[SCM] Samba Shared Repository - branch master updated
Isaac Boukris
iboukris at samba.org
Mon Jul 13 12:07:03 UTC 2020
The branch, master has been updated
via 965d1888008 net: ignore possible SIGPIPE upon ldap_unbind when over TLS
via 39b293c2d0b ads: set sasl-wrapping to plain when over TLS
via b3af1d334d6 Fix ads_set_sasl_wrap_flags to only change sasl flags
via 9ec83caeb51 Decouple ldap-ssl-ads from ldap-ssl option
via 10f61cd39b9 selftest: add tests for net-ads over TLS
from 4c74db6978c docs: Fix documentation for require_membership_of of pam_winbind
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 965d18880081296ed7189daa0eeef6024c308db1
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Jul 11 05:04:59 2020 +0200
net: ignore possible SIGPIPE upon ldap_unbind when over TLS
From local tests with strace:
socket(AF_UNIX, SOCK_STREAM, 0) = 12
write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38
...
write(2, "ads_domain_func_level: 3\n", 25) = 25
write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36
write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} ---
+++ killed by SIGPIPE +++
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Isaac Boukris <iboukris at samba.org>
Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184
commit 39b293c2d0bb64f11f63a41fbbc5031e5a2922e2
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu Jul 2 09:33:12 2020 +0200
ads: set sasl-wrapping to plain when over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b3af1d334d6159dca75c2a74e7c6f909952c31af
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu Jul 2 10:59:18 2020 +0200
Fix ads_set_sasl_wrap_flags to only change sasl flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9ec83caeb51e85ef9a217d5017d5844389d48513
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed Jun 24 15:28:45 2020 +0300
Decouple ldap-ssl-ads from ldap-ssl option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 10f61cd39b9e03e7bb781edf04022ea6ae1f1cac
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Jun 29 16:55:33 2020 +0300
selftest: add tests for net-ads over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 11 ++++
docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 +-
selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++
source3/include/smbldap.h | 1 +
.../lib/ABI/{smbldap-2.sigs => smbldap-2.1.0.sigs} | 1 +
source3/lib/smbldap.c | 19 ++++--
source3/libads/ads_proto.h | 2 +-
source3/libads/ads_struct.c | 8 ++-
source3/libads/ldap.c | 6 +-
source3/utils/net.c | 3 +
source3/wscript_build | 2 +-
source4/selftest/tests.py | 8 +++
testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++
13 files changed, 138 insertions(+), 16 deletions(-)
create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
copy source3/lib/ABI/{smbldap-2.sigs => smbldap-2.1.0.sigs} (98%)
create mode 100755 testprogs/blackbox/test_net_ads_base.sh
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cd75f6741c0..e7b46a7b159 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -17,6 +17,17 @@ NEW FEATURES/CHANGES
====================
+The "ldap ssl ads" option no longer depends on "ldap ssl" option:
+-----------------------------------------------------------------
+With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
+is off.
+
+The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
+-----------------------------------------------------------------------
+This is now done implicitly when over TLS, so "client ldap sasl wrapping"
+does not need to be set to "plain" in order for it to work.
+
+
REMOVED FEATURES
================
diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
index 98c39651f1e..f99afe5bbad 100644
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
@@ -7,13 +7,10 @@
<para>This option is used to define whether or not Samba should
use SSL when connecting to the ldap server using
<emphasis>ads</emphasis> methods.
- Rpc methods are not affected by this parameter. Please note, that
- this parameter won't have any effect if <smbconfoption name="ldap ssl"/>
- is set to <parameter>no</parameter>.
+ Rpc methods are not affected by this parameter.
</para>
- <para>See <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
- for more information on <smbconfoption name="ldap ssl"/>.
+ <para>See also <smbconfoption name="ldap ssl"/>.
</para>
</description>
diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
new file mode 100644
index 00000000000..b16a39d134d
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_ntlm_fallback
@@ -0,0 +1,10 @@
+# net-ads commands that fail with: --option=gensec:gse_krb5=no
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
index 878268aebd6..d063f44afbc 100644
--- a/source3/include/smbldap.h
+++ b/source3/include/smbldap.h
@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state,
const char *dn,
LDAPMod *attrs[]);
int smbldap_start_tls(LDAP *ldap_struct, int version);
+int smbldap_start_tls_start(LDAP *ldap_struct, int version);
int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri);
int smbldap_search(struct smbldap_state *ldap_state,
const char *base, int scope, const char *filter,
diff --git a/source3/lib/ABI/smbldap-2.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs
similarity index 98%
copy from source3/lib/ABI/smbldap-2.sigs
copy to source3/lib/ABI/smbldap-2.1.0.sigs
index 8abefec15b6..67dcc9a8a78 100644
--- a/source3/lib/ABI/smbldap-2.sigs
+++ b/source3/lib/ABI/smbldap-2.1.0.sigs
@@ -23,6 +23,7 @@ smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *)
smbldap_set_paged_results: void (struct smbldap_state *, bool)
smbldap_setup_full_conn: int (LDAP **, const char *)
smbldap_start_tls: int (LDAP *, int)
+smbldap_start_tls_start: int (LDAP *, int)
smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **)
smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *)
smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *)
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 34c841f9243..4815dd81fc3 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
}
/********************************************************************
- start TLS on an existing LDAP connection
+ start TLS on an existing LDAP connection per config
*******************************************************************/
int smbldap_start_tls(LDAP *ldap_struct, int version)
-{
-#ifdef LDAP_OPT_X_TLS
- int rc,tls;
-#endif
-
+{
if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
return LDAP_SUCCESS;
}
+ return smbldap_start_tls_start(ldap_struct, version);
+}
+
+/********************************************************************
+ start TLS on an existing LDAP connection unconditionally
+*******************************************************************/
+
+int smbldap_start_tls_start(LDAP *ldap_struct, int version)
+{
#ifdef LDAP_OPT_X_TLS
+ int rc,tls;
+
/* check if we use ldaps already */
ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
if (tls == LDAP_OPT_X_TLS_HARD) {
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index cd9c1082681..6cdde0cf6eb 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm,
const char *workgroup,
const char *ldap_server,
enum ads_sasl_state_e sasl_state);
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags);
void ads_destroy(ADS_STRUCT **ads);
/* The following definitions come from libads/disp_sec.c */
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 043a1b21247..67a9a7cf75e 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm,
/****************************************************************
****************************************************************/
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags)
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags)
{
+ unsigned other_flags;
+
if (!ads) {
return false;
}
- ads->auth.flags = flags;
+ other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL);
+
+ ads->auth.flags = flags | other_flags;
return true;
}
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 55c9668089d..1ffe96d32c9 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -703,10 +703,14 @@ got_connection:
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if ( lp_ldap_ssl_ads() ) {
- status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
+ status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version));
if (!ADS_ERR_OK(status)) {
goto out;
}
+ if (!ads_set_sasl_wrap_flags(ads, 0)) {
+ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ goto out;
+ }
}
/* fill in the current time and offsets */
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 683b46794e4..e289b2814bc 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c,
POPT_TABLEEND
};
+ /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */
+ BlockSignals(True, SIGPIPE);
+
zero_sockaddr(&c->opt_dest_ip);
setup_logging(argv[0], DEBUG_STDERR);
diff --git a/source3/wscript_build b/source3/wscript_build
index 5a07eddac44..ec8135c302f 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -501,7 +501,7 @@ bld.SAMBA3_LIBRARY('smbldap',
abi_directory='lib/ABI',
abi_match='smbldap_*',
pc_files=[],
- vnum='2',
+ vnum='2.1.0',
public_headers='include/smbldap.h include/smb_ldap.h')
bld.SAMBA3_LIBRARY('ads',
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 0e219f94d04..588586e39b3 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -544,6 +544,12 @@ plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:clien
plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
+for nomech in ["none", "gse_krb5", "ntlmssp"]:
+ # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
+ plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
+ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
+ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
+
if have_gnutls_crypto_policies:
plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
@@ -554,6 +560,8 @@ if have_gnutls_crypto_policies:
t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD"
plantestsuite("samba3.wbinfo_simple.fips.%s" % t, "ad_member_fips:local", [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t])
plantestsuite("samba4.wbinfo_name_lookup.fips", "ad_member_fips", [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_name_lookup.sh"), '$DOMAIN', '$REALM', '$DC_USERNAME'])
+ for nomech in ["none", "ntlmssp"]:
+ plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc_fips:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
# json tests hook into ``chgdcpass'' to make them run in contributor CI on
diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
new file mode 100755
index 00000000000..59e3da67a7f
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_base.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+TLS_MODE=$4
+NO_MECH=$5
+BASEDIR=$6
+shift 6
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
+LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
+sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+
+xoptions=""
+if [ $TLS_MODE != "no" ]; then
+ xoptions="--option=ldapsslads=yes"
+fi
+
+if [ $NO_MECH != "none" ]; then
+ xoptions="$xoptions --option=gensec:$NO_MECH=no"
+fi
+
+if [ $TLS_MODE = "noverify" ]; then
+ export LDAPTLS_REQCERT=allow
+fi
+
+net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
+
+testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
+
+testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
+
+tls_log="StartTLS issued: using a TLS connection"
+opt="-d3 --option=ldapssl=off"
+if [ $TLS_MODE != "no" ]; then
+ testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
+fi
+
+testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
+
+testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
--
Samba Shared Repository
More information about the samba-cvs
mailing list