The branch, master has been updated
via fb0d624 torture:smb2: improve torture_comments in connect test
via 78d7b23 torture:smb2: fix memory leak in connect test.
via 4d9484e torture:smb2: rewrite connect test to use torture_asserts
for create errors
via 358c09b torture:smb2: rewrite connect test to use torture_asserts
via def483c winbindd: move a variable into scope
via b3931af s3-kerberos: avoid entering a password change dialogue also
when using MIT.
from f6f43c4 winbind: Remove unused WINBINDD_UID_TO_SID
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit fb0d6244278baa97c35101480b18640796f86bf1
Author: Michael Adam <ob...@samba.org>
Date: Tue Feb 23 00:27:11 2016 +0100
torture:smb2: improve torture_comments in connect test
Signed-off-by: Michael Adam <ob...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Tue Feb 23 04:50:53 CET 2016 on sn-devel-144
commit 78d7b23f2f55ebdc3ed2a2abdd68a294a8ef99f7
Author: Michael Adam <ob...@samba.org>
Date: Mon Feb 22 23:23:13 2016 +0100
torture:smb2: fix memory leak in connect test.
Signed-off-by: Michael Adam <ob...@samba.org>
commit 4d9484e7c40cb3c3517538348fda521dafcd2f9a
Author: Michael Adam <ob...@samba.org>
Date: Mon Feb 22 16:22:14 2016 +0100
torture:smb2: rewrite connect test to use torture_asserts for create errors
let torture_smb2_createfile propagate errors
Signed-off-by: Michael Adam <ob...@samba.org>
commit 358c09b899f62b6f9ac9693b9101639c0cde8d3f
Author: Michael Adam <ob...@samba.org>
Date: Mon Feb 22 14:32:44 2016 +0100
torture:smb2: rewrite connect test to use torture_asserts
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit def483c81536be8bf49f27c536fb37bef3e0930e
Author: Michael Adam <ob...@samba.org>
Date: Mon Feb 22 15:18:26 2016 +0100
winbindd: move a variable into scope
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit b3931af2df293a9cb75f21cdb5555fb6725dff34
Author: Günther Deschner <g...@samba.org>
Date: Mon Feb 15 12:58:07 2016 +0100
s3-kerberos: avoid entering a password change dialogue also when using MIT.
Without this fix, for accounts with an expired password, a password change
process is initiated and - due to the prompter - this fails with a confusing
error message:
"kerberos_kinit_password administra...@w2k12dom.ber.redhat.com failed:
Password
mismatch
Failed to join domain: failed to connect to AD: Password mismatch"
Guenther
Signed-off-by: Guenther Deschner <g...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/libads/kerberos.c | 59 +++++++++++++++-----------
source3/winbindd/winbindd_misc.c | 2 +-
source4/torture/smb2/connect.c | 89 ++++++++++++++++------------------------
wscript_configure_system_mitkrb5 | 1 +
4 files changed, 73 insertions(+), 78 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 9a7a1e7..4774a9f 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data,
krb5_prompt prompts[])
{
if (num_prompts == 0) return 0;
-#if HAVE_KRB5_PROMPT_TYPE
-
- /*
- * only heimdal has a prompt type and we need to deal with it here to
- * avoid loops.
- *
- * removing the prompter completely is not an option as at least these
- * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
- * version have looping detection and return with a proper error code.
- */
-
- if ((num_prompts == 2) &&
- (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
- (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+ if (num_prompts == 2) {
/*
- * We don't want to change passwords here. We're
- * called from heimal when the KDC returns
- * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
- * have the chance to ask the user for a new
- * password. If we return 0 (i.e. success), we will be
- * spinning in the endless for-loop in
- * change_password() in
- * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+ * only heimdal has a prompt type and we need to deal with it
here to
+ * avoid loops.
+ *
+ * removing the prompter completely is not an option as at
least these
+ * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later
heimdal
+ * version have looping detection and return with a proper
error code.
*/
- return KRB5KDC_ERR_KEY_EXPIRED;
+
+#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
+ if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+ prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+ /*
+ * We don't want to change passwords here. We're
+ * called from heimal when the KDC returns
+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+ * have the chance to ask the user for a new
+ * password. If we return 0 (i.e. success), we will be
+ * spinning in the endless for-loop in
+ * change_password() in
+ * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+ */
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
+ krb5_prompt_type *prompt_types = NULL;
+
+ prompt_types = krb5_get_prompt_types(ctx);
+ if (prompt_types != NULL) {
+ if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+ prompt_types[1] ==
KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+ return KRB5KDC_ERR_KEY_EXP;
+ }
+ }
+#endif
}
-#endif /* HAVE_KRB5_PROMPT_TYPE */
+
memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
if (prompts[0].reply->length > 0) {
if (data) {
diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
index 29831aa..3e024c9 100644
--- a/source3/winbindd/winbindd_misc.c
+++ b/source3/winbindd/winbindd_misc.c
@@ -88,7 +88,6 @@ static bool trust_is_transitive(struct winbindd_tdc_domain
*domain)
void winbindd_list_trusted_domains(struct winbindd_cli_state *state)
{
struct winbindd_tdc_domain *dom_list = NULL;
- struct winbindd_tdc_domain *d = NULL;
size_t num_domains = 0;
int extra_data_len = 0;
char *extra_data = NULL;
@@ -111,6 +110,7 @@ void winbindd_list_trusted_domains(struct
winbindd_cli_state *state)
for ( i = 0; i < num_domains; i++ ) {
struct winbindd_domain *domain;
bool is_online = true;
+ struct winbindd_tdc_domain *d = NULL;
d = &dom_list[i];
domain = find_domain_from_name_noinit(d->domain_name);
diff --git a/source4/torture/smb2/connect.c b/source4/torture/smb2/connect.c
index 0067de0..6340430 100644
--- a/source4/torture/smb2/connect.c
+++ b/source4/torture/smb2/connect.c
@@ -90,7 +90,7 @@ static NTSTATUS torture_smb2_write(struct torture_context
*tctx, struct smb2_tre
status = smb2_write(tree, &w);
if (!NT_STATUS_IS_OK(status)) {
- printf("write failed - %s\n", nt_errstr(status));
+ printf("write 1 failed - %s\n", nt_errstr(status));
return status;
}
@@ -98,7 +98,7 @@ static NTSTATUS torture_smb2_write(struct torture_context
*tctx, struct smb2_tre
status = smb2_write(tree, &w);
if (!NT_STATUS_IS_OK(status)) {
- printf("write failed - %s\n", nt_errstr(status));
+ printf("write 2 failed - %s\n", nt_errstr(status));
return status;
}
@@ -137,8 +137,9 @@ static NTSTATUS torture_smb2_write(struct torture_context
*tctx, struct smb2_tre
/*
send a create
*/
-static struct smb2_handle torture_smb2_createfile(struct smb2_tree *tree,
- const char *fname)
+static NTSTATUS torture_smb2_createfile(struct smb2_tree *tree,
+ const char *fname,
+ struct smb2_handle *handle)
{
struct smb2_create io;
NTSTATUS status;
@@ -158,8 +159,8 @@ static struct smb2_handle torture_smb2_createfile(struct
smb2_tree *tree,
status = smb2_create(tree, tmp_ctx, &io);
if (!NT_STATUS_IS_OK(status)) {
- printf("create1 failed - %s\n", nt_errstr(status));
- return io.out.file.handle;
+ TALLOC_FREE(tmp_ctx);
+ return status;
}
if (DEBUGLVL(1)) {
@@ -179,8 +180,10 @@ static struct smb2_handle torture_smb2_createfile(struct
smb2_tree *tree,
}
talloc_free(tmp_ctx);
-
- return io.out.file.handle;
+
+ *handle = io.out.file.handle;
+
+ return NT_STATUS_OK;
}
@@ -194,74 +197,54 @@ bool torture_smb2_connect(struct torture_context *torture)
struct smb2_request *req;
struct smb2_handle h1, h2;
NTSTATUS status;
+ bool ok;
- if (!torture_smb2_connection(torture, &tree)) {
- return false;
- }
+ ok = torture_smb2_connection(torture, &tree);
+ torture_assert(torture, ok, "torture_smb2_connection failed");
smb2_util_unlink(tree, "test9.dat");
- h1 = torture_smb2_createfile(tree, "test9.dat");
- h2 = torture_smb2_createfile(tree, "test9.dat");
+ status = torture_smb2_createfile(tree, "test9.dat", &h1);
+ torture_assert_ntstatus_ok(torture, status, "create failed");
+
+ status = torture_smb2_createfile(tree, "test9.dat", &h2);
+ torture_assert_ntstatus_ok(torture, status, "create failed");
+
status = torture_smb2_write(torture, tree, h1);
- if (!NT_STATUS_IS_OK(status)) {
- printf("Write failed - %s\n", nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_ok(torture, status, "write failed");
+
status = torture_smb2_close(tree, h1);
- if (!NT_STATUS_IS_OK(status)) {
- printf("Close failed - %s\n", nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_ok(torture, status, "close failed");
+
status = torture_smb2_close(tree, h2);
- if (!NT_STATUS_IS_OK(status)) {
- printf("Close failed - %s\n", nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_ok(torture, status, "close failed");
status = smb2_util_close(tree, h1);
- if (!NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) {
- printf("close should have closed the handle - %s\n",
nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_equal(torture, status, NT_STATUS_FILE_CLOSED,
+ "close should have closed the handle");
status = smb2_tdis(tree);
- if (!NT_STATUS_IS_OK(status)) {
- printf("tdis failed - %s\n", nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_ok(torture, status, "tdis failed");
status = smb2_tdis(tree);
- if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED)) {
- printf("tdis should have disabled session - %s\n",
nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_equal(torture, status,
+ NT_STATUS_NETWORK_NAME_DELETED,
+ "tdis should have closed the tcon");
status = smb2_logoff(tree->session);
- if (!NT_STATUS_IS_OK(status)) {
- printf("Logoff failed - %s\n", nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_ok(torture, status, "logoff failed");
req = smb2_logoff_send(tree->session);
- if (!req) {
- printf("smb2_logoff_send() failed\n");
- return false;
- }
+ torture_assert_not_null(torture, req, "smb2_logoff_send failed");
req->session = NULL;
status = smb2_logoff_recv(req);
- if (!NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
- printf("Logoff should have disabled session - %s\n",
nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_equal(torture, status,
NT_STATUS_USER_SESSION_DELETED,
+ "logoff should have disabled session");
status = smb2_keepalive(tree->session->transport);
- if (!NT_STATUS_IS_OK(status)) {
- printf("keepalive failed? - %s\n", nt_errstr(status));
- return false;
- }
+ torture_assert_ntstatus_ok(torture, status, "keepalive failed");
talloc_free(mem_ctx);
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 4b3a69f..9c1ad8f 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -115,6 +115,7 @@ conf.CHECK_FUNCS('''
krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type
krb5_principal_set_type
krb5_warnx
+ krb5_get_prompt_types
''',
lib='krb5 k5crypto')
conf.CHECK_DECLS('''krb5_get_credentials_for_user
--
Samba Shared Repository
