The branch, master has been updated
via 8a97afdae78 s3-net: fix "net ads kerberos" krb5ccname handling
via 18d0574a0fe s3-selftest: add tests for "net ads kerberos" commands
from 7900f319db3 ctdb-server: Load optional tunables.d/ directory
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8a97afdae788e8d10a51035f8b287dc00293f90d
Author: Günther Deschner <[email protected]>
Date: Sun Jul 20 18:00:22 2025 +0200
s3-net: fix "net ads kerberos" krb5ccname handling
We can only rely on KRB5CCNAME being set; the content of --use-krb5-ccache is
not available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Günther Deschner <[email protected]>
Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224
commit 18d0574a0fe4b5fd468f949cfaa507ab4519c9e6
Author: Günther Deschner <[email protected]>
Date: Sun Jul 20 17:59:37 2025 +0200
s3-selftest: add tests for "net ads kerberos" commands
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
selftest/knownfail | 1 -
source3/script/tests/test_net_ads_kerberos.sh | 158 ++++++++++++++++++++++++++
source3/selftest/tests.py | 12 ++
source3/utils/net.c | 15 +++
source3/utils/net.h | 1 +
source3/utils/net_ads.c | 6 +-
6 files changed, 189 insertions(+), 4 deletions(-)
create mode 100755 source3/script/tests/test_net_ads_kerberos.sh
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail b/selftest/knownfail
index 103a0bb1d76..ab2d79d7114 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -338,4 +338,3 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-
diff --git a/source3/script/tests/test_net_ads_kerberos.sh
b/source3/script/tests/test_net_ads_kerberos.sh
new file mode 100755
index 00000000000..8a3c9ef2bc7
--- /dev/null
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -0,0 +1,158 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_net_ads_kerberos.sh USERNAME REALM PASSWORD PREFIX
+EOF
+ exit 1
+fi
+
+USERNAME="$1"
+REALM="$2"
+PASSWORD="$3"
+PREFIX="$4"
+shift 4
+ADDARGS="$*"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+mkdir -p "$PREFIX"/private
+PACFILE=$PREFIX/private/pacsave.$$
+
+KRB5CCNAME_PATH="$PREFIX/net_ads_kerberos_krb5ccache"
+rm -f "$KRB5CCNAME_PATH"
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos kinit" variants
+#################################################
+
+testit "net_ads_kerberos_kinit" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+# $VALGRIND $BINDIR/net ads kerberos kinit \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# --use-krb5-ccache=${KRB5CCNAME} \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_kinit (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+# $VALGRIND $BINDIR/net ads kerberos kinit \
+# -P $ADDARGS \
+# --use-krb5-ccache=${KRB5CCNAME} \
+# || failed=$((failed + 1))
+
+
+#################################################
+## Test "net ads kerberos renew" variants
+#################################################
+
+#testit "net_ads_kerberos_renew" \
+# $VALGRIND $BINDIR/net ads kerberos renew \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+#
+#export KRB5CCNAME=$KRB5CCNAME_PATH
+#testit "net_ads_kerberos_renew (KRB5CCNAME env)" \
+# $VALGRIND $BINDIR/net ads kerberos renew \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+#unset KRB5CCNAME
+#rm -f $KRB5CCNAME_PATH
+#
+# renew only succeeds with pre-kinit
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+testit "net_ads_kerberos_renew" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos renew \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos pac" variants
+#################################################
+
+testit "net_ads_kerberos_pac_dump" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+
+IMPERSONATE_PRINC="alice@$REALM"
+
+#testit "net_ads_kerberos_pac_dump (impersonate)" \
+# $VALGRIND $BINDIR/net ads kerberos pac dump \
+# -U$USERNAME%$PASSWORD \
+# impersonate=$IMPERSONATE_PRINC $ADDARGS \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (impersonate and -P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -P \
+ impersonate="$IMPERSONATE_PRINC" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+# no clue why this doesn't work...
+#
+#testit_expect_failure "net_ads_kerberos_pac_save (without filename)"
+# $VALGRIND $BINDIR/net ads kerberos pac save \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_save" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ filename="$PACFILE" \
+ || failed=$((failed + 1))
+
+rm -f "$PACFILE"
+
+testit "net_ads_kerberos_pac_save (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+ -P "$ADDARGS" \
+ filename="$PACFILE" \
+ || failed=$((failed + 1))
+
+rm -f "$PACFILE"
+rm -f "$KRB5CCNAME_PATH"
+
+testok "$0" "$failed"
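Review bot: The argument check and the usage text disagree: `if [ $# -lt 5 ]` rejects a call with exactly the four positional arguments the usage line lists, and the `shift 4` that follows only needs four, so a run without extra `ADDARGS` fails with the usage message; `if [ $# -lt 4 ]; then` matches both. `KRB5CCNAME="FILE:$KRB5CCNAME_PATH"` near the top is never exported or read — every later `export KRB5CCNAME="$KRB5CCNAME_PATH"` uses the bare path — so either drop that line or export the `FILE:`-prefixed form consistently, since the bare form relies on the Kerberos library defaulting the type. The test at the start of the renew section reuses the name `net_ads_kerberos_kinit (KRB5CCNAME env set)` already used in the kinit section, which gives two subunit results with the same name; `net_ads_kerberos_kinit (pre-renew, KRB5CCNAME env set)` keeps them distinguishable.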
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 2497211faed..dad58fca5f2 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1954,6 +1954,18 @@ plantestsuite(
"bin/samba-tool",
'$DNSNAME'])
+for auth in ["$DC_USERNAME", "$DOMAIN\\\\$DC_USERNAME", "$DC_USERNAME@$REALM"
]:
+ plantestsuite(
+ "samba3.blackbox.net_ads_kerberos (%s)" % auth,
+ "ad_member:local",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_net_ads_kerberos.sh"),
+ auth,
+ '$REALM',
+ '$DC_PASSWORD',
+ '$PREFIX',
+ configuration])
+
plantestsuite("samba3.blackbox.force-user-unlink",
"maptoguest:local",
[os.path.join(samba3srcdir,
diff --git a/source3/utils/net.c b/source3/utils/net.c
index c432ebe991f..7ce93ced79e 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1394,6 +1394,7 @@ static struct functable net_func[] = {
cli_credentials_get_principal_obtained(c->creds);
enum credentials_obtained password_obtained =
cli_credentials_get_password_obtained(c->creds);
+ char *krb5ccname = NULL;
if (principal_obtained == CRED_SPECIFIED) {
c->explicit_credentials = true;
@@ -1410,6 +1411,20 @@ static struct functable net_func[] = {
GENSEC_FEATURE_NTLM_CCACHE,
CRED_SPECIFIED);
}
+
+ /* cli_credentials_get_ccache_name_obtained() would not work
+ * here, we also cannot get the content of --use-krb5-ccache= so
+ * for now at least honour the KRB5CCNAME environment variable
+ * to get 'net ads kerberos' functions to work at all - gd */
+
+ krb5ccname = getenv("KRB5CCNAME");
+ if (krb5ccname == NULL) {
+ krb5ccname = talloc_strdup(c, "MEMORY:net");
+ }
+ if (krb5ccname == NULL) {
+ exit(1);
+ }
+ c->opt_krb5_ccache = krb5ccname;
}
c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
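Review bot: `c->opt_krb5_ccache` ends up with mixed ownership: when KRB5CCNAME is set it points into the process environment (the raw `getenv()` result, which a later `setenv`/`putenv` can invalidate), otherwise it is a talloc child of `c`. Duplicating the environment value as well makes the field uniformly owned by `c` and collapses the two NULL checks: `krb5ccname = getenv("KRB5CCNAME");` / `krb5ccname = talloc_strdup(c, krb5ccname != NULL ? krb5ccname : "MEMORY:net");` / `if (krb5ccname == NULL) { exit(1); }`. The `exit(1)` on allocation failure prints nothing; a `d_fprintf(stderr, ...)` before it would match how the rest of net.c reports failures, assuming it does so. The `"MEMORY:net"` fallback also means a run without KRB5CCNAME gets a per-process cache; whether the previous NULL argument selected the library default cache instead is outside the hunk, but if so `net ads kerberos kinit` without KRB5CCNAME no longer leaves a usable ticket behind, and the comment above should say so. The declaration hunk above is part of the same change, and the enclosing function starts and ends outside both hunks.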
diff --git a/source3/utils/net.h b/source3/utils/net.h
index 8540a6db9d4..8a4218b529f 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -97,6 +97,7 @@ struct net_context {
const char *opt_witness_new_ip;
int opt_witness_new_node;
const char *opt_witness_forced_response;
+ const char *opt_krb5_ccache;
int opt_have_ip;
struct sockaddr_storage opt_dest_ip;
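Review bot: The new `opt_krb5_ccache` member carries no comment, and nothing in the struct says where it comes from or who owns it, which matters because net.c in this commit sets it either to the `getenv("KRB5CCNAME")` pointer or to a talloc child of the context; add `/* krb5 ccache name handed to the "net ads kerberos" calls; set once in net.c from KRB5CCNAME (points into environ) or to a talloc'd "MEMORY:net" default */`. struct net_context starts and ends outside the hunk.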
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index b39f0d2739a..f77c2b8210a 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2998,7 +2998,7 @@ static int net_ads_kerberos_renew(struct net_context *c,
int argc, const char **
return -1;
}
- ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
+ ret = smb_krb5_renew_ticket(c->opt_krb5_ccache, NULL, NULL, NULL);
if (ret) {
d_printf(_("failed to renew kerberos ticket: %s\n"),
error_message(ret));
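Review bot: With `c->opt_krb5_ccache` defaulting to `"MEMORY:net"` when KRB5CCNAME is unset (net.c in this commit), `smb_krb5_renew_ticket()` here presumably operates on a fresh per-process memory cache that cannot contain a ticket to renew, so the renew subcommand only works with KRB5CCNAME exported — which is what the new test script's "renew only succeeds with pre-kinit" comment observes. Making that visible in the failure path, e.g. `d_printf(_("failed to renew kerberos ticket (is KRB5CCNAME set?): %s\n"), error_message(ret));`, would save users a round of debugging. The same plumbing appears in the net_ads_kerberos_pac_common and net_ads_kerberos_kinit hunks below, where it looks unproblematic because those calls appear to obtain a fresh ticket rather than reuse one. net_ads_kerberos_renew starts and ends outside the hunk.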
@@ -3053,7 +3053,7 @@ static int net_ads_kerberos_pac_common(struct net_context
*c, int argc, const ch
0,
NULL,
NULL,
- NULL,
+ c->opt_krb5_ccache,
true,
true,
2592000, /* one month */
@@ -3234,7 +3234,7 @@ static int net_ads_kerberos_kinit(struct net_context *c,
int argc, const char **
0,
NULL,
NULL,
- NULL,
+ c->opt_krb5_ccache,
true,
true,
2592000, /* one month */