[PATCH] Fix regression in samba-tool domain exportkeytab

Ralph Boehme slow at samba.org
Sun Apr 24 06:21:00 UTC 2016


On Mon, Apr 18, 2016 at 11:45:10AM +0200, Ralph Boehme wrote:
> On Sun, Apr 17, 2016 at 07:26:05PM +0200, Ralph Boehme wrote:
> > Hi!
> > 
> > Stumbled across that samba-tool domain exportkeytab --principal
> > doesn't work anymore in master. Turns out that exporting all keys is
> > broken as well, only one enctype per principal is preserved in the
> > keytab.
> 
> after a private conversation with Andreas, we agreed that, while we're
> at it, we should look at smb_krb5_kt_add_entry() and why it deletes
> entries in this case where it's probably supposed to preserve them.
> 
> Also, I'm going to fix the incomplete test for the exportkeytab
> --principal=<SPN> test in testprogs/blackbox/test_export_keytab_mit.sh.

so here's an updated patchset that adds full testing of the exported
keytabs and more.

When working on this I noticed that our KDC doesn't allow AS-REQ with
an SPN. Windows KDCs do allow this, so I bent it to my will. Please
review carefully, the change is too simple, it must be wrong. :)

Summary of changes:

o add a minimalistic ktutil usable in selftest

o check that the keytabs contain all expected enctypes, not just one

o check that exporting SPNs works

o allow AS-REQ with SPN

o check that a kinit with SPN works

Cheerio!
-slow
From 66392b61a9edc6b07e69e65e037e9e8a5e8fb3d4 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 21 Apr 2016 20:54:12 +0200
Subject: [PATCH 1/8] krb5_wrap: add enctype arg to
 smb_krb5_kt_seek_and_delete_old_entries()

Unused in this commit, the next commit will use it to avoid deleting
keys with the same kvno but a different enctype.

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 lib/krb5_wrap/krb5_samba.c       | 2 ++
 lib/krb5_wrap/krb5_samba.h       | 1 +
 source3/libads/kerberos_keytab.c | 1 +
 3 files changed, 4 insertions(+)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 247b83b..ea1f2d1 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1485,6 +1485,7 @@ krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
 krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 							krb5_keytab keytab,
 							krb5_kvno kvno,
+							krb5_enctype enctype,
 							const char *princ_s,
 							krb5_principal princ,
 							bool flush,
@@ -1694,6 +1695,7 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context context,
 	ret = smb_krb5_kt_seek_and_delete_old_entries(context,
 						      keytab,
 						      kvno,
+						      enctype,
 						      princ_s,
 						      princ,
 						      false,
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index f198d72..15da9a1 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -193,6 +193,7 @@ krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
 krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 							krb5_keytab keytab,
 							krb5_kvno kvno,
+							krb5_enctype enctype,
 							const char *princ_s,
 							krb5_principal princ,
 							bool flush,
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 340e552..8a3363c 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -280,6 +280,7 @@ int ads_keytab_flush(ADS_STRUCT *ads)
 	ret = smb_krb5_kt_seek_and_delete_old_entries(context,
 						      keytab,
 						      kvno,
+						      KRB5_ENCTYPE_NULL,
 						      NULL,
 						      NULL,
 						      true,
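Review bot: `KRB5_ENCTYPE_NULL` is passed as the new argument in ads_keytab_flush without any comment saying it is a placeholder, and this commit leaves the parameter unused, so a reader cannot tell whether the flush path is meant to filter by enctype later. Add a comment on the new line, e.g. `KRB5_ENCTYPE_NULL, /* ignored on the flush path; no enctype filtering here */`, so the sentinel is not mistaken for a real enctype when the parameter gains meaning. The call continues past the end of the hunk.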
-- 
2.8.1


From 85d978cf92e34621b80b69733aa14b615505df27 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 21 Apr 2016 20:55:36 +0200
Subject: [PATCH 2/8] krb5_wrap: fix keep_old_entries login in
 smb_krb5_kt_seek_and_delete_old_entries()

This fixes a regression introduced in 5c5d586d3ebd40 at a higher level
in the caller smb_krb5_kt_add_entry(): calling smb_krb5_kt_add_entry
with keep_old_entries=false resulted in only one enctype per principal
being exported.

The function smb_krb5_kt_seek_and_delete_old_entries() is called from
smb_krb5_kt_add_entry() when adding keys to a keytab. When the keytab
contains keys with the same kvno as the key to be added and
keep_old_entries is false, the key is deleted without checking the
encryption type of the key. This means that when adding keys for a
principal only the last enctype will be in the exported keytab.

Fix this by checking the encryption type and only treat a key as "old"
if keytab_key_kvno <= new_key_kvno and keytab_key_enctype ==
new_key_enctype.

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 lib/krb5_wrap/krb5_samba.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index ea1f2d1..d1e60eb 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1519,6 +1519,8 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 	DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
 	while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
 		bool name_ok = false;
+		krb5_enctype kt_entry_enctype =
+			smb_get_enctype_from_kt_entry(&kt_entry);
 
 		if (!flush && (princ_s != NULL)) {
 			ret = smb_krb5_unparse_name(tmp_ctx, context,
@@ -1588,6 +1590,16 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 			continue;
 		}
 
+		if (!flush &&
+		    (kt_entry.vno == kvno) &&
+		    (kt_entry_enctype != enctype))
+		{
+			DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
+				  "enctype [%d] for principal: %s.\n",
+				  kvno, kt_entry_enctype, princ_s));
+			continue;
+		}
+
 		DEBUG(5, (__location__ ": Found old entry for principal: %s "
 			  "(kvno %d) - trying to remove it.\n",
 			  princ_s, kt_entry.vno));
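Review bot: The new guard only preserves entries whose `vno` equals the incoming kvno, while the commit message defines an entry as old when `keytab_key_kvno <= new_key_kvno` and the enctype matches; an entry with a lower kvno but a different enctype still falls through to the removal below, so the message and the condition disagree. If superseding every lower kvno regardless of enctype is intended, a comment above the check would settle it, e.g. `/* same kvno, other enctype: sibling key of the one being added, keep it */`; otherwise the comparison should be reconciled with the message. Note the check also relies on every caller with `flush == false` passing a real enctype, which only smb_krb5_kt_add_entry does today. The enclosing loop continues outside the hunk.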
-- 
2.8.1


From 6b7d16496f90fd806baf74a05813c070eb2602cd Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 17 Apr 2016 16:28:00 +0200
Subject: [PATCH 3/8] s4/libnet: fix exporting to keytab by SPN

Fix a regression introduced by 5c5d586d3ebd40 that broke exporting
service principals by their spn with

  samba-tool exportkeytab --principal=<SPN>.

Iterating with samba_kdc_nextkey() only returns SPN, so this can't
work. If we want to search for a specific SPN, we have to use
samba_kdc_fetch().

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source4/libnet/libnet_export_keytab.c | 39 +++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index ee2c470..8bceecc 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -56,10 +56,27 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
-	for (code = samba_kdc_firstkey(context, db_ctx, &sentry);
-	     code == 0;
-	     code = samba_kdc_nextkey(context, db_ctx, &sentry)) {
-		bool principal_found = false;
+	if (copy_one_principal) {
+		krb5_principal k5_princ;
+
+		code = smb_krb5_parse_name(context, principal, &k5_princ);
+		if (code != 0) {
+			*error_string = smb_get_krb5_error_message(context,
+								   code,
+								   mem_ctx);
+			status = NT_STATUS_UNSUCCESSFUL;
+			goto done;
+		}
+
+		code = samba_kdc_fetch(context, db_ctx, k5_princ,
+				       SDB_F_GET_ANY, 0, &sentry);
+
+		krb5_free_principal(context, k5_princ);
+	} else {
+		code = samba_kdc_firstkey(context, db_ctx, &sentry);
+	}
+
+	for (; code == 0; code = samba_kdc_nextkey(context, db_ctx, &sentry)) {
 		int i;
 
 		code = krb5_unparse_name(context,
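Review bot: When `samba_kdc_fetch()` fails — principal not found or any other error — the loop never runs and the function continues after the hunk with `code` holding that error, so whether a mistyped `--principal` yields an error or a silently empty keytab is now decided by code outside this hunk; please confirm the post-loop handling treats a miss as a failure and add a test for a nonexistent principal. The lookup is also broader than the old exact `strcmp` on the unparsed name: with `SDB_F_GET_ANY` the KDC backend decides what matches, and the exported entry carries whatever name the backend returns rather than the string the operator typed. A comment such as `/* let the KDC backend resolve the name (aliases, case) instead of string matching */` would make that deliberate. sdb_kt_copy continues past both ends of this hunk.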
@@ -73,17 +90,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 			goto done;
 		}
 
-		if (principal != NULL) {
-			int cmp;
-
-			cmp = strcmp(principal, entry_principal);
-			if (cmp == 0) {
-				principal_found = true;
-			}
-		}
-
-		if (sentry.entry.keys.len == 0 ||
-		    (copy_one_principal && !principal_found)) {
+		if (sentry.entry.keys.len == 0) {
 			SAFE_FREE(entry_principal);
 			sdb_free_entry(&sentry);
 			sentry = (struct sdb_entry_ex) {
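Review bot: In the single-principal case the `continue` taken on the `keys.len == 0` path runs the loop increment, which calls `samba_kdc_nextkey()` although `samba_kdc_firstkey()` was never called for this db_ctx; unless the backend tolerates that, it is a call on uninitialised iteration state rather than a clean end of loop. Add `if (copy_one_principal) { break; }` before the `continue` so a keyless single principal leaves the loop explicitly. The rest of the loop body lies outside this hunk.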
@@ -123,7 +130,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 			}
 		}
 
-		if (principal_found) {
+		if (copy_one_principal) {
 			break;
 		}
 
-- 
2.8.1


From fd5ea7030e60b1a1a75d58005581733005e0d9ed Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 22 Apr 2016 22:05:54 +0200
Subject: [PATCH 4/8] s4: add a minimal ktutil for selftest

This minimalistic version of ktutil dumps all principal names and
encryption types from a keytab, eg:

./bin/samba4ktutil test.keytab
ktpassuser at HILLHOUSE.SITE (arcfour-hmac-md5)
ktpassuser at HILLHOUSE.SITE (aes256-cts-hmac-sha1-96)
ktpassuser at HILLHOUSE.SITE (aes128-cts-hmac-sha1-96)
ktpassuser at HILLHOUSE.SITE (des-cbc-md5)
ktpassuser at HILLHOUSE.SITE (des-cbc-crc)

This is all we need to run some tests against keytabs exported with
`samba-tool domain exportkeytab`.

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source4/kdc/ktutil.c      | 122 ++++++++++++++++++++++++++++++++++++++++++++++
 source4/kdc/wscript_build |   5 ++
 2 files changed, 127 insertions(+)
 create mode 100644 source4/kdc/ktutil.c

diff --git a/source4/kdc/ktutil.c b/source4/kdc/ktutil.c
new file mode 100644
index 0000000..bf07a53
--- /dev/null
+++ b/source4/kdc/ktutil.c
@@ -0,0 +1,122 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Minimal ktutil for selftest
+
+   Copyright (C) Ralph Boehme <slow at samba.org> 2016
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "krb5_wrap/krb5_samba.h"
+
+static void smb_krb5_err(TALLOC_CTX *mem_ctx,
+			 krb5_context context,
+			 int exit_code,
+			 krb5_error_code code,
+			 const char *msg)
+{
+	char *krb5_err_str = smb_get_krb5_error_message(context,
+							code,
+							mem_ctx);
+	printf("%s: %s\n", msg, krb5_err_str ? krb5_err_str : "UNKOWN");
+
+	talloc_free(mem_ctx);
+	exit(exit_code);
+}
+
+int main (int argc, char **argv)
+{
+	TALLOC_CTX *mem_ctx = talloc_init("ktutil");
+	krb5_context context;
+	krb5_keytab keytab;
+	krb5_kt_cursor cursor;
+	krb5_keytab_entry entry;
+	krb5_error_code ret;
+	char *keytab_name = NULL;
+
+	if (mem_ctx == NULL) {
+		printf("talloc_init() failed\n");
+		exit(1);
+	}
+
+	if (argc != 2) {
+		printf("Usage: %s KEYTAB\n", argv[0]);
+		exit(1);
+	}
+
+	keytab_name = argv[1];
+
+	initialize_krb5_error_table();
+
+	ret = krb5_init_context(&context);
+	if (ret) {
+		smb_krb5_err(mem_ctx, context, 1, ret, "krb5_context");
+	}
+
+	ret = smb_krb5_open_keytab_relative(context, keytab_name, false, &keytab);
+	if (ret) {
+		smb_krb5_err(mem_ctx, context, 1, ret, "open keytab");
+	}
+
+	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+	if (ret) {
+		smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_start_seq_get");
+	}
+
+	for (ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
+	     ret == 0;
+	     ret = krb5_kt_next_entry(context, keytab, &entry, &cursor))
+	{
+		char *principal = NULL;
+		char *enctype_str = NULL;
+		krb5_enctype enctype = smb_get_enctype_from_kt_entry(&entry);
+
+		ret = smb_krb5_unparse_name(mem_ctx,
+					    context,
+					    entry.principal,
+					    &principal);
+		if (ret) {
+			smb_krb5_err(mem_ctx, context, 1, ret, "krb5_enctype_to_string");
+		}
+
+		ret = smb_krb5_enctype_to_string(context,
+						 enctype,
+						 &enctype_str);
+		if (ret) {
+			smb_krb5_err(mem_ctx, context, 1, ret, "krb5_enctype_to_string");
+		}
+
+		printf("%s (%s)\n", principal, enctype_str);
+
+		TALLOC_FREE(principal);
+		SAFE_FREE(enctype_str);
+		smb_krb5_kt_free_entry(context, &entry);
+	}
+
+	ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+	if (ret) {
+		smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_end_seq_get");
+	}
+
+	ret = krb5_kt_close(context, keytab);
+	if (ret) {
+		smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_close");
+	}
+
+	krb5_free_context(context);
+	talloc_free(mem_ctx);
+	return 0;
+}
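Review bot: If `krb5_init_context()` fails, `smb_krb5_err()` is called with `context` still uninitialised and passes it to `smb_get_krb5_error_message()`, which is undefined behaviour in the one path meant to report that failure. Declare it as `krb5_context context = NULL;` and guard the lookup in the helper with `char *krb5_err_str = context ? smb_get_krb5_error_message(context, code, mem_ctx) : NULL;`. The failure label after `smb_krb5_unparse_name()` is a copy-paste of the following one and should read `"krb5_unparse_name"`, and "UNKOWN" is misspelled. A one-line header comment stating that the tool prints only principal names and enctypes, never key material, would document the property that makes it safe to run against real exported keytabs in selftest output.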
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 3c9c77b..f0662e5 100755
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -122,4 +122,9 @@ bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
                          ''',
                     enabled=(not bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') and bld.CONFIG_SET('HAVE_KDB_H')) )
 
+bld.SAMBA_BINARY('samba4ktutil',
+                 'ktutil.c',
+                 deps='krb5samba',
+                 install=False)
+
 bld.RECURSE('mit-kdb')
-- 
2.8.1


From e7e66916b173285db7eae3a9e583e435e688d58a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 22 Apr 2016 16:38:01 +0200
Subject: [PATCH 5/8] selftest/samba4.blackbox.export.keytab: use spn based on
 fqdn

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 testprogs/blackbox/test_export_keytab_heimdal.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
index 736c7af..3bfd61c 100755
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -23,6 +23,8 @@ samba4bindir="$BINDIR"
 samba_tool="$samba4bindir/samba-tool"
 newuser="$samba_tool user create"
 
+SERVER_FQDN="$SERVER.$(echo $REALM | tr '[:upper:]' '[:lower:]')"
+
 samba4kinit=kinit
 if test -x $BINDIR/samba4kinit; then
 	samba4kinit=$BINDIR/samba4kinit
@@ -53,8 +55,8 @@ testit "create user locally" $VALGRIND $newuser nettestuser $USERPASS $@ || fail
 testit "dump keytab from domain" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
 testit "dump keytab from domain (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
 
-testit "dump keytab from domain for cifs principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER $@ || failed=`expr $failed + 1`
-testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER $@ || failed=`expr $failed + 1`
+testit "dump keytab from domain for cifs principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
+testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
 
 testit "dump keytab from domain for user principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
 testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
-- 
2.8.1


From 2f0e907abd4869fdef3c4a61dc815ca5c2fe4895 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 22 Apr 2016 23:59:12 +0200
Subject: [PATCH 6/8] selftest/samba4.blackbox.export.keytab: check exported
 keytabs

Now that we have a usable ktutil, actually verify that the exported
keytabs contain the keys we expect.

Note that kinit with SPN fails against Heimdal, so this is added to
knownfail. Seems our Heimdal version only allows AS-REQ with UPN, not
SPN.

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 testprogs/blackbox/test_export_keytab_heimdal.sh | 30 ++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
index 3bfd61c..99fd020 100755
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -21,6 +21,7 @@ failed=0
 
 samba4bindir="$BINDIR"
 samba_tool="$samba4bindir/samba-tool"
+samba4ktutil="$BINDIR/samba4ktutil"
 newuser="$samba_tool user create"
 
 SERVER_FQDN="$SERVER.$(echo $REALM | tr '[:upper:]' '[:lower:]')"
@@ -48,18 +49,47 @@ test_smbclient() {
 	return $status
 }
 
+test_keytab() {
+	testname="$1"
+	keytab="$2"
+	principal="$3"
+	expected_nkeys="$4"
+
+	echo "test: $testname"
+
+	NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep "des|aes|arcfour" | wc -l)
+	status=$?
+	if [ x$status != x0 ]; then
+		echo "failure: $testname"
+		return $status
+	fi
+
+	if [ x$NKEYS != x$expected_nkeys ] ; then
+		echo "failure: $testname"
+		return 1
+	fi
+	echo "success: $testname"
+	return 0
+}
+
 USERPASS=testPaSS at 01%
 
 testit "create user locally" $VALGRIND $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1`
 
 testit "dump keytab from domain" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
 testit "dump keytab from domain (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
 
 testit "dump keytab from domain for cifs principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
 testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
 
 testit "dump keytab from domain for user principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
 testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
 
 KRB5CCNAME="$PREFIX/tmpuserccache"
 export KRB5CCNAME
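Review bot: The new `test_keytab` calls are not followed by `|| failed=\`expr $failed + 1\`` like every `testit` line around them, so a keytab with the wrong key set prints "failure:" but the script still exits 0 and the regression this series fixes would not actually fail the run. Inside the function, `status=$?` after the `NKEYS=$(... | wc -l)` assignment is the exit status of `wc`, not of `$samba4ktutil`, so an unreadable keytab is only noticed indirectly as a count mismatch; either check the ktutil exit separately or drop the misleading status check. The expected count of 5 also asserts that both single-DES keys are exported alongside AES and RC4, which pins weak enctypes into the exported-keytab contract — a comment next to the number would make that a conscious choice to revisit when DES is dropped. The commit message mentions a knownfail entry, but the diffstat shows only this script changing, and the cover letter refers to test_export_keytab_mit.sh, which this series does not touch.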
-- 
2.8.1


From 53881ebbc0968e07acef9371772320f2e52522ed Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 24 Apr 2016 07:39:25 +0200
Subject: [PATCH 7/8] s4/heimdal: allow SPNs in AS-REQ

This allows testing keytabs with service tickets. Windows KDCs allow
this as well.

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source4/heimdal/kdc/kerberos5.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 7e7aefd..3762abe 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -762,9 +762,9 @@ kdc_check_flags(krb5_context context,
 	    return KRB5KDC_ERR_POLICY;
 	}
 
-	if(!client->flags.client){
+	if (!is_as_req && !client->flags.client){
 	    kdc_log(context, config, 0,
-		    "Principal may not act as client -- %s", client_name);
+		    "Principal may only act as client in AS-REQ -- %s", client_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 
@@ -1055,7 +1055,7 @@ _kdc_as_rep(krb5_context context,
      */
 
     ret = _kdc_db_fetch(context, config, client_princ,
-			HDB_F_GET_CLIENT | flags, NULL,
+			HDB_F_GET_ANY | flags, NULL,
 			&clientdb, &client);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
 	kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name);
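Review bot: Switching the AS-REQ client lookup from `HDB_F_GET_CLIENT` to `HDB_F_GET_ANY` changes what the backend returns for the client entry, and the line carries no comment saying why; add one, e.g. `/* GET_ANY: allow an SPN (service account) as AS-REQ client, as Windows KDCs do */`, so the next reader does not revert it as a typo. The comment block that precedes this call (its start is outside the hunk) presumably still describes a client-only fetch and should be updated to match. Whether entries reachable only via GET_ANY carry the flags the later `kdc_check_flags()` call expects is decided in the backend, not here, and the test in patch 8 covers the positive path only.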
-- 
2.8.1


From 4e8bf96c11e1b85b0245c18e31d5fcd19871f549 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 24 Apr 2016 07:44:12 +0200
Subject: [PATCH 8/8] selftest/samba4.blackbox.export.keytab: check AS-REQ with
 SPN

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 testprogs/blackbox/test_export_keytab_heimdal.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
index 99fd020..6bc4b1b 100755
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -107,6 +107,10 @@ export KRB5CCNAME
 
 testit "kinit with keytab as $USERNAME" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
 
+KRB5CCNAME="$PREFIX/tmpserverccache"
+export KRB5CCNAME
+testit "kinit with SPN from keytab" $VALGRIND $samba4kinit -k -t $PREFIX/tmpkeytab-server cifs/$SERVER_FQDN || failed=`expr $failed + 1`
+
 testit "del user" $VALGRIND $samba_tool user delete nettestuser -k yes $@ || failed=`expr $failed + 1`
 
 rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-server
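Review bot: The new `tmpserverccache` credential cache is never removed — the `rm -f` at the end of the hunk still lists only the admin and user caches and the three keytabs — so a cache holding a TGT for `cifs/$SERVER_FQDN` is left behind in `$PREFIX` after the run; add `$PREFIX/tmpserverccache` to that `rm -f`. The kinit line uses `-k -t` while the user kinit two lines above uses `--keytab=`; pick one spelling so the script does not depend on both option styles being accepted by whichever kinit `$samba4kinit` resolves to. Because `KRB5CCNAME` is re-exported here, the following "del user" step (`-k yes`) now runs with the service-principal cache instead of the user cache it used before; confirm that is intended.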
-- 
2.8.1


