[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Tue Feb 23 03:51:03 UTC 2016


The branch, master has been updated
       via  fb0d624 torture:smb2: improve torture_comments in connect test
       via  78d7b23 torture:smb2: fix memory leak in connect test.
       via  4d9484e torture:smb2: rewrite connect test to use torture_asserts for create errors
       via  358c09b torture:smb2: rewrite connect test to use torture_asserts
       via  def483c winbindd: move a variable into scope
       via  b3931af s3-kerberos: avoid entering a password change dialogue also when using MIT.
      from  f6f43c4 winbind: Remove unused WINBINDD_UID_TO_SID

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fb0d6244278baa97c35101480b18640796f86bf1
Author: Michael Adam <obnox at samba.org>
Date:   Tue Feb 23 00:27:11 2016 +0100

    torture:smb2: improve torture_comments in connect test
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Feb 23 04:50:53 CET 2016 on sn-devel-144

commit 78d7b23f2f55ebdc3ed2a2abdd68a294a8ef99f7
Author: Michael Adam <obnox at samba.org>
Date:   Mon Feb 22 23:23:13 2016 +0100

    torture:smb2: fix memory leak in connect test.
    
    Signed-off-by: Michael Adam <obnox at samba.org>

commit 4d9484e7c40cb3c3517538348fda521dafcd2f9a
Author: Michael Adam <obnox at samba.org>
Date:   Mon Feb 22 16:22:14 2016 +0100

    torture:smb2: rewrite connect test to use torture_asserts for create errors
    
    let torture_smb2_createfile propagate errors
    
    Signed-off-by: Michael Adam <obnox at samba.org>

commit 358c09b899f62b6f9ac9693b9101639c0cde8d3f
Author: Michael Adam <obnox at samba.org>
Date:   Mon Feb 22 14:32:44 2016 +0100

    torture:smb2: rewrite connect test to use torture_asserts
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit def483c81536be8bf49f27c536fb37bef3e0930e
Author: Michael Adam <obnox at samba.org>
Date:   Mon Feb 22 15:18:26 2016 +0100

    winbindd: move a variable into scope
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit b3931af2df293a9cb75f21cdb5555fb6725dff34
Author: Günther Deschner <gd at samba.org>
Date:   Mon Feb 15 12:58:07 2016 +0100

    s3-kerberos: avoid entering a password change dialogue also when using MIT.
    
    Without this fix, for accounts with an expired password, a password change
    process is initiated and - due to the prompter - this fails with a confusing
    error message:
    
    "kerberos_kinit_password Administrator at W2K12DOM.BER.REDHAT.COM failed: Password
    mismatch
    Failed to join domain: failed to connect to AD: Password mismatch"
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/kerberos.c        | 59 +++++++++++++++-----------
 source3/winbindd/winbindd_misc.c |  2 +-
 source4/torture/smb2/connect.c   | 89 ++++++++++++++++------------------------
 wscript_configure_system_mitkrb5 |  1 +
 4 files changed, 73 insertions(+), 78 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 9a7a1e7..4774a9f 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data,
 	       krb5_prompt prompts[])
 {
 	if (num_prompts == 0) return 0;
-#if HAVE_KRB5_PROMPT_TYPE
-
-	/*
-	 * only heimdal has a prompt type and we need to deal with it here to
-	 * avoid loops.
-	 *
-	 * removing the prompter completely is not an option as at least these
-	 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
-	 * version have looping detection and return with a proper error code.
-	 */
-
-	if ((num_prompts == 2) &&
-	    (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
-	    (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+	if (num_prompts == 2) {
 		/*
-		 * We don't want to change passwords here. We're
-		 * called from heimal when the KDC returns
-		 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
-		 * have the chance to ask the user for a new
-		 * password. If we return 0 (i.e. success), we will be
-		 * spinning in the endless for-loop in
-		 * change_password() in
-		 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+		 * only heimdal has a prompt type and we need to deal with it here to
+		 * avoid loops.
+		 *
+		 * removing the prompter completely is not an option as at least these
+		 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
+		 * version have looping detection and return with a proper error code.
 		 */
-		return KRB5KDC_ERR_KEY_EXPIRED;
+
+#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
+		 if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+		     prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+			/*
+			 * We don't want to change passwords here. We're
+			 * called from heimal when the KDC returns
+			 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+			 * have the chance to ask the user for a new
+			 * password. If we return 0 (i.e. success), we will be
+			 * spinning in the endless for-loop in
+			 * change_password() in
+			 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+			 */
+			return KRB5KDC_ERR_KEY_EXPIRED;
+		}
+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
+		krb5_prompt_type *prompt_types = NULL;
+
+		prompt_types = krb5_get_prompt_types(ctx);
+		if (prompt_types != NULL) {
+			if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+			    prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+				return KRB5KDC_ERR_KEY_EXP;
+			}
+		}
+#endif
 	}
-#endif /* HAVE_KRB5_PROMPT_TYPE */
+
 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 	if (prompts[0].reply->length > 0) {
 		if (data) {
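Review bot: The block comment now at the top of `if (num_prompts == 2)` still says "only heimdal has a prompt type", which the new `#elif defined(HAVE_KRB5_GET_PROMPT_TYPES)` branch contradicts, and the MIT branch has no explanation of its own. I would reword the opening to something like `/* Heimdal (prompts[].type) and MIT (krb5_get_prompt_types()) both expose the prompt type; use it to refuse new-password prompts. */` and add a one-line comment above `return KRB5KDC_ERR_KEY_EXP;` saying it is MIT's name for the code returned in the Heimdal branch. When neither macro is defined, a new-password prompt pair still falls through to the reply-filling code below, which appears to be the path behind the "Password mismatch" failure quoted in the commit message; a comment saying so would help anyone building against another Kerberos library. The Heimdal `if` is also indented tab-tab-space, and kerb_prompter's body continues past the hunk.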
diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
index 29831aa..3e024c9 100644
--- a/source3/winbindd/winbindd_misc.c
+++ b/source3/winbindd/winbindd_misc.c
@@ -88,7 +88,6 @@ static bool trust_is_transitive(struct winbindd_tdc_domain *domain)
 void winbindd_list_trusted_domains(struct winbindd_cli_state *state)
 {
 	struct winbindd_tdc_domain *dom_list = NULL;
-	struct winbindd_tdc_domain *d = NULL;
 	size_t num_domains = 0;
 	int extra_data_len = 0;
 	char *extra_data = NULL;
@@ -111,6 +110,7 @@ void winbindd_list_trusted_domains(struct winbindd_cli_state *state)
 	for ( i = 0; i < num_domains; i++ ) {
 		struct winbindd_domain *domain;
 		bool is_online = true;		
+		struct winbindd_tdc_domain *d = NULL;
 
 		d = &dom_list[i];
 		domain = find_domain_from_name_noinit(d->domain_name);
diff --git a/source4/torture/smb2/connect.c b/source4/torture/smb2/connect.c
index 0067de0..6340430 100644
--- a/source4/torture/smb2/connect.c
+++ b/source4/torture/smb2/connect.c
@@ -90,7 +90,7 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre
 
 	status = smb2_write(tree, &w);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("write failed - %s\n", nt_errstr(status));
+		printf("write 1 failed - %s\n", nt_errstr(status));
 		return status;
 	}
 
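Review bot: Both failure messages in torture_smb2_write still go through `printf` even though the function receives `tctx`, so they bypass the torture framework's output handling that the rest of this series moves to. `torture_comment(tctx, "write 1 failed - %s\n", nt_errstr(status));` would keep the NTSTATUS return and route the text through the test context. The same applies to the "write 2" message in the next hunk. The function body starts and ends outside these hunks.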
@@ -98,7 +98,7 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre
 
 	status = smb2_write(tree, &w);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("write failed - %s\n", nt_errstr(status));
+		printf("write 2 failed - %s\n", nt_errstr(status));
 		return status;
 	}
 
@@ -137,8 +137,9 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre
 /*
   send a create
 */
-static struct smb2_handle torture_smb2_createfile(struct smb2_tree *tree, 
-					      const char *fname)
+static NTSTATUS torture_smb2_createfile(struct smb2_tree *tree,
+					const char *fname,
+					struct smb2_handle *handle)
 {
 	struct smb2_create io;
 	NTSTATUS status;
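Review bot: The header comment above torture_smb2_createfile still reads only "send a create" and does not describe the new out-parameter contract. From the two later hunks of this function, `*handle` is written only on the success path and left untouched when smb2_create fails, so I would extend the comment to say `returns NT_STATUS_OK and fills *handle on success; on failure *handle is not modified`. The failure path uses `TALLOC_FREE(tmp_ctx)` while the success path keeps `talloc_free(tmp_ctx)`; using one form for both would read more consistently. The middle of the function body is outside the visible hunks.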
@@ -158,8 +159,8 @@ static struct smb2_handle torture_smb2_createfile(struct smb2_tree *tree,
 
 	status = smb2_create(tree, tmp_ctx, &io);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("create1 failed - %s\n", nt_errstr(status));
-		return io.out.file.handle;
+		TALLOC_FREE(tmp_ctx);
+		return status;
 	}
 
 	if (DEBUGLVL(1)) {
@@ -179,8 +180,10 @@ static struct smb2_handle torture_smb2_createfile(struct smb2_tree *tree,
 	}
 
 	talloc_free(tmp_ctx);
-	
-	return io.out.file.handle;
+
+	*handle = io.out.file.handle;
+
+	return NT_STATUS_OK;
 }
 
 
@@ -194,74 +197,54 @@ bool torture_smb2_connect(struct torture_context *torture)
 	struct smb2_request *req;
 	struct smb2_handle h1, h2;
 	NTSTATUS status;
+	bool ok;
 
-	if (!torture_smb2_connection(torture, &tree)) {
-		return false;
-	}
+	ok = torture_smb2_connection(torture, &tree);
+	torture_assert(torture, ok, "torture_smb2_connection failed");
 
 	smb2_util_unlink(tree, "test9.dat");
 
-	h1 = torture_smb2_createfile(tree, "test9.dat");
-	h2 = torture_smb2_createfile(tree, "test9.dat");
+	status = torture_smb2_createfile(tree, "test9.dat", &h1);
+	torture_assert_ntstatus_ok(torture, status, "create failed");
+
+	status = torture_smb2_createfile(tree, "test9.dat", &h2);
+	torture_assert_ntstatus_ok(torture, status, "create failed");
+
 	status = torture_smb2_write(torture, tree, h1);
-	if (!NT_STATUS_IS_OK(status)) {
-		printf("Write failed - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_ok(torture, status, "write failed");
+
 	status = torture_smb2_close(tree, h1);
-	if (!NT_STATUS_IS_OK(status)) {
-		printf("Close failed - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_ok(torture, status, "close failed");
+
 	status = torture_smb2_close(tree, h2);
-	if (!NT_STATUS_IS_OK(status)) {
-		printf("Close failed - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_ok(torture, status, "close failed");
 
 	status = smb2_util_close(tree, h1);
-	if (!NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) {
-		printf("close should have closed the handle - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_equal(torture, status, NT_STATUS_FILE_CLOSED,
+				      "close should have closed the handle");
 
 	status = smb2_tdis(tree);
-	if (!NT_STATUS_IS_OK(status)) {
-		printf("tdis failed - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_ok(torture, status, "tdis failed");
 
 	status = smb2_tdis(tree);
-	if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED)) {
-		printf("tdis should have disabled session - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_equal(torture, status,
+				      NT_STATUS_NETWORK_NAME_DELETED,
+				      "tdis should have closed the tcon");
 
  	status = smb2_logoff(tree->session);
-	if (!NT_STATUS_IS_OK(status)) {
-		printf("Logoff failed - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_ok(torture, status, "logoff failed");
 
 	req = smb2_logoff_send(tree->session);
-	if (!req) {
-		printf("smb2_logoff_send() failed\n");
-		return false;
-	}
+	torture_assert_not_null(torture, req, "smb2_logoff_send failed");
 
 	req->session = NULL;
 
 	status = smb2_logoff_recv(req);
-	if (!NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
-		printf("Logoff should have disabled session - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_equal(torture, status, NT_STATUS_USER_SESSION_DELETED,
+				      "logoff should have disabled session");
 
 	status = smb2_keepalive(tree->session->transport);
-	if (!NT_STATUS_IS_OK(status)) {
-		printf("keepalive failed? - %s\n", nt_errstr(status));
-		return false;
-	}
+	torture_assert_ntstatus_ok(torture, status, "keepalive failed");
 
 	talloc_free(mem_ctx);
 
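Review bot: Every `torture_assert*` in torture_smb2_connect returns from the function as soon as it fails, so a failure after the first create skips `talloc_free(mem_ctx)` at the end and leaves h1/h2 open and test9.dat on the share. The removed `return false` paths had the same gap, so this is not a regression, but the conversion is the natural place to close it: use the `_goto` forms, e.g. `torture_assert_ntstatus_ok_goto(torture, status, ret, done, "write failed");`, with a `done:` label in front of `talloc_free(mem_ctx);` and `return ret;`. The two creates and the two closes also share one message each ("create failed", "close failed"), so a failure report does not say which call it was. The allocation of mem_ctx and the end of the function are outside the hunk.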
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 4b3a69f..9c1ad8f 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -115,6 +115,7 @@ conf.CHECK_FUNCS('''
        krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type
        krb5_principal_set_type
        krb5_warnx
+       krb5_get_prompt_types
        ''',
      lib='krb5 k5crypto')
 conf.CHECK_DECLS('''krb5_get_credentials_for_user


-- 
Samba Shared Repository


