Age | Commit message (Collapse) | Author | Files | Lines |
|
and kerberos ccache
This shows that a username/password on the command line must always
override any credentials cache in the environment.
Andrew Bartlett
|
|
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.
The commit also reverts previous fix now that root cause is clear.
|
|
If this test is run in the "dc" environment (rather than "dc:local") is would not delete the
test user.
Andrew Bartlett
|
|
This deserves some explanation.
With commit 518232d4578d700f5f5ea1609275a6cd1de3a1e7 samba4.blackbox.kinit test set
was wrapped with password settings reset before and after the tests with an idea to
maintain reliable state for the tests. As result, the resetting of the password
settings was done after the test that tried to use smbclient with a Kerberos ticket
obtained with machine account credentials.
However, the code in credentials_krb5.c, function cli_credentials_get_client_gss_creds(),
never worked correctly when credentials were already in ccache. Instead, gensec_gssapi module
always re-kinited even if existing credentials were available in the ccache. This had an effect
on 'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' test equal to
never having initialized ccache at all, as if 'rm -f $KRB5CCNAME' was run before the test.
When the issue of not using already initialized credentials from ccache was fixed with
d0aae88f1290e6a7a6d4bfc24aa62795e4892a31 'auth-credentials: Support using pre-fetched ccache
when obtaining kerberos credentials' commit, Samba 4 credentials library started to correctly
re-used already obtained credentials from ccaches. This caused failure of the test
'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' because machine account
has no permissions to modify password settings.
Thus, the correct fix is to reset ccache state before performing the test.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed May 23 18:46:12 CEST 2012 on sn-devel-104
|
|
This avoids leaving an account in the test environment after the test is run
and therefore avoids issues with interations with other tests.
Also, we now use the local administrator account in the member server to
add the test account.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Mar 2 14:44:36 CET 2012 on sn-devel-104
|
|
|
|
name of a domain member
This means that if we authentify for BOGUS\administrator in AD domain
FOREST with samba being domain member with the netbiosname MEMBER then
BOGUS\administrator will be mapped to MEMBER\administrator if the
password match.
|
|
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Jan 24 11:05:09 CET 2012 on sn-devel-104
|
|
|
|
This allows only a particular principal to be exported to the keytab.
This is useful when setting up unix servers in a Samba controlled
domain.
Based on a request by Gémes Géza <geza@kzsdabas.hu>
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
|
|
user create
Signed-off-by: Theresa Halloran <thallora@linux.vnet.ibm.com>
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
If we specify a domain, then we indicate that we must use that domain
which overrides the credentials cache we found in the environment.
Andrew Bartlett
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Replace the "samba-tool user setpassword" command with user level
"samba-tool user password" command.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Python version of samba-tool does not require 'domain\' prefix for username.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Python version of samba-tool requires the command and the subcommand to
be specified before the options.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Updated test suite invocations of newuser to "user add" as
the newuser functionality is now being moved to "user add"
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
setpassword"
This is part of the work to reflect the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
this leaves the database as-is, which makes it easier to examine the
problem
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This should catch corruption that happens during a test run
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
a 'keytab' is a particular format known to administrators, whereas
'keys' is a bit too vague
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The test suite has been changed to reflect the move from export to "domain dumpkeys" to reflect the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Changed test suite to reflect the changes from setpassword to "domain setpassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The test suite needs to change from setpassword to "user setpassword" to reflect the new cmd syntax
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
|
|
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun 1 10:37:50 CEST 2011 on sn-devel-104
|
|
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat May 21 09:50:34 CEST 2011 on sn-devel-104
|
|
Just have BINDIR, and have it default to ./bin
Andrew Bartlett
|
|
|
|
this fixes the blackbox tests for a top level build
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
metze
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Nov 27 04:32:11 CET 2010 on sn-devel-104
|
|
This tests that the handling of lowercase realms works in our KDC and
libraries.
Andrew Bartlett
|
|
Autobuild-User: Kai Blin <kai@samba.org>
Autobuild-Date: Thu Oct 28 07:25:16 UTC 2010 on sn-devel-104
|
|
too many Ts
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Oct 15 10:14:27 UTC 2010 on sn-devel-104
|
|
passing -W breaks -k yes
|
|
metze
|
|
|
|
This :local tells selftest.pl to use the local smb.conf for the test
environment, not the generic client smb.conf
This then makes the rest work properly - otherwise, it may attempt to
connect to the wrong KDC for example.
The only problem is that we can't test the 'net join' with this set,
so this is removed from the test. The member server test environment
checks this anyway.
Andrew Bartlett
|
|
By using a CCACHE obtained while the old password was still valid, we
can tell if the server still accepts incoming Kerberos connections
with the old password.
Andrew Bartlett
|
|
Changing the machine account password should not prevent connections
with a current, valid CCACHE. This is because when the password is
changed, the server-side keytab keeps one old password around.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This patch is for testing the chgdcpass script which is mostly a call to
update_machine_account_password.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is a short-term workarround for broken scripts,
which use "exit $failed", without initializing failed.
We need a discussion on the mailing list how to handle this
in a nicer way.
This should fix some random failures in the blackbox tests.
metze
|
|
|
|
"minPwdAge" != 0
|
|
This allows us to run the PKINIT tests only against the main DC (for
which the certificates were generated), while testing the available
encryption types in each functional level.
In particular, we need to assert that AES encryption is available in
the 2008 functional level.
Andrew Bartlett
|
|
syntax
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|