mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
afd014245a
I was getting this failure: [102(815)/143 at 10m59s] samba4.blackbox.net_ads_dns(ad_member:local)(ad_member:local) UNEXPECTED(failure): samba4.blackbox.net_ads_dns(ad_member:local).Adding an unprivileged user(ad_member:local) REASON: Exception: Exception: Could not add user unprivuser. Error setting password Incorrect net address My preliminary analysis shows that the KRB5KRB_AP_ERR_BADADDR error message is triggered by the libkrb5 client code. I have not yet shown this to happen with pure libkrb5, but my theory is the following: k5_privsafe_check_addrs() fails under the following circumstances: The kpasswd server is contacted on IPv4 and is slow to reply. After waiting a bit, libkrb5 also tries to contact kpasswd on IPv6. kpasswd_sendto_msg_callback() for the IPv6 request changes the authentication context's local_addr to IPv6. Then the IPv4 request is replied to, and then k5_privsafe_check_addrs() bails on the address family in ac->local_addr (IPv6) vs the one received and via the IPv4 connection. libkrb5's src/lib/krb5/os/changepw.c has this comment: /* * TBD: Does this tamper w/ the auth context in such a way * to break us? Yes - provide 1 per conn-state / host... */ I think we're hit by this. This patch hacks around the situation by priming the kpasswd server without error checking. If the initial v4 request is quick enough because the kpasswd server is already started up properly, everything works flawlessly. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
95 lines
4.3 KiB
Bash
Executable File
95 lines
4.3 KiB
Bash
Executable File
#!/bin/sh
|
|
# Blackbox tests for net ads dns register etc.
|
|
# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
|
|
# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
|
|
|
|
if [ $# -lt 6 ]; then
|
|
cat <<EOF
|
|
Usage: test_net_ads_dns.sh SERVER DC_USERNAME DC_PASSWORD REALM USER PASS
|
|
EOF
|
|
exit 1;
|
|
fi
|
|
|
|
SERVER=$1
|
|
DC_USERNAME=$2
|
|
DC_PASSWORD=$3
|
|
REALM=$4
|
|
USERNAME=$5
|
|
PASSWORD=$6
|
|
shift 6
|
|
failed=0
|
|
|
|
samba4bindir="$BINDIR"
|
|
|
|
samba_tool="$samba4bindir/samba-tool"
|
|
net_tool="$samba4bindir/net"
|
|
smbpasswd="$samba4bindir/smbpasswd"
|
|
texpect="$samba4bindir/texpect"
|
|
ldbsearch="$samba4bindir/ldbsearch"
|
|
ldbmodify="$samba4bindir/ldbmodify"
|
|
|
|
newuser="$samba_tool user create"
|
|
groupaddmem="$samba_tool group addmembers"
|
|
|
|
. `dirname $0`/subunit.sh
|
|
|
|
UID_WRAPPER_ROOT=1
|
|
export UID_WRAPPER_ROOT
|
|
|
|
IPADDRESS=10.1.4.111
|
|
IP6ADDRESS=fd00:1a1a::1:5ee:bad:c0de
|
|
IPADDRMAC=10.1.4.124
|
|
UNPRIVIP=10.1.4.130
|
|
NAME=testname
|
|
UNPRIVNAME=unprivname
|
|
UNPRIVUSER=unprivuser
|
|
UNPRIVPASS=UnPrivPass1
|
|
|
|
# These tests check that privileged users can add DNS names and that
|
|
# unprivileged users cannot do so.
|
|
echo "Starting ..."
|
|
|
|
testit "admin user should be able to add a DNS entry $NAME.$REALM $IPADDRESS $IP6ADDRESS" $VALGRIND $net_tool ads dns register $NAME.$REALM $IPADDRESS $IP6ADDRESS -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
|
testit "We should be able to see the new name $NAME.$REALM $IPADDRESS" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS || failed=`expr $failed + 1`
|
|
testit "We should be able to see the new name $NAME.$REALM $IP6ADDRESS" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS || failed=`expr $failed + 1`
|
|
|
|
testit "We should be able to unregister the name $NAME.$REALM" $VALGRIND $net_tool ads dns unregister $NAME.$REALM -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
|
testit "The name $NAME.$REALM $IPADDRESS should not be there any longer" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS && failed=`expr $failed + 1`
|
|
testit "The name $NAME.$REALM $IP6ADDRESS should not be there any longer" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS && failed=`expr $failed + 1`
|
|
|
|
# prime the kpasswd server, see "git blame" for an explanation
|
|
$VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD
|
|
$VALGRIND $net_tool user delete $UNPRIVUSER -U$DC_USERNAME%$DC_PASSWORD
|
|
|
|
# This should be an expect_failure test ...
|
|
testit "Adding an unprivileged user" $VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
|
|
|
BASEDN=$($VALGRIND $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -b '' --scope=base defaultNamingContext | grep defaultNamingContext | sed -e 's!^defaultNamingContext: !!')
|
|
|
|
LDIF="dn: CN=$UNPRIVUSER,CN=users,${BASEDN}+changetype: modify+replace: userAccountControl+userAccountControl: 512"
|
|
|
|
echo $LDIF | tr '+' '\n' | $VALGRIND $ldbmodify -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -i
|
|
STATUS=$?
|
|
|
|
testit "We should have enabled the account" test $STATUS -eq 0 || failed=`expr $failed + 1`
|
|
|
|
#Unprivileged users should be able to add new names
|
|
testit "Unprivileged users should be able to add new names" $net_tool ads dns register $UNPRIVNAME.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=`expr $failed + 1`
|
|
|
|
# This should work as well
|
|
testit "machine account should be able to add a DNS entry net ads dns register membername.$REALM $IPADDRMAC -P " $net_tool ads dns register membername.$REALM $IPADDRMAC -P || failed=`expr $failed + 1`
|
|
|
|
testit "We should be able to see the new name membername.$REALM" dig @$SERVER +short -t a membername.$REALM | grep -q $IPADDRMAC || failed=`expr $failed + 1`
|
|
|
|
#Unprivileged users should not be able to overwrite other's names
|
|
testit_expect_failure "Unprivileged users should not be able to modify existing names" $net_tool ads dns register membername.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=`expr $failed + 1`
|
|
|
|
testit "We should be able to unregister the name $NAME.$REALM $IPADDRESS" $VALGRIND $net_tool ads dns unregister $NAME.$REALM -P || failed=`expr $failed + 1`
|
|
|
|
testit "The name $NAME.$REALM ($IPADDRESS) should not be there any longer" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS && failed=`expr $failed + 1`
|
|
testit "The name $NAME.$REALM ($IP6ADDRESS) should not be there any longer" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS && failed=`expr $failed + 1`
|
|
|
|
exit $failed
|