[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Aug 29 17:27:02 MDT 2012
The branch, master has been updated
via 5131359 auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
via a58bf44 s4-torture: Add start of a test to confirm winbindd PAC parsing
via fe36bb4 lib/krb4_wrap: Add const to kt_copy_one_principal
from 6678907 s3:vfs_gpfs: Use directory not file to get fileset id
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5131359edae7a5c7092c0d41bb225941596ddcac
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 30 07:49:21 2012 +1000
auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
This allows a password alone to be used to accept kerberos tickets.
Of course, we need to have got the salt right, but we do not need also
the correct kvno. This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
commit a58bf44c1ec62736fc20e0e7dedb8a1c0306380c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 24 10:01:42 2012 +1000
s4-torture: Add start of a test to confirm winbindd PAC parsing
So far this confirms that we can accept a ticket using the secrets.tdb
entry.
Andrew Bartlett
commit fe36bb4bcc35cccbc6f0a91a9ef4a29e908048a0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Aug 29 17:58:45 2012 +1000
lib/krb4_wrap: Add const to kt_copy_one_principal
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 11 ++-
lib/krb5_wrap/keytab_util.c | 2 +-
lib/krb5_wrap/krb5_samba.h | 2 +-
source3/selftest/tests.py | 4 +-
source4/auth/kerberos/kerberos.h | 1 +
source4/auth/kerberos/kerberos_util.c | 1 +
source4/torture/rpc/remote_pac.c | 2 +-
source4/torture/winbind/winbind.c | 153 +++++++++++++++++++++++++++++++++
8 files changed, 169 insertions(+), 7 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2a23688..459e948 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -717,6 +717,11 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
cred->keytab_obtained = (MAX(cred->principal_obtained,
cred->username_obtained));
+ /* We make this keytab up based on a password. Therefore
+ * match-by-key is acceptable, we can't match on the wrong
+ * principal */
+ ktc->password_based = true;
+
talloc_steal(cred, ktc);
cred->keytab = ktc;
*_ktc = cred->keytab;
@@ -818,12 +823,12 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- if (obtained < CRED_SPECIFIED) {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ if (ktc->password_based || obtained < CRED_SPECIFIED) {
+ /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
&gcc->creds);
} else {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
&gcc->creds);
}
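Review bot: The new `if (ktc->password_based || obtained < CRED_SPECIFIED)` at the top of the hunk now discards a caller-specified principal whenever the keytab is password-based, so credentials with `obtained >= CRED_SPECIFIED` accept a ticket for any principal whose key happens to be in that keytab rather than only the named one, and `princ` is computed but unused on that branch. The commit message's argument that this is safe rests on the keytab having been synthesised from a single password so that every entry shares one secret, which this hunk cannot verify on its own; the comment should state that dependency explicitly, e.g. `/* password-based keytab (see cli_credentials_get_keytab): every entry derives from the same secret, so match-by-key cannot select a principal the caller does not own; the specified principal is deliberately not enforced here */`. If a specified principal should still be honoured, the condition needs to become `obtained < CRED_SPECIFIED` only and the password-based case handled by the caller not specifying one. cli_credentials_get_server_gss_creds starts and ends outside the hunk.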
diff --git a/lib/krb5_wrap/keytab_util.c b/lib/krb5_wrap/keytab_util.c
index 91e4990..f9a8679 100644
--- a/lib/krb5_wrap/keytab_util.c
+++ b/lib/krb5_wrap/keytab_util.c
@@ -162,7 +162,7 @@ krb5_error_code kt_copy_one_principal(krb5_context context,
const char *to,
const char *principal,
krb5_kvno kvno,
- krb5_enctype *enctypes)
+ const krb5_enctype *enctypes)
{
krb5_error_code ret;
krb5_keytab src_keytab, dst_keytab;
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index c823c73..73a52a5 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -281,7 +281,7 @@ krb5_error_code kt_copy_one_principal(krb5_context context,
const char *to,
const char *principal,
krb5_kvno kvno,
- krb5_enctype *enctypes);
+ const krb5_enctype *enctypes);
#if defined(HAVE_KRB5_KT_COMPARE)
#define smb_krb5_kt_compare krb5_kt_compare
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 8b65232..f6b8c01 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -304,7 +304,7 @@ rpc = ["rpc.authcontext", "rpc.samba3.bind", "rpc.samba3.srvsvc", "rpc.samba3.sh
local = ["local.nss-wrapper", "local.ndr"]
-winbind = ["winbind.struct", "winbind.wbclient"]
+winbind = ["winbind.struct", "winbind.wbclient", "winbind.pac"]
rap = ["rap.basic", "rap.rpc", "rap.printing", "rap.sam"]
@@ -323,6 +323,8 @@ for t in tests:
elif t == "rap.sam":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
+ elif t == "winbind.pac":
+ plansmbtorturetestsuite(t, "s3member:local", '//$SERVER/tmp --realm=$REALM --machine-pass --option=torture:addc=$DC_SERVER', description="machine account")
elif t == "unix.whoami":
plansmbtorturetestsuite(t, "member:local", '//$SERVER/tmp --machine-pass', description="machine account")
plansmbtorturetestsuite(t, "s3member:local", '//$SERVER/tmp --machine-pass --option=torture:addc=$DC_SERVER', description="machine account")
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 51b8055..45975f1 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -40,6 +40,7 @@ struct ccache_container {
struct keytab_container {
struct smb_krb5_context *smb_krb5_context;
krb5_keytab keytab;
+ bool password_based;
};
/* not really ASN.1, but RFC 1964 */
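Review bot: The new `bool password_based;` member of struct keytab_container has no comment, and its effect is security-relevant: the name says where the keytab came from, not that setting it makes the GSSAPI acceptor match tickets by key and ignore the principal name. Add above the field something like `/* Set when the keytab was synthesised from a password (cli_credentials_get_keytab). Every entry then shares one secret, so the acceptor may match by key instead of by principal; leave false for keytabs read from disk. */`. Since a true value weakens acceptor matching, the comment should also note that any code path allocating a keytab_container must initialise it to false rather than rely on the allocator.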
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 17ae99c..b65a2ad 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -378,6 +378,7 @@ krb5_error_code smb_krb5_get_keytab_container(TALLOC_CTX *mem_ctx,
(*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context);
(*ktc)->keytab = keytab;
+ (*ktc)->password_based = false;
talloc_set_destructor(*ktc, free_keytab_container);
return 0;
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 75e9418..3e25a46 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -3,7 +3,7 @@
test suite for netlogon PAC operations
- Copyright (C) Andrew Bartlett <abartlet at samba.org> 2008
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2012
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/source4/torture/winbind/winbind.c b/source4/torture/winbind/winbind.c
index 80b914b..cb895f5 100644
--- a/source4/torture/winbind/winbind.c
+++ b/source4/torture/winbind/winbind.c
@@ -2,6 +2,7 @@
Unix SMB/CIFS implementation.
SMB torture tester
Copyright (C) Stefan Metzmacher 2007
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2012
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -20,6 +21,156 @@
#include "includes.h"
#include "torture/smbtorture.h"
#include "torture/winbind/proto.h"
+#include "auth/auth.h"
+#include "auth/auth_sam_reply.h"
+#include "auth/gensec/gensec.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "auth/credentials/credentials.h"
+#include "param/param.h"
+#include "lib/cmdline/popt_common.h"
+
+struct pac_data {
+ DATA_BLOB pac_blob;
+};
+
+/* A helper function which avoids touching the local databases to
+ * generate the session info, as we just want to verify the PAC
+ * details, not the full local token */
+static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS nt_status;
+ struct auth_user_info_dc *user_info_dc;
+ TALLOC_CTX *tmp_ctx;
+ struct pac_data *pac_data;
+
+ tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
+ NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
+
+ auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data);
+
+ pac_data->pac_blob = *pac_blob;
+
+ talloc_steal(pac_data, pac_data->pac_blob.data);
+ nt_status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
+ *pac_blob,
+ smb_krb5_context->krb5_context,
+ &user_info_dc,
+ NULL, NULL);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+
+ if (user_info_dc->info->authenticated) {
+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+ nt_status = auth_generate_session_info(mem_ctx,
+ NULL,
+ NULL,
+ user_info_dc, session_info_flags,
+ session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+
+ talloc_free(tmp_ctx);
+ return nt_status;
+}
+
+/* Check to see if we can pass the PAC across to the NETLOGON server for validation */
+
+/* Also happens to be a really good one-step verfication of our Kerberos stack */
+
+static bool torture_winbind_pac(struct torture_context *tctx)
+{
+ NTSTATUS status;
+
+ struct gensec_security *gensec_client_context;
+ struct gensec_security *gensec_server_context;
+
+ DATA_BLOB client_to_server, server_to_client;
+
+ struct auth4_context *auth_context;
+ struct auth_session_info *session_info;
+ struct pac_data *pac_data;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(tctx);
+ torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
+
+ auth_context = talloc_zero(tmp_ctx, struct auth4_context);
+ torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
+
+ auth_context->generate_session_info_pac = test_generate_session_info_pac;
+
+ status = gensec_client_start(tctx, &gensec_client_context,
+ lpcfg_gensec_settings(tctx, tctx->lp_ctx));
+ torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
+
+ status = gensec_set_target_hostname(gensec_client_context, cli_credentials_get_workstation(cmdline_credentials));
+
+ status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
+
+ status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
+ torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
+
+ status = gensec_server_start(tctx,
+ lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+ auth_context, &gensec_server_context);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
+
+ status = gensec_set_credentials(gensec_server_context, cmdline_credentials);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
+
+ status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
+ torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
+
+ server_to_client = data_blob(NULL, 0);
+
+ do {
+ /* Do a client-server update dance */
+ status = gensec_update(gensec_client_context, tmp_ctx, tctx->ev, server_to_client, &client_to_server);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
+ torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
+ }
+
+ status = gensec_update(gensec_server_context, tmp_ctx, tctx->ev, client_to_server, &server_to_client);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
+ torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
+ }
+
+ if (NT_STATUS_IS_OK(status)) {
+ break;
+ }
+ } while (1);
+
+ /* Extract the PAC using Samba's code */
+
+ status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
+
+ pac_data = talloc_get_type(auth_context->private_data, struct pac_data);
+
+ torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context");
+ torture_assert(tctx, pac_data->pac_blob.data != NULL, "pac_blob not present");
+
+ /* TODO: Check the PAC blob with winbind */
+
+ return true;
+}
+
+
NTSTATUS torture_winbind_init(void)
{
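Review bot: `pac_data` is dereferenced on the line after `auth_ctx->private_data = pac_data = talloc_zero(...)` without a NULL check, unlike `tmp_ctx` two lines earlier; add `if (pac_data == NULL) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; }` before `pac_data->pac_blob = *pac_blob;`. In torture_winbind_pac the result of `gensec_set_target_hostname(...)` is stored in `status` and immediately overwritten by the next call without being examined, so a failure to set the target name is silently ignored; follow it with `torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");`. The two `{;` after the NT_STATUS_EQUAL checks in the update loop are stray semicolons and should be `{`. The loop also has no bound, so a client/server pair that keeps returning NT_STATUS_MORE_PROCESSING_REQUIRED would hang the test rather than fail it; a small iteration cap checked with torture_assert would fix that, and the comment typo "verfication" should read "verification".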
@@ -27,6 +178,8 @@ NTSTATUS torture_winbind_init(void)
torture_suite_add_suite(suite, torture_winbind_struct_init());
torture_suite_add_suite(suite, torture_wbclient());
+ torture_suite_add_simple_test(suite,
+ "pac", torture_winbind_pac);
suite->description = talloc_strdup(suite, "WINBIND tests");