[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Jul 21 11:55:03 UTC 2017


The branch, master has been updated
       via  4e04f02 selftest: Add test for password change when NTLM is disabled
       via  4031b30 getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with scope BASE
      from  ff7df3d build: fix ceph_statx check when configured with libcephfs_dir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 4 17:27:27 2017 +1200

    selftest: Add test for password change when NTLM is disabled
    
    When NTLM is disabled, the server should reject NTLM-based password
    changes. Changing the password is a bit complicated from python, but
    because the server should reject the password change outright with
    NTLM_BLOCKED, the test doesn't actually need to provide valid
    credentials.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144

commit 4031b303e495210ee8d6a4e2dd49974d90f9c402
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Apr 20 14:00:21 2017 +1200

    getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with scope BASE
    
    This should not happen, but we have seen this happen in autobuild
    before the whole-DB locking issues were resolved by
    https://bugzilla.samba.org/show_bug.cgi?id=12858
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/ntlmauth.py            | 46 ++++++++++++++++++++++---------
 selftest/knownfail                        |  2 ++
 source4/rpc_server/drsuapi/getncchanges.c | 19 +++++++++++--
 3 files changed, 52 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/ntlmauth.py b/python/samba/tests/ntlmauth.py
index 8db1ad0..a232bf2 100644
--- a/python/samba/tests/ntlmauth.py
+++ b/python/samba/tests/ntlmauth.py
@@ -19,13 +19,13 @@ from samba.tests import TestCase
 import os
 
 import samba
-from samba.credentials import Credentials, DONT_USE_KERBEROS
+from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
 
 from samba import NTSTATUSError, ntstatus
 import ctypes
 
 from samba import credentials
-from samba.dcerpc import srvsvc
+from samba.dcerpc import srvsvc, samr, lsa
 
 """
 Tests basic NTLM authentication
@@ -37,24 +37,21 @@ class NtlmAuthTests(TestCase):
         super(NtlmAuthTests, self).setUp()
 
         self.lp          = self.get_loadparm()
+        self.server      = os.getenv("SERVER")
 
-
+        self.creds = Credentials()
+        self.creds.guess(self.lp)
+        self.creds.set_username(os.getenv("USERNAME"))
+        self.creds.set_domain(self.server)
+        self.creds.set_password(os.getenv("PASSWORD"))
+        self.creds.set_kerberos_state(DONT_USE_KERBEROS)
 
     def tearDown(self):
         super(NtlmAuthTests, self).tearDown()
 
     def test_ntlm_connection(self):
-        server = os.getenv("SERVER")
-
-        creds = credentials.Credentials()
-        creds.guess(self.lp)
-        creds.set_username(os.getenv("USERNAME"))
-        creds.set_domain(server)
-        creds.set_password(os.getenv("PASSWORD"))
-        creds.set_kerberos_state(DONT_USE_KERBEROS)
-
         try:
-            conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % server, self.lp, creds)
+            conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
 
             self.assertIsNotNone(conn)
         except NTSTATUSError as e:
@@ -65,4 +62,27 @@ class NtlmAuthTests(TestCase):
             else:
                 raise
 
+    def test_samr_change_password(self):
+        self.creds.set_kerberos_state(MUST_USE_KERBEROS)
+        conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
+
+        # we want to check whether this gets rejected outright because NTLM is
+        # disabled, so we don't actually need to encrypt a valid password here
+        server = lsa.String()
+        server.string = self.server
+        username = lsa.String()
+        username.string = os.getenv("USERNAME")
+
+        try:
+            conn.ChangePasswordUser2(server, username, None, None, True, None, None)
+        except NTSTATUSError as e:
+            # changing passwords is rejected when NTLM is disabled
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
+                self.fail("NTLM is disabled on this server")
+            elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
+                # expected error case when NTLM is enabled
+                pass
+            else:
+                raise
 
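Review bot: test_samr_change_password passes silently when `ChangePasswordUser2` raises nothing, so a server that accepted a change request carrying only `None` password blobs would go unnoticed; add an `else:` branch to the `try` with `self.fail("ChangePasswordUser2 unexpectedly succeeded")`. The `self.creds.set_kerberos_state(MUST_USE_KERBEROS)` call also appears to have no effect on this connection, because `samr.samr(...)` is built without `self.lp` or `self.creds`. If Kerberos credentials are intended, pass them as the srvsvc test does: `conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % self.server, self.lp, self.creds)`, which also reuses `self.server` instead of a second `os.getenv("SERVER")`. A one-line comment above the `NT_STATUS_NTLM_BLOCKED` branch, such as `# expected in NTLM-disabled environments; those are listed in selftest/knownfail`, would explain why the rejection maps to `self.fail`.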
diff --git a/selftest/knownfail b/selftest/knownfail
index 1cba331..f41b99d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -342,3 +342,5 @@
 ^samba.tests.netlogonsvc.python\(fileserver\)
 # NTLM authentication is (intentionally) disabled in ktest
 ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\)
+# Disabling NTLM means you can't use samr to change the password
+^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\)
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index da294a6..a2063aa 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -2578,8 +2578,13 @@ allowed:
 		W_ERROR_HAVE_NO_MEMORY(msg_dn);
 
 
-		/* by re-searching here we avoid having a lot of full
-		 * records in memory between calls to getncchanges
+		/*
+		 * by re-searching here we avoid having a lot of full
+		 * records in memory between calls to getncchanges.
+		 *
+		 * We expect that we may get some objects that vanish
+		 * (tombstone expunge) between the first and second
+		 * check.
 		 */
 		ret = drsuapi_search_with_extended_dn(sam_ctx, obj, &msg_res,
 						      msg_dn,
@@ -2593,6 +2598,16 @@ allowed:
 			continue;
 		}
 
+		if (msg_res->count == 0) {
+			DEBUG(1,("getncchanges: got LDB_SUCCESS but failed"
+				 "to get any results in fetch of DN "
+				 "%s (race with tombstone expunge?)\n",
+				 ldb_dn_get_extended_linearized(obj,
+								msg_dn, 1)));
+			talloc_free(obj);
+			continue;
+		}
+
 		msg = msg_res->msgs[0];
 
 		/*
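Review bot: The new DEBUG message is missing a space between the adjacent string literals `"... but failed"` and `"to get any results ..."`, so the log line reads "failedto get" and is harder to search for when triaging replication failures; the first literal should end with `failed "`. The `msg_res->count == 0` guard sits directly before the `msg_res->msgs[0]` dereference, which is the right place for it. Freeing only `obj` looks sufficient because `msg_res` seems to be allocated with `obj` as its memory context in the search call above, but that is worth confirming against `drsuapi_search_with_extended_dn`. The enclosing loop and function begin and end outside this hunk.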


-- 
Samba Shared Repository


