The branch, master has been updated
       via  0a65bb5... s4:selftest Add testing of kpasswd password set on 
servicePrincipalName
       via  5f6f7a2... s4:kdc Add support for changing password of a 
servicePrincipalName
      from  6199ae4... s4-ldb: fixed command line parsing in oLschema2ldif

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0a65bb57a18176a4aaa6972c025062577b124ee7
Author: Andrew Bartlett <[email protected]>
Date:   Thu Mar 25 16:30:54 2010 +1100

    s4:selftest Add testing of kpasswd password set on servicePrincipalName

commit 5f6f7a2e518b53783df60e497e1b12fdaee307a7
Author: Andrew Bartlett <[email protected]>
Date:   Thu Mar 25 16:27:40 2010 +1100

    s4:kdc Add support for changing password of a servicePrincipalName
    
    Apparently AD supports setting a password on a servicePrincipalName,
    not just a user principal name.  This should fix (part of) the join of
    OpenSolaris's internal CIFS server to Samba4 as reported by Bug #7273
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/kdc/kpasswdd.c           |   42 ++++++++++++++++++++++++++++---------
 testprogs/blackbox/test_kinit.sh |   31 ++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index e65f25d..5e1efee 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -250,6 +250,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
                krb5_principal principal;
                char *set_password_on_princ;
                struct ldb_dn *set_password_on_dn;
+               bool service_principal_name = false;
 
                size_t len;
                int ret;
@@ -311,14 +312,29 @@ static bool kpasswd_process_request(struct kdc_server 
*kdc,
                }
                free_ChangePasswdDataMS(&chpw);
 
-               if (krb5_unparse_name(context, principal, 
&set_password_on_princ) != 0) {
-                       krb5_free_principal(context, principal);
-                       return kpasswdd_make_error_reply(kdc, mem_ctx,
-                                                       KRB5_KPASSWD_MALFORMED,
-                                                       "krb5_unparse_name 
failed!",
-                                                       reply);
-               }
+               if (principal->name.name_string.len >= 2) {
+                       service_principal_name = true;
 
+                       /* We use this, rather than 'no realm' flag,
+                        * as we don't want to accept a password
+                        * change on a principal from another realm */
+
+                       if (krb5_unparse_name_short(context, principal, 
&set_password_on_princ) != 0) {
+                               krb5_free_principal(context, principal);
+                               return kpasswdd_make_error_reply(kdc, mem_ctx,
+                                                                
KRB5_KPASSWD_MALFORMED,
+                                                                
"krb5_unparse_name failed!",
+                                                                reply);
+                       }
+               } else {
+                       if (krb5_unparse_name(context, principal, 
&set_password_on_princ) != 0) {
+                               krb5_free_principal(context, principal);
+                               return kpasswdd_make_error_reply(kdc, mem_ctx,
+                                                                
KRB5_KPASSWD_MALFORMED,
+                                                                
"krb5_unparse_name failed!",
+                                                                reply);
+                       }
+               }
                krb5_free_principal(context, principal);
 
                samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, 
kdc->task->lp_ctx, session_info);
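Review bot: The error reply in the new servicePrincipalName branch still says `"krb5_unparse_name failed!"` although the call it guards is krb5_unparse_name_short, so a failure there is attributed to the wrong function; at minimum the string should read `"krb5_unparse_name_short failed!"`. The two branches otherwise duplicate the same five-line error reply, and choosing the unparse call by component count and then sharing one failure check would leave a single reply to maintain, as sketched below. The `name.name_string.len >= 2` test reaches into the library's principal representation; a comment stating that a two-component name is what marks the request as a servicePrincipalName would help the next reader, and the cross-realm statement in the new comment presumably rests on krb5_unparse_name_short keeping the realm suffix for a non-default realm so that the later lookup cannot match — worth stating explicitly. kpasswd_process_request starts and ends outside the hunk.
```c
		int unparse_ret;

		if (principal->name.name_string.len >= 2) {
			/* A two-component name is treated as a
			 * servicePrincipalName.  We use this, rather than the
			 * 'no realm' flag, as we don't want to accept a password
			 * change on a principal from another realm */
			service_principal_name = true;
			unparse_ret = krb5_unparse_name_short(context, principal,
							      &set_password_on_princ);
		} else {
			unparse_ret = krb5_unparse_name(context, principal,
							&set_password_on_princ);
		}
		if (unparse_ret != 0) {
			krb5_free_principal(context, principal);
			return kpasswdd_make_error_reply(kdc, mem_ctx,
							 KRB5_KPASSWD_MALFORMED,
							 service_principal_name
							 ? "krb5_unparse_name_short failed!"
							 : "krb5_unparse_name failed!",
							 reply);
		}
		/* … unchanged: krb5_free_principal and samdb_connect … */
```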
@@ -344,9 +360,15 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
                                                           reply);
                }
 
-               status = crack_user_principal_name(samdb, mem_ctx,
-                                                  set_password_on_princ,
-                                                  &set_password_on_dn, NULL);
+               if (service_principal_name) {
+                       status = crack_service_principal_name(samdb, mem_ctx,
+                                                             
set_password_on_princ,
+                                                             
&set_password_on_dn, NULL);
+               } else {
+                       status = crack_user_principal_name(samdb, mem_ctx,
+                                                          
set_password_on_princ,
+                                                          &set_password_on_dn, 
NULL);
+               }
                free(set_password_on_princ);
                if (!NT_STATUS_IS_OK(status)) {
                        ldb_transaction_cancel(samdb);
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 1ee4e1c..034b850 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -23,6 +23,8 @@ samba4bindir="$BUILDDIR/bin"
 smbclient="$samba4bindir/smbclient$EXEEXT"
 samba4kinit="$samba4bindir/samba4kinit$EXEEXT"
 net="$samba4bindir/net$EXEEXT"
+ldbmodify="$samba4bindir/ldbmodify$EXEEXT"
+ldbsearch="$samba4bindir/ldbsearch$EXEEXT"
 rkpty="$samba4bindir/rkpty$EXEEXT"
 samba4kpasswd="$samba4bindir/samba4kpasswd$EXEEXT"
 enableaccount="$samba4bindir/net enableaccount"
@@ -68,6 +70,18 @@ testit "add user with kerberos ccache" $VALGRIND $net user 
add nettestuser $CONF
 userpass=testp...@12%
 echo $USERPASS > ./tmpuserpassfile
 
+echo "Getting defaultNamingContext"
+BASEDN=`$ldbsearch $options --basedn='' -H ldap://$SERVER -s base DUMMY=x 
defaultNamingContext | grep defaultNamingContext | awk '{print $2}'`
+
+cat > ./tmpldbmodify <<EOF
+dn: cn=nettestuser,cn=users,$BASEDN
+changetype: modify
+add: servicePrincipalName
+servicePrincipalName: host/nettestuser
+EOF
+
+testit "modify servicePrincipalName" $VALGRIND $ldbmodify -H ldap://$SERVER 
./tmpldbmodify -k yes $@ || failed=`expr $failed + 1`
+
 testit "set user password with kerberos ccache" $VALGRIND $net password set 
$DOMAIN\\nettestuser $USERPASS $CONFIGURATION  -k yes $@ || failed=`expr 
$failed + 1`
 
 testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser 
-H ldap://$SERVER -k yes $@ || failed=`expr $failed + 1`
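Review bot: BASEDN is taken straight from the ldbsearch pipeline with no check, so if the search fails (server unreachable, credentials rejected) BASEDN is empty and the heredoc yields `dn: cn=nettestuser,cn=users,`, making the following ldbmodify step fail with an error that points at the wrong place. A guard right after the assignment, `test -n "$BASEDN" || failed=\`expr $failed + 1\`` together with an `echo` naming defaultNamingContext, keeps the failure attributable in the same counting style the script already uses. `$options` is not assigned within this hunk, so its value comes from earlier in the script and is not visible here; whether ./tmpldbmodify is removed by the script's cleanup is likewise outside the hunk.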
@@ -125,6 +139,23 @@ testit "kinit with user password" $samba4kinit 
--password-file=./tmpuserpassfile
 
 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || 
failed=`expr $failed + 1`
 
+newuserpass=testp...@910%
+echo $NEWUSERPASS > ./tmpuserpassfile
+
+cat > ./tmpkpasswdscript <<EOF
+expect New password
+send ${NEWUSERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+testit "set user password with kpasswd and servicePrincipalName" $rkpty 
./tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache 
host/nettestu...@$realm || failed=`expr $failed + 1`
+
+testit "kinit with user password" $samba4kinit 
--password-file=./tmpuserpassfile --request-pac nettestu...@$realm   || 
failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || 
failed=`expr $failed + 1`
+
 KRB5CCNAME="$PREFIX/tmpccache"
 export KRB5CCNAME
 
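Review bot: The two testit labels added after the kpasswd step, `"kinit with user password"` and `"Test login with user kerberos ccache"`, repeat the labels already used earlier in the script (visible as context at the top of this hunk), so a failure in the test output cannot be told apart from the earlier run. Distinct labels such as `"kinit with user password after servicePrincipalName kpasswd"` and `"Test login with user kerberos ccache after servicePrincipalName kpasswd"` keep each result attributable. ./tmpkpasswdscript holds the new password in clear; it is presumably removed with the other tmp files by the script's cleanup, which is outside the hunk.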

