The branch, v4-21-test has been updated
       via  9ca7d637aae s3-net: fix "net ads kerberos" krb5ccname handling
       via  d9fc8dc0d4b s3-selftest: add tests for "net ads kerberos" commands
       via  4750b7b5905 s3/libsmb: check the negative-conn-cache in resolve_ads()
       via  ad604bb46f2 s3/libsmb: check command in make_dc_info_from_cldap_reply()
       via  a0bf6a94267 libads: check for DCs in paused state in ads_try_connect()
       via  e56376504a8 s3/libads: get rid of additional loop calling add_failed_connection_entry()
       via  a9250ab504e s3:libads: let get_kdc_ip_string() check for a blacklisted server name
       via  2994369b3bd s3:libads: let cldap_ping_list() check for a blacklisted server name
       via  49948686de0 winbindd: blacklist servers returning ACCESS_DENIED/authoritative=0
       via  23eeafe43e9 winbindd: always use winbind_add_failed_connection_entry() wrapper
       via  56b975c4ff4 s3:conncache: improve debugging for the negative connection cache
      from  04913d3a42e Add check for the GPO link to have at least two attributes separated by semicolon. Allows to handle empty links.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-test

- Log -----------------------------------------------------------------
commit 9ca7d637aae14c49fa82f3a7becf9b2c1c5f5bf8
Author: Günther Deschner <g...@samba.org>
Date:   Sun Jul 20 18:00:22 2025 +0200

    s3-net: fix "net ads kerberos" krb5ccname handling

    We can only rely on KRB5CCNAME being set; --use-krb5-ccname content is
    not available.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840

    Guenther

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Günther Deschner <g...@samba.org>
    Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224

    (cherry picked from commit 8a97afdae788e8d10a51035f8b287dc00293f90d)

    Autobuild-User(v4-21-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-21-test): Wed Aug 6 09:29:29 UTC 2025 on atb-devel-224

commit d9fc8dc0d4b775e9b17ef8c5b7aee504ca3fafe7
Author: Günther Deschner <g...@samba.org>
Date:   Sun Jul 20 17:59:37 2025 +0200

    s3-selftest: add tests for "net ads kerberos" commands

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840

    Guenther

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 18d0574a0fe4b5fd468f949cfaa507ab4519c9e6)

commit 4750b7b59057bdd97fa34203a6344a2a8b3707b6
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jul 3 18:42:04 2025 +0200

    s3/libsmb: check the negative-conn-cache in resolve_ads()

    This way we throw away blacklisted servers right away when learning
    about them from the DNS SRV query.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

    Autobuild-User(master): Günther Deschner <g...@samba.org>
    Autobuild-Date(master): Wed Jul 30 10:10:21 UTC 2025 on atb-devel-224

    (cherry picked from commit c1ee6fe9a489a8923d607e14d26768935a398849)

commit ad604bb46f203caca18e4bd19d02e33f11621ea3
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jul 2 18:49:51 2025 +0200

    s3/libsmb: check command in make_dc_info_from_cldap_reply()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 5217bd1a2334825fed32f40c57f72464d126aac0)

commit a0bf6a94267364c59c57a8c442ee0cf7860c3b73
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Jul 25 16:51:31 2025 +0200

    libads: check for DCs in paused state in ads_try_connect()

    Similar to d3000d7df09de724694aa0682b9750b8c7767514 in master, 4.21
    doesn't have netlogon_pings().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit e56376504a82080b09ed50c320fddddc0769850d
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Jul 1 18:19:32 2025 +0200

    s3/libads: get rid of additional loop calling add_failed_connection_entry()

    Just call add_failed_connection_entry() in the initial loop at all
    places where we have a "bad" result.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit a397801598eef4b0381a64a37af1845e9e85a50f)

commit a9250ab504ea30dbf64bad54e5f7f4f7393de832
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jul 4 18:07:51 2023 +0200

    s3:libads: let get_kdc_ip_string() check for a blacklisted server name

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 63051a2dcbe3a4a07f029e0c18aa90bd3f56b0a4)

commit 2994369b3bdf5b1fe35a6222a380bf0b6def4588
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 16 13:09:14 2022 +0100

    s3:libads: let cldap_ping_list() check for a blacklisted server name

    If we blacklisted a server we should not use it even if it responds
    to CLDAP requests.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

    Pair-Programmed-With: Ralph Boehme <s...@samba.org>

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 08c8760ad9706b62755e35acaa121647344a4c9e)

commit 49948686de0bd4235f2a4570f0bfd2c5f73567e5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 16 14:23:16 2022 +0100

    winbindd: blacklist servers returning ACCESS_DENIED/authoritative=0

    https://bugzilla.samba.org/show_bug.cgi?id=14981

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit ce80451f3af4418d1c83be009b58b3824c071cae)

commit 23eeafe43e90a62f586a521506ed3d3013852a4e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 16 14:18:50 2022 +0100

    winbindd: always use winbind_add_failed_connection_entry() wrapper

    We should not use add_failed_connection_entry() directly.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 7fed75c495ead8f476c805b91cc6624ebf933427)

commit 56b975c4ff461d79a0ca12cf61a3628315655aab
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 16 14:18:20 2022 +0100

    s3:conncache: improve debugging for the negative connection cache

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 613ac83fb7666f5b132187d5587053e0d7dcd46d) ----------------------------------------------------------------------- Summary of changes: selftest/knownfail | 1 - source3/libads/kerberos.c | 21 ++++ source3/libads/ldap.c | 55 +++++++-- source3/libsmb/conncache.c | 8 +- source3/libsmb/dsgetdcname.c | 6 + source3/libsmb/namequery.c | 25 +++- source3/script/tests/test_net_ads_kerberos.sh | 158 ++++++++++++++++++++++++++ source3/selftest/tests.py | 12 ++ source3/utils/net.c | 15 +++ source3/utils/net.h | 1 + source3/utils/net_ads.c | 6 +- source3/winbindd/winbindd_cm.c | 2 +- source3/winbindd/winbindd_pam.c | 96 +++++++++++++++- source3/winbindd/winbindd_proto.h | 4 + 14 files changed, 383 insertions(+), 27 deletions(-) create mode 100755 source3/script/tests/test_net_ads_kerberos.sh Changeset truncated at 500 lines: diff --git a/selftest/knownfail b/selftest/knownfail index 5f64e4edad0..a7a2e2b2251 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -343,4 +343,3 @@ # We currently don't send referrals for LDAP modify of non-replicated attrs ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* - diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 72ce5b7bb34..106e773f1b6 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c 
@@ -580,11 +580,32 @@ static char *get_kdc_ip_string(char *mem_ctx, for (i=0; i<num_dcs; i++) { char *new_kdc_str; + struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL; + char addr[INET6_ADDRSTRLEN]; if (responses[i] == NULL) { continue; } + if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) { + continue; + } + + print_sockaddr(addr, sizeof(addr), &dc_addrs[i]); + + cldap_reply = &responses[i]->data.nt5_ex; + + if (cldap_reply->pdc_dns_name != NULL) { + status = check_negative_conn_cache( + realm, + cldap_reply->pdc_dns_name); + if (!NT_STATUS_IS_OK(status)) { + /* propagate blacklisting from name to ip */ + add_failed_connection_entry(realm, addr, status); + continue; + } + } + /* Append to the string - inefficient but not done often. */ new_kdc_str = talloc_asprintf_append( kdc_str, diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index a2654c1f504..b9de711b63d 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -280,6 +280,15 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads, goto out; } + if (cldap_reply->command == LOGON_SAM_LOGON_PAUSE_RESPONSE || + cldap_reply->command == LOGON_SAM_LOGON_PAUSE_RESPONSE_EX) + { + DBG_NOTICE("DC %s in paused state\n", addr); + ret = false; + goto out; + } + + /* Fill in the ads->config values */ ADS_TALLOC_CONST_FREE(ads->config.workgroup); 
@@ -520,21 +529,53 @@ again: struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL; char server[INET6_ADDRSTRLEN]; + print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss); + if (responses[i] == NULL) { + add_failed_connection_entry( + domain, + server, + NT_STATUS_INVALID_NETWORK_RESPONSE); continue; } - print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss); - if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) { DBG_NOTICE("realm=[%s] nt_version mismatch: 0x%08x for %s\n", ads->server.realm, responses[i]->ntver, server); + add_failed_connection_entry( + domain, + server, + NT_STATUS_INVALID_NETWORK_RESPONSE); continue; } cldap_reply = &responses[i]->data.nt5_ex; + if (cldap_reply->pdc_dns_name != NULL) { + status = check_negative_conn_cache( + domain, + cldap_reply->pdc_dns_name); + if (!NT_STATUS_IS_OK(status)) { + /* + * only use the server if it's not black listed + * by name + */ + DBG_NOTICE("realm=[%s] server=[%s][%s] " + "black listed: %s\n", + ads->server.realm, + server, + cldap_reply->pdc_dns_name, + nt_errstr(status)); + /* propagate blacklisting from name to ip */ + add_failed_connection_entry(domain, + server, + status); + retry = true; + continue; + } + } + /* Returns ok only if it matches the correct server type */ ok = ads_fill_cldap_reply(ads, false, @@ -573,16 +614,6 @@ again: } } - /* keep track of failures as all were not suitable */ - for (i = 0; i < num_requests; i++) { - char server[INET6_ADDRSTRLEN]; - - print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss); - - add_failed_connection_entry(domain, server, - NT_STATUS_UNSUCCESSFUL); - } - status = NT_STATUS_NO_LOGON_SERVERS; DBG_WARNING("realm[%s] no valid response " "num_requests[%zu] for count[%zu] - %s\n", diff --git a/source3/libsmb/conncache.c b/source3/libsmb/conncache.c index 7310b508a3b..353c1e8f930 100644 --- a/source3/libsmb/conncache.c +++ b/source3/libsmb/conncache.c 
@@ -147,8 +147,9 @@ NTSTATUS check_negative_conn_cache( const char *domain, const char *server) if (gencache_get(key, talloc_tos(), &value, NULL)) result = negative_conn_cache_valuedecode(value); done: - DEBUG(9,("check_negative_conn_cache returning result %d for domain %s " - "server %s\n", NT_STATUS_V(result), domain, server)); + DBG_PREFIX(NT_STATUS_IS_OK(result) ? DBGLVL_DEBUG : DBGLVL_INFO, + ("returning result %s for domain %s " + "server %s\n", nt_errstr(result), domain, server)); TALLOC_FREE(key); TALLOC_FREE(value); return result; @@ -187,7 +188,8 @@ void add_failed_connection_entry(const char *domain, const char *server, if (gencache_set(key, value, time(NULL) + FAILED_CONNECTION_CACHE_TIMEOUT)) DEBUG(9,("add_failed_connection_entry: added domain %s (%s) " - "to failed conn cache\n", domain, server )); + "to failed conn cache %s\n", domain, server, + nt_errstr(result))); else DEBUG(1,("add_failed_connection_entry: failed to add " "domain %s (%s) to failed conn cache\n", diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index 654893c172c..a61c34a9ae3 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -791,6 +791,12 @@ static NTSTATUS make_dc_info_from_cldap_reply( char addr[INET6_ADDRSTRLEN]; + if (r->command == LOGON_SAM_LOGON_PAUSE_RESPONSE || + r->command == LOGON_SAM_LOGON_PAUSE_RESPONSE_EX) + { + return NT_STATUS_NETLOGON_NOT_STARTED; + } + if (sa != NULL) { print_sockaddr(addr, sizeof(addr), &sa->u.ss); dc_address = addr; diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c index 9a47f034d38..779386be39d 100644 --- a/source3/libsmb/namequery.c +++ b/source3/libsmb/namequery.c 
@@ -2576,6 +2576,14 @@ static NTSTATUS resolve_ads(TALLOC_CTX *ctx, for(i = 0; i < numdcs; i++) { /* Copy all the IP addresses from the SRV response */ size_t j; + + status = check_negative_conn_cache(name, dcs[i].hostname); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("Skipping blacklisted server [%s] " + "for domain [%s]", dcs[i].hostname, name); + continue; + } + for (j = 0; j < dcs[i].num_ips; j++) { char addr[INET6_ADDRSTRLEN]; @@ -2584,12 +2592,19 @@ static NTSTATUS resolve_ads(TALLOC_CTX *ctx, continue; } + print_sockaddr(addr, + sizeof(addr), + &srv_addrs[num_srv_addrs]); + DBG_DEBUG("SRV lookup %s got IP[%zu] %s\n", - name, - j, - print_sockaddr(addr, - sizeof(addr), - &srv_addrs[num_srv_addrs])); + name, j, addr); + + status = check_negative_conn_cache(name, addr); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("Skipping blacklisted server [%s] " + "for domain [%s]", addr, name); + continue; + } num_srv_addrs++; } diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh new file mode 100755 index 00000000000..8a3c9ef2bc7 --- /dev/null +++ b/source3/script/tests/test_net_ads_kerberos.sh 
@@ -0,0 +1,158 @@ +#!/bin/sh + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_net_ads_kerberos.sh USERNAME REALM PASSWORD PREFIX +EOF + exit 1 +fi + +USERNAME="$1" +REALM="$2" +PASSWORD="$3" +PREFIX="$4" +shift 4 +ADDARGS="$*" + +incdir=$(dirname "$0")/../../../testprogs/blackbox +. "$incdir"/subunit.sh + +mkdir -p "$PREFIX"/private +PACFILE=$PREFIX/private/pacsave.$$ + +KRB5CCNAME_PATH="$PREFIX/net_ads_kerberos_krb5ccache" +rm -f "$KRB5CCNAME_PATH" + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" + + +################################################# +## Test "net ads kerberos kinit" variants +################################################# + +testit "net_ads_kerberos_kinit" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + || failed=$((failed + 1)) + +export KRB5CCNAME="$KRB5CCNAME_PATH" +testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + || failed=$((failed + 1)) +unset KRB5CCNAME +rm -f "$KRB5CCNAME_PATH" + +# --use-krb5-ccache is not working +#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ +# $VALGRIND $BINDIR/net ads kerberos kinit \ +# -U$USERNAME%$PASSWORD $ADDARGS \ +# --use-krb5-ccache=${KRB5CCNAME} \ +# || failed=$((failed + 1)) + +testit "net_ads_kerberos_kinit (-P)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -P "$ADDARGS" \ + || failed=$((failed + 1)) + +export KRB5CCNAME="$KRB5CCNAME_PATH" +testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -P "$ADDARGS" \ + || failed=$((failed + 1)) +unset KRB5CCNAME +rm -f "$KRB5CCNAME_PATH" + +# --use-krb5-ccache is not working +#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ +# $VALGRIND $BINDIR/net ads kerberos kinit \ +# -P $ADDARGS \ +# --use-krb5-ccache=${KRB5CCNAME} \ +# || failed=$((failed + 1)) + + +################################################# +## Test "net ads kerberos 
renew" variants +################################################# + +#testit "net_ads_kerberos_renew" \ +# $VALGRIND $BINDIR/net ads kerberos renew \ +# -U$USERNAME%$PASSWORD $ADDARGS \ +# || failed=$((failed + 1)) +# +#export KRB5CCNAME=$KRB5CCNAME_PATH +#testit "net_ads_kerberos_renew (KRB5CCNAME env)" \ +# $VALGRIND $BINDIR/net ads kerberos renew \ +# -U$USERNAME%$PASSWORD $ADDARGS \ +# || failed=$((failed + 1)) +#unset KRB5CCNAME +#rm -f $KRB5CCNAME_PATH +# +# renew only succeeds with pre-kinit +export KRB5CCNAME="$KRB5CCNAME_PATH" +testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + || failed=$((failed + 1)) + +testit "net_ads_kerberos_renew" \ + "$VALGRIND" "$BINDIR"/net ads kerberos renew \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + || failed=$((failed + 1)) +unset KRB5CCNAME +rm -f "$KRB5CCNAME_PATH" + + +################################################# +## Test "net ads kerberos pac" variants +################################################# + +testit "net_ads_kerberos_pac_dump" \ + "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + || failed=$((failed + 1)) + +testit "net_ads_kerberos_pac_dump (-P)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \ + -P "$ADDARGS" \ + || failed=$((failed + 1)) + +IMPERSONATE_PRINC="alice@$REALM" + +#testit "net_ads_kerberos_pac_dump (impersonate)" \ +# $VALGRIND $BINDIR/net ads kerberos pac dump \ +# -U$USERNAME%$PASSWORD \ +# impersonate=$IMPERSONATE_PRINC $ADDARGS \ +# || failed=$((failed + 1)) + +testit "net_ads_kerberos_pac_dump (impersonate and -P)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \ + -P \ + impersonate="$IMPERSONATE_PRINC" "$ADDARGS" \ + || failed=$((failed + 1)) + +# no clue why this doesn't work... 
+# +#testit_expect_failure "net_ads_kerberos_pac_save (without filename)" +# $VALGRIND $BINDIR/net ads kerberos pac save \ +# -U$USERNAME%$PASSWORD $ADDARGS \ +# || failed=$((failed + 1)) + +testit "net_ads_kerberos_pac_save" \ + "$VALGRIND" "$BINDIR"/net ads kerberos pac save \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + filename="$PACFILE" \ + || failed=$((failed + 1)) + +rm -f "$PACFILE" + +testit "net_ads_kerberos_pac_save (-P)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos pac save \ + -P "$ADDARGS" \ + filename="$PACFILE" \ + || failed=$((failed + 1)) + +rm -f "$PACFILE" +rm -f "$KRB5CCNAME_PATH" + +testok "$0" "$failed" diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index fe67a4df896..86d660800dc 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -1887,6 +1887,18 @@ plantestsuite( "bin/samba-tool", '$DNSNAME']) +for auth in ["$DC_USERNAME", "$DOMAIN\\\\$DC_USERNAME", "$DC_USERNAME@$REALM" ]: + plantestsuite( + "samba3.blackbox.net_ads_kerberos (%s)" % auth, + "ad_member:local", + [os.path.join(samba3srcdir, + "script/tests/test_net_ads_kerberos.sh"), + auth, + '$REALM', + '$DC_PASSWORD', + '$PREFIX', + configuration]) + plantestsuite("samba3.blackbox.force-user-unlink", "maptoguest:local", [os.path.join(samba3srcdir, diff --git a/source3/utils/net.c b/source3/utils/net.c index c432ebe991f..7ce93ced79e 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -1394,6 +1394,7 @@ static struct functable net_func[] = { cli_credentials_get_principal_obtained(c->creds); enum credentials_obtained password_obtained = cli_credentials_get_password_obtained(c->creds); + char *krb5ccname = NULL; if (principal_obtained == CRED_SPECIFIED) { c->explicit_credentials = true; 
@@ -1410,6 +1411,20 @@ static struct functable net_func[] = { GENSEC_FEATURE_NTLM_CCACHE, CRED_SPECIFIED); } + + /* cli_credentials_get_ccache_name_obtained() would not work + * here, we also cannot get the content of --use-krb5-ccache= so + * for now at least honour the KRB5CCNAME environment variable + * to get 'net ads kerberos' functions to work at all - gd */ + + krb5ccname = getenv("KRB5CCNAME"); + if (krb5ccname == NULL) { + krb5ccname = talloc_strdup(c, "MEMORY:net"); + } + if (krb5ccname == NULL) { + exit(1); + } + c->opt_krb5_ccache = krb5ccname; } c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); diff --git a/source3/utils/net.h b/source3/utils/net.h index 8540a6db9d4..8a4218b529f 100644 --- a/source3/utils/net.h +++ b/source3/utils/net.h @@ -97,6 +97,7 @@ struct net_context { const char *opt_witness_new_ip; int opt_witness_new_node; const char *opt_witness_forced_response; + const char *opt_krb5_ccache; int opt_have_ip; struct sockaddr_storage opt_dest_ip; diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 163dcf3efd6..9ba7afe1e04 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -3030,7 +3030,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char ** return -1; } - ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL); + ret = smb_krb5_renew_ticket(c->opt_krb5_ccache, NULL, NULL, NULL); if (ret) { d_printf(_("failed to renew kerberos ticket: %s\n"), error_message(ret)); @@ -3085,7 +3085,7 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch 0, NULL, NULL, - NULL, + c->opt_krb5_ccache, true, true, 2592000, /* one month */ @@ -3266,7 +3266,7 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** 0, NULL, NULL, - NULL, + c->opt_krb5_ccache, true, true, 2592000, /* one month */ diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 9e51ee2acfe..53800988306 100644 
--- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -320,7 +320,7 @@ void set_domain_online_request(struct winbindd_domain *domain) Add -ve connection cache entries for domain and realm. ****************************************************************/ -static void winbind_add_failed_connection_entry( +void winbind_add_failed_connection_entry( const struct winbindd_domain *domain, -- Samba Shared Repository
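Review bot: in the get_kdc_ip_string() hunk of source3/libads/kerberos.c the new `if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) continue;` drops the response silently, whereas the same condition in the ads_try_connect() hunk of source3/libads/ldap.c logs a DBG_NOTICE and records the server with add_failed_connection_entry(). Consider doing the same here so a KDC answering with an unexpected version shows up in the logs and in the negative cache. Also, `print_sockaddr(addr, ...)` is only consumed in the blacklisted branch; moving it under `if (!NT_STATUS_IS_OK(status))` avoids formatting every address for nothing.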
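Review bot: the paused-DC check added to ads_fill_cldap_reply() in source3/libads/ldap.c logs `addr` in `DBG_NOTICE("DC %s in paused state\n", addr)`, but neither the hunk nor its context declares that variable, so please confirm it is in scope at that point. The sibling check in make_dc_info_from_cldap_reply() (source3/libsmb/dsgetdcname.c) returns NT_STATUS_NETLOGON_NOT_STARTED with no log line at all; a matching DBG_NOTICE there would keep the two paths consistent and make a paused DC diagnosable from the dsgetdcname side too.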
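Review bot: with the trailing "keep track of failures as all were not suitable" loop removed from ads_try_connect(), add_failed_connection_entry() is now called for every address whose CLDAP reply is NULL (`NT_STATUS_INVALID_NETWORK_RESPONSE`) even when another DC in the same batch answered correctly, whereas before those entries were only written when no server was usable. A DC that merely loses a single UDP CLDAP reply will therefore sit in the negative cache for FAILED_CONNECTION_CACHE_TIMEOUT; please confirm that is intended and say so in the commit message. In the same hunk `retry = true` is set only on the name-blacklist path and not on the NULL or nt_version-mismatch paths; a one-line comment explaining the asymmetry would help the next reader.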
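Review bot: in source3/libsmb/conncache.c the new format string in add_failed_connection_entry() reads "added domain %s (%s) to failed conn cache %s" with nt_errstr(result) as the last argument, which prints as "... to failed conn cache NT_STATUS_..."; "to failed conn cache with status %s" is clearer. Note also that check_negative_conn_cache() now logs every hit at DBGLVL_INFO, and the resolve_ads() hunk calls it once per SRV hostname and once per address, so expect noticeably more output at that level while any server is blacklisted.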
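Review bot: both DBG_DEBUG strings added to resolve_ads() in source3/libsmb/namequery.c ("Skipping blacklisted server [%s] for domain [%s]") lack the trailing "\n", so the following debug line will be glued onto them. Also `status` is overwritten by check_negative_conn_cache() inside the loop; if the last SRV entry or last address is blacklisted while earlier ones were collected, make sure the function's return path reports success for the addresses it did keep rather than surfacing that last non-OK status.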
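Review bot: in source3/script/tests/test_net_ads_kerberos.sh the Usage text lists four arguments but the guard is `[ $# -lt 5 ]`, and the tests.py hunk passes `configuration` as the fifth argument, so the Usage line should name it. `failed` is never initialised, so a clean run ends with `testok "$0" ""`; add `failed=0` near the top as the other blackbox scripts do. `KRB5CCNAME="FILE:$KRB5CCNAME_PATH"` is assigned once at the top but every later `export KRB5CCNAME="$KRB5CCNAME_PATH"` uses the bare path, so the FILE: form is only referenced by the commented-out tests. Finally, the quoted "$VALGRIND" passes an empty string as the first word when VALGRIND is unset; the commented-out variants and the other selftest scripts use the unquoted form, so please check that testit tolerates the empty argument.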
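Review bot: the KRB5CCNAME fallback added to source3/utils/net.c means that without the environment variable every "net ads kerberos" subcommand works in MEMORY:net, so a "kinit" leaves no credential cache behind once the process exits; the commit message states the limitation, but the net(8) manpage for these subcommands should too. The `exit(1)` on talloc_strdup() failure prints nothing; a d_fprintf to stderr before exiting would match the rest of net.c. Also c->opt_krb5_ccache ends up pointing either into the environment or into a talloc child of `c` depending on the path taken, which is fine as long as nothing later attempts to free it.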