Age | Commit message | Author | Files | Lines |
|
smbclient
|
|
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.
The commit also reverts previous fix now that root cause is clear.
|
|
This deserves some explanation.
With commit 518232d4578d700f5f5ea1609275a6cd1de3a1e7 samba4.blackbox.kinit test set
was wrapped with password settings reset before and after the tests with an idea to
maintain reliable state for the tests. As a result, the resetting of the password
settings was done after the test that tried to use smbclient with a Kerberos ticket
obtained with machine account credentials.
However, the code in credentials_krb5.c, function cli_credentials_get_client_gss_creds(),
never worked correctly when credentials were already in ccache. Instead, gensec_gssapi module
always re-kinited even if existing credentials were available in the ccache. This had an effect
on 'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' test equal to
never having initialized ccache at all, as if 'rm -f $KRB5CCNAME' was run before the test.
When the issue of not using already initialized credentials from ccache was fixed with
d0aae88f1290e6a7a6d4bfc24aa62795e4892a31 'auth-credentials: Support using pre-fetched ccache
when obtaining kerberos credentials' commit, Samba 4 credentials library started to correctly
re-use already obtained credentials from ccaches. This caused failure of the test
'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' because machine account
has no permissions to modify password settings.
Thus, the correct fix is to reset ccache state before performing the test.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed May 23 18:46:12 CEST 2012 on sn-devel-104
|
|
user create
Signed-off-by: Theresa Halloran <thallora@linux.vnet.ibm.com>
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
If we specify a domain, then we indicate that we must use that domain
which overrides the credentials cache we found in the environment.
Andrew Bartlett
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Python version of samba-tool does not require 'domain\' prefix for username.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Python version of samba-tool requires the command and the subcommand to
be specified before the options.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
setpassword"
This is part of the work to reflect the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Changed test suite to reflect the changes from setpassword to "domain setpassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun 1 10:37:50 CEST 2011 on sn-devel-104
|
|
Just have BINDIR, and have it default to ./bin
Andrew Bartlett
|
|
this fixes the blackbox tests for a top level build
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
metze
|
|
This tests that the handling of lowercase realms works in our KDC and
libraries.
Andrew Bartlett
|
|
Autobuild-User: Kai Blin <kai@samba.org>
Autobuild-Date: Thu Oct 28 07:25:16 UTC 2010 on sn-devel-104
|
|
too many Ts
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Oct 15 10:14:27 UTC 2010 on sn-devel-104
|
|
passing -W breaks -k yes
|
|
This :local tells selftest.pl to use the local smb.conf for the test
environment, not the generic client smb.conf
This then makes the rest work properly - otherwise, it may attempt to
connect to the wrong KDC for example.
The only problem is that we can't test the 'net join' with this set,
so this is removed from the test. The member server test environment
checks this anyway.
Andrew Bartlett
|
|
This allows us to run the PKINIT tests only against the main DC (for
which the certificates were generated), while testing the available
encryption types in each functional level.
In particular, we need to assert that AES encryption is available in
the 2008 functional level.
Andrew Bartlett
|
|
syntax
|
|
metze
|
|
This allows the integration of external tools that can't be linked
into C or python, but need to authenticate as the local machine
account.
The machineaccountccache script demonstrates this, and debugging has
been improved in cli_credentials_set_secrets() by passing back an
error string.
Andrew Bartlett
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This reverts commit d4389a230b6aea5a0b2a98e255b14a59c8248b0b.
This revert changed the behaviour which I didn't expect. Thanks to abartlet for
pointing this out!
|
|
The "enableaccount" script now works only on local LDB - therefore remove
this parameter.
|
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certificate (using the standard method to specify a principal name in a
certificate) is updated to use an Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
The previous code only allowed a KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportedly) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew Bartlett
|
|
The purpose of this test is to ensure that the Kerberos credentials
cache is valid. If the username and password are specified, this
overrides the very thing we are trying to test.
Andrew Bartlett
|
|
metze
|
|
This uses kpasswd operated as a blackbox, assisted by the newly
imported rkpty tool.
Andrew Bartlett
|
|
metze
|
|
(This used to be commit 58f956dc4591137489cba16f360f2d24d91dadc1)
|
|
(This used to be commit 49367e044e3ab94639ab3209bfd06c6286b44b59)
|
|
Andrew Bartlett
(This used to be commit 695cee0349f561625e4bbfa3a142a5e35f7eb4bf)
|
|
This fixes up the python credentials interface in a number of areas,
with the aim of supporting '-k yes' as a command line option. (This
enables the use of kerberos).
As such, I've had to change the get_credentials call to take a
loadparm context, so that the credentials can be initialised
correctly.
The test_kinit script has been modified to prove that this continues
to work, as well as to provide greater code coverage of the kerberos
paths.
Andrew Bartlett
(This used to be commit 727ef40c2b56910028ef3c1092b8eab1bfa6ce63)
|
|
(This used to be commit 16382999bebf158996e16219e7053ef4821550c1)
|
|
(This used to be commit 8616bfa0ae5762ae45b8339c84b8e4ae499f5897)
|
|
Andrew Bartlett
(This used to be commit 4fab53432a3599cf62a7ebef977bc33ef5a5f734)
|
|
consistently report errors. (Some were being lost due to the "echo
foo | cmd" calling convention).
Andrew Bartlett
(This used to be commit d0a994d0ce7b1d4a33bbca5348c2da868401971f)
|
|
(This used to be commit b0cbf169366e3624f4d8c2b1a65e478e72734871)
|
|
Andrew Bartlett
(This used to be commit 7f27bfc3568bc09b2b9cb9ba03aae55a03e08f9a)
|