The branch, master has been updated via 965d1888008 net: ignore possible SIGPIPE upon ldap_unbind when over TLS via 39b293c2d0b ads: set sasl-wrapping to plain when over TLS via b3af1d334d6 Fix ads_set_sasl_wrap_flags to only change sasl flags via 9ec83caeb51 Decouple ldap-ssl-ads from ldap-ssl option via 10f61cd39b9 selftest: add tests for net-ads over TLS from 4c74db6978c docs: Fix documentation for require_membership_of of pam_winbind
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 965d18880081296ed7189daa0eeef6024c308db1 Author: Isaac Boukris <ibouk...@gmail.com> Date: Sat Jul 11 05:04:59 2020 +0200 net: ignore possible SIGPIPE upon ldap_unbind when over TLS From local tests with strace: socket(AF_UNIX, SOCK_STREAM, 0) = 12 write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38 ... write(2, "ads_domain_func_level: 3\n", 25) = 25 write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36 write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe) --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} --- +++ killed by SIGPIPE +++ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Isaac Boukris <ibouk...@samba.org> Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184 commit 39b293c2d0bb64f11f63a41fbbc5031e5a2922e2 Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu Jul 2 09:33:12 2020 +0200 ads: set sasl-wrapping to plain when over TLS BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit b3af1d334d6159dca75c2a74e7c6f909952c31af Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu Jul 2 10:59:18 2020 +0200 Fix ads_set_sasl_wrap_flags to only change sasl flags BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 9ec83caeb51e85ef9a217d5017d5844389d48513 Author: Isaac Boukris <ibouk...@gmail.com> Date: Wed Jun 24 15:28:45 2020 +0300 Decouple ldap-ssl-ads from ldap-ssl option BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 10f61cd39b9e03e7bb781edf04022ea6ae1f1cac Author: Isaac Boukris <ibouk...@gmail.com> Date: Mon Jun 29 16:55:33 2020 +0300 selftest: add tests for net-ads over TLS BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 11 ++++ docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 +- selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++ source3/include/smbldap.h | 1 + .../lib/ABI/{smbldap-2.sigs => smbldap-2.1.0.sigs} | 1 + source3/lib/smbldap.c | 19 ++++-- source3/libads/ads_proto.h | 2 +- source3/libads/ads_struct.c | 8 ++- source3/libads/ldap.c | 6 +- source3/utils/net.c | 3 + source3/wscript_build | 2 +- source4/selftest/tests.py | 8 +++ testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++ 13 files changed, 138 insertions(+), 16 deletions(-) create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback copy source3/lib/ABI/{smbldap-2.sigs => smbldap-2.1.0.sigs} (98%) create mode 100755 testprogs/blackbox/test_net_ads_base.sh Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index cd75f6741c0..e7b46a7b159 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -17,6 +17,17 @@ NEW FEATURES/CHANGES ==================== +The "ldap ssl ads" option no longer depends on "ldap ssl" option: +----------------------------------------------------------------- +With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl" +is off. + +The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain: +----------------------------------------------------------------------- +This is now done implicitly when over TLS, so "client ldap sasl wrapping" +does not need to be set to "plain" in order for it to work. + + REMOVED FEATURES ================ diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml index 98c39651f1e..f99afe5bbad 100644 --- a/docs-xml/smbdotconf/ldap/ldapsslads.xml +++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml @@ -7,13 +7,10 @@ <para>This option is used to define whether or not Samba should use SSL when connecting to the ldap server using <emphasis>ads</emphasis> methods. - Rpc methods are not affected by this parameter. Please note, that - this parameter won't have any effect if <smbconfoption name="ldap ssl"/> - is set to <parameter>no</parameter>. + Rpc methods are not affected by this parameter. </para> - <para>See <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum> - for more information on <smbconfoption name="ldap ssl"/>. + <para>See also <smbconfoption name="ldap ssl"/>. </para> </description> diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback new file mode 100644 index 00000000000..b16a39d134d --- /dev/null +++ b/selftest/knownfail.d/net_ads_ntlm_fallback @@ -0,0 +1,10 @@ +# net-ads commands that fail with: --option=gensec:gse_krb5=no +^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin +^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName +^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN +^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h index 878268aebd6..d063f44afbc 100644 --- a/source3/include/smbldap.h +++ b/source3/include/smbldap.h @@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs[]); int smbldap_start_tls(LDAP *ldap_struct, int version); +int smbldap_start_tls_start(LDAP *ldap_struct, int version); int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri); int smbldap_search(struct smbldap_state *ldap_state, const char *base, int scope, const char *filter, diff --git a/source3/lib/ABI/smbldap-2.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs similarity index 98% copy from source3/lib/ABI/smbldap-2.sigs copy to source3/lib/ABI/smbldap-2.1.0.sigs index 8abefec15b6..67dcc9a8a78 100644 --- a/source3/lib/ABI/smbldap-2.sigs +++ b/source3/lib/ABI/smbldap-2.1.0.sigs @@ -23,6 +23,7 @@ smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *) smbldap_set_paged_results: void (struct smbldap_state *, bool) smbldap_setup_full_conn: int (LDAP **, const char *) smbldap_start_tls: int (LDAP *, int) +smbldap_start_tls_start: int (LDAP *, int) smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **) smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *) smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *) diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index 34c841f9243..4815dd81fc3 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state) } /******************************************************************** - start TLS on an existing LDAP connection + start TLS on an existing LDAP connection per config *******************************************************************/ int smbldap_start_tls(LDAP *ldap_struct, int version) -{ -#ifdef LDAP_OPT_X_TLS - int rc,tls; -#endif - +{ if (lp_ldap_ssl() != LDAP_SSL_START_TLS) { return LDAP_SUCCESS; } + return smbldap_start_tls_start(ldap_struct, version); +} + +/******************************************************************** + start TLS on an existing LDAP connection unconditionally +*******************************************************************/ + +int smbldap_start_tls_start(LDAP *ldap_struct, int version) +{ #ifdef LDAP_OPT_X_TLS + int rc,tls; + /* check if we use ldaps already */ ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls); if (tls == LDAP_OPT_X_TLS_HARD) { diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h index cd9c1082681..6cdde0cf6eb 100644 --- a/source3/libads/ads_proto.h +++ b/source3/libads/ads_proto.h @@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm, const char *workgroup, const char *ldap_server, enum ads_sasl_state_e sasl_state); -bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); +bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags); void ads_destroy(ADS_STRUCT **ads); /* The following definitions come from libads/disp_sec.c */ diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index 043a1b21247..67a9a7cf75e 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm, /**************************************************************** ****************************************************************/ -bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags) +bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags) { + unsigned other_flags; + if (!ads) { return false; } - ads->auth.flags = flags; + other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL); + + ads->auth.flags = flags | other_flags; return true; } diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 55c9668089d..1ffe96d32c9 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -703,10 +703,14 @@ got_connection: ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version); if ( lp_ldap_ssl_ads() ) { - status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version)); + status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version)); if (!ADS_ERR_OK(status)) { goto out; } + if (!ads_set_sasl_wrap_flags(ads, 0)) { + status = ADS_ERROR(LDAP_OPERATIONS_ERROR); + goto out; + } } /* fill in the current time and offsets */ diff --git a/source3/utils/net.c b/source3/utils/net.c index 683b46794e4..e289b2814bc 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c, POPT_TABLEEND }; + /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */ + BlockSignals(True, SIGPIPE); + zero_sockaddr(&c->opt_dest_ip); setup_logging(argv[0], DEBUG_STDERR); diff --git a/source3/wscript_build b/source3/wscript_build index 5a07eddac44..ec8135c302f 100644 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -501,7 +501,7 @@ bld.SAMBA3_LIBRARY('smbldap', abi_directory='lib/ABI', abi_match='smbldap_*', pc_files=[], - vnum='2', + vnum='2.1.0', public_headers='include/smbldap.h include/smb_ldap.h') bld.SAMBA3_LIBRARY('ads', diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 0e219f94d04..588586e39b3 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -544,6 +544,12 @@ plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:clien plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD']) plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID']) +for nomech in ["none", "gse_krb5", "ntlmssp"]: + # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS + plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS']) + plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS']) + plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS']) + if have_gnutls_crypto_policies: plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) @@ -554,6 +560,8 @@ if have_gnutls_crypto_policies: t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD" plantestsuite("samba3.wbinfo_simple.fips.%s" % t, "ad_member_fips:local", [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t]) plantestsuite("samba4.wbinfo_name_lookup.fips", "ad_member_fips", [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_name_lookup.sh"), '$DOMAIN', '$REALM', '$DC_USERNAME']) + for nomech in ["none", "ntlmssp"]: + plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc_fips:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS']) plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo']) # json tests hook into ``chgdcpass'' to make them run in contributor CI on diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh new file mode 100755 index 00000000000..59e3da67a7f --- /dev/null +++ b/testprogs/blackbox/test_net_ads_base.sh @@ -0,0 +1,76 @@ +#!/bin/sh + +if [ $# -lt 5 ]; then +cat <<EOF +Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS +EOF +exit 1; +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +TLS_MODE=$4 +NO_MECH=$5 +BASEDIR=$6 +shift 6 + +HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10` +HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'` +LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'` + +RUNDIR=`pwd` +cd $BASEDIR +WORKDIR=`mktemp -d -p .` +WORKDIR=`basename $WORKDIR` +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf +sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + +xoptions="" +if [ $TLS_MODE != "no" ]; then + xoptions="--option=ldapsslads=yes" +fi + +if [ $NO_MECH != "none" ]; then + xoptions="$xoptions --option=gensec:$NO_MECH=no" +fi + +if [ $TLS_MODE = "noverify" ]; then + export LDAPTLS_REQCERT=allow +fi + +net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions" + +# Load test functions +. `dirname $0`/subunit.sh + +testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1` + +testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1` + +testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1` + +tls_log="StartTLS issued: using a TLS connection" +opt="-d3 --option=ldapssl=off" +if [ $TLS_MODE != "no" ]; then + testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1` +fi + +testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1` + +testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1` + +testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +rm -rf $BASEDIR/$WORKDIR + +exit $failed -- Samba Shared Repository