Merge ~ahasenack/ubuntu/+source/samba:focal-samba-kb5028166-2027716 into ubuntu/+source/samba:ubuntu/focal-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: e3f13ab02ab932d6e0acb12b10f30dfad31df166
Proposed branch: ~ahasenack/ubuntu/+source/samba:focal-samba-kb5028166-2027716
Merge into: ubuntu/+source/samba:ubuntu/focal-devel
Diff against target: 875 lines (+833/-0)
6 files modified
debian/changelog (+27/-0)
debian/patches/secure-channel-faulty-kb5028166.patch (+215/-0)
debian/patches/series (+1/-0)
debian/tests/control (+4/-0)
debian/tests/samba-ad-dc-provisioning-internal-dns (+408/-0)
debian/tests/util (+178/-0)
Reviewer                    Review Type   Date Requested   Status
git-ubuntu bot                                             Approve
Lucas Kanashiro (community)                                Approve
Canonical Server Reporter                                  Pending
Review via email: mp+447460@code.launchpad.net

Description of the change

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kb5028166/

Bug fix for #2027716. SRU template is filled in, including a test case.

I split the patch into two commits: one that introduces the upstream patch, pristine, and another that removes the hunks that changed the upstream test suite. We don't run that test suite, and I think a smaller patch is easier to review, especially when comparing to the other Ubuntu releases, which needed a small backport change.

I tried to make incremental changes to this branch when compared to lunar, so it's easier to review. But range-diff is still a bit noisy, especially because focal did not have d/t/util.

The DEP8 test needed even more tweaking for focal, and I tried to keep the differences as additional commits.

DEP8 is green. It doesn't exercise this bug in particular, but does exercise a domain join with linux<->linux, which is a good regression test.

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for this MP, Andreas! I found no issue in the packaging changes, but the autopkgtest execution against the package in your PPA has a failure in ppc64el:

  - samba/2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa1
    + ✅ samba on focal for amd64 @ 20.07.23 17:52:59
    + ✅ samba on focal for arm64 @ 20.07.23 18:34:00
    + ✅ samba on focal for armhf @ 20.07.23 17:56:16
    + ❌ samba on focal for ppc64el @ 20.07.23 18:08:37
      • Status: FAIL
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-focal-ahasenack-samba-kb5028166/focal/ppc64el/s/samba/20230720_180837_9f4b6@/log.gz
      • 2064s PASS 🟩
      • 2064s PASS 🟩
      • 2064s PASS 🟩
      • 2064s PASS 🟩
      • 2064s PASS 🟩
      • 2064s PASS 🟩
      • 2064s FAIL 🟥
    + ❌ samba on focal for ppc64el @ 20.07.23 20:21:15
      • Status: FAIL
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-focal-ahasenack-samba-kb5028166/focal/ppc64el/s/samba/20230720_202115_59d84@/log.gz
      • 1929s PASS 🟩
      • 1929s PASS 🟩
      • 1929s PASS 🟩
      • 1929s PASS 🟩
      • 1929s PASS 🟩
      • 1929s PASS 🟩
      • 1929s FAIL 🟥
    + ✅ samba on focal for s390x @ 21.07.23 17:35:21

I just re-triggered the test to make sure it is failing again:

* Running:
  # time pkg release arch ppa trigger
  - 530 samba focal ppc64el ahasenack/samba-kb5028166 samba/2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa1

Waiting for the results now.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks. I don't know why it failed: all of the previous, complicated checks passed, even the kerberos ones, and it failed close to the end:

1927s ## wbinfo kerberos authentication check for user "<email address hidden>" inside member server
1927s plaintext kerberos password authentication for [<email address hidden>] failed (requesting cctype: FILE)
1927s Could not authenticate user [<email address hidden>%Passw0rd] with Kerberos (ccache: FILE)
1927s ## Something failed, gathering logs

Let's see what the new run brings.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

It failed again, let me see if I can get a ppc64el machine to poke around it...

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Ok, so when wbinfo --krb5auth fails in the DEP8 test, the winbind service logs this error on ppc64el:

[2023/07/26 18:21:42.215411, 0] ../../source3/winbindd/winbindd_cred_cache.c:836(store_memory_creds)
failed to mlock memory: Cannot allocate memory (12)

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

In that situation, if I restart winbind, and then try again, then it works :/

This is an lxd container inside a 2 GB VM. Maybe ppc64el needs more memory...? I remember having to adjust some packages to use a bigger VM in the dep8 infrastructure.
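The winbind log line quoted above ("store_memory_creds ... failed to mlock memory: Cannot allocate memory (12)") is what mlock(2) returns once a process is over RLIMIT_MEMLOCK, the per-process cap on locked memory: winbindd locks the memory holding cached credentials so they cannot be paged out to swap, and the 64 KiB default inside an lxd container is easy to exhaust. The program below is an added example, not Samba code and not part of this merge proposal. It reads the soft limit, lowers it on purpose, attempts the kind of lock a credential cache performs and reports the errno, so the same diagnosis can be made on a testbed before blaming the package. The 1 MiB buffer and the 64 KiB and 4 KiB test limits are arbitrary choices of this example; note that a process holding CAP_IPC_LOCK (root in many containers) bypasses the limit and the lock succeeds regardless, which matters when trying to reproduce as root.

```c
/* Added example: reproduce and diagnose the RLIMIT_MEMLOCK failure behind
 * winbindd's "failed to mlock memory: Cannot allocate memory (12)".
 * Not Samba code; buffer sizes and test limits are arbitrary. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Current soft RLIMIT_MEMLOCK in bytes (RLIM_INFINITY if unlimited);
 * returns 0 if getrlimit fails. */
static rlim_t memlock_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
        return 0;
    }
    return rl.rlim_cur;
}

/* Move the soft RLIMIT_MEMLOCK; an unprivileged process may set it anywhere
 * in [0, hard]. Returns the soft limit actually installed, (rlim_t)-1 on error. */
static rlim_t set_memlock_soft_limit(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
        return (rlim_t)-1;
    }
    if (rl.rlim_max != RLIM_INFINITY && bytes > rl.rlim_max) {
        bytes = rl.rlim_max;            /* clamp to the hard limit */
    }
    rl.rlim_cur = bytes;
    if (setrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
        return (rlim_t)-1;
    }
    return bytes;
}

/* Pure check a test harness can run before starting winbindd:
 * does a lock of 'len' bytes fit under the soft limit? 1 = yes, 0 = no. */
static int lock_fits_under_limit(size_t len, rlim_t limit)
{
    return (limit == RLIM_INFINITY || (rlim_t)len <= limit) ? 1 : 0;
}

/* Mimic a credential cache: page-aligned buffer, touched, then locked.
 * Returns 0 when locked, ENOMEM when over RLIMIT_MEMLOCK (the winbindd
 * symptom), EPERM when the limit is 0 and the caller lacks CAP_IPC_LOCK. */
static int try_lock_credential_buffer(size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    void *buf = NULL;
    int rc = 0;

    if (page <= 0 || posix_memalign(&buf, (size_t)page, len) != 0) {
        return ENOMEM;
    }
    memset(buf, 0, len);                /* fault the pages in, as a real cache would */
    if (mlock(buf, len) != 0) {
        rc = errno;
    } else {
        munlock(buf, len);
    }
    memset(buf, 0, len);                /* best-effort scrub before releasing */
    free(buf);
    return rc;
}

/* Lower the soft limit to 'limit' and attempt the lock; -1 if the limit
 * could not be set, otherwise the errno from try_lock_credential_buffer. */
static int reproduce_under_limit(rlim_t limit, size_t len)
{
    if (set_memlock_soft_limit(limit) == (rlim_t)-1) {
        return -1;
    }
    return try_lock_credential_buffer(len);
}

/* Outcomes the reproduction can legitimately produce on Linux. */
static int is_expected_lock_result(int rc)
{
    return rc == 0 || rc == ENOMEM || rc == EPERM || rc == EAGAIN;
}

int main(void)
{
    const size_t want = 1024 * 1024;    /* 1 MiB, arbitrary */
    rlim_t limit = memlock_soft_limit();
    int rc;

    printf("RLIMIT_MEMLOCK soft limit: %llu bytes\n", (unsigned long long)limit);
    printf("1 MiB lock fits under it: %s\n",
           lock_fits_under_limit(want, limit) ? "yes" : "no");

    /* Squeeze the limit to the 64 KiB container default and retry. */
    rc = reproduce_under_limit(64 * 1024, want);
    printf("with a 64 KiB limit, mlock(1 MiB) -> %s\n",
           rc == 0 ? "ok (caller has CAP_IPC_LOCK?)" : strerror(rc));
    return 0;
}
```

Run it once as the unprivileged test user and once as root inside the container: the unprivileged run is the one that shows ENOMEM, which is why restarting winbind only helps until the cache grows past the limit again.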

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tests passed on ppc64el this time, and kept passing in all other arches as well:

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-focal-ahasenack-samba-kb5028166/?format=plain)
  samba @ amd64:
    26.07.23 22:31:46 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa2
  samba @ arm64:
    27.07.23 00:06:46 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa2
  samba @ armhf:
    26.07.23 22:15:14 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa2
  samba @ ppc64el:
    26.07.23 22:35:14 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa2
  samba @ s390x:
    26.07.23 22:33:21 Log 🗒️ ✅ Triggers: samba/2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa2

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks Andreas!

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded with rich history:

Uploading samba_4.15.13+dfsg-0ubuntu0.20.04.4.dsc
Uploading samba_4.15.13+dfsg-0ubuntu0.20.04.4.debian.tar.xz
Uploading samba_4.15.13+dfsg-0ubuntu0.20.04.4_source.buildinfo
Uploading samba_4.15.13+dfsg-0ubuntu0.20.04.4_source.changes


Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 3ea7797..373ec2d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
1samba (2:4.15.13+dfsg-0ubuntu0.20.04.4) focal; urgency=medium
2
3 * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership
4 after Windows KB5028166 update (LP: #2027716)
5 * Cherry pick samba AD DC provisioning DEP8 test from later Ubuntu
6 releases (LP: #1977746, LP: #2011745):
7 - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
8 samba AD DC provisioning and domain join tests with internal DNS
9 + d/t/control: adjust package dependencies
10 + d/t/samba-ad-dc-provisioning-internal-dns: handle the case where
11 libnss-winbind does not automatically add winbind to
12 /etc/nsswitch.conf (that is done only in Lunar and later)
13 + d/t/samba-ad-dc-provisioning-internal-dns: use case insensitive
14 match when inspecting kerberos tickets, as the hostname may be
15 capitalized
16 + d/t/samba-ad-dc-provisioning-internal-dns: Adjust regexp for
17 slightly different resolvectl output
18 + d/t/util: several lxc command output parsing changes, needed for
19 this older version of the lxd snap
20 + d/t/samba-ad-dc-provisioning-internal-dns: more dependencies for
21 the winbind and sssd domain join tests, which don't get
22 installed automatically for us by this version of realmd
23 + d/t/util: increase the RLIMIT_MEMLOCK limit for lxd containers,
24 as the default of 64kb is too low for at least ppc64el on focal
25
26 -- Andreas Hasenack <andreas@canonical.com> Sun, 23 Jul 2023 17:19:48 -0300
27
1samba (2:4.15.13+dfsg-0ubuntu0.20.04.3) focal-security; urgency=medium28samba (2:4.15.13+dfsg-0ubuntu0.20.04.3) focal-security; urgency=medium
229
3 * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP30 * SECURITY UPDATE: Out-Of-Bounds read in winbind AUTH_CRAP
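Review bot: the entry is stamped Sun, 23 Jul 2023, but its last bullet (d/t/util: increase the RLIMIT_MEMLOCK limit for lxd containers) records a change that was only diagnosed in the 26 Jul comments above, after the ~ppa1 ppc64el failures; refresh the timestamp with `dch -r` before upload so the changelog date is not earlier than the work it describes. That bullet would also be more useful to the SRU reviewer if it quoted the evidence, i.e. the winbind log line "store_memory_creds ... failed to mlock memory: Cannot allocate memory (12)", since "too low for at least ppc64el on focal" on its own does not say which service hit the limit.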
diff --git a/debian/patches/secure-channel-faulty-kb5028166.patch b/debian/patches/secure-channel-faulty-kb5028166.patch
4new file mode 10064431new file mode 100644
index 0000000..c1367f7
--- /dev/null
+++ b/debian/patches/secure-channel-faulty-kb5028166.patch
@@ -0,0 +1,215 @@
1From 2150e7f3dc409b415ca8b6a541729a49932c5073 Mon Sep 17 00:00:00 2001
2From: Stefan Metzmacher <metze@samba.org>
3Date: Sat, 15 Jul 2023 17:20:32 +0200
4Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
5 response level 2
6
7We don't have any documentation about this yet, but tests against
8a Windows Server 2022 patched with KB5028166 revealed that
9the response for query_level=2 is exactly the same as
10for querey_level=1.
11
12Until we know the reason for query_level=2 we won't
13use it as client nor support it in the server, but
14we want ndrdump to work.
15
16BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
17
18Signed-off-by: Stefan Metzmacher <metze@samba.org>
19Reviewed-by: Andrew Bartlett <abartlet@samba.org>
20(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)
21---
22 librpc/idl/netlogon.idl | 1 +
23 1 file changed, 1 insertion(+)
24
25Ubuntu patch note: removed the parts that changed the upstream test suite
26
27Origin: backport, https://bugzilla.samba.org/attachment.cgi?id=17987
28Bug: https://bugzilla.samba.org/show_bug.cgi?id=15418
29Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716
30Last-Update: 2023-07-17
31
32diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
33index d956a661fff7..b51767136d3c 100644
34--- a/librpc/idl/netlogon.idl
35+++ b/librpc/idl/netlogon.idl
36@@ -1241,6 +1241,7 @@ interface netlogon
37 /* Function 0x15 */
38 typedef [switch_type(uint32)] union {
39 [case(1)] netr_NegotiateFlags server_capabilities;
40+ [case(2)] netr_NegotiateFlags server_capabilities;
41 } netr_Capabilities;
42
43 NTSTATUS netr_LogonGetCapabilities(
44--
452.34.1
46
47
48From fa71e7b4b027dc8224fda7125f1faaefa4e71eae Mon Sep 17 00:00:00 2001
49From: Stefan Metzmacher <metze@samba.org>
50Date: Sat, 15 Jul 2023 16:11:48 +0200
51Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
52 invalid netr_LogonGetCapabilities levels
53
54This is important as Windows clients with KB5028166 seem to
55call netr_LogonGetCapabilities with query_level=2 after
56a call with query_level=1.
57
58An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
59for query_level values other than 1.
60While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
61later fails to marshall the response, which results
62in DCERPC_FAULT_BAD_STUB_DATA instead.
63
64Because we don't have any documentation for level 2 yet,
65we just try to behave like an unpatched server and
66generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
67DCERPC_FAULT_BAD_STUB_DATA.
68Which allows patched Windows clients to keep working
69against a Samba DC.
70
71BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
72
73Signed-off-by: Stefan Metzmacher <metze@samba.org>
74Reviewed-by: Andrew Bartlett <abartlet@samba.org>
75(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)
76---
77 .../knownfail.d/netr_LogonGetCapabilities | 2 --
78 source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
79 2 files changed, 24 insertions(+), 6 deletions(-)
80
81diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
82index 6a3e044eb9da..26be4f567513 100644
83--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
84+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
85@@ -2399,6 +2399,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
86 struct netlogon_creds_CredentialState *creds;
87 NTSTATUS status;
88
89+ switch (r->in.query_level) {
90+ case 1:
91+ break;
92+ case 2:
93+ /*
94+ * Until we know the details behind KB5028166
95+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
96+ * like an unpatched Windows Server.
97+ */
98+ FALL_THROUGH;
99+ default:
100+ /*
101+ * There would not be a way to marshall the
102+ * the response. Which would mean our final
103+ * ndr_push would fail an we would return
104+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
105+ *
106+ * But it's important to match a Windows server
107+ * especially before KB5028166, see also our bug #15418
108+ * Otherwise Windows client would stop talking to us.
109+ */
110+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
111+ }
112+
113 status = dcesrv_netr_creds_server_step_check(dce_call,
114 mem_ctx,
115 r->in.computer_name,
116@@ -2410,10 +2434,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
117 }
118 NT_STATUS_NOT_OK_RETURN(status);
119
120- if (r->in.query_level != 1) {
121- return NT_STATUS_NOT_SUPPORTED;
122- }
123-
124 r->out.capabilities->server_capabilities = creds->negotiate_flags;
125
126 return NT_STATUS_OK;
127--
1282.34.1
129
130
131From 05f110e1a4d4b38bfbaaa3a92fda7a9127b3b456 Mon Sep 17 00:00:00 2001
132From: Stefan Metzmacher <metze@samba.org>
133Date: Sat, 15 Jul 2023 16:11:48 +0200
134Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
135 invalid netr_LogonGetCapabilities levels
136
137This is important as Windows clients with KB5028166 seem to
138call netr_LogonGetCapabilities with query_level=2 after
139a call with query_level=1.
140
141An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
142for query_level values other than 1.
143While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
144later fails to marshall the response, which results
145in DCERPC_FAULT_BAD_STUB_DATA instead.
146
147Because we don't have any documentation for level 2 yet,
148we just try to behave like an unpatched server and
149generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
150DCERPC_FAULT_BAD_STUB_DATA.
151Which allows patched Windows clients to keep working
152against a Samba DC.
153
154BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
155
156Signed-off-by: Stefan Metzmacher <metze@samba.org>
157Reviewed-by: Andrew Bartlett <abartlet@samba.org>
158
159Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
160Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
161
162(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)
163---
164 .../knownfail.d/netr_LogonGetCapabilities | 1 -
165 source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++---
166 2 files changed, 25 insertions(+), 5 deletions(-)
167 delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
168
169diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
170index 5906464a9f3..35433ec6781 100644
171--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
172+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
173@@ -2421,6 +2421,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
174 struct netlogon_creds_CredentialState *creds;
175 NTSTATUS status;
176
177+ switch (r->in.query_level) {
178+ case 1:
179+ break;
180+ case 2:
181+ /*
182+ * Until we know the details behind KB5028166
183+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
184+ * like an unpatched Windows Server.
185+ */
186+ FALL_THROUGH;
187+ default:
188+ /*
189+ * There would not be a way to marshall the
190+ * the response. Which would mean our final
191+ * ndr_push would fail an we would return
192+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
193+ *
194+ * But it's important to match a Windows server
195+ * especially before KB5028166, see also our bug #15418
196+ * Otherwise Windows client would stop talking to us.
197+ */
198+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
199+ return NT_STATUS_NOT_SUPPORTED;
200+ }
201+
202 become_root();
203 status = netr_creds_server_step_check(p, p->mem_ctx,
204 r->in.computer_name,
205@@ -2432,10 +2457,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
206 return status;
207 }
208
209- if (r->in.query_level != 1) {
210- return NT_STATUS_NOT_SUPPORTED;
211- }
212-
213 r->out.capabilities->server_capabilities = creds->negotiate_flags;
214
215 return NT_STATUS_OK;
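Review bot: the file carries [PATCH 1/4], [PATCH 3/4] and [PATCH 4/4] only, yet the diffstats in the 3/4 and 4/4 headers still list .../knownfail.d/netr_LogonGetCapabilities (including a `delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities` line) although the "Ubuntu patch note" says the test-suite hunks were removed; say in the DEP-3 header which commit (2/4) was dropped and why, and either trim the stale stat lines or note they are left as upstream wrote them, so the next person comparing this against bugzilla attachment 17987 does not go looking for a missing hunk. One behavioural point worth a sentence in that header: both server hunks now raise DCERPC_NCA_S_FAULT_INVALID_TAG before dcesrv_netr_creds_server_step_check / netr_creds_server_step_check runs, whereas the removed `if (r->in.query_level != 1)` check sat after it, so an unsupported level no longer advances the netlogon credential chain; the commit message says this is what an unpatched Windows server does, and stating that the credential state is intentionally left untouched would save the next reader from rediscovering it.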
diff --git a/debian/patches/series b/debian/patches/series
index 54984e0..be2f88c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -66,3 +66,4 @@ CVE-2023-34968-09.patch
66CVE-2023-34968-10.patch66CVE-2023-34968-10.patch
67CVE-2023-34968-11.patch67CVE-2023-34968-11.patch
68CVE-2023-34968-12.patch68CVE-2023-34968-12.patch
69secure-channel-faulty-kb5028166.patch
diff --git a/debian/tests/control b/debian/tests/control
index efc23b7..5e1cd04 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -20,3 +20,7 @@ Restrictions: needs-root, allow-stderr, isolation-container
20Tests: reinstall-samba-common-bin20Tests: reinstall-samba-common-bin
21Depends: samba-common, samba-common-bin21Depends: samba-common, samba-common-bin
22Restrictions: needs-root, needs-reboot, isolation-machine, allow-stderr22Restrictions: needs-root, needs-reboot, isolation-machine, allow-stderr
23
24Tests: samba-ad-dc-provisioning-internal-dns
25Depends: samba, samba-dsdb-modules, samba-vfs-modules, winbind, smbclient, krb5-user, bind9-dnsutils, lxd | snapd, lsb-release, dctrl-tools
26Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed
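Review bot: Depends is missing a provider of nc (netcat-openbsd): wait_container_ready in d/t/util polls the member server with `nc -z "${ip}" 22`, and although netcat-openbsd is normally present on an Ubuntu testbed nothing listed here guarantees it. The rest of the tool set is covered (bind9-dnsutils for dig, lsb-release for lsb_release, dctrl-tools, and lxd | snapd plus the install_lxd helper for lxd), so nc is the only command the scripts call that no dependency pulls in. breaks-testbed is the right restriction given that the script replaces /etc/resolv.conf, disables systemd-resolved and wipes /var/lib/samba.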
diff --git a/debian/tests/samba-ad-dc-provisioning-internal-dns b/debian/tests/samba-ad-dc-provisioning-internal-dns
23new file mode 10075527new file mode 100755
index 0000000..f84372c
--- /dev/null
+++ b/debian/tests/samba-ad-dc-provisioning-internal-dns
@@ -0,0 +1,408 @@
1#!/bin/bash
2
3set -e
4set -o pipefail
5
6source debian/tests/util
7
8declare -r domain="EXAMPLE"
9declare -r realm="EXAMPLE.FAKE"
10declare -r adminpass="Passw0rd"
11declare -r test_user="test_user_${RANDOM}"
12declare -r test_pw="test_user_secret_${RANDOM}"
13declare -A user_pass
14user_pass[Administrator]="${adminpass}"
15user_pass[${test_user}]="${test_pw}"
16declare -A join_method_deps
17# Minimum set of deps: let realmd install the extra dependencies
18# as needed, depending on the join method.
19# sssd-dbus is needed by the sssctl tool, and is not installed automatically
20# via deps in focal
21join_method_deps[realmd_sssd]="realmd krb5-user smbclient sssd-dbus"
22# libnss-winbind needs to be explicitly listed because realmd only started
23# installing it in version 0.17.0, that's >= focal
24join_method_deps[realmd_winbind]="realmd krb5-user smbclient libnss-winbind"
25
26
27cleanup() {
28 rc=$?
29 set +e # so we don't exit midcleanup
30 if [ ${rc} -ne 0 ]; then
31 echo "## Something failed, gathering logs"
32 echo
33 echo "## smb.conf"
34 cat /etc/samba/smb.conf
35 echo
36 echo "## resolv.conf"
37 cat /etc/resolv.conf
38 echo
39 echo "## resolvectl status"
40 resolvectl status
41 echo "## journal for samba-ad-dc.service"
42 journalctl -u samba-ad-dc.service --lines 500
43 echo
44 for log in /var/log/samba/log.*; do
45 # skip compressed logrotated files
46 if [ "${log%.gz}" != "${log}" ]; then
47 continue
48 fi
49 [ -s "${log}" ] || continue
50 echo "## $(basename ${log}):"
51 tail -n 500 "${log}"
52 echo
53 done
54 echo "## syslog"
55 tail -n 500 /var/log/syslog
56 fi
57}
58
59trap cleanup EXIT
60
61assert_testparm() {
62 local parameter="${1}"
63 local expected_value="${2}"
64 local current_value=""
65 local -i retval=0
66
67 echo -n "Asserting ${parameter} is ${expected_value}: "
68 current_value=$(testparm -s --parameter-name "${parameter}" 2>/dev/null) || {
69 retval=$?
70 echo "FAIL"
71 return ${retval}
72 }
73 if [ "${current_value}" = "${expected_value}" ]; then
74 echo "OK"
75 return 0
76 else
77 echo "FAIL"
78 return 1
79 fi
80}
81
82basic_config_tests() {
83 echo "## Basic config tests"
84 testparm -s > /dev/null
85 assert_testparm "realm" "${realm}"
86 assert_testparm "workgroup" "${domain}"
87 assert_testparm "server role" "active directory domain controller"
88 echo
89}
90
91dns_tests() {
92 echo "## DNS tests"
93 echo "Obtaining administrator kerberos ticket"
94 echo "${adminpass}" | timeout --verbose 30 kinit Administrator
95 echo
96 echo "Querying server info"
97 samba-tool dns serverinfo "$(hostname)"
98 echo
99 echo "Checking we got a service ticket of type host/"
100 klist | grep -i "host/$(hostname)"
101 echo
102 echo "Checking specific DNS records"
103 for srv in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do
104 echo -n "${srv}.${realm,,}: "
105 dig @localhost +short -t SRV ${srv}.${realm,,}
106 echo
107 done
108 echo
109 echo -n "Checking that our hostname \"$(hostname)\" is in DNS: "
110 myip=$(dig @localhost +short -t A "$(hostname).${realm,,}")
111 echo "${myip}"
112 echo
113}
114
115user_creation_tests() {
116 echo "## User creation tests"
117 samba-tool domain passwordsettings set --complexity=off
118 echo "Creating user \"${test_user}\" with password ${test_pw}"
119 samba-tool user add "${test_user}" "${test_pw}"
120 echo
121 echo "Attempting to obtain kerberos ticket for user \"${test_user}\""
122 # just in case it ends up waiting at a prompt, we use "timeout"
123 echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}"
124 echo "Ticket obtained"
125 klist
126 echo
127}
128
129smbclient_tests() {
130 echo "## smbclient tests"
131 kdestroy || :
132 echo
133 echo "Obtaining a TGT for ${test_user}"
134 echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}"
135 klist | grep krbtgt
136 echo
137 echo "Attempting password-less authentication with smbclient"
138 echo
139 echo "Listing shares"
140 smbclient -L "$(hostname)" --use-kerberos=required -k
141 echo
142 echo "Listing the sysvol share"
143 smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls"
144 echo
145 echo "Listing policies"
146 # lowercase the ${realm}
147 smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls ${realm,,}/Policies/*"
148 echo
149 echo "Checking that we have a ticket for the cifs service after all these commands"
150 klist | grep cifs/
151 echo
152}
153
154server_join_tests() {
155 local member_server
156 # the join methods are the keys of the join_method_deps dict
157 local -a methods=("${!join_method_deps[@]}")
158 local member_server="member-server"
159
160 echo "## Server join tests"
161 echo "## Initializing lxd"
162 setup_lxd "${realm,,}"
163
164 for method in "${methods[@]}"; do
165 echo "## Setting up member server to join a domain using method ${method}"
166 setup_member_server "${member_server}" "${method}"
167 echo "## Joining domain with method ${method}"
168 join_domain "${member_server}" "${method}"
169 echo
170 echo "## Verifying join with method ${method}"
171 verify_join "${member_server}" "${method}"
172 echo
173 echo "## Leaving domain with method ${method}"
174 leave_domain "${member_server}" "${method}"
175 echo
176 echo "## Destroying member server"
177 lxc delete --force "${member_server}"
178 done
179}
180
181setup_member_server() {
182 local container_name="${1}"
183 local method="${2}"
184 local release
185
186 release="$(lsb_release -cs)"
187 if [ -z "${join_method_deps[${method}]}" ]; then
188 echo "## INTERNAL ERROR, invalid join method: ${method}"
189 return 1
190 fi
191 echo "## Got test dependencies: ${join_method_deps[${method}]}"
192 # can't use cloud-init here to install packages, because we first need to
193 # sync the apt config from the host to the container
194 echo "## Launching ${release} container"
195 lxc launch "ubuntu-daily:${release}" "${container_name}" -q
196 wait_container_ready "${container_name}"
197 send_apt_config "${container_name}"
198 copy_local_apt_files "${container_name}"
199 echo "## Installing dependencies in test container"
200 install_packages_in_container "${container_name}" ${join_method_deps[${method}]}
201}
202
203join_domain_realmd_winbind() {
204 local server="${1}"
205 local discover_cmd="realm discover -v --membership-software=samba --client-software=winbind ${realm,,}"
206 local join_cmd="realm join -v --membership-software=samba --client-software=winbind ${realm,,}"
207
208 echo "## Domain information"
209 lxc exec "${server}" -- ${discover_cmd}
210 echo
211 echo "## Running join command: ${join_cmd}"
212 echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd}
213 # LP: #1980246
214 # So far, only lunar and later automatically add winbind to /etc/nsswitch.conf.
215 lxc exec "${server}" -- sed -r -i \
216 -e '/^(passwd|group):.*[[:space:]]winbind\b/b' \
217 -e 's/^(passwd|group):.*/& winbind/' \
218 /etc/nsswitch.conf
219}
220
221verify_join_realmd_winbind() {
222 local server="${1}"
223 local member_domain
224
225 echo -n "## Verifying member server joined domain name: "
226 member_domain=$(lxc exec "${server}" -- wbinfo --own-domain)
227 echo "${member_domain}"
228 if [ "${member_domain}" != "${domain}" ]; then
229 echo "ERROR: expected member server domain to match the joined domain:"
230 echo "member server domain: ${member_domain}"
231 echo "AD domain: ${domain}"
232 return 1
233 fi
234 echo
235 # we just want to see the output, not parse it
236 echo "## Domain status in member server"
237 lxc exec "${server}" -- wbinfo --domain-info "${member_domain}"
238 echo
239 echo "## User status in member server"
240 for u in "${!user_pass[@]}"; do
241 echo "## User \"${u}@${realm}\" information:"
242 lxc exec "${server}" -- wbinfo --user-info "${u}@${realm}"
243 echo
244 echo "## id ${u}@${realm}"
245 lxc exec "${server}" -- id ${u}@${realm}
246 echo
247 echo "## kinit authentication check for user \"${u}@${realm}\" inside member server"
248 echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}"
249 lxc exec "${server}" -- klist
250 echo
251 echo "## Listing shares with the obtained kerberos ticket"
252 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
253 lxc exec "${server}" -- kdestroy
254 echo
255 echo "## wbinfo authentication check for user \"${u}@${realm}\" inside member server"
256 # non-interactive format for username is user%password
257 lxc exec "${server}" -- wbinfo --authenticate="${u}@${realm}%${user_pass[${u}]}"
258 echo
259 echo "## wbinfo kerberos authentication check for user \"${u}@${realm}\" inside member server"
260 lxc exec "${server}" -- wbinfo --krb5auth="${u}@${realm}%${user_pass[${u}]}"
261 echo
262 echo "## Listing shares with the obtained kerberos ticket"
263 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
264 lxc exec "${server}" -- kdestroy
265 done
266}
267
268leave_domain_realmd_winbind() {
269 local server="${1}"
270 local leave_cmd="realm leave -v --remove --client-software=winbind"
271
272 echo "## Running leave command: ${leave_cmd}"
273 echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd}
274}
275
276join_domain_realmd_sssd() {
277 local server="${1}"
278 local discover_cmd="realm discover -v --membership-software=adcli --client-software=sssd ${realm,,}"
279 local join_cmd="realm join -v --membership-software=adcli --client-software=sssd ${realm,,}"
280
281 echo "## Domain information"
282 lxc exec "${server}" -- ${discover_cmd}
283 echo
284 echo "## Running join command: ${join_cmd}"
285 echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd}
286 echo
287}
288
289verify_join_realmd_sssd() {
290 local server="${1}"
291 local samba_domain
292
293 echo -n "## Verifying member server joined domain name: "
294 samba_domain=$(lxc exec "${server}" -- sssctl domain-list)
295 echo "${samba_domain}"
296 if [ "${samba_domain}" != "${realm,,}" ]; then
297 echo "ERROR: expected member server domain to match the joined domain:"
298 echo "member server domain: ${samba_domain}"
299 echo "AD domain: ${realm,,}"
300 return 1
301 fi
302 echo
303 # we just want to see the output, not parse it
304 echo "## Domain status in member server"
305 lxc exec "${server}" -- sssctl domain-status "${realm}"
306 echo
307 echo "## User status in member server"
308 for u in "${!user_pass[@]}"; do
309 echo "## User \"${u}@${realm}\" information:"
310 lxc exec "${server}" -- sssctl user-checks "${u}@${realm}"
311 echo
312 echo "## id ${u}@${realm}"
313 lxc exec "${server}" -- id "${u}@${realm}"
314 echo
315 echo "## kinit authentication check for user \"${u}@${realm}\" inside member server"
316 echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}"
317 lxc exec "${server}" -- klist
318 echo
319 echo "## Listing shares with the obtained kerberos ticket"
320 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
321 lxc exec "${server}" -- kdestroy
322 done
323}
324
325leave_domain_realmd_sssd() {
326 local server="${1}"
327 local leave_cmd="realm leave -v --remove --client-software=sssd"
328
329 echo "## Running leave command: ${leave_cmd}"
330 echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd}
331}
332
333join_domain() {
334 local server="${1}"
335 local m="${2}"
336
337 join_domain_${m} "${server}"
338}
339
340verify_join() {
341 local server="${1}"
342 local m="${2}"
343
344 verify_join_${m} "${server}"
345}
346
347leave_domain() {
348 local server="${1}"
349 local m="${2}"
350
351 leave_domain_${m} "${server}"
352}
353
354systemctl stop smbd nmbd winbind
355systemctl disable smbd nmbd winbind
356systemctl mask smbd nmbd winbind
357
358systemctl unmask samba-ad-dc
359systemctl enable samba-ad-dc
360
361if [ -f /etc/samba/smb.conf ]; then
362 mv /etc/samba/smb.conf{,.orig}
363fi
364
365# make sure we are starting fresh, as previous tests might left things around
366
367rm -rf /var/lib/samba/* /var/cache/samba/* /run/samba/*
368kdestroy || :
369
370samba-tool domain provision \
371 --domain="${domain}" \
372 --realm="${realm}" \
373 --adminpass="${adminpass}" \
374 --server-role=dc \
375 --use-rfc2307 \
376 --dns-backend=SAMBA_INTERNAL
377
378current_dns=$(resolvectl status | grep -E "^[[:blank:]]*Current DNS Server:" | awk '{print $4}')
379
380if [ -n "${current_dns}" ]; then
381 echo "## Setting dns forwarder to ${current_dns} in smb.conf"
382 sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
383 /etc/samba/smb.conf
384 unlink /etc/resolv.conf
385 echo "nameserver 127.0.0.1" > /etc/resolv.conf
386 # lowercase substitution
387 echo "search ${realm,,}" >> /etc/resolv.conf
388 systemctl stop systemd-resolved
389 systemctl disable systemd-resolved
390else
391 echo "## Warning, couldn't detect the current DNS server to use as forwarder in smb.conf"
392 echo "## resolvectl status:"
393 resolvectl status
394 echo "## Continuing, and hoping for the best"
395fi
396
397cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf
398
399systemctl start samba-ad-dc
400
401# give it some time, it's a lot of services to start
402sleep 5s
403
404basic_config_tests
405dns_tests
406user_creation_tests
407smbclient_tests
408server_join_tests
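Review bot: the `sleep 5s` after `systemctl start samba-ad-dc` is a fixed delay rather than a readiness check, and on a slow architecture the first `kinit` in dns_tests can race the KDC; poll instead, for example loop on `samba-tool dns serverinfo "$(hostname)"` or `nc -z localhost 88` under the same `timeout --verbose` pattern the script already uses for kinit. Smaller points: `local member_server` is declared twice in server_join_tests; `id ${u}@${realm}` in verify_join_realmd_winbind is unquoted while the sssd variant quotes it; and `smbclient ... --use-kerberos=required -k` passes both the new option and the older `-k` spelling of the same thing. `samba-tool domain passwordsettings set --complexity=off` and the `user%password` arguments to `wbinfo --authenticate` / `--krb5auth` are fine for a throwaway test domain, but a one-line comment saying so would stop someone copying the pattern into a real join, since the log prints the passwords.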
diff --git a/debian/tests/util b/debian/tests/util
0new file mode 100644409new file mode 100644
index 0000000..66ed247
--- /dev/null
+++ b/debian/tests/util
@@ -0,0 +1,178 @@
1#!/bin/sh
2
3# $1: share name
4# $2: comma separated list of vfs_objects to use, if any
5add_share() {
6 local share="$1"
7 local vfs="$2"
8 if ! testparm -s 2>&1 | grep -E "^\[${share}\]"; then
9 echo "Adding [${share}] share"
10 cat >> /etc/samba/smb.conf <<EOFEOF
11[${share}]
12 read only = no
13 guest ok = no
14 path = /${share}
15EOFEOF
16 if [ -n "${vfs}" ]; then
17 echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf
18 fi
19 systemctl reload smbd.service
20 else
21 echo "Share [${share}] already exists, continuing"
22 fi
23}
24
25# $1: username
26# $2: password
27add_user() {
28 local username="$1"
29 local password="$2"
30
31 echo "Creating a local and samba user called ${username}"
32 useradd -m "${username}"
33 echo "Setting samba password for the ${username} user"
34 (echo "${password}"; echo "${password}") | smbpasswd -s -a ${username}
35}
36
37# $1: share name
38populate_share() {
39 local sharename="$1"
40 local usergroup="$2"
41 local sharepath="/${sharename}"
42
43 mkdir -p "${sharepath}"
44 dd if=/dev/urandom bs=4096 count=1000 2>/dev/null | base64 > "${sharepath}/data"
45 cd "${sharepath}"
46 md5sum data > data.md5
47 chown -R "${usergroup}:${usergroup}" "${sharepath}"
48}
49
50
51# $1: kernel version in the form major.minor.patch
52check_kernel_version() {
53 local k_ver=$1
54 local k_major=$(echo ${k_ver} | cut -d . -f 1)
55 local k_minor=$(echo ${k_ver} | cut -d . -f 2)
56
57 # uring is supported starting with kernel 5.1.x
58 if [ ${k_major} -eq 5 ] && [ ${k_minor} -ge 1 ]; then
59 return 0
60 elif [ ${k_major} -ge 6 ]; then
61 return 0
62 else
63 return 1
64 fi
65}
66
67wait_container_ready() {
68 local container="${1}"
69 local -i limit=120 # seconds
70 local -i i=0
71 local -i result=0
72 local ip
73 local output
74
75 while /bin/true; do
76 ip=$(lxc list "${container}" -c 4 --format=csv | tail -1 | awk '{print $1}')
77 if [ -n "${ip}" ]; then
78 break
79 fi
80 i=$((i+1))
81 if [ ${i} -ge ${limit} ]; then
82 return 1
83 fi
84 sleep 1s
85 echo -n "."
86 done
87 while ! nc -z "${ip}" 22; do
88 echo -n "."
89 i=$((i+1))
90 if [ ${i} -ge ${limit} ]; then
91 return 1
92 fi
93 sleep 1s
94 done
95 # cloud-init might still be doing things...
96 # this call blocks, so wrap it in its own little timeout
97 output=$(lxc exec "${container}" -- timeout --verbose $((limit-i)) cloud-init status --wait) || {
98 result=$?
99 echo "cloud-init status --wait failed on container ${container}"
100 echo "${output}"
101 return ${result}
102 }
103 echo
104}
105
106install_lxd() {
107 if ! command -v lxd > /dev/null 2>&1; then
108 # the test depends has "lxd | snapd", so if we don't have lxd, we must
109 # install the snap
110 snap list lxd > /dev/null 2>&1 || {
111 echo "Installing the LXD snap..."
112 snap install lxd
113 }
114 fi
115}
116
117setup_lxd() {
118 local dns_domain="${1}"
119 local nic
120 local dns_ip
121
122 install_lxd
123 # Stop samba while lxd is setup, to avoid conflicts on lxdbr0:53
124 systemctl stop samba-ad-dc
125 lxd init --auto
126 lxd waitready --timeout 600
127 # sample csv output. Columns are NAME,TYPE,MANAGED,DESCRIPTION,USED_BY
128 #enp1s0,physical,NO,,0
129 #lxdbr0,bridge,YES,,1
130 nic=$(lxc network list --format=csv | grep -E "bridge,YES,,1" | cut -d , -f 1)
131 dns_ip=$(lxc network info "${nic}" | grep -w inet | awk '{print $2}')
132 # port=0 effectively disables dnsmasq's DNS, so it doesn't conflict with samba's DNS
133 lxc network set "${nic:-lxdbr0}" ipv6.address=none dns.domain="${dns_domain}" raw.dnsmasq="$(echo -e port=0\\ndhcp-option=option:dns-server,${dns_ip})"
134 if [ -n "${http_proxy}" ]; then
135 lxc config set core.proxy_http "${http_proxy}"
136 fi
137 if [ -n "${https_proxy}" ]; then
138 lxc config set core.proxy_https "${https_proxy}"
139 fi
140 if [ -n "${noproxy}" ]; then
141 lxc config set core.proxy_ignore_hosts "${noproxy}"
142 fi
143 # the default of 64k is too low for, at least, ppc64el on focal
144 lxc profile set default limits.kernel.memlock 262144
145 systemctl start samba-ad-dc
146 # give it some time, it's a lot of services to start
147 sleep 5s
148}
149
150# Copy the local apt package archive over to the lxd container.
151copy_local_apt_files() {
152 local container_name="${1:-docker}"
153
154 for local_source in $(apt-get indextargets | grep-dctrl -F URI -e '^file:/' -sURI | awk '{print $2}'); do
155 local_source=${local_source#file:}
156 local_dir=$(dirname "${local_source}")
157 lxc exec "${container_name}" -- mkdir -p "${local_dir}"
158 tar -cC "${local_dir}" . | lxc exec "${container_name}" -- tar -xC "${local_dir}"
159 done
160}
161
162send_apt_config() {
163 echo "Copying over /etc/apt to container ${1}"
164 lxc exec "${1}" -- rm -rf /etc/apt
165 lxc exec "${1}" -- mkdir -p /etc/apt
166 tar -cC /etc/apt . | lxc exec "${1}" -- tar -xC /etc/apt
167}
168
169install_packages_in_container() {
170 local container="${1}"
171 shift
172 local packages="${*}"
173
174 echo "### Installing dependencies in member server container: ${packages}"
175 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get update -q
176 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y
177 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y ${packages}
178}
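Review bot: `noproxy` in `if [ -n "${noproxy}" ]; then` looks like a typo for the conventional `no_proxy` variable, so `core.proxy_ignore_hosts` would never be set even when the environment exports it, while the `http_proxy`/`https_proxy` checks just above use the standard names. In `setup_lxd` the `${nic:-lxdbr0}` fallback is applied only in `lxc network set`, but `dns_ip` is computed from the unguarded `${nic}`, so if the `grep` finds no managed bridge the `raw.dnsmasq` value is written with an empty `dhcp-option=option:dns-server,`; resolve it once (`nic="${nic:-lxdbr0}"`) before `lxc network info`. Smaller points: the `#!/bin/sh` shebang does not match the bash-only constructs used (`local -i`, `echo -n`, `echo -e`), so either use `#!/bin/bash` or drop it since the file is sourced rather than executed; `populate_share` takes a second argument `usergroup` that the header comment does not document, and its bare `cd "${sharepath}"` changes the caller's working directory, which `(cd "${sharepath}" && md5sum data > data.md5)` avoids.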
