The branch, master has been updated via a3ef974 s3-rpc_server Remove comment, yes the key is correct. via 77e6716 s3-auth consolidate create_local_token() into make_server_info_krb5() via 841d0bc s3-selftest Remove more instances of /tmp in test_smbclient_s3.sh via 6351dee s3-selftest Add testing of kerberos login via 55134c9 s4-credentials Add a command line hook to set the kerberos credentials cache via ffb6003 s3-selftest Disable log rotation in 'make test' from 513574a talloc - some documentation changes
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit a3ef974d30fd1adcf1a25940c2a2fa7e03fad6a0 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Feb 10 21:40:07 2011 +1100 s3-rpc_server Remove comment, yes the key is correct. Autobuild-User: Andrew Bartlett <abart...@samba.org> Autobuild-Date: Mon Apr 4 13:31:52 CEST 2011 on sn-devel-104 commit 77e67163daaa670ee43ddbc4fd3fd3e8c3c38d49 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Feb 10 21:04:01 2011 +1100 s3-auth consolidate create_local_token() into make_server_info_krb5() This ensures that all callers don't need to each add builtin groups and privileges to the user's token Andrew Bartlett commit 841d0bc9e81dbe56352ac8b12e63e8257963936e Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 4 19:18:47 2011 +1000 s3-selftest Remove more instances of /tmp in test_smbclient_s3.sh commit 6351dee4d810bfa20c3a892d0eba3b2ac828e193 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 4 19:13:17 2011 +1000 s3-selftest Add testing of kerberos login This uses a pre-calculated credentials cache, that should be valid until 2036. Andrew Bartlett commit 55134c9a9e4a47c6a8ed89ef10c95c0fa0d4daaf Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 4 19:11:39 2011 +1000 s4-credentials Add a command line hook to set the kerberos credentials cache This allows this to be specified independent of the KRB5CCNAME environment variable (in this case, it's harder than it should be to set up in the make test for s3 that way). 
Andrew Bartlett commit ffb600330289e59071ffbbb071a7d20afb7ab09f Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 4 09:22:03 2011 +1000 s3-selftest Disable log rotation in 'make test' ----------------------------------------------------------------------- Summary of changes: selftest/target/Samba3.pm | 66 +++++++++++++++++++++++++++++ source3/auth/proto.h | 4 +- source3/auth/user_krb5.c | 12 +++++- source3/rpc_server/dcesrv_gssapi.c | 2 +- source3/rpc_server/srv_pipe.c | 12 ----- source3/script/tests/test_smbclient_s3.sh | 8 ++-- source3/selftest/ktest-krb5_ccache | Bin 0 -> 11966 bytes source3/selftest/ktest-secrets.tdb | Bin 0 -> 45056 bytes source3/selftest/tests.py | 19 +++++++-- source3/smbd/sesssetup.c | 20 +-------- source3/smbd/smb2_sesssetup.c | 22 ++-------- source4/lib/cmdline/popt_credentials.c | 14 ++++++- 12 files changed, 117 insertions(+), 62 deletions(-) create mode 100644 source3/selftest/ktest-krb5_ccache create mode 100644 source3/selftest/ktest-secrets.tdb Changeset truncated at 500 lines: diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 38148eb..de3fffb 100644 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -102,6 +102,8 @@ sub setup_env($$$) return $self->setup_dc("$path/dc"); } elsif ($envname eq "secshare") { return $self->setup_secshare("$path/secshare"); + } elsif ($envname eq "ktest") { + return $self->setup_ktest("$path/ktest"); } elsif ($envname eq "secserver") { if (not defined($self->{vars}->{dc})) { $self->setup_dc("$path/dc"); 
@@ -255,6 +257,69 @@ sub setup_secserver($$$) return $ret; } +sub setup_ktest($$$) +{ + my ($self, $prefix, $dcvars) = @_; + + print "PROVISIONING server with security=ads..."; + + my $ktest_options = " + workgroup = KTEST + realm = ktest.samba.example.com + security = ads + username map = $prefix/lib/username.map +"; + + my $ret = $self->provision($prefix, + "LOCALKTEST6", + 5, + "localktest6pass", + $ktest_options); + + $ret or die("Unable to provision"); + + open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); + print USERMAP " +$ret->{USERNAME} = KTEST\\Administrator +"; + close(USERMAP); + +#This is the secrets.tdb created by 'net ads join' from Samba3 to a +#Samba4 DC with the same parameters as are being used here. The +#domain SID is S-1-5-21-1071277805-689288055-3486227160 + + system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb"); + chmod 0600, "$prefix/private/secrets.tdb"; + +#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with: +# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232" +# +#and having in krb5.conf: +# ticket_lifetime = 799718400 +# renew_lifetime = 799718400 +# +# The commands run were: +# kinit administra...@ktest.samba.example.com +# kvno host/localkte...@ktest.samba.example.com +# kvno cifs/localkte...@ktest.samba.example.com +# kvno host/localkte...@ktest.samba.example.com +# kvno cifs/localkte...@ktest.samba.example.com +# +# This creates a credential cache with a very long lifetime (2036 at at 2011-04) + + $ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache"; + + system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache $prefix/krb5_ccache"); + chmod 0600, "$prefix/krb5_ccache"; + + $self->check_or_start($ret, + ($ENV{SMBD_MAXTIME} or 2700), + "yes", "no", "yes"); + + $self->wait_for_start($ret); + return $ret; +} + sub stop_sig_term($$) { my ($self, 
$pid) = @_; kill("USR1", $pid) or kill("ALRM", $pid) or warn("Unable to kill $pid: $!"); @@ -572,6 +637,7 @@ sub provision($$$$$$) log file = $logdir/log.\%m log level = 0 debug pid = yes + max log size = 0 name resolve order = bcast diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 88cc707..3bf325e 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -264,5 +264,5 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, char *username, struct passwd *pw, struct PAC_LOGON_INFO *logon_info, - bool mapped_to_guest, - struct auth_serversupplied_info **server_info); + bool mapped_to_guest, bool username_was_mapped, + struct auth_serversupplied_info **server_info); diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c index e52149a..1d87cca 100644 --- a/source3/auth/user_krb5.c +++ b/source3/auth/user_krb5.c @@ -185,7 +185,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, char *username, struct passwd *pw, struct PAC_LOGON_INFO *logon_info, - bool mapped_to_guest, + bool mapped_to_guest, bool username_was_mapped, struct auth_serversupplied_info **server_info) { NTSTATUS status; @@ -259,7 +259,17 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, (*server_info)->info3->base.domain.string = talloc_strdup((*server_info)->info3, ntdomain); } + } + + (*server_info)->nss_token |= username_was_mapped; + if (!mapped_to_guest) { + status = create_local_token(*server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("failed to create local token: %s\n", + nt_errstr(status))); + return status; + } } return NT_STATUS_OK; diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c index f60f6ce..a3007e4 100644 --- a/source3/rpc_server/dcesrv_gssapi.c +++ b/source3/rpc_server/dcesrv_gssapi.c 
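Review bot: The two `system("cp ...")` calls in setup_ktest ignore the exit status and pass `$self->{srcdir}` and `$prefix` through a shell unquoted, so a failed copy (or a prefix containing spaces or shell metacharacters) leaves the ktest environment without its secrets.tdb or ccache and only surfaces later as an opaque Kerberos failure. Use the list form and check it: `system("cp", "$self->{srcdir}/source3/selftest/ktest-secrets.tdb", "$prefix/private/secrets.tdb") == 0 or die("Unable to copy secrets.tdb: $?");` and the same for krb5_ccache. Because the hunk's own comment says this secrets.tdb is the output of `net ads join`, the `chmod 0600` after the copy still leaves a window in which the file has umask-default permissions; a `umask 077;` at the top of the sub (or copying with File::Copy under that umask) closes it. The checked-in ktest-secrets.tdb and ktest-krb5_ccache are long-lived credential material for the KTEST realm, so a comment stating that they are test-only fixtures for a fictitious realm and that the cache expires around 2036 would help whoever sees a secret scanner flag them.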
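Review bot: In the failure branch added after `(*server_info)->nss_token |= username_was_mapped;`, `*server_info` is handed back to the caller still pointing at a server_info with no security_token; the callers this commit simplifies (sesssetup.c used to free it explicitly, smb2_sesssetup.c jumps to `fail`) should not touch it, but returning a half-built authentication result on error is a foot-gun. Free it before returning, `TALLOC_FREE(*server_info); return status;`, so no caller can proceed with a token-less session. Note also that the RPC path previously logged this at DEBUG(1) and mapped the status to NT_STATUS_ACCESS_DENIED (the block removed from srv_pipe.c), whereas the consolidated code logs at level 10 and returns create_local_token's status unchanged; if that mapping mattered to RPC clients, dcesrv_gssapi.c now has to do it. make_server_info_krb5 begins and ends outside this hunk, so I cannot see whether the mapped_to_guest path assigns a security_token itself.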
@@ -230,7 +230,7 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx, status = make_server_info_krb5(mem_ctx, ntuser, ntdomain, username, pw, - logon_info, is_guest, server_info); + logon_info, is_guest, is_mapped, server_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", nt_errstr(status))); diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 73a3486..27a7aae 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -738,18 +738,6 @@ static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx, return status; } - if ((*session_info)->security_token == NULL) { - status = create_local_token(*session_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to create local user token (%s)\n", - nt_errstr(status))); - status = NT_STATUS_ACCESS_DENIED; - return status; - } - } - - /* TODO: this is what the ntlmssp code does with the session_key, check - * it is ok with gssapi too */ /* * We're an authenticated bind over smb, so the session key needs to * be set to "SystemLibraryDTC". Weird, but this is what Windows diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh index 30b26a4..972f68f 100755 --- a/source3/script/tests/test_smbclient_s3.sh +++ b/source3/script/tests/test_smbclient_s3.sh @@ -131,7 +131,7 @@ EOF # Test creating a good symlink and deleting it by path. test_good_symlink() { - tmpfile=/tmp/smbclient.in.$$ + tmpfile=$PREFIX/smbclient.in.$$ slink_name="$LOCAL_PATH/slink" slink_target="$LOCAL_PATH/slink_target" @@ -181,7 +181,7 @@ EOF test_read_only_dir() { prompt="NT_STATUS_ACCESS_DENIED making remote directory" - tmpfile=/tmp/smbclient.in.$$ + tmpfile=$PREFIX/smbclient.in.$$ ## ## We can't do this as non-root. We always have rights to 
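Review bot: With the `security_token == NULL` fallback removed from pipe_gssapi_verify_final in this same commit, this call is now the only place that guarantees the RPC session gets a local token, and for the `is_guest` case make_server_info_krb5 skips create_local_token entirely (presumably relying on the guest path to build one, which I cannot see from here). A belt-and-braces check after the existing status test, `if ((*server_info)->security_token == NULL) { return NT_STATUS_ACCESS_DENIED; }`, makes a missing token fail closed instead of surfacing later as a NULL dereference or an unchecked access. gssapi_server_get_user_info starts before this hunk, so the variable names are taken from the visible call.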
@@ -238,7 +238,7 @@ EOF test_owner_only_file() { prompt="NT_STATUS_ACCESS_DENIED opening remote file" - tmpfile=/tmp/smbclient.in.$$ + tmpfile=$PREFIX/smbclient.in.$$ ## ## We can't do this as non-root. We always have rights to @@ -294,7 +294,7 @@ EOF # Test accessing an msdfs path. test_msdfs_link() { - tmpfile=/tmp/smbclient.in.$$ + tmpfile=$PREFIX/smbclient.in.$$ prompt=" msdfs-target " cat > $tmpfile <<EOF diff --git a/source3/selftest/ktest-krb5_ccache b/source3/selftest/ktest-krb5_ccache new file mode 100644 index 0000000..1510222 Binary files /dev/null and b/source3/selftest/ktest-krb5_ccache differ diff --git a/source3/selftest/ktest-secrets.tdb b/source3/selftest/ktest-secrets.tdb new file mode 100644 index 0000000..c09c315 Binary files /dev/null and b/source3/selftest/ktest-secrets.tdb differ diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 9ddb164..826b84f 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
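Review bot: `tmpfile=$PREFIX/smbclient.in.$$` in test_msdfs_link (and the three sibling hunks) silently degrades to `/smbclient.in.<pid>` if PREFIX is unset or empty, which is exactly the kind of predictable, shared-location path the move away from /tmp was meant to avoid; `tmpfile="${PREFIX:?PREFIX must be set}/smbclient.in.$$"` fails fast instead and also survives a PREFIX containing spaces. The hunk does not show an `rm` for the temp file or a `trap` on exit, so if the function bails out early the file is presumably left behind; a cleanup line near the existing `cat > $tmpfile <<EOF` would be worth adding. test_msdfs_link continues past the end of this hunk.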
@@ -207,12 +207,23 @@ if sub.returncode == 0: smb_options = ["", ",smb2"] endianness_options = ["", ",bigendian"] for z in smb_options: - for e in endianness_options: - for a in auth_options: - for s in signseal_options: - binding_string = "ncacn_np:$SERVER_IP[%s%s%s%s]" % (a, s, z, e) + for s in signseal_options: + for e in endianness_options: + for a in auth_options: + binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e) options = binding_string + " -U$USERNAME%$PASSWORD" plansmbtorturetestsuite(test, "dc", options, 'over ncacn_np with [%s%s%s%s] ' % (a, s, z, e)) + + # We should try more combinations in future, but this is all + # the pre-calculated credentials cache supports at the moment + e = "" + a = "" + binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e) + options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache" + plansmbtorturetestsuite(test, "ktest", options, 'over kerberos ncacn_np with [%s%s%s%s] ' % (a, s, z, e)) + + + for e in endianness_options: for a in auth_options: for s in signseal_options: diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index c5d44c6..57b0b68 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -372,6 +372,7 @@ static void reply_spnego_kerberos(struct smb_request *req, ret = make_server_info_krb5(mem_ctx, user, domain, real_username, pw, logon_info, map_domainuser_to_guest, + username_was_mapped, &server_info); if (!NT_STATUS_IS_OK(ret)) { DEBUG(1, ("make_server_info_krb5 failed!\n")); 
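Review bot: The binding string for the existing ncacn_np runs changes from `$SERVER_IP` to `$SERVER` with no comment, and since the Kerberos run needs a target name that matches the `cifs/localktest6` ticket in the pre-built cache, a line such as `# use the hostname, not the IP: the kerberos variant below needs a name matching the service ticket SPN` would explain why the non-Kerberos runs changed too. The ccache path `$PREFIX/ktest/krb5_ccache` is duplicated from setup_ktest in Samba3.pm, which places the same path in the environment hash as `KRB5_CCACHE`; if the harness substitutes that variable, `--krb5-ccache=$KRB5_CCACHE` keeps the two from drifting apart. The `We should try more combinations` comment could also record that the cache expires around 2036 so the eventual failure is diagnosable.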
@@ -382,25 +383,6 @@ static void reply_spnego_kerberos(struct smb_request *req, return; } - server_info->nss_token |= username_was_mapped; - - /* we need to build the token for the user. make_server_info_guest() - already does this */ - - if ( !server_info->security_token ) { - ret = create_local_token( server_info ); - if ( !NT_STATUS_IS_OK(ret) ) { - DEBUG(10,("failed to create local token: %s\n", - nt_errstr(ret))); - data_blob_free(&ap_rep); - data_blob_free(&session_key); - TALLOC_FREE( mem_ctx ); - TALLOC_FREE( server_info ); - reply_nterror(req, nt_status_squash(ret)); - return; - } - } - if (!is_partial_auth_vuid(sconn, sess_vuid)) { sess_vuid = register_initial_vuid(sconn); } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 6649cfb..3668ab8 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -237,29 +237,15 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true); status = make_server_info_krb5(session, - user, domain, real_username, pw, - logon_info, map_domainuser_to_guest, - &session->session_info); + user, domain, real_username, pw, + logon_info, map_domainuser_to_guest, + username_was_mapped, + &session->session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("smb2: make_server_info_krb5 failed\n")); goto fail; } - - session->session_info->nss_token |= username_was_mapped; - - /* we need to build the token for the user. make_session_info_guest() - already does this */ - - if (!session->session_info->security_token ) { - status = create_local_token(session->session_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("smb2: failed to create local token: %s\n", - nt_errstr(status))); - goto fail; - } - } - if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) || lp_server_signing() == Required) { session->do_signing = true; 
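Review bot: The removed block was the code that freed `ap_rep`, `session_key`, `mem_ctx` and `server_info` and replied with `nt_status_squash(ret)` when token creation failed; now that create_local_token runs inside make_server_info_krb5, the `make_server_info_krb5 failed!` path in the previous hunk must perform that same cleanup and squash, or the consolidation trades a handled failure for leaked blobs and a verbose error code sent to the client. I cannot see that path's body from here, so please confirm it frees the same four objects and squashes the status before replying. reply_spnego_kerberos begins and ends outside this hunk.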
diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c index 11f4036..6dcef3f 100644 --- a/source4/lib/cmdline/popt_credentials.c +++ b/source4/lib/cmdline/popt_credentials.c @@ -34,12 +34,13 @@ * -P,--machine-pass * --simple-bind-dn * --password + * --krb5-ccache */ static bool dont_ask; static bool machine_account_pending; -enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_SIGN, OPT_ENCRYPT }; +enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_SIGN, OPT_ENCRYPT, OPT_KRB5_CCACHE }; /* disable asking for a password @@ -130,6 +131,16 @@ static void popt_common_credentials_callback(poptContext con, cli_credentials_set_bind_dn(cmdline_credentials, arg); break; } + case OPT_KRB5_CCACHE: + { + const char *error_string; + if (cli_credentials_set_ccache(cmdline_credentials, cmdline_lp_ctx, arg, CRED_SPECIFIED, + &error_string) != 0) { + fprintf(stderr, "Error reading krb5 credentials cache: '%s' %s", arg, error_string); + exit(1); + } + break; + } case OPT_SIGN: { uint32_t gensec_features; @@ -166,6 +177,7 @@ struct poptOption popt_common_credentials[] = { { "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" }, { "simple-bind-dn", 0, POPT_ARG_STRING, NULL, OPT_SIMPLE_BIND_DN, "DN to use for a simple bind" }, { "kerberos", 'k', POPT_ARG_STRING, NULL, OPT_KERBEROS, "Use Kerberos, -k [yes|no]" }, + { "krb5-ccache", 0, POPT_ARG_STRING, NULL, OPT_KRB5_CCACHE, "Credentials cache location for Kerberos" }, { "sign", 'S', POPT_ARG_NONE, NULL, OPT_SIGN, "Sign connection to prevent modification in transit" }, { "encrypt", 'e', POPT_ARG_NONE, NULL, OPT_ENCRYPT, "Encrypt connection for privacy" }, { NULL } -- Samba Shared Repository
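Review bot: In the new `OPT_KRB5_CCACHE` case `error_string` is declared uninitialized and printed unconditionally, which reads an indeterminate pointer if cli_credentials_set_ccache returns non-zero without setting it (its contract is not visible here), and the `fprintf` has no trailing newline. Initialise and guard it: `const char *error_string = NULL;` and `fprintf(stderr, "Error reading krb5 credentials cache '%s': %s\n", arg, error_string ? error_string : "unknown error");`. Calling `exit(1)` from inside the popt callback matches the surrounding cases, so no objection there. popt_common_credentials_callback starts before this hunk.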