The branch, v4-21-test has been updated
via 9ca7d637aae s3-net: fix "net ads kerberos" krb5ccname handling
via d9fc8dc0d4b s3-selftest: add tests for "net ads kerberos" commands
via 4750b7b5905 s3/libsmb: check the negative-conn-cache in resolve_ads()
via ad604bb46f2 s3/libsmb: check command in make_dc_info_from_cldap_reply()
via a0bf6a94267 libads: check for DCs in paused state in ads_try_connect()
via e56376504a8 s3/libads: get rid of additional loop calling add_failed_connection_entry()
via a9250ab504e s3:libads: let get_kdc_ip_string() check for a blacklisted server name
via 2994369b3bd s3:libads: let cldap_ping_list() check for a blacklisted server name
via 49948686de0 winbindd: blacklist servers returning ACCESS_DENIED/authoritative=0
via 23eeafe43e9 winbindd: always use winbind_add_failed_connection_entry() wrapper
via 56b975c4ff4 s3:conncache: improve debugging for the negative connection cache
from 04913d3a42e Add check for the GPO link to have at least two attributes separated by semicolon. Allows to handle empty links.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-test
- Log -----------------------------------------------------------------
commit 9ca7d637aae14c49fa82f3a7becf9b2c1c5f5bf8
Author: Günther Deschner <[email protected]>
Date: Sun Jul 20 18:00:22 2025 +0200
s3-net: fix "net ads kerberos" krb5ccname handling
We can only rely on KRB5CCNAME being set; --use-krb5-ccname content is not available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Günther Deschner <[email protected]>
Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224
(cherry picked from commit 8a97afdae788e8d10a51035f8b287dc00293f90d)
Autobuild-User(v4-21-test): Jule Anger <[email protected]>
Autobuild-Date(v4-21-test): Wed Aug 6 09:29:29 UTC 2025 on atb-devel-224
commit d9fc8dc0d4b775e9b17ef8c5b7aee504ca3fafe7
Author: Günther Deschner <[email protected]>
Date: Sun Jul 20 17:59:37 2025 +0200
s3-selftest: add tests for "net ads kerberos" commands
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 18d0574a0fe4b5fd468f949cfaa507ab4519c9e6)
commit 4750b7b59057bdd97fa34203a6344a2a8b3707b6
Author: Ralph Boehme <[email protected]>
Date: Thu Jul 3 18:42:04 2025 +0200
s3/libsmb: check the negative-conn-cache in resolve_ads()
This way we throw away blacklisted servers right away when learning about them from the DNS SRV query.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
Autobuild-User(master): Günther Deschner <[email protected]>
Autobuild-Date(master): Wed Jul 30 10:10:21 UTC 2025 on atb-devel-224
(cherry picked from commit c1ee6fe9a489a8923d607e14d26768935a398849)
commit ad604bb46f203caca18e4bd19d02e33f11621ea3
Author: Ralph Boehme <[email protected]>
Date: Wed Jul 2 18:49:51 2025 +0200
s3/libsmb: check command in make_dc_info_from_cldap_reply()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 5217bd1a2334825fed32f40c57f72464d126aac0)
commit a0bf6a94267364c59c57a8c442ee0cf7860c3b73
Author: Ralph Boehme <[email protected]>
Date: Fri Jul 25 16:51:31 2025 +0200
libads: check for DCs in paused state in ads_try_connect()
Similar to d3000d7df09de724694aa0682b9750b8c7767514 in master, 4.21 doesn't have netlogon_pings().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Ralph Boehme <[email protected]>
commit e56376504a82080b09ed50c320fddddc0769850d
Author: Ralph Boehme <[email protected]>
Date: Tue Jul 1 18:19:32 2025 +0200
s3/libads: get rid of additional loop calling add_failed_connection_entry()
Just call add_failed_connection_entry() in the initial loop at all places where we have a "bad" result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit a397801598eef4b0381a64a37af1845e9e85a50f)
commit a9250ab504ea30dbf64bad54e5f7f4f7393de832
Author: Stefan Metzmacher <[email protected]>
Date: Tue Jul 4 18:07:51 2023 +0200
s3:libads: let get_kdc_ip_string() check for a blacklisted server name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 63051a2dcbe3a4a07f029e0c18aa90bd3f56b0a4)
commit 2994369b3bdf5b1fe35a6222a380bf0b6def4588
Author: Stefan Metzmacher <[email protected]>
Date: Wed Feb 16 13:09:14 2022 +0100
s3:libads: let cldap_ping_list() check for a blacklisted server name
If we blacklisted a server we should not use it even if it responds to CLDAP requests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Pair-Programmed-With: Ralph Boehme <[email protected]>
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 08c8760ad9706b62755e35acaa121647344a4c9e)
commit 49948686de0bd4235f2a4570f0bfd2c5f73567e5
Author: Stefan Metzmacher <[email protected]>
Date: Wed Feb 16 14:23:16 2022 +0100
winbindd: blacklist servers returning ACCESS_DENIED/authoritative=0
https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit ce80451f3af4418d1c83be009b58b3824c071cae)
commit 23eeafe43e90a62f586a521506ed3d3013852a4e
Author: Stefan Metzmacher <[email protected]>
Date: Wed Feb 16 14:18:50 2022 +0100
winbindd: always use winbind_add_failed_connection_entry() wrapper
We should not use add_failed_connection_entry() directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 7fed75c495ead8f476c805b91cc6624ebf933427)
commit 56b975c4ff461d79a0ca12cf61a3628315655aab
Author: Stefan Metzmacher <[email protected]>
Date: Wed Feb 16 14:18:20 2022 +0100
s3:conncache: improve debugging for the negative connection cache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 613ac83fb7666f5b132187d5587053e0d7dcd46d)
-----------------------------------------------------------------------
Summary of changes:
selftest/knownfail | 1 -
source3/libads/kerberos.c | 21 ++++
source3/libads/ldap.c | 55 +++++++--
source3/libsmb/conncache.c | 8 +-
source3/libsmb/dsgetdcname.c | 6 +
source3/libsmb/namequery.c | 25 +++-
source3/script/tests/test_net_ads_kerberos.sh | 158 ++++++++++++++++++++++++++
source3/selftest/tests.py | 12 ++
source3/utils/net.c | 15 +++
source3/utils/net.h | 1 +
source3/utils/net_ads.c | 6 +-
source3/winbindd/winbindd_cm.c | 2 +-
source3/winbindd/winbindd_pam.c | 96 +++++++++++++++-
source3/winbindd/winbindd_proto.h | 4 +
14 files changed, 383 insertions(+), 27 deletions(-)
create mode 100755 source3/script/tests/test_net_ads_kerberos.sh
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail b/selftest/knownfail
index 5f64e4edad0..a7a2e2b2251 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -343,4 +343,3 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 72ce5b7bb34..106e773f1b6 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -580,11 +580,32 @@ static char *get_kdc_ip_string(char *mem_ctx,
for (i=0; i<num_dcs; i++) {
char *new_kdc_str;
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL;
+ char addr[INET6_ADDRSTRLEN];
if (responses[i] == NULL) {
continue;
}
+ if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) {
+ continue;
+ }
+
+ print_sockaddr(addr, sizeof(addr), &dc_addrs[i]);
+
+ cldap_reply = &responses[i]->data.nt5_ex;
+
+ if (cldap_reply->pdc_dns_name != NULL) {
+ status = check_negative_conn_cache(
+ realm,
+ cldap_reply->pdc_dns_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* propagate blacklisting from name to ip */
+ add_failed_connection_entry(realm, addr,
status);
+ continue;
+ }
+ }
+
/* Append to the string - inefficient but not done often. */
new_kdc_str = talloc_asprintf_append(
kdc_str,
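Review bot: the `ntver != NETLOGON_NT_VERSION_5EX` branch at the top of this hunk silently `continue`s, while the matching branch in cldap_ping_list() (source3/libads/ldap.c in this same series) records an NT_STATUS_INVALID_NETWORK_RESPONSE entry before continuing; doing the same here would stop a DC that keeps answering with the wrong version from being re-tried on every KDC lookup. Also confirm that `realm` is the same key the writers pass as `domain` to add_failed_connection_entry(); if one side uses the DNS realm and the other the NetBIOS domain name, check_negative_conn_cache(realm, cldap_reply->pdc_dns_name) never matches and the name-to-IP propagation added here is a no-op.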
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index a2654c1f504..b9de711b63d 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -280,6 +280,15 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
goto out;
}
+ if (cldap_reply->command == LOGON_SAM_LOGON_PAUSE_RESPONSE ||
+ cldap_reply->command == LOGON_SAM_LOGON_PAUSE_RESPONSE_EX)
+ {
+ DBG_NOTICE("DC %s in paused state\n", addr);
+ ret = false;
+ goto out;
+ }
+
+
/* Fill in the ads->config values */
ADS_TALLOC_CONST_FREE(ads->config.workgroup);
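Review bot: a paused DC is rejected with `ret = false` but nothing is added to the negative connection cache here, and the later hunk in this file removes the catch-all loop that used to blacklist every unsuitable server after the scan; unless the caller blacklists on a false return (not visible in this diff), the paused DC will be picked again on the next CLDAP round. Either add an add_failed_connection_entry() call next to the DBG_NOTICE (with NT_STATUS_NETLOGON_NOT_STARTED, as dsgetdcname.c returns for the same condition) or state in the commit message that paused DCs are deliberately not cached. Style: the hunk leaves two consecutive blank lines before the `/* Fill in the ads->config values */` comment.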
@@ -520,21 +529,53 @@ again:
struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL;
char server[INET6_ADDRSTRLEN];
+ print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
+
if (responses[i] == NULL) {
+ add_failed_connection_entry(
+ domain,
+ server,
+ NT_STATUS_INVALID_NETWORK_RESPONSE);
continue;
}
- print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
-
if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) {
DBG_NOTICE("realm=[%s] nt_version mismatch: 0x%08x for
%s\n",
ads->server.realm,
responses[i]->ntver, server);
+ add_failed_connection_entry(
+ domain,
+ server,
+ NT_STATUS_INVALID_NETWORK_RESPONSE);
continue;
}
cldap_reply = &responses[i]->data.nt5_ex;
+ if (cldap_reply->pdc_dns_name != NULL) {
+ status = check_negative_conn_cache(
+ domain,
+ cldap_reply->pdc_dns_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * only use the server if it's not black listed
+ * by name
+ */
+ DBG_NOTICE("realm=[%s] server=[%s][%s] "
+ "black listed: %s\n",
+ ads->server.realm,
+ server,
+ cldap_reply->pdc_dns_name,
+ nt_errstr(status));
+ /* propagate blacklisting from name to ip */
+ add_failed_connection_entry(domain,
+ server,
+ status);
+ retry = true;
+ continue;
+ }
+ }
+
/* Returns ok only if it matches the correct server type */
ok = ads_fill_cldap_reply(ads,
false,
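Review bot: the name-blacklist branch sets `retry = true` before `continue`, so the `again:` loop is re-entered after the IP has been added to the cache; make sure the name resolution at the top of that loop honours the cache for every backend (the resolve_ads() hunk in this series does for SRV results), otherwise a DC whose pdc_dns_name is blacklisted is returned again and the loop only ends when whatever retry bound exists is hit. Minor: a NULL response (no answer at all) is recorded as NT_STATUS_INVALID_NETWORK_RESPONSE, the same status as a malformed reply at the `ntver` check below; a timeout-style status for the no-reply case would make the INFO line that check_negative_conn_cache() now prints more useful when debugging an outage.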
@@ -573,16 +614,6 @@ again:
}
}
- /* keep track of failures as all were not suitable */
- for (i = 0; i < num_requests; i++) {
- char server[INET6_ADDRSTRLEN];
-
- print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
-
- add_failed_connection_entry(domain, server,
- NT_STATUS_UNSUCCESSFUL);
- }
-
status = NT_STATUS_NO_LOGON_SERVERS;
DBG_WARNING("realm[%s] no valid response "
"num_requests[%zu] for count[%zu] - %s\n",
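Review bot: with the catch-all loop gone, only the paths inside the scan that call add_failed_connection_entry() themselves still populate the cache; the `ok == false` return from ads_fill_cldap_reply() (wrong server type, or the new paused-DC check) is handled in lines elided from this diff, so please confirm that path also records an entry. If it does not, those servers are no longer blacklisted at all, where before this change they received NT_STATUS_UNSUCCESSFUL; if that is intended, say so in the commit message.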
diff --git a/source3/libsmb/conncache.c b/source3/libsmb/conncache.c
index 7310b508a3b..353c1e8f930 100644
--- a/source3/libsmb/conncache.c
+++ b/source3/libsmb/conncache.c
@@ -147,8 +147,9 @@ NTSTATUS check_negative_conn_cache( const char *domain,
const char *server)
if (gencache_get(key, talloc_tos(), &value, NULL))
result = negative_conn_cache_valuedecode(value);
done:
- DEBUG(9,("check_negative_conn_cache returning result %d for domain %s "
- "server %s\n", NT_STATUS_V(result), domain, server));
+ DBG_PREFIX(NT_STATUS_IS_OK(result) ? DBGLVL_DEBUG : DBGLVL_INFO,
+ ("returning result %s for domain %s "
+ "server %s\n", nt_errstr(result), domain, server));
TALLOC_FREE(key);
TALLOC_FREE(value);
return result;
@@ -187,7 +188,8 @@ void add_failed_connection_entry(const char *domain, const
char *server,
if (gencache_set(key, value,
time(NULL) + FAILED_CONNECTION_CACHE_TIMEOUT))
DEBUG(9,("add_failed_connection_entry: added domain %s (%s) "
- "to failed conn cache\n", domain, server ));
+ "to failed conn cache %s\n", domain, server,
+ nt_errstr(result)));
else
DEBUG(1,("add_failed_connection_entry: failed to add "
"domain %s (%s) to failed conn cache\n",
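Review bot: the new format string reads "added domain %s (%s) to failed conn cache %s", so the status is glued onto the sentence without a separator; make it "... to failed conn cache: %s\n" (or "with status %s") so the line is readable and greppable. Consider also raising this message above level 9 to match the DBGLVL_INFO that the check_negative_conn_cache() hunk above now uses for refusals; seeing when a server enters the cache is at least as useful as seeing it being refused.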
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index 654893c172c..a61c34a9ae3 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -791,6 +791,12 @@ static NTSTATUS make_dc_info_from_cldap_reply(
char addr[INET6_ADDRSTRLEN];
+ if (r->command == LOGON_SAM_LOGON_PAUSE_RESPONSE ||
+ r->command == LOGON_SAM_LOGON_PAUSE_RESPONSE_EX)
+ {
+ return NT_STATUS_NETLOGON_NOT_STARTED;
+ }
+
if (sa != NULL) {
print_sockaddr(addr, sizeof(addr), &sa->u.ss);
dc_address = addr;
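Review bot: the paused-DC early return here is silent, whereas the equivalent check in ads_fill_cldap_reply() logs a DBG_NOTICE with the address; since `addr` is filled in a few lines below, move the check after print_sockaddr() (or log r->pdc_dns_name) so an admin can see which DC is paused. The two checks also report the condition differently (NT_STATUS_NETLOGON_NOT_STARTED here, a bare `false` there); the commit message should say why the callers need different treatment.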
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index 9a47f034d38..779386be39d 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -2576,6 +2576,14 @@ static NTSTATUS resolve_ads(TALLOC_CTX *ctx,
for(i = 0; i < numdcs; i++) {
/* Copy all the IP addresses from the SRV response */
size_t j;
+
+ status = check_negative_conn_cache(name, dcs[i].hostname);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("Skipping blacklisted server [%s] "
+ "for domain [%s]", dcs[i].hostname, name);
+ continue;
+ }
+
for (j = 0; j < dcs[i].num_ips; j++) {
char addr[INET6_ADDRSTRLEN];
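Review bot: the DBG_DEBUG format string "Skipping blacklisted server [%s] for domain [%s]" has no trailing "\n", unlike the other messages in this function, so it will run into the next log entry. Also `status` is overwritten by check_negative_conn_cache() here; if the last SRV hostname is blacklisted the loop exits with `status` non-OK, so double-check that the function reassigns `status` before returning rather than propagating the cache status for a lookup that may still have produced usable addresses.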
@@ -2584,12 +2592,19 @@ static NTSTATUS resolve_ads(TALLOC_CTX *ctx,
continue;
}
+ print_sockaddr(addr,
+ sizeof(addr),
+ &srv_addrs[num_srv_addrs]);
+
DBG_DEBUG("SRV lookup %s got IP[%zu] %s\n",
- name,
- j,
- print_sockaddr(addr,
- sizeof(addr),
- &srv_addrs[num_srv_addrs]));
+ name, j, addr);
+
+ status = check_negative_conn_cache(name, addr);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("Skipping blacklisted server [%s] "
+ "for domain [%s]", addr, name);
+ continue;
+ }
num_srv_addrs++;
}
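Review bot: same missing "\n" in the second "Skipping blacklisted server" message, and the same `status` overwrite concern as for the hostname check applies to the per-IP check. The ordering is correct: the address is stored at srv_addrs[num_srv_addrs] before the check and num_srv_addrs is only incremented when it passes, so a skipped address is simply overwritten by the next candidate; a one-line comment saying so would save the next reader a moment.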
diff --git a/source3/script/tests/test_net_ads_kerberos.sh
b/source3/script/tests/test_net_ads_kerberos.sh
new file mode 100755
index 00000000000..8a3c9ef2bc7
--- /dev/null
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -0,0 +1,158 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_net_ads_kerberos.sh USERNAME REALM PASSWORD PREFIX
+EOF
+ exit 1
+fi
+
+USERNAME="$1"
+REALM="$2"
+PASSWORD="$3"
+PREFIX="$4"
+shift 4
+ADDARGS="$*"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+mkdir -p "$PREFIX"/private
+PACFILE=$PREFIX/private/pacsave.$$
+
+KRB5CCNAME_PATH="$PREFIX/net_ads_kerberos_krb5ccache"
+rm -f "$KRB5CCNAME_PATH"
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos kinit" variants
+#################################################
+
+testit "net_ads_kerberos_kinit" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+# $VALGRIND $BINDIR/net ads kerberos kinit \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# --use-krb5-ccache=${KRB5CCNAME} \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_kinit (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+# $VALGRIND $BINDIR/net ads kerberos kinit \
+# -P $ADDARGS \
+# --use-krb5-ccache=${KRB5CCNAME} \
+# || failed=$((failed + 1))
+
+
+#################################################
+## Test "net ads kerberos renew" variants
+#################################################
+
+#testit "net_ads_kerberos_renew" \
+# $VALGRIND $BINDIR/net ads kerberos renew \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+#
+#export KRB5CCNAME=$KRB5CCNAME_PATH
+#testit "net_ads_kerberos_renew (KRB5CCNAME env)" \
+# $VALGRIND $BINDIR/net ads kerberos renew \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+#unset KRB5CCNAME
+#rm -f $KRB5CCNAME_PATH
+#
+# renew only succeeds with pre-kinit
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+testit "net_ads_kerberos_renew" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos renew \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos pac" variants
+#################################################
+
+testit "net_ads_kerberos_pac_dump" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+
+IMPERSONATE_PRINC="alice@$REALM"
+
+#testit "net_ads_kerberos_pac_dump (impersonate)" \
+# $VALGRIND $BINDIR/net ads kerberos pac dump \
+# -U$USERNAME%$PASSWORD \
+# impersonate=$IMPERSONATE_PRINC $ADDARGS \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (impersonate and -P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -P \
+ impersonate="$IMPERSONATE_PRINC" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+# no clue why this doesn't work...
+#
+#testit_expect_failure "net_ads_kerberos_pac_save (without filename)"
+# $VALGRIND $BINDIR/net ads kerberos pac save \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_save" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ filename="$PACFILE" \
+ || failed=$((failed + 1))
+
+rm -f "$PACFILE"
+
+testit "net_ads_kerberos_pac_save (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+ -P "$ADDARGS" \
+ filename="$PACFILE" \
+ || failed=$((failed + 1))
+
+rm -f "$PACFILE"
+rm -f "$KRB5CCNAME_PATH"
+
+testok "$0" "$failed"
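Review bot: the argument check requires at least five arguments (`$# -lt 5`) but the usage text lists four and the script consumes four before `shift 4`; either list the optional extra arguments in the usage line or relax the check to `-lt 4`. `KRB5CCNAME="FILE:$KRB5CCNAME_PATH"` near the top is assigned but never exported or used; every later test exports the bare path, so the FILE: form is dead code. Two testit() calls share the name "net_ads_kerberos_kinit (KRB5CCNAME env set)" (the second is the pre-kinit for the renew test), which makes the subunit results ambiguous; rename the second. `"$ADDARGS"` is passed as a single quoted word, which only works while tests.py passes exactly one extra argument (`--configfile=...`). `failed` is never initialised to 0 and only works because an unset variable reads as 0 inside `$((...))`. The commented-out cases (--use-krb5-ccache, renew without a prior kinit, pac save without filename, impersonate with -U) document open problems; a bug reference or knownfail entry next to each would be better than the "no clue why this doesn't work" comment.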
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index fe67a4df896..86d660800dc 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1887,6 +1887,18 @@ plantestsuite(
"bin/samba-tool",
'$DNSNAME'])
+for auth in ["$DC_USERNAME", "$DOMAIN\\\\$DC_USERNAME", "$DC_USERNAME@$REALM"
]:
+ plantestsuite(
+ "samba3.blackbox.net_ads_kerberos (%s)" % auth,
+ "ad_member:local",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_net_ads_kerberos.sh"),
+ auth,
+ '$REALM',
+ '$DC_PASSWORD',
+ '$PREFIX',
+ configuration])
+
plantestsuite("samba3.blackbox.force-user-unlink",
"maptoguest:local",
[os.path.join(samba3srcdir,
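Review bot: `"$DOMAIN\\\\$DC_USERNAME"` is the two-character sequence `\\` in the Python string; whether the selftest harness and then the shell collapse that to a single backslash before `net` sees it depends on how the argument is passed, so compare with how other samba3.blackbox suites in this file spell the DOMAIN\user form and keep it consistent. All three auth variants also write the same `$PREFIX/net_ads_kerberos_krb5ccache` and pacsave paths; fine while the suites run sequentially, but worth a comment.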
diff --git a/source3/utils/net.c b/source3/utils/net.c
index c432ebe991f..7ce93ced79e 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1394,6 +1394,7 @@ static struct functable net_func[] = {
cli_credentials_get_principal_obtained(c->creds);
enum credentials_obtained password_obtained =
cli_credentials_get_password_obtained(c->creds);
+ char *krb5ccname = NULL;
if (principal_obtained == CRED_SPECIFIED) {
c->explicit_credentials = true;
@@ -1410,6 +1411,20 @@ static struct functable net_func[] = {
GENSEC_FEATURE_NTLM_CCACHE,
CRED_SPECIFIED);
}
+
+ /* cli_credentials_get_ccache_name_obtained() would not work
+ * here, we also cannot get the content of --use-krb5-ccache= so
+ * for now at least honour the KRB5CCNAME environment variable
+ * to get 'net ads kerberos' functions to work at all - gd */
+
+ krb5ccname = getenv("KRB5CCNAME");
+ if (krb5ccname == NULL) {
+ krb5ccname = talloc_strdup(c, "MEMORY:net");
+ }
+ if (krb5ccname == NULL) {
+ exit(1);
+ }
+ c->opt_krb5_ccache = krb5ccname;
}
c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
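Review bot: the `MEMORY:net` fallback is a behaviour change compared with passing NULL, which let libkrb5 choose the default credential cache: without KRB5CCNAME in the environment, `net ads kerberos kinit` now obtains a TGT into a cache that disappears when the process exits, so the command has no visible effect and a following `net ads kerberos renew` cannot find the ticket (the new test script already notes that renew only works after a kinit into the same exported cache). Document this in net(8) and consider printing a warning when KRB5CCNAME is unset. Also the two branches give `c->opt_krb5_ccache` different lifetimes (a pointer into environ versus a talloc child of `c`); talloc_strdup() the getenv() result too so the field always owns its string, and print a message before the silent `exit(1)` on allocation failure.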
diff --git a/source3/utils/net.h b/source3/utils/net.h
index 8540a6db9d4..8a4218b529f 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -97,6 +97,7 @@ struct net_context {
const char *opt_witness_new_ip;
int opt_witness_new_node;
const char *opt_witness_forced_response;
+ const char *opt_krb5_ccache;
int opt_have_ip;
struct sockaddr_storage opt_dest_ip;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 163dcf3efd6..9ba7afe1e04 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3030,7 +3030,7 @@ static int net_ads_kerberos_renew(struct net_context *c,
int argc, const char **
return -1;
}
- ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
+ ret = smb_krb5_renew_ticket(c->opt_krb5_ccache, NULL, NULL, NULL);
if (ret) {
d_printf(_("failed to renew kerberos ticket: %s\n"),
error_message(ret));
@@ -3085,7 +3085,7 @@ static int net_ads_kerberos_pac_common(struct net_context
*c, int argc, const ch
0,
NULL,
NULL,
- NULL,
+ c->opt_krb5_ccache,
true,
true,
2592000, /* one month */
@@ -3266,7 +3266,7 @@ static int net_ads_kerberos_kinit(struct net_context *c,
int argc, const char **
0,
NULL,
NULL,
- NULL,
+ c->opt_krb5_ccache,
true,
true,
2592000, /* one month */
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 9e51ee2acfe..53800988306 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -320,7 +320,7 @@ void set_domain_online_request(struct winbindd_domain
*domain)
Add -ve connection cache entries for domain and realm.
****************************************************************/
-static void winbind_add_failed_connection_entry(
+void winbind_add_failed_connection_entry(
const struct winbindd_domain *domain,
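Review bot: the diff is cut off here by the 500-line limit, so the prototype added to source3/winbindd/winbindd_proto.h and the 96-line source3/winbindd/winbindd_pam.c change that implements the ACCESS_DENIED/authoritative=0 blacklisting from commit 49948686de0 are not visible in this message; reviewers of the backport should read those from the repository link above rather than from this notification.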
--
Samba Shared Repository