SPNEGO failure with spnego:simulate_w2k=yes after MIT patches

Andrew Bartlett abartlet at samba.org
Mon Jun 12 02:15:44 UTC 2017


On Mon, 2017-06-12 at 13:30 +1200, Andrew Bartlett wrote:
> On Sun, 2017-06-11 at 23:20 +0200, Stefan Metzmacher wrote:
> > Hi Andrew,
> > 
> > > > What I don't understand is why this passes as part of a full
> > > > make
> > > > test,
> > > > but fails when only running the test on its own.
> > > > 
> > > > The level 4 logs give this clue:
> > > > 
> > > > kerberos_get_realm_from_hostname VAMPIRE2000DC: failed Cannot
> > > > determine
> > > > realm for host
> > > > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> > > > ldap/VAMPIRE2000DC
> > > > failed (next[ntlmssp]): NT_STATUS_NO_MEMORY
> > 
> > Given the above message the attached patch may fix it...
> > 
> > metze
> 
> Yes, that fixes it.  It is annoying that it only fails during the
> individual test run.  Do you have any ideas on how we could write a
> test to trigger it every time?  Would attempting gensec_gssapi to an
> unqualified hostname be enough?

Specifically, this patch to samba.tests.gensec was not enough to
trigger it in my testing.  Does the environment, such as the krb5.conf,
matter?  (This test executes in ad_dc_ntvfs:local).

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba



-------------- next part --------------
From 81da0df35d976db527acff0639992267f31a7108 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 12 Jun 2017 14:12:53 +1200
Subject: [PATCH] selftest: Add pygensec tests for GSS-SPNEGO and Win2000
 emulated SPNEGO

This is to provide some unit testing coverage for these different modes of operation

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 python/samba/tests/gensec.py | 61 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 55 insertions(+), 6 deletions(-)

diff --git a/python/samba/tests/gensec.py b/python/samba/tests/gensec.py
index 368d406b6e3..fbc7410281b 100644
--- a/python/samba/tests/gensec.py
+++ b/python/samba/tests/gensec.py
@@ -32,6 +32,8 @@ class GensecTests(samba.tests.TestCase):
         self.settings = {}
         self.settings["lp_ctx"] = self.lp_ctx = samba.tests.env_loadparm()
         self.settings["target_hostname"] = self.lp_ctx.get("netbios name")
+        self.lp_ctx.set("spnego:simulate_w2k", "no")
+        
         """This is just for the API tests"""
         self.gensec = gensec.Security.start_client(self.settings)
 
@@ -44,7 +46,7 @@ class GensecTests(samba.tests.TestCase):
     def test_info_uninitialized(self):
         self.assertRaises(RuntimeError, self.gensec.session_info)
 
-    def test_update(self):
+    def _test_update(self, mech):
         """Test GENSEC by doing an exchange with ourselves using GSSAPI against a KDC"""
 
         """Start up a client and server GENSEC instance to test things with"""
@@ -52,7 +54,7 @@ class GensecTests(samba.tests.TestCase):
         self.gensec_client = gensec.Security.start_client(self.settings)
         self.gensec_client.set_credentials(self.get_credentials())
         self.gensec_client.want_feature(gensec.FEATURE_SEAL)
-        self.gensec_client.start_mech_by_sasl_name("GSSAPI")
+        self.gensec_client.start_mech_by_sasl_name(mech)
 
         self.gensec_server = gensec.Security.start_server(settings=self.settings,
                                                           auth_context=auth.AuthContext(lp_ctx=self.lp_ctx))
@@ -62,25 +64,37 @@ class GensecTests(samba.tests.TestCase):
         self.gensec_server.set_credentials(creds)
 
         self.gensec_server.want_feature(gensec.FEATURE_SEAL)
-        self.gensec_server.start_mech_by_sasl_name("GSSAPI")
+        self.gensec_server.start_mech_by_sasl_name(mech)
 
         client_finished = False
         server_finished = False
         server_to_client = b""
+        client_to_server = b""
 
         """Run the actual call loop"""
-        while not client_finished and not server_finished:
+        while True:
             if not client_finished:
                 print("running client gensec_update")
                 (client_finished, client_to_server) = self.gensec_client.update(server_to_client)
             if not server_finished:
                 print("running server gensec_update")
                 (server_finished, server_to_client) = self.gensec_server.update(client_to_server)
+
+            if client_finished and server_finished:
+                break
+            
+        self.assertTrue(server_finished)
+        self.assertTrue(client_finished)
+                
         session_info = self.gensec_server.session_info()
 
         test_bytes = b"Hello Server"
-        test_wrapped = self.gensec_client.wrap(test_bytes)
-        test_unwrapped = self.gensec_server.unwrap(test_wrapped)
+        try:
+            test_wrapped = self.gensec_client.wrap(test_bytes)
+            test_unwrapped = self.gensec_server.unwrap(test_wrapped)
+        except samba.NTSTATUSError as e:
+            self.fail(str(e))
+            
         self.assertEqual(test_bytes, test_unwrapped)
         test_bytes = b"Hello Client"
         test_wrapped = self.gensec_server.wrap(test_bytes)
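Review bot: The rewritten loop at `while True:` has no iteration bound, so a negotiation in which one side never reports finished hangs the test run instead of failing it. The two `assertTrue` calls after the loop cannot fail either, because the only exit is the `break` taken when both flags are already true. Bounding the rounds, for example `for _ in range(MAX_ROUNDS):` with the existing `break` (the constant name is a placeholder), turns a stalled exchange into a failed assertion. Note also that once one side has finished, the other side is called again each round with the token from the previous round, so whether the remaining side finishes depends on how the mechanism treats a repeated token. The method starts above this hunk and continues below it.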
@@ -91,6 +105,41 @@ class GensecTests(samba.tests.TestCase):
         server_session_key = self.gensec_server.session_key()
         self.assertEqual(client_session_key, server_session_key)
 
+    def test_update(self):
+        self._test_update("GSSAPI")
+        
+    def test_update_spnego(self):
+        self._test_update("GSS-SPNEGO")
+        
+    def test_update_w2k_spnego_client(self):
+        self.lp_ctx.set("spnego:simulate_w2k", "yes")
+
+        # Re-start the client with this set
+        self.gensec = gensec.Security.start_client(self.settings)
+
+        # Unset it for the server
+        self.lp_ctx.set("spnego:simulate_w2k", "no")
+
+        self._test_update("GSS-SPNEGO")
+        
+    def test_update_w2k_spnego_server(self):
+        # Re-start the client with this set
+        self.gensec = gensec.Security.start_client(self.settings)
+
+        # Unset it for the server
+        self.lp_ctx.set("spnego:simulate_w2k", "yes")
+
+        self._test_update("GSS-SPNEGO")
+        
+    def test_update_w2k_spnego(self):
+        self.lp_ctx.set("spnego:simulate_w2k", "no")
+
+        # Re-start the client with this set
+        self.gensec = gensec.Security.start_client(self.settings)
+
+        self._test_update("GSS-SPNEGO")
+        
+        
     def test_max_update_size(self):
         """Test GENSEC by doing an exchange with ourselves using GSSAPI against a KDC"""
 
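Review bot: The three w2k tests do not appear to set up the modes their names describe. In `test_update_w2k_spnego_client` the option is put back to "no" before `_test_update` calls `start_client`, and the object restarted while it is "yes" is `self.gensec`, not the `self.gensec_client` used in the exchange; in `test_update_w2k_spnego_server` the option is "yes" before both the client and the server are started, and its comments are copied from the client test; `test_update_w2k_spnego` sets "no", which duplicates `test_update_spnego` and presumably should be `self.lp_ctx.set("spnego:simulate_w2k", "yes")`. Assuming the option is read when each side is started or updated, covering client-only and server-only emulation needs `_test_update` to change the setting between its `start_client` and `start_server` calls, for example through two extra parameters. As written, the client-only emulation is probably reported as covered without being exercised, which would fit the observation in the mail that the patch did not trigger the failure.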
-- 
2.11.0


