[SCM] Samba Shared Repository - branch master updated
Isaac Boukris
iboukris at samba.org
Tue Aug 11 10:54:01 UTC 2020
The branch, master has been updated
via 32eb7f39667 Remove depracated "ldap ssl ads" smb.conf option
via 08909e66ef0 Revert "selftest: add tests for net-ads over TLS"
from a97c78fb221 lzxpress: add bounds checking to lzxpress_decompress()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 32eb7f3966703582f2f8f2c75b2f960c5e4eb492
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Aug 10 12:15:26 2020 +0200
Remove depracated "ldap ssl ads" smb.conf option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Isaac Boukris <iboukris at samba.org>
Autobuild-Date(master): Tue Aug 11 10:53:05 UTC 2020 on sn-devel-184
commit 08909e66ef0c7ef1dc627ce8a8daf6e4a779ada6
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Aug 10 12:21:51 2020 +0200
Revert "selftest: add tests for net-ads over TLS"
As we are removing the option.
This reverts commit 10f61cd39b9e03e7bb781edf04022ea6ae1f1cac.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 13 +----
docs-xml/smbdotconf/ldap/ldapsslads.xml | 18 -------
selftest/knownfail.d/net_ads_ntlm_fallback | 10 ----
source3/libads/ldap.c | 11 -----
source3/param/loadparm.c | 1 -
source4/selftest/tests.py | 8 ----
testprogs/blackbox/test_net_ads_base.sh | 76 ------------------------------
7 files changed, 2 insertions(+), 135 deletions(-)
delete mode 100644 docs-xml/smbdotconf/ldap/ldapsslads.xml
delete mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
delete mode 100755 testprogs/blackbox/test_net_ads_base.sh
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f76aa4e79a0..206ee6ad20d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -17,17 +17,6 @@ NEW FEATURES/CHANGES
====================
-The "ldap ssl ads" option no longer depends on "ldap ssl" option:
------------------------------------------------------------------
-With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
-is off.
-
-The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
------------------------------------------------------------------------
-This is now done implicitly when over TLS, so "client ldap sasl wrapping"
-does not need to be set to "plain" in order for it to work.
-
-
CTDB CHANGES
============
@@ -44,12 +33,14 @@ CTDB CHANGES
REMOVED FEATURES
================
+The deprecated "ldap ssl ads" smb.conf option has been removed.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
+ ldap ssl ads removed
diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
deleted file mode 100644
index f99afe5bbad..00000000000
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<samba:parameter name="ldap ssl ads"
- context="G"
- type="boolean"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>This option is used to define whether or not Samba should
- use SSL when connecting to the ldap server using
- <emphasis>ads</emphasis> methods.
- Rpc methods are not affected by this parameter.
- </para>
-
- <para>See also <smbconfoption name="ldap ssl"/>.
- </para>
-
-</description>
-<value type="default">no</value>
-</samba:parameter>
diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
deleted file mode 100644
index b16a39d134d..00000000000
--- a/selftest/knownfail.d/net_ads_ntlm_fallback
+++ /dev/null
@@ -1,10 +0,0 @@
-# net-ads commands that fail with: --option=gensec:gse_krb5=no
-^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
-^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
-^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
-^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
-^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
-^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
-^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
-^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
-^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index d431156912f..ee4628a09a2 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -704,17 +704,6 @@ got_connection:
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
- if ( lp_ldap_ssl_ads() ) {
- status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version));
- if (!ADS_ERR_OK(status)) {
- goto out;
- }
- if (!ads_set_sasl_wrap_flags(ads, 0)) {
- status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
- goto out;
- }
- }
-
/* fill in the current time and offsets */
status = ads_current_time( ads );
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ebe120433ee..73f7c065e09 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -740,7 +740,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
lpcfg_string_set(Globals.ctx, &Globals.ldap_admin_dn, "");
Globals.ldap_ssl = LDAP_SSL_START_TLS;
- Globals.ldap_ssl_ads = false;
Globals.ldap_deref = -1;
Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF;
Globals.ldap_delete_dn = false;
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index c6da90cc740..42be34a8afc 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -552,12 +552,6 @@ plantestsuite("samba4.blackbox.net_ads_dns_async(ad_member:local)",
'$REALM'])
plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
-for nomech in ["none", "gse_krb5", "ntlmssp"]:
- # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
- plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
- plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
- plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
-
if have_gnutls_crypto_policies:
plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
@@ -568,8 +562,6 @@ if have_gnutls_crypto_policies:
t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD"
plantestsuite("samba3.wbinfo_simple.fips.%s" % t, "ad_member_fips:local", [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t])
plantestsuite("samba4.wbinfo_name_lookup.fips", "ad_member_fips", [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_name_lookup.sh"), '$DOMAIN', '$REALM', '$DC_USERNAME'])
- for nomech in ["none", "ntlmssp"]:
- plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc_fips:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
# json tests hook into ``chgdcpass'' to make them run in contributor CI on
diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
deleted file mode 100755
index 59e3da67a7f..00000000000
--- a/testprogs/blackbox/test_net_ads_base.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/sh
-
-if [ $# -lt 5 ]; then
-cat <<EOF
-Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
-EOF
-exit 1;
-fi
-
-DC_SERVER=$1
-DC_USERNAME=$2
-DC_PASSWORD=$3
-TLS_MODE=$4
-NO_MECH=$5
-BASEDIR=$6
-shift 6
-
-HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
-HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
-LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
-
-RUNDIR=`pwd`
-cd $BASEDIR
-WORKDIR=`mktemp -d -p .`
-WORKDIR=`basename $WORKDIR`
-cp -a client/* $WORKDIR/
-sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
-sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
-sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
-sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
-rm -f $WORKDIR/private/secrets.tdb
-cd $RUNDIR
-
-failed=0
-
-export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
-
-xoptions=""
-if [ $TLS_MODE != "no" ]; then
- xoptions="--option=ldapsslads=yes"
-fi
-
-if [ $NO_MECH != "none" ]; then
- xoptions="$xoptions --option=gensec:$NO_MECH=no"
-fi
-
-if [ $TLS_MODE = "noverify" ]; then
- export LDAPTLS_REQCERT=allow
-fi
-
-net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
-
-# Load test functions
-. `dirname $0`/subunit.sh
-
-testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
-
-testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
-
-testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
-
-tls_log="StartTLS issued: using a TLS connection"
-opt="-d3 --option=ldapssl=off"
-if [ $TLS_MODE != "no" ]; then
- testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
-fi
-
-testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
-
-testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
-
-testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
-
-rm -rf $BASEDIR/$WORKDIR
-
-exit $failed
--
Samba Shared Repository
More information about the samba-cvs
mailing list