The branch, master has been updated via fb0d624 torture:smb2: improve torture_comments in connect test via 78d7b23 torture:smb2: fix memory leak in connect test. via 4d9484e torture:smb2: rewrite connect test to use torture_asserts for create errors via 358c09b torture:smb2: rewrite connect test to use torture_asserts via def483c winbindd: move a variable into scope via b3931af s3-kerberos: avoid entering a password change dialogue also when using MIT. from f6f43c4 winbind: Remove unused WINBINDD_UID_TO_SID
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit fb0d6244278baa97c35101480b18640796f86bf1 Author: Michael Adam <ob...@samba.org> Date: Tue Feb 23 00:27:11 2016 +0100 torture:smb2: improve torture_comments in connect test Signed-off-by: Michael Adam <ob...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Tue Feb 23 04:50:53 CET 2016 on sn-devel-144 commit 78d7b23f2f55ebdc3ed2a2abdd68a294a8ef99f7 Author: Michael Adam <ob...@samba.org> Date: Mon Feb 22 23:23:13 2016 +0100 torture:smb2: fix memory leak in connect test. Signed-off-by: Michael Adam <ob...@samba.org> commit 4d9484e7c40cb3c3517538348fda521dafcd2f9a Author: Michael Adam <ob...@samba.org> Date: Mon Feb 22 16:22:14 2016 +0100 torture:smb2: rewrite connect test to use torture_asserts for create errors let torture_smb2_createfile propagate errors Signed-off-by: Michael Adam <ob...@samba.org> commit 358c09b899f62b6f9ac9693b9101639c0cde8d3f Author: Michael Adam <ob...@samba.org> Date: Mon Feb 22 14:32:44 2016 +0100 torture:smb2: rewrite connect test to use torture_asserts Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit def483c81536be8bf49f27c536fb37bef3e0930e Author: Michael Adam <ob...@samba.org> Date: Mon Feb 22 15:18:26 2016 +0100 winbindd: move a variable into scope 
Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit b3931af2df293a9cb75f21cdb5555fb6725dff34 Author: Günther Deschner <g...@samba.org> Date: Mon Feb 15 12:58:07 2016 +0100 s3-kerberos: avoid entering a password change dialogue also when using MIT. Without this fix, for accounts with an expired password, a password change process is initiated and - due to the prompter - this fails with a confusing error message: "kerberos_kinit_password administra...@w2k12dom.ber.redhat.com failed: Password mismatch Failed to join domain: failed to connect to AD: Password mismatch" Guenther Signed-off-by: Guenther Deschner <g...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/libads/kerberos.c | 59 +++++++++++++++----------- source3/winbindd/winbindd_misc.c | 2 +- source4/torture/smb2/connect.c | 89 ++++++++++++++++------------------------ wscript_configure_system_mitkrb5 | 1 + 4 files changed, 73 insertions(+), 78 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 9a7a1e7..4774a9f 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c 
@@ -47,33 +47,44 @@ kerb_prompter(krb5_context ctx, void *data, krb5_prompt prompts[]) { if (num_prompts == 0) return 0; -#if HAVE_KRB5_PROMPT_TYPE - - /* - * only heimdal has a prompt type and we need to deal with it here to - * avoid loops. - * - * removing the prompter completely is not an option as at least these - * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal - * version have looping detection and return with a proper error code. - */ - - if ((num_prompts == 2) && - (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) && - (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) { + if (num_prompts == 2) { /* - * We don't want to change passwords here. We're - * called from heimal when the KDC returns - * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't - * have the chance to ask the user for a new - * password. If we return 0 (i.e. success), we will be - * spinning in the endless for-loop in - * change_password() in - * source4/heimdal/lib/krb5/init_creds_pw.c:526ff + * only heimdal has a prompt type and we need to deal with it here to + * avoid loops. + * + * removing the prompter completely is not an option as at least these + * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal + * version have looping detection and return with a proper error code. */ - return KRB5KDC_ERR_KEY_EXPIRED; + +#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */ + if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD && + prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { + /* + * We don't want to change passwords here. We're + * called from heimal when the KDC returns + * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't + * have the chance to ask the user for a new + * password. If we return 0 (i.e. 
success), we will be + * spinning in the endless for-loop in + * change_password() in + * source4/heimdal/lib/krb5/init_creds_pw.c:526ff + */ + return KRB5KDC_ERR_KEY_EXPIRED; + } +#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */ + krb5_prompt_type *prompt_types = NULL; + + prompt_types = krb5_get_prompt_types(ctx); + if (prompt_types != NULL) { + if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD && + prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { + return KRB5KDC_ERR_KEY_EXP; + } + } +#endif } -#endif /* HAVE_KRB5_PROMPT_TYPE */ + memset(prompts[0].reply->data, '\0', prompts[0].reply->length); if (prompts[0].reply->length > 0) { if (data) { diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c index 29831aa..3e024c9 100644 --- a/source3/winbindd/winbindd_misc.c +++ b/source3/winbindd/winbindd_misc.c @@ -88,7 +88,6 @@ static bool trust_is_transitive(struct winbindd_tdc_domain *domain) void winbindd_list_trusted_domains(struct winbindd_cli_state *state) { struct winbindd_tdc_domain *dom_list = NULL; - struct winbindd_tdc_domain *d = NULL; size_t num_domains = 0; int extra_data_len = 0; char *extra_data = NULL; @@ -111,6 +110,7 @@ void winbindd_list_trusted_domains(struct winbindd_cli_state *state) for ( i = 0; i < num_domains; i++ ) { struct winbindd_domain *domain; bool is_online = true; + struct winbindd_tdc_domain *d = NULL; d = &dom_list[i]; domain = find_domain_from_name_noinit(d->domain_name); diff --git a/source4/torture/smb2/connect.c b/source4/torture/smb2/connect.c index 0067de0..6340430 100644 --- a/source4/torture/smb2/connect.c +++ b/source4/torture/smb2/connect.c @@ -90,7 +90,7 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre status = smb2_write(tree, &w); if (!NT_STATUS_IS_OK(status)) { - printf("write failed - %s\n", nt_errstr(status)); + printf("write 1 failed - %s\n", nt_errstr(status)); return status; } 
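Review bot: The block comment that now opens `if (num_prompts == 2)` still says "only heimdal has a prompt type", which is no longer accurate once the `#elif defined(HAVE_KRB5_GET_PROMPT_TYPES)` branch below it does the same check for MIT. I would reword it along the lines of `/* Heimdal reports the prompt type in prompts[i].type, MIT through krb5_get_prompt_types(); in both cases refuse the new-password prompt pair */`, and give the MIT `return KRB5KDC_ERR_KEY_EXP;` a one-line comment saying it mirrors the Heimdal case. The comment should also state that when `krb5_get_prompt_types()` returns NULL, or neither macro is defined, a two-prompt call falls through to the reply-filling code after the block. kerb_prompter starts before and continues after this hunk.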
@@ -98,7 +98,7 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre status = smb2_write(tree, &w); if (!NT_STATUS_IS_OK(status)) { - printf("write failed - %s\n", nt_errstr(status)); + printf("write 2 failed - %s\n", nt_errstr(status)); return status; } @@ -137,8 +137,9 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre /* send a create */ -static struct smb2_handle torture_smb2_createfile(struct smb2_tree *tree, - const char *fname) +static NTSTATUS torture_smb2_createfile(struct smb2_tree *tree, + const char *fname, + struct smb2_handle *handle) { struct smb2_create io; NTSTATUS status; @@ -158,8 +159,8 @@ static struct smb2_handle torture_smb2_createfile(struct smb2_tree *tree, status = smb2_create(tree, tmp_ctx, &io); if (!NT_STATUS_IS_OK(status)) { - printf("create1 failed - %s\n", nt_errstr(status)); - return io.out.file.handle; + TALLOC_FREE(tmp_ctx); + return status; } if (DEBUGLVL(1)) { @@ -179,8 +180,10 @@ static struct smb2_handle torture_smb2_createfile(struct smb2_tree *tree, } talloc_free(tmp_ctx); - - return io.out.file.handle; + + *handle = io.out.file.handle; + + return NT_STATUS_OK; } 
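Review bot: The comment above torture_smb2_createfile is still just `/* send a create */` and does not document the new out-parameter: `*handle` is written only on the success path (last createfile hunk), while the `TALLOC_FREE(tmp_ctx); return status;` error path in the hunk before it leaves `*handle` untouched. I would extend the comment to `/* send a create; on success the open handle is stored in *handle, on error the status is returned and *handle is left unmodified */`. The two exits also release tmp_ctx with different spellings (`TALLOC_FREE(tmp_ctx)` and `talloc_free(tmp_ctx)`); using one form would read better. Parts of the function body lie outside these hunks.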
@@ -194,74 +197,54 @@ bool torture_smb2_connect(struct torture_context *torture) struct smb2_request *req; struct smb2_handle h1, h2; NTSTATUS status; + bool ok; - if (!torture_smb2_connection(torture, &tree)) { - return false; - } + ok = torture_smb2_connection(torture, &tree); + torture_assert(torture, ok, "torture_smb2_connection failed"); smb2_util_unlink(tree, "test9.dat"); - h1 = torture_smb2_createfile(tree, "test9.dat"); - h2 = torture_smb2_createfile(tree, "test9.dat"); + status = torture_smb2_createfile(tree, "test9.dat", &h1); + torture_assert_ntstatus_ok(torture, status, "create failed"); + + status = torture_smb2_createfile(tree, "test9.dat", &h2); + torture_assert_ntstatus_ok(torture, status, "create failed"); + status = torture_smb2_write(torture, tree, h1); - if (!NT_STATUS_IS_OK(status)) { - printf("Write failed - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_ok(torture, status, "write failed"); + status = torture_smb2_close(tree, h1); - if (!NT_STATUS_IS_OK(status)) { - printf("Close failed - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_ok(torture, status, "close failed"); + status = torture_smb2_close(tree, h2); - if (!NT_STATUS_IS_OK(status)) { - printf("Close failed - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_ok(torture, status, "close failed"); status = smb2_util_close(tree, h1); - if (!NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) { - printf("close should have closed the handle - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_equal(torture, status, NT_STATUS_FILE_CLOSED, + "close should have closed the handle"); status = smb2_tdis(tree); - if (!NT_STATUS_IS_OK(status)) { - printf("tdis failed - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_ok(torture, status, "tdis failed"); status = smb2_tdis(tree); - if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED)) { - printf("tdis should have disabled 
session - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_NETWORK_NAME_DELETED, + "tdis should have closed the tcon"); status = smb2_logoff(tree->session); - if (!NT_STATUS_IS_OK(status)) { - printf("Logoff failed - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_ok(torture, status, "logoff failed"); req = smb2_logoff_send(tree->session); - if (!req) { - printf("smb2_logoff_send() failed\n"); - return false; - } + torture_assert_not_null(torture, req, "smb2_logoff_send failed"); req->session = NULL; status = smb2_logoff_recv(req); - if (!NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) { - printf("Logoff should have disabled session - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_equal(torture, status, NT_STATUS_USER_SESSION_DELETED, + "logoff should have disabled session"); status = smb2_keepalive(tree->session->transport); - if (!NT_STATUS_IS_OK(status)) { - printf("keepalive failed? - %s\n", nt_errstr(status)); - return false; - } + torture_assert_ntstatus_ok(torture, status, "keepalive failed"); talloc_free(mem_ctx); diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 index 4b3a69f..9c1ad8f 100644 --- a/wscript_configure_system_mitkrb5 +++ b/wscript_configure_system_mitkrb5 @@ -115,6 +115,7 @@ conf.CHECK_FUNCS(''' krb5_keyblock_init krb5_principal_set_realm krb5_principal_get_type krb5_principal_set_type krb5_warnx + krb5_get_prompt_types ''', lib='krb5 k5crypto') conf.CHECK_DECLS('''krb5_get_credentials_for_user -- Samba Shared Repository
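Review bot: Each `torture_assert*` call in torture_smb2_connect presumably leaves the function at the point of failure, as the removed `return false;` branches did, so the `talloc_free(mem_ctx);` at the end of the hunk is skipped on every failed step and any handle opened so far stays open. The `_goto` variants from torture.h let all exits share one cleanup label; this needs a result variable separate from the new `ok`, and the final return (outside the hunk) would return it. The two create asserts and the two close asserts also share one message each, so numbering them as the write helper now does (`"create 1 failed"`, `"create 2 failed"`) would be consistent. The function starts and ends outside the hunk, so where mem_ctx is allocated is not visible here.

```c
	bool ret = true;

	/* … unchanged: torture_smb2_connection() + torture_assert, smb2_util_unlink … */

	status = torture_smb2_createfile(tree, "test9.dat", &h1);
	torture_assert_ntstatus_ok_goto(torture, status, ret, done,
					"create 1 failed");

	status = torture_smb2_createfile(tree, "test9.dat", &h2);
	torture_assert_ntstatus_ok_goto(torture, status, ret, done,
					"create 2 failed");

	/* … remaining torture_assert_ntstatus_ok/_equal calls converted to their _goto forms the same way … */

done:
	talloc_free(mem_ctx);
	/* … the return that follows (outside the hunk) becomes: return ret; … */
```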