The branch, master has been updated
       via  f98b766d94a gitlab-ci: Add new runner for samba-admem-fips
       via  242b6cf2c4c autobuild: Use sane random sleep values for 
samba-admem-mit
       via  4fe51b27e0d autobuild: Add ad_member_fips target
       via  55cbdac15e6 selftest: Run some tests against ad_member_fips
       via  984dd6416cd selftest: Add ad_member_fips target
       via  5dc1c312b6e selftest: Add force_fips_mode support to 
provision_ad_member()
       via  c94f6ddccae selftest: Split out a provision_ad_member() function
       via  17a7618a234 selftest: Use Kerberos to join an ad_member
      from  dbfc197f65f s4/torture: Unlink test file at the beginning of 
smb2.read.position

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f98b766d94a778fa2194f3c46a8302fe697499f0
Author: Andreas Schneider <[email protected]>
Date:   Fri May 15 12:08:27 2020 +0200

    gitlab-ci: Add new runner for samba-admem-fips
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>
    
    Autobuild-User(master): Andreas Schneider <[email protected]>
    Autobuild-Date(master): Mon May 18 16:06:06 UTC 2020 on sn-devel-184

commit 242b6cf2c4cc216affb7fb3b0627eb082f79f080
Author: Andreas Schneider <[email protected]>
Date:   Fri May 15 16:09:47 2020 +0200

    autobuild: Use sane random sleep values for samba-admem-mit
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

commit 4fe51b27e0d474eb7ada2f4dbda5872616335462
Author: Andreas Schneider <[email protected]>
Date:   Fri May 15 12:07:04 2020 +0200

    autobuild: Add ad_member_fips target
    
    Reviewed-by: Alexander Bokovoy <[email protected]>

commit 55cbdac15e62e3dadf3bb992ae0dc9b051cf7df5
Author: Andreas Schneider <[email protected]>
Date:   Fri May 15 11:41:55 2020 +0200

    selftest: Run some tests against ad_member_fips
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

commit 984dd6416cd12eeb0abf93aaf658510e4ddb1a3c
Author: Andreas Schneider <[email protected]>
Date:   Fri May 15 11:30:35 2020 +0200

    selftest: Add ad_member_fips target
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

commit 5dc1c312b6edc6d5c9f51c6427c82201816e4cf4
Author: Andreas Schneider <[email protected]>
Date:   Fri May 15 11:30:02 2020 +0200

    selftest: Add force_fips_mode support to provision_ad_member()
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

commit c94f6ddccae9093364b003287a95a43379067dd6
Author: Andreas Schneider <[email protected]>
Date:   Wed May 13 16:54:39 2020 +0200

    selftest: Split out a provision_ad_member() function
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

commit 17a7618a234091e65a560fa83d96e871ef500846
Author: Andreas Schneider <[email protected]>
Date:   Wed May 13 16:43:06 2020 +0200

    selftest: Use Kerberos to join an ad_member
    
    Reviewed-by: Alexander Bokovoy <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci.yml            |  4 +++
 script/autobuild.py       | 14 +++++++-
 selftest/target/Samba3.pm | 90 ++++++++++++++++++++++++++++++++++++++---------
 source4/selftest/tests.py |  8 ++++-
 4 files changed, 98 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4e9a5284429..489ac476784 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -185,6 +185,10 @@ samba-ad-dc-fips:
   extends: .shared_template
   image: $SAMBA_CI_CONTAINER_IMAGE_fedora31
 
+samba-admem-fips:
+  extends: .shared_template
+  image: $SAMBA_CI_CONTAINER_IMAGE_fedora31
+
 .private_template:
   extends: .shared_template
   tags:
diff --git a/script/autobuild.py b/script/autobuild.py
index a9eb980c7aa..840ed4e9648 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -486,7 +486,7 @@ tasks = {
         ],
 
     "samba-admem-mit": [
-        ("random-sleep", random_sleep(300, 900)),
+        ("random-sleep", random_sleep(1, 1)),
         ("configure", "./configure.developer --with-selftest-prefix=./bin/ab 
--with-system-mitkrb5 --with-experimental-mit-ad-dc" + samba_configure_params),
         ("make", "make -j"),
         ("test", make_test(include_envs=[
@@ -499,6 +499,17 @@ tasks = {
         ("check-clean-tree", "script/clean-source-tree.sh"),
         ],
 
+    "samba-admem-fips": [
+        ("random-sleep", random_sleep(1, 1)),
+        ("configure", "./configure.developer --with-selftest-prefix=./bin/ab 
--with-system-mitkrb5 --with-experimental-mit-ad-dc" + samba_configure_params),
+        ("make", "make -j"),
+        ("test", make_test(include_envs=[
+            "ad_member_fips",
+            ])),
+        ("lcov", LCOV_CMD),
+        ("check-clean-tree", "script/clean-source-tree.sh"),
+        ],
+
     "samba-ad-dc-1-mitkrb5": [
         ("random-sleep", random_sleep(1, 1)),
         ("configure", "./configure.developer --with-selftest-prefix=./bin/ab 
--with-system-mitkrb5 --with-experimental-mit-ad-dc" + samba_configure_params),
@@ -828,6 +839,7 @@ defaulttasks.remove("fail")
 defaulttasks.remove("samba-test-only")
 defaulttasks.remove("samba-fuzz")
 defaulttasks.remove("samba-ad-dc-fips")
+defaulttasks.remove("samba-admem-fips")
 if os.environ.get("AUTOBUILD_SKIP_SAMBA_O3", "0") == "1":
     defaulttasks.remove("samba-o3")
 
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index e988ef7210b..d99a59dca73 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -237,6 +237,7 @@ sub check_env($$)
        ad_member_rfc2307   => ["ad_dc_ntvfs"],
        ad_member_idmap_rid => ["ad_dc"],
        ad_member_idmap_ad  => ["fl2008r2dc"],
+       ad_member_fips      => ["ad_dc_fips"],
 
        clusteredmember_smb1 => ["nt4_dc"],
 );
@@ -643,20 +644,18 @@ sub setup_clusteredmember_smb1
        return $ret;
 }
 
-sub setup_ad_member
+sub provision_ad_member
 {
-       my ($self, $prefix, $dcvars, $trustvars_f, $trustvars_e) = @_;
+       my ($self,
+           $prefix,
+           $dcvars,
+           $trustvars_f,
+           $trustvars_e,
+           $force_fips_mode) = @_;
 
        my $prefix_abs = abs_path($prefix);
        my @dirs = ();
 
-       # If we didn't build with ADS, pretend this env was never available
-       if (not $self->have_ads()) {
-               return "UNKNOWN";
-       }
-
-       print "PROVISIONING S3 AD MEMBER...";
-
        mkdir($prefix_abs, 0777);
 
        my $share_dir="$prefix_abs/share";
@@ -747,6 +746,11 @@ sub setup_ad_member
 
        $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
 
+       if (defined($force_fips_mode)) {
+               $ret->{GNUTLS_FORCE_FIPS_MODE} = "1";
+               $ret->{OPENSSL_FORCE_FIPS_MODE} = "1";
+       }
+
        my $net = Samba::bindir_path($self, "net");
        # Add hosts file for name lookups
        my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
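Review bot: The new `if (defined($force_fips_mode))` test treats any defined value as a request for FIPS mode, so a caller passing an explicit `0` would still get `GNUTLS_FORCE_FIPS_MODE` and `OPENSSL_FORCE_FIPS_MODE` set. A truthiness test, `if ($force_fips_mode) {`, matches the flag-like name and the `1` that setup_ad_member_fips passes. The same applies to the second `defined($force_fips_mode)` check in the following hunk, where the join command is built. A one-line comment at the parameter list, such as `# $force_fips_mode: true to run the member and its join with GnuTLS/OpenSSL forced into FIPS mode`, would document the new argument. provision_ad_member's body extends beyond this hunk.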
@@ -756,11 +760,15 @@ sub setup_ad_member
        } else {
                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" 
";
        }
+       if (defined($force_fips_mode)) {
+               $cmd .= "GNUTLS_FORCE_FIPS_MODE=1 ";
+               $cmd .= "OPENSSL_FORCE_FIPS_MODE=1 ";
+       }
        $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
        $cmd .= 
"SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
        $cmd .= "$net join $ret->{CONFIGURATION}";
-       $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+       $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} -k";
 
        if (system($cmd) != 0) {
            warn("Join failed\n$cmd");
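Review bot: The changed `-U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} -k` line keeps the account password inside the shell string handed to `system($cmd)`, and the context line `warn("Join failed\n$cmd")` then writes that string, password included, into the test output when the join fails. These are selftest credentials, but CI logs are often widely readable and the pattern tends to get copied. Reporting the failure without the credential, e.g. `warn("Join failed: $net join $ret->{CONFIGURATION}");`, avoids that. The username and password are also interpolated unquoted, so a value containing shell metacharacters would alter the command; whether that can happen depends on how the DC environment sets them, which is not visible here. The function continues outside this hunk.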
@@ -811,6 +819,24 @@ sub setup_ad_member
        return $ret;
 }
 
+sub setup_ad_member
+{
+       my ($self,
+           $prefix,
+           $dcvars,
+           $trustvars_f,
+           $trustvars_e) = @_;
+
+       # If we didn't build with ADS, pretend this env was never available
+       if (not $self->have_ads()) {
+               return "UNKNOWN";
+       }
+
+       print "PROVISIONING AD MEMBER...";
+
+       return $self->provision_ad_member($prefix, $dcvars, $trustvars_f, 
$trustvars_e);
+}
+
 sub setup_ad_member_rfc2307
 {
        my ($self, $prefix, $dcvars) = @_;
@@ -1112,6 +1138,28 @@ sub setup_ad_member_idmap_ad
        return $ret;
 }
 
+sub setup_ad_member_fips
+{
+       my ($self,
+           $prefix,
+           $dcvars,
+           $trustvars_f,
+           $trustvars_e) = @_;
+
+       # If we didn't build with ADS, pretend this env was never available
+       if (not $self->have_ads()) {
+               return "UNKNOWN";
+       }
+
+       print "PROVISIONING AD FIPS MEMBER...";
+
+       return $self->provision_ad_member($prefix,
+                                         $dcvars,
+                                         $trustvars_f,
+                                         $trustvars_e,
+                                         1);
+}
+
 sub setup_simpleserver
 {
        my ($self, $path) = @_;
@@ -3004,12 +3052,22 @@ sub wait_for_start($$$$$)
 
            my $count = 0;
            do {
-               $cmd = Samba::bindir_path($self, "smbclient");
-               $cmd .= " $envvars->{CONFIGURATION}";
-               $cmd .= " -L $envvars->{SERVER}";
-               $cmd .= " -U%";
-               $cmd .= " -I $envvars->{SERVER_IP}";
-               $cmd .= " -p 139";
+               if (defined($envvars->{GNUTLS_FORCE_FIPS_MODE})) {
+                       # We don't have NTLM in FIPS mode, so lets use
+                       # smbcontrol instead of smbclient.
+                       $cmd = Samba::bindir_path($self, "smbcontrol");
+                       $cmd .= " $envvars->{CONFIGURATION}";
+                       $cmd .= " smbd ping";
+               } else {
+                       # This uses NTLM which is not available in FIPS
+                       $cmd = Samba::bindir_path($self, "smbclient");
+                       $cmd .= " $envvars->{CONFIGURATION}";
+                       $cmd .= " -L $envvars->{SERVER}";
+                       $cmd .= " -U%";
+                       $cmd .= " -I $envvars->{SERVER_IP}";
+                       $cmd .= " -p 139";
+               }
+
                $ret = system($cmd);
                if ($ret != 0) {
                    sleep(1);
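Review bot: In the FIPS branch the readiness probe becomes `smbcontrol ... smbd ping`, which, as far as this hunk shows, confirms that smbd answers a control message rather than that it accepts SMB connections, as the `smbclient -L ... -p 139` probe did. If tests can start before the listener is ready, FIPS runs may become flaky. A comment stating the limitation would help, e.g. `# NOTE: only checks that smbd answers the ping; it does not prove the SMB port is accepting connections`. The branch is selected by `defined($envvars->{GNUTLS_FORCE_FIPS_MODE})`, so it relies on the provisioning code having put that key into the environment hash. wait_for_start begins and ends outside this hunk.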
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 480ea22987f..211a56e689a 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -529,9 +529,15 @@ 
plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
 
 if have_gnutls_crypto_policies:
     plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", 
[os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', 
'$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
-    plantestsuite("samba4.blackbox.weak_crypto.server", "ad_dc_fips", 
[os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', 
'$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
+
+    for env in ["ad_dc_fips", "ad_member_fips"]:
+        plantestsuite("samba4.blackbox.weak_crypto.server", env, 
[os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', 
'$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
     plantestsuite("samba4.blackbox.net_ads_fips", "ad_dc_fips:client", 
[os.path.join(bbdir, "test_net_ads_fips.sh"), '$DC_SERVER', '$DC_USERNAME', 
'$DC_PASSWORD', '$PREFIX_ABS'])
 
+    t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD"
+    plantestsuite("samba3.wbinfo_simple.fips.%s" % t, "ad_member_fips:local", 
[os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t])
+    plantestsuite("samba4.wbinfo_name_lookup.fips", "ad_member_fips", 
[os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_name_lookup.sh"), 
'$DOMAIN', '$REALM', '$DC_USERNAME'])
+
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", 
[valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', 
'-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
 # json tests hook into ``chgdcpass'' to make them run in contributor CI on
 # gitlab
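Review bot: The new loop plans `samba4.blackbox.weak_crypto.server` for both `ad_dc_fips` and `ad_member_fips`, but the prefix argument stays the literal `"$PREFIX/ad_dc_fips"` in both iterations, so the member run would work in the DC environment's directory. If that is not intended, derive it from the loop variable: `"$PREFIX/%s" % env`. If it is intended (for example because the script only needs files from the DC prefix), a short comment saying so would keep someone from "fixing" it later.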


-- 
Samba Shared Repository
