[SCM] Samba Shared Repository - branch v4-7-test updated

Karolin Seeger kseeger at samba.org
Fri Dec 7 16:00:02 UTC 2018


The branch, v4-7-test has been updated
       via  23b41ebe1de CVE-2018-14629 dns: fix CNAME loop prevention using counter regression
       via  afc79912685 CVE-2018-14629: Tests to expose regression from dns cname loop fix
       via  29481e9dd5d .gitlab-ci.yml: Adapt to current GitLab CI setup
       via  4cccc63ee44 gitlab-ci: add .gitlab-ci.yml
       via  fcbea2c7c96 CVE-2018-16853: fix crash in expired password case
       via  09b9a9bed3a CVE-2018-16853: Do not segfault if client is not set
       via  03607d79e35 CVE-2018-16853: Add a test to verify s4u2self doesn't crash
       via  22794132513 CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
       via  51518080df9 CVE-2018-16853: Fix kinit test on system lacking ldbsearch
      from  c4ec9d57608 VERSION: Bump version up to 4.7.13.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test


- Log -----------------------------------------------------------------
commit 23b41ebe1deca762e03d4d688f0a11e11f809afd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 28 15:21:56 2018 +0100

    CVE-2018-14629 dns: fix CNAME loop prevention using counter regression
    
    The loop prevention should only be done for CNAME records!
    
    Otherwise we truncate the answer records for A, AAAA or
    SRV queries, which is a bad idea if you have more than 20 DCs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Dec  4 08:52:29 CET 2018 on sn-devel-144
    
    (cherry picked from commit 34f4491d79b47b2fe2457b8882f11644cf773bc4)
    
    Autobuild-User(v4-7-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-7-test): Fri Dec  7 16:59:16 CET 2018 on sn-devel-144

commit afc799126853e1ce9cb498c4cc0eb17b9e0dd565
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Fri Nov 30 18:37:27 2018 +1300

    CVE-2018-14629: Tests to expose regression from dns cname loop fix
    
    These tests expose the regression described by Stefan Metzmacher in
    discussion on the bugzilla page linked below.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 14399fd818b130a6347eec860460929c292d5996)

commit 29481e9dd5dc1765d1108eee5d6ab2a3551c5192
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 26 14:59:26 2018 +1200

    .gitlab-ci.yml: Adapt to current GitLab CI setup
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit fb522c1ba0afa1b2298e66dfde42806cae72e5b9)

commit 4cccc63ee44ec1757b9b16d293a331e2f5c962e6
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Sep 20 09:33:27 2017 +1200

    gitlab-ci: add .gitlab-ci.yml
    
    Add .gitlab-ci.yml file, and define build jobs in groups.
    
    Once gitlab-runner is set up, builds and tests can be triggered
    automatically in parallel when pushing to gitlab.
    Also, with gitlab-runner autoscale mode, build instances
    will be created and removed on demand.
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Tue Oct 31 15:32:16 CET 2017 on sn-devel-144
    
    (cherry picked from commit 8be4236b323b5f755ff6c0bf0a4a5fb99343c84d)

commit fcbea2c7c9680ad7e24235150d61f9a0aee36bb4
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed Nov 7 22:53:35 2018 +0200

    CVE-2018-16853: fix crash in expired password case
    
    When calling encode_krb5_padata_sequence() make sure to
    pass a null terminated array as required.
    
    Fixes expired password case in samba4.blackbox.kinit test.
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 09b9a9bed3aae0fbd945921849cd66ce9e22e0ea
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 28 07:22:32 2016 +0200

    CVE-2018-16853: Do not segfault if client is not set
    
    This can be triggered with FAST but we don't support this yet.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 03607d79e358c664bcf25a5304684dccb49b3ffe
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Aug 18 16:01:59 2018 +0300

    CVE-2018-16853: Add a test to verify s4u2self doesn't crash
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 22794132513e7c8ddc3cff98f7786a48554499dc
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Aug 18 00:40:30 2018 +0300

    CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
    
    This happens when we are called from S4U2Self flow, and in that case
    kdcreq->client is NULL.  Use the name from client entry instead.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 51518080df97b0c9263aa6c3113a600c5a101548
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Aug 18 15:32:43 2018 +0300

    CVE-2018-16853: Fix kinit test on system lacking ldbsearch
    
    By fixing bindir variable name.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-private.yml                   |  53 ++++++++++++++++
 python/samba/tests/dns.py                | 100 +++++++++++++++++++++++++++++++
 selftest/knownfail.d/dns                 |  14 ++++-
 source4/dns_server/dns_query.c           |  29 ++++++---
 source4/kdc/mit-kdb/kdb_samba_policies.c |  16 ++++-
 source4/kdc/mit_samba.c                  |   7 ++-
 testprogs/blackbox/test_kinit_mit.sh     |  20 +++++--
 7 files changed, 219 insertions(+), 20 deletions(-)
 create mode 100644 .gitlab-ci-private.yml


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-private.yml b/.gitlab-ci-private.yml
new file mode 100644
index 00000000000..584b853c25e
--- /dev/null
+++ b/.gitlab-ci-private.yml
@@ -0,0 +1,53 @@
+# see https://docs.gitlab.com/ce/ci/yaml/README.html for all available options
+
+image: registry.gitlab.com/samba-team/samba:latest
+
+before_script:
+  - echo "Build starting ..."
+
+build_samba:
+  stage: build
+  tags:
+    - docker
+    - private
+  script:
+    # this one takes about 4 hours to finish
+    - python script/autobuild.py samba            --verbose --tail --testbase /tmp/samba-testbase
+
+build_samba_others:
+  stage: build
+  tags:
+    - docker
+    - private
+  script:
+    - python script/autobuild.py samba-nopython   --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-systemkrb5 --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-xc         --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-o3         --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-libs       --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-static     --verbose --tail --testbase /tmp/samba-testbase
+
+build_ctdb:
+  stage: build
+  tags:
+    - docker
+    - private
+  script:
+    - python script/autobuild.py samba-ctdb       --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py ctdb             --verbose --tail --testbase /tmp/samba-testbase
+
+build_others:
+  stage: build
+  tags:
+    - docker
+    - private
+  script:
+    - python script/autobuild.py ldb              --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py pidl             --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py replace          --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py talloc           --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py tdb              --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py tevent           --verbose --tail --testbase /tmp/samba-testbase
+
+after_script:
+  - echo "Build finished!"
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index 3390a3990c9..eea3f720a1a 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -821,6 +821,106 @@ class TestComplexQueries(DNSTest):
         max_recursion_depth = 20
         self.assertEquals(len(response.answers), max_recursion_depth)
 
+    # Make sure cname limit doesn't count other records.  This is a generic
+    # test called in tests below
+    def max_rec_test(self, rtype, rec_gen):
+        name = "limittestrec{0}.{1}".format(rtype, self.get_dns_domain())
+        limit = 20
+        num_recs_to_enter = limit + 5
+
+        for i in range(1, num_recs_to_enter+1):
+            ip = rec_gen(i)
+            self.make_dns_update(name, ip, rtype)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(name,
+                                    rtype,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        (response, response_packet) =\
+            self.dns_transaction_udp(p, host=self.server_ip)
+
+        self.assertEqual(len(response.answers), num_recs_to_enter)
+
+    def test_record_limit_A(self):
+        def ip4_gen(i):
+            return "127.0.0." + str(i)
+        self.max_rec_test(rtype=dns.DNS_QTYPE_A, rec_gen=ip4_gen)
+
+    def test_record_limit_AAAA(self):
+        def ip6_gen(i):
+            return "AAAA:0:0:0:0:0:0:" + str(i)
+        self.max_rec_test(rtype=dns.DNS_QTYPE_AAAA, rec_gen=ip6_gen)
+
+    def test_record_limit_SRV(self):
+        def srv_gen(i):
+            rec = dns.srv_record()
+            rec.priority = 1
+            rec.weight = 1
+            rec.port = 92
+            rec.target = "srvtestrec" + str(i)
+            return rec
+        self.max_rec_test(rtype=dns.DNS_QTYPE_SRV, rec_gen=srv_gen)
+
+    # Same as test_record_limit_A but with a preceding CNAME follow
+    def test_cname_limit(self):
+        cname1 = "cnamelimittestrec." + self.get_dns_domain()
+        cname2 = "cnamelimittestrec2." + self.get_dns_domain()
+        cname3 = "cnamelimittestrec3." + self.get_dns_domain()
+        ip_prefix = '127.0.0.'
+        limit = 20
+        num_recs_to_enter = limit + 5
+
+        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
+        num_arecs_to_enter = num_recs_to_enter - 2
+        for i in range(1, num_arecs_to_enter+1):
+            ip = ip_prefix + str(i)
+            self.make_dns_update(cname3, ip, dns.DNS_QTYPE_A)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(cname1,
+                                    dns.DNS_QTYPE_A,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        (response, response_packet) =\
+            self.dns_transaction_udp(p, host=self.server_ip)
+
+        self.assertEqual(len(response.answers), num_recs_to_enter)
+
+    # ANY query on cname record shouldn't follow the link
+    def test_cname_any_query(self):
+        cname1 = "cnameanytestrec." + self.get_dns_domain()
+        cname2 = "cnameanytestrec2." + self.get_dns_domain()
+        cname3 = "cnameanytestrec3." + self.get_dns_domain()
+
+        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(cname1,
+                                    dns.DNS_QTYPE_ALL,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        (response, response_packet) =\
+            self.dns_transaction_udp(p, host=self.server_ip)
+
+        self.assertEqual(len(response.answers), 1)
+        self.assertEqual(response.answers[0].name, cname1)
+        self.assertEqual(response.answers[0].rdata, cname2)
+
 
 class TestInvalidQueries(DNSTest):
     def setUp(self):
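Review bot: `limit = 20` in `max_rec_test` and again in `test_cname_limit` duplicates the `max_recursion_depth = 20` visible in the context above, and all three must track `MAX_Q_RECURSION_DEPTH` in dns_query.c; lift it into one class-level constant so a change to the server limit updates every test. The new tests also count `response.answers` without first checking the response rcode, so a server-side error would surface as a confusing length mismatch rather than a clear rcode failure; assert the rcode is NOERROR before comparing lengths.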
diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
index 8c79b3abe00..c26a31aeb4e 100644
--- a/selftest/knownfail.d/dns
+++ b/selftest/knownfail.d/dns
@@ -47,7 +47,17 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\)
 samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\)
 
 #
-# rodc and vampire_dc require signed dns updates, so the test setup
-# fails, but the test does run on fl2003dc
+# rodc and vampire_dc require signed dns updates, so these tests' setups
+# fail, but they pass on fl2003dc
 ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
 ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(rodc:local\)
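Review bot: the new entries switch environment order midway: the `test_record_limit_*` lines list `rodc` before `vampire_dc`, while `test_cname_limit` and `test_cname_any_query` list `vampire_dc` first. Keep one order so the block can be scanned for a missing environment.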
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index fafadb6ac6f..cb9afd099c2 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -439,7 +439,8 @@ static struct tevent_req *handle_authoritative_send(
 	TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 	struct dns_server *dns, const char *forwarder,
 	struct dns_name_question *question,
-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs);
+	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
+	size_t cname_depth);
 static WERROR handle_authoritative_recv(struct tevent_req *req);
 
 struct handle_dnsrpcrec_state {
@@ -455,7 +456,8 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	struct dns_server *dns, const char *forwarder,
 	const struct dns_name_question *question,
 	struct dnsp_DnssrvRpcRecord *rec,
-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs)
+	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
+	size_t cname_depth)
 {
 	struct tevent_req *req, *subreq;
 	struct handle_dnsrpcrec_state *state;
@@ -471,7 +473,7 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	state->answers = answers;
 	state->nsrecs = nsrecs;
 
-	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+	if (cname_depth >= MAX_Q_RECURSION_DEPTH) {
 		tevent_req_done(req);
 		return tevent_req_post(req, ev);
 	}
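Review bot: the `cname_depth >= MAX_Q_RECURSION_DEPTH` cutoff completes the request silently via `tevent_req_done`, so a client that hits a CNAME loop receives a truncated answer with no error and nothing is logged on the server. Add a `DBG_WARNING` message here naming `question->name` and the depth reached, so operators can detect looping CNAME chains in zone data from the logs, and consider whether a detected loop should be reported to the client rather than returned as a partial answer.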
@@ -516,7 +518,8 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	if (dns_authoritative_for_zone(dns, new_q->name)) {
 		subreq = handle_authoritative_send(
 			state, ev, dns, forwarder, new_q,
-			state->answers, state->nsrecs);
+			state->answers, state->nsrecs,
+			cname_depth + 1);
 		if (tevent_req_nomem(subreq, req)) {
 			return tevent_req_post(req, ev);
 		}
@@ -600,6 +603,8 @@ struct handle_authoritative_state {
 
 	struct dns_res_rec **answers;
 	struct dns_res_rec **nsrecs;
+
+	size_t cname_depth;
 };
 
 static void handle_authoritative_done(struct tevent_req *subreq);
@@ -608,7 +613,8 @@ static struct tevent_req *handle_authoritative_send(
 	TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 	struct dns_server *dns, const char *forwarder,
 	struct dns_name_question *question,
-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs)
+	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
+	size_t cname_depth)
 {
 	struct tevent_req *req, *subreq;
 	struct handle_authoritative_state *state;
@@ -626,6 +632,7 @@ static struct tevent_req *handle_authoritative_send(
 	state->forwarder = forwarder;
 	state->answers = answers;
 	state->nsrecs = nsrecs;
+	state->cname_depth = cname_depth;
 
 	werr = dns_name2dn(dns, state, question->name, &dn);
 	if (tevent_req_werror(req, werr)) {
@@ -646,7 +653,8 @@ static struct tevent_req *handle_authoritative_send(
 	subreq = handle_dnsrpcrec_send(
 		state, state->ev, state->dns, state->forwarder,
 		state->question, &state->recs[state->recs_done],
-		state->answers, state->nsrecs);
+		state->answers, state->nsrecs,
+		state->cname_depth);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
 	}
@@ -678,7 +686,8 @@ static void handle_authoritative_done(struct tevent_req *subreq)
 	subreq = handle_dnsrpcrec_send(
 		state, state->ev, state->dns, state->forwarder,
 		state->question, &state->recs[state->recs_done],
-		state->answers, state->nsrecs);
+		state->answers, state->nsrecs,
+		state->cname_depth);
 	if (tevent_req_nomem(subreq, req)) {
 		return;
 	}
@@ -1050,7 +1059,8 @@ struct tevent_req *dns_server_process_query_send(
 
 		subreq = handle_authoritative_send(
 			state, ev, dns, (forwarders == NULL ? NULL : forwarders[0]),
-			&in->questions[0], &state->answers, &state->nsrecs);
+			&in->questions[0], &state->answers, &state->nsrecs,
+			0); /* cname_depth */
 		if (tevent_req_nomem(subreq, req)) {
 			return tevent_req_post(req, ev);
 		}
@@ -1152,7 +1162,8 @@ static void dns_server_process_query_got_auth(struct tevent_req *subreq)
 		subreq = handle_authoritative_send(state, state->ev, state->dns,
 						   state->forwarders->forwarder,
 						   state->question, &state->answers,
-						   &state->nsrecs);
+						   &state->nsrecs,
+						   0); /* cname_depth */
 
 		if (tevent_req_nomem(subreq, req)) {
 			return;
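Review bot: this second `0); /* cname_depth */` in `dns_server_process_query_got_auth` starts a fresh depth count rather than carrying one over from the earlier resolution; that is the right choice for a new top-level query against a forwarder, but a bare literal with a trailing comment at two call sites makes the intent easy to miss. A one-line comment explaining that each forwarder attempt begins a new CNAME chain, or a named constant for the starting depth, would make this self-explanatory.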
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 81140abfd50..0b1265980b1 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 	char *netbios_name = NULL;
 	char *realm = NULL;
 	bool password_change = false;
+	krb5_const_principal client_princ;
 	DATA_BLOB int_data = { NULL, 0 };
 	krb5_data d;
 	krb5_pa_data **e_data;
@@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 		return KRB5_KDB_DBNOTINITED;
 	}
 
-	if (ks_is_kadmin(context, kdcreq->client)) {
+	/* Prefer canonicalised name from client entry */
+	client_princ = client ? client->princ : kdcreq->client;
+
+	if (client_princ == NULL || ks_is_kadmin(context, client_princ)) {
 		return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	}
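Review bot: the fallback `client ? client->princ : kdcreq->client` is only explained by the commit message; the code comment should say that `kdcreq->client` is NULL when `check_policy_as` is reached from the S4U2Self path (the ticket is a TGS, not an AS ticket), so the reason survives without git blame. Returning `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` when both are NULL is the right failure mode; please confirm that every remaining use of `kdcreq->client` further down in this function, beyond the `krb5_unparse_name` call in the next hunk, was also switched to `client_princ`.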
 
@@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 		goto done;
 	}
 
-	code = krb5_unparse_name(context, kdcreq->client, &client_name);
+	code = krb5_unparse_name(context, client_princ, &client_name);
 	if (code) {
 		goto done;
 	}
@@ -441,6 +445,14 @@ void kdb_samba_db_audit_as_req(krb5_context context,
 {
 	struct mit_samba_context *mit_ctx;
 
+	/*
+	 * FIXME: This segfaulted with a FAST test
+	 * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0
+	 */
+	if (client == NULL) {
+		return;
+	}
+
 	mit_ctx = ks_get_context(context);
 	if (mit_ctx == NULL) {
 		return;
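Review bot: the `client == NULL` early return in `kdb_samba_db_audit_as_req` stops the segfault but also drops the audit record for exactly the AS-REQs (unknown client, FAST armor failures) that an operator would most want to see. Log at least the server principal and the reason before returning, and reference BUG 13571 in the FIXME instead of leaving the quoted test output as the only explanation of why the check exists.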
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 1cd6750f5ab..8283c726487 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -855,7 +855,7 @@ krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data
 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
 {
 	krb5_error_code ret = 0;
-	krb5_pa_data pa, *ppa = NULL;
+	krb5_pa_data pa, *ppa[2];
 	krb5_data *d = NULL;
 
 	if (!e_data)
@@ -876,9 +876,10 @@ static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
 	SIVAL(pa.contents, 4, 0);
 	SIVAL(pa.contents, 8, 1);
 
-	ppa = &pa;
+	ppa[0] = &pa;
+	ppa[1] = NULL;
 
-	ret = encode_krb5_padata_sequence(&ppa, &d);
+	ret = encode_krb5_padata_sequence(ppa, &d);
 	free(pa.contents);
 	if (ret) {
 		return;
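Review bot: the fix is correct: `encode_krb5_padata_sequence()` takes a NULL-terminated array, and the old `&ppa` handed it a pointer to a single element with no terminator, so the encoder walked past it into whatever followed on the stack. Tie the terminator to the declaration with `krb5_pa_data *ppa[2] = { &pa, NULL };` so that a future edit cannot separate the array from its NULL sentinel.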
diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
index 3e07281b8c7..f1567caa3a1 100755
--- a/testprogs/blackbox/test_kinit_mit.sh
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -24,6 +24,7 @@ samba_srcdir="$SRCDIR/source4"
 samba_kinit=kinit
 samba_kdestroy=kdestroy
 samba_kpasswd=kpasswd
+samba_kvno=kvno
 
 samba_tool="$samba_bindir/samba-tool"
 samba_texpect="$samba_bindir/texpect"
@@ -32,13 +33,13 @@ samba_enableaccount="$samba_tool user enable"
 machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache"
 
 ldbmodify="ldbmodify"
-if [ -x "$samba4bindir/ldbmodify" ]; then
-	ldbmodify="$samba4bindir/ldbmodify"
+if [ -x "$samba_bindir/ldbmodify" ]; then
+	ldbmodify="$samba_bindir/ldbmodify"
 fi
 
 ldbsearch="ldbsearch"
-if [ -x "$samba4bindir/ldbsearch" ]; then
-	ldbsearch="$samba4bindir/ldbsearch"
+if [ -x "$samba_bindir/ldbsearch" ]; then
+	ldbsearch="$samba_bindir/ldbsearch"
 fi
 
 . `dirname $0`/subunit.sh
@@ -299,6 +300,17 @@ test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes ||
 
 testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $ADMIN_LDBMODIFY_CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
 
+###########################################################
+### Test basic s4u2self request
+###########################################################
+
+# Use previous acquired machine creds to request a ticket for self.
+# We expect it to fail for now.
+MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM"
+$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT
+# But we expect the KDC to be up and running still
+testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1`
+
 ### Cleanup
 
 $samba_kdestroy
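Review bot: `tr [a-z] [A-Z]` leaves the bracket expressions unquoted, so the shell globs them against single-letter file names in the current directory before `tr` sees them; write `tr '[a-z]' '[A-Z]'` or `tr a-z A-Z`, and quote `"$MACHINE_ACCOUNT"` in the `kvno` call. The `$samba_kvno` invocation is also run bare: the comment says it is expected to fail for now, but neither its exit status nor its output reaches the subunit stream, so the KDC crash this test exists to exercise would only show up indirectly through the following `testit`; wrap it in `testit_expect_failure` (if subunit.sh provides it) or at least capture and report its output.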


-- 
Samba Shared Repository
