cli_credentials ccache semantics and test changes

simo idra at samba.org
Wed May 23 19:15:14 MDT 2012


On Thu, 2012-05-24 at 10:55 +1000, Andrew Bartlett wrote: 
> On Wed, 2012-05-23 at 18:47 +0200, Alexander Bokovoy wrote:
> 
> > - Log -----------------------------------------------------------------
> > commit dcfb34fbb4b7484bdaa70fbe9ae9fd84738ab469
> > Author: Alexander Bokovoy <ab at samba.org>
> > Date:   Wed May 23 17:34:24 2012 +0300
> > 
> >     blackbox: fix samba4.blackbox.kinit test
> >     
> >     This deserves some explanation.
> >     
> >     With commit 518232d4578d700f5f5ea1609275a6cd1de3a1e7 samba4.blackbox.kinit test set
> >     was wrapped with password settings reset before and after the tests with an idea to
> >     maintain reliable state for the tests. As a result, the resetting of the password
> >     settings was done after the test that tried to use smbclient with a Kerberos ticket
> >     obtained with machine account credentials.
> >     
> >     However, the code in credentials_krb5.c, function cli_credentials_get_client_gss_creds(),
> >     never worked correctly when credentials were already in ccache. Instead, gensec_gssapi module
> >     always re-kinited even if existing credentials were available in the ccache. This had an effect
> >     on 'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' test equal to
> >     never having initialized ccache at all, as if 'rm -f $KRB5CCNAME' was run before the test.
> >     
> >     When the issue of not using already initialized credentials from ccache was fixed with
> >     d0aae88f1290e6a7a6d4bfc24aa62795e4892a31 'auth-credentials: Support using pre-fetched ccache
> >     when obtaining kerberos credentials' commit, Samba 4 credentials library started to correctly
> >     re-use already obtained credentials from ccaches. This caused failure of the test
> >     'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' because machine account
> >     has no permissions to modify password settings.
> >     
> >     Thus, the correct fix is to reset ccache state before performing the test.
> >     
> >     Autobuild-User: Alexander Bokovoy <ab at samba.org>
> >     Autobuild-Date: Wed May 23 18:46:12 CEST 2012 on sn-devel-104
> 
> Alexander,
> 
> I'm really sorry, but this is not the right way to handle it.  Indeed,
> the need to change this test (which was perfectly correct beforehand)
> shows that the code change was incorrect.  We will need to revert both
> of these, and I need to work with you more closely to sort out a way to
> support your legitimate needs.

Andrew,
please identify what is wrong with the change.

To the best of our knowledge the previous code was simply wrong and the
test depended on wrong behavior.

We did need the change to make things work with credentials obtained
before the samba libraries were called. Without that change we were not
able to reuse a perfectly valid ccache.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>


