|
|
0f6383 |
From 815da6970c8b973c514cc148b2caeca84f604f5c Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Noel Power <noel.power@suse.com>
|
|
|
0f6383 |
Date: Thu, 8 Aug 2019 15:06:28 +0100
|
|
|
0f6383 |
Subject: [PATCH 01/22] s3/libads: clang: Fix Value stored to 'canon_princ' is
|
|
|
0f6383 |
never read
|
|
|
0f6383 |
|
|
|
0f6383 |
Fixes:
|
|
|
0f6383 |
|
|
|
0f6383 |
source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
|
|
|
0f6383 |
canon_princ = me;
|
|
|
0f6383 |
^ ~~
|
|
|
0f6383 |
1 warning generated.
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Noel Power <noel.power@suse.com>
|
|
|
0f6383 |
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
|
0f6383 |
(cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source3/libads/kerberos.c | 3 ++-
|
|
|
0f6383 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
|
|
0f6383 |
index 721c3c2a929..9fbe7dd0f07 100644
|
|
|
0f6383 |
--- a/source3/libads/kerberos.c
|
|
|
0f6383 |
+++ b/source3/libads/kerberos.c
|
|
|
0f6383 |
@@ -189,9 +189,10 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
goto out;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
- canon_princ = me;
|
|
|
0f6383 |
#ifndef SAMBA4_USES_HEIMDAL /* MIT */
|
|
|
0f6383 |
canon_princ = my_creds.client;
|
|
|
0f6383 |
+#else
|
|
|
0f6383 |
+ canon_princ = me;
|
|
|
0f6383 |
#endif /* MIT */
|
|
|
0f6383 |
|
|
|
0f6383 |
if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 9db218df645bd15232b5bda98f51f0ecc05425c9 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Tue, 17 Sep 2019 08:05:09 +0200
|
|
|
0f6383 |
Subject: [PATCH 02/22] s4:auth: use the correct client realm in
|
|
|
0f6383 |
gensec_gssapi_update_internal()
|
|
|
0f6383 |
|
|
|
0f6383 |
The function gensec_gssapi_client_creds() may call kinit and gets
|
|
|
0f6383 |
a TGT for the user. The principal provided by the user may not
|
|
|
0f6383 |
be canonicalized. The user may use 'given.last@example.com'
|
|
|
0f6383 |
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
|
|
|
0f6383 |
|
|
|
0f6383 |
It means we should use client_realm = AD.EXAMPLE.PRIVATE
|
|
|
0f6383 |
instead of client_realm = EXAMPLE.COM
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source4/auth/gensec/gensec_gssapi.c | 6 ++++--
|
|
|
0f6383 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
|
|
|
0f6383 |
index 4577c91c93a..045a0225741 100644
|
|
|
0f6383 |
--- a/source4/auth/gensec/gensec_gssapi.c
|
|
|
0f6383 |
+++ b/source4/auth/gensec/gensec_gssapi.c
|
|
|
0f6383 |
@@ -437,8 +437,6 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
|
|
|
0f6383 |
const char *target_principal = gensec_get_target_principal(gensec_security);
|
|
|
0f6383 |
const char *hostname = gensec_get_target_hostname(gensec_security);
|
|
|
0f6383 |
const char *service = gensec_get_target_service(gensec_security);
|
|
|
0f6383 |
- const char *client_realm = cli_credentials_get_realm(cli_creds);
|
|
|
0f6383 |
- const char *server_realm = NULL;
|
|
|
0f6383 |
gss_OID gss_oid_p = NULL;
|
|
|
0f6383 |
OM_uint32 time_req = 0;
|
|
|
0f6383 |
OM_uint32 time_rec = 0;
|
|
|
0f6383 |
@@ -457,6 +455,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
|
|
|
0f6383 |
switch (gensec_security->gensec_role) {
|
|
|
0f6383 |
case GENSEC_CLIENT:
|
|
|
0f6383 |
{
|
|
|
0f6383 |
+ const char *client_realm = NULL;
|
|
|
0f6383 |
#ifdef SAMBA4_USES_HEIMDAL
|
|
|
0f6383 |
struct gsskrb5_send_to_kdc send_to_kdc;
|
|
|
0f6383 |
krb5_error_code ret;
|
|
|
0f6383 |
@@ -532,6 +531,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
|
|
|
0f6383 |
* transitive forest trusts, would have to do the
|
|
|
0f6383 |
* fallback ourself.
|
|
|
0f6383 |
*/
|
|
|
0f6383 |
+ client_realm = cli_credentials_get_realm(cli_creds);
|
|
|
0f6383 |
#ifndef SAMBA4_USES_HEIMDAL
|
|
|
0f6383 |
if (gensec_gssapi_state->server_name == NULL) {
|
|
|
0f6383 |
nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
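Review bot: The new assignment `client_realm = cli_credentials_get_realm(cli_creds);` is inserted between the comment block ending at `*/` and the `#ifndef SAMBA4_USES_HEIMDAL` code that comment describes, so the comment now reads as if it explains the realm lookup rather than the server-principal fallback below it. Either move the line above the comment block or give it its own why-comment, e.g. `/* read the realm only now: the kinit earlier in this function may have canonicalized it (bug 14124) */` — the kinit call itself is outside this hunk, so that wording follows the commit message rather than visible code. gensec_gssapi_update_internal() starts and ends outside the hunk.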
|
|
|
0f6383 |
@@ -575,6 +575,8 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
|
|
|
0f6383 |
}
|
|
|
0f6383 |
#endif /* !SAMBA4_USES_HEIMDAL */
|
|
|
0f6383 |
if (gensec_gssapi_state->server_name == NULL) {
|
|
|
0f6383 |
+ const char *server_realm = NULL;
|
|
|
0f6383 |
+
|
|
|
0f6383 |
server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
|
|
|
0f6383 |
hostname,
|
|
|
0f6383 |
client_realm);
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 7e70ce1c6a6bb4041dbad54628d4f93caff771d4 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Mon, 16 Sep 2019 17:14:11 +0200
|
|
|
0f6383 |
Subject: [PATCH 03/22] s3:libads: let kerberos_kinit_password_ext() return the
|
|
|
0f6383 |
canonicalized principal/realm
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source3/libads/authdata.c | 1 +
|
|
|
0f6383 |
source3/libads/kerberos.c | 46 ++++++++++++++++++++++----
|
|
|
0f6383 |
source3/libads/kerberos_proto.h | 5 ++-
|
|
|
0f6383 |
source3/libads/kerberos_util.c | 3 +-
|
|
|
0f6383 |
source3/utils/net_ads.c | 3 ++
|
|
|
0f6383 |
source3/winbindd/winbindd_cred_cache.c | 6 ++++
|
|
|
0f6383 |
6 files changed, 56 insertions(+), 8 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
|
|
|
0f6383 |
index 86a1be71bf9..6e6d5b397ff 100644
|
|
|
0f6383 |
--- a/source3/libads/authdata.c
|
|
|
0f6383 |
+++ b/source3/libads/authdata.c
|
|
|
0f6383 |
@@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
|
|
0f6383 |
request_pac,
|
|
|
0f6383 |
add_netbios_addr,
|
|
|
0f6383 |
renewable_time,
|
|
|
0f6383 |
+ NULL, NULL, NULL,
|
|
|
0f6383 |
&status);
|
|
|
0f6383 |
if (ret) {
|
|
|
0f6383 |
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
|
|
|
0f6383 |
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
|
|
0f6383 |
index 9fbe7dd0f07..3e09d70268f 100644
|
|
|
0f6383 |
--- a/source3/libads/kerberos.c
|
|
|
0f6383 |
+++ b/source3/libads/kerberos.c
|
|
|
0f6383 |
@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data,
|
|
|
0f6383 |
place in default cache location.
|
|
|
0f6383 |
remus@snapserver.com
|
|
|
0f6383 |
*/
|
|
|
0f6383 |
-int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
+int kerberos_kinit_password_ext(const char *given_principal,
|
|
|
0f6383 |
const char *password,
|
|
|
0f6383 |
int time_offset,
|
|
|
0f6383 |
time_t *expire_time,
|
|
|
0f6383 |
@@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
bool request_pac,
|
|
|
0f6383 |
bool add_netbios_addr,
|
|
|
0f6383 |
time_t renewable_time,
|
|
|
0f6383 |
+ TALLOC_CTX *mem_ctx,
|
|
|
0f6383 |
+ char **_canon_principal,
|
|
|
0f6383 |
+ char **_canon_realm,
|
|
|
0f6383 |
NTSTATUS *ntstatus)
|
|
|
0f6383 |
{
|
|
|
0f6383 |
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
|
0f6383 |
krb5_context ctx = NULL;
|
|
|
0f6383 |
krb5_error_code code = 0;
|
|
|
0f6383 |
krb5_ccache cc = NULL;
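Review bot: The three new parameters `mem_ctx`, `_canon_principal` and `_canon_realm` are undocumented: the comment block above the definition (ending `remus@snapserver.com */`) and the prototype in kerberos_proto.h (hunks ending at L1359) still describe the old signature. Document that both out-pointers are optional, that they are only written when the function returns 0, and that the strings handed back are talloc'd onto `mem_ctx`, which the caller therefore owns and must supply when it asks for either result; every caller updated in this commit passes NULL for all three, so the only caller that exercises the contract is the cliconnect.c change later in this series. kerberos_kinit_password_ext() continues past the end of the hunk.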
|
|
|
0f6383 |
@@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
krb5_creds my_creds;
|
|
|
0f6383 |
krb5_get_init_creds_opt *opt = NULL;
|
|
|
0f6383 |
smb_krb5_addresses *addr = NULL;
|
|
|
0f6383 |
+ char *canon_principal = NULL;
|
|
|
0f6383 |
+ char *canon_realm = NULL;
|
|
|
0f6383 |
|
|
|
0f6383 |
ZERO_STRUCT(my_creds);
|
|
|
0f6383 |
|
|
|
0f6383 |
@@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
if (code != 0) {
|
|
|
0f6383 |
DBG_ERR("kerberos init context failed (%s)\n",
|
|
|
0f6383 |
error_message(code));
|
|
|
0f6383 |
+ TALLOC_FREE(frame);
|
|
|
0f6383 |
return code;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
@@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
- DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
|
|
|
0f6383 |
- principal,
|
|
|
0f6383 |
- cache_name ? cache_name: krb5_cc_default_name(ctx),
|
|
|
0f6383 |
- getenv("KRB5_CONFIG")));
|
|
|
0f6383 |
+ DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
|
|
|
0f6383 |
+ given_principal,
|
|
|
0f6383 |
+ cache_name ? cache_name: krb5_cc_default_name(ctx),
|
|
|
0f6383 |
+ getenv("KRB5_CONFIG"));
|
|
|
0f6383 |
|
|
|
0f6383 |
if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
|
|
|
0f6383 |
goto out;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
- if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
|
|
|
0f6383 |
+ if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) {
|
|
|
0f6383 |
goto out;
|
|
|
0f6383 |
}
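Review bot: The rewritten `DBG_DEBUG(...)` still hands `getenv("KRB5_CONFIG")` straight to a `%s` conversion; when the variable is unset that is a NULL pointer argument for `%s`, which is undefined behaviour in C even though glibc happens to print `(null)`. Since the line is being rewritten anyway, guard it: `const char *krb5_config = getenv("KRB5_CONFIG");` and pass `krb5_config != NULL ? krb5_config : "<unset>"` as the last argument. The same pattern existed in the removed DEBUG() call, so this is carried over rather than introduced, but the new line is the natural place to fix it.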
|
|
|
0f6383 |
|
|
|
0f6383 |
@@ -195,6 +202,22 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
canon_princ = me;
|
|
|
0f6383 |
#endif /* MIT */
|
|
|
0f6383 |
|
|
|
0f6383 |
+ code = smb_krb5_unparse_name(frame,
|
|
|
0f6383 |
+ ctx,
|
|
|
0f6383 |
+ canon_princ,
|
|
|
0f6383 |
+ &canon_principal);
|
|
|
0f6383 |
+ if (code != 0) {
|
|
|
0f6383 |
+ goto out;
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal);
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ);
|
|
|
0f6383 |
+ if (canon_realm == NULL) {
|
|
|
0f6383 |
+ code = ENOMEM;
|
|
|
0f6383 |
+ goto out;
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
+
|
|
|
0f6383 |
if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
|
|
|
0f6383 |
goto out;
|
|
|
0f6383 |
}
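Review bot: `canon_realm == NULL` is reported as `ENOMEM`, but nothing in the hunk shows that smb_krb5_principal_get_realm() returns NULL only on allocation failure; if it can also return NULL for a principal without a realm component, callers (and the NTSTATUS mapping at `out:`) would see a misleading out-of-memory error. If the helper's contract is allocation-only, a comment saying so saves the next reader the same question, e.g. `/* NULL only on allocation failure */`; otherwise a distinct krb5 error code would be clearer. On the positive side both `goto out` paths run before `krb5_cc_initialize`, so a failure here leaves no half-written credential cache behind.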
|
|
|
0f6383 |
@@ -210,6 +233,13 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
if (renew_till_time) {
|
|
|
0f6383 |
*renew_till_time = (time_t) my_creds.times.renew_till;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ if (_canon_principal != NULL) {
|
|
|
0f6383 |
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
+ if (_canon_realm != NULL) {
|
|
|
0f6383 |
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
out:
|
|
|
0f6383 |
if (ntstatus) {
|
|
|
0f6383 |
/* fast path */
|
|
|
0f6383 |
@@ -239,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
if (ctx) {
|
|
|
0f6383 |
krb5_free_context(ctx);
|
|
|
0f6383 |
}
|
|
|
0f6383 |
+ TALLOC_FREE(frame);
|
|
|
0f6383 |
return code;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
@@ -328,6 +359,9 @@ int kerberos_kinit_password(const char *principal,
|
|
|
0f6383 |
False,
|
|
|
0f6383 |
False,
|
|
|
0f6383 |
0,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
NULL);
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
|
|
|
0f6383 |
index f92cabd757e..433bce9e0ec 100644
|
|
|
0f6383 |
--- a/source3/libads/kerberos_proto.h
|
|
|
0f6383 |
+++ b/source3/libads/kerberos_proto.h
|
|
|
0f6383 |
@@ -45,7 +45,7 @@ struct PAC_DATA_CTR {
|
|
|
0f6383 |
|
|
|
0f6383 |
/* The following definitions come from libads/kerberos.c */
|
|
|
0f6383 |
|
|
|
0f6383 |
-int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
+int kerberos_kinit_password_ext(const char *given_principal,
|
|
|
0f6383 |
const char *password,
|
|
|
0f6383 |
int time_offset,
|
|
|
0f6383 |
time_t *expire_time,
|
|
|
0f6383 |
@@ -54,6 +54,9 @@ int kerberos_kinit_password_ext(const char *principal,
|
|
|
0f6383 |
bool request_pac,
|
|
|
0f6383 |
bool add_netbios_addr,
|
|
|
0f6383 |
time_t renewable_time,
|
|
|
0f6383 |
+ TALLOC_CTX *mem_ctx,
|
|
|
0f6383 |
+ char **_canon_principal,
|
|
|
0f6383 |
+ char **_canon_realm,
|
|
|
0f6383 |
NTSTATUS *ntstatus);
|
|
|
0f6383 |
int ads_kdestroy(const char *cc_name);
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c
|
|
|
0f6383 |
index 68c0f302239..bfe53820aff 100644
|
|
|
0f6383 |
--- a/source3/libads/kerberos_util.c
|
|
|
0f6383 |
+++ b/source3/libads/kerberos_util.c
|
|
|
0f6383 |
@@ -66,7 +66,8 @@ int ads_kinit_password(ADS_STRUCT *ads)
|
|
|
0f6383 |
ads->auth.time_offset,
|
|
|
0f6383 |
&ads->auth.tgt_expire, NULL,
|
|
|
0f6383 |
ads->auth.ccache_name, false, false,
|
|
|
0f6383 |
- ads->auth.renewable, NULL);
|
|
|
0f6383 |
+ ads->auth.renewable,
|
|
|
0f6383 |
+ NULL, NULL, NULL, NULL);
|
|
|
0f6383 |
|
|
|
0f6383 |
if (ret) {
|
|
|
0f6383 |
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
|
|
|
0f6383 |
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
|
|
0f6383 |
index 1f055507ad7..d33031a0dbd 100644
|
|
|
0f6383 |
--- a/source3/utils/net_ads.c
|
|
|
0f6383 |
+++ b/source3/utils/net_ads.c
|
|
|
0f6383 |
@@ -3352,6 +3352,9 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
|
|
|
0f6383 |
true,
|
|
|
0f6383 |
true,
|
|
|
0f6383 |
2592000, /* one month */
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
&status);
|
|
|
0f6383 |
if (ret) {
|
|
|
0f6383 |
d_printf(_("failed to kinit password: %s\n"),
|
|
|
0f6383 |
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
|
|
|
0f6383 |
index 85ad426446a..5baecf906b9 100644
|
|
|
0f6383 |
--- a/source3/winbindd/winbindd_cred_cache.c
|
|
|
0f6383 |
+++ b/source3/winbindd/winbindd_cred_cache.c
|
|
|
0f6383 |
@@ -146,6 +146,9 @@ rekinit:
|
|
|
0f6383 |
False, /* no PAC required anymore */
|
|
|
0f6383 |
True,
|
|
|
0f6383 |
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
NULL);
|
|
|
0f6383 |
gain_root_privilege();
|
|
|
0f6383 |
|
|
|
0f6383 |
@@ -343,6 +346,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
|
|
|
0f6383 |
False, /* no PAC required anymore */
|
|
|
0f6383 |
True,
|
|
|
0f6383 |
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
NULL);
|
|
|
0f6383 |
gain_root_privilege();
|
|
|
0f6383 |
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 0455607124f93b72c1233d451efefbc0c445017e Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Tue, 17 Sep 2019 10:08:10 +0200
|
|
|
0f6383 |
Subject: [PATCH 04/22] s3:libsmb: avoid wrong debug message in
|
|
|
0f6383 |
cli_session_creds_prepare_krb5()
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 361fb0efabfb189526c851107eee49161da2293c)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source3/libsmb/cliconnect.c | 2 ++
|
|
|
0f6383 |
1 file changed, 2 insertions(+)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
|
0f6383 |
index c416d10fa24..28f5fde0757 100644
|
|
|
0f6383 |
--- a/source3/libsmb/cliconnect.c
|
|
|
0f6383 |
+++ b/source3/libsmb/cliconnect.c
|
|
|
0f6383 |
@@ -375,6 +375,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
|
0f6383 |
/*
|
|
|
0f6383 |
* Ignore the error and hope that NTLM will work
|
|
|
0f6383 |
*/
|
|
|
0f6383 |
+ TALLOC_FREE(frame);
|
|
|
0f6383 |
+ return NT_STATUS_OK;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
DBG_DEBUG("Successfully authenticated as %s to access %s using "
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 68c4e372ef66fda975c4db7eb4fd283bfe4218a7 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Tue, 17 Sep 2019 08:49:13 +0200
|
|
|
0f6383 |
Subject: [PATCH 05/22] s3:libsmb: let cli_session_creds_prepare_krb5() update
|
|
|
0f6383 |
the canonicalized principal to cli_credentials
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source3/libsmb/cliconnect.c | 39 ++++++++++++++++++++++++++++++++-----
|
|
|
0f6383 |
1 file changed, 34 insertions(+), 5 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
|
0f6383 |
index 28f5fde0757..ca6882c225e 100644
|
|
|
0f6383 |
--- a/source3/libsmb/cliconnect.c
|
|
|
0f6383 |
+++ b/source3/libsmb/cliconnect.c
|
|
|
0f6383 |
@@ -229,6 +229,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
|
0f6383 |
const char *user_account = NULL;
|
|
|
0f6383 |
const char *user_domain = NULL;
|
|
|
0f6383 |
const char *pass = NULL;
|
|
|
0f6383 |
+ char *canon_principal = NULL;
|
|
|
0f6383 |
+ char *canon_realm = NULL;
|
|
|
0f6383 |
const char *target_hostname = NULL;
|
|
|
0f6383 |
const DATA_BLOB *server_blob = NULL;
|
|
|
0f6383 |
bool got_kerberos_mechanism = false;
|
|
|
0f6383 |
@@ -237,6 +239,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
|
0f6383 |
bool need_kinit = false;
|
|
|
0f6383 |
bool auth_requested = true;
|
|
|
0f6383 |
int ret;
|
|
|
0f6383 |
+ bool ok;
|
|
|
0f6383 |
|
|
|
0f6383 |
target_hostname = smbXcli_conn_remote_name(cli->conn);
|
|
|
0f6383 |
server_blob = smbXcli_conn_server_gss_blob(cli->conn);
|
|
|
0f6383 |
@@ -245,7 +248,6 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
|
0f6383 |
if (server_blob != NULL && server_blob->length != 0) {
|
|
|
0f6383 |
char *OIDs[ASN1_MAX_OIDS] = { NULL, };
|
|
|
0f6383 |
size_t i;
|
|
|
0f6383 |
- bool ok;
|
|
|
0f6383 |
|
|
|
0f6383 |
/*
|
|
|
0f6383 |
* The server sent us the first part of the SPNEGO exchange in the
|
|
|
0f6383 |
@@ -354,9 +356,19 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
|
0f6383 |
* only if required!
|
|
|
0f6383 |
*/
|
|
|
0f6383 |
setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1);
|
|
|
0f6383 |
- ret = kerberos_kinit_password(user_principal, pass,
|
|
|
0f6383 |
- 0 /* no time correction for now */,
|
|
|
0f6383 |
- NULL);
|
|
|
0f6383 |
+ ret = kerberos_kinit_password_ext(user_principal,
|
|
|
0f6383 |
+ pass,
|
|
|
0f6383 |
+ 0,
|
|
|
0f6383 |
+ 0,
|
|
|
0f6383 |
+ 0,
|
|
|
0f6383 |
+ NULL,
|
|
|
0f6383 |
+ false,
|
|
|
0f6383 |
+ false,
|
|
|
0f6383 |
+ 0,
|
|
|
0f6383 |
+ frame,
|
|
|
0f6383 |
+ &canon_principal,
|
|
|
0f6383 |
+ &canon_realm,
|
|
|
0f6383 |
+ NULL);
|
|
|
0f6383 |
if (ret != 0) {
|
|
|
0f6383 |
int dbglvl = DBGLVL_NOTICE;
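Review bot: The new call passes `0, 0, 0, NULL, false, false, 0` as seven bare positional arguments, and the `/* no time correction for now */` comment the old kerberos_kinit_password() call carried was dropped; the fourth parameter is `time_t *expire_time` per the prototype elsewhere in this series (the fifth's declaration falls outside the visible hunks but the sixth, `NULL`, suggests it is a pointer too), so `NULL` rather than `0` is the idiomatic spelling there. Annotate each literal with the parameter it fills, e.g. `0, /* time_offset: no time correction for now */`, `NULL, /* expire_time */`, `NULL, /* renew_till_time */`, and the same for the two `false` flags. cli_session_creds_prepare_krb5() starts and ends outside the hunk.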
|
|
|
0f6383 |
|
|
|
0f6383 |
@@ -379,9 +391,26 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
|
0f6383 |
return NT_STATUS_OK;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
- DBG_DEBUG("Successfully authenticated as %s to access %s using "
|
|
|
0f6383 |
+ ok = cli_credentials_set_principal(creds,
|
|
|
0f6383 |
+ canon_principal,
|
|
|
0f6383 |
+ CRED_SPECIFIED);
|
|
|
0f6383 |
+ if (!ok) {
|
|
|
0f6383 |
+ TALLOC_FREE(frame);
|
|
|
0f6383 |
+ return NT_STATUS_NO_MEMORY;
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ ok = cli_credentials_set_realm(creds,
|
|
|
0f6383 |
+ canon_realm,
|
|
|
0f6383 |
+ CRED_SPECIFIED);
|
|
|
0f6383 |
+ if (!ok) {
|
|
|
0f6383 |
+ TALLOC_FREE(frame);
|
|
|
0f6383 |
+ return NT_STATUS_NO_MEMORY;
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ DBG_DEBUG("Successfully authenticated as %s (%s) to access %s using "
|
|
|
0f6383 |
"Kerberos\n",
|
|
|
0f6383 |
user_principal,
|
|
|
0f6383 |
+ canon_principal,
|
|
|
0f6383 |
target_hostname);
|
|
|
0f6383 |
|
|
|
0f6383 |
TALLOC_FREE(frame);
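Review bot: The two `cli_credentials_set_*` calls overwrite the principal and realm the caller configured without a comment saying why, and if the second one fails `creds` is returned half-updated (canonical principal, original realm) alongside NT_STATUS_NO_MEMORY. A why-comment would make the overwrite deliberate, e.g. `/* kinit may have canonicalized the name (UPN suffix, enterprise principal); store what the KDC issued so later steps use the matching realm */`, and the function's contract should state that on failure `creds` must not be reused — or the two strings could be set only after both have been validated as non-NULL. The function's beginning is outside the hunk.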
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 38fd2f1fe94b63242296b2b1ce0a49065969a820 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Fri, 13 Sep 2019 16:04:30 +0200
|
|
|
0f6383 |
Subject: [PATCH 06/22] s3:libads/kerberos: always use the canonicalized
|
|
|
0f6383 |
principal after kinit
|
|
|
0f6383 |
|
|
|
0f6383 |
We should always use krb5_get_init_creds_opt_set_canonicalize()
|
|
|
0f6383 |
and krb5_get_init_creds_opt_set_win2k() for heimdal
|
|
|
0f6383 |
and expect the client principal to be changed.
|
|
|
0f6383 |
|
|
|
0f6383 |
There's no reason to have a different logic between MIT and Heimdal.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 0bced73bed481a8846a6b3e68be85941914390ba)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source3/libads/kerberos.c | 9 ++++-----
|
|
|
0f6383 |
1 file changed, 4 insertions(+), 5 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
|
|
0f6383 |
index 3e09d70268f..559ec3b7f53 100644
|
|
|
0f6383 |
--- a/source3/libads/kerberos.c
|
|
|
0f6383 |
+++ b/source3/libads/kerberos.c
|
|
|
0f6383 |
@@ -167,7 +167,10 @@ int kerberos_kinit_password_ext(const char *given_principal,
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_forwardable(opt, True);
|
|
|
0f6383 |
|
|
|
0f6383 |
/* Turn on canonicalization for lower case realm support */
|
|
|
0f6383 |
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
|
|
|
0f6383 |
+#ifdef SAMBA4_USES_HEIMDAL
|
|
|
0f6383 |
+ krb5_get_init_creds_opt_set_win2k(ctx, opt, true);
|
|
|
0f6383 |
+ krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);
|
|
|
0f6383 |
+#else /* MIT */
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_canonicalize(opt, true);
|
|
|
0f6383 |
#endif /* MIT */
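Review bot: The `#ifdef SAMBA4_USES_HEIMDAL` / `#else` pair calling krb5_get_init_creds_opt_set_win2k() and krb5_get_init_creds_opt_set_canonicalize() here is repeated verbatim in kerberos_util.c (hunk ending at L2914) and krb5_setpw.c (hunk ending at L3102); a single helper in krb5_wrap that hides the differing Heimdal/MIT signatures would keep the three sites from drifting apart again, which is exactly what this series is cleaning up. The surviving comment `/* Turn on canonicalization for lower case realm support */` also undersells the new intent: per the commit message the KDC is now expected to rewrite the client principal, so something like `/* Ask the KDC to canonicalize the client principal and accept the rewritten name (win2k mode on Heimdal) */` fits better. kerberos_kinit_password_ext() starts and ends outside the hunk.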
|
|
|
0f6383 |
#if 0
|
|
|
0f6383 |
@@ -196,11 +199,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
|
|
|
0f6383 |
goto out;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
|
|
|
0f6383 |
canon_princ = my_creds.client;
|
|
|
0f6383 |
-#else
|
|
|
0f6383 |
- canon_princ = me;
|
|
|
0f6383 |
-#endif /* MIT */
|
|
|
0f6383 |
|
|
|
0f6383 |
code = smb_krb5_unparse_name(frame,
|
|
|
0f6383 |
ctx,
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 6e1a52f6f48ca6624c8988a03ecfe5a3327c537e Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Fri, 13 Sep 2019 16:04:30 +0200
|
|
|
0f6383 |
Subject: [PATCH 07/22] krb5_wrap: smb_krb5_kinit_password_ccache() should
|
|
|
0f6383 |
always use the canonicalized principal
|
|
|
0f6383 |
|
|
|
0f6383 |
We should always use krb5_get_init_creds_opt_set_canonicalize()
|
|
|
0f6383 |
and krb5_get_init_creds_opt_set_win2k() for heimdal
|
|
|
0f6383 |
and expect the client principal to be changed.
|
|
|
0f6383 |
|
|
|
0f6383 |
There's no reason to have a different logic between MIT and Heimdal.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
lib/krb5_wrap/krb5_samba.c | 2 --
|
|
|
0f6383 |
1 file changed, 2 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
index f0dc86b1859..a63159812e1 100644
|
|
|
0f6383 |
--- a/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
+++ b/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
@@ -2111,14 +2111,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
|
|
|
0f6383 |
return code;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
|
|
|
0f6383 |
/*
|
|
|
0f6383 |
* We need to store the principal as returned from the KDC to the
|
|
|
0f6383 |
* credentials cache. If we don't do that the KRB5 library is not
|
|
|
0f6383 |
* able to find the tickets it is looking for
|
|
|
0f6383 |
*/
|
|
|
0f6383 |
principal = my_creds.client;
|
|
|
0f6383 |
-#endif
|
|
|
0f6383 |
code = krb5_cc_initialize(ctx, cc, principal);
|
|
|
0f6383 |
if (code) {
|
|
|
0f6383 |
goto done;
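Review bot: `principal = my_creds.client;` now runs on Heimdal builds as well, so from this point `principal` aliases memory owned by `my_creds`; whether that is safe depends on the cleanup at `done:`, which is outside the hunk — if `principal` was a locally parsed name freed there, the alias is freed twice once the creds are released, and if it is the caller's parameter the reassignment is harmless but worth stating. Extend the existing comment with `/* principal now points into my_creds; do not free it separately */` so the ownership change is explicit. smb_krb5_kinit_password_ccache() starts and ends outside the hunk.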
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From b19c14b730b470f969ccb2e2a64f57dc3ece46de Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Fri, 13 Sep 2019 16:04:30 +0200
|
|
|
0f6383 |
Subject: [PATCH 08/22] s4:auth: kinit_to_ccache() should always use the
|
|
|
0f6383 |
canonicalized principal
|
|
|
0f6383 |
|
|
|
0f6383 |
We should always use krb5_get_init_creds_opt_set_canonicalize()
|
|
|
0f6383 |
and krb5_get_init_creds_opt_set_win2k() for heimdal
|
|
|
0f6383 |
and expect the client principal to be changed.
|
|
|
0f6383 |
|
|
|
0f6383 |
There's no reason to have a different logic between MIT and Heimdal.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 162b4199493c1f179e775a325a19ae7a136c418b)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source4/auth/kerberos/kerberos_util.c | 2 ++
|
|
|
0f6383 |
1 file changed, 2 insertions(+)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
|
|
|
0f6383 |
index 50bf8feec96..950d91f1737 100644
|
|
|
0f6383 |
--- a/source4/auth/kerberos/kerberos_util.c
|
|
|
0f6383 |
+++ b/source4/auth/kerberos/kerberos_util.c
|
|
|
0f6383 |
@@ -313,6 +313,8 @@ done:
|
|
|
0f6383 |
*/
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context,
|
|
|
0f6383 |
krb_options, true);
|
|
|
0f6383 |
+ krb5_get_init_creds_opt_set_canonicalize(smb_krb5_context->krb5_context,
|
|
|
0f6383 |
+ krb_options, true);
|
|
|
0f6383 |
#else /* MIT */
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_canonicalize(krb_options, true);
|
|
|
0f6383 |
#endif
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 1cf9d944d7dd15d8c3c796f071f82d8ffff7095e Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Fri, 13 Sep 2019 16:04:30 +0200
|
|
|
0f6383 |
Subject: [PATCH 09/22] s3:libads: ads_krb5_chg_password() should always use
|
|
|
0f6383 |
the canonicalized principal
|
|
|
0f6383 |
|
|
|
0f6383 |
We should always use krb5_get_init_creds_opt_set_canonicalize()
|
|
|
0f6383 |
and krb5_get_init_creds_opt_set_win2k() for heimdal
|
|
|
0f6383 |
and expect the client principal to be changed.
|
|
|
0f6383 |
|
|
|
0f6383 |
There's no reason to have a different logic between MIT and Heimdal.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 303b7e59a286896888ee2473995fc50bb2b5ce5e)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source3/libads/krb5_setpw.c | 6 ++++++
|
|
|
0f6383 |
1 file changed, 6 insertions(+)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
|
|
|
0f6383 |
index c3c9477c4cf..67bc2f4640d 100644
|
|
|
0f6383 |
--- a/source3/libads/krb5_setpw.c
|
|
|
0f6383 |
+++ b/source3/libads/krb5_setpw.c
|
|
|
0f6383 |
@@ -203,6 +203,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_renew_life(opts, 0);
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_forwardable(opts, 0);
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_proxiable(opts, 0);
|
|
|
0f6383 |
+#ifdef SAMBA4_USES_HEIMDAL
|
|
|
0f6383 |
+ krb5_get_init_creds_opt_set_win2k(context, opts, true);
|
|
|
0f6383 |
+ krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
|
|
|
0f6383 |
+#else /* MIT */
|
|
|
0f6383 |
+ krb5_get_init_creds_opt_set_canonicalize(opts, true);
|
|
|
0f6383 |
+#endif /* MIT */
|
|
|
0f6383 |
|
|
|
0f6383 |
/* note that heimdal will fill in the local addresses if the addresses
|
|
|
0f6383 |
* in the creds_init_opt are all empty and then later fail with invalid
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From dc23b10c5c82f4587062fea5d68eb5d373d37bcb Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Fri, 13 Sep 2019 15:52:25 +0200
|
|
|
0f6383 |
Subject: [PATCH 10/22] krb5_wrap: let smb_krb5_parse_name() accept enterprise
|
|
|
0f6383 |
principals
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 3bdf023956e861485be70430112ed38d0a5424f7)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
lib/krb5_wrap/krb5_samba.c | 5 +++++
|
|
|
0f6383 |
1 file changed, 5 insertions(+)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
index a63159812e1..abdcb308728 100644
|
|
|
0f6383 |
--- a/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
+++ b/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
ret = krb5_parse_name(context, utf8_name, principal);
|
|
|
0f6383 |
+ if (ret == KRB5_PARSE_MALFORMED) {
|
|
|
0f6383 |
+ ret = krb5_parse_name_flags(context, utf8_name,
|
|
|
0f6383 |
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
|
|
|
0f6383 |
+ principal);
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
TALLOC_FREE(frame);
|
|
|
0f6383 |
return ret;
|
|
|
0f6383 |
}
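Review bot: The fallback to `krb5_parse_name_flags(..., KRB5_PRINCIPAL_PARSE_ENTERPRISE, ...)` fires on every `KRB5_PARSE_MALFORMED`, so every caller of this shared helper now silently gets enterprise parsing for names like `user@upn.suffix@REALM`, and when the retry also fails the error returned is the retry's, not the original one. Both points deserve a comment at the `if`, e.g. `/* "user@suffix@REALM" is only valid as an enterprise name; retry with KRB5_PRINCIPAL_PARSE_ENTERPRISE (the retry's error, if any, is what we return) */`. A caller that must not accept enterprise names would now have to check the resulting principal's type itself; none is visible here, but the behaviour change belongs in the function's documentation. smb_krb5_parse_name() starts outside the hunk.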
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 056fe4807255578204e56d247cd6ba003213e558 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Wed, 11 Sep 2019 16:44:43 +0200
|
|
|
0f6383 |
Subject: [PATCH 11/22] docs-xml: add "winbind use krb5 enterprise principals"
|
|
|
0f6383 |
option
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 9520652399696010c333a3ce7247809ce5337a91)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
.../winbindusekrb5enterpriseprincipals.xml | 34 +++++++++++++++++++
|
|
|
0f6383 |
1 file changed, 34 insertions(+)
|
|
|
0f6383 |
create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
|
|
|
0f6383 |
new file mode 100644
|
|
|
0f6383 |
index 00000000000..bfc11c8636c
|
|
|
0f6383 |
--- /dev/null
|
|
|
0f6383 |
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
|
|
|
0f6383 |
@@ -0,0 +1,34 @@
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ context="G"
|
|
|
0f6383 |
+ type="boolean"
|
|
|
0f6383 |
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
|
0f6383 |
+<description>
|
|
|
0f6383 |
+ <para>winbindd is able to get kerberos tickets for
|
|
|
0f6383 |
+ pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
|
|
|
0f6383 |
+ </para>
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ <para>winbindd (at least on a domain member) is never be able
|
|
|
0f6383 |
+ to have a complete picture of the trust topology (which is managed by the DCs).
|
|
|
0f6383 |
+ There might be uPNSuffixes and msDS-SPNSuffixes values,
|
|
|
0f6383 |
+ which don't belong to any AD domain at all.
|
|
|
0f6383 |
+ </para>
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ <para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
|
|
|
0f6383 |
+ winbindd don't even get an incomplete picture of the topology.
|
|
|
0f6383 |
+ </para>
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ <para>It is not really required to know about the trust topology.
|
|
|
0f6383 |
+ We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
|
|
|
0f6383 |
+ and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
|
|
|
0f6383 |
+ and follow the WRONG_REALM referrals in order to find the correct DC.
|
|
|
0f6383 |
+ The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE.
|
|
|
0f6383 |
+ </para>
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ <para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
|
|
|
0f6383 |
+ winbindd enterprise principals will be used.
|
|
|
0f6383 |
+ </para>
|
|
|
0f6383 |
+</description>
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+<value type="default">no</value>
|
|
|
0f6383 |
+<value type="example">yes</value>
|
|
|
0f6383 |
+</samba:parameter>
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
From f2c43932e14173574177c9e36894a25e7d8a6609 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Fri, 19 Jul 2019 15:10:09 +0000
|
|
|
0f6383 |
Subject: [PATCH 12/22] s3:winbindd: implement the "winbind use krb5 enterprise
|
|
|
0f6383 |
principals" logic
|
|
|
0f6383 |
|
|
|
0f6383 |
We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM)
|
|
|
0f6383 |
and delegate the routing decisions to the KDCs.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source3/winbindd/winbindd_pam.c | 57 +++++++++++++++++++--------------
|
|
|
0f6383 |
1 file changed, 33 insertions(+), 24 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
|
|
|
0f6383 |
index b81f2722c42..35018fbe284 100644
|
|
|
0f6383 |
--- a/source3/winbindd/winbindd_pam.c
|
|
|
0f6383 |
+++ b/source3/winbindd/winbindd_pam.c
|
|
|
0f6383 |
@@ -418,6 +418,15 @@ struct winbindd_domain *find_auth_domain(uint8_t flags,
|
|
|
0f6383 |
return find_domain_from_name_noinit(domain_name);
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
+ if (lp_winbind_use_krb5_enterprise_principals()) {
|
|
|
0f6383 |
+ /*
|
|
|
0f6383 |
+ * If we use enterprise principals
|
|
|
0f6383 |
+ * we always go trough our primary domain
|
|
|
0f6383 |
+ * and follow the WRONG_REALM replies.
|
|
|
0f6383 |
+ */
|
|
|
0f6383 |
+ flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
+
|
|
|
0f6383 |
/* we can auth against trusted domains */
|
|
|
0f6383 |
if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
|
|
|
0f6383 |
domain = find_domain_from_name_noinit(domain_name);
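Review bot: The new comment reads `we always go trough our primary domain`; `through`. Since the block silently discards the WBFLAG_PAM_CONTACT_TRUSTDOM the caller asked for, the comment should also state that, e.g. `Ignore WBFLAG_PAM_CONTACT_TRUSTDOM: with enterprise principals the primary domain's KDC routes the request via WRONG_REALM referrals.` find_auth_domain's body continues outside the hunk.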
|
|
|
0f6383 |
@@ -717,7 +726,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
|
|
0f6383 |
return NT_STATUS_INVALID_PARAMETER;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
- principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
|
|
|
0f6383 |
+ if (lp_winbind_use_krb5_enterprise_principals() &&
|
|
|
0f6383 |
+ name_namespace[0] != '\0')
|
|
|
0f6383 |
+ {
|
|
|
0f6383 |
+ principal_s = talloc_asprintf(mem_ctx,
|
|
|
0f6383 |
+ "%s@%s@%s",
|
|
|
0f6383 |
+ name_user,
|
|
|
0f6383 |
+ name_namespace,
|
|
|
0f6383 |
+ realm);
|
|
|
0f6383 |
+ } else {
|
|
|
0f6383 |
+ principal_s = talloc_asprintf(mem_ctx,
|
|
|
0f6383 |
+ "%s@%s",
|
|
|
0f6383 |
+ name_user,
|
|
|
0f6383 |
+ realm);
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
if (principal_s == NULL) {
|
|
|
0f6383 |
return NT_STATUS_NO_MEMORY;
|
|
|
0f6383 |
}
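Review bot: The enterprise branch builds a principal with two `@` (`"%s@%s@%s"`) and nothing at the call site explains why that is valid; it presumably relies on the KRB5_PARSE_MALFORMED fallback added to smb_krb5_parse_name in the earlier lib/krb5_wrap patch, which is far from obvious here. Suggest `/* Enterprise principal (user@upn-suffix@REALM): our own realm's KDC resolves the UPN suffix via WRONG_REALM referrals. */` above the `if`. The condition `name_namespace[0] != '\0'` also assumes name_namespace is a non-NULL string; its derivation is outside the hunk, so that is worth confirming. winbindd_raw_kerberos_login continues outside the hunk.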
|
|
|
0f6383 |
@@ -1284,30 +1306,16 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
|
|
|
0f6383 |
|
|
|
0f6383 |
/* what domain should we contact? */
|
|
|
0f6383 |
|
|
|
0f6383 |
- if ( IS_DC ) {
|
|
|
0f6383 |
- contact_domain = find_domain_from_name(name_namespace);
|
|
|
0f6383 |
- if (contact_domain == NULL) {
|
|
|
0f6383 |
- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
|
|
|
0f6383 |
- state->request->data.auth.user, name_domain, name_user, name_domain));
|
|
|
0f6383 |
- result = NT_STATUS_NO_SUCH_USER;
|
|
|
0f6383 |
- goto done;
|
|
|
0f6383 |
- }
|
|
|
0f6383 |
-
|
|
|
0f6383 |
+ if (lp_winbind_use_krb5_enterprise_principals()) {
|
|
|
0f6383 |
+ contact_domain = find_auth_domain(0, name_namespace);
|
|
|
0f6383 |
} else {
|
|
|
0f6383 |
- if (is_myname(name_domain)) {
|
|
|
0f6383 |
- DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
|
|
|
0f6383 |
- result = NT_STATUS_NO_SUCH_USER;
|
|
|
0f6383 |
- goto done;
|
|
|
0f6383 |
- }
|
|
|
0f6383 |
-
|
|
|
0f6383 |
contact_domain = find_domain_from_name(name_namespace);
|
|
|
0f6383 |
- if (contact_domain == NULL) {
|
|
|
0f6383 |
- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
|
|
|
0f6383 |
- state->request->data.auth.user, name_domain, name_user, name_domain));
|
|
|
0f6383 |
-
|
|
|
0f6383 |
- result = NT_STATUS_NO_SUCH_USER;
|
|
|
0f6383 |
- goto done;
|
|
|
0f6383 |
- }
|
|
|
0f6383 |
+ }
|
|
|
0f6383 |
+ if (contact_domain == NULL) {
|
|
|
0f6383 |
+ DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
|
|
|
0f6383 |
+ state->request->data.auth.user, name_domain, name_user, name_namespace));
|
|
|
0f6383 |
+ result = NT_STATUS_NO_SUCH_USER;
|
|
|
0f6383 |
+ goto done;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
if (contact_domain->initialized &&
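Review bot: The rewrite drops two early rejections the old code had — the `IS_DC` special case and the `is_myname(name_domain)` check that refused local-machine names with NT_STATUS_NO_SUCH_USER — while the commit message only describes the enterprise-principal routing. If local names are now meant to fall out of find_domain_from_name() returning NULL, a one-line comment in the `else` branch saying so would make the intent reviewable; otherwise a local name_domain now reaches the lookup unguarded. Note also that `find_auth_domain(0, name_namespace)` passes no flags, so the `flags & WBFLAG_PAM_CONTACT_TRUSTDOM` branch of find_auth_domain is never taken on this call; what it does for zero flags is outside the visible hunks. winbindd_dual_pam_auth_kerberos continues outside the hunk.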
|
|
|
0f6383 |
@@ -1320,7 +1328,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
|
|
|
0f6383 |
}
|
|
|
0f6383 |
|
|
|
0f6383 |
if (!contact_domain->active_directory) {
|
|
|
0f6383 |
- DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
|
|
|
0f6383 |
+ DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
|
|
|
0f6383 |
+ contact_domain->name));
|
|
|
0f6383 |
return NT_STATUS_INVALID_LOGON_TYPE;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
try_login:
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
From eb1bdb032fe5f63cd53cb5a40702b8bcfac673ff Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Wed, 18 Sep 2019 08:04:42 +0200
|
|
|
0f6383 |
Subject: [PATCH 13/22] tests/pam_winbind.py: turn pypamtest.PamTestError into
|
|
|
0f6383 |
a failure
|
|
|
0f6383 |
|
|
|
0f6383 |
A failure generated by the AssertionError() checks can be added
|
|
|
0f6383 |
to selftest/knownfail.d/*.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit cd3ffaabb568db26e0de5e83178487e5947c4f09)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
python/samba/tests/pam_winbind.py | 15 ++++++++++++---
|
|
|
0f6383 |
python/samba/tests/pam_winbind_chauthtok.py | 5 ++++-
|
|
|
0f6383 |
python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 ++++-
|
|
|
0f6383 |
3 files changed, 20 insertions(+), 5 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
|
|
|
0f6383 |
index 68b05b30d7d..b05e8af6ffb 100644
|
|
|
0f6383 |
--- a/python/samba/tests/pam_winbind.py
|
|
|
0f6383 |
+++ b/python/samba/tests/pam_winbind.py
|
|
|
0f6383 |
@@ -30,7 +30,10 @@ class SimplePamTests(samba.tests.TestCase):
|
|
|
0f6383 |
expected_rc = 0 # PAM_SUCCESS
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
|
|
|
0f6383 |
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
|
|
|
0f6383 |
+ try:
|
|
|
0f6383 |
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
|
|
|
0f6383 |
+ except pypamtest.PamTestError as e:
|
|
|
0f6383 |
+ raise AssertionError(str(e))
|
|
|
0f6383 |
|
|
|
0f6383 |
self.assertTrue(res is not None)
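Review bot: `raise AssertionError(str(e))` discards the original PamTestError traceback; `raise AssertionError(str(e)) from e` keeps it chained (Python 3 only — skip it if these tests still have to run under Python 2). The same try/except is repeated in the two following hunks of this file and in pam_winbind_chauthtok.py and pam_winbind_warn_pwd_expire.py, so a small shared helper would avoid five copies. The enclosing test methods start outside the hunk.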
|
|
|
0f6383 |
|
|
|
0f6383 |
@@ -42,7 +45,10 @@ class SimplePamTests(samba.tests.TestCase):
|
|
|
0f6383 |
expected_rc = 7 # PAM_AUTH_ERR
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
|
|
|
0f6383 |
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
|
|
|
0f6383 |
+ try:
|
|
|
0f6383 |
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
|
|
|
0f6383 |
+ except pypamtest.PamTestError as e:
|
|
|
0f6383 |
+ raise AssertionError(str(e))
|
|
|
0f6383 |
|
|
|
0f6383 |
self.assertTrue(res is not None)
|
|
|
0f6383 |
|
|
|
0f6383 |
@@ -52,6 +58,9 @@ class SimplePamTests(samba.tests.TestCase):
|
|
|
0f6383 |
expected_rc = 0 # PAM_SUCCESS
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
|
|
|
0f6383 |
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
|
|
|
0f6383 |
+ try:
|
|
|
0f6383 |
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
|
|
|
0f6383 |
+ except pypamtest.PamTestError as e:
|
|
|
0f6383 |
+ raise AssertionError(str(e))
|
|
|
0f6383 |
|
|
|
0f6383 |
self.assertTrue(res is not None)
|
|
|
0f6383 |
diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py
|
|
|
0f6383 |
index e5be3a83ce7..18c2705127a 100644
|
|
|
0f6383 |
--- a/python/samba/tests/pam_winbind_chauthtok.py
|
|
|
0f6383 |
+++ b/python/samba/tests/pam_winbind_chauthtok.py
|
|
|
0f6383 |
@@ -31,6 +31,9 @@ class PamChauthtokTests(samba.tests.TestCase):
|
|
|
0f6383 |
expected_rc = 0 # PAM_SUCCESS
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
|
|
|
0f6383 |
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
|
|
|
0f6383 |
+ try:
|
|
|
0f6383 |
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
|
|
|
0f6383 |
+ except pypamtest.PamTestError as e:
|
|
|
0f6383 |
+ raise AssertionError(str(e))
|
|
|
0f6383 |
|
|
|
0f6383 |
self.assertTrue(res is not None)
|
|
|
0f6383 |
diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py
|
|
|
0f6383 |
index df60bc5ace6..1af2f9befe1 100644
|
|
|
0f6383 |
--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
|
|
|
0f6383 |
+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
|
|
|
0f6383 |
@@ -31,7 +31,10 @@ class PasswordExpirePamTests(samba.tests.TestCase):
|
|
|
0f6383 |
expected_rc = 0 # PAM_SUCCESS
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
|
|
|
0f6383 |
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
|
|
|
0f6383 |
+ try:
|
|
|
0f6383 |
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
|
|
|
0f6383 |
+ except pypamtest.PamTestError as e:
|
|
|
0f6383 |
+ raise AssertionError(str(e))
|
|
|
0f6383 |
|
|
|
0f6383 |
self.assertTrue(res is not None)
|
|
|
0f6383 |
if warn_pwd_expire == 0:
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
From 54999a5fccc1777c1ee766c552cf32bb489634c9 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Fri, 20 Sep 2019 08:13:28 +0200
|
|
|
0f6383 |
Subject: [PATCH 14/22] tests/pam_winbind.py: allow upn names to be used in
|
|
|
0f6383 |
USERNAME with an empty DOMAIN value
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 653e90485854d978dc522e689cd78c19dcc22a70)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
python/samba/tests/pam_winbind.py | 10 ++++++++--
|
|
|
0f6383 |
python/samba/tests/pam_winbind_chauthtok.py | 5 ++++-
|
|
|
0f6383 |
python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 ++++-
|
|
|
0f6383 |
3 files changed, 16 insertions(+), 4 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
|
|
|
0f6383 |
index b05e8af6ffb..708f408f768 100644
|
|
|
0f6383 |
--- a/python/samba/tests/pam_winbind.py
|
|
|
0f6383 |
+++ b/python/samba/tests/pam_winbind.py
|
|
|
0f6383 |
@@ -26,7 +26,10 @@ class SimplePamTests(samba.tests.TestCase):
|
|
|
0f6383 |
domain = os.environ["DOMAIN"]
|
|
|
0f6383 |
username = os.environ["USERNAME"]
|
|
|
0f6383 |
password = os.environ["PASSWORD"]
|
|
|
0f6383 |
- unix_username = "%s/%s" % (domain, username)
|
|
|
0f6383 |
+ if domain != "":
|
|
|
0f6383 |
+ unix_username = "%s/%s" % (domain, username)
|
|
|
0f6383 |
+ else:
|
|
|
0f6383 |
+ unix_username = "%s" % username
|
|
|
0f6383 |
expected_rc = 0 # PAM_SUCCESS
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
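Review bot: `unix_username = "%s" % username` formats a string into itself; `unix_username = username` says the same thing. The identical branch appears in the next hunk and in pam_winbind_chauthtok.py and pam_winbind_warn_pwd_expire.py. The enclosing test method starts outside the hunk.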
|
|
|
0f6383 |
@@ -41,7 +44,10 @@ class SimplePamTests(samba.tests.TestCase):
|
|
|
0f6383 |
domain = os.environ["DOMAIN"]
|
|
|
0f6383 |
username = os.environ["USERNAME"]
|
|
|
0f6383 |
password = "WrongPassword"
|
|
|
0f6383 |
- unix_username = "%s/%s" % (domain, username)
|
|
|
0f6383 |
+ if domain != "":
|
|
|
0f6383 |
+ unix_username = "%s/%s" % (domain, username)
|
|
|
0f6383 |
+ else:
|
|
|
0f6383 |
+ unix_username = "%s" % username
|
|
|
0f6383 |
expected_rc = 7 # PAM_AUTH_ERR
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
|
|
|
0f6383 |
diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py
|
|
|
0f6383 |
index 18c2705127a..c1d569b3cd0 100644
|
|
|
0f6383 |
--- a/python/samba/tests/pam_winbind_chauthtok.py
|
|
|
0f6383 |
+++ b/python/samba/tests/pam_winbind_chauthtok.py
|
|
|
0f6383 |
@@ -27,7 +27,10 @@ class PamChauthtokTests(samba.tests.TestCase):
|
|
|
0f6383 |
username = os.environ["USERNAME"]
|
|
|
0f6383 |
password = os.environ["PASSWORD"]
|
|
|
0f6383 |
newpassword = os.environ["NEWPASSWORD"]
|
|
|
0f6383 |
- unix_username = "%s/%s" % (domain, username)
|
|
|
0f6383 |
+ if domain != "":
|
|
|
0f6383 |
+ unix_username = "%s/%s" % (domain, username)
|
|
|
0f6383 |
+ else:
|
|
|
0f6383 |
+ unix_username = "%s" % username
|
|
|
0f6383 |
expected_rc = 0 # PAM_SUCCESS
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
|
|
|
0f6383 |
diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py
|
|
|
0f6383 |
index 1af2f9befe1..56f5da94f98 100644
|
|
|
0f6383 |
--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
|
|
|
0f6383 |
+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
|
|
|
0f6383 |
@@ -27,7 +27,10 @@ class PasswordExpirePamTests(samba.tests.TestCase):
|
|
|
0f6383 |
username = os.environ["USERNAME"]
|
|
|
0f6383 |
password = os.environ["PASSWORD"]
|
|
|
0f6383 |
warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"])
|
|
|
0f6383 |
- unix_username = "%s/%s" % (domain, username)
|
|
|
0f6383 |
+ if domain != "":
|
|
|
0f6383 |
+ unix_username = "%s/%s" % (domain, username)
|
|
|
0f6383 |
+ else:
|
|
|
0f6383 |
+ unix_username = "%s" % username
|
|
|
0f6383 |
expected_rc = 0 # PAM_SUCCESS
|
|
|
0f6383 |
|
|
|
0f6383 |
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
From a36c24e3553477c52864db8b4796cbe63ed6462a Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Wed, 18 Sep 2019 01:25:58 +0200
|
|
|
0f6383 |
Subject: [PATCH 15/22] test_pam_winbind.sh: allow different pam_winbindd
|
|
|
0f6383 |
config options to be specified
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
python/samba/tests/test_pam_winbind.sh | 12 +++++++----
|
|
|
0f6383 |
.../samba/tests/test_pam_winbind_chauthtok.sh | 4 ++--
|
|
|
0f6383 |
.../tests/test_pam_winbind_warn_pwd_expire.sh | 20 +++++++++++--------
|
|
|
0f6383 |
selftest/tests.py | 6 +++---
|
|
|
0f6383 |
4 files changed, 25 insertions(+), 17 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh
|
|
|
0f6383 |
index 0406b108b31..755e67280fa 100755
|
|
|
0f6383 |
--- a/python/samba/tests/test_pam_winbind.sh
|
|
|
0f6383 |
+++ b/python/samba/tests/test_pam_winbind.sh
|
|
|
0f6383 |
@@ -12,6 +12,10 @@ PASSWORD="$3"
|
|
|
0f6383 |
export PASSWORD
|
|
|
0f6383 |
shift 3
|
|
|
0f6383 |
|
|
|
0f6383 |
+PAM_OPTIONS="$1"
|
|
|
0f6383 |
+export PAM_OPTIONS
|
|
|
0f6383 |
+shift 1
|
|
|
0f6383 |
+
|
|
|
0f6383 |
PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
|
|
|
0f6383 |
|
|
|
0f6383 |
pam_winbind="$BINDIR/shared/pam_winbind.so"
|
|
|
0f6383 |
@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
|
|
|
0f6383 |
service_file="$service_dir/samba"
|
|
|
0f6383 |
|
|
|
0f6383 |
mkdir $service_dir
|
|
|
0f6383 |
-echo "auth required $pam_winbind debug debug_state" > $service_file
|
|
|
0f6383 |
-echo "account required $pam_winbind debug debug_state" >> $service_file
|
|
|
0f6383 |
-echo "password required $pam_winbind debug debug_state" >> $service_file
|
|
|
0f6383 |
-echo "session required $pam_winbind debug debug_state" >> $service_file
|
|
|
0f6383 |
+echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
|
|
|
0f6383 |
+echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
+echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
+echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
|
|
|
0f6383 |
PAM_WRAPPER="1"
|
|
|
0f6383 |
export PAM_WRAPPER
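Review bot: `$PAM_OPTIONS` is expanded unquoted into the generated PAM service file, which is what lets a multi-option value such as `krb5_auth krb5_ccache_type=FILE` land as separate module arguments; that deliberate word-splitting deserves a comment next to the first `echo`, e.g. `# PAM_OPTIONS is a space-separated list of extra pam_winbind arguments; leave it unquoted.` With an empty PAM_OPTIONS each line ends in a trailing space, which should be harmless to the PAM config parser. The same four-line echo block is repeated twice more in test_pam_winbind_warn_pwd_expire.sh and is a candidate for a small shell function.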
|
|
|
0f6383 |
diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh
|
|
|
0f6383 |
index 5887699300a..48adc81859d 100755
|
|
|
0f6383 |
--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
|
|
|
0f6383 |
+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
|
|
|
0f6383 |
@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
|
|
|
0f6383 |
export PAM_WRAPPER_DEBUGLEVEL
|
|
|
0f6383 |
|
|
|
0f6383 |
case $PAM_OPTIONS in
|
|
|
0f6383 |
- use_authtok)
|
|
|
0f6383 |
+ *use_authtok*)
|
|
|
0f6383 |
PAM_AUTHTOK="$NEWPASSWORD"
|
|
|
0f6383 |
export PAM_AUTHTOK
|
|
|
0f6383 |
;;
|
|
|
0f6383 |
- try_authtok)
|
|
|
0f6383 |
+ *try_authtok*)
|
|
|
0f6383 |
PAM_AUTHTOK="$NEWPASSWORD"
|
|
|
0f6383 |
export PAM_AUTHTOK
|
|
|
0f6383 |
;;
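Review bot: The two new patterns `*use_authtok*)` and `*try_authtok*)` run identical bodies and can be one arm, `*use_authtok*|*try_authtok*)`. The glob form is substring matching, so any future option name that merely contains `use_authtok` would also take this arm; fine for the values tests.py passes today, but a comment such as `# PAM_OPTIONS may carry several options; match by substring` would record that this is intended.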
|
|
|
0f6383 |
diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
|
|
|
0f6383 |
index 16dede44227..348d2ae8387 100755
|
|
|
0f6383 |
--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
|
|
|
0f6383 |
+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
|
|
|
0f6383 |
@@ -12,6 +12,10 @@ PASSWORD="$3"
|
|
|
0f6383 |
export PASSWORD
|
|
|
0f6383 |
shift 3
|
|
|
0f6383 |
|
|
|
0f6383 |
+PAM_OPTIONS="$1"
|
|
|
0f6383 |
+export PAM_OPTIONS
|
|
|
0f6383 |
+shift 1
|
|
|
0f6383 |
+
|
|
|
0f6383 |
PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
|
|
|
0f6383 |
|
|
|
0f6383 |
pam_winbind="$BINDIR/shared/pam_winbind.so"
|
|
|
0f6383 |
@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL
|
|
|
0f6383 |
WARN_PWD_EXPIRE="50"
|
|
|
0f6383 |
export WARN_PWD_EXPIRE
|
|
|
0f6383 |
|
|
|
0f6383 |
-echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
|
|
|
0f6383 |
-echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
|
|
|
0f6383 |
-echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
|
|
|
0f6383 |
-echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
|
|
|
0f6383 |
+echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
|
|
|
0f6383 |
+echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
+echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
+echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
|
|
|
0f6383 |
PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
|
|
|
0f6383 |
exit_code=$?
|
|
|
0f6383 |
@@ -54,10 +58,10 @@ fi
|
|
|
0f6383 |
WARN_PWD_EXPIRE="0"
|
|
|
0f6383 |
export WARN_PWD_EXPIRE
|
|
|
0f6383 |
|
|
|
0f6383 |
-echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
|
|
|
0f6383 |
-echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
|
|
|
0f6383 |
-echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
|
|
|
0f6383 |
-echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
|
|
|
0f6383 |
+echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
|
|
|
0f6383 |
+echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
+echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
+echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
|
|
|
0f6383 |
|
|
|
0f6383 |
PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
|
|
|
0f6383 |
exit_code=$?
|
|
|
0f6383 |
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
|
0f6383 |
index 7dbc0a9871f..507f7c3ea55 100644
|
|
|
0f6383 |
--- a/selftest/tests.py
|
|
|
0f6383 |
+++ b/selftest/tests.py
|
|
|
0f6383 |
@@ -168,11 +168,11 @@ if with_pam:
|
|
|
0f6383 |
plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
|
|
|
0f6383 |
[os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
- "$SERVER", "$USERNAME", "$PASSWORD"])
|
|
|
0f6383 |
+ "$SERVER", "$USERNAME", "$PASSWORD", "''"])
|
|
|
0f6383 |
plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
|
|
|
0f6383 |
[os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
- "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
|
|
|
0f6383 |
+ "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"])
|
|
|
0f6383 |
|
|
|
0f6383 |
for pam_options in ["''", "use_authtok", "try_authtok"]:
|
|
|
0f6383 |
plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member",
|
|
|
0f6383 |
@@ -185,7 +185,7 @@ if with_pam:
|
|
|
0f6383 |
plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member",
|
|
|
0f6383 |
[os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
|
|
|
0f6383 |
valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
- "$DOMAIN", "alice", "Secret007"])
|
|
|
0f6383 |
+ "$DOMAIN", "alice", "Secret007", "''"])
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
plantestsuite("samba.unittests.krb5samba", "none",
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
From a1a34241a96e2dc2bb5a1157c51f8d7b85973b32 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Wed, 18 Sep 2019 01:25:23 +0200
|
|
|
0f6383 |
Subject: [PATCH 16/22] selftest/tests.py: prepare looping over pam_winbindd
|
|
|
0f6383 |
tests
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
selftest/tests.py | 58 ++++++++++++++++++++++++++++++-----------------
|
|
|
0f6383 |
1 file changed, 37 insertions(+), 21 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
|
0f6383 |
index 507f7c3ea55..3224de493f9 100644
|
|
|
0f6383 |
--- a/selftest/tests.py
|
|
|
0f6383 |
+++ b/selftest/tests.py
|
|
|
0f6383 |
@@ -165,27 +165,43 @@ planpythontestsuite("none", "samba.tests.tdb_util", py3_compatible=True)
|
|
|
0f6383 |
planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True)
|
|
|
0f6383 |
|
|
|
0f6383 |
if with_pam:
|
|
|
0f6383 |
- plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
|
|
|
0f6383 |
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
- valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
- "$SERVER", "$USERNAME", "$PASSWORD", "''"])
|
|
|
0f6383 |
- plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
|
|
|
0f6383 |
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
- valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
- "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"])
|
|
|
0f6383 |
-
|
|
|
0f6383 |
- for pam_options in ["''", "use_authtok", "try_authtok"]:
|
|
|
0f6383 |
- plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member",
|
|
|
0f6383 |
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
|
|
|
0f6383 |
- valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
|
|
|
0f6383 |
- "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0",
|
|
|
0f6383 |
- pam_options, 'yes',
|
|
|
0f6383 |
- "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
|
|
|
0f6383 |
-
|
|
|
0f6383 |
- plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member",
|
|
|
0f6383 |
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
|
|
|
0f6383 |
- valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
- "$DOMAIN", "alice", "Secret007", "''"])
|
|
|
0f6383 |
+ env = "ad_member"
|
|
|
0f6383 |
+ options = [
|
|
|
0f6383 |
+ {
|
|
|
0f6383 |
+ "description": "default",
|
|
|
0f6383 |
+ "pam_options": "",
|
|
|
0f6383 |
+ },
|
|
|
0f6383 |
+ ]
|
|
|
0f6383 |
+ for o in options:
|
|
|
0f6383 |
+ description = o["description"]
|
|
|
0f6383 |
+ pam_options = "'%s'" % o["pam_options"]
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
+ "$SERVER", "$USERNAME", "$PASSWORD",
|
|
|
0f6383 |
+ pam_options])
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
+ "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
|
|
|
0f6383 |
+ pam_options])
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ for authtok_options in ["", "use_authtok", "try_authtok"]:
|
|
|
0f6383 |
+ _pam_options = "'%s %s'" % (o["pam_options"], authtok_options)
|
|
|
0f6383 |
+ _description = "%s %s" % (description, authtok_options)
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind_chauthtok(domain+%s)" % _description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
|
|
|
0f6383 |
+ "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0",
|
|
|
0f6383 |
+ _pam_options, 'yes',
|
|
|
0f6383 |
+ "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
|
|
|
0f6383 |
+
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain+%s)" % description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
+ "$DOMAIN", "alice", "Secret007",
|
|
|
0f6383 |
+ pam_options])
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
plantestsuite("samba.unittests.krb5samba", "none",
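Review bot: `pam_options = "'%s'" % o["pam_options"]` hand-quotes a value for later shell evaluation, and `_pam_options = "'%s %s'"` repeats that with a leading space whenever `pam_options` is empty; `shlex.quote` would be the robust form if the runner really hands the command to a shell, which is not visible here. At minimum the convention deserves a comment at `options = [`, e.g. `# pam_options is a space-separated pam_winbind argument list; it is single-quoted because the test runner passes the command through a shell.`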
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
From 71047f27e44dd9b3c7aaf421990199de408ee67b Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Wed, 18 Sep 2019 08:08:57 +0200
|
|
|
0f6383 |
Subject: [PATCH 17/22] selftest/tests.py: test pam_winbind with krb5_auth
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
selftest/tests.py | 4 ++++
|
|
|
0f6383 |
1 file changed, 4 insertions(+)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
|
0f6383 |
index 3224de493f9..c2d94262c3c 100644
|
|
|
0f6383 |
--- a/selftest/tests.py
|
|
|
0f6383 |
+++ b/selftest/tests.py
|
|
|
0f6383 |
@@ -167,6 +167,10 @@ planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True)
|
|
|
0f6383 |
if with_pam:
|
|
|
0f6383 |
env = "ad_member"
|
|
|
0f6383 |
options = [
|
|
|
0f6383 |
+ {
|
|
|
0f6383 |
+ "description": "krb5",
|
|
|
0f6383 |
+ "pam_options": "krb5_auth krb5_ccache_type=FILE",
|
|
|
0f6383 |
+ },
|
|
|
0f6383 |
{
|
|
|
0f6383 |
"description": "default",
|
|
|
0f6383 |
"pam_options": "",
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
From 2262c07316a247aa20b306767af172c22e47d438 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Wed, 18 Sep 2019 14:03:34 +0200
|
|
|
0f6383 |
Subject: [PATCH 18/22] selftest/tests.py: test pam_winbind with a lot of
|
|
|
0f6383 |
username variations
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(cherry picked from commit f07b542c61f84a97c097208e10bf9375ddfa9a15)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
selftest/tests.py | 27 ++++++++++++++++++++++++++-
|
|
|
0f6383 |
1 file changed, 26 insertions(+), 1 deletion(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
|
0f6383 |
index c2d94262c3c..c9529328359 100644
|
|
|
0f6383 |
--- a/selftest/tests.py
|
|
|
0f6383 |
+++ b/selftest/tests.py
|
|
|
0f6383 |
@@ -185,11 +185,36 @@ if with_pam:
|
|
|
0f6383 |
valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
"$SERVER", "$USERNAME", "$PASSWORD",
|
|
|
0f6383 |
pam_options])
|
|
|
0f6383 |
- plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env,
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env,
|
|
|
0f6383 |
[os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
"$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
|
|
|
0f6383 |
pam_options])
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
+ "$REALM", "$DC_USERNAME", "$DC_PASSWORD",
|
|
|
0f6383 |
+ pam_options])
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
+ "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
|
|
|
0f6383 |
+ pam_options])
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
+ "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
|
|
|
0f6383 |
+ pam_options])
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
+ "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
|
|
|
0f6383 |
+ pam_options])
|
|
|
0f6383 |
+ plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env,
|
|
|
0f6383 |
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
|
|
|
0f6383 |
+ valgrindify(python), pam_wrapper_so_path,
|
|
|
0f6383 |
+ "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
|
|
|
0f6383 |
+ pam_options])
|
|
|
0f6383 |
|
|
|
0f6383 |
for authtok_options in ["", "use_authtok", "try_authtok"]:
|
|
|
0f6383 |
_pam_options = "'%s %s'" % (o["pam_options"], authtok_options)
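Review bot: The five new plantestsuite calls for domain2 to domain6 repeat the domain1 call verbatim except for the domain and user arguments, so the variants would be clearer and easier to extend as a table of (domain, user) pairs iterated with enumerate, as sketched below. The `"''"` passed as the domain argument for domain3 and domain4 is a literal empty argument for test_pam_winbind.sh and deserves a comment, e.g. `# "''" hands the script an empty domain so only the user@DOMAIN / user@REALM form is given`. The enclosing loop over the option sets begins before this hunk.
```python
            # (domain, user) variants handed to test_pam_winbind.sh; "''" is an
            # empty domain, so only the user@DOMAIN / user@REALM form is given.
            domain_user_variants = [
                ("$DOMAIN", "$DC_USERNAME"),
                ("$REALM", "$DC_USERNAME"),
                ("''", "${DC_USERNAME}@${DOMAIN}"),
                ("''", "${DC_USERNAME}@${REALM}"),
                ("$REALM", "${DC_USERNAME}@${DOMAIN}"),
                ("$DOMAIN", "${DC_USERNAME}@${REALM}"),
            ]
            for idx, (domain, user) in enumerate(domain_user_variants, start=1):
                plantestsuite("samba.tests.pam_winbind(domain%d+%s)" % (idx, description), env,
                              [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
                               valgrindify(python), pam_wrapper_so_path,
                               domain, user, "$DC_PASSWORD",
                               pam_options])
            # … unchanged: authtok_options loop …
```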
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 2ed154a74c10d77a1db4543e9c1b498875777a4c Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Wed, 18 Sep 2019 08:02:38 +0200
|
|
|
0f6383 |
Subject: [PATCH 19/22] selftest/Samba3.pm: use "winbind scan trusted domains =
|
|
|
0f6383 |
no" for ad_member
|
|
|
0f6383 |
|
|
|
0f6383 |
This demonstrates that we rely on knowing about trusted domains before
|
|
|
0f6383 |
we can do krb5_auth in winbindd.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
(similar to commit e2737a74d4453a3d65e5466ddc4405d68444df27)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
selftest/target/Samba3.pm | 1 +
|
|
|
0f6383 |
1 file changed, 1 insertion(+)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
|
|
0f6383 |
index 892a6a15e2d..751304d9166 100755
|
|
|
0f6383 |
--- a/selftest/target/Samba3.pm
|
|
|
0f6383 |
+++ b/selftest/target/Samba3.pm
|
|
|
0f6383 |
@@ -412,6 +412,7 @@ sub setup_ad_member
|
|
|
0f6383 |
realm = $dcvars->{REALM}
|
|
|
0f6383 |
netbios aliases = foo bar
|
|
|
0f6383 |
template homedir = /home/%D/%G/%U
|
|
|
0f6383 |
+ winbind scan trusted domains = no
|
|
|
0f6383 |
|
|
|
0f6383 |
[sub_dug]
|
|
|
0f6383 |
path = $share_dir/D_%D/U_%U/G_%G
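Review bot: Taken on its own this commit is expected to make the krb5 pam_winbind variants added in the two preceding tests.py commits fail, because the description says krb5_auth in winbindd depends on trusted-domain knowledge that `winbind scan trusted domains = no` now withholds; the setting that restores it (`winbind use krb5 enterprise principals = yes`, added to the same setup_ad_member block in the following commit) should be squashed with or ordered before this one so the series stays bisectable. A short comment in the generated smb.conf text, e.g. `# krb5_auth must work without trusted-domain enumeration (BUG 14124)`, would record why the ad_member environment deviates from the default. setup_ad_member begins before this hunk.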
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 27a48944cfbfb2932558a799d5b9c057e0d4ea42 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Date: Wed, 18 Sep 2019 08:10:26 +0200
|
|
|
0f6383 |
Subject: [PATCH 20/22] selftest/Samba3.pm: use "winbind use krb5 enterprise
|
|
|
0f6383 |
principals = yes" for ad_member
|
|
|
0f6383 |
MIME-Version: 1.0
|
|
|
0f6383 |
Content-Type: text/plain; charset=UTF-8
|
|
|
0f6383 |
Content-Transfer-Encoding: 8bit
|
|
|
0f6383 |
|
|
|
0f6383 |
This demonstrates that we can do krb5_auth in winbindd without knowing about trusted domains.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
0f6383 |
|
|
|
0f6383 |
Autobuild-User(master): Günther Deschner <gd@samba.org>
|
|
|
0f6383 |
Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184
|
|
|
0f6383 |
|
|
|
0f6383 |
(similar to commit 0ee085b594878f5e0e83839f465303754f015459)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
selftest/target/Samba3.pm | 1 +
|
|
|
0f6383 |
1 file changed, 1 insertion(+)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
|
|
0f6383 |
index 751304d9166..89e75e54a91 100755
|
|
|
0f6383 |
--- a/selftest/target/Samba3.pm
|
|
|
0f6383 |
+++ b/selftest/target/Samba3.pm
|
|
|
0f6383 |
@@ -413,6 +413,7 @@ sub setup_ad_member
|
|
|
0f6383 |
netbios aliases = foo bar
|
|
|
0f6383 |
template homedir = /home/%D/%G/%U
|
|
|
0f6383 |
winbind scan trusted domains = no
|
|
|
0f6383 |
+ winbind use krb5 enterprise principals = yes
|
|
|
0f6383 |
|
|
|
0f6383 |
[sub_dug]
|
|
|
0f6383 |
path = $share_dir/D_%D/U_%U/G_%G
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From f70c0339b7e0f22351bdb2604504bf4f2c794544 Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Andreas Schneider <asn@samba.org>
|
|
|
0f6383 |
Date: Wed, 9 Oct 2019 20:11:03 +0200
|
|
|
0f6383 |
Subject: [PATCH 21/22] lib:krb5_wrap: Do not create a temporary file for
|
|
|
0f6383 |
MEMORY keytabs
|
|
|
0f6383 |
|
|
|
0f6383 |
The autobuild cleanup script fails with:
|
|
|
0f6383 |
|
|
|
0f6383 |
The tree has 3 new uncommitted files!!!
|
|
|
0f6383 |
git clean -n
|
|
|
0f6383 |
Would remove MEMORY:tmp_smb_creds_SK98Lv
|
|
|
0f6383 |
Would remove MEMORY:tmp_smb_creds_kornU6
|
|
|
0f6383 |
Would remove MEMORY:tmp_smb_creds_ljR828
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
|
0f6383 |
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
(cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de)
|
|
|
0f6383 |
(cherry picked from commit d533a588b62829688824824da681cb360a399651)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
lib/krb5_wrap/krb5_samba.c | 16 ++++++++--------
|
|
|
0f6383 |
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
index abdcb308728..6ce1d09952e 100644
|
|
|
0f6383 |
--- a/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
+++ b/lib/krb5_wrap/krb5_samba.c
|
|
|
0f6383 |
@@ -2002,21 +2002,21 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx,
|
|
|
0f6383 |
krb_options);
|
|
|
0f6383 |
#elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB)
|
|
|
0f6383 |
{
|
|
|
0f6383 |
-#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX"
|
|
|
0f6383 |
- char tmp_name[sizeof(SMB_CREDS_KEYTAB)];
|
|
|
0f6383 |
+#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache"
|
|
|
0f6383 |
+ char tmp_name[64] = {0};
|
|
|
0f6383 |
krb5_keytab_entry entry;
|
|
|
0f6383 |
krb5_keytab keytab;
|
|
|
0f6383 |
- mode_t mask;
|
|
|
0f6383 |
+ int rc;
|
|
|
0f6383 |
|
|
|
0f6383 |
memset(&entry, 0, sizeof(entry));
|
|
|
0f6383 |
entry.principal = principal;
|
|
|
0f6383 |
*(KRB5_KT_KEY(&entry)) = *keyblock;
|
|
|
0f6383 |
|
|
|
0f6383 |
- memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB));
|
|
|
0f6383 |
- mask = umask(S_IRWXO | S_IRWXG);
|
|
|
0f6383 |
- mktemp(tmp_name);
|
|
|
0f6383 |
- umask(mask);
|
|
|
0f6383 |
- if (tmp_name[0] == 0) {
|
|
|
0f6383 |
+ rc = snprintf(tmp_name, sizeof(tmp_name),
|
|
|
0f6383 |
+ "%s-%p",
|
|
|
0f6383 |
+ SMB_CREDS_KEYTAB,
|
|
|
0f6383 |
+ &my_creds);
|
|
|
0f6383 |
+ if (rc < 0) {
|
|
|
0f6383 |
return KRB5_KT_BADNAME;
|
|
|
0f6383 |
}
|
|
|
0f6383 |
code = krb5_kt_resolve(ctx, tmp_name, &keytab);
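Review bot: The `rc < 0` check after the new snprintf only catches an encoding error, not truncation; the conventional form is `if (rc < 0 || (size_t)rc >= sizeof(tmp_name)) {` so that a longer SMB_CREDS_KEYTAB or a wider pointer can never yield a silently clipped keytab name. Using `%p` of `&my_creds` (presumably a local) makes the name unique per live stack frame but identical for sequential calls that reach the same stack depth; if the entry added to this MEMORY keytab is not removed before the keytab is closed further down the function (outside the hunk), a later call would resolve the existing keytab and add to it rather than start empty, which deserves a comment or an explicit krb5_kt_remove_entry. Embedding a stack address in a name that can surface in krb5 error messages also discloses address-layout information, so a process-local counter would be a cleaner uniqueness source. The body of smb_krb5_kinit_keyblock_ccache continues outside the hunk.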
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|
|
|
0f6383 |
|
|
|
0f6383 |
From 496c7702401cdce4603bdb143742fdf59e614fdd Mon Sep 17 00:00:00 2001
|
|
|
0f6383 |
From: Andreas Schneider <asn@samba.org>
|
|
|
0f6383 |
Date: Wed, 9 Oct 2019 16:32:47 +0200
|
|
|
0f6383 |
Subject: [PATCH 22/22] s3:libads: Do not turn on canonicalization flag for MIT
|
|
|
0f6383 |
Kerberos
|
|
|
0f6383 |
|
|
|
0f6383 |
This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.
|
|
|
0f6383 |
|
|
|
0f6383 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
|
|
|
0f6383 |
|
|
|
0f6383 |
Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>
|
|
|
0f6383 |
|
|
|
0f6383 |
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
|
0f6383 |
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
|
|
|
0f6383 |
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)
|
|
|
0f6383 |
|
|
|
0f6383 |
Autobuild-User(v4-10-test): Stefan Metzmacher <metze@samba.org>
|
|
|
0f6383 |
Autobuild-Date(v4-10-test): Wed Oct 16 16:43:59 UTC 2019 on sn-devel-144
|
|
|
0f6383 |
|
|
|
0f6383 |
(cherry picked from commit 3ad42536f873f21cc2db774ca3ea694ca7142253)
|
|
|
0f6383 |
---
|
|
|
0f6383 |
source3/libads/krb5_setpw.c | 15 +++++++++++++++
|
|
|
0f6383 |
1 file changed, 15 insertions(+)
|
|
|
0f6383 |
|
|
|
0f6383 |
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
|
|
|
0f6383 |
index 67bc2f4640d..028b0dcfa65 100644
|
|
|
0f6383 |
--- a/source3/libads/krb5_setpw.c
|
|
|
0f6383 |
+++ b/source3/libads/krb5_setpw.c
|
|
|
0f6383 |
@@ -207,7 +207,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_win2k(context, opts, true);
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
|
|
|
0f6383 |
#else /* MIT */
|
|
|
0f6383 |
+#if 0
|
|
|
0f6383 |
+ /*
|
|
|
0f6383 |
+ * FIXME
|
|
|
0f6383 |
+ *
|
|
|
0f6383 |
+ * Due to an upstream MIT Kerberos bug, this feature is not
|
|
|
0f6383 |
+ * not working. Affection versions (2019-10-09): <= 1.17
|
|
|
0f6383 |
+ *
|
|
|
0f6383 |
+ * Reproducer:
|
|
|
0f6383 |
+ * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM
|
|
|
0f6383 |
+ *
|
|
|
0f6383 |
+ * This is NOT a problem if the service is a krbtgt.
|
|
|
0f6383 |
+ *
|
|
|
0f6383 |
+ * https://bugzilla.samba.org/show_bug.cgi?id=14155
|
|
|
0f6383 |
+ */
|
|
|
0f6383 |
krb5_get_init_creds_opt_set_canonicalize(opts, true);
|
|
|
0f6383 |
+#endif
|
|
|
0f6383 |
#endif /* MIT */
|
|
|
0f6383 |
|
|
|
0f6383 |
/* note that heimdal will fill in the local addresses if the addresses
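Review bot: The new comment inside the `#if 0` block has two typos: read together, the lines say "this feature is not not working", and "Affection versions" should be "Affected versions", so the pair should be `* Due to an upstream MIT Kerberos bug, this feature is` / `* not working. Affected versions (2019-10-09): <= 1.17`. It would also help to state the user-visible consequence of leaving canonicalization off for MIT builds — presumably that ads_krb5_chg_password now sends the principal name exactly as given, so a non-canonical spelling like the reproducer's is no longer corrected on this code path — so whoever removes the `#if 0` once MIT is fixed knows which behaviour to re-test. ads_krb5_chg_password begins before this hunk.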
|
|
|
0f6383 |
--
|
|
|
0f6383 |
2.24.1
|
|
|
0f6383 |
|