The branch, master has been updated
via c06058a s3-auth: check for return code of cli_credentials_set_machine_account().
via fe93a09 s4-smb_server: check for return code of cli_credentials_set_machine_account().
via 31f07d0 s4:rpc_server: require access to the machine account credentials
via 57946ac auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
via cc3dea5 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
via 733ccd1 s4:torture/rpc/schannel: don't use validation level 6 without privacy
via 5058168 s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
via 050a1d0 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
via 26e5ef6 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
via 1a7d8b8 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
via f9a1915 s3:test_rpcclient_samlogon.sh: test samlogon with schannel
via 2c36501 s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
via b00c38a selftest: setup information of new samba.example.com CA in the client environment
via b2c0f71 selftest: set tls crlfile if it exists
via c321a59 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
via a6447fd selftest: add Samba::prepare_keyblobs() helper function
via 2a96885 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
via 1928f08 selftest: add CA-samba.example.com binary files (currently unused by Samba)
via 520c85a selftest: add CA-samba.example.com (non-binary) files
via bdc1f03 selftest: add config and script to create a samba.example.com CA
via b0bdbee selftest: add some helper scripts to manage a CA
via c561a42 selftest: s!addc.samba.example.com!addom.samba.example.com!
from bcb6714 ctdb-tests: Add a utility to parse ctdb packets
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c06058a99be4cf3ad3431dc263d4595ffc226fcf
Author: Günther Deschner <[email protected]>
Date: Sat Sep 26 02:20:50 2015 +0200
s3-auth: check for return code of cli_credentials_set_machine_account().
Guenther
Signed-off-by: Günther Deschner <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Autobuild-User(master): Stefan Metzmacher <[email protected]>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144
commit fe93a09889a854d7c93f9b349d5794bdbb9403ba
Author: Günther Deschner <[email protected]>
Date: Sat Sep 26 02:18:44 2015 +0200
s4-smb_server: check for return code of
cli_credentials_set_machine_account().
We keep an anonymous server_credentials structure in order to let
the rpc.spoolss.notify start its test server.
Pair-Programmed-With: Stefan Metzmacher <[email protected]>
Signed-off-by: Günther Deschner <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
commit 31f07d05629bc05ef99edc86ad2a3e95ec8599f1
Author: Stefan Metzmacher <[email protected]>
Date: Fri Jun 26 08:10:46 2015 +0200
s4:rpc_server: require access to the machine account credentials
Even a standalone server should be self-joined.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 57946ac7c19c4e9bd8893c3acb9daf7c4bd02159
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 15 15:08:43 2015 +0100
auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
We only need this logic once.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit cc3dea5a8104eef2cfd1f8c05e25da186c334320
Author: Stefan Metzmacher <[email protected]>
Date: Fri Jul 10 13:01:47 2015 +0200
auth/gensec: make sure gensec_security_by_auth_type() returns NULL for
AUTH_TYPE_NONE
ops->auth_type == 0 means the backend doesn't support DCERPC.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 733ccd13209c20f8e76ae7b47e1741791c1cd6ba
Author: Stefan Metzmacher <[email protected]>
Date: Fri Mar 11 02:55:30 2016 +0100
s4:torture/rpc/schannel: don't use validation level 6 without privacy
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 50581689d924032de1765ec884dbd160652888be
Author: Stefan Metzmacher <[email protected]>
Date: Fri Mar 11 18:09:26 2016 +0100
s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName()
without NCACN_NP
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 050a1d0653716fd7c166d35a7236a014bf1d1516
Author: Stefan Metzmacher <[email protected]>
Date: Mon Mar 14 01:56:07 2016 +0100
s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and
validation level 6
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 26e5ef68188d2e44d42f75ed6aabf2557c9ce5ce
Author: Stefan Metzmacher <[email protected]>
Date: Thu Mar 10 17:24:03 2016 +0100
s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 1a7d8b8602a687ff6eef45f15f597694e94e14b1
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 22 12:10:12 2015 +0100
s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
This creates a schannel connection to netlogon, which makes the tests
more realistic.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit f9a1915238dc7a573c58dd8c7bac3637689af265
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 22 09:13:46 2015 +0100
s3:test_rpcclient_samlogon.sh: test samlogon with schannel
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 2c36501640207604a5c66fb582c2d5981619147e
Author: Stefan Metzmacher <[email protected]>
Date: Fri Dec 18 07:10:06 2015 +0100
s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to
be realistic
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit b00c38afc6203f1e1f566db31a63cedba632dfab
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: setup information of new samba.example.com CA in the client
environment
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit b2c0f71db026353060ad47fd0a85241a3df8c703
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: set tls crlfile if it exists
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit c321a59f267d1a997eff6f864a79437ef759adeb
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit a6447fd6d010b525d235b894d5be62c807922cb5
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 21:21:25 2016 +0100
selftest: add Samba::prepare_keyblobs() helper function
This copies the certificates from the samba.example.com CA if they
exist.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 2a96885ac706ae3e7c6fd7aaff0215f3f171bc27
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 01:06:05 2016 +0100
selftest: mark commands in manage-CA-samba.example.com.sh as DONE
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 1928f081067079b945354dc2caf21d3fe8a5e2a2
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 01:09:31 2016 +0100
selftest: add CA-samba.example.com binary files (currently unused by Samba)
This patch can be skipped when it causes problems with tools like 'patch'.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit 520c85a15fa1f4718e2e793303327abea22db149
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 01:09:31 2016 +0100
selftest: add CA-samba.example.com (non-binary) files
The binary files will follow in the next commit; this allows that
commit to be skipped, as the binary files are not used by Samba yet.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit bdc1f036a8a66256afe8dc88f8a9dc47655640bd
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 01:08:02 2016 +0100
selftest: add config and script to create a samba.example.com CA
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit b0bdbeeef44259782c9941b5cfff7d4925e1f2f2
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 9 01:06:05 2016 +0100
selftest: add some helper scripts to manage a CA
This is partly based on the SmartCard HowTo from:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
commit c561a42ff68bc4561147839e3a65951924f6af21
Author: Stefan Metzmacher <[email protected]>
Date: Sat Jan 16 13:57:47 2016 +0100
selftest: s!addc.samba.example.com!addom.samba.example.com!
It's confusing to have addc.samba.example.com as domain name
and addc.addc.samba.example.com as hostname.
We now have addom.samba.example.com as domain name
and addc.addom.samba.example.com as hostname.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/gensec.c | 103 +++---
auth/gensec/gensec_start.c | 8 +-
.../DC-addc.addom.samba.example.com-S02-cert.cer | Bin 0 -> 2552 bytes
.../DC-addc.addom.samba.example.com-S02-cert.pem | 191 ++++++++++
.../DC-addc.addom.samba.example.com-S02-key.pem | 54 +++
...DC-addc.addom.samba.example.com-S02-openssl.cnf | 250 +++++++++++++
...ddc.addom.samba.example.com-S02-private-key.pem | 51 +++
...DC-addc.addom.samba.example.com-S02-private.p12 | Bin 0 -> 5309 bytes
.../DC-addc.addom.samba.example.com-S02-req.pem | 30 ++
.../DC-addc.addom.samba.example.com-cert.pem | 1 +
...DC-addc.addom.samba.example.com-private-key.pem | 1 +
.../DC-localdc.samba.example.com-S00-cert.cer | Bin 0 -> 2543 bytes
.../DC-localdc.samba.example.com-S00-cert.pem | 190 ++++++++++
.../DC-localdc.samba.example.com-S00-key.pem | 54 +++
.../DC-localdc.samba.example.com-S00-openssl.cnf | 250 +++++++++++++
...C-localdc.samba.example.com-S00-private-key.pem | 51 +++
.../DC-localdc.samba.example.com-S00-private.p12 | Bin 0 -> 5293 bytes
.../DC-localdc.samba.example.com-S00-req.pem | 30 ++
.../DC-localdc.samba.example.com-cert.pem | 1 +
.../DC-localdc.samba.example.com-private-key.pem | 1 +
.../manage-ca/CA-samba.example.com/NewCerts/00.pem | 190 ++++++++++
.../manage-ca/CA-samba.example.com/NewCerts/01.pem | 169 +++++++++
.../manage-ca/CA-samba.example.com/NewCerts/02.pem | 191 ++++++++++
.../manage-ca/CA-samba.example.com/NewCerts/03.pem | 169 +++++++++
.../Private/CA-samba.example.com-crlnumber.txt | 1 +
.../Private/CA-samba.example.com-crlnumber.txt.old | 1 +
.../Private/CA-samba.example.com-index.txt | 4 +
.../Private/CA-samba.example.com-index.txt.attr | 1 +
.../CA-samba.example.com-index.txt.attr.old | 1 +
.../Private/CA-samba.example.com-index.txt.old | 3 +
.../Private/CA-samba.example.com-openssl.cnf | 203 +++++++++++
.../Private/CA-samba.example.com-private-key.pem | 102 ++++++
.../Private/CA-samba.example.com-serial.txt | 1 +
.../Private/CA-samba.example.com-serial.txt.old | 1 +
.../Public/CA-samba.example.com-cert.cer | Bin 0 -> 2880 bytes
.../Public/CA-samba.example.com-cert.pem | 62 ++++
.../Public/CA-samba.example.com-crl.crl | Bin 0 -> 1401 bytes
.../Public/CA-samba.example.com-crl.pem | 32 ++
[email protected] | Bin 0 -> 2335 bytes
[email protected] | 169 +++++++++
[email protected] | 30 ++
[email protected] | 242 +++++++++++++
[email protected] | 27 ++
[email protected] | Bin 0 -> 3933 bytes
[email protected] | 19 +
[email protected] | 1 +
[email protected] | 1 +
[email protected] | Bin 0 -> 2305 bytes
[email protected] | 169 +++++++++
[email protected] | 30 ++
[email protected] | 242 +++++++++++++
[email protected] | 27 ++
[email protected] | Bin 0 -> 3909 bytes
[email protected] | 19 +
.../[email protected] | 1 +
[email protected] | 1 +
selftest/manage-ca/manage-CA-samba.example.com.cnf | 21 ++
selftest/manage-ca/manage-CA-samba.example.com.sh | 18 +
selftest/manage-ca/manage-ca.sh | 387 +++++++++++++++++++++
.../manage-CA-example.com.cnf | 17 +
.../openssl-BASE-template.cnf | 201 +++++++++++
.../manage-ca.templates.d/openssl-CA-template.cnf | 2 +
.../manage-ca.templates.d/openssl-DC-template.cnf | 49 +++
.../openssl-USER-template.cnf | 41 +++
selftest/selftest.pl | 39 +++
selftest/target/Samba.pm | 105 ++++++
selftest/target/Samba4.pm | 223 +-----------
source3/auth/auth_samba4.c | 4 +-
source3/script/tests/test_rpcclient_samlogon.sh | 11 +-
source3/selftest/tests.py | 4 +-
source4/rpc_server/dcesrv_auth.c | 8 +-
source4/smb_server/smb/negprot.c | 6 +-
source4/smb_server/smb2/negprot.c | 6 +-
source4/torture/rpc/forest_trust.c | 12 +-
source4/torture/rpc/lsa.c | 14 +-
source4/torture/rpc/netlogon.c | 100 +++++-
source4/torture/rpc/netlogon.h | 7 +
source4/torture/rpc/remote_pac.c | 34 +-
source4/torture/rpc/samlogon.c | 3 +-
source4/torture/rpc/samr.c | 3 +-
source4/torture/rpc/schannel.c | 27 +-
81 files changed, 4388 insertions(+), 329 deletions(-)
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private.p12
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.cer
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private.p12
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.cer
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.crl
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/[email protected]/[email protected]
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
create mode 100755 selftest/manage-ca/manage-ca.sh
create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
Changeset truncated at 500 lines:
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 9fd5f25..e3b1352 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -217,6 +217,50 @@ _PUBLIC_ size_t gensec_max_update_size(struct
gensec_security *gensec_security)
return gensec_security->max_update_size;
}
+static NTSTATUS gensec_verify_dcerpc_auth_level(struct gensec_security
*gensec_security)
+{
+ if (gensec_security->dcerpc_auth_level == 0) {
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * Because callers using the
+ * gensec_start_mech_by_auth_type() never call
+ * gensec_want_feature(), it isn't sensible for them
+ * to have to call gensec_have_feature() manually, and
+ * these are not points of negotiation, but are
+ * asserted by the client
+ */
+ switch (gensec_security->dcerpc_auth_level) {
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN))
{
+ DEBUG(0,("Did not manage to negotiate mandetory feature
"
+ "SIGN for dcerpc auth_level %u\n",
+ gensec_security->dcerpc_auth_level));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ break;
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN))
{
+ DEBUG(0,("Did not manage to negotiate mandetory feature
"
+ "SIGN for dcerpc auth_level %u\n",
+ gensec_security->dcerpc_auth_level));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL))
{
+ DEBUG(0,("Did not manage to negotiate mandetory feature
"
+ "SEAL for dcerpc auth_level %u\n",
+ gensec_security->dcerpc_auth_level));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ break;
+ default:
+ break;
+ }
+
+ return NT_STATUS_OK;
+}
+
_PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
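Review bot: the DEBUG strings in the new gensec_verify_dcerpc_auth_level() still spell "mandetory"; since this hunk is already moving the text, fix it to "mandatory" in all three messages (SIGN for INTEGRITY, SIGN and SEAL for PRIVACY) so log searches for the failure actually match. The `default: break;` arm accepts any other dcerpc_auth_level (CONNECT, PACKET or an unknown value) with neither a check nor a log line; that mirrors the switch being replaced, but a low-priority DEBUG there would make a silently downgraded negotiation much easier to diagnose from the logs.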
@@ -261,31 +305,9 @@ _PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security
*gensec_security,
* these are not points of negotiation, but are
* asserted by the client
*/
- switch (gensec_security->dcerpc_auth_level) {
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- if (!gensec_have_feature(gensec_security,
GENSEC_FEATURE_SIGN)) {
- DEBUG(0,("Did not manage to negotiate mandetory
feature "
- "SIGN for dcerpc auth_level %u\n",
- gensec_security->dcerpc_auth_level));
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- case DCERPC_AUTH_LEVEL_PRIVACY:
- if (!gensec_have_feature(gensec_security,
GENSEC_FEATURE_SIGN)) {
- DEBUG(0,("Did not manage to negotiate mandetory
feature "
- "SIGN for dcerpc auth_level %u\n",
- gensec_security->dcerpc_auth_level));
- return NT_STATUS_ACCESS_DENIED;
- }
- if (!gensec_have_feature(gensec_security,
GENSEC_FEATURE_SEAL)) {
- DEBUG(0,("Did not manage to negotiate mandetory
feature "
- "SEAL for dcerpc auth_level %u\n",
- gensec_security->dcerpc_auth_level));
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- default:
- break;
+ status = gensec_verify_dcerpc_auth_level(gensec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
return NT_STATUS_OK;
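Review bot: `status = gensec_verify_dcerpc_auth_level(gensec_security);` assigns to a `status` variable that this hunk neither declares nor shows in its context lines; confirm gensec_update_ev() already has an NTSTATUS `status` in scope at this point, otherwise the build breaks. The three context lines kept above the call ("these are not points of negotiation, but are asserted by the client") are now a verbatim copy of the comment inside the new helper; trim them to a one-line pointer so the reasoning lives in one place.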
@@ -458,34 +480,9 @@ static void gensec_update_subreq_done(struct tevent_req
*subreq)
* these are not points of negotiation, but are
* asserted by the client
*/
- switch (state->gensec_security->dcerpc_auth_level) {
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- if (!gensec_have_feature(state->gensec_security,
GENSEC_FEATURE_SIGN)) {
- DEBUG(0,("Did not manage to negotiate mandetory feature
"
- "SIGN for dcerpc auth_level %u\n",
- state->gensec_security->dcerpc_auth_level));
- tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
- return;
- }
- break;
- case DCERPC_AUTH_LEVEL_PRIVACY:
- if (!gensec_have_feature(state->gensec_security,
GENSEC_FEATURE_SIGN)) {
- DEBUG(0,("Did not manage to negotiate mandetory feature
"
- "SIGN for dcerpc auth_level %u\n",
- state->gensec_security->dcerpc_auth_level));
- tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
- return;
- }
- if (!gensec_have_feature(state->gensec_security,
GENSEC_FEATURE_SEAL)) {
- DEBUG(0,("Did not manage to negotiate mandetory feature
"
- "SEAL for dcerpc auth_level %u\n",
- state->gensec_security->dcerpc_auth_level));
- tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
- return;
- }
- break;
- default:
- break;
+ status = gensec_verify_dcerpc_auth_level(state->gensec_security);
+ if (tevent_req_nterror(req, status)) {
+ return;
}
tevent_req_done(req);
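Review bot: the comment block retained above the new call in gensec_update_subreq_done() (context lines "these are not points of negotiation, but are asserted by the client") duplicates the one now inside gensec_verify_dcerpc_auth_level(); trim it here as in gensec_update_ev(). The call itself is correct: tevent_req_nterror() returns false for NT_STATUS_OK, so the success path still reaches tevent_req_done(req), and failures now carry the helper's status instead of a hard-coded NT_STATUS_ACCESS_DENIED.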
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index bb9cd18..4c43519 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -234,7 +234,13 @@ _PUBLIC_ const struct gensec_security_ops
*gensec_security_by_auth_type(
int i;
const struct gensec_security_ops **backends;
const struct gensec_security_ops *backend;
- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+ TALLOC_CTX *mem_ctx;
+
+ if (auth_type == DCERPC_AUTH_TYPE_NONE) {
+ return NULL;
+ }
+
+ mem_ctx = talloc_new(gensec_security);
if (!mem_ctx) {
return NULL;
}
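Review bot: add a one-line comment next to `if (auth_type == DCERPC_AUTH_TYPE_NONE)` saying why it is there; per the commit message, backends with no DCERPC support carry ops->auth_type == 0, so a lookup for AUTH_TYPE_NONE could otherwise match one of them, and nothing in the hunk records that. Please also confirm DCERPC_AUTH_TYPE_NONE is the same 0 that ops->auth_type uses as its sentinel, since the hunk does not show the enum. Placing the check ahead of talloc_new() is right: the rejected path then allocates nothing.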
diff --git
a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer
b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer
new file mode 100644
index 0000000..15001a3
Binary files /dev/null and
b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer
differ
diff --git
a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
new file mode 100644
index 0000000..2e2a8b9
--- /dev/null
+++
b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
@@ -0,0 +1,191 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA
Administration, CN=CA of
samba.example.com/[email protected]
+ Validity
+ Not Before: Mar 16 23:29:25 2016 GMT
+ Not After : Mar 11 23:29:25 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain
Controllers,
CN=addc.addom.samba.example.com/[email protected]
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (4096 bit)
+ Modulus:
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+
URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Server
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Domain Controller Certificate addc.addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 3D:BC:70:0C:74:D4:B8:85:49:1D:08:84:C4:1B:27:F2:AF:72:37:D3
+ X509v3 Authority Key Identifier:
+
keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ DNS:addc.addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:[email protected]
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, TLS Web Server Authentication,
msKDC
+ Signature Algorithm: sha256WithRSAEncryption
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git
a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
new file mode 100644
index 0000000..6f11ced
--- /dev/null
+++
b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
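Review bot: this hunk commits an encrypted private key for DC-addc.addom.samba.example.com-S02 but nothing in the hunk or the file name says where the passphrase the selftest scripts use is kept or how the key is meant to be unlocked; please document that next to the manage-CA scripts (and state plainly that these keys are test fixtures for the selftest CA only), so a reader of the tree does not have to reverse-engineer the scripts to regenerate or rotate them.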
diff --git
a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
new file mode 100644
index 0000000..bdd0364
--- /dev/null
+++
b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
@@ -0,0 +1,250 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g.,
http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT =
http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in
order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in
order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index
file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current
serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current
crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The
current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current
CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The
private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random
number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
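Review bot: the [CA_default] section carries both `#crl = $dir/Public/CA-samba.example.com-crl.pem` and `crl = $dir/Public/CA-samba.example.com-crl.crl`; drop the commented-out leftover or add a one-line comment on why the .crl name (also used in `CRLDISTPT`) was chosen, since the inline "# The current CRL" comment is now duplicated and wrapped across lines. `default_days = 7300` and `default_crl_days= 7300` give the test DC certificates and CRLs a 20-year lifetime, which is fine for fixtures but deserves a comment marking it as test-only so it is not copied into production guidance. `x509_extensions = template_x509_extensions` and `crl_extensions = crl_ext` reference sections that are not in the visible part of the file; confirm they exist further down, otherwise `openssl ca` will fail to load the config. Minor: the comment "A few difference way of specifying" should read "A few different ways of specifying", and `RANDFILE = $ENV::HOME/.rnd` at the top is overridden by the `RANDFILE` in [CA_default], so one of the two can go.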
--
Samba Shared Repository