The branch, v4-10-test has been updated
via f19881f6198 fault.c: improve fault_report message text pointing to our wiki
via 56379945161 selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
via abd2d22cdda selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
via fd097f0b3bb selftest/tests.py: test pam_winbind with a lot of username variations
via fe13bfcdfdc selftest/tests.py: test pam_winbind with krb5_auth
via 9bb73edc69c selftest/tests.py: prepare looping over pam_winbindd tests
via 8118fc89262 test_pam_winbind.sh: allow different pam_winbindd config options to be specified
via 6bc0549bfde tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
via f2283616011 tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
via 956618ac6da s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
via 4760bbaae22 docs-xml: add "winbind use krb5 enterprise principals" option
via aa1e8e53551 krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
via d7f0baf2f54 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
via 73608fced20 s4:auth: kinit_to_ccache() should always use the canonicalized principal
via be9ea381530 krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
via 03477632b62 s3:libads/kerberos: always use the canonicalized principal after kinit
via aeaffacb9c8 s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
via 45a078db792 s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
via e620cad350e s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
via 9f2d5ae0c59 s4:auth: use the correct client realm in gensec_gssapi_update_internal()
via 05eb45e1d37 s3/libads: clang: Fix Value stored to 'canon_princ' is never read
from eaecffd63db classicupgrade: fix a a bytes-like object is required, not 'str' error
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test
- Log -----------------------------------------------------------------
commit f19881f6198a006a281a11ea2f2952213c213e08
Author: Björn Jacke <[email protected]>
Date: Mon Sep 23 08:57:33 2019 +0200
fault.c: improve fault_report message text pointing to our wiki
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14139
Signed-off-by: Bjoern Jacke <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
(cherry picked from commit ec4c5975528f3d3ab9c8813e176c6d1a2f1ca506)
Autobuild-User(v4-10-test): Karolin Seeger <[email protected]>
Autobuild-Date(v4-10-test): Thu Sep 26 04:49:25 UTC 2019 on sn-devel-144
commit 563799451611d0c452cd639a1c31c03474252672
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 18 08:10:26 2019 +0200
selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
This demonstrates that we can do krb5_auth in winbindd without knowing about
trusted domains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
Autobuild-User(master): Günther Deschner <[email protected]>
Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184
(similar to commit 0ee085b594878f5e0e83839f465303754f015459)
commit abd2d22cdda79baf89a9115c17aeae2d91695e26
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 18 08:02:38 2019 +0200
selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
This demonstrates that we rely on knowing about trusted domains before
we can do krb5_auth in winbindd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(similar to commit e2737a74d4453a3d65e5466ddc4405d68444df27)
commit fd097f0b3bb9560a59f7d7e6ef50d113fcff6641
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 18 14:03:34 2019 +0200
selftest/tests.py: test pam_winbind with a lot of username variations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit f07b542c61f84a97c097208e10bf9375ddfa9a15)
commit fe13bfcdfdcb3590df1da5fd592c6c2e15935d53
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 18 08:08:57 2019 +0200
selftest/tests.py: test pam_winbind with krb5_auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6)
commit 9bb73edc69c1b8d58f56ce7ad0f55c3373fd5d4c
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 18 01:25:23 2019 +0200
selftest/tests.py: prepare looping over pam_winbindd tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc)
commit 8118fc89262b5113121db40df71b54f47ce47041
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 18 01:25:58 2019 +0200
test_pam_winbind.sh: allow different pam_winbindd config options to be specified
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1)
commit 6bc0549bfdee6ce28987eeb82201787dcf0f0f62
Author: Stefan Metzmacher <[email protected]>
Date: Fri Sep 20 08:13:28 2019 +0200
tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 653e90485854d978dc522e689cd78c19dcc22a70)
commit f2283616011a4a39aeb97cb865b87aebca7c39e6
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 18 08:04:42 2019 +0200
tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
A failure generated by the AssertionError() checks can be added
to selftest/knownfail.d/*.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit cd3ffaabb568db26e0de5e83178487e5947c4f09)
commit 956618ac6da407a6ac0b60b5165b4050775fa2ab
Author: Stefan Metzmacher <[email protected]>
Date: Fri Jul 19 15:10:09 2019 +0000
s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
We can use enterprise principals (e.g.
[email protected]@PRIMARY.A.EXAMPLE.COM)
and delegate the routing decisions to the KDCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b)
commit 4760bbaae22aede59869577cf6176f10d816ade7
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 11 16:44:43 2019 +0200
docs-xml: add "winbind use krb5 enterprise principals" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 9520652399696010c333a3ce7247809ce5337a91)
commit aa1e8e535519163d03edde2a9e34269c3ce576b4
Author: Stefan Metzmacher <[email protected]>
Date: Fri Sep 13 15:52:25 2019 +0200
krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 3bdf023956e861485be70430112ed38d0a5424f7)
commit d7f0baf2f5431350e57b9bc24f7656fb91a730f5
Author: Stefan Metzmacher <[email protected]>
Date: Fri Sep 13 16:04:30 2019 +0200
s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 303b7e59a286896888ee2473995fc50bb2b5ce5e)
commit 73608fced20bf6ac8a90d4032389c4958e419c43
Author: Stefan Metzmacher <[email protected]>
Date: Fri Sep 13 16:04:30 2019 +0200
s4:auth: kinit_to_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 162b4199493c1f179e775a325a19ae7a136c418b)
commit be9ea381530329c9641ac3858d5c52bfefef06ff
Author: Stefan Metzmacher <[email protected]>
Date: Fri Sep 13 16:04:30 2019 +0200
krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614)
commit 03477632b620d883247ae8c46876cc99879fbaea
Author: Stefan Metzmacher <[email protected]>
Date: Fri Sep 13 16:04:30 2019 +0200
s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 0bced73bed481a8846a6b3e68be85941914390ba)
commit aeaffacb9c889e8074ba91a3b4b6f2ddc305f3f8
Author: Stefan Metzmacher <[email protected]>
Date: Tue Sep 17 08:49:13 2019 +0200
s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9)
commit 45a078db792a2e8fc580c9dda1ca0b03d9c0064d
Author: Stefan Metzmacher <[email protected]>
Date: Tue Sep 17 10:08:10 2019 +0200
s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 361fb0efabfb189526c851107eee49161da2293c)
commit e620cad350e759968fa7c5a3d832c12f2a18fa09
Author: Stefan Metzmacher <[email protected]>
Date: Mon Sep 16 17:14:11 2019 +0200
s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236)
commit 9f2d5ae0c59834ea97682a98f2b69fdec2c98a9f
Author: Stefan Metzmacher <[email protected]>
Date: Tue Sep 17 08:05:09 2019 +0200
s4:auth: use the correct client realm in gensec_gssapi_update_internal()
The function gensec_gssapi_client_creds() may call kinit and get
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use '[email protected]'
but that may be mapped to [email protected] in the background.
It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38)
commit 05eb45e1d3753763283a777b1fd92b8d7936be94
Author: Noel Power <[email protected]>
Date: Thu Aug 8 15:06:28 2019 +0100
s3/libads: clang: Fix Value stored to 'canon_princ' is never read
Fixes:
source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is
never read <--[clang]
canon_princ = me;
^ ~~
1 warning generated.
Signed-off-by: Noel Power <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
(cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290)
-----------------------------------------------------------------------
Summary of changes:
.../winbind/winbindusekrb5enterpriseprincipals.xml | 34 +++++++++
lib/krb5_wrap/krb5_samba.c | 7 +-
lib/util/fault.c | 6 +-
python/samba/tests/pam_winbind.py | 25 +++++--
python/samba/tests/pam_winbind_chauthtok.py | 10 ++-
python/samba/tests/pam_winbind_warn_pwd_expire.py | 10 ++-
python/samba/tests/test_pam_winbind.sh | 12 ++-
python/samba/tests/test_pam_winbind_chauthtok.sh | 4 +-
.../tests/test_pam_winbind_warn_pwd_expire.sh | 20 +++--
selftest/target/Samba3.pm | 2 +
selftest/tests.py | 87 ++++++++++++++++------
source3/libads/authdata.c | 1 +
source3/libads/kerberos.c | 54 +++++++++++---
source3/libads/kerberos_proto.h | 5 +-
source3/libads/kerberos_util.c | 3 +-
source3/libads/krb5_setpw.c | 6 ++
source3/libsmb/cliconnect.c | 41 ++++++++--
source3/utils/net_ads.c | 3 +
source3/winbindd/winbindd_cred_cache.c | 6 ++
source3/winbindd/winbindd_pam.c | 57 ++++++++------
source4/auth/gensec/gensec_gssapi.c | 6 +-
source4/auth/kerberos/kerberos_util.c | 2 +
22 files changed, 311 insertions(+), 90 deletions(-)
create mode 100644
docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 00000000000..bfc11c8636c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>winbindd is able to get kerberos tickets for
+ pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+ </para>
+
+ <para>winbindd (at least on a domain member) is never be able
+ to have a complete picture of the trust topology (which is managed by
the DCs).
+ There might be uPNSuffixes and msDS-SPNSuffixes values,
+ which don't belong to any AD domain at all.
+ </para>
+
+ <para>With <smbconfoption name="winbind scan trusted
domains">no</smbconfoption>
+ winbindd don't even get an incomplete picture of the topology.
+ </para>
+
+ <para>It is not really required to know about the trust topology.
+ We can just rely on the [K]DCs of our primary domain (e.g.
PRIMARY.A.EXAMPLE.COM)
+ and use enterprise principals e.g.
[email protected]@PRIMARY.A.EXAMPLE.COM
+ and follow the WRONG_REALM referrals in order to find the correct DC.
+ The final principal might be [email protected].
+ </para>
+
+ <para>With <smbconfoption name="winbind use krb5 enterprise
principals">yes</smbconfoption>
+ winbindd enterprise principals will be used.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
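Review bot: three sentences in the new parameter description need a grammar pass: "winbindd (at least on a domain member) is never be able" should read "is never able", "winbindd don't even get an incomplete picture" should read "winbindd doesn't even get", and "winbindd enterprise principals will be used" should read "winbindd will use enterprise principals". It would also help administrators to state the dependency between the two options explicitly: with this option set, deciding which realm a user belongs to is delegated to the primary domain's KDCs via WRONG_REALM referrals, which is exactly why "winbind scan trusted domains = no" becomes workable for krb5_auth; the text implies this but never says it.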
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index f0dc86b1859..abdcb308728 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
}
ret = krb5_parse_name(context, utf8_name, principal);
+ if (ret == KRB5_PARSE_MALFORMED) {
+ ret = krb5_parse_name_flags(context, utf8_name,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+ principal);
+ }
TALLOC_FREE(frame);
return ret;
}
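Review bot: the fallback widens what smb_krb5_parse_name() accepts without documenting it: any input that krb5_parse_name() rejects with KRB5_PARSE_MALFORMED (for instance a name containing two '@' signs) is now silently re-parsed as an enterprise principal, so callers can no longer distinguish a genuinely malformed name from an enterprise one. Two suggestions: add a comment above the function stating this, and note that when the second parse also fails `ret` is overwritten, so the caller sees the enterprise-parse error rather than the original KRB5_PARSE_MALFORMED; restricting the fallback to names that actually contain more than one '@' would keep the original error for everything else.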
@@ -2111,14 +2116,12 @@ krb5_error_code
smb_krb5_kinit_password_ccache(krb5_context ctx,
return code;
}
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
/*
* We need to store the principal as returned from the KDC to the
* credentials cache. If we don't do that the KRB5 library is not
* able to find the tickets it is looking for
*/
principal = my_creds.client;
-#endif
code = krb5_cc_initialize(ctx, cc, principal);
if (code) {
goto done;
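Review bot: removing the #ifndef makes `principal = my_creds.client;` apply to Heimdal as well, which is only correct if the Heimdal path also requests canonicalization (the commit message says set_win2k()/set_canonicalize() are now always used, but the option setup is outside this hunk). Please extend the comment above the assignment to say that the client name in my_creds may differ from the one the caller passed in because the KDC canonicalized it, and that this now holds for both MIT and Heimdal; as written the comment still reads like an MIT-only quirk.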
diff --git a/lib/util/fault.c b/lib/util/fault.c
index bde20e33460..d78fc617593 100644
--- a/lib/util/fault.c
+++ b/lib/util/fault.c
@@ -78,7 +78,11 @@ static void fault_report(int sig)
DEBUGSEP(0);
DEBUG(0,("INTERNAL ERROR: Signal %d in pid %d
(%s)",sig,(int)getpid(),SAMBA_VERSION_STRING));
- DEBUG(0,("\nPlease read the Trouble-Shooting section of the Samba
HOWTO\n"));
+ DEBUG(0,("\nIf you are running a recent Samba version, and "
+ "if you think this problem is not yet fixed in the "
+ "latest versions, please consider reporting this "
+ "bug, see "
+ "https://wiki.samba.org/index.php/Bug_Reporting\n"));
DEBUGSEP(0);
smb_panic("internal error");
diff --git a/python/samba/tests/pam_winbind.py
b/python/samba/tests/pam_winbind.py
index 68b05b30d7d..708f408f768 100644
--- a/python/samba/tests/pam_winbind.py
+++ b/python/samba/tests/pam_winbind.py
@@ -26,11 +26,17 @@ class SimplePamTests(samba.tests.TestCase):
domain = os.environ["DOMAIN"]
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc],
[password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
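Review bot: the domain/unix_username branch and the try/except around run_pamtest() are pasted verbatim into three hunks of this file and again into pam_winbind_chauthtok.py and pam_winbind_warn_pwd_expire.py; a small shared helper in a common test module would keep the five copies from drifting. Two small points in this instance: `"%s" % username` is just `username`, and re-raising PamTestError as `AssertionError(str(e))` drops the original traceback, so the failure output no longer shows where inside pypamtest the error came from; including the traceback text in the message would keep that.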
@@ -38,11 +44,17 @@ class SimplePamTests(samba.tests.TestCase):
domain = os.environ["DOMAIN"]
username = os.environ["USERNAME"]
password = "WrongPassword"
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 7 # PAM_AUTH_ERR
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc],
[password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
@@ -52,6 +64,9 @@ class SimplePamTests(samba.tests.TestCase):
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc],
[password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_chauthtok.py
b/python/samba/tests/pam_winbind_chauthtok.py
index e5be3a83ce7..c1d569b3cd0 100644
--- a/python/samba/tests/pam_winbind_chauthtok.py
+++ b/python/samba/tests/pam_winbind_chauthtok.py
@@ -27,10 +27,16 @@ class PamChauthtokTests(samba.tests.TestCase):
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
newpassword = os.environ["NEWPASSWORD"]
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password,
newpassword, newpassword])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc],
[password, newpassword, newpassword])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py
b/python/samba/tests/pam_winbind_warn_pwd_expire.py
index df60bc5ace6..56f5da94f98 100644
--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
@@ -27,11 +27,17 @@ class PasswordExpirePamTests(samba.tests.TestCase):
username = os.environ["USERNAME"]
password = os.environ["PASSWORD"]
warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"])
- unix_username = "%s/%s" % (domain, username)
+ if domain != "":
+ unix_username = "%s/%s" % (domain, username)
+ else:
+ unix_username = "%s" % username
expected_rc = 0 # PAM_SUCCESS
tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
+ try:
+ res = pypamtest.run_pamtest(unix_username, "samba", [tc],
[password])
+ except pypamtest.PamTestError as e:
+ raise AssertionError(str(e))
self.assertTrue(res is not None)
if warn_pwd_expire == 0:
diff --git a/python/samba/tests/test_pam_winbind.sh
b/python/samba/tests/test_pam_winbind.sh
index 0406b108b31..755e67280fa 100755
--- a/python/samba/tests/test_pam_winbind.sh
+++ b/python/samba/tests/test_pam_winbind.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
export PASSWORD
shift 3
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
pam_winbind="$BINDIR/shared/pam_winbind.so"
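Review bot: PAM_OPTIONS becomes a mandatory fourth positional argument, but the hunk adds no argument-count check or usage text for it; a caller that still passes only three arguments silently gets an empty PAM_OPTIONS, and `shift 1` with nothing left to shift fails in some shells when `set -e` is active. A usage line naming the new argument and a `[ $# -ge 1 ] || usage` before the shift would make the contract visible.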
@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
service_file="$service_dir/samba"
mkdir $service_dir
-echo "auth required $pam_winbind debug debug_state" > $service_file
-echo "account required $pam_winbind debug debug_state" >> $service_file
-echo "password required $pam_winbind debug debug_state" >> $service_file
-echo "session required $pam_winbind debug debug_state" >> $service_file
+echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" >
$service_file
+echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >>
$service_file
+echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >>
$service_file
+echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >>
$service_file
PAM_WRAPPER="1"
export PAM_WRAPPER
diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh
b/python/samba/tests/test_pam_winbind_chauthtok.sh
index 5887699300a..48adc81859d 100755
--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
export PAM_WRAPPER_DEBUGLEVEL
case $PAM_OPTIONS in
- use_authtok)
+ *use_authtok*)
PAM_AUTHTOK="$NEWPASSWORD"
export PAM_AUTHTOK
;;
- try_authtok)
+ *try_authtok*)
PAM_AUTHTOK="$NEWPASSWORD"
export PAM_AUTHTOK
;;
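Review bot: both case arms now do exactly the same thing, so they can be collapsed to `*use_authtok*|*try_authtok*)`. The switch from exact to substring matching is also what makes combined option strings such as `krb5_auth use_authtok` work, so a one-line comment saying that PAM_OPTIONS may now carry several space-separated options would save the next reader a trip to selftest/tests.py.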
diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
index 16dede44227..348d2ae8387 100755
--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
@@ -12,6 +12,10 @@ PASSWORD="$3"
export PASSWORD
shift 3
+PAM_OPTIONS="$1"
+export PAM_OPTIONS
+shift 1
+
PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
pam_winbind="$BINDIR/shared/pam_winbind.so"
@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL
WARN_PWD_EXPIRE="50"
export WARN_PWD_EXPIRE
-echo "auth required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m
samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
exit_code=$?
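Review bot: this four-line echo block now appears twice in this script (again below for WARN_PWD_EXPIRE=0) and once more in test_pam_winbind.sh, with only the trailing options varying; a small shell function such as `write_service_file "$service_file" "$extra_options"` would avoid the copies drifting apart and would also be the one place to quote the redirection target (`> "$service_file"`), which is unquoted in every copy.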
@@ -54,10 +58,10 @@ fi
WARN_PWD_EXPIRE="0"
export WARN_PWD_EXPIRE
-echo "auth required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
-echo "account required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "password required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
-echo "session required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+echo "auth required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
+echo "account required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "password required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+echo "session required $pam_winbind debug debug_state
warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m
samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
exit_code=$?
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 2f491441815..70f535e1a49 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -412,6 +412,8 @@ sub setup_ad_member
realm = $dcvars->{REALM}
netbios aliases = foo bar
template homedir = /home/%D/%G/%U
+ winbind scan trusted domains = no
+ winbind use krb5 enterprise principals = yes
[sub_dug]
path = $share_dir/D_%D/U_%U/G_%G
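Review bot: these two lines change the ad_member environment for every test that uses it, not only the pam_winbind suites, and they move it off the defaults ("winbind scan trusted domains = yes", "winbind use krb5 enterprise principals = no"). Please add a comment next to them stating the intent (show that krb5_auth works without any trust-topology knowledge) and confirm that some other environment still exercises the default, non-enterprise kinit path so a regression there is not masked.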
diff --git a/selftest/tests.py b/selftest/tests.py
index 7dbc0a9871f..c9529328359 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -165,27 +165,72 @@ planpythontestsuite("none", "samba.tests.tdb_util",
py3_compatible=True)
planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True)
if with_pam:
- plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
- [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
- valgrindify(python), pam_wrapper_so_path,
- "$SERVER", "$USERNAME", "$PASSWORD"])
- plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
- [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
- valgrindify(python), pam_wrapper_so_path,
- "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
-
- for pam_options in ["''", "use_authtok", "try_authtok"]:
- plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" %
pam_options, "ad_member",
- [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind_chauthtok.sh"),
- valgrindify(python), pam_wrapper_so_path,
pam_set_items_so_path,
- "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0",
"newp@ssword0",
- pam_options, 'yes',
- "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
-
- plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)",
"ad_member",
- [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
- valgrindify(python), pam_wrapper_so_path,
- "$DOMAIN", "alice", "Secret007"])
+ env = "ad_member"
+ options = [
+ {
+ "description": "krb5",
+ "pam_options": "krb5_auth krb5_ccache_type=FILE",
+ },
+ {
+ "description": "default",
+ "pam_options": "",
+ },
+ ]
+ for o in options:
+ description = o["description"]
+ pam_options = "'%s'" % o["pam_options"]
+
+ plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$SERVER", "$USERNAME", "$PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$REALM", "$DC_USERNAME", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+ pam_options])
+
+ for authtok_options in ["", "use_authtok", "try_authtok"]:
+ _pam_options = "'%s %s'" % (o["pam_options"], authtok_options)
+ _description = "%s %s" % (description, authtok_options)
+ plantestsuite("samba.tests.pam_winbind_chauthtok(domain+%s)" %
_description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind_chauthtok.sh"),
+ valgrindify(python), pam_wrapper_so_path,
pam_set_items_so_path,
+ "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0",
"newp@ssword0",
+ _pam_options, 'yes',
+ "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
+
+ plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain+%s)" %
description, env,
+ [os.path.join(srcdir(),
"python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$DOMAIN", "alice", "Secret007",
+ pam_options])
plantestsuite("samba.unittests.krb5samba", "none",
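Review bot: the domain3 and domain4 cases pass the literal string "''" as DOMAIN, and `pam_options` is wrapped in single quotes the same way; both only turn into an empty argument because the command line is later evaluated by a shell. A comment on the `options` list explaining this would help, as would a note on domain6 ($DOMAIN together with user@$REALM) saying whether it is expected to pass or to live in knownfail.d. The loop also now runs pam_winbind(local+krb5) against the local $SERVER account with krb5_auth set; if that case relies on pam_winbind falling back for non-domain users, say so in the description string.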
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 86a1be71bf9..6e6d5b397ff 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
+ NULL, NULL, NULL,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
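Review bot: this caller passes NULL for the new mem_ctx, _canon_principal and _canon_realm parameters, so kerberos_kinit_password_ext() has to treat all three as optional. The visible part of the kerberos.c hunk unconditionally unparses the canonical principal, but the code that stores it through the out-pointers lies beyond the truncation point; please confirm there is an `if (_canon_principal != NULL)` style guard and that a NULL mem_ctx is fine when nothing is handed back.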
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 721c3c2a929..559ec3b7f53 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data,
place in default cache location.
[email protected]
*/
-int kerberos_kinit_password_ext(const char *principal,
+int kerberos_kinit_password_ext(const char *given_principal,
const char *password,
int time_offset,
time_t *expire_time,
@@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ TALLOC_CTX *mem_ctx,
+ char **_canon_principal,
+ char **_canon_realm,
NTSTATUS *ntstatus)
{
+ TALLOC_CTX *frame = talloc_stackframe();
krb5_context ctx = NULL;
krb5_error_code code = 0;
krb5_ccache cc = NULL;
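Review bot: the three new parameters are not described in the function comment whose tail is visible above ("place in default cache location"), and the matching prototype change in kerberos_proto.h is not in the visible diff. The comment should state that mem_ctx, _canon_principal and _canon_realm are optional, that the returned strings are the KDC-canonicalized client principal and realm (which may differ from given_principal, including the realm), and that they are allocated on mem_ctx.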
@@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal,
krb5_creds my_creds;
krb5_get_init_creds_opt *opt = NULL;
smb_krb5_addresses *addr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
ZERO_STRUCT(my_creds);
@@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal,
if (code != 0) {
DBG_ERR("kerberos init context failed (%s)\n",
error_message(code));
+ TALLOC_FREE(frame);
return code;
}
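Review bot: this early return now frees the stack frame, but every other exit in the function goes through `out:`, which is not in the visible hunks; talloc_stackframe() frames must be balanced, so please confirm that `out:` also does TALLOC_FREE(frame) before returning, otherwise the canon_principal/canon_realm strings allocated on it leak on every call.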
@@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal,
krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
}
- DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and
config [%s]\n",
- principal,
- cache_name ? cache_name: krb5_cc_default_name(ctx),
- getenv("KRB5_CONFIG")));
+ DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
+ given_principal,
+ cache_name ? cache_name: krb5_cc_default_name(ctx),
+ getenv("KRB5_CONFIG"));
if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name :
krb5_cc_default_name(ctx), &cc))) {
goto out;
}
- if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
+ if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) {
goto out;
}
@@ -160,7 +167,10 @@ int kerberos_kinit_password_ext(const char *principal,
krb5_get_init_creds_opt_set_forwardable(opt, True);
/* Turn on canonicalization for lower case realm support */
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
+#ifdef SAMBA4_USES_HEIMDAL
+ krb5_get_init_creds_opt_set_win2k(ctx, opt, true);
+ krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);
+#else /* MIT */
krb5_get_init_creds_opt_set_canonicalize(opt, true);
#endif /* MIT */
#if 0
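Review bot: the comment "Turn on canonicalization for lower case realm support" no longer explains why this is done; with enterprise principals the KDC-canonicalized name is what routes the request to the correct realm via WRONG_REALM referrals, and both libraries now request it (set_win2k() plus set_canonicalize() on Heimdal, set_canonicalize() on MIT), so the comment should say so. The `#if 0` block that follows is unrelated dead code and could be dropped in a follow-up.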
@@ -189,10 +199,23 @@ int kerberos_kinit_password_ext(const char *principal,
goto out;
}
- canon_princ = me;
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
canon_princ = my_creds.client;
-#endif /* MIT */
+
+ code = smb_krb5_unparse_name(frame,
+ ctx,
+ canon_princ,
+ &canon_principal);
+ if (code != 0) {
+ goto out;
+ }
+
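Review bot: canon_principal is allocated on `frame` by smb_krb5_unparse_name(); if it is later handed back through _canon_principal it must be moved onto the caller's mem_ctx (talloc_move() or talloc_steal()) before the frame is freed, or the caller receives a dangling pointer. The diff is truncated at this point so this cannot be checked from the visible lines; the tail of the function deserves a second look for that and for the matching handling of canon_realm.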
--
Samba Shared Repository