[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Jan 10 16:41:02 UTC 2017
The branch, master has been updated
via e84e44c messaging: Fix dead but not cleaned-up-yet destination sockets
via e6a5e6a script/autobuild.py: try make test TESTS=samba3.*ktest for samba-systemkrb5
via 1204b44 selftest/selftest.pl: print out '[expanded] command: ' in all error cases
via 133416a selftest/selftest.pl: we don't need to call Subunit::progress_pop() twice on error
via a5db045 selftest/selftesthelpers.py: let plantestsuite() use the env name in the test name
via 3a870ba s4:gensec_gssapi: require a realm in gensec_gssapi_client_start()
via 48bcca5 s4:gensec_gssapi: the value gensec_get_target_principal() should overwrite gensec_get_target_hostname()
via 30c0706 auth/credentials: Always set the the realm if we set the principal from the ccache
via 2a2c03c auth/credentials: remove const where we always return a talloc string
via 3be1203 krb5_wrap: let smb_krb5_kinit_s4u2_ccache() work if store_creds.client and server have different realms
via ea0c35f s4:auth/gensec: remove unused dependencies to gensec_util
from 207fa23 python/schema: fix tests flapping due to oid collision
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e84e44ce923e5dc7529bb813e10a2890528a4ab0
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 10 12:30:54 2017 +0000
messaging: Fix dead but not cleaned-up-yet destination sockets
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12509
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Jan 10 17:40:58 CET 2017 on sn-devel-144
commit e6a5e6a01a3ada62a8490ae612e926738aa78a28
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 23 14:07:51 2016 +0100
script/autobuild.py: try make test TESTS=samba3.*ktest for samba-systemkrb5
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1204b4432d23556bc8af32b0388141ae555cacb2
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 29 12:35:48 2016 +0100
selftest/selftest.pl: print out '[expanded] command: ' in all error cases
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 133416a8b9eaa7b84ce6b7144a737647183ff1e0
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 29 21:45:32 2016 +0100
selftest/selftest.pl: we don't need to call Subunit::progress_pop() twice on error
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a5db045f98233ff6fda212000e23343a4ed0ab89
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 29 15:57:03 2016 +0100
selftest/selftesthelpers.py: let plantestsuite() use the env name in the test name
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3a870baee8d9dbe5359f04a108814afc27e57d46
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 29 15:20:00 2016 +0100
s4:gensec_gssapi: require a realm in gensec_gssapi_client_start()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 48bcca566ebb3a5385b15b0525d7fbdd06361e04
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 29 14:00:36 2016 +0100
s4:gensec_gssapi: the value gensec_get_target_principal() should overwrite gensec_get_target_hostname()
If gensec_get_target_principal() has a value, we no longer have to verify
the gensec_get_target_hostname() value; it can be just an IP address.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 30c07065300281e3a67197fe39ed928346480ff7
Author: Andreas Schneider <asn at samba.org>
Date: Wed Dec 21 22:17:22 2016 +0100
auth/credentials: Always set the realm if we set the principal from the ccache
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2a2c03c655e51ff83483bbde1ded36c2e679faa3
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 29 15:26:00 2016 +0100
auth/credentials: remove const where we always return a talloc string
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3be1203987de8cf1ae6f30b6e3a6904e3d46990e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 29 14:42:49 2016 +0100
krb5_wrap: let smb_krb5_kinit_s4u2_ccache() work if store_creds.client and server have different realms
As the principal in the resulting ccache may not match the realm of the
target principal, we need to store the credentials twice.
The caller uses the ccache principal's realm to construct the
search key for the target principal.
If we get administrator@SAMBADOMAIN via the NTLMSSP authentication
and want to do s4u2self/proxy, we'll get a ticket for
client realm: SAMBADOMAIN
client name: administrator
server realm: SAMBA.EXAMPLE.COM
server name: cifs/localdc
This is stored in the credential cache, but
the caller will use cifs/localdc@SAMBADOMAIN as
target_principal name when it tries to use the
cache.
So also store the ticket as:
client realm: SAMBADOMAIN
client name: administrator
server realm: SAMBADOMAIN
server name: cifs/localdc
Note that it can always happen that the target is not in the client's
realm, so we always deal with changing realm names; this is not
an s4u2self/proxy specific thing.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ea0c35fbd1e1799fc0162377ffc116cffa8659ab
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 29 17:16:22 2016 +0100
s4:auth/gensec: remove unused dependencies to gensec_util
gensec_util only contains gensec_tstream and is already a public_dep
of 'gensec' itself.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 12 +++++-----
auth/credentials/credentials.h | 6 ++---
auth/credentials/credentials_krb5.c | 20 +++++++++++++---
lib/krb5_wrap/krb5_samba.c | 24 ++++++++++++++++++++
script/autobuild.py | 2 +-
selftest/selftest.pl | 5 +++-
selftest/selftesthelpers.py | 6 ++++-
selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X | 6 +++++
selftest/wscript | 4 ++++
source3/lib/messages.c | 11 +++++++++
source4/auth/gensec/gensec_gssapi.c | 34 +++++++++++++++++++++++-----
source4/auth/gensec/wscript_build | 4 ++--
12 files changed, 111 insertions(+), 23 deletions(-)
create mode 100644 selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 06648c7..ff444e3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -193,7 +193,7 @@ _PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-_PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained)
+_PUBLIC_ char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained)
{
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred,
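Review bot: the doc comment above the new signature still says only "@retval The username set on this context" and nothing about ownership; since the point of dropping const is that the result is always a fresh talloc string on mem_ctx, add a line stating that the caller owns the returned string and may modify or talloc_free() it, so callers that previously stored the pointer as borrowed are not misled. The same applies to the other two signatures changed in this file.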
@@ -256,7 +256,7 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-_PUBLIC_ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
+_PUBLIC_ char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
enum credentials_obtained obtained;
return cli_credentials_get_principal_and_obtained(cred, mem_ctx, &obtained);
@@ -848,12 +848,12 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
* @param mem_ctx The memory context to place the result on
*/
-_PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
+_PUBLIC_ char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
{
const char *bind_dn = cli_credentials_get_bind_dn(credentials);
- const char *domain;
- const char *username;
- const char *name;
+ const char *domain = NULL;
+ const char *username = NULL;
+ char *name = NULL;
if (bind_dn) {
name = talloc_strdup(mem_ctx, bind_dn);
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 6b0d83b..50f6994 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -113,7 +113,7 @@ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
void cli_credentials_set_conf(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
-const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
+char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc);
@@ -189,7 +189,7 @@ bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
const char *bind_dn);
const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
-const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
+char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
bool cli_credentials_set_password_callback(struct cli_credentials *cred,
const char *(*password_cb) (struct cli_credentials *));
enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
@@ -257,7 +257,7 @@ bool cli_credentials_set_username_callback(struct cli_credentials *cred,
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
+char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
bool cli_credentials_set_principal(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index e974df9..a0346a2 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained,
const char **error_string)
{
-
+ bool ok;
+ char *realm;
krb5_principal princ;
krb5_error_code ret;
char *name;
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
return ret;
}
- cli_credentials_set_principal(cred, name, obtained);
-
+ ok = cli_credentials_set_principal(cred, name, obtained);
+ if (!ok) {
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+ return ENOMEM;
+ }
free(name);
+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
+ princ);
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+ if (realm == NULL) {
+ return ENOMEM;
+ }
+ ok = cli_credentials_set_realm(cred, realm, obtained);
+ SAFE_FREE(realm);
+ if (!ok) {
+ return ENOMEM;
+ }
/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
cred->ccache_obtained = obtained;
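Review bot: `name` leaks on the new `!ok` branch after cli_credentials_set_principal(): that branch frees `princ` and returns ENOMEM, but the `free(name);` only runs on the success path below it. Either add `free(name);` before the `return ENOMEM;` in that branch, or move `free(name);` directly after the cli_credentials_set_principal() call so it runs unconditionally.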
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index f8f3b16..bb0b5df 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1942,6 +1942,7 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_principal target_princ;
krb5_ccache tmp_cc;
const char *self_realm;
+ const char *client_realm = NULL;
krb5_principal blacklist_principal = NULL;
krb5_principal whitelist_principal = NULL;
@@ -2273,6 +2274,29 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
return code;
}
+ client_realm = krb5_principal_get_realm(ctx, store_creds.client);
+ if (client_realm != NULL) {
+ /*
+ * Because the CANON flag doesn't have any impact
+ * on the impersonate_principal => store_creds.client
+ * realm mapping. We need to store the credentials twice,
+ * once with the returned realm and once with the
+ * realm of impersonate_principal.
+ */
+ code = krb5_principal_set_realm(ctx, store_creds.server,
+ client_realm);
+ if (code != 0) {
+ krb5_free_cred_contents(ctx, &store_creds);
+ return code;
+ }
+
+ code = krb5_cc_store_cred(ctx, store_cc, &store_creds);
+ if (code != 0) {
+ krb5_free_cred_contents(ctx, &store_creds);
+ return code;
+ }
+ }
+
if (expire_time) {
*expire_time = (time_t) store_creds.times.endtime;
}
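Review bot: the comment in this block is a sentence fragment ("Because the CANON flag doesn't have any impact on ... realm mapping. We need to store ..."); join it into one sentence. More importantly, krb5_principal_set_realm() rewrites store_creds.server in place, so after the second krb5_cc_store_cred() the struct no longer describes the ticket as it was issued; anything after this hunk that reads store_creds.server (the visible context only reads store_creds.times) will see the client realm. A short comment saying that store_creds.server is intentionally left rewritten, or restoring the original realm after the second store, would make that explicit.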
diff --git a/script/autobuild.py b/script/autobuild.py
index 3d76130..45f449b 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -169,7 +169,7 @@ tasks = {
("make", "make -j", "text/plain"),
# we currently cannot run a full make test, a limited list of tests could be run
# via "make test TESTS=sometests"
- # ("test", "make test FAIL_IMMEDIATELY=1", "text/plain"),
+ ("test", "make test FAIL_IMMEDIATELY=1 TESTS='samba3.*ktest'", "text/plain"),
("install", "make install", "text/plain"),
("check-clean-tree", "script/clean-source-tree.sh", "text/plain"),
("clean", "make clean", "text/plain")
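Review bot: the two comment lines above the new entry still read as the reason the test line was commented out ("we currently cannot run a full make test, a limited list of tests could be run via make test TESTS=sometests"); now that the line is live, reword them to say which tests run for this system-krb5 build and why the list is restricted to samba3.*ktest.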
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index c54ea68..e1c3429 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -142,10 +142,13 @@ sub run_testsuite($$$$$)
Subunit::progress_pop();
if ($? == -1) {
- Subunit::progress_pop();
+ print "command: $cmd\n";
+ printf "expanded command: %s\n", expand_environment_strings($cmd);
Subunit::end_testsuite($name, "error", "Unable to run $cmd: $!");
exit(1);
} elsif ($? & 127) {
+ print "command: $cmd\n";
+ printf "expanded command: %s\n", expand_environment_strings($cmd);
Subunit::end_testsuite($name, "error",
sprintf("%s died with signal %d, %s coredump\n", $cmd, ($? & 127), ($? & 128) ? 'with' : 'without'));
exit(1);
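Review bot: the two-line `print "command: ..."` / `printf "expanded command: ..."` block is now copied into both error branches (and the commit message says all error cases); factor it into a small sub so the sites stay in sync. These lines also go to STDOUT via plain print, right before Subunit::end_testsuite(); if the subunit stream is being parsed from STDOUT, consider sending the diagnostics to STDERR so they do not interleave with the protocol output.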
diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py
index 1a1e080..b0ece36 100644
--- a/selftest/selftesthelpers.py
+++ b/selftest/selftesthelpers.py
@@ -67,7 +67,11 @@ def plantestsuite(name, env, cmdline):
:param cmdline: Command line to run
"""
print "-- TEST --"
- print name
+ if env == "none":
+ fullname = name
+ else:
+ fullname = "%s(%s)" % (name, env)
+ print fullname
print env
if isinstance(cmdline, list):
cmdline = " ".join(cmdline)
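Review bot: the `env == "none"` special case and the `"%s(%s)" % (name, env)` format now define the printed test name that skip and knownfail patterns match against; if other plan* helpers in this file print names the same way, factor the formatting into one helper so every suite gets an identical name and the patterns behave consistently.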
diff --git a/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X b/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X
new file mode 100644
index 0000000..9ec679d
--- /dev/null
+++ b/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X
@@ -0,0 +1,6 @@
+# GSS_KRB5_CRED_NO_CI_FLAGS_X is not available in older MIT releases (< 1.14)
+^samba3.rpc.lsa.lookupsids.krb5.*ncacn.*packet.*ktest
+^samba3.rpc.lsa.lookupsids.krb5.*ncacn.*sign.*ktest
+^samba3.blackbox.rpcclient.krb5.*ncacn.*krb5\].*ktest
+^samba3.blackbox.rpcclient.krb5.*ncacn.*packet\].*ktest
+^samba3.blackbox.rpcclient.krb5.*ncacn.*sign\].*ktest
diff --git a/selftest/wscript b/selftest/wscript
index 4a3fb4e..86deac5 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -231,6 +231,10 @@ def cmd_testonly(opt):
# FIXME REMOVE ME!
env.OPTIONS += " --use-dns-faking"
+ if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'):
+ # older MIT krb5 libraries (< 1.14) don't have
+ # GSS_KRB5_CRED_NO_CI_FLAGS_X
+ env.OPTIONS += " --exclude=${srcdir}/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X"
subunit_cache = None
# We use the full path rather than relative path to avoid problems on some platforms (ie. solaris 8).
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index 505eb66..533e869 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -626,6 +626,17 @@ int messaging_send_iov_from(struct messaging_context *msg_ctx,
unbecome_root();
}
+ if (ret == ECONNREFUSED) {
+ /*
+ * Linux returns this when a socket exists in the file
+ * system without a listening process. This is not
+ * documented in susv4 or the linux manpages, but it's
+ * easily testable. For the higher levels this is the
+ * same as "destination does not exist"
+ */
+ ret = ENOENT;
+ }
+
return ret;
}
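Review bot: mapping ECONNREFUSED to ENOENT collapses two different conditions ("no such socket" and "socket file present but nobody listening") into one, so a stale socket left by a crashed process becomes indistinguishable to callers from a destination that never existed. Consider a DEBUG line at the point of translation so stale sockets show up in logs, and state in the comment that this is Linux-specific, since another platform may report the same state with a different errno that this branch would not catch.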
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a6c4019..2ae2e23 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -307,7 +307,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
gss_buffer_desc name_token;
gss_OID name_type;
OM_uint32 maj_stat, min_stat;
+ const char *target_principal = NULL;
const char *hostname = gensec_get_target_hostname(gensec_security);
+ const char *service = gensec_get_target_service(gensec_security);
+ const char *realm = cli_credentials_get_realm(creds);
+
+ target_principal = gensec_get_target_principal(gensec_security);
+ if (target_principal != NULL) {
+ goto do_start;
+ }
if (!hostname) {
DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n"));
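Review bot: the `goto do_start` skips both the hostname check and the realm check when an explicit target principal is supplied, which is the intent, but `realm` and `service` are still fetched first and `realm` is only validated on the fallback path; a one-line comment at the goto saying that an explicit principal carries its own realm (so neither check applies) would save the next reader a trip to the commit message.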
@@ -322,6 +330,18 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_INVALID_PARAMETER;
}
+ if (realm == NULL) {
+ char *cred_name = cli_credentials_get_unparsed_name(creds,
+ gensec_security);
+ DEBUG(3, ("cli_credentials(%s) without realm, "
+ "cannot use kerberos for this connection %s/%s\n",
+ cred_name, service, hostname));
+ TALLOC_FREE(cred_name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+do_start:
+
nt_status = gensec_gssapi_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
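Review bot: `cred_name` may be NULL if cli_credentials_get_unparsed_name() fails to allocate, and it is then passed straight to DEBUG() as a %s argument; guard it (for example substitute "<unknown>" when NULL) before the call. TALLOC_FREE(NULL) is safe, so only the format argument needs the check.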
@@ -333,16 +353,18 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
}
- gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security);
- if (gensec_gssapi_state->target_principal) {
+ if (target_principal != NULL) {
name_type = GSS_C_NULL_OID;
} else {
- gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s",
- gensec_get_target_service(gensec_security),
- hostname, cli_credentials_get_realm(creds));
-
+ target_principal = talloc_asprintf(gensec_gssapi_state,
+ "%s/%s@%s", service, hostname, realm);
+ if (target_principal == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
name_type = GSS_C_NT_USER_NAME;
}
+ gensec_gssapi_state->target_principal = target_principal;
+
name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
name_token.length = strlen(gensec_gssapi_state->target_principal);
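Review bot: after this rewrite gensec_gssapi_state->target_principal either borrows the pointer returned by gensec_get_target_principal() or owns a string talloc'd on gensec_gssapi_state, and nothing downstream can tell which; that was already the case before the change, but now that `target_principal` is assembled up front it is cheap to talloc_strdup() the borrowed value onto gensec_gssapi_state (with a NO_MEMORY check) so ownership is uniform and the lifetime does not depend on the caller keeping its string alive.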
diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
index a1d30a9..098826a 100755
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
@@ -13,7 +13,7 @@ bld.SAMBA_MODULE('gensec_krb5',
source='gensec_krb5.c ' + gensec_krb5_sources,
subsystem='gensec',
init_function='gensec_krb5_init',
- deps='samba-credentials authkrb5 com_err gensec_util',
+ deps='samba-credentials authkrb5 com_err',
internal_module=False,
enabled=bld.AD_DC_BUILD_IS_ENABLED()
)
@@ -23,7 +23,7 @@ bld.SAMBA_MODULE('gensec_gssapi',
source='gensec_gssapi.c',
subsystem='gensec',
init_function='gensec_gssapi_init',
- deps='gssapi samba-credentials authkrb5 com_err gensec_util'
+ deps='gssapi samba-credentials authkrb5 com_err'
)
bld.SAMBA_PYTHON('pygensec',
--
Samba Shared Repository