[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Jun 4 20:53:01 UTC 2024
The branch, master has been updated
via a54dca4ea54 tests/krb5: Calculate correct gMSA password to fix flapping test
via 9c700f790ba tests/krb5: Reset local database time in a cleaner (and nearly equivalent) fashion
via 5eac95652a8 s4:dsdb: Use talloc_get_type_abort()
via 3256c6bfd6b tests/krb5: Make use of update_password() method
via 38cfdb66231 ldb: Fix typo
via 8989aa47b74 s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
via 9dcc52d2a57 s3:libads: Do not fail if we don't get an IP passed down
via 28aa0b815ba s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
from c005de07aee smbd: list reparse tag in QUERY_DIRECTORY
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a54dca4ea546c596740d1afab70b1cdd25e1721b
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue May 28 16:59:30 2024 +1200
tests/krb5: Calculate correct gMSA password to fix flapping test
If this test happens to be run in the five minute window prior to the
next ten‐hour GKDI interval — about once every one hundred and twenty
runs — the ‘current’ password requested from LDAP will actually be the
future password, which won’t match what’s in the database.
Instead of taking the password from LDAP, calculate it ourselves with
expected_gmsa_password_blob().
[330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local)
UNEXPECTED(failure): samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py", line 1091, in test_retrieving_managed_password_triggers_keys_update
self.assertEqual(creds.get_nt_hash(), nt_hash)
AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14'
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Jun 4 20:52:09 UTC 2024 on atb-devel-224
commit 9c700f790baa5155465cb8e1bcdb4dcbbd28bbfd
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue May 28 16:53:22 2024 +1200
tests/krb5: Reset local database time in a cleaner (and nearly equivalent) fashion
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5eac95652a89b4edb1e82f00c93267172aaeda42
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue May 28 14:24:51 2024 +1200
s4:dsdb: Use talloc_get_type_abort()
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3256c6bfd6b48bf08a8724f5e5bd654b9c5379fb
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon May 27 17:53:17 2024 +1200
tests/krb5: Make use of update_password() method
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 38cfdb662319085569cf4d96bcbceeb74ae1c5f9
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Fri Apr 12 15:10:33 2024 +1200
ldb: Fix typo
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee
Author: Andreas Schneider <asn at samba.org>
Date: Tue May 28 13:54:24 2024 +0200
s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2
Author: Andreas Schneider <asn at samba.org>
Date: Tue May 28 13:53:51 2024 +0200
s3:libads: Do not fail if we don't get an IP passed down
The IP should be optional and we should look it up if not provided.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 28aa0b815baf4668e3df01d52597c40fd430e2fb
Author: Andreas Schneider <asn at samba.org>
Date: Tue May 28 13:51:53 2024 +0200
s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/ldb/common/attrib_handlers.c | 2 +-
python/samba/tests/krb5/gmsa_tests.py | 22 +++++++++++++------
source3/libads/kerberos.c | 32 ++++++++++++++--------------
source3/winbindd/idmap_ad.c | 11 ++++++++--
source4/dsdb/samdb/ldb_modules/operational.c | 2 +-
5 files changed, 42 insertions(+), 27 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c
index 145ff487310..2f0b1bf861f 100644
--- a/lib/ldb/common/attrib_handlers.c
+++ b/lib/ldb/common/attrib_handlers.c
@@ -290,7 +290,7 @@ static int ldb_canonicalise_Boolean(struct ldb_context *ldb, void *mem_ctx,
* field with Boolean syntax, so we might as well have consistent behaviour in
* that case.
*
- * The most probably values are {"FALSE", 5} and {"TRUE", 4}. To save time we
+ * The most probable values are {"FALSE", 5} and {"TRUE", 4}. To save time we
* compare first by length, which makes FALSE > TRUE. This is somewhat
* contrary to convention, but is how Samba has worked forever.
*
diff --git a/python/samba/tests/krb5/gmsa_tests.py b/python/samba/tests/krb5/gmsa_tests.py
index 031e27bb8fe..f27e4235713 100755
--- a/python/samba/tests/krb5/gmsa_tests.py
+++ b/python/samba/tests/krb5/gmsa_tests.py
@@ -1033,8 +1033,7 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
creds = self.gmsa_account(samdb=local_samdb, interval=password_interval)
dn = creds.get_dn()
- current_nt_time = self.current_nt_time(samdb)
- self.set_db_time(local_samdb, current_nt_time)
+ self.set_db_time(local_samdb, None)
# Search the local database for the account’s keys.
res = local_samdb.search(
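Review bot: The call set_db_time(local_samdb, None) gives no hint of what None means, and the commit message calls the change "nearly equivalent" to the old current_nt_time(samdb) value without saying where the two differ. A short comment above the call stating that None resets the local database's time override, and that the time is no longer taken from samdb, would let the next reader judge whether the difference matters for this test.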
@@ -1080,8 +1079,18 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
"supplementalCredentials has not been updated (yet)",
)
+ # Calculate the password with which to authenticate.
+ current_series = self.gmsa_series_for_account(
+ local_samdb, creds, password_interval
+ )
+ managed_pwd = self.expected_gmsa_password_blob(
+ local_samdb,
+ creds,
+ current_series.interval_gkid(0),
+ query_expiration_gkid=current_series.interval_gkid(1),
+ )
+
# Set the new password.
- managed_pwd = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB, managed_password)
self.assertIsNotNone(
managed_pwd.passwords.current, "current password must be present"
)
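Review bot: With managed_pwd now coming from expected_gmsa_password_blob(), the removed ndr_unpack() line was the only visible consumer of managed_password, so the LDAP retrieval appears to remain purely for its side effect of triggering the keys update. Say so in a comment at that retrieval, otherwise it reads as dead code and invites removal. It would also help to note next to query_expiration_gkid why interval_gkid(1) is passed there rather than the current interval.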
@@ -1110,8 +1119,7 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
creds = self.gmsa_account(samdb=local_samdb, interval=password_interval)
dn = creds.get_dn()
- current_nt_time = self.current_nt_time(samdb)
- self.set_db_time(local_samdb, current_nt_time)
+ self.set_db_time(local_samdb, None)
# Search the local database for the account’s keys.
res = local_samdb.search(
@@ -1897,11 +1905,11 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
self.assertEqual(ntstatus.NT_STATUS_LOGON_FAILURE, err.exception.args[0])
# But we can use the previous password to authenticate.
- creds.set_password(password_1)
+ creds.update_password(password_1)
srvsvc.srvsvc(f"ncacn_np:{dc_server}", lp, creds)
# And we can authenticate using the current password.
- creds.set_password(password_2)
+ creds.update_password(password_2)
srvsvc.srvsvc(f"ncacn_np:{dc_server}", lp, creds)
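Review bot: Neither this hunk nor the commit message says why update_password() is preferred over set_password() for password_1 and password_2. State in the commit message what update_password() does differently, so it is clear whether the behaviour of the test changes or this is purely a refactor.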
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 46b224f56c9..72ce5b7bb34 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -445,23 +445,23 @@ static char *get_kdc_ip_string(char *mem_ctx,
char *kdc_str = NULL;
char *canon_sockaddr = NULL;
- SMB_ASSERT(pss != NULL);
-
- canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
- if (canon_sockaddr == NULL) {
- goto out;
- }
+ if (pss != NULL) {
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+ if (canon_sockaddr == NULL) {
+ goto out;
+ }
- kdc_str = talloc_asprintf(frame,
- "\t\tkdc = %s\n",
- canon_sockaddr);
- if (kdc_str == NULL) {
- goto out;
- }
+ kdc_str = talloc_asprintf(frame,
+ "\t\tkdc = %s\n",
+ canon_sockaddr);
+ if (kdc_str == NULL) {
+ goto out;
+ }
- ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
- if (!ok) {
- goto out;
+ ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
+ if (!ok) {
+ goto out;
+ }
}
/*
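Review bot: The pss == NULL path needs a check downstream: canon_sockaddr, kdc_str and sa are now only filled in inside the new if (pss != NULL) block, so everything after it must cope with kdc_str == NULL and an unpopulated sa. Please confirm that the code following this hunk does not append to kdc_str or compare against sa unconditionally, and initialise sa explicitly if it is read later. The function comment should also state that pss is optional.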
@@ -712,7 +712,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
return false;
}
- if (domain == NULL || pss == NULL) {
+ if (domain == NULL) {
return false;
}
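Review bot: Dropping pss == NULL from this check changes the contract of create_local_private_krb5_conf_for_domain() for every caller, yet nothing here documents it. Add a line to the function's comment stating that pss may be NULL and that the KDC address is then looked up for the given realm.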
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index df14ca818dc..00a75a6f3ec 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -298,7 +298,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
struct tldap_context **pld)
{
struct netr_DsRGetDCNameInfo *dcinfo;
- struct sockaddr_storage dcaddr;
+ struct sockaddr_storage dcaddr = {
+ .ss_family = AF_UNSPEC,
+ };
+ struct sockaddr_storage *pdcaddr = NULL;
struct winbindd_domain *creds_domain = NULL;
struct cli_credentials *creds;
struct loadparm_context *lp_ctx;
@@ -365,9 +368,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
* create_local_private_krb5_conf_for_domain() can deal with
* sitename==NULL
*/
+ if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup()))
+ {
+ pdcaddr = &dcaddr;
+ }
ok = create_local_private_krb5_conf_for_domain(
- lp_realm(), lp_workgroup(), sitename, &dcaddr);
+ lp_realm(), lp_workgroup(), sitename, pdcaddr);
TALLOC_FREE(sitename);
if (!ok) {
DBG_DEBUG("Could not create private krb5.conf\n");
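Review bot: The new if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup())) carries the whole fix but has no comment; the comment just above it only covers sitename == NULL. Add a sentence explaining that dcaddr may only be passed when domname is our own realm or workgroup, and that pdcaddr stays NULL for a trusted domain so the KDC is looked up for lp_realm(). On style, the opening brace sits on its own line here, while the other if statements in this patch keep it on the same line as the condition.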
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index f27eedef0d3..eac9182256f 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1580,7 +1580,7 @@ static int operational_callback(struct ldb_request *req, struct ldb_reply *ares)
struct operational_context *ac;
int ret;
- ac = talloc_get_type(req->context, struct operational_context);
+ ac = talloc_get_type_abort(req->context, struct operational_context);
if (!ares) {
return ldb_module_done(ac->req, NULL, NULL,
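Review bot: The commit message gives no reason for switching to talloc_get_type_abort(); the reason is visible two lines below, where ac->req is dereferenced in the !ares branch without a NULL check on ac. One sentence in the commit message saying that a type mismatch now aborts instead of leading to a NULL dereference would make the intent clear.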
--
Samba Shared Repository