The Samba-Bugzilla – Attachment 16146 Details for
Bug 14354
Samba 4.12 KDC breaks with DES keys still in the database and msDS-SupportedEncryptionTypes 31 indicating support for it.
[patch]
patch for v4-12-test branch with -x information
v4-12-test.patch (text/plain), 6.63 KB, created by
Isaac Boukris
on 2020-07-28 15:51:04 UTC
Description:
patch for v4-12-test branch with -x information
Creator:
Isaac Boukris
Created:
2020-07-28 15:51:04 UTC
Size:
6.63 KB
patch
obsolete
>From 307d8b2a90bb5e53563574abd912ac88928efcc0 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Mon, 27 Apr 2020 14:00:38 +0200
>Subject: [PATCH 1/2] Add a test with old msDS-SupportedEncryptionTypes
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 07399831794e28c7c2cf0140d0f1d1b5538b5f60)
>---
> selftest/knownfail.d/old_enctypes | 1 +
> source4/selftest/tests.py | 2 +
> testprogs/blackbox/test_old_enctypes.sh | 68 +++++++++++++++++++++++++
> 3 files changed, 71 insertions(+)
> create mode 100644 selftest/knownfail.d/old_enctypes
> create mode 100755 testprogs/blackbox/test_old_enctypes.sh
>
>diff --git a/selftest/knownfail.d/old_enctypes b/selftest/knownfail.d/old_enctypes
>new file mode 100644
>index 00000000000..b8dde6f1f04
>--- /dev/null
>+++ b/selftest/knownfail.d/old_enctypes
>@@ -0,0 +1 @@
>+^samba4.blackbox.test_old_enctypes.Export keytab while old enctypes are supported\(fl2003dc:local\)
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 1d965c751a4..f88f064b713 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -464,6 +464,8 @@ plantestsuite("samba4.blackbox.net_rpc_user(ad_dc)", "ad_dc", [os.path.join(bbdi
> 
> plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join(bbdir, "test_primary_group.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX_ABS'])
> 
>+plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
>+
> if have_heimdal_support:
> for env in ["ad_dc_ntvfs", "ad_dc"]:
> plantestsuite("samba4.blackbox.pkinit", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", smbclient4, configuration])
>diff --git a/testprogs/blackbox/test_old_enctypes.sh b/testprogs/blackbox/test_old_enctypes.sh
>new file mode 100755
>index 00000000000..794a265940e
>--- /dev/null
>+++ b/testprogs/blackbox/test_old_enctypes.sh
>@@ -0,0 +1,68 @@
>+#!/bin/bash
>+
>+if [ $# -lt 5 ]; then
>+cat <<EOF
>+Usage: test_primary_group.sh SERVER USERNAME PASSWORD NETBIOSNAME PREFIX_ABS
>+EOF
>+exit 1;
>+fi
>+
>+SERVER=$1
>+USERNAME=$2
>+PASSWORD=$3
>+NETBIOSNAME=$4
>+PREFIX_ABS=$5
>+shift 5
>+failed=0
>+
>+samba4bindir="$BINDIR"
>+samba4srcdir="$SRCDIR/source4"
>+
>+samba_tool="$samba4bindir/samba-tool"
>+
>+ldbmodify="ldbmodify"
>+if [ -x "$samba4bindir/ldbmodify" ]; then
>+ ldbmodify="$samba4bindir/ldbmodify"
>+fi
>+
>+ldbsearch="ldbsearch"
>+if [ -x "$samba4bindir/ldbsearch" ]; then
>+ ldbsearch="$samba4bindir/ldbsearch"
>+fi
>+
>+. `dirname $0`/subunit.sh
>+. `dirname $0`/common_test_fns.inc
>+
>+out="${PREFIX_ABS}/tmpldbsearch.out"
>+$ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 sAMAccountName="$NETBIOSNAME\$" dn msDS-SupportedEncryptionTypes > $out
>+testit_grep "find my dn" msDS-SupportedEncryptionTypes cat $out || failed=`expr $failed + 1`
>+
>+my_dn=$(cat $out | sed -n 's/^dn: //p')
>+my_encs=$(cat $out | sed -n 's/^msDS-SupportedEncryptionTypes: //p')
>+my_test_encs=`expr $my_encs + 3`
>+
>+ldif="${PREFIX_ABS}/tmpldbmodify.ldif"
>+
>+cat > $ldif <<EOF
>+dn: $my_dn
>+changetype: modify
>+replace: msDS-SupportedEncryptionTypes
>+msDS-SupportedEncryptionTypes: $my_test_encs
>+EOF
>+
>+testit "Change msDS-SupportedEncryptionTypes to $my_test_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1`
>+kt=${PREFIX_ABS}/tmp_host_out_keytab
>+testit "Export keytab while old enctypes are supported" $samba_tool domain exportkeytab --principal=$NETBIOSNAME\$ $kt
>+
>+cat > $ldif <<EOF
>+dn: $my_dn
>+changetype: modify
>+replace: msDS-SupportedEncryptionTypes
>+msDS-SupportedEncryptionTypes: $my_encs
>+EOF
>+
>+testit "Change msDS-SupportedEncryptionTypes back to $my_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1`
>+
>+rm -rf $kt $out $ldif
>+
>+exit $failed
>--
>2.25.4
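Review bot: The `testit "Export keytab while old enctypes are supported"` call is the only testit in this script without the `|| failed=...` suffix, so the one failure the test exists to catch never reaches the script's exit status; give it the same suffix the surrounding testit lines carry. The `expr $my_encs + 3` assignment adds 3 arithmetically rather than setting the two DES bits, so if either low bit is already set on the account the result carries into higher bits instead of enabling DES — `my_test_encs=$(( my_encs | 3 ))` states the intent and is safe for any starting value. If the ldbsearch returns no msDS-SupportedEncryptionTypes line, `my_encs` is empty and the later expr and ldbmodify run on a malformed value; a guard such as `[ -n "$my_encs" ] || exit 1` after the testit_grep keeps the failure localized. Minor: the usage text names `test_primary_group.sh` and should read `test_old_enctypes.sh`.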
>
>
>From 651f7049e4177de3961feb5693390b7faea0460e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 23 Apr 2020 11:56:54 +0200
>Subject: [PATCH 2/2] kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for
> Primary:Kerberos
>
>Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for
>Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos.
>
>If a service account has msDS-SupportedEncryptionTypes: 31
>and DES keys stored in Primary:Kerberos, we'll pass the
>DES key to smb_krb5_keyblock_init_contents(), but may get
>KRB5_PROG_ETYPE_NOSUPP.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184
>
>(cherry picked from commit 4baa7cc8e473f6b63316b4ae5db34796c0f864c3)
>---
> selftest/knownfail.d/old_enctypes | 1 -
> source4/kdc/db-glue.c | 18 ++++++++++++------
> 2 files changed, 12 insertions(+), 7 deletions(-)
> delete mode 100644 selftest/knownfail.d/old_enctypes
>
>diff --git a/selftest/knownfail.d/old_enctypes b/selftest/knownfail.d/old_enctypes
>deleted file mode 100644
>index b8dde6f1f04..00000000000
>--- a/selftest/knownfail.d/old_enctypes
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba4.blackbox.test_old_enctypes.Export keytab while old enctypes are supported\(fl2003dc:local\)
>diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
>index 023ae7b580d..d2a79920ab5 100644
>--- a/source4/kdc/db-glue.c
>+++ b/source4/kdc/db-glue.c
>@@ -631,18 +631,18 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
> pkb4->keys[i].value->data,
> pkb4->keys[i].value->length,
> &key.key);
>- if (ret == KRB5_PROG_ETYPE_NOSUPP) {
>- DEBUG(2,("Unsupported keytype ignored - type %u\n",
>- pkb4->keys[i].keytype));
>- ret = 0;
>- continue;
>- }
> if (ret) {
> if (key.salt) {
> smb_krb5_free_data_contents(context, &key.salt->salt);
> free(key.salt);
> key.salt = NULL;
> }
>+ if (ret == KRB5_PROG_ETYPE_NOSUPP) {
>+ DEBUG(2,("Unsupported keytype ignored - type %u\n",
>+ pkb4->keys[i].keytype));
>+ ret = 0;
>+ continue;
>+ }
> goto out;
> }
> 
>@@ -693,6 +693,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
> free(key.salt);
> key.salt = NULL;
> }
>+ if (ret == KRB5_PROG_ETYPE_NOSUPP) {
>+ DEBUG(2,("Unsupported keytype ignored - type %u\n",
>+ pkb3->keys[i].keytype));
>+ ret = 0;
>+ continue;
>+ }
> goto out;
> }
> 
>--
>2.25.4
>
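Review bot: The new Primary:Kerberos branch copies the salt-free-then-skip sequence verbatim from the pkb4 loop in the hunk above, so the two copies now have to be kept in step by hand; a small `static` helper that frees the salt and decides between `continue` and `goto out` for a given keytype would leave one copy. With both loops skipping unsupported enctypes, an account whose stored keys are all unsupported leaves this function having contributed no keys, and nothing in either hunk checks afterwards that at least one key survived — `samba_kdc_message2entry_keys` continues outside the hunk, so how the caller treats an entry with zero keys should be confirmed rather than assumed. The `DEBUG(2, ...)` line reports only the keytype; if the entry's principal or DN is in scope here, adding it to the message would make a silently dropped key diagnosable from the log.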
Flags:
iboukris
:
review+
metze
:
review+