The branch, master has been updated
via f9ee4db2ba7 s3:utils: use the correct secrets.tdb in
net_use_krb_machine_account()
via ab3fc1595c0 s3:utils: let 'net ads testjoin' fail without valid
machine credentials
via 690c800c33d s3:test_update_keytab_clustered: add net ads testjoin
checks in more places
from 7a440864dde smbd: SMB3 POSIX Extensions statfs() is broken
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f9ee4db2ba74e4f1f1b6d6f32082e5b0fe60f9b9
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 11 18:21:58 2024 +0200
s3:utils: use the correct secrets.tdb in net_use_krb_machine_account()
On a cluster we need to use the ctdb controlled database and not
a local secrets.tdb...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
Autobuild-User(master): Stefan Metzmacher <[email protected]>
Autobuild-Date(master): Fri Sep 20 05:54:43 UTC 2024 on atb-devel-224
commit ab3fc1595c0a2e0aa3719cc2fe4684e9a0a2f9d8
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 18 23:48:00 2024 +0200
s3:utils: let 'net ads testjoin' fail without valid machine credentials
This will allow doing tests and make sure using anonymous credentials
doesn't cause false positive results...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit 690c800c33df4d06d409b9ccfa57e5fa575ab1aa
Author: Stefan Metzmacher <[email protected]>
Date: Thu Sep 19 00:14:56 2024 +0200
s3:test_update_keytab_clustered: add net ads testjoin checks in more places
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source3/script/tests/test_update_keytab_clustered.sh | 16 ++++++++++++++--
source3/utils/net_ads.c | 6 ++++++
source3/utils/net_util.c | 6 +++++-
3 files changed, 25 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/script/tests/test_update_keytab_clustered.sh
b/source3/script/tests/test_update_keytab_clustered.sh
index a0016139db5..0fc299d041c 100755
--- a/source3/script/tests/test_update_keytab_clustered.sh
+++ b/source3/script/tests/test_update_keytab_clustered.sh
@@ -25,6 +25,12 @@ keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k"
keytabs_nosync_kvno="keytab0 keytab1 keytab2 keytab3"
keytabs_all="$keytabs_sync_kvno $keytabs_nosync_kvno"
+check_net_ads_testjoin()
+{
+ UID_WRAPPER_ROOT=1 UID_WRAPPER_INITIAL_RUID=0
UID_WRAPPER_INITIAL_EUID=0 $samba_net ads testjoin
+ return $?
+}
+
# find the biggest vno and store it into global variable vno
get_biggest_vno()
{
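Review bot: check_net_ads_testjoin is only ever used to assert success (net_ads_testjoin_initial, net_ads_testjoin_after_sync and net_ads_testjoin_final in the later hunks of this file), so the rejection path this push adds to net_ads_join_ok() is never asserted directly. A regression that lets `net ads testjoin` succeed with anonymous credentials again would still pass all three checks. If the test environment can cheaply provide a state without a usable machine secret, a `testit_expect_failure` case around the same helper would pin that behaviour. As a minor style point, the trailing `return $?` is redundant because the function already returns the status of its last command.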
@@ -133,6 +139,8 @@ global_inject_conf=$(dirname
$SMB_CONF_PATH)/global_inject.conf
echo "sync machine password script =
$PREFIX_ABS/clusteredmember/updatekeytab.sh" >$global_inject_conf
UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config
+testit "net_ads_testjoin_initial" check_net_ads_testjoin || failed=$((failed +
1))
+
# To have both old and older password we do one unnecessary password change:
testit "wbinfo_change_secret_initial" \
"$samba_wbinfo" --change-secret --domain="${DOMAIN}" \
@@ -145,12 +153,14 @@ testit "wbinfo_check_secret_initial" \
# Create/sync all keytabs
testit "net_ads_keytab_sync" test_keytab_create || failed=$((failed + 1))
-testit "wbinfo_change_secret" \
+testit "net_ads_testjoin_after_sync" check_net_ads_testjoin ||
failed=$((failed + 1))
+
+testit "wbinfo_change_secret_after_sync" \
test_pwd_change "wbinfo_changesecret" \
"$samba_wbinfo --change-secret --domain=${DOMAIN}" \
|| failed=$((failed + 1))
-testit "wbinfo_check_secret" \
+testit "wbinfo_check_secret_after_sync" \
"$samba_wbinfo" --check-secret --domain="${DOMAIN}" \
|| failed=$((failed + 1))
@@ -159,6 +169,8 @@ test_smbclient "Test machine login with the changed secret"
\
--machine-pass ||
failed=$((failed + 1))
+testit "net_ads_testjoin_final" check_net_ads_testjoin || failed=$((failed +
1))
+
echo "" >$global_inject_conf
UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 577834d96b5..0e5da492faf 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1556,6 +1556,12 @@ static ADS_STATUS net_ads_join_ok(struct net_context *c)
net_use_krb_machine_account(c);
+ if (!cli_credentials_authentication_requested(c->creds)) {
+ DBG_ERR("Failed to get machine credentials\n");
+ TALLOC_FREE(tmp_ctx);
+ return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
+ }
+
get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
status = ads_startup(c, true, tmp_ctx, &ads);
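Review bot: The new guard has no comment saying why a call whose return value is ignored, `net_use_krb_machine_account(c)`, is followed by a check on `c->creds`, and the reason is not obvious from the code alone. Going by the commit message, the intent is to stop anonymous credentials from producing a false positive, so a short comment above the `if` would help, e.g. `/* Without machine credentials c->creds is not usable for authentication; fail instead of reporting a valid join. */`. net_ads_join_ok() starts and ends outside this hunk, so it is not visible here whether `tmp_ctx` is the only resource that needs releasing on this early return.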
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index 93e08cafbf1..5039902bc5e 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -259,12 +259,16 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct
cli_state **cli_dst,
int net_use_krb_machine_account(struct net_context *c)
{
+ struct db_context *db_ctx = NULL;
+
if (!secrets_init()) {
d_fprintf(stderr,_("ERROR: Unable to open secrets database\n"));
exit(1);
}
- cli_credentials_set_machine_account(c->creds, c->lp_ctx);
+ db_ctx = secrets_db_ctx();
+
+ cli_credentials_set_machine_account_db_ctx(c->creds, c->lp_ctx, db_ctx);
c->explicit_credentials = true;
return 0;
}
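Review bot: The result of `cli_credentials_set_machine_account_db_ctx()` is discarded at the new call, and the function still sets `c->explicit_credentials = true` and returns 0 regardless, so callers cannot tell a loaded machine account from a failed lookup. In this push the only place that notices is the added `cli_credentials_authentication_requested()` check in net_ads_join_ok(); as far as this diff shows, any other caller of net_use_krb_machine_account() carries on with whatever credential state is left behind. Assuming the call returns an NTSTATUS, consider capturing it and at least logging the failure: `status = cli_credentials_set_machine_account_db_ctx(c->creds, c->lp_ctx, db_ctx);` followed by `if (!NT_STATUS_IS_OK(status)) { DBG_WARNING("machine account: %s\n", nt_errstr(status)); }`. Whether the function should also return non-zero depends on callers outside this diff.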