Merge ~ahasenack/ubuntu/+source/samba:focal-samba-kb5028166-2027716 into ubuntu/+source/samba:ubuntu/focal-devel
- Git
- lp:~ahasenack/ubuntu/+source/samba
- focal-samba-kb5028166-2027716
- Merge into ubuntu/focal-devel
Status: | Merged | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Approved by: | git-ubuntu bot | ||||||||||||
Approved revision: | not available | ||||||||||||
Merged at revision: | e3f13ab02ab932d6e0acb12b10f30dfad31df166 | ||||||||||||
Proposed branch: | ~ahasenack/ubuntu/+source/samba:focal-samba-kb5028166-2027716 | ||||||||||||
Merge into: | ubuntu/+source/samba:ubuntu/focal-devel | ||||||||||||
Diff against target: |
875 lines (+833/-0) 6 files modified
debian/changelog (+27/-0) debian/patches/secure-channel-faulty-kb5028166.patch (+215/-0) debian/patches/series (+1/-0) debian/tests/control (+4/-0) debian/tests/samba-ad-dc-provisioning-internal-dns (+408/-0) debian/tests/util (+178/-0) |
||||||||||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
git-ubuntu bot | Approve | ||
Lucas Kanashiro (community) | Approve | ||
Canonical Server Reporter | Pending | ||
Review via email: mp+447460@code.launchpad.net |
Commit message
Description of the change
PPA: https:/
Bug fix for #2027716. SRU template is filled in, including a test case.
I split the patch in two commits: one that introduces the upstream patch, pristine, and another that removes the hunks that changed the upstream test suite. We don't run that test suite, and I think a smaller patch is easier to review, specially when comparing to the other ubuntu releases which needed a small backport change.
I tried to make incremental changes to this branch when compared to lunar, so it's easier to review. But range-diff is still a bit noisy, specially because focal did not have d/t/util.
The DEP8 test needed even more tweaking for focal, and I tried to keep the differences as additional commits.
DEP8 is green. It doesn't exercise this bug in particular, but does exercise a domain join with linux<->linux, which is a good regression test.
Lucas Kanashiro (lucaskanashiro) wrote : | # |
Andreas Hasenack (ahasenack) wrote : | # |
Thanks. I don't know why it failed, all of the previous, complicated, checks, passed, even kerberos ones, and it failed close to the end:
1927s ## wbinfo kerberos authentication check for user "<email address hidden>" inside member server
1927s plaintext kerberos password authentication for [<email address hidden>] failed (requesting cctype: FILE)
1927s Could not authenticate user [<email address hidden>%Passw0rd] with Kerberos (ccache: FILE)
1927s ## Something failed, gathering logs
Let's see what the new run brings.
Andreas Hasenack (ahasenack) wrote : | # |
It failed again, let me see if I can get a ppc64el machine to poke around it...
Andreas Hasenack (ahasenack) wrote : | # |
Ok, so when wbinfo --krb5auth fails in the DEP8 test, the winbind service logs this error on ppc64el:
[2023/07/26 18:21:42.215411, 0] ../../source3/
failed to mlock memory: Cannot allocate memory (12)
Andreas Hasenack (ahasenack) wrote : | # |
In that situation, if I restart winbind, and then try again, then it works :/
This is a lxd container inside a 2Gb VM. Maybe ppc64el needs more memory...? I remember having to adjust some packages to use a bigger VM in the dep8 infrastructure.
Andreas Hasenack (ahasenack) wrote : | # |
Tests passed on ppc64el this time, and kept passing in all other arches as well:
Results: (from http://
samba @ amd64:
26.07.23 22:31:46 Log 🗒️ ✅ Triggers: samba/2:
samba @ arm64:
27.07.23 00:06:46 Log 🗒️ ✅ Triggers: samba/2:
samba @ armhf:
26.07.23 22:15:14 Log 🗒️ ✅ Triggers: samba/2:
samba @ ppc64el:
26.07.23 22:35:14 Log 🗒️ ✅ Triggers: samba/2:
samba @ s390x:
26.07.23 22:33:21 Log 🗒️ ✅ Triggers: samba/2:
Lucas Kanashiro (lucaskanashiro) wrote : | # |
Thanks Andreas!
git-ubuntu bot (git-ubuntu-bot) wrote : | # |
Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved
Andreas Hasenack (ahasenack) wrote : | # |
Thanks, uploaded with rich history:
Uploading samba_4.
Uploading samba_4.
Uploading samba_4.
Uploading samba_4.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 3ea7797..373ec2d 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,30 @@ |
6 | +samba (2:4.15.13+dfsg-0ubuntu0.20.04.4) focal; urgency=medium |
7 | + |
8 | + * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership |
9 | + after Windows KB5028166 update (LP: #2027716) |
10 | + * Cherry pick samba AD DC provisioning DEP8 test from later Ubuntu |
11 | + releases (LP: #1977746, LP: #2011745): |
12 | + - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns: |
13 | + samba AD DC provisioning and domain join tests with internal DNS |
14 | + + d/t/control: adjust package dependencies |
15 | + + d/t/samba-ad-dc-provisioning-internal-dns: handle the case where |
16 | + libnss-winbind does not automatically add winbind to |
17 | + /etc/nsswitch.conf (that is done only in Lunar and later) |
18 | + + d/t/samba-ad-dc-provisioning-internal-dns: use case insensitive |
19 | + match when inspecting kerberos tickets, as the hostname may be |
20 | + capitalized |
21 | + + d/t/samba-ad-dc-provisioning-internal-dns: Adjust regexp for |
22 | + slightly different resolvectl output |
23 | + + d/t/util: several lxc command output parsing changes, needed for |
24 | + this older version of the lxd snap |
25 | + + d/t/samba-ad-dc-provisioning-internal-dns: more dependencies for |
26 | + the winbind and sssd domain join tests, which don't get |
27 | + installed automatically for us by this version of realmd |
28 | + + d/t/util: increase the RLIMIT_MEMLOCK limit for lxd containers, |
29 | + as the default of 64kb is too low for at least ppc64el on focal |
30 | + |
31 | + -- Andreas Hasenack <andreas@canonical.com> Sun, 23 Jul 2023 17:19:48 -0300 |
32 | + |
33 | samba (2:4.15.13+dfsg-0ubuntu0.20.04.3) focal-security; urgency=medium |
34 | |
35 | * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP |
36 | diff --git a/debian/patches/secure-channel-faulty-kb5028166.patch b/debian/patches/secure-channel-faulty-kb5028166.patch |
37 | new file mode 100644 |
38 | index 0000000..c1367f7 |
39 | --- /dev/null |
40 | +++ b/debian/patches/secure-channel-faulty-kb5028166.patch |
41 | @@ -0,0 +1,215 @@ |
42 | +From 2150e7f3dc409b415ca8b6a541729a49932c5073 Mon Sep 17 00:00:00 2001 |
43 | +From: Stefan Metzmacher <metze@samba.org> |
44 | +Date: Sat, 15 Jul 2023 17:20:32 +0200 |
45 | +Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities |
46 | + response level 2 |
47 | + |
48 | +We don't have any documentation about this yet, but tests against |
49 | +a Windows Server 2022 patched with KB5028166 revealed that |
50 | +the response for query_level=2 is exactly the same as |
51 | +for querey_level=1. |
52 | + |
53 | +Until we know the reason for query_level=2 we won't |
54 | +use it as client nor support it in the server, but |
55 | +we want ndrdump to work. |
56 | + |
57 | +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 |
58 | + |
59 | +Signed-off-by: Stefan Metzmacher <metze@samba.org> |
60 | +Reviewed-by: Andrew Bartlett <abartlet@samba.org> |
61 | +(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e) |
62 | +--- |
63 | + librpc/idl/netlogon.idl | 1 + |
64 | + 1 file changed, 1 insertion(+) |
65 | + |
66 | +Ubuntu patch note: removed the parts that changed the upstream test suite |
67 | + |
68 | +Origin: backport, https://bugzilla.samba.org/attachment.cgi?id=17987 |
69 | +Bug: https://bugzilla.samba.org/show_bug.cgi?id=15418 |
70 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716 |
71 | +Last-Update: 2023-07-17 |
72 | + |
73 | +diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl |
74 | +index d956a661fff7..b51767136d3c 100644 |
75 | +--- a/librpc/idl/netlogon.idl |
76 | ++++ b/librpc/idl/netlogon.idl |
77 | +@@ -1241,6 +1241,7 @@ interface netlogon |
78 | + /* Function 0x15 */ |
79 | + typedef [switch_type(uint32)] union { |
80 | + [case(1)] netr_NegotiateFlags server_capabilities; |
81 | ++ [case(2)] netr_NegotiateFlags server_capabilities; |
82 | + } netr_Capabilities; |
83 | + |
84 | + NTSTATUS netr_LogonGetCapabilities( |
85 | +-- |
86 | +2.34.1 |
87 | + |
88 | + |
89 | +From fa71e7b4b027dc8224fda7125f1faaefa4e71eae Mon Sep 17 00:00:00 2001 |
90 | +From: Stefan Metzmacher <metze@samba.org> |
91 | +Date: Sat, 15 Jul 2023 16:11:48 +0200 |
92 | +Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for |
93 | + invalid netr_LogonGetCapabilities levels |
94 | + |
95 | +This is important as Windows clients with KB5028166 seem to |
96 | +call netr_LogonGetCapabilities with query_level=2 after |
97 | +a call with query_level=1. |
98 | + |
99 | +An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG |
100 | +for query_level values other than 1. |
101 | +While Samba tries to return NT_STATUS_NOT_SUPPORTED, but |
102 | +later fails to marshall the response, which results |
103 | +in DCERPC_FAULT_BAD_STUB_DATA instead. |
104 | + |
105 | +Because we don't have any documentation for level 2 yet, |
106 | +we just try to behave like an unpatched server and |
107 | +generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of |
108 | +DCERPC_FAULT_BAD_STUB_DATA. |
109 | +Which allows patched Windows clients to keep working |
110 | +against a Samba DC. |
111 | + |
112 | +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 |
113 | + |
114 | +Signed-off-by: Stefan Metzmacher <metze@samba.org> |
115 | +Reviewed-by: Andrew Bartlett <abartlet@samba.org> |
116 | +(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518) |
117 | +--- |
118 | + .../knownfail.d/netr_LogonGetCapabilities | 2 -- |
119 | + source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++--- |
120 | + 2 files changed, 24 insertions(+), 6 deletions(-) |
121 | + |
122 | +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c |
123 | +index 6a3e044eb9da..26be4f567513 100644 |
124 | +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c |
125 | ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c |
126 | +@@ -2399,6 +2399,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c |
127 | + struct netlogon_creds_CredentialState *creds; |
128 | + NTSTATUS status; |
129 | + |
130 | ++ switch (r->in.query_level) { |
131 | ++ case 1: |
132 | ++ break; |
133 | ++ case 2: |
134 | ++ /* |
135 | ++ * Until we know the details behind KB5028166 |
136 | ++ * just return DCERPC_NCA_S_FAULT_INVALID_TAG |
137 | ++ * like an unpatched Windows Server. |
138 | ++ */ |
139 | ++ FALL_THROUGH; |
140 | ++ default: |
141 | ++ /* |
142 | ++ * There would not be a way to marshall the |
143 | ++ * the response. Which would mean our final |
144 | ++ * ndr_push would fail an we would return |
145 | ++ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. |
146 | ++ * |
147 | ++ * But it's important to match a Windows server |
148 | ++ * especially before KB5028166, see also our bug #15418 |
149 | ++ * Otherwise Windows client would stop talking to us. |
150 | ++ */ |
151 | ++ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG); |
152 | ++ } |
153 | ++ |
154 | + status = dcesrv_netr_creds_server_step_check(dce_call, |
155 | + mem_ctx, |
156 | + r->in.computer_name, |
157 | +@@ -2410,10 +2434,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c |
158 | + } |
159 | + NT_STATUS_NOT_OK_RETURN(status); |
160 | + |
161 | +- if (r->in.query_level != 1) { |
162 | +- return NT_STATUS_NOT_SUPPORTED; |
163 | +- } |
164 | +- |
165 | + r->out.capabilities->server_capabilities = creds->negotiate_flags; |
166 | + |
167 | + return NT_STATUS_OK; |
168 | +-- |
169 | +2.34.1 |
170 | + |
171 | + |
172 | +From 05f110e1a4d4b38bfbaaa3a92fda7a9127b3b456 Mon Sep 17 00:00:00 2001 |
173 | +From: Stefan Metzmacher <metze@samba.org> |
174 | +Date: Sat, 15 Jul 2023 16:11:48 +0200 |
175 | +Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for |
176 | + invalid netr_LogonGetCapabilities levels |
177 | + |
178 | +This is important as Windows clients with KB5028166 seem to |
179 | +call netr_LogonGetCapabilities with query_level=2 after |
180 | +a call with query_level=1. |
181 | + |
182 | +An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG |
183 | +for query_level values other than 1. |
184 | +While Samba tries to return NT_STATUS_NOT_SUPPORTED, but |
185 | +later fails to marshall the response, which results |
186 | +in DCERPC_FAULT_BAD_STUB_DATA instead. |
187 | + |
188 | +Because we don't have any documentation for level 2 yet, |
189 | +we just try to behave like an unpatched server and |
190 | +generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of |
191 | +DCERPC_FAULT_BAD_STUB_DATA. |
192 | +Which allows patched Windows clients to keep working |
193 | +against a Samba DC. |
194 | + |
195 | +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 |
196 | + |
197 | +Signed-off-by: Stefan Metzmacher <metze@samba.org> |
198 | +Reviewed-by: Andrew Bartlett <abartlet@samba.org> |
199 | + |
200 | +Autobuild-User(master): Stefan Metzmacher <metze@samba.org> |
201 | +Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 |
202 | + |
203 | +(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9) |
204 | +--- |
205 | + .../knownfail.d/netr_LogonGetCapabilities | 1 - |
206 | + source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++--- |
207 | + 2 files changed, 25 insertions(+), 5 deletions(-) |
208 | + delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities |
209 | + |
210 | +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c |
211 | +index 5906464a9f3..35433ec6781 100644 |
212 | +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c |
213 | ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c |
214 | +@@ -2421,6 +2421,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, |
215 | + struct netlogon_creds_CredentialState *creds; |
216 | + NTSTATUS status; |
217 | + |
218 | ++ switch (r->in.query_level) { |
219 | ++ case 1: |
220 | ++ break; |
221 | ++ case 2: |
222 | ++ /* |
223 | ++ * Until we know the details behind KB5028166 |
224 | ++ * just return DCERPC_NCA_S_FAULT_INVALID_TAG |
225 | ++ * like an unpatched Windows Server. |
226 | ++ */ |
227 | ++ FALL_THROUGH; |
228 | ++ default: |
229 | ++ /* |
230 | ++ * There would not be a way to marshall the |
231 | ++ * the response. Which would mean our final |
232 | ++ * ndr_push would fail an we would return |
233 | ++ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. |
234 | ++ * |
235 | ++ * But it's important to match a Windows server |
236 | ++ * especially before KB5028166, see also our bug #15418 |
237 | ++ * Otherwise Windows client would stop talking to us. |
238 | ++ */ |
239 | ++ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; |
240 | ++ return NT_STATUS_NOT_SUPPORTED; |
241 | ++ } |
242 | ++ |
243 | + become_root(); |
244 | + status = netr_creds_server_step_check(p, p->mem_ctx, |
245 | + r->in.computer_name, |
246 | +@@ -2432,10 +2457,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, |
247 | + return status; |
248 | + } |
249 | + |
250 | +- if (r->in.query_level != 1) { |
251 | +- return NT_STATUS_NOT_SUPPORTED; |
252 | +- } |
253 | +- |
254 | + r->out.capabilities->server_capabilities = creds->negotiate_flags; |
255 | + |
256 | + return NT_STATUS_OK; |
257 | diff --git a/debian/patches/series b/debian/patches/series |
258 | index 54984e0..be2f88c 100644 |
259 | --- a/debian/patches/series |
260 | +++ b/debian/patches/series |
261 | @@ -66,3 +66,4 @@ CVE-2023-34968-09.patch |
262 | CVE-2023-34968-10.patch |
263 | CVE-2023-34968-11.patch |
264 | CVE-2023-34968-12.patch |
265 | +secure-channel-faulty-kb5028166.patch |
266 | diff --git a/debian/tests/control b/debian/tests/control |
267 | index efc23b7..5e1cd04 100644 |
268 | --- a/debian/tests/control |
269 | +++ b/debian/tests/control |
270 | @@ -20,3 +20,7 @@ Restrictions: needs-root, allow-stderr, isolation-container |
271 | Tests: reinstall-samba-common-bin |
272 | Depends: samba-common, samba-common-bin |
273 | Restrictions: needs-root, needs-reboot, isolation-machine, allow-stderr |
274 | + |
275 | +Tests: samba-ad-dc-provisioning-internal-dns |
276 | +Depends: samba, samba-dsdb-modules, samba-vfs-modules, winbind, smbclient, krb5-user, bind9-dnsutils, lxd | snapd, lsb-release, dctrl-tools |
277 | +Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed |
278 | diff --git a/debian/tests/samba-ad-dc-provisioning-internal-dns b/debian/tests/samba-ad-dc-provisioning-internal-dns |
279 | new file mode 100755 |
280 | index 0000000..f84372c |
281 | --- /dev/null |
282 | +++ b/debian/tests/samba-ad-dc-provisioning-internal-dns |
283 | @@ -0,0 +1,408 @@ |
284 | +#!/bin/bash |
285 | + |
286 | +set -e |
287 | +set -o pipefail |
288 | + |
289 | +source debian/tests/util |
290 | + |
291 | +declare -r domain="EXAMPLE" |
292 | +declare -r realm="EXAMPLE.FAKE" |
293 | +declare -r adminpass="Passw0rd" |
294 | +declare -r test_user="test_user_${RANDOM}" |
295 | +declare -r test_pw="test_user_secret_${RANDOM}" |
296 | +declare -A user_pass |
297 | +user_pass[Administrator]="${adminpass}" |
298 | +user_pass[${test_user}]="${test_pw}" |
299 | +declare -A join_method_deps |
300 | +# Minimum set of deps: let realmd install the extra dependencies |
301 | +# as needed, depending on the join method. |
302 | +# sssd-dbus is needed by the sssctl tool, and is not installed automatically |
303 | +# via deps in focal |
304 | +join_method_deps[realmd_sssd]="realmd krb5-user smbclient sssd-dbus" |
305 | +# libnss-winbind needs to be explicitly listed because realmd only started |
306 | +# installing it in version 0.17.0, that's >= focal |
307 | +join_method_deps[realmd_winbind]="realmd krb5-user smbclient libnss-winbind" |
308 | + |
309 | + |
310 | +cleanup() { |
311 | + rc=$? |
312 | + set +e # so we don't exit midcleanup |
313 | + if [ ${rc} -ne 0 ]; then |
314 | + echo "## Something failed, gathering logs" |
315 | + echo |
316 | + echo "## smb.conf" |
317 | + cat /etc/samba/smb.conf |
318 | + echo |
319 | + echo "## resolv.conf" |
320 | + cat /etc/resolv.conf |
321 | + echo |
322 | + echo "## resolvectl status" |
323 | + resolvectl status |
324 | + echo "## journal for samba-ad-dc.service" |
325 | + journalctl -u samba-ad-dc.service --lines 500 |
326 | + echo |
327 | + for log in /var/log/samba/log.*; do |
328 | + # skip compressed logrotated files |
329 | + if [ "${log%.gz}" != "${log}" ]; then |
330 | + continue |
331 | + fi |
332 | + [ -s "${log}" ] || continue |
333 | + echo "## $(basename ${log}):" |
334 | + tail -n 500 "${log}" |
335 | + echo |
336 | + done |
337 | + echo "## syslog" |
338 | + tail -n 500 /var/log/syslog |
339 | + fi |
340 | +} |
341 | + |
342 | +trap cleanup EXIT |
343 | + |
344 | +assert_testparm() { |
345 | + local parameter="${1}" |
346 | + local expected_value="${2}" |
347 | + local current_value="" |
348 | + local -i retval=0 |
349 | + |
350 | + echo -n "Asserting ${parameter} is ${expected_value}: " |
351 | + current_value=$(testparm -s --parameter-name "${parameter}" 2>/dev/null) || { |
352 | + retval=$? |
353 | + echo "FAIL" |
354 | + return ${retval} |
355 | + } |
356 | + if [ "${current_value}" = "${expected_value}" ]; then |
357 | + echo "OK" |
358 | + return 0 |
359 | + else |
360 | + echo "FAIL" |
361 | + return 1 |
362 | + fi |
363 | +} |
364 | + |
365 | +basic_config_tests() { |
366 | + echo "## Basic config tests" |
367 | + testparm -s > /dev/null |
368 | + assert_testparm "realm" "${realm}" |
369 | + assert_testparm "workgroup" "${domain}" |
370 | + assert_testparm "server role" "active directory domain controller" |
371 | + echo |
372 | +} |
373 | + |
374 | +dns_tests() { |
375 | + echo "## DNS tests" |
376 | + echo "Obtaining administrator kerberos ticket" |
377 | + echo "${adminpass}" | timeout --verbose 30 kinit Administrator |
378 | + echo |
379 | + echo "Querying server info" |
380 | + samba-tool dns serverinfo "$(hostname)" |
381 | + echo |
382 | + echo "Checking we got a service ticket of type host/" |
383 | + klist | grep -i "host/$(hostname)" |
384 | + echo |
385 | + echo "Checking specific DNS records" |
386 | + for srv in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do |
387 | + echo -n "${srv}.${realm,,}: " |
388 | + dig @localhost +short -t SRV ${srv}.${realm,,} |
389 | + echo |
390 | + done |
391 | + echo |
392 | + echo -n "Checking that our hostname \"$(hostname)\" is in DNS: " |
393 | + myip=$(dig @localhost +short -t A "$(hostname).${realm,,}") |
394 | + echo "${myip}" |
395 | + echo |
396 | +} |
397 | + |
398 | +user_creation_tests() { |
399 | + echo "## User creation tests" |
400 | + samba-tool domain passwordsettings set --complexity=off |
401 | + echo "Creating user \"${test_user}\" with password ${test_pw}" |
402 | + samba-tool user add "${test_user}" "${test_pw}" |
403 | + echo |
404 | + echo "Attempting to obtain kerberos ticket for user \"${test_user}\"" |
405 | + # just in case it ends up waiting at a prompt, we use "timeout" |
406 | + echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}" |
407 | + echo "Ticket obtained" |
408 | + klist |
409 | + echo |
410 | +} |
411 | + |
412 | +smbclient_tests() { |
413 | + echo "## smbclient tests" |
414 | + kdestroy || : |
415 | + echo |
416 | + echo "Obtaining a TGT for ${test_user}" |
417 | + echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}" |
418 | + klist | grep krbtgt |
419 | + echo |
420 | + echo "Attempting password-less authentication with smbclient" |
421 | + echo |
422 | + echo "Listing shares" |
423 | + smbclient -L "$(hostname)" --use-kerberos=required -k |
424 | + echo |
425 | + echo "Listing the sysvol share" |
426 | + smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls" |
427 | + echo |
428 | + echo "Listing policies" |
429 | + # lowercase the ${realm} |
430 | + smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls ${realm,,}/Policies/*" |
431 | + echo |
432 | + echo "Checking that we have a ticket for the cifs service after all these commands" |
433 | + klist | grep cifs/ |
434 | + echo |
435 | +} |
436 | + |
437 | +server_join_tests() { |
438 | + local member_server |
439 | + # the join methods are the keys of the join_method_deps dict |
440 | + local -a methods=("${!join_method_deps[@]}") |
441 | + local member_server="member-server" |
442 | + |
443 | + echo "## Server join tests" |
444 | + echo "## Initializing lxd" |
445 | + setup_lxd "${realm,,}" |
446 | + |
447 | + for method in "${methods[@]}"; do |
448 | + echo "## Setting up member server to join a domain using method ${method}" |
449 | + setup_member_server "${member_server}" "${method}" |
450 | + echo "## Joining domain with method ${method}" |
451 | + join_domain "${member_server}" "${method}" |
452 | + echo |
453 | + echo "## Verifying join with method ${method}" |
454 | + verify_join "${member_server}" "${method}" |
455 | + echo |
456 | + echo "## Leaving domain with method ${method}" |
457 | + leave_domain "${member_server}" "${method}" |
458 | + echo |
459 | + echo "## Destroying member server" |
460 | + lxc delete --force "${member_server}" |
461 | + done |
462 | +} |
463 | + |
464 | +setup_member_server() { |
465 | + local container_name="${1}" |
466 | + local method="${2}" |
467 | + local release |
468 | + |
469 | + release="$(lsb_release -cs)" |
470 | + if [ -z "${join_method_deps[${method}]}" ]; then |
471 | + echo "## INTERNAL ERROR, invalid join method: ${method}" |
472 | + return 1 |
473 | + fi |
474 | + echo "## Got test dependencies: ${join_method_deps[${method}]}" |
475 | + # can't use cloud-init here to install packages, because we first need to |
476 | + # sync the apt config from the host to the container |
477 | + echo "## Launching ${release} container" |
478 | + lxc launch "ubuntu-daily:${release}" "${container_name}" -q |
479 | + wait_container_ready "${container_name}" |
480 | + send_apt_config "${container_name}" |
481 | + copy_local_apt_files "${container_name}" |
482 | + echo "## Installing dependencies in test container" |
483 | + install_packages_in_container "${container_name}" ${join_method_deps[${method}]} |
484 | +} |
485 | + |
486 | +join_domain_realmd_winbind() { |
487 | + local server="${1}" |
488 | + local discover_cmd="realm discover -v --membership-software=samba --client-software=winbind ${realm,,}" |
489 | + local join_cmd="realm join -v --membership-software=samba --client-software=winbind ${realm,,}" |
490 | + |
491 | + echo "## Domain information" |
492 | + lxc exec "${server}" -- ${discover_cmd} |
493 | + echo |
494 | + echo "## Running join command: ${join_cmd}" |
495 | + echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd} |
496 | + # LP: #1980246 |
497 | + # So far, only lunar and later automatically add winbind to /etc/nsswitch.conf. |
498 | + lxc exec "${server}" -- sed -r -i \ |
499 | + -e '/^(passwd|group):.*[[:space:]]winbind\b/b' \ |
500 | + -e 's/^(passwd|group):.*/& winbind/' \ |
501 | + /etc/nsswitch.conf |
502 | +} |
503 | + |
504 | +verify_join_realmd_winbind() { |
505 | + local server="${1}" |
506 | + local member_domain |
507 | + |
508 | + echo -n "## Verifying member server joined domain name: " |
509 | + member_domain=$(lxc exec "${server}" -- wbinfo --own-domain) |
510 | + echo "${member_domain}" |
511 | + if [ "${member_domain}" != "${domain}" ]; then |
512 | + echo "ERROR: expected member server domain to match the joined domain:" |
513 | + echo "member server domain: ${member_domain}" |
514 | + echo "AD domain: ${domain}" |
515 | + return 1 |
516 | + fi |
517 | + echo |
518 | + # we just want to see the output, not parse it |
519 | + echo "## Domain status in member server" |
520 | + lxc exec "${server}" -- wbinfo --domain-info "${member_domain}" |
521 | + echo |
522 | + echo "## User status in member server" |
523 | + for u in "${!user_pass[@]}"; do |
524 | + echo "## User \"${u}@${realm}\" information:" |
525 | + lxc exec "${server}" -- wbinfo --user-info "${u}@${realm}" |
526 | + echo |
527 | + echo "## id ${u}@${realm}" |
528 | + lxc exec "${server}" -- id ${u}@${realm} |
529 | + echo |
530 | + echo "## kinit authentication check for user \"${u}@${realm}\" inside member server" |
531 | + echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}" |
532 | + lxc exec "${server}" -- klist |
533 | + echo |
534 | + echo "## Listing shares with the obtained kerberos ticket" |
535 | + lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k |
536 | + lxc exec "${server}" -- kdestroy |
537 | + echo |
538 | + echo "## wbinfo authentication check for user \"${u}@${realm}\" inside member server" |
539 | + # non-interactive format for username is user%password |
540 | + lxc exec "${server}" -- wbinfo --authenticate="${u}@${realm}%${user_pass[${u}]}" |
541 | + echo |
542 | + echo "## wbinfo kerberos authentication check for user \"${u}@${realm}\" inside member server" |
543 | + lxc exec "${server}" -- wbinfo --krb5auth="${u}@${realm}%${user_pass[${u}]}" |
544 | + echo |
545 | + echo "## Listing shares with the obtained kerberos ticket" |
546 | + lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k |
547 | + lxc exec "${server}" -- kdestroy |
548 | + done |
549 | +} |
550 | + |
551 | +leave_domain_realmd_winbind() { |
552 | + local server="${1}" |
553 | + local leave_cmd="realm leave -v --remove --client-software=winbind" |
554 | + |
555 | + echo "## Running leave command: ${leave_cmd}" |
556 | + echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd} |
557 | +} |
558 | + |
559 | +join_domain_realmd_sssd() { |
560 | + local server="${1}" |
561 | + local discover_cmd="realm discover -v --membership-software=adcli --client-software=sssd ${realm,,}" |
562 | + local join_cmd="realm join -v --membership-software=adcli --client-software=sssd ${realm,,}" |
563 | + |
564 | + echo "## Domain information" |
565 | + lxc exec "${server}" -- ${discover_cmd} |
566 | + echo |
567 | + echo "## Running join command: ${join_cmd}" |
568 | + echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd} |
569 | + echo |
570 | +} |
571 | + |
572 | +verify_join_realmd_sssd() { |
573 | + local server="${1}" |
574 | + local samba_domain |
575 | + |
576 | + echo -n "## Verifying member server joined domain name: " |
577 | + samba_domain=$(lxc exec "${server}" -- sssctl domain-list) |
578 | + echo "${samba_domain}" |
579 | + if [ "${samba_domain}" != "${realm,,}" ]; then |
580 | + echo "ERROR: expected member server domain to match the joined domain:" |
581 | + echo "member server domain: ${samba_domain}" |
582 | + echo "AD domain: ${realm,,}" |
583 | + return 1 |
584 | + fi |
585 | + echo |
586 | + # we just want to see the output, not parse it |
587 | + echo "## Domain status in member server" |
588 | + lxc exec "${server}" -- sssctl domain-status "${realm}" |
589 | + echo |
590 | + echo "## User status in member server" |
591 | + for u in "${!user_pass[@]}"; do |
592 | + echo "## User \"${u}@${realm}\" information:" |
593 | + lxc exec "${server}" -- sssctl user-checks "${u}@${realm}" |
594 | + echo |
595 | + echo "## id ${u}@${realm}" |
596 | + lxc exec "${server}" -- id "${u}@${realm}" |
597 | + echo |
598 | + echo "## kinit authentication check for user \"${u}@${realm}\" inside member server" |
599 | + echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}" |
600 | + lxc exec "${server}" -- klist |
601 | + echo |
602 | + echo "## Listing shares with the obtained kerberos ticket" |
603 | + lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k |
604 | + lxc exec "${server}" -- kdestroy |
605 | + done |
606 | +} |
607 | + |
608 | +leave_domain_realmd_sssd() { |
609 | + local server="${1}" |
610 | + local leave_cmd="realm leave -v --remove --client-software=sssd" |
611 | + |
612 | + echo "## Running leave command: ${leave_cmd}" |
613 | + echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd} |
614 | +} |
615 | + |
616 | +join_domain() { |
617 | + local server="${1}" |
618 | + local m="${2}" |
619 | + |
620 | + join_domain_${m} "${server}" |
621 | +} |
622 | + |
623 | +verify_join() { |
624 | + local server="${1}" |
625 | + local m="${2}" |
626 | + |
627 | + verify_join_${m} "${server}" |
628 | +} |
629 | + |
630 | +leave_domain() { |
631 | + local server="${1}" |
632 | + local m="${2}" |
633 | + |
634 | + leave_domain_${m} "${server}" |
635 | +} |
636 | + |
637 | +systemctl stop smbd nmbd winbind |
638 | +systemctl disable smbd nmbd winbind |
639 | +systemctl mask smbd nmbd winbind |
640 | + |
641 | +systemctl unmask samba-ad-dc |
642 | +systemctl enable samba-ad-dc |
643 | + |
644 | +if [ -f /etc/samba/smb.conf ]; then |
645 | + mv /etc/samba/smb.conf{,.orig} |
646 | +fi |
647 | + |
648 | +# make sure we are starting fresh, as previous tests might left things around |
649 | + |
650 | +rm -rf /var/lib/samba/* /var/cache/samba/* /run/samba/* |
651 | +kdestroy || : |
652 | + |
653 | +samba-tool domain provision \ |
654 | + --domain="${domain}" \ |
655 | + --realm="${realm}" \ |
656 | + --adminpass="${adminpass}" \ |
657 | + --server-role=dc \ |
658 | + --use-rfc2307 \ |
659 | + --dns-backend=SAMBA_INTERNAL |
660 | + |
661 | +current_dns=$(resolvectl status | grep -E "^[[:blank:]]*Current DNS Server:" | awk '{print $4}') |
662 | + |
663 | +if [ -n "${current_dns}" ]; then |
664 | + echo "## Setting dns forwarder to ${current_dns} in smb.conf" |
665 | + sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \ |
666 | + /etc/samba/smb.conf |
667 | + unlink /etc/resolv.conf |
668 | + echo "nameserver 127.0.0.1" > /etc/resolv.conf |
669 | + # lowercase substitution |
670 | + echo "search ${realm,,}" >> /etc/resolv.conf |
671 | + systemctl stop systemd-resolved |
672 | + systemctl disable systemd-resolved |
673 | +else |
674 | + echo "## Warning, couldn't detect the current DNS server to use as forwarder in smb.conf" |
675 | + echo "## resolvectl status:" |
676 | + resolvectl status |
677 | + echo "## Continuing, and hoping for the best" |
678 | +fi |
679 | + |
680 | +cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf |
681 | + |
682 | +systemctl start samba-ad-dc |
683 | + |
684 | +# give it some time, it's a lot of services to start |
685 | +sleep 5s |
686 | + |
687 | +basic_config_tests |
688 | +dns_tests |
689 | +user_creation_tests |
690 | +smbclient_tests |
691 | +server_join_tests |
692 | diff --git a/debian/tests/util b/debian/tests/util |
693 | new file mode 100644 |
694 | index 0000000..66ed247 |
695 | --- /dev/null |
696 | +++ b/debian/tests/util |
697 | @@ -0,0 +1,178 @@ |
698 | +#!/bin/sh |
699 | + |
700 | +# $1: share name |
701 | +# $2: comma separated list of vfs_objects to use, if any |
702 | +add_share() { |
703 | + local share="$1" |
704 | + local vfs="$2" |
705 | + if ! testparm -s 2>&1 | grep -E "^\[${share}\]"; then |
706 | + echo "Adding [${share}] share" |
707 | + cat >> /etc/samba/smb.conf <<EOFEOF |
708 | +[${share}] |
709 | + read only = no |
710 | + guest ok = no |
711 | + path = /${share} |
712 | +EOFEOF |
713 | + if [ -n "${vfs}" ]; then |
714 | + echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf |
715 | + fi |
716 | + systemctl reload smbd.service |
717 | + else |
718 | + echo "Share [${share}] already exists, continuing" |
719 | + fi |
720 | +} |
721 | + |
722 | +# $1: username |
723 | +# $2: password |
724 | +add_user() { |
725 | + local username="$1" |
726 | + local password="$2" |
727 | + |
728 | + echo "Creating a local and samba user called ${username}" |
729 | + useradd -m "${username}" |
730 | + echo "Setting samba password for the ${username} user" |
731 | + (echo "${password}"; echo "${password}") | smbpasswd -s -a ${username} |
732 | +} |
733 | + |
734 | +# $1: share name |
735 | +populate_share() { |
736 | + local sharename="$1" |
737 | + local usergroup="$2" |
738 | + local sharepath="/${sharename}" |
739 | + |
740 | + mkdir -p "${sharepath}" |
741 | + dd if=/dev/urandom bs=4096 count=1000 2>/dev/null | base64 > "${sharepath}/data" |
742 | + cd "${sharepath}" |
743 | + md5sum data > data.md5 |
744 | + chown -R "${usergroup}:${usergroup}" "${sharepath}" |
745 | +} |
746 | + |
747 | + |
748 | +# $1: kernel version in the form major.minor.patch |
749 | +check_kernel_version() { |
750 | + local k_ver=$1 |
751 | + local k_major=$(echo ${k_ver} | cut -d . -f 1) |
752 | + local k_minor=$(echo ${k_ver} | cut -d . -f 2) |
753 | + |
754 | + # uring is supported starting with kernel 5.1.x |
755 | + if [ ${k_major} -eq 5 ] && [ ${k_minor} -ge 1 ]; then |
756 | + return 0 |
757 | + elif [ ${k_major} -ge 6 ]; then |
758 | + return 0 |
759 | + else |
760 | + return 1 |
761 | + fi |
762 | +} |
763 | + |
764 | +wait_container_ready() { |
765 | + local container="${1}" |
766 | + local -i limit=120 # seconds |
767 | + local -i i=0 |
768 | + local -i result=0 |
769 | + local ip |
770 | + local output |
771 | + |
772 | + while /bin/true; do |
773 | + ip=$(lxc list "${container}" -c 4 --format=csv | tail -1 | awk '{print $1}') |
774 | + if [ -n "${ip}" ]; then |
775 | + break |
776 | + fi |
777 | + i=$((i+1)) |
778 | + if [ ${i} -ge ${limit} ]; then |
779 | + return 1 |
780 | + fi |
781 | + sleep 1s |
782 | + echo -n "." |
783 | + done |
784 | + while ! nc -z "${ip}" 22; do |
785 | + echo -n "." |
786 | + i=$((i+1)) |
787 | + if [ ${i} -ge ${limit} ]; then |
788 | + return 1 |
789 | + fi |
790 | + sleep 1s |
791 | + done |
792 | + # cloud-init might still be doing things... |
793 | + # this call blocks, so wrap it in its own little timeout |
794 | + output=$(lxc exec "${container}" -- timeout --verbose $((limit-i)) cloud-init status --wait) || { |
795 | + result=$? |
796 | + echo "cloud-init status --wait failed on container ${container}" |
797 | + echo "${output}" |
798 | + return ${result} |
799 | + } |
800 | + echo |
801 | +} |
802 | + |
803 | +install_lxd() { |
804 | + if ! command -v lxd > /dev/null 2>&1; then |
805 | + # the test depends has "lxd | snapd", so if we don't have lxd, we must |
806 | + # install the snap |
807 | + snap list lxd > /dev/null 2>&1 || { |
808 | + echo "Installing the LXD snap..." |
809 | + snap install lxd |
810 | + } |
811 | + fi |
812 | +} |
813 | + |
814 | +setup_lxd() { |
815 | + local dns_domain="${1}" |
816 | + local nic |
817 | + local dns_ip |
818 | + |
819 | + install_lxd |
820 | + # Stop samba while lxd is setup, to avoid conflicts on lxdbr0:53 |
821 | + systemctl stop samba-ad-dc |
822 | + lxd init --auto |
823 | + lxd waitready --timeout 600 |
824 | + # sample csv output. Columns are NAME,TYPE,MANAGED,DESCRIPTION,USED_BY |
825 | + #enp1s0,physical,NO,,0 |
826 | + #lxdbr0,bridge,YES,,1 |
827 | + nic=$(lxc network list --format=csv | grep -E "bridge,YES,,1" | cut -d , -f 1) |
828 | + dns_ip=$(lxc network info "${nic}" | grep -w inet | awk '{print $2}') |
829 | + # port=0 effectively disables dnsmasq's DNS, so it doesn't conflict with samba's DNS |
830 | + lxc network set "${nic:-lxdbr0}" ipv6.address=none dns.domain="${dns_domain}" raw.dnsmasq="$(echo -e port=0\\ndhcp-option=option:dns-server,${dns_ip})" |
831 | + if [ -n "${http_proxy}" ]; then |
832 | + lxc config set core.proxy_http "${http_proxy}" |
833 | + fi |
834 | + if [ -n "${https_proxy}" ]; then |
835 | + lxc config set core.proxy_https "${https_proxy}" |
836 | + fi |
837 | + if [ -n "${noproxy}" ]; then |
838 | + lxc config set core.proxy_ignore_hosts "${noproxy}" |
839 | + fi |
840 | + # the default of 64k is too low for, at least, ppc64el on focal |
841 | + lxc profile set default limits.kernel.memlock 262144 |
842 | + systemctl start samba-ad-dc |
843 | + # give it some time, it's a lot of services to start |
844 | + sleep 5s |
845 | +} |
846 | + |
847 | +# Copy the local apt package archive over to the lxd container. |
848 | +copy_local_apt_files() { |
849 | + local container_name="${1:-docker}" |
850 | + |
851 | + for local_source in $(apt-get indextargets | grep-dctrl -F URI -e '^file:/' -sURI | awk '{print $2}'); do |
852 | + local_source=${local_source#file:} |
853 | + local_dir=$(dirname "${local_source}") |
854 | + lxc exec "${container_name}" -- mkdir -p "${local_dir}" |
855 | + tar -cC "${local_dir}" . | lxc exec "${container_name}" -- tar -xC "${local_dir}" |
856 | + done |
857 | +} |
858 | + |
859 | +send_apt_config() { |
860 | + echo "Copying over /etc/apt to container ${1}" |
861 | + lxc exec "${1}" -- rm -rf /etc/apt |
862 | + lxc exec "${1}" -- mkdir -p /etc/apt |
863 | + tar -cC /etc/apt . | lxc exec "${1}" -- tar -xC /etc/apt |
864 | +} |
865 | + |
866 | +install_packages_in_container() { |
867 | + local container="${1}" |
868 | + shift |
869 | + local packages="${*}" |
870 | + |
871 | + echo "### Installing dependencies in member server container: ${packages}" |
872 | + lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get update -q |
873 | + lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y |
874 | + lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y ${packages} |
875 | +} |
Thanks for this MP Andreas! I found no issue in the packaging changes, but the autopgktest execution against the package in your PPA has a failure in ppc64el:
- samba/2: 4.15.13+ dfsg-0ubuntu0. 20.04.4~ ppa1 /autopkgtest. ubuntu. com/results/ autopkgtest- focal-ahasenack -samba- kb5028166/ focal/ppc64el/ s/samba/ 20230720_ 180837_ 9f4b6@/ log.gz /autopkgtest. ubuntu. com/results/ autopkgtest- focal-ahasenack -samba- kb5028166/ focal/ppc64el/ s/samba/ 20230720_ 202115_ 59d84@/ log.gz
+ ✅ samba on focal for amd64 @ 20.07.23 17:52:59
+ ✅ samba on focal for arm64 @ 20.07.23 18:34:00
+ ✅ samba on focal for armhf @ 20.07.23 17:56:16
+ ❌ samba on focal for ppc64el @ 20.07.23 18:08:37
• Status: FAIL
• Log: https:/
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s FAIL 🟥
+ ❌ samba on focal for ppc64el @ 20.07.23 20:21:15
• Status: FAIL
• Log: https:/
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s FAIL 🟥
+ ✅ samba on focal for s390x @ 21.07.23 17:35:21
I just re-triggered the test to make sure it is failing again:
* Running: samba-kb5028166 samba/2: 4.15.13+ dfsg-0ubuntu0. 20.04.4~ ppa1
# time pkg release arch ppa trigger
- 530 samba focal ppc64el ahasenack/
Waiting for the results now.