[SCM] Samba Shared Repository - branch v4-10-test updated

Karolin Seeger kseeger at samba.org
Thu Sep 26 04:50:05 UTC 2019


The branch, v4-10-test has been updated
       via  f19881f6198 fault.c: improve fault_report message text pointing to our wiki
       via  56379945161 selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
       via  abd2d22cdda selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
       via  fd097f0b3bb selftest/tests.py: test pam_winbind with a lot of username variations
       via  fe13bfcdfdc selftest/tests.py: test pam_winbind with krb5_auth
       via  9bb73edc69c selftest/tests.py: prepare looping over pam_winbindd tests
       via  8118fc89262 test_pam_winbind.sh: allow different pam_winbindd config options to be specified
       via  6bc0549bfde tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
       via  f2283616011 tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
       via  956618ac6da s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
       via  4760bbaae22 docs-xml: add "winbind use krb5 enterprise principals" option
       via  aa1e8e53551 krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
       via  d7f0baf2f54 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
       via  73608fced20 s4:auth: kinit_to_ccache() should always use the canonicalized principal
       via  be9ea381530 krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
       via  03477632b62 s3:libads/kerberos: always use the canonicalized principal after kinit
       via  aeaffacb9c8 s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
       via  45a078db792 s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
       via  e620cad350e s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
       via  9f2d5ae0c59 s4:auth: use the correct client realm in gensec_gssapi_update_internal()
       via  05eb45e1d37 s3/libads: clang: Fix Value stored to 'canon_princ' is never read
      from  eaecffd63db classicupgrade: fix a a bytes-like object is required, not 'str' error

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test


- Log -----------------------------------------------------------------
commit f19881f6198a006a281a11ea2f2952213c213e08
Author: Björn Jacke <bj at sernet.de>
Date:   Mon Sep 23 08:57:33 2019 +0200

    fault.c: improve fault_report message text pointing to our wiki
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14139
    
    Signed-off-by: Bjoern Jacke <bjacke at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit ec4c5975528f3d3ab9c8813e176c6d1a2f1ca506)
    
    Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-10-test): Thu Sep 26 04:49:25 UTC 2019 on sn-devel-144

commit 563799451611d0c452cd639a1c31c03474252672
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 08:10:26 2019 +0200

    selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
    
    This demonstrates that we can do krb5_auth in winbindd without knowing about trusted domains.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184
    
    (similar to commit 0ee085b594878f5e0e83839f465303754f015459)

commit abd2d22cdda79baf89a9115c17aeae2d91695e26
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 08:02:38 2019 +0200

    selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
    
    This demonstrates that we rely on knowing about trusted domains before
    we can do krb5_auth in winbindd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (similar to commit e2737a74d4453a3d65e5466ddc4405d68444df27)

commit fd097f0b3bb9560a59f7d7e6ef50d113fcff6641
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 14:03:34 2019 +0200

    selftest/tests.py: test pam_winbind with a lot of username variations
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit f07b542c61f84a97c097208e10bf9375ddfa9a15)

commit fe13bfcdfdcb3590df1da5fd592c6c2e15935d53
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 08:08:57 2019 +0200

    selftest/tests.py: test pam_winbind with krb5_auth
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6)

commit 9bb73edc69c1b8d58f56ce7ad0f55c3373fd5d4c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 01:25:23 2019 +0200

    selftest/tests.py: prepare looping over pam_winbindd tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc)

commit 8118fc89262b5113121db40df71b54f47ce47041
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 01:25:58 2019 +0200

    test_pam_winbind.sh: allow different pam_winbindd config options to be specified
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1)

commit 6bc0549bfdee6ce28987eeb82201787dcf0f0f62
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 20 08:13:28 2019 +0200

    tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 653e90485854d978dc522e689cd78c19dcc22a70)

commit f2283616011a4a39aeb97cb865b87aebca7c39e6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 18 08:04:42 2019 +0200

    tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
    
    A failure generated by the AssertionError() checks can be added
    to selftest/knownfail.d/*.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit cd3ffaabb568db26e0de5e83178487e5947c4f09)

commit 956618ac6da407a6ac0b60b5165b4050775fa2ab
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 19 15:10:09 2019 +0000

    s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
    
    We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM)
    and delegate the routing decisions to the KDCs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b)
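
The enterprise principal form named in this commit message, as an added example that is not Samba's code: a Python model of the two principal-parsing modes, where the plain parse rejects a second unescaped '@' as malformed and the enterprise parse keeps everything before the last unescaped '@' as one name component, with a retry-on-malformed wrapper. The class and function names are the example's own; the parsing rules follow MIT krb5 behaviour (backslash escapes, '@' as realm separator) and are not taken from Samba.

```python
"""Model of Kerberos principal parsing with and without the enterprise flag.

Added example, not Samba code. Plain parsing splits name and realm at an
unescaped '@' and treats a second unescaped '@' as malformed; enterprise
parsing keeps everything up to the LAST unescaped '@' as a single name
component, so upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM becomes the name
"upnfromB@B.EXAMPLE.COM" in realm PRIMARY.A.EXAMPLE.COM.
"""
from dataclasses import dataclass
from typing import List, Optional


class ParseMalformed(ValueError):
    """Stands in for the KRB5_PARSE_MALFORMED error code."""


@dataclass
class Principal:
    components: List[str]      # name components ("host", "dc1.example.com")
    realm: Optional[str]       # None when the text carried no realm
    enterprise: bool = False   # True when parsed as an enterprise principal


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on unescaped sep; escape sequences are kept intact in the pieces."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep "\x" so later splits still see it
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(piece: str) -> str:
    """Turn "\\@" into "@" (and so on) once splitting is finished."""
    out: List[str] = []
    i = 0
    while i < len(piece):
        if piece[i] == "\\" and i + 1 < len(piece):
            out.append(piece[i + 1])
            i += 2
        else:
            out.append(piece[i])
            i += 1
    return "".join(out)


def parse_principal(text: str, enterprise: bool = False) -> Principal:
    """Parse text as a plain principal, or as an enterprise principal."""
    parts = _split_unescaped(text, "@")
    if enterprise:
        # Enterprise form: only the last unescaped '@' separates the realm,
        # and the name is a single component that may itself contain '@'.
        if len(parts) == 1:
            name, realm = parts[0], None
        else:
            name, realm = "@".join(parts[:-1]), parts[-1]
        if name == "":
            raise ParseMalformed(text)
        return Principal([_unescape(name)],
                         None if realm is None else _unescape(realm), True)
    if len(parts) > 2:
        # A second unescaped '@' would sit inside the realm: malformed.
        raise ParseMalformed(text)
    name = parts[0]
    realm = parts[1] if len(parts) == 2 else None
    components = [_unescape(c) for c in _split_unescaped(name, "/")]
    return Principal(components, None if realm is None else _unescape(realm))


def parse_name_with_fallback(text: str) -> Principal:
    """Plain parse first; only a malformed result triggers the enterprise retry."""
    try:
        return parse_principal(text)
    except ParseMalformed:
        return parse_principal(text, enterprise=True)


def rejects_plain_parse(text: str) -> bool:
    """True when the plain (non-enterprise) parse reports the text as malformed."""
    try:
        parse_principal(text)
    except ParseMalformed:
        return True
    return False


if __name__ == "__main__":
    for sample in ("host/dc1.example.com@EXAMPLE.COM",          # constructed
                   "upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM",
                   "alice\\@corp@EXAMPLE.COM"):
        print(sample, "->", parse_name_with_fallback(sample))
```

Note that the retry accepts any text with two or more unescaped '@' characters, not only genuine UPN-style names, so a caller relying on a parse failure for odd input now gets an enterprise principal back instead.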

commit 4760bbaae22aede59869577cf6176f10d816ade7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 11 16:44:43 2019 +0200

    docs-xml: add "winbind use krb5 enterprise principals" option
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 9520652399696010c333a3ce7247809ce5337a91)

commit aa1e8e535519163d03edde2a9e34269c3ce576b4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 15:52:25 2019 +0200

    krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 3bdf023956e861485be70430112ed38d0a5424f7)

commit d7f0baf2f5431350e57b9bc24f7656fb91a730f5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 303b7e59a286896888ee2473995fc50bb2b5ce5e)

commit 73608fced20bf6ac8a90d4032389c4958e419c43
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s4:auth: kinit_to_ccache() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 162b4199493c1f179e775a325a19ae7a136c418b)

commit be9ea381530329c9641ac3858d5c52bfefef06ff
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614)

commit 03477632b620d883247ae8c46876cc99879fbaea
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s3:libads/kerberos: always use the canonicalized principal after kinit
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 0bced73bed481a8846a6b3e68be85941914390ba)

commit aeaffacb9c889e8074ba91a3b4b6f2ddc305f3f8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 17 08:49:13 2019 +0200

    s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9)

commit 45a078db792a2e8fc580c9dda1ca0b03d9c0064d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 17 10:08:10 2019 +0200

    s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 361fb0efabfb189526c851107eee49161da2293c)

commit e620cad350e759968fa7c5a3d832c12f2a18fa09
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Sep 16 17:14:11 2019 +0200

    s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236)

commit 9f2d5ae0c59834ea97682a98f2b69fdec2c98a9f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 17 08:05:09 2019 +0200

    s4:auth: use the correct client realm in gensec_gssapi_update_internal()
    
    The function gensec_gssapi_client_creds() may call kinit and gets
    a TGT for the user. The principal provided by the user may not
    be canonicalized. The user may use 'given.last@example.com'
    but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
    
    It means we should use client_realm = AD.EXAMPLE.PRIVATE
    instead of client_realm = EXAMPLE.COM
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38)

commit 05eb45e1d3753763283a777b1fd92b8d7936be94
Author: Noel Power <noel.power at suse.com>
Date:   Thu Aug 8 15:06:28 2019 +0100

    s3/libads: clang: Fix Value stored to 'canon_princ' is never read
    
    Fixes:
    
    source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
            canon_princ = me;
            ^             ~~
    1 warning generated.
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    (cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290)

-----------------------------------------------------------------------

Summary of changes:
 .../winbind/winbindusekrb5enterpriseprincipals.xml | 34 +++++++++
 lib/krb5_wrap/krb5_samba.c                         |  7 +-
 lib/util/fault.c                                   |  6 +-
 python/samba/tests/pam_winbind.py                  | 25 +++++--
 python/samba/tests/pam_winbind_chauthtok.py        | 10 ++-
 python/samba/tests/pam_winbind_warn_pwd_expire.py  | 10 ++-
 python/samba/tests/test_pam_winbind.sh             | 12 ++-
 python/samba/tests/test_pam_winbind_chauthtok.sh   |  4 +-
 .../tests/test_pam_winbind_warn_pwd_expire.sh      | 20 +++--
 selftest/target/Samba3.pm                          |  2 +
 selftest/tests.py                                  | 87 ++++++++++++++++------
 source3/libads/authdata.c                          |  1 +
 source3/libads/kerberos.c                          | 54 +++++++++++---
 source3/libads/kerberos_proto.h                    |  5 +-
 source3/libads/kerberos_util.c                     |  3 +-
 source3/libads/krb5_setpw.c                        |  6 ++
 source3/libsmb/cliconnect.c                        | 41 ++++++++--
 source3/utils/net_ads.c                            |  3 +
 source3/winbindd/winbindd_cred_cache.c             |  6 ++
 source3/winbindd/winbindd_pam.c                    | 57 ++++++++------
 source4/auth/gensec/gensec_gssapi.c                |  6 +-
 source4/auth/kerberos/kerberos_util.c              |  2 +
 22 files changed, 311 insertions(+), 90 deletions(-)
 create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 00000000000..bfc11c8636c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>winbindd is able to get kerberos tickets for
+	pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+	</para>
+
+	<para>winbindd (at least on a domain member) is never be able
+	to have a complete picture of the trust topology (which is managed by the DCs).
+	There might be uPNSuffixes and msDS-SPNSuffixes values,
+	which don't belong to any AD domain at all.
+	</para>
+
+	<para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
+	winbindd don't even get an incomplete picture of the topology.
+	</para>
+
+	<para>It is not really required to know about the trust topology.
+	We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
+	and use enterprise principals e.g. upnfromB at B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
+	and follow the WRONG_REALM referrals in order to find the correct DC.
+	The final principal might be userfromB at INTERNALB.EXAMPLE.PRIVATE.
+	</para>
+
+	<para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
+	winbindd enterprise principals will be used.
+	</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
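
Review bot: the description text ships into the smb.conf man page and has several grammar slips: "is never be able" should read "is never able", "winbindd don't even get an incomplete picture" should read "winbindd does not even get an incomplete picture", and "winbindd enterprise principals will be used" should read "winbindd will use enterprise principals". It would also help to state the practical consequence of "no" versus "yes" in one sentence, since the paragraphs in between describe the problem but not which behaviour the default keeps.
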
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index f0dc86b1859..abdcb308728 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
 	}
 
 	ret = krb5_parse_name(context, utf8_name, principal);
+	if (ret == KRB5_PARSE_MALFORMED) {
+		ret = krb5_parse_name_flags(context, utf8_name,
+					    KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+					    principal);
+	}
 	TALLOC_FREE(frame);
 	return ret;
 }
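
Review bot: the retry only checks for KRB5_PARSE_MALFORMED, so any string that the plain parse rejects, not just a UPN-style name, is now accepted as an enterprise principal whose name is everything before the last '@'. A short comment above the `if` stating that this widening is intended, and that callers of smb_krb5_parse_name() must cope with receiving an enterprise principal, would save the next reader from re-deriving it.
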
@@ -2111,14 +2116,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
 		return code;
 	}
 
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
 	/*
 	 * We need to store the principal as returned from the KDC to the
 	 * credentials cache. If we don't do that the KRB5 library is not
 	 * able to find the tickets it is looking for
 	 */
 	principal = my_creds.client;
-#endif
 	code = krb5_cc_initialize(ctx, cc, principal);
 	if (code) {
 		goto done;
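
Review bot: with the `#ifndef SAMBA4_USES_HEIMDAL` guard gone, the comment above `principal = my_creds.client;` still reads as an MIT-only workaround; reword it to say the KDC-canonicalized client principal is deliberately used on both MIT and Heimdal, which is the reasoning in the commit message. Also confirm that `principal` is not a caller-owned pointer that is freed later in this function, since it is now overwritten unconditionally.
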
diff --git a/lib/util/fault.c b/lib/util/fault.c
index bde20e33460..d78fc617593 100644
--- a/lib/util/fault.c
+++ b/lib/util/fault.c
@@ -78,7 +78,11 @@ static void fault_report(int sig)
 
 	DEBUGSEP(0);
 	DEBUG(0,("INTERNAL ERROR: Signal %d in pid %d (%s)",sig,(int)getpid(),SAMBA_VERSION_STRING));
-	DEBUG(0,("\nPlease read the Trouble-Shooting section of the Samba HOWTO\n"));
+	DEBUG(0,("\nIf you are running a recent Samba version, and "
+		 "if you think this problem is not yet fixed in the "
+		 "latest versions, please consider reporting this "
+		 "bug, see "
+		 "https://wiki.samba.org/index.php/Bug_Reporting\n"));
 	DEBUGSEP(0);
 
 	smb_panic("internal error");
diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
index 68b05b30d7d..708f408f768 100644
--- a/python/samba/tests/pam_winbind.py
+++ b/python/samba/tests/pam_winbind.py
@@ -26,11 +26,17 @@ class SimplePamTests(samba.tests.TestCase):
         domain = os.environ["DOMAIN"]
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
 
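
Review bot: in the `else` branch, `unix_username = "%s" % username` is just `unix_username = username`. The empty-DOMAIN check and the try/except around `pypamtest.run_pamtest` are repeated in every test method of this file and the two sibling modules, so a small shared helper (for example a `run_pamtest_checked(unix_username, tcs, passwords)` in the test module) would keep them from diverging. Also, `raise AssertionError(str(e))` discards the original traceback; if these tests only run under Python 3, `raise AssertionError(str(e)) from e` keeps it.
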
@@ -38,11 +44,17 @@ class SimplePamTests(samba.tests.TestCase):
         domain = os.environ["DOMAIN"]
         username = os.environ["USERNAME"]
         password = "WrongPassword"
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 7  # PAM_AUTH_ERR
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
 
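
Review bot: same copy of the empty-DOMAIN branch and the PamTestError wrapper as in the previous hunk; the wrong-password case differs from the success case only in `password` and `expected_rc`, which is what a shared helper parameterised on those two values would capture.
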
@@ -52,6 +64,9 @@ class SimplePamTests(samba.tests.TestCase):
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
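
Review bot: this method only receives the PamTestError wrapper; if the `unix_username` assignment above the hunk (not shown) builds the name as `"%s/%s" % (domain, username)` like the other two methods did, it needs the same empty-DOMAIN handling, otherwise the new cases that pass DOMAIN as empty and a UPN in USERNAME will produce a leading "/" here.
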
diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py
index e5be3a83ce7..c1d569b3cd0 100644
--- a/python/samba/tests/pam_winbind_chauthtok.py
+++ b/python/samba/tests/pam_winbind_chauthtok.py
@@ -27,10 +27,16 @@ class PamChauthtokTests(samba.tests.TestCase):
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
         newpassword = os.environ["NEWPASSWORD"]
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0 # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
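
Review bot: `"%s" % username` in the `else` branch is a no-op formatting and can be `username`; otherwise this is the same pattern as pam_winbind.py, and the three password values passed to `run_pamtest` ([password, newpassword, newpassword]) would be clearer with a comment saying which PAM prompt each one answers.
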
diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py
index df60bc5ace6..56f5da94f98 100644
--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
@@ -27,11 +27,17 @@ class PasswordExpirePamTests(samba.tests.TestCase):
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
         warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"])
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
         if warn_pwd_expire == 0:
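
Review bot: same redundant `"%s" % username` and the same duplicated PamTestError wrapper as in the other two modules; a helper shared across the three pam test files would be the natural fix.
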
diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh
index 0406b108b31..755e67280fa 100755
--- a/python/samba/tests/test_pam_winbind.sh
+++ b/python/samba/tests/test_pam_winbind.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
 export PASSWORD
 shift 3
 
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
 pam_winbind="$BINDIR/shared/pam_winbind.so"
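
Review bot: the script now consumes a fourth positional argument but nothing checks that it was supplied; a caller still passing three arguments gets an empty `PAM_OPTIONS` silently instead of an error. An argument-count check before the shifts (for example `if [ $# -lt 4 ]; then echo "usage: $0 PYTHON PAM_WRAPPER SERVER USERNAME PASSWORD PAM_OPTIONS"; exit 1; fi`, adjusted to the real argument list) and an updated usage comment at the top of the script, if it has one, would make the new contract explicit.
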
@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
 service_file="$service_dir/samba"
 
 mkdir $service_dir
-echo "auth        required    $pam_winbind debug debug_state" > $service_file
-echo "account     required    $pam_winbind debug debug_state" >> $service_file
-echo "password    required    $pam_winbind debug debug_state" >> $service_file
-echo "session     required    $pam_winbind debug debug_state" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "password    required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
 
 PAM_WRAPPER="1"
 export PAM_WRAPPER
diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh
index 5887699300a..48adc81859d 100755
--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
 export PAM_WRAPPER_DEBUGLEVEL
 
 case $PAM_OPTIONS in
-    use_authtok)
+    *use_authtok*)
         PAM_AUTHTOK="$NEWPASSWORD"
         export PAM_AUTHTOK
     ;;
-    try_authtok)
+    *try_authtok*)
         PAM_AUTHTOK="$NEWPASSWORD"
         export PAM_AUTHTOK
     ;;
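
Review bot: the `*use_authtok*)` and `*try_authtok*)` branches set the same `PAM_AUTHTOK` and can be merged as `*use_authtok*|*try_authtok*)`. The glob now matches anywhere in `PAM_OPTIONS`, which the combined option strings from selftest/tests.py need, but it will also match any future option that merely contains that substring; a word-boundary style pattern such as `*" use_authtok"*|use_authtok*` would be tighter if that ever matters.
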
diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
index 16dede44227..348d2ae8387 100755
--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
 export PASSWORD
 shift 3
 
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
 pam_winbind="$BINDIR/shared/pam_winbind.so"
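
Review bot: same missing argument-count check as in test_pam_winbind.sh; `shift 1` with only three arguments supplied leaves `PAM_OPTIONS` empty without any diagnostic.
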
@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL
 WARN_PWD_EXPIRE="50"
 export WARN_PWD_EXPIRE
 
-echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
 
 PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
 exit_code=$?
@@ -54,10 +58,10 @@ fi
 WARN_PWD_EXPIRE="0"
 export WARN_PWD_EXPIRE
 
-echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
 
 PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
 exit_code=$?
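
Review bot: the four `echo ... $service_file` lines are now written twice in this script (for WARN_PWD_EXPIRE=50 and =0) and again in test_pam_winbind.sh, differing only in the option string. A small shell function that takes the option string and writes the service file would keep the three copies from drifting, and the `$PYTHON -m samba.subunit.run` / `exit_code=$?` pair could move into the same function's caller.
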
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 2f491441815..70f535e1a49 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -412,6 +412,8 @@ sub setup_ad_member
         realm = $dcvars->{REALM}
         netbios aliases = foo bar
 	template homedir = /home/%D/%G/%U
+	winbind scan trusted domains = no
+	winbind use krb5 enterprise principals = yes
 
 [sub_dug]
 	path = $share_dir/D_%D/U_%U/G_%G
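
Review bot: both new options land in the single ad_member environment, so every pam_winbind test in this series now runs with `winbind scan trusted domains = no` and enterprise principals enabled. Check that another member environment still runs with the default settings, otherwise the scan-trusted-domains code path that the earlier commit in this series relied on loses its selftest coverage.
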
diff --git a/selftest/tests.py b/selftest/tests.py
index 7dbc0a9871f..c9529328359 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -165,27 +165,72 @@ planpythontestsuite("none", "samba.tests.tdb_util", py3_compatible=True)
 planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True)
 
 if with_pam:
-    plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$SERVER", "$USERNAME", "$PASSWORD"])
-    plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
-
-    for pam_options in ["''", "use_authtok", "try_authtok"]:
-        plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member",
-                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
-                       valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
-                       "$DOMAIN", "TestPamOptionsUser", "oldp at ssword0", "newp at ssword0",
-                       pam_options, 'yes',
-                       "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
-
-    plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member",
-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$DOMAIN", "alice", "Secret007"])
+    env = "ad_member"
+    options = [
+        {
+            "description": "krb5",
+            "pam_options": "krb5_auth krb5_ccache_type=FILE",
+        },
+        {
+            "description": "default",
+            "pam_options": "",
+        },
+    ]
+    for o in options:
+        description = o["description"]
+        pam_options = "'%s'" % o["pam_options"]
+
+        plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$SERVER", "$USERNAME", "$PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$REALM", "$DC_USERNAME", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+                       pam_options])
+
+        for authtok_options in ["", "use_authtok", "try_authtok"]:
+            _pam_options = "'%s %s'" % (o["pam_options"], authtok_options)
+            _description = "%s %s" % (description, authtok_options)
+            plantestsuite("samba.tests.pam_winbind_chauthtok(domain+%s)" % _description, env,
+                          [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
+                           valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
+                           "$DOMAIN", "TestPamOptionsUser", "oldp at ssword0", "newp at ssword0",
+                           _pam_options, 'yes',
+                           "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
+
+        plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain+%s)" % description, env,
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$DOMAIN", "alice", "Secret007",
+                       pam_options])
 
 
 plantestsuite("samba.unittests.krb5samba", "none",
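Review bot: the six plantestsuite() calls emitted per option set in this hunk differ only in the (label, domain, username) triple, so a small table such as `[("domain1", "$DOMAIN", "$DC_USERNAME"), ("domain3", "''", "${DC_USERNAME}@${DOMAIN}"), ...]` walked by an inner loop would make further name variations a one-line addition and remove the chance of mistyping one of the repeated script paths. Two details worth confirming: domain3 and domain4 pass `"''"` as the domain argument, so test_pam_winbind.sh and the Python test must accept an empty DOMAIN together with a UPN-style username, and for the default option set `_pam_options` expands to `' use_authtok'` with a leading space, which the shell tolerates but `" ".join(filter(None, [...]))` would avoid.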
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 86a1be71bf9..6e6d5b397ff 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 					  request_pac,
 					  add_netbios_addr,
 					  renewable_time,
+					  NULL, NULL, NULL,
 					  &status);
 	if (ret) {
 		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
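Review bot: passing `NULL, NULL, NULL` for the new mem_ctx, _canon_principal and _canon_realm parameters is only safe if kerberos_kinit_password_ext() checks both out-pointers before writing through them and never allocates on the NULL mem_ctx; that guard is not visible in the hunks of this excerpt, so please confirm it is present (for example `if (_canon_principal != NULL) { *_canon_principal = talloc_move(mem_ctx, &canon_principal); }`) and that a NULL mem_ctx is documented as acceptable for callers that do not need the canonicalized name.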
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 721c3c2a929..559ec3b7f53 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data,
   place in default cache location.
   remus at snapserver.com
 */
-int kerberos_kinit_password_ext(const char *principal,
+int kerberos_kinit_password_ext(const char *given_principal,
 				const char *password,
 				int time_offset,
 				time_t *expire_time,
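Review bot: the comment block that ends just above this hunk still describes the original contract only; since the function now also hands back the canonicalized principal and realm, add a sentence there stating that _canon_principal and _canon_realm are optional out-parameters allocated on mem_ctx and that the name the KDC returns may differ from given_principal (for instance in case or realm). The rename to given_principal is a good signal that the input is not the name to use afterwards, but the prototype in the corresponding header must be updated in the same commit.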
@@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal,
 				bool request_pac,
 				bool add_netbios_addr,
 				time_t renewable_time,
+				TALLOC_CTX *mem_ctx,
+				char **_canon_principal,
+				char **_canon_realm,
 				NTSTATUS *ntstatus)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
 	krb5_context ctx = NULL;
 	krb5_error_code code = 0;
 	krb5_ccache cc = NULL;
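Review bot: with `talloc_stackframe()` taken at function entry, every exit path must now release `frame`; the early return after krb5_init_context is covered in a later hunk, but all the `goto out` paths land on a label whose cleanup is not shown here, so make sure `out:` ends with `TALLOC_FREE(frame)` and that nothing handed to the caller still lives on `frame` (hence the need to talloc_move() or talloc_steal() the canonicalized strings onto mem_ctx before returning).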
@@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal,
 	krb5_creds my_creds;
 	krb5_get_init_creds_opt *opt = NULL;
 	smb_krb5_addresses *addr = NULL;
+	char *canon_principal = NULL;
+	char *canon_realm = NULL;
 
 	ZERO_STRUCT(my_creds);
 
@@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal,
 	if (code != 0) {
 		DBG_ERR("kerberos init context failed (%s)\n",
 			error_message(code));
+		TALLOC_FREE(frame);
 		return code;
 	}
 
@@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal,
 		krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
 	}
 
-	DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
-			principal,
-			cache_name ? cache_name: krb5_cc_default_name(ctx),
-			getenv("KRB5_CONFIG")));
+	DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
+		  given_principal,
+		  cache_name ? cache_name: krb5_cc_default_name(ctx),
+		  getenv("KRB5_CONFIG"));
 
 	if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
 		goto out;
 	}
 
-	if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
+	if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) {
 		goto out;
 	}
 
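Review bot: `cache_name ? cache_name : krb5_cc_default_name(ctx)` is now evaluated twice, once for the DBG_DEBUG and again in the krb5_cc_resolve() call directly below; computing it once into a local variable guarantees that the logged cache name and the one actually resolved are the same. The move to DBG_DEBUG also drops the hard-coded `kerberos_kinit_password:` prefix, which named the wrong function, in favour of the automatic __func__ prefix, which is a welcome side effect.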
@@ -160,7 +167,10 @@ int kerberos_kinit_password_ext(const char *principal,
 	krb5_get_init_creds_opt_set_forwardable(opt, True);
 
 	/* Turn on canonicalization for lower case realm support */
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
+#ifdef SAMBA4_USES_HEIMDAL
+	krb5_get_init_creds_opt_set_win2k(ctx, opt, true);
+	krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);
+#else /* MIT */
 	krb5_get_init_creds_opt_set_canonicalize(opt, true);
 #endif /* MIT */
 #if 0
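Review bot: the closing `#endif /* MIT */` on the last context line of this hunk is now misleading, because the conditional selects between a Heimdal branch and an MIT branch; change it to `#endif /* SAMBA4_USES_HEIMDAL */`. The comment above the block ("Turn on canonicalization for lower case realm support") now applies to both builds and could mention that the later `canon_princ = my_creds.client` assignment depends on canonicalization being requested here. The `#if 0` block that follows is dead code and could be removed while this area is being touched.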
@@ -189,10 +199,23 @@ int kerberos_kinit_password_ext(const char *principal,
 		goto out;
 	}
 
-	canon_princ = me;
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
 	canon_princ = my_creds.client;
-#endif /* MIT */
+
+	code = smb_krb5_unparse_name(frame,
+				     ctx,
+				     canon_princ,
+				     &canon_principal);
+	if (code != 0) {
+		goto out;
+	}
+

