
{
|
|
+ unsigned other_flags;
|
|
+
|
|
if (!ads) {
|
|
return false;
|
|
}
|
|
|
|
- ads->auth.flags = flags;
|
|
+ other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL);
|
|
+
|
|
+ ads->auth.flags = flags | other_flags;
|
|
|
|
return true;
|
|
}
|
|
--
|
|
2.25.4
|
|
|
|
|
|
From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 2 Jul 2020 09:33:12 +0200
|
|
Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
WHATSNEW.txt | 5 +++++
|
|
selftest/knownfail.d/net_ads_tls | 1 -
|
|
source3/libads/ldap.c | 4 ++++
|
|
3 files changed, 9 insertions(+), 1 deletion(-)
|
|
delete mode 100644 selftest/knownfail.d/net_ads_tls
|
|
|
|
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
|
|
index 8935876d247..927b9a0fa59 100644
|
|
--- a/WHATSNEW.txt
|
|
+++ b/WHATSNEW.txt
|
|
@@ -562,6 +562,11 @@ The "ldap ssl ads" option no longer depends on "ldap ssl" option:
|
|
With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
|
|
is off.
|
|
|
|
+The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
|
|
+-----------------------------------------------------------------------
|
|
+This is now done implicitly when over TLS, so "client ldap sasl wrapping"
|
|
+does not need to be set to "plain" in order for it to work.
|
|
+
|
|
|
|
REMOVED FEATURES
|
|
================
|
|
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
|
|
deleted file mode 100644
|
|
index 251c948b6a9..00000000000
|
|
--- a/selftest/knownfail.d/net_ads_tls
|
|
+++ /dev/null
|
|
@@ -1 +0,0 @@
|
|
-^samba4.blackbox.net_ads_tls
|
|
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
|
index 16c32b2d5a7..3f41e990085 100755
|
|
--- a/source3/libads/ldap.c
|
|
+++ b/source3/libads/ldap.c
|
|
@@ -707,6 +707,10 @@ got_connection:
|
|
if (!ADS_ERR_OK(status)) {
|
|
goto out;
|
|
}
|
|
+ if (!ads_set_sasl_wrap_flags(ads, 0)) {
|
|
+ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
|
|
+ goto out;
|
|
+ }
|
|
}
|
|
|
|
/* fill in the current time and offsets */
|
|
--
|
|
2.25.4
|
|
|
|
|
|
From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Sat, 11 Jul 2020 05:04:59 +0200
|
|
Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over
|
|
TLS
|
|
|
|
From local tests with strace:
|
|
|
|
socket(AF_UNIX, SOCK_STREAM, 0) = 12
|
|
write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38
|
|
...
|
|
write(2, "ads_domain_func_level: 3\n", 25) = 25
|
|
write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36
|
|
write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe)
|
|
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} ---
|
|
+++ killed by SIGPIPE +++
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
|
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
|
|
Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184
|
|
---
|
|
source3/utils/net.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/source3/utils/net.c b/source3/utils/net.c
|
|
index 683b46794e4..e289b2814bc 100644
|
|
--- a/source3/utils/net.c
|
|
+++ b/source3/utils/net.c
|
|
@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c,
|
|
POPT_TABLEEND
|
|
};
|
|
|
|
+ /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */
|
|
+ BlockSignals(True, SIGPIPE);
|
|
+
|
|
zero_sockaddr(&c->opt_dest_ip);
|
|
|
|
setup_logging(argv[0], DEBUG_STDERR);
|
|
--
|
|
2.25.4
|
|
|
|
From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Tue, 14 Jul 2020 22:38:06 +0200
|
|
Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
---
|
|
source3/libads/ldap.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
|
index 1ffe96d32c9..d431156912f 100755
|
|
--- a/source3/libads/ldap.c
|
|
+++ b/source3/libads/ldap.c
|
|
@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum)
|
|
{
|
|
int fd = -1;
|
|
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
|
|
+ unsigned timeout_ms = 1000 * to;
|
|
|
|
- status = open_socket_out(ss, port, to, &fd);
|
|
+ status = open_socket_out(ss, port, timeout_ms, &fd);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
+ DEBUG(3, ("open_socket_out: failed to open socket\n"));
|
|
return NULL;
|
|
}
|
|
|
|
--
|
|
2.25.4
|
|
|