s3:libnet:libnet_join: update msDS-SupportedEncryptionTypes (if required) with machin...
authorGünther Deschner <gd@samba.org>
Fri, 11 Mar 2016 22:15:06 +0000 (23:15 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 14 Mar 2016 18:38:48 +0000 (19:38 +0100)
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144

source3/libnet/libnet_join.c

index ac7e3efdbde62e875ef90d0b96d6e623d02f4ab6..235592c4f2407fb2272f2109ba6c327ea289c931 100644 (file)
@@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
 
 /****************************************************************
 ****************************************************************/
-#if 0
+
 static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
                                                  struct libnet_JoinCtx *r)
 {
        return libnet_join_connect_ads(mem_ctx, r, true);
 }
-#endif
+
 /****************************************************************
 ****************************************************************/
 
@@ -684,7 +684,7 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
 
 /****************************************************************
 ****************************************************************/
-#if 0
+
 static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
                                         struct libnet_JoinCtx *r)
 {
@@ -731,7 +731,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
 
        return ADS_SUCCESS;
 }
-#endif
+
 /****************************************************************
 ****************************************************************/
 
@@ -809,6 +809,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
                                                  struct libnet_JoinCtx *r)
 {
        ADS_STATUS status;
+       bool need_etype_update = false;
 
        if (!r->in.ads) {
                status = libnet_join_connect_ads_user(mem_ctx, r);
@@ -843,6 +844,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
                return status;
        }
 
+       status = libnet_join_find_machine_acct(mem_ctx, r);
+       if (!ADS_ERR_OK(status)) {
+               return status;
+       }
+
+       if (r->in.desired_encryption_types != r->out.set_encryption_types) {
+               uint32_t func_level = 0;
+
+               status = ads_domain_func_level(r->in.ads, &func_level);
+               if (!ADS_ERR_OK(status)) {
+                       libnet_join_set_error_string(mem_ctx, r,
+                               "failed to query domain controller functional level: %s",
+                               ads_errstr(status));
+                       return status;
+               }
+
+               if (func_level >= DS_DOMAIN_FUNCTION_2008) {
+                       need_etype_update = true;
+               }
+       }
+
+       if (need_etype_update) {
+               /*
+                * We need to reconnect as machine account in order
+                * to update msDS-SupportedEncryptionTypes reliable
+                */
+
+               if (r->in.ads->auth.ccache_name != NULL) {
+                       ads_kdestroy(r->in.ads->auth.ccache_name);
+               }
+
+               ads_destroy(&r->in.ads);
+
+               status = libnet_join_connect_ads_machine(mem_ctx, r);
+               if (!ADS_ERR_OK(status)) {
+                       libnet_join_set_error_string(mem_ctx, r,
+                               "Failed to connect as machine account: %s",
+                               ads_errstr(status));
+                       return status;
+               }
+
+               status = libnet_join_set_etypes(mem_ctx, r);
+               if (!ADS_ERR_OK(status)) {
+                       libnet_join_set_error_string(mem_ctx, r,
+                               "failed to set machine kerberos encryption types: %s",
+                               ads_errstr(status));
+                       return status;
+               }
+       }
+
        if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
                return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
        }
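Review bot: The return value of `ads_kdestroy()` is discarded in the `need_etype_update` branch, so a failure to destroy the user's credential cache is silent before the machine-account reconnect; if `libnet_join_connect_ads_machine()` reuses the same `ccache_name` (not visible here), stale user credentials could then be picked up without any trace in the logs. Checking it and logging at debug level, e.g. `if (ads_kdestroy(r->in.ads->auth.ccache_name) != 0) { DEBUG(1, ("ads_kdestroy failed for %s\n", r->in.ads->auth.ccache_name)); }`, keeps the failure diagnosable. Likewise, when `func_level < DS_DOMAIN_FUNCTION_2008` the etype mismatch is dropped without a message; a one-line debug note there would document why msDS-SupportedEncryptionTypes was left unchanged. The comment above the reconnect should read "reliably" rather than "reliable". libnet_join_post_processing_ads continues outside the hunk.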