The branch, master has been updated
       via  8bd7b316bd6 kdc: Canonicalize realm for enterprise principals
       via  dc2222eee8f heimdal_build: Do not build samba4kinit unless building embedded Heimdal
       via  a0d75b1cce4 lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators
       via  2701293f48a s4:torture: Remove pre-send and post-receive callbacks
      from  7eb1e1cc949 s4:torture: Remove test combination with enterprise principal without canonicalize flag

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8bd7b316bd61ef35f6e0baa0b65f0ef00910112c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 7 13:15:38 2021 +1300

    kdc: Canonicalize realm for enterprise principals

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Dec 7 04:54:35 UTC 2021 on sn-devel-184

commit dc2222eee8f62ace1b7a67401d502d2b3c4a1e17
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Dec 7 11:30:10 2021 +1300

    heimdal_build: Do not build samba4kinit unless building embedded Heimdal

    We should not attempt to build local copies of Heimdal utilities
    against a system krb5 library.

    Inspired by a WIP commit by Stefan Metzmacher <me...@samba.org>
    in his lorikeet-heimdal import branch of patches to upgrade to
    a modern Heimdal.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit a0d75b1cce4b97e1d6b78ba2b7adf96988d55608
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jul 6 12:26:44 2021 +1200

    lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators

    This provides the defines that may be needed to use the compiler-provided
    atomics, rather than a fallback.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 2701293f48a9e4014f9ba1e925d458fe25865bfb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 3 11:58:53 2021 +1300

    s4:torture: Remove pre-send and post-receive callbacks

    The client-side testing done by these callbacks is no longer needed, and
    the server-side testing is covered by Python-based tests. Removing these
    leaves us with a more manageable test of the Kerberos API.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/replace/wscript                      |    7 +
 selftest/knownfail.d/kdc-enterprise      |   63 --
 selftest/knownfail_heimdal_kdc           |    3 -
 selftest/knownfail_mit_kdc               |   36 +
 source4/heimdal_build/wscript_build      |   31 +-
 source4/kdc/db-glue.c                    |   24 +-
 source4/torture/krb5/kdc-canon-heimdal.c | 1069 +-----------------------------
 7 files changed, 71 insertions(+), 1162 deletions(-)
 delete mode 100644 selftest/knownfail.d/kdc-enterprise


Changeset truncated at 500 lines:

diff --git a/lib/replace/wscript b/lib/replace/wscript index 53cb5d4fa76..a928b80f2f7 100644 --- a/lib/replace/wscript +++ b/lib/replace/wscript @@ -298,6 +298,13 @@ def configure(conf): 'HAVE___SYNC_FETCH_AND_ADD', msg='Checking for __sync_fetch_and_add compiler builtin') + conf.CHECK_CODE(''' + int i; + (void)__sync_add_and_fetch(&i, 1); + ''', + 'HAVE___SYNC_ADD_AND_FETCH', + msg='Checking for __sync_add_and_fetch compiler builtin') + conf.CHECK_CODE(''' int32_t i; atomic_add_32(&i, 1); diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise deleted file mode 100644 index c9b6c98a2ee..00000000000 --- a/selftest/knownfail.d/kdc-enterprise +++ /dev/null 
@@ -1,63 +0,0 @@ -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( 
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( 
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( 
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( - - - -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\( 
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( 
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index e9a560555da..692b9ecdd72 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc 
@@ -5,9 +5,6 @@ # # Heimdal currently fails the following MS-KILE client principal lookup # tests -^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3 -^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4 -^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5 ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 912111416dd..5434a2aa160 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc 
@@ -56,17 +56,53 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\( 
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( 
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( 
samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN\( diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build index 77519356575..04628e5d7ae 100644 --- a/source4/heimdal_build/wscript_build +++ b/source4/heimdal_build/wscript_build @@ -901,23 +901,24 @@ if not bld.CONFIG_SET('USING_SYSTEM_COMPILE_ET'): ) bld.env['COMPILE_ET'] = os.path.join(bld.bldnode.parent.abspath(), 'compile_et') -HEIMDAL_BINARY('samba4kinit', - 'kuser/kinit.c', - deps='krb5 heimntlm roken HEIMDAL_VERS hcrypto', - install=False - ) +if bld.CONFIG_SET('USING_EMBEDDED_HEIMDAL'): + HEIMDAL_BINARY('samba4kinit', + 'kuser/kinit.c', + deps='krb5 heimntlm roken HEIMDAL_VERS hcrypto', + install=False + ) -HEIMDAL_BINARY('samba4kgetcred', - 'kuser/kgetcred.c', - deps='krb5 heimntlm roken HEIMDAL_VERS hcrypto asn1', - install=False - ) + HEIMDAL_BINARY('samba4kgetcred', + 'kuser/kgetcred.c', + deps='krb5 heimntlm roken HEIMDAL_VERS hcrypto asn1', + install=False + ) -HEIMDAL_BINARY('samba4kpasswd', - 'kpasswd/kpasswd.c', - deps='krb5 heimntlm roken HEIMDAL_VERS hcrypto', - install=False - ) + HEIMDAL_BINARY('samba4kpasswd', + 'kpasswd/kpasswd.c', + deps='krb5 heimntlm roken HEIMDAL_VERS hcrypto', + install=False + ) # Alias subsystem to allow common kerberos code that will # otherwise link against MIT's gssapi_krb5 and k5crypto diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 4c56e6cbadd..22106bf8665 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c 
@@ -945,19 +945,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, goto out; } - if (smb_krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL) { - /* While we have copied the client principal, tests - * show that Win2k3 returns the 'corrected' realm, not - * the client-specified realm. This code attempts to - * replace the client principal's realm with the one - * we determine from our records */ - - /* this has to be with malloc() */ - ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); - if (ret) { - krb5_clear_error_message(context); - goto out; - } + /* While we have copied the client principal, tests + * show that Win2k3 returns the 'corrected' realm, not + * the client-specified realm. This code attempts to + * replace the client principal's realm with the one + * we determine from our records */ + + /* this has to be with malloc() */ + ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); + if (ret) { + krb5_clear_error_message(context); + goto out; } } diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c index 85c38546310..59ae750e206 100644 --- a/source4/torture/krb5/kdc-canon-heimdal.c +++ b/source4/torture/krb5/kdc-canon-heimdal.c @@ -71,30 +71,12 @@ struct test_data { const char *krb5_hostname; }; -enum test_stage { - TEST_AS_REQ = 0, - TEST_TGS_REQ_KRBTGT_CANON = 1, - TEST_TGS_REQ_CANON = 2, - TEST_SELF_TRUST_TGS_REQ = 3, - TEST_TGS_REQ = 4, - TEST_TGS_REQ_KRBTGT = 5, - TEST_TGS_REQ_HOST = 6, - TEST_TGS_REQ_HOST_SRV_INST = 7, - TEST_TGS_REQ_HOST_SRV_HST = 8, - TEST_DONE = 9 -}; - struct torture_krb5_context { struct smb_krb5_context *smb_krb5_context; struct torture_context *tctx; struct addrinfo *server; struct test_data *test_data; int packet_count; - enum test_stage test_stage; - AS_REQ as_req; - AS_REP as_rep; - TGS_REQ tgs_req; - TGS_REP tgs_rep; }; struct pac_data { 
@@ -213,948 +195,6 @@ static bool test_accept_ticket(struct torture_context *tctx, return true; } -/* - * TEST_AS_REQ - SEND - * - * Confirm that the outgoing packet meets certain expectations. This - * should be extended to further assert the correct and expected - * behaviour of the krb5 libs, so we know what we are sending to the - * server. - * - * Additionally, this CHANGES the request to remove the canonicalize - * flag automatically added by the krb5 libs when an enterprise - * principal is used, so we can test what the server does in this - * combination. - * - */ - -static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context *test_context, - const krb5_data *send_buf, - krb5_data *modified_send_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, decode_AS_REQ(send_buf->data, send_buf->length, - &test_context->as_req, &used), - 0, "decode_AS_REQ for TEST_AS_REQ failed"); - torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch"); - torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno, - 5, "Got wrong as_req->pvno"); - if (test_context->test_data->canonicalize - || test_context->test_data->enterprise) { - torture_assert(test_context->tctx, - test_context->as_req.req_body.kdc_options.canonicalize, - "krb5 libs did not set canonicalize!"); - } else { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.kdc_options.canonicalize, - false, - "krb5 libs unexpectedly set canonicalize!"); - } - - if (test_context->test_data->as_req_spn) { - if (test_context->test_data->upn) { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.cname->name_type, - KRB5_NT_PRINCIPAL, - "krb5 libs unexpectedly " - "did not set principal " - "as NT_PRINCIPAL!"); - } else { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.cname->name_type, - KRB5_NT_SRV_HST, - "krb5 libs unexpectedly " - "did not set principal " - "as 
NT_SRV_HST!"); - } - } else if (test_context->test_data->enterprise) { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.cname->name_type, - KRB5_NT_ENTERPRISE_PRINCIPAL, - "krb5 libs did not pass principal as enterprise!"); - } else { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.cname->name_type, - KRB5_NT_PRINCIPAL, - "krb5 libs unexpectedly set principal as enterprise!"); - } - - *modified_send_buf = *send_buf; - - return true; -} - -/* - * TEST_AS_REQ - RECV - * - * Confirm that the reply packet from the KDC meets certain - * expectations as part of TEST_AS_REQ. This uses a packet count to - * work out what packet we are up to in the multiple exchanged - * triggerd by krb5_get_init_creds_password(). - * - */ - -static bool torture_krb5_post_recv_as_req_test(struct torture_krb5_context *test_context, - const krb5_data *recv_buf) -{ - KRB_ERROR error; - size_t used; - if (test_context->packet_count == 0) { - krb5_error_code k5ret; - /* - * The client libs obtain the salt by attempting to - * authenticate without pre-authentication and getting - * the correct salt with the - * KRB5KDC_ERR_PREAUTH_REQUIRED error. If we are in - * the test (netbios_realm && upn) that deliberatly - * has an incorrect principal, we check we get the - * correct error. 
- */ - k5ret = decode_KRB_ERROR(recv_buf->data, recv_buf->length, - &error, &used); - if (k5ret != 0) { - AS_REP as_rep; - k5ret = decode_AS_REP(recv_buf->data, recv_buf->length, - &as_rep, &used); - if (k5ret == 0) { - if (test_context->test_data->netbios_realm && test_context->test_data->upn) { - torture_assert(test_context->tctx, false, - "expected to get a KRB_ERROR packet with " - "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, got valid AS-REP"); - } else { - torture_assert(test_context->tctx, false, - "expected to get a KRB_ERROR packet with " - "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP"); - } - } else { - if (test_context->test_data->netbios_realm && test_context->test_data->upn) { - torture_assert(test_context->tctx, false, - "unable to decode as KRB-ERROR or AS-REP, " - "expected to get a KRB_ERROR packet with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"); - } else { - torture_assert(test_context->tctx, false, - "unable to decode as KRB-ERROR or AS-REP, " - "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED"); - } - } - } - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, error.pvno, 5, - "Got wrong error.pvno"); - if (test_context->test_data->netbios_realm && test_context->test_data->upn) { - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - } else if (test_context->test_data->as_req_spn && !test_context->test_data->spn_is_upn) { - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - } else { - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - } - - free_KRB_ERROR(&error); - } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) - && 
(test_context->packet_count == 1)) { - /* - * The Windows 2012R2 KDC will always respond with - * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket - * won't fit, because of the PAC. (It appears to do - * this always, even if it will). This triggers the - * client to try again over TCP. - */ - torture_assert_int_equal(test_context->tctx, - used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - error.pvno, 5, - "Got wrong error.pvno"); - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - free_KRB_ERROR(&error); - } else { - /* - * Finally the successful packet. - */ - torture_assert_int_equal(test_context->tctx, - decode_AS_REP(recv_buf->data, recv_buf->length, - &test_context->as_rep, &used), 0, - "decode_AS_REP failed"); - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->as_rep.pvno, 5, - "Got wrong as_rep->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->as_rep.ticket.tkt_vno, 5, - "Got wrong as_rep->ticket.tkt_vno"); - torture_assert(test_context->tctx, - test_context->as_rep.ticket.enc_part.kvno, - "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno"); - - /* - * We can confirm that the correct proxy behaviour is - * in use on the KDC by checking the KVNO of the - * krbtgt account returned in the reply. 
- * - * A packet passed to the full RW DC will not have a - * KVNO in the upper bits, while a packet processed - * locally on the RODC will have these bits filled in - * the msDS-SecondaryKrbTgtNumber - */ - if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) { - torture_assert_int_not_equal(test_context->tctx, - *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Did not get a RODC number in the KVNO"); - } else { - torture_assert_int_equal(test_context->tctx, - *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Unexpecedly got a RODC number in the KVNO"); - } - free_AS_REP(&test_context->as_rep); - } - torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets"); - free_AS_REQ(&test_context->as_req); - return true; -} - -/* - * TEST_TGS_REQ_KRBTGT_CANON - * - * - * Confirm that the outgoing TGS-REQ packet from krb5_get_creds() - * for the krbtgt/realm principal meets certain expectations, like - * that the canonicalize bit is not set - * - */ - -- Samba Shared Repository
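Review bot: The final AS-REP branch of the removed torture_krb5_post_recv_as_req_test() is where `*test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000` was checked against the "expect_cached_at_rodc" setting, and the earlier branches asserted the expected KRB-ERROR codes (KRB5KDC_ERR_PREAUTH_REQUIRED, KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, KRB5KRB_ERR_RESPONSE_TOO_BIG). The commit message says the server-side testing is covered by Python-based tests but does not name them. Please reference the Python tests that assert the RODC number in the upper 16 bits of the krbtgt KVNO and the error code for the netbios_realm && upn and as_req_spn && !spn_is_upn cases, so it is clear no KDC behaviour loses coverage. If nothing else reads "expect_cached_at_rodc" once this code is gone, the option should also be dropped from wherever the test is invoked, so that it is not left as a setting that silently does nothing.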