summaryrefslogtreecommitdiffstats
path: root/nsswitch/tests
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /nsswitch/tests
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'nsswitch/tests')
-rwxr-xr-xnsswitch/tests/test_idmap_ad.sh248
-rwxr-xr-xnsswitch/tests/test_idmap_nss.sh41
-rwxr-xr-xnsswitch/tests/test_idmap_rfc2307.sh221
-rwxr-xr-xnsswitch/tests/test_idmap_rid.sh198
-rwxr-xr-xnsswitch/tests/test_rfc2307_mapping.sh187
-rwxr-xr-xnsswitch/tests/test_ticket_expiry.sh74
-rwxr-xr-xnsswitch/tests/test_wbinfo.sh321
-rwxr-xr-xnsswitch/tests/test_wbinfo_name_lookup.sh64
-rwxr-xr-xnsswitch/tests/test_wbinfo_sids_to_xids.sh32
-rwxr-xr-xnsswitch/tests/test_wbinfo_simple.sh25
-rwxr-xr-xnsswitch/tests/test_wbinfo_user_info.sh140
-rwxr-xr-xnsswitch/tests/test_wbinfo_user_info_cached.sh50
12 files changed, 1601 insertions, 0 deletions
diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
new file mode 100755
index 0000000..323aa17
--- /dev/null
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -0,0 +1,248 @@
+#!/bin/sh
+#
+# Basic testing of id mapping with idmap_ad
+#
+
+if [ $# -ne 6 ]; then
+ echo Usage: $0 DOMAIN DC_SERVER DC_PASSWORD TRUST_DOMAIN TRUST_SERVER TRUST_PASSWORD
+ exit 1
+fi
+
+DOMAIN="$1"
+DC_SERVER="$2"
+DC_PASSWORD="$3"
+TRUST_DOMAIN="$4"
+TRUST_SERVER="$5"
+TRUST_PASSWORD="$6"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+ldbmodify="$VALGRIND $BINDIR/ldbmodify"
+ldbsearch="$VALGRIND $BINDIR/ldbsearch"
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
+if [ $? -ne 0 ]; then
+ echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+
+TRUST_DOMAIN_SID=$($wbinfo -n "$TRUST_DOMAIN/" | cut -f 1 -d " ")
+if [ $? -ne 0 ]; then
+ echo "Could not find trusted domain SID" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+
+BASE_DN=$($ldbsearch -H ldap://$DC_SERVER -b "" --scope=base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}')
+if [ $? -ne 0 ]; then
+ echo "Could not find base DN" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+
+TRUST_BASE_DN=$($ldbsearch -H ldap://$TRUST_SERVER -b "" --scope=base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}')
+if [ $? -ne 0 ]; then
+ echo "Could not find trusted base DN" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+
+#
+# Add POSIX ids to AD
+#
+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
+dn: CN=Administrator,CN=Users,$BASE_DN
+changetype: modify
+add: uidNumber
+uidNumber: 2000000
+add: gidNumber
+gidNumber: 2000100
+add: unixHomeDirectory
+unixHomeDirectory: /home/admin
+add: loginShell
+loginShell: /bin/tcsh
+add: gecos
+gecos: Administrator Full Name
+EOF
+
+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
+dn: CN=Domain Users,CN=Users,$BASE_DN
+changetype: modify
+add: gidNumber
+gidNumber: 2000001
+EOF
+
+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
+dn: CN=Domain Admins,CN=Users,$BASE_DN
+changetype: modify
+add: gidNumber
+gidNumber: 2000002
+EOF
+
+#
+# Add POSIX ids to trusted domain
+#
+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
+changetype: modify
+add: uidNumber
+uidNumber: 2500000
+EOF
+
+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
+changetype: modify
+add: gidNumber
+gidNumber: 2500001
+EOF
+
+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
+changetype: modify
+add: gidNumber
+gidNumber: 2500002
+EOF
+
+#
+# Test 1: Test uid of Administrator, should be 2000000
+#
+
+out="$($wbinfo -S $DOMAIN_SID-500)"
+echo "wbinfo returned: \"$out\", expecting \"2000000\""
+test "$out" = "2000000"
+ret=$?
+testit "Test uid of Administrator is 2000000" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 2: Test gid of Domain Users, should be 2000001
+#
+
+out="$($wbinfo -Y $DOMAIN_SID-513)"
+echo "wbinfo returned: \"$out\", expecting \"2000001\""
+test "$out" = "2000001"
+ret=$?
+testit "Test uid of Domain Users is 2000001" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 3: Test get userinfo for Administrator works
+#
+
+out="$($wbinfo -i $DOMAIN/Administrator)"
+echo "wbinfo returned: \"$out\", expecting \"$DOMAIN/administrator:*:2000000:2000100:Administrator Full Name:/home/admin:/bin/tcsh\""
+test "$out" = "$DOMAIN/administrator:*:2000000:2000100:Administrator Full Name:/home/admin:/bin/tcsh"
+ret=$?
+testit "Test get userinfo for Administrator works" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 4: Test lookup from gid to sid
+#
+
+out="$($wbinfo -G 2000002)"
+echo "wbinfo returned: \"$out\", expecting \"$DOMAIN_SID-512\""
+test "$out" = "$DOMAIN_SID-512"
+ret=$?
+testit "Test gid lookup of Domain Admins" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Trusted domain test 1: Test uid of Administrator, should be 2500000
+#
+
+out="$($wbinfo -S $TRUST_DOMAIN_SID-500)"
+echo "wbinfo returned: \"$out\", expecting \"2500000\""
+test "$out" = "2500000"
+ret=$?
+testit "Test uid of Administrator in trusted domain is 2500000" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Trusted domain test 2: Test gid of Domain Users, should be 2500001
+#
+
+out="$($wbinfo -Y $TRUST_DOMAIN_SID-513)"
+echo "wbinfo returned: \"$out\", expecting \"2500001\""
+test "$out" = "2500001"
+ret=$?
+testit "Test uid of Domain Users in trusted domain is 2500001" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Trusted domain test 3: Test get userinfo for Administrator works
+#
+
+out="$($wbinfo -i $TRUST_DOMAIN/Administrator)"
+echo "wbinfo returned: \"$out\", expecting \"$TRUST_DOMAIN/administrator:*:2500000:2500001::/home/$TRUST_DOMAIN/administrator:/bin/false\""
+test "$out" = "$TRUST_DOMAIN/administrator:*:2500000:2500001::/home/$TRUST_DOMAIN/administrator:/bin/false"
+ret=$?
+testit "Test get userinfo for Administrator works" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Trusted domain test 4: Test lookup from gid to sid
+#
+
+out="$($wbinfo -G 2500002)"
+echo "wbinfo returned: \"$out\", expecting \"$TRUST_DOMAIN_SID-512\""
+test "$out" = "$TRUST_DOMAIN_SID-512"
+ret=$?
+testit "Test gid lookup of Domain Admins in trusted domain." test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Remove POSIX ids from AD
+#
+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
+dn: CN=Administrator,CN=Users,$BASE_DN
+changetype: modify
+delete: uidNumber
+uidNumber: 2000000
+delete: gidNumber
+gidNumber: 2000100
+delete: unixHomeDirectory
+unixHomeDirectory: /home/admin
+delete: loginShell
+loginShell: /bin/tcsh
+delete: gecos
+gecos: Administrator Full Name
+EOF
+
+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
+dn: CN=Domain Users,CN=Users,$BASE_DN
+changetype: modify
+delete: gidNumber
+gidNumber: 2000001
+EOF
+
+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
+dn: CN=Domain Admins,CN=Users,$BASE_DN
+changetype: modify
+delete: gidNumber
+gidNumber: 2000002
+EOF
+
+#
+# Remove POSIX ids from trusted domain
+#
+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
+changetype: modify
+delete: uidNumber
+uidNumber: 2500000
+EOF
+
+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
+changetype: modify
+delete: gidNumber
+gidNumber: 2500001
+EOF
+
+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
+changetype: modify
+delete: gidNumber
+gidNumber: 2500002
+EOF
+
+exit $failed
diff --git a/nsswitch/tests/test_idmap_nss.sh b/nsswitch/tests/test_idmap_nss.sh
new file mode 100755
index 0000000..e7a57dc
--- /dev/null
+++ b/nsswitch/tests/test_idmap_nss.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Test id mapping with unknown SID and non-allocating idmap backend
+if [ $# -lt 1 ]; then
+ echo Usage: $0 DOMAIN
+ exit 1
+fi
+
+DOMAIN="$1"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+testit "wbinfo returns domain SID" $wbinfo -n "$DOMAIN/" || exit 1
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
+echo "Domain $DOMAIN has SID $DOMAIN_SID"
+
+# Find an unused uid and SID
+RID=66666
+while true; do
+ id $RID
+ if [ $? -ne 0 ]; then
+ $wbinfo -s $DOMAIN_SID-$RID
+ if [ $? -ne 0 ]; then
+ break
+ fi
+ fi
+ RID=$(expr $RID + 1)
+done
+
+echo "Using non-existing SID $DOMAIN_SID-$RID to check no id allocation is done by the backend"
+
+out="$($wbinfo --sids-to-unix-ids=$DOMAIN_SID-$RID)"
+echo "wbinfo returned: $out"
+test "$out" = "$DOMAIN_SID-$RID -> unmapped"
+ret=$?
+testit "wbinfo SID to xid returns unmapped for unknown SID" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_idmap_rfc2307.sh b/nsswitch/tests/test_idmap_rfc2307.sh
new file mode 100755
index 0000000..b24cf45
--- /dev/null
+++ b/nsswitch/tests/test_idmap_rfc2307.sh
@@ -0,0 +1,221 @@
+#!/bin/sh
+# Test id mapping through idmap_rfc2307 module
+if [ $# -lt 15 ]; then
+ echo Usage: $0 DOMAIN USERNAME UID USERNAME2 UID2 \
+ GROUPNAME GID GROUPNAME2 GID2 GID_START NUMGROUPS \
+ LDAPPREFIX DC_SERVER DC_USERNAME DC_PASSWORD
+ exit 1
+fi
+
+DOMAIN="$1"
+USERNAME="$2"
+USERUID="$3"
+USERNAME2="$4"
+USERUID2="$5"
+GROUPNAME="$6"
+GROUPGID="$7"
+GROUPNAME2="$8"
+GROUPGID2="$9"
+shift 9
+GID_START="$1"
+NUMGROUPS="$2"
+LDAPPREFIX="$3"
+DC_SERVER="$4"
+DC_USERNAME="$5"
+DC_PASSWORD="$6"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+net="$VALGRIND $BINDIR/net"
+
+ldbsearch="ldbsearch"
+if [ -x "$BINDIR/ldbsearch" ]; then
+ ldbsearch="$BINDIR/ldbsearch"
+fi
+
+ldbadd="ldbadd"
+if [ -x "$BINDIR/ldbadd" ]; then
+ ldbadd="$BINDIR/ldbadd"
+fi
+
+ldbdel="ldbdel"
+if [ -x "$BINDIR/ldbdel" ]; then
+ ldbdel="$BINDIR/ldbdel"
+fi
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+# Delete LDAP records
+$VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "$LDAPPREFIX" --controls="tree_delete:1"
+
+# Add id mapping information to LDAP
+
+testit "add ldap prefix" $VALGRIND $ldbadd -H ldap://$DC_SERVER \
+ -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: $LDAPPREFIX
+objectclass: organizationalUnit
+EOF
+
+testit "add ldap user mapping record" $VALGRIND $ldbadd -H ldap://$DC_SERVER \
+ -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$USERNAME,$LDAPPREFIX
+objectClass: organizationalPerson
+objectClass: posixAccount
+ou: People
+cn: $USERNAME
+uid: $USERNAME
+uidNumber: $USERUID
+gidNumber: 1
+homeDirectory: /home/admin
+EOF
+
+testit "add second ldap user mapping record" $VALGRIND $ldbadd \
+ -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$USERNAME2,$LDAPPREFIX
+objectClass: organizationalPerson
+objectClass: posixAccount
+ou: People
+cn: $USERNAME2
+uid: $USERNAME2
+uidNumber: $USERUID2
+gidNumber: 2
+homeDirectory: /home/admin
+EOF
+
+testit "add ldap group mapping record" $VALGRIND $ldbadd \
+ -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$GROUPNAME,$LDAPPREFIX
+objectClass: posixGroup
+objectClass: groupOfNames
+cn: $GROUPNAME
+gidNumber: $GROUPGID
+member: cn=$USERNAME,$LDAPPREFIX
+EOF
+
+testit "add second ldap group mapping record" $VALGRIND $ldbadd \
+ -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$GROUPNAME2,$LDAPPREFIX
+objectClass: posixGroup
+objectClass: groupOfNames
+cn: $GROUPNAME2
+gidNumber: $GROUPGID2
+member: cn=$USERNAME,$LDAPPREFIX
+EOF
+
+testit "wbinfo --name-to-sid" $wbinfo --name-to-sid "$DOMAIN/$USERNAME" || failed=$(expr $failed + 1)
+user_sid=$($wbinfo -n "$DOMAIN/$USERNAME" | cut -d " " -f1)
+echo "$DOMAIN/$USERNAME resolved to $user_sid"
+
+testit "wbinfo --sid-to-uid=$user_sid" $wbinfo --sid-to-uid=$user_sid || failed=$(expr $failed + 1)
+user_uid=$($wbinfo --sid-to-uid=$user_sid | cut -d " " -f1)
+echo "$DOMAIN/$USERNAME resolved to $user_uid"
+
+testit "test $user_uid -eq $USERUID" test $user_uid -eq $USERUID || failed=$(expr $failed + 1)
+
+# Not sure how to get group names with spaces to resolve through testit
+#testit "wbinfo --name-to-sid" $wbinfo --name-to-sid="$DOMAIN/$GROUPNAME" || failed=$(expr $failed + 1)
+group_sid=$($wbinfo --name-to-sid="$DOMAIN/$GROUPNAME" | cut -d " " -f1)
+echo "$DOMAIN/$GROUPNAME resolved to $group_sid"
+
+testit "wbinfo --sid-to-gid=$group_sid" $wbinfo --sid-to-gid=$group_sid || failed=$(expr $failed + 1)
+group_gid=$($wbinfo --sid-to-gid=$group_sid | cut -d " " -f1)
+echo "$DOMAIN/$GROUPNAME resolved to $group_gid"
+
+testit "test $group_gid -eq $GROUPGID" test $group_gid -eq $GROUPGID || failed=$(expr $failed + 1)
+
+# Use different user and group for reverse lookup to not read from cache
+
+testit "$wbinfo --uid-to-sid=$USERUID2" $wbinfo --uid-to-sid=$USERUID2 || failed=$(expr $failed + 1)
+user_sid2=$($wbinfo --uid-to-sid=$USERUID2 | cut -d " " -f1)
+echo "UID $USERUID2 resolved to SID $user_sid2"
+
+testit "$wbinfo --sid-to-name=$user_sid2" $wbinfo --sid-to-name=$user_sid2 || failed=$(expr $failed + 1)
+user_name2=$($wbinfo --sid-to-name=$user_sid2 | cut -d " " -f1)
+echo "SID $user_sid2 resolved to $user_name2"
+
+testit "test $user_name2 = $DOMAIN/$USERNAME2" test "$(echo $user_name2 | tr A-Z a-z)" = "$(echo $DOMAIN/$USERNAME2 | tr A-Z a-z)" || failed=$(expr $failed + 1)
+
+testit "$wbinfo --gid-to-sid=$GROUPGID2" $wbinfo --gid-to-sid=$GROUPGID2 || failed=$(expr $failed + 1)
+group_sid2=$($wbinfo --gid-to-sid=$GROUPGID2 | cut -d " " -f1)
+echo "GID $GROUPGID2 resolved to SID $group_sid2"
+
+testit "$wbinfo --sid-to-name=$group_sid2" $wbinfo --sid-to-name=$group_sid2 || failed=$(expr $failed + 1)
+group_name2=$($wbinfo --sid-to-name=$group_sid2 | cut -d " " -f1)
+echo "SID $group_sid2 resolved to $group_name2"
+
+testit "test $group_name2 = $DOMAIN/$GROUPNAME2" test "$(echo $group_name2 | tr A-Z a-z)" = "$(echo $DOMAIN/$GROUPNAME2 | tr A-Z a-z)" || failed=$(expr $failed + 1)
+
+i=0
+while [ ${i} -lt ${NUMGROUPS} ]; do
+ GRP=$(printf "test_rfc2307_group_%3.3d" "$i")
+ GRP_GID=$(expr "$GID_START" + "$i")
+ testit "Add group $GRP" $net rpc group add "$GRP" -S "$DC_SERVER" \
+ -U"${DOMAIN}\\${DC_USERNAME}"%"${DC_PASSWORD}" ||
+ failed=$(expr $failed + 1)
+ testit "Add groupmem $GRP $USERNAME" \
+ $net rpc group addmem "$GRP" "$USERNAME" \
+ -S "$DC_SERVER" \
+ -U"${DOMAIN}\\${DC_USERNAME}"%"${DC_PASSWORD}" ||
+ failed=$(expr $failed + 1)
+ testit "Add group object for $GRP $GRP_GID" \
+ $VALGRIND $ldbadd \
+ -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$GRP,$LDAPPREFIX
+objectClass: posixGroup
+objectClass: groupOfNames
+cn: $GRP
+gidNumber: $GRP_GID
+member: cn=$USERNAME,$LDAPPREFIX
+EOF
+ i=$(expr "$i" + 1)
+done
+
+# Test whether wbinfo --xids-to-sids finds everything
+
+GIDS=""
+i=0
+while [ ${i} -lt ${NUMGROUPS} ]; do
+ GIDS="$GIDS g$(expr ${i} + ${GID_START})"
+ i=$(expr "$i" + 1)
+done
+NUM_VALID_SIDS=$($wbinfo --unix-ids-to-sids="$GIDS" | grep -v ^"NOT MAPPED" | wc -l)
+
+testit "Count number of valid sids found" \
+ test ${NUM_VALID_SIDS} = ${NUMGROUPS} ||
+ failed=$(expr $failed + 1)
+
+# Prime the cache so we test idmap, not the harder problem of
+# consistent group memberships for users without a login.
+
+testit "Authenticate the user to prime the netlogon cache" \
+ $wbinfo -a $DOMAIN/$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1)
+
+# Test whether wbinfo -r shows all groups
+
+EXPECTED_USERGROUPS="1000000/1000001/2000002/"
+i=0
+while [ ${i} -lt ${NUMGROUPS} ]; do
+ EXPECTED_USERGROUPS="$EXPECTED_USERGROUPS$(expr ${i} + ${GID_START})/"
+ i=$(expr "$i" + 1)
+done
+
+USERGROUPS=$($wbinfo -r $DOMAIN/$USERNAME | sort -n | tr '\n' '/')
+
+testit "Testing for expected group memberships" \
+ test "$USERGROUPS" = "$EXPECTED_USERGROUPS" ||
+ failed=$(expr $failed + 1)
+
+i=0
+while [ ${i} -lt ${NUMGROUPS} ]; do
+ GRP=$(printf "test_rfc2307_group_%3.3d" ${i})
+ testit "Del group $GRP" $net rpc group delete "$GRP" -S "$DC_SERVER" \
+ -U"${DOMAIN}\\${DC_USERNAME}"%"${DC_PASSWORD}" ||
+ failed=$(expr $failed + 1)
+ i=$(expr "$i" + 1)
+done
+
+# Delete LDAP records
+$VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "$LDAPPREFIX" --controls="tree_delete:1"
+
+exit $failed
diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh
new file mode 100755
index 0000000..1487aa2
--- /dev/null
+++ b/nsswitch/tests/test_idmap_rid.sh
@@ -0,0 +1,198 @@
+#!/bin/sh
+#
+# Test id mapping with various SIDs and idmap_rid
+#
+
+if [ $# -lt 1 ]; then
+ echo Usage: $0 DOMAIN RANGE_START
+ exit 1
+fi
+
+DOMAIN="$1"
+RANGE_START="$2"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
+if [ $? -ne 0 ]; then
+ echo "Could not find domain SID" | subunit_fail_test "test_idmap_rid"
+ exit 1
+fi
+
+# Find an unused uid and SID
+RID=66666
+MAX_RID=77777
+while true; do
+ id $RID
+ if [ $? -ne 0 ]; then
+ SID="$DOMAIN_SID-$RID"
+ $wbinfo -s $SID
+ if [ $? -ne 0 ]; then
+ break
+ fi
+ fi
+ RID=$(expr $RID + 1)
+ if [ $RID -eq $MAX_RID ]; then
+ echo "Could not find free SID" | subunit_fail_test "test_idmap_rid"
+ exit 1
+ fi
+done
+
+#
+# Test 1: Using non-existing SID to check backend returns a mapping
+#
+
+EXPECTED_ID=$(expr $RID + $RANGE_START)
+out="$($wbinfo --sids-to-unix-ids=$SID)"
+echo "wbinfo returned: \"$out\", expecting \"$SID -> uid/gid $EXPECTED_ID\""
+test "$out" = "$SID -> uid/gid $EXPECTED_ID"
+ret=$?
+testit "Unknown RID from primary domain returns a mapping" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 2: Using bogus SID with bad domain part to check idmap backend does not generate a mapping
+#
+
+SID=S-1-5-21-1111-2222-3333-666
+out="$($wbinfo --sids-to-unix-ids=$SID)"
+echo "wbinfo returned: \"$out\", expecting \"$SID -> unmapped\""
+test "$out" = "$SID -> unmapped"
+ret=$?
+testit "Bogus SID returns unmapped" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 3: ID_TYPE_BOTH mappings for group
+#
+
+GROUP="$DOMAIN/Domain Users"
+GROUP_SID=$($wbinfo --name-to-sid="$GROUP" | sed -e 's/ .*//')
+
+uid=$($wbinfo --sid-to-uid=$GROUP_SID)
+ret=$?
+testit "ID_TYPE_BOTH group map to uid succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH group map to uid has result" test -n $uid ||
+ failed=$(expr $failed + 1)
+
+gid=$($wbinfo --sid-to-gid=$GROUP_SID)
+ret=$?
+testit "ID_TYPE_BOTH group map to gid succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH group map to gid has result" test -n $gid ||
+ failed=$(expr $failed + 1)
+
+testit "ID_TYPE_BOTH group uid equals gid" test $uid -eq $gid ||
+ failed=$(expr $failed + 1)
+
+group_pw="$DOMAIN/domain users:*:$uid:$gid::/home/$DOMAIN/domain users:/bin/false"
+
+out=$(getent passwd "$GROUP")
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+test "$out" = "$group_pw"
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH group output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+out=$(getent passwd $uid)
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$group_pw"
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH group output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+group_gr="$DOMAIN/domain users:x:$gid:"
+
+out=$(getent group "$GROUP")
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$group_gr"
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH group output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+out=$(getent group "$gid")
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$group_gr"
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH group output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+#
+# Test 4: ID_TYPE_BOTH mappings for user
+#
+
+dom_users_gid=$gid
+
+USER="$DOMAIN/Administrator"
+USER_SID=$($wbinfo --name-to-sid="$USER" | sed -e 's/ .*//')
+
+uid=$($wbinfo --sid-to-uid=$USER_SID)
+ret=$?
+testit "ID_TYPE_BOTH user map to uid succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH user map to uid has result" test -n $uid ||
+ failed=$(expr $failed + 1)
+
+gid=$($wbinfo --sid-to-gid=$USER_SID)
+ret=$?
+testit "ID_TYPE_BOTH user map to gid succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH user map to gid has result" test -n $gid ||
+ failed=$(expr $failed + 1)
+
+testit "ID_TYPE_BOTH user uid equals gid" test $uid -eq $gid ||
+ failed=$(expr $failed + 1)
+
+user_pw="$DOMAIN/administrator:*:$uid:$dom_users_gid::/home/$DOMAIN/administrator:/bin/false"
+
+out=$(getent passwd "$USER")
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+test "$out" = "$user_pw"
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH user output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+out=$(getent passwd $uid)
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$user_pw"
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH user output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+user_gr="$DOMAIN/administrator:x:$gid:$DOMAIN/administrator"
+
+out=$(getent group "$USER")
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$user_gr"
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH user output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+out=$(getent group "$gid")
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$user_gr"
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH user output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_rfc2307_mapping.sh b/nsswitch/tests/test_rfc2307_mapping.sh
new file mode 100755
index 0000000..8cd2e5d
--- /dev/null
+++ b/nsswitch/tests/test_rfc2307_mapping.sh
@@ -0,0 +1,187 @@
+#!/bin/sh
+# Blackbox test for wbinfo and rfc2307 mappings
+if [ $# -lt 4 ]; then
+ cat <<EOF
+Usage: test_rfc2307_mapping.sh DOMAIN USERNAME PASSWORD SERVER UID_RFC2307TEST GID_RFC2307TEST
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+USERNAME=$2
+PASSWORD=$3
+SERVER=$4
+UID_RFC2307TEST=$5
+GID_RFC2307TEST=$6
+shift 6
+
+failed=0
+samba4bindir="$BINDIR"
+wbinfo="$VALGRIND $samba4bindir/wbinfo"
+samba_tool="$VALGRIND $samba4bindir/samba-tool"
+if [ -f "$samba4bindir/ldbmodify" ]; then
+ ldbmodify="$samba4bindir/ldbmodify"
+else
+ # Using system ldbmodify
+ ldbmodify="ldbmodify"
+fi
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+testfail()
+{
+ name="$1"
+ shift
+ cmdline="$*"
+ echo "test: $name"
+ $cmdline
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "failure: $name"
+ else
+ echo "success: $name"
+ fi
+ return $status
+}
+
+knownfail()
+{
+ name="$1"
+ shift
+ cmdline="$*"
+ echo "test: $name"
+ $cmdline
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "failure: $name [unexpected success]"
+ status=1
+ else
+ echo "knownfail: $name"
+ status=0
+ fi
+ return $status
+}
+
+# Create new testing account
+testit "user add" $PYTHON $samba_tool user create --given-name="rfc2307" --surname="Tester" --initial="UT" rfc2307_test_user testp@ssw0Rd $@
+
+#test creation of six different groups
+testit "group add" $PYTHON $samba_tool group add $CONFIG --group-scope='Domain' --group-type='Security' rfc2307_test_group $@
+
+# Create new testing group
+
+# Convert name to SID
+testit "wbinfo -n against $TARGET" $wbinfo -n "$DOMAIN/rfc2307_test_user" || failed=$(expr $failed + 1)
+user_sid=$($wbinfo -n "$DOMAIN/rfc2307_test_user" | cut -d " " -f1)
+echo "$DOMAIN/rfc2307_test_user resolved to $user_sid"
+
+testit "wbinfo -s $user_sid against $TARGET" $wbinfo -s $user_sid || failed=$(expr $failed + 1)
+user_name=$($wbinfo -s $user_sid | cut -d " " -f1 | tr a-z A-Z)
+echo "$user_sid resolved to $user_name"
+
+tested_name=$(echo $DOMAIN/rfc2307_test_user | tr a-z A-Z)
+
+# Now check that wbinfo works correctly (sid <=> name)
+echo "test: wbinfo -s check for sane mapping"
+if test x$user_name != x$tested_name; then
+ echo "$user_name does not match $tested_name"
+ echo "failure: wbinfo -s check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -s check for sane mapping"
+fi
+
+testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $user_name || failed=$(expr $failed + 1)
+test_sid=$($wbinfo -n $tested_name | cut -d " " -f1)
+
+echo "test: wbinfo -n check for sane mapping"
+if test x$user_sid != x$test_sid; then
+ echo "$user_sid does not match $test_sid"
+ echo "failure: wbinfo -n check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -n check for sane mapping"
+fi
+
+testit "wbinfo -n against $TARGET" $wbinfo -n "$DOMAIN/rfc2307_test_group" || failed=$(expr $failed + 1)
+group_sid=$($wbinfo -n "$DOMAIN/rfc2307_test_group" | cut -d " " -f1)
+echo "$DOMAIN/rfc2307_test_group resolved to $group_sid"
+
+# Then add a uidNumber to the group record using ldbmodify
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: <SID=$user_sid>
+changetype: modify
+add: uidNumber
+uidNumber: $UID_RFC2307TEST
+EOF
+
+testit "modify gidNumber on group" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -U$DOMAIN/$USERNAME%$PASSWORD $@ || failed=$(expr $failed + 1)
+
+# Then add a gidNumber to the group record using ldbmodify
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: <SID=$group_sid>
+changetype: modify
+add: gidNumber
+gidNumber: $GID_RFC2307TEST
+EOF
+
+testit "modify gidNumber on group" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -U$DOMAIN/$USERNAME%$PASSWORD $@ || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpldbmodify
+
+# Now check we get a correct SID for the UID
+
+testit "wbinfo -U against $TARGET" $wbinfo -U $UID_RFC2307TEST || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -U check for sane mapping"
+sid_for_user=$($wbinfo -U $UID_RFC2307TEST)
+if test x"$sid_for_user" != x"$user_sid"; then
+ echo "uid $UID_RFC2307TEST mapped to $sid_for_user, not $user_sid"
+ echo "failure: wbinfo -U check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -U check for sane mapping"
+fi
+
+testit "wbinfo -G against $TARGET" $wbinfo -G $GID_RFC2307TEST || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -G check for sane mapping"
+sid_for_group=$($wbinfo -G $GID_RFC2307TEST)
+if test x$sid_for_group != "x$group_sid"; then
+ echo "gid $GID_RFC2307TEST mapped to $sid_for_group, not $group_sid"
+ echo "failure: wbinfo -G check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -G check for sane mapping"
+fi
+
+# Now check we get the right UID from the SID
+testit "wbinfo -S against $TARGET" $wbinfo -S "$user_sid" || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -S check for sane mapping"
+uid_for_user_sid=$($wbinfo -S $user_sid)
+if test 0$uid_for_user_sid -ne $UID_RFC2307TEST; then
+ echo "$user_sid mapped to $uid_for_sid, not $UID_RFC2307TEST"
+ echo "failure: wbinfo -S check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -S check for sane mapping"
+fi
+
+# Now check we get the right GID from the SID
+testit "wbinfo -Y" $wbinfo -Y "$group_sid" || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -Y check for sane mapping"
+gid_for_user_sid=$($wbinfo -Y $group_sid)
+if test 0$gid_for_user_sid -ne $GID_RFC2307TEST; then
+ echo "$group_sid mapped to $gid_for_sid, not $GID_RFC2307TEST"
+ echo "failure: wbinfo -Y check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -Y check for sane mapping"
+fi
+
+testit "group delete" $PYTHON $samba_tool group delete rfc2307_test_group $@
+testit "user delete" $PYTHON $samba_tool user delete rfc2307_test_user $@
+
+exit $failed
diff --git a/nsswitch/tests/test_ticket_expiry.sh b/nsswitch/tests/test_ticket_expiry.sh
new file mode 100755
index 0000000..f2fed55
--- /dev/null
+++ b/nsswitch/tests/test_ticket_expiry.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+# Test winbind ad backend behaviour when the kerberos ticket expires
+
+if [ $# -ne 1 ]; then
+ echo Usage: $0 DOMAIN
+ exit 1
+fi
+
+DOMAIN="$1"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+net="$VALGRIND $BINDIR/net"
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
+if [ $? -ne 0 ]; then
+ echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+ADMINS_SID="$DOMAIN_SID-512"
+
+# Previous tests might have put in a mapping
+$net cache del IDMAP/SID2XID/"$ADMINS_SID"
+
+# Trigger a winbind ad connection with a 5-second ticket lifetime,
+# see the smb.conf for the ad_member_idmap_ad environment we're in
+#
+# We expect failure here because there are no mappings in AD. In this
+# test we are only interested in the winbind LDAP connection as such,
+# we don't really care whether idmap_ad works fine. This is done in
+# different tests. And a negative lookup also triggers the LDAP
+# connection.
+
+testit_expect_failure "Deleting0 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+
+testit_expect_failure "Expecting failure1, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+
+testit "Deleting1 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+
+# allow our kerberos ticket to expire
+testit "Sleeping for 6 seconds" sleep 6 || failed=$(expr $failed + 1)
+
+# Try again, check how long it took to recover from ticket expiry
+#
+# On the LDAP connection two things happen: First we get an
+# unsolicited exop response telling us the network session was
+# abandoned, and secondly the LDAP server will kill the TCP
+# connection. Our ldap server is configured to defer the TCP
+# disconnect by 10 seconds. We need to make sure that winbind already
+# reacts to the unsolicited exop reply, discarding the connection. The
+# only way is to make sure the following wbinfo does not take too
+# long.
+
+# We need to do the test command in this funny way as on gitlab we're
+# using the bash builtin
+
+START=$(date +%s)
+testit_expect_failure "Expecting failure2, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+END=$(date +%s)
+DURATION=$(expr $END - $START)
+testit "timeout DURATION[$DURATION] < 8" test "$DURATION" -le 8 ||
+ failed=$(expr $failed + 1)
+
+testit "Deleting2 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
new file mode 100755
index 0000000..8b48abc
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -0,0 +1,321 @@
+#!/bin/sh
+# Blackbox test for wbinfo
+if [ $# -lt 4 ]; then
+ cat <<EOF
+Usage: test_wbinfo.sh DOMAIN USERNAME PASSWORD TARGET
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+USERNAME=$2
+PASSWORD=$3
+TARGET=$4
+shift 4
+
+failed=0
+samba4bindir="$BINDIR"
+wbinfo="$VALGRIND $samba4bindir/wbinfo"
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+testfail()
+{
+ name="$1"
+ shift
+ cmdline="$*"
+ echo "test: $name"
+ $cmdline
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "failure: $name"
+ else
+ echo "success: $name"
+ fi
+ return $status
+}
+
+knownfail()
+{
+ name="$1"
+ shift
+ cmdline="$*"
+ echo "test: $name"
+ $cmdline
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "failure: $name [unexpected success]"
+ status=1
+ else
+ echo "knownfail: $name"
+ status=0
+ fi
+ return $status
+}
+
+KRB5CCNAME_PATH="$PREFIX/test_wbinfo_krb5ccache"
+rm -f $KRB5CCNAME_PATH
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+# List users
+testit "wbinfo -u against $TARGET" $wbinfo -u || failed=$(expr $failed + 1)
+# List groups
+testit "wbinfo -g against $TARGET" $wbinfo -g || failed=$(expr $failed + 1)
+# Convert netbios name to IP
+# Does not work yet
+testit "wbinfo -N against $TARGET" $wbinfo -N $NETBIOSNAME || failed=$(expr $failed + 1)
+# Convert IP to netbios name
+# Does not work yet
+testit "wbinfo -I against $TARGET" $wbinfo -I $SERVER_IP || failed=$(expr $failed + 1)
+
+# Convert name to SID
+testit "wbinfo -n against $TARGET" $wbinfo -n "$DOMAIN/$USERNAME" || failed=$(expr $failed + 1)
+admin_sid=$($wbinfo -n "$DOMAIN/$USERNAME" | cut -d " " -f1)
+echo "$DOMAIN/$USERNAME resolved to $admin_sid"
+
+testit "wbinfo -s $admin_sid against $TARGET" $wbinfo -s $admin_sid || failed=$(expr $failed + 1)
+admin_name=$($wbinfo -s $admin_sid | cut -d " " -f1 | tr a-z A-Z)
+echo "$admin_sid resolved to $admin_name"
+
+tested_name=$(echo $DOMAIN/$USERNAME | tr a-z A-Z)
+
+echo "test: wbinfo -s check for sane mapping"
+if test x$admin_name != x$tested_name; then
+ echo "$admin_name does not match $tested_name"
+ echo "failure: wbinfo -s check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -s check for sane mapping"
+fi
+
+while read SID; do
+ read NAME
+
+ testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=$(expr $failed + 1)
+
+ RESOLVED_NAME=$($wbinfo -s $SID | tr a-z A-Z)
+ echo "$SID resolved to $RESOLVED_NAME"
+
+ echo "test: wbinfo -s $SID against $TARGET"
+ if test x"$RESOLVED_NAME" != x"$NAME"; then
+ echo "$RESOLVED_NAME does not match $NAME"
+ echo "failure: wbinfo -s $SID against $TARGET"
+ failed=$(expr $failed + 1)
+ else
+ echo "success: wbinfo -s $SID against $TARGET"
+ fi
+done <<EOF
+S-1-1-0
+/EVERYONE 5
+S-1-3-1
+/CREATOR GROUP 5
+S-1-5-1
+NT AUTHORITY/DIALUP 5
+EOF
+
+testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=$(expr $failed + 1)
+test_sid=$($wbinfo -n $tested_name | cut -d " " -f1)
+
+echo "test: wbinfo -n check for sane mapping"
+if test x$admin_sid != x$test_sid; then
+ echo "$admin_sid does not match $test_sid"
+ echo "failure: wbinfo -n check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -n check for sane mapping"
+fi
+
+echo "test: wbinfo -n NT Authority/Authenticated Users"
+$wbinfo -n "NT Authority/Authenticated Users"
+if [ $? -ne 0 ]; then
+ echo "failure: wbinfo -n NT Authority/Authenticated Users"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -n NT Authority/Authenticated Users"
+fi
+
+echo "test: wbinfo --group-info NT Authority/Authenticated Users"
+$wbinfo --group-info "NT Authority/Authenticated Users"
+if [ $? -ne 0 ]; then
+ echo "failure: wbinfo --group-info NT Authority/Authenticated Users"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo --group-info NT Authority/Authenticated Users"
+fi
+
+testit "wbinfo -U against $TARGET" $wbinfo -U 30000 || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -U check for sane mapping"
+sid_for_30000=$($wbinfo -U 30000)
+if test x$sid_for_30000 != "xS-1-22-1-30000"; then
+ echo "uid 30000 mapped to $sid_for_30000, not S-1-22-1-30000"
+ echo "failure: wbinfo -U check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -U check for sane mapping"
+fi
+
+admin_uid=$($wbinfo -S $admin_sid)
+
+testit "wbinfo -G against $TARGET" $wbinfo -G 30000 || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -G check for sane mapping"
+sid_for_30000=$($wbinfo -G 30000)
+if test x$sid_for_30000 != "xS-1-22-2-30000"; then
+ echo "gid 30000 mapped to $sid_for_30000, not S-1-22-2-30000"
+ echo "failure: wbinfo -G check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -G check for sane mapping"
+fi
+
+testit "wbinfo -S against $TARGET" $wbinfo -S "S-1-22-1-30000" || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -S check for sane mapping"
+uid_for_sid=$($wbinfo -S S-1-22-1-30000)
+if test 0$uid_for_sid -ne 30000; then
+ echo "S-1-22-1-30000 mapped to $uid_for_sid, not 30000"
+ echo "failure: wbinfo -S check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -S check for sane mapping"
+fi
+
+testfail "wbinfo -S against $TARGET using invalid SID" $wbinfo -S "S-1-22-2-30000" && failed=$(expr $failed + 1)
+
+testit "wbinfo -Y against $TARGET" $wbinfo -Y "S-1-22-2-30000" || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -Y check for sane mapping"
+gid_for_sid=$($wbinfo -Y S-1-22-2-30000)
+if test 0$gid_for_sid -ne 30000; then
+ echo "S-1-22-2-30000 mapped to $gid_for_sid, not 30000"
+ echo "failure: wbinfo -Y check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -Y check for sane mapping"
+fi
+
+testfail "wbinfo -Y against $TARGET using invalid SID" $wbinfo -Y "S-1-22-1-30000" && failed=$(expr $failed + 1)
+
+testit "wbinfo -t against $TARGET" $wbinfo -t || failed=$(expr $failed + 1)
+
+#didn't really work anyway
+testit "wbinfo --trusted-domains against $TARGET" $wbinfo --trusted-domains || failed=$(expr $failed + 1)
+testit "wbinfo --all-domains against $TARGET" $wbinfo --all-domains || failed=$(expr $failed + 1)
+
+testit "wbinfo --own-domain against $TARGET" $wbinfo --own-domain || failed=$(expr $failed + 1)
+
+echo "test: wbinfo --own-domain against $TARGET check output"
+own_domain=$($wbinfo --own-domain)
+if test x$own_domain = x$DOMAIN; then
+ echo "success: wbinfo --own-domain against $TARGET check output"
+else
+ echo "Own domain reported as $own_domain instead of $DOMAIN"
+ echo "failure: wbinfo --own-domain against $TARGET check output"
+ failed=$(expr $failed + 1)
+fi
+
+# this does not work
+knownfail "wbinfo --sequence against $TARGET" $wbinfo --sequence
+
+# this is stubbed out now
+testit "wbinfo -D against $TARGET" $wbinfo -D $DOMAIN || failed=$(expr $failed + 1)
+
+testit "wbinfo -i against $TARGET" $wbinfo -i "$DOMAIN/$USERNAME" || failed=$(expr $failed + 1)
+
+echo "test: wbinfo --group-info against $TARGET"
+gid=$($wbinfo --group-info "$DOMAIN/Domain users" | cut -d: -f3)
+if test x$? = x0; then
+ echo "success: wbinfo --group-info against $TARGET"
+else
+ echo "failure: wbinfo --group-info against $TARGET"
+ failed=$(expr $failed + 1)
+fi
+
+test_name="wbinfo -i against $TARGET"
+subunit_start_test "$test_name"
+passwd_line=$($wbinfo -i "$DOMAIN/$USERNAME")
+if test x$? = x0; then
+ subunit_pass_test "$test_name"
+else
+ subunit_fail_test "$test_name"
+ failed=$(expr $failed + 1)
+fi
+
+test_name="confirm output of wbinfo -i against $TARGET"
+subunit_start_test "$test_name"
+
+# The full name (GECOS) is based on name (the RDN, in this case CN)
+# and displayName in winbindd_ads, and is based only on displayName in
+# winbindd_msrpc and winbindd_rpc. Allow both versions.
+if test "$TARGET" = "ad_member"; then
+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false"
+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false"
+else
+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
+fi
+
+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
+ subunit_pass_test "$test_name"
+else
+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ failed=$(expr $failed + 1)
+fi
+
+test_name="wbinfo --uid-info against $TARGET"
+subunit_start_test "$test_name"
+passwd_line=$($wbinfo --uid-info=$admin_uid)
+if test x$? = x0; then
+ subunit_pass_test "$test_name"
+else
+ subunit_fail_test "$test_name"
+ failed=$(expr $failed + 1)
+fi
+
+test_name="confirm output of wbinfo --uid-info against $TARGET"
+subunit_start_test "$test_name"
+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
+ subunit_pass_test "$test_name"
+else
+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ failed=$(expr $failed + 1)
+fi
+
+testfail "wbinfo --group-info against $TARGET with $USERNAME" $wbinfo --group-info $USERNAME && failed=$(expr $failed + 1)
+
+testit "wbinfo --gid-info against $TARGET" $wbinfo --gid-info $gid || failed=$(expr $failed + 1)
+
+testit "wbinfo -r against $TARGET" $wbinfo -r "$DOMAIN/$USERNAME" || failed=$(expr $failed + 1)
+
+testit "wbinfo --user-domgroups against $TARGET" $wbinfo --user-domgroups $admin_sid || failed=$(expr $failed + 1)
+
+testit "wbinfo --user-sids against $TARGET" $wbinfo --user-sids $admin_sid || failed=$(expr $failed + 1)
+
+testit "wbinfo -a against $TARGET with domain creds" $wbinfo -a "$DOMAIN/$USERNAME"%"$PASSWORD" || failed=$(expr $failed + 1)
+
+testit "wbinfo -a against $TARGET with domain upn creds" $wbinfo -a "$USERNAME@$DOMAIN"%"$PASSWORD" || failed=$(expr $failed + 1)
+
+testit "wbinfo --getdcname against $TARGET" $wbinfo --getdcname=$DOMAIN
+
+testit "wbinfo -p against $TARGET" $wbinfo -p || failed=$(expr $failed + 1)
+
+testit "wbinfo -K against $TARGET with domain creds" $wbinfo --krb5ccname=$KRB5CCNAME --krb5auth="$DOMAIN/$USERNAME"%"$PASSWORD" || failed=$(expr $failed + 1)
+
+testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=$(expr $failed + 1)
+
+if test "$TARGET" = "ad_member"; then
+ testit "wbinfo --domain-info=$DOMAIN" $wbinfo --domain-info=$DOMAIN || failed=$(expr $failed + 1)
+
+ testit "wbinfo --dc-info=$DOMAIN" $wbinfo --dc-info=$DOMAIN || failed=$(expr $failed + 1)
+fi
+
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=$(expr $failed + 1)
+
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+
+exit $failed
diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh
new file mode 100755
index 0000000..2b2b29a
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+# Blackbox test for wbinfo name lookup
+if [ $# -lt 3 ]; then
+ cat <<EOF
+Usage: test_wbinfo.sh DOMAIN REALM DC_USERNAME
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+REALM=$2
+DC_USERNAME=$3
+shift 3
+
+failed=0
+sambabindir="$BINDIR"
+wbinfo="$VALGRIND $sambabindir/wbinfo"
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+# Correct query is expected to work
+testit "name-to-sid.single-separator" \
+ $wbinfo -n $DOMAIN/$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+testit "name-to-sid.at_domain" \
+ $wbinfo -n $DOMAIN/ ||
+ failed=$(expr $failed + 1)
+
+testit "name-to-sid.upn" \
+ $wbinfo -n $DC_USERNAME@$REALM ||
+ failed=$(expr $failed + 1)
+
+testit "name-to-sid.realm-user" \
+ $wbinfo -n $REALM/$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+# For the name-to-sid.realm-user query, ensure
+# that this does not change subsequent sid-to-name
+# queries.
+sid=$($wbinfo -n $REALM/$DC_USERNAME | sed -e 's/ .*//')
+out=$($wbinfo -s $sid | sed -e 's/ .//')
+# winbindd returns usernames in lowercase
+lcuser=$(echo $DC_USERNAME | tr A-Z a-z)
+testit "Verify DOMAIN/USER output" \
+ test "$out" = "$DOMAIN/$lcuser" ||
+ failed=$(expr $failed + 1)
+
+# Two separator characters should fail
+testit_expect_failure "name-to-sid.double-separator" \
+ $wbinfo -n $DOMAIN//$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+# Invalid domain is expected to fail
+testit_expect_failure "name-to-sid.invalid-domain" \
+ $wbinfo -n INVALID/$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+# Invalid domain with two separator characters is expected to fail
+testit_expect_failure "name-to-sid.double-separator-invalid-domain" \
+ $wbinfo -n INVALID//$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_wbinfo_sids_to_xids.sh b/nsswitch/tests/test_wbinfo_sids_to_xids.sh
new file mode 100755
index 0000000..c910d19
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_sids_to_xids.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+incdir=$(dirname $0)/../../testprogs/blackbox
+. $incdir/subunit.sh
+
+#
+# S-1-5-123456789 fails, but S-1-5-11 succeeds. Check that S-1-5-11 is
+# mapped successfully with a GID in the 1000x range
+#
+wbinfo_some_mapped()
+{
+ output=$($VALGRIND $BINDIR/wbinfo --sids-to-unix-ids=S-1-5-123456789,S-1-5-11)
+ test x"$?" = x"0" || {
+ return 1
+ }
+
+ printf '%s' "$output" | grep -q 'S-1-5-123456789 -> unmapped' || {
+ printf '%s' "$output"
+ return 1
+ }
+
+ printf '%s' "$output" | grep -q 'S-1-5-11 -> gid 10000' || {
+ printf '%s' "$output"
+ return 1
+ }
+
+ return 0
+}
+
+testit "wbinfo some mapped" wbinfo_some_mapped || failed=$(expr $failed + 1)
+
+testok $0 $failed
diff --git a/nsswitch/tests/test_wbinfo_simple.sh b/nsswitch/tests/test_wbinfo_simple.sh
new file mode 100755
index 0000000..226715a
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_simple.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: test_wbinfo_simple.sh <wbinfo args>
+EOF
+ exit 1
+fi
+
+ADDARGS="$*"
+
+incdir=$(dirname $0)/../../testprogs/blackbox
+. $incdir/subunit.sh
+
+KRB5CCNAME_PATH="$PREFIX/test_wbinfo_simple_krb5ccname"
+rm -f $KRB5CCNAME_PATH
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+testit "wbinfo" $VALGRIND $BINDIR/wbinfo --krb5ccname="$KRB5CCNAME" $ADDARGS || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+
+testok $0 $failed
diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
new file mode 100755
index 0000000..b9a720d
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
@@ -0,0 +1,140 @@
+#!/bin/sh
+# Blackbox test for wbinfo lookup for account name and upn
+# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 6 ]; then
+ cat <<EOF
+Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2 ENVNAME
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+REALM=$2
+OWN_DOMAIN=$3
+USERNAME1=$4
+UPN_NAME1=$5
+USERNAME2=$6
+UPN_NAME2=$7
+ENVNAME=$8
+shift 7
+
+failed=0
+
+samba_bindir="$BINDIR"
+wbinfo_tool="$VALGRIND $samba_bindir/wbinfo"
+
+UPN1="$UPN_NAME1@$REALM"
+UPN2="$UPN_NAME2@$REALM"
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+test_user_info()
+{
+ local cmd out ret user domain upn userinfo
+
+ local domain="$1"
+ local user="$2"
+ local upn="$3"
+
+ if [ $# -lt 3 ]; then
+ userinfo="$domain/$user"
+ else
+ userinfo="$upn"
+ fi
+
+ cmd='$wbinfo_tool --user-info $userinfo'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "failed to lookup $userinfo"
+ echo "$out"
+ return 1
+ fi
+
+ echo "$out" | grep "$domain/$user:.*:.*:.*::/home/$domain/Domain Users/$user"
+ ret=$?
+ if [ $ret != 0 ]; then
+ echo "failed to lookup $userinfo"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+test_getpwnam()
+{
+ local cmd out ret
+
+ local lookup_username=$1
+ local expected_return=$2
+ local expected_output=$3
+
+ cmd='getent passwd $lookup_username'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+
+ if [ $ret -ne $expected_return ]; then
+ echo "return code: $ret, expected return code is: $expected_return"
+ echo "$out"
+ return 1
+ fi
+
+ if [ -n "$expected_output" ]; then
+ echo "$out" | grep "$expected_output"
+ ret=$?
+
+ if [ $ret -ne 0 ]; then
+ echo "Unable to find $expected_output in:"
+ echo "$out"
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
+testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
+
+testit "user_info.domain.$USERNAME1" test_user_info $DOMAIN $USERNAME1 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME1" test_user_info $DOMAIN $USERNAME1 $UPN1 || failed=$(expr $failed + 1)
+
+testit "name_to_sid.domain.$USERNAME2" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME2 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME2" $wbinfo_tool --name-to-sid $UPN2 || failed=$(expr $failed + 1)
+
+testit "user_info.domain.$USERNAME2" test_user_info $DOMAIN $USERNAME2 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME2" test_user_info $DOMAIN $USERNAME2 $UPN2 || failed=$(expr $failed + 1)
+
+USERNAME3="testdenied"
+UPN_NAME3="testdenied_upn"
+UPN3="$UPN_NAME3@${REALM}.upn"
+testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+
+testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+case ${ENVNAME} in
+ad_member*)
+ # We should not be able to lookup the user just by the name
+ test_ret=2
+ test_output=""
+ ;;
+fl2008r2dc*)
+ test_ret=0
+ test_output="$OWN_DOMAIN/$USERNAME1"
+ ;;
+*)
+ test_ret=0
+ test_output="$DOMAIN/$USERNAME1"
+ ;;
+esac
+
+testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_wbinfo_user_info_cached.sh b/nsswitch/tests/test_wbinfo_user_info_cached.sh
new file mode 100755
index 0000000..a7ed471
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_user_info_cached.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+# Blackbox test for wbinfo primary groups and samlogon caching
+# Copyright (c) 2020 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: $(basename $0) DOMAIN REALM USERNAME PASSWORD PRIMARY_GROUP
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+REALM=$2
+USERNAME=$3
+PASSWORD=$4
+PRIMARY_GROUP=$5
+shift 5
+
+DEFAULT_GROUP="Domain Users"
+
+failed=0
+
+samba_bindir="$BINDIR"
+wbinfo_tool="$VALGRIND $samba_bindir/wbinfo"
+net_tool="$VALGRIND $samba_bindir/net --configfile=$SERVERCONFFILE"
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+KRB5CCNAME_PATH="$PREFIX/test_wbinfo_user_info_cached_krb5ccache"
+rm -f $KRB5CCNAME_PATH
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+USER="$DOMAIN/$USERNAME"
+USER_SID=$($wbinfo_tool --name-to-sid="$USER" | sed -e 's/ .*//')
+
+testit_grep "user_info.no_cache" "$DEFAULT_GROUP" $wbinfo_tool --user-info=$USER || failed=$(expr $failed + 1)
+
+# Fill the samlogon cache
+testit "kerberos_login" $wbinfo_tool --krb5ccname=$KRB5CCNAME --krb5auth=$USER%$PASSWORD || failed=$(expr $failed + 1)
+
+testit_grep "user_info.samlogon_cache" "$PRIMARY_GROUP" $wbinfo_tool --user-info=$USER || failed=$(expr $failed + 1)
+
+# Cleanup
+$net_tool cache samlogon delete $USER_SID
+
+rm -f $KRB5CCNAME_PATH
+
+exit $failed