[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Mar 17 19:44:03 UTC 2016


The branch, master has been updated
       via  c06058a s3-auth: check for return code of cli_credentials_set_machine_account().
       via  fe93a09 s4-smb_server: check for return code of cli_credentials_set_machine_account().
       via  31f07d0 s4:rpc_server: require access to the machine account credentials
       via  57946ac auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
       via  cc3dea5 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
       via  733ccd1 s4:torture/rpc/schannel: don't use validation level 6 without privacy
       via  5058168 s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
       via  050a1d0 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
       via  26e5ef6 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
       via  1a7d8b8 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
       via  f9a1915 s3:test_rpcclient_samlogon.sh: test samlogon with schannel
       via  2c36501 s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
       via  b00c38a selftest: setup information of new samba.example.com CA in the client environment
       via  b2c0f71 selftest: set tls crlfile if it exist
       via  c321a59 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
       via  a6447fd selftest: add Samba::prepare_keyblobs() helper function
       via  2a96885 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
       via  1928f08 selftest: add CA-samba.example.com binary files (currently unused by Samba)
       via  520c85a selftest: add CA-samba.example.com (non-binary) files
       via  bdc1f03 selftest: add config and script to create a samba.example.com CA
       via  b0bdbee selftest: add some helper scripts to mange a CA
       via  c561a42 selftest: s!addc.samba.example.com!addom.samba.example.com!
      from  bcb6714 ctdb-tests: Add a utility to parse ctdb packets

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c06058a99be4cf3ad3431dc263d4595ffc226fcf
Author: Günther Deschner <gd at samba.org>
Date:   Sat Sep 26 02:20:50 2015 +0200

    s3-auth: check for return code of cli_credentials_set_machine_account().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144

commit fe93a09889a854d7c93f9b349d5794bdbb9403ba
Author: Günther Deschner <gd at samba.org>
Date:   Sat Sep 26 02:18:44 2015 +0200

    s4-smb_server: check for return code of cli_credentials_set_machine_account().
    
    We keep anonymous server_credentials structure in order to let
    the rpc.spoolss.notify start its test server.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 31f07d05629bc05ef99edc86ad2a3e95ec8599f1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 26 08:10:46 2015 +0200

    s4:rpc_server: require access to the machine account credentials
    
    Even a standalone server should be selfjoined.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 57946ac7c19c4e9bd8893c3acb9daf7c4bd02159
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 15 15:08:43 2015 +0100

    auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
    
    We only need this logic once.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit cc3dea5a8104eef2cfd1f8c05e25da186c334320
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 10 13:01:47 2015 +0200

    auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
    
    ops->auth_type == 0, means the backend doesn't support DCERPC.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 733ccd13209c20f8e76ae7b47e1741791c1cd6ba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 11 02:55:30 2016 +0100

    s4:torture/rpc/schannel: don't use validation level 6 without privacy
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 50581689d924032de1765ec884dbd160652888be
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 11 18:09:26 2016 +0100

    s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 050a1d0653716fd7c166d35a7236a014bf1d1516
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 14 01:56:07 2016 +0100

    s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 26e5ef68188d2e44d42f75ed6aabf2557c9ce5ce
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 10 17:24:03 2016 +0100

    s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 1a7d8b8602a687ff6eef45f15f597694e94e14b1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 22 12:10:12 2015 +0100

    s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
    
    This creates a schannel connection to netlogon, this makes the tests
    more realistic.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit f9a1915238dc7a573c58dd8c7bac3637689af265
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 22 09:13:46 2015 +0100

    s3:test_rpcclient_samlogon.sh: test samlogon with schannel
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 2c36501640207604a5c66fb582c2d5981619147e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 18 07:10:06 2015 +0100

    s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit b00c38afc6203f1e1f566db31a63cedba632dfab
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 21:21:25 2016 +0100

    selftest: setup information of new samba.example.com CA in the client environment
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit b2c0f71db026353060ad47fd0a85241a3df8c703
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 21:21:25 2016 +0100

    selftest: set tls crlfile if it exist
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit c321a59f267d1a997eff6f864a79437ef759adeb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 21:21:25 2016 +0100

    selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit a6447fd6d010b525d235b894d5be62c807922cb5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 21:21:25 2016 +0100

    selftest: add Samba::prepare_keyblobs() helper function
    
    This copies the certificates from the samba.example.com CA if they
    exist.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 2a96885ac706ae3e7c6fd7aaff0215f3f171bc27
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 01:06:05 2016 +0100

    selftest: mark commands in manage-CA-samba.example.com.sh as DONE
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 1928f081067079b945354dc2caf21d3fe8a5e2a2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 01:09:31 2016 +0100

    selftest: add CA-samba.example.com binary files (currently unused by Samba)
    
    This patch can be skipped, when it causes problems with tools like 'patch'.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 520c85a15fa1f4718e2e793303327abea22db149
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 01:09:31 2016 +0100

    selftest: add CA-samba.example.com (non-binary) files
    
    The binary files will follow in the next, this allows the next
    commit to be skipped as the binary files are not used by samba yet.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit bdc1f036a8a66256afe8dc88f8a9dc47655640bd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 01:08:02 2016 +0100

    selftest: add config and script to create a samba.example.com CA
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit b0bdbeeef44259782c9941b5cfff7d4925e1f2f2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 9 01:06:05 2016 +0100

    selftest: add some helper scripts to mange a CA
    
    This is partly based on the SmartCard HowTo from:
    https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit c561a42ff68bc4561147839e3a65951924f6af21
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 16 13:57:47 2016 +0100

    selftest: s!addc.samba.example.com!addom.samba.example.com!
    
    It's confusing to have addc.samba.example.com as domain name
    and addc.addc.samba.example.com as hostname.
    
    We now have addom.samba.example.com as domain name
    and addc.addom.samba.example.com as hostname.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec.c                               | 103 +++---
 auth/gensec/gensec_start.c                         |   8 +-
 .../DC-addc.addom.samba.example.com-S02-cert.cer   | Bin 0 -> 2552 bytes
 .../DC-addc.addom.samba.example.com-S02-cert.pem   | 191 ++++++++++
 .../DC-addc.addom.samba.example.com-S02-key.pem    |  54 +++
 ...DC-addc.addom.samba.example.com-S02-openssl.cnf | 250 +++++++++++++
 ...ddc.addom.samba.example.com-S02-private-key.pem |  51 +++
 ...DC-addc.addom.samba.example.com-S02-private.p12 | Bin 0 -> 5309 bytes
 .../DC-addc.addom.samba.example.com-S02-req.pem    |  30 ++
 .../DC-addc.addom.samba.example.com-cert.pem       |   1 +
 ...DC-addc.addom.samba.example.com-private-key.pem |   1 +
 .../DC-localdc.samba.example.com-S00-cert.cer      | Bin 0 -> 2543 bytes
 .../DC-localdc.samba.example.com-S00-cert.pem      | 190 ++++++++++
 .../DC-localdc.samba.example.com-S00-key.pem       |  54 +++
 .../DC-localdc.samba.example.com-S00-openssl.cnf   | 250 +++++++++++++
 ...C-localdc.samba.example.com-S00-private-key.pem |  51 +++
 .../DC-localdc.samba.example.com-S00-private.p12   | Bin 0 -> 5293 bytes
 .../DC-localdc.samba.example.com-S00-req.pem       |  30 ++
 .../DC-localdc.samba.example.com-cert.pem          |   1 +
 .../DC-localdc.samba.example.com-private-key.pem   |   1 +
 .../manage-ca/CA-samba.example.com/NewCerts/00.pem | 190 ++++++++++
 .../manage-ca/CA-samba.example.com/NewCerts/01.pem | 169 +++++++++
 .../manage-ca/CA-samba.example.com/NewCerts/02.pem | 191 ++++++++++
 .../manage-ca/CA-samba.example.com/NewCerts/03.pem | 169 +++++++++
 .../Private/CA-samba.example.com-crlnumber.txt     |   1 +
 .../Private/CA-samba.example.com-crlnumber.txt.old |   1 +
 .../Private/CA-samba.example.com-index.txt         |   4 +
 .../Private/CA-samba.example.com-index.txt.attr    |   1 +
 .../CA-samba.example.com-index.txt.attr.old        |   1 +
 .../Private/CA-samba.example.com-index.txt.old     |   3 +
 .../Private/CA-samba.example.com-openssl.cnf       | 203 +++++++++++
 .../Private/CA-samba.example.com-private-key.pem   | 102 ++++++
 .../Private/CA-samba.example.com-serial.txt        |   1 +
 .../Private/CA-samba.example.com-serial.txt.old    |   1 +
 .../Public/CA-samba.example.com-cert.cer           | Bin 0 -> 2880 bytes
 .../Public/CA-samba.example.com-cert.pem           |  62 ++++
 .../Public/CA-samba.example.com-crl.crl            | Bin 0 -> 1401 bytes
 .../Public/CA-samba.example.com-crl.pem            |  32 ++
 ...inistrator at addom.samba.example.com-S03-cert.cer | Bin 0 -> 2335 bytes
 ...inistrator at addom.samba.example.com-S03-cert.pem | 169 +++++++++
 ...ministrator at addom.samba.example.com-S03-key.pem |  30 ++
 ...strator at addom.samba.example.com-S03-openssl.cnf | 242 +++++++++++++
 ...tor at addom.samba.example.com-S03-private-key.pem |  27 ++
 ...strator at addom.samba.example.com-S03-private.p12 | Bin 0 -> 3933 bytes
 ...ministrator at addom.samba.example.com-S03-req.pem |  19 +
 ...-administrator at addom.samba.example.com-cert.pem |   1 +
 ...strator at addom.samba.example.com-private-key.pem |   1 +
 ...ER-administrator at samba.example.com-S01-cert.cer | Bin 0 -> 2305 bytes
 ...ER-administrator at samba.example.com-S01-cert.pem | 169 +++++++++
 ...SER-administrator at samba.example.com-S01-key.pem |  30 ++
 ...administrator at samba.example.com-S01-openssl.cnf | 242 +++++++++++++
 ...nistrator at samba.example.com-S01-private-key.pem |  27 ++
 ...administrator at samba.example.com-S01-private.p12 | Bin 0 -> 3909 bytes
 ...SER-administrator at samba.example.com-S01-req.pem |  19 +
 .../USER-administrator at samba.example.com-cert.pem  |   1 +
 ...administrator at samba.example.com-private-key.pem |   1 +
 selftest/manage-ca/manage-CA-samba.example.com.cnf |  21 ++
 selftest/manage-ca/manage-CA-samba.example.com.sh  |  18 +
 selftest/manage-ca/manage-ca.sh                    | 387 +++++++++++++++++++++
 .../manage-CA-example.com.cnf                      |  17 +
 .../openssl-BASE-template.cnf                      | 201 +++++++++++
 .../manage-ca.templates.d/openssl-CA-template.cnf  |   2 +
 .../manage-ca.templates.d/openssl-DC-template.cnf  |  49 +++
 .../openssl-USER-template.cnf                      |  41 +++
 selftest/selftest.pl                               |  39 +++
 selftest/target/Samba.pm                           | 105 ++++++
 selftest/target/Samba4.pm                          | 223 +-----------
 source3/auth/auth_samba4.c                         |   4 +-
 source3/script/tests/test_rpcclient_samlogon.sh    |  11 +-
 source3/selftest/tests.py                          |   4 +-
 source4/rpc_server/dcesrv_auth.c                   |   8 +-
 source4/smb_server/smb/negprot.c                   |   6 +-
 source4/smb_server/smb2/negprot.c                  |   6 +-
 source4/torture/rpc/forest_trust.c                 |  12 +-
 source4/torture/rpc/lsa.c                          |  14 +-
 source4/torture/rpc/netlogon.c                     | 100 +++++-
 source4/torture/rpc/netlogon.h                     |   7 +
 source4/torture/rpc/remote_pac.c                   |  34 +-
 source4/torture/rpc/samlogon.c                     |   3 +-
 source4/torture/rpc/samr.c                         |   3 +-
 source4/torture/rpc/schannel.c                     |  27 +-
 81 files changed, 4388 insertions(+), 329 deletions(-)
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private.p12
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.cer
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private.p12
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.cer
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.crl
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-cert.cer
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-private.p12
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.cer
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private.p12
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
 create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
 create mode 100755 selftest/manage-ca/manage-ca.sh
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 9fd5f25..e3b1352 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -217,6 +217,50 @@ _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
 	return gensec_security->max_update_size;
 }
 
+static NTSTATUS gensec_verify_dcerpc_auth_level(struct gensec_security *gensec_security)
+{
+	if (gensec_security->dcerpc_auth_level == 0) {
+		return NT_STATUS_OK;
+	}
+
+	/*
+	 * Because callers using the
+	 * gensec_start_mech_by_auth_type() never call
+	 * gensec_want_feature(), it isn't sensible for them
+	 * to have to call gensec_have_feature() manually, and
+	 * these are not points of negotiation, but are
+	 * asserted by the client
+	 */
+	switch (gensec_security->dcerpc_auth_level) {
+	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+			DEBUG(0,("Did not manage to negotiate mandetory feature "
+				 "SIGN for dcerpc auth_level %u\n",
+				 gensec_security->dcerpc_auth_level));
+			return NT_STATUS_ACCESS_DENIED;
+		}
+		break;
+	case DCERPC_AUTH_LEVEL_PRIVACY:
+		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+			DEBUG(0,("Did not manage to negotiate mandetory feature "
+				 "SIGN for dcerpc auth_level %u\n",
+				 gensec_security->dcerpc_auth_level));
+			return NT_STATUS_ACCESS_DENIED;
+		}
+		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+			DEBUG(0,("Did not manage to negotiate mandetory feature "
+				 "SEAL for dcerpc auth_level %u\n",
+				 gensec_security->dcerpc_auth_level));
+			return NT_STATUS_ACCESS_DENIED;
+		}
+		break;
+	default:
+		break;
+	}
+
+	return NT_STATUS_OK;
+}
+
 _PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
 				   TALLOC_CTX *out_mem_ctx,
 				   struct tevent_context *ev,
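Review bot: In the new gensec_verify_dcerpc_auth_level(), the DCERPC_AUTH_LEVEL_INTEGRITY and DCERPC_AUTH_LEVEL_PRIVACY cases repeat the same GENSEC_FEATURE_SIGN check and DEBUG message verbatim. Since the code is being moved anyway, check SIGN once for both levels and SEAL only for PRIVACY. The leading `if (gensec_security->dcerpc_auth_level == 0)` early return is already covered by the `default:` branch of the switch, so it can go or should get a comment saying what level 0 means here. The DEBUG strings also carry over the misspelling "mandetory"; correcting it in the same move is cheap, provided no log matching depends on the old text.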
@@ -261,31 +305,9 @@ _PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
 		 * these are not points of negotiation, but are
 		 * asserted by the client
 		 */
-		switch (gensec_security->dcerpc_auth_level) {
-		case DCERPC_AUTH_LEVEL_INTEGRITY:
-			if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-				DEBUG(0,("Did not manage to negotiate mandetory feature "
-					 "SIGN for dcerpc auth_level %u\n",
-					 gensec_security->dcerpc_auth_level));
-				return NT_STATUS_ACCESS_DENIED;
-			}
-			break;
-		case DCERPC_AUTH_LEVEL_PRIVACY:
-			if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-				DEBUG(0,("Did not manage to negotiate mandetory feature "
-					 "SIGN for dcerpc auth_level %u\n",
-					 gensec_security->dcerpc_auth_level));
-				return NT_STATUS_ACCESS_DENIED;
-			}
-			if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-				DEBUG(0,("Did not manage to negotiate mandetory feature "
-					 "SEAL for dcerpc auth_level %u\n",
-					 gensec_security->dcerpc_auth_level));
-				return NT_STATUS_ACCESS_DENIED;
-			}
-			break;
-		default:
-			break;
+		status = gensec_verify_dcerpc_auth_level(gensec_security);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
 		}
 
 		return NT_STATUS_OK;
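Review bot: The added `if (!NT_STATUS_IS_OK(status)) { return status; }` is immediately followed by `return NT_STATUS_OK;`, so this branch can simply end with `return gensec_verify_dcerpc_auth_level(gensec_security);`. The hunk assigns `status` without adding a declaration, so it reuses a variable already in scope; returning the helper's result directly also avoids overwriting whatever that variable held.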
@@ -458,34 +480,9 @@ static void gensec_update_subreq_done(struct tevent_req *subreq)
 	 * these are not points of negotiation, but are
 	 * asserted by the client
 	 */
-	switch (state->gensec_security->dcerpc_auth_level) {
-	case DCERPC_AUTH_LEVEL_INTEGRITY:
-		if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
-			DEBUG(0,("Did not manage to negotiate mandetory feature "
-				 "SIGN for dcerpc auth_level %u\n",
-				 state->gensec_security->dcerpc_auth_level));
-			tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-			return;
-		}
-		break;
-	case DCERPC_AUTH_LEVEL_PRIVACY:
-		if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
-			DEBUG(0,("Did not manage to negotiate mandetory feature "
-				 "SIGN for dcerpc auth_level %u\n",
-				 state->gensec_security->dcerpc_auth_level));
-			tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-			return;
-		}
-		if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
-			DEBUG(0,("Did not manage to negotiate mandetory feature "
-				 "SEAL for dcerpc auth_level %u\n",
-				 state->gensec_security->dcerpc_auth_level));
-			tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-			return;
-		}
-		break;
-	default:
-		break;
+	status = gensec_verify_dcerpc_auth_level(state->gensec_security);
+	if (tevent_req_nterror(req, status)) {
+		return;
 	}
 
 	tevent_req_done(req);
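Review bot: The explanatory comment kept above the new call (ending "asserted by the client") is now duplicated word for word inside gensec_verify_dcerpc_auth_level(); keep it in the helper and drop or shorten it here so the two copies cannot drift apart. The success path relies on tevent_req_nterror() returning false for NT_STATUS_OK so that tevent_req_done(req) is still reached, which is the usual tevent idiom and is fine as written.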
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index bb9cd18..4c43519 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -234,7 +234,13 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
 	int i;
 	const struct gensec_security_ops **backends;
 	const struct gensec_security_ops *backend;
-	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+	TALLOC_CTX *mem_ctx;
+
+	if (auth_type == DCERPC_AUTH_TYPE_NONE) {
+		return NULL;
+	}
+
+	mem_ctx = talloc_new(gensec_security);
 	if (!mem_ctx) {
 		return NULL;
 	}
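Review bot: The new `if (auth_type == DCERPC_AUTH_TYPE_NONE) { return NULL; }` guard has no comment explaining why it is needed. The reasoning from the commit message (ops->auth_type == 0 means the backend doesn't support DCERPC) belongs next to the check, since the guard presumably exists so that a lookup for type 0 does not return such a backend, and that is not obvious from these lines alone. Moving talloc_new() below the guard is correct, as it avoids allocating a context on the early return.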
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer
new file mode 100644
index 0000000..15001a3
Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer differ
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
new file mode 100644
index 0000000..2e2a8b9
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
@@ -0,0 +1,191 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com at samba.example.com
+        Validity
+            Not Before: Mar 16 23:29:25 2016 GMT
+            Not After : Mar 11 23:29:25 2036 GMT
+        Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com at samba.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:a6:c4:a9:bf:75:ea:4c:8d:3b:fd:8a:0f:b0:a2:
+                    b6:c7:a8:1f:e4:0e:3e:41:ef:d6:10:48:77:7b:4e:
+                    4c:59:e1:bf:6d:c7:18:7b:a8:01:a7:d5:d2:2c:21:
+                    3e:d0:1a:da:58:03:e8:42:f1:53:0e:a7:91:b9:2c:
+                    b9:e7:7a:c9:de:5e:ed:4c:93:6b:cc:dd:17:d0:c7:
+                    d1:f1:7c:3d:0d:6f:df:5d:53:5a:b1:1f:a3:7b:5b:
+                    41:65:0c:7c:ea:53:df:bb:da:41:15:da:49:e3:b9:
+                    2d:bb:b5:af:ef:8c:b8:84:74:d0:18:16:8e:5c:e4:
+                    c2:e7:a1:87:8f:e3:87:8b:0b:bb:90:30:e8:e0:f3:
+                    eb:c0:50:5f:b5:7f:54:9a:1b:34:43:fd:be:5a:80:
+                    6e:0f:63:a2:b3:79:42:4a:85:c8:07:c7:82:55:23:
+                    88:d4:4e:03:2f:f1:95:bd:ed:15:2d:3e:16:cd:ff:
+                    c7:9b:03:29:36:a6:5d:c9:1a:1e:89:a5:ba:66:83:
+                    0f:96:a8:07:9f:24:b9:1b:8f:02:9a:b8:50:29:8b:
+                    be:63:45:fa:45:c3:38:23:a0:98:3a:b4:6b:42:99:
+                    13:36:4b:84:ef:27:89:39:34:79:f8:67:16:7b:9c:
+                    2a:03:41:15:63:46:e4:db:2f:f2:3e:6d:fe:7c:20:
+                    1e:9f:02:48:a4:bc:15:42:a6:f8:38:86:dc:6b:7c:
+                    4e:67:a3:31:81:8e:b6:30:1a:eb:3d:08:25:19:5f:
+                    42:dc:39:ec:79:1d:30:0a:fb:16:8f:3d:19:14:cc:
+                    f5:af:d7:c6:75:cf:b3:96:a2:b2:9b:d9:03:01:a3:
+                    ca:88:1d:72:ed:6f:d1:bf:57:56:8e:b9:07:9b:b9:
+                    04:13:1e:0b:5a:06:6b:2b:43:a2:dc:d5:b7:f4:ba:
+                    d3:ae:9d:ad:fd:d3:8a:7c:2f:87:32:fa:89:88:58:
+                    00:ae:16:2b:9c:1d:58:82:4d:e5:21:da:d5:6c:f7:
+                    a8:40:8b:c7:02:d5:36:30:ef:3f:09:9b:a6:d2:31:
+                    a3:bf:20:d4:a2:9e:26:c4:b4:c3:0f:0b:6c:00:d1:
+                    2c:16:b1:2a:eb:06:d9:d5:98:c3:cd:cb:20:68:ad:
+                    0a:2c:a1:2f:27:41:5c:91:de:49:62:ed:d8:3a:ef:
+                    68:1c:6d:fe:94:c3:28:68:32:60:08:65:cd:02:9f:
+                    97:96:2f:0f:87:27:3d:b9:0f:85:62:e8:2b:9a:b4:
+                    f4:d3:d7:c1:93:96:27:23:29:88:b1:39:99:53:3a:
+                    20:aa:88:44:3b:4a:24:2a:8b:e0:b4:8d:dd:66:30:
+                    df:a6:6e:b7:fc:21:43:16:9e:3e:12:20:c8:7a:30:
+                    c1:3d:ab
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                Domain Controller Certificate addc.addom.samba.example.com
+            X509v3 Subject Key Identifier: 
+                3D:BC:70:0C:74:D4:B8:85:49:1D:08:84:C4:1B:27:F2:AF:72:37:D3
+            X509v3 Authority Key Identifier: 
+                keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+            X509v3 Subject Alternative Name: 
+                DNS:addc.addom.samba.example.com, othername:<unsupported>
+            X509v3 Issuer Alternative Name: 
+                email:ca-samba.example.com at samba.example.com
+            Netscape CA Revocation Url: 
+                http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication, msKDC
+    Signature Algorithm: sha256WithRSAEncryption
+         9e:8b:bb:0a:7a:dc:c0:94:33:bc:18:a5:e6:4a:1f:ff:8e:21:
+         b1:8f:33:f0:3e:8b:6c:72:55:c4:47:71:5f:ce:e7:31:ef:5b:
+         62:04:b7:57:8f:a8:27:9f:ed:69:d2:ec:a8:0d:e2:76:33:8d:
+         41:3a:67:61:5c:53:60:c7:53:ed:d7:99:72:29:1d:ae:d3:ee:
+         c9:76:1c:6d:18:47:e9:94:dd:2e:97:3f:99:af:b5:f4:a1:7c:
+         92:f6:4d:b5:c1:7a:0c:38:ba:d1:b6:19:9a:9f:e2:02:84:d4:
+         54:01:38:7b:55:86:4a:ee:3d:85:48:01:da:34:09:69:43:25:
+         7e:6e:06:73:e0:b9:7c:b5:9c:4e:9c:b5:52:85:32:62:62:25:
+         39:fa:02:4b:51:2e:df:8e:52:17:02:50:f4:99:29:bf:7e:97:
+         53:91:12:85:9a:69:62:45:59:c4:5b:3f:af:18:e6:7b:e4:86:
+         5d:f1:9e:5a:2b:3e:14:6e:7e:d4:47:24:ef:d9:a8:ec:d9:a6:
+         cb:b8:4f:1a:86:d9:43:20:41:16:15:5f:81:0d:fe:6b:31:53:
+         c1:f6:84:4c:f3:03:64:d2:e6:44:3d:7a:60:79:d7:37:6f:33:
+         de:c0:a8:b9:6e:fe:b2:79:ac:b4:53:92:b8:0a:59:2b:cc:6b:
+         37:c4:6f:c6:44:02:f7:7c:c5:c6:a6:6f:c2:ad:de:78:1e:48:
+         96:cc:fe:59:2e:53:ce:34:d6:e8:f0:56:43:30:32:90:6f:f9:
+         47:76:ab:99:63:e3:e8:a3:f3:83:98:e9:05:2b:ea:f9:f9:9d:
+         66:70:c7:2c:00:c2:9e:57:3e:31:43:50:50:c8:db:a8:2d:21:
+         4e:6f:39:c2:bd:ef:d8:47:99:27:0d:48:b2:58:f1:be:45:bd:
+         fe:c4:a2:56:fc:06:02:dc:19:33:85:53:ed:38:59:01:16:bc:
+         aa:c5:d3:4b:37:54:83:1b:e5:c1:4b:dd:34:6b:e5:d8:35:86:
+         95:e6:9f:d2:22:84:b1:e2:4f:a7:2e:4d:e6:9c:eb:db:df:42:
+         e1:b4:66:e6:58:d3:28:10:34:97:f3:9c:6b:5f:05:2c:47:2c:
+         e3:75:eb:6f:74:0a:ec:d7:1d:30:80:56:44:12:26:f6:4e:5f:
+         ff:92:f4:62:02:36:9c:62:eb:39:98:53:68:68:95:fb:94:68:
+         69:b8:3c:66:1a:ce:78:c4:cf:c4:6f:21:ac:a8:a6:f4:ab:69:
+         2a:2e:00:5d:f7:67:06:b1:4f:97:58:88:55:d8:6e:eb:a5:98:
+         50:36:21:70:3d:b0:a4:f5:3b:21:b3:1c:f5:a9:dd:c6:4a:c2:
+         89:b8:5a:b3:bc:1f:21:ce:4c:68:5f:98:d8:39:70:d2:7e:a0:
+         90:df:ad:a3:13:eb:3c:93:f6:b8:f4:d9:a7:51:b3:0d:ea:ee:
+         d4:57:aa:db:ca:7c:8a:a0:08:c3:98:9a:3a:b7:ba:2a:50:92:
+         26:c2:e3:11:ba:12:60:24:b9:59:df:62:a8:d7:4d:a3:cb:ea:
+         46:e8:39:f9:83:14:a8:5c:44:75:71:6b:7f:99:bd:68:58:d9:
+         6b:d1:cd:c7:45:95:9e:44:1e:85:35:c0:30:2b:18:aa:eb:2f:
+         93:d5:be:66:5d:70:ed:1d:04:f2:c1:1e:b5:ec:45:0c:04:f6:
+         9d:88:d3:0c:20:5e:5b:23:df:34:a1:f5:ea:b4:a1:44:c0:da:
+         d5:ea:89:e8:b5:cb:dc:f8:92:ee:ac:8d:61:ed:bf:74:2b:28:
+         79:1f:f4:9a:ff:63:bd:e6:aa:79:1d:2c:26:4a:b2:26:53:57:
+         ba:88:0e:eb:19:57:c0:10:a0:1e:81:2a:c0:56:2e:c3:2a:81:
+         bf:c1:5a:e7:48:ce:c1:6a:b9:6c:41:cc:44:a6:b8:70:e2:57:
+         0e:6d:41:d6:61:da:bf:ac:20:2c:a7:2a:67:23:98:00:ba:ce:
+         8b:a8:c2:45:66:a7:08:eb:7f:0a:b5:e7:9b:d6:f4:07:d5:b3:
+         43:cd:27:d4:fa:c9:40:8f:af:b2:36:1c:e7:44:b4:4e:cc:5a:
+         2b:73:ad:8f:c4:d9:47:a6:fb:2c:7d:1a:80:2a:55:b3:80:34:
+         6f:8e:17:27:93:05:21:40:e9:8f:bf:47:6a:52:f5:2e:b5:18:
+         d1:8c:1d:83:04:80:55:fd:21:28:dc:7c:be:c8:c1:5f:e4:40:
+         d3:13:e4:66:bf:ad:92:4e:9b:db:c1:be:a3:42:74:da:c3:2c:
+         0a:da:3f:94:14:ad:7e:de:81:c6:01:6a:f7:7a:b4:25:51:b0:
+         ab:cd:b3:3a:77:bf:c3:6b:04:44:30:73:41:ad:93:49:67:ee:
+         43:d1:96:8e:36:83:2b:1b:6c:e7:cc:3e:d6:16:b9:88:4a:ab:
+         56:c0:76:00:f6:9a:6a:8a:e3:e0:41:75:9d:3b:47:0f:c9:0a:
+         8e:9f:9c:00:92:bb:ae:d8:42:56:35:64:eb:59:13:da:2c:63:
+         83:c3:ec:68:91:b5:f3:71:85:48:54:c3:9d:a1:c8:63:f3:de:
+         5d:a5:34:a9:1e:85:2c:2c:b5:d8:a9:62:8d:26:1f:b2:9e:a7:
+         83:4d:df:69:63:b5:b7:e5:dd:e7:3b:18:e5:b3:77:df:c5:47:
+         b3:f7:8c:e7:5e:87:2e:46:e3:8f:b1:2b:9b:c6:26:2d:1a:28:
+         30:13:10:86:5b:46:87:b1:2d:12:ce:b6:fe:1c:4e:44
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
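Review bot: The Validity block (Not Before Mar 16 2016, Not After Mar 11 2036) gives this fixture a fixed expiry date, and nothing in the file says how it is reissued. Please record next to the fixture which manage-CA step regenerates it, so that a selftest failure caused by expiry of this DC certificate can be traced back here. Separately, the Subject Alternative Name line renders as `othername:<unsupported>`, so this text dump does not let a reviewer confirm what the otherName carries; a sentence in the commit message stating what it is would help.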
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
new file mode 100644
index 0000000..6f11ced
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
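Review bot: This adds the DC's private key (`-----BEGIN ENCRYPTED PRIVATE KEY-----`) to the public repository under selftest/manage-ca, and the hunk gives no indication of where its passphrase is kept. If selftest is to use this key, whatever protects it has to be available to the test suite as well, so the key should be treated as public. A short README in CA-samba.example.com/ stating that this CA and everything it issued are test-only and must never be added to a real trust store would make that explicit.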
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
new file mode 100644
index 0000000..bdd0364
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
@@ -0,0 +1,250 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME            = .
+RANDFILE        = $ENV::HOME/.rnd
+
+#CRLDISTPT       = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT       = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section     = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions        = 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca  = CA_default        # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir         = CA-samba.example.com         # Where everything is kept
+certs       = $dir/_none_certs        # Where the issued certs are kept
+crl_dir     = $dir/_none_crl          # Where the issued crl are kept
+database    = $dir/Private/CA-samba.example.com-index.txt    # database index file.
+unique_subject  = yes           # Set to 'no' to allow creation of
+                                # several certificates with same subject.
+new_certs_dir   = $dir/NewCerts     # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem   # The CA certificate
+serial      = $dir/Private/CA-samba.example.com-serial.txt       # The current serial number
+crlnumber   = $dir/Private/CA-samba.example.com-crlnumber.txt    # the current crl number
+                                # must be commented out to leave a V1 CRL
+
+#crl         = $dir/Public/CA-samba.example.com-crl.pem           # The current CRL
+crl         = $dir/Public/CA-samba.example.com-crl.crl           # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem    # The private key
+RANDFILE    = $dir/Private/CA-samba.example.com.rand        # private random number file
+
+#x509_extensions    =   # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt    = ca_default        # Subject Name options
+cert_opt    = ca_default        # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions  = crl_ext
+
+default_days    = 7300           # how long to certify for
+default_crl_days= 7300            # how long before next CRL
+default_md  = sha256            # use public key default MD
+preserve    = no                # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy      = policy_match
+
+# For the CA policy
+[ policy_match ]
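Review bot: In [ CA_default ] several comments inherited from the OpenSSL example no longer match the values beside them: the text above `crl_extensions  = crl_ext` says the option "is commented out by default to leave a V1 CRL" while it is active here and `crlnumber` is set as well, and `default_md  = sha256` still carries "# use public key default MD". Please update or drop those comments so the file states that V2 CRLs and SHA-256 are intended. `default_crl_days= 7300` also deserves a comment saying the roughly 20-year CRL lifetime is a selftest convenience, since a CRL whose nextUpdate is that far out gives clients no reason to refetch it.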


-- 
Samba Shared Repository


