f0fcb5fccb
- resolves: RHEL-59788
From 26797d7bd2662718b3eb795f1b8e6100d51e3ab7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Tue, 3 Sep 2024 08:48:24 +0300
Subject: [PATCH] sync machine password to keytab: handle FreeIPA use case
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FreeIPA uses its own procedure to retrieve keytabs, and during the setup of
Samba on FreeIPA client the keytab is already present, only machine
account needs to be set in the secrets database.
'sync machine password to keytab' option handling broke this use case by
always attempting to contact a domain controller and failing to do so
(Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199).
The original synchronizing machine account password to keytab feature
did not have a mechanism to disable its logic at all.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Sep 13 13:16:09 UTC 2024 on atb-devel-224
(cherry picked from commit 4f577c7b6894132be4842944f2f950b087312b16)
---
.../security/syncmachinepasswordtokeytab.xml | 29 +++++++++++++++++--
source3/libads/kerberos_keytab.c | 5 ++++
source3/utils/net.c | 8 +++++
source3/utils/testparm.c | 3 +-
4 files changed, 41 insertions(+), 4 deletions(-)
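--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -18,7 +18,11 @@ or by winbindd doing regular updates (see <smbconfoption name="machine password
 </para>
 
 <para>
-The option takes a list of keytab strings. Each string has this form:
+The option takes a list of keytab strings to describe how to synchronize
+content of those keytabs or a single 'disabled' value to disable the
+synchronization.
+
+Each string has this form:
 <programlisting>
 absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
 </programlisting>
@@ -70,8 +74,27 @@ If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC.
 </para>
 
 <para>
-If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
-where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
+If no value is present and <smbconfoption name="kerberos method"/> is different from
+'secrets only', the behavior differs between winbind and net utility:
+</para>
+<itemizedlist>
+ <listitem>
+ <para><userinput>winbind</userinput> uses value
+ <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
+ where the path to the keytab is obtained either from the krb5 library or from
+ <smbconfoption name="dedicated keytab file"/>.
+ </para>
+ </listitem>
+ <listitem>
+ <para><userinput>net changesecretpw -f</userinput> command uses the default 'disabled' value.</para>
+ </listitem>
+ <listitem><para>No other <userinput>net</userinput> subcommands use the 'disabled' value.</para></listitem>
+</itemizedlist>
+
+<para>
+If a single value 'disabled' is present, the synchronization process is
+disabled. This is required for FreeIPA domain member setup where keytab
+synchronization uses a protocol not implemented by Samba.
 </para>
 
 <para>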
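--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -904,6 +904,11 @@ NTSTATUS sync_pw2keytabs(void)
 goto params_ready;
 }
 
+ if ((*lp_ptr != NULL) && strequal_m(*lp_ptr, "disabled")) {
+ DBG_DEBUG("'sync machine password to keytab' is explicitly disabled.\n");
+ return NT_STATUS_OK;
+ }
+
 line = lp_ptr;
 while (*line) {
 DBG_DEBUG("Scanning line: %s\n", *line);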
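Review bot: The new `disabled` check at the top of the hunk looks only at the first list element, so a value such as `disabled /path/keytab:sync_spns` silently disables synchronization and drops the remaining entries, while the documentation in this commit describes `disabled` as a single value. Requiring it to be the only entry, `if ((*lp_ptr != NULL) && strequal_m(*lp_ptr, "disabled") && lp_ptr[1] == NULL) {`, lets a mixed list fall through to the existing scanning loop, where `disabled` is presumably rejected like any other entry that is not an absolute keytab path. The same first-element-only condition appears in the testparm.c hunk and should mirror whatever is chosen here, so that testparm reports what winbind will actually do. The dereference of `lp_ptr` relies on the NULL case having been handled above the hunk (the visible `goto params_ready`), which is outside this view; sync_pw2keytabs begins and ends outside the hunk.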
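--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -207,6 +207,14 @@ static int net_changesecretpw(struct net_context *c, int argc,
 struct timeval tv = timeval_current();
 NTTIME now = timeval_to_nttime(&tv);
 
+#ifdef HAVE_ADS
+ if (USE_KERBEROS_KEYTAB) {
+ if (lp_sync_machine_password_to_keytab() == NULL) {
+ lp_do_parameter(-1, "sync machine password to keytab", "disabled");
+ }
+ }
+#endif
+
 if (c->opt_stdin) {
 set_line_buffering(stdin);
 set_line_buffering(stdout);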
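Review bot: The return value of `lp_do_parameter()` in the `USE_KERBEROS_KEYTAB` branch is ignored, so if the override fails the command proceeds with the parameter still unset and sync_pw2keytabs falls back to the winbind default, which is exactly the DC-contacting path this commit is meant to avoid for FreeIPA clients. If `lp_do_parameter()` reports failure as a false return, as the rest of Samba's loadparm API does, the call should be checked: `if (!lp_do_parameter(-1, "sync machine password to keytab", "disabled")) { d_fprintf(stderr, "Failed to disable 'sync machine password to keytab'\n"); return 1; }`. A one-line comment above the block, `/* The keytab may be managed outside Samba (FreeIPA); do not contact a DC unless the admin configured synchronization explicitly. */`, would record why this default differs from winbind's. net_changesecretpw starts and ends outside the hunk.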
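--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -803,7 +803,8 @@ static int do_global_checks(void)
 "instead of 'kerberos method'.\n\n");
 }
 
- if (lp_ptr != NULL) {
+ if (lp_ptr != NULL &&
+ ((*lp_ptr != NULL) && !strequal_m(*lp_ptr, "disabled"))) {
 while (*lp_ptr) {
 ret |= pw2kt_check_line(*lp_ptr++);
 }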
--
2.46.0