Merge ~ahasenack/ubuntu/+source/samba:focal-samba-kb5028166-2027716 into ubuntu/+source/samba:ubuntu/focal-devel
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: e3f13ab02ab932d6e0acb12b10f30dfad31df166
Proposed branch: ~ahasenack/ubuntu/+source/samba:focal-samba-kb5028166-2027716
Merge into: ubuntu/+source/samba:ubuntu/focal-devel
Diff against target: 875 lines (+833/-0), 6 files modified
- debian/changelog (+27/-0)
- debian/patches/secure-channel-faulty-kb5028166.patch (+215/-0)
- debian/patches/series (+1/-0)
- debian/tests/control (+4/-0)
- debian/tests/samba-ad-dc-provisioning-internal-dns (+408/-0)
- debian/tests/util (+178/-0)

Reviewer | Review Type | Date Requested | Status
---|---|---|---
git-ubuntu bot | | | Approve
Lucas Kanashiro (community) | | | Approve
Canonical Server Reporter | | | Pending

Review via email: mp+447460@code.launchpad.net
Commit message
Description of the change
PPA: https:/
Bug fix for #2027716. SRU template is filled in, including a test case.
I split the patch into two commits: one that introduces the upstream patch, pristine, and another that removes the hunks that changed the upstream test suite. We don't run that test suite, and I think a smaller patch is easier to review, especially when comparing to the other ubuntu releases which needed a small backport change.
I tried to make incremental changes to this branch when compared to lunar, so it's easier to review. But range-diff is still a bit noisy, especially because focal did not have d/t/util.
The DEP8 test needed even more tweaking for focal, and I tried to keep the differences as additional commits.
DEP8 is green. It doesn't exercise this bug in particular, but does exercise a domain join with linux<->linux, which is a good regression test.
Lucas Kanashiro (lucaskanashiro) wrote:
Andreas Hasenack (ahasenack) wrote:
Thanks. I don't know why it failed; all of the previous, complicated checks passed, even kerberos ones, and it failed close to the end:
1927s ## wbinfo kerberos authentication check for user "<email address hidden>" inside member server
1927s plaintext kerberos password authentication for [<email address hidden>] failed (requesting cctype: FILE)
1927s Could not authenticate user [<email address hidden>%Passw0rd] with Kerberos (ccache: FILE)
1927s ## Something failed, gathering logs
Let's see what the new run brings.
Andreas Hasenack (ahasenack) wrote:
It failed again, let me see if I can get a ppc64el machine to poke around it...
Andreas Hasenack (ahasenack) wrote:
Ok, so when wbinfo --krb5auth fails in the DEP8 test, the winbind service logs this error on ppc64el:
[2023/07/26 18:21:42.215411, 0] ../../source3/
failed to mlock memory: Cannot allocate memory (12)
Andreas Hasenack (ahasenack) wrote:
In that situation, if I restart winbind, and then try again, then it works :/
This is a lxd container inside a 2Gb VM. Maybe ppc64el needs more memory...? I remember having to adjust some packages to use a bigger VM in the dep8 infrastructure.
Andreas Hasenack (ahasenack) wrote:
Tests passed on ppc64el this time, and kept passing in all other arches as well:
Results: (from http://
samba @ amd64:
26.07.23 22:31:46 Log 🗒️ ✅ Triggers: samba/2:
samba @ arm64:
27.07.23 00:06:46 Log 🗒️ ✅ Triggers: samba/2:
samba @ armhf:
26.07.23 22:15:14 Log 🗒️ ✅ Triggers: samba/2:
samba @ ppc64el:
26.07.23 22:35:14 Log 🗒️ ✅ Triggers: samba/2:
samba @ s390x:
26.07.23 22:33:21 Log 🗒️ ✅ Triggers: samba/2:
Lucas Kanashiro (lucaskanashiro) wrote:
Thanks Andreas!
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved
Andreas Hasenack (ahasenack) wrote:
Thanks, uploaded with rich history:
Uploading samba_4.
Uploading samba_4.
Uploading samba_4.
Uploading samba_4.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index 3ea7797..373ec2d 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,30 @@ | |||
6 | 1 | samba (2:4.15.13+dfsg-0ubuntu0.20.04.4) focal; urgency=medium | ||
7 | 2 | |||
8 | 3 | * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership | ||
9 | 4 | after Windows KB5028166 update (LP: #2027716) | ||
10 | 5 | * Cherry pick samba AD DC provisioning DEP8 test from later Ubuntu | ||
11 | 6 | releases (LP: #1977746, LP: #2011745): | ||
12 | 7 | - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns: | ||
13 | 8 | samba AD DC provisioning and domain join tests with internal DNS | ||
14 | 9 | + d/t/control: adjust package dependencies | ||
15 | 10 | + d/t/samba-ad-dc-provisioning-internal-dns: handle the case where | ||
16 | 11 | libnss-winbind does not automatically add winbind to | ||
17 | 12 | /etc/nsswitch.conf (that is done only in Lunar and later) | ||
18 | 13 | + d/t/samba-ad-dc-provisioning-internal-dns: use case insensitive | ||
19 | 14 | match when inspecting kerberos tickets, as the hostname may be | ||
20 | 15 | capitalized | ||
21 | 16 | + d/t/samba-ad-dc-provisioning-internal-dns: Adjust regexp for | ||
22 | 17 | slightly different resolvectl output | ||
23 | 18 | + d/t/util: several lxc command output parsing changes, needed for | ||
24 | 19 | this older version of the lxd snap | ||
25 | 20 | + d/t/samba-ad-dc-provisioning-internal-dns: more dependencies for | ||
26 | 21 | the winbind and sssd domain join tests, which don't get | ||
27 | 22 | installed automatically for us by this version of realmd | ||
28 | 23 | + d/t/util: increase the RLIMIT_MEMLOCK limit for lxd containers, | ||
29 | 24 | as the default of 64kb is too low for at least ppc64el on focal | ||
30 | 25 | |||
31 | 26 | -- Andreas Hasenack <andreas@canonical.com> Sun, 23 Jul 2023 17:19:48 -0300 | ||
32 | 27 | |||
33 | 1 | samba (2:4.15.13+dfsg-0ubuntu0.20.04.3) focal-security; urgency=medium | 28 | samba (2:4.15.13+dfsg-0ubuntu0.20.04.3) focal-security; urgency=medium |
34 | 2 | 29 | ||
35 | 3 | * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP | 30 | * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP |
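Review bot: The first bullet of the new 2:4.15.13+dfsg-0ubuntu0.20.04.4 entry does not say that the upstream patch was trimmed. The patch header records that the hunks touching the upstream test suite were removed, and the changelog should mention it as well, so that someone comparing this upload against other releases sees the difference without opening the patch. Style nit in the DEP8 bullet: "d/t/util,d/t/samba-ad-dc-provisioning-internal-dns" is missing a space after the comma.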
36 | diff --git a/debian/patches/secure-channel-faulty-kb5028166.patch b/debian/patches/secure-channel-faulty-kb5028166.patch | |||
37 | 4 | new file mode 100644 | 31 | new file mode 100644 |
38 | index 0000000..c1367f7 | |||
39 | --- /dev/null | |||
40 | +++ b/debian/patches/secure-channel-faulty-kb5028166.patch | |||
41 | @@ -0,0 +1,215 @@ | |||
42 | 1 | From 2150e7f3dc409b415ca8b6a541729a49932c5073 Mon Sep 17 00:00:00 2001 | ||
43 | 2 | From: Stefan Metzmacher <metze@samba.org> | ||
44 | 3 | Date: Sat, 15 Jul 2023 17:20:32 +0200 | ||
45 | 4 | Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities | ||
46 | 5 | response level 2 | ||
47 | 6 | |||
48 | 7 | We don't have any documentation about this yet, but tests against | ||
49 | 8 | a Windows Server 2022 patched with KB5028166 revealed that | ||
50 | 9 | the response for query_level=2 is exactly the same as | ||
51 | 10 | for querey_level=1. | ||
52 | 11 | |||
53 | 12 | Until we know the reason for query_level=2 we won't | ||
54 | 13 | use it as client nor support it in the server, but | ||
55 | 14 | we want ndrdump to work. | ||
56 | 15 | |||
57 | 16 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 | ||
58 | 17 | |||
59 | 18 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | ||
60 | 19 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | ||
61 | 20 | (cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e) | ||
62 | 21 | --- | ||
63 | 22 | librpc/idl/netlogon.idl | 1 + | ||
64 | 23 | 1 file changed, 1 insertion(+) | ||
65 | 24 | |||
66 | 25 | Ubuntu patch note: removed the parts that changed the upstream test suite | ||
67 | 26 | |||
68 | 27 | Origin: backport, https://bugzilla.samba.org/attachment.cgi?id=17987 | ||
69 | 28 | Bug: https://bugzilla.samba.org/show_bug.cgi?id=15418 | ||
70 | 29 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716 | ||
71 | 30 | Last-Update: 2023-07-17 | ||
72 | 31 | |||
73 | 32 | diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl | ||
74 | 33 | index d956a661fff7..b51767136d3c 100644 | ||
75 | 34 | --- a/librpc/idl/netlogon.idl | ||
76 | 35 | +++ b/librpc/idl/netlogon.idl | ||
77 | 36 | @@ -1241,6 +1241,7 @@ interface netlogon | ||
78 | 37 | /* Function 0x15 */ | ||
79 | 38 | typedef [switch_type(uint32)] union { | ||
80 | 39 | [case(1)] netr_NegotiateFlags server_capabilities; | ||
81 | 40 | + [case(2)] netr_NegotiateFlags server_capabilities; | ||
82 | 41 | } netr_Capabilities; | ||
83 | 42 | |||
84 | 43 | NTSTATUS netr_LogonGetCapabilities( | ||
85 | 44 | -- | ||
86 | 45 | 2.34.1 | ||
87 | 46 | |||
88 | 47 | |||
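Review bot: The added [case(2)] arm of netr_Capabilities carries no comment, so the IDL on its own gives no hint that level 2 is undocumented and is present only so that ndrdump can decode it. The commit message says exactly that; a short comment above the arm pointing at bug 15418 would keep the reasoning next to the definition. On the packaging side, the DEP-3 fields (Origin, Bug, Bug-Ubuntu, Last-Update) sit inside the body of the first of three concatenated patches, and the subjects go from PATCH 1/4 to PATCH 3/4; the "Ubuntu patch note" line should say why 2/4 is absent.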
89 | 48 | From fa71e7b4b027dc8224fda7125f1faaefa4e71eae Mon Sep 17 00:00:00 2001 | ||
90 | 49 | From: Stefan Metzmacher <metze@samba.org> | ||
91 | 50 | Date: Sat, 15 Jul 2023 16:11:48 +0200 | ||
92 | 51 | Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for | ||
93 | 52 | invalid netr_LogonGetCapabilities levels | ||
94 | 53 | |||
95 | 54 | This is important as Windows clients with KB5028166 seem to | ||
96 | 55 | call netr_LogonGetCapabilities with query_level=2 after | ||
97 | 56 | a call with query_level=1. | ||
98 | 57 | |||
99 | 58 | An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG | ||
100 | 59 | for query_level values other than 1. | ||
101 | 60 | While Samba tries to return NT_STATUS_NOT_SUPPORTED, but | ||
102 | 61 | later fails to marshall the response, which results | ||
103 | 62 | in DCERPC_FAULT_BAD_STUB_DATA instead. | ||
104 | 63 | |||
105 | 64 | Because we don't have any documentation for level 2 yet, | ||
106 | 65 | we just try to behave like an unpatched server and | ||
107 | 66 | generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of | ||
108 | 67 | DCERPC_FAULT_BAD_STUB_DATA. | ||
109 | 68 | Which allows patched Windows clients to keep working | ||
110 | 69 | against a Samba DC. | ||
111 | 70 | |||
112 | 71 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 | ||
113 | 72 | |||
114 | 73 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | ||
115 | 74 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | ||
116 | 75 | (cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518) | ||
117 | 76 | --- | ||
118 | 77 | .../knownfail.d/netr_LogonGetCapabilities | 2 -- | ||
119 | 78 | source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++--- | ||
120 | 79 | 2 files changed, 24 insertions(+), 6 deletions(-) | ||
121 | 80 | |||
122 | 81 | diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c | ||
123 | 82 | index 6a3e044eb9da..26be4f567513 100644 | ||
124 | 83 | --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c | ||
125 | 84 | +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c | ||
126 | 85 | @@ -2399,6 +2399,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c | ||
127 | 86 | struct netlogon_creds_CredentialState *creds; | ||
128 | 87 | NTSTATUS status; | ||
129 | 88 | |||
130 | 89 | + switch (r->in.query_level) { | ||
131 | 90 | + case 1: | ||
132 | 91 | + break; | ||
133 | 92 | + case 2: | ||
134 | 93 | + /* | ||
135 | 94 | + * Until we know the details behind KB5028166 | ||
136 | 95 | + * just return DCERPC_NCA_S_FAULT_INVALID_TAG | ||
137 | 96 | + * like an unpatched Windows Server. | ||
138 | 97 | + */ | ||
139 | 98 | + FALL_THROUGH; | ||
140 | 99 | + default: | ||
141 | 100 | + /* | ||
142 | 101 | + * There would not be a way to marshall the | ||
143 | 102 | + * the response. Which would mean our final | ||
144 | 103 | + * ndr_push would fail an we would return | ||
145 | 104 | + * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. | ||
146 | 105 | + * | ||
147 | 106 | + * But it's important to match a Windows server | ||
148 | 107 | + * especially before KB5028166, see also our bug #15418 | ||
149 | 108 | + * Otherwise Windows client would stop talking to us. | ||
150 | 109 | + */ | ||
151 | 110 | + DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG); | ||
152 | 111 | + } | ||
153 | 112 | + | ||
154 | 113 | status = dcesrv_netr_creds_server_step_check(dce_call, | ||
155 | 114 | mem_ctx, | ||
156 | 115 | r->in.computer_name, | ||
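Review bot: The new switch on r->in.query_level sits above dcesrv_netr_creds_server_step_check(), so a caller asking for level 2 or any other unsupported level now receives DCERPC_NCA_S_FAULT_INVALID_TAG before its authenticator is checked, whereas the test removed in the next hunk ran after that check. The comment explains why the fault code has to match a Windows server but not why the level check moved ahead of credential validation; a sentence stating that the ordering is intentional would help the next reader. Two typos in the default-case comment: "the the response" and "an we would".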
157 | 116 | @@ -2410,10 +2434,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c | ||
158 | 117 | } | ||
159 | 118 | NT_STATUS_NOT_OK_RETURN(status); | ||
160 | 119 | |||
161 | 120 | - if (r->in.query_level != 1) { | ||
162 | 121 | - return NT_STATUS_NOT_SUPPORTED; | ||
163 | 122 | - } | ||
164 | 123 | - | ||
165 | 124 | r->out.capabilities->server_capabilities = creds->negotiate_flags; | ||
166 | 125 | |||
167 | 126 | return NT_STATUS_OK; | ||
168 | 127 | -- | ||
169 | 128 | 2.34.1 | ||
170 | 129 | |||
171 | 130 | |||
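Review bot: The diffstat in this patch's header no longer matches its contents: it still lists knownfail.d/netr_LogonGetCapabilities and "2 files changed, 24 insertions(+), 6 deletions(-)", but only the two dcerpc_netlogon.c hunks remain. The same applies to the following patch, whose header keeps "delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities" with no such deletion in the body. Either refresh the diffstats or extend the "Ubuntu patch note" to say they are left as upstream wrote them.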
172 | 131 | From 05f110e1a4d4b38bfbaaa3a92fda7a9127b3b456 Mon Sep 17 00:00:00 2001 | ||
173 | 132 | From: Stefan Metzmacher <metze@samba.org> | ||
174 | 133 | Date: Sat, 15 Jul 2023 16:11:48 +0200 | ||
175 | 134 | Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for | ||
176 | 135 | invalid netr_LogonGetCapabilities levels | ||
177 | 136 | |||
178 | 137 | This is important as Windows clients with KB5028166 seem to | ||
179 | 138 | call netr_LogonGetCapabilities with query_level=2 after | ||
180 | 139 | a call with query_level=1. | ||
181 | 140 | |||
182 | 141 | An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG | ||
183 | 142 | for query_level values other than 1. | ||
184 | 143 | While Samba tries to return NT_STATUS_NOT_SUPPORTED, but | ||
185 | 144 | later fails to marshall the response, which results | ||
186 | 145 | in DCERPC_FAULT_BAD_STUB_DATA instead. | ||
187 | 146 | |||
188 | 147 | Because we don't have any documentation for level 2 yet, | ||
189 | 148 | we just try to behave like an unpatched server and | ||
190 | 149 | generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of | ||
191 | 150 | DCERPC_FAULT_BAD_STUB_DATA. | ||
192 | 151 | Which allows patched Windows clients to keep working | ||
193 | 152 | against a Samba DC. | ||
194 | 153 | |||
195 | 154 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 | ||
196 | 155 | |||
197 | 156 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | ||
198 | 157 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | ||
199 | 158 | |||
200 | 159 | Autobuild-User(master): Stefan Metzmacher <metze@samba.org> | ||
201 | 160 | Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 | ||
202 | 161 | |||
203 | 162 | (cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9) | ||
204 | 163 | --- | ||
205 | 164 | .../knownfail.d/netr_LogonGetCapabilities | 1 - | ||
206 | 165 | source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++--- | ||
207 | 166 | 2 files changed, 25 insertions(+), 5 deletions(-) | ||
208 | 167 | delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities | ||
209 | 168 | |||
210 | 169 | diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c | ||
211 | 170 | index 5906464a9f3..35433ec6781 100644 | ||
212 | 171 | --- a/source3/rpc_server/netlogon/srv_netlog_nt.c | ||
213 | 172 | +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c | ||
214 | 173 | @@ -2421,6 +2421,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, | ||
215 | 174 | struct netlogon_creds_CredentialState *creds; | ||
216 | 175 | NTSTATUS status; | ||
217 | 176 | |||
218 | 177 | + switch (r->in.query_level) { | ||
219 | 178 | + case 1: | ||
220 | 179 | + break; | ||
221 | 180 | + case 2: | ||
222 | 181 | + /* | ||
223 | 182 | + * Until we know the details behind KB5028166 | ||
224 | 183 | + * just return DCERPC_NCA_S_FAULT_INVALID_TAG | ||
225 | 184 | + * like an unpatched Windows Server. | ||
226 | 185 | + */ | ||
227 | 186 | + FALL_THROUGH; | ||
228 | 187 | + default: | ||
229 | 188 | + /* | ||
230 | 189 | + * There would not be a way to marshall the | ||
231 | 190 | + * the response. Which would mean our final | ||
232 | 191 | + * ndr_push would fail an we would return | ||
233 | 192 | + * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. | ||
234 | 193 | + * | ||
235 | 194 | + * But it's important to match a Windows server | ||
236 | 195 | + * especially before KB5028166, see also our bug #15418 | ||
237 | 196 | + * Otherwise Windows client would stop talking to us. | ||
238 | 197 | + */ | ||
239 | 198 | + p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; | ||
240 | 199 | + return NT_STATUS_NOT_SUPPORTED; | ||
241 | 200 | + } | ||
242 | 201 | + | ||
243 | 202 | become_root(); | ||
244 | 203 | status = netr_creds_server_step_check(p, p->mem_ctx, | ||
245 | 204 | r->in.computer_name, | ||
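Review bot: In the default case this handler sets p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG and then returns NT_STATUS_NOT_SUPPORTED, while the source4 handler uses DCESRV_FAULT() for the same condition, and the comment does not say that the fault rather than the returned status is what the client is meant to receive. A one-line comment on the return would stop a later cleanup from reducing this to a plain NT_STATUS_NOT_SUPPORTED return, which the commit message identifies as the path that ends in DCERPC_FAULT_BAD_STUB_DATA. Placing the switch before become_root() is the right call, since the early return then has no privilege state to undo.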
246 | 205 | @@ -2432,10 +2457,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, | ||
247 | 206 | return status; | ||
248 | 207 | } | ||
249 | 208 | |||
250 | 209 | - if (r->in.query_level != 1) { | ||
251 | 210 | - return NT_STATUS_NOT_SUPPORTED; | ||
252 | 211 | - } | ||
253 | 212 | - | ||
254 | 213 | r->out.capabilities->server_capabilities = creds->negotiate_flags; | ||
255 | 214 | |||
256 | 215 | return NT_STATUS_OK; | ||
257 | diff --git a/debian/patches/series b/debian/patches/series | |||
258 | index 54984e0..be2f88c 100644 | |||
259 | --- a/debian/patches/series | |||
260 | +++ b/debian/patches/series | |||
261 | @@ -66,3 +66,4 @@ CVE-2023-34968-09.patch | |||
262 | 66 | CVE-2023-34968-10.patch | 66 | CVE-2023-34968-10.patch |
263 | 67 | CVE-2023-34968-11.patch | 67 | CVE-2023-34968-11.patch |
264 | 68 | CVE-2023-34968-12.patch | 68 | CVE-2023-34968-12.patch |
265 | 69 | secure-channel-faulty-kb5028166.patch | ||
266 | diff --git a/debian/tests/control b/debian/tests/control | |||
267 | index efc23b7..5e1cd04 100644 | |||
268 | --- a/debian/tests/control | |||
269 | +++ b/debian/tests/control | |||
270 | @@ -20,3 +20,7 @@ Restrictions: needs-root, allow-stderr, isolation-container | |||
271 | 20 | Tests: reinstall-samba-common-bin | 20 | Tests: reinstall-samba-common-bin |
272 | 21 | Depends: samba-common, samba-common-bin | 21 | Depends: samba-common, samba-common-bin |
273 | 22 | Restrictions: needs-root, needs-reboot, isolation-machine, allow-stderr | 22 | Restrictions: needs-root, needs-reboot, isolation-machine, allow-stderr |
274 | 23 | |||
275 | 24 | Tests: samba-ad-dc-provisioning-internal-dns | ||
276 | 25 | Depends: samba, samba-dsdb-modules, samba-vfs-modules, winbind, smbclient, krb5-user, bind9-dnsutils, lxd | snapd, lsb-release, dctrl-tools | ||
277 | 26 | Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed | ||
278 | diff --git a/debian/tests/samba-ad-dc-provisioning-internal-dns b/debian/tests/samba-ad-dc-provisioning-internal-dns | |||
279 | 23 | new file mode 100755 | 27 | new file mode 100755 |
280 | index 0000000..f84372c | |||
281 | --- /dev/null | |||
282 | +++ b/debian/tests/samba-ad-dc-provisioning-internal-dns | |||
283 | @@ -0,0 +1,408 @@ | |||
284 | 1 | #!/bin/bash | ||
285 | 2 | |||
286 | 3 | set -e | ||
287 | 4 | set -o pipefail | ||
288 | 5 | |||
289 | 6 | source debian/tests/util | ||
290 | 7 | |||
291 | 8 | declare -r domain="EXAMPLE" | ||
292 | 9 | declare -r realm="EXAMPLE.FAKE" | ||
293 | 10 | declare -r adminpass="Passw0rd" | ||
294 | 11 | declare -r test_user="test_user_${RANDOM}" | ||
295 | 12 | declare -r test_pw="test_user_secret_${RANDOM}" | ||
296 | 13 | declare -A user_pass | ||
297 | 14 | user_pass[Administrator]="${adminpass}" | ||
298 | 15 | user_pass[${test_user}]="${test_pw}" | ||
299 | 16 | declare -A join_method_deps | ||
300 | 17 | # Minimum set of deps: let realmd install the extra dependencies | ||
301 | 18 | # as needed, depending on the join method. | ||
302 | 19 | # sssd-dbus is needed by the sssctl tool, and is not installed automatically | ||
303 | 20 | # via deps in focal | ||
304 | 21 | join_method_deps[realmd_sssd]="realmd krb5-user smbclient sssd-dbus" | ||
305 | 22 | # libnss-winbind needs to be explicitly listed because realmd only started | ||
306 | 23 | # installing it in version 0.17.0, that's >= focal | ||
307 | 24 | join_method_deps[realmd_winbind]="realmd krb5-user smbclient libnss-winbind" | ||
308 | 25 | |||
309 | 26 | |||
310 | 27 | cleanup() { | ||
311 | 28 | rc=$? | ||
312 | 29 | set +e # so we don't exit midcleanup | ||
313 | 30 | if [ ${rc} -ne 0 ]; then | ||
314 | 31 | echo "## Something failed, gathering logs" | ||
315 | 32 | echo | ||
316 | 33 | echo "## smb.conf" | ||
317 | 34 | cat /etc/samba/smb.conf | ||
318 | 35 | echo | ||
319 | 36 | echo "## resolv.conf" | ||
320 | 37 | cat /etc/resolv.conf | ||
321 | 38 | echo | ||
322 | 39 | echo "## resolvectl status" | ||
323 | 40 | resolvectl status | ||
324 | 41 | echo "## journal for samba-ad-dc.service" | ||
325 | 42 | journalctl -u samba-ad-dc.service --lines 500 | ||
326 | 43 | echo | ||
327 | 44 | for log in /var/log/samba/log.*; do | ||
328 | 45 | # skip compressed logrotated files | ||
329 | 46 | if [ "${log%.gz}" != "${log}" ]; then | ||
330 | 47 | continue | ||
331 | 48 | fi | ||
332 | 49 | [ -s "${log}" ] || continue | ||
333 | 50 | echo "## $(basename ${log}):" | ||
334 | 51 | tail -n 500 "${log}" | ||
335 | 52 | echo | ||
336 | 53 | done | ||
337 | 54 | echo "## syslog" | ||
338 | 55 | tail -n 500 /var/log/syslog | ||
339 | 56 | fi | ||
340 | 57 | } | ||
341 | 58 | |||
342 | 59 | trap cleanup EXIT | ||
343 | 60 | |||
344 | 61 | assert_testparm() { | ||
345 | 62 | local parameter="${1}" | ||
346 | 63 | local expected_value="${2}" | ||
347 | 64 | local current_value="" | ||
348 | 65 | local -i retval=0 | ||
349 | 66 | |||
350 | 67 | echo -n "Asserting ${parameter} is ${expected_value}: " | ||
351 | 68 | current_value=$(testparm -s --parameter-name "${parameter}" 2>/dev/null) || { | ||
352 | 69 | retval=$? | ||
353 | 70 | echo "FAIL" | ||
354 | 71 | return ${retval} | ||
355 | 72 | } | ||
356 | 73 | if [ "${current_value}" = "${expected_value}" ]; then | ||
357 | 74 | echo "OK" | ||
358 | 75 | return 0 | ||
359 | 76 | else | ||
360 | 77 | echo "FAIL" | ||
361 | 78 | return 1 | ||
362 | 79 | fi | ||
363 | 80 | } | ||
364 | 81 | |||
365 | 82 | basic_config_tests() { | ||
366 | 83 | echo "## Basic config tests" | ||
367 | 84 | testparm -s > /dev/null | ||
368 | 85 | assert_testparm "realm" "${realm}" | ||
369 | 86 | assert_testparm "workgroup" "${domain}" | ||
370 | 87 | assert_testparm "server role" "active directory domain controller" | ||
371 | 88 | echo | ||
372 | 89 | } | ||
373 | 90 | |||
374 | 91 | dns_tests() { | ||
375 | 92 | echo "## DNS tests" | ||
376 | 93 | echo "Obtaining administrator kerberos ticket" | ||
377 | 94 | echo "${adminpass}" | timeout --verbose 30 kinit Administrator | ||
378 | 95 | echo | ||
379 | 96 | echo "Querying server info" | ||
380 | 97 | samba-tool dns serverinfo "$(hostname)" | ||
381 | 98 | echo | ||
382 | 99 | echo "Checking we got a service ticket of type host/" | ||
383 | 100 | klist | grep -i "host/$(hostname)" | ||
384 | 101 | echo | ||
385 | 102 | echo "Checking specific DNS records" | ||
386 | 103 | for srv in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do | ||
387 | 104 | echo -n "${srv}.${realm,,}: " | ||
388 | 105 | dig @localhost +short -t SRV ${srv}.${realm,,} | ||
389 | 106 | echo | ||
390 | 107 | done | ||
391 | 108 | echo | ||
392 | 109 | echo -n "Checking that our hostname \"$(hostname)\" is in DNS: " | ||
393 | 110 | myip=$(dig @localhost +short -t A "$(hostname).${realm,,}") | ||
394 | 111 | echo "${myip}" | ||
395 | 112 | echo | ||
396 | 113 | } | ||
397 | 114 | |||
398 | 115 | user_creation_tests() { | ||
399 | 116 | echo "## User creation tests" | ||
400 | 117 | samba-tool domain passwordsettings set --complexity=off | ||
401 | 118 | echo "Creating user \"${test_user}\" with password ${test_pw}" | ||
402 | 119 | samba-tool user add "${test_user}" "${test_pw}" | ||
403 | 120 | echo | ||
404 | 121 | echo "Attempting to obtain kerberos ticket for user \"${test_user}\"" | ||
405 | 122 | # just in case it ends up waiting at a prompt, we use "timeout" | ||
406 | 123 | echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}" | ||
407 | 124 | echo "Ticket obtained" | ||
408 | 125 | klist | ||
409 | 126 | echo | ||
410 | 127 | } | ||
411 | 128 | |||
412 | 129 | smbclient_tests() { | ||
413 | 130 | echo "## smbclient tests" | ||
414 | 131 | kdestroy || : | ||
415 | 132 | echo | ||
416 | 133 | echo "Obtaining a TGT for ${test_user}" | ||
417 | 134 | echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}" | ||
418 | 135 | klist | grep krbtgt | ||
419 | 136 | echo | ||
420 | 137 | echo "Attempting password-less authentication with smbclient" | ||
421 | 138 | echo | ||
422 | 139 | echo "Listing shares" | ||
423 | 140 | smbclient -L "$(hostname)" --use-kerberos=required -k | ||
424 | 141 | echo | ||
425 | 142 | echo "Listing the sysvol share" | ||
426 | 143 | smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls" | ||
427 | 144 | echo | ||
428 | 145 | echo "Listing policies" | ||
429 | 146 | # lowercase the ${realm} | ||
430 | 147 | smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls ${realm,,}/Policies/*" | ||
431 | 148 | echo | ||
432 | 149 | echo "Checking that we have a ticket for the cifs service after all these commands" | ||
433 | 150 | klist | grep cifs/ | ||
434 | 151 | echo | ||
435 | 152 | } | ||
436 | 153 | |||
437 | 154 | server_join_tests() { | ||
438 | 155 | local member_server | ||
439 | 156 | # the join methods are the keys of the join_method_deps dict | ||
440 | 157 | local -a methods=("${!join_method_deps[@]}") | ||
441 | 158 | local member_server="member-server" | ||
442 | 159 | |||
443 | 160 | echo "## Server join tests" | ||
444 | 161 | echo "## Initializing lxd" | ||
445 | 162 | setup_lxd "${realm,,}" | ||
446 | 163 | |||
447 | 164 | for method in "${methods[@]}"; do | ||
448 | 165 | echo "## Setting up member server to join a domain using method ${method}" | ||
449 | 166 | setup_member_server "${member_server}" "${method}" | ||
450 | 167 | echo "## Joining domain with method ${method}" | ||
451 | 168 | join_domain "${member_server}" "${method}" | ||
452 | 169 | echo | ||
453 | 170 | echo "## Verifying join with method ${method}" | ||
454 | 171 | verify_join "${member_server}" "${method}" | ||
455 | 172 | echo | ||
456 | 173 | echo "## Leaving domain with method ${method}" | ||
457 | 174 | leave_domain "${member_server}" "${method}" | ||
458 | 175 | echo | ||
459 | 176 | echo "## Destroying member server" | ||
460 | 177 | lxc delete --force "${member_server}" | ||
461 | 178 | done | ||
462 | 179 | } | ||
463 | 180 | |||
464 | 181 | setup_member_server() { | ||
465 | 182 | local container_name="${1}" | ||
466 | 183 | local method="${2}" | ||
467 | 184 | local release | ||
468 | 185 | |||
469 | 186 | release="$(lsb_release -cs)" | ||
470 | 187 | if [ -z "${join_method_deps[${method}]}" ]; then | ||
471 | 188 | echo "## INTERNAL ERROR, invalid join method: ${method}" | ||
472 | 189 | return 1 | ||
473 | 190 | fi | ||
474 | 191 | echo "## Got test dependencies: ${join_method_deps[${method}]}" | ||
475 | 192 | # can't use cloud-init here to install packages, because we first need to | ||
476 | 193 | # sync the apt config from the host to the container | ||
477 | 194 | echo "## Launching ${release} container" | ||
478 | 195 | lxc launch "ubuntu-daily:${release}" "${container_name}" -q | ||
479 | 196 | wait_container_ready "${container_name}" | ||
480 | 197 | send_apt_config "${container_name}" | ||
481 | 198 | copy_local_apt_files "${container_name}" | ||
482 | 199 | echo "## Installing dependencies in test container" | ||
483 | 200 | install_packages_in_container "${container_name}" ${join_method_deps[${method}]} | ||
484 | 201 | } | ||
485 | 202 | |||
486 | 203 | join_domain_realmd_winbind() { | ||
487 | 204 | local server="${1}" | ||
488 | 205 | local discover_cmd="realm discover -v --membership-software=samba --client-software=winbind ${realm,,}" | ||
489 | 206 | local join_cmd="realm join -v --membership-software=samba --client-software=winbind ${realm,,}" | ||
490 | 207 | |||
491 | 208 | echo "## Domain information" | ||
492 | 209 | lxc exec "${server}" -- ${discover_cmd} | ||
493 | 210 | echo | ||
494 | 211 | echo "## Running join command: ${join_cmd}" | ||
495 | 212 | echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd} | ||
496 | 213 | # LP: #1980246 | ||
497 | 214 | # So far, only lunar and later automatically add winbind to /etc/nsswitch.conf. | ||
498 | 215 | lxc exec "${server}" -- sed -r -i \ | ||
499 | 216 | -e '/^(passwd|group):.*[[:space:]]winbind\b/b' \ | ||
500 | 217 | -e 's/^(passwd|group):.*/& winbind/' \ | ||
501 | 218 | /etc/nsswitch.conf | ||
502 | 219 | } | ||
503 | 220 | |||
504 | 221 | verify_join_realmd_winbind() { | ||
505 | 222 | local server="${1}" | ||
506 | 223 | local member_domain | ||
507 | 224 | |||
508 | 225 | echo -n "## Verifying member server joined domain name: " | ||
509 | 226 | member_domain=$(lxc exec "${server}" -- wbinfo --own-domain) | ||
510 | 227 | echo "${member_domain}" | ||
511 | 228 | if [ "${member_domain}" != "${domain}" ]; then | ||
512 | 229 | echo "ERROR: expected member server domain to match the joined domain:" | ||
513 | 230 | echo "member server domain: ${member_domain}" | ||
514 | 231 | echo "AD domain: ${domain}" | ||
515 | 232 | return 1 | ||
516 | 233 | fi | ||
517 | 234 | echo | ||
518 | 235 | # we just want to see the output, not parse it | ||
519 | 236 | echo "## Domain status in member server" | ||
520 | 237 | lxc exec "${server}" -- wbinfo --domain-info "${member_domain}" | ||
521 | 238 | echo | ||
522 | 239 | echo "## User status in member server" | ||
523 | 240 | for u in "${!user_pass[@]}"; do | ||
524 | 241 | echo "## User \"${u}@${realm}\" information:" | ||
525 | 242 | lxc exec "${server}" -- wbinfo --user-info "${u}@${realm}" | ||
526 | 243 | echo | ||
527 | 244 | echo "## id ${u}@${realm}" | ||
528 | 245 | lxc exec "${server}" -- id ${u}@${realm} | ||
529 | 246 | echo | ||
530 | 247 | echo "## kinit authentication check for user \"${u}@${realm}\" inside member server" | ||
531 | 248 | echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}" | ||
532 | 249 | lxc exec "${server}" -- klist | ||
533 | 250 | echo | ||
534 | 251 | echo "## Listing shares with the obtained kerberos ticket" | ||
535 | 252 | lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k | ||
536 | 253 | lxc exec "${server}" -- kdestroy | ||
537 | 254 | echo | ||
538 | 255 | echo "## wbinfo authentication check for user \"${u}@${realm}\" inside member server" | ||
539 | 256 | # non-interactive format for username is user%password | ||
540 | 257 | lxc exec "${server}" -- wbinfo --authenticate="${u}@${realm}%${user_pass[${u}]}" | ||
541 | 258 | echo | ||
542 | 259 | echo "## wbinfo kerberos authentication check for user \"${u}@${realm}\" inside member server" | ||
543 | 260 | lxc exec "${server}" -- wbinfo --krb5auth="${u}@${realm}%${user_pass[${u}]}" | ||
544 | 261 | echo | ||
545 | 262 | echo "## Listing shares with the obtained kerberos ticket" | ||
546 | 263 | lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k | ||
547 | 264 | lxc exec "${server}" -- kdestroy | ||
548 | 265 | done | ||
549 | 266 | } | ||
550 | 267 | |||
551 | 268 | leave_domain_realmd_winbind() { | ||
552 | 269 | local server="${1}" | ||
553 | 270 | local leave_cmd="realm leave -v --remove --client-software=winbind" | ||
554 | 271 | |||
555 | 272 | echo "## Running leave command: ${leave_cmd}" | ||
556 | 273 | echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd} | ||
557 | 274 | } | ||
558 | 275 | |||
559 | 276 | join_domain_realmd_sssd() { | ||
560 | 277 | local server="${1}" | ||
561 | 278 | local discover_cmd="realm discover -v --membership-software=adcli --client-software=sssd ${realm,,}" | ||
562 | 279 | local join_cmd="realm join -v --membership-software=adcli --client-software=sssd ${realm,,}" | ||
563 | 280 | |||
564 | 281 | echo "## Domain information" | ||
565 | 282 | lxc exec "${server}" -- ${discover_cmd} | ||
566 | 283 | echo | ||
567 | 284 | echo "## Running join command: ${join_cmd}" | ||
568 | 285 | echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd} | ||
569 | 286 | echo | ||
570 | 287 | } | ||
571 | 288 | |||
572 | 289 | verify_join_realmd_sssd() { | ||
573 | 290 | local server="${1}" | ||
574 | 291 | local samba_domain | ||
575 | 292 | |||
576 | 293 | echo -n "## Verifying member server joined domain name: " | ||
577 | 294 | samba_domain=$(lxc exec "${server}" -- sssctl domain-list) | ||
578 | 295 | echo "${samba_domain}" | ||
579 | 296 | if [ "${samba_domain}" != "${realm,,}" ]; then | ||
580 | 297 | echo "ERROR: expected member server domain to match the joined domain:" | ||
581 | 298 | echo "member server domain: ${samba_domain}" | ||
582 | 299 | echo "AD domain: ${realm,,}" | ||
583 | 300 | return 1 | ||
584 | 301 | fi | ||
585 | 302 | echo | ||
586 | 303 | # we just want to see the output, not parse it | ||
587 | 304 | echo "## Domain status in member server" | ||
588 | 305 | lxc exec "${server}" -- sssctl domain-status "${realm}" | ||
589 | 306 | echo | ||
590 | 307 | echo "## User status in member server" | ||
591 | 308 | for u in "${!user_pass[@]}"; do | ||
592 | 309 | echo "## User \"${u}@${realm}\" information:" | ||
593 | 310 | lxc exec "${server}" -- sssctl user-checks "${u}@${realm}" | ||
594 | 311 | echo | ||
595 | 312 | echo "## id ${u}@${realm}" | ||
596 | 313 | lxc exec "${server}" -- id "${u}@${realm}" | ||
597 | 314 | echo | ||
598 | 315 | echo "## kinit authentication check for user \"${u}@${realm}\" inside member server" | ||
599 | 316 | echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}" | ||
600 | 317 | lxc exec "${server}" -- klist | ||
601 | 318 | echo | ||
602 | 319 | echo "## Listing shares with the obtained kerberos ticket" | ||
603 | 320 | lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k | ||
604 | 321 | lxc exec "${server}" -- kdestroy | ||
605 | 322 | done | ||
606 | 323 | } | ||
607 | 324 | |||
608 | 325 | leave_domain_realmd_sssd() { | ||
609 | 326 | local server="${1}" | ||
610 | 327 | local leave_cmd="realm leave -v --remove --client-software=sssd" | ||
611 | 328 | |||
612 | 329 | echo "## Running leave command: ${leave_cmd}" | ||
613 | 330 | echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd} | ||
614 | 331 | } | ||
615 | 332 | |||
616 | 333 | join_domain() { | ||
617 | 334 | local server="${1}" | ||
618 | 335 | local m="${2}" | ||
619 | 336 | |||
620 | 337 | join_domain_${m} "${server}" | ||
621 | 338 | } | ||
622 | 339 | |||
623 | 340 | verify_join() { | ||
624 | 341 | local server="${1}" | ||
625 | 342 | local m="${2}" | ||
626 | 343 | |||
627 | 344 | verify_join_${m} "${server}" | ||
628 | 345 | } | ||
629 | 346 | |||
630 | 347 | leave_domain() { | ||
631 | 348 | local server="${1}" | ||
632 | 349 | local m="${2}" | ||
633 | 350 | |||
634 | 351 | leave_domain_${m} "${server}" | ||
635 | 352 | } | ||
636 | 353 | |||
637 | 354 | systemctl stop smbd nmbd winbind | ||
638 | 355 | systemctl disable smbd nmbd winbind | ||
639 | 356 | systemctl mask smbd nmbd winbind | ||
640 | 357 | |||
641 | 358 | systemctl unmask samba-ad-dc | ||
642 | 359 | systemctl enable samba-ad-dc | ||
643 | 360 | |||
644 | 361 | if [ -f /etc/samba/smb.conf ]; then | ||
645 | 362 | mv /etc/samba/smb.conf{,.orig} | ||
646 | 363 | fi | ||
647 | 364 | |||
648 | 365 | # make sure we are starting fresh, as previous tests might left things around | ||
649 | 366 | |||
650 | 367 | rm -rf /var/lib/samba/* /var/cache/samba/* /run/samba/* | ||
651 | 368 | kdestroy || : | ||
652 | 369 | |||
653 | 370 | samba-tool domain provision \ | ||
654 | 371 | --domain="${domain}" \ | ||
655 | 372 | --realm="${realm}" \ | ||
656 | 373 | --adminpass="${adminpass}" \ | ||
657 | 374 | --server-role=dc \ | ||
658 | 375 | --use-rfc2307 \ | ||
659 | 376 | --dns-backend=SAMBA_INTERNAL | ||
660 | 377 | |||
661 | 378 | current_dns=$(resolvectl status | grep -E "^[[:blank:]]*Current DNS Server:" | awk '{print $4}') | ||
662 | 379 | |||
663 | 380 | if [ -n "${current_dns}" ]; then | ||
664 | 381 | echo "## Setting dns forwarder to ${current_dns} in smb.conf" | ||
665 | 382 | sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \ | ||
666 | 383 | /etc/samba/smb.conf | ||
667 | 384 | unlink /etc/resolv.conf | ||
668 | 385 | echo "nameserver 127.0.0.1" > /etc/resolv.conf | ||
669 | 386 | # lowercase substitution | ||
670 | 387 | echo "search ${realm,,}" >> /etc/resolv.conf | ||
671 | 388 | systemctl stop systemd-resolved | ||
672 | 389 | systemctl disable systemd-resolved | ||
673 | 390 | else | ||
674 | 391 | echo "## Warning, couldn't detect the current DNS server to use as forwarder in smb.conf" | ||
675 | 392 | echo "## resolvectl status:" | ||
676 | 393 | resolvectl status | ||
677 | 394 | echo "## Continuing, and hoping for the best" | ||
678 | 395 | fi | ||
679 | 396 | |||
680 | 397 | cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf | ||
681 | 398 | |||
682 | 399 | systemctl start samba-ad-dc | ||
683 | 400 | |||
684 | 401 | # give it some time, it's a lot of services to start | ||
685 | 402 | sleep 5s | ||
686 | 403 | |||
687 | 404 | basic_config_tests | ||
688 | 405 | dns_tests | ||
689 | 406 | user_creation_tests | ||
690 | 407 | smbclient_tests | ||
691 | 408 | server_join_tests | ||
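Review bot: `current_dns` (script line 378) collects every "Current DNS Server:" line that `resolvectl status` prints, so when more than one link reports a server the variable holds several newline-separated addresses, and the `sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns},"` that follows fails with an unterminated `s` command. Taking only the first match (for example by adding `| head -n1` to the pipeline) keeps the substitution well-formed. Two smaller points: `id ${u}@${realm}` in the winbind verification loop (script line 245) is unquoted while the sssd variant quotes it, and the fixed `sleep 5s` after `systemctl start samba-ad-dc` is a race on slow builders; polling until the service answers would be more reliable than a fixed delay.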
692 | diff --git a/debian/tests/util b/debian/tests/util | |||
693 | 0 | new file mode 100644 | 409 | new file mode 100644 |
694 | index 0000000..66ed247 | |||
695 | --- /dev/null | |||
696 | +++ b/debian/tests/util | |||
697 | @@ -0,0 +1,178 @@ | |||
698 | 1 | #!/bin/sh | ||
699 | 2 | |||
700 | 3 | # $1: share name | ||
701 | 4 | # $2: comma separated list of vfs_objects to use, if any | ||
702 | 5 | add_share() { | ||
703 | 6 | local share="$1" | ||
704 | 7 | local vfs="$2" | ||
705 | 8 | if ! testparm -s 2>&1 | grep -E "^\[${share}\]"; then | ||
706 | 9 | echo "Adding [${share}] share" | ||
707 | 10 | cat >> /etc/samba/smb.conf <<EOFEOF | ||
708 | 11 | [${share}] | ||
709 | 12 | read only = no | ||
710 | 13 | guest ok = no | ||
711 | 14 | path = /${share} | ||
712 | 15 | EOFEOF | ||
713 | 16 | if [ -n "${vfs}" ]; then | ||
714 | 17 | echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf | ||
715 | 18 | fi | ||
716 | 19 | systemctl reload smbd.service | ||
717 | 20 | else | ||
718 | 21 | echo "Share [${share}] already exists, continuing" | ||
719 | 22 | fi | ||
720 | 23 | } | ||
721 | 24 | |||
722 | 25 | # $1: username | ||
723 | 26 | # $2: password | ||
724 | 27 | add_user() { | ||
725 | 28 | local username="$1" | ||
726 | 29 | local password="$2" | ||
727 | 30 | |||
728 | 31 | echo "Creating a local and samba user called ${username}" | ||
729 | 32 | useradd -m "${username}" | ||
730 | 33 | echo "Setting samba password for the ${username} user" | ||
731 | 34 | (echo "${password}"; echo "${password}") | smbpasswd -s -a ${username} | ||
732 | 35 | } | ||
733 | 36 | |||
734 | 37 | # $1: share name | ||
735 | 38 | populate_share() { | ||
736 | 39 | local sharename="$1" | ||
737 | 40 | local usergroup="$2" | ||
738 | 41 | local sharepath="/${sharename}" | ||
739 | 42 | |||
740 | 43 | mkdir -p "${sharepath}" | ||
741 | 44 | dd if=/dev/urandom bs=4096 count=1000 2>/dev/null | base64 > "${sharepath}/data" | ||
742 | 45 | cd "${sharepath}" | ||
743 | 46 | md5sum data > data.md5 | ||
744 | 47 | chown -R "${usergroup}:${usergroup}" "${sharepath}" | ||
745 | 48 | } | ||
746 | 49 | |||
747 | 50 | |||
748 | 51 | # $1: kernel version in the form major.minor.patch | ||
749 | 52 | check_kernel_version() { | ||
750 | 53 | local k_ver=$1 | ||
751 | 54 | local k_major=$(echo ${k_ver} | cut -d . -f 1) | ||
752 | 55 | local k_minor=$(echo ${k_ver} | cut -d . -f 2) | ||
753 | 56 | |||
754 | 57 | # uring is supported starting with kernel 5.1.x | ||
755 | 58 | if [ ${k_major} -eq 5 ] && [ ${k_minor} -ge 1 ]; then | ||
756 | 59 | return 0 | ||
757 | 60 | elif [ ${k_major} -ge 6 ]; then | ||
758 | 61 | return 0 | ||
759 | 62 | else | ||
760 | 63 | return 1 | ||
761 | 64 | fi | ||
762 | 65 | } | ||
763 | 66 | |||
764 | 67 | wait_container_ready() { | ||
765 | 68 | local container="${1}" | ||
766 | 69 | local -i limit=120 # seconds | ||
767 | 70 | local -i i=0 | ||
768 | 71 | local -i result=0 | ||
769 | 72 | local ip | ||
770 | 73 | local output | ||
771 | 74 | |||
772 | 75 | while /bin/true; do | ||
773 | 76 | ip=$(lxc list "${container}" -c 4 --format=csv | tail -1 | awk '{print $1}') | ||
774 | 77 | if [ -n "${ip}" ]; then | ||
775 | 78 | break | ||
776 | 79 | fi | ||
777 | 80 | i=$((i+1)) | ||
778 | 81 | if [ ${i} -ge ${limit} ]; then | ||
779 | 82 | return 1 | ||
780 | 83 | fi | ||
781 | 84 | sleep 1s | ||
782 | 85 | echo -n "." | ||
783 | 86 | done | ||
784 | 87 | while ! nc -z "${ip}" 22; do | ||
785 | 88 | echo -n "." | ||
786 | 89 | i=$((i+1)) | ||
787 | 90 | if [ ${i} -ge ${limit} ]; then | ||
788 | 91 | return 1 | ||
789 | 92 | fi | ||
790 | 93 | sleep 1s | ||
791 | 94 | done | ||
792 | 95 | # cloud-init might still be doing things... | ||
793 | 96 | # this call blocks, so wrap it in its own little timeout | ||
794 | 97 | output=$(lxc exec "${container}" -- timeout --verbose $((limit-i)) cloud-init status --wait) || { | ||
795 | 98 | result=$? | ||
796 | 99 | echo "cloud-init status --wait failed on container ${container}" | ||
797 | 100 | echo "${output}" | ||
798 | 101 | return ${result} | ||
799 | 102 | } | ||
800 | 103 | echo | ||
801 | 104 | } | ||
802 | 105 | |||
803 | 106 | install_lxd() { | ||
804 | 107 | if ! command -v lxd > /dev/null 2>&1; then | ||
805 | 108 | # the test depends has "lxd | snapd", so if we don't have lxd, we must | ||
806 | 109 | # install the snap | ||
807 | 110 | snap list lxd > /dev/null 2>&1 || { | ||
808 | 111 | echo "Installing the LXD snap..." | ||
809 | 112 | snap install lxd | ||
810 | 113 | } | ||
811 | 114 | fi | ||
812 | 115 | } | ||
813 | 116 | |||
814 | 117 | setup_lxd() { | ||
815 | 118 | local dns_domain="${1}" | ||
816 | 119 | local nic | ||
817 | 120 | local dns_ip | ||
818 | 121 | |||
819 | 122 | install_lxd | ||
820 | 123 | # Stop samba while lxd is setup, to avoid conflicts on lxdbr0:53 | ||
821 | 124 | systemctl stop samba-ad-dc | ||
822 | 125 | lxd init --auto | ||
823 | 126 | lxd waitready --timeout 600 | ||
824 | 127 | # sample csv output. Columns are NAME,TYPE,MANAGED,DESCRIPTION,USED_BY | ||
825 | 128 | #enp1s0,physical,NO,,0 | ||
826 | 129 | #lxdbr0,bridge,YES,,1 | ||
827 | 130 | nic=$(lxc network list --format=csv | grep -E "bridge,YES,,1" | cut -d , -f 1) | ||
828 | 131 | dns_ip=$(lxc network info "${nic}" | grep -w inet | awk '{print $2}') | ||
829 | 132 | # port=0 effectively disables dnsmasq's DNS, so it doesn't conflict with samba's DNS | ||
830 | 133 | lxc network set "${nic:-lxdbr0}" ipv6.address=none dns.domain="${dns_domain}" raw.dnsmasq="$(echo -e port=0\\ndhcp-option=option:dns-server,${dns_ip})" | ||
831 | 134 | if [ -n "${http_proxy}" ]; then | ||
832 | 135 | lxc config set core.proxy_http "${http_proxy}" | ||
833 | 136 | fi | ||
834 | 137 | if [ -n "${https_proxy}" ]; then | ||
835 | 138 | lxc config set core.proxy_https "${https_proxy}" | ||
836 | 139 | fi | ||
837 | 140 | if [ -n "${noproxy}" ]; then | ||
838 | 141 | lxc config set core.proxy_ignore_hosts "${noproxy}" | ||
839 | 142 | fi | ||
840 | 143 | # the default of 64k is too low for, at least, ppc64el on focal | ||
841 | 144 | lxc profile set default limits.kernel.memlock 262144 | ||
842 | 145 | systemctl start samba-ad-dc | ||
843 | 146 | # give it some time, it's a lot of services to start | ||
844 | 147 | sleep 5s | ||
845 | 148 | } | ||
846 | 149 | |||
847 | 150 | # Copy the local apt package archive over to the lxd container. | ||
848 | 151 | copy_local_apt_files() { | ||
849 | 152 | local container_name="${1:-docker}" | ||
850 | 153 | |||
851 | 154 | for local_source in $(apt-get indextargets | grep-dctrl -F URI -e '^file:/' -sURI | awk '{print $2}'); do | ||
852 | 155 | local_source=${local_source#file:} | ||
853 | 156 | local_dir=$(dirname "${local_source}") | ||
854 | 157 | lxc exec "${container_name}" -- mkdir -p "${local_dir}" | ||
855 | 158 | tar -cC "${local_dir}" . | lxc exec "${container_name}" -- tar -xC "${local_dir}" | ||
856 | 159 | done | ||
857 | 160 | } | ||
858 | 161 | |||
859 | 162 | send_apt_config() { | ||
860 | 163 | echo "Copying over /etc/apt to container ${1}" | ||
861 | 164 | lxc exec "${1}" -- rm -rf /etc/apt | ||
862 | 165 | lxc exec "${1}" -- mkdir -p /etc/apt | ||
863 | 166 | tar -cC /etc/apt . | lxc exec "${1}" -- tar -xC /etc/apt | ||
864 | 167 | } | ||
865 | 168 | |||
866 | 169 | install_packages_in_container() { | ||
867 | 170 | local container="${1}" | ||
868 | 171 | shift | ||
869 | 172 | local packages="${*}" | ||
870 | 173 | |||
871 | 174 | echo "### Installing dependencies in member server container: ${packages}" | ||
872 | 175 | lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get update -q | ||
873 | 176 | lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y | ||
874 | 177 | lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y ${packages} | ||
875 | 178 | } |
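Review bot: In setup_lxd, `lxc network info "${nic}"` (line 131) uses `nic` directly while the next command falls back to `${nic:-lxdbr0}`, so if the `grep -E "bridge,YES,,1"` filter matches nothing (a bridge with a description, or a USED_BY count other than 1) `dns_ip` comes back empty and dnsmasq is handed `dhcp-option=option:dns-server,` with no address. Apply the fallback once, where `nic` is assigned, and return an error if `dns_ip` is empty. Also, the file starts with `#!/bin/sh` but relies on `local -i` and `echo -e`, which are bash features, so the shebang should name bash or a comment should state that the file is only sourced from bash scripts; and the comment above populate_share documents only `$1` although the function also reads `$2` as the owning user/group.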
Thanks for this MP Andreas! I found no issue in the packaging changes, but the autopkgtest execution against the package in your PPA has a failure in ppc64el:
- samba/2: 4.15.13+dfsg-0ubuntu0.20.04.4~ppa1 /autopkgtest.ubuntu.com/results/autopkgtest-focal-ahasenack-samba-kb5028166/focal/ppc64el/s/samba/20230720_180837_9f4b6@/log.gz /autopkgtest.ubuntu.com/results/autopkgtest-focal-ahasenack-samba-kb5028166/focal/ppc64el/s/samba/20230720_202115_59d84@/log.gz
+ ✅ samba on focal for amd64 @ 20.07.23 17:52:59
+ ✅ samba on focal for arm64 @ 20.07.23 18:34:00
+ ✅ samba on focal for armhf @ 20.07.23 17:56:16
+ ❌ samba on focal for ppc64el @ 20.07.23 18:08:37
• Status: FAIL
• Log: https:/
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s PASS 🟩
• 2064s FAIL 🟥
+ ❌ samba on focal for ppc64el @ 20.07.23 20:21:15
• Status: FAIL
• Log: https:/
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s PASS 🟩
• 1929s FAIL 🟥
+ ✅ samba on focal for s390x @ 21.07.23 17:35:21
I just re-triggered the test to make sure it is failing again:
* Running: samba-kb5028166 samba/2: 4.15.13+dfsg-0ubuntu0.20.04.4~ppa1
# time pkg release arch ppa trigger
- 530 samba focal ppc64el ahasenack/
Waiting for the results now.