1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

719 Commits

Author SHA1 Message Date
Joseph Sutton
e650b41ff9 CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
We ensure that the KDC does not reject a TGS-REQ with our short-lived
TGT over an incoming trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:23:56 +02:00
Andreas Schneider
4aafa72991 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:23:56 +02:00
Andreas Schneider
3761a6e871 CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:23:55 +02:00
Andreas Schneider
dd6c50b82e testprogs: Add test that local krb5.conf has been created
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit d2ac90cdd5)
2022-03-17 09:14:56 +00:00
Pavel Filipenský
eb0fa26dce tests: Add test for disabling NTLMSSP for ldap client connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-21 23:33:36 +00:00
Volker Lendecke
afd014245a test: Prime the kpasswd server
I was getting this failure:

[102(815)/143 at 10m59s] samba4.blackbox.net_ads_dns(ad_member:local)(ad_member:local)
UNEXPECTED(failure): samba4.blackbox.net_ads_dns(ad_member:local).Adding an unprivileged user(ad_member:local)
REASON: Exception: Exception: Could not add user unprivuser. Error setting password Incorrect net address

My preliminary analysis shows that the KRB5KRB_AP_ERR_BADADDR error
message is triggered by the libkrb5 client code. I have not yet shown
this to happen with pure libkrb5, but my theory is the following:

k5_privsafe_check_addrs() fails under the following circumstances: The
kpasswd server is contacted on IPv4 and is slow to reply. After
waiting a bit, libkrb5 also tries to contact kpasswd on
IPv6. kpasswd_sendto_msg_callback() for the IPv6 request changes the
authentication context's local_addr to IPv6. Then the IPv4 request is
replied to, and then k5_privsafe_check_addrs() bails on the address
family in ac->local_addr (IPv6) vs the one received and via the IPv4
connection.

libkrb5's src/lib/krb5/os/changepw.c has this comment:

    /*
     * TBD:  Does this tamper w/ the auth context in such a way
     * to break us?  Yes - provide 1 per conn-state / host...
     */

I think we're hit by this.

This patch hacks around the situation by priming the kpasswd server
without error checking. If the initial v4 request is quick enough
because the kpasswd server is already started up properly, everything
works flawlessly.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Andreas Schneider
492fd5b00f testprogs: Add rpcclient schannel tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-02 13:59:31 +00:00
Douglas Bagnall
6ced906e2b test/blackbox/test_samba-tool_ntacl: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:37 +00:00
Douglas Bagnall
55752c12cf CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
We need to have the SPNs there before someone else nabs them, which
makes the re-provisioned old releases different from the reference
versions that we keep for this comparison.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Andreas Schneider
5c6640470a testprogs: Use new cmdline option for kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14846

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-10-28 12:32:35 +00:00
Andrew Bartlett
a7ad665e65 selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
The previous commit was correct on intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.

These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
2021-10-15 10:00:47 +00:00
Joseph Sutton
40e5db4aab selftest/dbcheck: Fix up RODC one-way links
Test accounts were replicated to the RODC and then deleted, causing
state links to remain in the database.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Ralph Boehme
fdfc475000 selftest: fix ---configfile option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-09-10 15:10:30 +00:00
Günther Deschner
7938d94d12 s4-selftest: add net offlinejoin tests
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jul 14 17:38:21 UTC 2021 on sn-devel-184
2021-07-14 17:38:21 +00:00
Andreas Schneider
a5012df861 selftest: fl2000dc: Add outgoing trust from fl2000dc to ad_dc
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-07 14:10:29 +00:00
Isaac Boukris
194d726a80 selftest: Fix "outgoing" test in kinit_trust heimdal
Found by the test not failing in one-way trust.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-07 14:10:29 +00:00
Andreas Schneider
8d71afb4e6 testprogs: Show that DOM\user and REALM\user work for auth
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-07 14:10:28 +00:00
Andreas Schneider
4b2b5c8f68 testprogs: Rename TRUST_CREDS variables in test_trust_utils.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-07 14:10:28 +00:00
Stefan Metzmacher
7c3bb491ba testprogs: Consistantly use kinit -c $KRB5CCNAME
We want to be really clear which credentials cache we use.

The kerberos_kinit() shell function uses this internally.

-c is the common option between MIT and Heimdal, and is
equivilant to --cache

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul  5 23:51:43 UTC 2021 on sn-devel-184
2021-07-05 23:51:43 +00:00
Andrew Bartlett
bbff4f5e6b testprogs/blackbox: Remove joined dc for ldapcmp
We don't need this DC once the ldapcmp is over, and it avoids
the running DC spamming the logs looking for it.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2021-06-21 00:58:31 +00:00
Andreas Schneider
4b4fd5340a testprogs: Add smbtorture tests with new options
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-16 00:34:38 +00:00
Andreas Schneider
092d26af6a s4:torture: Pass the pkinit ccache via a torture variable
Mixing -Uuser%password and --krb5-ccache doesn't really work on the
cmdline as -U overwrited the ccache.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-16 00:34:38 +00:00
Andreas Schneider
c01213471f testprogs: Use new kerberos options for smbclient(4) tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-16 00:34:38 +00:00
Andreas Schneider
db876e95b5 testprogs: Remove --debuglevel from test_kinit_trusts_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-16 00:34:38 +00:00
Joseph Sutton
c6b2846c9d testprogs: Test that dns.keytab is created after a dns upgrade
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-11 07:41:38 +00:00
Andreas Schneider
ea071d278a s3:utils: Use connection and credentials parser in net util
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-05-28 02:55:31 +00:00
Andreas Schneider
7fa1ae04df testprogs: Add additional rpcclient tests for new cmdline options
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-05-20 02:58:36 +00:00
Andreas Schneider
ba7c2cee9d testprogs: Rename test_rpc_getusername_legacy()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-05-20 02:58:36 +00:00
Andreas Schneider
ff7d4a65ca testprogs: Add more smbclient kerberos tests for new cmdline options
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-05-20 02:58:36 +00:00
Andreas Schneider
08434e413f testprogs: Add test for offline logon support
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-05-12 20:29:32 +00:00
Andreas Schneider
f291b8f157 tests: Use --configfile instead of -s
We should use long options in tests to make clear what we are trying to
do.

Also the -s short option will be removed for --configfile later.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andreas Schneider
86f7bc7a37 testprogs: Use --suppress-prompt instead of -s for testparm
We should use long options in tests to make clear what we are trying to
do.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andreas Schneider
fca9c56836 tests: Use ldbsearch '--scope instead of '-s'
We should use long options in tests to make clear what we are trying to
do.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andrew Bartlett
4367eeb778 selftest: Improve test names in kinit test for improved debugging
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-20 11:42:37 +00:00
Stefan Metzmacher
467cfaf852 testprogs:blackbox: create temporary files under $PREFIX/SELFTEST_TMPDIR
Tests should not create files in the build nor the source directory!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-13 08:23:35 +00:00
Andrew Bartlett
da627106cd dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones
These reports (about recently deleted objects)
create concern about a perfectly normal part of DB operation.

We must not operate on objects that are expired or we might reanimate them,
but we must fix "Deleted Objects" if it is wrong (mostly it is set as being
deleted in 9999, but in alpha19 we got this wrong).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb  3 05:29:11 UTC 2021 on sn-devel-184
2021-02-03 05:29:11 +00:00
Andrew Bartlett
1ec1c35a3a selftest: Confirm that we fix any errors on the Deleted Objects container itself
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-02-03 04:19:36 +00:00
Björn Jacke
98caa173b2 tests: also test net ads dns (un)register with IPv6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13706

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-12-23 12:45:35 +00:00
Björn Jacke
f30e100b39 tests: also test v6 for async dns test by using dig
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-12-23 12:45:35 +00:00
Björn Baumbach
98119189cf blackbox/test_samba-tool_ntacl.sh: script requires two arguments
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-17 13:59:37 +00:00
Andreas Schneider
39536286d4 testprogs: Fix MIT KRB5 export keytab with > 1.18
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 21 00:11:02 UTC 2020 on sn-devel-184
2020-11-21 00:11:02 +00:00
Stefan Metzmacher
40079975f7 testprogs/blackbox: make sure subunit.sh always terminates DETAILS with '\n]\n'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-11-11 21:14:32 +00:00
Andreas Schneider
1432d225b0 testprogs: Fix and improve upgradeprovision-oldrelease test
This fixes running `make test` in a release tarball!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 22 17:28:39 UTC 2020 on sn-devel-184
2020-10-22 17:28:39 +00:00
Andreas Schneider
32305d607f testprogs: Fix and improve dbcheck-oldrelease test
This fixes running `make test` in a release tarball!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-22 16:05:31 +00:00
Andreas Schneider
28720d66df testprogs: Fix and improve functionalprep test
This fixes running `make test` in a release tarball!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-22 16:05:31 +00:00
Andreas Schneider
d8fe4315c8 testprogs: Fix and improve dbcheck-links test
This fixes running `make test` in a release tarball!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-22 16:05:30 +00:00
Andreas Schneider
a9765084f1 testprogs: Fix and improve runtime-links test
This fixes running `make test` in a release tarball!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-22 16:05:30 +00:00
Andreas Schneider
e4194355f4 testprogs: Fix and improve tombstones-expunge test
This fixes running `make test` in a release tarball!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-22 16:05:30 +00:00
Andreas Schneider
e58ccdaa1a testprogs: Fix and improve demote-saveddb test
This fixes running `make test` in a release tarball!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-22 16:05:30 +00:00
Andreas Schneider
3770f28c62 testprogs: Add remove_directory to common test functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-22 16:05:30 +00:00