The branch, master has been updated
via 7dc181757c7 gp: Send list of keys instead of dict to remove
via ee814f7707a gp: Test disabled enrollment unapplies policy
via 2a6ae997f24 gp: Template changes should invalidate cache
via 2d6943a8644 gp: Test adding new cert templates enforces changes
via 157335ee93e gp: Convert CA certificates to base64
via 1ef722cf66f gp: Test with binary content for certificate data
via bce3a892045 gp: Change root cert extension suffix
via fa80d1d8643 gp: Support update-ca-trust helper
via a1b285e485c gp: Support more global trust directories
via 776597bce92 samba-tool: Allow LDB URL to be None
via 8e7a62b6ffa waf: Build nmbd with -Wno-error=stringop-overflow
from c7672779128 util: Avoid logging to multiple backends for
stdout/stderr
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Wed Aug 16 12:33:59 2023 +0300
gp: Send list of keys instead of dict to remove
`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224
commit ee814f7707a8ddef2657212cd6d31799501b7bb3
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Fri Aug 18 17:26:59 2023 +0300
gp: Test disabled enrollment unapplies policy
For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Wed Aug 16 12:37:17 2023 +0300
gp: Template changes should invalidate cache
If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
taken into account.
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
commit 2d6943a864405f324c467e8c3464c31ac08457b0
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Fri Aug 18 17:16:23 2023 +0300
gp: Test adding new cert templates enforces changes
Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
commit 157335ee93eb866f9b6a47486a5668d6e76aced5
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Wed Aug 16 12:20:11 2023 +0300
gp: Convert CA certificates to base64
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:
'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte
We found a fix to be encoding the certificate to base64 when
constructing the CA list.
Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Fri Aug 18 17:06:43 2023 +0300
gp: Test with binary content for certificate data
This fails all GPO-related tests that call `gpupdate --rsop`.
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
commit bce3a89204545dcab5fb39a712590f6e166f997b
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Fri Aug 11 18:46:42 2023 +0300
gp: Change root cert extension suffix
On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
commit fa80d1d86439749c44e60cf9075e84dc9ed3c268
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Thu Aug 17 01:09:28 2023 +0300
gp: Support update-ca-trust helper
This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f
Author: Gabriel Nagy <gabriel.n...@canonical.com>
Date: Thu Aug 17 01:05:54 2023 +0300
gp: Support more global trust directories
In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).
To determine the correct directory to use, we iterate over the variants
and stop at the first which is a directory.
In case none is found, fallback to the first option which will produce a
warning as it did previously.
Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: David Mulder <dmul...@samba.org>
commit 776597bce922d291257e34f1e3304227265a1dbc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Aug 25 12:14:23 2023 +1200
samba-tool: Allow LDB URL to be None
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15458
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 8e7a62b6ffa0d78bbe8a606e2b3087572cdcf713
Author: Andreas Schneider <a...@samba.org>
Date: Tue Aug 22 15:52:16 2023 +0200
waf: Build nmbd with -Wno-error=stringop-overflow
We use strlcpy() which has been added to glibc recently. This means we
also get fortification for strlcpy() now:
source3/nmbd/nmbd_browsesync.c: In function
‘find_domain_master_name_query_success’:
source3/nmbd/nmbd_browsesync.c:337:9: warning: ‘strlcpy’ writing 257 bytes
into a
region of size 16 overflows the destination [-Wstringop-overflow=]
337 | strlcpy(userdata->data, work->work_group, size -
sizeof(*userdata));
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We allocate memory for the userdata struct + fstring. However the data
pointer we use only is 16 bytes. Also nowadays you would use offsetof()
for the allocation calculation, but it only works correctly on newer
compilers like gcc > 7. We could make use of it in future after CentOS 7
is gone.
As we don't want to touch nmbd anymore, just silence the warnings.
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
buildtools/wafsamba/samba_autoconf.py | 3 +
python/samba/gp/gp_cert_auto_enroll_ext.py | 43 +++++++----
python/samba/netcmd/domain/level.py | 2 +-
python/samba/tests/bin/cepces-submit | 3 +-
python/samba/tests/gpo.py | 110 +++++++++++++++++++++++++++--
source3/nmbd/wscript_build | 5 ++
6 files changed, 148 insertions(+), 18 deletions(-)
Changeset truncated at 500 lines:
diff --git a/buildtools/wafsamba/samba_autoconf.py
b/buildtools/wafsamba/samba_autoconf.py
index 8541d003e2a..7cebcca40c5 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -817,6 +817,9 @@ int main(void) {
if CHECK_CFLAGS(conf, ["-Wno-error=array-bounds"]):
conf.define('HAVE_WNO_ERROR_ARRAY_BOUNDS', 1)
+ if CHECK_CFLAGS(conf, ["-Wno-error=stringop-overflow"]):
+ conf.define('HAVE_WNO_ERROR_STRINGOP_OVERFLOW', 1)
+
if not Options.options.disable_warnings_as_errors:
conf.ADD_NAMED_CFLAGS('PICKY_CFLAGS', '-Werror
-Wno-error=deprecated-declarations', testflags=True)
conf.ADD_NAMED_CFLAGS('PICKY_CFLAGS',
'-Wno-error=tautological-compare', testflags=True)
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py
b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 312c8ddf467..64c35782ae8 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -45,10 +45,12 @@ cert_wrap = b"""
-----BEGIN CERTIFICATE-----
%s
-----END CERTIFICATE-----"""
-global_trust_dir = '/etc/pki/trust/anchors'
endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \
'_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP'
+global_trust_dirs = ['/etc/pki/trust/anchors', # SUSE
+ '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora
+ '/usr/local/share/ca-certificates'] # Debian/Ubuntu
def octet_string_to_objectGUID(data):
"""Convert an octet string to an objectGUID."""
@@ -156,7 +158,7 @@ def fetch_certification_authorities(ldb):
for es in res:
data = { 'name': get_string(es['cn'][0]),
'hostname': get_string(es['dNSHostName'][0]),
- 'cACertificate': get_string(es['cACertificate'][0])
+ 'cACertificate':
get_string(base64.b64encode(es['cACertificate'][0]))
}
result.append(data)
return result
@@ -174,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None):
return {'msPKI-Minimal-Key-Size': ['2048']}
def format_root_cert(cert):
- cert = base64.b64encode(cert.encode())
- return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL)
+ return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0,
re.DOTALL)
def find_cepces_submit():
certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger',
@@ -239,7 +240,8 @@ def getca(ca, url, trust_dir):
certs = load_der_pkcs7_certificates(r.content)
for i in range(0, len(certs)):
cert = certs[i].public_bytes(Encoding.PEM)
- dest = '%s.%d' % (root_cert, i)
+ filename, extension = root_cert.rsplit('.', 1)
+ dest = '%s.%d.%s' % (filename, i, extension)
with open(dest, 'wb') as w:
w.write(cert)
root_certs.append(dest)
@@ -249,12 +251,29 @@ def getca(ca, url, trust_dir):
return root_certs
+def find_global_trust_dir():
+ """Return the global trust dir using known paths from various Linux
distros."""
+ for trust_dir in global_trust_dirs:
+ if os.path.isdir(trust_dir):
+ return trust_dir
+ return global_trust_dirs[0]
+
+def update_ca_command():
+ """Return the command to update the CA trust store."""
+ return which('update-ca-certificates') or which('update-ca-trust')
+
+def changed(new_data, old_data):
+ """Return True if any key present in both dicts has changed."""
+ return any((new_data[k] != old_data[k] if k in old_data else False) \
+ for k in new_data.keys())
+
def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
"""Install the root certificate chain."""
data = dict({'files': [], 'templates': []}, **ca)
url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
root_certs = getca(ca, url, trust_dir)
data['files'].extend(root_certs)
+ global_trust_dir = find_global_trust_dir()
for src in root_certs:
# Symlink the certs to global trust dir
dst = os.path.join(global_trust_dir, os.path.basename(src))
@@ -273,7 +292,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir,
auth='Kerberos'):
# already exists. Ignore the FileExistsError. Preserve the
# existing symlink in the unapply data.
data['files'].append(dst)
- update = which('update-ca-certificates')
+ update = update_ca_command()
if update is not None:
Popen([update]).wait()
# Setup Certificate Auto Enrollment
@@ -337,12 +356,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
# If the policy has changed, unapply, then apply new policy
old_val = self.cache_get_attribute_value(guid, attribute)
old_data = json.loads(old_val) if old_val is not None else {}
- if all([(ca[k] == old_data[k] if k in old_data else False) \
- for k in ca.keys()]) or \
- self.cache_get_apply_state() == GPOSTATE.ENFORCE:
+ templates = ['%s.%s' % (ca['name'], t.decode()) for t in
get_supported_templates(ca['hostname'])]
+ new_data = { 'templates': templates, **ca }
+ if changed(new_data, old_data) or self.cache_get_apply_state() ==
GPOSTATE.ENFORCE:
self.unapply(guid, attribute, old_val)
- # If policy is already applied, skip application
- if old_val is not None and \
+ # If policy is already applied and unchanged, skip application
+ if old_val is not None and not changed(new_data, old_data) and \
self.cache_get_apply_state() != GPOSTATE.ENFORCE:
return
@@ -396,7 +415,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
# remove any existing policy
ca_attrs = \
self.cache_get_all_attribute_values(gpo.name)
- self.clean(gpo.name, remove=ca_attrs)
+ self.clean(gpo.name, remove=list(ca_attrs.keys()))
def __read_cep_data(self, guid, ldb, end_point_information,
trust_dir, private_dir):
diff --git a/python/samba/netcmd/domain/level.py
b/python/samba/netcmd/domain/level.py
index c4361eed342..7300561c30c 100644
--- a/python/samba/netcmd/domain/level.py
+++ b/python/samba/netcmd/domain/level.py
@@ -69,7 +69,7 @@ class cmd_domain_level(Command):
domain_dn = samdb.domain_dn()
in_transaction = False
- if subcommand == "raise" and not H.startswith("ldap"):
+ if subcommand == "raise" and (H is None or not H.startswith("ldap")):
samdb.transaction_start()
in_transaction = True
try:
diff --git a/python/samba/tests/bin/cepces-submit
b/python/samba/tests/bin/cepces-submit
index 668682a9f58..de63164692b 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
@@ -14,4 +14,5 @@ if __name__ == "__main__":
assert opts.auth == 'Kerberos'
if 'CERTMONGER_OPERATION' in os.environ and \
os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
- print('Machine') # Report a Machine template
+ templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES',
'Machine').split(',')
+ print('\n'.join(templates)) # Report the requested templates
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 442c1c00d02..fc72ca8b7cc 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -281,6 +281,28 @@ b"""
</PolFile>
"""
+auto_enroll_unchecked_reg_pol = \
+b"""
+<?xml version="1.0" encoding="utf-8"?>
+<PolFile num_entries="3" signature="PReg" version="1">
+ <Entry type="4" type_name="REG_DWORD">
+
<Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+ <ValueName>AEPolicy</ValueName>
+ <Value>0</Value>
+ </Entry>
+ <Entry type="4" type_name="REG_DWORD">
+
<Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+ <ValueName>OfflineExpirationPercent</ValueName>
+ <Value>10</Value>
+ </Entry>
+ <Entry type="1" type_name="REG_SZ">
+
<Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+ <ValueName>OfflineExpirationStoreNames</ValueName>
+ <Value>MY</Value>
+ </Entry>
+</PolFile>
+"""
+
advanced_enroll_reg_pol = \
b"""
<?xml version="1.0" encoding="utf-8"?>
@@ -6896,14 +6918,14 @@ class GPOTests(tests.TestCase):
ldb.add({'dn': certa_dn,
'objectClass': 'certificationAuthority',
'authorityRevocationList': ['XXX'],
- 'cACertificate': 'XXX',
+ 'cACertificate':
b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
'certificateRevocationList': ['XXX'],
})
# Write the dummy pKIEnrollmentService
enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn)
ldb.add({'dn': enroll_dn,
'objectClass': 'pKIEnrollmentService',
- 'cACertificate': 'XXXX',
+ 'cACertificate':
b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
'certificateTemplates': ['Machine'],
'dNSHostName': hostname,
})
@@ -6925,6 +6947,23 @@ class GPOTests(tests.TestCase):
self.assertTrue(os.path.exists(machine_crt),
'Machine key was not generated')
+ # Subsequent apply should react to new certificate templates
+ os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] =
'Machine,Workstation'
+ self.addCleanup(os.environ.pop,
'CEPCES_SUBMIT_SUPPORTED_TEMPLATES')
+ ext.process_group_policy([], gpos, dname, dname)
+ self.assertTrue(os.path.exists(ca_crt),
+ 'Root CA certificate was not requested')
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine certificate was not requested')
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine key was not generated')
+ workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca_cn)
+ self.assertTrue(os.path.exists(workstation_crt),
+ 'Workstation certificate was not requested')
+ workstation_key = os.path.join(dname, '%s.Workstation.key' % ca_cn)
+ self.assertTrue(os.path.exists(workstation_crt),
+ 'Workstation key was not generated')
+
# Verify RSOP does not fail
ext.rsop([g for g in gpos if g.name == guid][0])
@@ -6932,6 +6971,38 @@ class GPOTests(tests.TestCase):
ret = rsop(self.lp)
self.assertEquals(ret, 0, 'gpupdate --rsop failed!')
+ # Remove policy by staging pol file with auto-enroll unchecked
+
parser.load_xml(etree.fromstring(auto_enroll_unchecked_reg_pol.strip()))
+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+ ext.process_group_policy([], gpos, dname, dname)
+ self.assertFalse(os.path.exists(ca_crt),
+ 'Root CA certificate was not removed')
+ self.assertFalse(os.path.exists(machine_crt),
+ 'Machine certificate was not removed')
+ self.assertFalse(os.path.exists(machine_crt),
+ 'Machine key was not removed')
+ self.assertFalse(os.path.exists(workstation_crt),
+ 'Workstation certificate was not removed')
+ self.assertFalse(os.path.exists(workstation_crt),
+ 'Workstation key was not removed')
+
+ # Reapply policy by staging the enabled pol file
+ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip()))
+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file))
+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
+ ext.process_group_policy([], gpos, dname, dname)
+ self.assertTrue(os.path.exists(ca_crt),
+ 'Root CA certificate was not requested')
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine certificate was not requested')
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine key was not generated')
+ self.assertTrue(os.path.exists(workstation_crt),
+ 'Workstation certificate was not requested')
+ self.assertTrue(os.path.exists(workstation_crt),
+ 'Workstation key was not generated')
+
# Remove policy
gp_db = store.get_gplog(machine_creds.get_username())
del_gpos = get_deleted_gpos_list(gp_db, [])
@@ -6942,11 +7013,17 @@ class GPOTests(tests.TestCase):
'Machine certificate was not removed')
self.assertFalse(os.path.exists(machine_crt),
'Machine key was not removed')
+ self.assertFalse(os.path.exists(workstation_crt),
+ 'Workstation certificate was not removed')
+ self.assertFalse(os.path.exists(workstation_crt),
+ 'Workstation key was not removed')
out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate()
self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed')
out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate()
self.assertNotIn(b'Machine', out,
'Machine certificate not removed')
+ self.assertNotIn(b'Workstation', out,
+ 'Workstation certificate not removed')
# Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate
ldb.delete(certa_dn)
@@ -7448,14 +7525,14 @@ class GPOTests(tests.TestCase):
ldb.add({'dn': certa_dn,
'objectClass': 'certificationAuthority',
'authorityRevocationList': ['XXX'],
- 'cACertificate': 'XXX',
+ 'cACertificate':
b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
'certificateRevocationList': ['XXX'],
})
# Write the dummy pKIEnrollmentService
enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn)
ldb.add({'dn': enroll_dn,
'objectClass': 'pKIEnrollmentService',
- 'cACertificate': 'XXXX',
+ 'cACertificate':
b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I',
'certificateTemplates': ['Machine'],
'dNSHostName': hostname,
})
@@ -7480,6 +7557,25 @@ class GPOTests(tests.TestCase):
self.assertTrue(os.path.exists(machine_crt),
'Machine key was not generated')
+ # Subsequent apply should react to new certificate templates
+ os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] =
'Machine,Workstation'
+ self.addCleanup(os.environ.pop,
'CEPCES_SUBMIT_SUPPORTED_TEMPLATES')
+ ext.process_group_policy([], gpos, dname, dname)
+ for ca in ca_list:
+ self.assertTrue(os.path.exists(ca_crt),
+ 'Root CA certificate was not requested')
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine certificate was not requested')
+ self.assertTrue(os.path.exists(machine_crt),
+ 'Machine key was not generated')
+
+ workstation_crt = os.path.join(dname, '%s.Workstation.crt' %
ca)
+ self.assertTrue(os.path.exists(workstation_crt),
+ 'Workstation certificate was not requested')
+ workstation_key = os.path.join(dname, '%s.Workstation.key' %
ca)
+ self.assertTrue(os.path.exists(workstation_crt),
+ 'Workstation key was not generated')
+
# Verify RSOP does not fail
ext.rsop([g for g in gpos if g.name == guid][0])
@@ -7497,12 +7593,18 @@ class GPOTests(tests.TestCase):
'Machine certificate was not removed')
self.assertFalse(os.path.exists(machine_crt),
'Machine key was not removed')
+ self.assertFalse(os.path.exists(workstation_crt),
+ 'Workstation certificate was not removed')
+ self.assertFalse(os.path.exists(workstation_crt),
+ 'Workstation key was not removed')
out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate()
for ca in ca_list:
self.assertNotIn(get_bytes(ca), out, 'CA was not removed')
out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate()
self.assertNotIn(b'Machine', out,
'Machine certificate not removed')
+ self.assertNotIn(b'Workstation', out,
+ 'Workstation certificate not removed')
# Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate
ldb.delete(certa_dn)
diff --git a/source3/nmbd/wscript_build b/source3/nmbd/wscript_build
index 22057dfb6b0..399cdb44188 100644
--- a/source3/nmbd/wscript_build
+++ b/source3/nmbd/wscript_build
@@ -1,5 +1,9 @@
#!/usr/bin/env python
+nmbd_cflags = ''
+if bld.CONFIG_SET('HAVE_WNO_ERROR_STRINGOP_OVERFLOW'):
+ nmbd_cflags = '-Wno-error=stringop-overflow'
+
bld.SAMBA3_BINARY('nmbd',
source='''
asyncdns.c
@@ -30,6 +34,7 @@ bld.SAMBA3_BINARY('nmbd',
nmbd_workgroupdb.c
nmbd_synclists.c
''',
+ cflags=nmbd_cflags,
deps='''
talloc
tevent
--
Samba Shared Repository
