[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Apr 4 05:32:01 MDT 2011


The branch, master has been updated
       via  a3ef974 s3-rpc_server Remove comment, yes the key is correct.
       via  77e6716 s3-auth consolidate create_local_token() into make_server_info_krb5()
       via  841d0bc s3-selftest Remove more instances of /tmp in test_smbclient_s3.sh
       via  6351dee s3-selftest Add testing of kerberos login
       via  55134c9 s4-credentials Add a command line hook to set the kerberos credentials cache
       via  ffb6003 s3-selftest Disable log rotation in 'make test'
      from  513574a talloc - some documentation changes

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a3ef974d30fd1adcf1a25940c2a2fa7e03fad6a0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Feb 10 21:40:07 2011 +1100

    s3-rpc_server Remove comment, yes the key is correct.
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Mon Apr  4 13:31:52 CEST 2011 on sn-devel-104

commit 77e67163daaa670ee43ddbc4fd3fd3e8c3c38d49
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Feb 10 21:04:01 2011 +1100

    s3-auth consolidate create_local_token() into make_server_info_krb5()
    
    This ensures that all callers don't need to each add builtin groups
    and privileges to the user's token
    
    Andrew Bartlett

commit 841d0bc9e81dbe56352ac8b12e63e8257963936e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 4 19:18:47 2011 +1000

    s3-selftest Remove more instances of /tmp in test_smbclient_s3.sh

commit 6351dee4d810bfa20c3a892d0eba3b2ac828e193
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 4 19:13:17 2011 +1000

    s3-selftest Add testing of kerberos login
    
    This uses a pre-calculated credentials cache, that should be valid
    until 2036.
    
    Andrew Bartlett

commit 55134c9a9e4a47c6a8ed89ef10c95c0fa0d4daaf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 4 19:11:39 2011 +1000

    s4-credentials Add a command line hook to set the kerberos credentials cache
    
    This allows the credentials cache to be specified independently of the
    KRB5CCNAME environment variable (in this case, setting it up that way in
    the s3 'make test' is harder than it should be).
    
    Andrew Bartlett

commit ffb600330289e59071ffbbb071a7d20afb7ab09f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 4 09:22:03 2011 +1000

    s3-selftest Disable log rotation in 'make test'

-----------------------------------------------------------------------

Summary of changes:
 selftest/target/Samba3.pm                 |   66 +++++++++++++++++++++++++++++
 source3/auth/proto.h                      |    4 +-
 source3/auth/user_krb5.c                  |   12 +++++-
 source3/rpc_server/dcesrv_gssapi.c        |    2 +-
 source3/rpc_server/srv_pipe.c             |   12 -----
 source3/script/tests/test_smbclient_s3.sh |    8 ++--
 source3/selftest/ktest-krb5_ccache        |  Bin 0 -> 11966 bytes
 source3/selftest/ktest-secrets.tdb        |  Bin 0 -> 45056 bytes
 source3/selftest/tests.py                 |   19 +++++++--
 source3/smbd/sesssetup.c                  |   20 +--------
 source3/smbd/smb2_sesssetup.c             |   22 ++--------
 source4/lib/cmdline/popt_credentials.c    |   14 ++++++-
 12 files changed, 117 insertions(+), 62 deletions(-)
 create mode 100644 source3/selftest/ktest-krb5_ccache
 create mode 100644 source3/selftest/ktest-secrets.tdb


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 38148eb..de3fffb 100644
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -102,6 +102,8 @@ sub setup_env($$$)
 		return $self->setup_dc("$path/dc");
 	} elsif ($envname eq "secshare") {
 		return $self->setup_secshare("$path/secshare");
+	} elsif ($envname eq "ktest") {
+		return $self->setup_ktest("$path/ktest");
 	} elsif ($envname eq "secserver") {
 		if (not defined($self->{vars}->{dc})) {
 			$self->setup_dc("$path/dc");
@@ -255,6 +257,69 @@ sub setup_secserver($$$)
 	return $ret;
 }
 
+sub setup_ktest($$$)
+{
+	my ($self, $prefix, $dcvars) = @_;
+
+	print "PROVISIONING server with security=ads...";
+
+	my $ktest_options = "
+        workgroup = KTEST
+        realm = ktest.samba.example.com
+	security = ads
+        username map = $prefix/lib/username.map
+";
+
+	my $ret = $self->provision($prefix,
+				   "LOCALKTEST6",
+				   5,
+				   "localktest6pass",
+				   $ktest_options);
+
+	$ret or die("Unable to provision");
+
+	open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+	print USERMAP "
+$ret->{USERNAME} = KTEST\\Administrator
+";
+	close(USERMAP);
+
+#This is the secrets.tdb created by 'net ads join' from Samba3 to a
+#Samba4 DC with the same parameters as are being used here.  The
+#domain SID is S-1-5-21-1071277805-689288055-3486227160
+
+	system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
+	chmod 0600, "$prefix/private/secrets.tdb";
+
+#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
+# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
+#
+#and having in krb5.conf:
+# ticket_lifetime = 799718400
+# renew_lifetime = 799718400
+#
+# The commands run were:
+# kinit administrator at KTEST.SAMBA.EXAMPLE.COM
+# kvno host/localktest6 at KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/localktest6 at KTEST.SAMBA.EXAMPLE.COM
+# kvno host/LOCALKTEST6 at KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/LOCALKTEST6 at KTEST.SAMBA.EXAMPLE.COM
+#
+# This creates a credential cache with a very long lifetime (2036 at at 2011-04)
+
+	$ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";
+
+	system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache $prefix/krb5_ccache");
+	chmod 0600, "$prefix/krb5_ccache";
+
+	$self->check_or_start($ret,
+			      ($ENV{SMBD_MAXTIME} or 2700),
+			       "yes", "no", "yes");
+
+	$self->wait_for_start($ret);
+	return $ret;
+}
+
 sub stop_sig_term($$) {
 	my ($self, $pid) = @_;
 	kill("USR1", $pid) or kill("ALRM", $pid) or warn("Unable to kill $pid: $!");
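Review bot: `open(USERMAP, ">$prefix/lib/username.map")` in setup_ktest uses a bareword handle and two-argument open, and the two `system("cp ...")` calls pass `$self->{srcdir}` and `$prefix` through a shell with neither the copy nor the following `chmod` checked, so a failed or partial copy of the machine-account secrets or of the credentials cache only surfaces later as an obscure test failure. Both copied files are secrets, and `cp` creates them with the caller's umask before `chmod 0600` runs; the rewrite below opens the map file with a lexical handle and three-argument open, checks `close`, copies with File::Copy (core, needs a `use File::Copy;` at the top of the module) under a 077 umask, and dies on any failure. The `$dcvars` parameter is unpacked but never used, and a credentials cache that is valid until 2036 deserves a comment next to `KRB5_CCACHE` saying the environment stops working after that date. The provisioning call and the check_or_start/wait_for_start tail of the hunk are unchanged.
```perl
	my $usermap_path = "$prefix/lib/username.map";
	open my $usermap, '>', $usermap_path or die "Unable to open $usermap_path: $!";
	print {$usermap} "
$ret->{USERNAME} = KTEST\\Administrator
";
	close $usermap or die "Unable to close $usermap_path: $!";

	# … unchanged: comments describing ktest-secrets.tdb and the credentials cache …

	# Both files are secrets: create them unreadable to others from the start.
	my $old_umask = umask 077;
	copy("$self->{srcdir}/source3/selftest/ktest-secrets.tdb", "$prefix/private/secrets.tdb")
		or die "Unable to copy ktest-secrets.tdb: $!";
	chmod 0600, "$prefix/private/secrets.tdb" or die "Unable to chmod secrets.tdb: $!";

	$ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";

	copy("$self->{srcdir}/source3/selftest/ktest-krb5_ccache", "$prefix/krb5_ccache")
		or die "Unable to copy ktest-krb5_ccache: $!";
	chmod 0600, "$prefix/krb5_ccache" or die "Unable to chmod krb5_ccache: $!";
	umask $old_umask;
```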
@@ -572,6 +637,7 @@ sub provision($$$$$$)
 	log file = $logdir/log.\%m
 	log level = 0
 	debug pid = yes
+        max log size = 0
 
 	name resolve order = bcast
 
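Review bot: The added `max log size = 0` is indented with spaces while the surrounding smb.conf lines in this heredoc use a tab, and nothing in the generated config says why rotation is off. A tab-indented line preceded by a comment line such as `\t# no log rotation during selftest` keeps the block uniform and records the intent. provision continues outside the hunk.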
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 88cc707..3bf325e 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -264,5 +264,5 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-				bool mapped_to_guest,
-				struct auth_serversupplied_info **server_info);
+			       bool mapped_to_guest, bool username_was_mapped,
+			       struct auth_serversupplied_info **server_info);
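Review bot: The new `username_was_mapped` parameter carries no explanation at the prototype; a short comment on the declaration, such as `/* username_was_mapped: OR-ed into server_info->nss_token */`, tells callers why they must pass it. The realigned continuation lines also use a different mix of tabs and spaces from the unchanged lines above them. The declaration of make_server_info_krb5 starts outside the hunk.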
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index e52149a..1d87cca 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -185,7 +185,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-				bool mapped_to_guest,
+			       bool mapped_to_guest, bool username_was_mapped,
 				struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS status;
@@ -259,7 +259,17 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 			(*server_info)->info3->base.domain.string =
 				talloc_strdup((*server_info)->info3, ntdomain);
 		}
+	}
+
+	(*server_info)->nss_token |= username_was_mapped;
 
+	if (!mapped_to_guest) {
+		status = create_local_token(*server_info);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(10,("failed to create local token: %s\n",
+				nt_errstr(status)));
+			return status;
+		}
 	}
 
 	return NT_STATUS_OK;
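Review bot: When `create_local_token` fails in the new block, `*server_info` is left allocated and pointing at a session-info with no security token while an error status is returned; the removed caller-side checks in sesssetup.c freed server_info on that path and srv_pipe.c squashed the status, so any caller that does not free on error now keeps a token-less structure. Add `TALLOC_FREE(*server_info);` before the `return status;` in the failure branch so callers never receive a half-built object together with an error. The `if (!mapped_to_guest)` guard replaces the callers' old `security_token == NULL` check, presumably because the guest path already carries a token, which is outside this hunk; a one-line comment like `/* the guest path already built its token in make_server_info_guest() */` would record that assumption. make_server_info_krb5 begins outside the hunk.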
diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c
index f60f6ce..a3007e4 100644
--- a/source3/rpc_server/dcesrv_gssapi.c
+++ b/source3/rpc_server/dcesrv_gssapi.c
@@ -230,7 +230,7 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
 
 	status = make_server_info_krb5(mem_ctx,
 					ntuser, ntdomain, username, pw,
-					logon_info, is_guest, server_info);
+				       logon_info, is_guest, is_mapped, server_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
 			  nt_errstr(status)));
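Review bot: The removed block in srv_pipe.c turned a `create_local_token` failure into NT_STATUS_ACCESS_DENIED before it left pipe_gssapi_verify_final; after this change the raw status from inside make_server_info_krb5 propagates through this call and, presumably, the `return status` that follows outside the hunk. If that status reaches the wire, the previous squash was the more conservative behaviour; consider `status = NT_STATUS_ACCESS_DENIED;` in this failure branch, or confirm that the caller squashes it. gssapi_server_get_user_info starts and ends outside the hunk.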
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 73a3486..27a7aae 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -738,18 +738,6 @@ static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
 		return status;
 	}
 
-	if ((*session_info)->security_token == NULL) {
-		status = create_local_token(*session_info);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(1, ("Failed to create local user token (%s)\n",
-				  nt_errstr(status)));
-			status = NT_STATUS_ACCESS_DENIED;
-			return status;
-		}
-	}
-
-	/* TODO: this is what the ntlmssp code does with the session_key, check
-	 * it is ok with gssapi too */
 	/*
 	 * We're an authenticated bind over smb, so the session key needs to
 	 * be set to "SystemLibraryDTC". Weird, but this is what Windows
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index 30b26a4..972f68f 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -131,7 +131,7 @@ EOF
 # Test creating a good symlink and deleting it by path.
 test_good_symlink()
 {
-    tmpfile=/tmp/smbclient.in.$$
+    tmpfile=$PREFIX/smbclient.in.$$
     slink_name="$LOCAL_PATH/slink"
     slink_target="$LOCAL_PATH/slink_target"
 
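Review bot: `tmpfile=$PREFIX/smbclient.in.$$` is unquoted and has no fallback, so an unset `PREFIX` silently turns it into `/smbclient.in.$$`, and a `PREFIX` containing spaces breaks the later `cat > $tmpfile`; the same line is added in the three following hunks (test_read_only_dir, test_owner_only_file, test_msdfs_link). `tmpfile="${PREFIX:?PREFIX must be set}/smbclient.in.$$"` fails early instead, and the redirection should quote it as `cat > "$tmpfile"`. test_good_symlink continues outside the hunk.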
@@ -181,7 +181,7 @@ EOF
 test_read_only_dir()
 {
     prompt="NT_STATUS_ACCESS_DENIED making remote directory"
-    tmpfile=/tmp/smbclient.in.$$
+    tmpfile=$PREFIX/smbclient.in.$$
 
 ##
 ## We can't do this as non-root. We always have rights to
@@ -238,7 +238,7 @@ EOF
 test_owner_only_file()
 {
     prompt="NT_STATUS_ACCESS_DENIED opening remote file"
-    tmpfile=/tmp/smbclient.in.$$
+    tmpfile=$PREFIX/smbclient.in.$$
 
 ##
 ## We can't do this as non-root. We always have rights to
@@ -294,7 +294,7 @@ EOF
 # Test accessing an msdfs path.
 test_msdfs_link()
 {
-    tmpfile=/tmp/smbclient.in.$$
+    tmpfile=$PREFIX/smbclient.in.$$
     prompt="  msdfs-target  "
 
     cat > $tmpfile <<EOF
diff --git a/source3/selftest/ktest-krb5_ccache b/source3/selftest/ktest-krb5_ccache
new file mode 100644
index 0000000..1510222
Binary files /dev/null and b/source3/selftest/ktest-krb5_ccache differ
diff --git a/source3/selftest/ktest-secrets.tdb b/source3/selftest/ktest-secrets.tdb
new file mode 100644
index 0000000..c09c315
Binary files /dev/null and b/source3/selftest/ktest-secrets.tdb differ
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9ddb164..826b84f 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -207,12 +207,23 @@ if sub.returncode == 0:
     smb_options = ["", ",smb2"]
     endianness_options = ["", ",bigendian"]
     for z in smb_options:
-        for e in endianness_options:
-            for a in auth_options:
-                for s in signseal_options:
-                    binding_string = "ncacn_np:$SERVER_IP[%s%s%s%s]" % (a, s, z, e)
+        for s in signseal_options:
+            for e in endianness_options:
+                for a in auth_options:
+                    binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
                     options = binding_string + " -U$USERNAME%$PASSWORD"
                     plansmbtorturetestsuite(test, "dc", options, 'over ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+
+            # We should try more combinations in future, but this is all
+            # the pre-calculated credentials cache supports at the moment
+            e = ""
+            a = ""
+            binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
+            options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache"
+            plansmbtorturetestsuite(test, "ktest", options, 'over kerberos ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+
+
+
     for e in endianness_options:
         for a in auth_options:
             for s in signseal_options:
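Review bot: The binding string for the existing ncacn_np matrix changes from `$SERVER_IP` to `$SERVER` at the same time as the Kerberos case is added, which alters every pre-existing test in this loop and is not mentioned in the commit message; a comment such as `# $SERVER rather than $SERVER_IP: the kerberos service principal is looked up by host name` would record the reason, assuming that is it. The Kerberos case hard-codes `$PREFIX/ktest/krb5_ccache` while Samba3.pm publishes the same path as `KRB5_CCACHE`; if that variable is substituted into test options the way `$PREFIX` is, `--krb5-ccache=$KRB5_CCACHE` keeps the two in sync. The three blank lines after `plansmbtorturetestsuite` are leftovers and can be dropped. The enclosing `if sub.returncode == 0:` block continues outside the hunk.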
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index c5d44c6..57b0b68 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -372,6 +372,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 	ret = make_server_info_krb5(mem_ctx,
 				    user, domain, real_username, pw,
 				    logon_info, map_domainuser_to_guest,
+				    username_was_mapped,
 				    &server_info);
 	if (!NT_STATUS_IS_OK(ret)) {
 		DEBUG(1, ("make_server_info_krb5 failed!\n"));
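Review bot: The failure branch `if (!NT_STATUS_IS_OK(ret))` now also covers the create_local_token failure that the removed block in the second hunk handled by freeing ap_rep, session_key, mem_ctx and server_info before `reply_nterror`; only its DEBUG line and a `return;` are visible here, so confirm it releases the same resources, since server_info may now be non-NULL on that path. reply_spnego_kerberos continues outside both hunks.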
@@ -382,25 +383,6 @@ static void reply_spnego_kerberos(struct smb_request *req,
 		return;
 	}
 
-	server_info->nss_token |= username_was_mapped;
-
-	/* we need to build the token for the user. make_server_info_guest()
-	   already does this */
-
-	if ( !server_info->security_token ) {
-		ret = create_local_token( server_info );
-		if ( !NT_STATUS_IS_OK(ret) ) {
-			DEBUG(10,("failed to create local token: %s\n",
-				nt_errstr(ret)));
-			data_blob_free(&ap_rep);
-			data_blob_free(&session_key);
-			TALLOC_FREE( mem_ctx );
-			TALLOC_FREE( server_info );
-			reply_nterror(req, nt_status_squash(ret));
-			return;
-		}
-	}
-
 	if (!is_partial_auth_vuid(sconn, sess_vuid)) {
 		sess_vuid = register_initial_vuid(sconn);
 	}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 6649cfb..3668ab8 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -237,29 +237,15 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 	reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
 
 	status = make_server_info_krb5(session,
-					user, domain, real_username, pw,
-					logon_info, map_domainuser_to_guest,
-					&session->session_info);
+				       user, domain, real_username, pw,
+				       logon_info, map_domainuser_to_guest,
+				       username_was_mapped,
+				       &session->session_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
 		goto fail;
 	}
 
-
-	session->session_info->nss_token |= username_was_mapped;
-
-	/* we need to build the token for the user. make_session_info_guest()
-	   already does this */
-
-	if (!session->session_info->security_token ) {
-		status = create_local_token(session->session_info);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(10,("smb2: failed to create local token: %s\n",
-				nt_errstr(status)));
-			goto fail;
-		}
-	}
-
 	if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 	     lp_server_signing() == Required) {
 		session->do_signing = true;
diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c
index 11f4036..6dcef3f 100644
--- a/source4/lib/cmdline/popt_credentials.c
+++ b/source4/lib/cmdline/popt_credentials.c
@@ -34,12 +34,13 @@
  *		-P,--machine-pass
  *		--simple-bind-dn
  *		--password
+ *		--krb5-ccache
  */
 
 static bool dont_ask;
 static bool machine_account_pending;
 
-enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_SIGN, OPT_ENCRYPT };
+enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_SIGN, OPT_ENCRYPT, OPT_KRB5_CCACHE };
 
 /*
   disable asking for a password
@@ -130,6 +131,16 @@ static void popt_common_credentials_callback(poptContext con,
 		cli_credentials_set_bind_dn(cmdline_credentials, arg);
 		break;
 	}
+	case OPT_KRB5_CCACHE:
+	{
+		const char *error_string;
+		if (cli_credentials_set_ccache(cmdline_credentials, cmdline_lp_ctx, arg, CRED_SPECIFIED,
+					       &error_string) != 0) {
+			fprintf(stderr, "Error reading krb5 credentials cache: '%s' %s", arg, error_string);
+			exit(1);
+		}
+		break;
+	}
 	case OPT_SIGN:
 	{
 		uint32_t gensec_features;
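Review bot: The `fprintf` in the new OPT_KRB5_CCACHE case has no trailing newline, and `error_string` is uninitialised, so it is only safe if cli_credentials_set_ccache sets it on every failure, which this hunk cannot show; write `const char *error_string = NULL;` and `fprintf(stderr, "Error reading krb5 credentials cache: '%s' %s\n", arg, error_string ? error_string : "");`. `exit(1)` from inside the popt callback matches nothing visible in this hunk, so check it is the file's usual failure style for bad option values. popt_common_credentials_callback continues outside the hunk.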
@@ -166,6 +177,7 @@ struct poptOption popt_common_credentials[] = {
 	{ "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" },
 	{ "simple-bind-dn", 0, POPT_ARG_STRING, NULL, OPT_SIMPLE_BIND_DN, "DN to use for a simple bind" },
 	{ "kerberos", 'k', POPT_ARG_STRING, NULL, OPT_KERBEROS, "Use Kerberos, -k [yes|no]" },
+	{ "krb5-ccache", 0, POPT_ARG_STRING, NULL, OPT_KRB5_CCACHE, "Credentials cache location for Kerberos" },
 	{ "sign", 'S', POPT_ARG_NONE, NULL, OPT_SIGN, "Sign connection to prevent modification in transit" },
 	{ "encrypt", 'e', POPT_ARG_NONE, NULL, OPT_ENCRYPT, "Encrypt connection for privacy" },
 	{ NULL }

