[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Tue Sep 24 19:52:02 UTC 2019
The branch, master has been updated
via 0ee085b5948 selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
via e2737a74d44 selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
via ad6f0e056ac selftest/tests.py: test pam_winbind for trusts domains
via 13e3811c951 selftest: Export TRUST information in the ad_member target environment
via f07b542c61f selftest/tests.py: test pam_winbind with a lot of username variations
via 36e95e42ea8 selftest/tests.py: test pam_winbind with krb5_auth
via 72daf99fd1f selftest/tests.py: prepare looping over pam_winbindd tests
via 3d38a8e9135 test_pam_winbind.sh: allow different pam_winbindd config options to be specified
via 653e9048585 tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
via cd3ffaabb56 tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
via a77be15d283 s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
via 95206523996 docs-xml: add "winbind use krb5 enterprise principals" option
via 3bdf023956e krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
via 303b7e59a28 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
via 162b4199493 s4:auth: kinit_to_ccache() should always use the canonicalized principal
via 5d0bf32ec0a krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
via 0bced73bed4 s3:libads/kerberos: always use the canonicalized principal after kinit
via 6ed18c12c57 s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
via 361fb0efabf s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
via bc473e5cf08 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
via db8fd3d6a31 s4:auth: use the correct client realm in gensec_gssapi_update_internal()
via acbf922fc29 nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
from 4f5c4df316d wscript_build: string concatenation efficiency cleanup
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0ee085b594878f5e0e83839f465303754f015459
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 08:10:26 2019 +0200
selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
This demonstrates that we can do krb5_auth in winbindd without knowing about trusted domains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184
commit e2737a74d4453a3d65e5466ddc4405d68444df27
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 08:02:38 2019 +0200
selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
This demonstrates that we rely on knowing about trusted domains before
we can do krb5_auth in winbindd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit ad6f0e056ac27ab5c078dbdbff44372da05caab2
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 10 14:38:40 2017 +0200
selftest/tests.py: test pam_winbind for trusts domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 13e3811c9510cf213881527877bed40092e0b33c
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 20 11:39:41 2017 +0100
selftest: Export TRUST information in the ad_member target environment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit f07b542c61f84a97c097208e10bf9375ddfa9a15
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 14:03:34 2019 +0200
selftest/tests.py: test pam_winbind with a lot of username variations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 08:08:57 2019 +0200
selftest/tests.py: test pam_winbind with krb5_auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 01:25:23 2019 +0200
selftest/tests.py: prepare looping over pam_winbindd tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 01:25:58 2019 +0200
test_pam_winbind.sh: allow different pam_winbindd config options to be specified
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 653e90485854d978dc522e689cd78c19dcc22a70
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 20 08:13:28 2019 +0200
tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit cd3ffaabb568db26e0de5e83178487e5947c4f09
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 08:04:42 2019 +0200
tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
A failure generated by the AssertionError() checks can be added
to selftest/knownfail.d/*.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit a77be15d28390c5d12202278adbe6b50200a2c1b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 19 15:10:09 2019 +0000
s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
We can use enterprise principals (e.g. upnfromB at B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM)
and delegate the routing decisions to the KDCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 9520652399696010c333a3ce7247809ce5337a91
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 11 16:44:43 2019 +0200
docs-xml: add "winbind use krb5 enterprise principals" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 3bdf023956e861485be70430112ed38d0a5424f7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 15:52:25 2019 +0200
krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 303b7e59a286896888ee2473995fc50bb2b5ce5e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 16:04:30 2019 +0200
s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 162b4199493c1f179e775a325a19ae7a136c418b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 16:04:30 2019 +0200
s4:auth: kinit_to_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 16:04:30 2019 +0200
krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 0bced73bed481a8846a6b3e68be85941914390ba
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 13 16:04:30 2019 +0200
s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 08:49:13 2019 +0200
s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 361fb0efabfb189526c851107eee49161da2293c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 10:08:10 2019 +0200
s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit bc473e5cf088a137395842540ed8eb748373a236
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 17:14:11 2019 +0200
s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 08:05:09 2019 +0200
s4:auth: use the correct client realm in gensec_gssapi_update_internal()
The function gensec_gssapi_client_creds() may call kinit and gets
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use 'given.last at example.com'
but that may be mapped to glast at AD.EXAMPLE.PRIVATE in the background.
It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit acbf922fc2963a42d6cbe652bb32eee231020958
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 18 13:58:46 2019 +0200
nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.../winbind/winbindusekrb5enterpriseprincipals.xml | 34 ++++
lib/krb5_wrap/krb5_samba.c | 7 +-
nsswitch/pam_winbind.c | 4 +
python/samba/tests/pam_winbind.py | 25 ++-
python/samba/tests/pam_winbind_chauthtok.py | 10 +-
python/samba/tests/pam_winbind_warn_pwd_expire.py | 10 +-
python/samba/tests/test_pam_winbind.sh | 12 +-
python/samba/tests/test_pam_winbind_chauthtok.sh | 4 +-
.../tests/test_pam_winbind_warn_pwd_expire.sh | 20 ++-
selftest/target/Samba.pm | 22 +++
selftest/target/Samba3.pm | 26 +++-
selftest/tests.py | 171 ++++++++++++++++++---
source3/libads/authdata.c | 1 +
source3/libads/kerberos.c | 55 +++++--
source3/libads/kerberos_proto.h | 5 +-
source3/libads/kerberos_util.c | 3 +-
source3/libads/krb5_setpw.c | 6 +
source3/libsmb/cliconnect.c | 41 ++++-
source3/utils/net_ads.c | 3 +
source3/winbindd/winbindd_cred_cache.c | 6 +
source3/winbindd/winbindd_pam.c | 57 ++++---
source4/auth/gensec/gensec_gssapi.c | 6 +-
source4/auth/kerberos/kerberos_util.c | 2 +
23 files changed, 438 insertions(+), 92 deletions(-)
create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 00000000000..bfc11c8636c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>winbindd is able to get kerberos tickets for
+ pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+ </para>
+
+ <para>winbindd (at least on a domain member) is never be able
+ to have a complete picture of the trust topology (which is managed by the DCs).
+ There might be uPNSuffixes and msDS-SPNSuffixes values,
+ which don't belong to any AD domain at all.
+ </para>
+
+ <para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
+ winbindd don't even get an incomplete picture of the topology.
+ </para>
+
+ <para>It is not really required to know about the trust topology.
+ We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
+ and use enterprise principals e.g. upnfromB at B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
+ and follow the WRONG_REALM referrals in order to find the correct DC.
+ The final principal might be userfromB at INTERNALB.EXAMPLE.PRIVATE.
+ </para>
+
+ <para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
+ winbindd enterprise principals will be used.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
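Review bot: the description text has grammar slips that will appear verbatim in smb.conf(5): in the second paragraph "is never be able" should read "is never able", in the third "winbindd don't even get" should be "winbindd doesn't even get", and in the last paragraph "winbindd enterprise principals will be used" reads better as "winbindd will use enterprise principals". It would also help administrators to state plainly that with this option the KDCs of the primary domain, not winbindd, decide which realm a UPN suffix belongs to, since that is the trade-off against scanning trusted domains that the option is really about.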
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 72889fffcf0..a4e73c64f00 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
}
ret = krb5_parse_name(context, utf8_name, principal);
+ if (ret == KRB5_PARSE_MALFORMED) {
+ ret = krb5_parse_name_flags(context, utf8_name,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+ principal);
+ }
TALLOC_FREE(frame);
return ret;
}
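Review bot: the fallback in smb_krb5_parse_name() deserves a comment: a name that krb5_parse_name() rejects with KRB5_PARSE_MALFORMED (for example one containing two '@' characters) is now retried as an enterprise principal, and the caller gets no indication that the interpretation changed. Note also that the second call overwrites ret, so when the enterprise parse fails too the original KRB5_PARSE_MALFORMED is replaced by whatever krb5_parse_name_flags() returns; any caller that matches on that specific code should be checked.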
@@ -2114,14 +2119,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
return code;
}
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
/*
* We need to store the principal as returned from the KDC to the
* credentials cache. If we don't do that the KRB5 library is not
* able to find the tickets it is looking for
*/
principal = my_creds.client;
-#endif
code = krb5_cc_initialize(ctx, cc, principal);
if (code) {
goto done;
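Review bot: the comment above `principal = my_creds.client;` still reads as if it described an MIT-only quirk; now that the #ifndef SAMBA4_USES_HEIMDAL guard is gone it should say that both MIT and Heimdal return the canonicalized client principal in my_creds.client once krb5_get_init_creds_opt_set_canonicalize() is in effect, and that this is why the caller's principal is replaced before krb5_cc_initialize(). The hunk does not show whether the principal passed in by the caller needs to be released on the Heimdal path now that it is no longer used; a one-line note either way would prevent a leak being introduced later.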
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 7841377fdd6..3ad70d3c4cd 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -862,6 +862,10 @@ static int wbc_auth_error_to_pam_error(struct pwb_context *ctx,
}
ret = wbc_error_to_pam_error(status);
+ _pam_log(ctx, LOG_ERR,
+ "request %s failed: %s, PAM error: %s (%d)!",
+ fn, wbcErrorString(status),
+ _pam_error_code_str(ret), ret);
return pam_winbind_request_log(ctx, ret, username, fn);
}
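Review bot: the new _pam_log() call is unconditional within this hunk, so unless the authentication-failure statuses return before reaching it (not visible here), every wrong-password attempt would emit a LOG_ERR line on top of what pam_winbind_request_log() already logs. If those statuses do return earlier, a short comment saying that only non-auth errors reach this point would make the intent stated in the commit title explicit in the code.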
diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
index 68b05b30d7d..708f408f768 100644
--- a/python/samba/tests/pam_winbind.py
+++ b/python/samba/tests/pam_winbind.py
@@ -26,11 +26,17 @@ class SimplePamTests(samba.tests.TestCase):
domain = os.environ["DOMAIN"]
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
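Review bot: the domain/username composition and the try/except wrapper are copy-pasted into three methods of this file and into two further test files in this series; a small helper (for instance a `unix_name(domain, username)` function and a `run_pamtest` wrapper in samba.tests) would remove the duplication. Two smaller points: `"%s" % username` is just `username`, and `raise AssertionError(str(e))` discards the original traceback, so `raise AssertionError(str(e)) from e` would keep it available when a test fails.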
@@ -38,11 +44,17 @@ class SimplePamTests(samba.tests.TestCase):
domain = os.environ["DOMAIN"]
username = os.environ["USERNAME"]
password = "WrongPassword"
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 7 # PAM_AUTH_ERR
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
@@ -52,6 +64,9 @@ class SimplePamTests(samba.tests.TestCase):
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py
index e5be3a83ce7..c1d569b3cd0 100644
--- a/python/samba/tests/pam_winbind_chauthtok.py
+++ b/python/samba/tests/pam_winbind_chauthtok.py
@@ -27,10 +27,16 @@ class PamChauthtokTests(samba.tests.TestCase):
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
newpassword = os.environ["NEWPASSWORD"]
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py
index df60bc5ace6..56f5da94f98 100644
--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
@@ -27,11 +27,17 @@ class PasswordExpirePamTests(samba.tests.TestCase):
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"])
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
if warn_pwd_expire == 0:
diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh
index 0406b108b31..755e67280fa 100755
--- a/python/samba/tests/test_pam_winbind.sh
+++ b/python/samba/tests/test_pam_winbind.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
export PASSWORD
shift 3
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
pam_winbind="$BINDIR/shared/pam_winbind.so"
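Review bot: the script now requires a fourth positional argument, but nothing guards against it being absent; a `shift 1` with no remaining argument fails with a terse shell error rather than a usage message. Checking `$#` before the shift, or defaulting with `PAM_OPTIONS="${1:-}"` and only shifting when an argument is present, would make the failure mode clear, and any usage comment at the top of the script should list the new argument.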
@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
service_file="$service_dir/samba"
mkdir $service_dir
-echo "auth required $pam_winbind debug debug_state" > $service_file
-echo "account required $pam_winbind debug debug_state" >> $service_file
-echo "password required $pam_winbind debug debug_state" >> $service_file
-echo "session required $pam_winbind debug debug_state" >> $service_file
+echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
+echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
PAM_WRAPPER="1"
export PAM_WRAPPER
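Review bot: the four echo lines differ only in the service type, and the same pattern is now repeated twice more in test_pam_winbind_warn_pwd_expire.sh; a loop such as `for t in auth account password session; do echo "$t required $pam_winbind debug debug_state $PAM_OPTIONS"; done > "$service_file"` would keep the option list in one place. Also $service_dir and $service_file are unquoted in `mkdir` and in the redirections; quoting them costs nothing and protects against a SELFTEST_TMPDIR containing spaces.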
diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh
index 5887699300a..48adc81859d 100755
--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
export PAM_WRAPPER_DEBUGLEVEL
case $PAM_OPTIONS in
- use_authtok)
+ *use_authtok*)
PAM_AUTHTOK="$NEWPASSWORD"
export PAM_AUTHTOK
;;
- try_authtok)
+ *try_authtok*)
PAM_AUTHTOK="$NEWPASSWORD"
export PAM_AUTHTOK
;;
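Review bot: both case branches now perform the identical assignment, so they can be merged into `*use_authtok*|*try_authtok*)`; as written a reader cannot tell that the same behaviour is intentional. The substring globs are what the new space-separated PAM_OPTIONS needs, but they would also fire for any hypothetical future option whose name merely contains "use_authtok"; matching on word boundaries (e.g. `use_authtok|*" use_authtok"*`) avoids that.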
diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
index 16dede44227..348d2ae8387 100755
--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
export PASSWORD
shift 3
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
pam_winbind="$BINDIR/shared/pam_winbind.so"
@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL
WARN_PWD_EXPIRE="50"
export WARN_PWD_EXPIRE
-echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
exit_code=$?
@@ -54,10 +58,10 @@ fi
WARN_PWD_EXPIRE="0"
export WARN_PWD_EXPIRE
-echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
exit_code=$?
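Review bot: the two echo blocks (WARN_PWD_EXPIRE=50 and WARN_PWD_EXPIRE=0) are identical apart from the variable value, and the `PYTHONPATH=... $PYTHON -m samba.subunit.run` line is duplicated with them; a shell function that writes the service file and runs the suite, called twice, would avoid keeping eight echo lines in sync and could be shared with test_pam_winbind.sh.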
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 996bdae188a..d933faba1d5 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -724,6 +724,28 @@ my @exported_envvars = (
"TRUST_REALM",
"TRUST_DOMSID",
+ # stuff related to a trusted domain, on a trust_member
+ # the domain behind a forest trust (two-way)
+ "TRUST_F_BOTH_SERVER",
+ "TRUST_F_BOTH_SERVER_IP",
+ "TRUST_F_BOTH_SERVER_IPV6",
+ "TRUST_F_BOTH_NETBIOSNAME",
+ "TRUST_F_BOTH_USERNAME",
+ "TRUST_F_BOTH_PASSWORD",
+ "TRUST_F_BOTH_DOMAIN",
+ "TRUST_F_BOTH_REALM",
+
+ # stuff related to a trusted domain, on a trust_member
+ # the domain behind an external trust (two-way)
+ "TRUST_E_BOTH_SERVER",
+ "TRUST_E_BOTH_SERVER_IP",
+ "TRUST_E_BOTH_SERVER_IPV6",
+ "TRUST_E_BOTH_NETBIOSNAME",
+ "TRUST_E_BOTH_USERNAME",
+ "TRUST_E_BOTH_PASSWORD",
+ "TRUST_E_BOTH_DOMAIN",
+ "TRUST_E_BOTH_REALM",
+
# domain controller stuff
"DC_SERVER",
"DC_SERVER_IP",
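Review bot: both new comment blocks say "on a trust_member", but according to the commit title and the Samba3.pm hunk these variables are exported for the ad_member target; the comment should name the environment that actually provides them. Spelling out that F and E stand for forest trust and external trust in the comment would also save readers inferring it from the rest of the series.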
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 7c9fdfc6889..fab8c146f34 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -181,7 +181,7 @@ sub check_env($$)
nt4_member => ["nt4_dc"],
- ad_member => ["ad_dc"],
+ ad_member => ["ad_dc", "fl2008r2dc", "fl2003dc"],
ad_member_rfc2307 => ["ad_dc_ntvfs"],
ad_member_idmap_rid => ["ad_dc"],
ad_member_idmap_ad => ["fl2008r2dc"],
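Review bot: ad_member now depends on three DC environments, which makes it the most expensive member environment to bring up; a short comment naming why each extra DC is required (presumably fl2008r2dc as the forest-trust partner and fl2003dc as the external-trust partner, matching the order of the new setup_ad_member parameters) would help anyone later trimming dependencies.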
@@ -369,7 +369,7 @@ sub setup_nt4_member
sub setup_ad_member
{
- my ($self, $prefix, $dcvars) = @_;
+ my ($self, $prefix, $dcvars, $trustvars_f, $trustvars_e) = @_;
my $prefix_abs = abs_path($prefix);
my @dirs = ();
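Review bot: the signature gains $trustvars_f and $trustvars_e, but the hunk shows no defined() check before they are dereferenced later in the function; a caller still passing three arguments would silently produce empty TRUST_*_BOTH_* values rather than failing. A `die` when either is undef would turn that into an early and clear error.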
@@ -416,6 +416,8 @@ sub setup_ad_member
template homedir = /home/%D/%G/%U
auth event notification = true
password server = $dcvars->{SERVER}
+ winbind scan trusted domains = no
+ winbind use krb5 enterprise principals = yes
[sub_dug]
path = $share_dir/D_%D/U_%U/G_%G
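Review bot: setting `winbind scan trusted domains = no` and `winbind use krb5 enterprise principals = yes` in the ad_member smb.conf means the default configuration (option off, trusted domains scanned) no longer has pam_winbind krb5_auth coverage in this environment; unless another environment keeps the defaults, consider leaving one member environment unchanged so that regressions in the non-enterprise path are still caught.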
@@ -493,6 +495,26 @@ sub setup_ad_member
$ret->{DC_USERNAME} = $dcvars->{USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+ # forest trust
+ $ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER};
+ $ret->{TRUST_F_BOTH_SERVER_IP} = $trustvars_f->{SERVER_IP};
+ $ret->{TRUST_F_BOTH_SERVER_IPV6} = $trustvars_f->{SERVER_IPV6};
+ $ret->{TRUST_F_BOTH_NETBIOSNAME} = $trustvars_f->{NETBIOSNAME};
+ $ret->{TRUST_F_BOTH_USERNAME} = $trustvars_f->{USERNAME};
+ $ret->{TRUST_F_BOTH_PASSWORD} = $trustvars_f->{PASSWORD};
+ $ret->{TRUST_F_BOTH_DOMAIN} = $trustvars_f->{DOMAIN};
+ $ret->{TRUST_F_BOTH_REALM} = $trustvars_f->{REALM};
+
+ # external trust
+ $ret->{TRUST_E_BOTH_SERVER} = $trustvars_e->{SERVER};
+ $ret->{TRUST_E_BOTH_SERVER_IP} = $trustvars_e->{SERVER_IP};
+ $ret->{TRUST_E_BOTH_SERVER_IPV6} = $trustvars_e->{SERVER_IPV6};
+ $ret->{TRUST_E_BOTH_NETBIOSNAME} = $trustvars_e->{NETBIOSNAME};
+ $ret->{TRUST_E_BOTH_USERNAME} = $trustvars_e->{USERNAME};
+ $ret->{TRUST_E_BOTH_PASSWORD} = $trustvars_e->{PASSWORD};
+ $ret->{TRUST_E_BOTH_DOMAIN} = $trustvars_e->{DOMAIN};
+ $ret->{TRUST_E_BOTH_REALM} = $trustvars_e->{REALM};
+
return $ret;
}
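Review bot: the sixteen assignments duplicate the key list from Samba.pm; iterating over `qw(SERVER SERVER_IP SERVER_IPV6 NETBIOSNAME USERNAME PASSWORD DOMAIN REALM)` and building the TRUST_F_BOTH_ and TRUST_E_BOTH_ names would keep both files in sync when a field is added. Note also that the exported values include the trusted domains' credentials (TRUST_*_BOTH_PASSWORD); this is consistent with DC_PASSWORD already being exported, but worth remembering when selftest environment dumps are attached to bug reports.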
diff --git a/selftest/tests.py b/selftest/tests.py
index 3377e7826bd..69b1d4c7d0c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -213,27 +213,156 @@ planpythontestsuite("none", "samba.tests.tdb_util")
planpythontestsuite("none", "samba.tests.samdb_api")
if with_pam:
- plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
- valgrindify(python), pam_wrapper_so_path,
- "$SERVER", "$USERNAME", "$PASSWORD"])
- plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
- valgrindify(python), pam_wrapper_so_path,
- "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
-
- for pam_options in ["''", "use_authtok", "try_authtok"]:
- plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member",
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
- valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
- "$DOMAIN", "TestPamOptionsUser", "oldp at ssword0", "newp at ssword0",
- pam_options, 'yes',
- "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
-
- plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member",
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
- valgrindify(python), pam_wrapper_so_path,
- "$DOMAIN", "alice", "Secret007"])
+ env = "ad_member"
+ options = [
+ {
+ "description": "krb5",
+ "pam_options": "krb5_auth krb5_ccache_type=FILE",
+ },
+ {
+ "description": "default",
+ "pam_options": "",
+ },
+ ]
+ for o in options:
+ description = o["description"]
+ pam_options = "'%s'" % o["pam_options"]
+
+ plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$SERVER", "$USERNAME", "$PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$REALM", "$DC_USERNAME", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both1+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$TRUST_F_BOTH_DOMAIN",
+ "$TRUST_F_BOTH_USERNAME",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both2+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$TRUST_F_BOTH_REALM",
+ "$TRUST_F_BOTH_USERNAME",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both3+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''",
+ "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both4+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''",
+ "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both5+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "${TRUST_F_BOTH_REALM}",
+ "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both6+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "${TRUST_F_BOTH_DOMAIN}",
+ "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_e_both1+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$TRUST_E_BOTH_DOMAIN",
+ "$TRUST_E_BOTH_USERNAME",
+ "$TRUST_E_BOTH_PASSWORD",
+ pam_options])
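Review bot: the test matrix is written as one plantestsuite() call per (domain, username) variation; a list of tuples iterated inside the existing `for o in options` loop would make the intent (same script, same options, varying name forms) obvious and turn a new trust_e_both2..6 set into a one-line addition. The `-` lines also remove the pam_winbind_chauthtok and pam_winbind_warn_pwd_expire registrations, and because the changeset is truncated at 500 lines their replacements cannot be verified here; the part of the diff not shown should be checked for them being re-added with the new PAM_OPTIONS argument. Finally, passing "''" as the domain relies on the runner applying shell quoting so that an empty string reaches test_pam_winbind.sh; a comment noting that dependency would help.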