[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Fri Apr 8 21:06:01 UTC 2022
The branch, master has been updated
via be23ffbc5d6 examples: Update winbindd.stp and generate script
via ddc551f4477 s3:winbind: Convert PamAuth from struct based to NDR based
via c957d2dd77b s3:winbind: Set local and remote addresses in the crafted dcesrv_conn
via 0dbdc27604a s3:winbind: Make extra_data_to_sid_array() public
via d7739859e9c s3:winbind: Refactor log_authentication(), do not take winbindd_cli_state struct parameter
via 1e892e791d1 s3:winbind: Refactor fake_password_policy(), take netr_Validation as argument
via 1f8d70f188a s3:winbind: Refactor winbindd_dual_pam_auth_cached(), return netr_Validation
via e0f798f28df s3:winbind: Refactor winbindd_dual_pam_auth_cached(), avoid winbindd_cli_state parameter
via d9747504f23 s3:winbind: Refactor winbindd_dual_pam_auth_cached(), return krb5ccname as out parameter
via 6e017e217e6 s3:winbind: Refactor winbindd_dual_pam_auth_cached(), delay out variable assignment
via 7a3888113a6 s3:winbind: Refactor winbindd_dual_pam_auth_cached(), use temporary memory context
via cca932d329c s3:winbind: Refactor winbindd_dual_pam_auth_kerberos(), return netr_Validation
via 38b94791270 s3:winbind: Refactor winbindd_dual_pam_auth_kerberos(), do not take winbindd_cli_state struct parameter
via aebe79b7d41 s3:winbind: Refactor append_afs_token(), do not take winbindd_response struct as parameter
via ed2afdd3c88 s3:winbind: Refactor append_unix_username(), do not take winbindd_response struct as parameter
via 5439ecf723c selftest: Add a test for PamLogOff
via 3944b586d55 selftest: Extend test_wbc_logon_user to test WBFLAG_PAM_UNIX_NAME flag
via 68096b56159 s4:rpc_server: Fix duplicated function name between s3 and s4
via e0fadfd0d8b s4:rpc_server: Fix duplicated function name between s3 and s4
via a1a696a879a s3:winbind: Refactor check_info3_in_group() to take a wbint_SidArray struct
via 12ef1543453 s3:winbind: Move sighup handling related functions to winbindd-lib subsystem
via dfba83e14ab s3:winbind: Move sigterm handling functions to winbindd-lib subsystem
via 1903cf39da3 s3:winbind: Rename terminate() function to winbindd_terminate()
via 11d0266c743 s3:winbind: Move service reload related functions to winbindd-lib subsystem
via d41698169d9 s3:winbind: Move function to flush cache to winbindd-lib subsystem
via 334a4aa125b s3:winbind: Move the function to get the privileged pipe dir to winbindd-lib subsystem
via 3250de22edb s3:winbind: Move imessaging context init function to winbindd-lib subsystem
via 321c51e14ab s3:winbind: Move functions to enable or disable cache to winbindd-lib subsystem
from efcaeff2c33 WHATSNEW.txt: Add explanation of --without-smb1-server and --with-smb1-server configure options.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit be23ffbc5d6e896c81d614dbc559ba6d0554d5e2
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Mar 31 12:34:29 2022 +0200
examples: Update winbindd.stp and generate script
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Apr 8 21:06:01 UTC 2022 on sn-devel-184
commit ddc551f4477bfb8bc7ec636c89af01a028190d35
Author: Samuel Cabrero <scabrero at samba.org>
Date: Mon Jun 14 19:13:48 2021 +0200
s3:winbind: Convert PamAuth from struct based to NDR based
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c957d2dd77b7b3bd8b815acd6c9be75c24eceef1
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Feb 17 12:29:12 2022 +0100
s3:winbind: Set local and remote addresses in the crafted dcesrv_conn
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0dbdc27604a2c9b55fe8e8b87fd22312e5a78455
Author: Samuel Cabrero <scabrero at samba.org>
Date: Mon Jun 14 18:05:34 2021 +0200
s3:winbind: Make extra_data_to_sid_array() public
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and the parent will call this function to fill the 'r' struct.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d7739859e9cfa7688ef5e6ac815534dc87ea0ea6
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 30 20:55:12 2022 +0200
s3:winbind: Refactor log_authentication(), do not take winbindd_cli_state struct parameter
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will not receive a winbindd_cli_state parameter. Avoid
passing this struct around.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1e892e791d1554b4788d06848828deb84cadd1ce
Author: Samuel Cabrero <scabrero at samba.org>
Date: Mon Jun 14 18:08:21 2021 +0200
s3:winbind: Refactor fake_password_policy(), take netr_Validation as argument
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will return a netr_Validation from the child. This
function will be moved to the parent to fill the winbindd_response
struct.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1f8d70f188a66ade344bf38f39c0038d833d1b1b
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 10 16:50:06 2021 +0200
s3:winbind: Refactor winbindd_dual_pam_auth_cached(), return netr_Validation
Map netr_SamInfo3 to netr_Validation in this function instead of doing
it in the caller.
Later winbindd_dual_pam_auth() will be converted to a local RPC
handler and it will return the netr_Validation in the 'r' struct.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e0f798f28df070a66fcc2ef2c59ed46798fc6f2e
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 10 16:45:10 2021 +0200
s3:winbind: Refactor winbindd_dual_pam_auth_cached(), avoid winbindd_cli_state parameter
Later winbindd_dual_pam_auth() will be converted to a local RPC
handler and it will not receive a winbindd_cli_state struct as parameter.
Avoid passing around this struct.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d9747504f231d4b394639594001035585ce35ac8
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 10 16:15:13 2021 +0200
s3:winbind: Refactor winbindd_dual_pam_auth_cached(), return krb5ccname as out parameter
Later winbindd_dual_pam_auth() will be converted to a local RPC
handler and it will not receive a winbindd_cli_state struct as parameter.
Avoid passing around this struct.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6e017e217e620add239de5397a88415afad0b990
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 30 18:12:46 2022 +0200
s3:winbind: Refactor winbindd_dual_pam_auth_cached(), delay out variable assignment
Delay the assignment of the out variable and assign it only if
returning NT_STATUS_OK; the caller does not use the returned
netr_SamInfo3 if the function does not return NT_STATUS_OK.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7a3888113a62f3263cb887c75fc748d972a709e5
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 10 16:34:56 2021 +0200
s3:winbind: Refactor winbindd_dual_pam_auth_cached(), use temporary memory context
This function allocates a lot of intermediate variables; use a temporary
memory context.
The out variable info3 is assigned using talloc_steal() because the
local my_info3 is used below.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cca932d329cec65173a3647548c30c709df23253
Author: Samuel Cabrero <scabrero at samba.org>
Date: Mon Jun 14 18:39:02 2021 +0200
s3:winbind: Refactor winbindd_dual_pam_auth_kerberos(), return netr_Validation
Map netr_SamInfo6 to netr_Validation in winbindd_dual_pam_auth_kerberos()
instead of doing it in the caller.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 38b947912700fed8792d77afcdc4bcd06a7d0a87
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 10 14:03:43 2021 +0200
s3:winbind: Refactor winbindd_dual_pam_auth_kerberos(), do not take winbindd_cli_state struct parameter
Refactor winbindd_dual_pam_auth_kerberos() to not take a
winbindd_cli_state struct as parameter but its members. The kerberos
ccache name is returned as an out parameter and the caller is
responsible for copying it in the winbindd_response struct.
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will not receive a winbindd_cli_state as argument so
reduce passing this struct around.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit aebe79b7d4150b6656e03519f3b17dd24f5d6167
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 10 13:23:23 2021 +0200
s3:winbind: Refactor append_afs_token(), do not take winbindd_response struct as parameter
Refactor the append_afs_token() function to not take a
winbindd_response as a parameter but its members directly. The AFS token
is returned as an out parameter in a DATA_BLOB, and the caller is
responsible for setting it in the extra_data winbindd_response field and
extending the winbindd_response length.
Later winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the netr_Validation will be returned in the 'r' struct
from the child to the parent. The parent will then fill the
winbindd_response struct.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ed2afdd3c8828dfe1259570bcf3f68acee840ed5
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 10 13:18:54 2021 +0200
s3:winbind: Refactor append_unix_username(), do not take winbindd_response struct as parameter
Refactor the append_unix_username() function to not take a
winbindd_response struct as parameter but its members. The
unix username is returned as an out parameter and the caller is
responsible for setting it in the winbindd_response struct.
Later winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the netr_Validation will be returned in the 'r' struct
from the child to the parent. The parent will then fill the
winbindd_response struct.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5439ecf723c7b4e52ef5ff32a5848e3b3b082d19
Author: Samuel Cabrero <scabrero at samba.org>
Date: Fri Jun 18 09:22:39 2021 +0200
selftest: Add a test for PamLogOff
This test also verifies the KRB5CCNAME environment variable is set after
a successful PAM authentication with Kerberos.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3944b586d555dcab6d132033165d2635b685e1f7
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 30 11:46:08 2022 +0200
selftest: Extend test_wbc_logon_user to test WBFLAG_PAM_UNIX_NAME flag
Use the same function append_unix_username() uses to build the expected
value as it depends on the server role. This requires linking
winbindd-lib.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 68096b56159244a1b3607e5483623b5341423b68
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Mar 31 12:32:08 2022 +0200
s4:rpc_server: Fix duplicated function name between s3 and s4
It can lead to link errors:
/usr/lib64/gcc/x86_64-suse-linux/11/../../../../x86_64-suse-linux/bin/ld: source3/rpc_server/rpc_server.c.24.o: in function `dcesrv_transport_terminate_connection':
/home/scabrero/workspace/samba/samba/bin/default/../../source3/rpc_server/rpc_server.c:242: multiple definition of `dcesrv_transport_terminate_connection'; source4/rpc_server/dcerpc_server.c.5.o:/home/scabrero/workspace/samba/samba/bin/default/../../source4/rpc_server/dcerpc_server.c:710: first defined here
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e0fadfd0d8b3c7143872f5454ab361cbd4a47ba6
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Mar 31 12:29:14 2022 +0200
s4:rpc_server: Fix duplicated function name between s3 and s4
It can lead to link errors:
/usr/lib64/gcc/x86_64-suse-linux/11/../../../../x86_64-suse-linux/bin/ld: source3/rpc_server/rpc_server.c.24.o: in function `dcesrv_assoc_group_find':
/home/scabrero/workspace/samba/samba/bin/default/../../source3/rpc_server/rpc_server.c:229: multiple definition of `dcesrv_assoc_group_find'; source4/rpc_server/dcerpc_server.c.5.o:/home/scabrero/workspace/samba/samba/bin/default/../../source4/rpc_server/dcerpc_server.c:121: first defined here
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a1a696a879ac768db54b1a94110d6cb13fb9423c
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 10 12:02:08 2021 +0200
s3:winbind: Refactor check_info3_in_group() to take a wbint_SidArray struct
Refactor the check_info3_in_group() function to take a wbint_SidArray
struct. The sid strings stored in extra_data are parsed into a
wbint_SidArray in a separate function.
Later, winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the wbint_SidArray containing the required membership
will be part of the 'r' struct.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 12ef1543453a743af0aff8764bd1420566594321
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 2 18:44:07 2022 +0100
s3:winbind: Move sighup handling related functions to winbindd-lib subsystem
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Functions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit dfba83e14ab36967fe98469d8dead7c94aa71df6
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 2 18:30:19 2022 +0100
s3:winbind: Move sigterm handling functions to winbindd-lib subsystem
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Functions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1903cf39da37660c44df58649b3795bf74799953
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 2 18:21:09 2022 +0100
s3:winbind: Rename terminate() function to winbindd_terminate()
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 11d0266c7431f0602c83fbfac1160c41c22ae085
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 2 18:16:51 2022 +0100
s3:winbind: Move service reload related functions to winbindd-lib subsystem
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Functions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d41698169d9eb13e74184a1c4a8804c68c5d8dbb
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 2 18:13:15 2022 +0100
s3:winbind: Move function to flush cache to winbindd-lib subsystem
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Functions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 334a4aa125b2e6345c3c1e12f829fc0602751b88
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 2 18:03:34 2022 +0100
s3:winbind: Move the function to get the privileged pipe dir to winbindd-lib subsystem
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Functions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3250de22edb052a850f39a824bb7c68d4157b483
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 2 18:00:56 2022 +0100
s3:winbind: Move imessaging context init function to winbindd-lib subsystem
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Functions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 321c51e14ab797dd0d31086741b5eb668d022f1c
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Mar 2 17:54:54 2022 +0100
s3:winbind: Move functions to enable or disable cache to winbindd-lib subsystem
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Functions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
examples/systemtap/generate-winbindd.stp.sh | 1 +
examples/systemtap/winbindd.stp | 22 +-
librpc/idl/winbind.idl | 22 +
nsswitch/libwbclient/tests/wbclient.c | 46 ++
...winbind_chauthtok.py => pam_winbind_setcred.py} | 26 +-
..._pam_winbind.sh => test_pam_winbind_setcred.sh} | 12 +-
selftest/tests.py | 8 +
source3/winbindd/winbindd.c | 299 +-------
source3/winbindd/winbindd_cache.c | 31 +
source3/winbindd/winbindd_domain.c | 4 -
source3/winbindd/winbindd_dual.c | 167 +++++
source3/winbindd/winbindd_dual_ndr.c | 55 ++
source3/winbindd/winbindd_irpc.c | 37 +
source3/winbindd/winbindd_misc.c | 65 ++
source3/winbindd/winbindd_pam.c | 804 +++++++++++++--------
source3/winbindd/winbindd_pam_auth.c | 183 ++++-
source3/winbindd/winbindd_proto.h | 11 +-
source4/rpc_server/dcerpc_server.c | 8 +-
source4/rpc_server/service_rpc.c | 2 +-
source4/torture/rpc/spoolss_notify.c | 2 +-
source4/torture/winbind/wscript_build | 2 +-
21 files changed, 1153 insertions(+), 654 deletions(-)
copy python/samba/tests/{pam_winbind_chauthtok.py => pam_winbind_setcred.py} (59%)
copy python/samba/tests/{test_pam_winbind.sh => test_pam_winbind_setcred.sh} (81%)
Changeset truncated at 500 lines:
diff --git a/examples/systemtap/generate-winbindd.stp.sh b/examples/systemtap/generate-winbindd.stp.sh
index 5a4507874e4..28b2dbc58c1 100755
--- a/examples/systemtap/generate-winbindd.stp.sh
+++ b/examples/systemtap/generate-winbindd.stp.sh
@@ -9,6 +9,7 @@ winbindd_dual_pam_logoff
winbindd_dual_pam_chng_pswd_auth_crap
winbindd_dual_pam_chauthtok
_wbint_Ping
+_wbint_PamAuth
_wbint_ListTrustedDomains
_wbint_LookupSid
_wbint_LookupSids
diff --git a/examples/systemtap/winbindd.stp b/examples/systemtap/winbindd.stp
index 94f05596771..58926017595 100644
--- a/examples/systemtap/winbindd.stp
+++ b/examples/systemtap/winbindd.stp
@@ -2,7 +2,7 @@
#
# Systemtap script to instrument winbindd
#
-# Generated by examples/systemtap/generate-winbindd.stp.sh on mié 09 mar 2022 12:10:37 CET, do not edit
+# Generated by examples/systemtap/generate-winbindd.stp.sh on jue 31 mar 2022 12:34:16 CEST, do not edit
#
# Usage:
#
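Review bot: The "Generated by ... on" header line embeds a locale-formatted timestamp ("mié 09 mar 2022" became "jue 31 mar 2022"), so every regeneration touches this line and its text depends on the developer's locale. Have generate-winbindd.stp.sh emit the date under LC_ALL=C, or drop the timestamp from the header, so that regenerating the script only changes the probes.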
@@ -163,6 +163,26 @@ probe process("winbindd").function("_wbint_Ping").return {
dc_svctime["_wbint_Ping"] <<< duration
}
+#
+# winbind domain child function _wbint_PamAuth
+#
+
+probe process("winbindd").function("_wbint_PamAuth") {
+ dc_running[tid(), "_wbint_PamAuth"] = gettimeofday_us()
+}
+
+probe process("winbindd").function("_wbint_PamAuth").return {
+ if (!([tid(), "_wbint_PamAuth"] in dc_running))
+ next
+
+ end = gettimeofday_us()
+ begin = dc_running[tid(), "_wbint_PamAuth"]
+ delete dc_running[tid(), "_wbint_PamAuth"]
+
+ duration = end - begin
+ dc_svctime["_wbint_PamAuth"] <<< duration
+}
+
#
# winbind domain child function _wbint_ListTrustedDomains
#
diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index c7ca95d1a69..2737c563c69 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -174,6 +174,28 @@ interface winbind
[out,ref] netr_DomainTrustList *domains
);
+ typedef [public] struct {
+ uint16 level;
+ [switch_is(level)] netr_Validation *validation;
+ [string,charset(UTF8)] char *krb5ccname;
+ } wbint_Validation;
+
+ typedef [public] struct {
+ [string,charset(UTF8)] char *username;
+ [string,charset(UTF8),flag(NDR_SECRET)] char *password;
+ [string,charset(UTF8)] char *krb5_cc_type;
+ hyper uid;
+ } wbint_AuthUserInfo;
+
+ NTSTATUS wbint_PamAuth(
+ [in,string,charset(UTF8)] char *client_name,
+ [in] hyper client_pid,
+ [in] uint32 flags,
+ [in] wbint_AuthUserInfo *info,
+ [in] wbint_SidArray *require_membership_of_sid,
+ [out,ref] wbint_Validation *validation
+ );
+
/* Public methods available via IRPC */
typedef [switch_type(uint16)] union netr_LogonLevel netr_LogonLevel;
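Review bot: In wbint_AuthUserInfo only `password` carries flag(NDR_SECRET); please confirm that nothing else crossing this call needs the same treatment when NDR structures are printed at high debug levels, in particular the `validation` member of wbint_Validation returned through the out parameter. The new structs and wbint_PamAuth also have no comments: a short note on what `flags` carries, on why `uid` and `client_pid` are hyper, and on which `level` values are expected would help callers of the generated code.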
diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c
index 254070ed083..01fa2892c35 100644
--- a/nsswitch/libwbclient/tests/wbclient.c
+++ b/nsswitch/libwbclient/tests/wbclient.c
@@ -17,6 +17,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "source3/include/includes.h"
#include "lib/replace/replace.h"
#include "libcli/util/ntstatus.h"
#include "libcli/util/werror.h"
@@ -24,6 +25,7 @@
#include "lib/util/time.h"
#include "libcli/resolve/resolve.h"
#include "nsswitch/libwbclient/wbclient.h"
+#include "nsswitch/winbind_client.h"
#include "torture/smbtorture.h"
#include "torture/winbind/proto.h"
#include "lib/util/util_net.h"
@@ -33,6 +35,7 @@
#include "lib/util/samba_util.h"
#include "auth/credentials/credentials.h"
#include "lib/cmdline/cmdline.h"
+#include "winbindd.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -930,6 +933,9 @@ static bool test_wbc_logon_user(struct torture_context *tctx)
char *sidstr;
wbcErr ret;
struct cli_credentials *creds = samba_cmdline_get_creds();
+ uint32_t i, flags = 0;
+ const char *expected_unix_username = NULL;
+ const char *unix_username = NULL;
ZERO_STRUCT(params);
@@ -1017,6 +1023,46 @@ static bool test_wbc_logon_user(struct torture_context *tctx)
wbcFreeMemory(params.blobs);
params.blobs = NULL; params.num_blobs = 0;
+ /* Test WBFLAG_PAM_UNIX_NAME */
+ params.username = cli_credentials_get_username(creds);
+ params.password = cli_credentials_get_password(creds);
+ flags = WBFLAG_PAM_UNIX_NAME;
+
+ torture_assert(tctx,
+ lp_load_global(lpcfg_configfile(tctx->lp_ctx)),
+ "lp_load_global() failed\n");
+ expected_unix_username = fill_domain_username_talloc(tctx,
+ cli_credentials_get_domain(creds),
+ cli_credentials_get_username(creds),
+ true);
+
+ ret = wbcAddNamedBlob(¶ms.num_blobs, ¶ms.blobs, "flags", 0,
+ (uint8_t *)&flags, sizeof(flags));
+ torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
+ "%s", "wbcAddNamedBlob failed");
+
+ ret = wbcLogonUser(¶ms, &info, &error, &policy);
+ torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
+ "wbcLogonUser for %s failed",
+ params.username);
+
+ for (unix_username=NULL, i=0; i<info->num_blobs; i++) {
+ torture_comment(tctx, "Found named blob '%s'\n", info->blobs[i].name);
+ if (strequal(info->blobs[i].name, "unix_username")) {
+ unix_username = (const char *)info->blobs[i].blob.data;
+ }
+ }
+ torture_assert_not_null(tctx, unix_username,
+ "wbcLogonUserInfo does not have unix_username blob\n");
+ torture_assert_str_equal(tctx, unix_username,
+ expected_unix_username,
+ "Unexpected unix_username");
+ wbcFreeMemory(info); info = NULL;
+ wbcFreeMemory(error); error = NULL;
+ wbcFreeMemory(policy); policy = NULL;
+ wbcFreeMemory(params.blobs);
+ params.blobs = NULL; params.num_blobs = 0;
+
return true;
}
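Review bot: In the blob loop, `unix_username = (const char *)info->blobs[i].blob.data;` is later handed to torture_assert_str_equal() as a C string without looking at `blob.length`; check that the length is non-zero and that the last byte is NUL before comparing, so a malformed response fails the test instead of reading past the buffer. `expected_unix_username` is also used without a NULL check after fill_domain_username_talloc(), and any torture_assert that fails between wbcLogonUser() and the wbcFreeMemory() calls returns without releasing info, error, policy and params.blobs.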
diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_setcred.py
similarity index 59%
copy from python/samba/tests/pam_winbind_chauthtok.py
copy to python/samba/tests/pam_winbind_setcred.py
index c1d569b3cd0..055eac28fa3 100644
--- a/python/samba/tests/pam_winbind_chauthtok.py
+++ b/python/samba/tests/pam_winbind_setcred.py
@@ -1,7 +1,6 @@
# Unix SMB/CIFS implementation.
#
-# Copyright (C) 2017 Andreas Schneider <asn at samba.org>
-# Copyright (C) 2018 Mathieu Parent <math.parent at gmail.com>
+# Copyright (C) 2022 Samuel Cabrero <scabrero at samba.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
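Review bot: This file is created as a 59% copy of pam_winbind_chauthtok.py, yet the header drops both existing copyright lines and replaces them with a new one. Keep the 2017 and 2018 lines and add the 2022 line beneath them, since part of the copied code is unchanged.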
@@ -22,21 +21,36 @@ import pypamtest
import os
class PamChauthtokTests(samba.tests.TestCase):
- def test_chauthtok(self):
+ def test_setcred_delete_cred(self):
domain = os.environ["DOMAIN"]
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
- newpassword = os.environ["NEWPASSWORD"]
+
if domain != "":
unix_username = "%s/%s" % (domain, username)
else:
unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
- tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
+ tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
+ tc1 = pypamtest.TestCase(pypamtest.PAMTEST_GETENVLIST, expected_rc)
+ tc2 = pypamtest.TestCase(pypamtest.PAMTEST_KEEPHANDLE, expected_rc)
try:
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc, tc1, tc2], [password])
except pypamtest.PamTestError as e:
raise AssertionError(str(e))
self.assertTrue(res is not None)
+
+ ccache = tc1.pam_env["KRB5CCNAME"]
+ ccache = ccache[ccache.index(":") + 1:]
+ self.assertTrue(os.path.exists(ccache))
+
+ handle = tc2.pam_handle
+ tc3 = pypamtest.TestCase(pypamtest.PAMTEST_SETCRED, expected_rc, pypamtest.PAMTEST_FLAG_DELETE_CRED)
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc3], handle=handle)
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
+
+ self.assertFalse(os.path.exists(ccache))
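Review bot: `ccache = tc1.pam_env["KRB5CCNAME"]` raises KeyError when the variable is missing, which is reported as an error rather than a test failure; assert that the key is present first, and assert that the value contains ":" before calling `ccache.index(":")`. The result of the second run_pamtest() call is assigned to `res` but never checked, the class is still named PamChauthtokTests although it now tests setcred, and if the PAMTEST_SETCRED step raises, the credential cache file stays on disk, so consider removing it in a cleanup handler.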
diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind_setcred.sh
similarity index 81%
copy from python/samba/tests/test_pam_winbind.sh
copy to python/samba/tests/test_pam_winbind_setcred.sh
index a4b9b5bb4a6..7d7acc25aec 100755
--- a/python/samba/tests/test_pam_winbind.sh
+++ b/python/samba/tests/test_pam_winbind_setcred.sh
@@ -23,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
service_file="$service_dir/samba"
mkdir $service_dir
-echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" >$service_file
-echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >>$service_file
-echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >>$service_file
-echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >>$service_file
+echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
+echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
PAM_WRAPPER="1"
export PAM_WRAPPER
@@ -35,10 +35,10 @@ export PAM_WRAPPER_SERVICE_DIR
LD_PRELOAD="$LD_PRELOAD:$PAM_WRAPPER_SO_PATH"
export LD_PRELOAD
-PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
+PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="3"}
export PAM_WRAPPER_DEBUGLEVEL
-PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind
+PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_setcred
exit_code=$?
rm -rf $service_dir
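Review bot: The default for PAM_WRAPPER_DEBUGLEVEL goes from "2" to "3" with no comment and no mention in the commit message; say why this test needs the higher level, or keep the default used by test_pam_winbind.sh. While here, `rm -rf $service_dir` and `$(dirname $0)` expand unquoted; quoting them keeps a path containing spaces from being split.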
diff --git a/selftest/tests.py b/selftest/tests.py
index e8b5ed013b0..19b07dfec27 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -382,6 +382,14 @@ if with_pam:
"$DOMAIN", "alice", "Secret007",
pam_options])
+ description = "krb5"
+ pam_options = "'krb5_auth krb5_ccache_type=FILE:/tmp/krb5cc_pam_test_%u'"
+ plantestsuite("samba.tests.pam_winbind_setcred(domain+%s)" % description, "ad_dc:local",
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_setcred.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "${DOMAIN}", "${DC_USERNAME}", "${DC_PASSWORD}",
+ pam_options])
+
plantestsuite("samba.unittests.krb5samba", "none",
[os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
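Review bot: `krb5_ccache_type=FILE:/tmp/krb5cc_pam_test_%u` puts the credential cache at a fixed, predictable name in the shared /tmp, so repeated or parallel selftest runs on one host can collide, and a file left over from an earlier run can make the test's existence check on the cache pass for the wrong reason. Point the cache at a directory under the selftest temporary directory instead.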
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 0f9c6449a5a..af596319579 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -60,78 +60,11 @@
static bool client_is_idle(struct winbindd_cli_state *state);
static void remove_client(struct winbindd_cli_state *state);
-static void winbindd_setup_max_fds(void);
-static bool opt_nocache = False;
static bool interactive = False;
-struct imessaging_context *winbind_imessaging_context(void)
-{
- static struct imessaging_context *msg = NULL;
- struct messaging_context *msg_ctx;
- struct server_id myself;
- struct loadparm_context *lp_ctx;
-
- if (msg != NULL) {
- return msg;
- }
-
- msg_ctx = global_messaging_context();
- if (msg_ctx == NULL) {
- smb_panic("global_messaging_context failed\n");
- }
- myself = messaging_server_id(msg_ctx);
-
- lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
- if (lp_ctx == NULL) {
- smb_panic("Could not load smb.conf to init winbindd's imessaging context.\n");
- }
-
- /*
- * Note we MUST use the NULL context here, not the autofree context,
- * to avoid side effects in forked children exiting.
- */
- msg = imessaging_init(NULL, lp_ctx, myself, global_event_context());
- talloc_unlink(NULL, lp_ctx);
-
- if (msg == NULL) {
- smb_panic("Could not init winbindd's messaging context.\n");
- }
- return msg;
-}
-
/* Reload configuration */
-bool winbindd_reload_services_file(const char *lfile)
-{
- const struct loadparm_substitution *lp_sub =
- loadparm_s3_global_substitution();
- bool ret;
-
- if (lp_loaded()) {
- char *fname = lp_next_configfile(talloc_tos(), lp_sub);
-
- if (file_exist(fname) && !strcsequal(fname,get_dyn_CONFIGFILE())) {
- set_dyn_CONFIGFILE(fname);
- }
- TALLOC_FREE(fname);
- }
-
- reopen_logs();
- ret = lp_load_global(get_dyn_CONFIGFILE());
-
- /* if this is a child, restore the logfile to the special
- name - <domain>, idmap, etc. */
- if (lfile && *lfile) {
- lp_set_logfile(lfile);
- }
-
- reopen_logs();
- load_interfaces();
- winbindd_setup_max_fds();
-
- return(ret);
-}
static void winbindd_status(void)
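Review bot: After this removal the context comment `/* Reload configuration */` is left behind with no function under it and now sits directly above winbindd_status(); delete it here or move it together with winbindd_reload_services_file(). The forward declaration of winbindd_setup_max_fds() is also removed while the moved winbindd_reload_services_file() still calls it, so make sure the new location has a visible prototype for it.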
@@ -154,101 +87,6 @@ static void winbindd_status(void)
}
}
-/* Flush client cache */
-
-void winbindd_flush_caches(void)
-{
- /* We need to invalidate cached user list entries on a SIGHUP
- otherwise cached access denied errors due to restrict anonymous
- hang around until the sequence number changes. */
-
- if (!wcache_invalidate_cache()) {
- DEBUG(0, ("invalidating the cache failed; revalidate the cache\n"));
- if (!winbindd_cache_validate_and_initialize()) {
- exit(1);
- }
- }
-}
-
-static void flush_caches_noinit(void)
-{
- /*
- * We need to invalidate cached user list entries on a SIGHUP
- * otherwise cached access denied errors due to restrict anonymous
- * hang around until the sequence number changes.
- * NB
- * Skip uninitialized domains when flush cache.
- * If domain is not initialized, it means it is never
- * used or never become online. look, wcache_invalidate_cache()
- * -> get_cache() -> init_dc_connection(). It causes a lot of traffic
- * for unused domains and large traffic for primay domain's DC if there
- * are many domains..
- */
-
- if (!wcache_invalidate_cache_noinit()) {
- DEBUG(0, ("invalidating the cache failed; revalidate the cache\n"));
- if (!winbindd_cache_validate_and_initialize()) {
- exit(1);
- }
- }
-}
-
-/* Handle the signal by unlinking socket and exiting */
-
-static void terminate(bool is_parent)
-{
- if (is_parent) {
- /* When parent goes away we should
- * remove the socket file. Not so
- * when children terminate.
- */
- char *path = NULL;
-
- if (asprintf(&path, "%s/%s",
- lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
- unlink(path);
- SAFE_FREE(path);
- }
- }
-
- idmap_close();
-
- netlogon_creds_cli_close_global_db();
-
-#if 0
- if (interactive) {
- TALLOC_CTX *mem_ctx = talloc_init("end_description");
- char *description = talloc_describe_all(mem_ctx);
-
- DEBUG(3, ("tallocs left:\n%s\n", description));
- talloc_destroy(mem_ctx);
- }
-#endif
-
- if (is_parent) {
- pidfile_unlink(lp_pid_directory(), "winbindd");
- }
-
- exit(0);
-}
-
-static void winbindd_sig_term_handler(struct tevent_context *ev,
- struct tevent_signal *se,
- int signum,
- int count,
- void *siginfo,
- void *private_data)
-{
- bool *p = talloc_get_type_abort(private_data, bool);
- bool is_parent = *p;
-
- TALLOC_FREE(p);
-
- DEBUG(0,("Got sig[%d] terminate (is_parent=%d)\n",
- signum, is_parent));
- terminate(is_parent);
-}
-
/*
handle stdin becoming readable when we are in --foreground mode
*/
@@ -265,58 +103,10 @@ static void winbindd_stdin_handler(struct tevent_context *ev,
parent has exited. Shutdown the server */
DEBUG(0,("EOF on stdin (is_parent=%d)\n",
(int)*is_parent));
- terminate(*is_parent);
+ winbindd_terminate(*is_parent);
}
}
-bool winbindd_setup_sig_term_handler(bool parent)
-{
- struct tevent_signal *se;
- bool *is_parent;
-
- is_parent = talloc(global_event_context(), bool);
- if (!is_parent) {
- return false;
- }
-
- *is_parent = parent;
-
- se = tevent_add_signal(global_event_context(),
- is_parent,
- SIGTERM, 0,
- winbindd_sig_term_handler,
- is_parent);
- if (!se) {
- DEBUG(0,("failed to setup SIGTERM handler"));
- talloc_free(is_parent);
- return false;
- }
-
- se = tevent_add_signal(global_event_context(),
- is_parent,
--
Samba Shared Repository