.gitlab-ci.yml

+# see https://docs.gitlab.com/ce/ci/yaml/README.html for all available options
+
+before_script:
+  - echo "Build starting ..."
+
+build_samba:
+  stage: build
+  tags:
+    - autobuild
+  script:
+    # this one takes about 4 hours to finish
+    - python script/autobuild.py samba            --verbose --tail --testbase /tmp/samba-testbase
+
+build_samba_others:
+  stage: build
+  tags:
+    - autobuild
+  script:
+    - python script/autobuild.py samba-nopython   --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-systemkrb5 --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-xc         --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-o3         --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-libs       --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-static     --verbose --tail --testbase /tmp/samba-testbase
+
+build_ctdb:
+  stage: build
+  tags:
+    - autobuild
+  script:
+    - python script/autobuild.py samba-ctdb       --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py ctdb             --verbose --tail --testbase /tmp/samba-testbase
+
+build_others:
+  stage: build
+  tags:
+    - autobuild
+  script:
+    - python script/autobuild.py ldb              --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py pidl             --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py replace          --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py talloc           --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py tdb              --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py tevent           --verbose --tail --testbase /tmp/samba-testbase
+
+after_script:
+  - echo "Build finished!"

.travis.yml

@@ -27,7 +27,7 @@ matrix:
 
 before_install:
  - sudo apt-get update -qq
- - sudo apt-get install --assume-yes acl attr autoconf bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb git krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl perl-modules pkg-config python-crypto python-dev python-dnspython python-gpgme python3-crypto python3-dev python3-dnspython python3-gpgme realpath screen xsltproc zlib1g-dev
+ - sudo apt-get install --assume-yes acl attr autoconf bind9utils bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config python-all-dev python-crypto python-dbg python-dev python-dnspython python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown python3-dev xsltproc zlib1g-dev
 
 script:
  - git fetch --unshallow

.ycm_extra_conf.py

@@ -49,27 +49,159 @@ flags = [
     '-DHAVE_IPV6=1',
     '-I/usr/local/include',
     '-I.',
+    '-Iauth',
+    '-Iauth/credentials',
+    '-Iauth/gensec',
+    '-Iauth/kerberos',
+    '-Iauth/ntlmssp',
+    '-Ictdb',
+    '-Ictdb/include',
+    '-Idynconfig',
     '-Iinclude',
     '-Iinclude/public',
     '-Ilib',
+    '-Ilib/addns',
+    '-Ilib/afs',
+    '-Ilib/async_req',
+    '-Ilib/compression',
+    '-Ilib/crypto',
+    '-Ilib/dbwrap',
+    '-Ilib/krb5_wrap',
+    '-Ilib/ldb',
+    '-Ilib/ldb-samba',
+    '-Ilib/ldb/include',
+    '-Ilib/param',
+    '-Ilib/pthreadpool',
     '-Ilib/replace',
+    '-Ilib/smbconf',
+    '-Ilib/socket',
+    '-Ilib/talloc',
+    '-Ilib/tdb',
+    '-Ilib/tdb/include',
+    '-Ilib/tevent',
+    '-Ilib/tsocket',
+    '-Ilib/util/charset',
+    '-Ilibcli/auth',
+    '-Ilibcli/cldap',
+    '-Ilibcli/drsuapi',
+    '-Ilibcli/ldap',
+    '-Ilibcli/lsarpc',
+    '-Ilibcli/named_pipe_auth',
+    '-Ilibcli/nbt',
+    '-Ilibcli/netlogon',
+    '-Ilibcli/registry',
+    '-Ilibcli/security',
+    '-Ilibcli/smb',
+    '-Ilibcli/util',
+    '-Ilibds/common',
+    '-Ilibrpc',
+    '-Insswitch',
+    '-Insswitch/libwbclient',
     '-Isource3',
+    '-Isource3/auth',
     '-Isource3/include',
     '-Isource3/lib',
+    '-Isource3/librpc',
+    '-Isource3/modules',
+    '-Isource3/param',
+    '-Isource3/rpc_server',
+    '-Isource3/smbd/notifyd',
     '-Isource4',
+    '-Isource4/auth',
+    '-Isource4/auth/gensec',
+    '-Isource4/auth/kerberos',
+    '-Isource4/cluster',
+    '-Isource4/dsdb',
     '-Isource4/include',
     '-Isource4/lib',
+    '-Isource4/lib/events',
+    '-Isource4/lib/http',
+    '-Isource4/lib/messaging',
+    '-Isource4/lib/socket',
+    '-Isource4/lib/stream',
+    '-Isource4/lib/tls',
+    '-Isource4/libcli',
+    '-Isource4/libcli/ldap',
+    '-Isource4/librpc',
+    '-Isource4/param',
+    '-Ithird_party/zlib',
     '-Ibin/default',
+    '-Ibin/default/auth',
+    '-Ibin/default/auth/credentials',
+    '-Ibin/default/auth/gensec',
+    '-Ibin/default/auth/kerberos',
+    '-Ibin/default/auth/ntlmssp',
+    '-Ibin/default/ctdb',
+    '-Ibin/default/ctdb/include',
+    '-Ibin/default/dynconfig',
     '-Ibin/default/include',
     '-Ibin/default/include/public',
     '-Ibin/default/lib',
+    '-Ibin/default/lib/addns',
+    '-Ibin/default/lib/afs',
+    '-Ibin/default/lib/async_req',
+    '-Ibin/default/lib/compression',
+    '-Ibin/default/lib/crypto',
+    '-Ibin/default/lib/dbwrap',
+    '-Ibin/default/lib/krb5_wrap',
+    '-Ibin/default/lib/ldb',
+    '-Ibin/default/lib/ldb-samba',
+    '-Ibin/default/lib/ldb/include',
+    '-Ibin/default/lib/param',
+    '-Ibin/default/lib/pthreadpool',
     '-Ibin/default/lib/replace',
+    '-Ibin/default/lib/smbconf',
+    '-Ibin/default/lib/socket',
+    '-Ibin/default/lib/talloc',
+    '-Ibin/default/lib/tdb',
+    '-Ibin/default/lib/tdb/include',
+    '-Ibin/default/lib/tevent',
+    '-Ibin/default/lib/tsocket',
+    '-Ibin/default/lib/util/charset',
+    '-Ibin/default/libcli/auth',
+    '-Ibin/default/libcli/cldap',
+    '-Ibin/default/libcli/drsuapi',
+    '-Ibin/default/libcli/ldap',
+    '-Ibin/default/libcli/lsarpc',
+    '-Ibin/default/libcli/named_pipe_auth',
+    '-Ibin/default/libcli/nbt',
+    '-Ibin/default/libcli/netlogon',
+    '-Ibin/default/libcli/registry',
+    '-Ibin/default/libcli/security',
+    '-Ibin/default/libcli/smb',
+    '-Ibin/default/libcli/util',
+    '-Ibin/default/libds/common',
+    '-Ibin/default/librpc',
+    '-Ibin/default/nsswitch',
+    '-Ibin/default/nsswitch/libwbclient',
     '-Ibin/default/source3',
+    '-Ibin/default/source3/auth',
     '-Ibin/default/source3/include',
     '-Ibin/default/source3/lib',
+    '-Ibin/default/source3/librpc',
+    '-Ibin/default/source3/modules',
+    '-Ibin/default/source3/param',
+    '-Ibin/default/source3/rpc_server',
+    '-Ibin/default/source3/smbd/notifyd',
     '-Ibin/default/source4',
+    '-Ibin/default/source4/auth',
+    '-Ibin/default/source4/auth/gensec',
+    '-Ibin/default/source4/auth/kerberos',
+    '-Ibin/default/source4/cluster',
+    '-Ibin/default/source4/dsdb',
     '-Ibin/default/source4/include',
     '-Ibin/default/source4/lib',
+    '-Ibin/default/source4/lib/events',
+    '-Ibin/default/source4/lib/http',
+    '-Ibin/default/source4/lib/messaging',
+    '-Ibin/default/source4/lib/socket',
+    '-Ibin/default/source4/lib/stream',
+    '-Ibin/default/source4/lib/tls',
+    '-Ibin/default/source4/libcli',
+    '-Ibin/default/source4/libcli/ldap',
+    '-Ibin/default/source4/librpc',
+    '-Ibin/default/source4/param',
+    '-Ibin/default/third_party/zlib',
     '-Wall',
     '-Wcast-align',
     '-Wcast-qual',

README.Coding

@@ -445,6 +445,55 @@ The only exception is the test code that depends repeated use of calls
 like CHECK_STATUS, CHECK_VAL and others.
 
 
+Error and out logic
+-------------------
+
+Don't do this:
+
+	frame = talloc_stackframe();
+
+	if (ret == LDB_SUCCESS) {
+		if (result->count == 0) {
+			ret = LDB_ERR_NO_SUCH_OBJECT;
+		} else {
+			struct ldb_message *match =
+				get_best_match(dn, result);
+			if (match == NULL) {
+				TALLOC_FREE(frame);
+				return LDB_ERR_OPERATIONS_ERROR;
+			}
+			*msg = talloc_move(mem_ctx, &match);
+		}
+	}
+
+	TALLOC_FREE(frame);
+	return ret;
+
+It should be:
+
+	frame = talloc_stackframe();
+
+	if (ret != LDB_SUCCESS) {
+		TALLOC_FREE(frame);
+		return ret;
+	}
+
+	if (result->count == 0) {
+		TALLOC_FREE(frame);
+		return LDB_ERR_NO_SUCH_OBJECT;
+	}
+
+	match = get_best_match(dn, result);
+	if (match == NULL) {
+		TALLOC_FREE(frame);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	*msg = talloc_move(mem_ctx, &match);
+	TALLOC_FREE(frame);
+	return LDB_SUCCESS;
+
+
 DEBUG statements
 ----------------
 

VERSION

@@ -24,8 +24,8 @@
 #  ->  "3.0.0"                                         #
 ########################################################
 SAMBA_VERSION_MAJOR=4
-SAMBA_VERSION_MINOR=7
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_MINOR=8
+SAMBA_VERSION_RELEASE=0
 
 ########################################################
 # If a official release has a serious bug              #

auth/common_auth.h

@@ -131,6 +131,16 @@ struct auth4_context {
 					uint8_t *pauthoritative,
 					void **server_returned_info,
 					DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
+	struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx,
+					struct tevent_context *ev,
+					struct auth4_context *auth_ctx,
+					const struct auth_usersupplied_info *user_info);
+	NTSTATUS (*check_ntlm_password_recv)(struct tevent_req *req,
+					TALLOC_CTX *mem_ctx,
+					uint8_t *pauthoritative,
+					void **server_returned_info,
+					DATA_BLOB *nt_session_key,
+					DATA_BLOB *lm_session_key);
 
 	NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);
 

auth/credentials/credentials.c

@@ -550,7 +550,7 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credential
 					  password, password_len);
 		if (converted != sizeof(nt_hash->hash)) {
 			TALLOC_FREE(nt_hash);
-			return false;
+			return NULL;
 		}
 	} else {
 		E_md4hash(password, nt_hash->hash);
@@ -700,7 +700,7 @@ _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
 
 /**
  * Set the realm for this credentials context, and force it to
- * uppercase for the sainity of our local kerberos libraries 
+ * uppercase for the sanity of our local kerberos libraries
  */
 _PUBLIC_ bool cli_credentials_set_realm(struct cli_credentials *cred, 
 			       const char *val, 
@@ -975,8 +975,9 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
  * Attach NETLOGON credentials for use with SCHANNEL
  */
 
-_PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, 
-						 struct netlogon_creds_CredentialState *netlogon_creds)
+_PUBLIC_ void cli_credentials_set_netlogon_creds(
+	struct cli_credentials *cred,
+	const struct netlogon_creds_CredentialState *netlogon_creds)
 {
 	TALLOC_FREE(cred->netlogon_creds);
 	if (netlogon_creds == NULL) {

auth/credentials/credentials.h

@@ -158,8 +158,9 @@ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
 				     enum netr_SchannelType secure_channel_type);
 void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
 							     time_t last_change_time);
-void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, 
-					struct netlogon_creds_CredentialState *netlogon_creds);
+void cli_credentials_set_netlogon_creds(
+	struct cli_credentials *cred,
+	const struct netlogon_creds_CredentialState *netlogon_creds);
 NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, 
 					  struct smb_krb5_context *smb_krb5_context);
 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,

auth/credentials/credentials_krb5.c

@@ -35,6 +35,9 @@
 #include "auth/kerberos/pac_utils.h"
 #include "param/param.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
 static void cli_credentials_invalidate_client_gss_creds(
 					struct cli_credentials *cred,
 					enum credentials_obtained obtained);
@@ -1151,16 +1154,17 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
 	}
 
 	if (ktc->password_based || obtained < CRED_SPECIFIED) {
-		/* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
-		maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
-						    NULL, NULL, ktc->keytab,
-						    &gcc->creds);
-	} else {
-		/* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
-		maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
-						    NULL, princ, ktc->keytab,
-						    &gcc->creds);
+		/*
+		 * This creates a GSSAPI cred_id_t for match-by-key with only
+		 * the keytab set
+		 */
+		princ = NULL;
 	}
+	maj_stat = smb_gss_krb5_import_cred(&min_stat,
+					    smb_krb5_context->krb5_context,
+					    NULL, princ,
+					    ktc->keytab,
+					    &gcc->creds);
 	if (maj_stat) {
 		if (min_stat) {
 			ret = min_stat;

auth/credentials/credentials_ntlm.c

@@ -28,6 +28,9 @@
 #include "auth/credentials/credentials.h"
 #include "auth/credentials/credentials_internal.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
 _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
 					   int *flags,
 					   DATA_BLOB challenge,

auth/credentials/credentials_secrets.c

@@ -41,6 +41,9 @@
 #include "lib/util/util_tdb.h"
 #include "libds/common/roles.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
 /**
  * Fill in credentials for the machine trust account, from the secrets database.
  *

auth/credentials/pycredentials.c

@@ -31,6 +31,8 @@
 #include <tevent.h>
 #include "libcli/auth/libcli_auth.h"
 #include "auth/credentials/credentials_internal.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
 
 void initcredentials(void);
 
@@ -526,7 +528,7 @@ static PyObject *PyCredentialCacheContainer_from_ccache_container(struct ccache_
 static PyObject *py_creds_get_named_ccache(PyObject *self, PyObject *args)
 {
 	PyObject *py_lp_ctx = Py_None;
-	char *ccache_name;
+	char *ccache_name = NULL;
 	struct loadparm_context *lp_ctx;
 	struct ccache_container *ccc;
 	struct tevent_context *event_ctx;
@@ -569,6 +571,48 @@ static PyObject *py_creds_get_named_ccache(PyObject *self, PyObject *args)
 	return NULL;
 }
 
+static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
+{
+	struct loadparm_context *lp_ctx = NULL;
+	enum credentials_obtained obt = CRED_SPECIFIED;
+	const char *error_string = NULL;
+	TALLOC_CTX *mem_ctx = NULL;
+	char *newval = NULL;
+	PyObject *py_lp_ctx = Py_None;
+	int _obt = obt;
+	int ret;
+
+	if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
+		return NULL;
+
+	mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
+	lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
+	if (lp_ctx == NULL) {
+		talloc_free(mem_ctx);
+		return NULL;
+	}
+
+	ret = cli_credentials_set_ccache(PyCredentials_AsCliCredentials(self),
+					 lp_ctx,
+					 newval, CRED_SPECIFIED,
+					 &error_string);
+
+	if (ret != 0) {
+		PyErr_SetString(PyExc_RuntimeError,
+				error_string != NULL ? error_string : "NULL");
+		talloc_free(mem_ctx);
+		return NULL;
+	}
+
+	talloc_free(mem_ctx);
+	Py_RETURN_NONE;
+}
+
 static PyObject *py_creds_set_gensec_features(PyObject *self, PyObject *args)
 {
 	unsigned int gensec_features;
@@ -754,6 +798,9 @@ static PyMethodDef py_creds_methods[] = {
 	{ "guess", py_creds_guess, METH_VARARGS, NULL },
 	{ "set_machine_account", py_creds_set_machine_account, METH_VARARGS, NULL },
 	{ "get_named_ccache", py_creds_get_named_ccache, METH_VARARGS, NULL },
+	{ "set_named_ccache", py_creds_set_named_ccache, METH_VARARGS,
+		"S.set_named_ccache(krb5_ccache_name, obtained, lp) -> None\n"
+		"Set credentials to KRB5 Credentials Cache (by name)." },
 	{ "set_gensec_features", py_creds_set_gensec_features, METH_VARARGS, NULL },
 	{ "get_gensec_features", py_creds_get_gensec_features, METH_NOARGS, NULL },
 	{ "get_forced_sasl_mech", py_creds_get_forced_sasl_mech, METH_NOARGS,
@@ -793,10 +840,38 @@ PyTypeObject PyCredentials = {
 	.tp_methods = py_creds_methods,
 };
 
+static PyObject *py_ccache_name(PyObject *self, PyObject *unused)
+{
+	struct ccache_container *ccc = NULL;
+	char *name = NULL;
+	PyObject *py_name = NULL;
+	int ret;
+
+	ccc = pytalloc_get_type(self, struct ccache_container);
+
+	ret = krb5_cc_get_full_name(ccc->smb_krb5_context->krb5_context,
+				    ccc->ccache, &name);
+	if (ret == 0) {
+		py_name = PyString_FromStringOrNULL(name);
+		SAFE_FREE(name);
+	} else {
+		PyErr_SetString(PyExc_RuntimeError,
+				"Failed to get ccache name");
+		return NULL;
+	}
+	return py_name;
+}
+
+static PyMethodDef py_ccache_container_methods[] = {
+	{ "get_name", py_ccache_name, METH_NOARGS,
+	  "S.get_name() -> name\nObtain KRB5 credentials cache name." },
+	{ NULL }
+};
 
 PyTypeObject PyCredentialCacheContainer = {
 	.tp_name = "credentials.CredentialCacheContainer",
 	.tp_flags = Py_TPFLAGS_DEFAULT,
+	.tp_methods = py_ccache_container_methods,
 };
 
 MODULE_INIT_FUNC(credentials)

auth/credentials/tests/bind.py

@@ -43,6 +43,7 @@ creds_machine = copy.deepcopy(creds)
 creds_user1 = copy.deepcopy(creds)
 creds_user2 = copy.deepcopy(creds)
 creds_user3 = copy.deepcopy(creds)
+creds_user4 = copy.deepcopy(creds)
 
 class BindTests(samba.tests.TestCase):
 
@@ -64,7 +65,7 @@ class BindTests(samba.tests.TestCase):
         self.config_dn = self.info_dc["configurationNamingContext"][0]
         self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn
         self.password = "P@ssw0rd"
-        self.username = "BindTestUser_" + time.strftime("%s", time.gmtime())
+        self.username = "BindTestUser"
 
     def tearDown(self):
         super(BindTests, self).tearDown()
@@ -113,6 +114,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
                                       expression="(samAccountName=%s)" % self.username)
         self.assertEquals(len(ldb_res), 1)
         user_dn = ldb_res[0]["dn"]
+        self.addCleanup(delete_force, self.ldb, user_dn)
 
         # do a simple bind and search with the user account in format user@realm
         creds_user1.set_bind_dn(self.username + "@" + creds.get_realm())
@@ -138,5 +140,27 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
                                               lp=lp, ldap_only=True)
         res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 
+    def test_user_account_bind_no_domain(self):
+        # create user
+        self.ldb.newuser(username=self.username, password=self.password)
+        ldb_res = self.ldb.search(base=self.domain_dn,
+                                      scope=SCOPE_SUBTREE,
+                                      expression="(samAccountName=%s)" % self.username)
+        self.assertEquals(len(ldb_res), 1)
+        user_dn = ldb_res[0]["dn"]
+        self.addCleanup(delete_force, self.ldb, user_dn)
+
+        creds_user4.set_username(self.username)
+        creds_user4.set_password(self.password)
+        creds_user4.set_domain('')
+        creds_user4.set_workstation('')
+        print "BindTest (no domain) with: " + self.username
+        try:
+            ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4,
+                                              lp=lp, ldap_only=True)
+        except:
+            self.fail("Failed to connect without the domain set")
+
+        res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 
 TestProgram(module=__name__, opts=subunitopts)

auth/gensec/external.c

@@ -28,6 +28,9 @@
 #include "auth/gensec/gensec_proto.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
 /* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
  * layer is already mutually authenticated.
  */

auth/gensec/gensec.c

@@ -31,6 +31,9 @@
 #include "librpc/gen_ndr/dcerpc.h"
 #include "auth/common_auth.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
 _PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
 					   bool full_reset)
 {
@@ -319,38 +322,48 @@ static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
 	return NT_STATUS_OK;
 }
 
-_PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
-				   TALLOC_CTX *out_mem_ctx,
-				   struct tevent_context *ev,
-				   const DATA_BLOB in, DATA_BLOB *out)
+/**
+ * Next state function for the GENSEC state machine
+ *
+ * @param gensec_security GENSEC State
+ * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
+ * @param in The request, as a DATA_BLOB
+ * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
+ * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
+ *                or NT_STATUS_OK if the user is authenticated.
+ */
+_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security,
+				TALLOC_CTX *out_mem_ctx,
+				const DATA_BLOB in, DATA_BLOB *out)
 {
 	NTSTATUS status;
-	const struct gensec_security_ops *ops = gensec_security->ops;
 	TALLOC_CTX *frame = NULL;
+	struct tevent_context *ev = NULL;
 	struct tevent_req *subreq = NULL;
 	bool ok;
 
-	if (gensec_security->child_security != NULL) {
-		return NT_STATUS_INVALID_PARAMETER;
+	if (gensec_security->subcontext) {
+		/*
+		 * gensec modules are not allowed to call the sync version.
+		 */
+		return NT_STATUS_INTERNAL_ERROR;
 	}
 
 	frame = talloc_stackframe();
 
+	ev = samba_tevent_context_init(frame);
 	if (ev == NULL) {
-		ev = samba_tevent_context_init(frame);
-		if (ev == NULL) {
-			status = NT_STATUS_NO_MEMORY;
-			goto fail;
-		}
-
-		/*
-		 * TODO: remove this hack once the backends
-		 * are fixed.
-		 */
-		tevent_loop_allow_nesting(ev);
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
 	}
 
-	subreq = ops->update_send(frame, ev, gensec_security, in);
+	/*
+	 * TODO: remove this hack once the backends
+	 * are fixed.
+	 */
+	tevent_loop_allow_nesting(ev);
+
+	subreq = gensec_update_send(frame, ev, gensec_security, in);
 	if (subreq == NULL) {
 		status = NT_STATUS_NO_MEMORY;
 		goto fail;
@@ -359,43 +372,12 @@ _PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
 	if (!ok) {
 		goto fail;
 	}
-	status = ops->update_recv(subreq, out_mem_ctx, out);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto fail;
-	}
-
-	/*
-	 * Because callers using the
-	 * gensec_start_mech_by_auth_type() never call
-	 * gensec_want_feature(), it isn't sensible for them
-	 * to have to call gensec_have_feature() manually, and
-	 * these are not points of negotiation, but are
-	 * asserted by the client
-	 */
-	status = gensec_verify_features(gensec_security);
+	status = gensec_update_recv(subreq, out_mem_ctx, out);
  fail:
 	TALLOC_FREE(frame);
 	return status;
 }
 
-/**
- * Next state function for the GENSEC state machine
- *
- * @param gensec_security GENSEC State
- * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
- * @param in The request, as a DATA_BLOB
- * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
- * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
- *                or NT_STATUS_OK if the user is authenticated.
- */
-
-_PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security,
-				TALLOC_CTX *out_mem_ctx,
-				const DATA_BLOB in, DATA_BLOB *out)
-{
-	return gensec_update_ev(gensec_security, out_mem_ctx, NULL, in, out);
-}
-
 struct gensec_update_state {
 	const struct gensec_security_ops *ops;
 	struct gensec_security *gensec_security;
@@ -454,6 +436,9 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
 	}
 	tevent_req_set_callback(subreq, gensec_update_done, req);
 
+	DBG_DEBUG("%s[%p]: subreq: %p\n", state->ops->name,
+		  state->gensec_security, subreq);
+
 	return req;
 }
 
@@ -484,15 +469,35 @@ static void gensec_update_done(struct tevent_req *subreq)
 		tevent_req_data(req,
 		struct gensec_update_state);
 	NTSTATUS status;
+	const char *debug_subreq = NULL;
+
+	if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) {
+		/*
+		 * We need to call tevent_req_print()
+		 * before calling the _recv function,
+		 * before tevent_req_received() was called.
+		 * in order to print the pointer value of
+		 * the subreq state.
+		 */
+		debug_subreq = tevent_req_print(state, subreq);
+	}
 
 	status = state->ops->update_recv(subreq, state, &state->out);
 	TALLOC_FREE(subreq);
 	state->status = status;
-	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		tevent_req_done(req);
+	if (GENSEC_UPDATE_IS_NTERROR(status)) {
+		DBG_INFO("%s[%p]: %s%s%s\n", state->ops->name,
+			 state->gensec_security, nt_errstr(status),
+			 debug_subreq ? " " : "",
+			 debug_subreq ? debug_subreq : "");
+		tevent_req_nterror(req, status);
 		return;
 	}
-	if (tevent_req_nterror(req, status)) {
+	DBG_DEBUG("%s[%p]: %s %s\n", state->ops->name,
+		  state->gensec_security, nt_errstr(status),
+		  debug_subreq);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		tevent_req_done(req);
 		return;
 	}
 

auth/gensec/gensec.h

@@ -138,10 +138,6 @@ size_t gensec_max_update_size(struct gensec_security *gensec_security);
 NTSTATUS gensec_update(struct gensec_security *gensec_security,
 		       TALLOC_CTX *out_mem_ctx,
 		       const DATA_BLOB in, DATA_BLOB *out);
-NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
-			  TALLOC_CTX *out_mem_ctx,
-			  struct tevent_context *ev,
-			  const DATA_BLOB in, DATA_BLOB *out);
 struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
 				      struct tevent_context *ev,
 				      struct gensec_security *gensec_security,

auth/gensec/gensec_internal.h

@@ -86,6 +86,7 @@ struct gensec_security_ops {
 	bool enabled;
 	bool kerberos;
 	enum gensec_priority priority;
+	bool glue;
 };
 
 struct gensec_security_ops_wrapper {

auth/gensec/gensec_start.c

@@ -33,6 +33,9 @@
 #include "lib/util/samba_modules.h"
 #include "lib/util/base64.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
 /* the list of currently registered GENSEC backends */
 static const struct gensec_security_ops **generic_security_ops;
 static int gensec_num_backends;
@@ -98,15 +101,12 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
 
 	j = 0;
 	for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
-		int oid_idx;
 		bool keep = false;
 
-		for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
-			if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
-				keep = true;
-				break;
-			}
-		}
+		/*
+		 * We want to keep SPNGEO and other backends
+		 */
+		keep = old_gensec_list[i]->glue;
 
 		if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
 			keep = keep_schannel;

auth/gensec/gensec_util.c

@@ -26,6 +26,9 @@
 #include "auth/common_auth.h"
 #include "../lib/util/asn1.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  struct gensec_security *gensec_security,
 					  struct smb_krb5_context *smb_krb5_context,