The Samba-Bugzilla – Attachment 9188 Details for
Bug 9091
When replicating DNS for bind9_dlz we need to create the server-DNS account remotely
[patch]
4.1 patch cherry-picked from master
4.1-dns-account-creation-and-tests.patch (text/plain), 25.86 KB, created by
Andrew Bartlett
on 2013-09-05 00:16:38 UTC
Description:
4.1 patch cherry-picked from master
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2013-09-05 00:16:38 UTC
Size:
25.86 KB
patch
obsolete
>From 1689b69d7bf69a5d99a3ca023e7f96ed776ff514 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 24 Dec 2012 08:56:50 +1100
>Subject: [PATCH 1/6] scripting/join.py: Handle creating the dns-NAME account
> during a DC join
>
>This will ensure that the DLZ plugin works out of the box when joining a second Samba DC to the
>domain.
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit b106d9090e8f8f44f02059d2ced3d10066787060)
>---
> python/samba/join.py | 73 ++++++++++++++++++++++++++++++++--
> python/samba/provision/sambadns.py | 11 +++-
> source4/scripting/bin/samba_upgradedns | 11 ++++-
> source4/setup/secrets_dns.ldif | 2 +-
> 4 files changed, 88 insertions(+), 9 deletions(-)
>
>diff --git a/python/samba/join.py b/python/samba/join.py
>index c55c22c..b2f4da4 100644
>--- a/python/samba/join.py
>+++ b/python/samba/join.py
>@@ -26,9 +26,12 @@ from samba.ndr import ndr_pack
> from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs
> from samba.credentials import Credentials, DONT_USE_KERBEROS
> from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
>+from samba.provision.common import setup_path
> from samba.schema import Schema
> from samba.net import Net
> from samba.provision.sambadns import setup_bind9_dns
>+from samba import read_and_sub_file
>+from base64 import b64encode
> import logging
> import talloc
> import random
>@@ -179,6 +182,19 @@ class dc_join(object):
> attrs=["msDS-krbTgtLink"])
> if res:
> ctx.del_noerror(res[0].dn, recursive=True)
>+
>+ res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
>+ expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)),
>+ attrs=[])
>+ if res:
>+ ctx.del_noerror(res[0].dn, recursive=True)
>+
>+ res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
>+ expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname),
>+ attrs=[])
>+ if res:
>+ raise RuntimeError("Not removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s" % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)))
>+
> if ctx.connection_dn is not None:
> ctx.del_noerror(ctx.connection_dn)
> if ctx.krbtgt_dn is not None:
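Review bot: The RuntimeError at the end of the added block builds its message with `ldb.binary_encode(...)`, which is the LDAP-filter escaping helper rather than a display function, so the account name and SPN in the error come out escaped instead of readable; use the plain values, `"dns-%s" % ctx.myname` and `"dns/%s" % ctx.dnshostname`, in the message and keep `binary_encode` only inside the two `expression=` filters, where it is correct. Refusing to delete a `dns-NAME` account that lacks the `dns/<dnshostname>` SPN is a good guard against clobbering an unrelated account that happens to share the name. Note that only `res[0]` is deleted in the first branch, which is fine because sAMAccountName is unique in the domain. The enclosing `dc_join` method starts before this hunk.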
>@@ -579,6 +595,56 @@ class dc_join(object):
> "userAccountControl")
> ctx.samdb.modify(m)
>
>+ if ctx.dns_backend.startswith("BIND9_"):
>+ ctx.dnspass = samba.generate_random_password(128, 255)
>+
>+ recs = ctx.samdb.parse_ldif(read_and_sub_file(setup_path("provision_dns_add_samba.ldif"),
>+ {"DNSDOMAIN": ctx.dnsdomain,
>+ "DOMAINDN": ctx.base_dn,
>+ "HOSTNAME" : ctx.myname,
>+ "DNSPASS_B64": b64encode(ctx.dnspass),
>+ "DNSNAME" : ctx.dnshostname}))
>+ for changetype, msg in recs:
>+ assert changetype == ldb.CHANGETYPE_NONE
>+ print "Adding DNS account %s with dns/ SPN" % msg["dn"]
>+
>+ # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP)
>+ del msg["clearTextPassword"]
>+ # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP
>+ del msg["isCriticalSystemObject"]
>+ try:
>+ ctx.samdb.add(msg)
>+ dns_acct_dn = msg["dn"]
>+ except ldb.LdbError, (num, _):
>+ if num != ldb.ERR_ENTRY_ALREADY_EXISTS:
>+ raise
>+
>+ # The account password set operation should normally be done over
>+ # LDAP. Windows 2000 DCs however allow this only with SSL
>+ # connections which are hard to set up and otherwise refuse with
>+ # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet
>+ # over SAMR.
>+ print "Setting account password for %s" % ctx.samname
>+ try:
>+ ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))"
>+ % ldb.binary_encode(ctx.myname),
>+ ctx.dnspass,
>+ force_change_at_next_login=False,
>+ username=ctx.samname)
>+ except ldb.LdbError, (num, _):
>+ if num != ldb.ERR_UNWILLING_TO_PERFORM:
>+ pass
>+ ctx.net.set_password(account_name="dns-" % ctx.myname,
>+ domain_name=ctx.domain_name,
>+ newpassword=ctx.dnspass)
>+
>+ res = ctx.samdb.search(base=dns_acct_dn, scope=ldb.SCOPE_BASE,
>+ attrs=["msDS-KeyVersionNumber"])
>+ if "msDS-KeyVersionNumber" in res[0]:
>+ ctx.dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
>+ else:
>+ ctx.dns_key_version_number = None
>+
> def join_add_objects2(ctx):
> """add the various objects needed for the join, for subdomains post replication"""
>
>@@ -861,13 +927,12 @@ class dc_join(object):
> key_version_number=ctx.key_version_number)
>
> if ctx.dns_backend.startswith("BIND9_"):
>- dnspass = samba.generate_random_password(128, 255)
>-
> setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid),
> ctx.names, ctx.paths, ctx.lp, logger,
> dns_backend=ctx.dns_backend,
>- dnspass=dnspass, os_level=ctx.behavior_version,
>- targetdir=ctx.targetdir)
>+ dnspass=ctx.dnspass, os_level=ctx.behavior_version,
>+ targetdir=ctx.targetdir,
>+ key_version_number=ctx.dns_key_version_number)
>
> def join_setup_trusts(ctx):
> """provision the local SAM."""
>diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
>index a5a45cf..4acc24b 100644
>--- a/python/samba/provision/sambadns.py
>+++ b/python/samba/provision/sambadns.py
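Review bot: The password-set fallback in the `except ldb.LdbError` handler is broken twice over: `if num != ldb.ERR_UNWILLING_TO_PERFORM: pass` swallows every other LDAP error where it should `raise`, and `account_name="dns-" % ctx.myname` has no `%s` placeholder, so any failure of `ctx.samdb.setpassword` ends in an unrelated `TypeError` instead of either the real LDAP error or a working SAMR fallback; change the two lines to `raise` and `account_name="dns-%s" % ctx.myname`. Because `ctx.dnspass` is reused when `setup_bind9_dns` writes secrets.ldb in the `@@ -861` hunk, a silently failed set here leaves the AD account and the local DNS secret with different passwords and the DLZ module unable to authenticate. Separately, `dns_acct_dn` is bound only when `ctx.samdb.add(msg)` succeeds, so on `ERR_ENTRY_ALREADY_EXISTS` the later `ctx.samdb.search(base=dns_acct_dn, ...)` fails with a `NameError`; move `dns_acct_dn = msg["dn"]` above the `try`. The `print "Setting account password for %s" % ctx.samname` line names the DC machine account although it is the `dns-%s` account whose password is being set. The enclosing `dc_join` method starts before this hunk.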
>@@ -620,7 +620,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname,
>
>
> def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
>- dnsdomain, dns_keytab_path, dnspass):
>+ dnsdomain, dns_keytab_path, dnspass, key_version_number):
> """Add DNS specific bits to a secrets database.
>
> :param secretsdb: Ldb Handle to the secrets database
>@@ -632,11 +632,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
> except OSError:
> pass
>
>+ if key_version_number is None:
>+ key_version_number = 1
>+
> setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), {
> "REALM": realm,
> "DNSDOMAIN": dnsdomain,
> "DNS_KEYTAB": dns_keytab_path,
> "DNSPASS_B64": b64encode(dnspass),
>+ "KEY_VERSION_NUMBER": str(key_version_number),
> "HOSTNAME": names.hostname,
> "DNSNAME" : '%s.%s' % (
> names.netbiosname.lower(), names.dnsdomain.lower())
>@@ -1074,7 +1078,7 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
>
> def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
> dns_backend, os_level, site=None, dnspass=None, hostip=None,
>- hostip6=None, targetdir=None):
>+ hostip6=None, targetdir=None, key_version_number=None):
> """Provision DNS information (assuming BIND9 backend in DC role)
>
> :param samdb: LDB object connected to sam.ldb file
>@@ -1107,7 +1111,8 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
> secretsdb_setup_dns(secretsdb, names,
> paths.private_dir, realm=names.realm,
> dnsdomain=names.dnsdomain,
>- dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
>+ dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
>+ key_version_number=key_version_number)
>
> create_dns_dir(logger, paths)
>
>diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
>index 3c30090..7ae5dbf 100755
>--- a/source4/scripting/bin/samba_upgradedns
>+++ b/source4/scripting/bin/samba_upgradedns
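Review bot: `secretsdb_setup_dns` gains `key_version_number` as a required positional parameter while `setup_bind9_dns` in the same file defaults it to `None`, so any caller of `secretsdb_setup_dns` not updated by this patch now fails with a TypeError; give it the same default, `dnsdomain, dns_keytab_path, dnspass, key_version_number=None):`, which the `if key_version_number is None:` guard already handles. The docstring is not extended for the new parameter; add `:param key_version_number: msDS-KeyVersionNumber of the dns-HOSTNAME account in sam.ldb, or None to record 1 for a freshly created account`. The value is substituted into `secrets_dns.ldif` and so becomes the kvno of the DNS keytab entry; if it does not match the kvno the KDC uses for the account, service tickets for `DNS/<host>` will not be decryptable, which is why documenting where the number must come from matters. The body of `secretsdb_setup_dns` continues outside this hunk.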
>@@ -436,10 +436,19 @@ if __name__ == '__main__':
> "DNSNAME" : dnsname }
> )
>
>+ res = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
>+ expression='(sAMAccountName=dns-%s)' % (hostname),
>+ attrs=["msDS-KeyVersionNumber"])
>+ if "msDS-KeyVersionNumber" in res[0]:
>+ dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
>+ else:
>+ dns_key_version_number = None
>+
> secretsdb_setup_dns(ldbs.secrets, names,
> paths.private_dir, realm=names.realm,
> dnsdomain=names.dnsdomain,
>- dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
>+ dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
>+ key_version_number=dns_key_version_number)
> else:
> logger.info("dns-%s account already exists" % hostname)
>
>diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif
>index 67fd66b..192c06d 100644
>--- a/source4/setup/secrets_dns.ldif
>+++ b/source4/setup/secrets_dns.ldif
>@@ -5,7 +5,7 @@ objectClass: secret
> objectClass: kerberosSecret
> realm: ${REALM}
> servicePrincipalName: DNS/${DNSNAME}
>-msDS-KeyVersionNumber: 1
>+msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
> privateKeytab: ${DNS_KEYTAB}
> secret:: ${DNSPASS_B64}
> samAccountName: dns-${HOSTNAME}
>--
>1.8.4.rc3
>
>
>From 584a3f1a6e4773d1bb4699cb9f3868c256c5475f Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 24 Dec 2012 09:12:04 +1100
>Subject: [PATCH 2/6] scripting/samba_upgradedns: Tighten up exception and
> attribute list handling
>
>This avoids asking for attributes that will not be used, and looks only for the
>expected exceptions, rather than all exceptions.
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit d19c437a36b26e71c24bc25e672d714e21ba50bd)
>---
> source4/scripting/bin/samba_upgradedns | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
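Review bot: The new lookup interpolates `hostname` into the LDAP filter unescaped, `expression='(sAMAccountName=dns-%s)' % (hostname)`, whereas the equivalent search added to join.py in this same patch wraps the value in `ldb.binary_encode(...)`; use `ldb.binary_encode(hostname)` here as well so a NetBIOS name containing filter metacharacters cannot produce a malformed or wider-than-intended match. `res[0]` raises a bare IndexError if the account written by `setup_add_ldif` just above is not found; join.py instead searches the DN it added with `scope=ldb.SCOPE_BASE`, which is unambiguous and fails with a clearer error, and the same approach would fit here. The `samba_upgradedns` main block this hunk edits starts before the hunk.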
>
>diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
>index 7ae5dbf..a8d2f90 100755
>--- a/source4/scripting/bin/samba_upgradedns
>+++ b/source4/scripting/bin/samba_upgradedns
>@@ -284,7 +284,7 @@ if __name__ == '__main__':
> expression='(sAMAccountName=DnsAdmins)',
> attrs=['objectSid'])
> dnsadmins_sid = ndr_unpack(security.dom_sid, msg[0]['objectSid'][0])
>- except Exception, e:
>+ except IndexError:
> logger.info("Adding DNS accounts")
> add_dns_accounts(ldbs.sam, domaindn)
> dnsadmins_sid = get_dnsadmins_sid(ldbs.sam, domaindn)
>@@ -314,7 +314,7 @@ if __name__ == '__main__':
> msg = ldbs.sam.search(base=names.configdn, scope=ldb.SCOPE_DEFAULT,
> expression=expression, attrs=['nCName'])
> ncname = msg[0]['nCName'][0]
>- except Exception, e:
>+ except IndexError:
> logger.info("Creating DNS partitions")
>
> logger.info("Looking up IPv4 addresses")
>@@ -415,16 +415,17 @@ if __name__ == '__main__':
> dn = 'samAccountName=dns-%s,CN=Principals' % hostname
> msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret'])
> dnssecret = msg[0]['secret'][0]
>- except Exception:
>+ except IndexError:
>+
> logger.info("Adding dns-%s account" % hostname)
>
> try:
> msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
> expression='(sAMAccountName=dns-%s)' % (hostname),
>- attrs=['clearTextPassword'])
>+ attrs=[])
> dn = msg[0].dn
> ldbs.sam.delete(dn)
>- except Exception:
>+ except IndexError:
> pass
>
> dnspass = samba.generate_random_password(128, 255)
>@@ -472,9 +473,9 @@ if __name__ == '__main__':
> # Check if dns-HOSTNAME account exists and delete it if required
> try:
> dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
>- msg = ldbs.secrets.search(expression='(dn=%s)' % dn_str, attrs=['secret'])
>+ msg = ldbs.secrets.search(expression='(dn=%s)' % dn_str, attrs=[])
> dn = msg[0].dn
>- except Exception:
>+ except IndexError:
> dn = None
>
> if dn is not None:
>@@ -486,9 +487,9 @@ if __name__ == '__main__':
> try:
> msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
> expression='(sAMAccountName=dns-%s)' % (hostname),
>- attrs=['clearTextPassword'])
>+ attrs=[])
> dn = msg[0].dn
>- except Exception:
>+ except IndexError:
> dn = None
>
> if dn is not None:
>--
>1.8.4.rc3
>
>
>From 8eb5ea30abefef562d6489edeb3b12344ae74ac6 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 26 Dec 2012 10:03:47 +1100
>Subject: [PATCH 3/6] selftest: Test creation of the dns-SERVER account during
> selftest
>
>We do this by having the samba-tool domain dcpromo for promoted_vampire_dc also create a
>dns-SERVER account.
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit e281037c9bfa68ca3dc564ec7a36e5c790024902)
>---
> selftest/target/Samba4.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
>index e574b48..c30f3e8 100644
>--- a/selftest/target/Samba4.pm
>+++ b/selftest/target/Samba4.pm
>@@ -1069,7 +1069,7 @@ sub provision_promoted_dc($$$)
> $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
> $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
> $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
>- $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
>+ $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ";
>
> unless (system($cmd) == 0) {
> warn("Join failed\n$cmd");
>--
>1.8.4.rc3
>
>
>From 5ca5e1fcf5e5c9dba2202adaf3a2b456caf411e5 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 28 Dec 2012 09:25:11 +1100
>Subject: [PATCH 4/6] selftest: Start internal DNS server on domain provisioned
> for BIND9_DLZ
>
>This shows that the internal server can use the dns-SERVER account.
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 013c4990c6f1412dd25592bf177ceffab4b5d16d)
>---
> selftest/target/Samba4.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
>index c30f3e8..37f7102 100644
>--- a/selftest/target/Samba4.pm
>+++ b/selftest/target/Samba4.pm
>@@ -1520,7 +1520,7 @@ sub provision_chgdcpass($$)
> "chgdcpassword.samba.example.com",
> "2008",
> "chgDCpass1",
>- undef, "server services = -dns", "",
>+ undef, "", "",
> $extra_provision_options);
>
> return undef unless(defined $ret);
>--
>1.8.4.rc3
>
>
>From d3a0d96757da81dcedf2ed65f009ddbc8c7522ae Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 28 Dec 2012 10:06:39 +1100
>Subject: [PATCH 5/6] selftest: Add a basic test of samba_upgradedns
>
>This does not check that the command runs correctly, but does at least check
>that the command runs to completion without errors.
>
>Andrew Bartlett
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 16b26eafa75280e576333975cff5dd1505c118fa)
>---
> source4/selftest/tests.py | 1 +
> testprogs/blackbox/test_samba_upgradedns.sh | 37 +++++++++++++++++++++++++++++
> 2 files changed, 38 insertions(+)
> create mode 100755 testprogs/blackbox/test_samba_upgradedns.sh
>
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 10b8a25..f656acd 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -312,6 +312,7 @@ plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.
> plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
> plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
> plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
>+plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
> plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
>
> # Tests using the "Simple" NTVFS backend
>diff --git a/testprogs/blackbox/test_samba_upgradedns.sh b/testprogs/blackbox/test_samba_upgradedns.sh
>new file mode 100755
>index 0000000..a080f73
>--- /dev/null
>+++ b/testprogs/blackbox/test_samba_upgradedns.sh
>@@ -0,0 +1,37 @@
>+#!/bin/sh
>+# Blackbox tests for the samba_upgradedns
>+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
>+# Copyright (C) 2006-2012 Andrew Bartlett <abartlet@samba.org>
>+
>+if [ $# -lt 4 ]; then
>+cat <<EOF
>+Usage: test_samba_upgradedns.sh SERVER REALM PREFIX PROVDIR
>+EOF
>+exit 1;
>+fi
>+
>+SERVER=$1
>+REALM=$2
>+PREFIX=$3
>+PROVDIR=$4
>+shift 4
>+failed=0
>+
>+samba4bindir="$BINDIR"
>+samba4srcdir="$SRCDIR/source4"
>+samba4kinit="$samba4bindir/samba4kinit"
>+
>+. `dirname $0`/subunit.sh
>+
>+testit "run samba_upgradedns converting to bind9 DLZ" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
>+
>+testit "run samba_upgradedns converting to internal" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
>+
>+testit "run samba_upgradedns converting to internal (2nd time)" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
>+
>+testit "run samba_upgradedns converting to bind9 DLZ (2nd time)" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
>+
>+testit "run samba_upgradedns converting to bind9 DLZ (3rd time)" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
>+
>+
>+exit $failed
>--
>1.8.4.rc3
>
>
>From 4ff4538ca03b0002b24a6419270d1e1ed719798d Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 28 Dec 2012 21:00:28 +1100
>Subject: [PATCH 6/6] torture: Ensure that GSSAPI and SPNEGO packets are
> accepted by dlz_bind9
>
>This exercises some more of the dlz_bind9 code outside BIND, by
>sending in a ticket to be access checked, wrapped either in SPNEGO or
>just in GSSAPI.
>
>Andrew Bartlett
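Review bot: Every expansion in the new script is unquoted, including `$samba4srcdir/scripting/bin/samba_upgradedns`, `-s $PROVDIR/etc/smb.conf` and the `dirname $0` sourcing line, so a build or selftest prefix containing whitespace splits into several words; quote them, e.g. `-s "$PROVDIR/etc/smb.conf"` and `. "$(dirname "$0")/subunit.sh"`. `SERVER`, `REALM`, `PREFIX` and `samba4kinit` are assigned but never used, and the 2006-2007 Jelmer Vernooij copyright line looks copied from another blackbox test rather than describing this file. As the commit message itself says, the five `testit` calls only check exit status; one additional check that the `dns-HOSTNAME` entry exists in secrets.ldb after a BIND9_DLZ conversion would turn this into a regression test for the account-creation logic the series adds.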
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Wed Sep 4 11:25:10 CEST 2013 on sn-devel-104
>
>(cherry picked from commit 38e43961c01f6f491b069e7106fe2a2ec80bd840)
>---
> source4/selftest/tests.py | 2 +-
> source4/torture/dns/dlz_bind9.c | 78 +++++++++++++++++++++++++++++++++++++++
> source4/torture/winbind/winbind.c | 1 +
> 3 files changed, 80 insertions(+), 1 deletion(-)
>
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index f656acd..e738d1d9 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -283,7 +283,7 @@ for t in smbtorture4_testsuites("dns_internal."):
> # Local tests
> for t in smbtorture4_testsuites("dlz_bind9."):
> #The dlz_bind9 tests needs to look at the DNS database
>- plansmbtorture4testsuite(t, "chgdcpass:local", "ncalrpc:localhost")
>+ plansmbtorture4testsuite(t, "chgdcpass:local", ["ncalrpc:$SERVER", '-U$USERNAME%$PASSWORD'])
>
> planpythontestsuite("s3dc", "samba.tests.libsmb_samba_internal");
>
>diff --git a/source4/torture/dns/dlz_bind9.c b/source4/torture/dns/dlz_bind9.c
>index 18d65a3..d7d1736 100644
>--- a/source4/torture/dns/dlz_bind9.c
>+++ b/source4/torture/dns/dlz_bind9.c
>@@ -26,6 +26,9 @@
> #include "dsdb/samdb/samdb.h"
> #include "dsdb/common/util.h"
> #include "auth/session.h"
>+#include "auth/gensec/gensec.h"
>+#include "auth/credentials/credentials.h"
>+#include "lib/cmdline/popt_common.h"
>
> struct torture_context *tctx_static;
>
>@@ -121,7 +124,80 @@ static bool test_dlz_bind9_configure(struct torture_context *tctx)
> return true;
> }
>
>+/*
>+ * Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side
>+ *
>+ */
>+static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech)
>+{
>+ NTSTATUS status;
>+
>+ struct gensec_security *gensec_client_context;
>+
>+ DATA_BLOB client_to_server, server_to_client;
>+
>+ void *dbdata;
>+ const char *argv[] = {
>+ "samba_dlz",
>+ "-H",
>+ lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
>+ NULL
>+ };
>+ tctx_static = tctx;
>+ torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata,
>+ "log", dlz_bind9_log_wrapper,
>+ "writeable_zone", dlz_bind9_writeable_zone_hook, NULL),
>+ ISC_R_SUCCESS,
>+ "Failed to create samba_dlz");
>+
>+ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
>+ ISC_R_SUCCESS,
>+ "Failed to configure samba_dlz");
>+
>+ status = gensec_client_start(tctx, &gensec_client_context,
>+ lpcfg_gensec_settings(tctx, tctx->lp_ctx));
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
>+
>+ status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL));
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
>+
>+ status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
>+
>+ status = gensec_start_mech_by_sasl_name(gensec_client_context, mech);
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
>+
>+ server_to_client = data_blob(NULL, 0);
>+
>+ /* Do one step of the client-server update dance */
>+ status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
>+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
>+ }
>+
>+ torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
>+ lpcfg_dnsdomain(tctx->lp_ctx),
>+ "127.0.0.1", "type", "key",
>+ client_to_server.length,
>+ client_to_server.data,
>+ dbdata),
>+ ISC_R_SUCCESS,
>+ "Failed to check key for update rights samba_dlz");
>
>+ dlz_destroy(dbdata);
>+
>+ return true;
>+}
>+
>+static bool test_dlz_bind9_gssapi(struct torture_context *tctx)
>+{
>+ return test_dlz_bind9_gensec(tctx, "GSSAPI");
>+}
>+
>+static bool test_dlz_bind9_spnego(struct torture_context *tctx)
>+{
>+ return test_dlz_bind9_gensec(tctx, "GSS-SPNEGO");
>+}
>
> static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
> {
>@@ -132,6 +208,8 @@ static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
> torture_suite_add_simple_test(suite, "version", test_dlz_bind9_version);
> torture_suite_add_simple_test(suite, "create", test_dlz_bind9_create);
> torture_suite_add_simple_test(suite, "configure", test_dlz_bind9_configure);
>+ torture_suite_add_simple_test(suite, "gssapi", test_dlz_bind9_gssapi);
>+ torture_suite_add_simple_test(suite, "spnego", test_dlz_bind9_spnego);
> return suite;
> }
>
>diff --git a/source4/torture/winbind/winbind.c b/source4/torture/winbind/winbind.c
>index 5956834..65382a9 100644
>--- a/source4/torture/winbind/winbind.c
>+++ b/source4/torture/winbind/winbind.c
>@@ -201,6 +201,7 @@ static bool torture_winbind_pac(struct torture_context *tctx)
> torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
>
> status = gensec_set_target_hostname(gensec_client_context, cli_credentials_get_workstation(cmdline_credentials));
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
>
> status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
> torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
>--
>1.8.4.rc3
>
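Review bot: The result of `dlz_ssumatch` is compared against `ISC_R_SUCCESS`, but in the BIND DLZ dlopen API that entry point returns an `isc_boolean_t` (`ISC_TRUE` for a permitted update), and `ISC_R_SUCCESS` is 0, the same value as `ISC_FALSE`; if Samba's `dlz_ssumatch` follows that prototype, this assertion passes exactly when the update is rejected, so check the declaration and compare against `ISC_TRUE` instead. An access-control test that only exercises the accepted case also proves little on its own; a second call with a corrupted or truncated token (for instance passing `client_to_server.length - 1`) should be asserted to be rejected. `if (!NT_STATUS_EQUAL(...)) {;` carries a stray semicolon, and `dlz_destroy(dbdata)` is skipped on every `torture_assert_*` early return after `dlz_create`, leaving the DLZ instance and its ldb handle open for the rest of the suite. `test_dlz_bind9_gensec` is complete within this hunk.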
Flags:
metze
:
review+