[SCM] Samba Shared Repository - branch v4-11-test updated
Karolin Seeger
kseeger at samba.org
Wed Oct 2 11:07:03 UTC 2019
The branch, v4-11-test has been updated
via 42d530b0dbc winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again)
via 4a43d8b996b selftest: Test ID_TYPE_BOTH with idmap_rid module
via 0182ccfd22b waf:replace: Do not link against libpthread if not necessary
via b5dfe882ecb third_party: Link uid_wrapper against pthread
via 48cd645d1d8 third_party: Link nss_wrapper against pthread
via 62f0ce14a1b third_party: Only link cmocka against librt if really needed
via 82c9a6c4b0a pthreadpool: Only link pthreadpool against librt if we have to
via 7ec980b991f replace: Only link against librt if really needed
via 4709a848c55 s3:waf: Do not check for nanosleep() as we don't use it anywhere
via a89e8588449 s3-winbindd: fix forest trusts with additional trust attributes.
via 75702977dde fault.c: improve fault_report message text pointing to our wiki
via fcb247f4147 selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
via f836385629c selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
via f0f2ce68e45 selftest/tests.py: test pam_winbind for trusts domains
via e3760d6e3a3 selftest: Export TRUST information in the ad_member target environment
via 2290dfe49bf selftest/tests.py: test pam_winbind with a lot of username variations
via e7b84754510 selftest/tests.py: test pam_winbind with krb5_auth
via cfee9031720 selftest/tests.py: prepare looping over pam_winbindd tests
via 8aae6dd753b test_pam_winbind.sh: allow different pam_winbindd config options to be specified
via 913c79d2e06 tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
via 5583d045a25 tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
via e8c701673a8 s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
via 82fb0291f1f docs-xml: add "winbind use krb5 enterprise principals" option
via 9de64feb1ec krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
via 2fd31d85701 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
via 5d9961e6454 s4:auth: kinit_to_ccache() should always use the canonicalized principal
via d3d951f4240 krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
via 35e3f1a4054 s3:libads/kerberos: always use the canonicalized principal after kinit
via 5628c4ffd32 s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
via 7ed22554470 s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
via f5ea5a5e2a5 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
via 2ba8997d006 s4:auth: use the correct client realm in gensec_gssapi_update_internal()
via ed3ac77dc22 nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
via fa63860f7b1 s3/libads: clang: Fix Value stored to 'canon_princ' is never read
from 18963e909d7 classicupgrade: fix a a bytes-like object is required, not 'str' error
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test
- Log -----------------------------------------------------------------
commit 42d530b0dbc1b1389b393c648357de31e4c11e9f
Author: Michael Adam <obnox at samba.org>
Date: Fri Jan 11 10:44:30 2019 +0100
winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again)
https://git.samba.org/?p=samba.git;a=commitdiff;h=394622ef8c916cf361f8596dba4664dc8d6bfc9e
originally introduced the above feature.
This functionality was undone as part of "winbind: Restructure get_pwsid"
https://git.samba.org/?p=samba.git;a=commitdiff;h=bce19a6efe11980933531f0349c8f5212419366a
I think that this semantic change was accidental.
This patch undoes the semantic change and re-establishes the
functionality.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14141
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Christof Schmitt <cs at samba.org>
Autobuild-Date(master): Fri Sep 27 17:25:29 UTC 2019 on sn-devel-184
(cherry picked from commit 63c9147f8631d73b52bdd36ff407e0361dcf5178)
Autobuild-User(v4-11-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-11-test): Wed Oct 2 11:06:20 UTC 2019 on sn-devel-184
commit 4a43d8b996b1ce444596ed41a686be5ae526113d
Author: Christof Schmitt <cs at samba.org>
Date: Wed Sep 25 17:19:27 2019 -0700
selftest: Test ID_TYPE_BOTH with idmap_rid module
ID_TYPE_BOTH means that each user and group has two mappings, a uid and
gid. In addition the calls to getpwent, getpwuid, getgrent and getgrgid
always return some information, so that uid and gid can be mapped to a
name. Establish a test to verify that the expected information is
returned.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14141
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 485874d6bb328c50c9a98785e85270f28ade7497)
commit 0182ccfd22bfd002d9c1d1f04372fccd642cfc0e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 16:53:12 2019 +0200
waf:replace: Do not link against libpthread if not necessary
On Linux we should avoid linking everything against libpthread. Symbols
used by most applications are provided by glibc and code which deals with
threads has to explicitly link against libpthread. This avoids setting
LDFLAGS=-pthread globally.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 9499db075b72b147e2ff9bb78e9d5edbaac14e69)
commit b5dfe882ecbe5317c12971d83140b59a0d24da6b
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 17:40:13 2019 +0200
third_party: Link uid_wrapper against pthread
uid_wrapper uses pthread_atfork() which is only provided by libpthread.
So we need an explicit dependency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit bd0cd8e13234d684da77a65f6fdaea2572625369)
commit 48cd645d1d81fae6f528e3cc7e83b3d9ad1caefd
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 17:39:29 2019 +0200
third_party: Link nss_wrapper against pthread
nss_wrapper uses pthread_atfork() which is only provided by libpthread.
So we need an explicit dependency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 68d8a02ef57cce29e4ff3ef1b792adfc10d0b916)
commit 62f0ce14a1b8e03e4c4fd8710df86a9a58bca73b
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 17:04:57 2019 +0200
third_party: Only link cmocka against librt if really needed
cmocka also uses clock_gettime().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 36e8d715bc8dc1e8466f5a5c9798df76310b7572)
commit 82c9a6c4b0adfc472b342c898c2cb3b382132c53
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 16:10:35 2019 +0200
pthreadpool: Only link pthreadpool against librt if we have to
This calls clock_gettime() which is available in glibc on Linux. If the
wscript in libreplace detected that librt is needed for clock_gettime()
we have to link against it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 4b28239d13b17e42eb5aa4b405342f46347f3de4)
commit 7ec980b991fd5b62e5739a5fdb2dcbb1306c52d9
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 15:14:24 2019 +0200
replace: Only link against librt if really needed
fdatasync() and clock_gettime() are provided by glibc on Linux, so there
is no need to link against librt. Checks have been added so that
platforms which require it are still functional.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 480152dd6729d4c58faca6f3e4fa91ff4614c272)
commit 4709a848c550e6b56a8a94ca722fa6ab091e3725
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 15:18:55 2019 +0200
s3:waf: Do not check for nanosleep() as we don't use it anywhere
We use usleep() in the meantime.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 952e1812fa9bdc1bac2a7ae5ebb5532f1ea31447)
commit a89e8588449a09f47250e81d87828de74d4c5106
Author: Günther Deschner <gd at samba.org>
Date: Thu Sep 12 16:39:10 2019 +0200
s3-winbindd: fix forest trusts with additional trust attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14130
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d78c87e665e23e6470a19a69383ede7137172c26)
commit 75702977dde834f06460e8434ea98b81020efbe2
Author: Björn Jacke <bj at sernet.de>
Date: Mon Sep 23 08:57:33 2019 +0200
fault.c: improve fault_report message text pointing to our wiki
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14139
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit ec4c5975528f3d3ab9c8813e176c6d1a2f1ca506)
commit fcb247f41478e8b1f8ff504e901cefc047bdf197
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 08:10:26 2019 +0200
selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
This demonstrates that we can do krb5_auth in winbindd without knowing about trusted domains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184
(cherry picked from commit 0ee085b594878f5e0e83839f465303754f015459)
commit f836385629c097ec8564ac19045c5906fdb13f64
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 08:02:38 2019 +0200
selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
This demonstrates that we rely on knowing about trusted domains before
we can do krb5_auth in winbindd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit e2737a74d4453a3d65e5466ddc4405d68444df27)
commit f0f2ce68e450dbf9f8f7e2257dee9e5e00c29567
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 10 14:38:40 2017 +0200
selftest/tests.py: test pam_winbind for trusts domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit ad6f0e056ac27ab5c078dbdbff44372da05caab2)
commit e3760d6e3a3d141719e47eed755805a330609cac
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 20 11:39:41 2017 +0100
selftest: Export TRUST information in the ad_member target environment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 13e3811c9510cf213881527877bed40092e0b33c)
commit 2290dfe49bf267784d3bec491cb9b8978c3d66dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 14:03:34 2019 +0200
selftest/tests.py: test pam_winbind with a lot of username variations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit f07b542c61f84a97c097208e10bf9375ddfa9a15)
commit e7b84754510b5850891752c5fc943714f0a46a4d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 08:08:57 2019 +0200
selftest/tests.py: test pam_winbind with krb5_auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6)
commit cfee90317203e174c4553c264f47387afef7aeaa
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 01:25:23 2019 +0200
selftest/tests.py: prepare looping over pam_winbindd tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc)
commit 8aae6dd753b51bc54042c8cbc9308e08cdeef089
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 01:25:58 2019 +0200
test_pam_winbind.sh: allow different pam_winbindd config options to be specified
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1)
commit 913c79d2e06acf93b7a3fedab6b0c30a0c1272bf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 20 08:13:28 2019 +0200
tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 653e90485854d978dc522e689cd78c19dcc22a70)
commit 5583d045a259a54f3f9000e747a713fa97effe15
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 08:04:42 2019 +0200
tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
A failure generated by the AssertionError() checks can be added
to selftest/knownfail.d/*.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit cd3ffaabb568db26e0de5e83178487e5947c4f09)
commit e8c701673a8b0378e95f501c5ccb4f3cb661460e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 19 15:10:09 2019 +0000
s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM)
and delegate the routing decisions to the KDCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b)
commit 82fb0291f1fe69143b093a4b3cb47fc36d964c22
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 11 16:44:43 2019 +0200
docs-xml: add "winbind use krb5 enterprise principals" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 9520652399696010c333a3ce7247809ce5337a91)
commit 9de64feb1ec94ccef89931ce41ffebb18d80d921
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 15:52:25 2019 +0200
krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 3bdf023956e861485be70430112ed38d0a5424f7)
commit 2fd31d85701a4f05c306eb47791c65fd7e39d66d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 16:04:30 2019 +0200
s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 303b7e59a286896888ee2473995fc50bb2b5ce5e)
commit 5d9961e64542ff1a7d360441db62ef6af3118292
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 16:04:30 2019 +0200
s4:auth: kinit_to_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 162b4199493c1f179e775a325a19ae7a136c418b)
commit d3d951f4240c543162976e18da9e0090254d72b6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 16:04:30 2019 +0200
krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614)
commit 35e3f1a4054dd55e53e229fd78fe85433f577d95
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 16:04:30 2019 +0200
s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 0bced73bed481a8846a6b3e68be85941914390ba)
commit 5628c4ffd328634014b5cc97f2717ff829bab8e3
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 08:49:13 2019 +0200
s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9)
commit 7ed225544705ad3b6f66122fe335bb8e47569d95
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 10:08:10 2019 +0200
s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 361fb0efabfb189526c851107eee49161da2293c)
commit f5ea5a5e2a5479b993cea335b73194b1c4cc6e76
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 17:14:11 2019 +0200
s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236)
commit 2ba8997d006eb6120ac3cf1917ba2b0e3b1a3d86
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 08:05:09 2019 +0200
s4:auth: use the correct client realm in gensec_gssapi_update_internal()
The function gensec_gssapi_client_creds() may call kinit and gets
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use 'given.last@example.com'
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38)
commit ed3ac77dc22572132667df2f2ba717cc16a8daa7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 13:58:46 2019 +0200
nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit acbf922fc2963a42d6cbe652bb32eee231020958)
commit fa63860f7b1621e507c1950872444d366891384a
Author: Noel Power <noel.power at suse.com>
Date: Thu Aug 8 15:06:28 2019 +0100
s3/libads: clang: Fix Value stored to 'canon_princ' is never read
Fixes:
source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
canon_princ = me;
^ ~~
1 warning generated.
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
(cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290)
-----------------------------------------------------------------------
Summary of changes:
.../winbind/winbindusekrb5enterpriseprincipals.xml | 34 ++++
lib/krb5_wrap/krb5_samba.c | 7 +-
lib/pthreadpool/wscript_build | 7 +-
lib/replace/wscript | 34 +++-
lib/util/fault.c | 6 +-
nsswitch/pam_winbind.c | 4 +
nsswitch/tests/test_idmap_rid.sh | 132 ++++++++++++++++
python/samba/tests/pam_winbind.py | 25 ++-
python/samba/tests/pam_winbind_chauthtok.py | 10 +-
python/samba/tests/pam_winbind_warn_pwd_expire.py | 10 +-
python/samba/tests/test_pam_winbind.sh | 12 +-
python/samba/tests/test_pam_winbind_chauthtok.sh | 4 +-
.../tests/test_pam_winbind_warn_pwd_expire.sh | 20 ++-
selftest/target/Samba.pm | 22 +++
selftest/target/Samba3.pm | 26 +++-
selftest/tests.py | 171 ++++++++++++++++++---
source3/libads/authdata.c | 1 +
source3/libads/kerberos.c | 54 +++++--
source3/libads/kerberos_proto.h | 5 +-
source3/libads/kerberos_util.c | 3 +-
source3/libads/krb5_setpw.c | 6 +
source3/libsmb/cliconnect.c | 41 ++++-
source3/utils/net_ads.c | 3 +
source3/winbindd/wb_queryuser.c | 18 ++-
source3/winbindd/winbindd_ads.c | 2 +-
source3/winbindd/winbindd_cred_cache.c | 6 +
source3/winbindd/winbindd_pam.c | 57 ++++---
source3/winbindd/winbindd_util.c | 2 +-
source3/wscript | 1 -
source4/auth/gensec/gensec_gssapi.c | 6 +-
source4/auth/kerberos/kerberos_util.c | 2 +
third_party/cmocka/wscript | 7 +-
third_party/nss_wrapper/wscript | 2 +-
third_party/uid_wrapper/wscript | 2 +-
34 files changed, 634 insertions(+), 108 deletions(-)
create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 00000000000..bfc11c8636c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>winbindd is able to get kerberos tickets for
+ pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+ </para>
+
+ <para>winbindd (at least on a domain member) is never be able
+ to have a complete picture of the trust topology (which is managed by the DCs).
+ There might be uPNSuffixes and msDS-SPNSuffixes values,
+ which don't belong to any AD domain at all.
+ </para>
+
+ <para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
+ winbindd don't even get an incomplete picture of the topology.
+ </para>
+
+ <para>It is not really required to know about the trust topology.
+ We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
+ and use enterprise principals e.g. upnfromB at B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
+ and follow the WRONG_REALM referrals in order to find the correct DC.
+ The final principal might be userfromB at INTERNALB.EXAMPLE.PRIVATE.
+ </para>
+
+ <para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
+ winbindd enterprise principals will be used.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
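Review bot: the description text has grammar errors that will end up in the generated smb.conf documentation: "is never be able" in the second para, "winbindd don't even get" in the third, and "winbindd enterprise principals will be used" in the last, which reads as if a word is missing. Suggest "is never able", "winbindd doesn't even get" and "winbindd will use enterprise principals". The last para would also be the place to say which requests are affected, since the first para names pam_winbind with krb5_auth and wbinfo -K but the final sentence does not tie the option back to them.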
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 72889fffcf0..a4e73c64f00 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
}
ret = krb5_parse_name(context, utf8_name, principal);
+ if (ret == KRB5_PARSE_MALFORMED) {
+ ret = krb5_parse_name_flags(context, utf8_name,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+ principal);
+ }
TALLOC_FREE(frame);
return ret;
}
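Review bot: the retry with KRB5_PRINCIPAL_PARSE_ENTERPRISE runs for every caller of smb_krb5_parse_name() whenever krb5_parse_name() returns KRB5_PARSE_MALFORMED, with nothing in this hunk tying it to the new "winbind use krb5 enterprise principals" option. A name that was rejected as malformed before is now accepted as an enterprise principal everywhere this wrapper is used. Please add a comment above the retry saying that this is intended for all callers, or pass a flag so only the callers that expect enterprise names opt in.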
@@ -2114,14 +2119,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
return code;
}
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
/*
* We need to store the principal as returned from the KDC to the
* credentials cache. If we don't do that the KRB5 library is not
* able to find the tickets it is looking for
*/
principal = my_creds.client;
-#endif
code = krb5_cc_initialize(ctx, cc, principal);
if (code) {
goto done;
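Review bot: with the #ifndef removed, "principal = my_creds.client;" now runs for Heimdal as well, but the comment above it still only explains the lookup problem and does not say that the credentials cache may be initialized with a different (canonicalized) name than the one the caller passed in. Suggest extending the comment to state that, so callers know not to assume the ccache default principal equals their input.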
diff --git a/lib/pthreadpool/wscript_build b/lib/pthreadpool/wscript_build
index 57df25548b1..70aa7cbf041 100644
--- a/lib/pthreadpool/wscript_build
+++ b/lib/pthreadpool/wscript_build
@@ -1,12 +1,17 @@
#!/usr/bin/env python
if bld.env.WITH_PTHREADPOOL:
+ extra_libs=''
+
+ # Link to librt if needed for clock_gettime()
+ if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt'
+
bld.SAMBA_SUBSYSTEM('PTHREADPOOL',
source='''pthreadpool.c
pthreadpool_pipe.c
pthreadpool_tevent.c
''',
- deps='pthread rt replace tevent-util')
+ deps='pthread replace tevent-util' + extra_libs)
else:
bld.SAMBA_SUBSYSTEM('PTHREADPOOL',
source='''pthreadpool_sync.c
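Review bot: the comment "Link to librt if needed for clock_gettime()" is narrower than the condition it describes. HAVE_LIBRT is tested here, and in lib/replace/wscript librt is probed for fdatasync as well as clock_gettime, so 'rt' can be appended for a reason unrelated to this subsystem. Either reword the comment or key the dependency on a clock_gettime-specific result. As a style point, the one-line "if ...: extra_libs += ' rt'" would read better split over two lines.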
diff --git a/lib/replace/wscript b/lib/replace/wscript
index 4df1b4d77c4..240d730cbee 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -458,11 +458,28 @@ def configure(conf):
conf.CHECK_C_PROTOTYPE('dlopen', 'void *dlopen(const char* filename, unsigned int flags)',
define='DLOPEN_TAKES_UNSIGNED_FLAGS', headers='dlfcn.h dl.h')
- if conf.CHECK_FUNCS_IN('fdatasync', 'rt', checklibc=True):
+ #
+ # Check for clock_gettime and fdatasync
+ #
+ # First check libc to avoid linking libreplace against librt.
+ #
+ if conf.CHECK_FUNCS('fdatasync'):
# some systems are missing the declaration
conf.CHECK_DECLS('fdatasync')
+ else:
+ if conf.CHECK_FUNCS_IN('fdatasync', 'rt'):
+ # some systems are missing the declaration
+ conf.CHECK_DECLS('fdatasync')
+
+ has_clock_gettime = False
+ if conf.CHECK_FUNCS('clock_gettime'):
+ has_clock_gettime = True
- if conf.CHECK_FUNCS_IN('clock_gettime', 'rt', checklibc=True):
+ if not has_clock_gettime:
+ if conf.CHECK_FUNCS_IN('clock_gettime', 'rt', checklibc=True):
+ has_clock_gettime = True
+
+ if has_clock_gettime:
for c in ['CLOCK_MONOTONIC', 'CLOCK_PROCESS_CPUTIME_ID', 'CLOCK_REALTIME']:
conf.CHECK_CODE('''
#if TIME_WITH_SYS_TIME
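Review bot: the two fallbacks are inconsistent. The fdatasync branch calls CHECK_FUNCS_IN('fdatasync', 'rt') without checklibc, while the clock_gettime branch keeps checklibc=True even though CHECK_FUNCS('clock_gettime') has just failed against libc, so that argument only repeats the failed check. Suggest dropping checklibc=True there. The duplicated "some systems are missing the declaration" / CHECK_DECLS('fdatasync') pair could also be folded into a single call after an "or" of the two checks.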
@@ -535,6 +552,11 @@ def configure(conf):
PTHREAD_CFLAGS='error'
PTHREAD_LDFLAGS='error'
+ if PTHREAD_LDFLAGS == 'error':
+ # Check if pthread_attr_init() is provided by libc first!
+ if conf.CHECK_FUNCS('pthread_attr_init'):
+ PTHREAD_CFLAGS='-D_REENTRANT'
+ PTHREAD_LDFLAGS=''
if PTHREAD_LDFLAGS == 'error':
if conf.CHECK_FUNCS_IN('pthread_attr_init', 'pthread'):
PTHREAD_CFLAGS='-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS'
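Review bot: the new libc-first branch sets PTHREAD_LDFLAGS='' as soon as pthread_attr_init is found in libc, but that one symbol does not show that every pthread function a target needs is in libc. The same series has to add explicit pthread dependencies to uid_wrapper and nss_wrapper for pthread_atfork(). Please add a comment here stating that an empty PTHREAD_LDFLAGS means thread-using targets must list 'pthread' in their deps. A blank line between this block and the following "if PTHREAD_LDFLAGS == 'error':" would also match the spacing of the surrounding checks.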
@@ -547,10 +569,7 @@ def configure(conf):
if conf.CHECK_FUNCS_IN('pthread_attr_init', 'c_r'):
PTHREAD_CFLAGS='-D_THREAD_SAFE -pthread'
PTHREAD_LDFLAGS='-pthread'
- if PTHREAD_LDFLAGS == 'error':
- if conf.CHECK_FUNCS('pthread_attr_init'):
- PTHREAD_CFLAGS='-D_REENTRANT'
- PTHREAD_LDFLAGS='-lpthread'
+
# especially for HP-UX, where the CHECK_FUNC macro fails to test for
# pthread_attr_init. On pthread_mutex_lock it works there...
if PTHREAD_LDFLAGS == 'error':
@@ -816,6 +835,7 @@ def build(bld):
extra_libs = ''
if bld.CONFIG_SET('HAVE_LIBBSD'): extra_libs += ' bsd'
+ if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt'
bld.SAMBA_SUBSYSTEM('LIBREPLACE_HOSTCC',
REPLACE_HOSTCC_SOURCE,
@@ -856,7 +876,7 @@ def build(bld):
# at the moment:
# hide_symbols=bld.BUILTIN_LIBRARY('replace'),
private_library=True,
- deps='crypt dl nsl socket rt attr' + extra_libs)
+ deps='crypt dl nsl socket attr' + extra_libs)
replace_test_cflags = ''
if bld.CONFIG_SET('HAVE_WNO_FORMAT_TRUNCATION'):
diff --git a/lib/util/fault.c b/lib/util/fault.c
index 5be9162679e..c42bc51789a 100644
--- a/lib/util/fault.c
+++ b/lib/util/fault.c
@@ -78,7 +78,11 @@ static void fault_report(int sig)
DEBUGSEP(0);
DEBUG(0,("INTERNAL ERROR: Signal %d in pid %d (%s)",sig,(int)getpid(),SAMBA_VERSION_STRING));
- DEBUG(0,("\nPlease read the Trouble-Shooting section of the Samba HOWTO\n"));
+ DEBUG(0,("\nIf you are running a recent Samba version, and "
+ "if you think this problem is not yet fixed in the "
+ "latest versions, please consider reporting this "
+ "bug, see "
+ "https://wiki.samba.org/index.php/Bug_Reporting\n"));
DEBUGSEP(0);
smb_panic("internal error");
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 7841377fdd6..3ad70d3c4cd 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -862,6 +862,10 @@ static int wbc_auth_error_to_pam_error(struct pwb_context *ctx,
}
ret = wbc_error_to_pam_error(status);
+ _pam_log(ctx, LOG_ERR,
+ "request %s failed: %s, PAM error: %s (%d)!",
+ fn, wbcErrorString(status),
+ _pam_error_code_str(ret), ret);
return pam_winbind_request_log(ctx, ret, username, fn);
}
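Review bot: the added _pam_log() call sits directly before "return pam_winbind_request_log(ctx, ret, username, fn);", so each failing request on this path is now reported twice, once at LOG_ERR here and once by the request log helper. If the extra detail (wbcErrorString and the PAM code) is the goal, consider folding it into pam_winbind_request_log() or lowering this call to a debug level, and drop the trailing "!" from the format string.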
diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh
index 8209a50a4fc..4e6477f666e 100755
--- a/nsswitch/tests/test_idmap_rid.sh
+++ b/nsswitch/tests/test_idmap_rid.sh
@@ -63,4 +63,136 @@ test "$out" = "$SID -> unmapped"
ret=$?
testit "Bogus SID returns unmapped" test $ret -eq 0 || failed=$(expr $failed + 1)
+#
+# Test 3: ID_TYPE_BOTH mappings for group
+#
+
+GROUP="$DOMAIN/Domain Users"
+GROUP_SID=$($wbinfo --name-to-sid="$GROUP" | sed -e 's/ .*//')
+
+uid=$($wbinfo --sid-to-uid=$GROUP_SID)
+ret=$?
+testit "ID_TYPE_BOTH group map to uid succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH group map to uid has result" test -n $uid ||\
+ failed=$(expr $failed + 1)
+
+gid=$($wbinfo --sid-to-gid=$GROUP_SID)
+ret=$?
+testit "ID_TYPE_BOTH group map to gid succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH group map to gid has result" test -n $gid ||\
+ failed=$(expr $failed + 1)
+
+testit "ID_TYPE_BOTH group uid equals gid" test $uid -eq $gid ||\
+ failed=$(expr $failed + 1)
+
+group_pw="$DOMAIN/domain users:*:$uid:$gid::/home/$DOMAIN/domain users:/bin/false"
+
+out=$(getent passwd "$GROUP")
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+test "$out" = "$group_pw"
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH group output" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+out=$(getent passwd $uid)
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+test "$out" = "$group_pw"
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH group output" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+group_gr="$DOMAIN/domain users:x:$gid:"
+
+out=$(getent group "$GROUP")
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+test "$out" = "$group_gr"
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH group output" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+out=$(getent group "$gid")
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+test "$out" = "$group_gr"
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH group output" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+#
+# Test 4: ID_TYPE_BOTH mappings for user
+#
+
+dom_users_gid=$gid
+
+USER="$DOMAIN/Administrator"
+USER_SID=$($wbinfo --name-to-sid="$USER" | sed -e 's/ .*//')
+
+uid=$($wbinfo --sid-to-uid=$USER_SID)
+ret=$?
+testit "ID_TYPE_BOTH user map to uid succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH user map to uid has result" test -n $uid ||\
+ failed=$(expr $failed + 1)
+
+gid=$($wbinfo --sid-to-gid=$USER_SID)
+ret=$?
+testit "ID_TYPE_BOTH user map to gid succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH user map to gid has result" test -n $gid ||\
+ failed=$(expr $failed + 1)
+
+testit "ID_TYPE_BOTH user uid equals gid" test $uid -eq $gid ||\
+ failed=$(expr $failed + 1)
+
+user_pw="$DOMAIN/administrator:*:$uid:$dom_users_gid::/home/$DOMAIN/administrator:/bin/false"
+
+out=$(getent passwd "$USER")
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+test "$out" = "$user_pw"
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH user output" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+out=$(getent passwd $uid)
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+test "$out" = "$user_pw"
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH user output" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+user_gr="$DOMAIN/administrator:x:$gid:$DOMAIN/administrator"
+
+out=$(getent group "$USER")
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+test "$out" = "$user_gr"
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH user output" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
+out=$(getent group "$gid")
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+test "$out" = "$user_gr"
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH user output" test $ret -eq 0 ||\
+ failed=$(expr $failed + 1)
+
exit $failed
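Review bot: the four "has result" checks (`test -n $uid` and `test -n $gid` in Test 3 and again in Test 4) can never fail, because with an empty, unquoted variable the command collapses to `test -n`, which is true. Quote the operands: `test -n "$uid"` and `test -n "$gid"`. The same applies to `$GROUP_SID` and `$USER_SID` in the `$wbinfo --sid-to-uid=` and `--sid-to-gid=` calls and to `getent passwd $uid`: if name-to-sid lookup fails, the unquoted empty value changes what is being queried instead of producing a clear failure.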
diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
index 68b05b30d7d..708f408f768 100644
--- a/python/samba/tests/pam_winbind.py
+++ b/python/samba/tests/pam_winbind.py
@@ -26,11 +26,17 @@ class SimplePamTests(samba.tests.TestCase):
domain = os.environ["DOMAIN"]
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
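Review bot: in the new `except pypamtest.PamTestError as e:` branch, `raise AssertionError(str(e))` goes around the TestCase API; `self.fail(str(e))` reports the same failure through unittest and reads as intended. In the `else:` branch, `unix_username = "%s" % username` is just `unix_username = username`. A one-line comment above `if domain != "":` saying that an empty DOMAIN means USERNAME is already a complete name (for example a UPN) would explain why the prefix is skipped.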
@@ -38,11 +44,17 @@ class SimplePamTests(samba.tests.TestCase):
domain = os.environ["DOMAIN"]
username = os.environ["USERNAME"]
password = "WrongPassword"
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 7 # PAM_AUTH_ERR
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
@@ -52,6 +64,9 @@ class SimplePamTests(samba.tests.TestCase):
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
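Review bot: this is the third copy of the same `try: res = pypamtest.run_pamtest(...)` / `except pypamtest.PamTestError` wrapper in this file, and the chauthtok and warn_pwd_expire tests repeat it too. A small helper on the test class that runs the PAM test and turns PamTestError into a test failure would keep the five call sites consistent and make a later change to the error handling a one-line edit.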
diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py
index e5be3a83ce7..c1d569b3cd0 100644
--- a/python/samba/tests/pam_winbind_chauthtok.py
+++ b/python/samba/tests/pam_winbind_chauthtok.py
@@ -27,10 +27,16 @@ class PamChauthtokTests(samba.tests.TestCase):
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
newpassword = os.environ["NEWPASSWORD"]
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py
index df60bc5ace6..56f5da94f98 100644
--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
@@ -27,11 +27,17 @@ class PasswordExpirePamTests(samba.tests.TestCase):
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"])
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
if warn_pwd_expire == 0:
diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh
index 0406b108b31..755e67280fa 100755
--- a/python/samba/tests/test_pam_winbind.sh
+++ b/python/samba/tests/test_pam_winbind.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
export PASSWORD
shift 3
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
pam_winbind="$BINDIR/shared/pam_winbind.so"
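Review bot: `PAM_OPTIONS="$1"` followed by `shift 1` makes a fourth positional argument mandatory, and a caller that still passes only three arguments reaches `shift 1` with nothing left to shift, which is an error in POSIX sh. Either default it with `PAM_OPTIONS="${1:-}"` and guard the shift with a `$#` check, or state in a usage comment at the top of the script that the fourth argument is required (and may be an empty string), so every caller in selftest/tests.py has to pass it.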
@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
service_file="$service_dir/samba"
mkdir $service_dir
-echo "auth required $pam_winbind debug debug_state" > $service_file
-echo "account required $pam_winbind debug debug_state" >> $service_file
-echo "password required $pam_winbind debug debug_state" >> $service_file
-echo "session required $pam_winbind debug debug_state" >> $service_file
+echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
+echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
PAM_WRAPPER="1"
export PAM_WRAPPER
diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh
index 5887699300a..48adc81859d 100755
--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
export PAM_WRAPPER_DEBUGLEVEL
case $PAM_OPTIONS in
- use_authtok)
+ *use_authtok*)
PAM_AUTHTOK="$NEWPASSWORD"
export PAM_AUTHTOK
;;
- try_authtok)
+ *try_authtok*)
PAM_AUTHTOK="$NEWPASSWORD"
export PAM_AUTHTOK
;;
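Review bot: after switching to the glob patterns `*use_authtok*)` and `*try_authtok*)`, the two arms have identical bodies and can be merged into one `*use_authtok*|*try_authtok*)` arm. Note that the substring match also fires for any option string that merely contains one of these words; if PAM_OPTIONS is meant to be a space-separated list, matching on word boundaries (for example by wrapping the value in spaces and matching `*" use_authtok "*`) would be stricter.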
diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
index 16dede44227..348d2ae8387 100755
--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
export PASSWORD
shift 3
--
Samba Shared Repository