The Samba-Bugzilla – Attachment 16783 Details for
Bug 14817
Update Kerberos testing and dependencies to bring in fix for KDC crash
script used to select the backport (v3) to 4.14
backport-to-4.14.sh (text/plain), 27.47 KB, created by
Andrew Bartlett
on 2021-09-07 07:46:51 UTC
Description:
script used to select the backport (v3) to 4.14
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2021-09-07 07:46:51 UTC
Size:
27.47 KB
patch
obsolete
>#!/bin/bash >set -x >set -e >git reset --hard origin/v4-14-test > ># Patch by Volker for librpc: Add py_descriptor_richcmp() equality function ># Needed for a clean apply of a later patch by Joseph for the ># Py_NotImplemented -> Py_RETURN_NOTIMPLEMENTED in 290c1dc0975867a71c02e911708323d1f38b6f96 >git cherry-pick -x 439b7ccdc1b1c91c66c1a7c83e340fa044c26377 > ># tests python krb5: MS-KILE client principal look-up >git cherry-pick -x 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2 > ># ccache tests >git cherry-pick -x 2867950721993c62a636d754e50d483fda39e19c..7791acb074b84ec7b571a81f15b56d33e2214ce9 > ># Kerberos test infrastructure >git cherry-pick -x 0e3ddc27ed6d603a21cb2b187f3295506d560604..bf71fa038e9b97f770e06e88226e885d67342d47 > >git am - <<'EOF' >From 04c689bf184189e6261812e89f3db10b52adb465 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 7 Sep 2021 09:08:58 +1200 >Subject: [PATCH] selftest: add space after --list in output of > selftesthelpers.py > >Selected and backported from: > >commit b113a3bbcd03ab6a62883fbca85ee8749e038887 >Author: Volker Lendecke <vl@samba.org> >Date: Mon Apr 19 16:04:00 2021 +0200 > > torture: Show sddl_decode() failure for "GWFX" access mask > > Signed-off-by: Volker Lendecke <vl@samba.org> > Reviewed-by: Jeremy Allison <jra@samba.org> > >(This allows subsequent patches to be cherry-picked cleanly) > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > selftest/selftesthelpers.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py >index 7b4c084b6de..23f1b9ccd68 100644 >--- a/selftest/selftesthelpers.py >+++ b/selftest/selftesthelpers.py 
>@@ -109,7 +109,7 @@ def plantestsuite_loadlist(name, env, cmdline): > raise AssertionError("loadlist test %s does not support not --list" % name) > if "$LOADLIST" not in cmdline: > raise AssertionError("loadlist test %s does not support --load-list" % name) >- print(("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list")) >+ print(("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list ")) > print(cmdline.replace("$LISTOPT", "") + " 2>&1 " + " | " + add_prefix(name, env, False)) > > >-- >2.25.1 >EOF > ># ENV support in plantestsuite >git cherry-pick -x 7fb741b3b1ac7c2bac355b77cf71cd8881d58d5b..48289b6964d28e153fec885aceca02c6a9b436ef ># More Kerberos testing infrastructure >git cherry-pick -x 4809f4a6ee971bcd9767839c729b636b7582fc02..98dc19e8c817fc66e253e544874a45b17b8bfa7b > >git am - <<'EOF' >From 6de2f5b6fb0b6614e06256a814eeb5cee2356a23 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 11:39:37 +1200 >Subject: [PATCH] tests/krb5: Make checking less strict > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc) > >[abartlet@samba.org Adapted to add knownfail because in this >Samba 4.14 backport we do not include >b3ee034b4d457607ef25a5b01da64e1eaf5906dd >(s4:kdc: prefer newer enctypes for preauth responses)] >--- > python/samba/tests/krb5/raw_testcase.py | 52 ++++++++++--------- > .../knownfail.d/samba.tests.krb5.as_req_tests | 42 --------------- > 2 files changed, 27 insertions(+), 67 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 70062ca338a..69b7c7adc9b 100644 
>--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1625,8 +1625,9 @@ class RawKerberosTest(TestCaseInTempDir): > > self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP > padata = self.getElementValue(rep, 'padata') >- self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) >- self.assertElementEqualPrincipal(rep, 'cname', expected_cname) >+ if self.strict_checking: >+ self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) >+ self.assertElementEqualPrincipal(rep, 'cname', expected_cname) > self.assertElementPresent(rep, 'ticket') > ticket = self.getElementValue(rep, 'ticket') > ticket_encpart = None >@@ -1682,8 +1683,9 @@ class RawKerberosTest(TestCaseInTempDir): > if encpart_decryption_key is not None: > self.assertElementEqual(encpart, 'etype', > encpart_decryption_key.etype) >- self.assertElementKVNO(encpart, 'kvno', >- encpart_decryption_key.kvno) >+ if self.strict_checking: >+ self.assertElementKVNO(encpart, 'kvno', >+ encpart_decryption_key.kvno) > rep_decpart = encpart_decryption_key.decrypt( > encpart_decryption_usage, > encpart_cipher) 
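Review bot: With `strict_checking` off, the reply check in the `-1625` hunk no longer compares `crealm`/`cname` with `expected_crealm`/`expected_cname` at all, so a reply naming a different client principal would pass on a non-strict run. If only one known KDC difference needs the relaxation, it would be tighter to keep the comparison wherever the test supplied an expectation and skip it only for that case. At minimum the gate should carry a comment, for example `# Not compared in non-strict mode: <which KDC behaviour differs>`. The same applies to the `kvno` check in the `-1682` hunk and, as far as the collapsed indentation on this page shows, to `realm`/`sname` in the KRB-ERROR hunk at `-1846`. The enclosing methods start and end outside these hunks.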
>@@ -1846,17 +1848,17 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementEqual(rep, 'pvno', 5) > self.assertElementEqual(rep, 'msg-type', KRB_ERROR) > self.assertElementEqual(rep, 'error-code', expected_error_mode) >- self.assertElementMissing(rep, 'ctime') >- self.assertElementMissing(rep, 'cusec') >+ if self.strict_checking: >+ self.assertElementMissing(rep, 'ctime') >+ self.assertElementMissing(rep, 'cusec') > self.assertElementPresent(rep, 'stime') > self.assertElementPresent(rep, 'susec') > # error-code checked above > if self.strict_checking: > self.assertElementMissing(rep, 'crealm') > self.assertElementMissing(rep, 'cname') >- self.assertElementEqualUTF8(rep, 'realm', expected_srealm) >- self.assertElementEqualPrincipal(rep, 'sname', expected_sname) >- if self.strict_checking: >+ self.assertElementEqualUTF8(rep, 'realm', expected_srealm) >+ self.assertElementEqualPrincipal(rep, 'sname', expected_sname) > self.assertElementMissing(rep, 'e-text') > if expected_error_mode == KDC_ERR_GENERIC: > self.assertElementMissing(rep, 'e-data') >@@ -1922,7 +1924,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(pk_as_rep19) > return > >- self.assertIsNotNone(etype_info2) >+ if self.strict_checking: >+ self.assertIsNotNone(etype_info2) > if expect_etype_info: > self.assertIsNotNone(etype_info) > else: 
>@@ -1931,23 +1934,22 @@ class RawKerberosTest(TestCaseInTempDir): > if unexpect_etype_info: > self.assertIsNone(etype_info) > >- self.assertGreaterEqual(len(etype_info2), 1) >- self.assertLessEqual(len(etype_info2), len(expect_etype_info2)) > if self.strict_checking: >+ self.assertGreaterEqual(len(etype_info2), 1) > self.assertEqual(len(etype_info2), len(expect_etype_info2)) >- for i in range(0, len(etype_info2)): >- e = self.getElementValue(etype_info2[i], 'etype') >- self.assertEqual(e, expect_etype_info2[i]) >- salt = self.getElementValue(etype_info2[i], 'salt') >- if e == kcrypto.Enctype.RC4: >- self.assertIsNone(salt) >- else: >- self.assertIsNotNone(salt) >- if expected_salt is not None: >- self.assertEqual(salt, expected_salt) >- s2kparams = self.getElementValue(etype_info2[i], 's2kparams') >- if self.strict_checking: >- self.assertIsNone(s2kparams) >+ for i in range(0, len(etype_info2)): >+ e = self.getElementValue(etype_info2[i], 'etype') >+ self.assertEqual(e, expect_etype_info2[i]) >+ salt = self.getElementValue(etype_info2[i], 'salt') >+ if e == kcrypto.Enctype.RC4: >+ self.assertIsNone(salt) >+ else: >+ self.assertIsNotNone(salt) >+ if expected_salt is not None: >+ self.assertEqual(salt, expected_salt) >+ s2kparams = self.getElementValue(etype_info2[i], 's2kparams') >+ if self.strict_checking: >+ self.assertIsNone(s2kparams) > if etype_info is not None: > self.assertEqual(len(etype_info), 1) > e = self.getElementValue(etype_info[0], 'etype') >diff --git a/selftest/knownfail.d/samba.tests.krb5.as_req_tests b/selftest/knownfail.d/samba.tests.krb5.as_req_tests >index f395bdc553b..35375dfcc8e 100644 >--- a/selftest/knownfail.d/samba.tests.krb5.as_req_tests >+++ b/selftest/knownfail.d/samba.tests.krb5.as_req_tests 
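Review bot: In the `-1931` hunk the whole ETYPE-INFO2 loop appears to move under `if self.strict_checking:`, so non-strict runs no longer check etype order or salt, and the earlier bound `assertLessEqual(len(etype_info2), len(expect_etype_info2))` is dropped for them. Indentation is collapsed on this page, so this is read from the removed and re-added lines. Since the preceding hunk also makes `assertIsNotNone(etype_info2)` strict-only, a null-safe check would keep some coverage: `if etype_info2 is not None: self.assertLessEqual(len(etype_info2), len(expect_etype_info2))`. If the loop is indeed inside the strict block, the inner `if self.strict_checking:` before `self.assertIsNone(s2kparams)` is redundant and can be dropped. The enclosing method extends beyond the hunk.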
>@@ -1,45 +1,3 @@ >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2008r2dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2008r2dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2008r2dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2008r2dc >-- >2.25.1 > > >EOF > ># FAST tests >git cherry-pick -x 6df0e406f1f823bf4d65cd478eb6f2424b69adcc..984a0db00c3f2e38b568a75eb1944f4d7bb7f854 > >git am - <<'EOF' >From bdccd858d5139a8ee2a2b32adf49c61fc73304f1 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 7 Sep 2021 17:23:32 +1200 >Subject: [PATCH] selftest: Remove knownfail for no_etypes FAST tests > >These test pass because b3ee034b4d457607ef25a5b01da64e1eaf5906dd >(s4:kdc: prefer newer enctypes for preauth responses) is not included >in the 4.14 backport. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > selftest/knownfail_heimdal_kdc | 3 --- > 1 file changed, 3 deletions(-) > >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index 02a3db1a3cd..9a61f476469 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc 
>@@ -47,7 +47,6 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_etypes.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc >@@ -56,9 +55,7 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_etypes.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc >-- >2.25.1 > > >EOF > ># missing sname KDC crash tests >git cherry-pick -x d9edad89f3b268c6da8f988a42f8cf2a3b697fe7..c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340 >git cherry-pick -x ebd673e976aea5dd481a75f180fd526995c4fda0 > >git am - <<'EOF' 
>From 671ac4e3247b0ed542eb17b57246a76a90703334 Mon Sep 17 00:00:00 2001 >From: Luke Howard <lukeh@padl.com> >Date: Tue, 31 Aug 2021 17:38:16 +1200 >Subject: [PATCH 1/2] kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field > >If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and >KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour. > >[abartlet@samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd >and knownfail added. Further adapted knownfail for 4.14 due to conflicts >as the patch that adds a test which crashes old MIT versions is >omitted] > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >--- > selftest/knownfail_heimdal_kdc | 1 + > source4/heimdal/kdc/kerberos5.c | 4 ++-- > 2 files changed, 3 insertions(+), 2 deletions(-) > >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index b336d6fb3e2..d3b4e5ecb3b 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc >@@ -70,3 +70,4 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc >diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c >index 27d38ad84b7..0fa336e871c 100644 >--- a/source4/heimdal/kdc/kerberos5.c >+++ b/source4/heimdal/kdc/kerberos5.c >@@ -996,7 +996,7 @@ _kdc_as_rep(krb5_context context, > flags |= HDB_F_CANON; > > if(b->sname == NULL){ >- ret = KRB5KRB_ERR_GENERIC; >+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; > e_text = "No server in request"; > } else{ > ret = _krb5_principalname2krb5_principal (context, 
>@@ -1012,7 +1012,7 @@ _kdc_as_rep(krb5_context context, > goto out; > } > if(b->cname == NULL){ >- ret = KRB5KRB_ERR_GENERIC; >+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; > e_text = "No client in request"; > } else { > ret = _krb5_principalname2krb5_principal (context, >-- >2.25.1 > > >From f9f672f2b79666c8d6f659e27a552597f578d806 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 31 Aug 2021 22:38:01 +1200 >Subject: [PATCH 2/2] tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a > missing sname > >This allows our code to still pass with the error code that >MIT and Heimdal have chosen > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184 > >[abartlet@samba.org: Backported from 10baaf08523200e47451aa1862430977b0365b59 > to Samba 4.14 due to conflicts in > knownfail as the test which crashes older MIT KDC versions is > omitted] >--- > python/samba/tests/krb5/fast_tests.py | 23 +++++++++++++------- > python/samba/tests/krb5/kdc_base_test.py | 6 ++++- > python/samba/tests/krb5/rfc4120_constants.py | 1 + > selftest/knownfail_heimdal_kdc | 3 --- > 4 files changed, 21 insertions(+), 12 deletions(-) > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >index fb5c0fc28f8..1b7c380840d 100755 >--- a/python/samba/tests/krb5/fast_tests.py >+++ b/python/samba/tests/krb5/fast_tests.py >@@ -20,6 +20,7 @@ > import functools > import os > import sys >+import collections > > import ldb > >@@ -37,6 +38,7 @@ from samba.tests.krb5.rfc4120_constants import ( > FX_FAST_ARMOR_AP_REQUEST, > KDC_ERR_ETYPE_NOSUPP, > KDC_ERR_GENERIC, >+ KDC_ERR_S_PRINCIPAL_UNKNOWN, > KDC_ERR_NOT_US, > KDC_ERR_PREAUTH_FAILED, > KDC_ERR_PREAUTH_REQUIRED, 
>@@ -115,7 +117,7 @@ class FAST_Tests(KDCBaseTest): > self._run_test_sequence([ > { > 'rep_type': KRB_AS_REP, >- 'expected_error_mode': KDC_ERR_GENERIC, >+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), > 'use_fast': False, > 'sname': None, > 'expected_sname': expected_sname >@@ -132,7 +134,7 @@ class FAST_Tests(KDCBaseTest): > self._run_test_sequence([ > { > 'rep_type': KRB_TGS_REP, >- 'expected_error_mode': KDC_ERR_GENERIC, >+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), > 'use_fast': False, > 'gen_tgt_fn': self.get_user_tgt, > 'sname': None, >@@ -169,7 +171,7 @@ class FAST_Tests(KDCBaseTest): > self._run_test_sequence([ > { > 'rep_type': KRB_TGS_REP, >- 'expected_error_mode': KDC_ERR_GENERIC, >+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), > 'use_fast': True, > 'gen_tgt_fn': self.get_user_tgt, > 'fast_armor': None, >@@ -1162,7 +1164,12 @@ class FAST_Tests(KDCBaseTest): > self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP)) > > expected_error_mode = kdc_dict.pop('expected_error_mode') >- self.assertIn(expected_error_mode, range(240)) >+ if expected_error_mode == 0: >+ expected_error_mode = () >+ elif not isinstance(expected_error_mode, collections.abc.Container): >+ expected_error_mode = (expected_error_mode,) >+ for error in expected_error_mode: >+ self.assertIn(error, range(240)) > > use_fast = kdc_dict.pop('use_fast') > self.assertIs(type(use_fast), bool) >@@ -1173,7 +1180,7 @@ class FAST_Tests(KDCBaseTest): > > if fast_armor_type is not None: > self.assertIn('gen_armor_tgt_fn', kdc_dict) >- elif expected_error_mode != KDC_ERR_GENERIC: >+ elif KDC_ERR_GENERIC not in expected_error_mode: > self.assertNotIn('gen_armor_tgt_fn', kdc_dict) > > gen_armor_tgt_fn = kdc_dict.pop('gen_armor_tgt_fn', None) 
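Review bot: `collections.abc.Container` in the `-1162` hunk only resolves if some other import has already loaded the `collections.abc` submodule, because the file adds just `import collections`; the import should be `import collections.abc`. The same applies to the `import collections` added to kdc_base_test.py for its `-598` hunk. The normalisation also sets a new contract that is not written down: `0` becomes `()` and means success is expected, while a tuple that happens to include `0` would still select the error path at `len(expected_error_mode) != 0`. A comment above the normalisation such as `# () means success is expected; otherwise any listed error code is accepted` would document it. The enclosing method starts and ends outside the hunk.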
>@@ -1197,7 +1204,7 @@ class FAST_Tests(KDCBaseTest): > self.assertNotIn('gen_tgt_fn', kdc_dict) > tgt = None > >- if expected_error_mode != 0: >+ if len(expected_error_mode) != 0: > check_error_fn = self.generic_check_kdc_error > check_rep_fn = None > else: >@@ -1411,7 +1418,7 @@ class FAST_Tests(KDCBaseTest): > realm=crealm, > sname=sname, > etypes=etypes) >- if expected_error_mode == 0: >+ if len(expected_error_mode) == 0: > self.check_reply(rep, rep_type) > > fast_cookie = None >@@ -1425,7 +1432,7 @@ class FAST_Tests(KDCBaseTest): > else: > fast_cookie = None > >- if expected_error_mode == KDC_ERR_PREAUTH_REQUIRED: >+ if KDC_ERR_PREAUTH_REQUIRED in expected_error_mode: > preauth_etype_info2 = ( > kdc_exchange_dict['preauth_etype_info2']) > else: >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index b148fa01f65..f5c1eba9151 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -21,6 +21,7 @@ import os > from datetime import datetime, timezone > import tempfile > import binascii >+import collections > > from collections import namedtuple > import ldb >@@ -598,7 +599,10 @@ class KDCBaseTest(RawKerberosTest): > """ > self.assertIsNotNone(rep) > self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep) >- self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) >+ if isinstance(expected, collections.abc.Container): >+ self.assertIn(rep['error-code'], expected, "rep = {%s}" % rep) >+ else: >+ self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) > > def tgs_req(self, cname, sname, realm, ticket, key, etypes): > '''Send a TGS-REQ, returns the response and the decrypted and >diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py >index c70ce309b95..ac2bac4d91e 100644 >--- a/python/samba/tests/krb5/rfc4120_constants.py >+++ b/python/samba/tests/krb5/rfc4120_constants.py 
>@@ -67,6 +67,7 @@ PADATA_SUPPORTED_ETYPES = int( > > # Error codes > KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 >+KDC_ERR_S_PRINCIPAL_UNKNOWN = 7 > KDC_ERR_POLICY = 12 > KDC_ERR_ETYPE_NOSUPP = 14 > KDC_ERR_PREAUTH_FAILED = 24 >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index d3b4e5ecb3b..27b3096c8ca 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc >@@ -68,6 +68,3 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc >-- >2.25.1 > >EOF > >git-add-bug 14817 origin/v4-14-test..HEAD > >git format-patch origin/v4-14-test..HEAD --stdout > samba-4-14-kdc-crash.patch >git diff origin/v4-14-test..HEAD --stat > samba-4-14-kdc-crash.diffstat