Author: gd Date: 2007-08-30 15:39:51 +0000 (Thu, 30 Aug 2007) New Revision: 24804
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24804 Log: As a temporary workaround, also try to guess the server's principal in the "[EMAIL PROTECTED]" case to make at least LDAP SASL binds succeed with windows server 2008. Guenther Modified: branches/SAMBA_3_2/source/include/ads.h branches/SAMBA_3_2/source/libads/sasl.c branches/SAMBA_3_2/source/libads/util.c branches/SAMBA_3_2_0/source/include/ads.h branches/SAMBA_3_2_0/source/libads/sasl.c branches/SAMBA_3_2_0/source/libads/util.c Changeset: Modified: branches/SAMBA_3_2/source/include/ads.h =================================================================== --- branches/SAMBA_3_2/source/include/ads.h 2007-08-30 14:55:32 UTC (rev 24803) +++ branches/SAMBA_3_2/source/include/ads.h 2007-08-30 15:39:51 UTC (rev 24804) @@ -394,4 +394,6 @@ #define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939" +#define ADS_IGNORE_PRINCIPAL "[EMAIL PROTECTED]" + #endif /* _INCLUDE_ADS_H_ */ Modified: branches/SAMBA_3_2/source/libads/sasl.c =================================================================== --- branches/SAMBA_3_2/source/libads/sasl.c 2007-08-30 14:55:32 UTC (rev 24803) +++ branches/SAMBA_3_2/source/libads/sasl.c 2007-08-30 15:39:51 UTC (rev 24804) @@ -657,55 +657,26 @@ ZERO_STRUCTP(p); - /* I've seen a child Windows 2000 domain not send - the principal name back in the first round of + /* I've seen a child Windows 2000 domain not send + the principal name back in the first round of the SASL bind reply. So we guess based on server name and realm. --jerry */ - if (given_principal) { - p->string = SMB_STRDUP(given_principal); - if (!p->string) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - } else if (ads->server.realm && ads->server.ldap_server) { - char *server, *server_realm; + /* Also try best guess when we get the w2k8 ignore + principal back - gd */ - server = SMB_STRDUP(ads->server.ldap_server); - server_realm = SMB_STRDUP(ads->server.realm); + if (!given_principal || + strequal(given_principal, ADS_IGNORE_PRINCIPAL)) { - if (!server || !server_realm) { - return ADS_ERROR(LDAP_NO_MEMORY); + status = ads_guess_service_principal(ads, given_principal, + &p->string); + if (!ADS_ERR_OK(status)) { + return status; } - - strlower_m(server); - strupper_m(server_realm); - asprintf(&p->string, "ldap/[EMAIL PROTECTED]", server, server_realm); - - SAFE_FREE(server); - SAFE_FREE(server_realm); - + } else { + p->string = SMB_STRDUP(given_principal); if (!p->string) { return ADS_ERROR(LDAP_NO_MEMORY); } - } else if (ads->config.realm && ads->config.ldap_server_name) { - char *server, *server_realm; - - server = SMB_STRDUP(ads->config.ldap_server_name); - server_realm = SMB_STRDUP(ads->config.realm); - - if (!server || !server_realm) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - strlower_m(server); - strupper_m(server_realm); - asprintf(&p->string, "ldap/[EMAIL PROTECTED]", server, server_realm); - - SAFE_FREE(server); - SAFE_FREE(server_realm); - - if (!p->string) { - return ADS_ERROR(LDAP_NO_MEMORY); - } } initialize_krb5_error_table(); Modified: branches/SAMBA_3_2/source/libads/util.c =================================================================== --- branches/SAMBA_3_2/source/libads/util.c 2007-08-30 14:55:32 UTC (rev 24803) +++ branches/SAMBA_3_2/source/libads/util.c 2007-08-30 15:39:51 UTC (rev 24804) @@ -51,4 +51,62 @@ SAFE_FREE(password); return ret; } + +ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads, + const char *given_principal, + char **returned_principal) +{ + char *princ = NULL; + + if (ads->server.realm && ads->server.ldap_server) { + char *server, *server_realm; + + server = SMB_STRDUP(ads->server.ldap_server); + server_realm = SMB_STRDUP(ads->server.realm); + + if (!server || !server_realm) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + strlower_m(server); + strupper_m(server_realm); + asprintf(&princ, "ldap/[EMAIL PROTECTED]", server, server_realm); + + SAFE_FREE(server); + SAFE_FREE(server_realm); + + if (!princ) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + } else if (ads->config.realm && ads->config.ldap_server_name) { + char *server, *server_realm; + + server = SMB_STRDUP(ads->config.ldap_server_name); + server_realm = SMB_STRDUP(ads->config.realm); + + if (!server || !server_realm) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + strlower_m(server); + strupper_m(server_realm); + asprintf(&princ, "ldap/[EMAIL PROTECTED]", server, server_realm); + + SAFE_FREE(server); + SAFE_FREE(server_realm); + + if (!princ) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + } + + if (!princ) { + return ADS_ERROR(LDAP_PARAM_ERROR); + } + + *returned_principal = princ; + + return ADS_SUCCESS; +} + #endif Modified: branches/SAMBA_3_2_0/source/include/ads.h =================================================================== --- branches/SAMBA_3_2_0/source/include/ads.h 2007-08-30 14:55:32 UTC (rev 24803) +++ branches/SAMBA_3_2_0/source/include/ads.h 2007-08-30 15:39:51 UTC (rev 24804) @@ -394,4 +394,6 @@ #define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939" +#define ADS_IGNORE_PRINCIPAL "[EMAIL PROTECTED]" + #endif /* _INCLUDE_ADS_H_ */ Modified: branches/SAMBA_3_2_0/source/libads/sasl.c =================================================================== --- branches/SAMBA_3_2_0/source/libads/sasl.c 2007-08-30 14:55:32 UTC (rev 24803) +++ branches/SAMBA_3_2_0/source/libads/sasl.c 2007-08-30 15:39:51 UTC (rev 24804) @@ -657,55 +657,26 @@ ZERO_STRUCTP(p); - /* I've seen a child Windows 2000 domain not send - the principal name back in the first round of + /* I've seen a child Windows 2000 domain not send + the principal name back in the first round of the SASL bind reply. So we guess based on server name and realm. --jerry */ - if (given_principal) { - p->string = SMB_STRDUP(given_principal); - if (!p->string) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - } else if (ads->server.realm && ads->server.ldap_server) { - char *server, *server_realm; + /* Also try best guess when we get the w2k8 ignore + principal back - gd */ - server = SMB_STRDUP(ads->server.ldap_server); - server_realm = SMB_STRDUP(ads->server.realm); + if (!given_principal || + strequal(given_principal, ADS_IGNORE_PRINCIPAL)) { - if (!server || !server_realm) { - return ADS_ERROR(LDAP_NO_MEMORY); + status = ads_guess_service_principal(ads, given_principal, + &p->string); + if (!ADS_ERR_OK(status)) { + return status; } - - strlower_m(server); - strupper_m(server_realm); - asprintf(&p->string, "ldap/[EMAIL PROTECTED]", server, server_realm); - - SAFE_FREE(server); - SAFE_FREE(server_realm); - + } else { + p->string = SMB_STRDUP(given_principal); if (!p->string) { return ADS_ERROR(LDAP_NO_MEMORY); } - } else if (ads->config.realm && ads->config.ldap_server_name) { - char *server, *server_realm; - - server = SMB_STRDUP(ads->config.ldap_server_name); - server_realm = SMB_STRDUP(ads->config.realm); - - if (!server || !server_realm) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - strlower_m(server); - strupper_m(server_realm); - asprintf(&p->string, "ldap/[EMAIL PROTECTED]", server, server_realm); - - SAFE_FREE(server); - SAFE_FREE(server_realm); - - if (!p->string) { - return ADS_ERROR(LDAP_NO_MEMORY); - } } initialize_krb5_error_table(); Modified: branches/SAMBA_3_2_0/source/libads/util.c =================================================================== --- branches/SAMBA_3_2_0/source/libads/util.c 2007-08-30 14:55:32 UTC (rev 24803) +++ branches/SAMBA_3_2_0/source/libads/util.c 2007-08-30 15:39:51 UTC (rev 24804) @@ -51,4 +51,62 @@ SAFE_FREE(password); return ret; } + +ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads, + const char *given_principal, + char **returned_principal) +{ + char *princ = NULL; + + if (ads->server.realm && ads->server.ldap_server) { + char *server, *server_realm; + + server = SMB_STRDUP(ads->server.ldap_server); + server_realm = SMB_STRDUP(ads->server.realm); + + if (!server || !server_realm) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + strlower_m(server); + strupper_m(server_realm); + asprintf(&princ, "ldap/[EMAIL PROTECTED]", server, server_realm); + + SAFE_FREE(server); + SAFE_FREE(server_realm); + + if (!princ) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + } else if (ads->config.realm && ads->config.ldap_server_name) { + char *server, *server_realm; + + server = SMB_STRDUP(ads->config.ldap_server_name); + server_realm = SMB_STRDUP(ads->config.realm); + + if (!server || !server_realm) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + strlower_m(server); + strupper_m(server_realm); + asprintf(&princ, "ldap/[EMAIL PROTECTED]", server, server_realm); + + SAFE_FREE(server); + SAFE_FREE(server_realm); + + if (!princ) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + } + + if (!princ) { + return ADS_ERROR(LDAP_PARAM_ERROR); + } + + *returned_principal = princ; + + return ADS_SUCCESS; +} + #endif