The branch, master has been updated
       via  0ee085b5948 selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
       via  e2737a74d44 selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
       via  ad6f0e056ac selftest/tests.py: test pam_winbind for trusts domains
       via  13e3811c951 selftest: Export TRUST information in the ad_member target environment
       via  f07b542c61f selftest/tests.py: test pam_winbind with a lot of username variations
       via  36e95e42ea8 selftest/tests.py: test pam_winbind with krb5_auth
       via  72daf99fd1f selftest/tests.py: prepare looping over pam_winbindd tests
       via  3d38a8e9135 test_pam_winbind.sh: allow different pam_winbindd config options to be specified
       via  653e9048585 tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
       via  cd3ffaabb56 tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
       via  a77be15d283 s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
       via  95206523996 docs-xml: add "winbind use krb5 enterprise principals" option
       via  3bdf023956e krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
       via  303b7e59a28 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
       via  162b4199493 s4:auth: kinit_to_ccache() should always use the canonicalized principal
       via  5d0bf32ec0a krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
       via  0bced73bed4 s3:libads/kerberos: always use the canonicalized principal after kinit
       via  6ed18c12c57 s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
       via  361fb0efabf s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
       via  bc473e5cf08 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
       via  db8fd3d6a31 s4:auth: use the correct client realm in gensec_gssapi_update_internal()
       via  acbf922fc29 nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
      from  4f5c4df316d wscript_build: string concatenation efficiency cleanup

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0ee085b594878f5e0e83839f465303754f015459
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 18 08:10:26 2019 +0200

    selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
    
    This demonstrates that we can do krb5_auth in winbindd without knowing about
    trusted domains.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    
    Autobuild-User(master): Günther Deschner <g...@samba.org>
    Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184

commit e2737a74d4453a3d65e5466ddc4405d68444df27
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 18 08:02:38 2019 +0200

    selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
    
    This demonstrates that we rely on knowing about trusted domains before
    we can do krb5_auth in winbindd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit ad6f0e056ac27ab5c078dbdbff44372da05caab2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 10 14:38:40 2017 +0200

    selftest/tests.py: test pam_winbind for trusts domains
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 13e3811c9510cf213881527877bed40092e0b33c
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 20 11:39:41 2017 +0100

    selftest: Export TRUST information in the ad_member target environment
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit f07b542c61f84a97c097208e10bf9375ddfa9a15
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 18 14:03:34 2019 +0200

    selftest/tests.py: test pam_winbind with a lot of username variations
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 18 08:08:57 2019 +0200

    selftest/tests.py: test pam_winbind with krb5_auth
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 18 01:25:23 2019 +0200

    selftest/tests.py: prepare looping over pam_winbindd tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 18 01:25:58 2019 +0200

    test_pam_winbind.sh: allow different pam_winbindd config options to be specified
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 653e90485854d978dc522e689cd78c19dcc22a70
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 20 08:13:28 2019 +0200

    tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit cd3ffaabb568db26e0de5e83178487e5947c4f09
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 18 08:04:42 2019 +0200

    tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
    
    A failure generated by the AssertionError() checks can be added
    to selftest/knownfail.d/*.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit a77be15d28390c5d12202278adbe6b50200a2c1b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jul 19 15:10:09 2019 +0000

    s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
    
    We can use enterprise principals (e.g. upnfr...@b.example.com@PRIMARY.A.EXAMPLE.COM)
    and delegate the routing decisions to the KDCs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 9520652399696010c333a3ce7247809ce5337a91
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 11 16:44:43 2019 +0200

    docs-xml: add "winbind use krb5 enterprise principals" option
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 3bdf023956e861485be70430112ed38d0a5424f7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 13 15:52:25 2019 +0200

    krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
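As an added illustration (not Samba code and not part of this notification): the a77be15d283 and 3bdf023956e messages above describe enterprise principals such as upnfromB@b.example.com@PRIMARY.A.EXAMPLE.COM and the fallback that lets smb_krb5_parse_name() accept them. The Python below is a toy model of that rule: a strict parser that, like a plain krb5_parse_name(), treats a second unquoted '@' as malformed, an enterprise mode that keeps the first '@' as part of the single name component, and a wrapper that retries in enterprise mode only after a malformed-name error, as the krb5_wrap change does. The quoting rules, the literal treatment of '/' in enterprise mode and the defaulting of a missing realm are my simplifying assumptions, not a reproduction of MIT or Heimdal behaviour; the name-type numbers are the ones from RFC 4120.

```python
"""Toy model of Kerberos principal parsing with the enterprise-name fallback.

Added illustration only: not Samba's smb_krb5_parse_name() and not the
MIT/Heimdal krb5_parse_name() implementation, just a model of the rule the
krb5_wrap commit relies on.
"""
from dataclasses import dataclass
from typing import List, Optional

# Name types from RFC 4120 section 7.5.8.
NT_PRINCIPAL = 1
NT_ENTERPRISE = 10


class MalformedPrincipal(ValueError):
    """Stands in for KRB5_PARSE_MALFORMED."""


@dataclass
class Principal:
    components: List[str]
    realm: Optional[str]
    name_type: int


def parse_principal(name: str, enterprise: bool = False,
                    default_realm: Optional[str] = None) -> Principal:
    """Parse 'comp1/comp2@REALM' style names.

    Strict mode: an unquoted '@' starts the realm, '/' separates components,
    and a further unquoted '@' or '/' inside the realm is malformed.
    Enterprise mode (assumption, modelled on the ENTERPRISE parse flag): the
    first unquoted '@' belongs to the single name component, the next
    unquoted '@' starts the realm, and '/' is literal.  A backslash quotes
    the following character in both modes.
    """
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    kept_at = False  # enterprise mode: has the in-name '@' been consumed?
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            buf.append(name[i + 1])  # quoted character, never a separator
            i += 2
            continue
        if in_realm:
            if c in "@/":
                raise MalformedPrincipal(f"unquoted {c!r} in realm of {name!r}")
            buf.append(c)
        elif c == "@" and enterprise and not kept_at:
            kept_at = True
            buf.append(c)  # part of the enterprise name, not the realm separator
        elif c == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        elif c == "/" and not enterprise:
            components.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1

    if in_realm:
        realm = "".join(buf)
        if realm == "":
            raise MalformedPrincipal(f"empty realm in {name!r}")
    else:
        components.append("".join(buf))
        realm = default_realm
    if any(comp == "" for comp in components):
        raise MalformedPrincipal(f"empty component in {name!r}")
    return Principal(components, realm,
                     NT_ENTERPRISE if enterprise else NT_PRINCIPAL)


def smb_style_parse(name: str,
                    default_realm: Optional[str] = None) -> Principal:
    """Model of the fallback added to smb_krb5_parse_name(): strict parse
    first; only a malformed-name error triggers the enterprise retry."""
    try:
        return parse_principal(name, enterprise=False,
                               default_realm=default_realm)
    except MalformedPrincipal:
        return parse_principal(name, enterprise=True,
                               default_realm=default_realm)


def enterprise_name_for(upn: str, primary_realm: str) -> str:
    """Build the enterprise form a member would hand to its own realm's KDC:
    the user's UPN followed by '@' and the member's realm.  The KDC, not the
    member, then works out which domain owns the UPN suffix via WRONG_REALM
    referrals, which is why no trust topology is needed on the member."""
    return f"{upn}@{primary_realm}"


if __name__ == "__main__":
    for n in ["alice@EXAMPLE.COM",
              "host/server.example.com@EXAMPLE.COM",
              r"odd\@name@EXAMPLE.COM",
              enterprise_name_for("upnfromB@b.example.com",
                                  "PRIMARY.A.EXAMPLE.COM")]:
        print(n, "->", smb_style_parse(n))
```

The quoted-'@' case is the one worth keeping in mind: a name such as odd\@name@EXAMPLE.COM parses strictly and never reaches the enterprise retry, while anything the strict parser rejects does, so the fallback widens the set of accepted inputs for every caller of the shared helper.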

commit 303b7e59a286896888ee2473995fc50bb2b5ce5e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 162b4199493c1f179e775a325a19ae7a136c418b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s4:auth: kinit_to_ccache() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 0bced73bed481a8846a6b3e68be85941914390ba
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 13 16:04:30 2019 +0200

    s3:libads/kerberos: always use the canonicalized principal after kinit
    
    We should always use krb5_get_init_creds_opt_set_canonicalize()
    and krb5_get_init_creds_opt_set_win2k() for heimdal
    and expect the client principal to be changed.
    
    There's no reason to have a different logic between MIT and Heimdal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Sep 17 08:49:13 2019 +0200

    s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit 361fb0efabfb189526c851107eee49161da2293c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Sep 17 10:08:10 2019 +0200

    s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit bc473e5cf088a137395842540ed8eb748373a236
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Sep 16 17:14:11 2019 +0200

    s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Sep 17 08:05:09 2019 +0200

    s4:auth: use the correct client realm in gensec_gssapi_update_internal()
    
    The function gensec_gssapi_client_creds() may call kinit and gets
    a TGT for the user. The principal provided by the user may not
    be canonicalized. The user may use 'given.l...@example.com'
    but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
    
    It means we should use client_realm = AD.EXAMPLE.PRIVATE
    instead of client_realm = EXAMPLE.COM
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

commit acbf922fc2963a42d6cbe652bb32eee231020958
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 18 13:58:46 2019 +0200

    nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .../winbind/winbindusekrb5enterpriseprincipals.xml |  34 ++++
 lib/krb5_wrap/krb5_samba.c                         |   7 +-
 nsswitch/pam_winbind.c                             |   4 +
 python/samba/tests/pam_winbind.py                  |  25 ++-
 python/samba/tests/pam_winbind_chauthtok.py        |  10 +-
 python/samba/tests/pam_winbind_warn_pwd_expire.py  |  10 +-
 python/samba/tests/test_pam_winbind.sh             |  12 +-
 python/samba/tests/test_pam_winbind_chauthtok.sh   |   4 +-
 .../tests/test_pam_winbind_warn_pwd_expire.sh      |  20 ++-
 selftest/target/Samba.pm                           |  22 +++
 selftest/target/Samba3.pm                          |  26 +++-
 selftest/tests.py                                  | 171 ++++++++++++++++++---
 source3/libads/authdata.c                          |   1 +
 source3/libads/kerberos.c                          |  55 +++++--
 source3/libads/kerberos_proto.h                    |   5 +-
 source3/libads/kerberos_util.c                     |   3 +-
 source3/libads/krb5_setpw.c                        |   6 +
 source3/libsmb/cliconnect.c                        |  41 ++++-
 source3/utils/net_ads.c                            |   3 +
 source3/winbindd/winbindd_cred_cache.c             |   6 +
 source3/winbindd/winbindd_pam.c                    |  57 ++++---
 source4/auth/gensec/gensec_gssapi.c                |   6 +-
 source4/auth/kerberos/kerberos_util.c              |   2 +
 23 files changed, 438 insertions(+), 92 deletions(-)
 create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml 
b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 00000000000..bfc11c8636c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+       <para>winbindd is able to get kerberos tickets for
+       pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+       </para>
+
+       <para>winbindd (at least on a domain member) is never be able
+       to have a complete picture of the trust topology (which is managed by 
the DCs).
+       There might be uPNSuffixes and msDS-SPNSuffixes values,
+       which don't belong to any AD domain at all.
+       </para>
+
+       <para>With <smbconfoption name="winbind scan trusted 
domains">no</smbconfoption>
+       winbindd don't even get an incomplete picture of the topology.
+       </para>
+
+       <para>It is not really required to know about the trust topology.
+       We can just rely on the [K]DCs of our primary domain (e.g. 
PRIMARY.A.EXAMPLE.COM)
+       and use enterprise principals e.g. 
upnfr...@b.example.com@PRIMARY.A.EXAMPLE.COM
+       and follow the WRONG_REALM referrals in order to find the correct DC.
+       The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE.
+       </para>
+
+       <para>With <smbconfoption name="winbind use krb5 enterprise 
principals">yes</smbconfoption>
+       winbindd enterprise principals will be used.
+       </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
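Review bot: the new description carries grammar slips that will end up in the man page: `winbindd (at least on a domain member) is never be able` should read `is never able`, `winbindd don't even get` should be `winbindd doesn't even get`, and `winbindd enterprise principals will be used` reads better as `winbindd will use enterprise principals`. It would also help administrators to say explicitly that the option only affects the krb5_auth / wbinfo -K path named in the first paragraph, and that with the default of `no` the existing behaviour of relying on the scanned trust topology is kept.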
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 72889fffcf0..a4e73c64f00 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
        }
 
        ret = krb5_parse_name(context, utf8_name, principal);
+       if (ret == KRB5_PARSE_MALFORMED) {
+               ret = krb5_parse_name_flags(context, utf8_name,
+                                           KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+                                           principal);
+       }
        TALLOC_FREE(frame);
        return ret;
 }
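Review bot: the retry fires on any KRB5_PARSE_MALFORMED, not only on a name with a second unquoted '@', so every caller of smb_krb5_parse_name() now silently gets an enterprise principal for inputs the strict parse used to reject. A comment above the `if` explaining why that is acceptable for all callers, and a test for a name that is malformed in both forms (so the second error is the one returned), would make the intent reviewable; if only some callers should accept enterprise names, a flag parameter would be safer than changing the shared helper.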
@@ -2114,14 +2119,12 @@ krb5_error_code 
smb_krb5_kinit_password_ccache(krb5_context ctx,
                return code;
        }
 
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
        /*
         * We need to store the principal as returned from the KDC to the
         * credentials cache. If we don't do that the KRB5 library is not
         * able to find the tickets it is looking for
         */
        principal = my_creds.client;
-#endif
        code = krb5_cc_initialize(ctx, cc, principal);
        if (code) {
                goto done;
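Review bot: with the `#ifndef SAMBA4_USES_HEIMDAL` guard removed, the comment above `principal = my_creds.client;` should state that both MIT and Heimdal now store the KDC-returned (canonicalized) client principal, as the commit message says, rather than leaving the MIT-only wording implied by the old guard. Also worth confirming that `principal` is not released on the `done:` path, since after this assignment it aliases `my_creds.client` and freeing both would be a double free.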
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 7841377fdd6..3ad70d3c4cd 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -862,6 +862,10 @@ static int wbc_auth_error_to_pam_error(struct pwb_context 
*ctx,
        }
 
        ret = wbc_error_to_pam_error(status);
+       _pam_log(ctx, LOG_ERR,
+                "request %s failed: %s, PAM error: %s (%d)!",
+                fn, wbcErrorString(status),
+                _pam_error_code_str(ret), ret);
        return pam_winbind_request_log(ctx, ret, username, fn);
 }
 
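Review bot: the new `_pam_log()` call runs unconditionally after `wbc_error_to_pam_error(status)`, so check that the authentication-failure cases (wrong password, account locked) really return before this point as the subject line "for non auth errors" says; otherwise every failed login is now logged at LOG_ERR in addition to `pam_winbind_request_log()`. The trailing `!` in the format string is unusual for this file; `request %s failed: %s, PAM error: %s (%d)` reads cleaner in syslog.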
diff --git a/python/samba/tests/pam_winbind.py 
b/python/samba/tests/pam_winbind.py
index 68b05b30d7d..708f408f768 100644
--- a/python/samba/tests/pam_winbind.py
+++ b/python/samba/tests/pam_winbind.py
@@ -26,11 +26,17 @@ class SimplePamTests(samba.tests.TestCase):
         domain = os.environ["DOMAIN"]
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], 
[password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
 
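Review bot: `unix_username = "%s" % username` is just `unix_username = username`. More important, the `if domain != ""` branch and the `try/except pypamtest.PamTestError` wrapper are copied verbatim into every test method of this file and into pam_winbind_chauthtok.py and pam_winbind_warn_pwd_expire.py; a small shared helper (for example a `pam_user(domain, username)` and a `run_pamtest_or_fail()` that converts PamTestError) would keep the rule in one place. Inside a TestCase, `self.fail(str(e))` is the idiomatic way to turn the exception into a failure and gives the same knownfail semantics as raising AssertionError.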
@@ -38,11 +44,17 @@ class SimplePamTests(samba.tests.TestCase):
         domain = os.environ["DOMAIN"]
         username = os.environ["USERNAME"]
         password = "WrongPassword"
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 7  # PAM_AUTH_ERR
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], 
[password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
 
@@ -52,6 +64,9 @@ class SimplePamTests(samba.tests.TestCase):
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], 
[password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_chauthtok.py 
b/python/samba/tests/pam_winbind_chauthtok.py
index e5be3a83ce7..c1d569b3cd0 100644
--- a/python/samba/tests/pam_winbind_chauthtok.py
+++ b/python/samba/tests/pam_winbind_chauthtok.py
@@ -27,10 +27,16 @@ class PamChauthtokTests(samba.tests.TestCase):
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
         newpassword = os.environ["NEWPASSWORD"]
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0 # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, 
newpassword, newpassword])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], 
[password, newpassword, newpassword])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py 
b/python/samba/tests/pam_winbind_warn_pwd_expire.py
index df60bc5ace6..56f5da94f98 100644
--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
@@ -27,11 +27,17 @@ class PasswordExpirePamTests(samba.tests.TestCase):
         username = os.environ["USERNAME"]
         password = os.environ["PASSWORD"]
         warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"])
-        unix_username = "%s/%s" % (domain, username)
+        if domain != "":
+            unix_username = "%s/%s" % (domain, username)
+        else:
+            unix_username = "%s" % username
         expected_rc = 0  # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+        try:
+            res = pypamtest.run_pamtest(unix_username, "samba", [tc], 
[password])
+        except pypamtest.PamTestError as e:
+            raise AssertionError(str(e))
 
         self.assertTrue(res is not None)
         if warn_pwd_expire == 0:
diff --git a/python/samba/tests/test_pam_winbind.sh 
b/python/samba/tests/test_pam_winbind.sh
index 0406b108b31..755e67280fa 100755
--- a/python/samba/tests/test_pam_winbind.sh
+++ b/python/samba/tests/test_pam_winbind.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
 export PASSWORD
 shift 3
 
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
 pam_winbind="$BINDIR/shared/pam_winbind.so"
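Review bot: `PAM_OPTIONS="$1"` followed by `shift 1` makes a fourth positional argument mandatory; if the script validates `$#` earlier in the file that check needs updating, and callers still passing three arguments will now get an empty PAM_OPTIONS silently rather than an error. A comment documenting the new argument, including that it is inserted verbatim into the service file and so must arrive as one shell word such as `'krb5_auth krb5_ccache_type=FILE'`, would help the next person adding a variant.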
@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
 service_file="$service_dir/samba"
 
 mkdir $service_dir
-echo "auth        required    $pam_winbind debug debug_state" > $service_file
-echo "account     required    $pam_winbind debug debug_state" >> $service_file
-echo "password    required    $pam_winbind debug debug_state" >> $service_file
-echo "session     required    $pam_winbind debug debug_state" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state $PAM_OPTIONS" > 
$service_file
+echo "account     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> 
$service_file
+echo "password    required    $pam_winbind debug debug_state $PAM_OPTIONS" >> 
$service_file
+echo "session     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> 
$service_file
 
 PAM_WRAPPER="1"
 export PAM_WRAPPER
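Review bot: the four `echo` lines differ only in the module type; `for t in auth account password session; do echo "$t required $pam_winbind debug debug_state $PAM_OPTIONS"; done > $service_file` would avoid editing four lines every time an option is added, and the same block appears twice more in test_pam_winbind_warn_pwd_expire.sh.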
diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh 
b/python/samba/tests/test_pam_winbind_chauthtok.sh
index 5887699300a..48adc81859d 100755
--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
 export PAM_WRAPPER_DEBUGLEVEL
 
 case $PAM_OPTIONS in
-    use_authtok)
+    *use_authtok*)
         PAM_AUTHTOK="$NEWPASSWORD"
         export PAM_AUTHTOK
     ;;
-    try_authtok)
+    *try_authtok*)
         PAM_AUTHTOK="$NEWPASSWORD"
         export PAM_AUTHTOK
     ;;
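Review bot: `*use_authtok*)` and `*try_authtok*)` now match the substring anywhere in PAM_OPTIONS, which the combined option strings need, but both arms set the same `PAM_AUTHTOK`, so `*use_authtok*|*try_authtok*)` is shorter and keeps them from drifting apart; a comment that the patterns are deliberately substring matches would spare a reader from wondering whether the surrounding options matter.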
diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh 
b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
index 16dede44227..348d2ae8387 100755
--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
 export PASSWORD
 shift 3
 
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
 pam_winbind="$BINDIR/shared/pam_winbind.so"
@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL
 WARN_PWD_EXPIRE="50"
 export WARN_PWD_EXPIRE
 
-echo "auth        required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account     required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password    required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session     required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password    required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
 
 PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m 
samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
 exit_code=$?
@@ -54,10 +58,10 @@ fi
 WARN_PWD_EXPIRE="0"
 export WARN_PWD_EXPIRE
 
-echo "auth        required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account     required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password    required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session     required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth        required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password    required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state 
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
 
 PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m 
samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
 exit_code=$?
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 996bdae188a..d933faba1d5 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -724,6 +724,28 @@ my @exported_envvars = (
        "TRUST_REALM",
        "TRUST_DOMSID",
 
+       # stuff related to a trusted domain, on a trust_member
+       # the domain behind a forest trust (two-way)
+       "TRUST_F_BOTH_SERVER",
+       "TRUST_F_BOTH_SERVER_IP",
+       "TRUST_F_BOTH_SERVER_IPV6",
+       "TRUST_F_BOTH_NETBIOSNAME",
+       "TRUST_F_BOTH_USERNAME",
+       "TRUST_F_BOTH_PASSWORD",
+       "TRUST_F_BOTH_DOMAIN",
+       "TRUST_F_BOTH_REALM",
+
+       # stuff related to a trusted domain, on a trust_member
+       # the domain behind an external trust (two-way)
+       "TRUST_E_BOTH_SERVER",
+       "TRUST_E_BOTH_SERVER_IP",
+       "TRUST_E_BOTH_SERVER_IPV6",
+       "TRUST_E_BOTH_NETBIOSNAME",
+       "TRUST_E_BOTH_USERNAME",
+       "TRUST_E_BOTH_PASSWORD",
+       "TRUST_E_BOTH_DOMAIN",
+       "TRUST_E_BOTH_REALM",
+
        # domain controller stuff
        "DC_SERVER",
        "DC_SERVER_IP",
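Review bot: the two new comments say `on a trust_member`, but the commit message and the Samba3.pm change export these variables for the ad_member environment; `on an ad_member` would avoid sending the next reader to the wrong target. It would also help to name which test environment stands behind each trust (forest versus external), since `TRUST_F_BOTH_*` / `TRUST_E_BOTH_*` do not say.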
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 7c9fdfc6889..fab8c146f34 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -181,7 +181,7 @@ sub check_env($$)
 
        nt4_member          => ["nt4_dc"],
 
-       ad_member           => ["ad_dc"],
+       ad_member           => ["ad_dc", "fl2008r2dc", "fl2003dc"],
        ad_member_rfc2307   => ["ad_dc_ntvfs"],
        ad_member_idmap_rid => ["ad_dc"],
        ad_member_idmap_ad  => ["fl2008r2dc"],
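Review bot: the new dependency list `["ad_dc", "fl2008r2dc", "fl2003dc"]` is consumed positionally as `($dcvars, $trustvars_f, $trustvars_e)` in setup_ad_member, so the order on this line silently decides which DC is treated as the forest trust and which as the external trust; a comment stating that mapping here and in setup_ad_member would stop a reorder from swapping them.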
@@ -369,7 +369,7 @@ sub setup_nt4_member
 
 sub setup_ad_member
 {
-       my ($self, $prefix, $dcvars) = @_;
+       my ($self, $prefix, $dcvars, $trustvars_f, $trustvars_e) = @_;
 
        my $prefix_abs = abs_path($prefix);
        my @dirs = ();
@@ -416,6 +416,8 @@ sub setup_ad_member
        template homedir = /home/%D/%G/%U
        auth event notification = true
        password server = $dcvars->{SERVER}
+       winbind scan trusted domains = no
+       winbind use krb5 enterprise principals = yes
 
 [sub_dug]
        path = $share_dir/D_%D/U_%U/G_%G
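Review bot: adding `winbind scan trusted domains = no` and `winbind use krb5 enterprise principals = yes` to the shared ad_member smb.conf changes behaviour for every test that runs in ad_member, not only pam_winbind, and leaves the default configuration (scanning on, enterprise principals off) untested in this environment. Consider keeping the defaults here and putting the two options into a dedicated environment, or at least list the knownfail entries this change is expected to flip so reviewers can see the blast radius.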
@@ -493,6 +495,26 @@ sub setup_ad_member
        $ret->{DC_USERNAME} = $dcvars->{USERNAME};
        $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
 
+       # forest trust
+       $ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER};
+       $ret->{TRUST_F_BOTH_SERVER_IP} = $trustvars_f->{SERVER_IP};
+       $ret->{TRUST_F_BOTH_SERVER_IPV6} = $trustvars_f->{SERVER_IPV6};
+       $ret->{TRUST_F_BOTH_NETBIOSNAME} = $trustvars_f->{NETBIOSNAME};
+       $ret->{TRUST_F_BOTH_USERNAME} = $trustvars_f->{USERNAME};
+       $ret->{TRUST_F_BOTH_PASSWORD} = $trustvars_f->{PASSWORD};
+       $ret->{TRUST_F_BOTH_DOMAIN} = $trustvars_f->{DOMAIN};
+       $ret->{TRUST_F_BOTH_REALM} = $trustvars_f->{REALM};
+
+       # external trust
+       $ret->{TRUST_E_BOTH_SERVER} = $trustvars_e->{SERVER};
+       $ret->{TRUST_E_BOTH_SERVER_IP} = $trustvars_e->{SERVER_IP};
+       $ret->{TRUST_E_BOTH_SERVER_IPV6} = $trustvars_e->{SERVER_IPV6};
+       $ret->{TRUST_E_BOTH_NETBIOSNAME} = $trustvars_e->{NETBIOSNAME};
+       $ret->{TRUST_E_BOTH_USERNAME} = $trustvars_e->{USERNAME};
+       $ret->{TRUST_E_BOTH_PASSWORD} = $trustvars_e->{PASSWORD};
+       $ret->{TRUST_E_BOTH_DOMAIN} = $trustvars_e->{DOMAIN};
+       $ret->{TRUST_E_BOTH_REALM} = $trustvars_e->{REALM};
+
        return $ret;
 }
 
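Review bot: `$trustvars_f` and `$trustvars_e` are dereferenced without a definedness check; if setup_ad_member is reached through a path that passes only `$dcvars`, the sixteen `TRUST_*_BOTH_*` entries become undef and tests.py plans tests with empty arguments instead of failing early. A `die` when either hashref is missing would make that misconfiguration visible. The two copy blocks are also identical apart from the prefix; a loop over (`F` => $trustvars_f, `E` => $trustvars_e) and the eight keys would remove the repetition.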
diff --git a/selftest/tests.py b/selftest/tests.py
index 3377e7826bd..69b1d4c7d0c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -213,27 +213,156 @@ planpythontestsuite("none", "samba.tests.tdb_util")
 planpythontestsuite("none", "samba.tests.samdb_api")
 
 if with_pam:
-    plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
-                  [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$SERVER", "$USERNAME", "$PASSWORD"])
-    plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
-                  [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
-
-    for pam_options in ["''", "use_authtok", "try_authtok"]:
-        plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % 
pam_options, "ad_member",
-                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind_chauthtok.sh"),
-                       valgrindify(python), pam_wrapper_so_path, 
pam_set_items_so_path,
-                       "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", 
"newp@ssword0",
-                       pam_options, 'yes',
-                       "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
-
-    plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", 
"ad_member",
-                  [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
-                   valgrindify(python), pam_wrapper_so_path,
-                   "$DOMAIN", "alice", "Secret007"])
+    env = "ad_member"
+    options = [
+        {
+            "description": "krb5",
+            "pam_options": "krb5_auth krb5_ccache_type=FILE",
+        },
+        {
+            "description": "default",
+            "pam_options": "",
+        },
+    ]
+    for o in options:
+        description = o["description"]
+        pam_options = "'%s'" % o["pam_options"]
+
+        plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$SERVER", "$USERNAME", "$PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$REALM", "$DC_USERNAME", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both1+%s)" % 
description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$TRUST_F_BOTH_DOMAIN",
+                       "$TRUST_F_BOTH_USERNAME",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both2+%s)" % 
description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$TRUST_F_BOTH_REALM",
+                       "$TRUST_F_BOTH_USERNAME",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both3+%s)" % 
description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''",
+                       "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both4+%s)" % 
description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "''",
+                       "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both5+%s)" % 
description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "${TRUST_F_BOTH_REALM}",
+                       "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_f_both6+%s)" % 
description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "${TRUST_F_BOTH_DOMAIN}",
+                       "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}",
+                       "$TRUST_F_BOTH_PASSWORD",
+                       pam_options])
+        plantestsuite("samba.tests.pam_winbind(trust_e_both1+%s)" % 
description, env,
+                      [os.path.join(srcdir(), 
"python/samba/tests/test_pam_winbind.sh"),
+                       valgrindify(python), pam_wrapper_so_path,
+                       "$TRUST_E_BOTH_DOMAIN",
+                       "$TRUST_E_BOTH_USERNAME",
+                       "$TRUST_E_BOTH_PASSWORD",
+                       pam_options])
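Review bot: the thirteen `plantestsuite` calls inside the `for o in options` loop are identical except for the name suffix and the three DOMAIN/USERNAME/PASSWORD arguments, which makes it hard to see at a glance which name variations are covered and invites copy errors when a variant is added. A data table with one inner loop would make the coverage auditable, e.g. `for suffix, domain, user, pw in [("domain1", "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"), ("domain3", "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD"), ...]:` followed by a single `plantestsuite("samba.tests.pam_winbind(%s+%s)" % (suffix, description), env, [script, valgrindify(python), pam_wrapper_so_path, domain, user, pw, pam_options])`. Two smaller points: the literal `"''"` used as the empty DOMAIN argument in domain3/4 and trust_f_both3/4 relies on the argument list being expanded by a shell that strips the quotes (the same idiom the removed code used for `pam_options`), so a short comment that an empty DOMAIN selects the UPN path would help the next reader; and the `pam_winbind_chauthtok` and `pam_winbind_warn_pwd_expire` suites removed at the top of the hunk do not reappear in the visible part, so please confirm they are restored further down (the header announces 156 added lines) rather than dropped along with the refactoring.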


-- 
Samba Shared Repository