[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Jun 29 01:15:42 MDT 2010
The branch, master has been updated
via cc7c572... s4:secrets Ensure secrets.ldb uses the same hooks as the rest of Samba
via 48c8896... s4:selftest Split out PKINIT tests from test_kinit.sh and test enc types
via d76e485... s4:kdc Rework the 'allowed enc types' calculation
via f41e711... s4:auth Query LDB for msds-SupportedEncryptionTypes for the KDC
via 5167b97... s4:kerberos Add functions to convert msDS-SupportedEncryptionTypes
via 9fc3f81... s4:libnet_join Fix typo in msDS-SupportedEncryptionTypes
via 94637e5... s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
from 30dc87d... build: only use git when found by configure
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit cc7c572b3d87d2bd16cd7ec939a2d8a81bf36ef9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 23 21:15:43 2010 +1000
s4:secrets Ensure secrets.ldb uses the same hooks as the rest of Samba
This ensures that, for example, the utf8 functions are the same,
the GUID handler is the same and the NOSYNC flag is applied.
Andrew Bartlett
commit 48c8896f2ede1c441a1448c2e45106a317b64832
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 24 09:42:40 2010 +1000
s4:selftest Split out PKINIT tests from test_kinit.sh and test enc types
This allows us to run the PKINIT tests only against the main DC (for
which the certificates were generated), while testing the available
encryption types in each functional level.
In particular, we need to assert that AES encryption is available in
the 2008 functional level.
Andrew Bartlett
commit d76e4852ebf6ebaaa0e59b481c4b17ac15310aec
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 24 09:40:16 2010 +1000
s4:kdc Rework the 'allowed enc types' calculation
This changes the calculation to apply the allowed enc types to all
uses of the key (no point allowing a weak kinit to a key the server
wanted strongly protected). It also ensures that all the non-DES keys
are available on the krbtgt in particular, even as it does not have a
msDS-SupportedEncryptionTypes attribute.
Andrew Bartlett
commit f41e71109744cbacfcbf6b8cf545e1f322d68494
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 24 10:03:29 2010 +1000
s4:auth Query LDB for msds-SupportedEncryptionTypes for the KDC
The KDC needs this to determine what encryption types an entry supports
Andrew Bartlett
commit 5167b97ff2d77ef28c59bb36988835ae421f027b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jun 28 23:19:16 2010 +1000
s4:kerberos Add functions to convert msDS-SupportedEncryptionTypes
This will allow us to interpret this attribute broadly in Samba.
Andrew Bartlett
commit 9fc3f8194d55c20e1d5404301a0663888c4a0ba5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jun 28 23:17:28 2010 +1000
s4:libnet_join Fix typo in msDS-SupportedEncryptionTypes
commit 94637e5fe4724261f1cd5f48d8641e82f4b776ae
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jun 28 23:14:23 2010 +1000
s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
This ensures that our DC will use all the available encryption types.
(The KDC reads this entry to determine what the server supports)
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source4/auth/kerberos/kerberos.h | 6 ++
source4/auth/kerberos/kerberos_util.c | 57 ++++++++++++++++++++
source4/auth/sam.c | 1 +
source4/dsdb/pydsdb.c | 17 ++++++-
source4/kdc/db-glue.c | 76 ++++++++++++--------------
source4/lib/ldb-samba/ldb_wrap.c | 16 ++++--
source4/libnet/libnet_join.c | 2 +-
source4/param/secrets.c | 43 +--------------
source4/scripting/python/samba/provision.py | 17 ++++++-
source4/selftest/tests.sh | 5 ++-
testprogs/blackbox/test_kinit.sh | 28 +++++-----
testprogs/blackbox/test_pkinit.sh | 65 +++++++++++++++++++++++
12 files changed, 228 insertions(+), 105 deletions(-)
create mode 100755 testprogs/blackbox/test_pkinit.sh
Changeset truncated at 500 lines:
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 96c11a4..b4422b5 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -53,6 +53,9 @@ struct keytab_container {
#define KRB5_KEY_DATA(k) ((k)->contents)
#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \
+ ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
+
#ifndef HAVE_KRB5_SET_REAL_TIME
krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
#endif
@@ -137,6 +140,9 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
time_t tgs_authtime,
DATA_BLOB *pac);
struct loadparm_context;
+uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum);
+/* Translate between the Microsoft msDS-SupportedEncryptionTypes values and the IETF encryption type values */
+krb5_enctype kerberos_enctype_bitmap_to_enctype(uint32_t enctype_bitmap);
#include "auth/kerberos/proto.h"
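Review bot: The comment added at L101 sits between the two prototypes and describes only the second one (bitmap to enctype), so `kerberos_enctype_to_bitmap` on L100 is left undocumented; move it above L100 and reword it to cover both directions, e.g. `/* Translate between the IETF krb5 enctype values and the bits of the Microsoft msDS-SupportedEncryptionTypes attribute; each function returns 0 for an input it does not know */`. The array helper `kerberos_enctype_bitmap_to_enctypes` that this same commit defines in kerberos_util.c is not declared here; if it is not picked up by the generated proto.h included on the next line, it needs a prototype alongside these two.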
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 2b35851..30e43f0 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -740,3 +740,60 @@ krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
return ret;
}
+/* Translate between the IETF encryption type values and the Microsoft msDS-SupportedEncryptionTypes values */
+uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum)
+{
+ switch (enc_type_enum) {
+ case ENCTYPE_DES_CBC_CRC:
+ return ENC_CRC32;
+ case ENCTYPE_DES_CBC_MD5:
+ return ENC_RSA_MD5;
+ case ENCTYPE_ARCFOUR_HMAC_MD5:
+ return ENC_RC4_HMAC_MD5;
+ case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+ return ENC_HMAC_SHA1_96_AES128;
+ case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+ return ENC_HMAC_SHA1_96_AES256;
+ default:
+ return 0;
+ }
+}
+
+/* Translate between the Microsoft msDS-SupportedEncryptionTypes values and the IETF encryption type values */
+krb5_enctype kerberos_enctype_bitmap_to_enctype(uint32_t enctype_bitmap)
+{
+ switch (enctype_bitmap) {
+ case ENC_CRC32:
+ return ENCTYPE_DES_CBC_CRC;
+ case ENC_RSA_MD5:
+ return ENCTYPE_DES_CBC_MD5;
+ case ENC_RC4_HMAC_MD5:
+ return ENCTYPE_ARCFOUR_HMAC_MD5;
+ case ENC_HMAC_SHA1_96_AES128:
+ return ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ case ENC_HMAC_SHA1_96_AES256:
+ return ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ default:
+ return 0;
+ }
+}
+
+/* Return an array of krb5_enctype values */
+krb5_error_code kerberos_enctype_bitmap_to_enctypes(TALLOC_CTX *mem_ctx, uint32_t enctype_bitmap, krb5_enctype **enctypes)
+{
+ unsigned int i, j = 0;
+ *enctypes = talloc_zero_array(mem_ctx, krb5_enctype, 8*sizeof(enctype_bitmap));
+ if (!*enctypes) {
+ return ENOMEM;
+ }
+ for (i=0; i<(8*sizeof(enctype_bitmap)); i++) {
+ if ((1 << i) & enctype_bitmap) {
+ (*enctypes)[j] = kerberos_enctype_bitmap_to_enctype(enctype_bitmap);
+ if (!(*enctypes)[j]) {
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ j++;
+ }
+ }
+ return 0;
+}
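Review bot: `kerberos_enctype_bitmap_to_enctypes` passes the whole `enctype_bitmap` to `kerberos_enctype_bitmap_to_enctype()` inside the loop on L159 instead of the single bit being examined, so any bitmap with more than one bit set hits the `default:` case, gets 0 back and the function fails with KRB5_PROG_ETYPE_NOSUPP; with exactly one bit set it works only by coincidence. The call should be `(*enctypes)[j] = kerberos_enctype_bitmap_to_enctype(1U << i);`, and the mask on L158 should likewise be `(1U << i)` since `1 << 31` on a 32-bit int is undefined behaviour. The array allocated on mem_ctx is not released on the error return and no element count is returned, so the header comment should state that the caller owns the (zero-initialised) array and that the result is terminated by a 0 entry.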
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index d0487ce..cf2e219 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -36,6 +36,7 @@
"userPrincipalName", \
"servicePrincipalName", \
"msDS-KeyVersionNumber", \
+ "msDS-SupportedEncryptionTypes", \
"supplementalCredentials", \
\
/* passwords */ \
diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 4060b32..6966762 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -24,7 +24,8 @@
#include "lib/ldb/pyldb.h"
#include "libcli/security/security.h"
#include "librpc/ndr/libndr.h"
-
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
/* FIXME: These should be in a header file somewhere, once we finish moving
* away from SWIG .. */
#define PyErr_LDB_OR_RAISE(py_ldb, ldb) \
@@ -578,4 +579,18 @@ void initdsdb(void)
PyInt_FromLong(DS_DOMAIN_FUNCTION_2008));
PyModule_AddObject(m, "DS_DOMAIN_FUNCTION_2008_R2",
PyInt_FromLong(DS_DOMAIN_FUNCTION_2008_R2));
+
+ /* Kerberos encryption type constants */
+ PyModule_AddObject(m, "ENC_ALL_TYPES",
+ PyInt_FromLong(ENC_ALL_TYPES));
+ PyModule_AddObject(m, "ENC_CRC32",
+ PyInt_FromLong(ENC_CRC32));
+ PyModule_AddObject(m, "ENC_RSA_MD5",
+ PyInt_FromLong(ENC_RSA_MD5));
+ PyModule_AddObject(m, "ENC_RC4_HMAC_MD5",
+ PyInt_FromLong(ENC_RC4_HMAC_MD5));
+ PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES128",
+ PyInt_FromLong(ENC_HMAC_SHA1_96_AES128));
+ PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES256",
+ PyInt_FromLong(ENC_HMAC_SHA1_96_AES256));
}
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8eb3f79..e913647 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -40,6 +40,7 @@
#include "param/param.h"
#include "../lib/crypto/md4.h"
#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
#include <hdb.h>
#include "kdc/samba_kdc.h"
#include "kdc/db-glue.h"
@@ -191,42 +192,10 @@ static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
talloc_free(entry_ex->ctx);
}
-/* Determine, by translation between the encryption types allowed in
- * the msDS-SupportedEncTypes and their Kerberos defined values, if a
- * given encryption type is permitted for this target principal at
- * this time. */
-static bool allowed_enc_type(enum samba_kdc_ent_type ent_type,
- uint32_t supported_enc_types_bitmap, uint32_t enc_type_enum)
-{
- switch (ent_type) {
- case SAMBA_KDC_ENT_TYPE_KRBTGT:
- case SAMBA_KDC_ENT_TYPE_TRUST:
- /* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */
- supported_enc_types_bitmap &= (~ENC_CRC32|ENC_RSA_MD5);
- case SAMBA_KDC_ENT_TYPE_SERVER:
- switch (enc_type_enum) {
- case ENCTYPE_DES_CBC_CRC:
- return supported_enc_types_bitmap & ENC_CRC32;
- case ENCTYPE_DES_CBC_MD5:
- return supported_enc_types_bitmap & ENC_RSA_MD5;
- case ENCTYPE_ARCFOUR_HMAC_MD5:
- return supported_enc_types_bitmap & ENC_RC4_HMAC_MD5;
- case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
- return supported_enc_types_bitmap & ENC_HMAC_SHA1_96_AES128;
- case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
- return supported_enc_types_bitmap & ENC_HMAC_SHA1_96_AES256;
- default:
- return false;
- }
- default:
- return true;
- /* Return all enc types to everyone else */
- }
-}
-
static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
+ uint32_t rid,
unsigned int userAccountControl,
enum samba_kdc_ent_type ent_type,
hdb_entry_ex *entry_ex)
@@ -244,14 +213,38 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
uint16_t i;
uint16_t allocated_keys = 0;
- /* Supported Enc Types for TGS-REQ to this target */
- uint32_t supported_enc_types = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncTypes",
- ENC_CRC32|ENC_RSA_MD5|ENC_RC4_HMAC_MD5);
+ /* Supported Enc for this entry */
+ uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
+
+ /* However, if this is a TGS-REQ, then lock it down to a
+ * reasonable guess as to what the server can decode. The
+ * krbtgt is special - default to use what is stored for the KDC */
+ if (rid != DOMAIN_RID_KRBTGT && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+ /* This is the standard set for a server that has not declared a msDS-SupportedEncryptionTypes */
+ supported_enctypes = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+ }
+ supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
+ supported_enctypes);
+ if (rid == DOMAIN_RID_KRBTGT) {
+ /* Be double-sure never to use DES here */
+ supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ }
+
+ switch (ent_type) {
+ case SAMBA_KDC_ENT_TYPE_KRBTGT:
+ case SAMBA_KDC_ENT_TYPE_TRUST:
+ /* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */
+ supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ break;
+ default:
+ break;
+ /* No further restrictions */
+ }
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
/* However, don't allow use of DES, if we were told not to by msDS-SupportedEncTypes */
- supported_enc_types &= ENC_CRC32|ENC_RSA_MD5;
+ supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
}
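Review bot: An entry whose msDS-SupportedEncryptionTypes is present but stored as 0 leaves `supported_enctypes` at 0 after the lookup on L284-285, because the default is only used when the attribute is absent; every key is then filtered out further down and the principal ends up with no keys at all. If a stored 0 should fall back to the same defaults as a missing attribute, keep the computed default in a local and add after the lookup `if (supported_enctypes == 0) { supported_enctypes = default_enctypes; }`. The DES bits are also cleared twice for the krbtgt (L286-289 by rid, then L292-295 by ent_type), one of the two is enough, and the `/* No further restrictions */` comment on L299 sits after the `break` where it reads as dead code. samba_kdc_message2entry_keys starts before this hunk and continues after it.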
entry_ex->entry.keys.val = NULL;
@@ -367,7 +360,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
goto out;
}
- if (hash && supported_enc_types & ENC_RC4_HMAC_MD5) {
+ if (hash && (supported_enctypes & ENC_RC4_HMAC_MD5)) {
Key key;
key.mkvno = 0;
@@ -391,7 +384,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
if (!pkb4->keys[i].value) continue;
- if (!allowed_enc_type(ent_type, supported_enc_types, pkb4->keys[i].keytype)) {
+ if (!(kerberos_enctype_to_bitmap(pkb4->keys[i].keytype) & supported_enctypes)) {
continue;
}
@@ -450,7 +443,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
if (!pkb3->keys[i].value) continue;
- if (!allowed_enc_type(ent_type, supported_enc_types, pkb3->keys[i].keytype)) {
+ if (!(kerberos_enctype_to_bitmap(pkb3->keys[i].keytype) & supported_enctypes)) {
continue;
}
@@ -724,7 +717,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
entry_ex->entry.generation = NULL;
/* Get keys from the db */
- ret = samba_kdc_message2entry_keys(context, p, msg, userAccountControl,
+ ret = samba_kdc_message2entry_keys(context, p, msg,
+ rid, userAccountControl,
ent_type, entry_ex);
if (ret) {
/* Could be bougus data in the entry, or out of memory */
diff --git a/source4/lib/ldb-samba/ldb_wrap.c b/source4/lib/ldb-samba/ldb_wrap.c
index d750382..80256c9 100644
--- a/source4/lib/ldb-samba/ldb_wrap.c
+++ b/source4/lib/ldb-samba/ldb_wrap.c
@@ -168,14 +168,18 @@ static int ldb_wrap_destructor(struct ldb_wrap *w)
"%s/ldb",
lp_modulesdir(lp_ctx)));
- if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
- talloc_free(ldb);
- return NULL;
+ if (session_info) {
+ if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
+ talloc_free(ldb);
+ return NULL;
+ }
}
- if (ldb_set_opaque(ldb, "credentials", credentials)) {
- talloc_free(ldb);
- return NULL;
+ if (credentials) {
+ if (ldb_set_opaque(ldb, "credentials", credentials)) {
+ talloc_free(ldb);
+ return NULL;
+ }
}
if (ldb_set_opaque(ldb, "loadparm", lp_ctx)) {
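Review bot: With session_info or credentials NULL the corresponding opaque is now simply not set, so any ldb module loaded for such a database that calls `ldb_get_opaque(ldb, "sessionInfo")` or `ldb_get_opaque(ldb, "credentials")` gets NULL back and has to cope with it, and nothing in the hunk states that contract. A comment on the new `if (session_info)` would make it explicit: `/* Local-only databases (secrets.ldb in this commit) are opened with no session_info/credentials; modules must treat a missing opaque as "no session" */`. Which modules are actually loaded for such a database is not visible here, so that is a claim to confirm. The enclosing function starts before this hunk and continues after it.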
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index ea11039..a8edabf 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -349,7 +349,7 @@ static NTSTATUS libnet_JoinADSDomain(struct libnet_context *ctx, struct libnet_J
if (rtn != LDB_SUCCESS && rtn != LDB_ERR_NO_SUCH_ATTRIBUTE) {
r->out.error_string
= talloc_asprintf(r,
- "Failed to replace msDS-SupportedEncryptionType on %s",
+ "Failed to replace msDS-SupportedEncryptionTypes on %s",
ldb_dn_get_linearized(msg->dn));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
diff --git a/source4/param/secrets.c b/source4/param/secrets.c
index 47a3f6b..8c135dc 100644
--- a/source4/param/secrets.c
+++ b/source4/param/secrets.c
@@ -26,6 +26,7 @@
#include "param/param.h"
#include "system/filesys.h"
#include "tdb_wrap.h"
+#include "lib/ldb-samba/ldb_wrap.h"
#include "lib/ldb/include/ldb.h"
#include "../tdb/include/tdb.h"
#include "../lib/util/util_tdb.h"
@@ -92,46 +93,8 @@ struct ldb_context *secrets_db_connect(TALLOC_CTX *mem_ctx,
struct tevent_context *ev_ctx,
struct loadparm_context *lp_ctx)
{
- char *path;
- const char *url;
- struct ldb_context *ldb;
-
- url = lp_secrets_url(lp_ctx);
- if (!url || !url[0]) {
- return NULL;
- }
-
- path = private_path(mem_ctx, lp_ctx, url);
- if (!path) {
- return NULL;
- }
-
- /* Secrets.ldb *must* always be local. If we call for a
- * system_session() we will recurse */
- ldb = ldb_init(mem_ctx, ev_ctx);
- if (!ldb) {
- talloc_free(path);
- return NULL;
- }
-
- ldb_set_modules_dir(ldb,
- talloc_asprintf(ldb, "%s/ldb", lp_modulesdir(lp_ctx)));
-
- if (ldb_connect(ldb, path, 0, NULL) != 0) {
- talloc_free(path);
- return NULL;
- }
-
- /* the update_keytab module relies on this being setup */
- if (ldb_set_opaque(ldb, "loadparm", lp_ctx) != LDB_SUCCESS) {
- talloc_free(path);
- talloc_free(ldb);
- return NULL;
- }
-
- talloc_free(path);
-
- return ldb;
+ return ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, lp_secrets_url(lp_ctx),
+ NULL, NULL, 0);
}
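Review bot: The guard `if (!url || !url[0]) return NULL;` against an unset `secrets url` is dropped together with the hand-rolled open, so lp_secrets_url() is now passed straight to ldb_wrap_connect(); unless that function rejects a NULL or empty url itself (not visible here), restore the check before the call. The removed comment explaining why no session_info or credentials are passed was the only statement of that invariant and should survive on the `NULL, NULL` arguments, e.g. `/* secrets.ldb must always be local: no session_info/credentials, since system_session() would recurse back into secrets.ldb */`. If ldb_wrap_connect caches and shares connections across callers, code that relied on getting a private ldb context for secrets.ldb should also be checked.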
/**
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 14615d0..131d4ff 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -43,7 +43,7 @@ from samba.auth import system_session, admin_session
import samba
from samba import version, Ldb, substitute_var, valid_netbios_name
from samba import check_all_substituted, read_and_sub_file, setup_file
-from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2
+from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2, ENC_ALL_TYPES
from samba.dcerpc import security
from samba.dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
from samba.idmap import IDmapDB
@@ -1495,6 +1495,21 @@ def provision(setup_dir, logger, session_info,
machinepass=machinepass,
secure_channel_type=SEC_CHAN_BDC)
+ # Now set up the right msDS-SupportedEncryptionTypes into the DB
+ # In future, this might be determined from some configuration
+ kerberos_enctypes = str(ENC_ALL_TYPES)
+
+ try:
+ msg = ldb.Message(ldb.Dn(samdb, samdb.searchone("distinguishedName", expression="samAccountName=%s$" % names.netbiosname, scope=ldb.SCOPE_SUBTREE)))
+ msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(elements=kerberos_enctypes,
+ flags=ldb.FLAG_MOD_REPLACE,
+ name="msDS-SupportedEncryptionTypes")
+ samdb.modify(msg)
+ except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):
+ # It might be that this attribute does not exist in this schema
+ pass
+
+
if serverrole == "domain controller":
secretsdb_setup_dns(secrets_ldb, setup_path,
paths.private_dir,
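Review bot: The `except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):` on L461 does not match on the error code: in Python 2 the tuple after the comma is an assignment target, so the caught exception's number is assigned to `ldb.ERR_NO_SUCH_ATTRIBUTE`, clobbering the module constant, and every LdbError raised by the modify (including a genuine failure to set the attribute) is silently swallowed. Unpack into a local and re-raise anything else: `except ldb.LdbError, (num, _):` / `if num != ldb.ERR_NO_SUCH_ATTRIBUTE:` / `raise`. Separately, ENC_ALL_TYPES advertises the single-DES types for the DC account; that is what the commit message asks for, but a comment saying DES is included deliberately would help, given that the KDC change in this same commit goes out of its way to strip DES from the krbtgt.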
diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh
index a5a4f78..706c01a 100755
--- a/source4/selftest/tests.sh
+++ b/source4/selftest/tests.sh
@@ -364,7 +364,10 @@ planperltestsuite "selftest.samba4.pl" none $samba4srcdir/../selftest/test_samba
plantestsuite "blackbox.ndrdump" none $samba4srcdir/librpc/tests/test_ndrdump.sh
plantestsuite "blackbox.net" dc $samba4srcdir/utils/tests/test_net.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$DOMAIN"
-plantestsuite "blackbox.kinit" dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" $CONFIGURATION
+plantestsuite "blackbox.pkinit" dc $bbdir/test_pkinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" aes256-cts-hmac-sha1-96 $CONFIGURATION
+plantestsuite "blackbox.kinit" dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" aes256-cts-hmac-sha1-96 $CONFIGURATION
+plantestsuite "blackbox.kinit" fl2000dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" arcfour-hmac-md5 $CONFIGURATION
+plantestsuite "blackbox.kinit" fl2008r2dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" aes256-cts-hmac-sha1-96 $CONFIGURATION
plantestsuite "blackbox.passwords" dc:local $bbdir/test_passwords.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX"
plantestsuite "blackbox.export.keytab" dc:local $bbdir/test_export_keytab.sh "\$SERVER" "\$USERNAME" "\$REALM" "\$DOMAIN" "$PREFIX"
plantestsuite "blackbox.cifsdd" dc $samba4srcdir/client/tests/test_cifsdd.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$DOMAIN"
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 504d4f4..0373452 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -16,7 +16,8 @@ PASSWORD=$3
REALM=$4
DOMAIN=$5
PREFIX=$6
-shift 6
+ENCTYPE=$7
+shift 7
failed=0
samba4bindir="$BUILDDIR/bin"
@@ -48,18 +49,17 @@ test_smbclient() {
return $status
}
+enctype="-e $ENCTYPE"
+
KRB5CCNAME="$PREFIX/tmpccache"
export KRB5CCNAME
echo $PASSWORD > ./tmppassfile
-#testit "kinit with keytab" $samba4kinit --keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM || failed=`expr $failed + 1`
-testit "kinit with password" $samba4kinit --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "kinit with password (enterprise style)" $samba4kinit --enterprise --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "kinit with password (windows style)" $samba4kinit --windows --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "kinit with pkinit (name specified)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "kinit with pkinit (enterprise name specified)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "kinit with pkinit (enterprise name in cert)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincertupn.pem,$PREFIX/dc/private/tls/adminkey.pem --pk-enterprise || failed=`expr $failed + 1`
-testit "kinit renew ticket" $samba4kinit --request-pac -R
+#testit "kinit with keytab" $samba4kinit $enctype --keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM || failed=`expr $failed + 1`
+testit "kinit with password" $samba4kinit $enctype --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
+testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
+testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
+testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R
test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
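Review bot: The rewritten `testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R` on L517 is the only kinit call in this block without the `|| failed=\`expr $failed + 1\`` suffix, so a failed renewal does not fail the test; append the same suffix as the neighbouring lines. `enctype="-e $ENCTYPE"` on L500 also yields a bare `-e` when the new seventh argument is omitted, in which case the following option would be handed to kinit as the enctype; `enctype=${ENCTYPE:+-e $ENCTYPE}` keeps the script usable without one.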
@@ -89,7 +89,7 @@ testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -H
KRB5CCNAME="$PREFIX/tmpuserccache"
export KRB5CCNAME
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
@@ -97,7 +97,7 @@ NEWUSERPASS=testPaSS at 34%
testit "change user password with 'net password change' (rpc)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS $CONFIGURATION -k no $NEWUSERPASS $@ || failed=`expr $failed + 1`
echo $NEWUSERPASS > ./tmpuserpassfile
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
@@ -118,7 +118,7 @@ EOF
testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
NEWUSERPASS=testPaSS at 78%
echo $NEWUSERPASS > ./tmpuserpassfile
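Review bot: The rewritten kinit on L534 still has no `|| failed=\`expr $failed + 1\`` suffix, unlike the same command on L523 and L529, so failing to obtain a ticket with the kpasswd-changed password is not counted. This is the check that confirms the kpasswd change actually took effect, so it is the one assertion in this hunk most worth counting; append the suffix.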
@@ -135,7 +135,7 @@ EOF
testit "set user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache nettestuser@$REALM || failed=`expr $failed + 1`
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`