[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Tue Apr 5 01:45:01 UTC 2022


The branch, master has been updated
       via  63bbdbae19d gpo: Improve Certificate Auto Enroll Debug messages
       via  157d2dd77fd gpo: Certificate Auto Enrollment default Kerberos auth
      from  a543d38cd1e third_party:waf: Do not recurse in aesni-intel if GnuTLS provides the cipher

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 63bbdbae19dda6d28ecf8ce27addda728c7a028d
Author: David Mulder <dmulder at suse.com>
Date:   Mon Apr 4 10:42:40 2022 -0600

    gpo: Improve Certificate Auto Enroll Debug messages
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Apr  5 01:44:33 UTC 2022 on sn-devel-184

commit 157d2dd77fd92b926350df0def6a3aa6edf823f2
Author: David Mulder <dmulder at suse.com>
Date:   Mon Apr 4 10:33:15 2022 -0600

    gpo: Certificate Auto Enrollment default Kerberos auth
    
    Certificate Auto Enrollment uses Kerberos to
    authenticate to AD. If someone configures their
    cepces.conf to use a different default
    authentication, then samba-gpupdate fails. Force
    Kerberos auth from samba-gpupdate.
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/gp_cert_auto_enroll_ext.py | 17 ++++++++++-------
 python/samba/tests/bin/cepces-submit    |  2 ++
 2 files changed, 12 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py
index b61aaf7b985..e5c2f2e4394 100644
--- a/python/samba/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp_cert_auto_enroll_ext.py
@@ -82,12 +82,12 @@ def get_supported_templates(server):
     if os.path.exists(cepces_submit):
         env = os.environ
         env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
-        p = Popen([cepces_submit, '--server=%s' % server], env=env,
-                       stdout=PIPE, stderr=PIPE)
+        p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
+                       env=env, stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         if p.returncode != 0:
-            log.warn('Failed to fetch the list of supported templates.')
-            log.debug(err.decode())
+            data = { 'Error': err.decode() }
+            log.error('Failed to fetch the list of supported templates.', data)
         return out.strip().split()
     return []
 
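Review bot: `err.decode()` in the new error branch decodes stderr with the strict default codec, so a helper that writes non-UTF-8 bytes to stderr would raise UnicodeDecodeError out of the logging path instead of reporting the failure; `data = {'Error': err.decode(errors='replace')}` keeps the diagnostic best-effort. The same pattern is added in the two cert_enroll hunks below. On the context lines, `env = os.environ` aliases the live process environment rather than copying it, so `CERTMONGER_OPERATION` remains set for the rest of the run and is inherited by every later Popen that passes no env=; `env = os.environ.copy()` would scope it to this call, though whether the later getcert invocations are affected I cannot tell from this hunk.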
@@ -136,12 +136,14 @@ def cert_enroll(ca, trust_dir, private_dir):
     cepces_submit = find_cepces_submit()
     if getcert is not None and os.path.exists(cepces_submit):
         p = Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
-                  '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])],
+                  '%s --server=%s --auth=Kerberos' % (cepces_submit,
+                  ca['dNSHostName'][0])],
                   stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         log.debug(out.decode())
         if p.returncode != 0:
-            log.debug(err.decode())
+            data = { 'Error': err.decode(), 'CA': ca['cn'][0] }
+            log.error('Failed to add Certificate Authority', data)
         supported_templates = get_supported_templates(ca['dNSHostName'][0])
         for template, attrs in ca['certificateTemplates'].items():
             if template not in supported_templates:
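Review bot: The rebinding `data = { 'Error': err.decode(), 'CA': ca['cn'][0] }` reuses the name `data`, which cert_enroll later indexes as `data['files']` and `data['templates']` (visible at the end of the next hunk). In that next hunk the same rebinding, `data = { 'Error': err.decode(), 'Certificate': nickname }`, is immediately followed by `data['files'].extend(...)`, so a failed getcert request raises KeyError instead of being logged; whether the rebinding here also clobbers the accumulator depends on where `data` is initialised, which lies outside this hunk. Use a distinct name in both cert_enroll branches, e.g. `log_data = {'Error': err.decode(), 'CA': ca['cn'][0]}` / `log.error('Failed to add Certificate Authority', log_data)`. Separately, `ca['dNSHostName'][0]` is interpolated unchecked into the single `-e` helper string, which as far as I can tell certmonger later splits on whitespace into the helper's arguments, so a directory-sourced value containing whitespace would alter that argument list; rejecting such values before building the string keeps the helper command line fixed. cert_enroll continues outside the hunk.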
@@ -157,7 +159,8 @@ def cert_enroll(ca, trust_dir, private_dir):
             out, err = p.communicate()
             log.debug(out.decode())
             if p.returncode != 0:
-                log.debug(err.decode())
+                data = { 'Error': err.decode(), 'Certificate': nickname }
+                log.error('Failed to request certificate', data)
             data['files'].extend([keyfile, certfile])
             data['templates'].append(nickname)
         if update is not None:
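Review bot: After `log.error('Failed to request certificate', data)` the branch falls through to `data['files'].extend([keyfile, certfile])` and `data['templates'].append(nickname)`, so a request that getcert rejected is still recorded as if it had been enrolled; a `continue` after the `log.error(...)` call would keep that bookkeeping in step with what actually succeeded, assuming the two lists are later read as the set of enrolled certificates (their consumer is outside the hunk). The enclosing `for template, attrs in ca['certificateTemplates'].items()` loop and cert_enroll itself both begin outside this hunk.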
diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit
index 1f9d57c6bfb..668682a9f58 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
@@ -7,9 +7,11 @@ sys.path.insert(0, "bin/python")
 if __name__ == "__main__":
     parser = optparse.OptionParser('cepces-submit [options]')
     parser.add_option('--server')
+    parser.add_option('--auth')
 
     (opts, args) = parser.parse_args()
     assert opts.server is not None
+    assert opts.auth == 'Kerberos'
     if 'CERTMONGER_OPERATION' in os.environ and \
        os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
         print('Machine') # Report a Machine template

