From 0f1bc28744d8c7cae2fe2774b50fc4336408a74d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 2 Sep 2006 19:27:44 +0000 Subject: r18006: Actually a smaller change than it looks. Leverage the get_dc_list code to get the _kerberos. names for site support. This way we don't depend on one KDC to do ticket refresh. Even though we know it's up when we add it, it may go down when we're trying to refresh. Jeremy. (This used to be commit 77fe2a3d7418012a8dbfb6aaeb2a8dd57c6e1a5d) --- source3/libads/kerberos.c | 51 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 2 deletions(-) (limited to 'source3/libads/kerberos.c') diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 4801aec23e..c872508fe8 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -464,6 +464,46 @@ int kerberos_kinit_password(const char *principal, 0); } +/************************************************************************ + Create a string list of available kdc's, possibly searching by sitename. + Does DNS queries. +************************************************************************/ + +static char *get_kdc_ip_string(char *mem_ctx, const char *realm, struct in_addr primary_ip) +{ + struct ip_service *ip_srv; + int count, i; + char *kdc_str = talloc_asprintf(mem_ctx, "\tkdc = %s\n", + inet_ntoa(primary_ip)); + + if (kdc_str == NULL) { + return NULL; + } + + if (!NT_STATUS_IS_OK(get_kdc_list(realm, &ip_srv, &count))) { + DEBUG(10,("get_kdc_ip_string: get_kdc_list failed. Returning %s\n", + kdc_str )); + return kdc_str; + } + + for (i = 0; i < count; i++) { + if (ip_equal(ip_srv[i].ip, primary_ip)) { + continue; + } + /* Append to the string - inefficient but not done often. */ + kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", + kdc_str, inet_ntoa(ip_srv[i].ip)); + if (!kdc_str) { + return NULL; + } + } + + DEBUG(10,("get_kdc_ip_string: Returning %s\n", + kdc_str )); + + return kdc_str; +} + /************************************************************************ Create a specific krb5.conf file in the private directory pointing at a specific kdc for a realm. Keyed off domain name. Sets @@ -477,6 +517,7 @@ BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *do char *dname = talloc_asprintf(NULL, "%s/smb_krb5", lp_lockdir()); char *fname = NULL; char *file_contents = NULL; + char *kdc_ip_string; size_t flen = 0; size_t ret; char *realm_upper = NULL; @@ -505,10 +546,16 @@ BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *do realm_upper = talloc_strdup(fname, realm); strupper_m(realm_upper); + kdc_ip_string = get_kdc_ip_string(dname, realm, ip); + if (!kdc_ip_string) { + TALLOC_FREE(dname); + return False; + } + file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n\n" "[realms]\n\t%s = {\n" - "\t\tkdc = %s\n\t}\n", - realm_upper, realm_upper, inet_ntoa(ip)); + "\t\t%s\t}\n", + realm_upper, realm_upper, kdc_ip_string); if (!file_contents) { TALLOC_FREE(dname); -- cgit