Attachment 14547 Details for Bug 13653 – Back ported patch for Patch for v4.9

Back ported patch for Patch for v4.9

bug-13653-v4-9.patch.txt (text/plain), 24.98 KB, created by Gary Lockyer on 2018-10-29 01:23:04 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Gary Lockyer

Created: 2018-10-29 01:23:04 UTC

Size: 24.98 KB

patch

obsolete

>From df05a255d449e6556929dcad6762e38d56f343f2 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Wed, 17 Oct 2018 09:10:10 +1300
>Subject: [PATCH 1/3] python tests Blackbox: add random_password
>
>Add the random_password method to the BlackboxTestCase class and remove
>duplicated copies from other test cases. Also use SystemRandom so that
>the generated passwords are more cryptographically sound.
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit b6e45fb479689cff028b1fe626533b035e313ce3)
>---
> python/samba/tests/__init__.py                | 33 ++++++++++++++-----
> python/samba/tests/samba_tool/base.py         |  7 ----
> python/samba/tests/samba_tool/user.py         |  8 ++---
> .../tests/samba_tool/user_virtualCryptSHA.py  | 18 ++--------
> 4 files changed, 30 insertions(+), 36 deletions(-)
>
>diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
>index f04b42be826..bc336f7f153 100644
>--- a/python/samba/tests/__init__.py
>+++ b/python/samba/tests/__init__.py
>@@ -37,15 +37,19 @@ import samba.auth
> import samba.dcerpc.base
> from samba.compat import PY3, text_type
> from random import randint
>-if not PY3:
>-    # Py2 only
>-    try:
>-        from samba.samdb import SamDB
>-    except ImportError:
>-        SamDB = lambda *x: None
>-    import samba.ndr
>-    import samba.dcerpc.dcerpc
>-    import samba.dcerpc.epmapper
>+from random import SystemRandom
>+import string
>+try:
>+    from samba.samdb import SamDB
>+except ImportError:
>+    # We are built without samdb support,
>+    # imitate it so that connect_samdb() can recover
>+    def SamDB(*args, **kwargs):
>+        return None
>+
>+import samba.ndr
>+import samba.dcerpc.dcerpc
>+import samba.dcerpc.epmapper
> 
> try:
>     from unittest import SkipTest
>@@ -387,6 +391,17 @@ class BlackboxTestCase(TestCaseInTempDir):
>             raise BlackboxProcessError(retcode, line, stdoutdata, stderrdata)
>         return stdoutdata
> 
>+    # Generate a random password that can be safely  passed on the command line
>+    # i.e. it does not contain any shell meta characters.
>+    def random_password(self, count=32):
>+        password = SystemRandom().choice(string.ascii_uppercase)
>+        password += SystemRandom().choice(string.digits)
>+        password += SystemRandom().choice(string.ascii_lowercase)
>+        password += ''.join(SystemRandom().choice(string.ascii_uppercase +
>+                    string.ascii_lowercase +
>+                    string.digits) for x in range(count - 3))
>+        return password
>+
> 
> def connect_samdb(samdb_url, lp=None, session_info=None, credentials=None,
>                   flags=0, ldb_options=None, ldap_only=False, global_schema=True):
>diff --git a/python/samba/tests/samba_tool/base.py b/python/samba/tests/samba_tool/base.py
>index 06e19c19087..7b75c397b71 100644
>--- a/python/samba/tests/samba_tool/base.py
>+++ b/python/samba/tests/samba_tool/base.py
>@@ -125,13 +125,6 @@ class SambaToolCmdTest(samba.tests.BlackboxTestCase):
>         name += ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase+ string.digits) for x in range(count - 1))
>         return name
> 
>-    def randomPass(self, count=16):
>-        name = random.choice(string.ascii_uppercase)
>-        name += random.choice(string.digits)
>-        name += random.choice(string.ascii_lowercase)
>-        name += ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase+ string.digits) for x in range(count - 3))
>-        return name
>-
>     def randomXid(self):
>         # pick some hopefully unused, high UID/GID range to avoid interference
>         # from the system the test runs on
>diff --git a/python/samba/tests/samba_tool/user.py b/python/samba/tests/samba_tool/user.py
>index f99288a7cb8..bd83f3fb7a9 100644
>--- a/python/samba/tests/samba_tool/user.py
>+++ b/python/samba/tests/samba_tool/user.py
>@@ -187,7 +187,7 @@ class UserCmdTestCase(SambaToolCmdTest):
> 
>     def test_setpassword(self):
>         for user in self.users:
>-            newpasswd = self.randomPass()
>+            newpasswd = self.random_password(16)
>             (result, out, err) = self.runsubcmd("user", "setpassword",
>                                                 user["name"],
>                                                 "--newpassword=%s" % newpasswd,
>@@ -229,7 +229,7 @@ class UserCmdTestCase(SambaToolCmdTest):
>                 "syncpasswords --no-wait: 'sAMAccountName': %s out[%s]" % (user["name"], out))
> 
>         for user in self.users:
>-            newpasswd = self.randomPass()
>+            newpasswd = self.random_password(16)
>             creds = credentials.Credentials()
>             creds.set_anonymous()
>             creds.set_password(newpasswd)
>@@ -291,7 +291,7 @@ class UserCmdTestCase(SambaToolCmdTest):
>                     "getpassword virtualSSHA: out[%s]" % out)
> 
>         for user in self.users:
>-            newpasswd = self.randomPass()
>+            newpasswd = self.random_password(16)
>             (result, out, err) = self.runsubcmd("user", "setpassword",
>                                                 user["name"],
>                                                 "--newpassword=%s" % newpasswd,
>@@ -503,7 +503,7 @@ sAMAccountName: %s
>         """create a user with random attribute values, you can specify base attributes"""
>         user = {
>             "name": self.randomName(),
>-            "password": self.randomPass(),
>+            "password": self.random_password(16),
>             "surname": self.randomName(),
>             "given-name": self.randomName(),
>             "job-title": self.randomName(),
>diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA.py b/python/samba/tests/samba_tool/user_virtualCryptSHA.py
>index 3edf1a4b4f6..fc17c5d4014 100644
>--- a/python/samba/tests/samba_tool/user_virtualCryptSHA.py
>+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA.py
>@@ -29,23 +29,8 @@ from samba.ndr import ndr_unpack
> from samba.dcerpc import drsblobs
> from samba import dsdb
> import re
>-import random
>-import string
> 
> USER_NAME = "CryptSHATestUser"
>-# Create a random 32 character password, containing only letters and
>-# digits to avoid issues when used on the command line.
>-# Ensuring the password includes at least:
>-#   1 upper case letter
>-#   1 lower case letter
>-#   1 digit.
>-#
>-USER_PASS = (''.join(random.choice(string.ascii_uppercase +
>-                                   string.ascii_lowercase +
>-                                   string.digits) for _ in range(29)) +
>-             random.choice(string.ascii_uppercase) +
>-             random.choice(string.ascii_lowercase) +
>-             random.choice(string.digits))
> HASH_OPTION = "password hash userPassword schemes"
> 
> # Get the value of an attribute from the output string
>@@ -83,10 +68,11 @@ class UserCmdCryptShaTestCase(SambaToolCmdTest):
>             credentials=self.creds,
>             lp=self.lp)
> 
>+        password = self.random_password()
>         self.runsubcmd("user",
>                        "create",
>                        USER_NAME,
>-                       USER_PASS)
>+                       password)
> 
>     def tearDown(self):
>         super(UserCmdCryptShaTestCase, self).tearDown()
>-- 
>2.17.1
>
>
>From aa93833061ec5d49cba5c2aa084848bffbaa5d2e Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Mon, 15 Oct 2018 16:01:47 +1300
>Subject: [PATCH 2/3] dsdb encrypted_secrets tests: Allow "ldb://" in file path
>
>When creating a new user and specifying the local file path of the
>sam.ldb DB, it's possible to create an account that you can't actually
>login with.
>
>This commit contains tests to verify the bug.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13653
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit e1eee614ca8a3f0f5609a3d9d8ce7ae926de1f9e)
>---
> python/samba/tests/blackbox/bug13653.py       | 212 ++++++++++++++++++
> selftest/knownfail.d/bug13653                 |  14 ++
> selftest/knownfail.d/encrypted_secrets        |   6 +
> .../tests/test_encrypted_secrets.c            |   1 -
> source4/dsdb/samdb/ldb_modules/wscript_build  |  17 +-
> source4/selftest/tests.py                     |  21 +-
> 6 files changed, 267 insertions(+), 4 deletions(-)
> create mode 100644 python/samba/tests/blackbox/bug13653.py
> create mode 100644 selftest/knownfail.d/bug13653
>
>diff --git a/python/samba/tests/blackbox/bug13653.py b/python/samba/tests/blackbox/bug13653.py
>new file mode 100644
>index 00000000000..6ac23896a6f
>--- /dev/null
>+++ b/python/samba/tests/blackbox/bug13653.py
>@@ -0,0 +1,212 @@
>+# Black box tests verify bug 13653
>+#
>+# Copyright (C) Catalyst.Net Ltd'. 2018
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
>+
>+"""Blackbox test verifying bug 13653
>+
>+https://bugzilla.samba.org/show_bug.cgi?id=13653
>+
>+
>+When creating a new user and specifying the local filepath of the sam.ldb DB,
>+it's possible to create an account that you can't actually login with.
>+
>+This only happens if the DB is using encrypted secrets and you specify "ldb://"
>+in the sam.ldb path, e.g. "-H ldb://st/ad_dc/private/sam.ldb".
>+The user account will be created, but its secrets will not be encrypted.
>+Attempts to login as the user will then be rejected due to invalid credentials.
>+
>+We think this may also cause replication/joins to break.
>+
>+You do get a warning about "No encrypted secrets key file" when this happens,
>+although the reason behind this message is not obvious. Specifying a "tdb://"
>+prefix, or not specifying a prefix, works fine.
>+
>+Example of the problem below using the ad_dc testenv.
>+
>+addc$ bin/samba-tool user create tdb-user pass12#
>+      -H tdb://st/ad_dc/private/sam.ldb
>+User 'tdb-user' created successfully
>+
>+# HERE: using the "ldb://" prefix generates a warning, but the user is still
>+# created successfully.
>+
>+addc$ bin/samba-tool user create ldb-user pass12#
>+      -H ldb://st/ad_dc/private/sam.ldb
>+No encrypted secrets key file. Secret attributes will not be encrypted or
>+decrypted
>+
>+User 'ldb-user' created successfully
>+
>+addc$ bin/samba-tool user create noprefix-user pass12#
>+      -H st/ad_dc/private/sam.ldb
>+User 'noprefix-user' created successfully
>+
>+addc$ bin/ldbsearch -H ldap://$SERVER -Utdb-user%pass12# '(cn=tdb-user)' dn
>+# record 1
>+dn: CN=tdb-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
>+     DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/DC=DomainDnsZones,DC=addom,DC=samba,
>+     DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/DC=ForestDnsZones,DC=addom,DC=samba,
>+     DC=example,DC=com
>+
>+# returned 4 records
>+# 1 entries
>+# 3 referrals
>+
>+# HERE: can't login as the user created with "ldb://" prefix
>+
>+addc$ bin/ldbsearch -H ldap://$SERVER -Uldb-user%pass12# '(cn=ldb-user)' dn
>+Wrong username or password: kinit for ldb-user@ADDOM.SAMBA.EXAMPLE.COM failed
>+(Client not found in Kerberos database)
>+
>+Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS
>+               -  <8009030C: LdapErr: DSID-0C0904DC,
>+                    comment: AcceptSecurityContext error, data 54e, v1db1> <>
>+Failed to connect to 'ldap://addc' with backend
>+    'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS
>+            -  <8009030C: LdapErr: DSID-0C0904DC,
>+               comment: AcceptSecurityContext error, data 54e, v1db1> <>
>+Failed to connect to ldap://addc - LDAP error 49 LDAP_INVALID_CREDENTIALS
>+    -  <8009030C: LdapErr: DSID-0C0904DC,
>+       comment: AcceptSecurityContext error, data 54e, v1db1> <>
>+addc$ bin/ldbsearch -H ldap://$SERVER -Unoprefix-user%pass12#
>+      '(cn=noprefix-user)' dn
>+# record 1
>+dn: CN=noprefix-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
>+    DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/DC=DomainDnsZones,DC=addom,DC=samba,
>+     DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/DC=ForestDnsZones,DC=addom,DC=samba,
>+     DC=example,DC=com
>+
>+# returned 4 records
>+# 1 entries
>+# 3 referrals
>+"""
>+
>+from samba.tests import (
>+    BlackboxTestCase,
>+    BlackboxProcessError,
>+    delete_force,
>+    env_loadparm)
>+from samba.credentials import Credentials
>+from samba.samdb import SamDB
>+from samba.auth import system_session
>+from os import environ
>+
>+
>+class Bug13653Tests(BlackboxTestCase):
>+
>+    # Open a local connection to the SamDB
>+    # and load configuration from the OS environment.
>+    def setUp(self):
>+        super(Bug13653Tests, self).setUp()
>+        self.env = environ["TEST_ENV"]
>+        self.server = environ["SERVER"]
>+        self.prefix = environ["PREFIX_ABS"]
>+        lp = env_loadparm()
>+        creds = Credentials()
>+        session = system_session()
>+        creds.guess(lp)
>+        self.ldb = SamDB(session_info=session,
>+                         credentials=creds,
>+                         lp=lp)
>+
>+    # Delete the user account created by the test case.
>+    # The user name is in self.user
>+    def tearDown(self):
>+        super(Bug13653Tests, self).tearDown()
>+        try:
>+            dn = "CN=%s,CN=Users,%s" % (self.user, self.ldb.domain_dn())
>+            delete_force(self.ldb, dn)
>+        except Exception as e:
>+            # We ignore any exceptions deleting the user in tearDown
>+            # this allows the known fail mechanism to work for this test
>+            # so the test can be committed before the fix.
>+            # otherwise this delete fails with
>+            #   Error(11)  unpacking encrypted secret, data possibly corrupted
>+            #   or altered
>+            pass
>+
>+    # Delete the user account created by the test case.
>+    # The user name is in self.user
>+    def delete_user(self):
>+        dn = "CN=%s,CN=Users,%s" % (self.user, self.ldb.domain_dn())
>+        try:
>+            delete_force(self.ldb, dn)
>+        except Exception as e:
>+            self.fail(str(e))
>+
>+    def _test_scheme(self, scheme):
>+        """Ensure a user can be created by samba-tool with the supplied scheme
>+           and that that user can logon."""
>+
>+        self.delete_user()
>+
>+        password = self.random_password()
>+        db_path = "%s/%s/%s/private/sam.ldb" % (scheme, self.prefix, self.env)
>+        try:
>+            command =\
>+                "bin/samba-tool user create %s %s -H %s" % (
>+                    self.user, password, db_path)
>+            self.check_run(command)
>+            command =\
>+                "bin/ldbsearch -H ldap://%s/ -U%s%%%s '(cn=%s)' dn" % (
>+                    self.server, self.user, password, self.user)
>+            self.check_run(command)
>+        except BlackboxProcessError as e:
>+            self.fail(str(e))
>+
>+    def test_tdb_scheme(self):
>+        """Ensure a user can be created by samba-tool with the "tbd://" scheme
>+           and that that user can logon."""
>+
>+        self.user = "TDB_USER"
>+        self._test_scheme("tdb://")
>+
>+    def test_mdb_scheme(self):
>+        """Ensure a user can be created by samba-tool with the "mdb://" scheme
>+           and that that user can logon.
>+
>+           NOTE: this test is currently in knownfail.d/encrypted_secrets as
>+                 sam.ldb is currently a tdb even if the lmdb backend is
>+                 selected
>+        """
>+
>+        self.user = "MDB_USER"
>+        self._test_scheme("mdb://")
>+
>+    def test_ldb_scheme(self):
>+        """Ensure a user can be created by samba-tool with the "ldb://" scheme
>+           and that that user can logon."""
>+
>+        self.user = "LDB_USER"
>+        self._test_scheme("ldb://")
>diff --git a/selftest/knownfail.d/bug13653 b/selftest/knownfail.d/bug13653
>new file mode 100644
>index 00000000000..14b955de178
>--- /dev/null
>+++ b/selftest/knownfail.d/bug13653
>@@ -0,0 +1,14 @@
>+^samba.tests.blackbox.bug13653.samba.tests.blackbox.bug13653.Bug13653Tests.test_ldb_scheme
>+^samba.tests.blackbox.bug13653.python3.samba.tests.blackbox.bug13653.Bug13653Tests.test_ldb_scheme
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file_short_key
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file_long_key
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_value_encryption
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_header
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_data
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_iv
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_value_encryption
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_header
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_data
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_iv
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_message_encryption_decryption
>diff --git a/selftest/knownfail.d/encrypted_secrets b/selftest/knownfail.d/encrypted_secrets
>index a701d1d9d7e..9973baa3e51 100644
>--- a/selftest/knownfail.d/encrypted_secrets
>+++ b/selftest/knownfail.d/encrypted_secrets
>@@ -6,3 +6,9 @@
> #   * secrets are not stored as encrypted text when this option is specified
> ^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_encrypted_secrets$fl2000dc:local$
> ^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_required_features$fl2000dc:local$
>+#
>+# The tests for bug 13563 https://bugzilla.samba.org/show_bug.cgi?id=13653
>+# should fail in the mdb case, as sam.ldb is currently a tdb file.
>+#
>+^samba.tests.blackbox.bug13653.python3.samba.tests.blackbox.bug13653.Bug13653Tests.test_mdb_scheme
>+^samba.tests.blackbox.bug13653.samba.tests.blackbox.bug13653.Bug13653Tests.test_mdb_scheme
>diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
>index 4aa325635ce..258e1ba829f 100644
>--- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
>+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
>@@ -27,7 +27,6 @@ int ldb_encrypted_secrets_module_init(const char *version);
> #define TEST_ENCRYPTED_SECRETS
> #include "../encrypted_secrets.c"
> 
>-#define TEST_BE "tdb"
> struct ldbtest_ctx {
> 	struct tevent_context *ev;
> 	struct ldb_context *ldb;
>diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
>index 9e0ac281cc6..f9de3533529 100644
>--- a/source4/dsdb/samdb/ldb_modules/wscript_build
>+++ b/source4/dsdb/samdb/ldb_modules/wscript_build
>@@ -28,8 +28,9 @@ bld.SAMBA_BINARY('test_unique_object_sids',
>             DSDB_MODULE_HELPERS
>         ''',
>         install=False)
>-bld.SAMBA_BINARY('test_encrypted_secrets',
>+bld.SAMBA_BINARY('test_encrypted_secrets_tdb',
>         source='tests/test_encrypted_secrets.c',
>+        cflags='-DTEST_BE=\"tdb\"',
>         deps='''
>             talloc
>             samba-util
>@@ -40,6 +41,20 @@ bld.SAMBA_BINARY('test_encrypted_secrets',
>             DSDB_MODULE_HELPERS
>         ''',
>         install=False)
>+if bld.CONFIG_SET('HAVE_LMDB'):
>+    bld.SAMBA_BINARY('test_encrypted_secrets_mdb',
>+            source='tests/test_encrypted_secrets.c',
>+            cflags='-DTEST_BE=\"mdb\"',
>+            deps='''
>+                talloc
>+                samba-util
>+                samdb-common
>+                samdb
>+                cmocka
>+                gnutls
>+                DSDB_MODULE_HELPERS
>+            ''',
>+            install=False)
> 
> if bld.AD_DC_BUILD_IS_ENABLED():
>     bld.PROCESS_SEPARATE_RULE("server")
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 3a07eee4750..a4345140fe6 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -1129,10 +1129,27 @@ for env in ["ad_dc_ntvfs", "ad_dc", "fl2000dc", "fl2003dc", "fl2008r2dc",
> 
> # cmocka tests not requiring a specific encironment
> #
>+# Tests to verify bug 13653 https://bugzilla.samba.org/show_bug.cgi?id=13653
>+# ad_dc has an lmdb backend, ad_dc_ntvfs has a tdb backend.
>+#
>+planoldpythontestsuite("ad_dc_ntvfs:local",
>+                       "samba.tests.blackbox.bug13653",
>+                       extra_args=['-U"$USERNAME%$PASSWORD"'],
>+                       environ={'TEST_ENV': 'ad_dc_ntvfs'},
>+                       py3_compatible=True)
>+planoldpythontestsuite("ad_dc:local",
>+                       "samba.tests.blackbox.bug13653",
>+                       extra_args=['-U"$USERNAME%$PASSWORD"'],
>+                       environ={'TEST_ENV': 'ad_dc'},
>+                       py3_compatible=True)
>+# cmocka tests not requiring a specific environment
>+#
> plantestsuite("samba4.dsdb.samdb.ldb_modules.unique_object_sids" , "none",
>               [os.path.join(bindir(), "test_unique_object_sids")])
>-plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets", "none",
>-                  [os.path.join(bindir(), "test_encrypted_secrets")])
>+plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets.tdb", "none",
>+              [os.path.join(bindir(), "test_encrypted_secrets_tdb")])
>+plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb", "none",
>+              [os.path.join(bindir(), "test_encrypted_secrets_mdb")])
> plantestsuite("lib.audit_logging.audit_logging", "none",
>                   [os.path.join(bindir(), "audit_logging_test")])
> plantestsuite("samba4.dsdb.samdb.ldb_modules.audit_util", "none",
>-- 
>2.17.1
>
>
>From 971ca3fab851c3f75597a6d5fa9386390f19c276 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Mon, 15 Oct 2018 16:02:40 +1300
>Subject: [PATCH 3/3] dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in
> file path
>
>Correctly handle "ldb://" and "mdb://" schemes in the file path when
>determining the path for the encrypted secrets key file.
>
>When creating a new user and specifying the local file path of the
>sam.ldb DB, it was possible to create an account that you could not
>login with. The path for the key file was incorrectly calculated
>for the "ldb://" and "mdb://" schemes, the scheme was not stripped from
>the path and the subsequent open of the key file failed.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13653
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Fri Oct 19 09:34:46 CEST 2018 on sn-devel-144
>
>(cherry picked from commit 7b59cd74f9f75d85b91c6ca517d0243e7f6bd2e1)
>---
> selftest/knownfail.d/bug13653                      | 14 --------------
> source4/dsdb/samdb/ldb_modules/encrypted_secrets.c |  6 ++++++
> 2 files changed, 6 insertions(+), 14 deletions(-)
> delete mode 100644 selftest/knownfail.d/bug13653
>
>diff --git a/selftest/knownfail.d/bug13653 b/selftest/knownfail.d/bug13653
>deleted file mode 100644
>index 14b955de178..00000000000
>--- a/selftest/knownfail.d/bug13653
>+++ /dev/null
>@@ -1,14 +0,0 @@
>-^samba.tests.blackbox.bug13653.samba.tests.blackbox.bug13653.Bug13653Tests.test_ldb_scheme
>-^samba.tests.blackbox.bug13653.python3.samba.tests.blackbox.bug13653.Bug13653Tests.test_ldb_scheme
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file_short_key
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file_long_key
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_value_encryption
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_header
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_data
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_iv
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_value_encryption
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_header
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_data
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_iv
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_message_encryption_decryption
>diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
>index ef69bb0831c..b2df15c08f4 100644
>--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
>+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
>@@ -131,6 +131,12 @@ static const char* get_key_directory(TALLOC_CTX *ctx, struct ldb_context *ldb)
> 	if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
> 		sam_ldb_path += 6;
> 	}
>+	else if (strncmp("ldb://", sam_ldb_path, 6) == 0) {
>+		sam_ldb_path += 6;
>+	}
>+	else if (strncmp("mdb://", sam_ldb_path, 6) == 0) {
>+		sam_ldb_path += 6;
>+	}
> 	private_dir = talloc_strdup(ctx, sam_ldb_path);
> 	if (private_dir == NULL) {
> 		ldb_set_errstring(ldb,
>-- 
>2.17.1
>

Flags:

abartlet: review+

Actions: View

Attachments on bug 13653: 14530 | 14533 | 14547