CP-310956: Remove legacy winbind configuration (#6822)

9a468bf updated samba to 4.2x and keep legacy configuration in
smb.conf conditionally for backward compatibility.

Now samba binary is updated in all releases, this commit just drop the
legacy configurations

Author: liulinC

ocaml/xapi/extauth_plugin_ADwinbind.ml

@@ -102,14 +102,6 @@ let generic_error msg =
 
 let fail fmt = Printf.ksprintf generic_error fmt
 
-let is_samba_updated =
-  (* This is temporary workaround to be compatible for old and new samba, to decouple the merge of xapi and samba *)
-  let check_file = "/usr/lib64/samba/libxattr-tdb-private-samba.so" in
-  Sys.file_exists check_file
-
-let kerberos_opt =
-  match is_samba_updated with true -> [] | false -> ["--kerberos"]
-
 (* Global cache for netbios name to domain name mapping using atomic map for thread safety *)
 module StringMap = Map.Make (String)
 
@@ -424,7 +416,6 @@ module Ldap = struct
           ; kdc
           ; "--machine-pass"
           ]
-          @ kerberos_opt
           @ attrs
         in
         let stdout =
@@ -458,7 +449,6 @@ module Ldap = struct
     let query = Printf.sprintf "(|(sAMAccountName=%s)(name=%s))" name name in
     let args =
       ["ads"; "search"; "-d"; debug_level (); "--server"; kdc; "--machine-pass"]
-      @ kerberos_opt
       @ [query; key]
     in
     try
@@ -751,7 +741,7 @@ end
 let kdcs_of_domain domain =
   try
     Helpers.call_script ~log_output:On_failure net_cmd
-      (["lookup"; "kdc"; domain; "-d"; debug_level ()] @ kerberos_opt)
+      ["lookup"; "kdc"; domain; "-d"; debug_level ()]
     (* Result like 10.71.212.25:88\n10.62.1.25:88\n*)
     |> String.split_on_char '\n'
     |> List.filter (fun x -> String.trim x <> "") (* Remove empty lines *)
@@ -765,9 +755,7 @@ let workgroup_from_server kdc =
   let key = "Pre-Win2k Domain" in
   try
     Helpers.call_script ~log_output:On_failure net_cmd
-      (["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
-      @ kerberos_opt
-      )
+      ["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
     |> Xapi_cmd_result.of_output ~sep:':' ~key
     |> Result.ok
   with _ ->
@@ -794,57 +782,41 @@ let config_winbind_daemon ~workgroup ~netbios_name ~domain =
   let smb_config = "/etc/samba/smb.conf" in
   let string_of_bool = function true -> "yes" | false -> "no" in
 
-  (*`allow kerberos auth fallback` depends on our internal samba patch,
-   * this patch disable fallback to ntlm by default and can be enabled
-   * Looks like upstream is doing something similar on master with
-   * configuration `weak_crypto`, check and replace the internal patch when
-   * upgrade to samba packages with this capacity *)
-  let allow_fallback =
-    string_of_bool !Xapi_globs.winbind_allow_kerberos_auth_fallback
-  in
   let scan_trusted_domains =
     string_of_bool !Xapi_globs.winbind_scan_trusted_domains
   in
-  let version_conf =
-    match is_samba_updated with
-    | false ->
-        [Printf.sprintf "allow kerberos auth fallback = %s" allow_fallback]
-    | true ->
+  ( match (workgroup, netbios_name, domain) with
+    | Some wkgroup, Some netbios, Some dom ->
         [
-          "client use kerberos = required"
+          "# autogenerated by xapi"
+        ; "[global]"
+        ; "client use kerberos = required"
         ; "sync machine password to keytab = \
            /etc/krb5.keytab:account_name:sync_etypes:sync_kvno:machine_password"
+        ; "kerberos method = secrets and keytab"
+        ; Printf.sprintf "realm = %s" dom
+        ; "security = ADS"
+        ; "template shell = /bin/bash"
+        ; "winbind refresh tickets = yes"
+        ; "winbind enum groups = no"
+        ; "winbind enum users = no"
+        ; Printf.sprintf "winbind scan trusted domains = %s"
+            scan_trusted_domains
+        ; "winbind use krb5 enterprise principals = yes"
+        ; Printf.sprintf "winbind cache time = %d"
+            !Xapi_globs.winbind_cache_time
+        ; Printf.sprintf "machine password timeout = 0"
+        ; Printf.sprintf "kerberos encryption types = %s"
+            (Kerberos_encryption_types.Winbind.to_string
+               !Xapi_globs.winbind_kerberos_encryption_type
+            )
+        ; Printf.sprintf "workgroup = %s" wkgroup
+        ; Printf.sprintf "netbios name = %s" netbios
+        ; "idmap config * : backend = autorid"
+        ; Printf.sprintf "idmap config * : range = %d-%d" 2_000_000 99_999_999
+        ; Printf.sprintf "log level = %s" (debug_level ())
+        ; "" (* Empty line at the end *)
         ]
-  in
-  ( match (workgroup, netbios_name, domain) with
-    | Some wkgroup, Some netbios, Some dom ->
-        ["# autogenerated by xapi"; "[global]"]
-        @ version_conf
-        @ [
-            "kerberos method = secrets and keytab"
-          ; Printf.sprintf "realm = %s" dom
-          ; "security = ADS"
-          ; "template shell = /bin/bash"
-          ; "winbind refresh tickets = yes"
-          ; "winbind enum groups = no"
-          ; "winbind enum users = no"
-          ; Printf.sprintf "winbind scan trusted domains = %s"
-              scan_trusted_domains
-          ; "winbind use krb5 enterprise principals = yes"
-          ; Printf.sprintf "winbind cache time = %d"
-              !Xapi_globs.winbind_cache_time
-          ; Printf.sprintf "machine password timeout = 0"
-          ; Printf.sprintf "kerberos encryption types = %s"
-              (Kerberos_encryption_types.Winbind.to_string
-                 !Xapi_globs.winbind_kerberos_encryption_type
-              )
-          ; Printf.sprintf "workgroup = %s" wkgroup
-          ; Printf.sprintf "netbios name = %s" netbios
-          ; "idmap config * : backend = autorid"
-          ; Printf.sprintf "idmap config * : range = %d-%d" 2_000_000 99_999_999
-          ; Printf.sprintf "log level = %s" (debug_level ())
-          ; "" (* Empty line at the end *)
-          ]
     | _ ->
         ["# autogenerated by xapi"; "[global]"; "" (* Empty line at the end *)]
     )
@@ -922,9 +894,7 @@ let clear_machine_account ~service_name = function
   | Some u, Some p -> (
       (* Disable machine account in DC *)
       let env = [|Printf.sprintf "PASSWD=%s" p|] in
-      let args =
-        ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] @ kerberos_opt
-      in
+      let args = ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] in
       try
         Helpers.call_script ~env net_cmd args |> ignore ;
         debug "Succeed to clear the machine account for domain %s" service_name
@@ -1568,23 +1538,19 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
 
     let args =
       [
-        [
-          "ads"
-        ; "join"
-        ; service_name
-        ; "-U"
-        ; user
-        ; "-n"
-        ; netbios_name
-        ; "-d"
-        ; debug_level ()
-        ; "--no-dns-updates"
-        ]
-        @ kerberos_opt
-      ; ou_param
-      ; dns_hostname_option
+        "ads"
+      ; "join"
+      ; service_name
+      ; "-U"
+      ; user
+      ; "-n"
+      ; netbios_name
+      ; "-d"
+      ; debug_level ()
+      ; "--no-dns-updates"
       ]
-      |> List.concat
+      @ ou_param
+      @ dns_hostname_option
     in
     debug "Joining domain %s with user %s netbios_name %s" service_name user
       netbios_name ;

ocaml/xapi/xapi_globs.ml

@@ -1063,8 +1063,6 @@ let winbind_kerberos_encryption_type = ref Kerberos_encryption_types.Winbind.All
 
 let winbind_set_machine_account_kerberos_encryption_type = ref false
 
-let winbind_allow_kerberos_auth_fallback = ref false
-
 let winbind_scan_trusted_domains = ref false
 
 let winbind_keep_configuration = ref false
@@ -1663,11 +1661,6 @@ let other_options =
     , "Whether set machine account encryption type \
        (msDS-SupportedEncryptionTypes) on domain controller"
     )
-  ; ( "winbind_allow_kerberos_auth_fallback"
-    , Arg.Set winbind_allow_kerberos_auth_fallback
-    , (fun () -> string_of_bool !winbind_allow_kerberos_auth_fallback)
-    , "Whether to allow fallback to other auth on kerberos failure"
-    )
   ; ( "winbind_scan_trusted_domains"
     , Arg.Set winbind_scan_trusted_domains
     , (fun () -> string_of_bool !winbind_scan_trusted_domains)