The Samba-Bugzilla – Attachment 17858 Details for
Bug 15323
net ads search -P doesn't work against servers in other domains
[patch]
Patches for v4-18-test
bfixes-tmp418.txt (text/plain), 5.67 KB, created by
Stefan Metzmacher
on 2023-04-12 12:11:30 UTC
Description:
Patches for v4-18-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2023-04-12 12:11:30 UTC
Size:
5.67 KB
>From 3b5191700d9b2ec6bf2c3d5a3a297f934c4b44d6 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 5 Apr 2023 16:45:21 +0200
>Subject: [PATCH 1/2] testprogs/blackbox: add test_net_ads_search_server.sh
>
>This reproduces a regression with
>'net ads search -P --server server.of.trusted.domain'
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 3b585f9e8cc320841fab4cd5c3be53788d0a87ac)
>---
> .../samba4.blackbox.net_ads_search_server_P | 1 +
> source4/selftest/tests.py | 11 ++++++
> .../blackbox/test_net_ads_search_server.sh | 37 +++++++++++++++++++
> 3 files changed, 49 insertions(+)
> create mode 100644 selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
> create mode 100755 testprogs/blackbox/test_net_ads_search_server.sh
>
>diff --git a/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P b/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
>new file mode 100644
>index 000000000000..7f06e3fe7386
>--- /dev/null
>+++ b/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
>@@ -0,0 +1 @@
>+^samba4.blackbox.net_ads_search_server_P.trust
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 052058383f72..823ada7a5dcc 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -666,6 +666,17 @@ plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:clien
> plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
> plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
>
>+env = "ad_member:local"
>+plantestsuite("samba4.blackbox.net_ads_search_server_P.primary", env,
>+ [os.path.join(bbdir, "test_net_ads_search_server.sh"),
>+ '$DC_SERVER', '$REALM'])
>+plantestsuite("samba4.blackbox.net_ads_search_server_P.trust_e_both", env,
>+ [os.path.join(bbdir, "test_net_ads_search_server.sh"),
>+ '$TRUST_E_BOTH_SERVER', '$TRUST_E_BOTH_REALM'])
>+plantestsuite("samba4.blackbox.net_ads_search_server_P.trust_f_both", env,
>+ [os.path.join(bbdir, "test_net_ads_search_server.sh"),
>+ '$TRUST_F_BOTH_SERVER', '$TRUST_F_BOTH_REALM'])
>+
> if have_gnutls_fips_mode_support:
> plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
> plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
>diff --git a/testprogs/blackbox/test_net_ads_search_server.sh b/testprogs/blackbox/test_net_ads_search_server.sh
>new file mode 100755
>index 000000000000..f8350c9a97aa
>--- /dev/null
>+++ b/testprogs/blackbox/test_net_ads_search_server.sh
>@@ -0,0 +1,37 @@
>+#!/bin/sh
>+
>+if [ $# -lt 2 ]; then
>+cat <<EOF
>+Usage: $0 SERVER REALM
>+EOF
>+exit 1;
>+fi
>+
>+SERVER=$1
>+REALM=$2
>+shift 2
>+
>+failed=0
>+. `dirname $0`/subunit.sh
>+
>+samba_net="$BINDIR/net"
>+
>+DN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]' | sed -e 's!^!DC=!' -e 's!\.!,DC=!g')
>+testit_grep_count \
>+ "net_ads_search.ntlmssp" \
>+ "distinguishedName: ${DN}" \
>+ 1 \
>+ $samba_net ads search --use-kerberos=off -P \
>+ --server "${SERVER}.${REALM}" \
>+ '(objectClass=domain)' distinguishedName || \
>+ failed=$((failed + 1))
>+testit_grep_count \
>+ "net_ads_search.krb5" \
>+ "distinguishedName: ${DN}" \
>+ 1 \
>+ $samba_net ads search --use-kerberos=required -P \
>+ --server "${SERVER}.${REALM}" \
>+ '(objectClass=domain)' distinguishedName || \
>+ failed=$((failed + 1))
>+
>+exit $failed
>--
>2.34.1
>
>
>From 8736ae7adf2d4b05dbfc4e7e1cf809b0480f3be8 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 2 Mar 2023 14:46:25 +0100
>Subject: [PATCH 2/2] net_ads: fill ads->auth.realm from c->creds
>
>We get the realm we use for authentication needs to
>the realm belonging to the username we use.
>
>We derive the username from c->creds, so we need to
>do the same for the realm.
>
>Otherwise we try to authenticate as the wrong user.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 0ef53b948e13eb36b536228cccd89aa4c2adbb90)
>---
> .../samba4.blackbox.net_ads_search_server_P | 1 -
> source3/utils/net_ads.c | 10 +++++++++-
> 2 files changed, 9 insertions(+), 2 deletions(-)
> delete mode 100644 selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
>
>diff --git a/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P b/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
>deleted file mode 100644
>index 7f06e3fe7386..000000000000
>--- a/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba4.blackbox.net_ads_search_server_P.trust
>diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
>index 4bca90d5c8c0..9ec884394eb0 100644
>--- a/source3/utils/net_ads.c
>+++ b/source3/utils/net_ads.c
>@@ -710,7 +710,15 @@ retry:
> TALLOC_FREE(ads);
> return ADS_ERROR(LDAP_NO_MEMORY);
> }
>- }
>+ } else if (ads->auth.realm == NULL) {
>+ const char *c_realm = cli_credentials_get_realm(c->creds);
>+
>+ ads->auth.realm = talloc_strdup(ads, c_realm);
>+ if (ads->auth.realm == NULL) {
>+ TALLOC_FREE(ads);
>+ return ADS_ERROR(LDAP_NO_MEMORY);
>+ }
>+ }
>
> status = ads_connect(ads);
>
>--
>2.34.1
>
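Review bot: In the new `else if (ads->auth.realm == NULL)` branch of the net_ads.c hunk, a NULL return from `cli_credentials_get_realm(c->creds)` cannot be told apart from an allocation failure. `talloc_strdup(ads, NULL)` yields NULL, so setup is abandoned with `LDAP_NO_MEMORY`, where the old code went on to `ads_connect()` with no realm set. Whether credentials without a realm can reach this path is not visible from the hunk; if they can, guard the copy with `if (c_realm != NULL) {` … `}` so that only a genuine strdup failure returns the error. Because this value decides which principal the client authenticates as, a short comment such as `/* realm must come from the same creds as the username */` above the branch would help the next reader. The enclosing function starts and ends outside the hunk.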
Flags:
asn
:
review+