From f5f632bcae881477fc102e5d6a5dd93ad308869d Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 17 Nov 2021 16:34:07 +0100
Subject: [PATCH 1/4] selftest: Add reproducer for bug 14908
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke
---
 .../knownfail.d/clustered_machine_account | 1 +
 .../script/tests/test_net_machine_account.sh | 23 +++++++++++++++++++
 source3/selftest/tests.py | 9 ++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 selftest/knownfail.d/clustered_machine_account
 create mode 100755 source3/script/tests/test_net_machine_account.sh
diff --git a/selftest/knownfail.d/clustered_machine_account b/selftest/knownfail.d/clustered_machine_account
new file mode 100644
index 00000000000..16abc62a51c
--- /dev/null
+++ b/selftest/knownfail.d/clustered_machine_account
@@ -0,0 +1 @@
+^samba3.net_machine_account.net_ads_user\(clusteredmember\)
\ No newline at end of file
diff --git a/source3/script/tests/test_net_machine_account.sh b/source3/script/tests/test_net_machine_account.sh
new file mode 100755
index 00000000000..f3d145a4784
--- /dev/null
+++ b/source3/script/tests/test_net_machine_account.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Reproducer for https://bugzilla.samba.org/show_bug.cgi?id=14908
+
+if [ $# -lt 2 ]; then
+ echo "Usage: $0 NET CONFFILE SERVER_IP"
+ exit 1
+fi
+
+NET="$1"; shift
+CONFFILE="$1"; shift
+SERVER_IP="$1"; shift
+
+export UID_WRAPPER_ROOT=1
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+testit "net_ads_user" $VALGRIND $NET rpc user --configfile="$CONFFILE" -S "$SERVER_IP" -P || failed=`expr $failed + 1`
+
+testok $0 $failed
+
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index c24558d8a8a..64697e487dd 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
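Review bot: The argument-count guard in test_net_machine_account.sh lets a two-argument call through, although the script consumes three positional arguments (NET, CONFFILE, SERVER_IP) and its own usage string lists three. With only two, SERVER_IP is empty and the third `shift` has nothing left to shift, which some `/bin/sh` implementations treat as a fatal error, so the test would fail for a reason unrelated to bug 14908. The guard should read `if [ $# -lt 3 ]; then`. Separately, `$0` and `$incdir` are expanded unquoted; writing `dirname "$0"` and `. "$incdir/subunit.sh"` keeps the script working when the source tree path contains spaces.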
@@ -1274,6 +1274,15 @@ plantestsuite(
 "",
 "-b $PREFIX/clusteredmember/unclists/tmp.txt -N 5 -o 10"])
+plantestsuite(
+ "samba3.net_machine_account",
+ "clusteredmember",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_net_machine_account.sh"),
+ "bin/net",
+ "$SERVERCONFFILE",
+ "$SERVER_IP"])
+
 plantestsuite(
 "samba3.net_lookup_ldap",
 "ad_dc:local",
--
2.30.2
From 38c8a9ad9e1377ffa649f59cc6d8720365d5cf75 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 17 Nov 2021 12:25:05 +0100
Subject: [PATCH 2/4] lib: Add required includes to source3/include/secrets.h
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke
---
 source3/include/secrets.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 2478561cee7..1abfbb07e89 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -20,6 +20,9 @@
 #ifndef _SECRETS_H
 #define _SECRETS_H
+#include "replace.h"
+#include "librpc/gen_ndr/security.h"
+
 /* the first one is for the hashed password (NT4 style) the latter for plaintext (ADS) */
--
2.30.2
From 81c90e2e9f44e3f38e5a14dc0d90b29b0cc1e518 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 17 Nov 2021 12:25:58 +0100
Subject: [PATCH 3/4] cmdline: Add a callback to set the machine account details
source3 clients need to work in clustered mode, the default cli_credentials_set_machine_account() only looks at the local secrets.tdb file
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke
---
 lib/cmdline/cmdline.c | 16 ++++++++++++++--
 lib/cmdline/cmdline.h | 4 ++++
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index 63e81bc0a7f..0c0b3ead7da 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -30,6 +30,11 @@ static struct cli_credentials *cmdline_creds;
 static samba_cmdline_load_config cmdline_load_config_fn;
 static struct samba_cmdline_daemon_cfg cmdline_daemon_cfg;
+static NTSTATUS (*cli_credentials_set_machine_account_fn)(
+ struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx) =
+ cli_credentials_set_machine_account;
+
 /* PRIVATE */
 bool samba_cmdline_set_talloc_ctx(TALLOC_CTX *mem_ctx)
 {
@@ -122,6 +127,13 @@ struct samba_cmdline_daemon_cfg *samba_cmdline_get_daemon_cfg(void)
 return &cmdline_daemon_cfg;
 }
+void samba_cmdline_set_machine_account_fn(
+ NTSTATUS (*fn) (struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx))
+{
+ cli_credentials_set_machine_account_fn = fn;
+}
+
 void samba_cmdline_burn(int argc, char *argv[])
 {
 bool found = false;
@@ -792,8 +804,8 @@ static void popt_common_credentials_callback(poptContext popt_ctx,
 if (machine_account_pending) {
 NTSTATUS status;
- status = cli_credentials_set_machine_account(creds,
- lp_ctx);
+ status = cli_credentials_set_machine_account_fn(
+ creds, lp_ctx);
 if (!NT_STATUS_IS_OK(status)) {
 fprintf(stderr,
 "Failed to set machine account: %s\n",
diff --git a/lib/cmdline/cmdline.h b/lib/cmdline/cmdline.h
index 1f85da0099e..5cd58c3ddbb 100644
--- a/lib/cmdline/cmdline.h
+++ b/lib/cmdline/cmdline.h
@@ -131,6 +131,10 @@ struct poptOption *samba_cmdline_get_popt(enum smb_cmdline_popt_options opt);
 */
 struct samba_cmdline_daemon_cfg *samba_cmdline_get_daemon_cfg(void);
+void samba_cmdline_set_machine_account_fn(
+ NTSTATUS (*fn) (struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx));
+
 /**
 * @brief Burn secrets on the command line.
 *
--
2.30.2
From bc35aa8f447bd334a3a48afc18adad7b18e5d356 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 17 Nov 2021 12:27:27 +0100
Subject: [PATCH 4/4] cmdline: Make -P work in clustered mode
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
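Review bot: `samba_cmdline_set_machine_account_fn()` stores whatever pointer it is handed, and the call site changed in `popt_common_credentials_callback()` (third hunk of cmdline.c) invokes `cli_credentials_set_machine_account_fn` unchecked, so a caller that passes NULL turns the `machine_account_pending` path into a call through a NULL function pointer. Keeping the default when NULL is passed avoids that: `cli_credentials_set_machine_account_fn = (fn != NULL) ? fn : cli_credentials_set_machine_account;`. The static pointer's `cli_credentials_` prefix also reads like a symbol exported by the credentials library; a file-local name such as `cmdline_set_machine_account_fn` would match the neighbouring `cmdline_load_config_fn`. `popt_common_credentials_callback()` starts and ends outside its hunk.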
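Review bot: The new `samba_cmdline_set_machine_account_fn()` prototype in cmdline.h has no documentation, while the declarations around it carry Doxygen blocks (the `@brief Burn secrets on the command line.` block follows it directly). A short `/** ... */` block should state that the callback replaces the default `cli_credentials_set_machine_account()` lookup used when machine-account credentials are requested, that it presumably has to be registered before option parsing runs, and whether NULL is an accepted argument. The function-pointer signature is now written out three times (the static variable, the setter definition and this prototype); a typedef declared next to `samba_cmdline_load_config`, which appears to be the equivalent type for the load-config hook, would keep the three in sync.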
Signed-off-by: Volker Lendecke
---
 lib/cmdline/cmdline_s3.c | 28 +++++++++++++++++++
 lib/cmdline/wscript | 2 +-
 .../knownfail.d/clustered_machine_account | 1 -
 3 files changed, 29 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/clustered_machine_account
diff --git a/lib/cmdline/cmdline_s3.c b/lib/cmdline/cmdline_s3.c
index 639d403aed3..6e2c154c756 100644
--- a/lib/cmdline/cmdline_s3.c
+++ b/lib/cmdline/cmdline_s3.c
@@ -26,6 +26,7 @@
 #include "auth/credentials/credentials.h"
 #include "dynconfig/dynconfig.h"
 #include "cmdline_private.h"
+#include "source3/include/secrets.h"
 static bool _require_smbconf;
 static enum samba_cmdline_config_type _config_type;
@@ -84,6 +85,31 @@ static bool _samba_cmdline_load_config_s3(void)
 return true;
 }
+static NTSTATUS _samba_cmd_set_machine_account_s3(
+ struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
+{
+ struct db_context *db_ctx = secrets_db_ctx();
+ NTSTATUS status;
+
+ if (db_ctx == NULL) {
+ DBG_WARNING("failed to open secrets.tdb to obtain our "
+ "trust credentials for %s\n",
+ lpcfg_workgroup(lp_ctx));;
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = cli_credentials_set_machine_account_db_ctx(
+ cred, lp_ctx, db_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("cli_credentials_set_machine_account_db_ctx "
+ "failed: %s\n",
+ nt_errstr(status));
+ }
+
+ return status;
+}
+
 bool samba_cmdline_init(TALLOC_CTX *mem_ctx,
 enum samba_cmdline_config_type config_type,
 bool require_smbconf)
@@ -119,6 +145,8 @@ bool samba_cmdline_init(TALLOC_CTX *mem_ctx,
 }
 samba_cmdline_set_load_config_fn(_samba_cmdline_load_config_s3);
+ samba_cmdline_set_machine_account_fn(
+ _samba_cmd_set_machine_account_s3);
 return true;
 }
diff --git a/lib/cmdline/wscript b/lib/cmdline/wscript
index 9c50b47a41c..6b816c859c1 100644
--- a/lib/cmdline/wscript
+++ b/lib/cmdline/wscript
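Review bot: In `_samba_cmd_set_machine_account_s3()` the first `DBG_WARNING` call ends in a stray double semicolon, `lpcfg_workgroup(lp_ctx));;`, which should be `lpcfg_workgroup(lp_ctx));`. The helper uses a `_samba_cmd_` prefix while the sibling hook registered on the line before it in `samba_cmdline_init()` is `_samba_cmdline_load_config_s3`; naming it `_samba_cmdline_set_machine_account_s3` would be consistent. The warning text says secrets.tdb could not be opened, but this series targets clustered setups where the handle returned by `secrets_db_ctx()` is presumably not a local tdb file, so wording such as `"failed to open secrets database to obtain our "` would mislead less when a machine-account login failure is being diagnosed. `samba_cmdline_init()` starts and ends outside its hunks.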
@@ -19,7 +19,7 @@ def build(bld):
 bld.SAMBA_SUBSYSTEM('CMDLINE_S3',
 source='cmdline_s3.c',
- deps='cmdline')
+ deps='cmdline secrets3')
 bld.SAMBA_SUBSYSTEM('CMDLINE_S4',
 source='cmdline_s4.c',
diff --git a/selftest/knownfail.d/clustered_machine_account b/selftest/knownfail.d/clustered_machine_account
deleted file mode 100644
index 16abc62a51c..00000000000
--- a/selftest/knownfail.d/clustered_machine_account
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.net_machine_account.net_ads_user\(clusteredmember\)
\ No newline at end of file
--
2.30.2