The Samba-Bugzilla – Attachment 14547 Details for
Bug 13653
Adding user to local DB with "ldb://" prefix creates invalid account
Back ported patch for Patch for v4.9
bug-13653-v4-9.patch.txt (text/plain), 24.98 KB, created by
Gary Lockyer
on 2018-10-29 01:23:04 UTC
Description:
Backported patch for v4.9
Filename:
MIME Type:
Creator:
Gary Lockyer
Created:
2018-10-29 01:23:04 UTC
Size:
24.98 KB
patch
obsolete
>From df05a255d449e6556929dcad6762e38d56f343f2 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Wed, 17 Oct 2018 09:10:10 +1300
>Subject: [PATCH 1/3] python tests Blackbox: add random_password
>
>Add the random_password method to the BlackboxTestCase class and remove
>duplicated copies from other test cases. Also use SystemRandom so that
>the generated passwords are more cryptographically sound.
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit b6e45fb479689cff028b1fe626533b035e313ce3)
>---
> python/samba/tests/__init__.py | 33 ++++++++++++++-----
> python/samba/tests/samba_tool/base.py | 7 ----
> python/samba/tests/samba_tool/user.py | 8 ++---
> .../tests/samba_tool/user_virtualCryptSHA.py | 18 ++--------
> 4 files changed, 30 insertions(+), 36 deletions(-)
>
>diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
>index f04b42be826..bc336f7f153 100644
>--- a/python/samba/tests/__init__.py
>+++ b/python/samba/tests/__init__.py
>@@ -37,15 +37,19 @@ import samba.auth
> import samba.dcerpc.base
> from samba.compat import PY3, text_type
> from random import randint
>-if not PY3:
>- # Py2 only
>- try:
>- from samba.samdb import SamDB
>- except ImportError:
>- SamDB = lambda *x: None
>- import samba.ndr
>- import samba.dcerpc.dcerpc
>- import samba.dcerpc.epmapper
>+from random import SystemRandom
>+import string
>+try:
>+ from samba.samdb import SamDB
>+except ImportError:
>+ # We are built without samdb support,
>+ # imitate it so that connect_samdb() can recover
>+ def SamDB(*args, **kwargs):
>+ return None
>+
>+import samba.ndr
>+import samba.dcerpc.dcerpc
>+import samba.dcerpc.epmapper
>
> try:
> from unittest import SkipTest
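Review bot: The rewritten import block imports samba.ndr, samba.dcerpc.dcerpc and samba.dcerpc.epmapper unconditionally where the 4.9 branch previously kept them under `if not PY3:`; since this is a backport, it is worth confirming those modules import cleanly on 4.9's Python 3 build and not only on master, where the original commit landed. The two `from random import ...` lines could be merged into `from random import randint, SystemRandom`. The `SamDB` stub is only reached on ImportError, so replacing the old lambda with a `def` that accepts keyword arguments is a harmless widening.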
>@@ -387,6 +391,17 @@ class BlackboxTestCase(TestCaseInTempDir):
> raise BlackboxProcessError(retcode, line, stdoutdata, stderrdata)
> return stdoutdata
>
>+ # Generate a random password that can be safely passed on the command line
>+ # i.e. it does not contain any shell meta characters.
>+ def random_password(self, count=32):
>+ password = SystemRandom().choice(string.ascii_uppercase)
>+ password += SystemRandom().choice(string.digits)
>+ password += SystemRandom().choice(string.ascii_lowercase)
>+ password += ''.join(SystemRandom().choice(string.ascii_uppercase +
>+ string.ascii_lowercase +
>+ string.digits) for x in range(count - 3))
>+ return password
>+
>
> def connect_samdb(samdb_url, lp=None, session_info=None, credentials=None,
> flags=0, ldb_options=None, ldap_only=False, global_schema=True):
>diff --git a/python/samba/tests/samba_tool/base.py b/python/samba/tests/samba_tool/base.py
>index 06e19c19087..7b75c397b71 100644
>--- a/python/samba/tests/samba_tool/base.py
>+++ b/python/samba/tests/samba_tool/base.py
>@@ -125,13 +125,6 @@ class SambaToolCmdTest(samba.tests.BlackboxTestCase):
> name += ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase+ string.digits) for x in range(count - 1))
> return name
>
>- def randomPass(self, count=16):
>- name = random.choice(string.ascii_uppercase)
>- name += random.choice(string.digits)
>- name += random.choice(string.ascii_lowercase)
>- name += ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase+ string.digits) for x in range(count - 3))
>- return name
>-
> def randomXid(self):
> # pick some hopefully unused, high UID/GID range to avoid interference
> # from the system the test runs on
>diff --git a/python/samba/tests/samba_tool/user.py b/python/samba/tests/samba_tool/user.py
>index f99288a7cb8..bd83f3fb7a9 100644
>--- a/python/samba/tests/samba_tool/user.py
>+++ b/python/samba/tests/samba_tool/user.py
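Review bot: `random_password` constructs a fresh `SystemRandom()` for every character drawn; hoist it once with `rng = SystemRandom()` at the top of the method and use `rng.choice(...)` in the four calls. A `count` below 3 silently yields a 3-character password because `range(count - 3)` is empty; a guard such as `if count < 3: raise ValueError("count must be at least 3")` makes the contract explicit. The upper/digit/lower triple always occupies the first three positions, which is fine for a test helper but worth stating in the comment (`# first three characters are always upper, digit, lower - test use only`) so the helper is not mistaken for a general-purpose password generator.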
>@@ -187,7 +187,7 @@ class UserCmdTestCase(SambaToolCmdTest):
>
> def test_setpassword(self):
> for user in self.users:
>- newpasswd = self.randomPass()
>+ newpasswd = self.random_password(16)
> (result, out, err) = self.runsubcmd("user", "setpassword",
> user["name"],
> "--newpassword=%s" % newpasswd,
>@@ -229,7 +229,7 @@ class UserCmdTestCase(SambaToolCmdTest):
> "syncpasswords --no-wait: 'sAMAccountName': %s out[%s]" % (user["name"], out))
>
> for user in self.users:
>- newpasswd = self.randomPass()
>+ newpasswd = self.random_password(16)
> creds = credentials.Credentials()
> creds.set_anonymous()
> creds.set_password(newpasswd)
>@@ -291,7 +291,7 @@ class UserCmdTestCase(SambaToolCmdTest):
> "getpassword virtualSSHA: out[%s]" % out)
>
> for user in self.users:
>- newpasswd = self.randomPass()
>+ newpasswd = self.random_password(16)
> (result, out, err) = self.runsubcmd("user", "setpassword",
> user["name"],
> "--newpassword=%s" % newpasswd,
>@@ -503,7 +503,7 @@ sAMAccountName: %s
> """create a user with random attribute values, you can specify base attributes"""
> user = {
> "name": self.randomName(),
>- "password": self.randomPass(),
>+ "password": self.random_password(16),
> "surname": self.randomName(),
> "given-name": self.randomName(),
> "job-title": self.randomName(),
>diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA.py b/python/samba/tests/samba_tool/user_virtualCryptSHA.py
>index 3edf1a4b4f6..fc17c5d4014 100644
>--- a/python/samba/tests/samba_tool/user_virtualCryptSHA.py
>+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA.py
>@@ -29,23 +29,8 @@ from samba.ndr import ndr_unpack
> from samba.dcerpc import drsblobs
> from samba import dsdb
> import re
>-import random
>-import string
>
> USER_NAME = "CryptSHATestUser"
>-# Create a random 32 character password, containing only letters and
>-# digits to avoid issues when used on the command line.
>-# Ensuring the password includes at least:
>-# 1 upper case letter
>-# 1 lower case letter
>-# 1 digit.
>-#
>-USER_PASS = (''.join(random.choice(string.ascii_uppercase +
>- string.ascii_lowercase +
>- string.digits) for _ in range(29)) +
>- random.choice(string.ascii_uppercase) +
>- random.choice(string.ascii_lowercase) +
>- random.choice(string.digits))
> HASH_OPTION = "password hash userPassword schemes"
>
> # Get the value of an attribute from the output string
>@@ -83,10 +68,11 @@ class UserCmdCryptShaTestCase(SambaToolCmdTest):
> credentials=self.creds,
> lp=self.lp)
>
>+ password = self.random_password()
> self.runsubcmd("user",
> "create",
> USER_NAME,
>- USER_PASS)
>+ password)
>
> def tearDown(self):
> super(UserCmdCryptShaTestCase, self).tearDown()
>--
>2.17.1
>
>
>From aa93833061ec5d49cba5c2aa084848bffbaa5d2e Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Mon, 15 Oct 2018 16:01:47 +1300
>Subject: [PATCH 2/3] dsdb encrypted_secrets tests: Allow "ldb://" in file path
>
>When creating a new user and specifying the local file path of the
>sam.ldb DB, it's possible to create an account that you can't actually
>login with.
>
>This commit contains tests to verify the bug.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13653
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit e1eee614ca8a3f0f5609a3d9d8ce7ae926de1f9e)
>---
> python/samba/tests/blackbox/bug13653.py | 212 ++++++++++++++++++
> selftest/knownfail.d/bug13653 | 14 ++
> selftest/knownfail.d/encrypted_secrets | 6 +
> .../tests/test_encrypted_secrets.c | 1 -
> source4/dsdb/samdb/ldb_modules/wscript_build | 17 +-
> source4/selftest/tests.py | 21 +-
> 6 files changed, 267 insertions(+), 4 deletions(-)
> create mode 100644 python/samba/tests/blackbox/bug13653.py
> create mode 100644 selftest/knownfail.d/bug13653
>
>diff --git a/python/samba/tests/blackbox/bug13653.py b/python/samba/tests/blackbox/bug13653.py
>new file mode 100644
>index 00000000000..6ac23896a6f
>--- /dev/null
>+++ b/python/samba/tests/blackbox/bug13653.py
>@@ -0,0 +1,212 @@
>+# Black box tests verify bug 13653
>+#
>+# Copyright (C) Catalyst.Net Ltd'. 2018
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+
>+"""Blackbox test verifying bug 13653
>+
>+https://bugzilla.samba.org/show_bug.cgi?id=13653
>+
>+
>+When creating a new user and specifying the local filepath of the sam.ldb DB,
>+it's possible to create an account that you can't actually login with.
>+
>+This only happens if the DB is using encrypted secrets and you specify "ldb://"
>+in the sam.ldb path, e.g. "-H ldb://st/ad_dc/private/sam.ldb".
>+The user account will be created, but its secrets will not be encrypted.
>+Attempts to login as the user will then be rejected due to invalid credentials.
>+
>+We think this may also cause replication/joins to break.
>+
>+You do get a warning about "No encrypted secrets key file" when this happens,
>+although the reason behind this message is not obvious. Specifying a "tdb://"
>+prefix, or not specifying a prefix, works fine.
>+
>+Example of the problem below using the ad_dc testenv.
>+
>+addc$ bin/samba-tool user create tdb-user pass12#
>+ -H tdb://st/ad_dc/private/sam.ldb
>+User 'tdb-user' created successfully
>+
>+# HERE: using the "ldb://" prefix generates a warning, but the user is still
>+# created successfully.
>+
>+addc$ bin/samba-tool user create ldb-user pass12#
>+ -H ldb://st/ad_dc/private/sam.ldb
>+No encrypted secrets key file. Secret attributes will not be encrypted or
>+decrypted
>+
>+User 'ldb-user' created successfully
>+
>+addc$ bin/samba-tool user create noprefix-user pass12#
>+ -H st/ad_dc/private/sam.ldb
>+User 'noprefix-user' created successfully
>+
>+addc$ bin/ldbsearch -H ldap://$SERVER -Utdb-user%pass12# '(cn=tdb-user)' dn
>+# record 1
>+dn: CN=tdb-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
>+ DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/DC=DomainDnsZones,DC=addom,DC=samba,
>+ DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/DC=ForestDnsZones,DC=addom,DC=samba,
>+ DC=example,DC=com
>+
>+# returned 4 records
>+# 1 entries
>+# 3 referrals
>+
>+# HERE: can't login as the user created with "ldb://" prefix
>+
>+addc$ bin/ldbsearch -H ldap://$SERVER -Uldb-user%pass12# '(cn=ldb-user)' dn
>+Wrong username or password: kinit for ldb-user@ADDOM.SAMBA.EXAMPLE.COM failed
>+(Client not found in Kerberos database)
>+
>+Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS
>+ - <8009030C: LdapErr: DSID-0C0904DC,
>+ comment: AcceptSecurityContext error, data 54e, v1db1> <>
>+Failed to connect to 'ldap://addc' with backend
>+ 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS
>+ - <8009030C: LdapErr: DSID-0C0904DC,
>+ comment: AcceptSecurityContext error, data 54e, v1db1> <>
>+Failed to connect to ldap://addc - LDAP error 49 LDAP_INVALID_CREDENTIALS
>+ - <8009030C: LdapErr: DSID-0C0904DC,
>+ comment: AcceptSecurityContext error, data 54e, v1db1> <>
>+addc$ bin/ldbsearch -H ldap://$SERVER -Unoprefix-user%pass12#
>+ '(cn=noprefix-user)' dn
>+# record 1
>+dn: CN=noprefix-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
>+ DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/DC=DomainDnsZones,DC=addom,DC=samba,
>+ DC=example,DC=com
>+
>+# Referral
>+ref: ldap://addom.samba.example.com/DC=ForestDnsZones,DC=addom,DC=samba,
>+ DC=example,DC=com
>+
>+# returned 4 records
>+# 1 entries
>+# 3 referrals
>+"""
>+
>+from samba.tests import (
>+ BlackboxTestCase,
>+ BlackboxProcessError,
>+ delete_force,
>+ env_loadparm)
>+from samba.credentials import Credentials
>+from samba.samdb import SamDB
>+from samba.auth import system_session
>+from os import environ
>+
>+
>+class Bug13653Tests(BlackboxTestCase):
>+
>+ # Open a local connection to the SamDB
>+ # and load configuration from the OS environment.
>+ def setUp(self):
>+ super(Bug13653Tests, self).setUp()
>+ self.env = environ["TEST_ENV"]
>+ self.server = environ["SERVER"]
>+ self.prefix = environ["PREFIX_ABS"]
>+ lp = env_loadparm()
>+ creds = Credentials()
>+ session = system_session()
>+ creds.guess(lp)
>+ self.ldb = SamDB(session_info=session,
>+ credentials=creds,
>+ lp=lp)
>+
>+ # Delete the user account created by the test case.
>+ # The user name is in self.user
>+ def tearDown(self):
>+ super(Bug13653Tests, self).tearDown()
>+ try:
>+ dn = "CN=%s,CN=Users,%s" % (self.user, self.ldb.domain_dn())
>+ delete_force(self.ldb, dn)
>+ except Exception as e:
>+ # We ignore any exceptions deleting the user in tearDown
>+ # this allows the known fail mechanism to work for this test
>+ # so the test can be committed before the fix.
>+ # otherwise this delete fails with
>+ # Error(11) unpacking encrypted secret, data possibly corrupted
>+ # or altered
>+ pass
>+
>+ # Delete the user account created by the test case.
>+ # The user name is in self.user
>+ def delete_user(self):
>+ dn = "CN=%s,CN=Users,%s" % (self.user, self.ldb.domain_dn())
>+ try:
>+ delete_force(self.ldb, dn)
>+ except Exception as e:
>+ self.fail(str(e))
>+
>+ def _test_scheme(self, scheme):
>+ """Ensure a user can be created by samba-tool with the supplied scheme
>+ and that that user can logon."""
>+
>+ self.delete_user()
>+
>+ password = self.random_password()
>+ db_path = "%s/%s/%s/private/sam.ldb" % (scheme, self.prefix, self.env)
>+ try:
>+ command =\
>+ "bin/samba-tool user create %s %s -H %s" % (
>+ self.user, password, db_path)
>+ self.check_run(command)
>+ command =\
>+ "bin/ldbsearch -H ldap://%s/ -U%s%%%s '(cn=%s)' dn" % (
>+ self.server, self.user, password, self.user)
>+ self.check_run(command)
>+ except BlackboxProcessError as e:
>+ self.fail(str(e))
>+
>+ def test_tdb_scheme(self):
>+ """Ensure a user can be created by samba-tool with the "tbd://" scheme
>+ and that that user can logon."""
>+
>+ self.user = "TDB_USER"
>+ self._test_scheme("tdb://")
>+
>+ def test_mdb_scheme(self):
>+ """Ensure a user can be created by samba-tool with the "mdb://" scheme
>+ and that that user can logon.
>+
>+ NOTE: this test is currently in knownfail.d/encrypted_secrets as
>+ sam.ldb is currently a tdb even if the lmdb backend is
>+ selected
>+ """
>+
>+ self.user = "MDB_USER"
>+ self._test_scheme("mdb://")
>+
>+ def test_ldb_scheme(self):
>+ """Ensure a user can be created by samba-tool with the "ldb://" scheme
>+ and that that user can logon."""
>+
>+ self.user = "LDB_USER"
>+ self._test_scheme("ldb://")
>diff --git a/selftest/knownfail.d/bug13653 b/selftest/knownfail.d/bug13653
>new file mode 100644
>index 00000000000..14b955de178
>--- /dev/null
>+++ b/selftest/knownfail.d/bug13653
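Review bot: The docstring of `test_tdb_scheme` says `"tbd://"` while the method passes `"tdb://"`; fix the typo so the name, docstring and argument agree. In `tearDown` the bound name in `except Exception as e:` is never used (only `pass` follows), so `except Exception:` reads cleaner there; `delete_user` does use its `e`, so that one stays. `_test_scheme` interpolates `self.prefix`, `self.env` and `self.server` from the environment straight into a shell command string; `random_password` guarantees the password itself has no shell metacharacters, but the paths are unquoted, so a comment such as `# PREFIX_ABS/TEST_ENV/SERVER are assumed to contain no shell metacharacters` would record that assumption. Note also that the account password is placed on the samba-tool command line, which is visible in the process table for the duration of the call; acceptable in the selftest harness, but worth a one-line comment so it is not copied elsewhere.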
>@@ -0,0 +1,14 @@
>+^samba.tests.blackbox.bug13653.samba.tests.blackbox.bug13653.Bug13653Tests.test_ldb_scheme
>+^samba.tests.blackbox.bug13653.python3.samba.tests.blackbox.bug13653.Bug13653Tests.test_ldb_scheme
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file_short_key
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file_long_key
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_value_encryption
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_header
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_data
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_iv
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_value_encryption
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_header
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_data
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_iv
>+^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_message_encryption_decryption
>diff --git a/selftest/knownfail.d/encrypted_secrets b/selftest/knownfail.d/encrypted_secrets
>index a701d1d9d7e..9973baa3e51 100644
>--- a/selftest/knownfail.d/encrypted_secrets
>+++ b/selftest/knownfail.d/encrypted_secrets
>@@ -6,3 +6,9 @@
> # * secrets are not stored as encrypted text when this option is specified
> ^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_encrypted_secrets\(fl2000dc:local\)
> ^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_required_features\(fl2000dc:local\)
>+#
>+# The tests for bug 13563 https://bugzilla.samba.org/show_bug.cgi?id=13653
>+# should fail in the mdb case, as sam.ldb is currently a tdb file.
>+#
>+^samba.tests.blackbox.bug13653.python3.samba.tests.blackbox.bug13653.Bug13653Tests.test_mdb_scheme
>+^samba.tests.blackbox.bug13653.samba.tests.blackbox.bug13653.Bug13653Tests.test_mdb_scheme
>diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
>index 4aa325635ce..258e1ba829f 100644
>--- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
>+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
>@@ -27,7 +27,6 @@ int ldb_encrypted_secrets_module_init(const char *version);
> #define TEST_ENCRYPTED_SECRETS
> #include "../encrypted_secrets.c"
>
>-#define TEST_BE "tdb"
> struct ldbtest_ctx {
> struct tevent_context *ev;
> struct ldb_context *ldb;
>diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
>index 9e0ac281cc6..f9de3533529 100644
>--- a/source4/dsdb/samdb/ldb_modules/wscript_build
>+++ b/source4/dsdb/samdb/ldb_modules/wscript_build
>@@ -28,8 +28,9 @@ bld.SAMBA_BINARY('test_unique_object_sids',
> DSDB_MODULE_HELPERS
> ''',
> install=False)
>-bld.SAMBA_BINARY('test_encrypted_secrets',
>+bld.SAMBA_BINARY('test_encrypted_secrets_tdb',
> source='tests/test_encrypted_secrets.c',
>+ cflags='-DTEST_BE=\"tdb\"',
> deps='''
> talloc
> samba-util
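Review bot: The added comment reads `# The tests for bug 13563 https://bugzilla.samba.org/show_bug.cgi?id=13653`; the number in the prose is transposed relative to the URL and the rest of the series and should read `bug 13653`. The neighbouring entries carry an explicit `\(fl2000dc:local\)` environment suffix while the two new `test_mdb_scheme` patterns carry none, so they mark the test as known-failing in every environment it is planned for; that appears intended given the sam.ldb-is-tdb note, but is worth confirming against the ad_dc_ntvfs run added in tests.py.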
>@@ -40,6 +41,20 @@ bld.SAMBA_BINARY('test_encrypted_secrets',
> DSDB_MODULE_HELPERS
> ''',
> install=False)
>+if bld.CONFIG_SET('HAVE_LMDB'):
>+ bld.SAMBA_BINARY('test_encrypted_secrets_mdb',
>+ source='tests/test_encrypted_secrets.c',
>+ cflags='-DTEST_BE=\"mdb\"',
>+ deps='''
>+ talloc
>+ samba-util
>+ samdb-common
>+ samdb
>+ cmocka
>+ gnutls
>+ DSDB_MODULE_HELPERS
>+ ''',
>+ install=False)
>
> if bld.AD_DC_BUILD_IS_ENABLED():
> bld.PROCESS_SEPARATE_RULE("server")
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 3a07eee4750..a4345140fe6 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
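Review bot: The `test_encrypted_secrets_mdb` target repeats the entire `deps` block of `test_encrypted_secrets_tdb` from the previous hunk, differing only in the target name, the `-DTEST_BE` value and the `HAVE_LMDB` guard; a loop over the backend names keeps the two binaries from drifting apart when a dependency is added to one and not the other. Deriving both the binary name and the `TEST_BE` macro from the same variable also makes the coupling between them explicit. The deletion of `#define TEST_BE "tdb"` in test_encrypted_secrets.c (same physical line as this file's first hunk) means the source no longer builds without the `cflags` entry, which is a further reason to generate both targets from one place.

```python
for backend in ['tdb', 'mdb']:
    if backend == 'mdb' and not bld.CONFIG_SET('HAVE_LMDB'):
        continue
    bld.SAMBA_BINARY('test_encrypted_secrets_' + backend,
                     source='tests/test_encrypted_secrets.c',
                     cflags='-DTEST_BE=\"%s\"' % backend,
                     deps='''
                          talloc
                          samba-util
                          samdb-common
                          samdb
                          cmocka
                          gnutls
                          DSDB_MODULE_HELPERS
                          ''',
                     install=False)
# … unchanged: if bld.AD_DC_BUILD_IS_ENABLED(): …
```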
>@@ -1129,10 +1129,27 @@ for env in ["ad_dc_ntvfs", "ad_dc", "fl2000dc", "fl2003dc", "fl2008r2dc",
>
> # cmocka tests not requiring a specific encironment
> #
>+# Tests to verify bug 13653 https://bugzilla.samba.org/show_bug.cgi?id=13653
>+# ad_dc has an lmdb backend, ad_dc_ntvfs has a tdb backend.
>+#
>+planoldpythontestsuite("ad_dc_ntvfs:local",
>+ "samba.tests.blackbox.bug13653",
>+ extra_args=['-U"$USERNAME%$PASSWORD"'],
>+ environ={'TEST_ENV': 'ad_dc_ntvfs'},
>+ py3_compatible=True)
>+planoldpythontestsuite("ad_dc:local",
>+ "samba.tests.blackbox.bug13653",
>+ extra_args=['-U"$USERNAME%$PASSWORD"'],
>+ environ={'TEST_ENV': 'ad_dc'},
>+ py3_compatible=True)
>+# cmocka tests not requiring a specific environment
>+#
> plantestsuite("samba4.dsdb.samdb.ldb_modules.unique_object_sids" , "none",
> [os.path.join(bindir(), "test_unique_object_sids")])
>-plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets", "none",
>- [os.path.join(bindir(), "test_encrypted_secrets")])
>+plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets.tdb", "none",
>+ [os.path.join(bindir(), "test_encrypted_secrets_tdb")])
>+plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb", "none",
>+ [os.path.join(bindir(), "test_encrypted_secrets_mdb")])
> plantestsuite("lib.audit_logging.audit_logging", "none",
> [os.path.join(bindir(), "audit_logging_test")])
> plantestsuite("samba4.dsdb.samdb.ldb_modules.audit_util", "none",
>--
>2.17.1
>
>
>From 971ca3fab851c3f75597a6d5fa9386390f19c276 Mon Sep 17 00:00:00 2001
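Review bot: `plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb", ...)` is planned unconditionally, but wscript_build only produces `test_encrypted_secrets_mdb` under `bld.CONFIG_SET('HAVE_LMDB')`, so a build without lmdb plans a suite whose executable does not exist. Guard it with whatever lmdb check selftest already uses, or at minimum `if os.path.exists(os.path.join(bindir(), "test_encrypted_secrets_mdb")):` around that call. The two new `planoldpythontestsuite` calls are also inserted directly beneath the old `# cmocka tests not requiring a specific encironment` header, which is then repeated (with the typo fixed) below them; the old header should be removed so the python suites are not filed under a cmocka heading.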
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Mon, 15 Oct 2018 16:02:40 +1300
>Subject: [PATCH 3/3] dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in
> file path
>
>Correctly handle "ldb://" and "mdb://" schemes in the file path when
>determining the path for the encrypted secrets key file.
>
>When creating a new user and specifying the local file path of the
>sam.ldb DB, it was possible to create an account that you could not
>login with. The path for the key file was incorrectly calculated
>for the "ldb://" and "mdb://" schemes, the scheme was not stripped from
>the path and the subsequent open of the key file failed.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13653
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Fri Oct 19 09:34:46 CEST 2018 on sn-devel-144
>
>(cherry picked from commit 7b59cd74f9f75d85b91c6ca517d0243e7f6bd2e1)
>---
> selftest/knownfail.d/bug13653 | 14 --------------
> source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 6 ++++++
> 2 files changed, 6 insertions(+), 14 deletions(-)
> delete mode 100644 selftest/knownfail.d/bug13653
>
>diff --git a/selftest/knownfail.d/bug13653 b/selftest/knownfail.d/bug13653
>deleted file mode 100644
>index 14b955de178..00000000000
>--- a/selftest/knownfail.d/bug13653
>+++ /dev/null
>@@ -1,14 +0,0 @@
>-^samba.tests.blackbox.bug13653.samba.tests.blackbox.bug13653.Bug13653Tests.test_ldb_scheme
>-^samba.tests.blackbox.bug13653.python3.samba.tests.blackbox.bug13653.Bug13653Tests.test_ldb_scheme
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file_short_key
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_key_file_long_key
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_value_encryption
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_header
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_data
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_gnutls_altered_iv
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_value_encryption
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_header
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_data
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_samba_altered_iv
>-^samba4.dsdb.samdb.ldb_modules.encrypted_secrets.mdb.test_message_encryption_decryption
>diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
>index ef69bb0831c..b2df15c08f4 100644
>--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
>+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
>@@ -131,6 +131,12 @@ static const char* get_key_directory(TALLOC_CTX *ctx, struct ldb_context *ldb)
> if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
> sam_ldb_path += 6;
> }
>+ else if (strncmp("ldb://", sam_ldb_path, 6) == 0) {
>+ sam_ldb_path += 6;
>+ }
>+ else if (strncmp("mdb://", sam_ldb_path, 6) == 0) {
>+ sam_ldb_path += 6;
>+ }
> private_dir = talloc_strdup(ctx, sam_ldb_path);
> if (private_dir == NULL) {
> ldb_set_errstring(ldb,
>--
>2.17.1
>
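Review bot: The three `strncmp(..., 6)` branches each repeat the prefix length as a literal 6 that must match the string beside it; a small table of accepted schemes derives the length from the string itself and makes adding a scheme a one-line change. If `sam_ldb_path` carries a scheme outside this list the function still treats the whole URL as a filesystem path, so the key-file open fails downstream and, as the transcript in the bug13653 test's docstring shows, the account's secrets end up stored without encryption behind only a warning; since `get_key_directory` cannot see the key-file result, the caller (outside this hunk) is where an unknown scheme or missing key file should be turned into a hard error rather than a warning. `get_key_directory` starts and ends outside the hunk.

```c
	static const char *schemes[] = { "tdb://", "ldb://", "mdb://" };
	size_t i;

	for (i = 0; i < sizeof(schemes) / sizeof(schemes[0]); i++) {
		size_t len = strlen(schemes[i]);
		if (strncmp(schemes[i], sam_ldb_path, len) == 0) {
			sam_ldb_path += len;
			break;
		}
	}
	/* … unchanged: private_dir = talloc_strdup(ctx, sam_ldb_path); … */
```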
Flags:
abartlet
:
review+