sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-05 20:58:40 +03:00
Code

test: Prime the kpasswd server

Browse Source 
I was getting this failure:

[102(815)/143 at 10m59s] samba4.blackbox.net_ads_dns(ad_member:local)(ad_member:local)
UNEXPECTED(failure): samba4.blackbox.net_ads_dns(ad_member:local).Adding an unprivileged user(ad_member:local)
REASON: Exception: Exception: Could not add user unprivuser. Error setting password Incorrect net address

My preliminary analysis shows that the KRB5KRB_AP_ERR_BADADDR error
message is triggered by the libkrb5 client code. I have not yet shown
this to happen with pure libkrb5, but my theory is the following:

k5_privsafe_check_addrs() fails under the following circumstances: The
kpasswd server is contacted on IPv4 and is slow to reply. After
waiting a bit, libkrb5 also tries to contact kpasswd on
IPv6. kpasswd_sendto_msg_callback() for the IPv6 request changes the
authentication context's local_addr to IPv6. Then the IPv4 request is
replied to, and then k5_privsafe_check_addrs() bails on the address
family in ac->local_addr (IPv6) vs the one received and via the IPv4
connection.

libkrb5's src/lib/krb5/os/changepw.c has this comment:

    /*
     * TBD:  Does this tamper w/ the auth context in such a way
     * to break us?  Yes - provide 1 per conn-state / host...
     */

I think we're hit by this.

This patch hacks around the situation by priming the kpasswd server
without error checking. If the initial v4 request is quick enough
because the kpasswd server is already started up properly, everything
works flawlessly.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Volker Lendecke 2021-09-01 12:04:43 +02:00
parent d5fa626394
commit afd014245a
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
testprogs/blackbox/test_net_ads_dns.sh
View File

@ -59,6 +59,10 @@ testit "We should be able to unregister the name $NAME.$REALM" $VALGRIND $net_to
testit "The name $NAME.$REALM $IPADDRESS should not be there any longer" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS && failed=`expr $failed + 1`
testit "The name $NAME.$REALM $IP6ADDRESS should not be there any longer" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS && failed=`expr $failed + 1`
# prime the kpasswd server, see "git blame" for an explanation
$VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD
$VALGRIND $net_tool user delete $UNPRIVUSER -U$DC_USERNAME%$DC_PASSWORD
# This should be an expect_failure test ...
testit "Adding an unprivileged user" $VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`