authorMatt Barden <matt.barden@nexenta.com>2019-12-06 14:39:36 -0500
committerRobert Mustacchi <rm@fingolfin.org>2020-09-01 08:12:58 -0700
commitbdc3270f393f51a419684e0fd3d7112e9b269773 (patch)
tree858fc46a5428037ee0361d1bf5fbebcb231bb189
parent526073d8a2a73617d29e806e575a271bc992905b (diff)
downloadillumos-joyent-bdc3270f393f51a419684e0fd3d7112e9b269773.tar.gz
13045 Idmap's KDC lookup override doesn't work
Reviewed by: Dan McDonald <danmcd@joyent.com> Approved by: Robert Mustacchi <rm@fingolfin.org>
-rw-r--r--usr/src/cmd/idmap/idmapd/krb5_lookup.c10
-rw-r--r--usr/src/cmd/idmap/idmapd/mapfile-intf2
-rw-r--r--usr/src/cmd/smbsrv/smbd/smbd_krb5lookup.c10
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c5
-rw-r--r--usr/src/lib/smbsrv/libsmb/common/libsmb.h3
-rw-r--r--usr/src/lib/smbsrv/libsmbns/common/libsmbns.h3
-rw-r--r--usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c5
7 files changed, 32 insertions, 6 deletions
diff --git a/usr/src/cmd/idmap/idmapd/krb5_lookup.c b/usr/src/cmd/idmap/idmapd/krb5_lookup.c
index a45fc5d8f3..bdd0d56759 100644
--- a/usr/src/cmd/idmap/idmapd/krb5_lookup.c
+++ b/usr/src/cmd/idmap/idmapd/krb5_lookup.c
@@ -10,7 +10,7 @@
*/
/*
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
*/
#include <stdio.h>
@@ -27,6 +27,8 @@
#include <synch.h>
#include <thread.h>
+#include <ads/dsgetdc.h>
+
#include "idmapd.h"
#include "libadutils.h"
#include "locate_plugin.h"
@@ -102,6 +104,12 @@ _krb5_override_service_locator(
goto out;
}
+ if ((ds->flags & DS_KDC_FLAG) == 0) {
+ idmapdlog(LOG_WARNING, "Domain Controller is not a KDC: "
+ "Kerberos auth may be slow");
+ goto out;
+ }
+
switch (family) {
case AF_UNSPEC:
break; /* OK */
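Review bot: The new `(ds->flags & DS_KDC_FLAG) == 0` branch jumps to `out` without assigning `rc`, so what the locator returns here depends on a value set outside the hunk (the function starts and ends outside it). If the intent is to decline the override so that libkrb5 falls back to its own KDC discovery, stating it in the branch, e.g. `rc = KRB5_PLUGIN_NO_HANDLE;` before the `goto out;`, keeps that outcome from silently changing if the initialiser or an earlier assignment is edited later. The same applies to `return (rc);` in the matching hunk of smbd_krb5lookup.c. A one-line comment should also say that declining here moves KDC selection from the DC idmapd already discovered to whatever the default lookup path returns.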
diff --git a/usr/src/cmd/idmap/idmapd/mapfile-intf b/usr/src/cmd/idmap/idmapd/mapfile-intf
index 1ab5c033d7..d2f8c7cb04 100644
--- a/usr/src/cmd/idmap/idmapd/mapfile-intf
+++ b/usr/src/cmd/idmap/idmapd/mapfile-intf
@@ -21,6 +21,7 @@
#
# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
#
#
@@ -43,4 +44,5 @@ $mapfile_version 2
SYMBOL_SCOPE {
global:
app_krb5_user_uid;
+ _krb5_override_service_locator;
};
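Review bot: The added `_krb5_override_service_locator;` global has no comment saying what resolves it, which makes it easy to drop in a later interface cleanup. Going by the commit title, the override presumably failed because the symbol was not visible to the Kerberos locator code that looks it up at run time. A line above it such as `# Resolved by name by the krb5 service-locator code; must remain global` would record why the daemon exports it.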
diff --git a/usr/src/cmd/smbsrv/smbd/smbd_krb5lookup.c b/usr/src/cmd/smbsrv/smbd/smbd_krb5lookup.c
index af98b15b1b..83bc6b21d2 100644
--- a/usr/src/cmd/smbsrv/smbd/smbd_krb5lookup.c
+++ b/usr/src/cmd/smbsrv/smbd/smbd_krb5lookup.c
@@ -10,7 +10,7 @@
*/
/*
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
*/
#include <stdio.h>
@@ -26,6 +26,7 @@
#include <sys/note.h>
#include <smbsrv/libsmbns.h>
+#include <ads/dsgetdc.h>
#include "smbd.h"
#include "locate_plugin.h"
@@ -107,6 +108,13 @@ _krb5_override_service_locator(
dxi.d_dci.dc_addr.a_family == 0)
return (KRB5_REALM_CANT_RESOLVE);
+ if ((dxi.d_dci.dc_flags & DS_KDC_FLAG) == 0) {
+ smbd_report("_krb5_override_service_locator: "
+ "Domain Controller is not a KDC: "
+ "Kerberos auth may be slow");
+ return (rc);
+ }
+
switch (family) {
case AF_UNSPEC:
break; /* OK */
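Review bot: The message passed to `smbd_report` does not say which domain controller failed the `DS_KDC_FLAG` test, so whoever reads the log cannot tell which host to check. The same `smb_dcinfo_t` carries `dc_name` (see the libsmb.h hunk), so, assuming `smbd_report` takes a printf-style format, the call could be `smbd_report("_krb5_override_service_locator: %s is not a KDC: Kerberos auth may be slow", dxi.d_dci.dc_name);`. The `idmapdlog` warning in the idmapd krb5_lookup.c hunk has the same gap. Both messages are presumably emitted on every locator call while the condition holds, so it is worth checking whether that can flood the log.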
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c
index 505bde065e..a456aa04c8 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c
@@ -4,6 +4,8 @@
* Copyright 1991 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
+ * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
+ *
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
@@ -48,13 +50,14 @@ krb5_build_principal_va(krb5_context context, krb5_principal princ, unsigned int
if (data == 0)
return ENOMEM;
krb5_princ_set_realm_length(context, princ, rlen);
- tmpdata = malloc(rlen);
+ tmpdata = malloc(rlen + 1);
if (!tmpdata) {
free (data);
return ENOMEM;
}
krb5_princ_set_realm_data(context, princ, tmpdata);
memcpy(tmpdata, realm, rlen);
+ tmpdata[rlen] = '\0';
/* process rest of components */
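Review bot: `malloc(rlen + 1)` wraps to `malloc(0)` when `rlen` is `UINT_MAX` (it appears to be the `unsigned int` parameter in the truncated signature), and the following `memcpy(tmpdata, realm, rlen)` would then write far past the allocation. A guard ahead of the allocation closes that, e.g. `if (rlen == UINT_MAX) { free(data); return EINVAL; }`; whether any caller can pass such a length is not visible in this hunk. The terminator also deserves a comment, since `krb5_princ_set_realm_length` is still given `rlen`: `/* length stays rlen; the extra NUL is for consumers that read the realm data as a C string */`. The function body continues past the end of the hunk.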
diff --git a/usr/src/lib/smbsrv/libsmb/common/libsmb.h b/usr/src/lib/smbsrv/libsmb/common/libsmb.h
index 4f08abcfca..362c15c294 100644
--- a/usr/src/lib/smbsrv/libsmb/common/libsmb.h
+++ b/usr/src/lib/smbsrv/libsmb/common/libsmb.h
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
* Copyright 2020 RackTop Systems, Inc.
*/
@@ -641,6 +641,7 @@ typedef struct smb_trusted_domains {
typedef struct smb_dcinfo {
char dc_name[MAXHOSTNAMELEN];
smb_inaddr_t dc_addr;
+ uint32_t dc_flags;
} smb_dcinfo_t;
/*
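Review bot: `dc_flags` is added to `smb_dcinfo_t` without a comment, and in this diff only `smb_ads_lookup_msdcs` assigns it. Any other code that fills an `smb_dcinfo_t` (none is visible here) would leave the field zero or uninitialised, and the new `DS_KDC_FLAG` test in smbd_krb5lookup.c would then decline the override for a DC that is in fact a KDC, or act on stale bits. A field comment such as `/* DS_* flag bits (e.g. DS_KDC_FLAG) from <ads/dsgetdc.h>; 0 if unknown */` would state the contract, and the `/* DC flags */` comment on `flags` in the libsmbns.h hunk could name the same flag set. It is also worth confirming whether this struct is copied or marshalled between processes anywhere, since growing it would then require both sides to be rebuilt together.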
diff --git a/usr/src/lib/smbsrv/libsmbns/common/libsmbns.h b/usr/src/lib/smbsrv/libsmbns/common/libsmbns.h
index 11396695d2..fc8bd69957 100644
--- a/usr/src/lib/smbsrv/libsmbns/common/libsmbns.h
+++ b/usr/src/lib/smbsrv/libsmbns/common/libsmbns.h
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
#ifndef _LIBSMBNS_H
@@ -50,6 +50,7 @@ typedef struct smb_ads_host_info {
int port; /* ldap port */
int priority; /* DNS SRV record priority */
int weight; /* DNS SRV record weight */
+ uint32_t flags; /* DC flags */
smb_inaddr_t ipaddr; /* network byte order */
} smb_ads_host_info_t;
diff --git a/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c b/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c
index 5f797a38aa..44ae747bbf 100644
--- a/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c
+++ b/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
#include <sys/param.h>
@@ -476,6 +476,8 @@ again:
goto out;
}
+ host->flags = dci->Flags;
+
(void) mutex_lock(&smb_ads_cached_host_mtx);
if (!smb_ads_cached_host_info)
smb_ads_cached_host_info = smb_ads_dup_host_info(host);
@@ -1974,6 +1976,7 @@ smb_ads_lookup_msdcs(char *fqdn, smb_dcinfo_t *dci)
(void) strlcpy(dci->dc_name, hinfo->name, sizeof (dci->dc_name));
dci->dc_addr = hinfo->ipaddr;
+ dci->dc_flags = hinfo->flags;
free(hinfo);
return (NT_STATUS_SUCCESS);