The branch, master has been updated
via 53fb00e torture: improve rpc.remote_pac test so we check if
LogonSamLogon actually succeeds
via 933305a torture: Improve winbindd.pac test to check multiple GENSEC
mechanims
via 121bbc01 gensec_krb5: Match behaviour of gensec_gssapi for
password-based keytabs
via 64f5984 test: improve kinit kerberos tests
from 57a03c6 autobuild: adapt a comment
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 53fb00e5d59c0e69a44ba54eeedc3a48a5322e9f
Author: Andrew Bartlett <[email protected]>
Date: Tue Dec 16 18:07:44 2014 +1300
torture: improve rpc.remote_pac test so we check if LogonSamLogon actually
succeeds
Signed-off-by: Andrew Bartlett <[email protected]>
Pair-programmed-with: Garming Sam <[email protected]>
Signed-off-by: Garming Sam <[email protected]>
Autobuild-User(master): Andrew Bartlett <[email protected]>
Autobuild-Date(master): Thu Dec 18 02:51:02 CET 2014 on sn-devel-104
commit 933305ad4ac03735f891c5043916b42be1a1c771
Author: Andrew Bartlett <[email protected]>
Date: Tue Dec 16 17:19:55 2014 +1300
torture: Improve winbindd.pac test to check multiple GENSEC mechanims
Signed-off-by: Andrew Bartlett <[email protected]>
Pair-programmed-with: Garming Sam <[email protected]>
commit 121bbc01842db03570623eadcbb97edab30ca651
Author: Andrew Bartlett <[email protected]>
Date: Thu Dec 18 11:03:44 2014 +1300
gensec_krb5: Match behaviour of gensec_gssapi for password-based keytabs
This allows the winbind.pac.krb5 test to pass against the s3member
environment, which uses the password from secrets.tdb.
Andrew Bartlett
Reviewed-by: Garming Sam <[email protected]>
Signed-off-by: Andrew Bartlett <[email protected]>
commit 64f5984273fac19282fa1dd77c773840030a4ccb
Author: Garming Sam <[email protected]>
Date: Tue Dec 16 14:54:14 2014 +1300
test: improve kinit kerberos tests
For enterprise and windows style kinit, a UPN is now configured.
There are now additional smbclient calls and added cache removals
to make the tests more robust.
Change-Id: I7c58ae4c9f303ca74a52878aa5dce2cc5f7d6742
Pair-programmed-with: Andrew Bartlett <[email protected]>
Signed-off-by: Garming Sam <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
Reviewed-by: Garming Sam <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source4/auth/gensec/gensec_krb5.c | 10 ++++++
source4/torture/rpc/remote_pac.c | 2 ++
source4/torture/winbind/winbind.c | 67 +++++++++++++++++++++++++++++++++------
testprogs/blackbox/test_kinit.sh | 44 +++++++++++++++++++++----
4 files changed, 107 insertions(+), 16 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/gensec/gensec_krb5.c
b/source4/auth/gensec/gensec_krb5.c
index c34c434..a81dfc3 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -591,6 +591,16 @@ static NTSTATUS gensec_krb5_update(struct gensec_security
*gensec_security,
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
+ if (keytab->password_based || obtained < CRED_SPECIFIED) {
+ /*
+ * Use match-by-key in this case (matches
+ * cli_credentials_get_server_gss_creds()
+ * behaviour). No need to free the memory,
+ * this is handled with a talloc destructor.
+ */
+ server_in_keytab = NULL;
+ }
+
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows
it to be omited) */
if (gensec_krb5_state->gssapi
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in,
&unwrapped_in, tok_id)) {
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 7ea123b..e5e12bf 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -725,6 +725,8 @@ static bool test_S2U4Self(struct torture_context *tctx,
&r.out.return_authenticator->cred),
"Credential chaining failed");
+ torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
+
status = make_user_info_dc_netlogon_validation(tmp_ctx,
ninfo.identity_info.account_name.string,
r.in.validation_level,
diff --git a/source4/torture/winbind/winbind.c
b/source4/torture/winbind/winbind.c
index a47617a..29ef5db 100644
--- a/source4/torture/winbind/winbind.c
+++ b/source4/torture/winbind/winbind.c
@@ -175,12 +175,15 @@ static bool torture_decode_compare_pac(struct
torture_context *tctx,
return true;
}
-static bool torture_winbind_pac(struct torture_context *tctx)
+static bool torture_winbind_pac(struct torture_context *tctx,
+ const char *sasl_mech,
+ const char *mech)
{
NTSTATUS status;
struct gensec_security *gensec_client_context;
struct gensec_security *gensec_server_context;
+ struct cli_credentials *machine_credentials;
DATA_BLOB client_to_server, server_to_client;
@@ -191,6 +194,14 @@ static bool torture_winbind_pac(struct torture_context
*tctx)
TALLOC_CTX *tmp_ctx = talloc_new(tctx);
torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
+ machine_credentials = cli_credentials_init(tmp_ctx);
+ torture_assert(tctx, machine_credentials != NULL,
"cli_credentials_init() failed");
+
+ cli_credentials_set_conf(machine_credentials, tctx->lp_ctx);
+
+ status = cli_credentials_set_machine_account(machine_credentials,
tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status, "
cli_credentials_set_machine_account() (for server) failed");
+
auth_context = talloc_zero(tmp_ctx, struct auth4_context);
torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
@@ -200,25 +211,36 @@ static bool torture_winbind_pac(struct torture_context
*tctx)
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client)
failed");
- status = gensec_set_target_hostname(gensec_client_context,
cli_credentials_get_workstation(cmdline_credentials));
+ status = gensec_set_target_hostname(gensec_client_context,
cli_credentials_get_workstation(machine_credentials));
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname
(client) failed");
status = gensec_set_credentials(gensec_client_context,
cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials
(client) failed");
- status = gensec_start_mech_by_sasl_name(gensec_client_context,
"GSSAPI");
- torture_assert_ntstatus_ok(tctx, status,
"gensec_start_mech_by_sasl_name (client) failed");
+ if (sasl_mech) {
+ status = gensec_start_mech_by_sasl_name(gensec_client_context,
sasl_mech);
+ torture_assert_ntstatus_ok(tctx, status,
"gensec_start_mech_by_sasl_name (client) failed");
+ } else {
+ status = gensec_start_mech_by_name(gensec_client_context, mech);
+ torture_assert_ntstatus_ok(tctx, status,
"gensec_start_mech_by_name (client) failed");
+ }
+
status = gensec_server_start(tctx,
lpcfg_gensec_settings(tctx, tctx->lp_ctx),
auth_context, &gensec_server_context);
torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server)
failed");
- status = gensec_set_credentials(gensec_server_context,
cmdline_credentials);
+ status = gensec_set_credentials(gensec_server_context,
machine_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials
(server) failed");
- status = gensec_start_mech_by_sasl_name(gensec_server_context,
"GSSAPI");
- torture_assert_ntstatus_ok(tctx, status,
"gensec_start_mech_by_sasl_name (server) failed");
+ if (sasl_mech) {
+ status = gensec_start_mech_by_sasl_name(gensec_server_context,
sasl_mech);
+ torture_assert_ntstatus_ok(tctx, status,
"gensec_start_mech_by_sasl_name (server) failed");
+ } else {
+ status = gensec_start_mech_by_name(gensec_server_context, mech);
+ torture_assert_ntstatus_ok(tctx, status,
"gensec_start_mech_by_name (server) failed");
+ }
server_to_client = data_blob(NULL, 0);
@@ -253,14 +275,39 @@ static bool torture_winbind_pac(struct torture_context
*tctx)
return true;
}
+static bool torture_winbind_pac_gssapi(struct torture_context *tctx)
+{
+ return torture_winbind_pac(tctx, "GSSAPI", NULL);
+}
+
+static bool torture_winbind_pac_gss_spnego(struct torture_context *tctx)
+{
+ return torture_winbind_pac(tctx, "GSS-SPNEGO", NULL);
+}
+
+static bool torture_winbind_pac_krb5(struct torture_context *tctx)
+{
+ return torture_winbind_pac(tctx, NULL, "krb5");
+}
+
NTSTATUS torture_winbind_init(void)
{
struct torture_suite *suite =
torture_suite_create(talloc_autofree_context(), "winbind");
-
+ struct torture_suite *pac_suite;
torture_suite_add_suite(suite, torture_winbind_struct_init());
torture_suite_add_suite(suite, torture_wbclient());
- torture_suite_add_simple_test(suite,
- "pac", torture_winbind_pac);
+
+ pac_suite = torture_suite_create(talloc_autofree_context(), "pac");
+ torture_suite_add_simple_test(pac_suite,
+ "GSSAPI", torture_winbind_pac_gssapi);
+ torture_suite_add_simple_test(pac_suite,
+ "GSS-SPNEGO",
torture_winbind_pac_gss_spnego);
+ torture_suite_add_simple_test(pac_suite,
+ "krb5", torture_winbind_pac_krb5);
+
+ pac_suite->description = talloc_strdup(suite, "Winbind Kerberos PAC
tests");
+
+ torture_suite_add_suite(suite, pac_suite);
suite->description = talloc_strdup(suite, "WINBIND tests");
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 6ec1eaf..cc235c2 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -71,16 +71,25 @@ enctype="-e $ENCTYPE"
PWSETCONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD"
export PWSETCONFIG
-KRB5CCNAME="$PREFIX/tmpccache"
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME
+rm -rf $KRB5CCNAME_PATH
testit "reset password policies beside of minimum password age of 0 days"
$VALGRIND $samba_tool domain passwordsettings $PWSETCONFIG set
--complexity=default --history-length=default --min-pwd-length=default
--min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
echo $PASSWORD > $PREFIX/tmppassfile
#testit "kinit with keytab" $samba4kinit $enctype
--keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM || failed=`expr
$failed + 1`
testit "kinit with password" $samba4kinit $enctype
--password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM ||
failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache" 'ls' -k yes ||
failed=`expr $failed + 1`
+
testit "kinit with password (enterprise style)" $samba4kinit $enctype
--enterprise --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM
|| failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache" 'ls' -k yes ||
failed=`expr $failed + 1`
+
testit "kinit with password (windows style)" $samba4kinit $enctype
--renewable --windows --password-file=$PREFIX/tmppassfile --request-pac
$USERNAME@$REALM || failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache" 'ls' -k yes ||
failed=`expr $failed + 1`
+
testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R
test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr
$failed + 1`
@@ -99,17 +108,21 @@ dn: cn=nettestuser,cn=users,$BASEDN
changetype: modify
add: servicePrincipalName
servicePrincipalName: host/nettestuser
+replace: userPrincipalName
+userPrincipalName: nettest@$REALM
EOF
-testit "modify servicePrincipalName" $VALGRIND $ldbmodify -H ldap://$SERVER
$PREFIX/tmpldbmodify -k yes $@ || failed=`expr $failed + 1`
+testit "modify servicePrincipalName and userPrincpalName" $VALGRIND $ldbmodify
-H ldap://$SERVER $PREFIX/tmpldbmodify -k yes $@ || failed=`expr $failed + 1`
testit "set user password with kerberos ccache" $VALGRIND $samba_tool user
setpassword nettestuser --newpassword=$USERPASS $CONFIGURATION -k yes $@ ||
failed=`expr $failed + 1`
testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser
-H ldap://$SERVER -k yes $@ || failed=`expr $failed + 1`
-KRB5CCNAME="$PREFIX/tmpuserccache"
+KRB5CCNAME_PATH="$PREFIX/tmpuserccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME
+rm -f $KRB5CCNAME_PATH
testit "kinit with user password" $samba4kinit $enctype
--password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM ||
failed=`expr $failed + 1`
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes ||
failed=`expr $failed + 1`
@@ -118,11 +131,25 @@ NEWUSERPASS=testPaSS@34%
testit "change user password with 'samba-tool user password' (rpc)" $VALGRIND
$samba_tool user password -W$DOMAIN -Unettestuser%$USERPASS $CONFIGURATION -k
no --newpassword=$NEWUSERPASS $@ || failed=`expr $failed + 1`
echo $NEWUSERPASS > $PREFIX/tmpuserpassfile
+rm -f $KRB5CCNAME_PATH
testit "kinit with user password" $samba4kinit $enctype
--password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM ||
failed=`expr $failed + 1`
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes ||
failed=`expr $failed + 1`
+rm -f $KRB5CCNAME_PATH
+testit "kinit with password (NT-Principal style) using UPN" $samba4kinit
$enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM
|| failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls'
-k yes || failed=`expr $failed + 1`
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with password (enterprise style) using UPN" $samba4kinit
$enctype --enterprise --password-file=$PREFIX/tmpuserpassfile --request-pac
nettest@$REALM || failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls'
-k yes || failed=`expr $failed + 1`
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with password (windows style) using UPN" $samba4kinit $enctype
--renewable --windows --password-file=$PREFIX/tmpuserpassfile --request-pac
nettest@$REALM || failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache from windows UPN" 'ls' -k
yes || failed=`expr $failed + 1`
+
+
USERPASS=$NEWUSERPASS
NEWUSERPASS=testPaSS@56%
echo $NEWUSERPASS > $PREFIX/tmpuserpassfile
@@ -139,6 +166,7 @@ EOF
testit "change user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript
$samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
+rm -f $KRB5CCNAME_PATH
testit "kinit with user password" $samba4kinit $enctype
--password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM ||
failed=`expr $failed + 1`
NEWUSERPASS=testPaSS@78%
@@ -154,8 +182,9 @@ send ${NEWUSERPASS}\n
expect Success
EOF
-testit "set user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript
$samba4kpasswd --cache=$PREFIX/tmpccache nettestuser@$REALM || failed=`expr
$failed + 1`
+testit "set user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript
$samba4kpasswd --cache=$ADMIN_KRB5CCNAME nettestuser@$REALM || failed=`expr
$failed + 1`
+rm -f $KRB5CCNAME_PATH
testit "kinit with user password" $samba4kinit $enctype
--password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM ||
failed=`expr $failed + 1`
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes ||
failed=`expr $failed + 1`
@@ -210,16 +239,19 @@ testit "kinit with user password" $samba4kinit $enctype
--password-file=$PREFIX/
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes ||
failed=`expr $failed + 1`
-KRB5CCNAME="$PREFIX/tmpccache"
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME
+rm -rf $KRB5CCNAME_PATH
+
lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
test_smbclient "Test login with user kerberos lowercase realm" 'ls' -k yes
-Unettestuser@$lowerrealm%$NEWUSERPASS || failed=`expr $failed + 1`
test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' -k yes
-Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=`expr $failed +
1`
testit "del user with kerberos ccache" $VALGRIND $samba_tool user delete
nettestuser $CONFIGURATION -k yes $@ || failed=`expr $failed + 1`
-rm -f $KRB5CCNAME
+rm -f $KRB5CCNAME_PATH
testit "kinit with machineaccountccache script" $machineaccountccache
$CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1`
test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes
|| failed=`expr $failed + 1`
--
Samba Shared Repository
