The branch, v4-22-test has been updated
via 33647976766 s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in
gensec
via 00adb3104e7 s3:netlogon: IPA DC is the PDC as well - allow
ROLE_IPA_DC in _netr_DsRGetForestTrustInformation()
via d14fa6eb96a docs-xml: Make smb.conf 'server role' value consistent
with ROLE_IPA_DC in libparam
via fe8eafc289d s3:winbindd: Resolve dc name using CLDAP also for
ROLE_IPA_DC
via 25f5debf01e s3-net: fix "net ads kerberos" krb5ccname handling
via b17dec31068 s3-selftest: add tests for "net ads kerberos" commands
from 4a05b06b12a s3/libsmb: check the negative-conn-cache in
resolve_ads()
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-test
- Log -----------------------------------------------------------------
commit 3364797676624aa9367076a69b2daf73870429ba
Author: Pavel Filipenský <[email protected]>
Date: Mon Aug 4 23:28:24 2025 +0200
s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in gensec
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Andreas Schneider <[email protected]>
Autobuild-Date(master): Tue Aug 5 14:51:51 UTC 2025 on atb-devel-224
(cherry picked from commit a4dff82e45308db3ccabac2a55c03d52f04d7b4d)
Autobuild-User(v4-22-test): Jule Anger <[email protected]>
Autobuild-Date(v4-22-test): Mon Aug 11 07:53:47 UTC 2025 on atb-devel-224
commit 00adb3104e745babb2c330fa9c9e324805395edb
Author: Pavel Filipenský <[email protected]>
Date: Mon Aug 4 23:26:02 2025 +0200
s3:netlogon: IPA DC is the PDC as well - allow ROLE_IPA_DC in
_netr_DsRGetForestTrustInformation()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 1dbafcc4e4ff8f39af5ca737b30e9821413dd1f2)
commit d14fa6eb96a9f296d386ff4864e4f016440f2ac8
Author: Pavel Filipenský <[email protected]>
Date: Mon Aug 4 08:35:29 2025 +0200
docs-xml: Make smb.conf 'server role' value consistent with ROLE_IPA_DC in
libparam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit d88268102ade07fab345e04109818d97d8843a14)
commit fe8eafc289dfbb6f2b6c706f2a8a68186807d4f8
Author: Pavel Filipenský <[email protected]>
Date: Wed Jul 23 15:09:21 2025 +0200
s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling
in dcip_check_name(). We should resolve the DC name using:
- CLDAP in dcip_check_name_ads()
instead of:
- NETBIOS in nbt_getdc() that fails if Windows is not providing netbios.
The impacted environment has:
domain->alt_name = example.com
domain->active_directory = 1
security = USER
server role = ROLE_IPA_DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <[email protected]>
Signed-off-by: Andreas Schneider <[email protected]>
Pair-programmed-with: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
(cherry picked from commit 4921c3304e5e0480e5bb80a757b3f04b3b92c3b1)
commit 25f5debf01e8163d06c0039fb6a84b3ef0c4ded3
Author: Günther Deschner <[email protected]>
Date: Sun Jul 20 18:00:22 2025 +0200
s3-net: fix "net ads kerberos" krb5ccname handling
We can only rely on KRB5CCNAME being set, --use-krb5-ccname content is
not available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Günther Deschner <[email protected]>
Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224
(cherry picked from commit 8a97afdae788e8d10a51035f8b287dc00293f90d)
commit b17dec310680ddc5f8d704e6cf3d4c6194f86acc
Author: Günther Deschner <[email protected]>
Date: Sun Jul 20 17:59:37 2025 +0200
s3-selftest: add tests for "net ads kerberos" commands
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 18d0574a0fe4b5fd468f949cfaa507ab4519c9e6)
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/security/serverrole.xml | 2 +-
selftest/knownfail | 1 -
source3/rpc_server/netlogon/srv_netlog_nt.c | 5 +-
source3/script/tests/test_net_ads_kerberos.sh | 158 ++++++++++++++++++++++++++
source3/selftest/tests.py | 12 ++
source3/utils/net.c | 15 +++
source3/utils/net.h | 1 +
source3/utils/net_ads.c | 6 +-
source3/utils/ntlm_auth.c | 6 +-
source3/winbindd/winbindd_cm.c | 4 +-
10 files changed, 202 insertions(+), 8 deletions(-)
create mode 100755 source3/script/tests/test_net_ads_kerberos.sh
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/serverrole.xml
b/docs-xml/smbdotconf/security/serverrole.xml
index 4ea4e4751ee..40244e125ce 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,7 +78,7 @@
url="http://wiki.samba.org/index.php/Samba4/HOWTO";>Samba4
HOWTO</ulink></para>
- <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN
CONTROLLER</emphasis></para>
+ <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA PRIMARY DOMAIN
CONTROLLER</emphasis></para>
<para>This mode of operation runs Samba in a hybrid mode for IPA
domain controller, providing forest trust to Active Directory.
diff --git a/selftest/knownfail b/selftest/knownfail
index 103a0bb1d76..ab2d79d7114 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -338,4 +338,3 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c
b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 896e4e60d5a..c3759a558ca 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2655,7 +2655,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct
pipes_struct *p,
return WERR_INVALID_FLAGS;
}
- if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() !=
ROLE_DOMAIN_PDC)) {
+ if ((r->in.flags & DS_GFTI_UPDATE_TDO) &&
+ (lp_server_role() != ROLE_DOMAIN_PDC) &&
+ (lp_server_role() != ROLE_IPA_DC))
+ {
p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NERR_NOTPRIMARY;
}
diff --git a/source3/script/tests/test_net_ads_kerberos.sh
b/source3/script/tests/test_net_ads_kerberos.sh
new file mode 100755
index 00000000000..8a3c9ef2bc7
--- /dev/null
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -0,0 +1,158 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_net_ads_kerberos.sh USERNAME REALM PASSWORD PREFIX
+EOF
+ exit 1
+fi
+
+USERNAME="$1"
+REALM="$2"
+PASSWORD="$3"
+PREFIX="$4"
+shift 4
+ADDARGS="$*"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+mkdir -p "$PREFIX"/private
+PACFILE=$PREFIX/private/pacsave.$$
+
+KRB5CCNAME_PATH="$PREFIX/net_ads_kerberos_krb5ccache"
+rm -f "$KRB5CCNAME_PATH"
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos kinit" variants
+#################################################
+
+testit "net_ads_kerberos_kinit" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+# $VALGRIND $BINDIR/net ads kerberos kinit \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# --use-krb5-ccache=${KRB5CCNAME} \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_kinit (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+# $VALGRIND $BINDIR/net ads kerberos kinit \
+# -P $ADDARGS \
+# --use-krb5-ccache=${KRB5CCNAME} \
+# || failed=$((failed + 1))
+
+
+#################################################
+## Test "net ads kerberos renew" variants
+#################################################
+
+#testit "net_ads_kerberos_renew" \
+# $VALGRIND $BINDIR/net ads kerberos renew \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+#
+#export KRB5CCNAME=$KRB5CCNAME_PATH
+#testit "net_ads_kerberos_renew (KRB5CCNAME env)" \
+# $VALGRIND $BINDIR/net ads kerberos renew \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+#unset KRB5CCNAME
+#rm -f $KRB5CCNAME_PATH
+#
+# renew only succeeds with pre-kinit
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+testit "net_ads_kerberos_renew" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos renew \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos pac" variants
+#################################################
+
+testit "net_ads_kerberos_pac_dump" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
+
+IMPERSONATE_PRINC="alice@$REALM"
+
+#testit "net_ads_kerberos_pac_dump (impersonate)" \
+# $VALGRIND $BINDIR/net ads kerberos pac dump \
+# -U$USERNAME%$PASSWORD \
+# impersonate=$IMPERSONATE_PRINC $ADDARGS \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (impersonate and -P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+ -P \
+ impersonate="$IMPERSONATE_PRINC" "$ADDARGS" \
+ || failed=$((failed + 1))
+
+# no clue why this doesn't work...
+#
+#testit_expect_failure "net_ads_kerberos_pac_save (without filename)"
+# $VALGRIND $BINDIR/net ads kerberos pac save \
+# -U$USERNAME%$PASSWORD $ADDARGS \
+# || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_save" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ filename="$PACFILE" \
+ || failed=$((failed + 1))
+
+rm -f "$PACFILE"
+
+testit "net_ads_kerberos_pac_save (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+ -P "$ADDARGS" \
+ filename="$PACFILE" \
+ || failed=$((failed + 1))
+
+rm -f "$PACFILE"
+rm -f "$KRB5CCNAME_PATH"
+
+testok "$0" "$failed"
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 3768b919c3e..e4c897cd1da 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1900,6 +1900,18 @@ plantestsuite(
"bin/samba-tool",
'$DNSNAME'])
+for auth in ["$DC_USERNAME", "$DOMAIN\\\\$DC_USERNAME", "$DC_USERNAME@$REALM"
]:
+ plantestsuite(
+ "samba3.blackbox.net_ads_kerberos (%s)" % auth,
+ "ad_member:local",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_net_ads_kerberos.sh"),
+ auth,
+ '$REALM',
+ '$DC_PASSWORD',
+ '$PREFIX',
+ configuration])
+
plantestsuite("samba3.blackbox.force-user-unlink",
"maptoguest:local",
[os.path.join(samba3srcdir,
diff --git a/source3/utils/net.c b/source3/utils/net.c
index c432ebe991f..7ce93ced79e 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1394,6 +1394,7 @@ static struct functable net_func[] = {
cli_credentials_get_principal_obtained(c->creds);
enum credentials_obtained password_obtained =
cli_credentials_get_password_obtained(c->creds);
+ char *krb5ccname = NULL;
if (principal_obtained == CRED_SPECIFIED) {
c->explicit_credentials = true;
@@ -1410,6 +1411,20 @@ static struct functable net_func[] = {
GENSEC_FEATURE_NTLM_CCACHE,
CRED_SPECIFIED);
}
+
+ /* cli_credentials_get_ccache_name_obtained() would not work
+ * here, we also cannot get the content of --use-krb5-ccache= so
+ * for now at least honour the KRB5CCNAME environment variable
+ * to get 'net ads kerberos' functions to work at all - gd */
+
+ krb5ccname = getenv("KRB5CCNAME");
+ if (krb5ccname == NULL) {
+ krb5ccname = talloc_strdup(c, "MEMORY:net");
+ }
+ if (krb5ccname == NULL) {
+ exit(1);
+ }
+ c->opt_krb5_ccache = krb5ccname;
}
c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
diff --git a/source3/utils/net.h b/source3/utils/net.h
index 8540a6db9d4..8a4218b529f 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -97,6 +97,7 @@ struct net_context {
const char *opt_witness_new_ip;
int opt_witness_new_node;
const char *opt_witness_forced_response;
+ const char *opt_krb5_ccache;
int opt_have_ip;
struct sockaddr_storage opt_dest_ip;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 0128f3eb7e8..46531210411 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3036,7 +3036,7 @@ static int net_ads_kerberos_renew(struct net_context *c,
int argc, const char **
return -1;
}
- ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
+ ret = smb_krb5_renew_ticket(c->opt_krb5_ccache, NULL, NULL, NULL);
if (ret) {
d_printf(_("failed to renew kerberos ticket: %s\n"),
error_message(ret));
@@ -3091,7 +3091,7 @@ static int net_ads_kerberos_pac_common(struct net_context
*c, int argc, const ch
0,
NULL,
NULL,
- NULL,
+ c->opt_krb5_ccache,
true,
true,
2592000, /* one month */
@@ -3272,7 +3272,7 @@ static int net_ads_kerberos_kinit(struct net_context *c,
int argc, const char **
0,
NULL,
NULL,
- NULL,
+ c->opt_krb5_ccache,
true,
true,
2592000, /* one month */
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 905f33840b1..d39956c3bee 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1355,7 +1355,11 @@ static NTSTATUS
ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx,
cli_credentials_set_conf(server_credentials, lp_ctx);
- if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() ==
SEC_ADS || USE_KERBEROS_KEYTAB) {
+ if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC ||
+ lp_server_role() == ROLE_IPA_DC ||
+ lp_security() == SEC_ADS ||
+ USE_KERBEROS_KEYTAB)
+ {
cli_credentials_set_kerberos_state(server_credentials,
CRED_USE_KERBEROS_DESIRED,
CRED_SPECIFIED);
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index bff3a9ce4f9..d52deccf430 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1098,7 +1098,9 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
is_ad_domain = true;
- } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+ } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC ||
+ lp_server_role() == ROLE_IPA_DC)
+ {
is_ad_domain = domain->active_directory;
}
--
Samba Shared Repository
