s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add
authorStefan Metzmacher <metze@samba.org>
Fri, 22 Jan 2016 08:57:04 +0000 (09:57 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 26 Feb 2016 10:30:03 +0000 (11:30 +0100)
We may not have the permission to modify the object after creation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bj@sernet.de>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144

source3/libads/ldap.c
source3/libnet/libnet_join.c

index 2c52e32..322e7ab 100644 (file)
@@ -29,6 +29,7 @@
 #include "../libds/common/flags.h"
 #include "smbldap.h"
 #include "../libcli/security/security.h"
+#include "../librpc/gen_ndr/netlogon.h"
 #include "lib/param/loadparm.h"
 
 #ifdef HAVE_LDAP
@@ -2211,6 +2212,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
        uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
                                UF_DONT_EXPIRE_PASSWD |\
                                UF_ACCOUNTDISABLE );
+       uint32_t func_level = 0;
+
+       ret = ads_domain_func_level(ads, &func_level);
+       if (!ADS_ERR_OK(ret)) {
+               return ret;
+       }
 
        if (!(ctx = talloc_init("ads_add_machine_acct")))
                return ADS_ERROR(LDAP_NO_MEMORY);
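Review bot: The new failure path at `if (!ADS_ERR_OK(ret))` returns the bare status and drops the diagnostic that the removed libnet_join code attached ("failed to query domain controller functional level"), so a join that fails on this query is harder to attribute from the logs. A `DEBUG(1, ("ads_domain_func_level failed: %s\n", ads_errstr(ret)));` before the `return ret;` would keep that context. Returning before `talloc_init` is fine here since nothing has been allocated yet. The enclosing ads_create_machine_acct starts and ends outside the hunk.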
@@ -2242,6 +2249,25 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
        ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
        ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
 
+       if (func_level >= DS_DOMAIN_FUNCTION_2008) {
+               uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+               const char *etype_list_str;
+
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+               etype_list |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+               etype_list |= ENC_HMAC_SHA1_96_AES256;
+#endif
+
+               etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
+               if (etype_list_str == NULL) {
+                       goto done;
+               }
+               ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
+                           etype_list_str);
+       }
+
        ret = ads_gen_add(ads, new_dn, mods);
 
 done:
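Review bot: The `ads_mod_str` call for msDS-SupportedEncryptionTypes ignores its ADS_STATUS, whereas the removed libnet_join_set_etypes checked it; since the point of the commit is to get this attribute onto the object at ldap_add time, a mod that silently fails to be queued would, as far as the visible code shows, let ads_gen_add create the computer account without the attribute and report success. Suggest `ret = ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", etype_list_str); if (!ADS_ERR_OK(ret)) { goto done; }`. The `goto done` on the talloc_asprintf failure also relies on `ret` having been preset to an error between the functional-level query and this hunk — if it still held the success from ads_domain_func_level, an allocation failure would return success without calling ads_gen_add; worth confirming against the lines outside the hunk. The `done:` label body and the end of the function are outside the hunk.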
index 3e58b18..6dce03c 100644 (file)
@@ -616,52 +616,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
-static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
-                                        struct libnet_JoinCtx *r)
-{
-       ADS_STATUS status;
-       ADS_MODLIST mods;
-       uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
-       const char *etype_list_str;
-
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-       etype_list |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-       etype_list |= ENC_HMAC_SHA1_96_AES256;
-#endif
-
-       etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
-       if (!etype_list_str) {
-               return ADS_ERROR(LDAP_NO_MEMORY);
-       }
-
-       /* Find our DN */
-
-       status = libnet_join_find_machine_acct(mem_ctx, r);
-       if (!ADS_ERR_OK(status)) {
-               return status;
-       }
-
-       /* now do the mods */
-
-       mods = ads_init_mods(mem_ctx);
-       if (!mods) {
-               return ADS_ERROR(LDAP_NO_MEMORY);
-       }
-
-       status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
-                            etype_list_str);
-       if (!ADS_ERR_OK(status)) {
-               return status;
-       }
-
-       return ads_gen_mod(r->in.ads, r->out.dn, mods);
-}
-
-/****************************************************************
-****************************************************************/
-
 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
                                      struct libnet_JoinCtx *r)
 {
@@ -736,7 +690,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
                                                  struct libnet_JoinCtx *r)
 {
        ADS_STATUS status;
-       uint32_t func_level = 0;
 
        if (!r->in.ads) {
                status = libnet_join_connect_ads(mem_ctx, r);
@@ -771,24 +724,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
                return status;
        }
 
-       status = ads_domain_func_level(r->in.ads, &func_level);
-       if (!ADS_ERR_OK(status)) {
-               libnet_join_set_error_string(mem_ctx, r,
-                       "failed to query domain controller functional level: %s",
-                       ads_errstr(status));
-               return status;
-       }
-
-       if (func_level >= DS_DOMAIN_FUNCTION_2008) {
-               status = libnet_join_set_etypes(mem_ctx, r);
-               if (!ADS_ERR_OK(status)) {
-                       libnet_join_set_error_string(mem_ctx, r,
-                               "failed to set machine kerberos encryption types: %s",
-                               ads_errstr(status));
-                       return status;
-               }
-       }
-
        if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
                return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
        }