[PR PATCH] [Updated] samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA

Alexander Bokovoy ab at samba.org
Thu Jul 19 11:35:42 UTC 2018

On Thu, 19 Jul 2018, Stefan Metzmacher wrote:
> Hi Alexander,
> I've implemented the autodetection of smb1 and smb2 for our dcerpc
> client side.
> Please review patches 1-13 from the attached patchset and push it.
Thanks, they look good to me but python/samba/auth_log.py failed due to
unexpected SMB to SMB2 upgrade. Attached patch should fix a test.

There is also a failure:

ERROR: Testsuite[samba4.rpc.lsa.secrets on ncacn_np with with -k no --option=gensec:spnego=no --option=clientntlmv2auth=yes(nt4_dc)]

> Here's the related pending pipeline:
> https://gitlab.com/samba-team/devel/samba/pipelines/26062213
> >> Can you split the last patch and demonstrate the test passes with
> >> a temporary file in selftest/knownfail.d/ and then gets fixed with the
> >> changes. From reading the test I guess it won't fail as the bug happens
> >> in two places.
> > Thing is, it will not fail for wrong salt too because we are running
> > against the same code that uses the same method to generate salt
> > principal. So before the patch we've got 'EXAMPLE.COMFOO$' as a salt,
> > after the patch we'd get 'EXAMPLE.COMkrbtgtFOO' but in both cases both
> > client and KDC would be operating with the same salt because we retrieve
> > this keytab from the same KDC.
> > 
> > I wonder if we can retrieve it from a different KDC and store under
> > the proper principal but current code for keytab retrieval in libnet
> > doesn't handle that because it has no way to specify a different
> > principal name when writing keys to a keytab (we want to retrieve
> > FOO$@EXAMPLE.COM as EXAMPLE$@FOO.COM and then try to auth against
> > 
> > With my parallel patches (in works) to FreeIPA and SSSD, I get Samba AD
> > DC properly trusted by FreeIPA and FreeIPA properly trusted by Samba AD
> > DC when trust is driven from FreeIPA side. So salt fixes helped, for
> > cases when TDA is used for authentication by both sides. There
> > is a remaining need to fix cross-realm TGT on FreeIPA side to allow
> > FreeIPA -> Samba AD leg to work with cross-realm referral issuance.
> > Samba AD -> FreeIPA leg works already.
> I ported the patch to master (some defines are different...)
> The pipeline with the complete set is:
> https://gitlab.com/samba-team/devel/samba/pipelines/26062727
> In the commit message of patch 14 I added some TODOs:
>     TODO: unit tests: loop over all account types with, loop over names with
>     and without upn, with and without '$'. Use 'eXaMpLe.COM' and similar
>     names to check the correct upper/lower case result.
>     TODO: Also verify this against windows...
>     A test can create objects via ldap and/or lsa (for trusts)
>     then get the object including supplementalCredentials
>     via drsuapi (as admin) and check the stored salt.
>     We should have similar tests already.
> I think we need at least some test that can't fail because
> of a symmetric fix.
> Would you have time to work on such tests?
Unfortunately not until second half of August. If you have time to do it
before that, it would be appreciated.

/ Alexander Bokovoy
-------------- next part --------------
>From 6851263318287680067da001dbed1153c458d35d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Thu, 19 Jul 2018 14:07:39 +0300
Subject: [PATCH] tests/auth_log: Permit SMB2 service description if empty
 binding is used for kerberos authentication

Signed-off-by: Alexander Bokovoy <ab at samba.org>
 python/samba/tests/auth_log.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index cb524d0ed81..42ea699c992 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -28,6 +28,7 @@ from samba.credentials import DONT_USE_KERBEROS, MUST_USE_KERBEROS
 from samba import NTSTATUSError
 from subprocess import call
 from ldb import LdbError
+import re
 class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
@@ -147,7 +148,16 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertEquals("Authorization", msg["type"])
         serviceDescription = "SMB"
         print("binding %s" % binding)
-        if binding == "[smb2]":
+        # Turn "[foo,bar]" into a list ("foo", "bar") to test
+        # lambda x: x removes anything that evaluates to False,
+        # including empty strings, so we handle "" as well
+        binding_list = filter(lambda x: x,
+                              re.compile('[\[,\]]').split(binding))
+        # Handle explicit smb2 or auto upgrade to smb2 in binding
+        if "smb2" in binding_list or
+           "smb1" not in binding_list:
             serviceDescription = "SMB2"
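
Review bot: `binding_list` is built with `filter(...)`, which on Python 3 returns a one-shot iterator, so when the first membership test `"smb2" in binding_list` finds no match it exhausts the iterator and the following `"smb1" not in binding_list` is then always true; a binding of `[smb1]` would be reported as SMB2. Build a real list instead, for example `binding_list = [x for x in re.split(r'[\[,\]]', binding) if x]`, which also makes the pattern a raw string so that `\[` is not treated as an invalid string escape. As shown, the two-line condition `if "smb2" in binding_list or` / `"smb1" not in binding_list:` has neither enclosing parentheses nor a line continuation and would not parse; wrapping it in parentheses fixes that. The comment line ending in "to test" is also left unfinished and should say what is being tested.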
