[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Fri Mar 25 21:55:01 UTC 2022


The branch, master has been updated
       via  67294a23b97 testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos
       via  06da77a365f testprogs: Manually reformat test_pkinit_pac.sh
       via  970f1100863 testprogs: Reformat test_pkinit_pac.sh with shfmt
       via  f0f47eedf74 testprogs: Rename test_pkinit_pac_heimdal.sh
       via  6a125b0ac9f testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
       via  c27f17df379 testprogs: Remove the usage of enctype in test_pkinit_simple.sh
       via  3aa7df568bc testprogs: Change from $foo to "${foo}" variable style
       via  e1728858577 testprogs: Manually reformat testit commands in test_pkinit_simple.sh
       via  a0deaed6290 testprogs: Fix calculating failed in test_pkinit_simple.sh
       via  ff0b3a9ee6f testprogs: Format test_pkinit_simple.sh with shfmt
       via  9baac4a8177 testprogs: Rename test_pkinit_heimdal.sh
       via  4d0ea9e3b0a testprogs: Fix kerberos_kinit with additional options
       via  b39176f795b selftest: Setup PKINIT for MIT Kerberos
       via  28f57a757b6 s4:kdc: Add Smart Card and file based PKINIT support
       via  e2b9df1cbcd s4:tests: Run Heimdal PKINIT tests only against ad_dc env
       via  5636c59a6d0 s4:kdc: If we set the kerberos debug level to 10 write a trace file
       via  7b226a66ac6 s4:kdc: Remove trailing white spaces in kdc-service-mit.c
       via  bd590c03963 s4:kdc: Improve debug message of samba_kdc_fetch_server()
      from  206909d52b7 s4: dns: Add customizable dns port option

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 67294a23b97e3fae3c20861a8313f860b89a2859
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 25 19:35:06 2022 +0100

    testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos
    
    There is no need to specify the enctype and it isn't supported by MIT Kerberos
    anyway.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Mar 25 21:54:11 UTC 2022 on sn-devel-184

commit 06da77a365f3389ae15aadbc007ab4a7eaaac032
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Mar 18 11:05:23 2022 +0100

    testprogs: Manually reformat test_pkinit_pac.sh
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 970f1100863fda4e743023a9d2387f8aaee6c87e
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Mar 18 11:04:19 2022 +0100

    testprogs: Reformat test_pkinit_pac.sh with shfmt
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f0f47eedf74f17d0079fa6f22602a79617194d66
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 17 14:33:52 2022 +0100

    testprogs: Rename test_pkinit_pac_heimdal.sh
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6a125b0ac9fc5b9845a58e6ae4a17263de8396b4
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 24 13:04:54 2022 +1300

    testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
    
    There is no need to specify the enctype and it isn't supported with MIT
    Kerberos.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c27f17df379e7c38975f93e3a919516d5b0a07fe
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 24 13:50:49 2022 +0100

    testprogs: Remove the usage of enctype in test_pkinit_simple.sh
    
    This is not needed anymore and the default is AES in the meantime.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3aa7df568bca6f8e493a9d20635092f66a2c14f5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 24 12:53:28 2022 +1300

    testprogs: Change from $foo to "${foo}" variable style
    
    This is selected from and to improve the understanding of:
    
        testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
    
        There is no need to specify the enctype and it isn't supported with MIT
        Kerberos.
    
        Signed-off-by: Andreas Schneider <asn at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit e17288585773ccbe498fa9f745598b8137c94aad
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Mar 18 10:26:46 2022 +0100

    testprogs: Manually reformat testit commands in test_pkinit_simple.sh
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a0deaed62908e39cdd0086c2b712ce335ace644e
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Mar 18 10:21:20 2022 +0100

    testprogs: Fix calculating failed in test_pkinit_simple.sh
    
    We only want to increase it if a test is failing. If something is expected to
    fail, we should not count that as failed.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ff0b3a9ee6f4a38725640335bf94df140858fb00
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Mar 18 10:20:27 2022 +0100

    testprogs: Format test_pkinit_simple.sh with shfmt
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9baac4a8177a6ecb06c31c43f5540a5103b766ee
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 17 14:28:26 2022 +0100

    testprogs: Rename test_pkinit_heimdal.sh
    
    We want one common test which works against Heimdal and MIT Kerberos.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4d0ea9e3b0aad7fda5dc2acc31d38a9162624d75
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 17 13:57:21 2022 +0100

    testprogs: Fix kerberos_kinit with additional options
    
    The additional options need to come before we specify the principal
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b39176f795b8ae7942ce277d3b48276018f7da9a
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 24 19:47:16 2022 +0100

    selftest: Setup PKINIT for MIT Kerberos
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 28f57a757b65a734c13f55501dc2f92efacad7dd
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jan 19 12:49:45 2022 +0100

    s4:kdc: Add Smart Card and file based PKINIT support
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e2b9df1cbcdf87ba0c791b31999e6863f84ebe1a
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 25 19:39:56 2022 +0100

    s4:tests: Run Heimdal PKINIT tests only against ad_dc env
    
    There is no difference kerberos-wise between those two envs.
    
    This reverts 661e1a229e85f566c5fc5d43ea03fbb29847439a.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5636c59a6d06a2ee092c64a736ad333bf9eac9aa
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jan 20 08:46:55 2022 +0100

    s4:kdc: If we set the kerberos debug level to 10 write a trace file
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7b226a66ac6aae266692b08c62a93829746238a8
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Feb 24 12:18:18 2022 +0100

    s4:kdc: Remove trailing white spaces in kdc-service-mit.c
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bd590c039636998d1f572d5bf55bcfc76b198ab0
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 18 09:24:44 2022 +0100

    s4:kdc: Improve debug message of samba_kdc_fetch_server()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail_mit_kdc                    |   7 -
 selftest/skip_mit_kdc_pre_1_20                |   2 +
 selftest/target/Samba.pm                      |  25 +-
 selftest/wscript                              |   3 +
 source4/kdc/db-glue.c                         |  16 +-
 source4/kdc/kdc-service-mit.c                 |  18 +-
 source4/kdc/sdb_to_kdb.c                      |  13 +-
 source4/selftest/tests.py                     |  25 +-
 testprogs/blackbox/common_test_fns.inc        |   4 +-
 testprogs/blackbox/test_pkinit_heimdal.sh     | 175 --------------
 testprogs/blackbox/test_pkinit_pac.sh         |  63 +++++
 testprogs/blackbox/test_pkinit_pac_heimdal.sh |  50 ----
 testprogs/blackbox/test_pkinit_simple.sh      | 333 ++++++++++++++++++++++++++
 13 files changed, 493 insertions(+), 241 deletions(-)
 create mode 100644 selftest/skip_mit_kdc_pre_1_20
 delete mode 100755 testprogs/blackbox/test_pkinit_heimdal.sh
 create mode 100755 testprogs/blackbox/test_pkinit_pac.sh
 delete mode 100755 testprogs/blackbox/test_pkinit_pac_heimdal.sh
 create mode 100755 testprogs/blackbox/test_pkinit_simple.sh


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index a3f3e51e367..9b55627bbc8 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -262,18 +262,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^netr-bdc-arcfour.verify-sig-arcfour
 ^netr-bdc-arcfour.verify-sig-arcfour
-^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local
-^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local
 ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc
 ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc
 ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc
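Review bot: dropping the `ad_dc_ntvfs` entries here is only consistent because the tests.py change in this same series stops planning pkinit_pac against that env; since the two files are maintained separately, a one-line `#` comment above the remaining `pkinit_pac` entries saying they are MIT-KDC failures on `ad_dc` would help the next reader. While in this block, the context line `^netr-bdc-arcfour.verify-sig-arcfour` appears twice in a row; one copy can go.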
diff --git a/selftest/skip_mit_kdc_pre_1_20 b/selftest/skip_mit_kdc_pre_1_20
new file mode 100644
index 00000000000..aa6c418662d
--- /dev/null
+++ b/selftest/skip_mit_kdc_pre_1_20
@@ -0,0 +1,2 @@
+^samba4.blackbox.pkinit_simple
+^samba4.blackbox.pkinit_pac
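Review bot: missing documentation. The new skip list has no comment explaining why `pkinit_simple` and `pkinit_pac` are excluded on MIT Kerberos before 1.20 (the selftest exclude files accept `#` comment lines, as `knownfail_mit_kdc` above shows). Suggest a header line such as `# PKINIT against the Samba KDC needs MIT Kerberos 1.20 or later` so it is obvious when the file can be deleted. Note also that the patterns are anchored only at the start, so `^samba4.blackbox.pkinit_simple` will also skip any future test whose name begins with that prefix.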
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 4245db2703a..2131e4a39ca 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -361,7 +361,14 @@ sub mk_krb5_conf($$)
 	}
 
         if (defined($ctx->{tlsdir})) {
-	       print KRB5CONF "
+		if (defined($ENV{MITKRB5})) {
+			print KRB5CONF "
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_kdc_hostname = $ctx->{hostname}.$ctx->{dnsname}
+
+";
+		} else {
+			print KRB5CONF "
 
 [appdefaults]
 	pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
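Review bot: in the MIT branch the two `pkinit_*` lines are printed without a section header, so they land in whichever section the preceding `print KRB5CONF` left open (presumably `[libdefaults]`, which is where MIT reads `pkinit_anchors` and `pkinit_kdc_hostname`, whereas Heimdal takes them from `[appdefaults]`); that is invisible from this hunk, so a comment naming the intended section would help. Style: the new lines use a single leading space while the rest of the generated file is tab-indented.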
@@ -372,6 +379,7 @@ sub mk_krb5_conf($$)
 	pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
 
 ";
+		}
         }
 
 	print KRB5CONF "
@@ -464,16 +472,31 @@ sub mk_mitkdc_conf($$)
 	$ctx->{realm} = {
 		master_key_type = aes256-cts
 		default_principal_flags = +preauth
+		pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+		pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+		pkinit_eku_checking = scLogin
+		pkinit_indicator = pkinit
+		pkinit_allow_upn = true
 	}
 
 	$ctx->{dnsname} = {
 		master_key_type = aes256-cts
 		default_principal_flags = +preauth
+		pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+		pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+		pkinit_eku_checking = scLogin
+		pkinit_indicator = pkinit
+		pkinit_allow_upn = true
 	}
 
 	$ctx->{domain} = {
 		master_key_type = aes256-cts
 		default_principal_flags = +preauth
+		pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+		pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+		pkinit_eku_checking = scLogin
+		pkinit_indicator = pkinit
+		pkinit_allow_upn = true
 	}
 
 [dbmodules]
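Review bot: the same five-line `pkinit_*` block is pasted into the realm, dnsname and domain stanzas; building it once in a Perl variable and interpolating it three times would keep the stanzas from drifting apart. A comment on `pkinit_eku_checking = scLogin` would also help: it accepts the Microsoft smart card login EKU in addition to `kpClientAuth`, and together with `pkinit_allow_upn = true` it is what lets a client certificate that carries only a UPN subject alternative name map to the account.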
diff --git a/selftest/wscript b/selftest/wscript
index c92b37bd5e1..a8b6d45cd1d 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -258,6 +258,9 @@ def cmd_testonly(opt):
 
     if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
         env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc"
+        if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_20'):
+            env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc_pre_1_20"
+
         env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
                             "knownfail_mit_kdc"
 
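Review bot: the pre-1.20 branch appends `--mitkrb5` a second time, although the line just above already added it, so only the `--exclude=${srcdir}/selftest/skip_mit_kdc_pre_1_20` part is new; drop the duplicate flag. The exclude goes into `env.OPTIONS` rather than `env.FILTER_XFAIL`, so these tests are skipped outright instead of being run as expected failures; that is reasonable while they cannot run at all, but deserves a comment.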
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index dbe9276350c..ea329b7edab 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2381,7 +2381,21 @@ static krb5_error_code samba_kdc_fetch_server(krb5_context context,
 				      flags, kvno,
 				      realm_dn, msg, entry);
 	if (ret != 0) {
-		krb5_warnx(context, "samba_kdc_fetch: message2entry failed");
+		char *client_name = NULL;
+		krb5_error_code code;
+
+		code = krb5_unparse_name(context, principal, &client_name);
+		if (code == 0) {
+			krb5_warnx(context,
+				   "samba_kdc_fetch: message2entry failed for "
+				   "%s",
+				   client_name);
+		} else {
+			krb5_warnx(context,
+				   "samba_kdc_fetch: message2entry and "
+				   "krb5_unparse_name failed");
+		}
+		SAFE_FREE(client_name);
 	}
 
 	return ret;
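Review bot: `client_name` is allocated by `krb5_unparse_name()` and should be released with `krb5_free_unparsed_name(context, client_name)` rather than `SAFE_FREE()`, so the free matches the library's allocator. Minor: the message still says `samba_kdc_fetch` although the function is `samba_kdc_fetch_server`; using `__func__` in the format string would stop that from drifting again.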
diff --git a/source4/kdc/kdc-service-mit.c b/source4/kdc/kdc-service-mit.c
index 5d4180aa7cc..f9aaedefc23 100644
--- a/source4/kdc/kdc-service-mit.c
+++ b/source4/kdc/kdc-service-mit.c
@@ -146,6 +146,7 @@ NTSTATUS mitkdc_task_init(struct task_server *task)
 	kadm5_ret_t ret;
 	kadm5_config_params config;
 	void *server_handle;
+	int dbglvl = 0;
 
 	task_server_set_title(task, "task[mitkdc_parent]");
 
@@ -188,6 +189,21 @@ NTSTATUS mitkdc_task_init(struct task_server *task)
 	setenv("KRB5_KDC_PROFILE", kdc_config, 0);
 	TALLOC_FREE(kdc_config);
 
+	dbglvl = debuglevel_get_class(DBGC_KERBEROS);
+	if (dbglvl >= 10) {
+		char *kdc_trace_file = talloc_asprintf(task,
+						       "%s/mit_kdc_trace.log",
+						       get_dyn_LOGFILEBASE());
+		if (kdc_trace_file == NULL) {
+			task_server_terminate(task,
+					"KDC: no memory",
+					false);
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		setenv("KRB5_TRACE", kdc_trace_file, 1);
+	}
+
 	/* start it as a child process */
 	kdc_cmd = lpcfg_mit_kdc_command(task->lp_ctx);
 
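Review bot: `setenv("KRB5_TRACE", kdc_trace_file, 1)` overwrites a value the operator may already have in the environment, while `KRB5_KDC_PROFILE` a few lines above is set with overwrite 0; if the intent is that debug level 10 always wins, say so in a comment, otherwise use 0 for consistency. Consider also a `DBG_NOTICE` line stating that the trace is being written to `mit_kdc_trace.log` under the log base, because the child KDC inherits the variable silently and an operator only discovers the file by looking for it.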
@@ -357,7 +373,7 @@ NTSTATUS server_service_mitkdc_init(TALLOC_CTX *mem_ctx)
 {
 	static const struct service_details details = {
 		.inhibit_fork_on_accept = true,
-		/* 
+		/*
 		 * Need to prevent pre-forking on kdc.
 		 * The task_init function is run on the master process only
 		 * and the irpc process name is registered in it's event loop.
diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c
index 9d7729ebee7..c24fd738ad3 100644
--- a/source4/kdc/sdb_to_kdb.c
+++ b/source4/kdc/sdb_to_kdb.c
@@ -65,9 +65,16 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s,
 	if (s->change_pw) {
 		*k |= KRB5_KDB_PWCHANGE_SERVICE;
 	}
+#if 0
+	/*
+	 * Do not set KRB5_KDB_REQUIRES_HW_AUTH as this would tell the client
+	 * to enforce hardware authentication. It prevents the use of files
+	 * based public key authentication which we use for testing.
+	 */
 	if (s->require_hwauth) {
 		*k |= KRB5_KDB_REQUIRES_HW_AUTH;
 	}
+#endif
 	if (s->ok_as_delegate) {
 		*k |= KRB5_KDB_OK_AS_DELEGATE;
 	}
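Review bot: `#if 0` keeps dead code around; since the comment already explains why `KRB5_KDB_REQUIRES_HW_AUTH` must not be set, delete the block and keep the comment, otherwise the next reader will wonder whether re-enabling is planned. The comment should also point at the second change in `sdb_entry_to_krb5_db_entry` in this same file: dropping the flag on its own would let a smart-card-required account keep its long-term keys and therefore authenticate with a password, and the two hunks only enforce the policy together.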
@@ -290,7 +297,11 @@ int sdb_entry_to_krb5_db_entry(krb5_context context,
 
 	/* FIXME: TODO HDB Extensions */
 
-	if (s->keys.len > 0) {
+	/*
+	 * Don't copy keys (allow password auth) if s->flags.require_hwauth is
+	 * set which translates to UF_SMARTCARD_REQUIRED.
+	 */
+	if (s->keys.len > 0 && s->flags.require_hwauth == 0) {
 		k->key_data = malloc(s->keys.len * sizeof(krb5_key_data));
 		if (k->key_data == NULL) {
 			free_krb5_db_entry(context, k);
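Review bot: when `s->flags.require_hwauth` is set the whole key copy is skipped, so `k->key_data` stays NULL; please confirm that `k->n_key_data` is left at 0 on that path and that nothing later in the function dereferences `key_data` unconditionally (those lines are outside this hunk). The comment reads as if not copying keys allows password auth; rewording it to "Don't copy keys (which would allow password auth) ... PKINIT does not need them" would make the intent clear.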
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 45fbc960c31..165a933d110 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -555,9 +555,6 @@ plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join
 plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
 
 if have_heimdal_support:
-    for env in ["ad_dc_ntvfs", "ad_dc"]:
-        plantestsuite("samba4.blackbox.pkinit", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", smbclient3, configuration])
-        plantestsuite("samba4.blackbox.pkinit_pac", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_pac_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", configuration])
     plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient4, configuration])
     plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "arcfour-hmac-md5", smbclient3, configuration])
     plantestsuite("samba4.blackbox.kinit", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient3, configuration])
@@ -577,6 +574,28 @@ else:
     plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_mit.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
     plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
 
+plantestsuite("samba4.blackbox.pkinit_simple",
+              "ad_dc:local",
+              [os.path.join(bbdir, "test_pkinit_simple.sh"),
+               '$SERVER',
+               'pkinit',
+               '$PASSWORD',
+               '$REALM',
+               '$DOMAIN',
+               '$PREFIX/ad_dc',
+               smbclient3,
+               configuration])
+plantestsuite("samba4.blackbox.pkinit_pac",
+              "ad_dc:local",
+              [os.path.join(bbdir, "test_pkinit_pac.sh"),
+               '$SERVER',
+               '$USERNAME',
+               '$PASSWORD',
+               '$REALM',
+               '$DOMAIN',
+               '$PREFIX/ad_dc',
+               configuration])
+
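Review bot: the two new `plantestsuite` calls sit outside the `if have_heimdal_support:` / `else:` branches, so they are planned for both Kerberos backends; that is the intent of the series, but the only thing that stops them from running against MIT Kerberos before 1.20 is the separate skip file, which a reader of tests.py cannot see. A one-line comment here pointing at `selftest/skip_mit_kdc_pre_1_20` would save the next person from re-adding a version check in this file.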
 plantestsuite("samba.blackbox.client_kerberos", "ad_dc", [os.path.join(bbdir, "test_client_kerberos.sh"), '$DOMAIN', '$REALM', '$USERNAME', '$PASSWORD', '$SERVER', '$PREFIX_ABS', '$SMB_CONF_PATH'])
 
 env="ad_member:local"
diff --git a/testprogs/blackbox/common_test_fns.inc b/testprogs/blackbox/common_test_fns.inc
index 1c988f439a7..0b685dbd019 100755
--- a/testprogs/blackbox/common_test_fns.inc
+++ b/testprogs/blackbox/common_test_fns.inc
@@ -98,11 +98,11 @@ kerberos_kinit() {
 	if [ "${kbase}" = "samba4kinit" ]; then
 		kpassfile=$(mktemp)
 		echo $password > ${kpassfile}
-		$kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} $principal $@
+		$kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} $@ $principal
 		status=$?
 		rm -f ${kpassfile}
 	else
-		echo $password | $kinit_tool $principal $@
+		echo $password | $kinit_tool $@ $principal
 		status=$?
 	fi
 	return $status
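Review bot: `$@` and `$password` are unquoted on both new lines, so an option or password containing whitespace or glob characters is split or expanded before it reaches kinit; use `"$@"` and `echo "$password"`, in line with the `"${foo}"` style the series adopts elsewhere. Moving the extra options ahead of the principal matches the commit message; an option parser that stops at the first non-option argument would otherwise treat everything in `$@` as extra positional arguments.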
diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh
deleted file mode 100755
index 08ebc7497c4..00000000000
--- a/testprogs/blackbox/test_pkinit_heimdal.sh
+++ /dev/null
@@ -1,175 +0,0 @@
-#!/bin/sh
-# Blackbox tests for kinit and kerberos integration with smbclient etc
-# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer at samba.org>
-# Copyright (C) 2006-2008 Andrew Bartlett <abartlet at samba.org>
-
-if [ $# -lt 5 ]; then
-cat <<EOF
-Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLINET
-EOF
-exit 1;
-fi
-
-SERVER=$1
-USERNAME=$2
-PASSWORD=$3
-REALM=$4
-DOMAIN=$5
-PREFIX=$6
-ENCTYPE=$7
-smbclient=$8
-shift 8
-failed=0
-
-samba4bindir="$BINDIR"
-samba4srcdir="$SRCDIR/source4"
-samba4kinit_binary=kinit
-if test -x $BINDIR/samba4kinit; then
-	samba4kinit_binary=$BINDIR/samba4kinit
-fi
-
-samba_tool="$samba4bindir/samba-tool"
-wbinfo="$samba4bindir/wbinfo"
-samba4kpasswd=kpasswd
-if test -x $BINDIR/samba4kpasswd; then
-	samba4passwd=$BINDIR/samba4kpasswd
-fi
-
-ldbmodify="ldbmodify"
-if [ -x "$samba4bindir/ldbmodify" ]; then
-	ldbmodify="$samba4bindir/ldbmodify"
-fi
-
-ldbsearch="ldbsearch"
-if [ -x "$samba4bindir/ldbsearch" ]; then
-	ldbsearch="$samba4bindir/ldbsearch"
-fi
-
-. `dirname $0`/subunit.sh
-. `dirname $0`/common_test_fns.inc
-
-enctype="-e $ENCTYPE"
-unc="//$SERVER/tmp"
-
-KRB5CCNAME_PATH="$PREFIX/tmpccache"
-KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
-export KRB5CCNAME
-rm -f $KRB5CCNAME_PATH
-PASSFILE_PATH="$PREFIX/tmppassfile"
-rm -f $PASSFILE_PATH
-echo $PASSWORD > $PASSFILE_PATH
-
-USER_PRINCIPAL_NAME=`echo "${USERNAME}@${REALM}" | tr A-Z a-z`
-PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
-
-# STEP1:
-# Now we set the UF_SMARTCARD_REQUIRED bit
-# This means we have a normal enabled account *without* a known password
-testit "STEP1 samba-tool user create $USERNAME --smartcard-required" $PYTHON ${samba_tool} user create $USERNAME --smartcard-required || failed=`expr $failed + 1`
-
-testit_expect_failure "STEP1 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   && failed=`expr $failed + 1`
-testit_expect_failure "STEP1 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
-testit_expect_failure "STEP1 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1`
-
-testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
-
-testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1`
-
-testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
-
-testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1`
-
-testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
-testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-# STEP2:
-# We still have UF_SMARTCARD_REQUIRED, but with a known password
-testit "STEP2 samba-tool user setpassword $USERNAME --newpassword" $PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD || failed=`expr $failed + 1`
-
-testit_expect_failure "STEP2 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   && failed=`expr $failed + 1`
-test_smbclient "STEP2 Test login with NTLM" 'ls' "$unc" -U$USERNAME%$PASSWORD || failed=`expr $failed + 1`
-testit_expect_failure "STEP2 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1`
-
-testit "STEP2 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP2 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP2 Test login with kerberos ccache (name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-testit "STEP2 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP2 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-testit "STEP2 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
-testit "STEP2 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-# STEP3:
-# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set
-testit "STEP3 samba-tool user setpassword $USERNAME --smartcard-required" $PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD --clear-smartcard-required  || failed=`expr $failed + 1`
-
-testit "STEP3 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with NTLM" 'ls' "$unc" -U$USERNAME%$PASSWORD || failed=`expr $failed + 1`
-testit "STEP3 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD || failed=`expr $failed + 1`
-
-testit "STEP3 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP3 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with kerberos ccache (name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-testit "STEP3 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP3 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-testit "STEP3 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
-testit "STEP3 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-# STEP4:
-# Now we set the UF_SMARTCARD_REQUIRED bit
-# This means we have a normal enabled account *without* a known password
-testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" $PYTHON ${samba_tool} user setpassword $USERNAME --smartcard-required || failed=`expr $failed + 1`
-
-testit_expect_failure "STEP4 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   && failed=`expr $failed + 1`
-testit_expect_failure "STEP4 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
-testit_expect_failure "STEP4 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1`
-
-testit "STEP4 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP4 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP4 Test login with kerberos ccache (name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-testit "STEP4 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP4 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-testit "STEP4 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
-testit "STEP4 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
-
-# STEP5:
-# disable the account
-testit "STEP5 samba-tool user disable $USERNAME" $PYTHON ${samba_tool} user disable $USERNAME || failed=`expr $failed + 1`
-
-testit_expect_failure "STEP5 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   && failed=`expr $failed + 1`
-testit_expect_failure "STEP5 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
-testit_expect_failure "STEP5 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1`
-
-testit_expect_failure "STEP5 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM && failed=`expr $failed + 1`
-testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM && failed=`expr $failed + 1`
-testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise && failed=`expr $failed + 1`
-
-# STEP6:
-# cleanup
-testit "STEP6 samba-tool user delete $USERNAME " $PYTHON ${samba_tool} user delete $USERNAME || failed=`expr $failed + 2`
-
-rm -f $PASSFILE_PATH
-rm -f $KRB5CCNAME_PATH
-exit $failed
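Review bot: this removes the Heimdal-only script wholesale; please make sure the replacement `test_pkinit_simple.sh` keeps the negative cases, in particular the STEP5 disabled-account expectations (password, NTLM and all three PKINIT name forms must fail) and the STEP1 wrong-principal-name checks, since those are what prove the KDC enforces account state rather than merely that PKINIT works. Two defects in the deleted file should not be carried over: `samba4passwd=$BINDIR/samba4kpasswd` never sets the `samba4kpasswd` variable it guards, and the "wrong enterprise name specified 2" line passes `$SERVER$@$REALM`, which is not the principal it means; likewise the `testit_expect_failure ... || failed=` lines count an expected failure as a failure, which the "Fix calculating failed" commit in this series addresses.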
diff --git a/testprogs/blackbox/test_pkinit_pac.sh b/testprogs/blackbox/test_pkinit_pac.sh
new file mode 100755
index 00000000000..8047517fde1
--- /dev/null
+++ b/testprogs/blackbox/test_pkinit_pac.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+# Blackbox tests for pkinit and pac verification
+#
+# Copyright (C) 2006-2008 Stefan Metzmacher
+# Copyright (C) 2022      Andreas Schneider
+
+if [ $# -lt 6 ]; then
+	cat <<EOF
+Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+	exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+shift 6
+failed=0
+
+samba_bindir="$BINDIR"
+
+samba_kinit="$(command -v kinit)"
+if [ -x "${samba_bindir}/samba4kinit" ]; then
+	samba_kinit="${samba_bindir}/samba4kinit"
+fi
+samba_smbtorture="${samba_bindir}/smbtorture --basedir=$SELFTEST_TMPDIR"
+
+. "$(dirname "$0")"/subunit.sh
+. "$(dirname "$0")"/common_test_fns.inc
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+rm -f "${KRB5CCNAME_PATH}"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")"
+
+kbase="$(basename "${samba_kinit}")"
+if [ "${kbase}" = "samba4kinit" ]; then
+	# HEIMDAL
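Review bot: `samba_kinit="$(command -v kinit)"` silently yields an empty string when neither a system kinit nor `samba4kinit` exists, and `kbase` then becomes empty, so the failure surfaces much later as a confusing command-not-found; add an explicit `test -x "${samba_kinit}"` with a clear message before the Heimdal/MIT branch. `samba_smbtorture` embeds `--basedir=$SELFTEST_TMPDIR` unquoted inside a string that will be word-split at the call site, so a tmpdir containing spaces breaks; keep the binary and its options in separate variables or pass the option at the call site.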


-- 
Samba Shared Repository
