The Samba-Bugzilla – Attachment 15490 Details for
Bug 14124
pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for v4-10-test
tmp410.diff.txt (text/plain), 52.94 KB, created by
Stefan Metzmacher
on 2019-09-25 09:39:57 UTC
(
hide
)
Description:
Patches for v4-10-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2019-09-25 09:39:57 UTC
Size:
52.94 KB
patch
obsolete
>From 8da9bd1774f26e1027200faa2b74137bc2bdc030 Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Thu, 8 Aug 2019 15:06:28 +0100 >Subject: [PATCH 01/20] s3/libads: clang: Fix Value stored to 'canon_princ' is > never read > >Fixes: > >source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang] > canon_princ = me; > ^ ~~ >1 warning generated. > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> >(cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290) >--- > source3/libads/kerberos.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 721c3c2a9294..9fbe7dd0f071 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -189,9 +189,10 @@ int kerberos_kinit_password_ext(const char *principal, > goto out; > } > >- canon_princ = me; > #ifndef SAMBA4_USES_HEIMDAL /* MIT */ > canon_princ = my_creds.client; >+#else >+ canon_princ = me; > #endif /* MIT */ > > if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) { >-- >2.17.1 > > >From 0204d7547fd66b904f92e278d6792ee0de6291bb Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 17 Sep 2019 08:05:09 +0200 >Subject: [PATCH 02/20] s4:auth: use the correct client realm in > gensec_gssapi_update_internal() > >The function gensec_gssapi_client_creds() may call kinit and gets >a TGT for the user. The principal provided by the user may not >be canonicalized. The user may use 'given.last@example.com' >but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background. > >It means we should use client_realm = AD.EXAMPLE.PRIVATE >instead of client_realm = EXAMPLE.COM > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38) >--- > source4/auth/gensec/gensec_gssapi.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > >diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c >index 4577c91c93a2..045a02257419 100644 >--- a/source4/auth/gensec/gensec_gssapi.c >+++ b/source4/auth/gensec/gensec_gssapi.c >@@ -437,8 +437,6 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec > const char *target_principal = gensec_get_target_principal(gensec_security); > const char *hostname = gensec_get_target_hostname(gensec_security); > const char *service = gensec_get_target_service(gensec_security); >- const char *client_realm = cli_credentials_get_realm(cli_creds); >- const char *server_realm = NULL; > gss_OID gss_oid_p = NULL; > OM_uint32 time_req = 0; > OM_uint32 time_rec = 0; >@@ -457,6 +455,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec > switch (gensec_security->gensec_role) { > case GENSEC_CLIENT: > { >+ const char *client_realm = NULL; > #ifdef SAMBA4_USES_HEIMDAL > struct gsskrb5_send_to_kdc send_to_kdc; > krb5_error_code ret; >@@ -532,6 +531,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec > * transitive forest trusts, would have to do the > * fallback ourself. > */ >+ client_realm = cli_credentials_get_realm(cli_creds); > #ifndef SAMBA4_USES_HEIMDAL > if (gensec_gssapi_state->server_name == NULL) { > nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, >@@ -575,6 +575,8 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec > } > #endif /* !SAMBA4_USES_HEIMDAL */ > if (gensec_gssapi_state->server_name == NULL) { >+ const char *server_realm = NULL; >+ > server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, > hostname, > client_realm); >-- >2.17.1 > > >From 9d9b82e15a95c14e40628bc97b6b0d10082c3086 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 16 Sep 2019 17:14:11 +0200 >Subject: [PATCH 03/20] s3:libads: let kerberos_kinit_password_ext() return the > canonicalized principal/realm > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236) >--- > source3/libads/authdata.c | 1 + > source3/libads/kerberos.c | 46 ++++++++++++++++++++++---- > source3/libads/kerberos_proto.h | 5 ++- > source3/libads/kerberos_util.c | 3 +- > source3/utils/net_ads.c | 3 ++ > source3/winbindd/winbindd_cred_cache.c | 6 ++++ > 6 files changed, 56 insertions(+), 8 deletions(-) > >diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c >index 86a1be71bf98..6e6d5b397ffb 100644 >--- a/source3/libads/authdata.c >+++ b/source3/libads/authdata.c >@@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > request_pac, > add_netbios_addr, > renewable_time, >+ NULL, NULL, NULL, > &status); > if (ret) { > DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 9fbe7dd0f071..3e09d70268f0 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data, > place in default cache location. > remus@snapserver.com > */ >-int kerberos_kinit_password_ext(const char *principal, >+int kerberos_kinit_password_ext(const char *given_principal, > const char *password, > int time_offset, > time_t *expire_time, >@@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal, > bool request_pac, > bool add_netbios_addr, > time_t renewable_time, >+ TALLOC_CTX *mem_ctx, >+ char **_canon_principal, >+ char **_canon_realm, > NTSTATUS *ntstatus) > { >+ TALLOC_CTX *frame = talloc_stackframe(); > krb5_context ctx = NULL; > krb5_error_code code = 0; > krb5_ccache cc = NULL; >@@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal, > krb5_creds my_creds; > krb5_get_init_creds_opt *opt = NULL; > smb_krb5_addresses *addr = NULL; >+ char *canon_principal = NULL; >+ char *canon_realm = NULL; > > ZERO_STRUCT(my_creds); > >@@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal, > if (code != 0) { > DBG_ERR("kerberos init context failed (%s)\n", > error_message(code)); >+ TALLOC_FREE(frame); > return code; > } > >@@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal, > krb5_set_real_time(ctx, time(NULL) + time_offset, 0); > } > >- DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n", >- principal, >- cache_name ? cache_name: krb5_cc_default_name(ctx), >- getenv("KRB5_CONFIG"))); >+ DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n", >+ given_principal, >+ cache_name ? cache_name: krb5_cc_default_name(ctx), >+ getenv("KRB5_CONFIG")); > > if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) { > goto out; > } > >- if ((code = smb_krb5_parse_name(ctx, principal, &me))) { >+ if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) { > goto out; > } > >@@ -195,6 +202,22 @@ int kerberos_kinit_password_ext(const char *principal, > canon_princ = me; > #endif /* MIT */ > >+ code = smb_krb5_unparse_name(frame, >+ ctx, >+ canon_princ, >+ &canon_principal); >+ if (code != 0) { >+ goto out; >+ } >+ >+ DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal); >+ >+ canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ); >+ if (canon_realm == NULL) { >+ code = ENOMEM; >+ goto out; >+ } >+ > if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) { > goto out; > } >@@ -210,6 +233,13 @@ int kerberos_kinit_password_ext(const char *principal, > if (renew_till_time) { > *renew_till_time = (time_t) my_creds.times.renew_till; > } >+ >+ if (_canon_principal != NULL) { >+ *_canon_principal = talloc_move(mem_ctx, &canon_principal); >+ } >+ if (_canon_realm != NULL) { >+ *_canon_realm = talloc_move(mem_ctx, &canon_realm); >+ } > out: > if (ntstatus) { > /* fast path */ >@@ -239,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal, > if (ctx) { > krb5_free_context(ctx); > } >+ TALLOC_FREE(frame); > return code; > } > >@@ -328,6 +359,9 @@ int kerberos_kinit_password(const char *principal, > False, > False, > 0, >+ NULL, >+ NULL, >+ NULL, > NULL); > } > >diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h >index f92cabd757eb..433bce9e0ec6 100644 >--- a/source3/libads/kerberos_proto.h >+++ b/source3/libads/kerberos_proto.h >@@ -45,7 +45,7 @@ struct PAC_DATA_CTR { > > /* The following definitions come from libads/kerberos.c */ > >-int kerberos_kinit_password_ext(const char *principal, >+int kerberos_kinit_password_ext(const char *given_principal, > const char *password, > int time_offset, > time_t *expire_time, >@@ -54,6 +54,9 @@ int kerberos_kinit_password_ext(const char *principal, > bool request_pac, > bool add_netbios_addr, > time_t renewable_time, >+ TALLOC_CTX *mem_ctx, >+ char **_canon_principal, >+ char **_canon_realm, > NTSTATUS *ntstatus); > int ads_kdestroy(const char *cc_name); > >diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c >index 68c0f302239b..bfe53820aff6 100644 >--- a/source3/libads/kerberos_util.c >+++ b/source3/libads/kerberos_util.c >@@ -66,7 +66,8 @@ int ads_kinit_password(ADS_STRUCT *ads) > ads->auth.time_offset, > &ads->auth.tgt_expire, NULL, > ads->auth.ccache_name, false, false, >- ads->auth.renewable, NULL); >+ ads->auth.renewable, >+ NULL, NULL, NULL, NULL); > > if (ret) { > DEBUG(0,("kerberos_kinit_password %s failed: %s\n", >diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c >index 1f055507ad72..d33031a0dbda 100644 >--- a/source3/utils/net_ads.c >+++ b/source3/utils/net_ads.c >@@ -3352,6 +3352,9 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** > true, > true, > 2592000, /* one month */ >+ NULL, >+ NULL, >+ NULL, > &status); > if (ret) { > d_printf(_("failed to kinit password: %s\n"), >diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c >index 85ad426446ae..5baecf906b94 100644 >--- a/source3/winbindd/winbindd_cred_cache.c >+++ b/source3/winbindd/winbindd_cred_cache.c >@@ -146,6 +146,9 @@ rekinit: > False, /* no PAC required anymore */ > True, > WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, >+ NULL, >+ NULL, >+ NULL, > NULL); > gain_root_privilege(); > >@@ -343,6 +346,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx, > False, /* no PAC required anymore */ > True, > WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, >+ NULL, >+ NULL, >+ NULL, > NULL); > gain_root_privilege(); > >-- >2.17.1 > > >From bf4ca9d4c218f1814b297ce3d39eb18e078e1b62 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 17 Sep 2019 10:08:10 +0200 >Subject: [PATCH 04/20] s3:libsmb: avoid wrong debug message in > cli_session_creds_prepare_krb5() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 361fb0efabfb189526c851107eee49161da2293c) >--- > source3/libsmb/cliconnect.c | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index c416d10fa241..28f5fde07576 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -375,6 +375,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, > /* > * Ignore the error and hope that NTLM will work > */ >+ TALLOC_FREE(frame); >+ return NT_STATUS_OK; > } > > DBG_DEBUG("Successfully authenticated as %s to access %s using " >-- >2.17.1 > > >From 8b6091049cb22be80d65c77d26a7e37ce096b8d6 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 17 Sep 2019 08:49:13 +0200 >Subject: [PATCH 05/20] s3:libsmb: let cli_session_creds_prepare_krb5() update > the canonicalized principal to cli_credentials > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9) >--- > source3/libsmb/cliconnect.c | 39 ++++++++++++++++++++++++++++++++----- > 1 file changed, 34 insertions(+), 5 deletions(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 28f5fde07576..ca6882c225e4 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -229,6 +229,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, > const char *user_account = NULL; > const char *user_domain = NULL; > const char *pass = NULL; >+ char *canon_principal = NULL; >+ char *canon_realm = NULL; > const char *target_hostname = NULL; > const DATA_BLOB *server_blob = NULL; > bool got_kerberos_mechanism = false; >@@ -237,6 +239,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, > bool need_kinit = false; > bool auth_requested = true; > int ret; >+ bool ok; > > target_hostname = smbXcli_conn_remote_name(cli->conn); > server_blob = smbXcli_conn_server_gss_blob(cli->conn); >@@ -245,7 +248,6 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, > if (server_blob != NULL && server_blob->length != 0) { > char *OIDs[ASN1_MAX_OIDS] = { NULL, }; > size_t i; >- bool ok; > > /* > * The server sent us the first part of the SPNEGO exchange in the >@@ -354,9 +356,19 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, > * only if required! > */ > setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1); >- ret = kerberos_kinit_password(user_principal, pass, >- 0 /* no time correction for now */, >- NULL); >+ ret = kerberos_kinit_password_ext(user_principal, >+ pass, >+ 0, >+ 0, >+ 0, >+ NULL, >+ false, >+ false, >+ 0, >+ frame, >+ &canon_principal, >+ &canon_realm, >+ NULL); > if (ret != 0) { > int dbglvl = DBGLVL_NOTICE; > >@@ -379,9 +391,26 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, > return NT_STATUS_OK; > } > >- DBG_DEBUG("Successfully authenticated as %s to access %s using " >+ ok = cli_credentials_set_principal(creds, >+ canon_principal, >+ CRED_SPECIFIED); >+ if (!ok) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ ok = cli_credentials_set_realm(creds, >+ canon_realm, >+ CRED_SPECIFIED); >+ if (!ok) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ DBG_DEBUG("Successfully authenticated as %s (%s) to access %s using " > "Kerberos\n", > user_principal, >+ canon_principal, > target_hostname); > > TALLOC_FREE(frame); >-- >2.17.1 > > >From b8519340cc5083cc60c14c63008c0bafee203709 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 13 Sep 2019 16:04:30 +0200 >Subject: [PATCH 06/20] s3:libads/kerberos: always use the canonicalized > principal after kinit > >We should always use krb5_get_init_creds_opt_set_canonicalize() >and krb5_get_init_creds_opt_set_win2k() for heimdal >and expect the client principal to be changed. > >There's no reason to have a different logic between MIT and Heimdal. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 0bced73bed481a8846a6b3e68be85941914390ba) >--- > source3/libads/kerberos.c | 9 ++++----- > 1 file changed, 4 insertions(+), 5 deletions(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 3e09d70268f0..559ec3b7f538 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -167,7 +167,10 @@ int kerberos_kinit_password_ext(const char *given_principal, > krb5_get_init_creds_opt_set_forwardable(opt, True); > > /* Turn on canonicalization for lower case realm support */ >-#ifndef SAMBA4_USES_HEIMDAL /* MIT */ >+#ifdef SAMBA4_USES_HEIMDAL >+ krb5_get_init_creds_opt_set_win2k(ctx, opt, true); >+ krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true); >+#else /* MIT */ > krb5_get_init_creds_opt_set_canonicalize(opt, true); > #endif /* MIT */ > #if 0 >@@ -196,11 +199,7 @@ int kerberos_kinit_password_ext(const char *given_principal, > goto out; > } > >-#ifndef SAMBA4_USES_HEIMDAL /* MIT */ > canon_princ = my_creds.client; >-#else >- canon_princ = me; >-#endif /* MIT */ > > code = smb_krb5_unparse_name(frame, > ctx, >-- >2.17.1 > > >From 9672855430feca46b958ecfb18d02c6ae1bf18b0 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 13 Sep 2019 16:04:30 +0200 >Subject: [PATCH 07/20] krb5_wrap: smb_krb5_kinit_password_ccache() should > always use the canonicalized principal > >We should always use krb5_get_init_creds_opt_set_canonicalize() >and krb5_get_init_creds_opt_set_win2k() for heimdal >and expect the client principal to be changed. > >There's no reason to have a different logic between MIT and Heimdal. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614) >--- > lib/krb5_wrap/krb5_samba.c | 2 -- > 1 file changed, 2 deletions(-) > >diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c >index f0dc86b18595..a63159812e19 100644 >--- a/lib/krb5_wrap/krb5_samba.c >+++ b/lib/krb5_wrap/krb5_samba.c >@@ -2111,14 +2111,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, > return code; > } > >-#ifndef SAMBA4_USES_HEIMDAL /* MIT */ > /* > * We need to store the principal as returned from the KDC to the > * credentials cache. If we don't do that the KRB5 library is not > * able to find the tickets it is looking for > */ > principal = my_creds.client; >-#endif > code = krb5_cc_initialize(ctx, cc, principal); > if (code) { > goto done; >-- >2.17.1 > > >From f9d5009255a8484a8886d3c9f73d93c51d4bcc1c Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 13 Sep 2019 16:04:30 +0200 >Subject: [PATCH 08/20] s4:auth: kinit_to_ccache() should always use the > canonicalized principal > >We should always use krb5_get_init_creds_opt_set_canonicalize() >and krb5_get_init_creds_opt_set_win2k() for heimdal >and expect the client principal to be changed. > >There's no reason to have a different logic between MIT and Heimdal. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 162b4199493c1f179e775a325a19ae7a136c418b) >--- > source4/auth/kerberos/kerberos_util.c | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c >index 50bf8feec968..950d91f17378 100644 >--- a/source4/auth/kerberos/kerberos_util.c >+++ b/source4/auth/kerberos/kerberos_util.c >@@ -313,6 +313,8 @@ done: > */ > krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context, > krb_options, true); >+ krb5_get_init_creds_opt_set_canonicalize(smb_krb5_context->krb5_context, >+ krb_options, true); > #else /* MIT */ > krb5_get_init_creds_opt_set_canonicalize(krb_options, true); > #endif >-- >2.17.1 > > >From a82ff01ed55852434112f7b37a9a110dfe1e5f01 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 13 Sep 2019 16:04:30 +0200 >Subject: [PATCH 09/20] s3:libads: ads_krb5_chg_password() should always use > the canonicalized principal > >We should always use krb5_get_init_creds_opt_set_canonicalize() >and krb5_get_init_creds_opt_set_win2k() for heimdal >and expect the client principal to be changed. > >There's no reason to have a different logic between MIT and Heimdal. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 303b7e59a286896888ee2473995fc50bb2b5ce5e) >--- > source3/libads/krb5_setpw.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c >index c3c9477c4cf1..67bc2f4640d5 100644 >--- a/source3/libads/krb5_setpw.c >+++ b/source3/libads/krb5_setpw.c >@@ -203,6 +203,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, > krb5_get_init_creds_opt_set_renew_life(opts, 0); > krb5_get_init_creds_opt_set_forwardable(opts, 0); > krb5_get_init_creds_opt_set_proxiable(opts, 0); >+#ifdef SAMBA4_USES_HEIMDAL >+ krb5_get_init_creds_opt_set_win2k(context, opts, true); >+ krb5_get_init_creds_opt_set_canonicalize(context, opts, true); >+#else /* MIT */ >+ krb5_get_init_creds_opt_set_canonicalize(opts, true); >+#endif /* MIT */ > > /* note that heimdal will fill in the local addresses if the addresses > * in the creds_init_opt are all empty and then later fail with invalid >-- >2.17.1 > > >From 057aa1be6a2f66f2b8e6b87e3c298c6c6457319d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 13 Sep 2019 15:52:25 +0200 >Subject: [PATCH 10/20] krb5_wrap: let smb_krb5_parse_name() accept enterprise > principals > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 3bdf023956e861485be70430112ed38d0a5424f7) >--- > lib/krb5_wrap/krb5_samba.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c >index a63159812e19..abdcb308728f 100644 >--- a/lib/krb5_wrap/krb5_samba.c >+++ b/lib/krb5_wrap/krb5_samba.c >@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context, > } > > ret = krb5_parse_name(context, utf8_name, principal); >+ if (ret == KRB5_PARSE_MALFORMED) { >+ ret = krb5_parse_name_flags(context, utf8_name, >+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, >+ principal); >+ } > TALLOC_FREE(frame); > return ret; > } >-- >2.17.1 > > >From 536b35c9d406296c7560e8c4a6be1fb4c1b9c599 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 11 Sep 2019 16:44:43 +0200 >Subject: [PATCH 11/20] docs-xml: add "winbind use krb5 enterprise principals" > option > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 9520652399696010c333a3ce7247809ce5337a91) >--- > .../winbindusekrb5enterpriseprincipals.xml | 34 +++++++++++++++++++ > 1 file changed, 34 insertions(+) > create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml > >diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml >new file mode 100644 >index 000000000000..bfc11c8636c6 >--- /dev/null >+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml >@@ -0,0 +1,34 @@ >+<samba:parameter name="winbind use krb5 enterprise principals" >+ context="G" >+ type="boolean" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para>winbindd is able to get kerberos tickets for >+ pam_winbind with krb5_auth or wbinfo -K/--krb5auth=. >+ </para> >+ >+ <para>winbindd (at least on a domain member) is never be able >+ to have a complete picture of the trust topology (which is managed by the DCs). >+ There might be uPNSuffixes and msDS-SPNSuffixes values, >+ which don't belong to any AD domain at all. >+ </para> >+ >+ <para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption> >+ winbindd don't even get an incomplete picture of the topology. >+ </para> >+ >+ <para>It is not really required to know about the trust topology. >+ We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) >+ and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM >+ and follow the WRONG_REALM referrals in order to find the correct DC. >+ The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE. >+ </para> >+ >+ <para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption> >+ winbindd enterprise principals will be used. >+ </para> >+</description> >+ >+<value type="default">no</value> >+<value type="example">yes</value> >+</samba:parameter> >-- >2.17.1 > > >From e46a7b0cb32538ff522b1b7b275e95368f2828dd Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 19 Jul 2019 15:10:09 +0000 >Subject: [PATCH 12/20] s3:winbindd: implement the "winbind use krb5 enterprise > principals" logic > >We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM) >and delegate the routing decisions to the KDCs. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b) >--- > source3/winbindd/winbindd_pam.c | 57 +++++++++++++++++++-------------- > 1 file changed, 33 insertions(+), 24 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index b81f2722c420..35018fbe284c 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -418,6 +418,15 @@ struct winbindd_domain *find_auth_domain(uint8_t flags, > return find_domain_from_name_noinit(domain_name); > } > >+ if (lp_winbind_use_krb5_enterprise_principals()) { >+ /* >+ * If we use enterprise principals >+ * we always go trough our primary domain >+ * and follow the WRONG_REALM replies. >+ */ >+ flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM; >+ } >+ > /* we can auth against trusted domains */ > if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) { > domain = find_domain_from_name_noinit(domain_name); >@@ -717,7 +726,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > return NT_STATUS_INVALID_PARAMETER; > } > >- principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm); >+ if (lp_winbind_use_krb5_enterprise_principals() && >+ name_namespace[0] != '\0') >+ { >+ principal_s = talloc_asprintf(mem_ctx, >+ "%s@%s@%s", >+ name_user, >+ name_namespace, >+ realm); >+ } else { >+ principal_s = talloc_asprintf(mem_ctx, >+ "%s@%s", >+ name_user, >+ realm); >+ } > if (principal_s == NULL) { > return NT_STATUS_NO_MEMORY; > } >@@ -1284,30 +1306,16 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, > > /* what domain should we contact? */ > >- if ( IS_DC ) { >- contact_domain = find_domain_from_name(name_namespace); >- if (contact_domain == NULL) { >- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", >- state->request->data.auth.user, name_domain, name_user, name_domain)); >- result = NT_STATUS_NO_SUCH_USER; >- goto done; >- } >- >+ if (lp_winbind_use_krb5_enterprise_principals()) { >+ contact_domain = find_auth_domain(0, name_namespace); > } else { >- if (is_myname(name_domain)) { >- DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); >- result = NT_STATUS_NO_SUCH_USER; >- goto done; >- } >- > contact_domain = find_domain_from_name(name_namespace); >- if (contact_domain == NULL) { >- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", >- state->request->data.auth.user, name_domain, name_user, name_domain)); >- >- result = NT_STATUS_NO_SUCH_USER; >- goto done; >- } >+ } >+ if (contact_domain == NULL) { >+ DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", >+ state->request->data.auth.user, name_domain, name_user, name_namespace)); >+ result = NT_STATUS_NO_SUCH_USER; >+ goto done; > } > > if (contact_domain->initialized && >@@ -1320,7 +1328,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, > } > > if (!contact_domain->active_directory) { >- DEBUG(3,("krb5 auth requested but domain is not Active Directory\n")); >+ DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n", >+ contact_domain->name)); > return NT_STATUS_INVALID_LOGON_TYPE; > } > try_login: >-- >2.17.1 > > >From d9a9e09da76462fb457fec4b2cd74c19dcac8434 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2019 08:04:42 +0200 >Subject: [PATCH 13/20] tests/pam_winbind.py: turn pypamtest.PamTestError into > a failure > >A failure generated by the AssertionError() checks can be added >to selftest/knownfail.d/*. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit cd3ffaabb568db26e0de5e83178487e5947c4f09) >--- > python/samba/tests/pam_winbind.py | 15 ++++++++++++--- > python/samba/tests/pam_winbind_chauthtok.py | 5 ++++- > python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 ++++- > 3 files changed, 20 insertions(+), 5 deletions(-) > >diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py >index 68b05b30d7d3..b05e8af6ffb5 100644 >--- a/python/samba/tests/pam_winbind.py >+++ b/python/samba/tests/pam_winbind.py >@@ -30,7 +30,10 @@ class SimplePamTests(samba.tests.TestCase): > expected_rc = 0 # PAM_SUCCESS > > tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) >- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) >+ try: >+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) >+ except pypamtest.PamTestError as e: >+ raise AssertionError(str(e)) > > self.assertTrue(res is not None) > >@@ -42,7 +45,10 @@ class SimplePamTests(samba.tests.TestCase): > expected_rc = 7 # PAM_AUTH_ERR > > tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) >- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) >+ try: >+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) >+ except pypamtest.PamTestError as e: >+ raise AssertionError(str(e)) > > self.assertTrue(res is not None) > >@@ -52,6 +58,9 @@ class SimplePamTests(samba.tests.TestCase): > expected_rc = 0 # PAM_SUCCESS > > tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) >- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) >+ try: >+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) >+ except pypamtest.PamTestError as e: >+ raise AssertionError(str(e)) > > self.assertTrue(res is not None) >diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py >index e5be3a83ce72..18c2705127ab 100644 >--- a/python/samba/tests/pam_winbind_chauthtok.py >+++ b/python/samba/tests/pam_winbind_chauthtok.py >@@ -31,6 +31,9 @@ class PamChauthtokTests(samba.tests.TestCase): > expected_rc = 0 # PAM_SUCCESS > > tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc) >- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword]) >+ try: >+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword]) >+ except pypamtest.PamTestError as e: >+ raise AssertionError(str(e)) > > self.assertTrue(res is not None) >diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py >index df60bc5ace67..1af2f9befe1f 100644 >--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py >+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py >@@ -31,7 +31,10 @@ class PasswordExpirePamTests(samba.tests.TestCase): > expected_rc = 0 # PAM_SUCCESS > > tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) >- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) >+ try: >+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) >+ except pypamtest.PamTestError as e: >+ raise AssertionError(str(e)) > > self.assertTrue(res is not None) > if warn_pwd_expire == 0: >-- >2.17.1 > > >From 7e73a81ce8469d9413d878a77f7f5151a4095c95 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 20 Sep 2019 08:13:28 +0200 >Subject: [PATCH 14/20] tests/pam_winbind.py: allow upn names to be used in > USERNAME with an empty DOMAIN value > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 653e90485854d978dc522e689cd78c19dcc22a70) >--- > python/samba/tests/pam_winbind.py | 10 ++++++++-- > python/samba/tests/pam_winbind_chauthtok.py | 5 ++++- > python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 ++++- > 3 files changed, 16 insertions(+), 4 deletions(-) > >diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py >index b05e8af6ffb5..708f408f7683 100644 >--- a/python/samba/tests/pam_winbind.py >+++ b/python/samba/tests/pam_winbind.py >@@ -26,7 +26,10 @@ class SimplePamTests(samba.tests.TestCase): > domain = os.environ["DOMAIN"] > username = os.environ["USERNAME"] > password = os.environ["PASSWORD"] >- unix_username = "%s/%s" % (domain, username) >+ if domain != "": >+ unix_username = "%s/%s" % (domain, username) >+ else: >+ unix_username = "%s" % username > expected_rc = 0 # PAM_SUCCESS > > tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) >@@ -41,7 +44,10 @@ class SimplePamTests(samba.tests.TestCase): > domain = os.environ["DOMAIN"] > username = os.environ["USERNAME"] > password = "WrongPassword" >- unix_username = "%s/%s" % (domain, username) >+ if domain != "": >+ unix_username = "%s/%s" % (domain, username) >+ else: >+ unix_username = "%s" % username > expected_rc = 7 # PAM_AUTH_ERR > > tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) >diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py >index 18c2705127ab..c1d569b3cd00 100644 >--- a/python/samba/tests/pam_winbind_chauthtok.py >+++ b/python/samba/tests/pam_winbind_chauthtok.py >@@ -27,7 +27,10 @@ class PamChauthtokTests(samba.tests.TestCase): > username = os.environ["USERNAME"] > password = os.environ["PASSWORD"] > newpassword = os.environ["NEWPASSWORD"] >- unix_username = "%s/%s" % (domain, username) >+ if domain != "": >+ unix_username = "%s/%s" % (domain, username) >+ else: >+ unix_username = "%s" % username > expected_rc = 0 # PAM_SUCCESS > > tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc) >diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py >index 1af2f9befe1f..56f5da94f981 100644 >--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py >+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py >@@ -27,7 +27,10 @@ class PasswordExpirePamTests(samba.tests.TestCase): > username = os.environ["USERNAME"] > password = os.environ["PASSWORD"] > warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"]) >- unix_username = "%s/%s" % (domain, username) >+ if domain != "": >+ unix_username = "%s/%s" % (domain, username) >+ else: >+ unix_username = "%s" % username > expected_rc = 0 # PAM_SUCCESS > > tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) >-- >2.17.1 > > >From 90a37b96967d3230a8fd4833fe8b5a338d5851b2 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2019 01:25:58 +0200 >Subject: [PATCH 15/20] test_pam_winbind.sh: allow different pam_winbindd > config options to be specified > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1) >--- > python/samba/tests/test_pam_winbind.sh | 12 +++++++---- > .../samba/tests/test_pam_winbind_chauthtok.sh | 4 ++-- > .../tests/test_pam_winbind_warn_pwd_expire.sh | 20 +++++++++++-------- > selftest/tests.py | 6 +++--- > 4 files changed, 25 insertions(+), 17 deletions(-) > >diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh >index 0406b108b312..755e67280fa1 100755 >--- a/python/samba/tests/test_pam_winbind.sh >+++ b/python/samba/tests/test_pam_winbind.sh >@@ -12,6 +12,10 @@ PASSWORD="$3" > export PASSWORD > shift 3 > >+PAM_OPTIONS="$1" >+export PAM_OPTIONS >+shift 1 >+ > PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper" > > pam_winbind="$BINDIR/shared/pam_winbind.so" >@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services" > service_file="$service_dir/samba" > > mkdir $service_dir >-echo "auth required $pam_winbind debug debug_state" > $service_file >-echo "account required $pam_winbind debug debug_state" >> $service_file >-echo "password required $pam_winbind debug debug_state" >> $service_file >-echo "session required $pam_winbind debug debug_state" >> $service_file >+echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file >+echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file >+echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file >+echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file > > PAM_WRAPPER="1" > export PAM_WRAPPER >diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh >index 5887699300a2..48adc81859d5 100755 >--- a/python/samba/tests/test_pam_winbind_chauthtok.sh >+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh >@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"} > export PAM_WRAPPER_DEBUGLEVEL > > case $PAM_OPTIONS in >- use_authtok) >+ *use_authtok*) > PAM_AUTHTOK="$NEWPASSWORD" > export PAM_AUTHTOK > ;; >- try_authtok) >+ *try_authtok*) > PAM_AUTHTOK="$NEWPASSWORD" > export PAM_AUTHTOK > ;; >diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh >index 16dede442270..348d2ae8387e 100755 >--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh >+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh >@@ -12,6 +12,10 @@ PASSWORD="$3" > export PASSWORD > shift 3 > >+PAM_OPTIONS="$1" >+export PAM_OPTIONS >+shift 1 >+ > PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper" > > pam_winbind="$BINDIR/shared/pam_winbind.so" >@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL > WARN_PWD_EXPIRE="50" > export WARN_PWD_EXPIRE > >-echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file >-echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file >-echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file >-echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file >+echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file >+echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file >+echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file >+echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file > > PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire > exit_code=$? >@@ -54,10 +58,10 @@ fi > WARN_PWD_EXPIRE="0" > export WARN_PWD_EXPIRE > >-echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file >-echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file >-echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file >-echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file >+echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file >+echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file >+echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file >+echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file > > PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire > exit_code=$? >diff --git a/selftest/tests.py b/selftest/tests.py >index 7dbc0a9871fa..507f7c3ea558 100644 >--- a/selftest/tests.py >+++ b/selftest/tests.py >@@ -168,11 +168,11 @@ if with_pam: > plantestsuite("samba.tests.pam_winbind(local)", "ad_member", > [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), > valgrindify(python), pam_wrapper_so_path, >- "$SERVER", "$USERNAME", "$PASSWORD"]) >+ "$SERVER", "$USERNAME", "$PASSWORD", "''"]) > plantestsuite("samba.tests.pam_winbind(domain)", "ad_member", > [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), > valgrindify(python), pam_wrapper_so_path, >- "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"]) >+ "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"]) > > for pam_options in ["''", "use_authtok", "try_authtok"]: > plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member", >@@ -185,7 +185,7 @@ if with_pam: > plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member", > [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), > valgrindify(python), pam_wrapper_so_path, >- "$DOMAIN", "alice", "Secret007"]) >+ "$DOMAIN", "alice", "Secret007", "''"]) > > > plantestsuite("samba.unittests.krb5samba", "none", >-- >2.17.1 > > >From b5edc8a83e09db7aef2077fa903a445637d74e9a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2019 01:25:23 +0200 >Subject: [PATCH 16/20] selftest/tests.py: prepare looping over pam_winbindd > tests > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc) >--- > selftest/tests.py | 58 ++++++++++++++++++++++++++++++----------------- > 1 file changed, 37 insertions(+), 21 deletions(-) > >diff --git a/selftest/tests.py b/selftest/tests.py >index 507f7c3ea558..3224de493f97 100644 >--- a/selftest/tests.py >+++ b/selftest/tests.py >@@ -165,27 +165,43 @@ planpythontestsuite("none", "samba.tests.tdb_util", py3_compatible=True) > planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True) > > if with_pam: >- plantestsuite("samba.tests.pam_winbind(local)", "ad_member", >- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >- valgrindify(python), pam_wrapper_so_path, >- "$SERVER", "$USERNAME", "$PASSWORD", "''"]) >- plantestsuite("samba.tests.pam_winbind(domain)", "ad_member", >- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >- valgrindify(python), pam_wrapper_so_path, >- "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"]) >- >- for pam_options in ["''", "use_authtok", "try_authtok"]: >- plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member", >- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"), >- valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path, >- "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0", >- pam_options, 'yes', >- "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"]) >- >- plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member", >- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), >- valgrindify(python), pam_wrapper_so_path, >- "$DOMAIN", "alice", "Secret007", "''"]) >+ env = "ad_member" >+ options = [ >+ { >+ "description": "default", >+ "pam_options": "", >+ }, >+ ] >+ for o in options: >+ description = o["description"] >+ pam_options = "'%s'" % o["pam_options"] >+ >+ plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >+ valgrindify(python), pam_wrapper_so_path, >+ "$SERVER", "$USERNAME", "$PASSWORD", >+ pam_options]) >+ plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >+ valgrindify(python), pam_wrapper_so_path, >+ "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", >+ pam_options]) >+ >+ for authtok_options in ["", "use_authtok", "try_authtok"]: >+ _pam_options = "'%s %s'" % (o["pam_options"], authtok_options) >+ _description = "%s %s" % (description, authtok_options) >+ plantestsuite("samba.tests.pam_winbind_chauthtok(domain+%s)" % _description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"), >+ valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path, >+ "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0", >+ _pam_options, 'yes', >+ "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"]) >+ >+ plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain+%s)" % description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), >+ valgrindify(python), pam_wrapper_so_path, >+ "$DOMAIN", "alice", "Secret007", >+ pam_options]) > > > plantestsuite("samba.unittests.krb5samba", "none", >-- >2.17.1 > > >From 907e316f193711d809cf9a362c2f28e8020bfc93 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2019 08:08:57 +0200 >Subject: [PATCH 17/20] selftest/tests.py: test pam_winbind with krb5_auth > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6) >--- > selftest/tests.py | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/selftest/tests.py b/selftest/tests.py >index 3224de493f97..c2d94262c3c5 100644 >--- a/selftest/tests.py >+++ b/selftest/tests.py >@@ -167,6 +167,10 @@ planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True) > if with_pam: > env = "ad_member" > options = [ >+ { >+ "description": "krb5", >+ "pam_options": "krb5_auth krb5_ccache_type=FILE", >+ }, > { > "description": "default", > "pam_options": "", >-- >2.17.1 > > >From 1b986d511929e443a235db12cedd97a42682f8c5 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2019 14:03:34 +0200 >Subject: [PATCH 18/20] selftest/tests.py: test pam_winbind with a lot of > username variations > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(cherry picked from commit f07b542c61f84a97c097208e10bf9375ddfa9a15) >--- > selftest/tests.py | 27 ++++++++++++++++++++++++++- > 1 file changed, 26 insertions(+), 1 deletion(-) > >diff --git a/selftest/tests.py b/selftest/tests.py >index c2d94262c3c5..c95293283595 100644 >--- a/selftest/tests.py >+++ b/selftest/tests.py >@@ -185,11 +185,36 @@ if with_pam: > valgrindify(python), pam_wrapper_so_path, > "$SERVER", "$USERNAME", "$PASSWORD", > pam_options]) >- plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env, >+ plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env, > [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), > valgrindify(python), pam_wrapper_so_path, > "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", > pam_options]) >+ plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >+ valgrindify(python), pam_wrapper_so_path, >+ "$REALM", "$DC_USERNAME", "$DC_PASSWORD", >+ pam_options]) >+ plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >+ valgrindify(python), pam_wrapper_so_path, >+ "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD", >+ pam_options]) >+ plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >+ valgrindify(python), pam_wrapper_so_path, >+ "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD", >+ pam_options]) >+ plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >+ valgrindify(python), pam_wrapper_so_path, >+ "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD", >+ pam_options]) >+ plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env, >+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), >+ valgrindify(python), pam_wrapper_so_path, >+ "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD", >+ pam_options]) > > for authtok_options in ["", "use_authtok", "try_authtok"]: > _pam_options = "'%s %s'" % (o["pam_options"], authtok_options) >-- >2.17.1 > > >From b3cd2f6f585bf0e4b7490081e888fed825f45150 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2019 08:02:38 +0200 >Subject: [PATCH 19/20] selftest/Samba3.pm: use "winbind scan trusted domains = > no" for ad_member > >This demonstrates that we rely on knowning about trusted domains before >we can do krb5_auth in winbindd. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >(similar to commit e2737a74d4453a3d65e5466ddc4405d68444df27) >--- > selftest/target/Samba3.pm | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 2f491441815f..992b3a30ecfe 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -412,6 +412,7 @@ sub setup_ad_member > realm = $dcvars->{REALM} > netbios aliases = foo bar > template homedir = /home/%D/%G/%U >+ winbind scan trusted domains = no > > [sub_dug] > path = $share_dir/D_%D/U_%U/G_%G >-- >2.17.1 > > >From c4be45573479dbbcca15fdd1b283cd1d0401a526 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2019 08:10:26 +0200 >Subject: [PATCH 20/20] selftest/Samba3.pm: use "winbind use krb5 enterprise > principals = yes" for ad_member >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This demonstrates that can do krb5_auth in winbindd without knowning about trusted domains. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> > >Autobuild-User(master): Günther Deschner <gd@samba.org> >Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184 > >(similar to commit 0ee085b594878f5e0e83839f465303754f015459) >--- > selftest/target/Samba3.pm | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 992b3a30ecfe..70f535e1a49b 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -413,6 +413,7 @@ sub setup_ad_member > netbios aliases = foo bar > template homedir = /home/%D/%G/%U > winbind scan trusted domains = no >+ winbind use krb5 enterprise principals = yes > > [sub_dug] > path = $share_dir/D_%D/U_%U/G_%G >-- >2.17.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=15490">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
gd
:
review+
Actions:
View
Attachments on
bug 14124
:
15489
| 15490