The Samba-Bugzilla – Attachment 10912 Details for
Bug 11130
KDC TGS not finding principal
Work in progress patches (the test still fail...)
tmp.diff.txt (text/plain), 5.84 KB, created by
Stefan Metzmacher
on 2015-03-26 10:32:13 UTC
Description:
Work in progress patches (the test still fail...)
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2015-03-26 10:32:13 UTC
Size:
5.84 KB
>From 17520c7143ad9c22c45d161823cf57edb9c01406 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 23 Mar 2015 10:00:51 +0000
>Subject: [PATCH 1/2] BUG11130: s4:kdc:db-glue: allow TGS for
> computer@EXAMPLE.COM
>
>This is only possible if computer@EXAMPLE.COM is unique,
>if a user 'computer' exists it's not possible.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130
>---
> source4/kdc/db-glue.c | 41 ++++++++++++++++++++++++++++++++++-------
> 1 file changed, 34 insertions(+), 7 deletions(-)
>
>diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
>index edee0aa..a2c0ca2 100644
>--- a/source4/kdc/db-glue.c
>+++ b/source4/kdc/db-glue.c
>@@ -1651,6 +1651,9 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
> int lret;
> char *short_princ;
> krb5_principal enterprise_prinicpal = NULL;
>+ char *name1 = NULL;
>+ size_t len1 = 0;
>+ char *filter = NULL;
>
> if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
> char *str = NULL;
>@@ -1691,24 +1694,48 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
> return ret;
> }
>
>+ name1 = ldb_binary_encode_string(mem_ctx, short_princ);
>+ SAFE_FREE(short_princ);
>+ if (name1 == NULL) {
>+ return ENOMEM;
>+ }
>+ len1 = strlen(name1);
>+ if (len1 >= 1 && name1[len1 - 1] != '$') {
>+ filter = talloc_asprintf(mem_ctx,
>+ "(&(objectClass=user)(|(samAccountName=%s)(samAccountName=%s$))",
>+ name1, name1);
>+ if (filter == NULL) {
>+ return ENOMEM;
>+ }
>+ } else {
>+ filter = talloc_asprintf(mem_ctx,
>+ "(&(objectClass=user)(samAccountName=%s))",
>+ name1);
>+ if (filter == NULL) {
>+ return ENOMEM;
>+ }
>+ }
>+
> lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
> *realm_dn, LDB_SCOPE_SUBTREE,
> attrs,
> DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
>- "(&(objectClass=user)(samAccountName=%s))",
>- ldb_binary_encode_string(mem_ctx, short_princ));
>+ "%s", filter);
> if (lret == LDB_ERR_NO_SUCH_OBJECT) {
>- DEBUG(3, ("Failed to find an entry for %s\n", short_princ));
>- free(short_princ);
>+ DEBUG(3, ("Failed to find an entry for %s filter:%s\n",
>+ name1, filter));
>+ return HDB_ERR_NOENTRY;
>+ }
>+ if (lret == LDB_ERR_CONSTRAINT_VIOLATION) {
>+ DEBUG(3, ("Failed to find unique entry for %s filter:%s\n",
>+ name1, filter));
> return HDB_ERR_NOENTRY;
> }
> if (lret != LDB_SUCCESS) {
> DEBUG(3, ("Failed single search for %s - %s\n",
>- short_princ, ldb_errstring(kdc_db_ctx->samdb)));
>- free(short_princ);
>+ name1, ldb_errstring(kdc_db_ctx->samdb)));
> return HDB_ERR_NOENTRY;
> }
>- free(short_princ);
> return 0;
> }
> return HDB_ERR_NOENTRY;
>--
>1.9.1
>
>
>From 128877cd077ec6beb4838acda552929732b10c55 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 23 Mar 2015 22:10:02 +0000
>Subject: [PATCH 2/2] BUG11130: samba4.rpc.lsa.secrets on %s with Kerberos -
> netbios name principal TODO
>
>---
> source4/selftest/tests.py | 4 ++++
> 1 file changed, 4 insertions(+)
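Review bot: The format string in the first `talloc_asprintf()` branch has unbalanced parentheses: the outer `(&` group is never closed, so for any name without a trailing `$` the filter is likely rejected by the filter parser and the lookup ends in the generic `lret != LDB_SUCCESS` path; it should read `"(&(objectClass=user)(|(samAccountName=%s)(samAccountName=%s$)))"`. Separately, matching both `name` and `name$` means the account the KDC resolves depends on `dsdb_search_one()` refusing multiple matches, which this hunk handles as `LDB_ERR_CONSTRAINT_VIOLATION`. A comment next to that check, such as `/* a user 'name' and a machine account 'name$' must never both resolve here: ambiguity fails closed */`, would record the security assumption the commit message states. The body of samba_kdc_lookup_server() starts outside this hunk and its closing brace is not shown.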
>
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 17d0158..39f5204 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -181,6 +181,10 @@ for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc", "fl2008r2dc", "ad_dc"]:
> plansmbtorture4testsuite('rpc.pac', env, ["%s:$SERVER[]" % (transport, ), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.pac on %s" % (transport,))
> plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,))
> plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,))
>+ #plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal" % (transport,))
>+ plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=dcom/$NETBIOSNAME]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal dcom" % (transport,))
>+ plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=$NETBIOSNAME\$]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal dollar" % (transport,))
>+ plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=$NETBIOSNAME]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal" % (transport,))
> plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes',
'-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport)
> plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport)
> for transport in transports:
>--
>1.9.1
>
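Review bot: None of the added cases covers the ambiguous situation the first patch's commit message calls out, where a user `computer` exists alongside the machine account `computer$`, so the path that maps `LDB_ERR_CONSTRAINT_VIOLATION` to `HDB_ERR_NOENTRY` is untested. A negative case that expects the ticket request to be refused when both accounts exist would pin the fail-closed behaviour. The commented-out `#plansmbtorture4testsuite(...)` line should either be dropped or get a one-line comment saying what it is waiting for. The enclosing `for` loops start outside this hunk.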