The branch, master has been updated
       via  67bdf268c97 s3:testparm: Fix "sync machine password to keytab" 
validation
       via  aa6467f9da0 s3:tests: Add testparm tests for "sync machine password 
to keytab" option
      from  5f8125665cb mdssvc: make a copy of the elasticsearch:default_fields

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 67bdf268c978400ef016d34d70c21a85dbbfa9ea
Author: Samuel Cabrero <[email protected]>
Date:   Tue Dec 9 10:01:16 2025 +0100

    s3:testparm: Fix "sync machine password to keytab" validation
    
    Signed-off-by: Samuel Cabrero <[email protected]>
    Reviewed-by: Pavel Filipenský <[email protected]>
    
    Autobuild-User(master): Samuel Cabrero <[email protected]>
    Autobuild-Date(master): Tue Dec 23 09:43:56 UTC 2025 on atb-devel-224

commit aa6467f9da05b3ec804a327a1d23ac6d4446aa99
Author: Samuel Cabrero <[email protected]>
Date:   Tue Dec 9 11:50:48 2025 +0100

    s3:tests: Add testparm tests for "sync machine password to keytab" option
    
    Signed-off-by: Samuel Cabrero <[email protected]>
    Reviewed-by: Pavel Filipenský <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source3/script/tests/test_testparm_s3.sh | 63 +++++++++++++++++++++
 source3/utils/testparm.c                 | 95 ++++++++++++++++++++------------
 2 files changed, 123 insertions(+), 35 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/script/tests/test_testparm_s3.sh 
b/source3/script/tests/test_testparm_s3.sh
index a11ef855cca..ebf23159a37 100755
--- a/source3/script/tests/test_testparm_s3.sh
+++ b/source3/script/tests/test_testparm_s3.sh
@@ -16,6 +16,7 @@ LOCAL_PATH="$1"
 
 TEMP_CONFFILE=${LOCAL_PATH}/smb.conf.tmp
 TESTPARM="$VALGRIND ${TESTPARM:-$BINDIR/testparm} --suppress-prompt 
--skip-logic-checks"
+TESTPARM_LOGIC="${BINDIR}/testparm --suppress-prompt"
 
 incdir=$(dirname $0)/../../../testprogs/blackbox
 . $incdir/subunit.sh
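Review bot: The new `TESTPARM_LOGIC` assignment drops the `$VALGRIND` prefix and the `${TESTPARM:-...}` override that the `TESTPARM` assignment just above it honours, so the logic-check tests always run `${BINDIR}/testparm` without memory checking. The C code these tests exercise truncates a string in place through several pointers, which is where a valgrind run is most useful. Consider `TESTPARM_LOGIC="$VALGRIND ${BINDIR}/testparm --suppress-prompt"`, or derive both variables from one shared base so they cannot drift apart.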
@@ -44,6 +45,19 @@ EOF
        ${TESTPARM} ${TEMP_CONFFILE}
 }
 
+test_one_global_option_logic()
+{
+       OPTION="$@"
+       rm -f ${TEMP_CONFFILE}
+       cat >${TEMP_CONFFILE} <<EOF
+[global]
+       state directory = /tmp
+       cache directory = /tmp
+       ${OPTION}
+EOF
+       ${TESTPARM_LOGIC} ${TEMP_CONFFILE}
+}
+
 test_copy()
 {
        rm -f ${TEMP_CONFFILE}
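Review bot: `test_one_global_option_logic` points `state directory` and `cache directory` at the shared `/tmp`, although the script already writes its temporary config under the private `${LOCAL_PATH}`. Presumably the logic checks only need these directories to exist; if so, `state directory = ${LOCAL_PATH}` and `cache directory = ${LOCAL_PATH}` would keep the test self-contained. A one-line comment such as `# logic checks need existing state/cache directories` would explain why they are set at all. `OPTION="$@"` would also read more clearly as `OPTION="$*"`, since a single string is intended.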
@@ -145,6 +159,55 @@ testit "copy" \
 test_testparm_deprecated "test_deprecated_warning_printed"
 test_testparm_deprecated_suppress "test_deprecated_warning_suppressed"
 
+testit "sync machine password to keytab 0" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab0:account_name:machine_password\"" ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 1" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password\"" ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 2" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab2:sync_spns:machine_password\"" ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 3" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab3:sync_spns:sync_kvno:machine_password\"" ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 4" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password\"" ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 5" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password\""
 ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 6" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab6:spns=wurst/brot@REALM:machine_password\"" ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 7" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password\""
 ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 8" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password\""
 ||
+       failed=$(expr ${failed} + 1)
+testit "sync machine password to keytab 9" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab9:machine_password\"" ||
+       failed=$(expr ${failed} + 1)
+testit_expect_failure "sync machine password to keytab 10" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab10\"" ||
+       failed=$(expr ${failed} + 1)
+testit_expect_failure "sync machine password to keytab 11" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab11:\"" ||
+       failed=$(expr ${failed} + 1)
+testit_expect_failure "sync machine password to keytab 12" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab12:foo\"" ||
+       failed=$(expr ${failed} + 1)
+testit_expect_failure "sync machine password to keytab 13" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab13:spns\"" ||
+       failed=$(expr ${failed} + 1)
+testit_expect_failure "sync machine password to keytab 14" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab14:spns=\"" ||
+       failed=$(expr ${failed} + 1)
+testit_expect_failure "sync machine password to keytab 15" \
+       test_one_global_option_logic "sync machine password to keytab = 
\"/path/to/keytab15:machine_password=\"" ||
+       failed=$(expr ${failed} + 1)
+
 rm -f ${TEMP_CONFFILE}
 
 testok $0 ${failed}
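Review bot: The negative cases 10-15 appear to pass on any non-zero exit from testparm, so they would still pass if the run failed for a reason unrelated to the keytab line, for example a problem with the state or cache directory. Matching the expected `ERROR:` text on stderr would tie each case to the branch it is meant to cover. Two branches of the new validator have no case at all. One is an unknown key with a value, e.g. `"/path/to/keytab16:foo=bar:machine_password"`, and the other is a sync option placed before an spn_spec, e.g. `"/path/to/keytab17:sync_kvno:account_name:machine_password"` (both constructed examples). Reading the C hunks, both should be rejected.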
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 306924ac7c8..14e6181f417 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -270,11 +270,50 @@ done:
        return ok;
 }
 
+static int pw2kt_validate_spn_spec(const char *line, char *option)
+{
+       char *p = NULL;
+
+       /* Check for simple tokens */
+       if (strequal(option, ":account_name") ||
+           strequal(option, ":sync_account_name") ||
+           strequal(option, ":sync_upn") ||
+           strequal(option, ":sync_spns"))
+       {
+               *option = 0;
+               return 0;
+       }
+
+       /* Check for key=value tokens */
+       if ((p = strrchr_m(option, '='))) {
+               if (strlen(p) <= 1) {
+                       fprintf(stderr, "ERROR: Empty value "
+                               "for spn_spec option '%s'\n", option);
+                       return 1;
+               }
+               *p = 0;
+               if (strequal(option, ":spn_prefixes") ||
+                   strequal(option, ":spns"))
+               {
+                       *option = 0;
+                       return 0;
+               }
+               fprintf(stderr,
+                       "ERROR: only SPN specifier 'spns' and 'spn_prefixes' "
+                       "can contain '=' and comma separated list of values "
+                       "in line:\n%s\noption:%s\n", line, option);
+               return 1;
+       }
+
+       fprintf(stderr, "ERROR: Invalid spn_spec value: %s\n", option);
+
+       return 1;
+}
+
 static int pw2kt_check_line(const char *line)
 {
        char *keytabname = NULL;
        char *spn_spec = NULL;
-       char *spn_val = NULL;
        char *option = NULL;
        bool machine_password = false;
 
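Review bot: `pw2kt_validate_spn_spec()` finds the key/value separator with `strrchr_m(option, '=')`, so a value that itself contains `=` moves the split into the value and the key comparison then fails with the "only SPN specifier ..." error. The code this commit removes from `pw2kt_check_line()` used `strchr_m()` for the same job, and `p = strchr_m(option, '=')` would keep the key as everything before the first `=`. The function also writes NUL bytes into the caller's buffer (at `option[0]` on success, at the `=` on the key=value path), and the caller depends on that. A header comment such as `/* Validate one ':'-prefixed spn_spec token and truncate it in place; returns 0 if valid, 1 otherwise. */` would make the contract explicit. `pw2kt_check_line()` continues past the end of this hunk.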
@@ -288,26 +327,24 @@ static int pw2kt_check_line(const char *line)
                fprintf(stderr, "ERROR: ':' is expected in line:\n%s\n\n", 
line);
                return 1;
        }
-       *spn_spec++ = 0;
 
        /* reverse match with strrchr_m() */
        while ((option = strrchr_m(spn_spec, ':')) != NULL) {
-               *option++ = 0;
-               if (!strequal(option, "sync_kvno") &&
-                   !strequal(option, "sync_etypes") &&
-                   !strequal(option, "additional_dns_hostnames") &&
-                   !strequal(option, "netbios_aliases") &&
-                   !strequal(option, "machine_password"))
+               if (strequal(option, ":sync_kvno") ||
+                   strequal(option, ":sync_etypes") ||
+                   strequal(option, ":additional_dns_hostnames") ||
+                   strequal(option, ":netbios_aliases"))
                {
-                       fprintf(stderr,
-                               "ERROR: unknown option '%s' in line:\n%s\n\n",
-                               option,
-                               line);
-                       return 1;
-               }
-               if (strequal(option, "machine_password")) {
+                       /* consume the valid option */
+                       *option = 0;
+                       continue;
+               } else if (strequal(option, ":machine_password")) {
                        machine_password = true;
+                       *option = 0;
+                       continue;
                }
+               /* Reached the spn_spec portion */
+               break;
        }
        if (!machine_password) {
                fprintf(stderr,
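Review bot: With `*spn_spec++ = 0;` removed, `keytabname` is no longer terminated at the first ':' here; it only becomes the bare path once every token has been cut off from the tail. The start of `pw2kt_check_line()` and the code after the last hunk are not visible, so please confirm that nothing reads `keytabname` as a path before the string has been fully consumed. A comment on the loop such as `/* spn_spec still starts at the first ':'; tokens are matched with their leading ':' and removed from the end */` would record the new convention. The `else if` following a `continue` can be a plain `if`.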
@@ -316,30 +353,18 @@ static int pw2kt_check_line(const char *line)
                        line);
        }
 
-       spn_val = strchr_m(spn_spec, '=');
-       if (spn_val != NULL) {
-               *spn_val++ = 0;
-               if (!strequal(spn_spec, "spns") &&
-                   !strequal(spn_spec, "spn_prefixes"))
-               {
-                       fprintf(stderr,
-                               "ERROR: only SPN specifier 'spns' and "
-                               "'spn_prefixes' can contain '=' and comma "
-                               "separated list of values in line:\n%s\n\n",
-                               line);
+       /* Remaining part has syntax 'spn_spec[:spn_spec]' */
+       while ((option = strrchr_m(spn_spec, ':')) != NULL) {
+               if (pw2kt_validate_spn_spec(line, option)) {
                        return 1;
                }
+               *option = 0;
        }
 
-       if (!strequal(spn_spec, "account_name") &&
-           !strequal(spn_spec, "sync_spns") &&
-           !strequal(spn_spec, "spns") &&
-           !strequal(spn_spec, "spn_prefixes"))
-       {
-               fprintf(stderr,
-                       "ERROR: unknown SPN specifier '%s' in line:\n%s\n\n",
-                       spn_spec,
-                       line);
+       /* spn_spec must be empty at the end */
+       if (strlen(spn_spec) > 0) {
+               fprintf(stderr, "ERROR: Unexpected option '%s' in line '%s'\n",
+                       spn_spec, line);
                return 1;
        }
 
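Review bot: The `*option = 0;` after the `pw2kt_validate_spn_spec()` call repeats what that function already does on each of its success paths. The final `strlen(spn_spec) > 0` check also looks unreachable, because `spn_spec` starts at the first ':' and the loop either consumes it down to an empty string or returns 1. Either drop both, or keep the final check and mark it, e.g. `/* defensive: cannot trigger unless the loops above change */`. The function's opening and its tail after this check lie outside the hunk.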


-- 
Samba Shared Repository
