CP-309846: Select proper AD certificate (#6975)

liulinC · web-flow · commit 794844fbe575 · 2026-03-26T09:26:24.000+08:00
Select CA bundles to setup TLS connection to DC in following preference
- /etc/trusted-certs/ca-bundle-ldaps.pem
- /etc/trusted-certs/ca-bundle-general.pem
- /etc/stunnel/certs (Legacy, will be removed with trusted certs)

Raise proper error code when no certs exists
diff --git a/ocaml/idl/datamodel_errors.ml b/ocaml/idl/datamodel_errors.ml
@@ -754,6 +754,8 @@ let _ =
     ~doc:"The host failed to enable external authentication." () ;
   error Api_errors.auth_enable_failed_invalid_certs ["message"]
     ~doc:"The host failed to enable external authentication." () ;
+  error Api_errors.auth_enable_failed_no_certs ["message"]
+    ~doc:"The host failed to enable external authentication." () ;
   error Api_errors.auth_disable_failed ["message"]
     ~doc:"The host failed to disable external authentication." () ;
   error Api_errors.auth_disable_failed_wrong_credentials ["message"]
@@ -845,6 +847,8 @@ let _ =
     ~doc:"The pool failed to enable external authentication." () ;
   error Api_errors.pool_auth_enable_failed_invalid_certs ["host"; "message"]
     ~doc:"The pool failed to enable external authentication." () ;
+  error Api_errors.pool_auth_enable_failed_no_certs ["host"; "message"]
+    ~doc:"The pool failed to enable external authentication." () ;
   error Api_errors.auth_set_ldaps_failed ["host"; "message"]
     ~doc:"The pool failed to set LDAPS configuration." () ;
   error Api_errors.pool_auth_disable_failed ["host"; "message"]
diff --git a/ocaml/tests/test_extauth_plugin_ADwinbind.ml b/ocaml/tests/test_extauth_plugin_ADwinbind.ml
@@ -92,6 +92,8 @@ module Errtag = Generic.MakeStateless (struct
           "E_INVALID_ACCOUNT"
       | E_INVALID_CERTS ->
           "E_INVALID_CERTS"
+      | E_NO_CERTS ->
+          "E_NO_CERTS"
   end
 
   let transform = Extauth_plugin_ADwinbind.tag_from_err_msg
diff --git a/ocaml/xapi-consts/api_errors.ml b/ocaml/xapi-consts/api_errors.ml
@@ -1025,6 +1025,8 @@ let auth_is_disabled = add_error "AUTH_IS_DISABLED"
 
 let auth_invalid_certs = add_error "AUTH_INVALID_CERTS"
 
+let auth_no_certs = add_error "AUTH_NO_CERTS"
+
 let auth_suffix_wrong_credentials = "_WRONG_CREDENTIALS"
 
 let auth_suffix_permission_denied = "_PERMISSION_DENIED"
@@ -1039,6 +1041,8 @@ let auth_suffix_invalid_account = "_INVALID_ACCOUNT"
 
 let auth_suffix_invalid_certs = "_INVALID_CERTS"
 
+let auth_suffix_no_certs = "_NO_CERTS"
+
 let auth_enable_failed = add_error "AUTH_ENABLE_FAILED"
 
 let auth_enable_failed_wrong_credentials =
@@ -1062,6 +1066,9 @@ let auth_enable_failed_invalid_account =
 let auth_enable_failed_invalid_certs =
   add_error $ auth_enable_failed ^ auth_suffix_invalid_certs
 
+let auth_enable_failed_no_certs =
+  add_error $ auth_enable_failed ^ auth_suffix_no_certs
+
 let auth_disable_failed = add_error "AUTH_DISABLE_FAILED"
 
 let auth_disable_failed_wrong_credentials =
@@ -1097,6 +1104,9 @@ let pool_auth_enable_failed_invalid_account =
 let pool_auth_enable_failed_invalid_certs =
   add_error $ pool_auth_enable_failed ^ auth_suffix_invalid_certs
 
+let pool_auth_enable_failed_no_certs =
+  add_error $ pool_auth_enable_failed ^ auth_suffix_no_certs
+
 let pool_auth_enable_failed_duplicate_hostname =
   add_error $ pool_auth_enable_failed ^ "_DUPLICATE_HOSTNAME"
 
diff --git a/ocaml/xapi/auth_signature.ml b/ocaml/xapi/auth_signature.ml
@@ -32,6 +32,7 @@ type auth_service_error_tag =
   | E_INVALID_OU
   | E_INVALID_ACCOUNT
   | E_INVALID_CERTS
+  | E_NO_CERTS
 
 exception Auth_service_error of auth_service_error_tag * string
 
@@ -55,6 +56,8 @@ let suffix_of_tag errtag =
       Api_errors.auth_suffix_invalid_account
   | E_INVALID_CERTS ->
       Api_errors.auth_suffix_invalid_certs
+  | E_NO_CERTS ->
+      Api_errors.auth_suffix_no_certs
 
 (* required fields in subject.other_config *)
 let subject_information_field_subject_name = "subject-name"
diff --git a/ocaml/xapi/extauth.ml b/ocaml/xapi/extauth.ml
@@ -205,6 +205,8 @@ let call_with_exception_handler fn =
       raise (Api_errors.Server_error (Api_errors.subject_cannot_be_resolved, []))
   | Auth_signature.Auth_service_error (E_INVALID_CERTS, msg) ->
       raise (Api_errors.Server_error (Api_errors.auth_invalid_certs, [msg]))
+  | Auth_signature.Auth_service_error (E_NO_CERTS, msg) ->
+      raise (Api_errors.Server_error (Api_errors.auth_no_certs, [msg]))
   | Auth_signature.Auth_service_error (_, msg) ->
       raise (Api_errors.Server_error (Api_errors.auth_service_error, [msg]))
   | e ->
diff --git a/ocaml/xapi/extauth_plugin_ADwinbind.ml b/ocaml/xapi/extauth_plugin_ADwinbind.ml
@@ -77,11 +77,13 @@ let auth_ex uname =
   let msg = Printf.sprintf "failed to authenticate user '%s'" uname in
   Auth_signature.(Auth_failure msg)
 
-let generic_ex fmt =
+let gen_ex tag fmt =
   Printf.ksprintf
-    (fun msg -> Auth_signature.(Auth_service_error (E_GENERIC, msg)))
+    (fun msg -> Auth_signature.(Auth_service_error (tag, msg)))
     fmt
 
+let generic_ex fmt = gen_ex E_GENERIC fmt
+
 let net_cmd = !Xapi_globs.net_cmd
 
 let wb_cmd = !Xapi_globs.wb_cmd
@@ -90,6 +92,31 @@ let tdb_tool = !Xapi_globs.tdb_tool
 
 let domain_krb5_dir = Filename.concat Xapi_globs.samba_dir "lock/smb_krb5"
 
+(* Legacy certificates folder *)
+let certs_dir = "/etc/stunnel/certs"
+
+let ldaps_ca_bundle = "/etc/trusted-certs/ca-bundle-ldaps.pem"
+
+let general_ca_bundle = "/etc/trusted-certs/ca-bundle-general.pem"
+
+(** Return the best available CA bundle/cert path, in priority order:
+    ldaps-specific bundle > general bundle > legacy certs dir.
+    Returns [None] if none exist. *)
+
+let ca_bundle_path () =
+  [ldaps_ca_bundle; general_ca_bundle; certs_dir]
+  |> List.find_opt Sys.file_exists
+
+let assert_ca_exists = function
+  | true ->
+      ca_bundle_path ()
+      |> Option.to_result
+           ~none:(gen_ex E_NO_CERTS "No certs to setup TLS connection to DC")
+      |> maybe_raise
+      |> ignore
+  | false ->
+      ()
+
 let debug_level () =
   clamp
     !Xapi_globs.winbind_debug_level
@@ -880,16 +907,10 @@ let query_domain_workgroup ~domain =
 let config_winbind_daemon domain_info =
   let smb_config = "/etc/samba/smb.conf" in
   let extra_conf = "/etc/samba/smb.extra.conf" in
-  (* Will change to following config after trusted certs feature
-  tls cafile = /etc/trusted-certs/ca-bundle-[ldaps|general].pem
-  *)
-  let certs_dir = "/etc/stunnel/certs" in
   let string_of_bool = function true -> "yes" | false -> "no" in
-
   let scan_trusted_domains =
     string_of_bool !Xapi_globs.winbind_scan_trusted_domains
   in
-
   ( match domain_info with
     | Some
         {
@@ -902,6 +923,17 @@ let config_winbind_daemon domain_info =
         let ldaps_conf =
           match ldaps with Some true -> "ldaps" | _ -> "seal"
         in
+        let tls_ca =
+          match ca_bundle_path () with
+          | Some path when Sys.is_directory path ->
+              Printf.sprintf "tls ca directories = %s" path
+          | Some path ->
+              Printf.sprintf "tls cafile = %s" path
+          | None ->
+              (* Presuming assert_ca_exists is called before reach here,
+                 so ldaps is not enabled here, this item does not matter *)
+              Printf.sprintf "tls cafile = %s" ldaps_ca_bundle
+        in
         [
           Printf.sprintf "# This file is managed by xapi, update %s instead"
             extra_conf
@@ -916,10 +948,10 @@ let config_winbind_daemon domain_info =
         ; "winbind refresh tickets = yes"
         ; "winbind enum groups = no"
         ; "winbind enum users = no"
-        ; Printf.sprintf "client ldap sasl wrapping= %s" ldaps_conf
+        ; Printf.sprintf "client ldap sasl wrapping = %s" ldaps_conf
         ; "tls trust system cas = yes"
         ; "tls verify peer = ca_and_name_if_available"
-        ; Printf.sprintf "tls ca directories = %s" certs_dir
+        ; tls_ca
         ; Printf.sprintf "winbind scan trusted domains = %s"
             scan_trusted_domains
         ; "winbind use krb5 enterprise principals = yes"
@@ -1190,7 +1222,8 @@ let set_ldaps ~__context ~ldaps ~force =
   if old_domain_info.ldaps = Some ldaps && not force then
     raise (generic_ex "ldaps is already %s" (string_of_bool ldaps)) ;
 
-  (* check certificate exists *)
+  assert_ca_exists ldaps ;
+
   let new_domain_info = {old_domain_info with ldaps= Some ldaps} in
   (* Apply new configuration to winbind daemon for trial *)
   Winbind.configure ~__context ~domain_info:new_domain_info () ;
@@ -1662,7 +1695,8 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
       (* Query new domain workgroup during join domain *)
       query_domain_workgroup ~domain:service_name
     in
-    let ldaps = Some (Helpers.ldaps_enabled_in_config ~config:config_params) in
+    let ldaps = Helpers.ldaps_enabled_in_config ~config:config_params in
+    assert_ca_exists ldaps ;
 
     let ou, ou_param = extract_ou_config ~config_params in
     let domain_info =
@@ -1672,7 +1706,7 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
       ; workgroup= Some workgroup
       ; netbios_name= Some netbios_name
       ; machine_pwd_last_change_time= Some (Unix.time ())
-      ; ldaps
+      ; ldaps= Some ldaps
       ; ou
       }
     in
