Make sure nmb and smb initscripts return LSB compliant return codes Fix winbind over ipv6 Guenther
From 841525d4b9dcf167ae114dd656d74c510ef36c13 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
Date: Fri, 14 May 2010 23:21:47 +0200
|
|
Subject: [PATCH 1/3] s3-winbind: make the getpeername() checks in cm_prepare_connection ipv6 aware.
|
|
|
|
ipv6 gurus, please check.
|
|
|
|
Guenther
|
|
---
|
|
source3/winbindd/winbindd_cm.c | 30 +++++++++++++++++++++++++-----
|
|
1 files changed, 25 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
|
|
index 9715363..45747d4 100644
|
|
--- a/source3/winbindd/winbindd_cm.c
|
|
+++ b/source3/winbindd/winbindd_cm.c
|
|
@@ -808,11 +808,31 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
|
|
|
|
peeraddr_len = sizeof(peeraddr);
|
|
|
|
- if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
|
|
- (peeraddr_len != sizeof(struct sockaddr_in)) ||
|
|
- (peeraddr_in->sin_family != PF_INET))
|
|
- {
|
|
- DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
|
|
+ if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0)) {
|
|
+ DEBUG(0,("cm_prepare_connection: getpeername failed with: %s\n",
|
|
+ strerror(errno)));
|
|
+ result = NT_STATUS_UNSUCCESSFUL;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ if ((peeraddr_len != sizeof(struct sockaddr_in))
|
|
+#ifdef HAVE_IPV6
|
|
+ && (peeraddr_len != sizeof(struct sockaddr_in6))
|
|
+#endif
|
|
+ ) {
|
|
+ DEBUG(0,("cm_prepare_connection: got unexpected peeraddr len %d\n",
|
|
+ peeraddr_len));
|
|
+ result = NT_STATUS_UNSUCCESSFUL;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ if ((peeraddr_in->sin_family != PF_INET)
|
|
+#ifdef HAVE_IPV6
|
|
+ && (peeraddr_in->sin_family != PF_INET6)
|
|
+#endif
|
|
+ ) {
|
|
+ DEBUG(0,("cm_prepare_connection: got unexpected family %d\n",
|
|
+ peeraddr_in->sin_family));
|
|
result = NT_STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
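Review bot: The length test and the family test are evaluated independently, so a result whose length is `sizeof(struct sockaddr_in6)` but whose family is `PF_INET` (or the reverse) passes both. Pairing them per family would close that, e.g. `(family == AF_INET && peeraddr_len == sizeof(struct sockaddr_in))` with the matching IPv6 arm under `HAVE_IPV6`. The family is also still read through `peeraddr_in->sin_family`, a `struct sockaddr_in` view, even when the peer is IPv6; reading `sa_family` from the generic sockaddr states the intent directly. The declaration of `peeraddr` is outside this hunk: if it is still a plain `struct sockaddr` it is too small to hold an IPv6 address and should become `struct sockaddr_storage`. Assuming `peeraddr_len` is a `socklen_t`, the new `%d` needs a cast, `(int)peeraddr_len`.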
|
|
--
|
|
1.6.6.1
|
|
|
|
|
|
From 435ba0625599388f585759738554ddb509ce3c54 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
Date: Fri, 14 May 2010 23:23:34 +0200
|
|
Subject: [PATCH 2/3] s3-kerberos: pass down kdc_name to create_local_private_krb5_conf_for_domain().
|
|
|
|
Guenther
|
|
---
|
|
source3/include/proto.h | 3 ++-
|
|
source3/libads/kerberos.c | 19 ++++++++++++-------
|
|
source3/libsmb/namequery_dc.c | 6 ++++--
|
|
source3/winbindd/winbindd_cm.c | 6 ++++--
|
|
4 files changed, 22 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/source3/include/proto.h b/source3/include/proto.h
|
|
index 91b6bd9..b633d9e 100644
|
|
--- a/source3/include/proto.h
|
|
+++ b/source3/include/proto.h
|
|
@@ -1821,7 +1821,8 @@ int kerberos_kinit_password(const char *principal,
|
|
bool create_local_private_krb5_conf_for_domain(const char *realm,
|
|
const char *domain,
|
|
const char *sitename,
|
|
- struct sockaddr_storage *pss);
|
|
+ struct sockaddr_storage *pss,
|
|
+ const char *kdc_name);
|
|
|
|
/* The following definitions come from libads/kerberos_keytab.c */
|
|
|
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
|
index 7fb4ec3..01a88e8 100644
|
|
--- a/source3/libads/kerberos.c
|
|
+++ b/source3/libads/kerberos.c
|
|
@@ -715,7 +715,8 @@ int kerberos_kinit_password(const char *principal,
|
|
|
|
static char *print_kdc_line(char *mem_ctx,
|
|
const char *prev_line,
|
|
- const struct sockaddr_storage *pss)
|
|
+ const struct sockaddr_storage *pss,
|
|
+ const char *kdc_name)
|
|
{
|
|
char *kdc_str = NULL;
|
|
|
|
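Review bot: `kdc_name` is added to `print_kdc_line` here, but nothing in this commit reads it and no comment says what it names or whether it may be NULL. The two loops in `get_kdc_ip_string` further down this file section pass `NULL`, so NULL is evidently a valid value. A header comment would make that contract explicit, for example `/* kdc_name: host name of the server at pss, or NULL if unknown */`, if that is the intended meaning. The same sentence would fit above `get_kdc_ip_string` and `create_local_private_krb5_conf_for_domain`, whose signatures change in the later hunks. The body of `print_kdc_line` continues outside this hunk.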
@@ -772,14 +773,15 @@ static char *print_kdc_line(char *mem_ctx,
|
|
static char *get_kdc_ip_string(char *mem_ctx,
|
|
const char *realm,
|
|
const char *sitename,
|
|
- struct sockaddr_storage *pss)
|
|
+ struct sockaddr_storage *pss,
|
|
+ const char *kdc_name)
|
|
{
|
|
int i;
|
|
struct ip_service *ip_srv_site = NULL;
|
|
struct ip_service *ip_srv_nonsite = NULL;
|
|
int count_site = 0;
|
|
int count_nonsite;
|
|
- char *kdc_str = print_kdc_line(mem_ctx, "", pss);
|
|
+ char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
|
|
|
|
if (kdc_str == NULL) {
|
|
return NULL;
|
|
@@ -803,7 +805,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
|
* but not done often. */
|
|
kdc_str = print_kdc_line(mem_ctx,
|
|
kdc_str,
|
|
- &ip_srv_site[i].ss);
|
|
+ &ip_srv_site[i].ss,
|
|
+ NULL);
|
|
if (!kdc_str) {
|
|
SAFE_FREE(ip_srv_site);
|
|
return NULL;
|
|
@@ -840,7 +843,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
|
/* Append to the string - inefficient but not done often. */
|
|
kdc_str = print_kdc_line(mem_ctx,
|
|
kdc_str,
|
|
- &ip_srv_nonsite[i].ss);
|
|
+ &ip_srv_nonsite[i].ss,
|
|
+ NULL);
|
|
if (!kdc_str) {
|
|
SAFE_FREE(ip_srv_site);
|
|
SAFE_FREE(ip_srv_nonsite);
|
|
@@ -868,7 +872,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
|
bool create_local_private_krb5_conf_for_domain(const char *realm,
|
|
const char *domain,
|
|
const char *sitename,
|
|
- struct sockaddr_storage *pss)
|
|
+ struct sockaddr_storage *pss,
|
|
+ const char *kdc_name)
|
|
{
|
|
char *dname;
|
|
char *tmpname = NULL;
|
|
@@ -912,7 +917,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
|
|
realm_upper = talloc_strdup(fname, realm);
|
|
strupper_m(realm_upper);
|
|
|
|
- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
|
|
+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
|
|
if (!kdc_ip_string) {
|
|
goto done;
|
|
}
|
|
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
|
|
index 3b3470d..cebd793 100644
|
|
--- a/source3/libsmb/namequery_dc.c
|
|
+++ b/source3/libsmb/namequery_dc.c
|
|
@@ -109,12 +109,14 @@ static bool ads_dc_name(const char *domain,
|
|
create_local_private_krb5_conf_for_domain(realm,
|
|
domain,
|
|
sitename,
|
|
- &ads->ldap.ss);
|
|
+ &ads->ldap.ss,
|
|
+ ads->config.ldap_server_name);
|
|
} else {
|
|
create_local_private_krb5_conf_for_domain(realm,
|
|
domain,
|
|
NULL,
|
|
- &ads->ldap.ss);
|
|
+ &ads->ldap.ss,
|
|
+ ads->config.ldap_server_name);
|
|
}
|
|
}
|
|
#endif
|
|
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
|
|
index 45747d4..5ea5196 100644
|
|
--- a/source3/winbindd/winbindd_cm.c
|
|
+++ b/source3/winbindd/winbindd_cm.c
|
|
@@ -1152,7 +1152,8 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
|
|
create_local_private_krb5_conf_for_domain(domain->alt_name,
|
|
domain->name,
|
|
sitename,
|
|
- pss);
|
|
+ pss,
|
|
+ name);
|
|
|
|
SAFE_FREE(sitename);
|
|
} else {
|
|
@@ -1160,7 +1161,8 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
|
|
create_local_private_krb5_conf_for_domain(domain->alt_name,
|
|
domain->name,
|
|
NULL,
|
|
- pss);
|
|
+ pss,
|
|
+ name);
|
|
}
|
|
winbindd_set_locator_kdc_envs(domain);
|
|
|
|
--
|
|
1.6.6.1
|
|
|
|
|
|
From 06135ae36667c96fe28b69724393323727e82ba6 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
Date: Sat, 15 May 2010 00:34:35 +0200
|
|
Subject: [PATCH 3/3] s3-kerberos: temporary fix for ipv6 in print_kdc_line().
|
|
|
|
Currently no krb5 lib supports "kdc = ipv6 address" at all, so for now just fill
|
|
in just the kdc_name if we have it and let the krb5 lib figure out the
|
|
appropriate ipv6 address
|
|
|
|
ipv6 gurus, please check.
|
|
|
|
Guenther
|
|
---
|
|
source3/libads/kerberos.c | 25 ++++++++++++++++++++-----
|
|
1 files changed, 20 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
|
index 01a88e8..c78b8b8 100644
|
|
--- a/source3/libads/kerberos.c
|
|
+++ b/source3/libads/kerberos.c
|
|
@@ -728,6 +728,9 @@ static char *print_kdc_line(char *mem_ctx,
|
|
char addr[INET6_ADDRSTRLEN];
|
|
uint16_t port = get_sockaddr_port(pss);
|
|
|
|
+ DEBUG(10,("print_kdc_line: IPV6 case for kdc_name: %s, port: %d\n",
|
|
+ kdc_name, port));
|
|
+
|
|
if (port != 0 && port != DEFAULT_KRB5_PORT) {
|
|
/* Currently for IPv6 we can't specify a non-default
|
|
krb5 port with an address, as this requires a ':'.
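Review bot: The added `DEBUG(10, ...)` formats `kdc_name` with `%s`, but patch 2/3 passes `NULL` for this argument from both loops in `get_kdc_ip_string`. Assuming `DEBUG` forwards to printf-style formatting, a null pointer for `%s` is undefined behaviour and some C libraries crash on it rather than printing "(null)". Guard the argument: `kdc_name ? kdc_name : "(none)"`. `port` is a `uint16_t` printed with `%d`; `%u` with `(unsigned int)port` would match the `talloc_asprintf` call in the next hunk. The enclosing function starts and ends outside this hunk.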
|
|
@@ -744,6 +747,7 @@ static char *print_kdc_line(char *mem_ctx,
|
|
"Error %s\n.",
|
|
print_canonical_sockaddr(mem_ctx, pss),
|
|
gai_strerror(ret)));
|
|
+ return NULL;
|
|
}
|
|
/* Success, use host:port */
|
|
kdc_str = talloc_asprintf(mem_ctx,
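Review bot: With the added `return NULL`, a single KDC on a non-default port that cannot be reverse-resolved now fails the whole krb5.conf generation. The callers visible in patch 2/3 treat a NULL from `print_kdc_line` as fatal (`if (!kdc_str) { ... return NULL; }` in `get_kdc_ip_string`, then `goto done` in `create_local_private_krb5_conf_for_domain`). Stopping before `hostname` is formatted is right, since it is presumably only filled on success. The caller loops may still want to skip that one entry and keep the lines already built, which would be a change in `get_kdc_ip_string`, outside this hunk. At minimum add a comment here such as `/* NULL now also means "could not resolve", not only out of memory */`.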
|
|
@@ -752,11 +756,22 @@ static char *print_kdc_line(char *mem_ctx,
|
|
hostname,
|
|
(unsigned int)port);
|
|
} else {
|
|
- kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
|
|
- prev_line,
|
|
- print_sockaddr(addr,
|
|
- sizeof(addr),
|
|
- pss));
|
|
+
|
|
+ /* no krb5 lib currently supports "kdc = ipv6 address"
|
|
+ * at all, so just fill in just the kdc_name if we have
|
|
+ * it and let the krb5 lib figure out the appropriate
|
|
+ * ipv6 address - gd */
|
|
+
|
|
+ if (kdc_name) {
|
|
+ kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
|
|
+ prev_line, kdc_name);
|
|
+ } else {
|
|
+ kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
|
|
+ prev_line,
|
|
+ print_sockaddr(addr,
|
|
+ sizeof(addr),
|
|
+ pss));
|
|
+ }
|
|
}
|
|
}
|
|
return kdc_str;
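Review bot: In the new `if (kdc_name)` branch the name is written into the generated krb5.conf with `"%s\tkdc = %s\n"` and no syntax check. Patch 2/3 feeds it from `ads->config.ldap_server_name` and from `name` in `dcip_to_name`, which look like values learned during DC discovery, so a name containing whitespace, a newline or a brace would change the structure of the file that the krb5 library then parses. If nothing upstream already guarantees a plain DNS host name, check that here (letters, digits, `-` and `.` only, non-empty) and fall back to the address branch otherwise. Separately, the entries that `get_kdc_ip_string` appends with `NULL` still emit the bare IPv6 address that the new comment says no krb5 library accepts, so the comment should say the workaround covers only the first KDC line.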
|
|
--
|
|
1.6.6.1
|
|
|