From 04139259e8d7e669c6ccfff6bc11230c56c39105 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 24 May 2022 10:17:00 +0200 Subject: [PATCH 1/4] testprogs: Fix auth with smbclient and krb5 ccache --use-kerberos=required will ask the user to provide a username and password to do a kinit. The test will open a password prompt in this case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15104 Signed-off-by: Andreas Schneider Reviewed-by: Joseph Sutton Reviewed-by: Stefan Metzmacher (cherry picked from commit e9e5b3ae0f662d8541358a07861c06aa9f48aa5a) --- testprogs/blackbox/test_kpasswd_heimdal.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh index 43f38b09de2..a73c6665a18 100755 --- a/testprogs/blackbox/test_kpasswd_heimdal.sh +++ b/testprogs/blackbox/test_kpasswd_heimdal.sh @@ -71,7 +71,7 @@ testit "kinit with user password" \ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1` test_smbclient "Test login with user kerberos ccache" \ - "ls" "$SMB_UNC" --use-kerberos=required || failed=`expr $failed + 1` + "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=`expr $failed + 1` testit "change user password with 'samba-tool user password' (unforced)" \ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1` @@ -84,7 +84,7 @@ testit "kinit with user password" \ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1` test_smbclient "Test login with user kerberos ccache" \ - "ls" "$SMB_UNC" --use-kerberos=required || failed=`expr $failed + 1` + "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=`expr $failed + 1` ########################################################### ### check that a short password is rejected -- 2.36.1 From c1254c1cc40307be9f486f9d2c89b829c88ee8df Mon Sep 17 00:00:00 2001 
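Review bot: `${KRB5CCNAME}` is expanded unquoted in the new `test_smbclient` argument, in both hunks of this patch (the calls at lines 74 and 87 of the script), while `"$SMB_UNC"` on the same line is quoted. A cache name containing whitespace or glob characters would be word-split at this call, so the option should be passed as one quoted word: `"--use-krb5-ccache=${KRB5CCNAME}"`. The hunks do not show where KRB5CCNAME is exported or how test_smbclient forwards its arguments. If the variable can be empty here, the option degenerates to `--use-krb5-ccache=`, so a short comment naming where the cache is set up would help.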
From: Andreas Schneider Date: Wed, 22 Jun 2022 08:28:40 +0200 Subject: [PATCH 2/4] lib:cmdline: Fix error handling of --use-kerberos=desired|required|off Best reviewed with `git show -b` BUG: https://bugzilla.samba.org/show_bug.cgi?id=15104 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 2dbd3210ed4a6703fcc6b0350a86860e5bcbd7c7) --- lib/cmdline/cmdline.c | 42 ++++++++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c index 0c0b3ead7da..67499fb3141 100644 --- a/lib/cmdline/cmdline.c +++ b/lib/cmdline/cmdline.c @@ -904,26 +904,36 @@ static void popt_common_credentials_callback(poptContext popt_ctx, } } break; - case OPT_USE_KERBEROS: - if (arg != NULL) { - int32_t use_kerberos = - lpcfg_parse_enum_vals("client use kerberos", arg); + case OPT_USE_KERBEROS: { + int32_t use_kerberos = INT_MIN; + if (arg == NULL) { + fprintf(stderr, + "Failed to parse " + "--use-kerberos=desired|required|off: " + "Missing argument\n"); + exit(1); + } - if (use_kerberos == INT_MIN) { - fprintf(stderr, "Failed to parse --use-kerberos\n"); - exit(1); - } + use_kerberos = lpcfg_parse_enum_vals("client use kerberos", + arg); + if (use_kerberos == INT_MIN) { + fprintf(stderr, + "Failed to parse " + "--use-kerberos=desired|required|off: " + "Invalid argument\n"); + exit(1); + } - ok = cli_credentials_set_kerberos_state(creds, - use_kerberos, - CRED_SPECIFIED); - if (!ok) { - fprintf(stderr, - "Failed to set Kerberos state to %s!\n", arg); - exit(1); - } + ok = cli_credentials_set_kerberos_state(creds, + use_kerberos, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set Kerberos state to %s!\n", arg); + exit(1); } break; + } case OPT_USE_KERBEROS_CCACHE: if (arg != NULL) { const char *error_string = NULL; -- 2.36.1 From c006830536f39a694cc07b8c4c127700b83286ec Mon Sep 17 00:00:00 2001 
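Review bot: The new "Invalid argument" branch under `case OPT_USE_KERBEROS` does not report which value was rejected, although `arg` is known to be non-NULL at that point. Ending the message with `"Invalid argument '%s'\n", arg` would make a mistyped value visible to the user. A one-line comment above the `arg == NULL` check, such as `/* A missing value is fatal: silently skipping it would leave the Kerberos state unchanged */`, would record why the old `if (arg != NULL)` skip was removed. The enclosing switch in popt_common_credentials_callback starts and ends outside the hunk.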
From: Andreas Schneider Date: Wed, 22 Jun 2022 08:34:20 +0200 Subject: [PATCH 3/4] lib:cmdline: Fix error handling of --use-krb5-ccache=CCACHE Best reviewed with `git show -b` BUG: https://bugzilla.samba.org/show_bug.cgi?id=15104 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 7cc340f972afa8320c0e4c1a2b5f1e11483bb4eb) --- lib/cmdline/cmdline.c | 58 ++++++++++++++++++++++++------------------- 1 file changed, 32 insertions(+), 26 deletions(-) diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c index 67499fb3141..e10c352d40f 100644 --- a/lib/cmdline/cmdline.c +++ b/lib/cmdline/cmdline.c 
@@ -934,37 +934,43 @@ static void popt_common_credentials_callback(poptContext popt_ctx, } break; } - case OPT_USE_KERBEROS_CCACHE: - if (arg != NULL) { - const char *error_string = NULL; - int rc; + case OPT_USE_KERBEROS_CCACHE: { + const char *error_string = NULL; + int rc; - ok = cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_REQUIRED, - CRED_SPECIFIED); - if (!ok) { - fprintf(stderr, - "Failed to set Kerberos state to %s!\n", arg); - exit(1); - } + if (arg == NULL) { + fprintf(stderr, + "Failed to parse --use-krb5-ccache=CCACHE: " + "Missing argument\n"); + exit(1); + } - rc = cli_credentials_set_ccache(creds, - lp_ctx, - arg, - CRED_SPECIFIED, - &error_string); - if (rc != 0) { - fprintf(stderr, - "Error reading krb5 credentials cache: '%s'" - " - %s\n", - arg, - error_string); - exit(1); - } + ok = cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set Kerberos state to %s!\n", arg); + exit(1); + } - skip_password_callback = true; + rc = cli_credentials_set_ccache(creds, + lp_ctx, + arg, + CRED_SPECIFIED, + &error_string); + if (rc != 0) { + fprintf(stderr, + "Error reading krb5 credentials cache: '%s'" + " - %s\n", + arg, + error_string); + exit(1); } + + skip_password_callback = true; break; + } case OPT_USE_WINBIND_CCACHE: { uint32_t gensec_features; -- 2.36.1 From af764ca58180b9fbf0b246690294d3fa37b27258 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 22 Jun 2022 08:37:06 +0200 Subject: [PATCH 4/4] lib:cmdline: Fix error handling of --client-protection=sign|encrypt|off Best reviewed with `git show -b` BUG: https://bugzilla.samba.org/show_bug.cgi?id=15104 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit f68374aac54b2e5c315acbab3e189755842e7c4e) --- lib/cmdline/cmdline.c | 119 ++++++++++++++++++++++-------------------- 1 file changed, 63 insertions(+), 56 deletions(-) 
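Review bot: The failure message after `cli_credentials_set_kerberos_state()` in `case OPT_USE_KERBEROS_CCACHE` prints `arg` as the Kerberos state, but here `arg` is the credentials-cache name and the state being set is the constant `CRED_USE_KERBEROS_REQUIRED`. The message would therefore mislead; `"Failed to set Kerberos state to required!\n"` with no argument describes what actually failed. In the `rc != 0` branch, `error_string` is passed to `%s` after being initialised to NULL. Whether cli_credentials_set_ccache() always fills it on failure is not visible here, so `error_string != NULL ? error_string : "unknown error"` would be the safe form. The switch continues outside the hunk.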
diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c index e10c352d40f..6d66187e347 100644 --- a/lib/cmdline/cmdline.c +++ b/lib/cmdline/cmdline.c 
@@ -990,68 +990,75 @@ static void popt_common_credentials_callback(poptContext popt_ctx, skip_password_callback = true; break; } - case OPT_CLIENT_PROTECTION: - if (arg != NULL) { - uint32_t gensec_features; - enum smb_signing_setting signing_state = - SMB_SIGNING_OFF; - enum smb_encryption_setting encryption_state = - SMB_ENCRYPTION_OFF; - - gensec_features = - cli_credentials_get_gensec_features( - creds); - - if (strequal(arg, "off")) { - gensec_features &= - ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL); - - signing_state = SMB_SIGNING_OFF; - encryption_state = SMB_ENCRYPTION_OFF; - } else if (strequal(arg, "sign")) { - gensec_features |= GENSEC_FEATURE_SIGN; - - signing_state = SMB_SIGNING_REQUIRED; - encryption_state = SMB_ENCRYPTION_OFF; - } else if (strequal(arg, "encrypt")) { - gensec_features |= GENSEC_FEATURE_SEAL; - - signing_state = SMB_SIGNING_REQUIRED; - encryption_state = SMB_ENCRYPTION_REQUIRED; - } else { - fprintf(stderr, - "Failed to parse --client-protection\n"); - exit(1); - } + case OPT_CLIENT_PROTECTION: { + uint32_t gensec_features; + enum smb_signing_setting signing_state = + SMB_SIGNING_OFF; + enum smb_encryption_setting encryption_state = + SMB_ENCRYPTION_OFF; - ok = cli_credentials_set_gensec_features(creds, - gensec_features, - CRED_SPECIFIED); - if (!ok) { - fprintf(stderr, - "Failed to set gensec feature!\n"); - exit(1); - } + if (arg == NULL) { + fprintf(stderr, + "Failed to parse " + "--client-protection=sign|encrypt|off: " + "Missing argument\n"); + exit(1); + } - ok = cli_credentials_set_smb_signing(creds, - signing_state, - CRED_SPECIFIED); - if (!ok) { - fprintf(stderr, - "Failed to set smb signing!\n"); - exit(1); - } + gensec_features = + cli_credentials_get_gensec_features( + creds); + + if (strequal(arg, "off")) { + gensec_features &= + ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL); + + signing_state = SMB_SIGNING_OFF; + encryption_state = SMB_ENCRYPTION_OFF; + } else if (strequal(arg, "sign")) { + gensec_features |= 
GENSEC_FEATURE_SIGN; - ok = cli_credentials_set_smb_encryption(creds, - encryption_state, + signing_state = SMB_SIGNING_REQUIRED; + encryption_state = SMB_ENCRYPTION_OFF; + } else if (strequal(arg, "encrypt")) { + gensec_features |= GENSEC_FEATURE_SEAL; + + signing_state = SMB_SIGNING_REQUIRED; + encryption_state = SMB_ENCRYPTION_REQUIRED; + } else { + fprintf(stderr, + "Failed to parse --client-protection\n"); + exit(1); + } + + ok = cli_credentials_set_gensec_features(creds, + gensec_features, CRED_SPECIFIED); - if (!ok) { - fprintf(stderr, - "Failed to set smb encryption!\n"); - exit(1); - } + if (!ok) { + fprintf(stderr, + "Failed to set gensec feature!\n"); + exit(1); + } + + ok = cli_credentials_set_smb_signing(creds, + signing_state, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set smb signing!\n"); + exit(1); + } + + ok = cli_credentials_set_smb_encryption(creds, + encryption_state, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set smb encryption!\n"); + exit(1); } break; + } } /* switch */ } -- 2.36.1
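Review bot: The final `else` under `case OPT_CLIENT_PROTECTION` still prints the short `"Failed to parse --client-protection\n"`, while the new missing-argument branch above it uses the `--client-protection=sign|encrypt|off: Missing argument` form. An unrecognised value should follow the same pattern, `"--client-protection=sign|encrypt|off: " "Invalid argument\n"`, as the --use-kerberos patch in this series does. Separately, the `sign` branch ORs in GENSEC_FEATURE_SIGN without clearing GENSEC_FEATURE_SEAL while setting `encryption_state = SMB_ENCRYPTION_OFF`. If the credentials already carried the seal feature, the gensec and SMB settings would disagree, so a comment stating whether that is intended would help. The switch starts outside the hunk.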