[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Sun Jan 8 19:25:02 MST 2012


The branch, master has been updated
       via  356f798 auth/credentials Remove debug that prints in normal operation
       via  13f5414 s3-libsmb: Do not look up FQDN or use host/ for krb5 encrypted CIFS
       via  c243bd2 s3-sefltest Make krb5 tests contain the word krb5
       via  1a41f72 s3-selftst Add encrypted CIFS testing with kerberos
       via  4b9d52d s3-libsmb: match the rest of Samba3 in kerberos name selection in smb sealing
       via  c017c3e s3-selftest: Add test for smbclient kerberos support
       via  3192095 s3-build SMBTORTRUE4 variable is unused in make test
       via  bd9309b s3-build SAMBA4SHAREDIR is unused in make test
       via  fbe0275 s3-build: smbtorture4 can be built regardless of use_ads
       via  1a588df s3-selftest: remove smb4torture_possible and add have_ads_support
       via  cb00b58 s3-selftest Hide smb4torture_possible inside plansmbtorturetestsuite()
      from  eff69aa Add "repack" command to tdbtool.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 356f7989eb7114a5149d777882cf741322f34dfc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 9 11:52:54 2012 +1100

    auth/credentials Remove debug that prints in normal operation
    
    The fact that this function is unimplemented is unimportant to the callers
    as credential caches are not handled via the auth/credentials code in s3.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Mon Jan  9 03:24:36 CET 2012 on sn-devel-104

commit 13f5414f93e54b2fad7d2966cd3ddd2e4abb0dc6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 9 11:19:33 2012 +1100

    s3-libsmb: Do not look up FQDN or use host/ for krb5 encrypted CIFS
    
    This is important, as we want to use exactly the same name and ticket
    that the libsmb session setup code used, so we do not hit the KDC twice.
    
    For the session setup to have succeeded using the default 'client use
    spnego principal = no', the cifs/ principal must exist anyway, so
    looking for host/ is pointless.  The case of 'client use spnego
    principal = yes' was never supported here.
    
    Andrew Bartlett

commit c243bd2578026d28abfbb4e8a76fe7f008291466
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 9 10:50:14 2012 +1100

    s3-sefltest Make krb5 tests contain the word krb5

commit 1a41f728611c283386b41fca5dfadad0aff3c8f5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 9 10:49:49 2012 +1100

    s3-selftst Add encrypted CIFS testing with kerberos

commit 4b9d52d735ae6bb2be4573441bd15b4291c83c42
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 9 10:30:47 2012 +1100

    s3-libsmb: match the rest of Samba3 in kerberos name selection in smb sealing
    
    This mirrors 860ad734ba77238d187520f72afcbdc1c73d94ef which in turn
    mirrors the behaviour of the libsmb client code at session setup time.
    
    Andrew Bartlett

commit c017c3ec8e75106d893fe3b68fca34c75b513830
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 9 10:18:37 2012 +1100

    s3-selftest: Add test for smbclient kerberos support

commit 319209592d25872bc6b05b5fad5666ccc32cdc2a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jan 6 19:16:32 2012 +1100

    s3-build SMBTORTRUE4 variable is unused in make test

commit bd9309b91c2dd19fbbc8be73732780ee0aaf8095
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jan 6 19:14:33 2012 +1100

    s3-build SAMBA4SHAREDIR is unused in make test

commit fbe027508464d876602f9e4b12defbe4def63995
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jan 6 19:12:08 2012 +1100

    s3-build: smbtorture4 can be built regardless of use_ads

commit 1a588dfd1940ae54923d5f7a66276dca2fa08aee
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 9 09:47:47 2012 +1100

    s3-selftest: remove smb4torture_possible and add have_ads_support
    
    The smb4torture_possible check has already been hidden in
    plansmbtorturetestsuite to reduce extra complexity and indentation.
    
    The have_ads_support check will allow ADS tests to be run when we
    do not have the ability to run smbtorture4
    
    Andrew Bartlett

commit cb00b58349fbd8c72d1c51e6cacc204c76a70a13
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 9 09:26:57 2012 +1100

    s3-selftest Hide smb4torture_possible inside plansmbtorturetestsuite()

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_samba3.c       |    1 -
 source3/Makefile.in                         |    2 -
 source3/configure.in                        |    4 -
 source3/libsmb/clifsinfo.c                  |   46 ++++------
 source3/script/tests/test_smbclient_krb5.sh |   21 +++++
 source3/selftest/tests.py                   |  127 +++++++++++++++++----------
 6 files changed, 117 insertions(+), 84 deletions(-)
 create mode 100755 source3/script/tests/test_smbclient_krb5.sh


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_samba3.c b/auth/credentials/credentials_samba3.c
index 2310825..d742a0a 100644
--- a/auth/credentials/credentials_samba3.c
+++ b/auth/credentials/credentials_samba3.c
@@ -28,7 +28,6 @@
 _PUBLIC_ void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
 				       enum credentials_obtained obtained)
 {
-	DEBUG(0, ("cli_credentials_invalidate_ccache is unimplemented in the autoconf build\n"));
 	return;
 }
 
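
Review bot: with the DEBUG(0) line gone, cli_credentials_invalidate_ccache() is an empty stub and nothing in the code says that this is deliberate. A one-line comment in the body (credential caches are not handled through auth/credentials in s3, as the commit message explains) would keep the next reader from treating it as a forgotten implementation. The bare "return;" at the end of a void function can go at the same time.
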
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 72f2c9f..2dcb71b 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -54,7 +54,6 @@ SMB_PASSWD_FILE=@SMB_PASSWD_FILE@
 
 selftest_prefix=@selftest_prefix@
 selftest_shrdir=@selftest_shrdir@
-smbtorture4_path=@smbtorture4_path@
 smbtorture4_option=@smbtorture4_option@
 selftest_custom_conf=@selftest_custom_conf@
 
@@ -3520,7 +3519,6 @@ S3_LD_LIBPATH_OVERRIDE = $(LIB_PATH_VAR)="$(builddir)/bin:$$$(LIB_PATH_VAR)"
 
 test:: all torture timelimit
 	@LIB_PATH_VAR=$(LIB_PATH_VAR) $(S3_LD_LIBPATH_OVERRIDE) \
-		SAMBA4SHAREDDIR="$(builddir)/bin/shared" SMBTORTURE4=$(smbtorture4_path) \
 		NSS_WRAPPER_WINBIND_SO_PATH="$(srcdir)/../nsswitch/libnss_winbind.so" \
 		SELFTESTDIR="$(selftestdir)" SELFTESTPREFIX="$(selftest_prefix)" \
 		SOURCEDIR="$(srcdir)" \
diff --git a/source3/configure.in b/source3/configure.in
index 6a41f97..e39d439 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -4470,10 +4470,6 @@ if test x"$with_ads_support" != x"no"; then
 LIBS="$ac_save_LIBS"
 fi
 
-if test x"$use_ads" != xyes; then
-	smbtorture4_possible=no
-fi
-
 AC_CHECK_LIB_EXT(nscd, NSCD_LIBS, nscd_flush_cache)
 PASSDB_LIBS="$PASSDB_LIBS $NSCD_LIBS"
 
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index 5c86c5d..b02cdd5 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -710,30 +710,29 @@ static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx,
 	gss_buffer_desc tok_out, tok_in;
 	DATA_BLOB blob_out = data_blob_null;
 	DATA_BLOB blob_in = data_blob_null;
-	char *host_princ_s = NULL;
 	OM_uint32 ret_flags = 0;
 	NTSTATUS status = NT_STATUS_OK;
 
-	gss_OID_desc nt_hostbased_service =
-	{10, discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")};
-
 	memset(&tok_out, '\0', sizeof(tok_out));
 
-	/* Get a ticket for the service at host */
-	if (asprintf(&host_princ_s, "%s@%s", service, host) == -1) {
+	/* Guess the realm based on the supplied service, and avoid the GSS libs
+	   doing DNS lookups which may fail.
+
+	   TODO: Loop with the KDC on some more combinations (local
+	   realm in particular), possibly falling back to
+	   GSS_C_NT_HOSTBASED_SERVICE
+	*/
+	input_name.value = kerberos_get_principal_from_service_hostname(talloc_tos(),
+									 service, host);
+	if (!input_name.value) {
 		return NT_STATUS_NO_MEMORY;
 	}
-
-	input_name.value = host_princ_s;
-	input_name.length = strlen(host_princ_s) + 1;
-
-	ret = gss_import_name(&min,
-				&input_name,
-				&nt_hostbased_service,
-				&srv_name);
-
+	input_name.length = strlen((char *)input_name.value);
+	ret = gss_import_name(&min, &input_name,
+			      GSS_C_NT_USER_NAME,
+			      &srv_name);
 	if (ret != GSS_S_COMPLETE) {
-		SAFE_FREE(host_princ_s);
+		TALLOC_FREE(input_name.value);
 		return map_nt_error_from_gss(ret, min);
 	}
 
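
Review bot: gss_import_name() is now passed GSS_C_NT_USER_NAME for a string that names a service principal, and the comment above only explains the realm guess, not the name type. Please add a sentence on why the user-name type is used here instead of a host-based or principal name type, since the TODO already hints that GSS_C_NT_HOSTBASED_SERVICE is the expected fallback. Two smaller points in the same lines: the principal string is allocated on talloc_tos() although the function receives a ctx argument for exactly this purpose, and a NULL return from kerberos_get_principal_from_service_hostname() is always reported as NT_STATUS_NO_MEMORY, which is misleading if that helper can also fail for other reasons.
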
@@ -785,7 +784,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx,
 
 	data_blob_free(&blob_out);
 	data_blob_free(&blob_in);
-	SAFE_FREE(host_princ_s);
+	TALLOC_FREE(input_name.value);
 	gss_release_name(&min, &srv_name);
 	if (tok_out.value) {
 		gss_release_buffer(&min, &tok_out);
@@ -811,19 +810,8 @@ NTSTATUS cli_gss_smb_encryption_start(struct cli_state *cli)
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	name_to_fqdn(fqdn, cli_state_remote_name(cli));
-	strlower_m(fqdn);
-
 	servicename = "cifs";
-	status = make_cli_gss_blob(talloc_tos(), es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send);
-	if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		servicename = "host";
-		status = make_cli_gss_blob(talloc_tos(), es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send);
-		if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-			goto fail;
-		}
-	}
-
+	status = make_cli_gss_blob(talloc_tos(), es, servicename, cli_state_remote_name(cli), NT_STATUS_OK, blob_recv, &blob_send);
 	do {
 		data_blob_free(&blob_recv);
 		status = enc_blob_send_receive(cli, &blob_send, &blob_recv, &param_out);
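
Review bot: the status returned by the single remaining make_cli_gss_blob() call is never checked before the do loop starts. The removed code jumped to fail unless the result was NT_STATUS_MORE_PROCESSING_REQUIRED; now a failed ticket request falls straight into enc_blob_send_receive() with whatever is in blob_send, and the original error is overwritten by the loop's own status. Keeping "if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { goto fail; }" after the call preserves the old behaviour for the cifs/ case. If fqdn has no other use in this function after name_to_fqdn() is removed, its declaration and allocation should be dropped as well.
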
diff --git a/source3/script/tests/test_smbclient_krb5.sh b/source3/script/tests/test_smbclient_krb5.sh
new file mode 100755
index 0000000..02117dc
--- /dev/null
+++ b/source3/script/tests/test_smbclient_krb5.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: test_smbclient.sh ccache smbclient3 server <smbclient args>
+EOF
+exit 1;
+fi
+
+KRB5CCNAME=$1
+export KRB5CCNAME
+SMBCLIENT3=$2
+SERVER=$3
+shift 3
+ADDARGS="$*"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+testit "smbclient" $VALGRIND $SMBCLIENT3 //$SERVER/tmp -c 'ls' -k $ADDARGS || failed=`expr $failed + 1`
+
+testok $0 $failed
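
Review bot: the argument check at the top tests "$# -lt 1", but the script consumes three positional parameters and then runs "shift 3", so a call with one or two arguments passes the check and goes on with empty SMBCLIENT3 or SERVER. Test for "$# -lt 3" instead. The usage text also names test_smbclient.sh where it should say test_smbclient_krb5.sh, and $SERVER, $SMBCLIENT3 and $incdir are expanded unquoted in the testit and source lines.
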
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index ea14cc6..dc0c32c 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -22,12 +22,29 @@ import os, sys
 sys.path.insert(0, os.path.normpath(os.path.join(os.path.dirname(__file__), "../../selftest")))
 from selftesthelpers import *
 import subprocess
-
 smb4torture = binpath("smbtorture4")
 samba3srcdir = srcdir() + "/source3"
 configuration = "--configfile=$SMB_CONF_PATH"
 scriptdir=os.path.join(samba3srcdir, "../script/tests")
 
+# see if we support ADS on the Samba3 side
+try:
+    config_h = os.environ["CONFIG_H"]
+except KeyError:
+    config_h = os.path.join(samba3srcdir, "include/autoconf/config.h")
+
+f = open(config_h, 'r')
+try:
+    have_ads_support = ("HAVE_LDAP 1" in f.read())
+finally:
+    f.close()
+
+f = open(config_h, 'r')
+try:
+    have_ads_support &= ("HAVE_KRB5 1" in f.read())
+finally:
+    f.close()
+
 torture_options = [configuration, "--maximum-runtime=$SELFTEST_MAXTIME", 
                    "--target=samba3", "--basedir=$SELFTEST_TMPDIR",
                    '--option="torture:winbindd_netbios_name=$SERVER"',
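
Review bot: config_h is opened and read in full twice, once per feature test, where a single read into a variable followed by two checks would do and would remove the duplicated try/finally block. The tests themselves are plain substring matches on "HAVE_LDAP 1" and "HAVE_KRB5 1", which would also match a longer macro name ending in the same text or a value that merely begins with 1; matching whole "#define HAVE_LDAP 1" lines is safer. Note also that open() is called unguarded at import time, so a missing config.h stops all test planning with a traceback instead of setting have_ads_support to False.
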
@@ -41,10 +58,15 @@ if os.getenv("SELFTEST_QUICK"):
     torture_options.append("--option=torture:quick=yes")
 smb4torture += " " + " ".join(torture_options)
 
+sub = subprocess.Popen("%s --version 2> /dev/null" % smb4torture, stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
+sub.communicate("")
+smb4torture_possible = (sub.returncode == 0)
+
 def plansmbtorturetestsuite(name, env, options, description=''):
     modname = "samba3.posix_s3.%s %s" % (name, description)
     cmdline = "%s $LISTOPT %s %s" % (valgrindify(smb4torture), options, name)
-    plantestsuite_loadlist(modname, env, cmdline)
+    if smb4torture_possible:
+        plantestsuite_loadlist(modname, env, cmdline)
 
 plantestsuite("samba3.blackbox.success", "s3dc:local", [os.path.join(samba3srcdir, "script/tests/test_success.sh")])
 plantestsuite("samba3.blackbox.failure", "s3dc:local", [os.path.join(samba3srcdir, "script/tests/test_failure.sh")])
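
Review bot: when the "--version" probe fails, plansmbtorturetestsuite() now returns without planning anything and without saying so, which means every smbtorture-based suite disappears from the run with no trace in the output. Please print one message to stderr when smb4torture_possible is False, or register the suites as skipped, so that a run without smbtorture4 cannot be mistaken for a full pass. The probe is also executed with all of torture_options already appended to smb4torture, which is more than a version check needs.
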
@@ -232,70 +254,79 @@ libsmbclient = ["libsmbclient"]
 
 tests= base + raw + smb2 + rpc + unix + local + winbind + rap + nbt + libsmbclient
 
-sub = subprocess.Popen("%s --version 2> /dev/null" % smb4torture, stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
-sub.communicate("")
-
-if sub.returncode == 0:
-    for t in tests:
-        if t == "base.delaywrite":
-            plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --maximum-runtime=900')
-        elif t == "rap.sam":
-            plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
-        elif t == "unix.whoami":
-            plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
-        elif t == "raw.samba3posixtimedlock":
-            plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
-        elif t == "raw.chkpath":
-            plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpcase -U$USERNAME%$PASSWORD')
-        else:
-            plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
-
-
-    test = 'rpc.lsa.lookupsids'
-    auth_options = ["", "ntlm", "spnego", "spnego,ntlm" ]
-    signseal_options = ["", ",connect", ",sign", ",seal"]
-    smb_options = ["", ",smb2"]
-    endianness_options = ["", ",bigendian"]
-    for z in smb_options:
-        for s in signseal_options:
-            for e in endianness_options:
-                for a in auth_options:
-                    binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
-                    options = binding_string + " -U$USERNAME%$PASSWORD"
-                    plansmbtorturetestsuite(test, "s3dc", options, 'over ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
-                    plantestsuite("samba3.blackbox.rpcclient over ncacn_np with [%s%s%s%s] " % (a, s, z, e), "s3dc:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
+for t in tests:
+    if t == "base.delaywrite":
+        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --maximum-runtime=900')
+    elif t == "rap.sam":
+        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
+    elif t == "unix.whoami":
+        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
+    elif t == "raw.samba3posixtimedlock":
+        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
+    elif t == "raw.chkpath":
+        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpcase -U$USERNAME%$PASSWORD')
+    else:
+        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
+
+
+test = 'rpc.lsa.lookupsids'
+auth_options = ["", "ntlm", "spnego", "spnego,ntlm" ]
+signseal_options = ["", ",connect", ",sign", ",seal"]
+smb_options = ["", ",smb2"]
+endianness_options = ["", ",bigendian"]
+for z in smb_options:
+    for s in signseal_options:
+        for e in endianness_options:
+            for a in auth_options:
+                binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
+                options = binding_string + " -U$USERNAME%$PASSWORD"
+                plansmbtorturetestsuite(test, "s3dc", options, 'over ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+                plantestsuite("samba3.blackbox.rpcclient over ncacn_np with [%s%s%s%s] " % (a, s, z, e), "s3dc:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
                                                                  "none", options, configuration])
 
+        if have_ads_support:
             # We should try more combinations in future, but this is all
             # the pre-calculated credentials cache supports at the moment
             e = ""
             a = ""
             binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
             options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
-            plansmbtorturetestsuite(test, "ktest", options, 'over kerberos with old ccache ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+            plansmbtorturetestsuite(test, "ktest", options, 'krb5 with old ccache ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
 
             options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-3"
-            plansmbtorturetestsuite(test, "ktest", options, 'over kerberos ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+            plansmbtorturetestsuite(test, "ktest", options, 'krb5 ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
 
             auth_options2 = ["krb5", "spnego,krb5"]
             for a in auth_options2:
                 binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
 
-                plantestsuite("samba3.blackbox.rpcclient over kerberos with ncacn_np with [%s%s%s%s] " % (a, s, z, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
+                plantestsuite("samba3.blackbox.rpcclient krb5 ncacn_np with [%s%s%s%s] " % (a, s, z, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
                                                                                                                                   "$PREFIX/ktest/krb5_ccache-3", binding_string, "-k", configuration])
 
 
+if have_ads_support:
+    options_list = ["", "-E"]
+    for options in options_list:
+        plantestsuite("samba3.blackbox.smbclient_krb5 old ccache %s" % options, "ktest:local", 
+                      [os.path.join(samba3srcdir, "script/tests/test_smbclient_krb5.sh"),
+                       "$PREFIX/ktest/krb5_ccache-2", 
+                       binpath('smbclient3'), "$SERVER", options, configuration])
 
-    for e in endianness_options:
-        for a in auth_options:
-            for s in signseal_options:
-                binding_string = "ncacn_ip_tcp:$SERVER_IP[%s%s%s]" % (a, s, e)
-                options = binding_string + " -U$USERNAME%$PASSWORD"
-                plansmbtorturetestsuite(test, "s3dc", options, 'over ncacn_ip_tcp with [%s%s%s] ' % (a, s, e))
+        plantestsuite("samba3.blackbox.smbclient_krb5 %s" % options, "ktest:local", 
+                      [os.path.join(samba3srcdir, "script/tests/test_smbclient_krb5.sh"),
+                       "$PREFIX/ktest/krb5_ccache-3", 
+                       binpath('smbclient3'), "$SERVER", options, configuration])
+
+for e in endianness_options:
+    for a in auth_options:
+        for s in signseal_options:
+            binding_string = "ncacn_ip_tcp:$SERVER_IP[%s%s%s]" % (a, s, e)
+            options = binding_string + " -U$USERNAME%$PASSWORD"
+            plansmbtorturetestsuite(test, "s3dc", options, 'over ncacn_ip_tcp with [%s%s%s] ' % (a, s, e))
 
-    test = 'rpc.epmapper'
-    env = 's3dc:local'
-    binding_string = 'ncalrpc:'
-    options = binding_string + " -U$USERNAME%$PASSWORD"
+test = 'rpc.epmapper'
+env = 's3dc:local'
+binding_string = 'ncalrpc:'
+options = binding_string + " -U$USERNAME%$PASSWORD"
 
-    plansmbtorturetestsuite(test, env, options, 'over ncalrpc')
+plansmbtorturetestsuite(test, env, options, 'over ncalrpc')
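
Review bot: in the new smbclient_krb5 block the raw option string is formatted into the suite name, so the "" case is registered as "samba3.blackbox.smbclient_krb5 " with a trailing space and the encrypted case is identified only by "-E". Iterating over (label, option) pairs, for example ("plain", "") and ("encrypted", "-E"), gives stable and readable names and avoids passing an empty string as an element of the command list. The comment "We should try more combinations in future" now sits under "if have_ads_support:" and should say which combinations the pre-calculated ccache files actually cover.
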


-- 
Samba Shared Repository

