The branch, master has been updated via c664859 selftest: Test auth_wbc, the auth4 winbind and winbind_wbclient modules using pdbtest via 6c37cd6 auth: Allow auth_samba4 to be forced to run a specific auth module via 66c099c selftest: Run pdbtest under valgrind if specified via 1e9750a nsswitch: Fix the check for the privileged pipe. from accb76b add FSCTL_SET_ZERO_ON_DEALLOCATION define
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit c664859a128ea7bbc05ac59a6b8384638e8cea4a Author: Andrew Bartlett <abart...@samba.org> Date: Fri May 16 14:30:43 2014 +1200 selftest: Test auth_wbc, the auth4 winbind and winbind_wbclient modules using pdbtest This ensures these authentication modules continue to operate correctly, and that the results are consistent. Andrew Bartlett Change-Id: I7f63cd93e55c6f73ceeafb14f1dc265291791803 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Fri May 16 12:50:44 CEST 2014 on sn-devel-104 commit 6c37cd65445f3acf4f41f375017ae7f5f1e34bde Author: Andrew Bartlett <abart...@samba.org> Date: Fri May 16 14:29:43 2014 +1200 auth: Allow auth_samba4 to be forced to run a specific auth module This will allow new tests to be written to validate winbindd authentication results Andrew Bartlett Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 66c099cc58e3140d08ef0890550c647e51a4a641 Author: Andrew Bartlett <abart...@samba.org> Date: Wed May 14 19:26:00 2014 +1200 selftest: Run pdbtest under valgrind if specified Change-Id: I21e169ba563551e13c46f07f86205625ad166c64 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Reviewed-by: Volker Lendecke <volker.lende...@sernet.de> commit 1e9750a8324898f7182a0f7101f7cce4932f542b Author: Andreas Schneider <a...@samba.org> Date: Fri May 16 09:50:42 2014 +0200 nsswitch: Fix the check for the privileged pipe. Change-Id: I8f23ecc8444c3b25d5be2a7fdbf51ba7fe4a5ed9 
Signed-off-by: Andreas Schneider <a...@samba.org> Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: nsswitch/wb_common.c | 36 ++++++++++++++++--------------- selftest/target/Samba3.pm | 8 ++++-- selftest/target/Samba4.pm | 3 ++ source3/auth/auth_generic.c | 4 +- source3/auth/auth_samba4.c | 35 ++++++++++++++++++++++-------- source3/include/auth.h | 9 ++++++- source4/auth/auth.h | 2 +- source4/auth/ntlm/auth.c | 2 +- source4/selftest/tests.py | 6 ++++- testprogs/blackbox/test_pdbtest.sh | 41 ++++++++++++++++++----------------- 10 files changed, 89 insertions(+), 57 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c index b34ab33..44bfaf4 100644 --- a/nsswitch/wb_common.c +++ b/nsswitch/wb_common.c @@ -171,30 +171,26 @@ static int make_safe_fd(int fd) /** * @internal * - * @brief Check if we have priviliged access. + * @brief Check if we talk to the priviliged pipe which should be owned by root. * - * This checks if we have uid_wrapper running and if yes turns it of so that we - * can check if we have access. + * This checks if we have uid_wrapper running and if this is the case it will + * allow to connect to the winbind privileged pipe even it is not owned by root. * - * @param[in] uid The uid to compare if we have access. + * @param[in] uid The uid to check if we can safely talk to the pipe. * * @return If we have access it returns true, else false. */ -static bool winbind_privileged_access(uid_t uid) +static bool winbind_privileged_pipe_is_root(uid_t uid) { - uid_t euid; - - if (uid_wrapper_enabled()) { - setenv("UID_WRAPPER_MYUID", "1", 1); + if (uid == 0) { + return true; } - euid = geteuid(); - if (uid_wrapper_enabled()) { - unsetenv("UID_WRAPPER_MYUID"); + return true; } - return (uid == euid); + return false; } /* Connect to winbindd socket */ 
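Review bot: `winbind_privileged_pipe_is_root` now returns true for any owner as soon as `uid_wrapper_enabled()` is set, so under uid_wrapper the ownership check guarding the socket that will receive passwords is skipped outright, where the removed code still required `uid == euid` (with uid_wrapper told via UID_WRAPPER_MYUID to report the real euid). Whether that matters outside selftest depends on how uid_wrapper_enabled() is decided, which is not visible here; if it can be switched on from the environment of a production process, an unprivileged user could make a client accept a socket they own, so please confirm it is a build/preload-time condition and say in the comment why the comparison was dropped. A narrower relaxation would keep the comparison and only substitute the real uid for the wrapped one, e.g. `return (uid == euid);` after obtaining `euid` the way the removed code did. The new doc comment also needs touch-ups: "priviliged" in the `@brief`, "even it is not owned by root" should read "even if it is not owned by root", and `@return If we have access` no longer describes what is returned.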
@@ -215,9 +211,12 @@ static int winbind_named_pipe_sock(const char *dir) return -1; } - /* This tells uid_wrapper to return the userid for the geteuid check */ + /* + * This tells us that the pipe is owned by a privileged + * process, as we will be sending passwords to it. + */ if (!S_ISDIR(st.st_mode) || - !winbind_privileged_access(st.st_uid)) { + !winbind_privileged_pipe_is_root(st.st_uid)) { errno = ENOENT; return -1; } @@ -245,9 +244,12 @@ static int winbind_named_pipe_sock(const char *dir) SAFE_FREE(path); /* Check permissions on unix socket file */ - /* This tells uid_wrapper to return the userid for the geteuid check */ + /* + * This tells us that the pipe is owned by a privileged + * process, as we will be sending passwords to it. + */ if (!S_ISSOCK(st.st_mode) || - !winbind_privileged_access(st.st_uid)) { + !winbind_privileged_pipe_is_root(st.st_uid)) { errno = ENOENT; return -1; } diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 9606d5b..489fec1 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -935,10 +935,10 @@ sub provision($$$$$$) ## my ($max_uid, $max_gid); - my ($uid_nobody, $uid_root, $uid_pdbtest); + my ($uid_nobody, $uid_root, $uid_pdbtest, $uid_pdbtest2); my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins); - if ($unix_uid < 0xffff - 2) { + if ($unix_uid < 0xffff - 4) { $max_uid = 0xffff; } else { $max_uid = $unix_uid; @@ -947,8 +947,9 @@ sub provision($$$$$$) $uid_root = $max_uid - 1; $uid_nobody = $max_uid - 2; $uid_pdbtest = $max_uid - 3; + $uid_pdbtest2 = $max_uid - 4; - if ($unix_gids[0] < 0xffff - 3) { + if ($unix_gids[0] < 0xffff - 5) { $max_gid = 0xffff; } else { $max_gid = $unix_gids[0]; 
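Review bot: The comment added above the first check says "the pipe is owned by a privileged process", but what is inspected there is `st` from the stat of the directory (the `S_ISDIR` test), presumably `dir`; the socket itself is only checked in the second hunk. I would word it `/* The privileged pipe directory must be root-owned (any owner is accepted under uid_wrapper): the socket inside it will receive passwords. */` so the two checks are not confused with each other. winbind_named_pipe_sock's body continues outside the hunk.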
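Review bot: The socket owner check at `!winbind_privileged_pipe_is_root(st.st_uid)` is made on a stat() of the path taken before the connection is established, so the verdict can go stale if the socket is replaced in between; anyone able to create a socket under that path at the right moment wins the race and receives the password sent afterwards. The decisive check should be on the connected socket: where the platform offers it, query the peer credentials after the connect() that presumably follows outside this hunk and refuse the connection if the peer uid is not one this function accepts (SO_PEERCRED on Linux, getpeereid() on the BSDs). Reporting the refusal as `errno = ENOENT` also makes a wrong-owner socket indistinguishable from a missing one; `EACCES` would be more accurate unless callers rely on ENOENT to fall back to the unprivileged pipe, which I cannot see from here. The rest of winbind_named_pipe_sock is outside the hunk.
```c
/* … unchanged: socket creation and connect() to the path under dir — outside this hunk … */
#ifdef SO_PEERCRED
/* fd is the socket just connected; the peer must be the same owner the stat() check accepted */
struct ucred peer;
socklen_t peerlen = sizeof(peer);
if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &peer, &peerlen) != 0 ||
    !winbind_privileged_pipe_is_root(peer.uid)) {
	close(fd);
	errno = EACCES;
	return -1;
}
#endif
```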
@@ -1180,6 +1181,7 @@ sub provision($$$$$$) print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false +pdbtest2:x:$uid_pdbtest2:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false "; if ($unix_uid != 0) { print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 15fb5d2..4e7cbd5 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -679,6 +679,9 @@ root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false $ctx->{unix_name}:x:$ctx->{unix_uid}:100:$ctx->{unix_name} gecos:$ctx->{prefix_abs}:/bin/false nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false pdbtest:x:65533:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false +pdbtest2:x:65532:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false +pdbtest3:x:65531:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false +pdbtest4:x:65530:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false "; close(PWD); my $uid_rfc2307test = 65533; diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index e1c6475..05c4ddc 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -163,7 +163,7 @@ NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_co } if (auth_context->make_auth4_context) { - nt_status = auth_context->make_auth4_context(mem_ctx, auth4_context_out); + nt_status = auth_context->make_auth4_context(auth_context, mem_ctx, auth4_context_out); TALLOC_FREE(tmp_ctx); return nt_status; @@ -197,7 +197,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, } if (auth_context->prepare_gensec) { - nt_status = auth_context->prepare_gensec(tmp_ctx, + nt_status = auth_context->prepare_gensec(auth_context, tmp_ctx, &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(tmp_ctx); 
diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c index fcc4c28..d9d7151 100644 --- a/source3/auth/auth_samba4.c +++ b/source3/auth/auth_samba4.c @@ -31,7 +31,8 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -static NTSTATUS make_auth4_context_s4(TALLOC_CTX *mem_ctx, +static NTSTATUS make_auth4_context_s4(const struct auth_context *auth_context, + TALLOC_CTX *mem_ctx, struct auth4_context **auth4_context); static struct idr_context *task_id_tree; @@ -111,7 +112,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, struct auth_user_info_dc *user_info_dc; struct auth4_context *auth4_context; - nt_status = make_auth4_context_s4(mem_ctx, &auth4_context); + nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(frame); goto done; @@ -178,7 +179,8 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, * token is generated and used in the SMB and LDAP servers, for NTLM * and for Kerberos. */ -static NTSTATUS prepare_gensec(TALLOC_CTX *mem_ctx, +static NTSTATUS prepare_gensec(struct auth_context *auth_context, + TALLOC_CTX *mem_ctx, struct gensec_security **gensec_context) { NTSTATUS status; @@ -270,7 +272,8 @@ static NTSTATUS prepare_gensec(TALLOC_CTX *mem_ctx, * consistency between NTLM logins and NTLMSSP logins, as NTLMSSP is * handled by the hook above. */ -static NTSTATUS make_auth4_context_s4(TALLOC_CTX *mem_ctx, +static NTSTATUS make_auth4_context_s4(const struct auth_context *auth_context, + TALLOC_CTX *mem_ctx, struct auth4_context **auth4_context) { NTSTATUS status; 
@@ -311,12 +314,17 @@ static NTSTATUS make_auth4_context_s4(TALLOC_CTX *mem_ctx, } talloc_reparent(frame, msg_ctx, server_id); - status = auth_context_create(mem_ctx, - event_ctx, - msg_ctx, - lp_ctx, - auth4_context); - + /* Allow forcing a specific auth4 module */ + if (!auth_context->forced_samba4_methods) { + status = auth_context_create(mem_ctx, + event_ctx, + msg_ctx, + lp_ctx, + auth4_context); + } else { + const char * const *forced_auth_methods = (const char * const *)str_list_make(mem_ctx, auth_context->forced_samba4_methods, NULL); + status = auth_context_create_methods(mem_ctx, forced_auth_methods, event_ctx, msg_ctx, lp_ctx, NULL, auth4_context); + } if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start auth server code: %s\n", nt_errstr(status))); TALLOC_FREE(frame); @@ -349,6 +357,13 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context, result->prepare_gensec = prepare_gensec; result->make_auth4_context = make_auth4_context_s4; + if (param && *param) { + auth_context->forced_samba4_methods = talloc_strdup(result, param); + if (!auth_context->forced_samba4_methods) { + return NT_STATUS_NO_MEMORY; + } + } + *auth_method = result; return NT_STATUS_OK; } diff --git a/source3/include/auth.h b/source3/include/auth.h index 07f8b9e..acae5a8 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -66,10 +66,14 @@ struct auth_serversupplied_info { char *unix_name; }; -typedef NTSTATUS (*prepare_gensec_fn)(TALLOC_CTX *mem_ctx, +struct auth_context; + +typedef NTSTATUS (*prepare_gensec_fn)(const struct auth_context *auth_context, + TALLOC_CTX *mem_ctx, struct gensec_security **gensec_context); -typedef NTSTATUS (*make_auth4_context_fn)(TALLOC_CTX *mem_ctx, +typedef NTSTATUS (*make_auth4_context_fn)(const struct auth_context *auth_context, + TALLOC_CTX *mem_ctx, struct auth4_context **auth4_context); struct auth_context { 
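Review bot: The forced-methods branch passes the result of `str_list_make(mem_ctx, auth_context->forced_samba4_methods, NULL)` straight into auth_context_create_methods without a NULL check, unlike the other allocations in this function, so an allocation failure becomes whatever auth_context_create_methods does with a NULL list (not visible here). Guard it with `if (forced_auth_methods == NULL) { status = NT_STATUS_NO_MEMORY; } else { status = auth_context_create_methods(mem_ctx, forced_auth_methods, event_ctx, msg_ctx, lp_ctx, NULL, auth4_context); }` so the existing `!NT_STATUS_IS_OK(status)` path frees `frame`. The list is also allocated on the caller's `mem_ctx` although it is only needed for the call; allocating it on `frame` would keep it from outliving its use, unless auth_context_create_methods keeps a reference, which I cannot see. Splitting the 150-character declaration over several lines would match the surrounding style.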
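Review bot: `auth_context->forced_samba4_methods` is stored on the shared auth_context, but the string is talloc'd under `result`, the per-module auth_methods object; if the two can have different lifetimes the pointer dangles, and a second `samba4:` entry in `auth methods` silently overwrites the first without freeing it. `talloc_strdup(auth_context, param)` ties the string to the object that holds the pointer, and a `if (auth_context->forced_samba4_methods != NULL) { return NT_STATUS_INVALID_PARAMETER; }` (or a debug message) before the assignment would make the duplicate case visible. I cannot see how `result` is parented, so the lifetime concern is hedged; the overwrite is visible in the hunk.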
@@ -83,6 +87,7 @@ struct auth_context { prepare_gensec_fn prepare_gensec; make_auth4_context_fn make_auth4_context; + const char *forced_samba4_methods; }; typedef struct auth_methods diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 129f58d..0b6b1d3 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -130,7 +130,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, struct loadparm_context *lp_ctx, struct auth_session_info **_session_info) ; -NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, +NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char * const *methods, struct tevent_context *ev, struct imessaging_context *msg, struct loadparm_context *lp_ctx, diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index 16c9666..642d868 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -520,7 +520,7 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx, Make a auth_info struct for the auth subsystem - Allow the caller to specify the methods to use, including optionally the SAM to use ***************************************************************************/ -_PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, +_PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char * const *methods, struct tevent_context *ev, struct imessaging_context *msg, struct loadparm_context *lp_ctx, diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 4bf02f3..5837322 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
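Review bot: The new `forced_samba4_methods` member of struct auth_context is undocumented, and its only reader is in a different file, so a maintainer of this header cannot tell what it holds or who sets it. I would add `/* Optional auth4 method list (parsed with str_list_make) that the auth_samba4 module is configured to force instead of the default set; NULL means use auth_context_create(). */` above the field, matching the visible behaviour in auth_samba4.c. Who owns the string, and whether it may be set more than once, should be stated there as well once decided.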
@@ -167,7 +167,11 @@ for env in ["dc", "s3dc"]: "-k no --option=usespnego=no"]: name = "rpc.lsa.secrets on %s with with %s" % (transport, ntlmoptions) plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport), ntlmoptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.%s" % name) - plantestsuite("samba.blackbox.pdbtest", "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", smbclient4, '$SMB_CONF_PATH', configuration]) + plantestsuite("samba.blackbox.pdbtest(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest", smbclient4, '$SMB_CONF_PATH', configuration]) + plantestsuite("samba.blackbox.pdbtest.winbind(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest2", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=wbc'"]) + +plantestsuite("samba.blackbox.pdbtest.s4winbind(dc)", "dc:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest3", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=samba4:winbind'"]) +plantestsuite("samba.blackbox.pdbtest.s4winbind_wbclient(dc)", "dc:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest4", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=samba4:winbind_wbclient'"]) transports = ["ncacn_np", "ncacn_ip_tcp"] diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh index af822f9..05314dd 100755 --- a/testprogs/blackbox/test_pdbtest.sh +++ b/testprogs/blackbox/test_pdbtest.sh @@ -5,16 +5,17 @@ if [ $# -lt 2 ]; then cat <<EOF -Usage: test_pdbtest.sh SERVER PREFIX SMBCLIENT SMB_CONF +Usage: test_pdbtest.sh SERVER PREFIX USER SMBCLIENT SMB_CONF EOF exit 1; fi SERVER=$1 PREFIX=$2 -smbclient=$3 -SMB_CONF=$4 -shift 4 +USER=$3 +smbclient=$4 +SMB_CONF=$5 +shift 5 failed=0 samba4bindir="$BINDIR" 
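Review bot: The argument-count guard shown in the hunk header, `if [ $# -lt 2 ]; then`, is outside the hunk and was not updated: the script now reads `$5` and does `shift 5`, so an invocation with two to four arguments passes the guard and then dies on the shift rather than printing the usage. Change it to `if [ $# -lt 5 ]; then` alongside the new usage text. A point of style: `USER` is normally exported by the login shell, so `USER=$3` also changes what every child process sees, and Samba's tools may consult USER for a default user name; harmless here because every command passes `-U`, but a name like `PDBTEST_USER` would avoid the surprise.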
@@ -45,7 +46,7 @@ test_smbclient() { UID_WRAPPER_ROOT=1 export UID_WRAPPER_ROOT -testit "pdbtest" $BINDIR/pdbtest -u pdbtest || failed=`expr $failed + 1` +testit "pdbtest" $VALGRIND $BINDIR/pdbtest -u $USER $@ || failed=`expr $failed + 1` NEWUSERPASS=testPaSS@01% @@ -57,14 +58,14 @@ expect retype new password: send ${NEWUSERPASS}\n EOF -testit "create user with pdbedit" $rkpty ./tmpsmbpasswdscript $VALGRIND $pdbedit -a pdbtest --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1` +testit "create user with pdbedit" $rkpty ./tmpsmbpasswdscript $VALGRIND $pdbedit -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1` USERPASS=$NEWUSERPASS -test_smbclient "Test login with user (ntlm)" 'ls' -k no -Updbtest%$NEWUSERPASS $@ || failed=`expr $failed + 1` +test_smbclient "Test login with user (ntlm)" 'ls' -k no -U$USER%$NEWUSERPASS $@ || failed=`expr $failed + 1` -testit "modify user" $VALGRIND $pdbedit --modify pdbtest --drive="D:" $@ || failed=`expr $failed + 1` +testit "modify user" $VALGRIND $pdbedit --modify $USER --drive="D:" $@ || failed=`expr $failed + 1` -test_smbclient "Test login with user (ntlm)" 'ls' -k no -Updbtest%$NEWUSERPASS $@|| failed=`expr $failed + 1` +test_smbclient "Test login with user (ntlm)" 'ls' -k no -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1` NEWUSERPASS=testPaSS@02% 
@@ -76,28 +77,28 @@ expect Retype new SMB password: send ${NEWUSERPASS}\n EOF -testit "set user password with smbpasswd" $rkpty ./tmpsmbpasswdscript $smbpasswd -L pdbtest -c $SMB_CONF || failed=`expr $failed + 1` +testit "set user password with smbpasswd" $rkpty ./tmpsmbpasswdscript $smbpasswd -L $USER -c $SMB_CONF || failed=`expr $failed + 1` USERPASS=$NEWUSERPASS -test_smbclient "Test login with user (ntlm)" 'ls' -k no -Updbtest%$NEWUSERPASS $@|| failed=`expr $failed + 1` +test_smbclient "Test login with user (ntlm)" 'ls' -k no -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1` -testit "modify user - disabled" $VALGRIND $net sam set disabled pdbtest yes $@ || failed=`expr $failed + 1` +testit "modify user - disabled" $VALGRIND $net sam set disabled $USER yes $@ || failed=`expr $failed + 1` -testit_expect_failure "Test login with disabled suer" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k no -Updbtest@%$USERPASS && failed=`expr $failed + 1` +testit_expect_failure "Test login with disabled suer" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k no -U$USER@%$USERPASS && failed=`expr $failed + 1` -testit "modify user - enabled" $VALGRIND $net sam set disabled pdbtest no $@ || failed=`expr $failed + 1` +testit "modify user - enabled" $VALGRIND $net sam set disabled $USER no $@ || failed=`expr $failed + 1` -test_smbclient "Test login with re-enabled user (ntlm)" 'ls' -k no -Updbtest%$NEWUSERPASS || failed=`expr $failed + 1` +test_smbclient "Test login with re-enabled user (ntlm)" 'ls' -k no -U$USER%$NEWUSERPASS || failed=`expr $failed + 1` -testit "modify user - must change password now" $VALGRIND $net sam set pwdmustchangenow pdbtest yes $@ || failed=`expr $failed + 1` +testit "modify user - must change password now" $VALGRIND $net sam set pwdmustchangenow $USER yes $@ || failed=`expr $failed + 1` -testit_expect_failure "Test login with expired password" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k no -Updbtest@%$USERPASS && failed=`expr $failed + 1` 
+testit_expect_failure "Test login with expired password" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k no -U$USER@%$USERPASS && failed=`expr $failed + 1` -testit "modify user - disable password expiry" $VALGRIND $net sam set pwnoexp pdbtest yes $@ || failed=`expr $failed + 1` +testit "modify user - disable password expiry" $VALGRIND $net sam set pwnoexp $USER yes $@ || failed=`expr $failed + 1` -test_smbclient "Test login with no expiry (ntlm)" 'ls' -k no -Updbtest%$NEWUSERPASS || failed=`expr $failed + 1` +test_smbclient "Test login with no expiry (ntlm)" 'ls' -k no -U$USER%$NEWUSERPASS || failed=`expr $failed + 1` -testit "del user" $VALGRIND $pdbedit -x pdbtest $@ || failed=`expr $failed + 1` +testit "del user" $VALGRIND $pdbedit -x $USER $@ || failed=`expr $failed + 1` rm ./tmpsmbpasswdscript -- Samba Shared Repository
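Review bot: Both negative logins in this hunk (`Test login with disabled suer`, `Test login with expired password`) use `-U$USER@%$USERPASS`, while every positive login uses `-U$USER%$NEWUSERPASS`; if the trailing `@` alone makes the account name fail to resolve, these tests fail for the wrong reason and still count as passing, so the disabled and must-change-password states would not actually be exercised. I would make the negative cases identical to the positive ones except for the account state, i.e. `-U$USER%$USERPASS`, or add a comment saying why the `@` is needed. The test name also still reads "suer" for "user".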