CP-309791: Update samba to 4.21

liulinC · snwoods · commit cda022dc67de · 2025-11-11T11:25:03.000Z
Microsoft Windows is doing security hardening https://bugzilla.samba.org/show_bug.cgi?id=15876 Our samba needs to update accordingly. There are some interface and configuration updates, thus xapi needs to be updated as well. This update is intended te be compatible with old and new samba, to decouple the merge of samba update. The old interface support will be dropped after samba merge. Signed-off-by: Lin Liu <Lin.Liu01@cloud.com>
diff --git a/ocaml/xapi/extauth_plugin_ADwinbind.ml b/ocaml/xapi/extauth_plugin_ADwinbind.ml
@@ -91,6 +91,14 @@ let generic_error msg =
 
 let fail fmt = Printf.ksprintf generic_error fmt
 
+let is_samba_updated =
+  (* This is temporary workaround to be compatible for old and new samba, to decouple the merge of xapi and samba *)
+  let check_file = "/usr/lib64/samba/libxattr-tdb-private-samba.so" in
+  Sys.file_exists check_file
+
+let kerberos_opt =
+  match is_samba_updated with true -> [] | false -> ["--kerberos"]
+
 (** Kerberos Domain Controller. The current implementation does not
     work with non-standard ports *)
 module KDC : sig
@@ -413,8 +421,8 @@ module Ldap = struct
           ; "--server"
           ; KDC.server kdc
           ; "--machine-pass"
-          ; "--kerberos"
           ]
+          @ kerberos_opt
           @ attrs
         in
         let stdout =
@@ -440,10 +448,9 @@ module Ldap = struct
       ; "--server"
       ; KDC.server kdc
       ; "--machine-pass"
-      ; "--kerberos"
-      ; query
-      ; key
       ]
+      @ kerberos_opt
+      @ [query; key]
     in
     try
       Helpers.call_script ~env !Xapi_globs.net_cmd args
@@ -794,7 +801,7 @@ end
 let kdcs_of_domain domain =
   try
     Helpers.call_script ~log_output:On_failure net_cmd
-      ["lookup"; "kdc"; domain; "-d"; debug_level (); "--kerberos"]
+      (["lookup"; "kdc"; domain; "-d"; debug_level ()] @ kerberos_opt)
     (* Result like 10.71.212.25:88\n10.62.1.25:88\n*)
     |> String.split_on_char '\n'
     |> List.filter (fun x -> String.trim x <> "") (* Remove empty lines *)
@@ -808,9 +815,9 @@ let workgroup_from_server kdc =
   let key = "Pre-Win2k Domain" in
   try
     Helpers.call_script ~log_output:On_failure net_cmd
-      [
-        "ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level (); "--kerberos"
-      ]
+      (["ads"; "lookup"; "-S"; KDC.server kdc; "-d"; debug_level ()]
+      @ kerberos_opt
+      )
     |> Xapi_cmd_result.of_output ~sep:':' ~key
     |> Result.ok
   with _ ->
@@ -843,36 +850,47 @@ let config_winbind_daemon ~workgroup ~netbios_name ~domain =
      * upgrade to samba packages with this capacity *)
     if !Xapi_globs.winbind_allow_kerberos_auth_fallback then "yes" else "no"
   in
+  let version_conf =
+    match is_samba_updated with
+    | false ->
+        [Printf.sprintf "allow kerberos auth fallback = %s" allow_fallback]
+    | true ->
+        [
+          "client use kerberos = required"
+        ; "sync machine password to keytab = \
+           /etc/krb5.keytab:account_name:sync_etypes:sync_kvno:machine_password"
+        ]
+  in
   ( match (workgroup, netbios_name, domain) with
   | Some wkgroup, Some netbios, Some dom ->
-      [
-        "# autogenerated by xapi"
-      ; "[global]"
-      ; "kerberos method = secrets and keytab"
-      ; Printf.sprintf "realm = %s" dom
-      ; "security = ADS"
-      ; "template shell = /bin/bash"
-      ; "winbind refresh tickets = yes"
-      ; "winbind enum groups = no"
-      ; "winbind enum users = no"
-      ; "winbind scan trusted domains = yes"
-      ; "winbind use krb5 enterprise principals = yes"
-      ; Printf.sprintf "winbind cache time = %d" !Xapi_globs.winbind_cache_time
-      ; Printf.sprintf "machine password timeout = 0"
-      ; Printf.sprintf "kerberos encryption types = %s"
-          (Kerberos_encryption_types.Winbind.to_string
-             !Xapi_globs.winbind_kerberos_encryption_type
-          )
-      ; Printf.sprintf "workgroup = %s" wkgroup
-      ; Printf.sprintf "netbios name = %s" netbios
-      ; "idmap config * : range = 3000000-3999999"
-      ; Printf.sprintf "idmap config %s: backend = rid" dom
-      ; Printf.sprintf "idmap config %s: range = 2000000-2999999" dom
-      ; Printf.sprintf "log level = %s" (debug_level ())
-      ; Printf.sprintf "allow kerberos auth fallback = %s" allow_fallback
-      ; "idmap config * : backend = tdb"
-      ; "" (* Empty line at the end *)
-      ]
+      ["# autogenerated by xapi"; "[global]"]
+      @ version_conf
+      @ [
+          "kerberos method = secrets and keytab"
+        ; Printf.sprintf "realm = %s" dom
+        ; "security = ADS"
+        ; "template shell = /bin/bash"
+        ; "winbind refresh tickets = yes"
+        ; "winbind enum groups = no"
+        ; "winbind enum users = no"
+        ; "winbind scan trusted domains = yes"
+        ; "winbind use krb5 enterprise principals = yes"
+        ; Printf.sprintf "winbind cache time = %d"
+            !Xapi_globs.winbind_cache_time
+        ; Printf.sprintf "machine password timeout = 0"
+        ; Printf.sprintf "kerberos encryption types = %s"
+            (Kerberos_encryption_types.Winbind.to_string
+               !Xapi_globs.winbind_kerberos_encryption_type
+            )
+        ; Printf.sprintf "workgroup = %s" wkgroup
+        ; Printf.sprintf "netbios name = %s" netbios
+        ; "idmap config * : range = 3000000-3999999"
+        ; Printf.sprintf "idmap config %s: backend = rid" dom
+        ; Printf.sprintf "idmap config %s: range = 2000000-2999999" dom
+        ; Printf.sprintf "log level = %s" (debug_level ())
+        ; "idmap config * : backend = tdb"
+        ; "" (* Empty line at the end *)
+        ]
   | _ ->
       ["# autogenerated by xapi"; "[global]"; "" (* Empty line at the end *)]
   )
@@ -951,7 +969,7 @@ let clear_machine_account ~service_name = function
       (* Disable machine account in DC *)
       let env = [|Printf.sprintf "PASSWD=%s" p|] in
       let args =
-        ["ads"; "leave"; "-U"; u; "-d"; debug_level (); "--kerberos"]
+        ["ads"; "leave"; "-U"; u; "-d"; debug_level ()] @ kerberos_opt
       in
       try
         Helpers.call_script ~env net_cmd args |> ignore ;
@@ -1228,15 +1246,8 @@ module RotateMachinePassword = struct
 
   let kdc_fqdn_of_ip kdc =
     let args =
-      [
-        "ads"
-      ; "lookup"
-      ; "--server"
-      ; KDC.server kdc
-      ; "--kerberos"
-      ; "-d"
-      ; debug_level ()
-      ]
+      ["ads"; "lookup"; "--server"; KDC.server kdc; "-d"; debug_level ()]
+      @ kerberos_opt
     in
     Helpers.call_script !Xapi_globs.net_cmd args ~log_output:On_failure
     |> Xapi_cmd_result.of_output ~sep:':' ~key:"Domain Controller"
@@ -1303,12 +1314,12 @@ module RotateMachinePassword = struct
               [
                 "ads"
               ; "changetrustpw"
-              ; "--kerberos"
               ; "--server"
               ; kdc_fqdn
               ; "-d"
               ; debug_level ()
               ]
+              @ kerberos_opt
             in
             finally
               (fun () ->
@@ -1786,8 +1797,8 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
         ; "-d"
         ; debug_level ()
         ; "--no-dns-updates"
-        ; "--kerberos"
         ]
+        @ kerberos_opt
       ; ou_param
       ; dns_hostname_option
       ]
