[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Apr 5 21:25:02 MDT 2011


The branch, master has been updated
       via  d84a8d5 s3-selftest Add tests to show kerberos works across a password change
       via  0415a57 s3-librpc Fix creation of in-memory keytab for previous password
       via  747ebc1 s3-selftest names into DNS hosts file to avoid NBT lookups
       via  457c665 libcli/nbt Cope with blank lines in DNS hosts file
      from  82e0ba2 docs: fix the missing parameter description section in the smb.conf manpage

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d84a8d534374072fc96fd5da34e0021c81005f1a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Apr 6 09:12:15 2011 +1000

    s3-selftest Add tests to show kerberos works across a password change
    
    It is important that a machine account password change does not
    invalidate existing tickets.
    
    This is only for the default kerberos method with a password in
    secrets.tdb.  The keytab based methods are still not tested.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Wed Apr  6 05:24:48 CEST 2011 on sn-devel-104

commit 0415a5736e7e68f076fcf63dc16a7d33da4e569d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Apr 6 09:10:13 2011 +1000

    s3-librpc Fix creation of in-memory keytab for previous password
    
    We set the current password twice, rather than the current and old
    password.
    
    Andrew Bartlett

commit 747ebc118a5cff75e71341e1f39b8127e96e41cd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Apr 6 12:10:03 2011 +1000

    s3-selftest names into DNS hosts file to avoid NBT lookups
    
    NBT lookups cause trouble and variability in 'make test', so it's much
    better if we just use the fake DNS code.  This code is only used by
    smbtorture4 at this time, but the other client tools are generally
    told to contact by IP address.
    
    We need to contact by name to test Kerberos, and this should make the
    kerberos tests much more reliable.
    
    Andrew Bartlett

commit 457c665be2777513ff8aed1de53d8ea4eb462adc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Apr 6 12:09:41 2011 +1000

    libcli/nbt Cope with blank lines in DNS hosts file

-----------------------------------------------------------------------

Summary of changes:
 libcli/nbt/dns_hosts_file.c                        |    6 ++--
 selftest/target/Samba3.pm                          |   23 ++++++++++++++++---
 source3/librpc/crypto/gse_krb5.c                   |    2 +-
 .../{ktest-krb5_ccache => ktest-krb5_ccache-2}     |  Bin 11966 -> 11966 bytes
 source3/selftest/ktest-krb5_ccache-3               |  Bin 0 -> 6031 bytes
 source3/selftest/ktest-secrets.tdb                 |  Bin 45056 -> 45056 bytes
 source3/selftest/tests.py                          |    5 +++-
 7 files changed, 27 insertions(+), 9 deletions(-)
 rename source3/selftest/{ktest-krb5_ccache => ktest-krb5_ccache-2} (100%)
 create mode 100644 source3/selftest/ktest-krb5_ccache-3


Changeset truncated at 500 lines:

diff --git a/libcli/nbt/dns_hosts_file.c b/libcli/nbt/dns_hosts_file.c
index c6491a9..8013936 100644
--- a/libcli/nbt/dns_hosts_file.c
+++ b/libcli/nbt/dns_hosts_file.c
@@ -85,15 +85,15 @@ static bool getdns_hosts_fileent(TALLOC_CTX *ctx, XFILE *fp, char **pp_name, cha
 			++count;
 		if (next_token_talloc(ctx, &ptr, &name, NULL))
 			++count;
-		if (strcasecmp(name_type, "A") == 0) {
+		if (name_type && strcasecmp(name_type, "A") == 0) {
 			if (next_token_talloc(ctx, &ptr, &ip, NULL))
 				++count;
-		} else if (strcasecmp(name_type, "SRV") == 0) {
+		} else if (name_type && strcasecmp(name_type, "SRV") == 0) {
 			if (next_token_talloc(ctx, &ptr, &next_name, NULL))
 				++count;
 			if (next_token_talloc(ctx, &ptr, &port, NULL))
 				++count;
-		} else if (strcasecmp(name_type, "CNAME") == 0) {
+		} else if (name_type && strcasecmp(name_type, "CNAME") == 0) {
 			if (next_token_talloc(ctx, &ptr, &next_name, NULL))
 				++count;
 		}
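Review bot: The three new `name_type &&` guards only help if `name_type` is NULL whenever the first token is missing, and that initialisation is outside the hunk. If the variable is set once before the loop rather than reset per line, a blank line following a valid record would still carry the previous record's type and the branches would run against an empty line. A single early exit after the first `next_token_talloc` call, such as `if (!name_type) continue;`, would replace the repeated guards, assuming this body sits inside the per-line loop (which begins outside the hunk) and that skipping the later `count` handling is acceptable. A short comment such as `/* blank or short line: no record type */` would record why the check exists.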
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index de3fffb..b6c851a 100644
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -298,19 +298,29 @@ $ret->{USERNAME} = KTEST\\Administrator
 # ticket_lifetime = 799718400
 # renew_lifetime = 799718400
 #
-# The commands run were:
+# The commands for the -2 keytab where were:
 # kinit administrator at KTEST.SAMBA.EXAMPLE.COM
 # kvno host/localktest6 at KTEST.SAMBA.EXAMPLE.COM
 # kvno cifs/localktest6 at KTEST.SAMBA.EXAMPLE.COM
 # kvno host/LOCALKTEST6 at KTEST.SAMBA.EXAMPLE.COM
 # kvno cifs/LOCALKTEST6 at KTEST.SAMBA.EXAMPLE.COM
 #
-# This creates a credential cache with a very long lifetime (2036 at at 2011-04)
+# and then for the -3 keytab, I did
+#
+# net changetrustpw; kdestroy and the same again.
+#
+# This creates a credential cache with a very long lifetime (2036 at
+# at 2011-04), and shows that running 'net changetrustpw' does not
+# break existing logins (for the secrets.tdb method at least).
+#
 
 	$ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";
 
-	system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache $prefix/krb5_ccache");
-	chmod 0600, "$prefix/krb5_ccache";
+	system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-2 $prefix/krb5_ccache-2");
+	chmod 0600, "$prefix/krb5_ccache-2";
+
+	system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-3 $prefix/krb5_ccache-3");
+	chmod 0600, "$prefix/krb5_ccache-3";
 
 	$self->check_or_start($ret,
 			      ($ENV{SMBD_MAXTIME} or 2700),
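Review bot: `$ret->{KRB5_CCACHE}` is still set to `FILE:$prefix/krb5_ccache`, but after this change only `krb5_ccache-2` and `krb5_ccache-3` are copied into `$prefix`, so the exported variable names a file this code no longer creates. Either point it at one of the new caches, e.g. `$ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache-3";`, or drop it if nothing consumes it. Separately, both `system("cp ...")` calls ignore their exit status and pass interpolated paths through the shell. Using `copy(...) or die` from `File::Copy` would fail at setup time with a clear message rather than as an obscure Kerberos error later, and would keep a path containing spaces or shell metacharacters from being reinterpreted. The enclosing sub starts and ends outside the hunk.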
@@ -802,6 +812,11 @@ domusers:X:$gid_domusers:
 
 	print "DONE\n";
 
+	open(HOSTS, ">>$ENV{SELFTEST_PREFIX}/dns_host_file") or die("Unable to open $ENV{SELFTEST_PREFIX}/dns_host_file");
+	print HOSTS "A $server $server_ip
+";
+	close(HOSTS);
+
 	$ret{SERVER_IP} = $server_ip;
 	$ret{NMBD_TEST_LOG} = "$prefix/nmbd_test.log";
 	$ret{NMBD_TEST_LOG_POS} = 0;
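Review bot: The added `open(HOSTS, ">>...")` uses a bareword handle with two-argument open on a path built from `$ENV{SELFTEST_PREFIX}`, and the `die` message omits `$!`, so a failure does not say why. The three-argument form with a lexical handle avoids mode characters in the prefix being interpreted and scopes the handle: `open(my $hosts, '>>', "$ENV{SELFTEST_PREFIX}/dns_host_file") or die("Unable to open $ENV{SELFTEST_PREFIX}/dns_host_file: $!");`. Because the file is opened for append, entries appear to accumulate across servers and possibly across runs; a comment saying where the file is truncated (not visible in this hunk) would help. The record would also read more clearly as `"A $server $server_ip\n"` than with a literal newline inside the string.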
diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index 735dff0..830d517 100644
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -280,7 +280,7 @@ static krb5_error_code get_mem_keytab_from_secrets(krb5_context krbctx,
 		goto out;
 	}
 
-	pwd_old = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+	pwd_old = secrets_fetch_prev_machine_password(lp_workgroup());
 	if (!pwd_old) {
 		DEBUG(10, (__location__ ": no prev machine password\n"));
 	} else {
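Review bot: The corrected `pwd_old` assignment has no comment explaining why the previous password is loaded at all, which is how the original copy-and-paste of the current-password fetch went unnoticed. Something like `/* Tickets issued before a machine password change are encrypted with the old key, so the keytab needs both */` above the assignment would make the intent explicit. `pwd_old` holds a machine account secret, and whether it is scrubbed and freed on every path through `out:` cannot be seen here, since get_mem_keytab_from_secrets starts and ends outside the hunk; that is worth confirming. The level-10 `DEBUG` on the no-previous-password path logs no secret material.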
diff --git a/source3/selftest/ktest-krb5_ccache-3 b/source3/selftest/ktest-krb5_ccache-3
new file mode 100644
index 0000000..a056beb
Binary files /dev/null and b/source3/selftest/ktest-krb5_ccache-3 differ
diff --git a/source3/selftest/ktest-secrets.tdb b/source3/selftest/ktest-secrets.tdb
index c09c315..cf5c3d0 100644
Binary files a/source3/selftest/ktest-secrets.tdb and b/source3/selftest/ktest-secrets.tdb differ
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 826b84f..3fd44c5 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -219,7 +219,10 @@ if sub.returncode == 0:
             e = ""
             a = ""
             binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
-            options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache"
+            options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
+            plansmbtorturetestsuite(test, "ktest", options, 'over kerberos with old ccache ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+
+            options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-3"
             plansmbtorturetestsuite(test, "ktest", options, 'over kerberos ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
 
 


-- 
Samba Shared Repository

