]> git.ipfire.org Git - ipfire-2.x.git/blame - src/patches/samba/samba-3.6.23-fix_libads_krb5_ipv6.patch
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
1From 918ac8f0ed19aeaa4718fa94fcabe87d0419d768 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3Date: Mon, 13 Jan 2014 15:59:26 +0100
4Subject: [PATCH 1/5] PATCHSET11: s3-kerberos: remove print_kdc_line()
5 completely.
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Just calling print_canonical_sockaddr() is sufficient, as it already deals with
11ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
12removed as well. It was pointless because it always derived the port number from
13the provided address which was either a SMB (usually port 445) or LDAP
14connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
15Finally, the kerberos libraries that we support and build with, can deal with
16ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
17resolving the DC name on the kerberos library anymore.
18
19Guenther
20
21Signed-off-by: Günther Deschner <gd@samba.org>
22Reviewed-by: Andreas Schneider <asn@samba.org>
23
24Conflicts:
25 source3/libads/kerberos.c
26---
27 source3/libads/kerberos.c | 86 +++++------------------------------------------
28 1 file changed, 9 insertions(+), 77 deletions(-)
29
30diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
31index 1153ccb..064e5f7 100644
32--- a/source3/libads/kerberos.c
33+++ b/source3/libads/kerberos.c
34@@ -661,73 +661,6 @@ int kerberos_kinit_password(const char *principal,
35 }
36
37 /************************************************************************
38-************************************************************************/
39-
40-static char *print_kdc_line(char *mem_ctx,
41- const char *prev_line,
42- const struct sockaddr_storage *pss,
43- const char *kdc_name)
44-{
45- char *kdc_str = NULL;
46-
47- if (pss->ss_family == AF_INET) {
48- kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
49- prev_line,
50- print_canonical_sockaddr(mem_ctx, pss));
51- } else {
52- char addr[INET6_ADDRSTRLEN];
53- uint16_t port = get_sockaddr_port(pss);
54-
55- DEBUG(10,("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
56- kdc_name, port));
57-
58- if (port != 0 && port != DEFAULT_KRB5_PORT) {
59- /* Currently for IPv6 we can't specify a non-default
60- krb5 port with an address, as this requires a ':'.
61- Resolve to a name. */
62- char hostname[MAX_DNS_NAME_LENGTH];
63- int ret = sys_getnameinfo((const struct sockaddr *)pss,
64- sizeof(*pss),
65- hostname, sizeof(hostname),
66- NULL, 0,
67- NI_NAMEREQD);
68- if (ret) {
69- DEBUG(0,("print_kdc_line: can't resolve name "
70- "for kdc with non-default port %s. "
71- "Error %s\n.",
72- print_canonical_sockaddr(mem_ctx, pss),
73- gai_strerror(ret)));
74- return NULL;
75- }
76- /* Success, use host:port */
77- kdc_str = talloc_asprintf(mem_ctx,
78- "%s\tkdc = %s:%u\n",
79- prev_line,
80- hostname,
81- (unsigned int)port);
82- } else {
83-
84- /* no krb5 lib currently supports "kdc = ipv6 address"
85- * at all, so just fill in just the kdc_name if we have
86- * it and let the krb5 lib figure out the appropriate
87- * ipv6 address - gd */
88-
89- if (kdc_name) {
90- kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
91- prev_line, kdc_name);
92- } else {
93- kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
94- prev_line,
95- print_sockaddr(addr,
96- sizeof(addr),
97- pss));
98- }
99- }
100- }
101- return kdc_str;
102-}
103-
104-/************************************************************************
105 Create a string list of available kdc's, possibly searching by sitename.
106 Does DNS queries.
107
108@@ -746,7 +679,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
109 struct ip_service *ip_srv_nonsite = NULL;
110 int count_site = 0;
111 int count_nonsite;
112- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
113+ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
114+ print_canonical_sockaddr(mem_ctx, pss));
115
116 if (kdc_str == NULL) {
117 return NULL;
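Review bot: The result of print_canonical_sockaddr() is passed straight into the `%s` conversion of talloc_asprintf() in the new `kdc_str` initialiser, so a NULL return (patch 3/5 itself checks this function for NULL) reaches the formatter instead of failing the call; the two loop hunks below add the same pattern for `&ip_srv_site[i].ss` and `&ip_srv_nonsite[i].ss`. Depending on the C library that is undefined behaviour or a literal `kdc = (null)` line in the generated krb5.conf. Capture the address first, `char *a = print_canonical_sockaddr(mem_ctx, pss); if (a == NULL) { return NULL; }`, and drop the redundant `"%s"`/`""` pair from this first format string. get_kdc_ip_string's body continues outside the hunk.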
118@@ -768,10 +702,9 @@ static char *get_kdc_ip_string(char *mem_ctx,
119 }
120 /* Append to the string - inefficient
121 * but not done often. */
122- kdc_str = print_kdc_line(mem_ctx,
123- kdc_str,
124- &ip_srv_site[i].ss,
125- NULL);
126+ kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
127+ kdc_str,
128+ print_canonical_sockaddr(mem_ctx, &ip_srv_site[i].ss));
129 if (!kdc_str) {
130 SAFE_FREE(ip_srv_site);
131 return NULL;
132@@ -806,11 +739,10 @@ static char *get_kdc_ip_string(char *mem_ctx,
133 }
134
135 /* Append to the string - inefficient but not done often. */
136- kdc_str = print_kdc_line(mem_ctx,
137- kdc_str,
138- &ip_srv_nonsite[i].ss,
139- NULL);
140- if (!kdc_str) {
141+ kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
142+ kdc_str,
143+ print_canonical_sockaddr(mem_ctx, &ip_srv_nonsite[i].ss));
144+ if (kdc_str == NULL) {
145 SAFE_FREE(ip_srv_site);
146 SAFE_FREE(ip_srv_nonsite);
147 return NULL;
148--
1491.9.0
150
151
152From b4eba7d838b60230b9f6c9a08ef0ddc00e3e47f0 Mon Sep 17 00:00:00 2001
153From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
154Date: Fri, 7 Mar 2014 14:47:31 +0100
155Subject: [PATCH 2/5] PATCHSET11: s3-kerberos: remove unused kdc_name from
156 create_local_private_krb5_conf_for_domain().
157MIME-Version: 1.0
158Content-Type: text/plain; charset=UTF-8
159Content-Transfer-Encoding: 8bit
160
161Guenther
162
163Signed-off-by: Günther Deschner <gd@samba.org>
164Reviewed-by: Andreas Schneider <asn@samba.org>
165
166Autobuild-User(master): Günther Deschner <gd@samba.org>
167Autobuild-Date(master): Fri Mar 7 18:43:57 CET 2014 on sn-devel-104
168
169Conflicts:
170 source3/libads/kerberos.c
171 source3/libads/kerberos_proto.h
172 source3/libnet/libnet_join.c
173 source3/winbindd/winbindd_cm.c
174---
175 source3/libads/kerberos.c | 10 ++++------
176 source3/libads/kerberos_proto.h | 3 +--
177 source3/libnet/libnet_join.c | 2 +-
178 source3/libsmb/namequery_dc.c | 6 ++----
179 source3/winbindd/winbindd_cm.c | 6 ++----
180 5 files changed, 10 insertions(+), 17 deletions(-)
181
182diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
183index 064e5f7..b826cb3 100644
184--- a/source3/libads/kerberos.c
185+++ b/source3/libads/kerberos.c
186@@ -671,8 +671,7 @@ int kerberos_kinit_password(const char *principal,
187 static char *get_kdc_ip_string(char *mem_ctx,
188 const char *realm,
189 const char *sitename,
190- struct sockaddr_storage *pss,
191- const char *kdc_name)
192+ struct sockaddr_storage *pss)
193 {
194 int i;
195 struct ip_service *ip_srv_site = NULL;
196@@ -769,8 +768,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
197 bool create_local_private_krb5_conf_for_domain(const char *realm,
198 const char *domain,
199 const char *sitename,
200- struct sockaddr_storage *pss,
201- const char *kdc_name)
202+ struct sockaddr_storage *pss)
203 {
204 char *dname;
205 char *tmpname = NULL;
206@@ -794,7 +792,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
207 return false;
208 }
209
210- if (domain == NULL || pss == NULL || kdc_name == NULL) {
211+ if (domain == NULL || pss == NULL) {
212 return false;
213 }
214
215@@ -825,7 +823,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
216 realm_upper = talloc_strdup(fname, realm);
217 strupper_m(realm_upper);
218
219- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
220+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
221 if (!kdc_ip_string) {
222 goto done;
223 }
224diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
225index 406669cc..90d7cd9 100644
226--- a/source3/libads/kerberos_proto.h
227+++ b/source3/libads/kerberos_proto.h
228@@ -75,8 +75,7 @@ int kerberos_kinit_password(const char *principal,
229 bool create_local_private_krb5_conf_for_domain(const char *realm,
230 const char *domain,
231 const char *sitename,
232- struct sockaddr_storage *pss,
233- const char *kdc_name);
234+ struct sockaddr_storage *pss);
235
236 /* The following definitions come from libads/authdata.c */
237
238diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
239index e84682d..f1736ec 100644
240--- a/source3/libnet/libnet_join.c
241+++ b/source3/libnet/libnet_join.c
242@@ -1985,7 +1985,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
243
244 create_local_private_krb5_conf_for_domain(
245 r->out.dns_domain_name, r->out.netbios_domain_name,
246- NULL, &cli->dest_ss, cli->desthost);
247+ NULL, &cli->dest_ss);
248
249 if (r->out.domain_is_ad && r->in.account_ou &&
250 !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
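Review bot: The bool returned by create_local_private_krb5_conf_for_domain() is still discarded at this call, and likewise at the calls in the namequery_dc.c and winbindd_cm.c hunks below. The function can return false (the `domain == NULL || pss == NULL` guard and the get_kdc_ip_string() failure path shown in kerberos.c), and a join that continues without the private krb5.conf presumably leaves KDC selection to whatever the Kerberos library finds on its own. Logging the failure would make that visible, e.g. `if (!create_local_private_krb5_conf_for_domain(...)) { DEBUG(1, ("failed to create private krb5.conf\n")); }`. libnet_DomainJoin's body starts and ends outside the hunk.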
251diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
252index 39b780c..149121a 100644
253--- a/source3/libsmb/namequery_dc.c
254+++ b/source3/libsmb/namequery_dc.c
255@@ -111,14 +111,12 @@ static bool ads_dc_name(const char *domain,
256 create_local_private_krb5_conf_for_domain(realm,
257 domain,
258 sitename,
259- &ads->ldap.ss,
260- ads->config.ldap_server_name);
261+ &ads->ldap.ss);
262 } else {
263 create_local_private_krb5_conf_for_domain(realm,
264 domain,
265 NULL,
266- &ads->ldap.ss,
267- ads->config.ldap_server_name);
268+ &ads->ldap.ss);
269 }
270 }
271 #endif
272diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
273index 8271279..59f30a5 100644
274--- a/source3/winbindd/winbindd_cm.c
275+++ b/source3/winbindd/winbindd_cm.c
276@@ -1226,8 +1226,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
277 create_local_private_krb5_conf_for_domain(domain->alt_name,
278 domain->name,
279 sitename,
280- pss,
281- name);
282+ pss);
283
284 SAFE_FREE(sitename);
285 } else {
286@@ -1235,8 +1234,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
287 create_local_private_krb5_conf_for_domain(domain->alt_name,
288 domain->name,
289 NULL,
290- pss,
291- name);
292+ pss);
293 }
294 winbindd_set_locator_kdc_envs(domain);
295
296--
2971.9.0
298
299
300From db840b57e81922cea984530e2dc1b42cc99e75de Mon Sep 17 00:00:00 2001
301From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
302Date: Wed, 2 Apr 2014 19:37:34 +0200
303Subject: [PATCH 3/5] PATCHSET11: s3-kerberos: make ipv6 support for generated
304 krb5 config files more robust.
305MIME-Version: 1.0
306Content-Type: text/plain; charset=UTF-8
307Content-Transfer-Encoding: 8bit
308
309Older MIT Kerberos libraries will add any secondary ipv6 address as
310ipv4 address, defining the (default) krb5 port 88 circumvents that.
311
312Guenther
313
314Signed-off-by: Günther Deschner <gd@samba.org>
315Reviewed-by: Andreas Schneider <asn@samba.org>
316
317Autobuild-User(master): Günther Deschner <gd@samba.org>
318Autobuild-Date(master): Fri Apr 4 16:33:12 CEST 2014 on sn-devel-104
319
320Conflicts:
321 source3/libads/kerberos.c
322---
323 source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++--
324 1 file changed, 27 insertions(+), 2 deletions(-)
325
326diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
327index b826cb3..5e34aa3 100644
328--- a/source3/libads/kerberos.c
329+++ b/source3/libads/kerberos.c
330@@ -668,6 +668,31 @@ int kerberos_kinit_password(const char *principal,
331
332 ************************************************************************/
333
334+/* print_canonical_sockaddr prints an ipv6 addr in the form of
335+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
336+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
337+* portnumber workarounds the issue. - gd */
338+
339+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
340+ const struct sockaddr_storage *pss)
341+{
342+ char *str = NULL;
343+
344+ str = print_canonical_sockaddr(mem_ctx, pss);
345+ if (str == NULL) {
346+ return NULL;
347+ }
348+
349+ if (pss->ss_family != AF_INET6) {
350+ return str;
351+ }
352+
353+#if defined(HAVE_IPV6)
354+ str = talloc_asprintf_append(str, ":88");
355+#endif
356+ return str;
357+}
358+
359 static char *get_kdc_ip_string(char *mem_ctx,
360 const char *realm,
361 const char *sitename,
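Review bot: The port is written as the literal `":88"` in print_canonical_sockaddr_with_port(), while the code removed in patch 1/5 compared against DEFAULT_KRB5_PORT; if that macro is still in scope here, build the suffix from it: `str = talloc_asprintf_append(str, ":%u", (unsigned int)DEFAULT_KRB5_PORT);`. talloc_asprintf_append() can also return NULL, and both callers changed below pass the helper's result directly to a `%s` conversion, so the NULL this helper can return is not handled by them. A short comment on the `#if defined(HAVE_IPV6)` saying that builds without it return the bare bracketed address would also help.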
362@@ -679,7 +704,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
363 int count_site = 0;
364 int count_nonsite;
365 char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
366- print_canonical_sockaddr(mem_ctx, pss));
367+ print_canonical_sockaddr_with_port(mem_ctx, pss));
368
369 if (kdc_str == NULL) {
370 return NULL;
371@@ -740,7 +765,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
372 /* Append to the string - inefficient but not done often. */
373 kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
374 kdc_str,
375- print_canonical_sockaddr(mem_ctx, &ip_srv_nonsite[i].ss));
376+ print_canonical_sockaddr_with_port(mem_ctx, &ip_srv_nonsite[i].ss));
377 if (kdc_str == NULL) {
378 SAFE_FREE(ip_srv_site);
379 SAFE_FREE(ip_srv_nonsite);
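Review bot: Only the initial `pss` entry and the non-site loop are switched to print_canonical_sockaddr_with_port(); the site loop added in patch 1/5 (`print_canonical_sockaddr(mem_ctx, &ip_srv_site[i].ss)`) is not among this patch's replacements, which matches the diffstat of two deletions. If that call is indeed left as is, IPv6 KDCs found through the site lookup are still written without the port and keep hitting the older-library behaviour this patch works around. It should read `print_canonical_sockaddr_with_port(mem_ctx, &ip_srv_site[i].ss));`. The site loop lies outside this hunk, so confirm against the patched file.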
380--
3811.9.0
382
383
384From 208f1d7b5ae557bf34a39c847aeb1925ce4cb171 Mon Sep 17 00:00:00 2001
385From: Andrew Bartlett <abartlet@samba.org>
386Date: Tue, 26 Apr 2011 17:03:32 +1000
387Subject: [PATCH 4/5] PATCHSET11: s3-libads Pass a struct sockaddr_storage to
388 cldap routines
389
390This avoids these routines doing a DNS lookup that has already been
391done, and ensures that the emulated DNS lookup isn't thrown away.
392
393Andrew Bartlett
394---
395 source3/libads/cldap.c | 14 ++++--------
396 source3/libads/cldap.h | 4 ++--
397 source3/libads/ldap.c | 41 ++++++++++-------------------------
398 source3/libsmb/dsgetdcname.c | 3 ++-
399 source3/utils/net_ads.c | 7 +++---
400 source3/winbindd/idmap_adex/gc_util.c | 12 +++++++++-
401 6 files changed, 33 insertions(+), 48 deletions(-)
402
403diff --git a/source3/libads/cldap.c b/source3/libads/cldap.c
404index 5d2e900..03fa17c 100644
405--- a/source3/libads/cldap.c
406+++ b/source3/libads/cldap.c
407@@ -30,7 +30,7 @@
408 *******************************************************************/
409
410 bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
411- const char *server,
412+ struct sockaddr_storage *ss,
413 const char *realm,
414 uint32_t nt_version,
415 struct netlogon_samlogon_response **_reply)
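Review bot: The new `ss` parameter of ads_cldap_netlogon() is only read in the lines shown (it goes to print_sockaddr()), so it should be declared `const struct sockaddr_storage *ss`, here, in ads_cldap_netlogon_5() and in the cldap.h prototypes. That documents that the routine does not modify the caller's resolved address, which ads_try_connect() later copies into `ads->ldap.ss`. The function's header comment is outside the hunk; it should state that name resolution is now the caller's job.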
416@@ -39,18 +39,12 @@ bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
417 struct cldap_netlogon io;
418 struct netlogon_samlogon_response *reply;
419 NTSTATUS status;
420- struct sockaddr_storage ss;
421 char addrstr[INET6_ADDRSTRLEN];
422 const char *dest_str;
423 int ret;
424 struct tsocket_address *dest_addr;
425
426- if (!interpret_string_addr_prefer_ipv4(&ss, server, 0)) {
427- DEBUG(2,("Failed to resolve[%s] into an address for cldap\n",
428- server));
429- return false;
430- }
431- dest_str = print_sockaddr(addrstr, sizeof(addrstr), &ss);
432+ dest_str = print_sockaddr(addrstr, sizeof(addrstr), ss);
433
434 ret = tsocket_address_inet_from_strings(mem_ctx, "ip",
435 dest_str, LDAP_PORT,
436@@ -113,7 +107,7 @@ failed:
437 *******************************************************************/
438
439 bool ads_cldap_netlogon_5(TALLOC_CTX *mem_ctx,
440- const char *server,
441+ struct sockaddr_storage *ss,
442 const char *realm,
443 struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply5)
444 {
445@@ -121,7 +115,7 @@ bool ads_cldap_netlogon_5(TALLOC_CTX *mem_ctx,
446 struct netlogon_samlogon_response *reply = NULL;
447 bool ret;
448
449- ret = ads_cldap_netlogon(mem_ctx, server, realm, nt_version, &reply);
450+ ret = ads_cldap_netlogon(mem_ctx, ss, realm, nt_version, &reply);
451 if (!ret) {
452 return false;
453 }
454diff --git a/source3/libads/cldap.h b/source3/libads/cldap.h
455index d2ad4b0..60e1c56 100644
456--- a/source3/libads/cldap.h
457+++ b/source3/libads/cldap.h
458@@ -27,12 +27,12 @@
459
460 /* The following definitions come from libads/cldap.c */
461 bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
462- const char *server,
463+ struct sockaddr_storage *ss,
464 const char *realm,
465 uint32_t nt_version,
466 struct netlogon_samlogon_response **reply);
467 bool ads_cldap_netlogon_5(TALLOC_CTX *mem_ctx,
468- const char *server,
469+ struct sockaddr_storage *ss,
470 const char *realm,
471 struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply5);
472
473diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
474index b841c84..0db0bcd 100644
475--- a/source3/libads/ldap.c
476+++ b/source3/libads/ldap.c
477@@ -196,45 +196,32 @@ bool ads_closest_dc(ADS_STRUCT *ads)
478 */
479 static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
480 {
481- char *srv;
482 struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
483 TALLOC_CTX *frame = talloc_stackframe();
484 bool ret = false;
485+ struct sockaddr_storage ss;
486+ char addr[INET6_ADDRSTRLEN];
487
488 if (!server || !*server) {
489 TALLOC_FREE(frame);
490 return False;
491 }
492
493- if (!is_ipaddress(server)) {
494- struct sockaddr_storage ss;
495- char addr[INET6_ADDRSTRLEN];
496-
497- if (!resolve_name(server, &ss, 0x20, true)) {
498- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
499- server ));
500- TALLOC_FREE(frame);
501- return false;
502- }
503- print_sockaddr(addr, sizeof(addr), &ss);
504- srv = talloc_strdup(frame, addr);
505- } else {
506- /* this copes with inet_ntoa brokenness */
507- srv = talloc_strdup(frame, server);
508- }
509-
510- if (!srv) {
511+ if (!resolve_name(server, &ss, 0x20, true)) {
512+ DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
513+ server ));
514 TALLOC_FREE(frame);
515 return false;
516 }
517+ print_sockaddr(addr, sizeof(addr), &ss);
518
519 DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
520- srv, ads->server.realm));
521+ addr, ads->server.realm));
522
523 ZERO_STRUCT( cldap_reply );
524
525- if ( !ads_cldap_netlogon_5(frame, srv, ads->server.realm, &cldap_reply ) ) {
526- DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", srv));
527+ if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
528+ DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
529 ret = false;
530 goto out;
531 }
532@@ -243,7 +230,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
533
534 if ( !(cldap_reply.server_type & NBT_SERVER_LDAP) ) {
535 DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
536- srv));
537+ addr));
538 ret = false;
539 goto out;
540 }
541@@ -273,13 +260,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
542 ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
543
544 ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
545- if (!interpret_string_addr(&ads->ldap.ss, srv, 0)) {
546- DEBUG(1,("ads_try_connect: unable to convert %s "
547- "to an address\n",
548- srv));
549- ret = false;
550- goto out;
551- }
552+ ads->ldap.ss = ss;
553
554 /* Store our site name. */
555 sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
556diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
557index 841a179..2f8b8dc 100644
558--- a/source3/libsmb/dsgetdcname.c
559+++ b/source3/libsmb/dsgetdcname.c
560@@ -863,9 +863,10 @@ static NTSTATUS process_dc_dns(TALLOC_CTX *mem_ctx,
561
562 for (i=0; i<num_dcs; i++) {
563
564+
565 DEBUG(10,("LDAP ping to %s\n", dclist[i].hostname));
566
567- if (ads_cldap_netlogon(mem_ctx, dclist[i].hostname,
568+ if (ads_cldap_netlogon(mem_ctx, &dclist[i].ss,
569 domain_name,
570 nt_version,
571 &r))
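Review bot: The debug line still names `dclist[i].hostname` although the CLDAP ping now goes to `dclist[i].ss`, so the log no longer shows the address actually contacted; the hunk also adds a stray blank line at the top of the loop. Nothing visible here guarantees that every `dclist[i].ss` was filled in by the earlier DNS step, so an entry without an address would be pinged as it is, which deserves a check or a comment if such entries can occur. For the log, print the address as well, using print_sockaddr() into a local `char addr[INET6_ADDRSTRLEN];`. The loop body continues outside the hunk.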
572diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
573index 8f8b7b4..816349d 100644
574--- a/source3/utils/net_ads.c
575+++ b/source3/utils/net_ads.c
576@@ -62,7 +62,8 @@ static int net_ads_cldap_netlogon(struct net_context *c, ADS_STRUCT *ads)
577 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
578
579 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
580- if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
581+
582+ if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
583 d_fprintf(stderr, _("CLDAP query failed!\n"));
584 return -1;
585 }
586@@ -385,7 +386,6 @@ int net_ads_check(struct net_context *c)
587 static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
588 {
589 ADS_STRUCT *ads;
590- char addr[INET6_ADDRSTRLEN];
591 struct NETLOGON_SAM_LOGON_RESPONSE_EX reply;
592
593 if (c->display_usage) {
594@@ -407,8 +407,7 @@ static int net_ads_workgroup(struct net_context *c, int argc, const char **argv)
595 ads->ldap.port = 389;
596 }
597
598- print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
599- if ( !ads_cldap_netlogon_5(talloc_tos(), addr, ads->server.realm, &reply ) ) {
600+ if ( !ads_cldap_netlogon_5(talloc_tos(), &ads->ldap.ss, ads->server.realm, &reply ) ) {
601 d_fprintf(stderr, _("CLDAP query failed!\n"));
602 ads_destroy(&ads);
603 return -1;
604diff --git a/source3/winbindd/idmap_adex/gc_util.c b/source3/winbindd/idmap_adex/gc_util.c
605index 77b318c..e625265 100644
606--- a/source3/winbindd/idmap_adex/gc_util.c
607+++ b/source3/winbindd/idmap_adex/gc_util.c
608@@ -107,6 +107,7 @@ done:
609 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
610 struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
611 TALLOC_CTX *frame = talloc_stackframe();
612+ struct sockaddr_storage ss;
613
614 if (!gc || !domain) {
615 return NT_STATUS_INVALID_PARAMETER;
616@@ -126,8 +127,17 @@ done:
617 nt_status = ads_ntstatus(ads_status);
618 BAIL_ON_NTSTATUS_ERROR(nt_status);
619
620+ if (!resolve_name(ads->config.ldap_server_name, &ss, 0x20, true)) {
621+ DEBUG(5,("gc_find_forest_root: unable to resolve name %s\n",
622+ ads->config.ldap_server_name));
623+ nt_status = NT_STATUS_IO_TIMEOUT;
624+ /* This matches the old code which did the resolve in
625+ * ads_cldap_netlogon_5 */
626+ BAIL_ON_NTSTATUS_ERROR(nt_status);
627+ }
628+
629 if (!ads_cldap_netlogon_5(frame,
630- ads->config.ldap_server_name,
631+ &ss,
632 ads->config.realm,
633 &cldap_reply))
634 {
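Review bot: The added resolve_name() on `ads->config.ldap_server_name` performs a second name lookup for a server that, as far as the lines above suggest, the ADS connection has already reached, which is the kind of repeated lookup the commit message says it wants to avoid. A second lookup can also return a different address than the one the connection is bound to, so the CLDAP reply may come from another host. The net_ads.c hunks in this same patch pass `&ads->ldap.ss`; if `ads` is connected at this point, `if (!ads_cldap_netlogon_5(frame, &ads->ldap.ss, ads->config.realm, &cldap_reply))` would remove both the local `ss` and the lookup. The function starts and ends outside the hunk.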
635--
6361.9.0
637
638
639From 4eb02e7caa83b725988dd9f659b3568873522a30 Mon Sep 17 00:00:00 2001
640From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
641Date: Wed, 16 Apr 2014 16:07:14 +0200
642Subject: [PATCH 5/5] PATCHSET11: s3-libads: allow ads_try_connect() to re-use
643 a resolved ip address.
644MIME-Version: 1.0
645Content-Type: text/plain; charset=UTF-8
646Content-Transfer-Encoding: 8bit
647
648Pass down a struct sockaddr_storage to ads_try_connect.
649
650Guenther
651
652Signed-off-by: Günther Deschner <gd@samba.org>
653Reviewed-by: Andreas Schneider <asn@samba.org>
654
655Autobuild-User(master): Günther Deschner <gd@samba.org>
656Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
657---
658 source3/libads/ldap.c | 44 ++++++++++++++++++++++++++------------------
659 1 file changed, 26 insertions(+), 18 deletions(-)
660
661diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
662index 0db0bcd..f8349cf 100644
663--- a/source3/libads/ldap.c
664+++ b/source3/libads/ldap.c
665@@ -194,33 +194,27 @@ bool ads_closest_dc(ADS_STRUCT *ads)
666 try a connection to a given ldap server, returning True and setting the servers IP
667 in the ads struct if successful
668 */
669-static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
670+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
671+ struct sockaddr_storage *ss)
672 {
673 struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
674 TALLOC_CTX *frame = talloc_stackframe();
675 bool ret = false;
676- struct sockaddr_storage ss;
677 char addr[INET6_ADDRSTRLEN];
678
679- if (!server || !*server) {
680+ if (ss == NULL) {
681 TALLOC_FREE(frame);
682 return False;
683 }
684
685- if (!resolve_name(server, &ss, 0x20, true)) {
686- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
687- server ));
688- TALLOC_FREE(frame);
689- return false;
690- }
691- print_sockaddr(addr, sizeof(addr), &ss);
692+ print_sockaddr(addr, sizeof(addr), ss);
693
694 DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
695 addr, ads->server.realm));
696
697 ZERO_STRUCT( cldap_reply );
698
699- if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
700+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
701 DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
702 ret = false;
703 goto out;
704@@ -260,7 +254,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
705 ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
706
707 ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
708- ads->ldap.ss = ss;
709+ ads->ldap.ss = *ss;
710
711 /* Store our site name. */
712 sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
713@@ -292,6 +286,7 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
714 bool use_own_domain = False;
715 char *sitename;
716 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
717+ bool ok = false;
718
719 /* if the realm and workgroup are both empty, assume they are ours */
720
721@@ -345,12 +340,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
722 DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
723 (got_realm ? "realm" : "domain"), realm));
724
725- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
726+ ok = get_dc_name(domain, realm, srv_name, &ip_out);
727+ if (ok) {
728 /*
729 * we call ads_try_connect() to fill in the
730 * ads->config details
731 */
732- if (ads_try_connect(ads, srv_name, false)) {
733+ ok = ads_try_connect(ads, false, &ip_out);
734+ if (ok) {
735 return NT_STATUS_OK;
736 }
737 }
738@@ -406,7 +403,8 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
739 }
740 }
741
742- if ( ads_try_connect(ads, server, false) ) {
743+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
744+ if (ok) {
745 SAFE_FREE(ip_list);
746 SAFE_FREE(sitename);
747 return NT_STATUS_OK;
748@@ -591,9 +589,19 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
749 TALLOC_FREE(s);
750 }
751
752- if (ads->server.ldap_server)
753- {
754- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
755+ if (ads->server.ldap_server) {
756+ bool ok = false;
757+ struct sockaddr_storage ss;
758+
759+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
760+ if (!ok) {
761+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
762+ ads->server.ldap_server));
763+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
764+ goto out;
765+ }
766+ ok = ads_try_connect(ads, ads->server.gc, &ss);
767+ if (ok) {
768 goto got_connection;
769 }
770
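Review bot: A failed resolve_name() for `ads->server.ldap_server` now jumps to `out` with NT_STATUS_NOT_FOUND, whereas before this patch the same failure only made ads_try_connect() return false and execution continued after the `if`. If the code following this block (outside the hunk) falls back to DC discovery, an unresolvable or stale configured server name now disables that fallback. Either keep the old flow with `if (ok && ads_try_connect(ads, ads->server.gc, &ss)) { goto got_connection; }` after logging the failed lookup, or state the new behaviour in a comment. The failure is reported at DEBUG level 5 only, which is easy to miss in normal logging.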
771--
7721.9.0
773
774diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
775index b826cb3..5e34aa3 100644
776--- a/source3/libads/kerberos.c
777+++ b/source3/libads/kerberos.c
778@@ -827,10 +827,6 @@
779 return false;
780 }
781
782- if (domain == NULL || pss == NULL || kdc_name == NULL) {
783- return false;
784- }
785-
786 dname = lock_path("smb_krb5");
787 if (!dname) {
788 return false;
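Review bot: This hunk removes the whole argument guard, not just its `kdc_name == NULL` term, so create_local_private_krb5_conf_for_domain() no longer rejects a NULL `domain` or `pss`. Patch 2/5 above narrows the same line to `if (domain == NULL || pss == NULL) {`, and `pss` is dereferenced further down the call chain (`pss->ss_family` in print_canonical_sockaddr_with_port()). Unless every caller is known to pass non-NULL values, keep the reduced guard: `if (domain == NULL || pss == NULL) { return false; }`. The hunk also targets the same lines as the patch 2/5 hunk at `@@ -794,7 +792,7`, so the two may not both apply; the function's start and end are outside the hunk.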