[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Tue Sep 24 19:52:02 UTC 2019


The branch, master has been updated
       via  0ee085b5948 selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
       via  e2737a74d44 selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
       via  ad6f0e056ac selftest/tests.py: test pam_winbind for trust domains
       via  13e3811c951 selftest: Export TRUST information in the ad_member target environment
       via  f07b542c61f selftest/tests.py: test pam_winbind with a lot of username variations
       via  36e95e42ea8 selftest/tests.py: test pam_winbind with krb5_auth
       via  72daf99fd1f selftest/tests.py: prepare looping over pam_winbindd tests
       via  3d38a8e9135 test_pam_winbind.sh: allow different pam_winbindd config options to be specified
       via  653e9048585 tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
       via  cd3ffaabb56 tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
       via  a77be15d283 s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
       via  95206523996 docs-xml: add "winbind use krb5 enterprise principals" option
       via  3bdf023956e krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
       via  303b7e59a28 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
       via  162b4199493 s4:auth: kinit_to_ccache() should always use the canonicalized principal
       via  5d0bf32ec0a krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
       via  0bced73bed4 s3:libads/kerberos: always use the canonicalized principal after kinit
       via  6ed18c12c57 s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
       via  361fb0efabf s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
       via  bc473e5cf08 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
       via  db8fd3d6a31 s4:auth: use the correct client realm in gensec_gssapi_update_internal()
       via  acbf922fc29 nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
      from  4f5c4df316d wscript_build: string concatenation efficiency cleanup

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0ee085b594878f5e0e83839f465303754f015459
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 08:10:26 2019 +0200

    selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
    
    This demonstrates that we can do krb5_auth in winbindd without knowing about trusted domains.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184

commit e2737a74d4453a3d65e5466ddc4405d68444df27
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 08:02:38 2019 +0200

    selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
    
    This demonstrates that we rely on knowing about trusted domains before
    we can do krb5_auth in winbindd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit ad6f0e056ac27ab5c078dbdbff44372da05caab2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jun 10 14:38:40 2017 +0200

    selftest/tests.py: test pam_winbind for trust domains
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 13e3811c9510cf213881527877bed40092e0b33c
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 20 11:39:41 2017 +0100

    selftest: Export TRUST information in the ad_member target environment
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit f07b542c61f84a97c097208e10bf9375ddfa9a15
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 14:03:34 2019 +0200

    selftest/tests.py: test pam_winbind with a lot of username variations
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 08:08:57 2019 +0200

    selftest/tests.py: test pam_winbind with krb5_auth
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 01:25:23 2019 +0200

    selftest/tests.py: prepare looping over pam_winbindd tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 01:25:58 2019 +0200

    test_pam_winbind.sh: allow different pam_winbindd config options to be specified
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 653e90485854d978dc522e689cd78c19dcc22a70
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 20 08:13:28 2019 +0200

    tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit cd3ffaabb568db26e0de5e83178487e5947c4f09
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 08:04:42 2019 +0200

    tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
    
    A failure generated by the AssertionError() checks can be added
    to selftest/knownfail.d/*.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit a77be15d28390c5d12202278adbe6b50200a2c1b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 19 15:10:09 2019 +0000

    s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
    
    We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM)
    and delegate the routing decisions to the KDCs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
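
    As an added illustration (not Samba's code, nor MIT's or Heimdal's) of the
    principal forms these commits deal with: the parser below models how
    user@REALM, service/host@REALM and the two-'@' enterprise form
    upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM split into name components and
    realm. The splitting rules listed in its docstring are my understanding of
    what krb5_parse_name()/krb5_parse_name_flags() do in both libraries, stated
    here as an assumption; the sample principals are constructed, and
    parse_with_enterprise_fallback() reproduces the retry-on-malformed behaviour
    that the krb5_samba.c change in this patch adds to smb_krb5_parse_name().

```python
"""Toy Kerberos principal parser with the enterprise-name fallback.

Assumed libkrb5 rules (MIT and Heimdal, as understood by the author of this
example; not taken from the Samba patch itself):
  * a backslash escapes the next character ('\\@', '\\/', '\\\\');
  * standard parse: '/' separates components, the first unescaped '@' starts
    the realm, and a further unescaped '@' inside the realm is malformed;
  * enterprise parse: the whole name is ONE component, '/' is literal, the
    first unescaped '@' belongs to the name and the second one starts the realm;
  * no '@' at all leaves the realm unset (a real library would fill in the
    default realm here).
"""

# Stands in for the libkrb5 error code that triggers the fallback in the patch.
MALFORMED = "KRB5_PARSE_MALFORMED"


class PrincipalParseError(ValueError):
    """Raised with the (string) error code as its message."""


def _split_principal(text, enterprise):
    """Return (components, realm_or_None) with escapes resolved."""
    comps, cur, realm = [], [], None
    in_realm, seen_at = False, 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "\\" and i + 1 < n:          # escaped character, taken literally
            cur.append(text[i + 1])
            i += 2
            continue
        if in_realm:
            if c == "@":                      # a second unescaped '@' in the realm
                raise PrincipalParseError(MALFORMED)
            cur.append(c)
        elif c == "@":
            seen_at += 1
            if enterprise and seen_at == 1:   # first '@' is part of the enterprise name
                cur.append(c)
            else:                             # realm separator
                comps.append("".join(cur))
                cur, in_realm = [], True
        elif c == "/" and not enterprise:     # component separator (standard names only)
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if in_realm:
        realm = "".join(cur)
    else:
        comps.append("".join(cur))
    return comps, realm


def parse_principal(text, enterprise=False):
    """Parse `text` and return (components, realm, name_type)."""
    comps, realm = _split_principal(text, enterprise)
    name_type = "NT-ENTERPRISE" if enterprise else "NT-PRINCIPAL"
    return comps, realm, name_type


def parse_with_enterprise_fallback(text):
    """Mirror the smb_krb5_parse_name() change: try the standard parse first and
    retry with the enterprise flag only when the standard parse reports
    KRB5_PARSE_MALFORMED. Any other error would propagate unchanged."""
    try:
        return parse_principal(text)
    except PrincipalParseError as e:
        if str(e) != MALFORMED:
            raise
        return parse_principal(text, enterprise=True)


if __name__ == "__main__":
    # Constructed sample principals in the style of the commit messages.
    samples = [
        "alice@PRIMARY.A.EXAMPLE.COM",
        "host/dc1.primary.a.example.com@PRIMARY.A.EXAMPLE.COM",
        r"first.last\@corp@PRIMARY.A.EXAMPLE.COM",
        "upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM",
    ]
    for s in samples:
        print("%-55s -> %r" % (s, parse_with_enterprise_fallback(s)))
```

    The last sample is the interesting one: the standard parse rejects it, the
    enterprise parse yields the single component "upnfromB@B.EXAMPLE.COM" in
    realm PRIMARY.A.EXAMPLE.COM, and, as the docs hunk further down describes,
    it is then the KDC of that realm that decides via WRONG_REALM referrals
    where the name really lives.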

commit 9520652399696010c333a3ce7247809ce5337a91
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 11 16:44:43 2019 +0200

    docs-xml: add "winbind use krb5 enterprise principals" option
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 3bdf023956e861485be70430112ed38d0a5424f7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 15:52:25 2019 +0200

    krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 303b7e59a286896888ee2473995fc50bb2b5ce5e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 162b4199493c1f179e775a325a19ae7a136c418b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s4:auth: kinit_to_ccache() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 0bced73bed481a8846a6b3e68be85941914390ba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s3:libads/kerberos: always use the canonicalized principal after kinit
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 17 08:49:13 2019 +0200

    s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 361fb0efabfb189526c851107eee49161da2293c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 17 10:08:10 2019 +0200

    s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit bc473e5cf088a137395842540ed8eb748373a236
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Sep 16 17:14:11 2019 +0200

    s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 17 08:05:09 2019 +0200

    s4:auth: use the correct client realm in gensec_gssapi_update_internal()
    
    The function gensec_gssapi_client_creds() may call kinit and gets
    a TGT for the user. The principal provided by the user may not
    be canonicalized. The user may use 'given.last@example.com'
    but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
    
    It means we should use client_realm = AD.EXAMPLE.PRIVATE
    instead of client_realm = EXAMPLE.COM
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit acbf922fc2963a42d6cbe652bb32eee231020958
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 13:58:46 2019 +0200

    nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .../winbind/winbindusekrb5enterpriseprincipals.xml |  34 ++++
 lib/krb5_wrap/krb5_samba.c                         |   7 +-
 nsswitch/pam_winbind.c                             |   4 +
 python/samba/tests/pam_winbind.py                  |  25 ++-
 python/samba/tests/pam_winbind_chauthtok.py        |  10 +-
 python/samba/tests/pam_winbind_warn_pwd_expire.py  |  10 +-
 python/samba/tests/test_pam_winbind.sh             |  12 +-
 python/samba/tests/test_pam_winbind_chauthtok.sh   |   4 +-
 .../tests/test_pam_winbind_warn_pwd_expire.sh      |  20 ++-
 selftest/target/Samba.pm                           |  22 +++
 selftest/target/Samba3.pm                          |  26 +++-
 selftest/tests.py                                  | 171 ++++++++++++++++++---
 source3/libads/authdata.c                          |   1 +
 source3/libads/kerberos.c                          |  55 +++++--
 source3/libads/kerberos_proto.h                    |   5 +-
 source3/libads/kerberos_util.c                     |   3 +-
 source3/libads/krb5_setpw.c                        |   6 +
 source3/libsmb/cliconnect.c                        |  41 ++++-
 source3/utils/net_ads.c                            |   3 +
 source3/winbindd/winbindd_cred_cache.c             |   6 +
 source3/winbindd/winbindd_pam.c                    |  57 ++++---
 source4/auth/gensec/gensec_gssapi.c                |   6 +-
 source4/auth/kerberos/kerberos_util.c              |   2 +
 23 files changed, 438 insertions(+), 92 deletions(-)
 create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 00000000000..bfc11c8636c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>winbindd is able to get kerberos tickets for
+	pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+	</para>
+
+	<para>winbindd (at least on a domain member) is never be able
+	to have a complete picture of the trust topology (which is managed by the DCs).
+	There might be uPNSuffixes and msDS-SPNSuffixes values,
+	which don't belong to any AD domain at all.
+	</para>
+
+	<para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
+	winbindd don't even get an incomplete picture of the topology.
+	</para>
+
+	<para>It is not really required to know about the trust topology.
+	We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
+	and use enterprise principals e.g. upnfromB at B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
+	and follow the WRONG_REALM referrals in order to find the correct DC.
+	The final principal might be userfromB at INTERNALB.EXAMPLE.PRIVATE.
+	</para>
+
+	<para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
+	winbindd enterprise principals will be used.
+	</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
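
Review bot: the option description carries grammar slips that will end up in the generated smb.conf man page: in the second <para>, "is never be able" should read "is never able"; in the third, "winbindd don't even get" should be "winbindd doesn't even get"; and the last <para>, "winbindd enterprise principals will be used", reads more clearly as "winbindd will use enterprise principals". It would also help the reader to say outright that the option is intended to be combined with `winbind scan trusted domains = no`, which the third and fourth paragraphs only imply.
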
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 72889fffcf0..a4e73c64f00 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
 	}
 
 	ret = krb5_parse_name(context, utf8_name, principal);
+	if (ret == KRB5_PARSE_MALFORMED) {
+		ret = krb5_parse_name_flags(context, utf8_name,
+					    KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+					    principal);
+	}
 	TALLOC_FREE(frame);
 	return ret;
 }
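
Review bot: the retry with krb5_parse_name_flags() on KRB5_PARSE_MALFORMED needs a comment at the call site, since nothing tells a reader of smb_krb5_parse_name() that a string with two unescaped '@' characters (the upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM form from the commit message) is now accepted as an NT-ENTERPRISE principal instead of being rejected. Existing callers that relied on the old rejection as input validation should be checked, and a short comment such as `/* retry as an enterprise principal (name@suffix@REALM) */` above the new `if` would record the intent.
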
@@ -2114,14 +2119,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
 		return code;
 	}
 
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
 	/*
 	 * We need to store the principal as returned from the KDC to the
 	 * credentials cache. If we don't do that the KRB5 library is not
 	 * able to find the tickets it is looking for
 	 */
 	principal = my_creds.client;
-#endif
 	code = krb5_cc_initialize(ctx, cc, principal);
 	if (code) {
 		goto done;
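
Review bot: the comment block above `principal = my_creds.client;` still reads as the MIT-specific justification it was written under; with the `#ifndef SAMBA4_USES_HEIMDAL` guard removed it should state that both libraries may hand back a canonicalized client principal that differs from the one passed in (the point of this series) and that the cache has to be initialized with that name. Since `principal` now aliases `my_creds.client` on both builds, it is worth confirming that the `done:` path does not free the two separately.
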
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 7841377fdd6..3ad70d3c4cd 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -862,6 +862,10 @@ static int wbc_auth_error_to_pam_error(struct pwb_context *ctx,
 	}
 
 	ret = wbc_error_to_pam_error(status);
+	_pam_log(ctx, LOG_ERR,
+		 "request %s failed: %s, PAM error: %s (%d)!",
+		 fn, wbcErrorString(status),
+		 _pam_error_code_str(ret), ret);
 	return pam_winbind_request_log(ctx, ret, username, fn);
 }
 
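
Review bot: the new `_pam_log(ctx, LOG_ERR, ...)` sits directly above `pam_winbind_request_log(ctx, ret, username, fn)`, which already logs the outcome of the request, so every non-auth failure will now produce two syslog entries; consider folding the wbcErrorString()/PAM error detail into that existing call, or lowering this one to LOG_DEBUG. The new message also omits the username that the following call has, so anyone correlating the two entries has to rely on their ordering.
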
diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
index 68b05b30d7d..708f408f768 100644
--- a/python/samba/tests/pam_winbind.py
+++ b/python/samba/tests/pam_winbind.py
@@ -26,11 +26,17 @@ class SimplePamTests(samba.tests.TestCase):
         domain = os.environ["DOMAIN"]
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
 
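
Review bot: the `if domain != "": ... else: ...` block and the try/except that turns pypamtest.PamTestError into an AssertionError are pasted verbatim into three methods of this file and again into pam_winbind_chauthtok.py and pam_winbind_warn_pwd_expire.py; a small helper in samba.tests (one that builds unix_username from DOMAIN/USERNAME and one that wraps run_pamtest) would keep the five copies from drifting apart. Minor: `"%s" % username` is just `username`, and `raise AssertionError(str(e))` drops the original traceback, whereas `raise AssertionError(str(e)) from e` keeps it.
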
@@ -38,11 +44,17 @@ class SimplePamTests(samba.tests.TestCase):
         domain = os.environ["DOMAIN"]
         username = os.environ["USERNAME"]
         password = "WrongPassword"
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 7  # PAM_AUTH_ERR
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
 
@@ -52,6 +64,9 @@ class SimplePamTests(samba.tests.TestCase):
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py
index e5be3a83ce7..c1d569b3cd0 100644
--- a/python/samba/tests/pam_winbind_chauthtok.py
+++ b/python/samba/tests/pam_winbind_chauthtok.py
@@ -27,10 +27,16 @@ class PamChauthtokTests(samba.tests.TestCase):
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
         newpassword = os.environ["NEWPASSWORD"]
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0 # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py
index df60bc5ace6..56f5da94f98 100644
--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
@@ -27,11 +27,17 @@ class PasswordExpirePamTests(samba.tests.TestCase):
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
         warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"])
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
         if warn_pwd_expire == 0:
diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh
index 0406b108b31..755e67280fa 100755
--- a/python/samba/tests/test_pam_winbind.sh
+++ b/python/samba/tests/test_pam_winbind.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
 export PASSWORD
 shift 3
 
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
 pam_winbind="$BINDIR/shared/pam_winbind.so"
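
Review bot: the script now consumes a fourth positional argument as PAM_OPTIONS with no check that it was supplied; an older caller that still passes three arguments sets PAM_OPTIONS to the empty string and, unless the script runs under set -e, the failing `shift 1` goes unnoticed, so the test silently runs with default options instead of erroring out. A `[ $# -ge 1 ] || { echo "usage: $0 ... PAM_OPTIONS" >&2; exit 1; }` before the assignment, or at least an updated usage comment at the top of the script, would make the new contract visible.
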
@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
 service_file="$service_dir/samba"
 
 mkdir $service_dir
-echo "auth        required    $pam_winbind debug debug_state" > $service_file
-echo "account     required    $pam_winbind debug debug_state" >> $service_file
-echo "password    required    $pam_winbind debug debug_state" >> $service_file
-echo "session     required    $pam_winbind debug debug_state" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "password    required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
 
 PAM_WRAPPER="1"
 export PAM_WRAPPER
diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh
index 5887699300a..48adc81859d 100755
--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
 export PAM_WRAPPER_DEBUGLEVEL
 
 case $PAM_OPTIONS in
-    use_authtok)
+    *use_authtok*)
         PAM_AUTHTOK="$NEWPASSWORD"
         export PAM_AUTHTOK
     ;;
-    try_authtok)
+    *try_authtok*)
         PAM_AUTHTOK="$NEWPASSWORD"
         export PAM_AUTHTOK
     ;;
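
Review bot: the two case arms `*use_authtok*)` and `*try_authtok*)` run identical bodies and can be combined as `*use_authtok*|*try_authtok*)`. The leading wildcard is needed now that PAM_OPTIONS can carry several space-separated options, but `*use_authtok*` also matches any option name that merely contains that substring; matching on word boundaries, e.g. `case " $PAM_OPTIONS " in *" use_authtok "*|*" try_authtok "*)`, is more precise.
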
diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
index 16dede44227..348d2ae8387 100755
--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
 export PASSWORD
 shift 3
 
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
 pam_winbind="$BINDIR/shared/pam_winbind.so"
@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL
 WARN_PWD_EXPIRE="50"
 export WARN_PWD_EXPIRE
 
-echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
 
 PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
 exit_code=$?
@@ -54,10 +58,10 @@ fi
 WARN_PWD_EXPIRE="0"
 export WARN_PWD_EXPIRE
 
-echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
 
 PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
 exit_code=$?
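
Review bot: the four-line service-file block is now written out twice in this script (once per WARN_PWD_EXPIRE value) and once more in test_pam_winbind.sh, and each copy repeats `$PAM_OPTIONS` four times; a `write_service_file()` function looping over `auth account password session`, taking the extra options as an argument, would leave a single place to update the next time the module line changes.
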
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 996bdae188a..d933faba1d5 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -724,6 +724,28 @@ my @exported_envvars = (
 	"TRUST_REALM",
 	"TRUST_DOMSID",
 
+	# stuff related to a trusted domain, on a trust_member
+	# the domain behind a forest trust (two-way)
+	"TRUST_F_BOTH_SERVER",
+	"TRUST_F_BOTH_SERVER_IP",
+	"TRUST_F_BOTH_SERVER_IPV6",
+	"TRUST_F_BOTH_NETBIOSNAME",
+	"TRUST_F_BOTH_USERNAME",
+	"TRUST_F_BOTH_PASSWORD",
+	"TRUST_F_BOTH_DOMAIN",
+	"TRUST_F_BOTH_REALM",
+
+	# stuff related to a trusted domain, on a trust_member
+	# the domain behind an external trust (two-way)
+	"TRUST_E_BOTH_SERVER",
+	"TRUST_E_BOTH_SERVER_IP",
+	"TRUST_E_BOTH_SERVER_IPV6",
+	"TRUST_E_BOTH_NETBIOSNAME",
+	"TRUST_E_BOTH_USERNAME",
+	"TRUST_E_BOTH_PASSWORD",
+	"TRUST_E_BOTH_DOMAIN",
+	"TRUST_E_BOTH_REALM",
+
 	# domain controller stuff
 	"DC_SERVER",
 	"DC_SERVER_IP",
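
Review bot: both new comment blocks say "on a trust_member", but the TRUST_F_BOTH_* and TRUST_E_BOTH_* variables are populated by setup_ad_member in selftest/target/Samba3.pm (see the hunk in that file below), so the comment should name ad_member. Also note that the list includes TRUST_F_BOTH_PASSWORD and TRUST_E_BOTH_PASSWORD, i.e. the trusted-domain admin passwords are exported into the environment of every test in that target; this is consistent with the existing TRUST_PASSWORD entry but worth remembering for any test that dumps its environment into logs.
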
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 7c9fdfc6889..fab8c146f34 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -181,7 +181,7 @@ sub check_env($$)
 
 	nt4_member          => ["nt4_dc"],
 
-	ad_member           => ["ad_dc"],
+	ad_member           => ["ad_dc", "fl2008r2dc", "fl2003dc"],
 	ad_member_rfc2307   => ["ad_dc_ntvfs"],
 	ad_member_idmap_rid => ["ad_dc"],
 	ad_member_idmap_ad  => ["fl2008r2dc"],
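
Review bot: the mapping between the dependency order added here (`"ad_dc", "fl2008r2dc", "fl2003dc"`) and the `$trustvars_f`/`$trustvars_e` parameters that setup_ad_member gains in the next hunk is purely positional; a comment on this line saying which environment is the forest trust and which the external trust would keep a later edit from swapping them silently.
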
@@ -369,7 +369,7 @@ sub setup_nt4_member
 
 sub setup_ad_member
 {
-	my ($self, $prefix, $dcvars) = @_;
+	my ($self, $prefix, $dcvars, $trustvars_f, $trustvars_e) = @_;
 
 	my $prefix_abs = abs_path($prefix);
 	my @dirs = ();
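
Review bot: the new `$trustvars_f` and `$trustvars_e` parameters are positional and unchecked; any other caller of setup_ad_member that still passes only `($prefix, $dcvars)` leaves both undefined, and the assignments further down (`$trustvars_f->{SERVER}` and friends) then silently store undef in the returned environment hash. A `die` or a `defined` guard on the two hashrefs at the top of the sub would surface that at setup time rather than as an unexplained test failure.
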
@@ -416,6 +416,8 @@ sub setup_ad_member
 	template homedir = /home/%D/%G/%U
 	auth event notification = true
 	password server = $dcvars->{SERVER}
+	winbind scan trusted domains = no
+	winbind use krb5 enterprise principals = yes
 
 [sub_dug]
 	path = $share_dir/D_%D/U_%U/G_%G
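
Review bot: adding `winbind scan trusted domains = no` and `winbind use krb5 enterprise principals = yes` to the shared ad_member smb.conf changes the behaviour of every test that runs in that environment, not only the new pam_winbind ones; any existing ad_member test that depended on winbindd having enumerated the trusted domains now needs its own environment or a knownfail entry, and that should be stated in the commit message of e2737a74d44.
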
@@ -493,6 +495,26 @@ sub setup_ad_member
 	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
 	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
 
+	# forest trust
+	$ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER};
+	$ret->{TRUST_F_BOTH_SERVER_IP} = $trustvars_f->{SERVER_IP};
+	$ret->{TRUST_F_BOTH_SERVER_IPV6} = $trustvars_f->{SERVER_IPV6};
+	$ret->{TRUST_F_BOTH_NETBIOSNAME} = $trustvars_f->{NETBIOSNAME};
+	$ret->{TRUST_F_BOTH_USERNAME} = $trustvars_f->{USERNAME};
+	$ret->{TRUST_F_BOTH_PASSWORD} = $trustvars_f->{PASSWORD};
+	$ret->{TRUST_F_BOTH_DOMAIN} = $trustvars_f->{DOMAIN};
+	$ret->{TRUST_F_BOTH_REALM} = $trustvars_f->{REALM};
+
+	# external trust
+	$ret->{TRUST_E_BOTH_SERVER} = $trustvars_e->{SERVER};
+	$ret->{TRUST_E_BOTH_SERVER_IP} = $trustvars_e->{SERVER_IP};
+	$ret->{TRUST_E_BOTH_SERVER_IPV6} = $trustvars_e->{SERVER_IPV6};
+	$ret->{TRUST_E_BOTH_NETBIOSNAME} = $trustvars_e->{NETBIOSNAME};
+	$ret->{TRUST_E_BOTH_USERNAME} = $trustvars_e->{USERNAME};
+	$ret->{TRUST_E_BOTH_PASSWORD} = $trustvars_e->{PASSWORD};
+	$ret->{TRUST_E_BOTH_DOMAIN} = $trustvars_e->{DOMAIN};
+	$ret->{TRUST_E_BOTH_REALM} = $trustvars_e->{REALM};
+
 	return $ret;
 }
 
diff --git a/selftest/tests.py b/selftest/tests.py
index 3377e7826bd..69b1d4c7d0c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -213,27 +213,156 @@ planpythontestsuite("none", "samba.tests.tdb_util")
 planpythontestsuite("none", "samba.tests.samdb_api")
 
 if with_pam:
-    plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$SERVER", "$USERNAME", "$PASSWORD"])
-    plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
-
-    for pam_options in ["''", "use_authtok", "try_authtok"]:
-        plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member",
-                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
-                       valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
-                       "$DOMAIN", "TestPamOptionsUser", "oldp at ssword0", "newp at ssword0",
-                       pam_options, 'yes',
-                       "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
-
-    plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member",
-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$DOMAIN", "alice", "Secret007"])
+    env = "ad_member"
+    options = [
+        {
+            "description": "krb5",
+            "pam_options": "krb5_auth krb5_ccache_type=FILE",
+        },
+        {
+            "description": "default",
+            "pam_options": "",
+        },
+    ]
+    for o in options:
+        description = o["description"]
+        pam_options = "'%s'" % o["pam_options"]
+
+        plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$SERVER", "$USERNAME", "$PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$REALM", "$DC_USERNAME", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both1+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$TRUST_F_BOTH_DOMAIN",
+                       "$TRUST_F_BOTH_USERNAME",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both2+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$TRUST_F_BOTH_REALM",
+                       "$TRUST_F_BOTH_USERNAME",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both3+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''",
+                       "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both4+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''",
+                       "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both5+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "${TRUST_F_BOTH_REALM}",
+                       "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both6+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "${TRUST_F_BOTH_DOMAIN}",
+                       "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_e_both1+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$TRUST_E_BOTH_DOMAIN",
+                       "$TRUST_E_BOTH_USERNAME",
+                       "$TRUST_E_BOTH_PASSWORD",
+                       pam_options])
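Review bot: the removed samba.tests.pam_winbind_chauthtok suites (the three pam_options variants '' / use_authtok / try_authtok) and samba.tests.pam_winbind_warn_pwd_expire(domain) do not reappear anywhere in the visible part of the hunk; if they are not re-added further down, password-change and expiry-warning coverage is lost by this change and that should be called out in the commit message. Separately, the added plantestsuite calls are near-identical and differ only in the domain/username/password triple and the label suffix; a list of `(label, domain, username, password)` tuples iterated inside the `for o in options:` loop would keep the matrix readable, make the local/domain/trust_f/trust_e variations visible at a glance and turn each new username variation into a one-line addition rather than a six-line copy.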


-- 
Samba Shared Repository


