The branch, master has been updated via 4baa7cc8e47 kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos via 07399831794 Add a test with old msDS-SupportedEncryptionTypes from 6e496aa3635 nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 4baa7cc8e473f6b63316b4ae5db34796c0f864c3 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 23 11:56:54 2020 +0200 kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos. If a service account has msDS-SupportedEncryptionTypes: 31 and DES keys stored in Primary:Kerberos, we'll pass the DES key to smb_krb5_keyblock_init_contents(), but may get KRB5_PROG_ETYPE_NOSUPP. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184 commit 07399831794e28c7c2cf0140d0f1d1b5538b5f60 Author: Isaac Boukris <ibouk...@gmail.com> Date: Mon Apr 27 14:00:38 2020 +0200 Add a test with old msDS-SupportedEncryptionTypes BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: source4/kdc/db-glue.c | 18 ++++++--- source4/selftest/tests.py | 2 + testprogs/blackbox/test_old_enctypes.sh | 68 +++++++++++++++++++++++++++++++++ 3 files changed, 82 insertions(+), 6 deletions(-) create mode 100755 testprogs/blackbox/test_old_enctypes.sh Changeset truncated at 500 lines: diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 27728dab904..5fd0f431cdf 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c 
@@ -631,18 +631,18 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, pkb4->keys[i].value->data, pkb4->keys[i].value->length, &key.key); - if (ret == KRB5_PROG_ETYPE_NOSUPP) { - DEBUG(2,("Unsupported keytype ignored - type %u\n", - pkb4->keys[i].keytype)); - ret = 0; - continue; - } if (ret) { if (key.salt) { smb_krb5_free_data_contents(context, &key.salt->salt); free(key.salt); key.salt = NULL; } + if (ret == KRB5_PROG_ETYPE_NOSUPP) { + DEBUG(2,("Unsupported keytype ignored - type %u\n", + pkb4->keys[i].keytype)); + ret = 0; + continue; + } goto out; } @@ -693,6 +693,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, free(key.salt); key.salt = NULL; } + if (ret == KRB5_PROG_ETYPE_NOSUPP) { + DEBUG(2,("Unsupported keytype ignored - type %u\n", + pkb3->keys[i].keytype)); + ret = 0; + continue; + } goto out; } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 588586e39b3..6e7c014ba8d 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -494,6 +494,8 @@ plantestsuite("samba4.blackbox.net_rpc_user(ad_dc)", "ad_dc", [os.path.join(bbdi plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join(bbdir, "test_primary_group.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX_ABS']) +plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS']) + if have_heimdal_support: for env in ["ad_dc_ntvfs", "ad_dc"]: plantestsuite("samba4.blackbox.pkinit", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", smbclient3, configuration]) diff --git a/testprogs/blackbox/test_old_enctypes.sh b/testprogs/blackbox/test_old_enctypes.sh new file mode 100755 index 00000000000..794a265940e --- /dev/null 
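Review bot: The `KRB5_PROG_ETYPE_NOSUPP` skip now appears twice in source4/kdc/db-glue.c, once in the `pkb4` loop and once in the `pkb3` loop, with an identical `DEBUG(2, ...)` message, so a log line cannot tell an operator which blob held the ignored key. Going by the commit message, `pkb3` is Primary:Kerberos, so its copy could read `DEBUG(2,("Unsupported keytype ignored in Primary:Kerberos - type %u\n",`, with the `pkb4` copy naming Primary:Kerberos-Newer-Keys. A short comment above each check should also say what is expected when every stored key of an account is skipped this way. The handling of an empty key list is outside these hunks, so I cannot tell whether such an entry is rejected or returned without keys. Both loops and `samba_kdc_message2entry_keys` itself start and end outside the hunks.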
+++ b/testprogs/blackbox/test_old_enctypes.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_primary_group.sh SERVER USERNAME PASSWORD NETBIOSNAME PREFIX_ABS
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+NETBIOSNAME=$4
+PREFIX_ABS=$5
+shift 5
+failed=0
+
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+
+samba_tool="$samba4bindir/samba-tool"
+
+ldbmodify="ldbmodify"
+if [ -x "$samba4bindir/ldbmodify" ]; then
+ ldbmodify="$samba4bindir/ldbmodify"
+fi
+
+ldbsearch="ldbsearch"
+if [ -x "$samba4bindir/ldbsearch" ]; then
+ ldbsearch="$samba4bindir/ldbsearch"
+fi
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+out="${PREFIX_ABS}/tmpldbsearch.out"
+$ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 sAMAccountName="$NETBIOSNAME\$" dn msDS-SupportedEncryptionTypes > $out
+testit_grep "find my dn" msDS-SupportedEncryptionTypes cat $out || failed=`expr $failed + 1`
+
+my_dn=$(cat $out | sed -n 's/^dn: //p')
+my_encs=$(cat $out | sed -n 's/^msDS-SupportedEncryptionTypes: //p')
+my_test_encs=`expr $my_encs + 3`
+
+ldif="${PREFIX_ABS}/tmpldbmodify.ldif"
+
+cat > $ldif <<EOF
+dn: $my_dn
+changetype: modify
+replace: msDS-SupportedEncryptionTypes
+msDS-SupportedEncryptionTypes: $my_test_encs
+EOF
+
+testit "Change msDS-SupportedEncryptionTypes to $my_test_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1`
+kt=${PREFIX_ABS}/tmp_host_out_keytab
+testit "Export keytab while old enctypes are supported" $samba_tool domain exportkeytab --principal=$NETBIOSNAME\$ $kt
+
+cat > $ldif <<EOF
+dn: $my_dn
+changetype: modify
+replace: msDS-SupportedEncryptionTypes
+msDS-SupportedEncryptionTypes: $my_encs
+EOF
+
+testit "Change msDS-SupportedEncryptionTypes back to $my_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1`
+
+rm -rf $kt $out $ldif
+
+exit $failed
-- Samba Shared Repository
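Review bot: The `Export keytab while old enctypes are supported` step is the one that exercises the KDC fix, yet it is the only `testit` call without the `|| failed=...` suffix the other steps carry, so its failure is never counted in `$failed` and does not reach `exit $failed`. Append the same suffix to that line. The line computing `my_test_encs` adds 3 arithmetically, which sets the two DES bits only when neither is already set in the stored value; `my_test_encs=$(( my_encs | 3 ))` states the intent directly and is valid under the script's `#!/bin/bash`. The usage text still names `test_primary_group.sh` and should read `Usage: test_old_enctypes.sh SERVER USERNAME PASSWORD NETBIOSNAME PREFIX_ABS`.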