diff --git a/ocaml/xapi/extauth_plugin_ADwinbind.ml b/ocaml/xapi/extauth_plugin_ADwinbind.ml
index 59afbad446..7e77f3a850 100644
--- a/ocaml/xapi/extauth_plugin_ADwinbind.ml
+++ b/ocaml/xapi/extauth_plugin_ADwinbind.ml
@@ -102,14 +102,6 @@ let generic_error msg =
 let fail fmt = Printf.ksprintf generic_error fmt
-let is_samba_updated =
- (* This is temporary workaround to be compatible for old and new samba, to decouple the merge of xapi and samba *)
- let check_file = "/usr/lib64/samba/libxattr-tdb-private-samba.so" in
- Sys.file_exists check_file
-
-let kerberos_opt =
- match is_samba_updated with true -> [] | false -> ["--kerberos"]
-
 (* Global cache for netbios name to domain name mapping using atomic map for thread safety *)
 module StringMap = Map.Make (String)
@@ -424,7 +416,6 @@ module Ldap = struct
 ; kdc
 ; "--machine-pass"
 ]
- @ kerberos_opt
 @ attrs
 in
 let stdout =
@@ -458,7 +449,6 @@ module Ldap = struct
 let query = Printf.sprintf "(|(sAMAccountName=%s)(name=%s))" name name in
 let args =
 ["ads"; "search"; "-d"; debug_level (); "--server"; kdc; "--machine-pass"]
- @ kerberos_opt
 @ [query; key]
 in
 try
@@ -751,7 +741,7 @@ end
 let kdcs_of_domain domain =
 try
 Helpers.call_script ~log_output:On_failure net_cmd
- (["lookup"; "kdc"; domain; "-d"; debug_level ()] @ kerberos_opt)
+ ["lookup"; "kdc"; domain; "-d"; debug_level ()]
 (* Result like 10.71.212.25:88\n10.62.1.25:88\n*)
 |> String.split_on_char '\n'
 |> List.filter (fun x -> String.trim x <> "") (* Remove empty lines *)
@@ -765,9 +755,7 @@ let workgroup_from_server kdc =
 let key = "Pre-Win2k Domain" in
 try
 Helpers.call_script ~log_output:On_failure net_cmd
- (["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
- @ kerberos_opt
- )
+ ["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
 |> Xapi_cmd_result.of_output ~sep:':' ~key
 |> Result.ok
 with _ ->
@@ -794,57 +782,41 @@ let config_winbind_daemon ~workgroup ~netbios_name ~domain =
 let smb_config = "/etc/samba/smb.conf" in
 let string_of_bool = function true -> "yes" | false -> "no" in
- (*`allow kerberos auth fallback` depends on our internal samba patch,
- * this patch disable fallback to ntlm by default and can be enabled
- * Looks like upstream is doing something similar on master with
- * configuration `weak_crypto`, check and replace the internal patch when
- * upgrade to samba packages with this capacity *)
- let allow_fallback =
- string_of_bool !Xapi_globs.winbind_allow_kerberos_auth_fallback
- in
 let scan_trusted_domains =
 string_of_bool !Xapi_globs.winbind_scan_trusted_domains
 in
- let version_conf =
- match is_samba_updated with
- | false ->
- [Printf.sprintf "allow kerberos auth fallback = %s" allow_fallback]
- | true ->
+ ( match (workgroup, netbios_name, domain) with
+ | Some wkgroup, Some netbios, Some dom ->
 [
- "client use kerberos = required"
+ "# autogenerated by xapi"
+ ; "[global]"
+ ; "client use kerberos = required"
 ; "sync machine password to keytab = \
 /etc/krb5.keytab:account_name:sync_etypes:sync_kvno:machine_password"
+ ; "kerberos method = secrets and keytab"
+ ; Printf.sprintf "realm = %s" dom
+ ; "security = ADS"
+ ; "template shell = /bin/bash"
+ ; "winbind refresh tickets = yes"
+ ; "winbind enum groups = no"
+ ; "winbind enum users = no"
+ ; Printf.sprintf "winbind scan trusted domains = %s" scan_trusted_domains
+ ; "winbind use krb5 enterprise principals = yes"
+ ; Printf.sprintf "winbind cache time = %d" !Xapi_globs.winbind_cache_time
+ ; Printf.sprintf "machine password timeout = 0"
+ ; Printf.sprintf "kerberos encryption types = %s" (Kerberos_encryption_types.Winbind.to_string !Xapi_globs.winbind_kerberos_encryption_type )
+ ; Printf.sprintf "workgroup = %s" wkgroup
+ ; Printf.sprintf "netbios name = %s" netbios
+ ; "idmap config * : backend = autorid"
+ ; Printf.sprintf "idmap config * : range = %d-%d" 2_000_000
99_999_999
+ ; Printf.sprintf "log level = %s" (debug_level ())
+ ; "" (* Empty line at the end *)
 ]
- in
- ( match (workgroup, netbios_name, domain) with
- | Some wkgroup, Some netbios, Some dom ->
- ["# autogenerated by xapi"; "[global]"]
- @ version_conf
- @ [
- "kerberos method = secrets and keytab"
- ; Printf.sprintf "realm = %s" dom
- ; "security = ADS"
- ; "template shell = /bin/bash"
- ; "winbind refresh tickets = yes"
- ; "winbind enum groups = no"
- ; "winbind enum users = no"
- ; Printf.sprintf "winbind scan trusted domains = %s"
- scan_trusted_domains
- ; "winbind use krb5 enterprise principals = yes"
- ; Printf.sprintf "winbind cache time = %d"
- !Xapi_globs.winbind_cache_time
- ; Printf.sprintf "machine password timeout = 0"
- ; Printf.sprintf "kerberos encryption types = %s"
- (Kerberos_encryption_types.Winbind.to_string
- !Xapi_globs.winbind_kerberos_encryption_type
- )
- ; Printf.sprintf "workgroup = %s" wkgroup
- ; Printf.sprintf "netbios name = %s" netbios
- ; "idmap config * : backend = autorid"
- ; Printf.sprintf "idmap config * : range = %d-%d" 2_000_000 99_999_999
- ; Printf.sprintf "log level = %s" (debug_level ())
- ; "" (* Empty line at the end *)
- ]
 | _ ->
 ["# autogenerated by xapi"; "[global]"; "" (* Empty line at the end *)]
 )
@@ -922,9 +894,7 @@ let clear_machine_account ~service_name = function
 | Some u, Some p -> (
 (* Disable machine account in DC *)
 let env = [|Printf.sprintf "PASSWD=%s" p|] in
- let args =
- ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] @ kerberos_opt
- in
+ let args = ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] in
 try
 Helpers.call_script ~env net_cmd args |> ignore ;
 debug "Succeed to clear the machine account for domain %s" service_name
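Review bot: The fallback `| _ ->` branch at the end of this hunk still writes only `# autogenerated by xapi`, `[global]` and an empty line, so `client use kerberos = required` reaches smb.conf only once workgroup, netbios name and domain are all known, and now that the earlier hunks drop `kerberos_opt` from `kdcs_of_domain` and `workgroup_from_server`, any `net` call made while the minimal config is in place presumably falls back to samba's default client Kerberos policy rather than an explicit one. If those lookups can run before the full config is written, consider adding `; "client use kerberos = required"` to the fallback list too. The removed comment block was the only place recording why NTLM fallback is disabled; a short comment above the new `"client use kerberos = required"` line, e.g. `(* Require Kerberos for every client operation; never fall back to NTLM on Kerberos failure *)`, would keep that rationale next to the setting. `Printf.sprintf "machine password timeout = 0"` takes no format arguments and can be the plain literal `"machine password timeout = 0"`. config_winbind_daemon continues past the end of the hunk.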
@@ -1568,23 +1538,19 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
 let args =
 [
- [
- "ads"
- ; "join"
- ; service_name
- ; "-U"
- ; user
- ; "-n"
- ; netbios_name
- ; "-d"
- ; debug_level ()
- ; "--no-dns-updates"
- ]
- @ kerberos_opt
- ; ou_param
- ; dns_hostname_option
+ "ads"
+ ; "join"
+ ; service_name
+ ; "-U"
+ ; user
+ ; "-n"
+ ; netbios_name
+ ; "-d"
+ ; debug_level ()
+ ; "--no-dns-updates"
 ]
- |> List.concat
+ @ ou_param
+ @ dns_hostname_option
 in
 debug "Joining domain %s with user %s netbios_name %s" service_name user netbios_name ;
diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml
index 18aeba14d7..fb02570e87 100644
--- a/ocaml/xapi/xapi_globs.ml
+++ b/ocaml/xapi/xapi_globs.ml
@@ -1063,8 +1063,6 @@ let winbind_kerberos_encryption_type = ref Kerberos_encryption_types.Winbind.All
 let winbind_set_machine_account_kerberos_encryption_type = ref false
-let winbind_allow_kerberos_auth_fallback = ref false
-
 let winbind_scan_trusted_domains = ref false
 let winbind_keep_configuration = ref false
@@ -1663,11 +1661,6 @@ let other_options =
 , "Whether set machine account encryption type \
 (msDS-SupportedEncryptionTypes) on domain controller"
 )
- ; ( "winbind_allow_kerberos_auth_fallback"
- , Arg.Set winbind_allow_kerberos_auth_fallback
- , (fun () -> string_of_bool !winbind_allow_kerberos_auth_fallback)
- , "Whether to allow fallback to other auth on kerberos failure"
- )
 ; ( "winbind_scan_trusted_domains"
 , Arg.Set winbind_scan_trusted_domains
 , (fun () -> string_of_bool !winbind_scan_trusted_domains)