The branch, master has been updated
       via  02f6cfd torture-krb5: Add an initial test for s4u2self behaviour
       via  a1ddee8 kdc: Fix S4U2Self handling with 
KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN
       via  7bef5e4 talloc: version 2.1.2
       via  3929abf talloc: fix _talloc_total_limit_size prototype
      from  6b0cece lib: talloc: Test suite for the new destructor reparent 
logic.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 02f6cfd14c8ac15b5d8a55783bb98a87557394d5
Author: Andrew Bartlett <[email protected]>
Date:   Mon Mar 9 11:12:01 2015 +1300

    torture-krb5: Add an initial test for s4u2self behaviour
    
    This test only checks for S4U2Self of the same user, but shows
    that a user account is not a valid service for this purpose.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Mon Mar  9 12:10:09 CET 2015 on sn-devel-104

commit a1ddee8d2f9e58e04f3203db9afa576354dd2079
Author: Andrew Bartlett <[email protected]>
Date:   Mon Mar 9 16:00:56 2015 +1300

    kdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a 
UPN
    
    This is now handled properly by samba_kdc_lookup_server() and this wrapper 
actually
    breaks things.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 7bef5e4f0e5ff4a4187f3d63e51a1725ff32b771
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Mar 9 09:07:24 2015 +0100

    talloc: version 2.1.2
    
    Changes:
    - Allow destructors to reparent the object
    - Allow destructors to remove itself
    - Build improvements
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Günther Deschner <[email protected]>

commit 3929abfc6b5a3ae8a27da57d4dbee9524e3585e3
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 27 13:07:34 2015 +0100

    talloc: fix _talloc_total_limit_size prototype
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 ...loc-util-2.0.6.sigs => pytalloc-util-2.1.2.sigs} |  0
 .../ABI/{talloc-2.1.0.sigs => talloc-2.1.2.sigs}    |  0
 lib/talloc/talloc.c                                 |  2 +-
 lib/talloc/wscript                                  |  2 +-
 source4/kdc/db-glue.c                               | 21 ---------------------
 source4/torture/krb5/kdc-canon.c                    | 18 +++++++++++++++---
 6 files changed, 17 insertions(+), 26 deletions(-)
 copy lib/talloc/ABI/{pytalloc-util-2.0.6.sigs => pytalloc-util-2.1.2.sigs} 
(100%)
 copy lib/talloc/ABI/{talloc-2.1.0.sigs => talloc-2.1.2.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/talloc/ABI/pytalloc-util-2.0.6.sigs 
b/lib/talloc/ABI/pytalloc-util-2.1.2.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util-2.0.6.sigs
copy to lib/talloc/ABI/pytalloc-util-2.1.2.sigs
diff --git a/lib/talloc/ABI/talloc-2.1.0.sigs b/lib/talloc/ABI/talloc-2.1.2.sigs
similarity index 100%
copy from lib/talloc/ABI/talloc-2.1.0.sigs
copy to lib/talloc/ABI/talloc-2.1.2.sigs
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 46f10f4..c10fd53 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1064,7 +1064,7 @@ static inline int _talloc_free_internal(void *ptr, const 
char *location)
        return 0;
 }
 
-static size_t _talloc_total_limit_size(const void *ptr,
+static inline size_t _talloc_total_limit_size(const void *ptr,
                                        struct talloc_memlimit *old_limit,
                                        struct talloc_memlimit *new_limit);
 
diff --git a/lib/talloc/wscript b/lib/talloc/wscript
index 986492c..97c52c3 100644
--- a/lib/talloc/wscript
+++ b/lib/talloc/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'talloc'
-VERSION = '2.1.1'
+VERSION = '2.1.2'
 
 
 blddir = 'bin'
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aa73641..0bc907e 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1839,7 +1839,6 @@ samba_kdc_check_s4u2self(krb5_context context,
                         krb5_const_principal target_principal)
 {
        krb5_error_code ret;
-       krb5_principal enterprise_prinicpal = NULL;
        struct ldb_dn *realm_dn;
        struct ldb_message *msg;
        struct dom_sid *orig_sid;
@@ -1857,30 +1856,10 @@ samba_kdc_check_s4u2self(krb5_context context,
                return ret;
        }
 
-       if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
-               /* Need to reparse the enterprise principal to find the real 
target */
-               if (target_principal->name.name_string.len != 1) {
-                       ret = KRB5_PARSE_MALFORMED;
-                       krb5_set_error_message(context, ret, 
"samba_kdc_check_s4u2self: request for delegation to enterprise principal with 
wrong (%d) number of components",
-                                              
target_principal->name.name_string.len);
-                       talloc_free(mem_ctx);
-                       return ret;
-               }
-               ret = krb5_parse_name(context, 
target_principal->name.name_string.val[0],
-                                     &enterprise_prinicpal);
-               if (ret) {
-                       talloc_free(mem_ctx);
-                       return ret;
-               }
-               target_principal = enterprise_prinicpal;
-       }
-
        ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, 
target_principal,
                                      HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
                                      delegation_check_attrs, &realm_dn, &msg);
 
-       krb5_free_principal(context, enterprise_prinicpal);
-
        if (ret != 0) {
                talloc_free(mem_ctx);
                return ret;
diff --git a/source4/torture/krb5/kdc-canon.c b/source4/torture/krb5/kdc-canon.c
index 312c7b5..49c6c26 100644
--- a/source4/torture/krb5/kdc-canon.c
+++ b/source4/torture/krb5/kdc-canon.c
@@ -37,7 +37,8 @@
 #define TEST_NETBIOS_REALM    0x0000010
 #define TEST_WIN2K            0x0000020
 #define TEST_UPN              0x0000040
-#define TEST_ALL              0x000007F
+#define TEST_S4U2SELF         0x0000080
+#define TEST_ALL              0x00000FF
 
 struct test_data {
        const char *test_name;
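Review bot: `TEST_ALL` is raised to `0x00000FF`, but the registration loop further down in torture_krb5_canon() still runs `for (i = 0; i < TEST_ALL; i++)`, so the combination with every flag set (0xFF, which includes the new `TEST_S4U2SELF` bit) is never registered as a test case. If `TEST_ALL` is meant as the mask of all valid bits, the bound should be `i <= TEST_ALL`. If skipping the all-flags case is deliberate, a comment beside the define such as `/* exclusive upper bound: the all-flags combination is not run */` would make that explicit. The same bound applied with the previous value 0x7F, so this appears to predate the commit, but adding a flag is a good moment to settle it.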
@@ -54,6 +55,7 @@ struct test_data {
        bool win2k;
        bool upn;
        bool other_upn_suffix;
+       bool s4u2self;
        const char *krb5_service;
        const char *krb5_hostname;
 };     
@@ -1665,6 +1667,14 @@ static bool torture_krb5_as_req_canon(struct 
torture_context *tctx, const void *
                                       opt,
                                       KRB5_GC_NO_STORE);
 
+       if (test_data->s4u2self) {
+               torture_assert_int_equal(tctx,
+                                        
krb5_get_creds_opt_set_impersonate(k5_context,
+                                                                           opt,
+                                                                           
principal),
+                                        0, "krb5_get_creds_opt_set_impersonate 
failed");
+       }
+
        /* Confirm if we can get a ticket to our own name */
        k5ret = krb5_get_creds(k5_context, opt, ccache, principal, 
&server_creds);
 
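Review bot: The new `s4u2self` branch passes `principal` to krb5_get_creds_opt_set_impersonate(), and the krb5_get_creds() call that follows requests a ticket for that same `principal`, so only S4U2Self-to-self is exercised. A comment on the branch would record that, e.g. `/* S4U2Self: impersonate the same principal we request the ticket for */`. The checks on `k5ret` lie outside this hunk, so it cannot be confirmed from here whether the s4u2self case asserts the specific error expected when the target is a user account rather than a service; pinning that error code would keep the test from passing on an unrelated failure. torture_krb5_as_req_canon() starts and ends outside the hunk.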
@@ -2051,14 +2061,15 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX 
*mem_ctx)
        suite->description = talloc_strdup(suite, "Kerberos Canonicalisation 
tests");
 
        for (i = 0; i < TEST_ALL; i++) {
-               char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s.%s",
+               char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s.%s.%s",
                                             (i & TEST_CANONICALIZE) ? "canon" 
: "no-canon",
                                             (i & TEST_ENTERPRISE) ? 
"enterprise" : "no-enterprise",
                                             (i & TEST_UPPER_REALM) ? 
"uc-realm" : "lc-realm",
                                             (i & TEST_UPPER_USERNAME) ? 
"uc-user" : "lc-user",
                                             (i & TEST_NETBIOS_REALM) ? 
"netbios-realm" : "krb5-realm",
                                             (i & TEST_WIN2K) ? "win2k" : 
"no-win2k",
-                                            (i & TEST_UPN) ? "upn" : "no-upn");
+                                            (i & TEST_UPN) ? "upn" : "no-upn",
+                                            (i & TEST_S4U2SELF) ? "s4u2self" : 
"normal");
 
                struct test_data *test_data = talloc_zero(suite, struct 
test_data);
 
@@ -2075,6 +2086,7 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX 
*mem_ctx)
                test_data->netbios_realm = (i & TEST_NETBIOS_REALM) != 0;
                test_data->win2k = (i & TEST_WIN2K) != 0;
                test_data->upn = (i & TEST_UPN) != 0;
+               test_data->s4u2self = (i & TEST_S4U2SELF) != 0;
                torture_suite_add_simple_tcase_const(suite, name, 
torture_krb5_as_req_canon,
                                                     test_data);
                                                     


-- 
Samba Shared Repository
