The branch, master has been updated via 631e063 s3-lib: Do not set an empty string in split_domain_user() via 0c4e132 s3-lib: Parse WORKGROUP\username in set_cmdline_auth_info_username() via 5328325 s3-lib: Do not create 'MACHINE$@' usernames via 7f14776 nsswitch: Use own credential cache for wbinfo tests via 2dac252 testprogs: Use own credential cache for test_client_etypes.sh via 7abda74 testprogs: Use better KRB5CCNAME in test_password_settings.sh via 9413e33 s3-script: Use unique krb5ccache name via 3470dca s3-selftest: Rename samba3.ntlm_auth.krb5 old ccache test from c60ea2c glusterfs: Avoid tevent_internal.h
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 631e063f6bb49da426ca7343b6987f7831078d7f Author: Andreas Schneider <a...@samba.org> Date: Tue Sep 20 19:51:15 2016 +0200 s3-lib: Do not set an empty string in split_domain_user() The function should also return if it failed or not. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Sun Sep 25 12:56:17 CEST 2016 on sn-devel-144 commit 0c4e13243826871e0597fcd37bd90b184c296e21 Author: Andreas Schneider <a...@samba.org> Date: Thu Sep 15 12:08:24 2016 +0200 s3-lib: Parse WORKGROUP\username in set_cmdline_auth_info_username() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 5328325f94fc2b49f34cf5f2c699ec7440ef1ec9 Author: Andreas Schneider <a...@samba.org> Date: Thu Sep 15 12:54:42 2016 +0200 s3-lib: Do not create 'MACHINE$@' usernames If there is no realm set we should not add it to the machine account. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 7f14776ba7704bdefcbd6ad71856b6efdeacf052 Author: Andreas Schneider <a...@samba.org> Date: Mon Sep 19 13:27:30 2016 +0200 nsswitch: Use own credential cache for wbinfo tests If we do not set it will add the credentials to the system default credential cache, which is e.g. FILE:/tmp/krb5cc_1000. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 2dac25249749734dfc2f27cb10088e97cecdc6ad Author: Andreas Schneider <a...@samba.org> Date: Wed Sep 21 00:01:35 2016 +0200 testprogs: Use own credential cache for test_client_etypes.sh 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 7abda740f5671ff6f1ef326cf80afb8b65a4e5e7 Author: Andreas Schneider <a...@samba.org> Date: Tue Sep 20 09:46:34 2016 +0200 testprogs: Use better KRB5CCNAME in test_password_settings.sh Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 9413e337cee630d3357b9a3299a67a4160bbc495 Author: Andreas Schneider <a...@samba.org> Date: Mon Sep 19 12:18:31 2016 +0200 s3-script: Use unique krb5ccache name Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 3470dca36df56aaf08589632462865154c9fa869 Author: Andreas Schneider <a...@samba.org> Date: Thu Sep 15 15:47:25 2016 +0200 s3-selftest: Rename samba3.ntlm_auth.krb5 old ccache test This makes it easier to run only one of them. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: nsswitch/tests/test_wbinfo.sh | 10 +++- nsswitch/tests/test_wbinfo_simple.sh | 10 +++- source3/include/proto.h | 2 +- source3/lib/util.c | 16 +++++- source3/lib/util_cmdline.c | 61 +++++++++++++++++++++- source3/libnet/libnet_join.c | 40 ++++++++++---- source3/rpc_server/wkssvc/srv_wkssvc_nt.c | 24 ++++++--- .../script/tests/test_smbclient_netbios_aliases.sh | 5 +- source3/selftest/tests.py | 2 +- testprogs/blackbox/test_client_etypes.sh | 8 +++ testprogs/blackbox/test_password_settings.sh | 8 ++- 11 files changed, 156 insertions(+), 30 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh index 1d14ca3..69cc437 100755 --- a/nsswitch/tests/test_wbinfo.sh +++ b/nsswitch/tests/test_wbinfo.sh 
@@ -51,6 +51,12 @@ knownfail() { return $status } +KRB5CCNAME_PATH="$PREFIX/test_wbinfo_krb5ccache" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + # List users testit "wbinfo -u against $TARGET" $wbinfo -u || failed=`expr $failed + 1` # List groups @@ -244,8 +250,10 @@ testit "wbinfo --getdcname against $TARGET" $wbinfo --getdcname=$DOMAIN testit "wbinfo -p against $TARGET" $wbinfo -p || failed=`expr $failed + 1` -testit "wbinfo -K against $TARGET with domain creds" $wbinfo -K "$DOMAIN/$USERNAME"%"$PASSWORD" || failed=`expr $failed + 1` +testit "wbinfo -K against $TARGET with domain creds" $wbinfo --krb5ccname=$KRB5CCNAME --krb5auth="$DOMAIN/$USERNAME"%"$PASSWORD" || failed=`expr $failed + 1` testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1` +rm -f $KRB5CCNAME_PATH + exit $failed diff --git a/nsswitch/tests/test_wbinfo_simple.sh b/nsswitch/tests/test_wbinfo_simple.sh index dc90ddc..35adb6c 100755 --- a/nsswitch/tests/test_wbinfo_simple.sh +++ b/nsswitch/tests/test_wbinfo_simple.sh @@ -12,6 +12,14 @@ ADDARGS="$*" incdir=`dirname $0`/../../testprogs/blackbox . $incdir/subunit.sh -testit "wbinfo" $VALGRIND $BINDIR/wbinfo $ADDARGS || failed=`expr $failed + 1` +KRB5CCNAME_PATH="$PREFIX/test_wbinfo_simple_krb5ccname" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +testit "wbinfo" $VALGRIND $BINDIR/wbinfo --krb5ccname="$KRB5CCNAME" $ADDARGS || failed=`expr $failed + 1` + +rm -f $KRB5CCNAME_PATH testok $0 $failed diff --git a/source3/include/proto.h b/source3/include/proto.h index 0aa1009..fe4217d 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h 
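Review bot: The new cache path is expanded unquoted in `rm -f $KRB5CCNAME_PATH` (both hunks of test_wbinfo.sh) and in `--krb5ccname=$KRB5CCNAME`, so a `$PREFIX` containing whitespace or glob characters would make `rm` act on other paths and hand wbinfo a truncated cache name. I would write `rm -f -- "$KRB5CCNAME_PATH"` and `--krb5ccname="$KRB5CCNAME"`, as test_wbinfo_simple.sh already does for the option. The same unquoted `rm` appears in the test_wbinfo_simple.sh, test_smbclient_netbios_aliases.sh, test_client_etypes.sh and test_password_settings.sh hunks of this push.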
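Review bot: The cache file in test_wbinfo_simple.sh is named `test_wbinfo_simple_krb5ccname`, and test_client_etypes.sh uses `test_client_etypes_krb5ccname`, while the other scripts in this push end the file name in `_krb5ccache`. The value is a cache file path, not a cache name, so `"$PREFIX/test_wbinfo_simple_krb5ccache"` would be the consistent spelling. A uniform suffix also makes leftover caches under `$PREFIX` easy to find with one pattern.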
@@ -424,7 +424,7 @@ char *get_safe_ptr(const char *buf_base, size_t buf_len, char *ptr, size_t off); char *get_safe_str_ptr(const char *buf_base, size_t buf_len, char *ptr, size_t off); int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval); int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval); -void split_domain_user(TALLOC_CTX *mem_ctx, +bool split_domain_user(TALLOC_CTX *mem_ctx, const char *full_name, char **domain, char **user); diff --git a/source3/lib/util.c b/source3/lib/util.c index ad33624..bab3998 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -2103,7 +2103,7 @@ int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, i call (they take care of winbind separator and other winbind specific settings). ****************************************************************/ -void split_domain_user(TALLOC_CTX *mem_ctx, +bool split_domain_user(TALLOC_CTX *mem_ctx, const char *full_name, char **domain, char **user) @@ -2115,11 +2115,23 @@ void split_domain_user(TALLOC_CTX *mem_ctx, if (p != NULL) { *domain = talloc_strndup(mem_ctx, full_name, PTR_DIFF(p, full_name)); + if (*domain == NULL) { + return false; + } *user = talloc_strdup(mem_ctx, p+1); + if (*user == NULL) { + TALLOC_FREE(*domain); + return false; + } } else { - *domain = talloc_strdup(mem_ctx, ""); + *domain = NULL; *user = talloc_strdup(mem_ctx, full_name); + if (*user == NULL) { + return false; + } } + + return true; } /**************************************************************** diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c index 80c3ecd..3ef1d09 100644 --- a/source3/lib/util_cmdline.c +++ b/source3/lib/util_cmdline.c 
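Review bot: On the failure paths of `split_domain_user()` the output pointers are left in different states: if the first `talloc_strndup()` fails, `*user` is never written, while the no-separator branch sets `*domain = NULL` before it can fail. Initialising both at the top of the function, `*domain = NULL; *user = NULL;`, would give callers one contract to rely on. The comment block above the function (outside this hunk) should also say that false is returned on allocation failure and that `*domain` is NULL, no longer an empty string, when `full_name` has no separator. The start of the function body is outside the hunk, so this assumes nothing there already clears the outputs.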
@@ -54,8 +54,49 @@ const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_inf void set_cmdline_auth_info_username(struct user_auth_info *auth_info, const char *username) { + char *s; + char *p; + bool contains_domain = false; + + s = talloc_strdup(auth_info, username); + if (s == NULL) { + exit(ENOMEM); + } + + p = strchr_m(s, '\\'); + if (p != NULL) { + contains_domain = true; + } + if (!contains_domain) { + p = strchr_m(s, '/'); + if (p != NULL) { + contains_domain = true; + } + } + if (!contains_domain) { + char sep = *lp_winbind_separator(); + + if (sep != '\0') { + p = strchr_m(s, *lp_winbind_separator()); + if (p != NULL) { + contains_domain = true; + } + } + } + + if (contains_domain) { + *p = '\0'; + username = p + 1; + + /* s is now the workgroup part */ + set_cmdline_auth_info_domain(auth_info, s); + } + TALLOC_FREE(auth_info->username); auth_info->username = talloc_strdup(auth_info, username); + + TALLOC_FREE(s); + if (!auth_info->username) { exit(ENOMEM); } @@ -207,6 +248,9 @@ bool set_cmdline_auth_info_machine_account_creds(struct user_auth_info *auth_inf { char *pass = NULL; char *account = NULL; + const char *realm = lp_realm(); + int rc; + if (!get_cmdline_auth_info_use_machine_account(auth_info)) { return false; @@ -217,8 +261,21 @@ bool set_cmdline_auth_info_machine_account_creds(struct user_auth_info *auth_inf return false; } - if (asprintf(&account, "%s$@%s", lp_netbios_name(), lp_realm()) < 0) { - return false; + if (realm != NULL && realm[0] != '\0') { + rc = asprintf(&account, + "%s$@%s", + lp_netbios_name(), + realm); + if (rc < 0) { + return false; + } + } else { + rc = asprintf(&account, + "%s$", + lp_netbios_name()); + if (rc < 0) { + return false; + } } pass = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 3d66eaf..bbbd06e 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
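Review bot: The second lookup in `set_cmdline_auth_info_username()`, `p = strchr_m(s, '/');`, also matches the '/' that separates the components of a Kerberos principal, so a name such as `host/server.example.com@REALM` (a constructed example) would be stored as domain `host` and username `server.example.com@REALM`. If only `DOMAIN/user` is meant to be accepted, the '/' check could be skipped when the string contains '@', or at least the accepted forms should be listed in a comment above the function. The split also calls `set_cmdline_auth_info_domain()` unconditionally, which presumably replaces a workgroup set earlier on the command line; whether that is intended is not visible here. A smaller point: the separator is fetched twice, and `p = strchr_m(s, sep);` would use the value already checked against '\0'.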
@@ -2131,11 +2131,21 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx, if (!r->in.admin_domain) { char *admin_domain = NULL; char *admin_account = NULL; - split_domain_user(mem_ctx, - r->in.admin_account, - &admin_domain, - &admin_account); - r->in.admin_domain = admin_domain; + bool ok; + + ok = split_domain_user(mem_ctx, + r->in.admin_account, + &admin_domain, + &admin_account); + if (!ok) { + return WERR_NOMEM; + } + + if (admin_domain != NULL) { + r->in.admin_domain = admin_domain; + } else { + r->in.admin_domain = r->in.domain_name; + } r->in.admin_account = admin_account; } @@ -2814,11 +2824,21 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx, if (!r->in.admin_domain) { char *admin_domain = NULL; char *admin_account = NULL; - split_domain_user(mem_ctx, - r->in.admin_account, - &admin_domain, - &admin_account); - r->in.admin_domain = admin_domain; + bool ok; + + ok = split_domain_user(mem_ctx, + r->in.admin_account, + &admin_domain, + &admin_account); + if (!ok) { + return WERR_NOMEM; + } + + if (admin_domain != NULL) { + r->in.admin_domain = admin_domain; + } else { + r->in.admin_domain = r->in.domain_name; + } r->in.admin_account = admin_account; } diff --git a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c index 52809a4..25233e5 100644 --- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c +++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c @@ -825,6 +825,7 @@ WERROR _wkssvc_NetrJoinDomain2(struct pipes_struct *p, struct security_token *token = p->session_info->security_token; NTSTATUS status; DATA_BLOB session_key; + bool ok; if (!r->in.domain_name) { return WERR_INVALID_PARAM; 
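Review bot: The fallback `r->in.admin_domain = r->in.domain_name;` changes which domain the admin credentials are presented for when the account name carries no domain part, and nothing in the hunk says why the join target is the right default or whether `r->in.domain_name` can be NULL at this point. A one-line comment such as `/* no domain in admin_account: use the domain being joined */` would record the intent. The identical block is added to `libnet_unjoin_pre_processing()` in the second hunk; a small static helper shared by both would keep the two from drifting apart. Both function bodies extend beyond the hunks.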
@@ -863,10 +864,13 @@ WERROR _wkssvc_NetrJoinDomain2(struct pipes_struct *p, return werr; } - split_domain_user(p->mem_ctx, - r->in.admin_account, - &admin_domain, - &admin_account); + ok = split_domain_user(p->mem_ctx, + r->in.admin_account, + &admin_domain, + &admin_account); + if (!ok) { + return WERR_NOMEM; + } werr = libnet_init_JoinCtx(p->mem_ctx, &j); if (!W_ERROR_IS_OK(werr)) { @@ -913,6 +917,7 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct pipes_struct *p, struct security_token *token = p->session_info->security_token; NTSTATUS status; DATA_BLOB session_key; + bool ok; if (!r->in.account || !r->in.encrypted_password) { return WERR_INVALID_PARAM; @@ -942,10 +947,13 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct pipes_struct *p, return werr; } - split_domain_user(p->mem_ctx, - r->in.account, - &admin_domain, - &admin_account); + ok = split_domain_user(p->mem_ctx, + r->in.account, + &admin_domain, + &admin_account); + if (!ok) { + return WERR_NOMEM; + } werr = libnet_init_UnjoinCtx(p->mem_ctx, &u); if (!W_ERROR_IS_OK(werr)) { diff --git a/source3/script/tests/test_smbclient_netbios_aliases.sh b/source3/script/tests/test_smbclient_netbios_aliases.sh index cb0d967..610eeda 100755 --- a/source3/script/tests/test_smbclient_netbios_aliases.sh +++ b/source3/script/tests/test_smbclient_netbios_aliases.sh @@ -22,10 +22,11 @@ if test -x $BINDIR/samba4kinit; then samba4kinit=$BINDIR/samba4kinit fi -KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME_PATH="$PREFIX/test_smbclient_netbios_aliases_krb5ccache" +rm -rf $KRB5CCNAME_PATH + KRB5CCNAME="FILE:$KRB5CCNAME_PATH" export KRB5CCNAME -rm -rf $KRB5CCNAME_PATH incdir=`dirname $0`/../../../testprogs/blackbox . $incdir/subunit.sh diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index c75b7ae..d0f5334 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
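Review bot: After this change `admin_domain` can be NULL on a successful return, because `split_domain_user()` no longer produces an empty string for a name without a separator, and in both `_wkssvc_NetrJoinDomain2()` and `_wkssvc_NetrUnjoinDomain2()` the code that consumes `admin_domain` lies below the hunk. Since the account name arrives in the RPC request, it is worth confirming that every later use tolerates NULL (for example in debug output or string comparisons). If NULL is meant to be passed through so that the libnet pre-processing picks the default, a comment saying so next to the `if (!ok)` check would help.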
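Review bot: The moved cleanup line in test_smbclient_netbios_aliases.sh keeps `rm -rf $KRB5CCNAME_PATH`, while every other script touched in this push removes its cache with `rm -f`. The path names a single cache file, so the recursive flag only widens what an unexpected value of `$PREFIX` could delete; `rm -f -- "$KRB5CCNAME_PATH"` would match the others. No removal of the cache at the end of the script is visible in this hunk, unlike the other tests, though the rest of the file is not shown.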
@@ -152,7 +152,7 @@ t = "WBCLIENT-MULTI-PING" plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""]) -plantestsuite("samba3.ntlm_auth.krb5(ktest:local) old ccache", "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_krb5.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$PREFIX/ktest/krb5_ccache-2', '$SERVER', configuration]) +plantestsuite("samba3.ntlm_auth.krb5 with old ccache(ktest:local)", "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_krb5.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$PREFIX/ktest/krb5_ccache-2', '$SERVER', configuration]) plantestsuite("samba3.ntlm_auth.krb5(ktest:local)", "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_krb5.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$PREFIX/ktest/krb5_ccache-3', '$SERVER', configuration]) diff --git a/testprogs/blackbox/test_client_etypes.sh b/testprogs/blackbox/test_client_etypes.sh index 57739c6..98ff73a 100755 --- a/testprogs/blackbox/test_client_etypes.sh +++ b/testprogs/blackbox/test_client_etypes.sh @@ -15,6 +15,12 @@ EXPECTED_ETYPES="$6" # Load test functions . `dirname $0`/subunit.sh +KRB5CCNAME_PATH="$PREFIX/test_client_etypes_krb5ccname" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + #requires tshark and sha1sum if ! which tshark > /dev/null 2>&1 || ! which sha1sum > /dev/null 2>&1 ; then subunit_start_test "client encryption types" @@ -71,5 +77,7 @@ actual_types="`tshark -r $pcap_file -nVY "kerberos" | \ testit "verify types" test "x$actual_types" = "x$EXPECTED_ETYPES" || failed=`expr $failed + 1` rm -rf $BASEDIR/$WORKDIR +rm -f $KRB5CCNAME_PATH + exit $failed diff --git a/testprogs/blackbox/test_password_settings.sh b/testprogs/blackbox/test_password_settings.sh index 17f905f..9436e30 100755 --- a/testprogs/blackbox/test_password_settings.sh 
+++ b/testprogs/blackbox/test_password_settings.sh @@ -75,7 +75,10 @@ testit "create user locally" \ ### Test normal operation as user ########################################################### -KRB5CCNAME="$PREFIX/tmpuserccache" +KRB5CCNAME_PATH="$PREFIX/test_password_settings_krb5ccache" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" export KRB5CCNAME testit "kinit with user password" \ @@ -206,6 +209,7 @@ testit "reset password policies" \ testit "delete user $TEST_USERNAME" \ $VALGRIND $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=`expr $failed + 1` -rm -f $PREFIX/tmpuserpassfile $PREFIX/tmpsmbpasswdscript $PREFIX/tmpuserccache +rm -f $PREFIX/tmpuserpassfile $PREFIX/tmpsmbpasswdscript +rm -f $KRB5CCNAME_PATH exit $failed -- Samba Shared Repository
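Review bot: The cache removal added at the end of test_password_settings.sh, `rm -f $KRB5CCNAME_PATH`, only runs when the script reaches its last lines, so an interrupted run leaves the cache written by the `kinit with user password` test under `$PREFIX`. Registering the cleanup right after `export KRB5CCNAME`, with `trap 'rm -f -- "$KRB5CCNAME_PATH"' EXIT`, would cover every exit path. The same applies to the end-of-script removals added to test_wbinfo.sh, test_wbinfo_simple.sh and test_client_etypes.sh.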