From f38b733ed8e19665ce9bd1547efb290458166ea7 Mon Sep 17 00:00:00 2001 From: Noel Power Date: Thu, 8 Aug 2019 15:06:28 +0100 Subject: [PATCH 01/23] s3/libads: clang: Fix Value stored to 'canon_princ' is never read Fixes: source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang] canon_princ = me; ^ ~~ 1 warning generated. Signed-off-by: Noel Power Reviewed-by: Gary Lockyer (cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290) --- source3/libads/kerberos.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 721c3c2a9294..9fbe7dd0f071 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -189,9 +189,10 @@ int kerberos_kinit_password_ext(const char *principal, goto out; } - canon_princ = me; #ifndef SAMBA4_USES_HEIMDAL /* MIT */ canon_princ = my_creds.client; +#else + canon_princ = me; #endif /* MIT */ if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) { -- 2.17.1 From 561b7fa3784266fb395fef60f213432d782970ae Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 18 Sep 2019 13:58:46 +0200 Subject: [PATCH 02/23] nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit acbf922fc2963a42d6cbe652bb32eee231020958) --- nsswitch/pam_winbind.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c index 7841377fdd65..3ad70d3c4cdc 100644 --- a/nsswitch/pam_winbind.c +++ b/nsswitch/pam_winbind.c @@ -862,6 +862,10 @@ static int wbc_auth_error_to_pam_error(struct pwb_context *ctx, } ret = wbc_error_to_pam_error(status); + _pam_log(ctx, LOG_ERR, + "request %s failed: %s, PAM error: %s (%d)!", + fn, wbcErrorString(status), + _pam_error_code_str(ret), ret); return pam_winbind_request_log(ctx, ret, username, fn); } -- 2.17.1 
From f3e517a73ddcfcb303492210e6615535787f0f72 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 17 Sep 2019 08:05:09 +0200 Subject: [PATCH 03/23] s4:auth: use the correct client realm in gensec_gssapi_update_internal() The function gensec_gssapi_client_creds() may call kinit and gets a TGT for the user. The principal provided by the user may not be canonicalized. The user may use 'given.last@example.com' but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background. It means we should use client_realm = AD.EXAMPLE.PRIVATE instead of client_realm = EXAMPLE.COM BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38) --- source4/auth/gensec/gensec_gssapi.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 4577c91c93a2..045a02257419 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -437,8 +437,6 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec const char *target_principal = gensec_get_target_principal(gensec_security); const char *hostname = gensec_get_target_hostname(gensec_security); const char *service = gensec_get_target_service(gensec_security); - const char *client_realm = cli_credentials_get_realm(cli_creds); - const char *server_realm = NULL; gss_OID gss_oid_p = NULL; OM_uint32 time_req = 0; OM_uint32 time_rec = 0; @@ -457,6 +455,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec switch (gensec_security->gensec_role) { case GENSEC_CLIENT: { + const char *client_realm = NULL; #ifdef SAMBA4_USES_HEIMDAL struct gsskrb5_send_to_kdc send_to_kdc; krb5_error_code ret; 
@@ -532,6 +531,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec * transitive forest trusts, would have to do the * fallback ourself. */ + client_realm = cli_credentials_get_realm(cli_creds); #ifndef SAMBA4_USES_HEIMDAL if (gensec_gssapi_state->server_name == NULL) { nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, @@ -575,6 +575,8 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec } #endif /* !SAMBA4_USES_HEIMDAL */ if (gensec_gssapi_state->server_name == NULL) { + const char *server_realm = NULL; + server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, hostname, client_realm); -- 2.17.1 From 8928fd7663f2065e44a62f5bab5a7016971a7195 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 16 Sep 2019 17:14:11 +0200 Subject: [PATCH 04/23] s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236) --- source3/libads/authdata.c | 1 + source3/libads/kerberos.c | 46 ++++++++++++++++++++++---- source3/libads/kerberos_proto.h | 5 ++- source3/libads/kerberos_util.c | 3 +- source3/utils/net_ads.c | 3 ++ source3/winbindd/winbindd_cred_cache.c | 6 ++++ 6 files changed, 56 insertions(+), 8 deletions(-) diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 86a1be71bf98..6e6d5b397ffb 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, request_pac, add_netbios_addr, renewable_time, + NULL, NULL, NULL, &status); if (ret) { DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 9fbe7dd0f071..3e09d70268f0 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c 
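Review bot: The late read `client_realm = cli_credentials_get_realm(cli_creds);` in the GENSEC_CLIENT hunk only pays off if the kinit that ran earlier in this case wrote the canonicalized realm back into `cli_creds`, and nothing in these hunks shows that, so the reason for moving the call belongs in a comment at that line, e.g. `/* Read the realm only now: gensec_gssapi_client_creds() may have run kinit, which can canonicalize principal and realm. */`. The `server_realm` hunk below hands that `client_realm` to `smb_krb5_get_realm_from_hostname()`; it can still be NULL when no realm is set on the credentials, which presumably was already the case before this change. gensec_gssapi_update_internal() starts and ends outside these hunks.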
@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data, place in default cache location. remus@snapserver.com */ -int kerberos_kinit_password_ext(const char *principal, +int kerberos_kinit_password_ext(const char *given_principal, const char *password, int time_offset, time_t *expire_time, @@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal, bool request_pac, bool add_netbios_addr, time_t renewable_time, + TALLOC_CTX *mem_ctx, + char **_canon_principal, + char **_canon_realm, NTSTATUS *ntstatus) { + TALLOC_CTX *frame = talloc_stackframe(); krb5_context ctx = NULL; krb5_error_code code = 0; krb5_ccache cc = NULL; @@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal, krb5_creds my_creds; krb5_get_init_creds_opt *opt = NULL; smb_krb5_addresses *addr = NULL; + char *canon_principal = NULL; + char *canon_realm = NULL; ZERO_STRUCT(my_creds); @@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal, if (code != 0) { DBG_ERR("kerberos init context failed (%s)\n", error_message(code)); + TALLOC_FREE(frame); return code; } @@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal, krb5_set_real_time(ctx, time(NULL) + time_offset, 0); } - DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n", - principal, - cache_name ? cache_name: krb5_cc_default_name(ctx), - getenv("KRB5_CONFIG"))); + DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n", + given_principal, + cache_name ? cache_name: krb5_cc_default_name(ctx), + getenv("KRB5_CONFIG")); if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) { goto out; } - if ((code = smb_krb5_parse_name(ctx, principal, &me))) { + if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) { goto out; } 
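Review bot: The three new parameters `mem_ctx`, `_canon_principal` and `_canon_realm` are not described in the header comment whose tail is visible at the top of this hunk, nor in the prototype hunk in kerberos_proto.h, and every pre-existing caller now passes NULL for them. Their contract should be stated where callers see it, e.g. `/* On success (return 0), if _canon_principal/_canon_realm are non-NULL they receive the principal and realm as canonicalized by the KDC, talloc'd on mem_ctx; on failure they are left untouched. */`. Because the values are handed over with talloc_move(), requesting either output with `mem_ctx == NULL` yields an unparented allocation, so the comment should say mem_ctx is required in that case or the function should reject the combination. The body of kerberos_kinit_password_ext() continues across several further hunks.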
@@ -195,6 +202,22 @@ int kerberos_kinit_password_ext(const char *principal, canon_princ = me; #endif /* MIT */ + code = smb_krb5_unparse_name(frame, + ctx, + canon_princ, + &canon_principal); + if (code != 0) { + goto out; + } + + DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal); + + canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ); + if (canon_realm == NULL) { + code = ENOMEM; + goto out; + } + if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) { goto out; } @@ -210,6 +233,13 @@ int kerberos_kinit_password_ext(const char *principal, if (renew_till_time) { *renew_till_time = (time_t) my_creds.times.renew_till; } + + if (_canon_principal != NULL) { + *_canon_principal = talloc_move(mem_ctx, &canon_principal); + } + if (_canon_realm != NULL) { + *_canon_realm = talloc_move(mem_ctx, &canon_realm); + } out: if (ntstatus) { /* fast path */ @@ -239,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal, if (ctx) { krb5_free_context(ctx); } + TALLOC_FREE(frame); return code; } @@ -328,6 +359,9 @@ int kerberos_kinit_password(const char *principal, False, False, 0, + NULL, + NULL, + NULL, NULL); } diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h index f92cabd757eb..433bce9e0ec6 100644 --- a/source3/libads/kerberos_proto.h +++ b/source3/libads/kerberos_proto.h @@ -45,7 +45,7 @@ struct PAC_DATA_CTR { /* The following definitions come from libads/kerberos.c */ -int kerberos_kinit_password_ext(const char *principal, +int kerberos_kinit_password_ext(const char *given_principal, const char *password, int time_offset, time_t *expire_time, @@ -54,6 +54,9 @@ int kerberos_kinit_password_ext(const char *principal, bool request_pac, bool add_netbios_addr, time_t renewable_time, + TALLOC_CTX *mem_ctx, + char **_canon_principal, + char **_canon_realm, NTSTATUS *ntstatus); int ads_kdestroy(const char *cc_name); 
diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c index 68c0f302239b..bfe53820aff6 100644 --- a/source3/libads/kerberos_util.c +++ b/source3/libads/kerberos_util.c @@ -66,7 +66,8 @@ int ads_kinit_password(ADS_STRUCT *ads) ads->auth.time_offset, &ads->auth.tgt_expire, NULL, ads->auth.ccache_name, false, false, - ads->auth.renewable, NULL); + ads->auth.renewable, + NULL, NULL, NULL, NULL); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 6b4cd3591b08..4a0f59a1e80e 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -3353,6 +3353,9 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** true, true, 2592000, /* one month */ + NULL, + NULL, + NULL, &status); if (ret) { d_printf(_("failed to kinit password: %s\n"), diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c index 85ad426446ae..5baecf906b94 100644 --- a/source3/winbindd/winbindd_cred_cache.c +++ b/source3/winbindd/winbindd_cred_cache.c @@ -146,6 +146,9 @@ rekinit: False, /* no PAC required anymore */ True, WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + NULL, + NULL, NULL); gain_root_privilege(); @@ -343,6 +346,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx, False, /* no PAC required anymore */ True, WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + NULL, + NULL, NULL); gain_root_privilege(); -- 2.17.1 From 96e16e7b80bf0fbab989730ae5609ca307bd4a0a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 17 Sep 2019 10:08:10 +0200 Subject: [PATCH 05/23] s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 361fb0efabfb189526c851107eee49161da2293c) --- source3/libsmb/cliconnect.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3a116b6c7e6a..7b6adfd69750 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -375,6 +375,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, /* * Ignore the error and hope that NTLM will work */ + TALLOC_FREE(frame); + return NT_STATUS_OK; } DBG_DEBUG("Successfully authenticated as %s to access %s using " -- 2.17.1 From 124bb1b922c76ac46088c40b65c34e7528a94188 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 17 Sep 2019 08:49:13 +0200 Subject: [PATCH 06/23] s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9) --- source3/libsmb/cliconnect.c | 39 ++++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7b6adfd69750..94cec0628813 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -229,6 +229,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, const char *user_account = NULL; const char *user_domain = NULL; const char *pass = NULL; + char *canon_principal = NULL; + char *canon_realm = NULL; const char *target_hostname = NULL; const DATA_BLOB *server_blob = NULL; bool got_kerberos_mechanism = false; @@ -237,6 +239,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, bool need_kinit = false; bool auth_requested = true; int ret; + bool ok; target_hostname = smbXcli_conn_remote_name(cli->conn); server_blob = smbXcli_conn_server_gss_blob(cli->conn); 
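Review bot: The new early return after the `Ignore the error and hope that NTLM will work` comment reports NT_STATUS_OK for a kinit that failed, which is a silent Kerberos-to-NTLM downgrade; whether the credentials' must-use-Kerberos setting is honoured is decided in the part of the `if (ret != 0)` block this hunk does not show, so it is worth confirming that a failure is returned in that case before this point is reached. If it is, a short note here, `/* Kerberos was optional for these creds; fall back to NTLM. */`, would make the OK return self-explanatory. cli_session_creds_prepare_krb5() starts and ends outside the hunk.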
@@ -245,7 +248,6 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, if (server_blob != NULL && server_blob->length != 0) { char *OIDs[ASN1_MAX_OIDS] = { NULL, }; size_t i; - bool ok; /* * The server sent us the first part of the SPNEGO exchange in the @@ -354,9 +356,19 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, * only if required! */ setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1); - ret = kerberos_kinit_password(user_principal, pass, - 0 /* no time correction for now */, - NULL); + ret = kerberos_kinit_password_ext(user_principal, + pass, + 0, + 0, + 0, + NULL, + false, + false, + 0, + frame, + &canon_principal, + &canon_realm, + NULL); if (ret != 0) { int dbglvl = DBGLVL_NOTICE; @@ -379,9 +391,26 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, return NT_STATUS_OK; } - DBG_DEBUG("Successfully authenticated as %s to access %s using " + ok = cli_credentials_set_principal(creds, + canon_principal, + CRED_SPECIFIED); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + ok = cli_credentials_set_realm(creds, + canon_realm, + CRED_SPECIFIED); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + DBG_DEBUG("Successfully authenticated as %s (%s) to access %s using " "Kerberos\n", user_principal, + canon_principal, target_hostname); TALLOC_FREE(frame); -- 2.17.1 From 2255a322a293049b4a49935073da128d6379930a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 13 Sep 2019 16:04:30 +0200 Subject: [PATCH 07/23] s3:libads/kerberos: always use the canonicalized principal after kinit We should always use krb5_get_init_creds_opt_set_canonicalize() and krb5_get_init_creds_opt_set_win2k() for heimdal and expect the client principal to be changed. There's no reason to have a different logic between MIT and Heimdal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 
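Review bot: In the new `kerberos_kinit_password_ext()` call the fourth and fifth arguments (`expire_time` and `renew_till_time`, both `time_t *`) are passed as the integer literal `0` rather than `NULL`, unlike `cache_name` in the same call and the other call sites this series updates (authdata.c, net_ads.c, winbindd_cred_cache.c). The run of bare `0`/`false` positional arguments also hides which is which, and the old call's `0 /* no time correction for now */` was lost; suggested `0, /* time_offset: no time correction for now */`, `NULL, /* expire_time */`, `NULL, /* renew_till_time */`. The enclosing function starts and ends outside the hunk.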
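Review bot: `canon_principal` and `canon_realm` are talloc'd on `frame` (the kinit call passes `frame` as mem_ctx) and `frame` is freed right after the DBG_DEBUG on the success path, so the new `cli_credentials_set_principal()`/`cli_credentials_set_realm()` calls are only safe if they copy the strings into `creds` rather than store the pointer; that is presumably what the CRED_SPECIFIED setters do, but a stored pointer would dangle after `TALLOC_FREE(frame)`, so it is worth confirming. A comment above the first setter, `/* creds now carry the KDC-canonicalized principal/realm for later gensec use */`, would document why the credentials are rewritten here. cli_session_creds_prepare_krb5() starts and ends outside the hunk.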
Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 0bced73bed481a8846a6b3e68be85941914390ba) --- source3/libads/kerberos.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 3e09d70268f0..559ec3b7f538 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -167,7 +167,10 @@ int kerberos_kinit_password_ext(const char *given_principal, krb5_get_init_creds_opt_set_forwardable(opt, True); /* Turn on canonicalization for lower case realm support */ -#ifndef SAMBA4_USES_HEIMDAL /* MIT */ +#ifdef SAMBA4_USES_HEIMDAL + krb5_get_init_creds_opt_set_win2k(ctx, opt, true); + krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true); +#else /* MIT */ krb5_get_init_creds_opt_set_canonicalize(opt, true); #endif /* MIT */ #if 0 @@ -196,11 +199,7 @@ int kerberos_kinit_password_ext(const char *given_principal, goto out; } -#ifndef SAMBA4_USES_HEIMDAL /* MIT */ canon_princ = my_creds.client; -#else - canon_princ = me; -#endif /* MIT */ code = smb_krb5_unparse_name(frame, ctx, -- 2.17.1 From 2f8153c6787ec9d0f401f94be5e6cf96cd8dd393 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 13 Sep 2019 16:04:30 +0200 Subject: [PATCH 08/23] krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal We should always use krb5_get_init_creds_opt_set_canonicalize() and krb5_get_init_creds_opt_set_win2k() for heimdal and expect the client principal to be changed. There's no reason to have a different logic between MIT and Heimdal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614) --- lib/krb5_wrap/krb5_samba.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 72889fffcf0a..55c17d481f4d 100644 --- a/lib/krb5_wrap/krb5_samba.c 
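Review bot: The comment `/* Turn on canonicalization for lower case realm support */` above the new `#ifdef SAMBA4_USES_HEIMDAL` block no longer describes the code: on Heimdal it now also calls `krb5_get_init_creds_opt_set_win2k()`, and per the commit the intent is that the KDC may hand back a different client principal, which the second hunk now takes unconditionally from `my_creds.client`. Suggested replacement: `/* Request canonicalization (plus win2k compatibility on Heimdal): the KDC may answer with a different client principal, which is used below. */`. The same Heimdal/MIT option block is repeated in krb5_setpw.c (patch 10) and, in a slightly different form, in source4/auth/kerberos/kerberos_util.c (patch 09); a small helper in lib/krb5_wrap would keep the three sites from drifting apart. kerberos_kinit_password_ext() starts and ends outside these hunks.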
+++ b/lib/krb5_wrap/krb5_samba.c @@ -2114,14 +2114,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, return code; } -#ifndef SAMBA4_USES_HEIMDAL /* MIT */ /* * We need to store the principal as returned from the KDC to the * credentials cache. If we don't do that the KRB5 library is not * able to find the tickets it is looking for */ principal = my_creds.client; -#endif code = krb5_cc_initialize(ctx, cc, principal); if (code) { goto done; -- 2.17.1 From c6d4d80c5e2f7722b84feb251cac26122ff6194c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 13 Sep 2019 16:04:30 +0200 Subject: [PATCH 09/23] s4:auth: kinit_to_ccache() should always use the canonicalized principal We should always use krb5_get_init_creds_opt_set_canonicalize() and krb5_get_init_creds_opt_set_win2k() for heimdal and expect the client principal to be changed. There's no reason to have a different logic between MIT and Heimdal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 162b4199493c1f179e775a325a19ae7a136c418b) --- source4/auth/kerberos/kerberos_util.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 50bf8feec968..950d91f17378 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -313,6 +313,8 @@ done: */ krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context, krb_options, true); + krb5_get_init_creds_opt_set_canonicalize(smb_krb5_context->krb5_context, + krb_options, true); #else /* MIT */ krb5_get_init_creds_opt_set_canonicalize(krb_options, true); #endif -- 2.17.1 From c970300223e760ba22ac5daf232551fc9988fd22 Mon Sep 17 00:00:00 2001 
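Review bot: Dropping the `#ifndef SAMBA4_USES_HEIMDAL` guard around `principal = my_creds.client;` only changes anything on Heimdal if this function also requests canonicalization (set_win2k/set_canonicalize) the way patches 07, 09 and 10 do for theirs, and the option setup of smb_krb5_kinit_password_ccache() is not in this hunk; if it does not, `my_creds.client` is the parsed principal and the change is harmless but inert. Either way the retained comment should say so, e.g. `/* Valid for both MIT and Heimdal now that canonicalization is requested. */`, and the cache is initialised with a principal owned by `my_creds`, so it must be used before `my_creds` is released. The function starts and ends outside the hunk.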
From: Stefan Metzmacher Date: Fri, 13 Sep 2019 16:04:30 +0200 Subject: [PATCH 10/23] s3:libads: ads_krb5_chg_password() should always use the canonicalized principal We should always use krb5_get_init_creds_opt_set_canonicalize() and krb5_get_init_creds_opt_set_win2k() for heimdal and expect the client principal to be changed. There's no reason to have a different logic between MIT and Heimdal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 303b7e59a286896888ee2473995fc50bb2b5ce5e) --- source3/libads/krb5_setpw.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c index c3c9477c4cf1..67bc2f4640d5 100644 --- a/source3/libads/krb5_setpw.c +++ b/source3/libads/krb5_setpw.c @@ -203,6 +203,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, krb5_get_init_creds_opt_set_renew_life(opts, 0); krb5_get_init_creds_opt_set_forwardable(opts, 0); krb5_get_init_creds_opt_set_proxiable(opts, 0); +#ifdef SAMBA4_USES_HEIMDAL + krb5_get_init_creds_opt_set_win2k(context, opts, true); + krb5_get_init_creds_opt_set_canonicalize(context, opts, true); +#else /* MIT */ + krb5_get_init_creds_opt_set_canonicalize(opts, true); +#endif /* MIT */ /* note that heimdal will fill in the local addresses if the addresses * in the creds_init_opt are all empty and then later fail with invalid -- 2.17.1 From 9880e930a783b09eb98ff94e9094b90457007015 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 13 Sep 2019 15:52:25 +0200 Subject: [PATCH 11/23] krb5_wrap: let smb_krb5_parse_name() accept enterprise principals BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 3bdf023956e861485be70430112ed38d0a5424f7) --- lib/krb5_wrap/krb5_samba.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 55c17d481f4d..a4e73c64f002 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context, } ret = krb5_parse_name(context, utf8_name, principal); + if (ret == KRB5_PARSE_MALFORMED) { + ret = krb5_parse_name_flags(context, utf8_name, + KRB5_PRINCIPAL_PARSE_ENTERPRISE, + principal); + } TALLOC_FREE(frame); return ret; } -- 2.17.1 From 6f7c54eababd5d71f4ee6f5b208d3d126a06874e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 11 Sep 2019 16:44:43 +0200 Subject: [PATCH 12/23] docs-xml: add "winbind use krb5 enterprise principals" option BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 9520652399696010c333a3ce7247809ce5337a91) --- .../winbindusekrb5enterpriseprincipals.xml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml new file mode 100644 index 000000000000..bfc11c8636c6 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml 
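Review bot: The new fallback in `smb_krb5_parse_name()` changes behaviour for every caller of this wrapper, not only the winbind enterprise-principal path: any name that `krb5_parse_name()` rejects with KRB5_PARSE_MALFORMED is retried with KRB5_PRINCIPAL_PARSE_ENTERPRISE, so inputs such as `user@suffix@REALM` that previously failed now succeed as an enterprise principal, and the caller cannot tell which parse produced the result or see the original error. That deserves a comment at the retry, e.g. `/* Retry as an enterprise principal (user@suffix@REALM); this applies to all callers, and the second error code replaces the first. */`, and the header comment of smb_krb5_parse_name() should mention the enterprise form. The function starts outside the hunk.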
@@ -0,0 +1,34 @@ + + + winbindd is able to get kerberos tickets for + pam_winbind with krb5_auth or wbinfo -K/--krb5auth=. + + + winbindd (at least on a domain member) is never be able + to have a complete picture of the trust topology (which is managed by the DCs). + There might be uPNSuffixes and msDS-SPNSuffixes values, + which don't belong to any AD domain at all. + + + With no + winbindd don't even get an incomplete picture of the topology. + + + It is not really required to know about the trust topology. + We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) + and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM + and follow the WRONG_REALM referrals in order to find the correct DC. + The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE. + + + With yes + winbindd enterprise principals will be used. + + + +no +yes + -- 2.17.1 From c242fbb89db7eb0ef65eb44641f65edad06fd423 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 19 Jul 2019 15:10:09 +0000 Subject: [PATCH 13/23] s3:winbindd: implement the "winbind use krb5 enterprise principals" logic We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM) and delegate the routing decisions to the KDCs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b) --- source3/winbindd/winbindd_pam.c | 57 +++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 24 deletions(-) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index eaf16d0dcede..c5b7c09b5c13 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c 
@@ -419,6 +419,15 @@ struct winbindd_domain *find_auth_domain(uint8_t flags, return find_domain_from_name_noinit(domain_name); } + if (lp_winbind_use_krb5_enterprise_principals()) { + /* + * If we use enterprise principals + * we always go trough our primary domain + * and follow the WRONG_REALM replies. + */ + flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM; + } + /* we can auth against trusted domains */ if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) { domain = find_domain_from_name_noinit(domain_name); @@ -723,7 +732,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm); + if (lp_winbind_use_krb5_enterprise_principals() && + name_namespace[0] != '\0') + { + principal_s = talloc_asprintf(mem_ctx, + "%s@%s@%s", + name_user, + name_namespace, + realm); + } else { + principal_s = talloc_asprintf(mem_ctx, + "%s@%s", + name_user, + realm); + } if (principal_s == NULL) { return NT_STATUS_NO_MEMORY; } 
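Review bot: The comment added in `find_auth_domain()` has a typo (`trough` should be `through`), and the principal_s hunk further down builds the enterprise form without saying so; a comment on the `talloc_asprintf` branch, e.g. `/* Enterprise principal: user@upn-suffix@OUR_REALM, routed by our KDC via WRONG_REALM referrals */`, would tie the two hunks together. `name_namespace` comes from the request and the only check applied before it is embedded in the principal is `name_namespace[0] != '\0'`; presumably the later parse rejects malformed names, but a reader should not have to infer that. Both enclosing functions start and end outside these hunks.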
@@ -1290,30 +1312,16 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, /* what domain should we contact? */ - if ( IS_DC ) { - contact_domain = find_domain_from_name(name_namespace); - if (contact_domain == NULL) { - DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", - state->request->data.auth.user, name_domain, name_user, name_domain)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - + if (lp_winbind_use_krb5_enterprise_principals()) { + contact_domain = find_auth_domain(0, name_namespace); } else { - if (is_myname(name_domain)) { - DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - contact_domain = find_domain_from_name(name_namespace); - if (contact_domain == NULL) { - DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", - state->request->data.auth.user, name_domain, name_user, name_domain)); - - result = NT_STATUS_NO_SUCH_USER; - goto done; - } + } + if (contact_domain == NULL) { + DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", + state->request->data.auth.user, name_domain, name_user, name_namespace)); + result = NT_STATUS_NO_SUCH_USER; + goto done; } if (contact_domain->initialized && @@ -1326,7 +1334,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, } if (!contact_domain->active_directory) { - DEBUG(3,("krb5 auth requested but domain is not Active Directory\n")); + DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n", + contact_domain->name)); return NT_STATUS_INVALID_LOGON_TYPE; } try_login: -- 2.17.1 From 30ee6a717fea4d830b7f82b6a17a1d63a68e4406 Mon Sep 17 00:00:00 2001 
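Review bot: The rewritten contact-domain selection in `winbindd_dual_pam_auth_kerberos()` drops the non-DC `is_myname(name_domain)` check that used to return NT_STATUS_NO_SUCH_USER with "local domain to this server not supported", and removes the IS_DC/non-DC split altogether, while the commit message only describes the enterprise-principal branch; if dropping that check is intentional (for instance because `find_domain_from_name()` cannot return the local machine's own name) it should be said in the commit or in a comment at the new `if (contact_domain == NULL)` block. In the enterprise branch `find_auth_domain(0, name_namespace)` passes flags 0, so the WBFLAG_PAM_CONTACT_TRUSTDOM path in find_auth_domain() never applies there; a one-line comment, `/* flags 0: always route via our primary domain, the KDC handles referrals */`, would make that deliberate. The function starts and ends outside the hunk.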
From: Stefan Metzmacher Date: Wed, 18 Sep 2019 08:04:42 +0200 Subject: [PATCH 14/23] tests/pam_winbind.py: turn pypamtest.PamTestError into a failure A failure generated by the AssertionError() checks can be added to selftest/knownfail.d/*. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit cd3ffaabb568db26e0de5e83178487e5947c4f09) --- python/samba/tests/pam_winbind.py | 15 ++++++++++++--- python/samba/tests/pam_winbind_chauthtok.py | 5 ++++- python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 ++++- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py index 68b05b30d7d3..b05e8af6ffb5 100644 --- a/python/samba/tests/pam_winbind.py +++ b/python/samba/tests/pam_winbind.py @@ -30,7 +30,10 @@ class SimplePamTests(samba.tests.TestCase): expected_rc = 0 # PAM_SUCCESS tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) - res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) + try: + res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) + except pypamtest.PamTestError as e: + raise AssertionError(str(e)) self.assertTrue(res is not None) @@ -42,7 +45,10 @@ class SimplePamTests(samba.tests.TestCase): expected_rc = 7 # PAM_AUTH_ERR tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) - res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) + try: + res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) + except pypamtest.PamTestError as e: + raise AssertionError(str(e)) self.assertTrue(res is not None) 
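Review bot: `raise AssertionError(str(e))` inside each new `except pypamtest.PamTestError` block discards the original traceback; `raise AssertionError(str(e)) from e` keeps it while still producing the AssertionError the knownfail machinery needs (assuming these tests run under Python 3, since the `from` form is Python 3 only). The identical try/except wrapper is repeated in both hunks here and again in pam_winbind_chauthtok.py and pam_winbind_warn_pwd_expire.py; a small helper on the test base, e.g. `run_pamtest_or_fail(...)`, would remove the copies. The enclosing test methods start outside the hunks.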
@@ -52,6 +58,9 @@ class SimplePamTests(samba.tests.TestCase): expected_rc = 0 # PAM_SUCCESS tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) - res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) + try: + res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) + except pypamtest.PamTestError as e: + raise AssertionError(str(e)) self.assertTrue(res is not None) diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py index e5be3a83ce72..18c2705127ab 100644 --- a/python/samba/tests/pam_winbind_chauthtok.py +++ b/python/samba/tests/pam_winbind_chauthtok.py @@ -31,6 +31,9 @@ class PamChauthtokTests(samba.tests.TestCase): expected_rc = 0 # PAM_SUCCESS tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc) - res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword]) + try: + res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword]) + except pypamtest.PamTestError as e: + raise AssertionError(str(e)) self.assertTrue(res is not None) diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py index df60bc5ace67..1af2f9befe1f 100644 --- a/python/samba/tests/pam_winbind_warn_pwd_expire.py +++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py @@ -31,7 +31,10 @@ class PasswordExpirePamTests(samba.tests.TestCase): expected_rc = 0 # PAM_SUCCESS tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) - res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) + try: + res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) + except pypamtest.PamTestError as e: + raise AssertionError(str(e)) self.assertTrue(res is not None) if warn_pwd_expire == 0: -- 2.17.1 From 2c5a68b00f8fee6fb752d0f94c9d31afe3cd09ce Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Fri, 20 Sep 2019 08:13:28 +0200 Subject: [PATCH 15/23] tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 653e90485854d978dc522e689cd78c19dcc22a70) --- python/samba/tests/pam_winbind.py | 10 ++++++++-- python/samba/tests/pam_winbind_chauthtok.py | 5 ++++- python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 ++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py index b05e8af6ffb5..708f408f7683 100644 --- a/python/samba/tests/pam_winbind.py +++ b/python/samba/tests/pam_winbind.py @@ -26,7 +26,10 @@ class SimplePamTests(samba.tests.TestCase): domain = os.environ["DOMAIN"] username = os.environ["USERNAME"] password = os.environ["PASSWORD"] - unix_username = "%s/%s" % (domain, username) + if domain != "": + unix_username = "%s/%s" % (domain, username) + else: + unix_username = "%s" % username expected_rc = 0 # PAM_SUCCESS tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) @@ -41,7 +44,10 @@ class SimplePamTests(samba.tests.TestCase): domain = os.environ["DOMAIN"] username = os.environ["USERNAME"] password = "WrongPassword" - unix_username = "%s/%s" % (domain, username) + if domain != "": + unix_username = "%s/%s" % (domain, username) + else: + unix_username = "%s" % username expected_rc = 7 # PAM_AUTH_ERR tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py index 18c2705127ab..c1d569b3cd00 100644 --- a/python/samba/tests/pam_winbind_chauthtok.py +++ b/python/samba/tests/pam_winbind_chauthtok.py 
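Review bot: In the empty-DOMAIN branch `unix_username = "%s" % username` is a no-op format; `unix_username = username` says the same thing, in both hunks here and in the ones in pam_winbind_chauthtok.py and pam_winbind_warn_pwd_expire.py. The four-line domain/username join is now duplicated five times across the three files; a helper such as `def unix_username(domain, username): return "%s/%s" % (domain, username) if domain else username` would keep them in step. The enclosing test methods start outside the hunks.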
@@ -27,7 +27,10 @@ class PamChauthtokTests(samba.tests.TestCase): username = os.environ["USERNAME"] password = os.environ["PASSWORD"] newpassword = os.environ["NEWPASSWORD"] - unix_username = "%s/%s" % (domain, username) + if domain != "": + unix_username = "%s/%s" % (domain, username) + else: + unix_username = "%s" % username expected_rc = 0 # PAM_SUCCESS tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc) diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py index 1af2f9befe1f..56f5da94f981 100644 --- a/python/samba/tests/pam_winbind_warn_pwd_expire.py +++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py @@ -27,7 +27,10 @@ class PasswordExpirePamTests(samba.tests.TestCase): username = os.environ["USERNAME"] password = os.environ["PASSWORD"] warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"]) - unix_username = "%s/%s" % (domain, username) + if domain != "": + unix_username = "%s/%s" % (domain, username) + else: + unix_username = "%s" % username expected_rc = 0 # PAM_SUCCESS tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) -- 2.17.1 From d3149eff0d2ad797cf58860d7a1697c38a793d16 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 18 Sep 2019 01:25:58 +0200 Subject: [PATCH 16/23] test_pam_winbind.sh: allow different pam_winbindd config options to be specified BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1) --- python/samba/tests/test_pam_winbind.sh | 12 +++++++---- .../samba/tests/test_pam_winbind_chauthtok.sh | 4 ++-- .../tests/test_pam_winbind_warn_pwd_expire.sh | 20 +++++++++++-------- selftest/tests.py | 6 +++--- 4 files changed, 25 insertions(+), 17 deletions(-) diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh index 0406b108b312..755e67280fa1 100755 
--- a/python/samba/tests/test_pam_winbind.sh +++ b/python/samba/tests/test_pam_winbind.sh @@ -12,6 +12,10 @@ PASSWORD="$3" export PASSWORD shift 3 +PAM_OPTIONS="$1" +export PAM_OPTIONS +shift 1 + PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper" pam_winbind="$BINDIR/shared/pam_winbind.so" @@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services" service_file="$service_dir/samba" mkdir $service_dir -echo "auth required $pam_winbind debug debug_state" > $service_file -echo "account required $pam_winbind debug debug_state" >> $service_file -echo "password required $pam_winbind debug debug_state" >> $service_file -echo "session required $pam_winbind debug debug_state" >> $service_file +echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file +echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file +echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file +echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file PAM_WRAPPER="1" export PAM_WRAPPER diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh index 5887699300a2..48adc81859d5 100755 --- a/python/samba/tests/test_pam_winbind_chauthtok.sh +++ b/python/samba/tests/test_pam_winbind_chauthtok.sh @@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"} export PAM_WRAPPER_DEBUGLEVEL case $PAM_OPTIONS in - use_authtok) + *use_authtok*) PAM_AUTHTOK="$NEWPASSWORD" export PAM_AUTHTOK ;; - try_authtok) + *try_authtok*) PAM_AUTHTOK="$NEWPASSWORD" export PAM_AUTHTOK ;; diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh index 16dede442270..348d2ae8387e 100755 --- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh +++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh 
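Review bot: `PAM_OPTIONS="$1"` followed by an unconditional `shift 1` makes test_pam_winbind.sh depend on a fourth positional argument that the pre-existing callers did not pass; a caller that still supplies only server, user and password gets an empty `$PAM_OPTIONS`, which is harmless, but `shift 1` on an empty argument list fails, and whether that aborts the script depends on the shell and on whether `set -e` is in effect (neither is visible in the hunk). `PAM_OPTIONS="${1:-}"` together with `[ $# -gt 0 ] && shift` keeps the behaviour for the selftest caller, which passes `''`, and tolerates the old calling form. The same two-line pattern is repeated in test_pam_winbind_warn_pwd_expire.sh in the next hunk.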
@@ -12,6 +12,10 @@ PASSWORD="$3" export PASSWORD shift 3 +PAM_OPTIONS="$1" +export PAM_OPTIONS +shift 1 + PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper" pam_winbind="$BINDIR/shared/pam_winbind.so" @@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL WARN_PWD_EXPIRE="50" export WARN_PWD_EXPIRE -echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file -echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file -echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file -echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file +echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file +echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file +echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file +echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire exit_code=$? 
@@ -54,10 +58,10 @@ fi WARN_PWD_EXPIRE="0" export WARN_PWD_EXPIRE -echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file -echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file -echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file -echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file +echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file +echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file +echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file +echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire exit_code=$? diff --git a/selftest/tests.py b/selftest/tests.py index 1568f29b2128..2d3587837a3f 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -216,11 +216,11 @@ if with_pam: plantestsuite("samba.tests.pam_winbind(local)", "ad_member", [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), valgrindify(python), pam_wrapper_so_path, - "$SERVER", "$USERNAME", "$PASSWORD"]) + "$SERVER", "$USERNAME", "$PASSWORD", "''"]) plantestsuite("samba.tests.pam_winbind(domain)", "ad_member", [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), valgrindify(python), pam_wrapper_so_path, - "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"]) + "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"]) for pam_options in ["''", "use_authtok", "try_authtok"]: plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member", 
@@ -233,7 +233,7 @@ if with_pam: plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member", [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), valgrindify(python), pam_wrapper_so_path, - "$DOMAIN", "alice", "Secret007"]) + "$DOMAIN", "alice", "Secret007", "''"]) plantestsuite("samba.unittests.krb5samba", "none", -- 2.17.1 From b072a4eab938a188198f779f32b33fe942cd5575 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 18 Sep 2019 01:25:23 +0200 Subject: [PATCH 17/23] selftest/tests.py: prepare looping over pam_winbindd tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc) --- selftest/tests.py | 58 ++++++++++++++++++++++++++++++----------------- 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/selftest/tests.py b/selftest/tests.py index 2d3587837a3f..95d027f95214 100644 --- a/selftest/tests.py +++ b/selftest/tests.py 
@@ -213,27 +213,43 @@ planpythontestsuite("none", "samba.tests.tdb_util") planpythontestsuite("none", "samba.tests.samdb_api") if with_pam: - plantestsuite("samba.tests.pam_winbind(local)", "ad_member", - [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), - valgrindify(python), pam_wrapper_so_path, - "$SERVER", "$USERNAME", "$PASSWORD", "''"]) - plantestsuite("samba.tests.pam_winbind(domain)", "ad_member", - [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), - valgrindify(python), pam_wrapper_so_path, - "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"]) - - for pam_options in ["''", "use_authtok", "try_authtok"]: - plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member", - [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"), - valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path, - "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0", - pam_options, 'yes', - "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"]) - - plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member", - [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), - valgrindify(python), pam_wrapper_so_path, - "$DOMAIN", "alice", "Secret007", "''"]) + env = "ad_member" + options = [ + { + "description": "default", + "pam_options": "", + }, + ] + for o in options: + description = o["description"] + pam_options = "'%s'" % o["pam_options"] + + plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$SERVER", "$USERNAME", "$PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", + pam_options]) + + for authtok_options in ["", 
"use_authtok", "try_authtok"]: + _pam_options = "'%s %s'" % (o["pam_options"], authtok_options) + _description = "%s %s" % (description, authtok_options) + plantestsuite("samba.tests.pam_winbind_chauthtok(domain+%s)" % _description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"), + valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path, + "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0", + _pam_options, 'yes', + "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"]) + + plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), + valgrindify(python), pam_wrapper_so_path, + "$DOMAIN", "alice", "Secret007", + pam_options]) plantestsuite("samba.unittests.krb5samba", "none", -- 2.17.1 From 6ae80b82998ab598d7cdb60af176b510dfabf529 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 18 Sep 2019 08:08:57 +0200 Subject: [PATCH 18/23] selftest/tests.py: test pam_winbind with krb5_auth BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6) --- selftest/tests.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/selftest/tests.py b/selftest/tests.py index 95d027f95214..0bcb826071cd 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -215,6 +215,10 @@ planpythontestsuite("none", "samba.tests.samdb_api") if with_pam: env = "ad_member" options = [ + { + "description": "krb5", + "pam_options": "krb5_auth krb5_ccache_type=FILE", + }, { "description": "default", "pam_options": "", -- 2.17.1 From f8135637c0fa971167c45cd9e62d9ec4f8167d5b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 18 Sep 2019 14:03:34 +0200 Subject: [PATCH 19/23] selftest/tests.py: test pam_winbind with a lot of username variations BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 
Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit f07b542c61f84a97c097208e10bf9375ddfa9a15) --- selftest/tests.py | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/selftest/tests.py b/selftest/tests.py index 0bcb826071cd..e37cb9e7b964 100644 --- a/selftest/tests.py +++ b/selftest/tests.py 
@@ -233,11 +233,36 @@ if with_pam: valgrindify(python), pam_wrapper_so_path, "$SERVER", "$USERNAME", "$PASSWORD", pam_options]) - plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env, + plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env, [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), valgrindify(python), pam_wrapper_so_path, "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", pam_options]) + plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$REALM", "$DC_USERNAME", "$DC_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD", + pam_options]) for authtok_options in ["", "use_authtok", "try_authtok"]: _pam_options = "'%s %s'" % (o["pam_options"], authtok_options) -- 2.17.1 From b15987526e5d3b4472892c0e9b8fae66a10e8eaf Mon Sep 17 00:00:00 2001 
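Review bot: The domain2 to domain6 variants carry no comment, and domain5/domain6 in particular pair a DOMAIN or REALM prefix with a UPN-style username (`"$REALM", "${DC_USERNAME}@${DOMAIN}"`), so a reader cannot tell from the test name whether the prefix or the UPN suffix is meant to win or whether the case is expected to be rejected. A short comment above the first added call, e.g. `# Every spelling of a domain user winbindd must accept: DOMAIN/user, REALM/user, bare UPN, and a UPN combined with a domain or realm prefix`, would document the contract the suite pins; the intent is inferred from the bug reference, so adjust the wording if any of these forms is expected to fail. The enclosing `for o in options` loop starts before the hunk.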
From: Andreas Schneider Date: Mon, 20 Mar 2017 11:39:41 +0100 Subject: [PATCH 20/23] selftest: Export TRUST information in the ad_member target environment BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andreas Schneider Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit 13e3811c9510cf213881527877bed40092e0b33c) --- selftest/target/Samba.pm | 22 ++++++++++++++++++++++ selftest/target/Samba3.pm | 24 ++++++++++++++++++++++-- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index ca3099c9d057..c30f6fe33ce6 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -724,6 +724,28 @@ my @exported_envvars = ( "TRUST_REALM", "TRUST_DOMSID", + # stuff related to a trusted domain, on a trust_member + # the domain behind a forest trust (two-way) + "TRUST_F_BOTH_SERVER", + "TRUST_F_BOTH_SERVER_IP", + "TRUST_F_BOTH_SERVER_IPV6", + "TRUST_F_BOTH_NETBIOSNAME", + "TRUST_F_BOTH_USERNAME", + "TRUST_F_BOTH_PASSWORD", + "TRUST_F_BOTH_DOMAIN", + "TRUST_F_BOTH_REALM", + + # stuff related to a trusted domain, on a trust_member + # the domain behind an external trust (two-way) + "TRUST_E_BOTH_SERVER", + "TRUST_E_BOTH_SERVER_IP", + "TRUST_E_BOTH_SERVER_IPV6", + "TRUST_E_BOTH_NETBIOSNAME", + "TRUST_E_BOTH_USERNAME", + "TRUST_E_BOTH_PASSWORD", + "TRUST_E_BOTH_DOMAIN", + "TRUST_E_BOTH_REALM", + # domain controller stuff "DC_SERVER", "DC_SERVER_IP", diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 131d576a767a..52d78ea51c07 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -181,7 +181,7 @@ sub check_env($$) nt4_member => ["nt4_dc"], - ad_member => ["ad_dc"], + ad_member => ["ad_dc", "fl2008r2dc", "fl2003dc"], ad_member_rfc2307 => ["ad_dc_ntvfs"], ad_member_idmap_rid => ["ad_dc"], ad_member_idmap_ad => ["fl2008r2dc"], 
@@ -369,7 +369,7 @@ sub setup_nt4_member sub setup_ad_member { - my ($self, $prefix, $dcvars) = @_; + my ($self, $prefix, $dcvars, $trustvars_f, $trustvars_e) = @_; my $prefix_abs = abs_path($prefix); my @dirs = (); @@ -493,6 +493,26 @@ sub setup_ad_member $ret->{DC_USERNAME} = $dcvars->{USERNAME}; $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + # forest trust + $ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER}; + $ret->{TRUST_F_BOTH_SERVER_IP} = $trustvars_f->{SERVER_IP}; + $ret->{TRUST_F_BOTH_SERVER_IPV6} = $trustvars_f->{SERVER_IPV6}; + $ret->{TRUST_F_BOTH_NETBIOSNAME} = $trustvars_f->{NETBIOSNAME}; + $ret->{TRUST_F_BOTH_USERNAME} = $trustvars_f->{USERNAME}; + $ret->{TRUST_F_BOTH_PASSWORD} = $trustvars_f->{PASSWORD}; + $ret->{TRUST_F_BOTH_DOMAIN} = $trustvars_f->{DOMAIN}; + $ret->{TRUST_F_BOTH_REALM} = $trustvars_f->{REALM}; + + # external trust + $ret->{TRUST_E_BOTH_SERVER} = $trustvars_e->{SERVER}; + $ret->{TRUST_E_BOTH_SERVER_IP} = $trustvars_e->{SERVER_IP}; + $ret->{TRUST_E_BOTH_SERVER_IPV6} = $trustvars_e->{SERVER_IPV6}; + $ret->{TRUST_E_BOTH_NETBIOSNAME} = $trustvars_e->{NETBIOSNAME}; + $ret->{TRUST_E_BOTH_USERNAME} = $trustvars_e->{USERNAME}; + $ret->{TRUST_E_BOTH_PASSWORD} = $trustvars_e->{PASSWORD}; + $ret->{TRUST_E_BOTH_DOMAIN} = $trustvars_e->{DOMAIN}; + $ret->{TRUST_E_BOTH_REALM} = $trustvars_e->{REALM}; + return $ret; } -- 2.17.1 From 8bb3de5370d30f29700c9eb188d4218a9a57cea5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 10 Jun 2017 14:38:40 +0200 Subject: [PATCH 21/23] selftest/tests.py: test pam_winbind for trusts domains BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit ad6f0e056ac27ab5c078dbdbff44372da05caab2) --- selftest/tests.py | 84 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff --git a/selftest/tests.py b/selftest/tests.py index e37cb9e7b964..e767f276353b 100644 --- a/selftest/tests.py 
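Review bot: `setup_ad_member` now dereferences `$trustvars_f` and `$trustvars_e` unconditionally, but nothing in the hunk checks that the caller actually passes them; with a caller that still supplies only `$dcvars` (the dispatch that calls this sub is outside the hunk), Perl will typically autovivify the undef hashrefs and every `TRUST_*_BOTH_*` value silently becomes undef, which only surfaces later as pam_winbind tests running with empty domain and password strings. A guard at the top of the sub, `die "setup_ad_member: trust vars missing" unless defined $trustvars_f && defined $trustvars_e;`, turns that into an immediate, attributable failure. A comment next to each block naming which environment the forest and external trust vars come from would also help, since the sub's body continues outside the hunk.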
+++ b/selftest/tests.py 
@@ -263,6 +263,90 @@ if with_pam: valgrindify(python), pam_wrapper_so_path, "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD", pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_f_both1+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$TRUST_F_BOTH_DOMAIN", + "$TRUST_F_BOTH_USERNAME", + "$TRUST_F_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_f_both2+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$TRUST_F_BOTH_REALM", + "$TRUST_F_BOTH_USERNAME", + "$TRUST_F_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_f_both3+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "''", + "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}", + "$TRUST_F_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_f_both4+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "''", + "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}", + "$TRUST_F_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_f_both5+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "${TRUST_F_BOTH_REALM}", + "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}", + "$TRUST_F_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_f_both6+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "${TRUST_F_BOTH_DOMAIN}", + "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}", + "$TRUST_F_BOTH_PASSWORD", + pam_options]) + 
plantestsuite("samba.tests.pam_winbind(trust_e_both1+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$TRUST_E_BOTH_DOMAIN", + "$TRUST_E_BOTH_USERNAME", + "$TRUST_E_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_e_both2+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "$TRUST_E_BOTH_REALM", + "$TRUST_E_BOTH_USERNAME", + "$TRUST_E_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_e_both3+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "''", + "${TRUST_E_BOTH_USERNAME}@${TRUST_E_BOTH_DOMAIN}", + "$TRUST_E_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_e_both4+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "''", + "${TRUST_E_BOTH_USERNAME}@${TRUST_E_BOTH_REALM}", + "$TRUST_E_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_e_both5+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "${TRUST_E_BOTH_REALM}", + "${TRUST_E_BOTH_USERNAME}@${TRUST_E_BOTH_DOMAIN}", + "$TRUST_E_BOTH_PASSWORD", + pam_options]) + plantestsuite("samba.tests.pam_winbind(trust_e_both6+%s)" % description, env, + [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), + valgrindify(python), pam_wrapper_so_path, + "${TRUST_E_BOTH_DOMAIN}", + "${TRUST_E_BOTH_USERNAME}@${TRUST_E_BOTH_REALM}", + "$TRUST_E_BOTH_PASSWORD", + pam_options]) for authtok_options in ["", "use_authtok", "try_authtok"]: _pam_options = "'%s %s'" % (o["pam_options"], authtok_options) -- 2.17.1 
From c38ed699b42fbea26306c88253292c6e55ab1579 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 18 Sep 2019 08:02:38 +0200 Subject: [PATCH 22/23] selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member This demonstrates that we rely on knowing about trusted domains before we can do krb5_auth in winbindd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner (cherry picked from commit e2737a74d4453a3d65e5466ddc4405d68444df27) --- selftest/knownfail.d/pam_winbind_krb5 | 1 + selftest/target/Samba3.pm | 1 + 2 files changed, 2 insertions(+) create mode 100644 selftest/knownfail.d/pam_winbind_krb5 diff --git a/selftest/knownfail.d/pam_winbind_krb5 b/selftest/knownfail.d/pam_winbind_krb5 new file mode 100644 index 000000000000..1dd0c7d3f1c3 --- /dev/null +++ b/selftest/knownfail.d/pam_winbind_krb5 @@ -0,0 +1 @@ +^samba.tests.pam_winbind.trust_._both..krb5..samba.tests.pam_winbind.SimplePamTests.test_authenticate diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 52d78ea51c07..a75ec094b5ed 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -416,6 +416,7 @@ sub setup_ad_member template homedir = /home/%D/%G/%U auth event notification = true password server = $dcvars->{SERVER} + winbind scan trusted domains = no [sub_dug] path = $share_dir/D_%D/U_%U/G_%G -- 2.17.1 From abbccc8cfbf268df2826286520b802cc119cb287 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 18 Sep 2019 08:10:26 +0200 Subject: [PATCH 23/23] selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This demonstrates that we can do krb5_auth in winbindd without knowing about trusted domains. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner Autobuild-User(master): Günther Deschner Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184 (cherry picked from commit 0ee085b594878f5e0e83839f465303754f015459) --- selftest/knownfail.d/pam_winbind_krb5 | 1 - selftest/target/Samba3.pm | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 selftest/knownfail.d/pam_winbind_krb5 diff --git a/selftest/knownfail.d/pam_winbind_krb5 b/selftest/knownfail.d/pam_winbind_krb5 deleted file mode 100644 index 1dd0c7d3f1c3..000000000000 --- a/selftest/knownfail.d/pam_winbind_krb5 +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.pam_winbind.trust_._both..krb5..samba.tests.pam_winbind.SimplePamTests.test_authenticate diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index a75ec094b5ed..32bd8698df25 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -417,6 +417,7 @@ sub setup_ad_member auth event notification = true password server = $dcvars->{SERVER} winbind scan trusted domains = no + winbind use krb5 enterprise principals = yes [sub_dug] path = $share_dir/D_%D/U_%U/G_%G -- 2.17.1
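Review bot: `winbind use krb5 enterprise principals = yes` is added directly under `winbind scan trusted domains = no` in the ad_member smb.conf template with no comment, yet the two lines only make sense as a pair: the previous commit shows that without trust scanning the trust_*_both krb5 authentications fail, and this line is what makes them pass again (the knownfail entry is deleted in the same commit). A comment in the template would keep a future cleanup from dropping one line without the other, e.g. `# scan trusted domains = no + enterprise principals = yes: prove krb5_auth works without a trusted-domain list (bug 14124)`. Whether production defaults should follow this combination is a separate question that a selftest configuration change does not settle, and the surrounding `sub setup_ad_member` continues outside the hunk.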