From: Andrew Bartlett
Date: Fri, 26 Jun 2015 07:15:31 +0000 (+1200)
Subject: selftest: Add test for GSSAPI with no authenticator checksum mode
X-Git-Tag: talloc-2.1.4~447
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=711a420eef90026bc08c8630a8ccd0e0a78207ef;p=thirdparty%2Fsamba.git
selftest: Add test for GSSAPI with no authenticator checksum mode
This was seen in the wild, with a Huawei Unified Storage System S5500 V3 against the AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Wed Aug 5 09:43:40 CEST 2015 on sn-devel-104
---
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 56513c9e5d2..23c26f61e3b 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -285,13 +285,12 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 const char *error_string;
 const char *principal;
 const char *hostname;
- krb5_data in_data;
+ krb5_data in_data = { .length = 0 };
 krb5_data *in_data_p = NULL;
 struct tevent_context *previous_ev;
 if (lpcfg_parm_bool(gensec_security->settings->lp_ctx, NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
- in_data.length = 0;
 in_data_p = &in_data;
 }
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 6a30164e932..3bc820cca5f 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
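Review bot: The new initializer `krb5_data in_data = { .length = 0 };` in gensec_krb5_common_client_creds() (source4/auth/gensec/gensec_krb5.c) is not explained anywhere, and the commit message only mentions the selftest. As far as the hunk shows, the old code set only `length` before taking `&in_data`, leaving the `data` member indeterminate, while the designated initializer now zeroes it as well. That is worth a comment on the declaration, e.g. `/* zero-length in_data (data = NULL); in_data_p stays NULL when no authenticator checksum is to be sent */`. How in_data_p is consumed lies outside the hunk, so the second half of that comment should be checked against the call site; the function body starts and ends outside the hunk.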
@@ -185,6 +185,7 @@ for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc", "fl2008r2dc", "ad_dc"]:
 plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=$NETBIOSNAME\$]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal dollar" % (transport,))
 plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=$NETBIOSNAME]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal" % (transport,))
 plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport)
+ plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME', '--option=gensec_krb5:send_authenticator_checksum=false'], "samba4.rpc.lsa.secrets on %s with Kerberos - use raw-krb5-no-authenticator-checksum style login" % transport)
 plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport)
 # Winreg tests test bulk Kerberos encryption of DCE/RPC
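Review bot: The added plan line passing `--option=gensec_krb5:send_authenticator_checksum=false` has no comment saying what it guards, so a later reader cannot tell why the DC is expected to accept a login without the checksum. A line above it such as `# Some clients send raw krb5 without an authenticator checksum (bug 11425); the AD DC must keep accepting it` would record that this is an interoperability case taken from the commit message, not a recommended client setting. The new call also repeats the option list of the Samba3-style line before it almost verbatim; building both from one shared list would keep them from drifting apart. The enclosing loops start outside the hunk.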