Merge ~ahasenack/ubuntu/+source/samba:jammy-samba-kb5028166-2027716 into ubuntu/+source/samba:ubuntu/jammy-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 1b97ed30dceab15beb88db4498e217cfb7f83bca
Proposed branch: ~ahasenack/ubuntu/+source/samba:jammy-samba-kb5028166-2027716
Merge into: ubuntu/+source/samba:ubuntu/jammy-devel
Diff against target: 805 lines (+753/-1)
6 files modified
debian/changelog (+18/-0)
debian/patches/secure-channel-faulty-kb5028166.patch (+215/-0)
debian/patches/series (+1/-0)
debian/tests/control (+4/-0)
debian/tests/samba-ad-dc-provisioning-internal-dns (+404/-0)
debian/tests/util (+111/-1)
Reviewer                     Review Type   Date Requested   Status
git-ubuntu bot                                              Approve
Lucas Kanashiro (community)                                 Approve
Canonical Server Reporter                                   Pending
Review via email: mp+447459@code.launchpad.net

Description of the change

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kb5028166/

Bug fix for #2027716. SRU template is filled in, including a test case.

I split the patch in two commits: one that introduces the upstream patch, pristine, and another that removes the hunks that changed the upstream test suite. We don't run that test suite, and I think a smaller patch is easier to review, especially when comparing to the other ubuntu releases which needed a small backport change.

I tried to make incremental changes to this branch when compared to lunar, so it's easier to review. But range-diff is still a bit noisy, because the patch that fixes the problem needed a small backport.

The DEP8 test also needed tweaking for jammy, and I tried to keep the differences as additional commits.

DEP8 is green. It doesn't exercise this bug in particular, but does exercise a domain join with linux<->linux, which is a good regression test.
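The patch in this MP changes what the netlogon server does with a netr_LogonGetCapabilities call whose query_level it does not implement. The Python below is an added illustration, not part of this MP, of the Samba source or of the upstream fix: it models the relevant part of the NDR marshalling of the netr_Capabilities union and the server's level handling before and after the fix, so the three outcomes the commit messages describe can be compared side by side: a level-1 reply carrying the negotiate flags, the pre-fix DCERPC_FAULT_BAD_STUB_DATA caused by ndr_push failing on a union with no arm for level 2, and the post-fix DCERPC_NCA_S_FAULT_INVALID_TAG. The wire layout used here (little-endian uint32 discriminant, uint32 flags, uint32 NTSTATUS) is a simplification of the real stub, the credential step check is assumed to pass, the fault and status constants are the standard values, and the flag bits are a constructed example value.

```python
import struct

# Standard DCE/RPC fault codes and NTSTATUS values (same numeric values as in
# Samba's IDL and MS-RPCE). Everything else in this file is a simplified model
# written for this illustration, not Samba code.
DCERPC_NCA_S_FAULT_INVALID_TAG = 0x1C000006  # what Windows returns for a bad level
DCERPC_FAULT_BAD_STUB_DATA = 0x000006F7      # what Samba returned when ndr_push failed
NT_STATUS_OK = 0x00000000
NT_STATUS_NOT_SUPPORTED = 0xC00000BB

# Three netr_NegotiateFlags bits, used only to build a realistic example value.
NETLOGON_NEG_STRONG_KEYS = 0x00004000
NETLOGON_NEG_SUPPORTS_AES = 0x01000000
NETLOGON_NEG_AUTHENTICATED_RPC = 0x40000000


class NdrBadSwitch(Exception):
    """Stands in for pidl's NDR_ERR_BAD_SWITCH: the union has no arm for this level."""


def ndr_push_netr_capabilities(level, server_capabilities, arms):
    """Push the netr_Capabilities union: uint32 discriminant, then the selected arm.

    `arms` is the set of [case(N)] levels the IDL defines: {1} before the
    netlogon.idl hunk of this patch, {1, 2} after it.
    """
    if level not in arms:
        raise NdrBadSwitch(level)
    return struct.pack("<II", level, server_capabilities)


def ndr_pull_netr_capabilities(data):
    """Inverse of the push, as ndrdump or a client stub would do it."""
    return struct.unpack("<II", data[:8])


def logon_get_capabilities(query_level, negotiate_flags, *, arms, fault_on_unknown_level):
    """Server side of netr_LogonGetCapabilities, reduced to the level handling.

    Returns (fault_code, stub_bytes) with exactly one of the two set.
    fault_on_unknown_level=False models the code before the fix: the level test
    sits after the credential step and only chooses the NTSTATUS of the reply.
    fault_on_unknown_level=True models the patched code: DCESRV_FAULT() before
    anything else. The credential step check is assumed to pass and is not modelled.
    """
    if fault_on_unknown_level and query_level != 1:
        return DCERPC_NCA_S_FAULT_INVALID_TAG, None

    result = NT_STATUS_OK if query_level == 1 else NT_STATUS_NOT_SUPPORTED
    try:
        # [out,ref,switch_is(query_level)] netr_Capabilities *capabilities
        stub = ndr_push_netr_capabilities(query_level, negotiate_flags, arms)
    except NdrBadSwitch:
        # The handler's NTSTATUS never reaches the wire: the RPC layer turns
        # the failed push into an RPC-level fault instead.
        return DCERPC_FAULT_BAD_STUB_DATA, None
    return None, stub + struct.pack("<I", result)  # ... followed by the NTSTATUS result


def describe(query_level, negotiate_flags, *, arms, fault_on_unknown_level):
    """Human-readable summary of one call, as a client would observe it."""
    fault, stub = logon_get_capabilities(
        query_level, negotiate_flags, arms=arms, fault_on_unknown_level=fault_on_unknown_level
    )
    if fault is not None:
        return f"level {query_level}: RPC fault 0x{fault:08X}"
    level, flags = ndr_pull_netr_capabilities(stub)
    (status,) = struct.unpack("<I", stub[8:12])
    return f"level {level}: flags 0x{flags:08X}, NTSTATUS 0x{status:08X}"


if __name__ == "__main__":
    flags = NETLOGON_NEG_STRONG_KEYS | NETLOGON_NEG_SUPPORTS_AES | NETLOGON_NEG_AUTHENTICATED_RPC
    for level in (1, 2):
        print("before fix:   ", describe(level, flags, arms={1}, fault_on_unknown_level=False))
        print("IDL hunk only:", describe(level, flags, arms={1, 2}, fault_on_unknown_level=False))
        print("after fix:    ", describe(level, flags, arms={1, 2}, fault_on_unknown_level=True))
```

The middle row of the output is the point the two server hunks make: with only the new union arm, a level-2 call would be answered with NT_STATUS_NOT_SUPPORTED inside a well-formed reply, which is not what an unpatched Windows DC sends, so the server code faults explicitly with DCERPC_NCA_S_FAULT_INVALID_TAG instead of relying on the new arm.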

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for this MP Andreas! The packaging changes look good to me. I tried to build the package locally to run the DEP-8 test you are introducing locally and I got the following build error:

[2984/4247] Compiling source4/torture/smb2/sessid.c
20:35:19 runner ['/usr/bin/gcc', '-D_SAMBA_BUILD_=4', '-DHAVE_CONFIG_H=1', '-g', '-O2', '-ffile-prefix-map=/<<PKGBUILDDIR>>=.', '-flto=auto', '-ffat-lto-objects', '-flto=auto', '-ffat-lto-objects', '-fstack-protector-strong', '-Wformat', '-Werror=format-security', '-MMD', '-D_GNU_SOURCE=1', '-D_XOPEN_SOURCE_EXTENDED=1', '-DHAVE_CONFIG_H=1', '-fPIC', '-D__STDC_WANT_LIB_EXT1__=1', '-D_REENTRANT', '-DCTDB_HELPER_BINDIR="/usr/lib/x86_64-linux-gnu/ctdb"', '-DLOGDIR="/var/log/ctdb"', '-DCTDB_DATADIR="/usr/share/ctdb"', '-DCTDB_ETCDIR="/etc/ctdb"', '-DCTDB_VARDIR="/var/lib/ctdb"', '-DCTDB_RUNDIR="/var/run/ctdb"', '-fstack-protector-strong', '-fstack-clash-protection', '-DSTATIC_TORTURE_SMB2_MODULES=NULL', '-DSTATIC_TORTURE_SMB2_MODULES_PROTO=extern void __TORTURE_SMB2_dummy_module_proto(void)', '-Isource4/torture/smb2', '-I../../source4/torture/smb2', '-Iinclude/public', '-I../../include/public', '-Isource4', '-I../../source4', '-Ilib', '-I../../lib', '-Isource4/lib', '-I../../source4/lib', '-Isource4/include', '-I../../source4/include', '-Iinclude', '-I../../include', '-Ilib/replace', '-I../../lib/replace', '-Ictdb/include', '-I../../ctdb/include', '-Ictdb', '-I../../ctdb', '-I.', '-I../..', '-Ilib/torture', '-I../../lib/torture', '-Ilibrpc', '-I../../librpc', '-Ilib/tsocket', '-I../../lib/tsocket', '-Iauth', '-I../../auth', '-Ilib/util/<<PKGBUILDDIR>>/third_party/gpfs', '-I../../lib/util/<<PKGBUILDDIR>>/third_party/gpfs', '-Ilib/ldb-samba', '-I../../lib/ldb-samba', '-Ilibcli/util', '-I../../libcli/util', '-Ilib/dbwrap', '-I../../lib/dbwrap', '-Isource4/auth/kerberos', '-I../../source4/auth/kerberos', '-Iauth/credentials', '-I../../auth/credentials', '-Isource4/heimdal/lib/asn1', '-I../../source4/heimdal/lib/asn1', '-Isource4/heimdal_build', '-I../../source4/heimdal_build', '-Ilibcli/auth', '-I../../libcli/auth', '-Isource4/heimdal/lib/roken', '-I../../source4/heimdal/lib/roken', '-Isource4/heimdal/include', '-I../../source4/heimdal/include', 
'-Isource4/heimdal_build/include', '-I../../source4/heimdal_build/include', '-Isource4/auth', '-I../../source4/auth', '-Isource4/libcli/smb2', '-I../../source4/libcli/smb2', '-Isource4/dsdb', '-I../../source4/dsdb', '-Isource4/heimdal/lib/gssapi', '-I../../source4/heimdal/lib/gssapi', '-Isource4/heimdal/lib/gssapi/gssapi', '-I../../source4/heimdal/lib/gssapi/gssapi', '-Isource4/heimdal/lib/gssapi/spnego', '-I../../source4/heimdal/lib/gssapi/spnego', '-Isource4/heimdal/lib/gssapi/krb5', '-I../../source4/heimdal/lib/gssapi/krb5', '-Isource4/heimdal/lib/gssapi/mech', '-I../../source4/heimdal/lib/gssapi/mech', '-Isource4/heimdal/lib/hx509', '-I../../source4/heimdal/lib/hx509', '-Ilib/param', '-I../../lib/param', '-Isource4/libcli', '-I../../source4/libcli', '-Iauth/gensec', '-I../../auth/gensec', '-Isource3', '-I../../source3', '-Isource3/include', '-I../../source3/include', '-Isource3/lib', '-I../../source3/lib', '-Isource4/heimdal/lib/com_err', '-I../../source4/heimdal/lib...

review: Needs Information
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Argh, it built fine locally now, not sure exactly what happened, but there is this DEP-8 test failing locally for me:

autopkgtest [18:17:02]: test samba-ad-dc-provisioning-internal-dns: - - - - - - - - - - results - - - - - - - - - -
samba-ad-dc-provisioning-internal-dns FAIL non-zero exit status 253

Summary of a local autopkgtest run:

autopkgtest [19:09:04]: @@@@@@@@@@@@@@@@@@@@ summary
cifs-share-access PASS
cifs-share-access-uring PASS
python-smoke PASS
smbclient-anonymous-share-list PASS
smbclient-authenticated-share-list PASS
smbclient-share-access PASS
smbclient-share-access-uring PASS
samba-ad-dc-provisioning-internal-dns FAIL non-zero exit status 253

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hm, that's odd:

660s Error loading module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so': /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so: cannot open shared object file: No such file or directory

Looks like jammy also needs the samba-vfs-modules package added to the test dependency, just like I found out for focal. Not sure how I didn't see this before.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

PPA rebuilt (jammy), all tests re-triggered, let's see tomorrow what we get.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

And this time it's green all around:
Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ahasenack-samba-kb5028166/?format=plain)
  samba @ amd64:
    26.07.23 00:00:56 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu1.3~ppa2
  samba @ arm64:
    26.07.23 00:40:52 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu1.3~ppa2
  samba @ armhf:
    26.07.23 00:01:31 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu1.3~ppa2
  samba @ ppc64el:
    26.07.23 00:15:03 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu1.3~ppa2
  samba @ s390x:
    26.07.23 00:18:25 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu1.3~ppa2

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Awesome! Now, LGTM, +1.

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded with rich history:

Uploading samba_4.15.13+dfsg-0ubuntu1.3.dsc
Uploading samba_4.15.13+dfsg-0ubuntu1.3.debian.tar.xz
Uploading samba_4.15.13+dfsg-0ubuntu1.3_source.buildinfo
Uploading samba_4.15.13+dfsg-0ubuntu1.3_source.changes


Preview Diff

diff --git a/debian/changelog b/debian/changelog
index b951fb0..5e12a5e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
1samba (2:4.15.13+dfsg-0ubuntu1.3) jammy; urgency=medium
2
3 * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership
4 after Windows KB5028166 update (LP: #2027716)
5 * Cherry pick samba AD DC provisioning DEP8 test from later Ubuntu
6 releases (LP: #1977746, LP: #2011745):
7 - d/t/control, d/t/util, d/t/samba-ad-dc-provisioning-internal-dns:
8 samba AD DC provisioning and domain join tests with internal DNS
9 + d/t/control: adjust package dependencies
10 + d/t/samba-ad-dc-provisioning-internal-dns: handle the case where
11 libnss-winbind does not automatically add winbind to
12 /etc/nsswitch.conf (that is done only in Lunar and later)
13 + d/t/samba-ad-dc-provisioning-internal-dns: use case insensitive
14 match when inspecting kerberos tickets, as the hostname may be
15 capitalized
16
17 -- Andreas Hasenack <andreas@canonical.com> Sun, 23 Jul 2023 17:09:59 -0300
18
1samba (2:4.15.13+dfsg-0ubuntu1.2) jammy-security; urgency=medium19samba (2:4.15.13+dfsg-0ubuntu1.2) jammy-security; urgency=medium
220
3 * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP21 * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP
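Review bot: the "d/t/control: adjust package dependencies" entry does not say which dependencies were adjusted or why; the review thread shows samba-vfs-modules had to be added after a local run failed to load acl_xattr.so, so naming the package and the reason in the changelog makes the SRU entry self-explanatory for anyone comparing it with the focal and lunar uploads.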
diff --git a/debian/patches/secure-channel-faulty-kb5028166.patch b/debian/patches/secure-channel-faulty-kb5028166.patch
4new file mode 10064422new file mode 100644
index 0000000..c1367f7
--- /dev/null
+++ b/debian/patches/secure-channel-faulty-kb5028166.patch
@@ -0,0 +1,215 @@
1From 2150e7f3dc409b415ca8b6a541729a49932c5073 Mon Sep 17 00:00:00 2001
2From: Stefan Metzmacher <metze@samba.org>
3Date: Sat, 15 Jul 2023 17:20:32 +0200
4Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
5 response level 2
6
7We don't have any documentation about this yet, but tests against
8a Windows Server 2022 patched with KB5028166 revealed that
9the response for query_level=2 is exactly the same as
10for querey_level=1.
11
12Until we know the reason for query_level=2 we won't
13use it as client nor support it in the server, but
14we want ndrdump to work.
15
16BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
17
18Signed-off-by: Stefan Metzmacher <metze@samba.org>
19Reviewed-by: Andrew Bartlett <abartlet@samba.org>
20(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)
21---
22 librpc/idl/netlogon.idl | 1 +
23 1 file changed, 1 insertion(+)
24
25Ubuntu patch note: removed the parts that changed the upstream test suite
26
27Origin: backport, https://bugzilla.samba.org/attachment.cgi?id=17987
28Bug: https://bugzilla.samba.org/show_bug.cgi?id=15418
29Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716
30Last-Update: 2023-07-17
31
32diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
33index d956a661fff7..b51767136d3c 100644
34--- a/librpc/idl/netlogon.idl
35+++ b/librpc/idl/netlogon.idl
36@@ -1241,6 +1241,7 @@ interface netlogon
37 /* Function 0x15 */
38 typedef [switch_type(uint32)] union {
39 [case(1)] netr_NegotiateFlags server_capabilities;
40+ [case(2)] netr_NegotiateFlags server_capabilities;
41 } netr_Capabilities;
42
43 NTSTATUS netr_LogonGetCapabilities(
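Review bot: the DEP-3 block (Origin/Bug/Bug-Ubuntu/Last-Update) and the "Ubuntu patch note" sit after the first commit's diffstat instead of at the top of the file, where DEP-3 readers and tooling expect the patch description; moving them above the first "From 2150e7f3..." line would also make it clear on first read that the file concatenates upstream commits 1/4, 3/4 and 4/4 and that 2/4 is deliberately not included. Origin says "backport", but the note does not say which of the three commits needed the backport adjustment mentioned in the MP description; one sentence on that would help the cross-series comparison. The IDL change itself only adds a second union arm with the same type and name as case 1, which is all the commit message asks for (ndrdump support, no client or server use).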
44--
452.34.1
46
47
48From fa71e7b4b027dc8224fda7125f1faaefa4e71eae Mon Sep 17 00:00:00 2001
49From: Stefan Metzmacher <metze@samba.org>
50Date: Sat, 15 Jul 2023 16:11:48 +0200
51Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
52 invalid netr_LogonGetCapabilities levels
53
54This is important as Windows clients with KB5028166 seem to
55call netr_LogonGetCapabilities with query_level=2 after
56a call with query_level=1.
57
58An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
59for query_level values other than 1.
60While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
61later fails to marshall the response, which results
62in DCERPC_FAULT_BAD_STUB_DATA instead.
63
64Because we don't have any documentation for level 2 yet,
65we just try to behave like an unpatched server and
66generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
67DCERPC_FAULT_BAD_STUB_DATA.
68Which allows patched Windows clients to keep working
69against a Samba DC.
70
71BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
72
73Signed-off-by: Stefan Metzmacher <metze@samba.org>
74Reviewed-by: Andrew Bartlett <abartlet@samba.org>
75(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)
76---
77 .../knownfail.d/netr_LogonGetCapabilities | 2 --
78 source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
79 2 files changed, 24 insertions(+), 6 deletions(-)
80
81diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
82index 6a3e044eb9da..26be4f567513 100644
83--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
84+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
85@@ -2399,6 +2399,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
86 struct netlogon_creds_CredentialState *creds;
87 NTSTATUS status;
88
89+ switch (r->in.query_level) {
90+ case 1:
91+ break;
92+ case 2:
93+ /*
94+ * Until we know the details behind KB5028166
95+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
96+ * like an unpatched Windows Server.
97+ */
98+ FALL_THROUGH;
99+ default:
100+ /*
101+ * There would not be a way to marshall the
102+ * the response. Which would mean our final
103+ * ndr_push would fail an we would return
104+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
105+ *
106+ * But it's important to match a Windows server
107+ * especially before KB5028166, see also our bug #15418
108+ * Otherwise Windows client would stop talking to us.
109+ */
110+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
111+ }
112+
113 status = dcesrv_netr_creds_server_step_check(dce_call,
114 mem_ctx,
115 r->in.computer_name,
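Review bot: the new switch runs before dcesrv_netr_creds_server_step_check(), whereas the check it replaces (the `query_level != 1` test removed in the next hunk) ran after it, so a level-2 request now faults without its authenticator being validated and without the server-side credential chain being stepped for that call. The commit message says this mirrors an unpatched Windows server; it would be worth recording in the patch note whether that was checked for a caller with a bad authenticator as well, since a client that advances its own chain on the faulted call would otherwise be out of step on its next call. Minor: the comment reads "marshall the the response" and "an we would return"; as the commit is kept pristine this is best left for an upstream follow-up.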
116@@ -2410,10 +2434,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
117 }
118 NT_STATUS_NOT_OK_RETURN(status);
119
120- if (r->in.query_level != 1) {
121- return NT_STATUS_NOT_SUPPORTED;
122- }
123-
124 r->out.capabilities->server_capabilities = creds->negotiate_flags;
125
126 return NT_STATUS_OK;
127--
1282.34.1
129
130
131From 05f110e1a4d4b38bfbaaa3a92fda7a9127b3b456 Mon Sep 17 00:00:00 2001
132From: Stefan Metzmacher <metze@samba.org>
133Date: Sat, 15 Jul 2023 16:11:48 +0200
134Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
135 invalid netr_LogonGetCapabilities levels
136
137This is important as Windows clients with KB5028166 seem to
138call netr_LogonGetCapabilities with query_level=2 after
139a call with query_level=1.
140
141An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
142for query_level values other than 1.
143While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
144later fails to marshall the response, which results
145in DCERPC_FAULT_BAD_STUB_DATA instead.
146
147Because we don't have any documentation for level 2 yet,
148we just try to behave like an unpatched server and
149generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
150DCERPC_FAULT_BAD_STUB_DATA.
151Which allows patched Windows clients to keep working
152against a Samba DC.
153
154BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
155
156Signed-off-by: Stefan Metzmacher <metze@samba.org>
157Reviewed-by: Andrew Bartlett <abartlet@samba.org>
158
159Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
160Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
161
162(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)
163---
164 .../knownfail.d/netr_LogonGetCapabilities | 1 -
165 source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++---
166 2 files changed, 25 insertions(+), 5 deletions(-)
167 delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
168
169diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
170index 5906464a9f3..35433ec6781 100644
171--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
172+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
173@@ -2421,6 +2421,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
174 struct netlogon_creds_CredentialState *creds;
175 NTSTATUS status;
176
177+ switch (r->in.query_level) {
178+ case 1:
179+ break;
180+ case 2:
181+ /*
182+ * Until we know the details behind KB5028166
183+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
184+ * like an unpatched Windows Server.
185+ */
186+ FALL_THROUGH;
187+ default:
188+ /*
189+ * There would not be a way to marshall the
190+ * the response. Which would mean our final
191+ * ndr_push would fail an we would return
192+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
193+ *
194+ * But it's important to match a Windows server
195+ * especially before KB5028166, see also our bug #15418
196+ * Otherwise Windows client would stop talking to us.
197+ */
198+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
199+ return NT_STATUS_NOT_SUPPORTED;
200+ }
201+
202 become_root();
203 status = netr_creds_server_step_check(p, p->mem_ctx,
204 r->in.computer_name,
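Review bot: same ordering point as in the s4 hunk: the level switch now precedes become_root()/netr_creds_server_step_check(), so level-2 callers fault before credential validation. The fault mechanism differs from s4 by design (p->fault_state plus a returned NTSTATUS here, DCESRV_FAULT() there), which is each server's idiom, and the copied comment carries the same two typos ("marshall the the response", "an we would return"); since the MP keeps the upstream commits pristine, leave them as they are rather than diverging from upstream here.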
205@@ -2432,10 +2457,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
206 return status;
207 }
208
209- if (r->in.query_level != 1) {
210- return NT_STATUS_NOT_SUPPORTED;
211- }
212-
213 r->out.capabilities->server_capabilities = creds->negotiate_flags;
214
215 return NT_STATUS_OK;
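Review bot: the diffstat blocks of [PATCH 3/4] ("2 files changed, 24 insertions(+), 6 deletions(-)" with ".../knownfail.d/netr_LogonGetCapabilities | 2 --") and [PATCH 4/4] (including "delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities") still describe the selftest hunks that the "Ubuntu patch note" says were removed, and there is no [PATCH 2/4] in the file at all. quilt ignores the stat lines, so nothing breaks, but a reader, or whoever redoes the backport for another series, will look for hunks that are not there; either regenerate the stats for the trimmed commits or extend the patch note to list exactly what was dropped (2/4 entirely, the knownfail.d changes from 3/4 and 4/4).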
diff --git a/debian/patches/series b/debian/patches/series
index 5791d76..0a6a142 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -64,3 +64,4 @@ CVE-2023-34968-09.patch
64CVE-2023-34968-10.patch64CVE-2023-34968-10.patch
65CVE-2023-34968-11.patch65CVE-2023-34968-11.patch
66CVE-2023-34968-12.patch66CVE-2023-34968-12.patch
67secure-channel-faulty-kb5028166.patch
diff --git a/debian/tests/control b/debian/tests/control
index 3ecb853..6814243 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -24,3 +24,7 @@ Restrictions: needs-root, allow-stderr, isolation-container
24Tests: smbclient-share-access-uring24Tests: smbclient-share-access-uring
25Depends: samba, samba-vfs-modules, smbclient, coreutils, systemd, passwd25Depends: samba, samba-vfs-modules, smbclient, coreutils, systemd, passwd
26Restrictions: needs-root, allow-stderr, isolation-container, skippable26Restrictions: needs-root, allow-stderr, isolation-container, skippable
27
28Tests: samba-ad-dc-provisioning-internal-dns
29Depends: samba, samba-dsdb-modules, samba-vfs-modules, winbind, smbclient, krb5-user, bind9-dnsutils, lxd | snapd, lsb-release, dctrl-tools
30Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed
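Review bot: the Depends line for the new test does not cover everything the test and d/t/util call: wait_container_ready in d/t/util uses nc -z (netcat-openbsd) and the test uses resolvectl (systemd, which the other tests declare explicitly); dig is covered by bind9-dnsutils. Both packages are normally present on Ubuntu images, but an autopkgtest testbed only guarantees what is declared, so add them. isolation-machine and breaks-testbed are right, given the test rewrites /etc/resolv.conf, disables systemd-resolved and wipes /var/lib/samba.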
diff --git a/debian/tests/samba-ad-dc-provisioning-internal-dns b/debian/tests/samba-ad-dc-provisioning-internal-dns
27new file mode 10075531new file mode 100755
index 0000000..592a608
--- /dev/null
+++ b/debian/tests/samba-ad-dc-provisioning-internal-dns
@@ -0,0 +1,404 @@
1#!/bin/bash
2
3set -e
4set -o pipefail
5
6source debian/tests/util
7
8declare -r domain="EXAMPLE"
9declare -r realm="EXAMPLE.FAKE"
10declare -r adminpass="Passw0rd"
11declare -r test_user="test_user_${RANDOM}"
12declare -r test_pw="test_user_secret_${RANDOM}"
13declare -A user_pass
14user_pass[Administrator]="${adminpass}"
15user_pass[${test_user}]="${test_pw}"
16declare -A join_method_deps
17# Minimum set of deps: let realmd install the extra dependencies
18# as needed, depending on the join method.
19join_method_deps[realmd_sssd]="realmd krb5-user smbclient"
20join_method_deps[realmd_winbind]="realmd krb5-user smbclient"
21
22
23cleanup() {
24 rc=$?
25 set +e # so we don't exit midcleanup
26 if [ ${rc} -ne 0 ]; then
27 echo "## Something failed, gathering logs"
28 echo
29 echo "## smb.conf"
30 cat /etc/samba/smb.conf
31 echo
32 echo "## resolv.conf"
33 cat /etc/resolv.conf
34 echo
35 echo "## resolvectl status"
36 resolvectl status
37 echo "## journal for samba-ad-dc.service"
38 journalctl -u samba-ad-dc.service --lines 500
39 echo
40 for log in /var/log/samba/log.*; do
41 # skip compressed logrotated files
42 if [ "${log%.gz}" != "${log}" ]; then
43 continue
44 fi
45 [ -s "${log}" ] || continue
46 echo "## $(basename ${log}):"
47 tail -n 500 "${log}"
48 echo
49 done
50 echo "## syslog"
51 tail -n 500 /var/log/syslog
52 fi
53}
54
55trap cleanup EXIT
56
57assert_testparm() {
58 local parameter="${1}"
59 local expected_value="${2}"
60 local current_value=""
61 local -i retval=0
62
63 echo -n "Asserting ${parameter} is ${expected_value}: "
64 current_value=$(testparm -s --parameter-name "${parameter}" 2>/dev/null) || {
65 retval=$?
66 echo "FAIL"
67 return ${retval}
68 }
69 if [ "${current_value}" = "${expected_value}" ]; then
70 echo "OK"
71 return 0
72 else
73 echo "FAIL"
74 return 1
75 fi
76}
77
78basic_config_tests() {
79 echo "## Basic config tests"
80 testparm -s > /dev/null
81 assert_testparm "realm" "${realm}"
82 assert_testparm "workgroup" "${domain}"
83 assert_testparm "server role" "active directory domain controller"
84 echo
85}
86
87dns_tests() {
88 echo "## DNS tests"
89 echo "Obtaining administrator kerberos ticket"
90 echo "${adminpass}" | timeout --verbose 30 kinit Administrator
91 echo
92 echo "Querying server info"
93 samba-tool dns serverinfo "$(hostname)"
94 echo
95 echo "Checking we got a service ticket of type host/"
96 klist | grep -i "host/$(hostname)"
97 echo
98 echo "Checking specific DNS records"
99 for srv in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do
100 echo -n "${srv}.${realm,,}: "
101 dig @localhost +short -t SRV ${srv}.${realm,,}
102 echo
103 done
104 echo
105 echo -n "Checking that our hostname \"$(hostname)\" is in DNS: "
106 myip=$(dig @localhost +short -t A "$(hostname).${realm,,}")
107 echo "${myip}"
108 echo
109}
110
111user_creation_tests() {
112 echo "## User creation tests"
113 samba-tool domain passwordsettings set --complexity=off
114 echo "Creating user \"${test_user}\" with password ${test_pw}"
115 samba-tool user add "${test_user}" "${test_pw}"
116 echo
117 echo "Attempting to obtain kerberos ticket for user \"${test_user}\""
118 # just in case it ends up waiting at a prompt, we use "timeout"
119 echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}"
120 echo "Ticket obtained"
121 klist
122 echo
123}
124
125smbclient_tests() {
126 echo "## smbclient tests"
127 kdestroy || :
128 echo
129 echo "Obtaining a TGT for ${test_user}"
130 echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}"
131 klist | grep krbtgt
132 echo
133 echo "Attempting password-less authentication with smbclient"
134 echo
135 echo "Listing shares"
136 smbclient -L "$(hostname)" --use-kerberos=required -k
137 echo
138 echo "Listing the sysvol share"
139 smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls"
140 echo
141 echo "Listing policies"
142 # lowercase the ${realm}
143 smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls ${realm,,}/Policies/*"
144 echo
145 echo "Checking that we have a ticket for the cifs service after all these commands"
146 klist | grep cifs/
147 echo
148}
149
150server_join_tests() {
151 local member_server
152 # the join methods are the keys of the join_method_deps dict
153 local -a methods=("${!join_method_deps[@]}")
154 local member_server="member-server"
155
156 echo "## Server join tests"
157 echo "## Initializing lxd"
158 setup_lxd "${realm,,}"
159
160 for method in "${methods[@]}"; do
161 echo "## Setting up member server to join a domain using method ${method}"
162 setup_member_server "${member_server}" "${method}"
163 echo "## Joining domain with method ${method}"
164 join_domain "${member_server}" "${method}"
165 echo
166 echo "## Verifying join with method ${method}"
167 verify_join "${member_server}" "${method}"
168 echo
169 echo "## Leaving domain with method ${method}"
170 leave_domain "${member_server}" "${method}"
171 echo
172 echo "## Destroying member server"
173 lxc delete --force "${member_server}"
174 done
175}
176
177setup_member_server() {
178 local container_name="${1}"
179 local method="${2}"
180 local release
181
182 release="$(lsb_release -cs)"
183 if [ -z "${join_method_deps[${method}]}" ]; then
184 echo "## INTERNAL ERROR, invalid join method: ${method}"
185 return 1
186 fi
187 echo "## Got test dependencies: ${join_method_deps[${method}]}"
188 # can't use cloud-init here to install packages, because we first need to
189 # sync the apt config from the host to the container
190 echo "## Launching ${release} container"
191 lxc launch "ubuntu-daily:${release}" "${container_name}" -q
192 wait_container_ready "${container_name}"
193 send_apt_config "${container_name}"
194 copy_local_apt_files "${container_name}"
195 echo "## Installing dependencies in test container"
196 install_packages_in_container "${container_name}" ${join_method_deps[${method}]}
197}
198
199join_domain_realmd_winbind() {
200 local server="${1}"
201 local discover_cmd="realm discover -v --membership-software=samba --client-software=winbind ${realm,,}"
202 local join_cmd="realm join -v --membership-software=samba --client-software=winbind ${realm,,}"
203
204 echo "## Domain information"
205 lxc exec "${server}" -- ${discover_cmd}
206 echo
207 echo "## Running join command: ${join_cmd}"
208 echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd}
209 # LP: #1980246
210 # So far, only lunar and later automatically add winbind to /etc/nsswitch.conf.
211 lxc exec "${server}" -- sed -r -i \
212 -e '/^(passwd|group):.*[[:space:]]winbind\b/b' \
213 -e 's/^(passwd|group):.*/& winbind/' \
214 /etc/nsswitch.conf
215}
216
217verify_join_realmd_winbind() {
218 local server="${1}"
219 local member_domain
220
221 echo -n "## Verifying member server joined domain name: "
222 member_domain=$(lxc exec "${server}" -- wbinfo --own-domain)
223 echo "${member_domain}"
224 if [ "${member_domain}" != "${domain}" ]; then
225 echo "ERROR: expected member server domain to match the joined domain:"
226 echo "member server domain: ${member_domain}"
227 echo "AD domain: ${domain}"
228 return 1
229 fi
230 echo
231 # we just want to see the output, not parse it
232 echo "## Domain status in member server"
233 lxc exec "${server}" -- wbinfo --domain-info "${member_domain}"
234 echo
235 echo "## User status in member server"
236 for u in "${!user_pass[@]}"; do
237 echo "## User \"${u}@${realm}\" information:"
238 lxc exec "${server}" -- wbinfo --user-info "${u}@${realm}"
239 echo
240 echo "## id ${u}@${realm}"
241 lxc exec "${server}" -- id ${u}@${realm}
242 echo
243 echo "## kinit authentication check for user \"${u}@${realm}\" inside member server"
244 echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}"
245 lxc exec "${server}" -- klist
246 echo
247 echo "## Listing shares with the obtained kerberos ticket"
248 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
249 lxc exec "${server}" -- kdestroy
250 echo
251 echo "## wbinfo authentication check for user \"${u}@${realm}\" inside member server"
252 # non-interactive format for username is user%password
253 lxc exec "${server}" -- wbinfo --authenticate="${u}@${realm}%${user_pass[${u}]}"
254 echo
255 echo "## wbinfo kerberos authentication check for user \"${u}@${realm}\" inside member server"
256 lxc exec "${server}" -- wbinfo --krb5auth="${u}@${realm}%${user_pass[${u}]}"
257 echo
258 echo "## Listing shares with the obtained kerberos ticket"
259 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
260 lxc exec "${server}" -- kdestroy
261 done
262}
263
264leave_domain_realmd_winbind() {
265 local server="${1}"
266 local leave_cmd="realm leave -v --remove --client-software=winbind"
267
268 echo "## Running leave command: ${leave_cmd}"
269 echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd}
270}
271
272join_domain_realmd_sssd() {
273 local server="${1}"
274 local discover_cmd="realm discover -v --membership-software=adcli --client-software=sssd ${realm,,}"
275 local join_cmd="realm join -v --membership-software=adcli --client-software=sssd ${realm,,}"
276
277 echo "## Domain information"
278 lxc exec "${server}" -- ${discover_cmd}
279 echo
280 echo "## Running join command: ${join_cmd}"
281 echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd}
282 echo
283}
284
285verify_join_realmd_sssd() {
286 local server="${1}"
287 local samba_domain
288
289 echo -n "## Verifying member server joined domain name: "
290 samba_domain=$(lxc exec "${server}" -- sssctl domain-list)
291 echo "${samba_domain}"
292 if [ "${samba_domain}" != "${realm,,}" ]; then
293 echo "ERROR: expected member server domain to match the joined domain:"
294 echo "member server domain: ${samba_domain}"
295 echo "AD domain: ${realm,,}"
296 return 1
297 fi
298 echo
299 # we just want to see the output, not parse it
300 echo "## Domain status in member server"
301 lxc exec "${server}" -- sssctl domain-status "${realm}"
302 echo
303 echo "## User status in member server"
304 for u in "${!user_pass[@]}"; do
305 echo "## User \"${u}@${realm}\" information:"
306 lxc exec "${server}" -- sssctl user-checks "${u}@${realm}"
307 echo
308 echo "## id ${u}@${realm}"
309 lxc exec "${server}" -- id "${u}@${realm}"
310 echo
311 echo "## kinit authentication check for user \"${u}@${realm}\" inside member server"
312 echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}"
313 lxc exec "${server}" -- klist
314 echo
315 echo "## Listing shares with the obtained kerberos ticket"
316 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
317 lxc exec "${server}" -- kdestroy
318 done
319}
320
321leave_domain_realmd_sssd() {
322 local server="${1}"
323 local leave_cmd="realm leave -v --remove --client-software=sssd"
324
325 echo "## Running leave command: ${leave_cmd}"
326 echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd}
327}
328
329join_domain() {
330 local server="${1}"
331 local m="${2}"
332
333 join_domain_${m} "${server}"
334}
335
336verify_join() {
337 local server="${1}"
338 local m="${2}"
339
340 verify_join_${m} "${server}"
341}
342
343leave_domain() {
344 local server="${1}"
345 local m="${2}"
346
347 leave_domain_${m} "${server}"
348}
349
350systemctl stop smbd nmbd winbind
351systemctl disable smbd nmbd winbind
352systemctl mask smbd nmbd winbind
353
354systemctl unmask samba-ad-dc
355systemctl enable samba-ad-dc
356
357if [ -f /etc/samba/smb.conf ]; then
358 mv /etc/samba/smb.conf{,.orig}
359fi
360
361# make sure we are starting fresh, as previous tests might left things around
362
363rm -rf /var/lib/samba/* /var/cache/samba/* /run/samba/*
364kdestroy || :
365
366samba-tool domain provision \
367 --domain="${domain}" \
368 --realm="${realm}" \
369 --adminpass="${adminpass}" \
370 --server-role=dc \
371 --use-rfc2307 \
372 --dns-backend=SAMBA_INTERNAL
373
374current_dns=$(resolvectl status | grep "^Current DNS Server:" | awk '{print $4}')
375
376if [ -n "${current_dns}" ]; then
377 echo "## Setting dns forwarder to ${current_dns} in smb.conf"
378 sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
379 /etc/samba/smb.conf
380 unlink /etc/resolv.conf
381 echo "nameserver 127.0.0.1" > /etc/resolv.conf
382 # lowercase substitution
383 echo "search ${realm,,}" >> /etc/resolv.conf
384 systemctl stop systemd-resolved
385 systemctl disable systemd-resolved
386else
387 echo "## Warning, couldn't detect the current DNS server to use as forwarder in smb.conf"
388 echo "## resolvectl status:"
389 resolvectl status
390 echo "## Continuing, and hoping for the best"
391fi
392
393cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf
394
395systemctl start samba-ad-dc
396
397# give it some time, it's a lot of services to start
398sleep 5s
399
400basic_config_tests
401dns_tests
402user_creation_tests
403smbclient_tests
404server_join_tests
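Review bot: the "Checking that our hostname is in DNS" step only prints the dig result, so an empty answer passes under set -e; add a [ -n "${myip}" ] check so a missing A record fails the test there rather than surfacing later as a join error. The fixed sleep 5s after systemctl start samba-ad-dc is a race on slow architectures (the PPA results above cover armhf and s390x); polling the LDAP or Kerberos port, or retrying the first kinit a few times, would be more robust. Smaller points: member_server is declared twice at the top of server_join_tests; id ${u}@${realm} is unquoted in verify_join_realmd_winbind but quoted in verify_join_realmd_sssd; and wbinfo --authenticate=user%password puts the password on the container's command line, which is fine for a throwaway container but deserves a comment so the pattern is not copied into a real join script.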
diff --git a/debian/tests/util b/debian/tests/util
index 87a2ccd..af7a0aa 100644
--- a/debian/tests/util
+++ b/debian/tests/util
@@ -16,7 +16,7 @@ EOFEOF
16 if [ -n "${vfs}" ]; then16 if [ -n "${vfs}" ]; then
17 echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf17 echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf
18 fi18 fi
19 systemctl restart smbd.service19 systemctl reload smbd.service
20 else20 else
21 echo "Share [${share}] already exists, continuing"21 echo "Share [${share}] already exists, continuing"
22 fi22 fi
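Review bot: the rationale for switching `systemctl restart smbd.service` to `systemctl reload smbd.service` (line 19) is not visible in the diff or in the changelog excerpt; a short note in the changelog or commit message would help future readers. Functionally, `reload` only works when the unit defines `ExecReload` and is currently active, whereas `restart` would also start a stopped smbd, so callers of this helper now rely on smbd already running; if that is the intended contract (less disruption to existing SMB sessions in the other DEP8 tests), say so in a comment next to the call.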
@@ -63,3 +63,113 @@ check_kernel_version() {
63 return 163 return 1
64 fi64 fi
65}65}
66
67wait_container_ready() {
68 local container="${1}"
69 local -i limit=120 # seconds
70 local -i i=0
71 local -i result=0
72 local ip
73 local output
74
75 while /bin/true; do
76 ip=$(lxc list "${container}" -c 4 --format=compact | tail -1 | awk '{print $1}')
77 if [ -n "${ip}" ]; then
78 break
79 fi
80 i=$((i+1))
81 if [ ${i} -ge ${limit} ]; then
82 return 1
83 fi
84 sleep 1s
85 echo -n "."
86 done
87 while ! nc -z "${ip}" 22; do
88 echo -n "."
89 i=$((i+1))
90 if [ ${i} -ge ${limit} ]; then
91 return 1
92 fi
93 sleep 1s
94 done
95 # cloud-init might still be doing things...
96 # this call blocks, so wrap it in its own little timeout
97 output=$(lxc exec "${container}" -- timeout --verbose $((limit-i)) cloud-init status --wait) || {
98 result=$?
99 echo "cloud-init status --wait failed on container ${container}"
100 echo "${output}"
101 return ${result}
102 }
103 echo
104}
105
106install_lxd() {
107 if ! command -v lxd > /dev/null 2>&1; then
108 # the test depends has "lxd | snapd", so if we don't have lxd, we must
109 # install the snap
110 snap list lxd > /dev/null 2>&1 || {
111 echo "Installing the LXD snap..."
112 snap install lxd
113 }
114 fi
115}
116
117setup_lxd() {
118 local dns_domain="${1}"
119 local network
120 local nic
121 local dns_ip
122
123 install_lxd
124 # Stop samba while lxd is setup, to avoid conflicts on lxdbr0:53
125 systemctl stop samba-ad-dc
126 lxd init --auto
127 lxd waitready --timeout 600
128 network=$(lxc network list --format=compact | grep -E "bridge.*YES.*CREATED")
129 nic=$(echo "${network}" | awk '{print $1}')
130 dns_ip=$(echo "${network}" | awk '{print $4}' | cut -d / -f 1) # strip the cidr
131 # port=0 effectively disables dnsmasq's DNS, so it doesn't conflict with samba's DNS
132 lxc network set "${nic:-lxdbr0}" ipv6.address=none dns.domain="${dns_domain}" raw.dnsmasq="$(echo -e port=0\\ndhcp-option=option:dns-server,${dns_ip})"
133 if [ -n "${http_proxy}" ]; then
134 lxc config set core.proxy_http "${http_proxy}"
135 fi
136 if [ -n "${https_proxy}" ]; then
137 lxc config set core.proxy_https "${https_proxy}"
138 fi
139 if [ -n "${noproxy}" ]; then
140 lxc config set core.proxy_ignore_hosts "${noproxy}"
141 fi
142 systemctl start samba-ad-dc
143 # give it some time, it's a lot of services to start
144 sleep 5s
145}
146
147# Copy the local apt package archive over to the lxd container.
148copy_local_apt_files() {
149 local container_name="${1:-docker}"
150
151 for local_source in $(apt-get indextargets | grep-dctrl -F URI -e '^file:/' -sURI | awk '{print $2}'); do
152 local_source=${local_source#file:}
153 local_dir=$(dirname "${local_source}")
154 lxc exec "${container_name}" -- mkdir -p "${local_dir}"
155 tar -cC "${local_dir}" . | lxc exec "${container_name}" -- tar -xC "${local_dir}"
156 done
157}
158
159send_apt_config() {
160 echo "Copying over /etc/apt to container ${1}"
161 lxc exec "${1}" -- rm -rf /etc/apt
162 lxc exec "${1}" -- mkdir -p /etc/apt
163 tar -cC /etc/apt . | lxc exec "${1}" -- tar -xC /etc/apt
164}
165
166install_packages_in_container() {
167 local container="${1}"
168 shift
169 local packages="${*}"
170
171 echo "### Installing dependencies in member server container: ${packages}"
172 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get update -q
173 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y
174 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y ${packages}
175}
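Review bot: in `setup_lxd` (lines 139-141) the check reads `${noproxy}`, which does not match the `http_proxy`/`https_proxy` names used in the two checks just above it; the conventional environment variable is `no_proxy`, so as written `core.proxy_ignore_hosts` will never be set even when the runner exports a proxy exclusion list. Suggest `if [ -n "${no_proxy}" ]; then lxc config set core.proxy_ignore_hosts "${no_proxy}"; fi`. Other points in this hunk: `copy_local_apt_files` uses `local_source` and `local_dir` without declaring them `local`, so they leak into the caller's scope; `network=$(lxc network list ... | grep -E "bridge.*YES.*CREATED")` will produce multi-line `nic` and `dns_ip` values if more than one managed bridge exists, so a `head -1` (or a comment stating the single-bridge assumption) would make the fallback to `lxdbr0` deterministic; `while /bin/true` can simply be `while :`; and `wait_container_ready` and `copy_local_apt_files` introduce runtime dependencies on `nc` and `grep-dctrl` that need to be covered by the test's Depends (the control file is not in this diff).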