[PR PATCH] [Updated] samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA
Alexander Bokovoy
ab at samba.org
Thu Jul 19 11:35:42 UTC 2018
On to, 19 heinä 2018, Stefan Metzmacher wrote:
> Hi Alexander,
>
> I've implemented the autodetection of smb1 and smb2 for our dcerpc
> client side.
>
> Please review patches 1-13 from the attached patchset and push it.
Thanks, they look good to me but python/samba/auth_log.py failed due to
unexpected SMB to SMB2 upgrade. Attached patch should fix a test.
There is also a failure:
ERROR: Testsuite[samba4.rpc.lsa.secrets on ncacn_np with with -k no --option=gensec:spnego=no --option=clientntlmv2auth=yes(nt4_dc)]
>
> Here's the related pending pipeline:
> https://gitlab.com/samba-team/devel/samba/pipelines/26062213
>
> >> Can you split the last patch and demonstrate the the test passes with
> >> a temporary file in selftest/knownfail.d/ and then gets fixed with the
> >> changes. From reading the test I guess it won't fail as the bug happens
> >> in two places.
> > Thing is, it will not fail for wrong salt too because we are running
> > against the same code that uses the same method to generate salt
> > principal. So before the patch we've got 'EXAMPLE.COMFOO$' as a salt,
> > after the patch we'd get 'EXAMPLE.COMkrbtgtFOO' but in both cases both
> > client and KDC would be operating with the same salt because we retrieve
> > this keytab from the same KDC.
> >
> > I wonder if we can retrieve it from a different KDC and store under
> > the proper principal but current code for keytab retrieval in libnet
> > doesn't handle that because it has no way to specify a different
> > principal name when writing keys to a keytab (we want to retrieve
> > FOO$@EXAMPLE.COM as EXAMPLE$@FOO.COM and then try to auth against
> > FOO.COM KDC).
> >
> > With my parallel patches (in works) to FreeIPA and SSSD, I get Samba AD
> > DC properly trusted by FreeIPA and FreeIPA properly trusted by Samba AD
> > DC when trust is driven from FreeIPA side. So salt fixes helped, for
> > cases when TDA is used for authentication by both sides. There
> > is a remaining need to fix cross-realm TGT on FreeIPA side to allow
> > FreeIPA -> Samba AD leg to work with cross-realm referral issuance.
> > Samba AD -> FreeIPA leg works already.
>
> I ported the patch to master (some defines are different...)
>
> The pipeline with the complete set is:
> https://gitlab.com/samba-team/devel/samba/pipelines/26062727
>
> In the commit message of path 14 I added some TODOs:
>
> TODO: unit tests: loop over all account types with, loop over names with
> and without upn, with and without '$'. Use 'eXaMpLe.COM' and similar
> names to check the correct upper/lower case result.
>
> TODO: Also verify this against windows...
> A test can create objects via ldap and/or lsa (for trusts)
> then get the object including supplementalCredentials
> via drsuapi (as admin) and check the stored salt.
> We should have similar tests already.
>
> I think we need at least some test that can't fail because
> of a symmetric fix.
>
> Would you have time to work on such tests?
Unfortunately not until second half of August. If you have time to do it
before that, it would be appreciated.
--
/ Alexander Bokovoy
-------------- next part --------------
>From 6851263318287680067da001dbed1153c458d35d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Thu, 19 Jul 2018 14:07:39 +0300
Subject: [PATCH] tests/auth_log: Permit SMB2 service description if empty
binding is used for kerberos authentication
Signed-off-by: Alexander Bokovoy <ab at samba.org>
---
python/samba/tests/auth_log.py | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index cb524d0ed81..42ea699c992 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -28,6 +28,7 @@ from samba.credentials import DONT_USE_KERBEROS, MUST_USE_KERBEROS
from samba import NTSTATUSError
from subprocess import call
from ldb import LdbError
+import re
class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
@@ -147,7 +148,16 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
self.assertEquals("Authorization", msg["type"])
serviceDescription = "SMB"
print("binding %s" % binding)
- if binding == "[smb2]":
+
+ # Turn "[foo,bar]" into a list ("foo", "bar") to test
+ # lambda x: x removes anything that evaluates to False,
+ # including empty strings, so we handle "" as well
+ binding_list = filter(lambda x: x,
+ re.compile('[\[,\]]').split(binding))
+
+ # Handle explicit smb2 or auto upgrade to smb2 in binding
+ if "smb2" in binding_list or
+ "smb1" not in binding_list:
serviceDescription = "SMB2"
self.assertEquals(serviceDescription,
--
2.17.1
More information about the samba-technical
mailing list