From aeeaa1f96277e205854f481f67fef2a35cea17a7 Mon Sep 17 00:00:00 2001
From: Lin Liu
Date: Wed, 7 Jan 2026 09:26:55 +0000
Subject: [PATCH] CP-310956: Remove legacy winbind configuration

9a468bff1eb updated samba to 4.2x and keep legacy configuration in smb.conf conditionally for backward compatibility. Now samba binary is updated in all releases, this commit just drop the legacy configurations

Signed-off-by: Lin Liu
---
 ocaml/xapi/extauth_plugin_ADwinbind.ml | 120 +++++++++---------------
 ocaml/xapi/xapi_globs.ml               |   7 --
 2 files changed, 43 insertions(+), 84 deletions(-)

diff --git a/ocaml/xapi/extauth_plugin_ADwinbind.ml b/ocaml/xapi/extauth_plugin_ADwinbind.ml
index 59afbad4462..7e77f3a8502 100644
--- a/ocaml/xapi/extauth_plugin_ADwinbind.ml
+++ b/ocaml/xapi/extauth_plugin_ADwinbind.ml
@@ -102,14 +102,6 @@ let generic_error msg =
 let fail fmt = Printf.ksprintf generic_error fmt
 
-let is_samba_updated =
-  (* This is temporary workaround to be compatible for old and new samba, to decouple the merge of xapi and samba *)
-  let check_file = "/usr/lib64/samba/libxattr-tdb-private-samba.so" in
-  Sys.file_exists check_file
-
-let kerberos_opt =
-  match is_samba_updated with true -> [] | false -> ["--kerberos"]
-
 (* Global cache for netbios name to domain name mapping using atomic map for thread safety *)
 module StringMap = Map.Make (String)
 
@@ -424,7 +416,6 @@ module Ldap = struct
         ; kdc
         ; "--machine-pass"
         ]
-        @ kerberos_opt
         @ attrs
       in
       let stdout =
@@ -458,7 +449,6 @@ module Ldap = struct
     let query = Printf.sprintf "(|(sAMAccountName=%s)(name=%s))" name name in
     let args =
       ["ads"; "search"; "-d"; debug_level (); "--server"; kdc; "--machine-pass"]
-      @ kerberos_opt
       @ [query; key]
     in
     try
@@ -751,7 +741,7 @@ end
 let kdcs_of_domain domain =
   try
     Helpers.call_script ~log_output:On_failure net_cmd
-      (["lookup"; "kdc"; domain; "-d"; debug_level ()] @ kerberos_opt)
+      ["lookup"; "kdc"; domain; "-d"; debug_level ()]
     (* Result like 10.71.212.25:88\n10.62.1.25:88\n*)
     |> String.split_on_char '\n'
     |> List.filter (fun x -> String.trim x <> "") (* Remove empty lines *)
@@ -765,9 +755,7 @@ let workgroup_from_server kdc =
   let key = "Pre-Win2k Domain" in
   try
     Helpers.call_script ~log_output:On_failure net_cmd
-      (["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
-      @ kerberos_opt
-      )
+      ["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
     |> Xapi_cmd_result.of_output ~sep:':' ~key
     |> Result.ok
   with _ ->
@@ -794,57 +782,41 @@ let config_winbind_daemon ~workgroup ~netbios_name ~domain =
   let smb_config = "/etc/samba/smb.conf" in
   let string_of_bool = function true -> "yes" | false -> "no" in
-  (*`allow kerberos auth fallback` depends on our internal samba patch,
-   * this patch disable fallback to ntlm by default and can be enabled
-   * Looks like upstream is doing something similar on master with
-   * configuration `weak_crypto`, check and replace the internal patch when
-   * upgrade to samba packages with this capacity *)
-  let allow_fallback =
-    string_of_bool !Xapi_globs.winbind_allow_kerberos_auth_fallback
-  in
   let scan_trusted_domains =
     string_of_bool !Xapi_globs.winbind_scan_trusted_domains
   in
-  let version_conf =
-    match is_samba_updated with
-    | false ->
-        [Printf.sprintf "allow kerberos auth fallback = %s" allow_fallback]
-    | true ->
+  ( match (workgroup, netbios_name, domain) with
+  | Some wkgroup, Some netbios, Some dom ->
         [
-          "client use kerberos = required"
+          "# autogenerated by xapi"
+        ; "[global]"
+        ; "client use kerberos = required"
         ; "sync machine password to keytab = \
            /etc/krb5.keytab:account_name:sync_etypes:sync_kvno:machine_password"
+        ; "kerberos method = secrets and keytab"
+        ; Printf.sprintf "realm = %s" dom
+        ; "security = ADS"
+        ; "template shell = /bin/bash"
+        ; "winbind refresh tickets = yes"
+        ; "winbind enum groups = no"
+        ; "winbind enum users = no"
+        ; Printf.sprintf "winbind scan trusted domains = %s"
+            scan_trusted_domains
+        ; "winbind use krb5 enterprise principals = yes"
+        ; Printf.sprintf "winbind cache time = %d"
+            !Xapi_globs.winbind_cache_time
+        ; Printf.sprintf "machine password timeout = 0"
+        ; Printf.sprintf "kerberos encryption types = %s"
+            (Kerberos_encryption_types.Winbind.to_string
+               !Xapi_globs.winbind_kerberos_encryption_type
+            )
+        ; Printf.sprintf "workgroup = %s" wkgroup
+        ; Printf.sprintf "netbios name = %s" netbios
+        ; "idmap config * : backend = autorid"
+        ; Printf.sprintf "idmap config * : range = %d-%d" 2_000_000
+            99_999_999
+        ; Printf.sprintf "log level = %s" (debug_level ())
+        ; "" (* Empty line at the end *)
         ]
-  in
-  ( match (workgroup, netbios_name, domain) with
-  | Some wkgroup, Some netbios, Some dom ->
-      ["# autogenerated by xapi"; "[global]"]
-      @ version_conf
-      @ [
-          "kerberos method = secrets and keytab"
-        ; Printf.sprintf "realm = %s" dom
-        ; "security = ADS"
-        ; "template shell = /bin/bash"
-        ; "winbind refresh tickets = yes"
-        ; "winbind enum groups = no"
-        ; "winbind enum users = no"
-        ; Printf.sprintf "winbind scan trusted domains = %s"
-            scan_trusted_domains
-        ; "winbind use krb5 enterprise principals = yes"
-        ; Printf.sprintf "winbind cache time = %d"
-            !Xapi_globs.winbind_cache_time
-        ; Printf.sprintf "machine password timeout = 0"
-        ; Printf.sprintf "kerberos encryption types = %s"
-            (Kerberos_encryption_types.Winbind.to_string
-               !Xapi_globs.winbind_kerberos_encryption_type
-            )
-        ; Printf.sprintf "workgroup = %s" wkgroup
-        ; Printf.sprintf "netbios name = %s" netbios
-        ; "idmap config * : backend = autorid"
-        ; Printf.sprintf "idmap config * : range = %d-%d" 2_000_000 99_999_999
-        ; Printf.sprintf "log level = %s" (debug_level ())
-        ; "" (* Empty line at the end *)
-        ]
   | _ ->
       ["# autogenerated by xapi"; "[global]"; "" (* Empty line at the end *)]
   )
@@ -922,9 +894,7 @@ let clear_machine_account ~service_name = function
   | Some u, Some p -> (
       (* Disable machine account in DC *)
       let env = [|Printf.sprintf "PASSWD=%s" p|] in
-      let args =
-        ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] @ kerberos_opt
-      in
+      let args = ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] in
       try
         Helpers.call_script ~env net_cmd args |> ignore ;
         debug "Succeed to clear the machine account for domain %s" service_name
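Review bot: The `realm = %s`, `workgroup = %s` and `netbios name = %s` lines on the new side interpolate `dom`, `wkgroup` and `netbios` into smb.conf with no check on their contents, and `workgroup_from_server` (earlier hunk) derives a workgroup by parsing `net ads lookup` output from the DC, which presumably feeds this `~workgroup`; a value carrying a newline, `#` or `;` would then land in the generated file as extra or commented-out directives instead of being rejected. Before building the list I would fail closed, e.g. `if List.exists (fun s -> String.contains s '\n' || String.contains s '\r') [wkgroup; netbios; dom] then fail "invalid character in smb.conf value" ;` (using the `fail` helper defined near the top of the file). The removed block comment was the only explanation of the NTLM policy, so I would keep a one-line comment above `"client use kerberos = required"` noting that NTLM fallback is now unconditionally forbidden because the updated samba packages are required everywhere. `Printf.sprintf "machine password timeout = 0"` takes no arguments and can be the plain string literal. config_winbind_daemon continues past the end of the hunk, where the list is presumably written to `smb_config`.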
@@ -1568,23 +1538,19 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
       let args =
         [
-          [
-            "ads"
-          ; "join"
-          ; service_name
-          ; "-U"
-          ; user
-          ; "-n"
-          ; netbios_name
-          ; "-d"
-          ; debug_level ()
-          ; "--no-dns-updates"
-          ]
-          @ kerberos_opt
-        ; ou_param
-        ; dns_hostname_option
+          "ads"
+        ; "join"
+        ; service_name
+        ; "-U"
+        ; user
+        ; "-n"
+        ; netbios_name
+        ; "-d"
+        ; debug_level ()
+        ; "--no-dns-updates"
         ]
-        |> List.concat
+        @ ou_param
+        @ dns_hostname_option
       in
       debug "Joining domain %s with user %s netbios_name %s" service_name user
         netbios_name ;
diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml
index 18aeba14d76..fb02570e872 100644
--- a/ocaml/xapi/xapi_globs.ml
+++ b/ocaml/xapi/xapi_globs.ml
@@ -1063,8 +1063,6 @@ let winbind_kerberos_encryption_type = ref Kerberos_encryption_types.Winbind.All
 
 let winbind_set_machine_account_kerberos_encryption_type = ref false
 
-let winbind_allow_kerberos_auth_fallback = ref false
-
 let winbind_scan_trusted_domains = ref false
 
 let winbind_keep_configuration = ref false
@@ -1663,11 +1661,6 @@ let other_options =
       , "Whether set machine account encryption type \
          (msDS-SupportedEncryptionTypes) on domain controller"
       )
-    ; ( "winbind_allow_kerberos_auth_fallback"
-      , Arg.Set winbind_allow_kerberos_auth_fallback
-      , (fun () -> string_of_bool !winbind_allow_kerberos_auth_fallback)
-      , "Whether to allow fallback to other auth on kerberos failure"
-      )
     ; ( "winbind_scan_trusted_domains"
       , Arg.Set winbind_scan_trusted_domains
       , (fun () -> string_of_bool !winbind_scan_trusted_domains)
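Review bot: The `net ads join` argument list no longer carries `--kerberos`, so the Kerberos-only behaviour of the join now rests entirely on `client use kerberos = required` being present in the smb.conf that config_winbind_daemon generates; whether the join can run before that file has been (re)written is not visible here, and if it can, this command would be free to negotiate NTLM. I would record the dependency above `let args =`, e.g. `(* Kerberos-only is enforced by "client use kerberos = required" in smb.conf; --kerberos is no longer passed here *)`, so that anyone reordering the join relative to the config write sees the requirement. The enclosing function starts before the hunk.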