Merge ~ahasenack/ubuntu/+source/samba:jammy-samba-kb5028166-2027716 into ubuntu/+source/samba:ubuntu/jammy-devel
Status: | Merged
---|---
Approved by: | git-ubuntu bot
Approved revision: | not available
Merged at revision: | 1b97ed30dceab15beb88db4498e217cfb7f83bca
Proposed branch: | ~ahasenack/ubuntu/+source/samba:jammy-samba-kb5028166-2027716
Merge into: | ubuntu/+source/samba:ubuntu/jammy-devel
Diff against target: | 805 lines (+753/-1), 6 files modified: debian/changelog (+18/-0), debian/patches/secure-channel-faulty-kb5028166.patch (+215/-0), debian/patches/series (+1/-0), debian/tests/control (+4/-0), debian/tests/samba-ad-dc-provisioning-internal-dns (+404/-0), debian/tests/util (+111/-1)
Related bugs: |
Reviewer | Review Type | Date Requested | Status
---|---|---|---
git-ubuntu bot | | | Approve
Lucas Kanashiro (community) | | | Approve
Canonical Server Reporter | | | Pending

Review via email: mp+447459@code.launchpad.net
Commit message
Description of the change
PPA: https:/
Bug fix for #2027716. SRU template is filled in, including a test case.
I split the patch in two commits: one that introduces the upstream patch, pristine, and another that removes the hunks that changed the upstream test suite. We don't run that test suite, and I think a smaller patch is easier to review, especially when comparing to the other ubuntu releases which needed a small backport change.
I tried to make incremental changes to this branch when compared to lunar, so it's easier to review. But range-diff is still a bit noisy, because the patch that fixes the problem needed a small backport.
The DEP8 test also needed tweaking for jammy, and I tried to keep the differences as additional commits.
DEP8 is green. It doesn't exercise this bug in particular, but does exercise a domain join with linux<->linux, which is a good regression test.
Lucas Kanashiro (lucaskanashiro) wrote:
Lucas Kanashiro (lucaskanashiro) wrote:
Argh, it built fine locally now, not sure exactly what happened, but there is this DEP-8 test failing locally for me:
autopkgtest [18:17:02]: test samba-ad-
samba-ad-
Summary of a local autopkgtest run:
autopkgtest [19:09:04]: @@@@@@@
cifs-share-access PASS
cifs-share-
python-smoke PASS
smbclient-
smbclient-
smbclient-
smbclient-
samba-ad-
Andreas Hasenack (ahasenack) wrote:
Hm, that's odd:
660s Error loading module '/usr/lib/
Looks like jammy also needs the samba-vfs-modules package added to the test dependency, just like I found out for focal. Not sure how I didn't see this before.
Andreas Hasenack (ahasenack) wrote:
PPA rebuilt (jammy), all tests re-triggered, let's see tomorrow what we get.
Andreas Hasenack (ahasenack) wrote:
And this time it's green all around:
Results: (from http://
samba @ amd64:
26.07.23 00:00:56 Log 🗒️ ✅ Triggers: samba/2:
samba @ arm64:
26.07.23 00:40:52 Log 🗒️ ✅ Triggers: samba/2:
samba @ armhf:
26.07.23 00:01:31 Log 🗒️ ✅ Triggers: samba/2:
samba @ ppc64el:
26.07.23 00:15:03 Log 🗒️ ✅ Triggers: samba/2:
samba @ s390x:
26.07.23 00:18:25 Log 🗒️ ✅ Triggers: samba/2:
Lucas Kanashiro (lucaskanashiro) wrote:
Awesome! Now, LGTM, +1.
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved
Andreas Hasenack (ahasenack) wrote:
Thanks, uploaded with rich history:
Uploading samba_4.
Uploading samba_4.
Uploading samba_4.
Uploading samba_4.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index b951fb0..5e12a5e 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,21 @@ | |||
6 | 1 | samba (2:4.15.13+dfsg-0ubuntu1.3) jammy; urgency=medium | ||
7 | 2 | |||
8 | 3 | * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership | ||
9 | 4 | after Windows KB5028166 update (LP: #2027716) | ||
10 | 5 | * Cherry pick samba AD DC provisioning DEP8 test from later Ubuntu | ||
11 | 6 | releases (LP: #1977746, LP: #2011745): | ||
12 | 7 | - d/t/control, d/t/util, d/t/samba-ad-dc-provisioning-internal-dns: | ||
13 | 8 | samba AD DC provisioning and domain join tests with internal DNS | ||
14 | 9 | + d/t/control: adjust package dependencies | ||
15 | 10 | + d/t/samba-ad-dc-provisioning-internal-dns: handle the case where | ||
16 | 11 | libnss-winbind does not automatically add winbind to | ||
17 | 12 | /etc/nsswitch.conf (that is done only in Lunar and later) | ||
18 | 13 | + d/t/samba-ad-dc-provisioning-internal-dns: use case insensitive | ||
19 | 14 | match when inspecting kerberos tickets, as the hostname may be | ||
20 | 15 | capitalized | ||
21 | 16 | |||
22 | 17 | -- Andreas Hasenack <andreas@canonical.com> Sun, 23 Jul 2023 17:09:59 -0300 | ||
23 | 18 | |||
24 | 1 | samba (2:4.15.13+dfsg-0ubuntu1.2) jammy-security; urgency=medium | 19 | samba (2:4.15.13+dfsg-0ubuntu1.2) jammy-security; urgency=medium |
25 | 2 | 20 | ||
26 | 3 | * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP | 21 | * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP |
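Review bot: the new 2:4.15.13+dfsg-0ubuntu1.3 entry references LP: #1977746 and LP: #2011745 in closing form next to LP: #2027716, although the description presents this upload as the fix for #2027716 only and the other two are there because the DEP8 test was cherry-picked. Each bug closed from an SRU changelog is expected to go through verification for the target release, so either confirm that both test bugs have a jammy task and a test case, or mention them without the "LP: #" closing syntax. The sub-item "d/t/control: adjust package dependencies" could also name the packages that changed, since that is the part that differs from the later releases.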
27 | diff --git a/debian/patches/secure-channel-faulty-kb5028166.patch b/debian/patches/secure-channel-faulty-kb5028166.patch | |||
28 | 4 | new file mode 100644 | 22 | new file mode 100644 |
29 | index 0000000..c1367f7 | |||
30 | --- /dev/null | |||
31 | +++ b/debian/patches/secure-channel-faulty-kb5028166.patch | |||
32 | @@ -0,0 +1,215 @@ | |||
33 | 1 | From 2150e7f3dc409b415ca8b6a541729a49932c5073 Mon Sep 17 00:00:00 2001 | ||
34 | 2 | From: Stefan Metzmacher <metze@samba.org> | ||
35 | 3 | Date: Sat, 15 Jul 2023 17:20:32 +0200 | ||
36 | 4 | Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities | ||
37 | 5 | response level 2 | ||
38 | 6 | |||
39 | 7 | We don't have any documentation about this yet, but tests against | ||
40 | 8 | a Windows Server 2022 patched with KB5028166 revealed that | ||
41 | 9 | the response for query_level=2 is exactly the same as | ||
42 | 10 | for querey_level=1. | ||
43 | 11 | |||
44 | 12 | Until we know the reason for query_level=2 we won't | ||
45 | 13 | use it as client nor support it in the server, but | ||
46 | 14 | we want ndrdump to work. | ||
47 | 15 | |||
48 | 16 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 | ||
49 | 17 | |||
50 | 18 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | ||
51 | 19 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | ||
52 | 20 | (cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e) | ||
53 | 21 | --- | ||
54 | 22 | librpc/idl/netlogon.idl | 1 + | ||
55 | 23 | 1 file changed, 1 insertion(+) | ||
56 | 24 | |||
57 | 25 | Ubuntu patch note: removed the parts that changed the upstream test suite | ||
58 | 26 | |||
59 | 27 | Origin: backport, https://bugzilla.samba.org/attachment.cgi?id=17987 | ||
60 | 28 | Bug: https://bugzilla.samba.org/show_bug.cgi?id=15418 | ||
61 | 29 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716 | ||
62 | 30 | Last-Update: 2023-07-17 | ||
63 | 31 | |||
64 | 32 | diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl | ||
65 | 33 | index d956a661fff7..b51767136d3c 100644 | ||
66 | 34 | --- a/librpc/idl/netlogon.idl | ||
67 | 35 | +++ b/librpc/idl/netlogon.idl | ||
68 | 36 | @@ -1241,6 +1241,7 @@ interface netlogon | ||
69 | 37 | /* Function 0x15 */ | ||
70 | 38 | typedef [switch_type(uint32)] union { | ||
71 | 39 | [case(1)] netr_NegotiateFlags server_capabilities; | ||
72 | 40 | + [case(2)] netr_NegotiateFlags server_capabilities; | ||
73 | 41 | } netr_Capabilities; | ||
74 | 42 | |||
75 | 43 | NTSTATUS netr_LogonGetCapabilities( | ||
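Review bot: in netr_Capabilities the added [case(2)] arm reuses the member name server_capabilities from [case(1)], and nothing in the IDL itself says why. The reasoning (level 2 is undocumented, was observed to match level 1 on a server patched with KB5028166, and is accepted here only so that ndrdump can decode it) lives in the commit message alone. A one-line comment above the new arm would keep that next to the definition and mark it for revisiting once the level is documented.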
76 | 44 | -- | ||
77 | 45 | 2.34.1 | ||
78 | 46 | |||
79 | 47 | |||
80 | 48 | From fa71e7b4b027dc8224fda7125f1faaefa4e71eae Mon Sep 17 00:00:00 2001 | ||
81 | 49 | From: Stefan Metzmacher <metze@samba.org> | ||
82 | 50 | Date: Sat, 15 Jul 2023 16:11:48 +0200 | ||
83 | 51 | Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for | ||
84 | 52 | invalid netr_LogonGetCapabilities levels | ||
85 | 53 | |||
86 | 54 | This is important as Windows clients with KB5028166 seem to | ||
87 | 55 | call netr_LogonGetCapabilities with query_level=2 after | ||
88 | 56 | a call with query_level=1. | ||
89 | 57 | |||
90 | 58 | An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG | ||
91 | 59 | for query_level values other than 1. | ||
92 | 60 | While Samba tries to return NT_STATUS_NOT_SUPPORTED, but | ||
93 | 61 | later fails to marshall the response, which results | ||
94 | 62 | in DCERPC_FAULT_BAD_STUB_DATA instead. | ||
95 | 63 | |||
96 | 64 | Because we don't have any documentation for level 2 yet, | ||
97 | 65 | we just try to behave like an unpatched server and | ||
98 | 66 | generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of | ||
99 | 67 | DCERPC_FAULT_BAD_STUB_DATA. | ||
100 | 68 | Which allows patched Windows clients to keep working | ||
101 | 69 | against a Samba DC. | ||
102 | 70 | |||
103 | 71 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 | ||
104 | 72 | |||
105 | 73 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | ||
106 | 74 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | ||
107 | 75 | (cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518) | ||
108 | 76 | --- | ||
109 | 77 | .../knownfail.d/netr_LogonGetCapabilities | 2 -- | ||
110 | 78 | source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++--- | ||
111 | 79 | 2 files changed, 24 insertions(+), 6 deletions(-) | ||
112 | 80 | |||
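Review bot: the diffstat kept just above still lists knownfail.d/netr_LogonGetCapabilities and "2 files changed, 24 insertions(+), 6 deletions(-)", and the subjects jump from [PATCH 1/4] to [PATCH 3/4], while the only Ubuntu annotation is "removed the parts that changed the upstream test suite". Suggest extending that DEP-3 note to say that 2/4 was dropped whole and that the retained diffstats are upstream's, not a description of what this file applies. The same holds for the 4/4 header further down, which still shows "delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities".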
113 | 81 | diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c | ||
114 | 82 | index 6a3e044eb9da..26be4f567513 100644 | ||
115 | 83 | --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c | ||
116 | 84 | +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c | ||
117 | 85 | @@ -2399,6 +2399,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c | ||
118 | 86 | struct netlogon_creds_CredentialState *creds; | ||
119 | 87 | NTSTATUS status; | ||
120 | 88 | |||
121 | 89 | + switch (r->in.query_level) { | ||
122 | 90 | + case 1: | ||
123 | 91 | + break; | ||
124 | 92 | + case 2: | ||
125 | 93 | + /* | ||
126 | 94 | + * Until we know the details behind KB5028166 | ||
127 | 95 | + * just return DCERPC_NCA_S_FAULT_INVALID_TAG | ||
128 | 96 | + * like an unpatched Windows Server. | ||
129 | 97 | + */ | ||
130 | 98 | + FALL_THROUGH; | ||
131 | 99 | + default: | ||
132 | 100 | + /* | ||
133 | 101 | + * There would not be a way to marshall the | ||
134 | 102 | + * the response. Which would mean our final | ||
135 | 103 | + * ndr_push would fail an we would return | ||
136 | 104 | + * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. | ||
137 | 105 | + * | ||
138 | 106 | + * But it's important to match a Windows server | ||
139 | 107 | + * especially before KB5028166, see also our bug #15418 | ||
140 | 108 | + * Otherwise Windows client would stop talking to us. | ||
141 | 109 | + */ | ||
142 | 110 | + DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG); | ||
143 | 111 | + } | ||
144 | 112 | + | ||
145 | 113 | status = dcesrv_netr_creds_server_step_check(dce_call, | ||
146 | 114 | mem_ctx, | ||
147 | 115 | r->in.computer_name, | ||
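Review bot: the new switch on r->in.query_level runs before dcesrv_netr_creds_server_step_check(), whereas the check it replaces (removed in the next hunk) ran after NT_STATUS_NOT_OK_RETURN(status), so an unsupported level now faults without the caller's netlogon credentials being checked or stepped. The comment explains why the fault code changed but not why the order did. If faulting ahead of the credential check is what matches a Windows server, please say so in the comment, so a later cleanup does not move the switch back below the check. Minor: the comment has "the the response" and "fail an we".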
148 | 116 | @@ -2410,10 +2434,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c | ||
149 | 117 | } | ||
150 | 118 | NT_STATUS_NOT_OK_RETURN(status); | ||
151 | 119 | |||
152 | 120 | - if (r->in.query_level != 1) { | ||
153 | 121 | - return NT_STATUS_NOT_SUPPORTED; | ||
154 | 122 | - } | ||
155 | 123 | - | ||
156 | 124 | r->out.capabilities->server_capabilities = creds->negotiate_flags; | ||
157 | 125 | |||
158 | 126 | return NT_STATUS_OK; | ||
159 | 127 | -- | ||
160 | 128 | 2.34.1 | ||
161 | 129 | |||
162 | 130 | |||
163 | 131 | From 05f110e1a4d4b38bfbaaa3a92fda7a9127b3b456 Mon Sep 17 00:00:00 2001 | ||
164 | 132 | From: Stefan Metzmacher <metze@samba.org> | ||
165 | 133 | Date: Sat, 15 Jul 2023 16:11:48 +0200 | ||
166 | 134 | Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for | ||
167 | 135 | invalid netr_LogonGetCapabilities levels | ||
168 | 136 | |||
169 | 137 | This is important as Windows clients with KB5028166 seem to | ||
170 | 138 | call netr_LogonGetCapabilities with query_level=2 after | ||
171 | 139 | a call with query_level=1. | ||
172 | 140 | |||
173 | 141 | An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG | ||
174 | 142 | for query_level values other than 1. | ||
175 | 143 | While Samba tries to return NT_STATUS_NOT_SUPPORTED, but | ||
176 | 144 | later fails to marshall the response, which results | ||
177 | 145 | in DCERPC_FAULT_BAD_STUB_DATA instead. | ||
178 | 146 | |||
179 | 147 | Because we don't have any documentation for level 2 yet, | ||
180 | 148 | we just try to behave like an unpatched server and | ||
181 | 149 | generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of | ||
182 | 150 | DCERPC_FAULT_BAD_STUB_DATA. | ||
183 | 151 | Which allows patched Windows clients to keep working | ||
184 | 152 | against a Samba DC. | ||
185 | 153 | |||
186 | 154 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 | ||
187 | 155 | |||
188 | 156 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | ||
189 | 157 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | ||
190 | 158 | |||
191 | 159 | Autobuild-User(master): Stefan Metzmacher <metze@samba.org> | ||
192 | 160 | Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 | ||
193 | 161 | |||
194 | 162 | (cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9) | ||
195 | 163 | --- | ||
196 | 164 | .../knownfail.d/netr_LogonGetCapabilities | 1 - | ||
197 | 165 | source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++--- | ||
198 | 166 | 2 files changed, 25 insertions(+), 5 deletions(-) | ||
199 | 167 | delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities | ||
200 | 168 | |||
201 | 169 | diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c | ||
202 | 170 | index 5906464a9f3..35433ec6781 100644 | ||
203 | 171 | --- a/source3/rpc_server/netlogon/srv_netlog_nt.c | ||
204 | 172 | +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c | ||
205 | 173 | @@ -2421,6 +2421,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, | ||
206 | 174 | struct netlogon_creds_CredentialState *creds; | ||
207 | 175 | NTSTATUS status; | ||
208 | 176 | |||
209 | 177 | + switch (r->in.query_level) { | ||
210 | 178 | + case 1: | ||
211 | 179 | + break; | ||
212 | 180 | + case 2: | ||
213 | 181 | + /* | ||
214 | 182 | + * Until we know the details behind KB5028166 | ||
215 | 183 | + * just return DCERPC_NCA_S_FAULT_INVALID_TAG | ||
216 | 184 | + * like an unpatched Windows Server. | ||
217 | 185 | + */ | ||
218 | 186 | + FALL_THROUGH; | ||
219 | 187 | + default: | ||
220 | 188 | + /* | ||
221 | 189 | + * There would not be a way to marshall the | ||
222 | 190 | + * the response. Which would mean our final | ||
223 | 191 | + * ndr_push would fail an we would return | ||
224 | 192 | + * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. | ||
225 | 193 | + * | ||
226 | 194 | + * But it's important to match a Windows server | ||
227 | 195 | + * especially before KB5028166, see also our bug #15418 | ||
228 | 196 | + * Otherwise Windows client would stop talking to us. | ||
229 | 197 | + */ | ||
230 | 198 | + p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; | ||
231 | 199 | + return NT_STATUS_NOT_SUPPORTED; | ||
232 | 200 | + } | ||
233 | 201 | + | ||
234 | 202 | become_root(); | ||
235 | 203 | status = netr_creds_server_step_check(p, p->mem_ctx, | ||
236 | 204 | r->in.computer_name, | ||
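Review bot: the default arm sets p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG and then returns NT_STATUS_NOT_SUPPORTED, while the source4 version of this change uses DCESRV_FAULT() alone, and from the hunk it is not evident which of the two the client ends up seeing. The commit message depends on the client receiving the INVALID_TAG fault, so a short comment stating that the NTSTATUS is only a placeholder once fault_state is set would remove the doubt. The early return sits above become_root(), so no unbecome_root() is needed on this path; that is worth preserving if the switch is ever moved.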
237 | 205 | @@ -2432,10 +2457,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, | ||
238 | 206 | return status; | ||
239 | 207 | } | ||
240 | 208 | |||
241 | 209 | - if (r->in.query_level != 1) { | ||
242 | 210 | - return NT_STATUS_NOT_SUPPORTED; | ||
243 | 211 | - } | ||
244 | 212 | - | ||
245 | 213 | r->out.capabilities->server_capabilities = creds->negotiate_flags; | ||
246 | 214 | |||
247 | 215 | return NT_STATUS_OK; | ||
248 | diff --git a/debian/patches/series b/debian/patches/series | |||
249 | index 5791d76..0a6a142 100644 | |||
250 | --- a/debian/patches/series | |||
251 | +++ b/debian/patches/series | |||
252 | @@ -64,3 +64,4 @@ CVE-2023-34968-09.patch | |||
253 | 64 | CVE-2023-34968-10.patch | 64 | CVE-2023-34968-10.patch |
254 | 65 | CVE-2023-34968-11.patch | 65 | CVE-2023-34968-11.patch |
255 | 66 | CVE-2023-34968-12.patch | 66 | CVE-2023-34968-12.patch |
256 | 67 | secure-channel-faulty-kb5028166.patch | ||
257 | diff --git a/debian/tests/control b/debian/tests/control | |||
258 | index 3ecb853..6814243 100644 | |||
259 | --- a/debian/tests/control | |||
260 | +++ b/debian/tests/control | |||
261 | @@ -24,3 +24,7 @@ Restrictions: needs-root, allow-stderr, isolation-container | |||
262 | 24 | Tests: smbclient-share-access-uring | 24 | Tests: smbclient-share-access-uring |
263 | 25 | Depends: samba, samba-vfs-modules, smbclient, coreutils, systemd, passwd | 25 | Depends: samba, samba-vfs-modules, smbclient, coreutils, systemd, passwd |
264 | 26 | Restrictions: needs-root, allow-stderr, isolation-container, skippable | 26 | Restrictions: needs-root, allow-stderr, isolation-container, skippable |
265 | 27 | |||
266 | 28 | Tests: samba-ad-dc-provisioning-internal-dns | ||
267 | 29 | Depends: samba, samba-dsdb-modules, samba-vfs-modules, winbind, smbclient, krb5-user, bind9-dnsutils, lxd | snapd, lsb-release, dctrl-tools | ||
268 | 30 | Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed | ||
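Review bot: the Restrictions line for samba-ad-dc-provisioning-internal-dns lists needs-root, isolation-machine, allow-stderr and breaks-testbed, but the test script runs lxc launch "ubuntu-daily:${release}" and then installs packages inside that container, both of which need outbound network access. Consider adding needs-internet so the test is skipped rather than failed on runners without it. The Depends line does include samba-vfs-modules, which matches the module loading failure discussed in the comments above.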
269 | diff --git a/debian/tests/samba-ad-dc-provisioning-internal-dns b/debian/tests/samba-ad-dc-provisioning-internal-dns | |||
270 | 27 | new file mode 100755 | 31 | new file mode 100755 |
271 | index 0000000..592a608 | |||
272 | --- /dev/null | |||
273 | +++ b/debian/tests/samba-ad-dc-provisioning-internal-dns | |||
274 | @@ -0,0 +1,404 @@ | |||
275 | 1 | #!/bin/bash | ||
276 | 2 | |||
277 | 3 | set -e | ||
278 | 4 | set -o pipefail | ||
279 | 5 | |||
280 | 6 | source debian/tests/util | ||
281 | 7 | |||
282 | 8 | declare -r domain="EXAMPLE" | ||
283 | 9 | declare -r realm="EXAMPLE.FAKE" | ||
284 | 10 | declare -r adminpass="Passw0rd" | ||
285 | 11 | declare -r test_user="test_user_${RANDOM}" | ||
286 | 12 | declare -r test_pw="test_user_secret_${RANDOM}" | ||
287 | 13 | declare -A user_pass | ||
288 | 14 | user_pass[Administrator]="${adminpass}" | ||
289 | 15 | user_pass[${test_user}]="${test_pw}" | ||
290 | 16 | declare -A join_method_deps | ||
291 | 17 | # Minimum set of deps: let realmd install the extra dependencies | ||
292 | 18 | # as needed, depending on the join method. | ||
293 | 19 | join_method_deps[realmd_sssd]="realmd krb5-user smbclient" | ||
294 | 20 | join_method_deps[realmd_winbind]="realmd krb5-user smbclient" | ||
295 | 21 | |||
296 | 22 | |||
297 | 23 | cleanup() { | ||
298 | 24 | rc=$? | ||
299 | 25 | set +e # so we don't exit midcleanup | ||
300 | 26 | if [ ${rc} -ne 0 ]; then | ||
301 | 27 | echo "## Something failed, gathering logs" | ||
302 | 28 | echo | ||
303 | 29 | echo "## smb.conf" | ||
304 | 30 | cat /etc/samba/smb.conf | ||
305 | 31 | echo | ||
306 | 32 | echo "## resolv.conf" | ||
307 | 33 | cat /etc/resolv.conf | ||
308 | 34 | echo | ||
309 | 35 | echo "## resolvectl status" | ||
310 | 36 | resolvectl status | ||
311 | 37 | echo "## journal for samba-ad-dc.service" | ||
312 | 38 | journalctl -u samba-ad-dc.service --lines 500 | ||
313 | 39 | echo | ||
314 | 40 | for log in /var/log/samba/log.*; do | ||
315 | 41 | # skip compressed logrotated files | ||
316 | 42 | if [ "${log%.gz}" != "${log}" ]; then | ||
317 | 43 | continue | ||
318 | 44 | fi | ||
319 | 45 | [ -s "${log}" ] || continue | ||
320 | 46 | echo "## $(basename ${log}):" | ||
321 | 47 | tail -n 500 "${log}" | ||
322 | 48 | echo | ||
323 | 49 | done | ||
324 | 50 | echo "## syslog" | ||
325 | 51 | tail -n 500 /var/log/syslog | ||
326 | 52 | fi | ||
327 | 53 | } | ||
328 | 54 | |||
329 | 55 | trap cleanup EXIT | ||
330 | 56 | |||
331 | 57 | assert_testparm() { | ||
332 | 58 | local parameter="${1}" | ||
333 | 59 | local expected_value="${2}" | ||
334 | 60 | local current_value="" | ||
335 | 61 | local -i retval=0 | ||
336 | 62 | |||
337 | 63 | echo -n "Asserting ${parameter} is ${expected_value}: " | ||
338 | 64 | current_value=$(testparm -s --parameter-name "${parameter}" 2>/dev/null) || { | ||
339 | 65 | retval=$? | ||
340 | 66 | echo "FAIL" | ||
341 | 67 | return ${retval} | ||
342 | 68 | } | ||
343 | 69 | if [ "${current_value}" = "${expected_value}" ]; then | ||
344 | 70 | echo "OK" | ||
345 | 71 | return 0 | ||
346 | 72 | else | ||
347 | 73 | echo "FAIL" | ||
348 | 74 | return 1 | ||
349 | 75 | fi | ||
350 | 76 | } | ||
351 | 77 | |||
352 | 78 | basic_config_tests() { | ||
353 | 79 | echo "## Basic config tests" | ||
354 | 80 | testparm -s > /dev/null | ||
355 | 81 | assert_testparm "realm" "${realm}" | ||
356 | 82 | assert_testparm "workgroup" "${domain}" | ||
357 | 83 | assert_testparm "server role" "active directory domain controller" | ||
358 | 84 | echo | ||
359 | 85 | } | ||
360 | 86 | |||
361 | 87 | dns_tests() { | ||
362 | 88 | echo "## DNS tests" | ||
363 | 89 | echo "Obtaining administrator kerberos ticket" | ||
364 | 90 | echo "${adminpass}" | timeout --verbose 30 kinit Administrator | ||
365 | 91 | echo | ||
366 | 92 | echo "Querying server info" | ||
367 | 93 | samba-tool dns serverinfo "$(hostname)" | ||
368 | 94 | echo | ||
369 | 95 | echo "Checking we got a service ticket of type host/" | ||
370 | 96 | klist | grep -i "host/$(hostname)" | ||
371 | 97 | echo | ||
372 | 98 | echo "Checking specific DNS records" | ||
373 | 99 | for srv in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do | ||
374 | 100 | echo -n "${srv}.${realm,,}: " | ||
375 | 101 | dig @localhost +short -t SRV ${srv}.${realm,,} | ||
376 | 102 | echo | ||
377 | 103 | done | ||
378 | 104 | echo | ||
379 | 105 | echo -n "Checking that our hostname \"$(hostname)\" is in DNS: " | ||
380 | 106 | myip=$(dig @localhost +short -t A "$(hostname).${realm,,}") | ||
381 | 107 | echo "${myip}" | ||
382 | 108 | echo | ||
383 | 109 | } | ||
384 | 110 | |||
385 | 111 | user_creation_tests() { | ||
386 | 112 | echo "## User creation tests" | ||
387 | 113 | samba-tool domain passwordsettings set --complexity=off | ||
388 | 114 | echo "Creating user \"${test_user}\" with password ${test_pw}" | ||
389 | 115 | samba-tool user add "${test_user}" "${test_pw}" | ||
390 | 116 | echo | ||
391 | 117 | echo "Attempting to obtain kerberos ticket for user \"${test_user}\"" | ||
392 | 118 | # just in case it ends up waiting at a prompt, we use "timeout" | ||
393 | 119 | echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}" | ||
394 | 120 | echo "Ticket obtained" | ||
395 | 121 | klist | ||
396 | 122 | echo | ||
397 | 123 | } | ||
398 | 124 | |||
399 | 125 | smbclient_tests() { | ||
400 | 126 | echo "## smbclient tests" | ||
401 | 127 | kdestroy || : | ||
402 | 128 | echo | ||
403 | 129 | echo "Obtaining a TGT for ${test_user}" | ||
404 | 130 | echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}" | ||
405 | 131 | klist | grep krbtgt | ||
406 | 132 | echo | ||
407 | 133 | echo "Attempting password-less authentication with smbclient" | ||
408 | 134 | echo | ||
409 | 135 | echo "Listing shares" | ||
410 | 136 | smbclient -L "$(hostname)" --use-kerberos=required -k | ||
411 | 137 | echo | ||
412 | 138 | echo "Listing the sysvol share" | ||
413 | 139 | smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls" | ||
414 | 140 | echo | ||
415 | 141 | echo "Listing policies" | ||
416 | 142 | # lowercase the ${realm} | ||
417 | 143 | smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls ${realm,,}/Policies/*" | ||
418 | 144 | echo | ||
419 | 145 | echo "Checking that we have a ticket for the cifs service after all these commands" | ||
420 | 146 | klist | grep cifs/ | ||
421 | 147 | echo | ||
422 | 148 | } | ||
423 | 149 | |||
424 | 150 | server_join_tests() { | ||
425 | 151 | local member_server | ||
426 | 152 | # the join methods are the keys of the join_method_deps dict | ||
427 | 153 | local -a methods=("${!join_method_deps[@]}") | ||
428 | 154 | local member_server="member-server" | ||
429 | 155 | |||
430 | 156 | echo "## Server join tests" | ||
431 | 157 | echo "## Initializing lxd" | ||
432 | 158 | setup_lxd "${realm,,}" | ||
433 | 159 | |||
434 | 160 | for method in "${methods[@]}"; do | ||
435 | 161 | echo "## Setting up member server to join a domain using method ${method}" | ||
436 | 162 | setup_member_server "${member_server}" "${method}" | ||
437 | 163 | echo "## Joining domain with method ${method}" | ||
438 | 164 | join_domain "${member_server}" "${method}" | ||
439 | 165 | echo | ||
440 | 166 | echo "## Verifying join with method ${method}" | ||
441 | 167 | verify_join "${member_server}" "${method}" | ||
442 | 168 | echo | ||
443 | 169 | echo "## Leaving domain with method ${method}" | ||
444 | 170 | leave_domain "${member_server}" "${method}" | ||
445 | 171 | echo | ||
446 | 172 | echo "## Destroying member server" | ||
447 | 173 | lxc delete --force "${member_server}" | ||
448 | 174 | done | ||
449 | 175 | } | ||
450 | 176 | |||
451 | 177 | setup_member_server() { | ||
452 | 178 | local container_name="${1}" | ||
453 | 179 | local method="${2}" | ||
454 | 180 | local release | ||
455 | 181 | |||
456 | 182 | release="$(lsb_release -cs)" | ||
457 | 183 | if [ -z "${join_method_deps[${method}]}" ]; then | ||
458 | 184 | echo "## INTERNAL ERROR, invalid join method: ${method}" | ||
459 | 185 | return 1 | ||
460 | 186 | fi | ||
461 | 187 | echo "## Got test dependencies: ${join_method_deps[${method}]}" | ||
462 | 188 | # can't use cloud-init here to install packages, because we first need to | ||
463 | 189 | # sync the apt config from the host to the container | ||
464 | 190 | echo "## Launching ${release} container" | ||
465 | 191 | lxc launch "ubuntu-daily:${release}" "${container_name}" -q | ||
466 | 192 | wait_container_ready "${container_name}" | ||
467 | 193 | send_apt_config "${container_name}" | ||
468 | 194 | copy_local_apt_files "${container_name}" | ||
469 | 195 | echo "## Installing dependencies in test container" | ||
470 | 196 | install_packages_in_container "${container_name}" ${join_method_deps[${method}]} | ||
471 | 197 | } | ||
472 | 198 | |||
473 | 199 | join_domain_realmd_winbind() { | ||
474 | 200 | local server="${1}" | ||
475 | 201 | local discover_cmd="realm discover -v --membership-software=samba --client-software=winbind ${realm,,}" | ||
476 | 202 | local join_cmd="realm join -v --membership-software=samba --client-software=winbind ${realm,,}" | ||
477 | 203 | |||
478 | 204 | echo "## Domain information" | ||
479 | 205 | lxc exec "${server}" -- ${discover_cmd} | ||
480 | 206 | echo | ||
481 | 207 | echo "## Running join command: ${join_cmd}" | ||
482 | 208 | echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd} | ||
483 | 209 | # LP: #1980246 | ||
484 | 210 | # So far, only lunar and later automatically add winbind to /etc/nsswitch.conf. | ||
485 | 211 | lxc exec "${server}" -- sed -r -i \ | ||
486 | 212 | -e '/^(passwd|group):.*[[:space:]]winbind\b/b' \ | ||
487 | 213 | -e 's/^(passwd|group):.*/& winbind/' \ | ||
488 | 214 | /etc/nsswitch.conf | ||
489 | 215 | } | ||
490 | 216 | |||
491 | 217 | verify_join_realmd_winbind() { | ||
492 | 218 | local server="${1}" | ||
493 | 219 | local member_domain | ||
494 | 220 | |||
495 | 221 | echo -n "## Verifying member server joined domain name: " | ||
496 | 222 | member_domain=$(lxc exec "${server}" -- wbinfo --own-domain) | ||
497 | 223 | echo "${member_domain}" | ||
498 | 224 | if [ "${member_domain}" != "${domain}" ]; then | ||
499 | 225 | echo "ERROR: expected member server domain to match the joined domain:" | ||
500 | 226 | echo "member server domain: ${member_domain}" | ||
501 | 227 | echo "AD domain: ${domain}" | ||
502 | 228 | return 1 | ||
503 | 229 | fi | ||
504 | 230 | echo | ||
505 | 231 | # we just want to see the output, not parse it | ||
506 | 232 | echo "## Domain status in member server" | ||
507 | 233 | lxc exec "${server}" -- wbinfo --domain-info "${member_domain}" | ||
508 | 234 | echo | ||
509 | 235 | echo "## User status in member server" | ||
510 | 236 | for u in "${!user_pass[@]}"; do | ||
511 | 237 | echo "## User \"${u}@${realm}\" information:" | ||
512 | 238 | lxc exec "${server}" -- wbinfo --user-info "${u}@${realm}" | ||
513 | 239 | echo | ||
514 | 240 | echo "## id ${u}@${realm}" | ||
515 | 241 | lxc exec "${server}" -- id ${u}@${realm} | ||
516 | 242 | echo | ||
517 | 243 | echo "## kinit authentication check for user \"${u}@${realm}\" inside member server" | ||
518 | 244 | echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}" | ||
519 | 245 | lxc exec "${server}" -- klist | ||
520 | 246 | echo | ||
521 | 247 | echo "## Listing shares with the obtained kerberos ticket" | ||
522 | 248 | lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k | ||
523 | 249 | lxc exec "${server}" -- kdestroy | ||
524 | 250 | echo | ||
525 | 251 | echo "## wbinfo authentication check for user \"${u}@${realm}\" inside member server" | ||
526 | 252 | # non-interactive format for username is user%password | ||
527 | 253 | lxc exec "${server}" -- wbinfo --authenticate="${u}@${realm}%${user_pass[${u}]}" | ||
528 | 254 | echo | ||
529 | 255 | echo "## wbinfo kerberos authentication check for user \"${u}@${realm}\" inside member server" | ||
530 | 256 | lxc exec "${server}" -- wbinfo --krb5auth="${u}@${realm}%${user_pass[${u}]}" | ||
531 | 257 | echo | ||
532 | 258 | echo "## Listing shares with the obtained kerberos ticket" | ||
533 | 259 | lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k | ||
534 | 260 | lxc exec "${server}" -- kdestroy | ||
535 | 261 | done | ||
536 | 262 | } | ||
537 | 263 | |||
538 | 264 | leave_domain_realmd_winbind() { | ||
539 | 265 | local server="${1}" | ||
540 | 266 | local leave_cmd="realm leave -v --remove --client-software=winbind" | ||
541 | 267 | |||
542 | 268 | echo "## Running leave command: ${leave_cmd}" | ||
543 | 269 | echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd} | ||
544 | 270 | } | ||
545 | 271 | |||
546 | 272 | join_domain_realmd_sssd() { | ||
547 | 273 | local server="${1}" | ||
548 | 274 | local discover_cmd="realm discover -v --membership-software=adcli --client-software=sssd ${realm,,}" | ||
549 | 275 | local join_cmd="realm join -v --membership-software=adcli --client-software=sssd ${realm,,}" | ||
550 | 276 | |||
551 | 277 | echo "## Domain information" | ||
552 | 278 | lxc exec "${server}" -- ${discover_cmd} | ||
553 | 279 | echo | ||
554 | 280 | echo "## Running join command: ${join_cmd}" | ||
555 | 281 | echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd} | ||
556 | 282 | echo | ||
557 | 283 | } | ||
558 | 284 | |||
559 | 285 | verify_join_realmd_sssd() { | ||
560 | 286 | local server="${1}" | ||
561 | 287 | local samba_domain | ||
562 | 288 | |||
563 | 289 | echo -n "## Verifying member server joined domain name: " | ||
564 | 290 | samba_domain=$(lxc exec "${server}" -- sssctl domain-list) | ||
565 | 291 | echo "${samba_domain}" | ||
566 | 292 | if [ "${samba_domain}" != "${realm,,}" ]; then | ||
567 | 293 | echo "ERROR: expected member server domain to match the joined domain:" | ||
568 | 294 | echo "member server domain: ${samba_domain}" | ||
569 | 295 | echo "AD domain: ${realm,,}" | ||
570 | 296 | return 1 | ||
571 | 297 | fi | ||
572 | 298 | echo | ||
573 | 299 | # we just want to see the output, not parse it | ||
574 | 300 | echo "## Domain status in member server" | ||
575 | 301 | lxc exec "${server}" -- sssctl domain-status "${realm}" | ||
576 | 302 | echo | ||
577 | 303 | echo "## User status in member server" | ||
578 | 304 | for u in "${!user_pass[@]}"; do | ||
579 | 305 | echo "## User \"${u}@${realm}\" information:" | ||
580 | 306 | lxc exec "${server}" -- sssctl user-checks "${u}@${realm}" | ||
581 | 307 | echo | ||
582 | 308 | echo "## id ${u}@${realm}" | ||
583 | 309 | lxc exec "${server}" -- id "${u}@${realm}" | ||
584 | 310 | echo | ||
585 | 311 | echo "## kinit authentication check for user \"${u}@${realm}\" inside member server" | ||
586 | 312 | echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}" | ||
587 | 313 | lxc exec "${server}" -- klist | ||
588 | 314 | echo | ||
589 | 315 | echo "## Listing shares with the obtained kerberos ticket" | ||
590 | 316 | lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k | ||
591 | 317 | lxc exec "${server}" -- kdestroy | ||
592 | 318 | done | ||
593 | 319 | } | ||
594 | 320 | |||
595 | 321 | leave_domain_realmd_sssd() { | ||
596 | 322 | local server="${1}" | ||
597 | 323 | local leave_cmd="realm leave -v --remove --client-software=sssd" | ||
598 | 324 | |||
599 | 325 | echo "## Running leave command: ${leave_cmd}" | ||
600 | 326 | echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd} | ||
601 | 327 | } | ||
602 | 328 | |||
603 | 329 | join_domain() { | ||
604 | 330 | local server="${1}" | ||
605 | 331 | local m="${2}" | ||
606 | 332 | |||
607 | 333 | join_domain_${m} "${server}" | ||
608 | 334 | } | ||
609 | 335 | |||
610 | 336 | verify_join() { | ||
611 | 337 | local server="${1}" | ||
612 | 338 | local m="${2}" | ||
613 | 339 | |||
614 | 340 | verify_join_${m} "${server}" | ||
615 | 341 | } | ||
616 | 342 | |||
617 | 343 | leave_domain() { | ||
618 | 344 | local server="${1}" | ||
619 | 345 | local m="${2}" | ||
620 | 346 | |||
621 | 347 | leave_domain_${m} "${server}" | ||
622 | 348 | } | ||
623 | 349 | |||
624 | 350 | systemctl stop smbd nmbd winbind | ||
625 | 351 | systemctl disable smbd nmbd winbind | ||
626 | 352 | systemctl mask smbd nmbd winbind | ||
627 | 353 | |||
628 | 354 | systemctl unmask samba-ad-dc | ||
629 | 355 | systemctl enable samba-ad-dc | ||
630 | 356 | |||
631 | 357 | if [ -f /etc/samba/smb.conf ]; then | ||
632 | 358 | mv /etc/samba/smb.conf{,.orig} | ||
633 | 359 | fi | ||
634 | 360 | |||
635 | 361 | # make sure we are starting fresh, as previous tests might left things around | ||
636 | 362 | |||
637 | 363 | rm -rf /var/lib/samba/* /var/cache/samba/* /run/samba/* | ||
638 | 364 | kdestroy || : | ||
639 | 365 | |||
640 | 366 | samba-tool domain provision \ | ||
641 | 367 | --domain="${domain}" \ | ||
642 | 368 | --realm="${realm}" \ | ||
643 | 369 | --adminpass="${adminpass}" \ | ||
644 | 370 | --server-role=dc \ | ||
645 | 371 | --use-rfc2307 \ | ||
646 | 372 | --dns-backend=SAMBA_INTERNAL | ||
647 | 373 | |||
648 | 374 | current_dns=$(resolvectl status | grep "^Current DNS Server:" | awk '{print $4}') | ||
649 | 375 | |||
650 | 376 | if [ -n "${current_dns}" ]; then | ||
651 | 377 | echo "## Setting dns forwarder to ${current_dns} in smb.conf" | ||
652 | 378 | sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \ | ||
653 | 379 | /etc/samba/smb.conf | ||
654 | 380 | unlink /etc/resolv.conf | ||
655 | 381 | echo "nameserver 127.0.0.1" > /etc/resolv.conf | ||
656 | 382 | # lowercase substitution | ||
657 | 383 | echo "search ${realm,,}" >> /etc/resolv.conf | ||
658 | 384 | systemctl stop systemd-resolved | ||
659 | 385 | systemctl disable systemd-resolved | ||
660 | 386 | else | ||
661 | 387 | echo "## Warning, couldn't detect the current DNS server to use as forwarder in smb.conf" | ||
662 | 388 | echo "## resolvectl status:" | ||
663 | 389 | resolvectl status | ||
664 | 390 | echo "## Continuing, and hoping for the best" | ||
665 | 391 | fi | ||
666 | 392 | |||
667 | 393 | cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf | ||
668 | 394 | |||
669 | 395 | systemctl start samba-ad-dc | ||
670 | 396 | |||
671 | 397 | # give it some time, it's a lot of services to start | ||
672 | 398 | sleep 5s | ||
673 | 399 | |||
674 | 400 | basic_config_tests | ||
675 | 401 | dns_tests | ||
676 | 402 | user_creation_tests | ||
677 | 403 | smbclient_tests | ||
678 | 404 | server_join_tests | ||
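Review bot: The fixed `sleep 5s` after `systemctl start samba-ad-dc` near the end of the script is a race on a slow test runner, because `basic_config_tests` and `dns_tests` start as soon as it elapses whether or not the DC is answering. A bounded poll for readiness that fails explicitly on timeout would make a slow start distinguishable from a real regression. In the same area, the `else` branch taken when `current_dns` is empty only prints a warning and continues, leaving `dns forwarder` and /etc/resolv.conf untouched; failing at that point would give a clearer error than whatever a later test reports.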
679 | diff --git a/debian/tests/util b/debian/tests/util | |||
680 | index 87a2ccd..af7a0aa 100644 | |||
681 | --- a/debian/tests/util | |||
682 | +++ b/debian/tests/util | |||
683 | @@ -16,7 +16,7 @@ EOFEOF | |||
684 | 16 | if [ -n "${vfs}" ]; then | 16 | if [ -n "${vfs}" ]; then |
685 | 17 | echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf | 17 | echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf |
686 | 18 | fi | 18 | fi |
688 | 19 | systemctl restart smbd.service | 19 | systemctl reload smbd.service |
689 | 20 | else | 20 | else |
690 | 21 | echo "Share [${share}] already exists, continuing" | 21 | echo "Share [${share}] already exists, continuing" |
691 | 22 | fi | 22 | fi |
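Review bot: The switch from `systemctl restart smbd.service` to `systemctl reload smbd.service` on line 19 carries no explanation, and it runs right after `vfs objects = ${vfs}` is appended to smb.conf for a new share. A one-line comment stating why a reload is sufficient here (or what problem the restart caused in the tests) would let a reader of this file judge the change without going to the changelog.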
692 | @@ -63,3 +63,113 @@ check_kernel_version() { | |||
693 | 63 | return 1 | 63 | return 1 |
694 | 64 | fi | 64 | fi |
695 | 65 | } | 65 | } |
696 | 66 | |||
697 | 67 | wait_container_ready() { | ||
698 | 68 | local container="${1}" | ||
699 | 69 | local -i limit=120 # seconds | ||
700 | 70 | local -i i=0 | ||
701 | 71 | local -i result=0 | ||
702 | 72 | local ip | ||
703 | 73 | local output | ||
704 | 74 | |||
705 | 75 | while /bin/true; do | ||
706 | 76 | ip=$(lxc list "${container}" -c 4 --format=compact | tail -1 | awk '{print $1}') | ||
707 | 77 | if [ -n "${ip}" ]; then | ||
708 | 78 | break | ||
709 | 79 | fi | ||
710 | 80 | i=$((i+1)) | ||
711 | 81 | if [ ${i} -ge ${limit} ]; then | ||
712 | 82 | return 1 | ||
713 | 83 | fi | ||
714 | 84 | sleep 1s | ||
715 | 85 | echo -n "." | ||
716 | 86 | done | ||
717 | 87 | while ! nc -z "${ip}" 22; do | ||
718 | 88 | echo -n "." | ||
719 | 89 | i=$((i+1)) | ||
720 | 90 | if [ ${i} -ge ${limit} ]; then | ||
721 | 91 | return 1 | ||
722 | 92 | fi | ||
723 | 93 | sleep 1s | ||
724 | 94 | done | ||
725 | 95 | # cloud-init might still be doing things... | ||
726 | 96 | # this call blocks, so wrap it in its own little timeout | ||
727 | 97 | output=$(lxc exec "${container}" -- timeout --verbose $((limit-i)) cloud-init status --wait) || { | ||
728 | 98 | result=$? | ||
729 | 99 | echo "cloud-init status --wait failed on container ${container}" | ||
730 | 100 | echo "${output}" | ||
731 | 101 | return ${result} | ||
732 | 102 | } | ||
733 | 103 | echo | ||
734 | 104 | } | ||
735 | 105 | |||
736 | 106 | install_lxd() { | ||
737 | 107 | if ! command -v lxd > /dev/null 2>&1; then | ||
738 | 108 | # the test depends has "lxd | snapd", so if we don't have lxd, we must | ||
739 | 109 | # install the snap | ||
740 | 110 | snap list lxd > /dev/null 2>&1 || { | ||
741 | 111 | echo "Installing the LXD snap..." | ||
742 | 112 | snap install lxd | ||
743 | 113 | } | ||
744 | 114 | fi | ||
745 | 115 | } | ||
746 | 116 | |||
747 | 117 | setup_lxd() { | ||
748 | 118 | local dns_domain="${1}" | ||
749 | 119 | local network | ||
750 | 120 | local nic | ||
751 | 121 | local dns_ip | ||
752 | 122 | |||
753 | 123 | install_lxd | ||
754 | 124 | # Stop samba while lxd is setup, to avoid conflicts on lxdbr0:53 | ||
755 | 125 | systemctl stop samba-ad-dc | ||
756 | 126 | lxd init --auto | ||
757 | 127 | lxd waitready --timeout 600 | ||
758 | 128 | network=$(lxc network list --format=compact | grep -E "bridge.*YES.*CREATED") | ||
759 | 129 | nic=$(echo "${network}" | awk '{print $1}') | ||
760 | 130 | dns_ip=$(echo "${network}" | awk '{print $4}' | cut -d / -f 1) # strip the cidr | ||
761 | 131 | # port=0 effectively disables dnsmasq's DNS, so it doesn't conflict with samba's DNS | ||
762 | 132 | lxc network set "${nic:-lxdbr0}" ipv6.address=none dns.domain="${dns_domain}" raw.dnsmasq="$(echo -e port=0\\ndhcp-option=option:dns-server,${dns_ip})" | ||
763 | 133 | if [ -n "${http_proxy}" ]; then | ||
764 | 134 | lxc config set core.proxy_http "${http_proxy}" | ||
765 | 135 | fi | ||
766 | 136 | if [ -n "${https_proxy}" ]; then | ||
767 | 137 | lxc config set core.proxy_https "${https_proxy}" | ||
768 | 138 | fi | ||
769 | 139 | if [ -n "${noproxy}" ]; then | ||
770 | 140 | lxc config set core.proxy_ignore_hosts "${noproxy}" | ||
771 | 141 | fi | ||
772 | 142 | systemctl start samba-ad-dc | ||
773 | 143 | # give it some time, it's a lot of services to start | ||
774 | 144 | sleep 5s | ||
775 | 145 | } | ||
776 | 146 | |||
777 | 147 | # Copy the local apt package archive over to the lxd container. | ||
778 | 148 | copy_local_apt_files() { | ||
779 | 149 | local container_name="${1:-docker}" | ||
780 | 150 | |||
781 | 151 | for local_source in $(apt-get indextargets | grep-dctrl -F URI -e '^file:/' -sURI | awk '{print $2}'); do | ||
782 | 152 | local_source=${local_source#file:} | ||
783 | 153 | local_dir=$(dirname "${local_source}") | ||
784 | 154 | lxc exec "${container_name}" -- mkdir -p "${local_dir}" | ||
785 | 155 | tar -cC "${local_dir}" . | lxc exec "${container_name}" -- tar -xC "${local_dir}" | ||
786 | 156 | done | ||
787 | 157 | } | ||
788 | 158 | |||
789 | 159 | send_apt_config() { | ||
790 | 160 | echo "Copying over /etc/apt to container ${1}" | ||
791 | 161 | lxc exec "${1}" -- rm -rf /etc/apt | ||
792 | 162 | lxc exec "${1}" -- mkdir -p /etc/apt | ||
793 | 163 | tar -cC /etc/apt . | lxc exec "${1}" -- tar -xC /etc/apt | ||
794 | 164 | } | ||
795 | 165 | |||
796 | 166 | install_packages_in_container() { | ||
797 | 167 | local container="${1}" | ||
798 | 168 | shift | ||
799 | 169 | local packages="${*}" | ||
800 | 170 | |||
801 | 171 | echo "### Installing dependencies in member server container: ${packages}" | ||
802 | 172 | lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get update -q | ||
803 | 173 | lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y | ||
804 | 174 | lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y ${packages} | ||
805 | 175 | } |
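Review bot: In `setup_lxd`, the third proxy check tests `${noproxy}` while the two before it test `${http_proxy}` and `${https_proxy}`; if the test environment exports the conventional `no_proxy` name instead, `core.proxy_ignore_hosts` is never set, so the variable name is worth confirming. Also, `copy_local_apt_files` defaults its container name to `docker` (`${1:-docker}`) in an LXD helper and leaves `local_source` and `local_dir` undeclared, so they leak into the caller's scope; requiring the argument and declaring both with `local` would be safer.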
Thanks for this MP Andreas! The packaging changes look good to me. I tried to build the package locally to run the DEP-8 test you are introducing locally and I got the following build error: