From 3b25f764e714dee0327fd4f068bd14650f7e7ab4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 7 Dec 2023 09:18:26 +0100 Subject: [PATCH 01/13] s3:tests: Fix authentication with smbget_user in smbget tests Currently the smget share is broken. We set `guest ok = yes` so if you specify invalid names, the authentication will still succeed as we are mapped to guest. The smbget_user is a local ad_member user. We need to set the workstation as the "domain" for the user. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit c14c5dec09fe1c86b29b3091ad521e73a2e1c3e9) --- source3/script/tests/test_smbget.sh | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh index bdc62a71eff..5ab35a03e24 100755 --- a/source3/script/tests/test_smbget.sh +++ b/source3/script/tests/test_smbget.sh @@ -72,7 +72,7 @@ test_singlefile_guest() test_singlefile_U() { clear_download_area - $SMBGET --verbose -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 @@ -132,7 +132,7 @@ test_singlefile_U_domain() test_singlefile_smburl() { clear_download_area - $SMBGET --workgroup $DOMAIN smb://$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile + $SMBGET --workgroup $DOMAIN smb://${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 @@ -148,7 +148,7 @@ test_singlefile_smburl() test_singlefile_smburl2() { clear_download_area - $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile" + $SMBGET "smb://$DOMAIN;${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile" if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 
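Review bot: The rewritten `-U${SERVER}/${USERNAME}%$PASSWORD` argument in test_singlefile_U is still unquoted, so a user name or password containing whitespace or glob characters would be split or expanded by the shell before smbget sees it. Quoting the whole option, `-U"${SERVER}/${USERNAME}%${PASSWORD}"`, avoids that. The same applies to the other `-U` lines this patch touches (test_recursive_U, test_recursive_existing_dir, test_recursive_with_empty, test_resume, test_resume_modified, test_update, test_encrypt) and to the unquoted `smb://${USERNAME}:$PASSWORD@$SERVER_IP/...` URL in test_singlefile_smburl. Each of these function bodies continues outside its hunk.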
@@ -165,7 +165,7 @@ test_singlefile_authfile() { clear_download_area cat >"${TMPDIR}/authfile" << EOF -username = $USERNAME +username = ${SERVER}/${USERNAME} password = $PASSWORD EOF $SMBGET --verbose --authentication-file="${TMPDIR}/authfile" smb://$SERVER_IP/smbget/testfile @@ -186,7 +186,7 @@ EOF test_recursive_U() { clear_download_area - $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/ + $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/ if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 @@ -207,7 +207,7 @@ test_recursive_existing_dir() { clear_download_area mkdir dir1 - $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/ + $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/ if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 @@ -230,7 +230,7 @@ test_recursive_with_empty() # create some additional empty directories mkdir -p $WORKDIR/dir001/dir002/dir003 mkdir -p $WORKDIR/dir004/dir005/dir006 - $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/ + $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/ rc=$? rm -rf $WORKDIR/dir001 rm -rf $WORKDIR/dir004 @@ -260,7 +260,7 @@ test_resume() clear_download_area cp $WORKDIR/testfile . truncate -s 1024 testfile - $SMBGET --verbose --resume -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose --resume -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 
@@ -279,7 +279,7 @@ test_resume_modified() { clear_download_area dd if=/dev/urandom bs=1024 count=2 of=testfile - $SMBGET --verbose --resume -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose --resume -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile if [ $? -ne 1 ]; then echo 'ERROR: RC does not match, expected: 1' return 1 @@ -291,14 +291,14 @@ test_resume_modified() test_update() { clear_download_area - $SMBGET --verbose -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 fi # secondary download should pass - $SMBGET --verbose --update -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose --update -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 @@ -308,7 +308,7 @@ test_update() # touch source to trigger new download sleep 2 touch -m $WORKDIR/testfile - $SMBGET --verbose --update -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose --update -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 @@ -397,7 +397,7 @@ test_limit_rate() test_encrypt() { clear_download_area - $SMBGET --verbose --encrypt -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose --encrypt -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 
@@ -409,7 +409,7 @@ test_encrypt() fi clear_download_area - $SMBGET --verbose --client-protection=encrypt -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose --client-protection=encrypt -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 -- 2.43.0 From a61c1ed2e21640a60b219b8efb16fed7ddfbce7c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 8 Dec 2023 13:06:27 +0100 Subject: [PATCH 02/13] selftest: Remove trailing tabs/white spaces in Samba4.pm BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit a2af6946f5e53b7d954aa54d3d115dbe4975b1c4) --- selftest/target/Samba4.pm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index a10c1313322..e559bf888a9 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -559,7 +559,7 @@ sub provision_raw_prepare($$$$$$$$$$$$$$) warn("Unable to clean up"); } - + my $swiface = Samba::get_interface($hostname); $ctx->{prefix} = $prefix; @@ -1034,7 +1034,7 @@ replace: userPrincipalName userPrincipalName: testallowed upn\@$ctx->{realm} replace: servicePrincipalName servicePrincipalName: host/testallowed -- +- "; close($ldif); unless ($? == 0) { @@ -1057,7 +1057,7 @@ servicePrincipalName: host/testallowed changetype: modify replace: userPrincipalName userPrincipalName: testdenied_upn\@$ctx->{realm}.upn -- +- "; close($ldif); unless ($? == 0) { @@ -2225,7 +2225,7 @@ sub provision_chgdcpass($$) warn("Unable to add wins configuration"); return undef; } - + # Remove secrets.tdb from this environment to test that we # still start up on systems without the new matching # secrets.tdb records. -- 2.43.0 From 4177d6b866f8a0a72ebe208c5025ad643a2610d8 Mon Sep 17 00:00:00 2001 
From: Andreas Schneider Date: Fri, 8 Dec 2023 13:07:19 +0100 Subject: [PATCH 03/13] selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables We should start using those in future. So we can distinguish which privileges we want. Currently DC_USERNAME is the Administrator. Whatever possible should use DOMIAN_USER instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 56d0c3a0263ed166452c129219e7a391ba4d014c) --- selftest/target/Samba.pm | 4 ++++ selftest/target/Samba3.pm | 24 ++++++++++++++++++++++++ selftest/target/Samba4.pm | 8 ++++++++ 3 files changed, 36 insertions(+) diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index b959db493ca..e4bd6a0d5d2 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -947,6 +947,10 @@ my @exported_envvars = ( "PASSWORD", "DC_USERNAME", "DC_PASSWORD", + "DOMAIN_ADMIN", + "DOMAIN_ADMIN_PASSWORD", + "DOMAIN_USER", + "DOMAIN_USER_PASSWORD", # UID/GID for rfc2307 mapping tests "UID_RFC2307TEST", diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 85e69e4b72d..8755d0a2f1f 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1006,6 +1006,10 @@ sub provision_ad_member $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; $ret->{DC_USERNAME} = $dcvars->{USERNAME}; $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; + $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; + $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; + $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; # forest trust $ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER}; 
@@ -1171,6 +1175,10 @@ sub setup_ad_member_rfc2307 $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; $ret->{DC_USERNAME} = $dcvars->{USERNAME}; $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; + $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; + $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; + $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; return $ret; } @@ -1267,6 +1275,10 @@ sub setup_admem_idmap_autorid $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; $ret->{DC_USERNAME} = $dcvars->{USERNAME}; $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; + $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; + $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; + $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; return $ret; } @@ -1366,6 +1378,10 @@ sub setup_ad_member_idmap_rid $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; $ret->{DC_USERNAME} = $dcvars->{USERNAME}; $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; + $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; + $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; + $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; return $ret; } @@ -1466,6 +1482,10 @@ sub setup_ad_member_idmap_ad $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; $ret->{DC_USERNAME} = $dcvars->{USERNAME}; $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; + $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; + $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; + $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER}; $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME}; 
@@ -1558,6 +1578,10 @@ sub setup_ad_member_oneway $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; $ret->{DC_USERNAME} = $dcvars->{USERNAME}; $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; + $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; + $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; + $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER}; $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME}; diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index e559bf888a9..cbaacce48da 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -587,6 +587,10 @@ sub provision_raw_prepare($$$$$$$$$$$$$$) $ctx->{realm} = uc($realm); $ctx->{dnsname} = lc($realm); $ctx->{samsid} = $samsid; + $ctx->{domain_admin} = "Administrator"; + $ctx->{domain_admin_password} = $password; + $ctx->{domain_user} = "alice"; + $ctx->{domain_user_password} = "Secret007"; $ctx->{functional_level} = $functional_level; @@ -906,6 +910,10 @@ nogroup:x:65534:nobody DOMAIN => $ctx->{domain}, USERNAME => $ctx->{username}, DC_USERNAME => $ctx->{username}, + DOMAIN_ADMIN => $ctx->{domain_admin}, + DOMAIN_ADMIN_PASSWORD => $ctx->{domain_admin_password}, + DOMAIN_USER => $ctx->{domain_user}, + DOMAIN_USER_PASSWORD => $ctx->{domain_user_password}, REALM => $ctx->{realm}, DNSNAME => $ctx->{dnsname}, SAMSID => $ctx->{samsid}, -- 2.43.0 From c5839fd47591e46431d56091f151f22a5e35d16c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 7 Dec 2023 09:45:54 +0100 Subject: [PATCH 04/13] s3:tests: Pass down a normal domain user for test_smbget.sh It is better to test with a normal user than administrator. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 
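Review bot: The Samba4.pm hunk in provision_raw_prepare sets `domain_user` to "alice" and `domain_user_password` to the literal "Secret007", but nothing in the hunk ties these values to the place where that account is created. If the account's password is set elsewhere in the provisioning code (not visible here), the two literals can drift apart, and on a share that still maps failed logons to guest the mismatch could go unnoticed. A comment above the two assignments, for example `# must match the password given to alice when the test users are created`, or a single shared variable, would make the dependency explicit. The sub starts and ends outside the hunk.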
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 337034e675aaeb366d360a791ec0d003426230af) --- source3/script/tests/test_smbget.sh | 22 ++++++++++++---------- source3/selftest/tests.py | 2 ++ 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh index 5ab35a03e24..257291b18ff 100755 --- a/source3/script/tests/test_smbget.sh +++ b/source3/script/tests/test_smbget.sh @@ -16,9 +16,11 @@ DOMAIN=${3} REALM=${4} USERNAME=${5} PASSWORD=${6} -WORKDIR=${7} -SMBGET="$VALGRIND ${8}" -shift 8 +DOMAIN_USER=${7} +DOMAIN_USER_PASSWORD=${8} +WORKDIR=${9} +SMBGET="$VALGRIND ${10}" +shift 10 TMPDIR="$SELFTEST_TMPDIR" @@ -89,7 +91,7 @@ test_singlefile_U_UPN() { clear_download_area - ${SMBGET} --verbose -U"${DC_USERNAME}@${REALM}%${DC_PASSWORD}" \ + ${SMBGET} --verbose -U"${DOMAIN_USER}@${REALM}%${DOMAIN_USER_PASSWORD}" \ "smb://${SERVER_IP}/smbget/testfile" ret=${?} if [ ${ret} -ne 0 ]; then @@ -111,7 +113,7 @@ test_singlefile_U_domain() { clear_download_area - ${SMBGET} --verbose -U"${DOMAIN}/${DC_USERNAME}%${DC_PASSWORD}" \ + ${SMBGET} --verbose -U"${DOMAIN}/${DOMAIN_USER}%${DOMAIN_USER_PASSWORD}" \ "smb://${SERVER_IP}/smbget/testfile" ret=${?} if [ ${ret} -ne 0 ]; then @@ -132,7 +134,7 @@ test_singlefile_U_domain() test_singlefile_smburl() { clear_download_area - $SMBGET --workgroup $DOMAIN smb://${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile + $SMBGET --workgroup $DOMAIN smb://${DOMAIN_USER}:$DOMAIN_USER_PASSWORD@$SERVER_IP/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 @@ -148,7 +150,7 @@ test_singlefile_smburl() test_singlefile_smburl2() { clear_download_area - $SMBGET "smb://$DOMAIN;${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile" + $SMBGET "smb://$DOMAIN;${DOMAIN_USER}:$DOMAIN_USER_PASSWORD@$SERVER_IP/smbget/testfile" if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 
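Review bot: WORKDIR and SMBGET move from `${7}`/`${8}` to `${9}`/`${10}` and the script now does `shift 10`, but nothing in the first hunk verifies that ten arguments were passed. With a short invocation WORKDIR would be empty, and later lines such as `rm -rf $WORKDIR/dir001` would then operate on a path under `/`. If an argument-count check or usage text exists earlier in the script (outside the hunk) it should be raised to match, e.g. `if [ $# -lt 10 ]; then`, and the usage line should list DOMAIN_USER and DOMAIN_USER_PASSWORD.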
@@ -343,7 +345,7 @@ test_msdfs_link_domain() { clear_download_area - ${SMBGET} --verbose "-U${DOMAIN}/${DC_USERNAME}%${DC_PASSWORD}" \ + ${SMBGET} --verbose "-U${DOMAIN}/${DOMAIN_USER}%${DOMAIN_USER_PASSWORD}" \ "smb://${SERVER}/msdfs-share/deeppath/msdfs-src2/readable_file" ret=$? if [ ${ret} -ne 0 ]; then @@ -358,7 +360,7 @@ test_msdfs_link_upn() { clear_download_area - ${SMBGET} --verbose "-U${DC_USERNAME}@${REALM}%${DC_PASSWORD}" \ + ${SMBGET} --verbose "-U${DOMAIN_USER}@${REALM}%${DOMAIN_USER_PASSWORD}" \ "smb://${SERVER}/msdfs-share/deeppath/msdfs-src2/readable_file" ret=$? if [ ${ret} -ne 0 ]; then @@ -433,7 +435,7 @@ test_kerberos() KRB5CCNAME="FILE:${KRB5CCNAME_PATH}" export KRB5CCNAME kerberos_kinit "${samba_kinit}" \ - "${DC_USERNAME}@${REALM}" "${DC_PASSWORD}" + "${DOMAIN_USER}@${REALM}" "${DOMAIN_USER_PASSWORD}" $SMBGET --verbose --use-krb5-ccache="${KRB5CCNAME}" \ smb://$SERVER/smbget/testfile diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 5a784f1c5aa..973384f8c53 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -931,6 +931,8 @@ plantestsuite("samba3.blackbox.smbget", '$REALM', 'smbget_user', '$PASSWORD', + '$DOMAIN_USER', + '$DOMAIN_USER_PASSWORD', '$LOCAL_PATH/smbget', smbget ]) -- 2.43.0 From 43f8a0acbcda931efb40403b15ef4c8d8ec94c8b Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 7 Dec 2023 10:51:32 +0100 Subject: [PATCH 05/13] s3:tests: Fix test_kerberos in smbget tests We switched to a temporary directory, so $PREFIX doesn't exist. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 62b0b79ce065246417996dec61afa6a10f6ab99b) --- source3/script/tests/test_smbget.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh index 257291b18ff..5b65db89a26 100755 --- a/source3/script/tests/test_smbget.sh 
+++ b/source3/script/tests/test_smbget.sh @@ -429,13 +429,17 @@ test_kerberos() { clear_download_area - KRB5CCNAME_PATH="$PREFIX/smget_krb5ccache" + KRB5CCNAME_PATH="${TMPDIR}/smget_krb5ccache" rm -f "${KRB5CCNAME_PATH}" KRB5CCNAME="FILE:${KRB5CCNAME_PATH}" export KRB5CCNAME kerberos_kinit "${samba_kinit}" \ "${DOMAIN_USER}@${REALM}" "${DOMAIN_USER_PASSWORD}" + if [ $? -ne 0 ]; then + echo 'Failed to get Kerberos ticket' + return 1 + fi $SMBGET --verbose --use-krb5-ccache="${KRB5CCNAME}" \ smb://$SERVER/smbget/testfile -- 2.43.0 From 26be99f6ac11bd3c6cfd737b332ee3aca660b390 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 7 Dec 2023 11:43:33 +0100 Subject: [PATCH 06/13] s3:tests: Fix the test_kerberos_trust in smbget testsuite BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 468fb05d6357779228e411076e286abcdb70cf96) --- source3/script/tests/test_smbget.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh index 5b65db89a26..50e8cea3900 100755 --- a/source3/script/tests/test_smbget.sh +++ b/source3/script/tests/test_smbget.sh @@ -465,7 +465,7 @@ test_kerberos_trust() $SMBGET --verbose --use-kerberos=required \ -U"${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}%${TRUST_F_BOTH_PASSWORD}" \ - smb://$SERVER/smbget/testfile + smb://$SERVER.${REALM}/smbget/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 -- 2.43.0 From 0cbea3a4c5b7f5356c209ba2826f01506b40f1f8 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 7 Dec 2023 13:11:46 +0100 Subject: [PATCH 07/13] s3:tests: Remove the non-working test_kerberos_upn_denied of smbget See TODO code comment for details. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 1a04fd255c2c94e01bda9840bfd6b372007bb3c7) --- source3/script/tests/test_smbget.sh | 52 +++++++++++++++++------------ 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh index 50e8cea3900..1956fc5b38e 100755 --- a/source3/script/tests/test_smbget.sh +++ b/source3/script/tests/test_smbget.sh @@ -480,26 +480,34 @@ test_kerberos_trust() return 0 } -test_kerberos_upn_denied() -{ - clear_download_area - - $SMBGET --verbose --use-kerberos=required \ - -U"testdenied_upn@${REALM}.upn%${PASSWORD}" \ - "smb://${SERVER}/smbget/testfile" - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 - fi - - cmp --silent $WORKDIR/testfile ./testfile - if [ $? -ne 0 ]; then - echo 'ERROR: file content does not match' - return 1 - fi - - return 0 -} +# TODO FIXME +# This test does not work, as we can't tell the libsmb code that the +# principal is an enterprice principal. We need support for enterprise +# principals in kerberos_kinit_password_ext() and a way to pass it via the +# credenitals structure and commandline options. +# It works if you do: kinit -E testdenied_upn@${REALM}.upn +# +# test_kerberos_upn_denied() +# { +# set -x +# clear_download_area +# +# $SMBGET --verbose --use-kerberos=required \ +# -U"testdenied_upn@${REALM}.upn%${DC_PASSWORD}" \ +# "smb://${SERVER}.${REALM}/smbget/testfile" -d10 +# if [ $? -ne 0 ]; then +# echo 'ERROR: RC does not match, expected: 0' +# return 1 +# fi +# +# cmp --silent $WORKDIR/testfile ./testfile +# if [ $? -ne 0 ]; then +# echo 'ERROR: file content does not match' +# return 1 +# fi +# +# return 0 +# } create_test_data 
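Review bot: The commented-out test_kerberos_upn_denied is not the code that was removed: it gains `set -x` and `-d10` and switches the password variable to `${DC_PASSWORD}`. If the block is later re-enabled as written, shell tracing and debug level 10 will run with the password on the command line, so these debugging leftovers are better dropped before the block is parked. The series already uses selftest/knownfail.d for an expected failure; if this subtest can be listed there, that would keep it running and make it report itself once enterprise principals are supported, instead of relying on someone uncommenting it.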
@@ -567,8 +575,8 @@ testit "kerberos" test_kerberos || testit "kerberos_trust" test_kerberos_trust || failed=$((failed + 1)) -testit "kerberos_upn_denied" test_kerberos_upn_denied || - failed=$((failed + 1)) +# testit "kerberos_upn_denied" test_kerberos_upn_denied || +# failed=$((failed + 1)) clear_download_area -- 2.43.0 From b3d5792525df99cf149ce08392c359fb97f68ec5 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 7 Dec 2023 09:47:14 +0100 Subject: [PATCH 08/13] s3:tests: Fix smbget test Time to fix the smget share to not have `guest ok = yes` set. A new [smbget_guest] will be used for guest only tests. This way we can correctly test different authentication mechanisms. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit c46769f3f10d21ed802e17aa79ae17e345168e63) --- selftest/target/Samba3.pm | 4 ++++ source3/script/tests/test_smbget.sh | 8 ++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 8755d0a2f1f..2c69993c56a 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -3587,6 +3587,10 @@ sub provision($$) [smbget] path = $smbget_sharedir comment = smb username is [%U] + +[smbget_guest] + path = $smbget_sharedir + comment = smb username is [%U] guest ok = yes include = $aliceconfdir/%U.conf diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh index 1956fc5b38e..0af28c6ff89 100755 --- a/source3/script/tests/test_smbget.sh +++ b/source3/script/tests/test_smbget.sh 
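Review bot: In the Samba3.pm hunk the new `[smbget_guest]` header is inserted above the existing `guest ok = yes`, so that line and everything after it up to the next section header now belongs to the new share. The `include = $aliceconfdir/%U.conf` context line follows directly, and it is worth confirming that it was not meant to stay scoped under `[smbget]`. Both shares export the same `$smbget_sharedir`, so the files remain guest-readable through the second share; a comment in the generated config such as `# guest-only view of the smbget directory, used by the --guest tests` would record that this is intentional. The surrounding configuration text starts and ends outside the hunk.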
@@ -57,8 +57,8 @@ clear_download_area() test_singlefile_guest() { clear_download_area - echo "$SMBGET --verbose --guest smb://$SERVER_IP/smbget/testfile" - $SMBGET --verbose --guest smb://$SERVER_IP/smbget/testfile + echo "$SMBGET --verbose --guest smb://$SERVER_IP/smbget_guest/testfile" + $SMBGET --verbose --guest smb://$SERVER_IP/smbget_guest/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 @@ -376,9 +376,9 @@ test_msdfs_link_upn() test_limit_rate() { clear_download_area - echo "$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget/testfile" + echo "$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget_guest/testfile" time_begin=$(date +%s) - $SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget/testfile + $SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget_guest/testfile if [ $? -ne 0 ]; then echo 'ERROR: RC does not match, expected: 0' return 1 -- 2.43.0 From b40c350a6550946129aadbace4e6cecc219c666a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 6 Dec 2023 13:16:26 +0100 Subject: [PATCH 09/13] auth:creds:tests: Add test for password callback BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit ab4b25964a43a1ef550f10580ad395e178fe647e) --- auth/credentials/tests/test_creds.c | 32 +++++++++++++++++++++++++++++ selftest/knownfail.d/creds | 1 + 2 files changed, 33 insertions(+) create mode 100644 selftest/knownfail.d/creds diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c index a2f9642bfe0..414dd46a6b0 100644 --- a/auth/credentials/tests/test_creds.c +++ b/auth/credentials/tests/test_creds.c 
@@ -285,6 +285,37 @@ static void torture_creds_gensec_feature(void **state) assert_int_equal(creds->gensec_features, GENSEC_FEATURE_SIGN); } +static const char *torture_get_password(struct cli_credentials *creds) +{ + return talloc_strdup(creds, "SECRET"); +} + +static void torture_creds_password_callback(void **state) +{ + TALLOC_CTX *mem_ctx = *state; + struct cli_credentials *creds = NULL; + const char *password = NULL; + enum credentials_obtained pwd_obtained = CRED_UNINITIALISED; + bool ok; + + creds = cli_credentials_init(mem_ctx); + assert_non_null(creds); + + ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED); + assert_true(ok); + ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED); + assert_true(ok); + + ok = cli_credentials_set_password_callback(creds, torture_get_password); + assert_true(ok); + assert_int_equal(creds->password_obtained, CRED_CALLBACK); + + password = cli_credentials_get_password_and_obtained(creds, + &pwd_obtained); + assert_int_equal(pwd_obtained, CRED_CALLBACK_RESULT); + assert_string_equal(password, "SECRET"); +} + int main(int argc, char *argv[]) { int rc; @@ -296,6 +327,7 @@ int main(int argc, char *argv[]) cmocka_unit_test(torture_creds_parse_string), cmocka_unit_test(torture_creds_krb5_state), cmocka_unit_test(torture_creds_gensec_feature), + cmocka_unit_test(torture_creds_password_callback) }; if (argc == 2) { diff --git a/selftest/knownfail.d/creds b/selftest/knownfail.d/creds new file mode 100644 index 00000000000..09491f22c65 --- /dev/null +++ b/selftest/knownfail.d/creds @@ -0,0 +1 @@ +^samba.unittests.credentials.torture_creds_password_callback.none -- 2.43.0 From 42f5976603f2dfab9e3179535f9d137014621b54 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 6 Dec 2023 13:06:42 +0100 Subject: [PATCH 10/13] auth:creds: Fix cli_credentials_get_password_and_obtained() with callback BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 
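Review bot: In torture_creds_password_callback, `password` goes straight into `assert_string_equal()` without a NULL check, so a regression that makes cli_credentials_get_password_and_obtained() return NULL would most likely surface as a crash inside the string compare rather than as a clean assertion failure. Adding `assert_non_null(password);` before the compare keeps the failure readable. A one-line comment on torture_get_password, e.g. `/* Returned string is allocated on creds and freed with it. */`, would also document the ownership the callback relies on.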
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 1041dae03f0f7e9e2b6b4a649eb1d298a34ce699) --- auth/credentials/credentials.c | 4 +++- selftest/knownfail.d/creds | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 selftest/knownfail.d/creds diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 0485cc4e64e..8cabdd8d1c3 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -465,11 +465,13 @@ _PUBLIC_ const char * cli_credentials_get_password_and_obtained(struct cli_credentials *cred, enum credentials_obtained *obtained) { + const char *password = cli_credentials_get_password(cred); + if (obtained != NULL) { *obtained = cred->password_obtained; } - return cli_credentials_get_password(cred); + return password; } /* Set a password on the credentials context, including an indication diff --git a/selftest/knownfail.d/creds b/selftest/knownfail.d/creds deleted file mode 100644 index 09491f22c65..00000000000 --- a/selftest/knownfail.d/creds +++ /dev/null @@ -1 +0,0 @@ -^samba.unittests.credentials.torture_creds_password_callback.none -- 2.43.0 From 619185a178f00bbf88a853309225773b02fdbda4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 6 Dec 2023 13:26:43 +0100 Subject: [PATCH 11/13] auth:creds: Add cli_credentials_get_domain_and_obtained() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit a7622bc7db093558c6f6e3da4d2a899a764dec09) --- auth/credentials/credentials.c | 22 ++++++++++++++++++++++ auth/credentials/credentials.h | 3 +++ auth/credentials/tests/test_creds.c | 6 ++++++ 3 files changed, 31 insertions(+) diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 8cabdd8d1c3..7a00279b8b4 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c 
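Review bot: The fix in cli_credentials_get_password_and_obtained() depends on an ordering that the code does not explain: `cred->password_obtained` has to be read after cli_credentials_get_password() has run, presumably because a password callback changes it (the test added earlier in this series expects CRED_CALLBACK_RESULT after the call). Without a comment the two statements look freely reorderable, and a later cleanup could reintroduce the bug. I would add `/* Fetch the password first: a password callback may update cred->password_obtained. */` above the new `const char *password = ...` line.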
@@ -738,6 +738,28 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred) return cred->domain; } +/** + * @brief Obtain the domain for this credential context. + * + * @param[in] cred The credential context. + * + * @param[out] obtained A pointer to store the obtained information. + * + * @return The domain name or NULL if an error occurred. + */ +_PUBLIC_ const char *cli_credentials_get_domain_and_obtained( + struct cli_credentials *cred, + enum credentials_obtained *obtained) +{ + const char *domain = cli_credentials_get_domain(cred); + + if (obtained != NULL) { + *obtained = cred->domain_obtained; + } + + return domain; +} + _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred, const char *val, diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index c3a048ecc8d..c5ffe536e07 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -127,6 +127,9 @@ int cli_credentials_get_keytab(struct cli_credentials *cred, struct loadparm_context *lp_ctx, struct keytab_container **_ktc); const char *cli_credentials_get_domain(struct cli_credentials *cred); +const char *cli_credentials_get_domain_and_obtained( + struct cli_credentials *cred, + enum credentials_obtained *obtained); struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred); void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, struct loadparm_context *lp_ctx); diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c index 414dd46a6b0..2cb2e6d0e34 100644 --- a/auth/credentials/tests/test_creds.c +++ b/auth/credentials/tests/test_creds.c 
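Review bot: The doc comment on cli_credentials_get_domain_and_obtained() does not say that `obtained` may be NULL, although the body explicitly allows it with `if (obtained != NULL)`. I would reword the parameter line to `@param[out] obtained  Optional; if not NULL, receives how the domain was obtained.` and add a sentence that the returned string belongs to `cred` and must not be freed by the caller, if that matches cli_credentials_get_domain(), whose body is only partly visible here. The prototype added to credentials.h has no comment of its own, so the one in credentials.c is the only place callers will find this.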
@@ -48,6 +48,7 @@ static void torture_creds_init(void **state) const char *username = NULL; const char *domain = NULL; const char *password = NULL; + enum credentials_obtained dom_obtained = CRED_UNINITIALISED; enum credentials_obtained usr_obtained = CRED_UNINITIALISED; enum credentials_obtained pwd_obtained = CRED_UNINITIALISED; bool ok; @@ -65,6 +66,11 @@ static void torture_creds_init(void **state) domain = cli_credentials_get_domain(creds); assert_string_equal(domain, "WURST"); + domain = cli_credentials_get_domain_and_obtained(creds, + &dom_obtained); + assert_int_equal(dom_obtained, CRED_SPECIFIED); + assert_string_equal(domain, "WURST"); + username = cli_credentials_get_username(creds); assert_null(username); ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED); -- 2.43.0 From a72e035090075ff1b36c5d67daf5f601277bceaa Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 6 Dec 2023 15:58:08 +0100 Subject: [PATCH 12/13] s3:tests: Add interactive smbget test for password entry BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 5b38f3be8cb986aa2db3aab5c3c3d2e8739893ce) --- source3/script/tests/test_smbget.sh | 32 +++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh index 0af28c6ff89..74050f6951a 100755 --- a/source3/script/tests/test_smbget.sh +++ b/source3/script/tests/test_smbget.sh @@ -29,6 +29,7 @@ incdir=$(dirname $0)/../../../testprogs/blackbox . "${incdir}/common_test_fns.inc" samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) +samba_texpect="${BINDIR}/texpect" create_test_data() { 
@@ -163,6 +164,33 @@ test_singlefile_smburl2() return 0 } +test_singlefile_smburl_interactive() +{ + clear_download_area + + tmpfile="$(mktemp --tmpdir="${TMPDIR}" expect_XXXXXXXXXX)" + + cat >"${tmpfile}" < Date: Wed, 6 Dec 2023 13:16:53 +0100 Subject: [PATCH 13/13] s3:utils: Fix auth callback with smburl BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit f2f7ed419e03e5ae8cc85f42af5b2bcf91abefe2) --- source3/utils/smbget.c | 40 ++++++++++++++++++++++++++++++++++------ 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c index 8d98ba24602..598607ea391 100644 --- a/source3/utils/smbget.c +++ b/source3/utils/smbget.c 
@@ -114,20 +114,48 @@ static void get_auth_data_with_context_fn(SMBCCTX *ctx, const char *username = NULL; const char *password = NULL; const char *domain = NULL; + enum credentials_obtained obtained = CRED_UNINITIALISED; - username = cli_credentials_get_username(creds); + username = cli_credentials_get_username_and_obtained(creds, &obtained); if (username != NULL) { - strncpy(usr, username, usr_len - 1); + bool overwrite = false; + if (usr[0] == '\0') { + overwrite = true; + } + if (obtained >= CRED_CALLBACK_RESULT) { + overwrite = true; + } + if (overwrite) { + strncpy(usr, username, usr_len - 1); + } } - password = cli_credentials_get_password(creds); + password = cli_credentials_get_password_and_obtained(creds, &obtained); if (password != NULL) { - strncpy(pwd, password, pwd_len - 1); + bool overwrite = false; + if (usr[0] == '\0') { + overwrite = true; + } + if (obtained >= CRED_CALLBACK_RESULT) { + overwrite = true; + } + if (overwrite) { + strncpy(pwd, password, pwd_len - 1); + } } - domain = cli_credentials_get_domain(creds); + domain = cli_credentials_get_domain_and_obtained(creds, &obtained); if (domain != NULL) { - strncpy(dom, domain, dom_len - 1); + bool overwrite = false; + if (usr[0] == '\0') { + overwrite = true; + } + if (obtained >= CRED_CALLBACK_RESULT) { + overwrite = true; + } + if (overwrite) { + strncpy(dom, domain, dom_len - 1); + } } smbc_set_credentials_with_fallback(ctx, domain, username, password); -- 2.43.0
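Review bot: The password and domain branches of get_auth_data_with_context_fn test `usr[0] == '\0'` instead of their own buffers, so whether `pwd` and `dom` are kept or replaced depends on the state of `usr` after the username branch has run, not on whether the URL supplied a password or domain. If this is a copy-and-paste slip, the two checks should read `if (pwd[0] == '\0') {` and `if (dom[0] == '\0') {`; if it is intentional, a comment explaining why the user name gates all three fields is needed. Separately, `strncpy(usr, username, usr_len - 1)` leaves the buffer unterminated unless the caller zeroed it, and misbehaves if the length is 0; `snprintf(usr, usr_len, "%s", username)` would be safer, and the same holds for `pwd` and `dom`. The function starts and ends outside the hunk.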