[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Tue Nov 3 16:48:02 UTC 2020
The branch, master has been updated
via 27480333fdc s3:vfs: Document the encryption_required flag in vfs.h
via 1a92994a951 auth:creds:tests: Migrate test to a cmocka unit test
via 1298280a22e auth:creds: Rename CRED_USE_KERBEROS values
from 7d846cd178d s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 27480333fdc0ee6c35c5b3d3bbd5bb026fc7dba0
Author: Andreas Schneider <asn at samba.org>
Date: Tue Nov 3 11:57:03 2020 +0100
s3:vfs: Document the encryption_required flag in vfs.h
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Nov 3 16:47:57 UTC 2020 on sn-devel-184
commit 1a92994a9513f5e73d30604a1dc217ddeb1ac8d5
Author: Andreas Schneider <asn at samba.org>
Date: Tue Sep 1 12:32:28 2020 +0200
auth:creds:tests: Migrate test to a cmocka unit test
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 1298280a22ef7494fb85a6a5953bae15d22fa204
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 20 09:40:41 2020 +0200
auth:creds: Rename CRED_USE_KERBEROS values
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 8 +-
auth/credentials/credentials.h | 9 +-
auth/credentials/credentials_krb5.c | 4 +-
auth/credentials/credentials_ntlm.c | 2 +-
auth/credentials/credentials_secrets.c | 5 +-
auth/credentials/pycredentials.c | 6 +-
auth/credentials/tests/simple.c | 2 +-
auth/credentials/tests/test_creds.c | 221 +++++++++++++++++++++++++++++++++
auth/credentials/wscript_build | 8 +-
auth/gensec/gensec_start.c | 8 +-
examples/winexe/winexe.c | 4 +-
selftest/tests.py | 2 +
source3/auth/auth_generic.c | 4 +-
source3/include/vfs.h | 2 +
source3/lib/util_cmdline.c | 18 +--
source3/libads/sasl.c | 8 +-
source3/libnet/libnet_join.c | 2 +-
source3/libsmb/cliconnect.c | 16 +--
source3/passdb/passdb.c | 6 +-
source3/passdb/pdb_samba_dsdb.c | 4 +-
source3/rpc_client/cli_pipe.c | 2 +-
source3/rpcclient/rpcclient.c | 8 +-
source3/utils/net_ads.c | 2 +-
source3/utils/net_util.c | 6 +-
source3/utils/ntlm_auth.c | 4 +-
source3/winbindd/winbindd_cm.c | 2 +-
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/auth/session.c | 2 +-
source4/lib/cmdline/popt_credentials.c | 4 +-
source4/torture/ldap/session_expiry.c | 2 +-
source4/torture/local/local.c | 1 -
source4/torture/local/wscript_build | 2 +-
source4/torture/raw/session.c | 4 +-
source4/torture/rpc/schannel.c | 4 +-
source4/torture/smb2/session.c | 12 +-
35 files changed, 316 insertions(+), 80 deletions(-)
create mode 100644 auth/credentials/tests/test_creds.c
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 77c35dd104b..1bdd6f15a09 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -44,6 +44,8 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cred->winbind_separator = '\\';
+ cred->use_kerberos = CRED_USE_KERBEROS_DESIRED;
+
cred->signing_state = SMB_SIGNING_DEFAULT;
/*
@@ -360,7 +362,7 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
return true;
}
- if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
+ if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
return true;
}
@@ -1018,7 +1020,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
}
if (lp_ctx != NULL &&
- cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
+ cli_credentials_get_kerberos_state(cred) != CRED_USE_KERBEROS_DISABLED) {
cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE,
&error_string);
}
@@ -1097,7 +1099,7 @@ _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
- cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED);
}
/**
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 4c140615751..f468b8558dd 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -53,9 +53,12 @@ enum credentials_obtained {
};
enum credentials_use_kerberos {
- CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
- CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
- CRED_MUST_USE_KERBEROS /* Sometimes administrators are paranoid, so always do kerberos */
+ /** Sometimes trying kerberos just does 'bad things', so don't */
+ CRED_USE_KERBEROS_DISABLED = 0,
+ /** Default, we try kerberos if available */
+ CRED_USE_KERBEROS_DESIRED,
+ /** Sometimes administrators are paranoid, so always do kerberos */
+ CRED_USE_KERBEROS_REQUIRED,
};
enum credentials_krb_forwardable {
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index c321f713130..d7b1c430841 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -873,7 +873,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
&ccache, error_string);
if (ret) {
- if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
+ if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
} else {
DEBUG(4, ("Failed to get kerberos credentials: %s\n", *error_string));
@@ -1433,7 +1433,7 @@ _PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *
cred->impersonate_principal = talloc_strdup(cred, principal);
talloc_free(cred->self_service);
cred->self_service = talloc_strdup(cred, self_service);
- cli_credentials_set_kerberos_state(cred, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED);
}
/*
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index f1b22a6c9e2..1bec60e5dce 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -53,7 +53,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
const struct samr_Password *nt_hash = NULL;
int rc;
- if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
+ if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) {
TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER_MIX;
}
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 52a89d4d5b4..58067a5bece 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -370,7 +370,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
}
if (secrets_tdb_password_more_recent) {
- enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
+ enum credentials_use_kerberos use_kerberos =
+ CRED_USE_KERBEROS_DISABLED;
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
@@ -386,7 +387,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
FALL_THROUGH;
case ROLE_ACTIVE_DIRECTORY_DC:
- use_kerberos = CRED_AUTO_USE_KERBEROS;
+ use_kerberos = CRED_USE_KERBEROS_DESIRED;
break;
}
}
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 17c90573f09..95dde276ef7 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1492,9 +1492,9 @@ MODULE_INIT_FUNC(credentials)
PyModule_AddObject(m, "CALLBACK_RESULT", PyLong_FromLong(CRED_CALLBACK_RESULT));
PyModule_AddObject(m, "SPECIFIED", PyLong_FromLong(CRED_SPECIFIED));
- PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_AUTO_USE_KERBEROS));
- PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_DONT_USE_KERBEROS));
- PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_MUST_USE_KERBEROS));
+ PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DESIRED));
+ PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DISABLED));
+ PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_REQUIRED));
PyModule_AddObject(m, "AUTO_KRB_FORWARDABLE", PyLong_FromLong(CRED_AUTO_KRB_FORWARDABLE));
PyModule_AddObject(m, "NO_KRB_FORWARDABLE", PyLong_FromLong(CRED_NO_KRB_FORWARDABLE));
diff --git a/auth/credentials/tests/simple.c b/auth/credentials/tests/simple.c
index 7f122bed3bc..b39d7a2251b 100644
--- a/auth/credentials/tests/simple.c
+++ b/auth/credentials/tests/simple.c
@@ -73,7 +73,7 @@ static bool test_guess(struct torture_context *tctx)
const char *passwd_fd = getenv("PASSWD_FD");
const char *passwd_file = getenv("PASSWD_FILE");
- cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
unsetenv("USER");
unsetenv("PASSWD_FD");
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
new file mode 100644
index 00000000000..d2d3d30d73d
--- /dev/null
+++ b/auth/credentials/tests/test_creds.c
@@ -0,0 +1,221 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2018-2019 Andreas Schneider <asn at samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "lib/replace/replace.h"
+#include "auth/credentials/credentials.c"
+
+static int setup_talloc_context(void **state)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ *state = frame;
+ return 0;
+}
+
+static int teardown_talloc_context(void **state)
+{
+ TALLOC_CTX *frame = *state;
+ TALLOC_FREE(frame);
+ return 0;
+}
+
+static void torture_creds_init(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ struct cli_credentials *creds = NULL;
+ const char *username = NULL;
+ const char *domain = NULL;
+ const char *password = NULL;
+ bool ok;
+
+ creds = cli_credentials_init(mem_ctx);
+ assert_non_null(creds);
+ assert_null(creds->username);
+ assert_int_equal(creds->username_obtained, CRED_UNINITIALISED);
+
+ domain = cli_credentials_get_domain(creds);
+ assert_null(domain);
+ ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED);
+ assert_true(ok);
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
+ domain = cli_credentials_get_domain(creds);
+ assert_string_equal(domain, "WURST");
+
+ username = cli_credentials_get_username(creds);
+ assert_null(username);
+ ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED);
+ assert_true(ok);
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
+ username = cli_credentials_get_username(creds);
+ assert_string_equal(username, "brot");
+
+ password = cli_credentials_get_password(creds);
+ assert_null(password);
+ ok = cli_credentials_set_password(creds, "SECRET", CRED_SPECIFIED);
+ assert_true(ok);
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
+ password = cli_credentials_get_password(creds);
+ assert_string_equal(password, "SECRET");
+}
+
+static void torture_creds_init_anonymous(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ struct cli_credentials *creds = NULL;
+
+ creds = cli_credentials_init_anon(mem_ctx);
+ assert_non_null(creds);
+
+ assert_string_equal(creds->domain, "");
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->username, "");
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
+
+ assert_null(creds->password);
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
+}
+
+static void torture_creds_guess(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ struct cli_credentials *creds = NULL;
+ const char *env_user = getenv("USER");
+
+ creds = cli_credentials_init(mem_ctx);
+ assert_non_null(creds);
+
+ setenv("PASSWD", "SECRET", 1);
+ cli_credentials_guess(creds, NULL);
+
+ assert_string_equal(creds->username, env_user);
+ assert_int_equal(creds->username_obtained, CRED_GUESS_ENV);
+
+ assert_string_equal(creds->password, "SECRET");
+ assert_int_equal(creds->password_obtained, CRED_GUESS_ENV);
+ unsetenv("PASSWD");
+}
+
+static void torture_creds_anon_guess(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ struct cli_credentials *creds = NULL;
+
+ creds = cli_credentials_init_anon(mem_ctx);
+ assert_non_null(creds);
+
+ setenv("PASSWD", "SECRET", 1);
+ cli_credentials_guess(creds, NULL);
+
+ assert_string_equal(creds->username, "");
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
+
+ assert_null(creds->password);
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
+ unsetenv("PASSWD");
+}
+
+static void torture_creds_parse_string(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ struct cli_credentials *creds = NULL;
+
+ creds = cli_credentials_init(mem_ctx);
+ assert_non_null(creds);
+
+ /* Anonymous */
+ cli_credentials_parse_string(creds, "%", CRED_SPECIFIED);
+
+ assert_string_equal(creds->domain, "");
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->username, "");
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
+
+ assert_null(creds->password);
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
+
+ /* Username + password */
+ cli_credentials_parse_string(creds, "wurst%BROT", CRED_SPECIFIED);
+
+ assert_string_equal(creds->domain, "");
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->username, "wurst");
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->password, "BROT");
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
+
+ /* Domain + username + password */
+ cli_credentials_parse_string(creds, "XXL\\wurst%BROT", CRED_SPECIFIED);
+
+ assert_string_equal(creds->domain, "XXL");
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->username, "wurst");
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->password, "BROT");
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
+
+ /* Principal */
+ cli_credentials_parse_string(creds, "wurst at brot.realm", CRED_SPECIFIED);
+
+ assert_string_equal(creds->domain, "");
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->username, "wurst at brot.realm");
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->principal, "wurst at brot.realm");
+ assert_int_equal(creds->principal_obtained, CRED_SPECIFIED);
+
+ assert_string_equal(creds->password, "BROT");
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
+}
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(torture_creds_init),
+ cmocka_unit_test(torture_creds_init_anonymous),
+ cmocka_unit_test(torture_creds_guess),
+ cmocka_unit_test(torture_creds_anon_guess),
+ cmocka_unit_test(torture_creds_parse_string),
+ };
+
+ if (argc == 2) {
+ cmocka_set_test_filter(argv[1]);
+ }
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+ rc = cmocka_run_group_tests(tests,
+ setup_talloc_context,
+ teardown_talloc_context);
+
+ return rc;
+}
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
index 1e3302e3e48..46111164b36 100644
--- a/auth/credentials/wscript_build
+++ b/auth/credentials/wscript_build
@@ -5,7 +5,7 @@ bld.SAMBA_LIBRARY('samba-credentials',
public_headers='credentials.h',
pc_files='samba-credentials.pc',
deps='LIBCRYPTO samba-errors events LIBCLI_AUTH samba-security CREDENTIALS_SECRETS CREDENTIALS_KRB5',
- vnum='0.1.0'
+ vnum='1.0.0'
)
bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5',
@@ -31,3 +31,9 @@ bld.SAMBA_PYTHON('pycredentials',
public_deps='samba-credentials cmdline-credentials %s %s CREDENTIALS_KRB5 CREDENTIALS_SECRETS' % (pytalloc_util, pyparam_util),
realname='samba/credentials.so'
)
+
+bld.SAMBA_BINARY('test_creds',
+ source='tests/test_creds.c',
+ deps='cmocka samba-credentials',
+ local_include=False,
+ for_selftest=True)
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 4996e13e027..0a484eefcf4 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -119,18 +119,18 @@ static const struct gensec_security_ops **gensec_use_kerberos_mechs(
}
switch (use_kerberos) {
- case CRED_AUTO_USE_KERBEROS:
+ case CRED_USE_KERBEROS_DESIRED:
keep = true;
break;
- case CRED_DONT_USE_KERBEROS:
+ case CRED_USE_KERBEROS_DISABLED:
if (old_gensec_list[i]->kerberos == false) {
keep = true;
}
break;
- case CRED_MUST_USE_KERBEROS:
+ case CRED_USE_KERBEROS_REQUIRED:
if (old_gensec_list[i]->kerberos == true) {
keep = true;
}
@@ -158,7 +158,7 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
TALLOC_CTX *mem_ctx)
{
const struct gensec_security_ops * const *backends = gensec_security_all();
- enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+ enum credentials_use_kerberos use_kerberos = CRED_USE_KERBEROS_DESIRED;
bool keep_schannel = false;
if (gensec_security != NULL) {
diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c
index 03e7ec85198..95386211c0a 100644
--- a/examples/winexe/winexe.c
+++ b/examples/winexe/winexe.c
@@ -283,8 +283,8 @@ static void parse_args(int argc, const char *argv[],
if (opt_kerberos) {
cli_credentials_set_kerberos_state(cred,
strcmp(opt_kerberos, "yes")
- ? CRED_MUST_USE_KERBEROS
- : CRED_DONT_USE_KERBEROS);
+ ? CRED_USE_KERBEROS_REQUIRED
+ : CRED_USE_KERBEROS_DISABLED);
}
if (options->runas == NULL && options->runas_file != NULL) {
diff --git a/selftest/tests.py b/selftest/tests.py
index 86cab3f8046..4a968cdbe8a 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -418,3 +418,5 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none",
if with_elasticsearch_backend:
plantestsuite("samba.unittests.mdsparser_es", "none",
[os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
+plantestsuite("samba.unittests.credentials", "none",
+ [os.path.join(bindir(), "default/auth/credentials/test_creds")])
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 0e9500ac08d..f314acd9559 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -356,9 +356,9 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
cli_credentials_set_conf(server_credentials, lp_ctx);
if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
- cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
} else {
- cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
}
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index 7aff0c67ada..91151df6e06 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -331,6 +331,8 @@
* Version 44 - Remove dirfsp arg from struct files_struct
* Version 44 - Remove dirfsp arg to SMB_VFS_CREATE_FILE()
* Version 44 - Make dirfsp arg to SMB_VFS_READLINKAT() const
+ * Version 44 - Add a flag 'encryption_required' to files_struct that that
+ * prevents that encrypted connections can be downgraded.
*/
#define SMB_VFS_INTERFACE_VERSION 44
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index 9c9e2f0ac0f..d2af34ee19b 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -307,9 +307,9 @@ void set_cmdline_auth_info_use_kerberos(struct user_auth_info *auth_info,
enum credentials_use_kerberos krb5_state;
if (b) {
- krb5_state = CRED_MUST_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_REQUIRED;
} else {
- krb5_state = CRED_DONT_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_DISABLED;
--
Samba Shared Repository
More information about the samba-cvs
mailing list