[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Tue Apr 5 01:45:01 UTC 2022
The branch, master has been updated
via 63bbdbae19d gpo: Improve Certificate Auto Enroll Debug messages
via 157d2dd77fd gpo: Certificate Auto Enrollment default Kerberos auth
from a543d38cd1e third_party:waf: Do not recurse in aesni-intel if GnuTLS provides the cipher
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 63bbdbae19dda6d28ecf8ce27addda728c7a028d
Author: David Mulder <dmulder at suse.com>
Date: Mon Apr 4 10:42:40 2022 -0600
gpo: Improve Certificate Auto Enroll Debug messages
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Apr 5 01:44:33 UTC 2022 on sn-devel-184
commit 157d2dd77fd92b926350df0def6a3aa6edf823f2
Author: David Mulder <dmulder at suse.com>
Date: Mon Apr 4 10:33:15 2022 -0600
gpo: Certificate Auto Enrollment default Kerberos auth
Certificate Auto Enrollment uses Kerberos to
authenticate to AD. If someone configures their
cepces.conf to use a different default
authentication, then samba-gpupdate fails. Force
Kerberos auth from samba-gpupdate.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/gp_cert_auto_enroll_ext.py | 17 ++++++++++-------
python/samba/tests/bin/cepces-submit | 2 ++
2 files changed, 12 insertions(+), 7 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py
index b61aaf7b985..e5c2f2e4394 100644
--- a/python/samba/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp_cert_auto_enroll_ext.py
@@ -82,12 +82,12 @@ def get_supported_templates(server):
if os.path.exists(cepces_submit):
env = os.environ
env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
- p = Popen([cepces_submit, '--server=%s' % server], env=env,
- stdout=PIPE, stderr=PIPE)
+ p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
+ env=env, stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
if p.returncode != 0:
- log.warn('Failed to fetch the list of supported templates.')
- log.debug(err.decode())
+ data = { 'Error': err.decode() }
+ log.error('Failed to fetch the list of supported templates.', data)
return out.strip().split()
return []
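Review bot: On a non-zero exit the function still falls through to `return out.strip().split()`, so whatever the failed helper wrote to stdout is handed back as the list of supported templates. Now that the failure is logged at error level, adding `return []` right after the `log.error(...)` call would make the failure path explicit. Separately, `err.decode()` is a strict UTF-8 decode and can raise on helper output in another encoding, turning a logged failure into an exception; `err.decode(errors='replace')` avoids that. The start of get_supported_templates is outside the hunk.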
@@ -136,12 +136,14 @@ def cert_enroll(ca, trust_dir, private_dir):
cepces_submit = find_cepces_submit()
if getcert is not None and os.path.exists(cepces_submit):
p = Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
- '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])],
+ '%s --server=%s --auth=Kerberos' % (cepces_submit,
+ ca['dNSHostName'][0])],
stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
log.debug(out.decode())
if p.returncode != 0:
- log.debug(err.decode())
+ data = { 'Error': err.decode(), 'CA': ca['cn'][0] }
+ log.error('Failed to add Certificate Authority', data)
supported_templates = get_supported_templates(ca['dNSHostName'][0])
for template, attrs in ca['certificateTemplates'].items():
if template not in supported_templates:
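Review bot: The helper command passed to `getcert add-ca -e` is built with `%` formatting from `ca['dNSHostName'][0]`, so that value sits inside one command string next to `--auth=Kerberos` instead of being its own argv element. If the attribute comes from the directory (it looks that way, but the caller is not visible here), a value containing whitespace or quotes could change how the helper line is later split into options. Validating the host name before formatting, for example `re.fullmatch(r'[A-Za-z0-9.-]+', host)` (assuming `re` is available in the module), and skipping the CA on a mismatch would keep the forced Kerberos setting reliable. cert_enroll starts and ends outside the hunk.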
@@ -157,7 +159,8 @@ def cert_enroll(ca, trust_dir, private_dir):
out, err = p.communicate()
log.debug(out.decode())
if p.returncode != 0:
- log.debug(err.decode())
+ data = { 'Error': err.decode(), 'Certificate': nickname }
+ log.error('Failed to request certificate', data)
data['files'].extend([keyfile, certfile])
data['templates'].append(nickname)
if update is not None:
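Review bot: Assigning the log payload to `data` in the `returncode != 0` branch rebinds the name that the following context lines index as `data['files']` and `data['templates']`, so a failed certificate request would raise KeyError instead of only being logged. A separate name or an inline dict avoids this, e.g. `log.error('Failed to request certificate', {'Error': err.decode(), 'Certificate': nickname})`. The `data = {...}` added in the add-ca hunk of cert_enroll has the same effect if the result dict is already initialised at that point, which is not visible here. cert_enroll's body extends beyond the hunk.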
diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit
index 1f9d57c6bfb..668682a9f58 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
@@ -7,9 +7,11 @@ sys.path.insert(0, "bin/python")
if __name__ == "__main__":
parser = optparse.OptionParser('cepces-submit [options]')
parser.add_option('--server')
+ parser.add_option('--auth')
(opts, args) = parser.parse_args()
assert opts.server is not None
+ assert opts.auth == 'Kerberos'
if 'CERTMONGER_OPERATION' in os.environ and \
os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
print('Machine') # Report a Machine template
--
Samba Shared Repository