Merge pull request #122 from scabrero/fix-samba-4-21

Fix joining with samba 4.21
yast · Oct 21, 2024 · b51ba27 · b51ba27
2 parents eb471da + a738c49
commit b51ba27
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 3 deletions.
diff --git a/package/yast2-auth-client.changes b/package/yast2-auth-client.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Sep 25 11:14:02 UTC 2024 - Samuel Cabrero <[email protected]>
+
+- Use new smb.conf parameter "sync machine password to keytab"
+- Skip whitespace-only lines when parsing krb5.conf
+- 5.0.1
+
 -------------------------------------------------------------------
 Wed Aug 30 20:16:10 UTC 2023 - Josef Reidinger <[email protected]>
 

diff --git a/package/yast2-auth-client.spec b/package/yast2-auth-client.spec
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-auth-client
-Version:        5.0.0
+Version:        5.0.1
 Release:        0
 Url:            https://github.com/yast/yast-auth-client
 Summary:        YaST2 - Centralised System Authentication Configuration

diff --git a/src/lib/auth/authconf.rb b/src/lib/auth/authconf.rb
@@ -26,13 +26,16 @@
 require 'fileutils'
 require 'date'
 require 'auth/krbparse'
+require 'shellwords'
+require "yast2/execute"
 
 module Auth
     # Manage system-wide authentication configuration from Kerberos, LDAP, Samba, and SSSD's perspectives.
     class AuthConf
         include Yast::I18n
         include Yast::Logger
         include Yast::UIShortcuts
+        include Yast::Logger
 
         attr_accessor(:krb_conf, :krb_pam, :ldap_pam, :ldap_nss, :sssd_conf, :sssd_pam, :sssd_nss, :sssd_enabled)
         attr_accessor(:autofs_enabled, :nscd_enabled, :mkhomedir_pam)
@@ -755,18 +758,65 @@ def aux_apply
                 service_disable_stop('nscd')
             end
         end
-
+
+        def is_installed_version_newer_or_equal?(installed_rpm_version, test_rpm_version)
+            installed_rpm_version_l = installed_rpm_version
+                .split(/[-.+]/)
+                .select { |i| i.match?(/^\d+$/) }
+                .map(&:to_i)
+
+            test_rpm_version_l = test_rpm_version
+                .split(/[-.+]/)
+                .select { |i| i.match?(/^\d+$/) }
+                .map(&:to_i)
+
+            log.info(
+                "Evaluating installed #{installed_rpm_version_l} and test #{test_rpm_version_l} versions"
+            )
+
+            comparison_result = installed_rpm_version_l <=> test_rpm_version_l
+            installed_version_is_equal_or_newer = comparison_result != -1
+
+            log.info(
+                "#{installed_rpm_version} >= #{test_rpm_version} -> #{installed_version_is_equal_or_newer}"
+            )
+            installed_version_is_equal_or_newer
+        end
+
+        # @return [String, nil]
+        def samba_version
+            cmd = "/bin/rpm -q --queryformat %{VERSION} samba"
+            bin, *args = cmd.split
+            Yast::Execute.locally!(bin, *args, stdout: :capture)
+        rescue Cheetah::ExecutionFailed
+            log.warn("Cannot check the installed samba version: #{cmd}")
+            nil
+        end
+
         # Create a temporary file holding smb.conf for the specified AD domain.
         # @return [File] a closed file, caller should #unlink after it is no longer used.
         def ad_create_tmp_smb_conf(ad_domain_name, workgroup_name)
+            installed_rpm_version = samba_version
+            if !installed_rpm_version
+                Yast::Report.Error(_('Failed to check the installed samba version.'))
+                return
+            end
+
+            system_keytab = krb_get_default(:default_keytab_name)
+            if is_installed_version_newer_or_equal?(installed_rpm_version, "4.21.0")
+                system_keytab_param = "sync machine password to keytab = #{system_keytab}:account_name:sync_etypes:sync_kvno:machine_password"
+            else
+                system_keytab_param = "kerberos method = secrets and keytab"
+            end
+
             out = Tempfile.new("tempfile")
             out.write("
 [global]
     security = ads
     realm = #{ad_domain_name}
     workgroup = #{workgroup_name}
     log file = /var/log/samba/%m.log
-    kerberos method = secrets and keytab
+    #{system_keytab_param}
     client signing = yes
     client use spnego = yes
 ")
@@ -814,6 +864,9 @@ def ad_get_membership_status(ad_domain_name)
                 return [false, false]
             end
             smb_conf = ad_create_tmp_smb_conf(ad_domain_name, ad_get_workgroup_name(ad_domain_name))
+            if smb_conf.nil?
+                return [false, false]
+            end
             _, status = Open3.capture2("net -s #{smb_conf.path} ads testjoin")
             ad_has_computer = status.exitstatus == 0
             klist, _ = Open3.capture2("klist -k")
@@ -871,6 +924,9 @@ def ad_join_domain
 
             # Create a temporary smb.conf to join this computer
             smb_conf = ad_create_tmp_smb_conf(@ad_domain, ad_get_workgroup_name(@ad_domain))
+            if smb_conf.nil?
+                return [false, _('Failed to create temporary smb.conf')]
+            end
             output = ''
             exitstatus = 0
             ou_param = @ad_ou.to_s == '' ? '' : "createcomputer=#{@ad_ou}"

diff --git a/src/lib/auth/krbparse.rb b/src/lib/auth/krbparse.rb
@@ -34,6 +34,8 @@ def self.parse(krb_conf_text)
                 if comment_match
                     next
                 end
+                # Skip empty lines
+                next if line.match?(/^\s+$/)
                 # Remember include/includedir directives
                 include_match = /^(includedir|include|module)\s+(.+)$/.match(line)
                 if include_match

diff --git a/test/authconf_test.rb b/test/authconf_test.rb
@@ -32,6 +32,20 @@
     end
     authconf = Auth::AuthConfInst
 
+    describe 'Samba' do
+        it 'Detect samba version' do
+            expect(authconf.is_installed_version_newer_or_equal?("4.20.1", "4.21.0")).to eq(false)
+            expect(authconf.is_installed_version_newer_or_equal?("4.21.0", "4.20.1")).to eq(true)
+            expect(authconf.is_installed_version_newer_or_equal?("4.21.0", "4.21.0")).to eq(true)
+            expect(authconf.is_installed_version_newer_or_equal?("4.20.1", "4.21")).to eq(false)
+            expect(authconf.is_installed_version_newer_or_equal?("4.21.0", "4.20")).to eq(true)
+            expect(authconf.is_installed_version_newer_or_equal?("4.21.0", "4.21")).to eq(true)
+            expect(authconf.is_installed_version_newer_or_equal?("4.20", "4.21.0")).to eq(false)
+            expect(authconf.is_installed_version_newer_or_equal?("4.21", "4.20.1")).to eq(true)
+            expect(authconf.is_installed_version_newer_or_equal?("4.21", "4.20.0")).to eq(true)
+        end
+    end
+
     describe 'SSSD' do
         it 'Read, lint, and export SSSD configuration' do
             authconf.sssd_read