[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Tue May 15 13:46:02 UTC 2018


The branch, master has been updated
       via  8bd67c5 auth: keytab invalidation fix
       via  a3d6fdd auth: keytab invalidation test
      from  506c520 smbd: fileserver: Change defaults to work with EA support out of the box.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8bd67c593da5525a63a1d596e2c7fe38bc7cee57
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue May 1 11:10:50 2018 +1200

    auth: keytab invalidation fix
    
    chgtdcpass should add a new DC password and delete the old ones, but the bug
    exposed by this test causes the tool to remove only one of the old keytab
    entries, leaving the remaining old passwords usable for authentication.  Since
    the tool is used by administrators who may have disclosed their domain join
    password and want to invalidate it, this is a security concern.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144

commit a3d6fdd5355d366f3d23915cecc10c6f039daa44
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue May 1 11:10:24 2018 +1200

    auth: keytab invalidation test
    
    chgtdcpass should add a new DC password and delete the old ones, but the bug
    exposed by this test causes the tool to remove only one of the old keytab
    entries, leaving the remaining old passwords usable for authentication.  Since
    the tool is used by administrators who may have disclosed their domain join
    password and want to invalidate it, this is a security concern.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .../__init__.py => selftest/knownfail.d/keytab     |   0
 selftest/tests.py                                  |   2 +
 source4/auth/kerberos/kerberos_util.c              |   2 +-
 source4/auth/tests/kerberos.c                      | 107 +++++++++++++++++++++
 source4/auth/wscript_build                         |   6 ++
 5 files changed, 116 insertions(+), 1 deletion(-)
 copy third_party/pep8/testsuite/__init__.py => selftest/knownfail.d/keytab (100%)
 create mode 100644 source4/auth/tests/kerberos.c


Changeset truncated at 500 lines:

diff --git a/third_party/pep8/testsuite/__init__.py b/selftest/knownfail.d/keytab
similarity index 100%
copy from third_party/pep8/testsuite/__init__.py
copy to selftest/knownfail.d/keytab
diff --git a/selftest/tests.py b/selftest/tests.py
index 185ad37..f354bb5 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -187,5 +187,7 @@ plantestsuite("samba.unittests.tldap", "none",
               [os.path.join(bindir(), "default/source3/test_tldap")])
 plantestsuite("samba.unittests.rfc1738", "none",
               [os.path.join(bindir(), "default/lib/util/test_rfc1738")])
+plantestsuite("samba.unittests.kerberos", "none",
+              [os.path.join(bindir(), "test_kerberos")])
 plantestsuite("samba.unittests.ms_fnmatch", "none",
               [os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 618da62..50bf8fe 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -633,7 +633,7 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx,
 		krb5_kt_free_entry(context, &entry);
 		/* Make sure we do not double free */
 		ZERO_STRUCT(entry);
-	} while (code != 0);
+	} while (code == 0);
 
 	krb5_kt_end_seq_get(context, keytab, &cursor);
 
diff --git a/source4/auth/tests/kerberos.c b/source4/auth/tests/kerberos.c
new file mode 100644
index 0000000..703c806
--- /dev/null
+++ b/source4/auth/tests/kerberos.c
@@ -0,0 +1,107 @@
+#include <time.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <stdint.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_proto.h"
+#include "auth/credentials/credentials_krb5.h"
+#include "auth/kerberos/kerberos_credentials.h"
+#include "auth/kerberos/kerberos_util.h"
+
+static void internal_obsolete_keytab_test(int num_principals, int num_kvnos,
+					  krb5_kvno kvno, const char *kt_name)
+{
+	krb5_context krb5_ctx;
+	krb5_keytab keytab;
+	krb5_keytab_entry kt_entry;
+	krb5_kt_cursor cursor;
+	krb5_error_code code;
+
+	int i,j;
+	char princ_name[6] = "user0";
+	char expect_princ_name[23] = "user0 at samba.example.com";
+	bool found_previous;
+	const char *error_str;
+
+	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+	krb5_principal *principals = talloc_zero_array(tmp_ctx,
+						       krb5_principal,
+						       num_principals);
+	krb5_init_context(&krb5_ctx);
+	krb5_kt_resolve(krb5_ctx, kt_name, &keytab);
+	ZERO_STRUCT(kt_entry);
+
+	for(i=0; i<num_principals; i++) {
+		princ_name[4] = (char)i+48;
+		smb_krb5_make_principal(krb5_ctx, &(principals[i]),
+				    "samba.example.com", princ_name, NULL);
+		kt_entry.principal = principals[i];
+		for (j=0; j<num_kvnos; j++) {
+			kt_entry.vno = j+1;
+			krb5_kt_add_entry(krb5_ctx, keytab, &kt_entry);
+		}
+	}
+
+	code = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+	assert_int_equal(code, 0);
+	for (i=0; i<num_principals; i++) {
+		expect_princ_name[4] = (char)i+48;
+		for (j=0; j<num_kvnos; j++) {
+			char *unparsed_name;
+			code = krb5_kt_next_entry(krb5_ctx, keytab,
+						  &kt_entry, &cursor);
+			assert_int_equal(code, 0);
+			assert_int_equal(kt_entry.vno, j+1);
+			krb5_unparse_name(krb5_ctx, kt_entry.principal,
+					  &unparsed_name);
+			assert_string_equal(expect_princ_name, unparsed_name);
+		}
+	}
+
+	smb_krb5_remove_obsolete_keytab_entries(tmp_ctx, krb5_ctx, keytab,
+						num_principals, principals,
+						kvno, &found_previous,
+						&error_str);
+
+	code = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+	assert_int_equal(code, 0);
+	for (i=0; i<num_principals; i++) {
+		char *unparsed_name;
+		expect_princ_name[4] = (char)i+48;
+		code = krb5_kt_next_entry(krb5_ctx, keytab, &kt_entry, &cursor);
+		assert_int_equal(code, 0);
+		assert_int_equal(kt_entry.vno, kvno-1);
+		krb5_unparse_name(krb5_ctx, kt_entry.principal, &unparsed_name);
+		assert_string_equal(expect_princ_name, unparsed_name);
+	}
+	code = krb5_kt_next_entry(krb5_ctx, keytab, &kt_entry, &cursor);
+	assert_int_not_equal(code, 0);
+}
+
+static void test_krb5_remove_obsolete_keytab_entries_many(void **state)
+{
+	internal_obsolete_keytab_test(5, 4, (krb5_kvno)5, "MEMORY:LOL2");
+}
+
+static void test_krb5_remove_obsolete_keytab_entries_one(void **state)
+{
+	internal_obsolete_keytab_test(1, 2, (krb5_kvno)3, "MEMORY:LOL");
+}
+
+int main(int argc, const char **argv)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(test_krb5_remove_obsolete_keytab_entries_one),
+		cmocka_unit_test(test_krb5_remove_obsolete_keytab_entries_many),
+	};
+
+	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}
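Review bot: `char expect_princ_name[23] = "user0@samba.example.com";` (the archive renders the `@` as ` at `) gives a 23-character string exactly 23 bytes of storage, so the array carries no NUL terminator and every `assert_string_equal(expect_princ_name, unparsed_name)` reads past its end; declare it as `char expect_princ_name[] = "user0@samba.example.com";` and let the compiler size it. The return value of the function under test is discarded: assign it, `code = smb_krb5_remove_obsolete_keytab_entries(...)`, follow the call with `assert_int_equal(code, 0);` and, if the flag means what its name suggests, `assert_true(found_previous);`, otherwise an error return that happens to leave the expected entries behind passes silently. The setup calls (`krb5_init_context`, `krb5_kt_resolve`, `smb_krb5_make_principal`, `krb5_kt_add_entry`, `krb5_unparse_name`) are likewise unchecked, and `unparsed_name`, the `kt_entry` filled in by `krb5_kt_next_entry`, both sequence cursors, the keytab, the context and `tmp_ctx` are never released, which will show up in a leak-checked run. Minor: `(char)i+48` reads better as `'0' + i` and silently produces wrong names for `num_principals > 10`.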
diff --git a/source4/auth/wscript_build b/source4/auth/wscript_build
index f750861..d3452d2 100644
--- a/source4/auth/wscript_build
+++ b/source4/auth/wscript_build
@@ -42,6 +42,12 @@ bld.SAMBA_SUBSYSTEM('auth4_sam',
 	deps=''
 	)
 
+bld.SAMBA_BINARY('test_kerberos',
+        source='tests/kerberos.c',
+        deps='cmocka authkrb5 krb5samba com_err CREDENTIALS_KRB5',
+        local_include=False,
+        install=False
+        )
 
 for env in bld.gen_python_environments():
 	pytalloc_util = bld.pyembed_libname('pytalloc-util')


-- 
Samba Shared Repository


