The branch, master has been updated
via 4baa7cc8e47 kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for
Primary:Kerberos
via 07399831794 Add a test with old msDS-SupportedEncryptionTypes
from 6e496aa3635 nsswitch/nsstest.c: Avoid nss function conflicts with
glibc nss.h
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4baa7cc8e473f6b63316b4ae5db34796c0f864c3
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Apr 23 11:56:54 2020 +0200
kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos
Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for
Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos.
If a service account has msDS-SupportedEncryptionTypes: 31
and DES keys stored in Primary:Kerberos, we'll pass the
DES key to smb_krb5_keyblock_init_contents(), but may get
KRB5_PROG_ETYPE_NOSUPP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Isaac Boukris <ibouk...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184
commit 07399831794e28c7c2cf0140d0f1d1b5538b5f60
Author: Isaac Boukris <ibouk...@gmail.com>
Date: Mon Apr 27 14:00:38 2020 +0200
Add a test with old msDS-SupportedEncryptionTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354
Signed-off-by: Isaac Boukris <ibouk...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source4/kdc/db-glue.c | 18 ++++++---
source4/selftest/tests.py | 2 +
testprogs/blackbox/test_old_enctypes.sh | 68 +++++++++++++++++++++++++++++++++
3 files changed, 82 insertions(+), 6 deletions(-)
create mode 100755 testprogs/blackbox/test_old_enctypes.sh
Changeset truncated at 500 lines:
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 27728dab904..5fd0f431cdf 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -631,18 +631,18 @@ static krb5_error_code
samba_kdc_message2entry_keys(krb5_context context,
pkb4->keys[i].value->data,
pkb4->keys[i].value->length,
&key.key);
- if (ret == KRB5_PROG_ETYPE_NOSUPP) {
- DEBUG(2,("Unsupported keytype ignored - type
%u\n",
- pkb4->keys[i].keytype));
- ret = 0;
- continue;
- }
if (ret) {
if (key.salt) {
smb_krb5_free_data_contents(context,
&key.salt->salt);
free(key.salt);
key.salt = NULL;
}
+ if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+ DEBUG(2,("Unsupported keytype ignored -
type %u\n",
+ pkb4->keys[i].keytype));
+ ret = 0;
+ continue;
+ }
goto out;
}
@@ -693,6 +693,12 @@ static krb5_error_code
samba_kdc_message2entry_keys(krb5_context context,
free(key.salt);
key.salt = NULL;
}
+ if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+ DEBUG(2,("Unsupported keytype ignored -
type %u\n",
+ pkb3->keys[i].keytype));
+ ret = 0;
+ continue;
+ }
goto out;
}
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 588586e39b3..6e7c014ba8d 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -494,6 +494,8 @@ plantestsuite("samba4.blackbox.net_rpc_user(ad_dc)",
"ad_dc", [os.path.join(bbdi
plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local",
[os.path.join(bbdir, "test_primary_group.sh"), '$SERVER', '$USERNAME',
'$PASSWORD', '$DOMAIN', '$PREFIX_ABS'])
+plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local",
[os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME',
'$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
+
if have_heimdal_support:
for env in ["ad_dc_ntvfs", "ad_dc"]:
plantestsuite("samba4.blackbox.pkinit", "%s:local" % env,
[os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit',
'$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env,
"aes256-cts-hmac-sha1-96", smbclient3, configuration])
diff --git a/testprogs/blackbox/test_old_enctypes.sh
b/testprogs/blackbox/test_old_enctypes.sh
new file mode 100755
index 00000000000..794a265940e
--- /dev/null
+++ b/testprogs/blackbox/test_old_enctypes.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_primary_group.sh SERVER USERNAME PASSWORD NETBIOSNAME PREFIX_ABS
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+NETBIOSNAME=$4
+PREFIX_ABS=$5
+shift 5
+failed=0
+
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+
+samba_tool="$samba4bindir/samba-tool"
+
+ldbmodify="ldbmodify"
+if [ -x "$samba4bindir/ldbmodify" ]; then
+ ldbmodify="$samba4bindir/ldbmodify"
+fi
+
+ldbsearch="ldbsearch"
+if [ -x "$samba4bindir/ldbsearch" ]; then
+ ldbsearch="$samba4bindir/ldbsearch"
+fi
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+out="${PREFIX_ABS}/tmpldbsearch.out"
+$ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0
sAMAccountName="$NETBIOSNAME\$" dn msDS-SupportedEncryptionTypes > $out
+testit_grep "find my dn" msDS-SupportedEncryptionTypes cat $out ||
failed=`expr $failed + 1`
+
+my_dn=$(cat $out | sed -n 's/^dn: //p')
+my_encs=$(cat $out | sed -n 's/^msDS-SupportedEncryptionTypes: //p')
+my_test_encs=`expr $my_encs + 3`
+
+ldif="${PREFIX_ABS}/tmpldbmodify.ldif"
+
+cat > $ldif <<EOF
+dn: $my_dn
+changetype: modify
+replace: msDS-SupportedEncryptionTypes
+msDS-SupportedEncryptionTypes: $my_test_encs
+EOF
+
+testit "Change msDS-SupportedEncryptionTypes to $my_test_encs" $VALGRIND
$ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr
$failed + 1`
+kt=${PREFIX_ABS}/tmp_host_out_keytab
+testit "Export keytab while old enctypes are supported" $samba_tool domain
exportkeytab --principal=$NETBIOSNAME\$ $kt
+
+cat > $ldif <<EOF
+dn: $my_dn
+changetype: modify
+replace: msDS-SupportedEncryptionTypes
+msDS-SupportedEncryptionTypes: $my_encs
+EOF
+
+testit "Change msDS-SupportedEncryptionTypes back to $my_encs" $VALGRIND
$ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr
$failed + 1`
+
+rm -rf $kt $out $ldif
+
+exit $failed
--
Samba Shared Repository
