The Samba-Bugzilla – Attachment 16779 Details for
Bug 14817
Update Kerberos testing and dependencies to bring in fix for KDC crash
potential 4.14 backport script
backport-to-4.14.sh (text/plain), 12.32 KB, created by
Andrew Bartlett
on 2021-09-06 22:16:33 UTC
Description:
potential 4.14 backport script
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2021-09-06 22:16:33 UTC
Size:
12.32 KB
patch
obsolete
>#!/bin/bash
>set -x
>set -e
>git reset --hard origin/v4-14-test
>
># Patch by Volker for librpc: Add py_descriptor_richcmp() equality function
># Needed for a clean apply of a later patch by Joseph for the
># Py_NotImplemented -> Py_RETURN_NOTIMPLEMENTED in 290c1dc0975867a71c02e911708323d1f38b6f96
>git cherry-pick -x 439b7ccdc1b1c91c66c1a7c83e340fa044c26377
>
>git cherry-pick -x 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2
>git cherry-pick -x 2867950721993c62a636d754e50d483fda39e19c..7791acb074b84ec7b571a81f15b56d33e2214ce9
>git cherry-pick -x 0e3ddc27ed6d603a21cb2b187f3295506d560604..bf71fa038e9b97f770e06e88226e885d67342d47
>
>cat > list-and-space.patch <<'EOF'
>From 04c689bf184189e6261812e89f3db10b52adb465 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 7 Sep 2021 09:08:58 +1200
>Subject: [PATCH] selftest: add space after --list in output of
> selftesthelpers.py
>
>Selected and backported from:
>
>commit b113a3bbcd03ab6a62883fbca85ee8749e038887
>Author: Volker Lendecke <vl@samba.org>
>Date: Mon Apr 19 16:04:00 2021 +0200
>
> torture: Show sddl_decode() failure for "GWFX" access mask
>
> Signed-off-by: Volker Lendecke <vl@samba.org>
> Reviewed-by: Jeremy Allison <jra@samba.org>
>
>(This allows subsequent patches to be cherry-picked cleanly)
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> selftest/selftesthelpers.py | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py
>index 7b4c084b6de..23f1b9ccd68 100644
>--- a/selftest/selftesthelpers.py
>+++ b/selftest/selftesthelpers.py
>@@ -109,7 +109,7 @@ def plantestsuite_loadlist(name, env, cmdline):
> raise AssertionError("loadlist test %s does not support not --list" % name)
> if "$LOADLIST" not in cmdline:
> raise AssertionError("loadlist test %s does not support --load-list" % name)
>- print(("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list"))
>+ print(("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list "))
> print(cmdline.replace("$LISTOPT", "") + " 2>&1 " + " | " + add_prefix(name, env, False))
>
>
>--
>2.25.1
>EOF
>
>git am list-and-space.patch
>
>git cherry-pick -x 7fb741b3b1ac7c2bac355b77cf71cd8881d58d5b..48289b6964d28e153fec885aceca02c6a9b436ef
>git cherry-pick -x 4809f4a6ee971bcd9767839c729b636b7582fc02..984a0db00c3f2e38b568a75eb1944f4d7bb7f854
>git cherry-pick -x d9edad89f3b268c6da8f988a42f8cf2a3b697fe7..c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340
>git cherry-pick -x ebd673e976aea5dd481a75f180fd526995c4fda0
>
>cat > no-sname.patch <<'EOF'
>From 671ac4e3247b0ed542eb17b57246a76a90703334 Mon Sep 17 00:00:00 2001
>From: Luke Howard <lukeh@padl.com>
>Date: Tue, 31 Aug 2021 17:38:16 +1200
>Subject: [PATCH 1/2] kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
>
>If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and
>KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.
>
>[abartlet@samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
>and knownfail added. Further adapted knownfail for 4.14 due to conflicts
>as the patch that adds a test which crashes old MIT versions is
>omitted]
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> selftest/knownfail_heimdal_kdc | 1 +
> source4/heimdal/kdc/kerberos5.c | 4 ++--
> 2 files changed, 3 insertions(+), 2 deletions(-)
>
>diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
>index b336d6fb3e2..d3b4e5ecb3b 100644
>--- a/selftest/knownfail_heimdal_kdc
>+++ b/selftest/knownfail_heimdal_kdc
>@@ -70,3 +70,4 @@
> ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
> ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
> ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc
>+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc
>diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
>index 27d38ad84b7..0fa336e871c 100644
>--- a/source4/heimdal/kdc/kerberos5.c
>+++ b/source4/heimdal/kdc/kerberos5.c
>@@ -996,7 +996,7 @@ _kdc_as_rep(krb5_context context,
> flags |= HDB_F_CANON;
>
> if(b->sname == NULL){
>- ret = KRB5KRB_ERR_GENERIC;
>+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
> e_text = "No server in request";
> } else{
> ret = _krb5_principalname2krb5_principal (context,
>@@ -1012,7 +1012,7 @@ _kdc_as_rep(krb5_context context,
> goto out;
> }
> if(b->cname == NULL){
>- ret = KRB5KRB_ERR_GENERIC;
>+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
> e_text = "No client in request";
> } else {
> ret = _krb5_principalname2krb5_principal (context,
>--
>2.25.1
>
>
>From f9f672f2b79666c8d6f659e27a552597f578d806 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 31 Aug 2021 22:38:01 +1200
>Subject: [PATCH 2/2] tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a
> missing sname
>
>This allows our code to still pass with the error code that
>MIT and Heimdal have chosen
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
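Review bot: Neither `_kdc_as_rep` guard records why a principal-unknown code is returned for an absent field rather than a generic error, which matters because both branches handle optional fields taken from the request body. A one-line comment on each branch would capture it, e.g. `/* sname is OPTIONAL in KDC-REQ-BODY; report an unknown server principal, matching MIT */` and the cname equivalent. The function starts and ends outside these hunks, so whether other request paths (for example the TGS handler) carry the same NULL guard cannot be confirmed from here and is worth checking as part of the backport.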
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184
>
>[abartlet@samba.org: Backported from 10baaf08523200e47451aa1862430977b0365b59
> to Samba 4.14 due to conflicts in
> knownfail as the test which crashes older MIT KDC versions is
> omitted]
>---
> python/samba/tests/krb5/fast_tests.py | 23 +++++++++++++-------
> python/samba/tests/krb5/kdc_base_test.py | 6 ++++-
> python/samba/tests/krb5/rfc4120_constants.py | 1 +
> selftest/knownfail_heimdal_kdc | 3 ---
> 4 files changed, 21 insertions(+), 12 deletions(-)
>
>diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
>index fb5c0fc28f8..1b7c380840d 100755
>--- a/python/samba/tests/krb5/fast_tests.py
>+++ b/python/samba/tests/krb5/fast_tests.py
>@@ -20,6 +20,7 @@
> import functools
> import os
> import sys
>+import collections
>
> import ldb
>
>@@ -37,6 +38,7 @@ from samba.tests.krb5.rfc4120_constants import (
> FX_FAST_ARMOR_AP_REQUEST,
> KDC_ERR_ETYPE_NOSUPP,
> KDC_ERR_GENERIC,
>+ KDC_ERR_S_PRINCIPAL_UNKNOWN,
> KDC_ERR_NOT_US,
> KDC_ERR_PREAUTH_FAILED,
> KDC_ERR_PREAUTH_REQUIRED,
>@@ -115,7 +117,7 @@ class FAST_Tests(KDCBaseTest):
> self._run_test_sequence([
> {
> 'rep_type': KRB_AS_REP,
>- 'expected_error_mode': KDC_ERR_GENERIC,
>+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN),
> 'use_fast': False,
> 'sname': None,
> 'expected_sname': expected_sname
>@@ -132,7 +134,7 @@ class FAST_Tests(KDCBaseTest):
> self._run_test_sequence([
> {
> 'rep_type': KRB_TGS_REP,
>- 'expected_error_mode': KDC_ERR_GENERIC,
>+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN),
> 'use_fast': False,
> 'gen_tgt_fn': self.get_user_tgt,
> 'sname': None,
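Review bot: The added `import collections` does not by itself bind the `collections.abc` submodule, so `collections.abc.Container` in the `-1162,7 +1164,12` hunk of this file only resolves if some other module has already imported it. Importing the submodule explicitly, `import collections.abc`, removes that dependency on import order. The same applies to the `import collections` added in kdc_base_test.py and its `isinstance(expected, collections.abc.Container)` check in the `-598,7 +599,10` hunk.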
>@@ -169,7 +171,7 @@ class FAST_Tests(KDCBaseTest):
> self._run_test_sequence([
> {
> 'rep_type': KRB_TGS_REP,
>- 'expected_error_mode': KDC_ERR_GENERIC,
>+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN),
> 'use_fast': True,
> 'gen_tgt_fn': self.get_user_tgt,
> 'fast_armor': None,
>@@ -1162,7 +1164,12 @@ class FAST_Tests(KDCBaseTest):
> self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP))
>
> expected_error_mode = kdc_dict.pop('expected_error_mode')
>- self.assertIn(expected_error_mode, range(240))
>+ if expected_error_mode == 0:
>+ expected_error_mode = ()
>+ elif not isinstance(expected_error_mode, collections.abc.Container):
>+ expected_error_mode = (expected_error_mode,)
>+ for error in expected_error_mode:
>+ self.assertIn(error, range(240))
>
> use_fast = kdc_dict.pop('use_fast')
> self.assertIs(type(use_fast), bool)
>@@ -1173,7 +1180,7 @@ class FAST_Tests(KDCBaseTest):
>
> if fast_armor_type is not None:
> self.assertIn('gen_armor_tgt_fn', kdc_dict)
>- elif expected_error_mode != KDC_ERR_GENERIC:
>+ elif KDC_ERR_GENERIC not in expected_error_mode:
> self.assertNotIn('gen_armor_tgt_fn', kdc_dict)
>
> gen_armor_tgt_fn = kdc_dict.pop('gen_armor_tgt_fn', None)
>@@ -1197,7 +1204,7 @@ class FAST_Tests(KDCBaseTest):
> self.assertNotIn('gen_tgt_fn', kdc_dict)
> tgt = None
>
>- if expected_error_mode != 0:
>+ if len(expected_error_mode) != 0:
> check_error_fn = self.generic_check_kdc_error
> check_rep_fn = None
> else:
>@@ -1411,7 +1418,7 @@ class FAST_Tests(KDCBaseTest):
> realm=crealm,
> sname=sname,
> etypes=etypes)
>- if expected_error_mode == 0:
>+ if len(expected_error_mode) == 0:
> self.check_reply(rep, rep_type)
>
> fast_cookie = None
>@@ -1425,7 +1432,7 @@ class FAST_Tests(KDCBaseTest):
> else:
> fast_cookie = None
>
>- if expected_error_mode == KDC_ERR_PREAUTH_REQUIRED:
>+ if KDC_ERR_PREAUTH_REQUIRED in expected_error_mode:
> preauth_etype_info2 = (
> kdc_exchange_dict['preauth_etype_info2'])
> else:
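Review bot: After the normalisation in the `-1162,7 +1164,12` hunk, a container that includes `0` passes the `range(240)` check but is then treated as error-only, because the later branches test `len(expected_error_mode) != 0`; a successful reply would presumably be handed to `generic_check_kdc_error`. Rejecting that input keeps the success and error modes distinct, e.g. `self.assertNotIn(0, expected_error_mode)` after the loop. A `str` or `dict` also satisfies `collections.abc.Container`, so testing against `(tuple, list, set, frozenset)` would be stricter than the ABC. The enclosing method starts and ends outside these hunks, so it is assumed that the `len()` tests in the `-1411` and `-1425` hunks see the normalised tuple and not a bare int.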
>diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
>index b148fa01f65..f5c1eba9151 100644
>--- a/python/samba/tests/krb5/kdc_base_test.py
>+++ b/python/samba/tests/krb5/kdc_base_test.py
>@@ -21,6 +21,7 @@ import os
> from datetime import datetime, timezone
> import tempfile
> import binascii
>+import collections
>
> from collections import namedtuple
> import ldb
>@@ -598,7 +599,10 @@ class KDCBaseTest(RawKerberosTest):
> """
> self.assertIsNotNone(rep)
> self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep)
>- self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep)
>+ if isinstance(expected, collections.abc.Container):
>+ self.assertIn(rep['error-code'], expected, "rep = {%s}" % rep)
>+ else:
>+ self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep)
>
> def tgs_req(self, cname, sname, realm, ticket, key, etypes):
> '''Send a TGS-REQ, returns the response and the decrypted and
>diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py
>index c70ce309b95..ac2bac4d91e 100644
>--- a/python/samba/tests/krb5/rfc4120_constants.py
>+++ b/python/samba/tests/krb5/rfc4120_constants.py
>@@ -67,6 +67,7 @@ PADATA_SUPPORTED_ETYPES = int(
>
> # Error codes
> KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
>+KDC_ERR_S_PRINCIPAL_UNKNOWN = 7
> KDC_ERR_POLICY = 12
> KDC_ERR_ETYPE_NOSUPP = 14
> KDC_ERR_PREAUTH_FAILED = 24
>diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
>index d3b4e5ecb3b..27b3096c8ca 100644
>--- a/selftest/knownfail_heimdal_kdc
>+++ b/selftest/knownfail_heimdal_kdc
>@@ -68,6 +68,3 @@
> ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc
> ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc
> ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
>-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
>-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc
>-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc
>--
>2.25.1
>
>EOF
>
>git-add-bug 14817 origin/v4-14-test..HEAD
>
>git format-patch origin/v4-14-test..HEAD --stdout > samba-4-14-kdc-crash.patch
>git diff origin/v4-14-test..HEAD --stat > samba-4-14-kdc-crash.diffstat