From 2fcd113f5507f643fcf80d5a9770ce72aa121ba8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 31 Aug 2006 04:14:08 +0000
Subject: r17945: Store the server and client sitenames in the ADS struct so we can see when they match - only create the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
---
 source3/include/ads.h | 2 ++
 source3/include/ads_cldap.h | 2 ++
 source3/libads/ads_struct.c | 2 ++
 source3/libads/dns.c | 12 +++++++++---
 source3/libads/kerberos.c | 11 ++++++++++-
 source3/libads/ldap.c | 32 ++++++++++++++++++++++++++++++++
 source3/libsmb/namequery_dc.c | 4 ++--
 source3/nsswitch/winbindd_cm.c | 2 +-
 8 files changed, 60 insertions(+), 7 deletions(-)
(limited to 'source3')
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 365ac3e852..f200df5d22 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -46,6 +46,8 @@ typedef struct {
 char *realm;
 char *bind_path;
 char *ldap_server_name;
+ char *server_site_name;
+ char *client_site_name;
 time_t current_time;
 } config;
diff --git a/source3/include/ads_cldap.h b/source3/include/ads_cldap.h
index e5df892a40..0108363c1b 100644
--- a/source3/include/ads_cldap.h
+++ b/source3/include/ads_cldap.h
@@ -43,6 +43,8 @@ struct cldap_netlogon_reply {
 uint16 lm20_token;
 };
+#define DEFAULT_SITE_NAME "Default-First-Site-Name"
+
 /* Mailslot or cldap getdcname response flags */
 #define ADS_PDC 0x00000001 /* DC is PDC */
 #define ADS_GC 0x00000004 /* DC is a GC of forest */
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 372f72fe06..130d86b8dc 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -136,6 +136,8 @@ void ads_destroy(ADS_STRUCT **ads)
 SAFE_FREE((*ads)->config.realm);
 SAFE_FREE((*ads)->config.bind_path);
 SAFE_FREE((*ads)->config.ldap_server_name);
+ SAFE_FREE((*ads)->config.server_site_name);
+ SAFE_FREE((*ads)->config.client_site_name);
 SAFE_FREE((*ads)->schema.posix_uidnumber_attr);
 SAFE_FREE((*ads)->schema.posix_gidnumber_attr);
diff --git a/source3/libads/dns.c b/source3/libads/dns.c
index 4d935c1b6e..3f99a73a33 100644
--- a/source3/libads/dns.c
+++ b/source3/libads/dns.c
@@ -590,8 +590,9 @@ BOOL sitename_store(const char *sitename)
 if (!sitename || (sitename && !*sitename)) {
 DEBUG(5,("sitename_store: deleting empty sitename!\n"));
 return gencache_del(SITENAME_KEY);
- } else if (sitename && strequal(sitename, "Default-First-Site-Name")) {
- DEBUG(5,("sitename_store: delete default sitename Default-First-Site-Name\n"));
+ } else if (sitename && strequal(sitename, DEFAULT_SITE_NAME)) {
+ DEBUG(5,("sitename_store: delete default sitename %s\n",
+ DEFAULT_SITE_NAME));
 return gencache_del(SITENAME_KEY);
 }
@@ -633,11 +634,16 @@ char *sitename_fetch(void)
 Did the sitename change ?
 ****************************************************************************/
-BOOL sitename_changed(const char *sitename)
+BOOL stored_sitename_changed(const char *sitename)
 {
 BOOL ret = False;
 char *new_sitename = sitename_fetch();
+ /* Treat default site as no name. */
+ if (strequal(sitename, DEFAULT_SITE_NAME)) {
+ sitename = NULL;
+ }
+
 if (sitename && new_sitename && !strequal(sitename, new_sitename)) {
 ret = True;
 } else if ((sitename && !new_sitename) ||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 46b64ca22d..dc85a77304 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -477,16 +477,20 @@ BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *do
 char *fname = talloc_asprintf(NULL, "%s/smb_krb5.conf.%s", lp_private_dir(), domain);
 char *file_contents = NULL;
 size_t flen = 0;
+ char *realm_upper = NULL;
 int loopcount = 0;
 if (!fname) {
 return False;
 }
+ realm_upper = talloc_strdup(fname, realm);
+ strupper_m(realm_upper);
+
 file_contents = talloc_asprintf(fname,
 "[libdefaults]\n\tdefault_realm = %s\n"
 "[realms]\n\t%s = {\n"
 "\t\tkdc = %s\n]\n",
- realm, realm, inet_ntoa(ip));
+ realm_upper, realm_upper, inet_ntoa(ip));
 if (!file_contents) {
 TALLOC_FREE(fname);
@@ -541,6 +545,11 @@ BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *do
 /* Set the environment variable to this file. */
 setenv("KRB5_CONFIG", fname, 1);
 TALLOC_FREE(fname);
+
+ DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
+ "file %s with realm %s KDC = %s\n",
+ realm_upper, inet_ntoa(ip));
+
 return True;
 }
 #endif
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 1d192895d9..60e4c9f5b7 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -115,6 +115,27 @@ static int ldap_search_with_timeout(LDAP *ld,
 return result;
 }
+#ifdef HAVE_KRB5
+/**********************************************
+ Do client and server sitename match ?
+**********************************************/
+
+BOOL ads_sitename_match(ADS_STRUCT *ads)
+{
+ if (ads->config.server_site_name == NULL &&
+ ads->config.client_site_name == NULL ) {
+ return True;
+ }
+ if (ads->config.server_site_name &&
+ ads->config.client_site_name &&
+ strequal(ads->config.server_site_name,
+ ads->config.client_site_name)) {
+ return True;
+ }
+ return False;
+}
+#endif
+
 /*
 try a connection to a given ldap server, returning True and setting the servers IP in the ads struct if successful
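Review bot: `realm_upper = talloc_strdup(fname, realm);` is used by `strupper_m(realm_upper);` without a NULL check, so an allocation failure (or a NULL `realm` from the caller, if that can happen) dereferences NULL unless strupper_m guards it internally, which the hunk does not show. The block already handles the equivalent failure for `file_contents` with `TALLOC_FREE(fname); return False;`, and the same guard fits here: `if (!realm_upper) { TALLOC_FREE(fname); return False; }`. Separately, the unchanged format string closes the `[realms]` stanza with `]` rather than `}` (`"\t\tkdc = %s\n]\n"`), which looks like a pre-existing typo in the generated krb5.conf and is worth confirming against what the krb5 parser tolerates, since this file is forced on the libraries via KRB5_CONFIG. create_local_private_krb5_conf_for_domain starts before this hunk and continues past it.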
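Review bot: The added DEBUG has three `%s` conversions but passes only two arguments, and both `fname` and `realm_upper` (allocated as a child of `fname` in the earlier hunk) are already released by the `TALLOC_FREE(fname);` immediately above it, so the message would read freed memory; the argument list also appears one `)` short of closing `DEBUG(5,(`. Move the DEBUG ahead of the free and supply the file name: `DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote file %s with realm %s KDC = %s\n", fname, realm_upper, inet_ntoa(ip)));` followed by `TALLOC_FREE(fname);`. The function starts before this hunk.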
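Review bot: The first branch of ads_sitename_match treats two missing site names as a match, which is the case callers hit when the CLDAP reply carried no site information at all, and nothing in the hunk says that is deliberate rather than a fallback; a one-line comment would settle it: `/* No site information on either side: treat as matching so the KDC override still applies. */`. It is also worth stating that a name present on only one side is a mismatch, since that is the outcome callers in namequery_dc.c and winbindd_cm.c key the krb5 hack on. The function is non-static and is called from two other files in this commit without a visible prototype — presumably picked up by the generated proto.h, but worth confirming.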
@@ -157,6 +178,8 @@ BOOL ads_try_connect(ADS_STRUCT *ads, const char *server )
 SAFE_FREE(ads->config.realm);
 SAFE_FREE(ads->config.bind_path);
 SAFE_FREE(ads->config.ldap_server_name);
+ SAFE_FREE(ads->config.server_site);
+ SAFE_FREE(ads->config.client_site);
 SAFE_FREE(ads->server.workgroup);
 ads->config.flags = cldap_reply.flags;
@@ -164,6 +187,15 @@ BOOL ads_try_connect(ADS_STRUCT *ads, const char *server )
 strupper_m(cldap_reply.domain);
 ads->config.realm = SMB_STRDUP(cldap_reply.domain);
 ads->config.bind_path = ads_build_dn(ads->config.realm);
+ if (*cldap_reply.server_site_name) {
+ ads->config.server_site_name =
+ SMB_STRDUP(cldap_reply.server_site_name);
+ }
+ if (*cldap_reply.client_site_name) {
+ ads->config.server_site_name =
+ SMB_STRDUP(cldap_reply.server_site_name);
+ }
+
 ads->server.workgroup = SMB_STRDUP(cldap_reply.netbios_domain);
 ads->ldap_port = LDAP_PORT;
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index 4099cc9dd8..cf01fb269e 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -68,7 +68,7 @@ static BOOL ads_dc_name(const char *domain,
 has changed. If so, we need to re-do the DNS query to ensure we only find servers in our site. */
- if (sitename_changed(sitename)) {
+ if (stored_sitename_changed(sitename)) {
 SAFE_FREE(sitename);
 sitename = sitename_fetch();
 ads_destroy(&ads);
@@ -76,7 +76,7 @@ static BOOL ads_dc_name(const char *domain,
 }
 #ifdef HAVE_KRB5
- if ((ads->config.flags & ADS_KDC) && sitename) {
+ if ((ads->config.flags & ADS_KDC) && ads_sitename_match(ads)) {
 /* We're going to use this KDC for this realm/domain. If we are using sites, then force the krb5 libs to use this KDC. */
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index a09faaed94..2288f29888 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
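Review bot: `SAFE_FREE(ads->config.server_site);` and `SAFE_FREE(ads->config.client_site);` name struct members that do not exist — the fields added in ads.h (and freed in ads_destroy) are `server_site_name` and `client_site_name`, so this hunk will not compile and, once renamed, is what stops the old names leaking on a reconnect. Change the two lines to `SAFE_FREE(ads->config.server_site_name);` and `SAFE_FREE(ads->config.client_site_name);`. ads_try_connect starts before this hunk and continues after it.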
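Review bot: The second added block tests `*cldap_reply.client_site_name` but then assigns `ads->config.server_site_name = SMB_STRDUP(cldap_reply.server_site_name);`, so the client site is never stored, the first server-site strdup is leaked, and ads_sitename_match can only ever succeed when the server reported no site at all — which defeats the point of the commit. It should read `ads->config.client_site_name = SMB_STRDUP(cldap_reply.client_site_name);`. The SMB_STRDUP results are unchecked, consistent with the neighbouring `realm` and `workgroup` lines but worth noting since a NULL here silently turns into "no site". ads_try_connect continues outside this hunk.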
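Review bot: The old guard `&& sitename` required a stored site name, whereas `ads_sitename_match(ads)` also returns True when the CLDAP reply carried no site names on either side, so the per-domain krb5.conf override is now written in the no-site case too and the comment directly below (`If we are using sites, then force the krb5 libs to use this KDC.`) no longer describes the condition. If the widening is intended, reword it to `/* The DC is a KDC in our site (or no site info is available): force the krb5 libs to use it. */`; if not, keep `&& sitename` alongside the new check. ads_dc_name continues outside this hunk.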
@@ -607,7 +607,7 @@ static BOOL dcip_to_name( const char *domainname, const char *realm,
 namecache_store(name, 0x20, 1, &ip_list);
 #ifdef HAVE_KRB5
- if ((ads->config.flags & ADS_KDC) && sitename) {
+ if ((ads->config.flags & ADS_KDC) && ads_sitename_match(ads)) {
 /* We're going to use this KDC for this realm/domain. If we are using sites, then force the krb5 libs to use this KDC. */
-- cgit