samba/samba-4.19-fix-smbget-auth.patch
Pavel Filipenský cfb9a1c4ec Fix smbget password interactive authentication
resolves: RHEL-17283
2023-12-14 21:37:14 +01:00


From 3b25f764e714dee0327fd4f068bd14650f7e7ab4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 09:18:26 +0100
Subject: [PATCH 01/13] s3:tests: Fix authentication with smbget_user in smbget
tests
Currently the smbget share is broken. We set `guest ok = yes` so if you
specify invalid names, the authentication will still succeed as we
are mapped to guest.
The smbget_user is a local ad_member user. We need to set the
workstation as the "domain" for the user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c14c5dec09fe1c86b29b3091ad521e73a2e1c3e9)
---
source3/script/tests/test_smbget.sh | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index bdc62a71eff..5ab35a03e24 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -72,7 +72,7 @@ test_singlefile_guest()
test_singlefile_U()
{
clear_download_area
- $SMBGET --verbose -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
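Review bot: The new `-U${SERVER}/${USERNAME}%$PASSWORD` argument in test_singlefile_U is unquoted, so a user name or password containing whitespace or glob characters would be word-split before smbget sees it. Other calls in this script (for example test_singlefile_U_UPN) already quote the whole option, and `-U"${SERVER}/${USERNAME}%${PASSWORD}"` would match them. The same applies to the `-U` lines changed in test_recursive_U, test_recursive_existing_dir, test_recursive_with_empty, test_resume, test_resume_modified, test_update and test_encrypt. The function body continues past the end of this hunk.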
@@ -132,7 +132,7 @@ test_singlefile_U_domain()
test_singlefile_smburl()
{
clear_download_area
- $SMBGET --workgroup $DOMAIN smb://$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile
+ $SMBGET --workgroup $DOMAIN smb://${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -148,7 +148,7 @@ test_singlefile_smburl()
test_singlefile_smburl2()
{
clear_download_area
- $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile"
+ $SMBGET "smb://$DOMAIN;${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile"
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -165,7 +165,7 @@ test_singlefile_authfile()
{
clear_download_area
cat >"${TMPDIR}/authfile" << EOF
-username = $USERNAME
+username = ${SERVER}/${USERNAME}
password = $PASSWORD
EOF
$SMBGET --verbose --authentication-file="${TMPDIR}/authfile" smb://$SERVER_IP/smbget/testfile
@@ -186,7 +186,7 @@ EOF
test_recursive_U()
{
clear_download_area
- $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/
+ $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -207,7 +207,7 @@ test_recursive_existing_dir()
{
clear_download_area
mkdir dir1
- $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/
+ $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -230,7 +230,7 @@ test_recursive_with_empty()
# create some additional empty directories
mkdir -p $WORKDIR/dir001/dir002/dir003
mkdir -p $WORKDIR/dir004/dir005/dir006
- $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/
+ $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/
rc=$?
rm -rf $WORKDIR/dir001
rm -rf $WORKDIR/dir004
@@ -260,7 +260,7 @@ test_resume()
clear_download_area
cp $WORKDIR/testfile .
truncate -s 1024 testfile
- $SMBGET --verbose --resume -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose --resume -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -279,7 +279,7 @@ test_resume_modified()
{
clear_download_area
dd if=/dev/urandom bs=1024 count=2 of=testfile
- $SMBGET --verbose --resume -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose --resume -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
if [ $? -ne 1 ]; then
echo 'ERROR: RC does not match, expected: 1'
return 1
@@ -291,14 +291,14 @@ test_resume_modified()
test_update()
{
clear_download_area
- $SMBGET --verbose -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
fi
# secondary download should pass
- $SMBGET --verbose --update -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose --update -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -308,7 +308,7 @@ test_update()
# touch source to trigger new download
sleep 2
touch -m $WORKDIR/testfile
- $SMBGET --verbose --update -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose --update -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -397,7 +397,7 @@ test_limit_rate()
test_encrypt()
{
clear_download_area
- $SMBGET --verbose --encrypt -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose --encrypt -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -409,7 +409,7 @@ test_encrypt()
fi
clear_download_area
- $SMBGET --verbose --client-protection=encrypt -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose --client-protection=encrypt -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
--
2.43.0
From a61c1ed2e21640a60b219b8efb16fed7ddfbce7c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 8 Dec 2023 13:06:27 +0100
Subject: [PATCH 02/13] selftest: Remove trailing tabs/white spaces in
Samba4.pm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a2af6946f5e53b7d954aa54d3d115dbe4975b1c4)
---
selftest/target/Samba4.pm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index a10c1313322..e559bf888a9 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -559,7 +559,7 @@ sub provision_raw_prepare($$$$$$$$$$$$$$)
warn("Unable to clean up");
}
-
+
my $swiface = Samba::get_interface($hostname);
$ctx->{prefix} = $prefix;
@@ -1034,7 +1034,7 @@ replace: userPrincipalName
userPrincipalName: testallowed upn\@$ctx->{realm}
replace: servicePrincipalName
servicePrincipalName: host/testallowed
--
+-
";
close($ldif);
unless ($? == 0) {
@@ -1057,7 +1057,7 @@ servicePrincipalName: host/testallowed
changetype: modify
replace: userPrincipalName
userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
--
+-
";
close($ldif);
unless ($? == 0) {
@@ -2225,7 +2225,7 @@ sub provision_chgdcpass($$)
warn("Unable to add wins configuration");
return undef;
}
-
+
# Remove secrets.tdb from this environment to test that we
# still start up on systems without the new matching
# secrets.tdb records.
--
2.43.0
From 4177d6b866f8a0a72ebe208c5025ad643a2610d8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 8 Dec 2023 13:07:19 +0100
Subject: [PATCH 03/13] selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables
We should start using those in future. So we can distinguish which
privileges we want. Currently DC_USERNAME is the Administrator. Wherever
possible we should use DOMAIN_USER instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 56d0c3a0263ed166452c129219e7a391ba4d014c)
---
selftest/target/Samba.pm | 4 ++++
selftest/target/Samba3.pm | 24 ++++++++++++++++++++++++
selftest/target/Samba4.pm | 8 ++++++++
3 files changed, 36 insertions(+)
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index b959db493ca..e4bd6a0d5d2 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -947,6 +947,10 @@ my @exported_envvars = (
"PASSWORD",
"DC_USERNAME",
"DC_PASSWORD",
+ "DOMAIN_ADMIN",
+ "DOMAIN_ADMIN_PASSWORD",
+ "DOMAIN_USER",
+ "DOMAIN_USER_PASSWORD",
# UID/GID for rfc2307 mapping tests
"UID_RFC2307TEST",
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 85e69e4b72d..8755d0a2f1f 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1006,6 +1006,10 @@ sub provision_ad_member
$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
# forest trust
$ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER};
@@ -1171,6 +1175,10 @@ sub setup_ad_member_rfc2307
$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
return $ret;
}
@@ -1267,6 +1275,10 @@ sub setup_admem_idmap_autorid
$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
return $ret;
}
@@ -1366,6 +1378,10 @@ sub setup_ad_member_idmap_rid
$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
return $ret;
}
@@ -1466,6 +1482,10 @@ sub setup_ad_member_idmap_ad
$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
$ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
$ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
@@ -1558,6 +1578,10 @@ sub setup_ad_member_oneway
$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
$ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
$ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e559bf888a9..cbaacce48da 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -587,6 +587,10 @@ sub provision_raw_prepare($$$$$$$$$$$$$$)
$ctx->{realm} = uc($realm);
$ctx->{dnsname} = lc($realm);
$ctx->{samsid} = $samsid;
+ $ctx->{domain_admin} = "Administrator";
+ $ctx->{domain_admin_password} = $password;
+ $ctx->{domain_user} = "alice";
+ $ctx->{domain_user_password} = "Secret007";
$ctx->{functional_level} = $functional_level;
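Review bot: `domain_user` and `domain_user_password` are hard-coded to `"alice"` and `"Secret007"` in provision_raw_prepare, but nothing in this hunk creates or references that account, so the values silently depend on provisioning code elsewhere. A comment next to the two assignments, such as `# must match the alice test account created during provisioning`, would keep the two places from drifting apart. The function starts and ends outside the hunk, so where the account is actually created is not visible here.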
@@ -906,6 +910,10 @@ nogroup:x:65534:nobody
DOMAIN => $ctx->{domain},
USERNAME => $ctx->{username},
DC_USERNAME => $ctx->{username},
+ DOMAIN_ADMIN => $ctx->{domain_admin},
+ DOMAIN_ADMIN_PASSWORD => $ctx->{domain_admin_password},
+ DOMAIN_USER => $ctx->{domain_user},
+ DOMAIN_USER_PASSWORD => $ctx->{domain_user_password},
REALM => $ctx->{realm},
DNSNAME => $ctx->{dnsname},
SAMSID => $ctx->{samsid},
--
2.43.0
From c5839fd47591e46431d56091f151f22a5e35d16c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 09:45:54 +0100
Subject: [PATCH 04/13] s3:tests: Pass down a normal domain user for
test_smbget.sh
It is better to test with a normal user than administrator.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 337034e675aaeb366d360a791ec0d003426230af)
---
source3/script/tests/test_smbget.sh | 22 ++++++++++++----------
source3/selftest/tests.py | 2 ++
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 5ab35a03e24..257291b18ff 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -16,9 +16,11 @@ DOMAIN=${3}
REALM=${4}
USERNAME=${5}
PASSWORD=${6}
-WORKDIR=${7}
-SMBGET="$VALGRIND ${8}"
-shift 8
+DOMAIN_USER=${7}
+DOMAIN_USER_PASSWORD=${8}
+WORKDIR=${9}
+SMBGET="$VALGRIND ${10}"
+shift 10
TMPDIR="$SELFTEST_TMPDIR"
@@ -89,7 +91,7 @@ test_singlefile_U_UPN()
{
clear_download_area
- ${SMBGET} --verbose -U"${DC_USERNAME}@${REALM}%${DC_PASSWORD}" \
+ ${SMBGET} --verbose -U"${DOMAIN_USER}@${REALM}%${DOMAIN_USER_PASSWORD}" \
"smb://${SERVER_IP}/smbget/testfile"
ret=${?}
if [ ${ret} -ne 0 ]; then
@@ -111,7 +113,7 @@ test_singlefile_U_domain()
{
clear_download_area
- ${SMBGET} --verbose -U"${DOMAIN}/${DC_USERNAME}%${DC_PASSWORD}" \
+ ${SMBGET} --verbose -U"${DOMAIN}/${DOMAIN_USER}%${DOMAIN_USER_PASSWORD}" \
"smb://${SERVER_IP}/smbget/testfile"
ret=${?}
if [ ${ret} -ne 0 ]; then
@@ -132,7 +134,7 @@ test_singlefile_U_domain()
test_singlefile_smburl()
{
clear_download_area
- $SMBGET --workgroup $DOMAIN smb://${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile
+ $SMBGET --workgroup $DOMAIN smb://${DOMAIN_USER}:$DOMAIN_USER_PASSWORD@$SERVER_IP/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -148,7 +150,7 @@ test_singlefile_smburl()
test_singlefile_smburl2()
{
clear_download_area
- $SMBGET "smb://$DOMAIN;${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile"
+ $SMBGET "smb://$DOMAIN;${DOMAIN_USER}:$DOMAIN_USER_PASSWORD@$SERVER_IP/smbget/testfile"
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -343,7 +345,7 @@ test_msdfs_link_domain()
{
clear_download_area
- ${SMBGET} --verbose "-U${DOMAIN}/${DC_USERNAME}%${DC_PASSWORD}" \
+ ${SMBGET} --verbose "-U${DOMAIN}/${DOMAIN_USER}%${DOMAIN_USER_PASSWORD}" \
"smb://${SERVER}/msdfs-share/deeppath/msdfs-src2/readable_file"
ret=$?
if [ ${ret} -ne 0 ]; then
@@ -358,7 +360,7 @@ test_msdfs_link_upn()
{
clear_download_area
- ${SMBGET} --verbose "-U${DC_USERNAME}@${REALM}%${DC_PASSWORD}" \
+ ${SMBGET} --verbose "-U${DOMAIN_USER}@${REALM}%${DOMAIN_USER_PASSWORD}" \
"smb://${SERVER}/msdfs-share/deeppath/msdfs-src2/readable_file"
ret=$?
if [ ${ret} -ne 0 ]; then
@@ -433,7 +435,7 @@ test_kerberos()
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
export KRB5CCNAME
kerberos_kinit "${samba_kinit}" \
- "${DC_USERNAME}@${REALM}" "${DC_PASSWORD}"
+ "${DOMAIN_USER}@${REALM}" "${DOMAIN_USER_PASSWORD}"
$SMBGET --verbose --use-krb5-ccache="${KRB5CCNAME}" \
smb://$SERVER/smbget/testfile
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 5a784f1c5aa..973384f8c53 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -931,6 +931,8 @@ plantestsuite("samba3.blackbox.smbget",
'$REALM',
'smbget_user',
'$PASSWORD',
+ '$DOMAIN_USER',
+ '$DOMAIN_USER_PASSWORD',
'$LOCAL_PATH/smbget',
smbget
])
--
2.43.0
From 43f8a0acbcda931efb40403b15ef4c8d8ec94c8b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 10:51:32 +0100
Subject: [PATCH 05/13] s3:tests: Fix test_kerberos in smbget tests
We switched to a temporary directory, so $PREFIX doesn't exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 62b0b79ce065246417996dec61afa6a10f6ab99b)
---
source3/script/tests/test_smbget.sh | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 257291b18ff..5b65db89a26 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -429,13 +429,17 @@ test_kerberos()
{
clear_download_area
- KRB5CCNAME_PATH="$PREFIX/smget_krb5ccache"
+ KRB5CCNAME_PATH="${TMPDIR}/smget_krb5ccache"
rm -f "${KRB5CCNAME_PATH}"
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
export KRB5CCNAME
kerberos_kinit "${samba_kinit}" \
"${DOMAIN_USER}@${REALM}" "${DOMAIN_USER_PASSWORD}"
+ if [ $? -ne 0 ]; then
+ echo 'Failed to get Kerberos ticket'
+ return 1
+ fi
$SMBGET --verbose --use-krb5-ccache="${KRB5CCNAME}" \
smb://$SERVER/smbget/testfile
--
2.43.0
From 26be99f6ac11bd3c6cfd737b332ee3aca660b390 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 11:43:33 +0100
Subject: [PATCH 06/13] s3:tests: Fix the test_kerberos_trust in smbget
testsuite
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 468fb05d6357779228e411076e286abcdb70cf96)
---
source3/script/tests/test_smbget.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 5b65db89a26..50e8cea3900 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -465,7 +465,7 @@ test_kerberos_trust()
$SMBGET --verbose --use-kerberos=required \
-U"${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}%${TRUST_F_BOTH_PASSWORD}" \
- smb://$SERVER/smbget/testfile
+ smb://$SERVER.${REALM}/smbget/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
--
2.43.0
From 0cbea3a4c5b7f5356c209ba2826f01506b40f1f8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 13:11:46 +0100
Subject: [PATCH 07/13] s3:tests: Remove the non-working
test_kerberos_upn_denied of smbget
See TODO code comment for details.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1a04fd255c2c94e01bda9840bfd6b372007bb3c7)
---
source3/script/tests/test_smbget.sh | 52 +++++++++++++++++------------
1 file changed, 30 insertions(+), 22 deletions(-)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 50e8cea3900..1956fc5b38e 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -480,26 +480,34 @@ test_kerberos_trust()
return 0
}
-test_kerberos_upn_denied()
-{
- clear_download_area
-
- $SMBGET --verbose --use-kerberos=required \
- -U"testdenied_upn@${REALM}.upn%${PASSWORD}" \
- "smb://${SERVER}/smbget/testfile"
- if [ $? -ne 0 ]; then
- echo 'ERROR: RC does not match, expected: 0'
- return 1
- fi
-
- cmp --silent $WORKDIR/testfile ./testfile
- if [ $? -ne 0 ]; then
- echo 'ERROR: file content does not match'
- return 1
- fi
-
- return 0
-}
+# TODO FIXME
+# This test does not work, as we can't tell the libsmb code that the
+# principal is an enterprice principal. We need support for enterprise
+# principals in kerberos_kinit_password_ext() and a way to pass it via the
+# credenitals structure and commandline options.
+# It works if you do: kinit -E testdenied_upn@${REALM}.upn
+#
+# test_kerberos_upn_denied()
+# {
+# set -x
+# clear_download_area
+#
+# $SMBGET --verbose --use-kerberos=required \
+# -U"testdenied_upn@${REALM}.upn%${DC_PASSWORD}" \
+# "smb://${SERVER}.${REALM}/smbget/testfile" -d10
+# if [ $? -ne 0 ]; then
+# echo 'ERROR: RC does not match, expected: 0'
+# return 1
+# fi
+#
+# cmp --silent $WORKDIR/testfile ./testfile
+# if [ $? -ne 0 ]; then
+# echo 'ERROR: file content does not match'
+# return 1
+# fi
+#
+# return 0
+# }
create_test_data
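Review bot: The parked test_kerberos_upn_denied block keeps two debugging leftovers, `set -x` and the trailing `-d10`, right next to a `-U"...%${DC_PASSWORD}"` argument, so whoever re-enables it will have the shell trace write the password into the test log. Dropping both before commenting the block out avoids that; the URL line would then end at `testfile"`. The TODO text also carries two typos, "enterprice" and "credenitals", which make the comment harder to grep for later.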
@@ -567,8 +575,8 @@ testit "kerberos" test_kerberos ||
testit "kerberos_trust" test_kerberos_trust ||
failed=$((failed + 1))
-testit "kerberos_upn_denied" test_kerberos_upn_denied ||
- failed=$((failed + 1))
+# testit "kerberos_upn_denied" test_kerberos_upn_denied ||
+# failed=$((failed + 1))
clear_download_area
--
2.43.0
From b3d5792525df99cf149ce08392c359fb97f68ec5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 09:47:14 +0100
Subject: [PATCH 08/13] s3:tests: Fix smbget test
Time to fix the smbget share to not have `guest ok = yes` set. A new
[smbget_guest] will be used for guest only tests. This way we can
correctly test different authentication mechanisms.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c46769f3f10d21ed802e17aa79ae17e345168e63)
---
selftest/target/Samba3.pm | 4 ++++
source3/script/tests/test_smbget.sh | 8 ++++----
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 8755d0a2f1f..2c69993c56a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -3587,6 +3587,10 @@ sub provision($$)
[smbget]
path = $smbget_sharedir
comment = smb username is [%U]
+
+[smbget_guest]
+ path = $smbget_sharedir
+ comment = smb username is [%U]
guest ok = yes
include = $aliceconfdir/%U.conf
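Review bot: Inserting `[smbget_guest]` above the existing `guest ok = yes` line also moves the following `include = $aliceconfdir/%U.conf` line into the new section, so `[smbget]` no longer ends with it. It is worth confirming that this is intended, and a short comment in the generated config would record the split, e.g. `# guest-only share for smbget --guest tests; [smbget] requires authentication`. Both sections export the same `$smbget_sharedir`, so the tests cannot tell from file content alone which share answered. The surrounding provision() heredoc lies outside this hunk.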
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 1956fc5b38e..0af28c6ff89 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -57,8 +57,8 @@ clear_download_area()
test_singlefile_guest()
{
clear_download_area
- echo "$SMBGET --verbose --guest smb://$SERVER_IP/smbget/testfile"
- $SMBGET --verbose --guest smb://$SERVER_IP/smbget/testfile
+ echo "$SMBGET --verbose --guest smb://$SERVER_IP/smbget_guest/testfile"
+ $SMBGET --verbose --guest smb://$SERVER_IP/smbget_guest/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
@@ -376,9 +376,9 @@ test_msdfs_link_upn()
test_limit_rate()
{
clear_download_area
- echo "$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget/testfile"
+ echo "$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget_guest/testfile"
time_begin=$(date +%s)
- $SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget/testfile
+ $SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget_guest/testfile
if [ $? -ne 0 ]; then
echo 'ERROR: RC does not match, expected: 0'
return 1
--
2.43.0
From b40c350a6550946129aadbace4e6cecc219c666a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 13:16:26 +0100
Subject: [PATCH 09/13] auth:creds:tests: Add test for password callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ab4b25964a43a1ef550f10580ad395e178fe647e)
---
auth/credentials/tests/test_creds.c | 32 +++++++++++++++++++++++++++++
selftest/knownfail.d/creds | 1 +
2 files changed, 33 insertions(+)
create mode 100644 selftest/knownfail.d/creds
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index a2f9642bfe0..414dd46a6b0 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -285,6 +285,37 @@ static void torture_creds_gensec_feature(void **state)
assert_int_equal(creds->gensec_features, GENSEC_FEATURE_SIGN);
}
+static const char *torture_get_password(struct cli_credentials *creds)
+{
+ return talloc_strdup(creds, "SECRET");
+}
+
+static void torture_creds_password_callback(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ struct cli_credentials *creds = NULL;
+ const char *password = NULL;
+ enum credentials_obtained pwd_obtained = CRED_UNINITIALISED;
+ bool ok;
+
+ creds = cli_credentials_init(mem_ctx);
+ assert_non_null(creds);
+
+ ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED);
+ assert_true(ok);
+ ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED);
+ assert_true(ok);
+
+ ok = cli_credentials_set_password_callback(creds, torture_get_password);
+ assert_true(ok);
+ assert_int_equal(creds->password_obtained, CRED_CALLBACK);
+
+ password = cli_credentials_get_password_and_obtained(creds,
+ &pwd_obtained);
+ assert_int_equal(pwd_obtained, CRED_CALLBACK_RESULT);
+ assert_string_equal(password, "SECRET");
+}
+
int main(int argc, char *argv[])
{
int rc;
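Review bot: In torture_creds_password_callback, `password` goes straight into `assert_string_equal()` without a NULL check. If `talloc_strdup()` in the callback or the getter itself returns NULL, the test would likely crash inside the comparison instead of failing cleanly. Adding `assert_non_null(password);` before the string comparison keeps the failure readable.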
@@ -296,6 +327,7 @@ int main(int argc, char *argv[])
cmocka_unit_test(torture_creds_parse_string),
cmocka_unit_test(torture_creds_krb5_state),
cmocka_unit_test(torture_creds_gensec_feature),
+ cmocka_unit_test(torture_creds_password_callback)
};
if (argc == 2) {
diff --git a/selftest/knownfail.d/creds b/selftest/knownfail.d/creds
new file mode 100644
index 00000000000..09491f22c65
--- /dev/null
+++ b/selftest/knownfail.d/creds
@@ -0,0 +1 @@
+^samba.unittests.credentials.torture_creds_password_callback.none
--
2.43.0
From 42f5976603f2dfab9e3179535f9d137014621b54 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 13:06:42 +0100
Subject: [PATCH 10/13] auth:creds: Fix
cli_credentials_get_password_and_obtained() with callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1041dae03f0f7e9e2b6b4a649eb1d298a34ce699)
---
auth/credentials/credentials.c | 4 +++-
selftest/knownfail.d/creds | 1 -
2 files changed, 3 insertions(+), 2 deletions(-)
delete mode 100644 selftest/knownfail.d/creds
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 0485cc4e64e..8cabdd8d1c3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -465,11 +465,13 @@ _PUBLIC_ const char *
cli_credentials_get_password_and_obtained(struct cli_credentials *cred,
enum credentials_obtained *obtained)
{
+ const char *password = cli_credentials_get_password(cred);
+
if (obtained != NULL) {
*obtained = cred->password_obtained;
}
- return cli_credentials_get_password(cred);
+ return password;
}
/* Set a password on the credentials context, including an indication
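Review bot: Nothing in the new body says why `cli_credentials_get_password()` has to run before `cred->password_obtained` is read, so a later cleanup could fold the call back into the `return` and reintroduce the bug. A one-line comment above the declaration would pin the ordering, e.g. `/* Must be called first: a password callback changes cred->password_obtained */`. The test added in test_creds.c (obtained moves from CRED_CALLBACK to CRED_CALLBACK_RESULT) suggests that is the mechanism, though cli_credentials_get_password() itself is not shown in this patch.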
diff --git a/selftest/knownfail.d/creds b/selftest/knownfail.d/creds
deleted file mode 100644
index 09491f22c65..00000000000
--- a/selftest/knownfail.d/creds
+++ /dev/null
@@ -1 +0,0 @@
-^samba.unittests.credentials.torture_creds_password_callback.none
--
2.43.0
From 619185a178f00bbf88a853309225773b02fdbda4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 13:26:43 +0100
Subject: [PATCH 11/13] auth:creds: Add
cli_credentials_get_domain_and_obtained()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a7622bc7db093558c6f6e3da4d2a899a764dec09)
---
auth/credentials/credentials.c | 22 ++++++++++++++++++++++
auth/credentials/credentials.h | 3 +++
auth/credentials/tests/test_creds.c | 6 ++++++
3 files changed, 31 insertions(+)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 8cabdd8d1c3..7a00279b8b4 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -738,6 +738,28 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
return cred->domain;
}
+/**
+ * @brief Obtain the domain for this credential context.
+ *
+ * @param[in] cred The credential context.
+ *
+ * @param[out] obtained A pointer to store the obtained information.
+ *
+ * @return The domain name or NULL if an error occurred.
+ */
+_PUBLIC_ const char *cli_credentials_get_domain_and_obtained(
+ struct cli_credentials *cred,
+ enum credentials_obtained *obtained)
+{
+ const char *domain = cli_credentials_get_domain(cred);
+
+ if (obtained != NULL) {
+ *obtained = cred->domain_obtained;
+ }
+
+ return domain;
+}
+
_PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
const char *val,
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index c3a048ecc8d..c5ffe536e07 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -127,6 +127,9 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc);
const char *cli_credentials_get_domain(struct cli_credentials *cred);
+const char *cli_credentials_get_domain_and_obtained(
+ struct cli_credentials *cred,
+ enum credentials_obtained *obtained);
struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index 414dd46a6b0..2cb2e6d0e34 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -48,6 +48,7 @@ static void torture_creds_init(void **state)
const char *username = NULL;
const char *domain = NULL;
const char *password = NULL;
+ enum credentials_obtained dom_obtained = CRED_UNINITIALISED;
enum credentials_obtained usr_obtained = CRED_UNINITIALISED;
enum credentials_obtained pwd_obtained = CRED_UNINITIALISED;
bool ok;
@@ -65,6 +66,11 @@ static void torture_creds_init(void **state)
domain = cli_credentials_get_domain(creds);
assert_string_equal(domain, "WURST");
+ domain = cli_credentials_get_domain_and_obtained(creds,
+ &dom_obtained);
+ assert_int_equal(dom_obtained, CRED_SPECIFIED);
+ assert_string_equal(domain, "WURST");
+
username = cli_credentials_get_username(creds);
assert_null(username);
ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED);
--
2.43.0
From a72e035090075ff1b36c5d67daf5f601277bceaa Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 15:58:08 +0100
Subject: [PATCH 12/13] s3:tests: Add interactive smbget test for password
entry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5b38f3be8cb986aa2db3aab5c3c3d2e8739893ce)
---
source3/script/tests/test_smbget.sh | 32 +++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 0af28c6ff89..74050f6951a 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -29,6 +29,7 @@ incdir=$(dirname $0)/../../../testprogs/blackbox
. "${incdir}/common_test_fns.inc"
samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
+samba_texpect="${BINDIR}/texpect"
create_test_data()
{
@@ -163,6 +164,33 @@ test_singlefile_smburl2()
return 0
}
+test_singlefile_smburl_interactive()
+{
+ clear_download_area
+
+ tmpfile="$(mktemp --tmpdir="${TMPDIR}" expect_XXXXXXXXXX)"
+
+ cat >"${tmpfile}" <<EOF
+expect Password for
+send ${DOMAIN_USER_PASSWORD}\n
+EOF
+
+ USER="hanswurst" ${samba_texpect} "${tmpfile}" ${SMBGET} "smb://${DOMAIN};${DOMAIN_USER}@${SERVER_IP}/smbget/testfile"
+ ret=$?
+ rm -f "${tmpfile}"
+ if [ ${ret} -ne 0 ]; then
+ echo 'ERROR: RC does not match, expected: 0'
+ return 1
+ fi
+ cmp --silent $WORKDIR/testfile ./testfile
+ ret=$?
+ if [ ${ret} -ne 0 ]; then
+ echo 'ERROR: file content does not match'
+ return 1
+ fi
+ return 0
+}
+
test_singlefile_authfile()
{
clear_download_area
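Review bot: `tmpfile` in test_singlefile_smburl_interactive is used without checking that `mktemp` succeeded. On failure the heredoc redirect targets an empty path and the test later reports a misleading RC mismatch. Since the file holds `${DOMAIN_USER_PASSWORD}`, a guard right after the mktemp line, such as `[ -n "${tmpfile}" ] || return 1`, would make that failure obvious. `--tmpdir=` is a GNU mktemp option, which may matter on non-GNU test hosts.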
@@ -533,6 +561,10 @@ testit "download single file with smb URL including domain" \
test_singlefile_smburl2 ||
failed=$(expr $failed + 1)
+testit "download single file with smb URL interactive" \
+ test_singlefile_smburl_interactive ||
+ failed=$(expr $failed + 1)
+
testit "download single file with authfile" test_singlefile_authfile ||
failed=$(expr $failed + 1)
--
2.43.0
From 7d13ed182ebd57d7ba38fc343b13b040f258d3a6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 13:16:53 +0100
Subject: [PATCH 13/13] s3:utils: Fix auth callback with smburl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f2f7ed419e03e5ae8cc85f42af5b2bcf91abefe2)
---
source3/utils/smbget.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
index 8d98ba24602..598607ea391 100644
--- a/source3/utils/smbget.c
+++ b/source3/utils/smbget.c
@@ -114,20 +114,48 @@ static void get_auth_data_with_context_fn(SMBCCTX *ctx,
const char *username = NULL;
const char *password = NULL;
const char *domain = NULL;
+ enum credentials_obtained obtained = CRED_UNINITIALISED;
- username = cli_credentials_get_username(creds);
+ username = cli_credentials_get_username_and_obtained(creds, &obtained);
if (username != NULL) {
- strncpy(usr, username, usr_len - 1);
+ bool overwrite = false;
+ if (usr[0] == '\0') {
+ overwrite = true;
+ }
+ if (obtained >= CRED_CALLBACK_RESULT) {
+ overwrite = true;
+ }
+ if (overwrite) {
+ strncpy(usr, username, usr_len - 1);
+ }
}
- password = cli_credentials_get_password(creds);
+ password = cli_credentials_get_password_and_obtained(creds, &obtained);
if (password != NULL) {
- strncpy(pwd, password, pwd_len - 1);
+ bool overwrite = false;
+ if (usr[0] == '\0') {
+ overwrite = true;
+ }
+ if (obtained >= CRED_CALLBACK_RESULT) {
+ overwrite = true;
+ }
+ if (overwrite) {
+ strncpy(pwd, password, pwd_len - 1);
+ }
}
- domain = cli_credentials_get_domain(creds);
+ domain = cli_credentials_get_domain_and_obtained(creds, &obtained);
if (domain != NULL) {
- strncpy(dom, domain, dom_len - 1);
+ bool overwrite = false;
+ if (usr[0] == '\0') {
+ overwrite = true;
+ }
+ if (obtained >= CRED_CALLBACK_RESULT) {
+ overwrite = true;
+ }
+ if (overwrite) {
+ strncpy(dom, domain, dom_len - 1);
+ }
}
smbc_set_credentials_with_fallback(ctx, domain, username, password);
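Review bot: The password and domain branches decide whether to overwrite by testing `usr[0] == '\0'`, the username buffer, rather than `pwd[0]` or `dom[0]`. By then the username branch above may already have filled `usr`, so the outcome depends on statement order. If the intent is "the URL carried no user", capture it once before the first copy, e.g. `bool url_has_user = (usr[0] != '\0');`; if it is a copy-paste slip, test each buffer's own first byte. Separately, `strncpy(pwd, password, pwd_len - 1)` leaves termination to whatever the caller put in the last byte and is only safe for a non-zero length, so `pwd[pwd_len - 1] = '\0';` after a length check would make that explicit (likewise for `usr` and `dom`). The function signature and buffer setup are outside this hunk, so the buffer types and initial contents are assumed.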
--
2.43.0