From b84abb3a46211dc84e52ef95750627e4dd081f2f Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 13 Aug 2019 17:41:40 +0200
Subject: [PATCH] s3:libnet: Require sealed LDAP SASL connections for joining
Signed-off-by: Andreas Schneider
Reviewed-by: Alexander Bokovoy
---
 libgpo/pygpo.c | 2 +-
 source3/lib/netapi/joindomain.c | 5 ++++-
 source3/libads/ads_proto.h | 9 ++++++++-
 source3/libads/ads_struct.c | 14 +++++++++++++-
 source3/libads/ldap.c | 4 ++--
 source3/libnet/libnet_join.c | 3 ++-
 source3/libsmb/namequery_dc.c | 2 +-
 source3/printing/nt_printing_ads.c | 6 +++---
 source3/utils/net_ads.c | 13 +++++++++----
 source3/winbindd/winbindd_ads.c | 5 ++++-
 source3/winbindd/winbindd_cm.c | 5 ++++-
 11 files changed, 51 insertions(+), 17 deletions(-)
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index b1f788d3a00..581d20e0649 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -210,7 +210,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
 self->ads_ptr = NULL;
 }
 /* always succeeds or crashes */
- self->ads_ptr = ads_init(realm, workgroup, ldap_server);
+ self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN);
 return 0;
 }
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index 387c517c1be..f2d36fc00db 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -417,7 +417,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
 dc = strip_hostname(info->dc_unc);
- ads = ads_init(info->domain_name, info->domain_name, dc);
+ ads = ads_init(info->domain_name,
+ info->domain_name,
+ dc,
+ ADS_SASL_PLAIN);
 if (!ads) {
 return WERR_GEN_FAILURE;
 }
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 154bf67f964..92bb3a22cdb 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
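Review bot: py_ads_init() in pygpo.c hard-codes `ADS_SASL_PLAIN`, so the Python binding gets no way to ask for a signed or sealed LDAP session even though the enum now exists for exactly that; the keyword parsing of py_ads_init() lies outside the hunk, but an optional `sasl_state` argument defaulting to ADS_SASL_PLAIN would keep existing callers working and let GPO code opt into sealing. Until then the choice should at least be explained in place, e.g. `/* PLAIN: keep the configured wrapping; sealing is not required by this binding */`.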
@@ -32,6 +32,12 @@
 #ifndef _LIBADS_ADS_PROTO_H_
 #define _LIBADS_ADS_PROTO_H_
+enum ads_sasl_state_e {
+ ADS_SASL_PLAIN = 0,
+ ADS_SASL_SIGN,
+ ADS_SASL_SEAL,
+};
+
 /* The following definitions come from libads/ads_struct.c */
 char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm);
 char *ads_build_domain(const char *dn);
 ADS_STRUCT *ads_init(const char *realm, const char *workgroup,
- const char *ldap_server);
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state);
 bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
 void ads_destroy(ADS_STRUCT **ads);
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 3ab682c0e38..043a1b21247 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn)
 */
 ADS_STRUCT *ads_init(const char *realm, const char *workgroup,
- const char *ldap_server)
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state)
 {
 ADS_STRUCT *ads;
 int wrap_flags;
@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm,
 wrap_flags = 0;
 }
+ switch (sasl_state) {
+ case ADS_SASL_PLAIN:
+ break;
+ case ADS_SASL_SIGN:
+ wrap_flags |= ADS_AUTH_SASL_SIGN;
+ break;
+ case ADS_SASL_SEAL:
+ wrap_flags |= ADS_AUTH_SASL_SEAL;
+ break;
+ }
+
 ads->auth.flags = wrap_flags;
 /* Start with the configured page size when the connection is new,
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 42c37d9e9d2..793e97efdac 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2966,7 +2966,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
 if ( !ads->ldap.ld ) {
 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
- ads->server.ldap_server )) == NULL )
+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
 {
 status = ADS_ERROR(LDAP_NO_MEMORY);
 goto done;
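Review bot: The new `enum ads_sasl_state_e` in ads_proto.h is undocumented, and the name `ADS_SASL_PLAIN` overstates what it does: in the ads_struct.c hunk of this same patch PLAIN leaves `wrap_flags` exactly as configured, while SIGN and SEAL OR `ADS_AUTH_SASL_SIGN`/`ADS_AUTH_SASL_SEAL` into it, so PLAIN means "no requirement beyond the configured wrapping", not "force an unprotected connection". A comment above the enum should say so, e.g. `/* Minimum SASL protection an ads_init() caller requires; ORed into ads->auth.flags on top of the configured wrapping. PLAIN adds nothing. */`. It would also help to state which callers are expected to pass SEAL, since this patch applies it to the join path and to winbindd's cached connection while the commit title mentions only joining.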
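Review bot: The `switch (sasl_state)` added to ads_init() has no `default:`, so a value outside the enum (nothing in C stops one being passed) is silently treated like ADS_SASL_PLAIN and the connection gets only the configured wrapping, i.e. the failure mode is open. Add `default: wrap_flags |= ADS_AUTH_SASL_SEAL; break;` so an unexpected value fails closed, or at least report it with `DEBUG()` as the other call sites in this patch do on error. The remainder of ads_init() is outside the hunk, so whether `sasl_state` is validated earlier cannot be seen here.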
@@ -3028,7 +3028,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
 if ( !ads->ldap.ld ) {
 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
- ads->server.ldap_server )) == NULL )
+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
 {
 status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
 goto done;
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index d2a6ed1876d..3e24ba77dfd 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 my_ads = ads_init(dns_domain_name, netbios_domain_name,
- dc_name);
+ dc_name,
+ ADS_SASL_SEAL);
 if (!my_ads) {
 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 }
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index 4ee5b5278e4..f63dde61603 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain,
 /* Try this 3 times then give up. */
 for( i =0 ; i < 3; i++) {
- ads = ads_init(realm, domain, NULL);
+ ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN);
 if (!ads) {
 TALLOC_FREE(sitename);
 return False;
diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c
index 2588e1de7e7..a82f1361fc8 100644
--- a/source3/printing/nt_printing_ads.c
+++ b/source3/printing/nt_printing_ads.c
@@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer,
 return WERR_NOT_ENOUGH_MEMORY;
 }
- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
 if (ads == NULL) {
 result = WERR_RPC_S_SERVER_UNAVAILABLE;
 goto out;
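Review bot: The switch to `ADS_SASL_SEAL` in libnet_connect_ads() is the point of the whole patch, yet it carries no comment saying why this caller, unlike the other ten touched here, demands sealing; a maintainer later relaxing it to PLAIN to reach an older DC would see nothing warning against it. Add a why-comment above the call, e.g. `/* Joining must not run over an unprotected LDAP session: require SASL sealing regardless of the configured wrapping. */`. libnet_connect_ads() continues outside the hunk, so whether a bind that cannot negotiate sealing is turned into a hard failure there is not visible from this hunk.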
@@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx,
 TALLOC_FREE(sinfo2);
- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
 if (!ads) {
 DEBUG(3, ("ads_init() failed\n"));
 win_rc = WERR_RPC_S_SERVER_UNAVAILABLE;
@@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx)
 tmp_ctx = talloc_new(NULL);
 if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY;
- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
 if (!ads) {
 DEBUG(3, ("ads_init() failed\n"));
 return WERR_RPC_S_SERVER_UNAVAILABLE;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 97d417125dc..b7b221ddafa 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -620,7 +620,10 @@ retry_connect:
 realm = assume_own_realm(c);
 }
- ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
+ ads = ads_init(realm,
+ c->opt_target_workgroup,
+ c->opt_host,
+ ADS_SASL_PLAIN);
 if (!c->opt_user_name) {
 c->opt_user_name = "administrator";
@@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha
 ADS_STRUCT *ads;
 ADS_STATUS status;
- if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
+ ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN);
+ if (ads == NULL ) {
 return -1;
 }
@@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st
 * kinit with the machine password to do dns update. */
- ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name);
+ ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN);
 if (ads_dns == NULL) {
 d_fprintf(stderr, _("DNS update failed: out of memory!\n"));
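Review bot: In net_ads_check_int() the rewritten check reads `if (ads == NULL ) {` with a stray space before the closing parenthesis; the same rewrite in net_ads_password() later in this patch uses `if (ads == NULL) {`, which is the form to keep. Pulling the assignment out of the condition is otherwise an improvement over the removed line and matches how the other call sites in the patch test the result.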
@@ -2655,7 +2659,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
 /* use the realm so we can eventually change passwords for users in realms other than default */
- if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
+ ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN);
+ if (ads == NULL) {
 return -1;
 }
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 485ca831be9..20f47eb5954 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 /* we don't want this to affect the users ccache */
 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
- ads = ads_init(target_realm, target_dom_name, ldap_server);
+ ads = ads_init(target_realm,
+ target_dom_name,
+ ldap_server,
+ ADS_SASL_SEAL);
 if (!ads) {
 DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
 return ADS_ERROR(LDAP_NO_MEMORY);
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index b9a1c1eda7b..0e671ca22be 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
 print_sockaddr(addr, sizeof(addr), pss);
- ads = ads_init(domain->alt_name, domain->name, addr);
+ ads = ads_init(domain->alt_name,
+ domain->name,
+ addr,
+ ADS_SASL_PLAIN);
 ads->auth.flags |= ADS_AUTH_NO_BIND;
 ads->config.flags |= request_flags;
 ads->server.no_fallback = true;
--
2.34.1
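Review bot: ads_cached_connection_connect() in winbindd_ads.c is switched to `ADS_SASL_SEAL` as well, but neither the commit title ("... for joining") nor any comment says that winbindd's LDAP connections to DCs are now also required to be sealed; that is a behaviour change for every winbindd lookup against a DC that cannot negotiate sealing and deserves a sentence in the commit message plus a comment at the call, e.g. `/* Require a sealed SASL bind for winbindd's DC connection, independent of the configured wrapping. */`. Whether a DC that refuses sealing now makes this function fail is decided by the bind outside the hunk and cannot be confirmed from here.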
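Review bot: In dcip_check_name() the result of the rewritten `ads_init()` call is dereferenced on the very next context line (`ads->auth.flags |= ADS_AUTH_NO_BIND;`) without a NULL check, while every other ads_init() call site in this patch tests for NULL and winbindd_ads.c and libnet_join.c treat NULL as `LDAP_NO_MEMORY`. The gap predates the patch, but since the call is being rewritten this is the moment to add `if (ads == NULL) { return false; }` right after it; the hunk header shows dcip_check_name() is `static bool`, so that return type fits. The rest of the function is outside the hunk, so whether `ads` is freed on the other exit paths cannot be checked here.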