CP-310956: Remove legacy winbind configuration

ocaml/xapi/extauth_plugin_ADwinbind.ml

@@ -102,14 +102,6 @@ let generic_error msg =
 
 let fail fmt = Printf.ksprintf generic_error fmt
 
-let is_samba_updated =
-  (* This is temporary workaround to be compatible for old and new samba, to decouple the merge of xapi and samba *)
-  let check_file = "/usr/lib64/samba/libxattr-tdb-private-samba.so" in
-  Sys.file_exists check_file
-
-let kerberos_opt =
-  match is_samba_updated with true -> [] | false -> ["--kerberos"]
-
 (* Global cache for netbios name to domain name mapping using atomic map for thread safety *)
 module StringMap = Map.Make (String)
 
@@ -424,7 +416,6 @@ module Ldap = struct
           ; kdc
           ; "--machine-pass"
           ]
-          @ kerberos_opt
           @ attrs
         in
         let stdout =
@@ -458,7 +449,6 @@ module Ldap = struct
     let query = Printf.sprintf "(|(sAMAccountName=%s)(name=%s))" name name in
     let args =
       ["ads"; "search"; "-d"; debug_level (); "--server"; kdc; "--machine-pass"]
-      @ kerberos_opt
       @ [query; key]
     in
     try
@@ -751,7 +741,7 @@ end
 let kdcs_of_domain domain =
   try
     Helpers.call_script ~log_output:On_failure net_cmd
-      (["lookup"; "kdc"; domain; "-d"; debug_level ()] @ kerberos_opt)
+      ["lookup"; "kdc"; domain; "-d"; debug_level ()]
     (* Result like 10.71.212.25:88\n10.62.1.25:88\n*)
     |> String.split_on_char '\n'
     |> List.filter (fun x -> String.trim x <> "") (* Remove empty lines *)
@@ -765,9 +755,7 @@ let workgroup_from_server kdc =
   let key = "Pre-Win2k Domain" in
   try
     Helpers.call_script ~log_output:On_failure net_cmd
-      (["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
-      @ kerberos_opt
-      )
+      ["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
     |> Xapi_cmd_result.of_output ~sep:':' ~key
     |> Result.ok
   with _ ->
@@ -794,57 +782,41 @@ let config_winbind_daemon ~workgroup ~netbios_name ~domain =
   let smb_config = "/etc/samba/smb.conf" in
   let string_of_bool = function true -> "yes" | false -> "no" in
 
-  (*`allow kerberos auth fallback` depends on our internal samba patch,
-   * this patch disable fallback to ntlm by default and can be enabled
-   * Looks like upstream is doing something similar on master with
-   * configuration `weak_crypto`, check and replace the internal patch when
-   * upgrade to samba packages with this capacity *)
-  let allow_fallback =
-    string_of_bool !Xapi_globs.winbind_allow_kerberos_auth_fallback
-  in
   let scan_trusted_domains =
     string_of_bool !Xapi_globs.winbind_scan_trusted_domains
   in
-  let version_conf =
-    match is_samba_updated with
-    | false ->
-        [Printf.sprintf "allow kerberos auth fallback = %s" allow_fallback]
-    | true ->
+  ( match (workgroup, netbios_name, domain) with
+    | Some wkgroup, Some netbios, Some dom ->
         [
-          "client use kerberos = required"
+          "# autogenerated by xapi"
+        ; "[global]"
+        ; "client use kerberos = required"
         ; "sync machine password to keytab = \
            /etc/krb5.keytab:account_name:sync_etypes:sync_kvno:machine_password"
+        ; "kerberos method = secrets and keytab"
+        ; Printf.sprintf "realm = %s" dom
+        ; "security = ADS"
+        ; "template shell = /bin/bash"
+        ; "winbind refresh tickets = yes"
+        ; "winbind enum groups = no"
+        ; "winbind enum users = no"
+        ; Printf.sprintf "winbind scan trusted domains = %s"
+            scan_trusted_domains
+        ; "winbind use krb5 enterprise principals = yes"
+        ; Printf.sprintf "winbind cache time = %d"
+            !Xapi_globs.winbind_cache_time
+        ; Printf.sprintf "machine password timeout = 0"
+        ; Printf.sprintf "kerberos encryption types = %s"
+            (Kerberos_encryption_types.Winbind.to_string
+               !Xapi_globs.winbind_kerberos_encryption_type
+            )
+        ; Printf.sprintf "workgroup = %s" wkgroup
+        ; Printf.sprintf "netbios name = %s" netbios
+        ; "idmap config * : backend = autorid"
+        ; Printf.sprintf "idmap config * : range = %d-%d" 2_000_000 99_999_999
+        ; Printf.sprintf "log level = %s" (debug_level ())
+        ; "" (* Empty line at the end *)
         ]
-  in
-  ( match (workgroup, netbios_name, domain) with
-    | Some wkgroup, Some netbios, Some dom ->
-        ["# autogenerated by xapi"; "[global]"]
-        @ version_conf
-        @ [
-            "kerberos method = secrets and keytab"
-          ; Printf.sprintf "realm = %s" dom
-          ; "security = ADS"
-          ; "template shell = /bin/bash"
-          ; "winbind refresh tickets = yes"
-          ; "winbind enum groups = no"
-          ; "winbind enum users = no"
-          ; Printf.sprintf "winbind scan trusted domains = %s"
-              scan_trusted_domains
-          ; "winbind use krb5 enterprise principals = yes"
-          ; Printf.sprintf "winbind cache time = %d"
-              !Xapi_globs.winbind_cache_time
-          ; Printf.sprintf "machine password timeout = 0"
-          ; Printf.sprintf "kerberos encryption types = %s"
-              (Kerberos_encryption_types.Winbind.to_string
-                 !Xapi_globs.winbind_kerberos_encryption_type
-              )
-          ; Printf.sprintf "workgroup = %s" wkgroup
-          ; Printf.sprintf "netbios name = %s" netbios
-          ; "idmap config * : backend = autorid"
-          ; Printf.sprintf "idmap config * : range = %d-%d" 2_000_000 99_999_999
-          ; Printf.sprintf "log level = %s" (debug_level ())
-          ; "" (* Empty line at the end *)
-          ]
     | _ ->
         ["# autogenerated by xapi"; "[global]"; "" (* Empty line at the end *)]
     )
@@ -922,9 +894,7 @@ let clear_machine_account ~service_name = function
   | Some u, Some p -> (
       (* Disable machine account in DC *)
       let env = [|Printf.sprintf "PASSWD=%s" p|] in
-      let args =
-        ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] @ kerberos_opt
-      in
+      let args = ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] in
       try
         Helpers.call_script ~env net_cmd args |> ignore ;
         debug "Succeed to clear the machine account for domain %s" service_name
@@ -1568,23 +1538,19 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
 
     let args =
       [
-        [
-          "ads"
-        ; "join"
-        ; service_name
-        ; "-U"
-        ; user
-        ; "-n"
-        ; netbios_name
-        ; "-d"
-        ; debug_level ()
-        ; "--no-dns-updates"
-        ]
-        @ kerberos_opt
-      ; ou_param
-      ; dns_hostname_option
+        "ads"
+      ; "join"
+      ; service_name
+      ; "-U"
+      ; user
+      ; "-n"
+      ; netbios_name
+      ; "-d"
+      ; debug_level ()
+      ; "--no-dns-updates"
       ]
-      |> List.concat
+      @ ou_param
+      @ dns_hostname_option
     in
     debug "Joining domain %s with user %s netbios_name %s" service_name user
       netbios_name ;

ocaml/xapi/xapi_globs.ml

@@ -1063,8 +1063,6 @@ let winbind_kerberos_encryption_type = ref Kerberos_encryption_types.Winbind.All
 
 let winbind_set_machine_account_kerberos_encryption_type = ref false
 
-let winbind_allow_kerberos_auth_fallback = ref false
-
 let winbind_scan_trusted_domains = ref false
 
 let winbind_keep_configuration = ref false
@@ -1663,11 +1661,6 @@ let other_options =
     , "Whether set machine account encryption type \
        (msDS-SupportedEncryptionTypes) on domain controller"
     )
-  ; ( "winbind_allow_kerberos_auth_fallback"
-    , Arg.Set winbind_allow_kerberos_auth_fallback
-    , (fun () -> string_of_bool !winbind_allow_kerberos_auth_fallback)
-    , "Whether to allow fallback to other auth on kerberos failure"
-    )
   ; ( "winbind_scan_trusted_domains"
     , Arg.Set winbind_scan_trusted_domains
     , (fun () -> string_of_bool !winbind_scan_trusted_domains)