The Samba-Bugzilla – Attachment 18450 Details for Bug 15714: net ads testjoin and other commands use the wrong secrets.tdb in a cluster
Patches for v4-21-test
bfixes-tmp421.txt (text/plain), 6.67 KB, created by Stefan Metzmacher on 2024-09-30 14:33:03 UTC
>From 2602f5dd0ea159dfe3705e401b9ea86379b94b31 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 19 Sep 2024 00:14:56 +0200 >Subject: [PATCH 1/3] s3:test_update_keytab_clustered: add net ads testjoin > checks in more places > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Martin Schwenke <martin@meltin.net> >(cherry picked from commit 690c800c33df4d06d409b9ccfa57e5fa575ab1aa) >--- > .../script/tests/test_update_keytab_clustered.sh | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) > >diff --git a/source3/script/tests/test_update_keytab_clustered.sh b/source3/script/tests/test_update_keytab_clustered.sh >index a0016139db52..0fc299d041c9 100755 >--- a/source3/script/tests/test_update_keytab_clustered.sh >+++ b/source3/script/tests/test_update_keytab_clustered.sh >@@ -25,6 +25,12 @@ keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k" > keytabs_nosync_kvno="keytab0 keytab1 keytab2 keytab3" > keytabs_all="$keytabs_sync_kvno $keytabs_nosync_kvno" > >+check_net_ads_testjoin() >+{ >+ UID_WRAPPER_ROOT=1 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $samba_net ads testjoin >+ return $? >+} >+ > # find the biggest vno and store it into global variable vno > get_biggest_vno() > { >@@ -133,6 +139,8 @@ global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf > echo "sync machine password script = $PREFIX_ABS/clusteredmember/updatekeytab.sh" >$global_inject_conf > UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config > >+testit "net_ads_testjoin_initial" check_net_ads_testjoin || failed=$((failed + 1)) >+ > # To have both old and older password we do one unnecessary password change: > testit "wbinfo_change_secret_initial" \ > "$samba_wbinfo" --change-secret --domain="${DOMAIN}" \ 
>@@ -145,12 +153,14 @@ testit "wbinfo_check_secret_initial" \ > # Create/sync all keytabs > testit "net_ads_keytab_sync" test_keytab_create || failed=$((failed + 1)) > >-testit "wbinfo_change_secret" \ >+testit "net_ads_testjoin_after_sync" check_net_ads_testjoin || failed=$((failed + 1)) >+ >+testit "wbinfo_change_secret_after_sync" \ > test_pwd_change "wbinfo_changesecret" \ > "$samba_wbinfo --change-secret --domain=${DOMAIN}" \ > || failed=$((failed + 1)) > >-testit "wbinfo_check_secret" \ >+testit "wbinfo_check_secret_after_sync" \ > "$samba_wbinfo" --check-secret --domain="${DOMAIN}" \ > || failed=$((failed + 1)) > >@@ -159,6 +169,8 @@ test_smbclient "Test machine login with the changed secret" \ > --machine-pass || > failed=$((failed + 1)) > >+testit "net_ads_testjoin_final" check_net_ads_testjoin || failed=$((failed + 1)) >+ > echo "" >$global_inject_conf > UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config > >-- >2.34.1 > > >From da3c07c184d092c9526967bb4160fb327d932c63 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2024 23:48:00 +0200 >Subject: [PATCH 2/3] s3:utils: let 'net ads testjoin' fail without valid > machine credentials > >This will allow doing tests and make sure using anonymous credentials >doesn't cause false positive results... > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Martin Schwenke <martin@meltin.net> >(cherry picked from commit ab3fc1595c0a2e0aa3719cc2fe4684e9a0a2f9d8) >--- > selftest/knownfail.d/net_ads_testjoin | 4 ++++ > source3/utils/net_ads.c | 6 ++++++ > 2 files changed, 10 insertions(+) > create mode 100644 selftest/knownfail.d/net_ads_testjoin > >diff --git a/selftest/knownfail.d/net_ads_testjoin b/selftest/knownfail.d/net_ads_testjoin >new file mode 100644 >index 000000000000..4e88d4a9031f >--- /dev/null >+++ b/selftest/knownfail.d/net_ads_testjoin 
>@@ -0,0 +1,4 @@ >+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_initial.clusteredmember >+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_after_sync.clusteredmember >+^samba3.blackbox.update_keytab_clustered.wbinfo_change_secret_after_sync.clusteredmember >+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_final.clusteredmember >diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c >index 577834d96b5c..0e5da492faf2 100644 >--- a/source3/utils/net_ads.c >+++ b/source3/utils/net_ads.c >@@ -1556,6 +1556,12 @@ static ADS_STATUS net_ads_join_ok(struct net_context *c) > > net_use_krb_machine_account(c); > >+ if (!cli_credentials_authentication_requested(c->creds)) { >+ DBG_ERR("Failed to get machine credentials\n"); >+ TALLOC_FREE(tmp_ctx); >+ return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED); >+ } >+ > get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip); > > status = ads_startup(c, true, tmp_ctx, &ads); >-- >2.34.1 > > >From 8244cede95ced40e07927c49a376dcdbb5ed7fe4 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 11 Sep 2024 18:21:58 +0200 >Subject: [PATCH 3/3] s3:utils: use the correct secrets.tdb in > net_use_krb_machine_account() > >On a cluster we need to use the ctdb controlled database and not >a local secrets.tdb... > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Martin Schwenke <martin@meltin.net> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Fri Sep 20 05:54:43 UTC 2024 on atb-devel-224 > >(cherry picked from commit f9ee4db2ba74e4f1f1b6d6f32082e5b0fe60f9b9) >--- > selftest/knownfail.d/net_ads_testjoin | 4 ---- > source3/utils/net_util.c | 6 +++++- > 2 files changed, 5 insertions(+), 5 deletions(-) > delete mode 100644 selftest/knownfail.d/net_ads_testjoin 
> >diff --git a/selftest/knownfail.d/net_ads_testjoin b/selftest/knownfail.d/net_ads_testjoin >deleted file mode 100644 >index 4e88d4a9031f..000000000000 >--- a/selftest/knownfail.d/net_ads_testjoin >+++ /dev/null >@@ -1,4 +0,0 @@ >-^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_initial.clusteredmember >-^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_after_sync.clusteredmember >-^samba3.blackbox.update_keytab_clustered.wbinfo_change_secret_after_sync.clusteredmember >-^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_final.clusteredmember >diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c >index 93e08cafbf11..5039902bc5e9 100644 >--- a/source3/utils/net_util.c >+++ b/source3/utils/net_util.c >@@ -259,12 +259,16 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst, > > int net_use_krb_machine_account(struct net_context *c) > { >+ struct db_context *db_ctx = NULL; >+ > if (!secrets_init()) { > d_fprintf(stderr,_("ERROR: Unable to open secrets database\n")); > exit(1); > } > >- cli_credentials_set_machine_account(c->creds, c->lp_ctx); >+ db_ctx = secrets_db_ctx(); >+ >+ cli_credentials_set_machine_account_db_ctx(c->creds, c->lp_ctx, db_ctx); > c->explicit_credentials = true; > return 0; > } >-- >2.34.1 >
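Review bot: In patch 1/3, the new check_net_ads_testjoin() helper in source3/script/tests/test_update_keytab_clustered.sh sets UID_WRAPPER_INITIAL_RUID=0 and UID_WRAPPER_INITIAL_EUID=0 in addition to UID_WRAPPER_ROOT=1, while the smbcontrol calls visible in the same script use only UID_WRAPPER_ROOT=1, and nothing says why testjoin needs the extra variables. A one-line comment above the command would make that clear to the next person touching the test. The trailing `return $?` is also redundant, because the function already returns the status of its last command.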
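Review bot: The `@@ -145,12 +153,14 @@` hunk of patch 1/3 renames the existing tests wbinfo_change_secret and wbinfo_check_secret to wbinfo_change_secret_after_sync and wbinfo_check_secret_after_sync, which the subject line ("add net ads testjoin checks in more places") does not mention. Test names are what the knownfail entries match on (patch 2/3 lists wbinfo_change_secret_after_sync), so the rename deserves a sentence in the commit message.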
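Review bot: The new selftest/knownfail.d/net_ads_testjoin file in patch 2/3 lists wbinfo_change_secret_after_sync as its third entry, but that is not a testjoin test and the commit message only talks about 'net ads testjoin' failing without valid machine credentials. Please say in the commit message why the wbinfo password change is also expected to fail at this point in the series, so the entry is not mistaken for an unrelated regression being masked.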
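Review bot: In the source3/utils/net_ads.c hunk of patch 2/3, the new check in net_ads_join_ok() has no comment explaining that it exists to stop testjoin from silently continuing with anonymous credentials; that rationale lives only in the commit message. A short comment above `if (!cli_credentials_authentication_requested(c->creds))` would keep the check from being removed later as redundant. The failure is also reported only through DBG_ERR, so consider whether the user running 'net ads testjoin' should get a message on stderr as well, the way net_use_krb_machine_account() does with d_fprintf for the secrets database error.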
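Review bot: In the source3/utils/net_util.c hunk of patch 3/3, net_use_krb_machine_account() passes the result of secrets_db_ctx() straight to cli_credentials_set_machine_account_db_ctx() without checking it, discards that call's result, and still ends with `return 0;`. If a successful secrets_init() guarantees a non-NULL context, a comment saying so is enough; otherwise add a NULL check. Propagating a failure from the credentials call would let callers detect missing machine credentials directly instead of re-checking afterwards as net_ads_join_ok() does in patch 2/3. A code comment noting that the ctdb controlled database is required on a cluster would also carry the commit message's reasoning into the source.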
Flags: npower: review+, martins: review+