diff options
Diffstat (limited to 'testprogs/blackbox')
62 files changed, 8543 insertions, 0 deletions
diff --git a/testprogs/blackbox/bogus.sh b/testprogs/blackbox/bogus.sh new file mode 100755 index 0000000..1edd153 --- /dev/null +++ b/testprogs/blackbox/bogus.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: bogus.sh SERVER SHARE USER PASSWORD DC_USER DC_PASSWORD SMBCLIENT +EOF + exit 1 +fi + +. $(dirname $0)/subunit.sh + +SERVER=$1 +SHARE=$2 +USER=$3 +PWD=$4 +DC_USER=$5 +DC_PWD=$6 +smbclient=$7 +shift 7 + +TEST_USER=bogus_testuser +TEST_PWD=bogus_pass3#@ +net="$BINDIR/net" +testit_expect_failure "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$DC_USER%$DC_PWD -c "dir" && failed=$(expr $failed + 1) +testit "net.user.add" $net rpc user add $TEST_USER $TEST_PWD -W $SERVER -U$SERVER\\$USER%$PWD -S $SERVER +testit "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$TEST_USER%$TEST_PWD -c "dir" || failed=$(expr $failed + 1) +testit "net.user.delete" $net rpc user delete $TEST_USER -W $SERVER -U$SERVER\\$USER%$PWD -S $SERVER +exit $failed diff --git a/testprogs/blackbox/common-links.sh b/testprogs/blackbox/common-links.sh new file mode 100644 index 0000000..92cf730 --- /dev/null +++ b/testprogs/blackbox/common-links.sh @@ -0,0 +1,234 @@ +release_dir=$SRCDIR_ABS/source4/selftest/provisions/$RELEASE + +ldbadd="ldbadd" +if [ -x "$BINDIR/ldbadd" ]; then + ldbadd="$BINDIR/ldbadd" +fi + +ldbmodify="ldbmodify" +if [ -x "$BINDIR/ldbmodify" ]; then + ldbmodify="$BINDIR/ldbmodify" +fi + +ldbdel="ldbdel" +if [ -x "$BINDIR/ldbdel" ]; then + ldbdel="$BINDIR/ldbdel" +fi + +ldbsearch="ldbsearch" +if [ -x "$BINDIR/ldbsearch" ]; then + ldbsearch="$BINDIR/ldbsearch" +fi + +ldbrename="ldbrename" +if [ -x "$BINDIR/ldbrename" ]; then + ldbrename="$BINDIR/ldbrename" +fi + +samba_tdbrestore="tdbrestore" +if [ -x "$BINDIR/tdbrestore" ]; then + samba_tdbrestore="$BINDIR/tdbrestore" +fi + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" + +undump() +{ + $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore +} + +add_dangling_link() +{ + ldif=$release_dir/add-dangling-forwardlink-user.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-initially-normal-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/delete-only-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_dangling_backlink() +{ + ldif=$release_dir/add-dangling-backlink-user.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-dangling-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_deleted_dangling_backlink() +{ + ldif=$release_dir/add-deleted-backlink-user.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-deleted-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_deleted_target_backlink() +{ + ldif=$release_dir/add-deleted-target-backlink-user.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-deleted-target-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +revive_links_on_deleted_group() +{ + ldif=$release_dir/revive-links-on-deleted-group.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +revive_backlink_on_deleted_group() +{ + ldif=$release_dir/revive-backlink-on-deleted-group.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_deleted_target_link() +{ + ldif=$release_dir/add-dangling-deleted-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_two_more_users() +{ + ldif=$release_dir/add-two-more-users.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_four_more_links() +{ + ldif=$release_dir/add-four-more-links.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_link() +{ + ldif=$release_dir/remove-one-more-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_user() +{ + ldif=$release_dir/remove-one-more-user.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +move_one_user() +{ + TZ=UTC $ldbrename -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'cn=user1,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' 'cn=user1x,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + if [ "$?" != "0" ]; then + return 1 + fi +} + +dangling_one_way_dn() +{ + ldif=$release_dir/dangling-one-way-dn.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +deleted_one_way_dn() +{ + ldif=$release_dir/deleted-one-way-dn.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +dangling_one_way_link() +{ + ldif=$release_dir/dangling-one-way-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/CN%3DCONFIGURATION,DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_dangling_multi_valued() +{ + # multi1 - All 4 backlinks + # multi2 - Missing all 4 backlinks + # multi3 - Missing 2 backlinks + # Administrator - Has 2 too many backlinks + # multi5 - Has 2 backlinks but no forward links + ldif=$release_dir/add-dangling-multilink-users.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-initially-normal-multilink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/delete-only-multi-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-dangling-multi-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} diff --git a/testprogs/blackbox/common_test_fns.inc b/testprogs/blackbox/common_test_fns.inc new file mode 100755 index 0000000..a253130 --- /dev/null +++ b/testprogs/blackbox/common_test_fns.inc @@ -0,0 +1,126 @@ +# Common tests +# Pulled out of existing tests to prevent duplication. +# +test_smbclient() +{ + name="$1" + cmd="$2" + unc="$3" + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $smbclient $CONFIGURATION "$unc" -c "$cmd" $@ 2>&1) + status=$? + if [ x$status = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $status +} + +test_smbclient_expect_failure() +{ + name="$1" + cmd="$2" + unc="$3" + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $smbclient $CONFIGURATION "$unc" -c "$cmd" $@ 2>&1) + status=$? + if [ x$status = x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + else + subunit_pass_test "$name" + fi + return $status +} + +test_rpcclient_grep() +{ + name="$1" + cmd="$2" + srv="$3" + grep="$4" + shift + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $rpcclient $CONFIGURATION "$srv" -c "$cmd" $@ 2>&1) + status=$? + if [ x$status != x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $status +} + +test_rpcclient_expect_failure_grep() +{ + name="$1" + cmd="$2" + srv="$3" + grep="$4" + shift + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $rpcclient $CONFIGURATION "$srv" -c "$cmd" $@ 2>&1) + status=$? + if [ x$status = x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $status +} + +kerberos_kinit() +{ + kinit_tool="${1}" + principal="${2}" + password="${3}" + shift 3 + kbase=$(basename ${kinit_tool}) + if [ "${kbase}" = "samba4kinit" ]; then + kpassfile=$(mktemp) + echo $password >${kpassfile} + $kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} $@ $principal + status=$? + rm -f ${kpassfile} + else + echo $password | $kinit_tool $@ $principal + status=$? + fi + return $status +} + +remove_directory() +{ + local xdir=${1} + shift + + if [ "$xdir" == "/" ] || [ ! -d "$xdir" ] || [ ! $(ls -A "$xdir") ]; then + return + fi + + rm -rf "$xdir" +} diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh new file mode 100755 index 0000000..29fb5b8 --- /dev/null +++ b/testprogs/blackbox/dbcheck-links.sh @@ -0,0 +1,991 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: dbcheck-links.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +. $(dirname $0)/subunit.sh + +. $(dirname $0)/common-links.sh +. $(dirname $0)/common_test_fns.inc + +failed=0 + +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "tombstones_expunge" + subunit_skip_test "tombstones_expunge" <<EOF +no test provision +EOF + + exit 0 +fi + +dbcheck() +{ + tmpfile=$PREFIX_ABS/$RELEASE/expected-dbcheck-link-output${1}.txt.tmp + tmpldif1=$PREFIX_ABS/$RELEASE/expected-dbcheck-output${1}2.txt.tmp1 + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif1 + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $3 --fix --yes >$tmpfile + if [ "$?" != "$2" ]; then + return 1 + fi + sort $tmpfile | grep -v "^INFO:" >$tmpfile.sorted + sort $release_dir/expected-dbcheck-link-output${1}.txt >$tmpfile.expected + diff -u $tmpfile.sorted $tmpfile.expected + if [ "$?" != "0" ]; then + return 1 + fi + + tmpldif2=$PREFIX_ABS/$RELEASE/expected-dbcheck-output${1}2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_dangling() +{ + dbcheck "" "1" "--selftest-check-expired-tombstones" + return $? +} + +dbcheck_one_way() +{ + dbcheck "_one_way" "0" "CN=Configuration,DC=release-4-5-0-pre1,DC=samba,DC=corp --selftest-check-expired-tombstones" + return $? +} + +dbcheck_clean() +{ + tmpldif1=$PREFIX_ABS/$RELEASE/expected-dbcheck-output2.txt.tmp1 + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif1 + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb + if [ "$?" != "0" ]; then + return 1 + fi + tmpldif2=$PREFIX_ABS/$RELEASE/expected-dbcheck-output2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-links-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_deleted_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-deleted-links-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_objects() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user1x)(samaccountname=user2))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName >$tmpldif + diff -u $tmpldif $release_dir/expected-objects-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +duplicate_member() +{ + # We use an existing group so we have a stable GUID in the + # dbcheck output + LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=Enterprise Admins,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn member) + DN=$(echo "${LDIF1}" | grep '^dn: ') + MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$') + ldif=$PREFIX_ABS/${RELEASE}/duplicate-member-multi.ldif + { + echo "${DN}" + echo "changetype: modify" + echo "replace: member" + echo "${MSG}" + echo "${MSG}" | sed -e 's!RMD_LOCAL_USN=[1-9][0-9]*!RMD_LOCAL_USN=0!' + } >$ldif + + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_duplicate_member() +{ + dbcheck "_duplicate_member" "1" "--selftest-check-expired-tombstones" + return $? +} + +check_expected_after_duplicate_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-duplicates-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=administrator)(cn=enterprise admins))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted memberOf member >$tmpldif + diff -u $tmpldif $release_dir/expected-duplicates-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +missing_link_sid_corruption() +{ + # Step1: add user "missingsidu1" + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption1.ldif + cat >$ldif <<EOF +dn: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: user +samaccountname: missingsidu1 +objectGUID: 0da8f25e-d110-11e8-80b7-3c970ec68461 +objectSid: S-1-5-21-4177067393-1453636373-93818738-771 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # Step2: add user "missingsidu2" + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption2.ldif + cat >$ldif <<EOF +dn: CN=missingsidu2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: user +samaccountname: missingsidu2 +objectGUID: 66eb8f52-d110-11e8-ab9b-3c970ec68461 +objectSid: S-1-5-21-4177067393-1453636373-93818738-772 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # Step3: add group "missingsidg3" and add users as members + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption3.ldif + cat >$ldif <<EOF +dn: CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: group +samaccountname: missingsidg3 +objectGUID: fd992424-d114-11e8-bb36-3c970ec68461 +objectSid: S-1-5-21-4177067393-1453636373-93818738-773 +member: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=missingsidu2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # Step4: remove one user again, so that we have one deleted link + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption4.ldif + cat >$ldif <<EOF +dn: CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: modify +delete: member +member: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step5: remove the SIDS from the links + # + LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn --show-binary member) + DN=$(echo "${LDIF1}" | grep '^dn: ') + MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$') + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption5.ldif + { + echo "${DN}" + echo "changetype: modify" + echo "replace: member" + #echo "${MSG}" + echo "${MSG}" | sed \ + -e 's!<SID=S-1-5-21-4177067393-1453636373-93818738-771>;!!g' \ + -e 's!<SID=S-1-5-21-4177067393-1453636373-93818738-772>;!!g' \ + -e 's!RMD_ADDTIME=[1-9][0-9]*!RMD_ADDTIME=123456789000000000!g' \ + -e 's!RMD_CHANGETIME=[1-9][0-9]*!RMD_CHANGETIME=123456789000000000!g' | + cat + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_missing_link_sid_corruption() +{ + dbcheck "-missing-link-sid-corruption" "1" "--selftest-check-expired-tombstones" + return $? +} + +add_lost_deleted_user1() +{ + ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user1.ldif + cat >$ldif <<EOF +dn: CN=fred\0ADEL:2301a64c-1234-5678-851e-12d4a711cfb4,OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +instanceType: 4 +whenCreated: 20160629043638.0Z +uSNCreated: 3740 +objectGUID: 2301a64c-1234-5678-851e-12d4a711cfb4 +objectSid: S-1-5-21-4177067393-1453636373-93818738-1011 +sAMAccountName: fred +userAccountControl: 512 +isDeleted: TRUE +lastKnownParent: <GUID=f28216e9-1234-5678-8b2d-6bb229563b62>;OU=removed,DC=rel + ease-4-5-0-pre1,DC=samba,DC=corp +isRecycled: TRUE +cn:: ZnJlZApERUw6MjMwMWE2NGMtMTIzNC01Njc4LTg1MWUtMTJkNGE3MTFjZmI0 +name:: ZnJlZApERUw6MjMwMWE2NGMtMTIzNC01Njc4LTg1MWUtMTJkNGE3MTFjZmI0 +replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o + z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A + AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA + AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA + AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC + jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQACAAAAV+GDDQMAAACjlkROuH+XT4oz + 0jjbi14tog4AAAAAAACiDgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA + AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA + AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA + AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj + lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0 + jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA + AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA + AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA + V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl + kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j + jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA + AAACiDgAAAAAAAA0DCQABAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAA + AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV + +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA== +whenChanged: 20160629043639.0Z +uSNChanged: 3746 +nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK + PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO + 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8 + J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ + AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA + AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA + UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA + AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr + 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA + ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh + CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0 + BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ + AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA + oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER + rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA + AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq + svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA + AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA + BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI + AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA + AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG + naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg + 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX + 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC + AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA + AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD + AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA + AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB + AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo + 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA + BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA + gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA + AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU + SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos + AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5 + g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg + AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD + /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS + GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA== +EOF + + out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbadd returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_lost_deleted_user1() +{ + dbcheck "-lost-deleted-user1" "1" "--selftest-check-expired-tombstones" + return $? +} + +remove_lost_deleted_user1() +{ + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "<GUID=2301a64c-1234-5678-851e-12d4a711cfb4>" --show-recycled --relax) + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi + + return 0 +} + +add_lost_deleted_user2() +{ + ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user2.ldif + cat >$ldif <<EOF +dn: CN=fred\0ADEL:2301a64c-8765-4321-851e-12d4a711cfb4,CN=LostAndFound,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +instanceType: 4 +whenCreated: 20160629043638.0Z +uSNCreated: 3740 +objectGUID: 2301a64c-8765-4321-851e-12d4a711cfb4 +objectSid: S-1-5-21-4177067393-1453636373-93818738-1001 +sAMAccountName: fred +userAccountControl: 512 +isDeleted: TRUE +lastKnownParent: OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp +isRecycled: TRUE +cn:: ZnJlZApERUw6MjMwMWE2NGMtODc2NS00MzIxLTg1MWUtMTJkNGE3MTFjZmI0 +name:: ZnJlZApERUw6MjMwMWE2NGMtODc2NS00MzIxLTg1MWUtMTJkNGE3MTFjZmI0 +replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o + z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A + AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA + AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA + AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC + jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQAEAAAAePOWEgMAAACjlkROuH+XT4oz + 0jjbi14tvA4AAAAAAAC8DgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA + AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA + AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA + AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj + lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0 + jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA + AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA + AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA + V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl + kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j + jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA + AAACiDgAAAAAAAA0DCQADAAAAePOWEgMAAACjlkROuH+XT4oz0jjbi14tvQ4AAAAAAAC9DgAAAAAA + AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV + +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA== +whenChanged: 20160629043639.0Z +uSNChanged: 3746 +nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK + PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO + 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8 + J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ + AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA + AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA + UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA + AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr + 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA + ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh + CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0 + BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ + AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA + oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER + rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA + AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq + svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA + AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA + BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI + AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA + AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG + naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg + 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX + 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC + AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA + AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD + AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA + AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB + AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo + 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA + BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA + gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA + AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU + SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos + AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5 + g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg + AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD + /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS + GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA== +EOF + + out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbadd returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_lost_deleted_user2() +{ + dbcheck "-lost-deleted-user2" "1" "--selftest-check-expired-tombstones" + return $? +} + +add_lost_deleted_user3() +{ + ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user3.ldif + cat >$ldif <<EOF +dn: CN=fred\0ADEL:2301a64c-1122-5566-851e-12d4a711cfb4,OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +instanceType: 4 +whenCreated: 20160629043638.0Z +uSNCreated: 3740 +objectGUID: 2301a64c-1122-5566-851e-12d4a711cfb4 +objectSid: S-1-5-21-4177067393-1453636373-93818738-1010 +sAMAccountName: fred +userAccountControl: 512 +isDeleted: TRUE +lastKnownParent: <GUID=f28216e9-1234-5678-8b2d-6bb229563b62>;OU=removed,DC=rel + ease-4-5-0-pre1,DC=samba,DC=corp +isRecycled: TRUE +cn:: ZnJlZApERUw6MjMwMWE2NGMtMTEyMi01NTY2LTg1MWUtMTJkNGE3MTFjZmI0 +name:: ZnJlZApERUw6MjMwMWE2NGMtMTEyMi01NTY2LTg1MWUtMTJkNGE3MTFjZmI0 +replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o + z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A + AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA + AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA + AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC + jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQACAAAAV+GDDQMAAACjlkROuH+XT4oz + 0jjbi14tog4AAAAAAACiDgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA + AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA + AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA + AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj + lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0 + jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA + AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA + AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA + V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl + kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j + jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA + AAACiDgAAAAAAAA0DCQABAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAA + AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV + +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA== +whenChanged: 20160629043639.0Z +uSNChanged: 3746 +nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK + PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO + 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8 + J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ + AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA + AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA + UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA + AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr + 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA + ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh + CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0 + BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ + AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA + oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER + rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA + AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq + svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA + AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA + BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI + AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA + AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG + naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg + 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX + 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC + AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA + AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD + AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA + AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB + AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo + 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA + BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA + gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA + AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU + SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos + AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5 + g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg + AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD + /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS + GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA== +EOF + + out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbadd returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_lost_deleted_user3() +{ + # here we don't pass --selftest-check-expired-tombstones + # as we want to test the default + dbcheck "-lost-deleted-user3" "0" "" + return $? +} + +remove_lost_deleted_user3() +{ + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "<GUID=2301a64c-1122-5566-851e-12d4a711cfb4>" --show-recycled --relax) + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi + + return 0 +} + +forward_link_corruption() +{ + # + # Step1: add a duplicate forward link from + # "CN=Enterprise Admins" to "CN=Administrator" + # + LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=Enterprise Admins,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn member) + DN=$(echo "${LDIF1}" | grep '^dn: ') + MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$') + ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption1.ldif + { + echo "${DN}" + echo "changetype: modify" + echo "replace: member" + echo "${MSG}" + echo "${MSG}" | sed -e 's!RMD_LOCAL_USN=[1-9][0-9]*!RMD_LOCAL_USN=0!' + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption2.ldif + cat >$ldif <<EOF +dn: CN=dangling,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: user +samaccountname: dangling +objectGUID: fd8a04ac-cea0-4921-b1a6-c173e1155c22 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step3: add a dangling backlink from + # "CN=dangling" to "CN=Enterprise Admins" + # + ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption3.ldif + { + echo "dn: CN=dangling,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + echo "changetype: modify" + echo "add: memberOf" + echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi +} + +dbcheck_forward_link_corruption() +{ + dbcheck "-forward-link-corruption" "1" "--selftest-check-expired-tombstones" + return $? +} + +check_expected_after_dbcheck_forward_link_corruption() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-after-dbcheck-forward-link-corruption.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=dangling)(cn=enterprise admins))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted memberOf member >$tmpldif + diff -u $tmpldif $release_dir/expected-after-dbcheck-forward-link-corruption.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +oneway_link_corruption() +{ + # + # Step1: add OU "dangling-ou" + # + ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption.ldif + cat >$ldif <<EOF +dn: OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: organizationalUnit +objectGUID: 20600e7c-92bb-492e-9552-f3ed7f8a2cad +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add msExchConfigurationContainer "dangling-msexch" + # + ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption2.ldif + cat >$ldif <<EOF +dn: OU=dangling-from,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: organizationalUnit +seeAlso: OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step3: rename dangling-ou to dangling-ou2 + # + # Because this is a one-way link we don't fix it at runtime + # + out=$(TZ=UTC $ldbrename -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp OU=dangling-ou2,DC=release-4-5-0-pre1,DC=samba,DC=corp) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi +} + +dbcheck_oneway_link_corruption() +{ + dbcheck "-oneway-link-corruption" "0" "--selftest-check-expired-tombstones" + return $? +} + +check_expected_after_dbcheck_oneway_link_corruption() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-after-dbcheck-oneway-link-corruption.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(ou=dangling-ou)(ou=dangling-ou2)(ou=dangling-from))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted seeAlso >$tmpldif + diff -u $tmpldif $release_dir/expected-after-dbcheck-oneway-link-corruption.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_dangling_multi_valued() +{ + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --selftest-check-expired-tombstones --fix --yes + if [ "$?" != "1" ]; then + return 1 + fi +} + +dangling_multi_valued_check_missing() +{ + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi2)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got only $WORDS links for dangling-multi2 + return 1 + fi + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi3)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got only $WORDS links for dangling-multi3 + return 1 + fi +} + +dangling_multi_valued_check_equal_or_too_many() +{ + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi1)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got $WORDS links for dangling-multi1 + return 1 + fi + + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi5)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + + if [ $WORDS -ne 0 ]; then + echo Got $WORDS links for dangling-multi5 + return 1 + fi + + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=Administrator)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + + if [ $WORDS -ne 2 ]; then + echo Got $WORDS links for Administrator + return 1 + fi +} + +dangling_link_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <<EOF +dn: $dn +changetype: add +objectclass: user +samaccountname: dangling-v +objectGUID: fd8a04ac-cea0-4921-b1a6-c173e1155c23 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add a dangling backlink from + # "CN=dangling-for-vanish" to "CN=Enterprise Admins" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif + { + echo "dn: $dn" + echo "changetype: modify" + echo "add: memberOf" + echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +dangling_link_to_unknown_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <<EOF +dn: $dn +changetype: add +objectclass: user +samaccountname: dangling-v +objectGUID: a4090081-ac2a-410c-8924-b255375160e8 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add a dangling backlink from + # "CN=dangling-for-vanish" to "CN=NOT Enterprise Admins" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif + { + echo "dn: $dn" + echo "changetype: modify" + echo "add: memberOf" + echo "memberOf: <GUID=09a47bff-0227-44e1-a8e4-63f9e726515d>;<SID=S-1-5-21-4177067393-1453636373-93818738-588>;CN=NOT Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +dangling_link_to_known_and_unknown_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <<EOF +dn: $dn +changetype: add +objectclass: user +samaccountname: dangling-v +objectGUID: 2882ffb1-31c3-485e-a7fc-184dfafc32d4 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add a dangling backlink from + # "CN=dangling-for-vanish" to "CN=Enterprise Admins", + # "CN=dangling-for-vanish" to "CN=NOT Enterprise Admins" and + # back to ourselves + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif + { + echo "dn: $dn" + echo "changetype: modify" + echo "add: memberOf" + echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + echo "memberOf: <GUID=09a47bff-0227-44e1-a8e4-63f9e726515d>;<SID=S-1-5-21-4177067393-1453636373-93818738-588>;CN=NOT Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + echo "memberOf: <GUID=2882ffb1-31c3-485e-a7fc-184dfafc32d4>;CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +remove_directory $PREFIX_ABS/${RELEASE} + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1) +testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1) +testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1) +testit "remove_one_user" remove_one_user || failed=$(expr $failed + 1) +testit "move_one_user" move_one_user || failed=$(expr $failed + 1) +testit "add_dangling_link" add_dangling_link || failed=$(expr $failed + 1) +testit "add_dangling_backlink" add_dangling_backlink || failed=$(expr $failed + 1) +testit "add_deleted_dangling_backlink" add_deleted_dangling_backlink || failed=$(expr $failed + 1) +testit "revive_links_on_deleted_group" revive_links_on_deleted_group || failed=$(expr $failed + 1) +testit "revive_backlink_on_deleted_group" revive_backlink_on_deleted_group || failed=$(expr $failed + 1) +testit "add_deleted_target_link" add_deleted_target_link || failed=$(expr $failed + 1) +testit "add_deleted_target_backlink" add_deleted_target_backlink || failed=$(expr $failed + 1) +testit "dbcheck_dangling" dbcheck_dangling || failed=$(expr $failed + 1) +testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "check_expected_after_deleted_links" check_expected_after_deleted_links || failed=$(expr $failed + 1) +testit "check_expected_after_links" check_expected_after_links || failed=$(expr $failed + 1) +testit "check_expected_after_objects" check_expected_after_objects || failed=$(expr $failed + 1) +testit "duplicate_member" duplicate_member || failed=$(expr $failed + 1) +testit "dbcheck_duplicate_member" dbcheck_duplicate_member || failed=$(expr $failed + 1) +testit "check_expected_after_duplicate_links" check_expected_after_duplicate_links || failed=$(expr $failed + 1) +testit "duplicate_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "forward_link_corruption" forward_link_corruption || failed=$(expr $failed + 1) +testit "dbcheck_forward_link_corruption" dbcheck_forward_link_corruption || failed=$(expr $failed + 1) +testit "check_expected_after_dbcheck_forward_link_corruption" check_expected_after_dbcheck_forward_link_corruption || failed=$(expr $failed + 1) +testit "forward_link_corruption_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "oneway_link_corruption" oneway_link_corruption || failed=$(expr $failed + 1) +testit "dbcheck_oneway_link_corruption" dbcheck_oneway_link_corruption || failed=$(expr $failed + 1) +testit "check_expected_after_dbcheck_oneway_link_corruption" check_expected_after_dbcheck_oneway_link_corruption || failed=$(expr $failed + 1) +testit "oneway_link_corruption_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "dangling_one_way_link" dangling_one_way_link || failed=$(expr $failed + 1) +testit "dbcheck_one_way" dbcheck_one_way || failed=$(expr $failed + 1) +testit "dbcheck_clean2" dbcheck_clean || failed=$(expr $failed + 1) +testit "missing_link_sid_corruption" missing_link_sid_corruption || failed=$(expr $failed + 1) +testit "dbcheck_missing_link_sid_corruption" dbcheck_missing_link_sid_corruption || failed=$(expr $failed + 1) +testit "missing_link_sid_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "add_lost_deleted_user1" add_lost_deleted_user1 || failed=$(expr $failed + 1) +testit "dbcheck_lost_deleted_user1" dbcheck_lost_deleted_user1 || failed=$(expr $failed + 1) +testit "lost_deleted_user1_clean_A" dbcheck_clean || failed=$(expr $failed + 1) +testit "remove_lost_deleted_user1" remove_lost_deleted_user1 || failed=$(expr $failed + 1) +testit "lost_deleted_user1_clean_B" dbcheck_clean || failed=$(expr $failed + 1) +testit "add_lost_deleted_user2" add_lost_deleted_user2 || failed=$(expr $failed + 1) +testit "dbcheck_lost_deleted_user2" dbcheck_lost_deleted_user2 || failed=$(expr $failed + 1) +testit "lost_deleted_user2_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "add_lost_deleted_user3" add_lost_deleted_user3 || failed=$(expr $failed + 1) +testit "dbcheck_lost_deleted_user3" dbcheck_lost_deleted_user3 || failed=$(expr $failed + 1) +testit "lost_deleted_user3_clean_A" dbcheck_clean || failed=$(expr $failed + 1) +testit "remove_lost_deleted_user3" remove_lost_deleted_user3 || failed=$(expr $failed + 1) +testit "lost_deleted_user3_clean_B" dbcheck_clean || failed=$(expr $failed + 1) +testit "dangling_one_way_dn" dangling_one_way_dn || failed=$(expr $failed + 1) +testit "deleted_one_way_dn" deleted_one_way_dn || failed=$(expr $failed + 1) +testit "dbcheck_clean3" dbcheck_clean || failed=$(expr $failed + 1) +testit "add_dangling_multi_valued" add_dangling_multi_valued || failed=$(expr $failed + 1) +testit "dbcheck_dangling_multi_valued" dbcheck_dangling_multi_valued || failed=$(expr $failed + 1) +testit "dangling_multi_valued_check_missing" dangling_multi_valued_check_missing || failed=$(expr $failed + 1) +testit "dangling_multi_valued_check_equal_or_too_many" dangling_multi_valued_check_equal_or_too_many || failed=$(expr $failed + 1) +# Currently this cannot pass +testit "dbcheck_dangling_multi_valued_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "dangling_link_does_not_prevent_delete" dangling_link_does_not_prevent_delete || failed=$(expr $failed + 1) +testit "dangling_link_to_unknown_does_not_prevent_delete" dangling_link_to_unknown_does_not_prevent_delete || failed=$(expr $failed + 1) +testit "dangling_link_to_known_and_unknown_does_not_prevent_delete" dangling_link_to_known_and_unknown_does_not_prevent_delete || failed=$(expr $failed + 1) + +remove_directory $PREFIX_ABS/${RELEASE} + +exit $failed diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh new file mode 100755 index 0000000..2df08ad --- /dev/null +++ b/testprogs/blackbox/dbcheck-oldrelease.sh @@ -0,0 +1,564 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: dbcheck.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +release_dir=$(dirname $0)/../../source4/selftest/provisions/$RELEASE + +ldbmodify="ldbmodify" +if [ -x "$BINDIR/ldbmodify" ]; then + ldbmodify="$BINDIR/ldbmodify" +fi + +ldbdel="ldbdel" +if [ -x "$BINDIR/ldbdel" ]; then + ldbdel="$BINDIR/ldbdel" +fi + +ldbsearch="ldbsearch" +if [ -x "$BINDIR/ldbsearch" ]; then + ldbsearch="$BINDIR/ldbsearch" +fi + +samba_tdbrestore="tdbrestore" +if [ -x "$BINDIR/tdbrestore" ]; then + samba_tdbrestore="$BINDIR/tdbrestore" +fi + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "reindex" + subunit_skip_test "reindex" <<EOF +no test provision +EOF + subunit_start_test check_expected_before_values + subunit_skip_test check_expected_before_values <<EOF +no test provision +EOF + subunit_start_test "dbcheck" + subunit_skip_test "dbcheck" <<EOF +no test provision +EOF + subunit_start_test "dbcheck_clean" + subunit_skip_test "dbcheck_clean" <<EOF +no test provision +EOF + subunit_start_test check_expected_after_values + subunit_skip_test check_expected_after_values <<EOF +no test provision +EOF + subunit_start_test "dbcheck_acl_reset" + subunit_skip_test "dbcheck_acl_reset" <<EOF +no test provision +EOF + subunit_start_test "dbcheck_clean_acl_reset" + subunit_skip_test "dbcheck_clean_acl_reset" <<EOF +no test provision +EOF + subunit_start_test add_userparameters0 + subunit_skip_test add_userparameters0 <<EOF +no test provision +EOF + + subunit_start_test add_userparameters1 + subunit_skip_test add_userparameters1 <<EOF +no test provision +EOF + + subunit_start_test add_userparameters2 + subunit_skip_test add_userparameters2 <<EOF +no test provision +EOF + + subunit_start_test add_userparameters3 + subunit_skip_test add_userparameters3 <<EOF +no test provision +EOF + + subunit_start_test check_expected_before_values + subunit_skip_test check_expected_before_values <<EOF +no test provision +EOF + + subunit_start_test "dbcheck2" + subunit_skip_test "dbcheck2" <<EOF +no test provision +EOF + + subunit_start_test "referenceprovision" + subunit_skip_test "referenceprovision" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp" + subunit_skip_test "ldapcmp" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp_sd" + subunit_skip_test "ldapcmp_sd" <<EOF +no test provision +EOF + + exit 0 +fi + +undump() +{ + $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore +} + +add_userparameters0() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF +dn: cn=localdc,cn=domain controllers,dc=release-4-1-0rc3,dc=samba,dc=corp +changetype: modify +replace: userParameters +userParameters:: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC + AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB + AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw + BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw + MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH + gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh + AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw + B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA + YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG + MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy + AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg + AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj + NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH + YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3 + MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD + AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA + eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA= +- +EOF + fi +} +add_userparameters1() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF +dn: cn=administrator,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp +changetype: modify +replace: userParameters +userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC + AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB + AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw + BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw + MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH + gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh + AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw + B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA + YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG + MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy + AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg + AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj + NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH + YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3 + MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD + AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA + eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA= +- +EOF + fi +} +add_userparameters2() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF +dn: cn=krbtgt,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp +changetype: modify +replace: userParameters +userParameters:: Q3R4Q2ZnUHJlc2VudCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI + CAgUAsaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiIAIBQ3R4V0ZQcm9maWxlUGF0aOOAsBgCAU + N0eFdGSG9tZURpcuOAsCICAUN0eFdGSG9tZURpckRyaXZl44CwEggBQ3R4U2hhZG9344Sw44Cw44C + w44CwLggBQ3R4TWF4RGlzY29ubmVjdGlvblRpbWXjgaXjjLnjkLDjgLAoCAFDdHhNYXhDb25uZWN0 + aW9uVGltZeOAtOOct+aIseOAsBwIAUN0eE1heElkbGVUaW1l44Gj45yy46Sw44CwIAIBQ3R4V29ya + 0RpcmVjdG9yeeOAsBgIAUN0eENmZ0ZsYWdzMeOAsOOBpuOYsuOAuCICAUN0eEluaXRpYWxQcm9ncm + Ft44Cw +- +EOF + fi +} + +add_userparameters3() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF +dn: cn=guest,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp +changetype: modify +replace: userParameters +userParameters:: QwAAAHQAAAB4AAAAQwAAAGYAAABnAAAAUAAAAHIAAABlAAAAcwAAAGUAAABuA + AAAdAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAA + AgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACA + AAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAUAAAAAsAAAAaAAAACAAAAAEAAABDAAAAdAAA + AHgAAABDAAAAZgAAAGcAAABQAAAAcgAAAGUAAABzAAAAZQAAAG4AAAB0AAAANQA1ADEAZQAwAGIAY + gAwACAAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcAAABGAAAAUAAAAHIAAABvAAAAZgAAAGkAAABsAA + AAZQAAAFAAAABhAAAAdAAAAGgAAAAwADAAGAAAAAIAAAABAAAAQwAAAHQAAAB4AAAAVwAAAEYAAAB + IAAAAbwAAAG0AAABlAAAARAAAAGkAAAByAAAAMAAwACIAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcA + AABGAAAASAAAAG8AAABtAAAAZQAAAEQAAABpAAAAcgAAAEQAAAByAAAAaQAAAHYAAABlAAAAMAAwA + BIAAAAIAAAAAQAAAEMAAAB0AAAAeAAAAFMAAABoAAAAYQAAAGQAAABvAAAAdwAAADAAMQAwADAAMA + AwADAAMAAuAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABEAAAAaQAAAHMAAABjAAA + AbwAAAG4AAABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAAGUAMAA5 + ADMAMAA0ADAAMAAoAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABDAAAAbwAAAG4AA + ABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAADQAMAA3ADcAMQBiAD + AAMAAcAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABJAAAAZAAAAGwAAABlAAAAVAA + AAGkAAABtAAAAZQAAAGMAMAAyADcAMAA5ADAAMAAgAAAAAgAAAAEAAABDAAAAdAAAAHgAAABXAAAA + bwAAAHIAAABrAAAARAAAAGkAAAByAAAAZQAAAGMAAAB0AAAAbwAAAHIAAAB5AAAAMAAwABgAAAAIA + AAAAQAAAEMAAAB0AAAAeAAAAEMAAABmAAAAZwAAAEYAAABsAAAAYQAAAGcAAABzAAAAMQAAADAAMA + BmADAAMgA2ADgAMAAiAAAAAgAAAAEAAABDAAAAdAAAAHgAAABJAAAAbgAAAGkAAAB0AAAAaQAAAGE + AAABsAAAAUAAAAHIAAABvAAAAZwAAAHIAAABhAAAAbQAAADAAMAA= +- +EOF + fi +} + +check_expected_userparameters() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-userParameters-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb userParameters=* --scope=sub -b DC=release-4-1-0rc3,DC=samba,DC=corp userParameters --sorted | grep -v \# >$tmpldif + diff -u $tmpldif $release_dir/expected-userParameters-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +reindex() +{ + $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} + +do_current_version_mod() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + # Confirm (in combination with the ldbsearch below) that + # changing the attribute with current Samba fixes it, and that + # a fixed attriute isn't unfixed by dbcheck. + tmpldif=$release_dir/sudoers2-mod.ldif + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $tmpldif + fi + return 0 +} + +check_expected_before_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-replpropertymetadata-before-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything2 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary | grep -v originating_change_time | grep -v whenChanged >$tmpldif + + # Here we remove originating_change_time and whenChanged as + # these are time-dependent, caused by the ldbmodify above. + + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck2.ldif + if [ "$?" != "0" ]; then + return 1 + fi + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything3 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck3.ldif + if [ "$?" != "0" ]; then + return 1 + fi + elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/rootdse-version.initial.txt.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif + diff -u $tmpldif $release_dir/rootdse-version.initial.txt + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +# This should 'fail', because it returns the number of modified records +dbcheck_objectclass() +{ + if [ x$RELEASE = x"release-4-1-6-partial-object" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --attrs=objectclass $@ + else + return 1 + fi +} + +# This should 'fail', because it returns the number of wrong records, which it must if we did not skip the deleted objects +dbcheck_deleted_objects() +{ + if [ x$RELEASE = x"alpha13" ]; then + basedn=$($ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope base -b "" defaultNamingContext | grep -i defaultNamingContext | cut -d\ -f 2) + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "cn=deleted objects,$basedn" --scope base $@ + else + return 1 + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck() +{ + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} + +check_expected_after_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-replpropertymetadata-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything2 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary | grep -v originating_change_time | grep -v whenChanged >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck2.ldif + if [ "$?" != "0" ]; then + return 1 + fi + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything3 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck3.ldif + if [ "$?" != "0" ]; then + return 1 + fi + # Check DomainDNS partition for replica locations + tmpldif=$PREFIX_ABS/$RELEASE/expected-replica-locations-after-dbcheck.ldif.tmp + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=49a69498-9a85-48af-9be4-aa0b3e0054f9 --scope=one -b CN=Partitions,CN=Configuration,DC=release-4-1-0rc3,DC=samba,DC=corp msDS-NC-Replica-Locations >$tmpldif + diff -u $tmpldif $release_dir/expected-replica-locations-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + # Check ForestDNS partition for replica locations + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=7d2a15af-c0d4-487c-847e-e036292bcc65 --scope=one -b CN=Partitions,CN=Configuration,DC=release-4-1-0rc3,DC=samba,DC=corp msDS-NC-Replica-Locations >$tmpldif + diff -u $tmpldif $release_dir/expected-replica-locations-after-dbcheck2.ldif + if [ "$?" != "0" ]; then + return 1 + fi + elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then + echo $RELEASE checking after values + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-dbcheck.ldif.tmp + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --show-recycled --show-deleted --show-deactivated-link --reveal member memberOf lastKnownParent objectCategory lastKnownParent wellKnownObjects legacyExchangeDN sAMAccountType uSNChanged --sorted >$tmpldif + diff -u $tmpldif $release_dir/expected-links-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + + # If in the future dbcheck has to make a change recorded in replPropertyMetadata, + # this test will fail and can be removed. + tmpversion=$PREFIX_ABS/$RELEASE/rootdse-version.final.txt.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpversion + diff -u $tmpversion $release_dir/rootdse-version.final.txt + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +check_forced_duplicate_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + ldif=$release_dir/forced-duplicate-value-for-dbcheck.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + else + return 0 + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck_after_dup() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=administrator,cn=users,DC=release-4-1-0rc3,DC=samba,DC=corp $@ + else + return 1 + fi +} + +check_expected_after_dup_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-otherphone-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=administrator --scope=base -b cn=administrator,cn=users,DC=release-4-1-0rc3,DC=samba,DC=corp otherHomePhone --sorted --show-binary | grep -v \# | sort >$tmpldif + diff -u $tmpldif $release_dir/expected-otherphone-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +# But having fixed it all up, this should pass +dbcheck_clean() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} + +# This should 'fail', because it returns the number of modified records. +# We don't need to run this against 4.1 releases +dbcheck_acl_reset() +{ + if [ x$RELEASE = x"release-4-0-0" -o x$RELEASE = x"alpha13" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + else + return 1 + fi +} +# But having fixed it all up, this should pass. +# We don't need to run this against 4.1.0rc3 +dbcheck_acl_reset_clean() +{ + if [ x$RELEASE != x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck2() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + else + exit 1 + fi +} +# But having fixed it all up, this should pass +dbcheck_clean2() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + fi +} + +rm_deleted_objects() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb 'CN=Deleted Objects,DC=RELEASE-4-1-0RC3,DC=SAMBA,DC=CORP' + if [ "$?" != "0" ]; then + return 1 + fi + else + return 0 + fi +} +# This should 'fail', because it returns the number of modified records +dbcheck3() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + else + exit 1 + fi +} +# But having fixed it all up, this should pass +dbcheck_clean3() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + fi +} + +check_expected_after_deleted_objects() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted_objects-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=deleted\ objects --scope=base -b cn=deleted\ objects,DC=release-4-1-0rc3,DC=samba,DC=corp objectClass description isDeleted isCriticalSystemObject objectGUID showInAdvancedViewOnly systemFlags --sorted --show-binary --show-deleted | grep -v \# | sort >$tmpldif + diff -u $tmpldif $release_dir/expected-deleted_objects-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +referenceprovision() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old + + # on top of this, also apply 2008R2 changes we accidentally missed in the past + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf + fi +} + +ldapcmp() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes,servicePrincipalName + fi +} + +ldapcmp_sd() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --sd --skip-missing-dn --filter=servicePrincipalName + fi +} + +remove_directory $PREFIX_ABS/${RELEASE}_reference + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "reindex" reindex || failed=$(expr $failed + 1) +testit "current_version_mod" do_current_version_mod || failed=$(expr $failed + 1) +testit "check_expected_before_values" check_expected_before_values || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_deleted_objects" dbcheck_deleted_objects || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_objectclass" dbcheck_objectclass || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck" dbcheck || failed=$(expr $failed + 1) +testit "check_expected_after_values" check_expected_after_values || failed=$(expr $failed + 1) +testit "check_forced_duplicate_values" check_forced_duplicate_values || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_after_dup" dbcheck_after_dup || failed=$(expr $failed + 1) +testit "check_expected_after_dup_values" check_expected_after_dup_values || failed=$(expr $failed + 1) +testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1) +testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean || failed=$(expr $failed + 1) +testit "add_userparameters0" add_userparameters1 || failed=$(expr $failed + 1) +testit "add_userparameters1" add_userparameters1 || failed=$(expr $failed + 1) +testit "add_userparameters2" add_userparameters2 || failed=$(expr $failed + 1) +testit "add_userparameters3" add_userparameters3 || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck2" dbcheck2 || failed=$(expr $failed + 1) +testit "dbcheck_clean2" dbcheck_clean2 || failed=$(expr $failed + 1) +testit "check_expected_userparameters" check_expected_userparameters || failed=$(expr $failed + 1) +testit "rm_deleted_objects" rm_deleted_objects || failed=$(expr $failed + 1) +# We must re-index again because rm_deleted_objects went behind +# the back of the main sam.ldb. +testit "reindex2" reindex || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck3" dbcheck3 || failed=$(expr $failed + 1) +testit "dbcheck_clean3" dbcheck_clean3 || failed=$(expr $failed + 1) +testit "check_expected_after_deleted_objects" check_expected_after_deleted_objects || failed=$(expr $failed + 1) +testit "referenceprovision" referenceprovision || failed=$(expr $failed + 1) +testit "ldapcmp" ldapcmp || failed=$(expr $failed + 1) +testit "ldapcmp_sd" ldapcmp_sd || failed=$(expr $failed + 1) + +if [ -d $PREFIX_ABS/${RELEASE} ]; then + rm -fr $PREFIX_ABS/${RELEASE} +fi + +remove_directory $PREFIX_ABS/${RELEASE}_reference + +exit $failed diff --git a/testprogs/blackbox/dbcheck.sh b/testprogs/blackbox/dbcheck.sh new file mode 100755 index 0000000..1f1d432 --- /dev/null +++ b/testprogs/blackbox/dbcheck.sh @@ -0,0 +1,71 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: dbcheck.sh PREFIX +EOF + exit 1 +fi + +PREFIX="$1" +shift 1 +ARGS=$@ + +. $(dirname $0)/subunit.sh + +dbcheck() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs $ARGS +} + +# This list of attributes can be freely extended +dbcheck_fix_one_way_links() +{ + $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes fix_all_old_dn_string_component_mismatch --attrs="lastKnownParent defaultObjectCategory fromServer rIDSetReferences" --cross-ncs $ARGS +} + +# This list of attributes can be freely extended +dbcheck_fix_stale_links() +{ + $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes remove_plausible_deleted_DN_links --attrs="member msDS-NC-Replica-Locations msDS-NC-RO-Replica-Locations msDS-RevealOnDemandGroup msDS-NeverRevealGroup msDS-RevealedUsers" --cross-ncs $ARGS +} + +# This list of attributes can be freely extended +dbcheck_fix_crosspartition_backlinks() +{ + # we may not know the target yet when we receive a cross-partition link, + # which can result in a missing backlink + $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes fix_all_missing_backlinks --attrs="serverReference" --cross-ncs $ARGS +} + +# This test shows that this does not do anything to a current +# provision (that would be a bug) +dbcheck_reset_well_known_acls() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --reset-well-known-acls $ARGS +} + +reindex() +{ + $PYTHON $BINDIR/samba-tool dbcheck --reindex $ARGS +} + +fixed_attrs() +{ + $PYTHON $BINDIR/samba-tool dbcheck --attrs=cn $ARGS +} + +force_modules() +{ + $PYTHON $BINDIR/samba-tool dbcheck --force-modules $ARGS +} + +dbcheck_fix_one_way_links +dbcheck_fix_stale_links +dbcheck_fix_crosspartition_backlinks +testit "dbcheck" dbcheck +testit "reindex" reindex +testit "fixed_attrs" fixed_attrs +testit "force_modules" force_modules + +exit $failed diff --git a/testprogs/blackbox/demote-saveddb.sh b/testprogs/blackbox/demote-saveddb.sh new file mode 100755 index 0000000..56ad136 --- /dev/null +++ b/testprogs/blackbox/demote-saveddb.sh @@ -0,0 +1,80 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: demote.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +shift 1 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +samba_tree_dir="$SRCDIR_ABS/source4/selftest/provisions/multi-dc-samba-master-c596ac6" + +samba_tdbrestore="tdbrestore" +if [ -x $BINDIR/tdbrestore ]; then + samba_tdbrestore="$BINDIR/tdbrestore" +fi + +# The undump script and the provision data is not part of release tarballs, +# skip the tests in this case! +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x $samba_undump ] || [ ! -d $samba_tree_dir ]; then + subunit_start_test "undump" + subunit_skip_test "undump" <<EOF +EOF + + subunit_start_test "undump" + subunit_skip_test "undump" <<EOF +Skipping tests - no provision! +EOF + + subunit_start_test "demote-q-0-0" + subunit_skip_test "demote-q-0-0" <<EOF +Skipping tests - no provision! +EOF + subunit_start_test "demote-q-0-1" + subunit_skip_test "demote-q-0-1" <<EOF +Skipping tests - no provision! +EOF + subunit_start_test "demote-q-1-0" + subunit_skip_test "demote-q-1-0" <<EOF +Skipping tests - no provision! +EOF + subunit_start_test "demote-q-1-1" + subunit_skip_test "demote-q-1-1" <<EOF +Skipping tests - no provision! +EOF + + exit 0 +fi + +undump() +{ + $SRCDIR_ABS/source4/selftest/provisions/undump.sh $samba_tree_dir $PREFIX_ABS $samba_tdbrestore +} + +demote() +{ + $PYTHON $BINDIR/samba-tool domain demote -H tdb://$PREFIX_ABS/private/sam.ldb --remove-other-dead-server=$1 +} + +remove_directory $PREFIX_ABS + +testit "undump" undump || failed=$(expr $failed + 1) +testit "demote-q-0-0" demote "q-0-0" || failed=$(expr $failed + 1) +# The database was copied of q-0-1 so this will fail +# as we can't remove our own name +testit_expect_failure "demote-q-0-1" demote "q-0-1" || failed=$(expr $failed + 1) +testit "demote-q-1-0" demote "q-1-0" || failed=$(expr $failed + 1) +testit "demote-q-1-1" demote "q-1-1" || failed=$(expr $failed + 1) + +remove_directory $PREFIX_ABS + +exit $failed diff --git a/testprogs/blackbox/dfree.sh b/testprogs/blackbox/dfree.sh new file mode 100755 index 0000000..893bc59 --- /dev/null +++ b/testprogs/blackbox/dfree.sh @@ -0,0 +1,8 @@ +#!/bin/sh +if [ "$1" = "." ]; then + echo "1000 10 2048" +elif [ "$1" = "subdir1" ]; then + echo "2000 20 4096" +else + echo "4000 40 8192" +fi diff --git a/testprogs/blackbox/dom_parse.sh b/testprogs/blackbox/dom_parse.sh new file mode 100755 index 0000000..8a22ce2 --- /dev/null +++ b/testprogs/blackbox/dom_parse.sh @@ -0,0 +1,27 @@ +#!/bin/sh +# Blackbox wrapper for nsstest +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: dom_parse.sh [id|getent] $USER +EOF + exit 1 +fi + +USER=$2 +CMD=$1 +EXTRA="" +shift 2 +failed=0 + +. $(dirname $0)/subunit.sh + +if [ "$CMD" = "getent" ]; then + EXTRA="passwd" +fi + +testit "samba4.winbind.dom_name_parse.cmd.$CMD" $CMD $EXTRA $USER || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh new file mode 100755 index 0000000..9c68047 --- /dev/null +++ b/testprogs/blackbox/functionalprep.sh @@ -0,0 +1,134 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: $0 PREFIX +EOF + exit 1 +fi + +PREFIX_ABS="$1" +shift 1 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +RELEASE="release-4-8-0-pre1" +release_dir="$SRCDIR_ABS/source4/selftest/provisions/$RELEASE" + +OLD_RELEASE="release-4-1-0rc3" +old_release_dir="$SRCDIR_ABS/source4/selftest/provisions/$OLD_RELEASE" + +samba_tdbrestore="tdbrestore" +if [ -x "$BINDIR/tdbrestore" ]; then + samba_tdbrestore="$BINDIR/tdbrestore" +fi + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" + +if [ ! -x $samba_undump ] || [ ! -d $release_dir ] || [ ! -d $old_release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "functional_prep" + subunit_skip_test "functional_prep" <<EOF +no test provision +EOF + + subunit_start_test "functional_prep_old" + subunit_skip_test "functional_prep_old" <<EOF +no test provision +EOF + + exit 0 +fi + +cleanup_output_directories() +{ + remove_directory $PREFIX_ABS/2012R2_schema + remove_directory $PREFIX_ABS/$RELEASE + remove_directory $PREFIX_ABS/$OLD_RELEASE +} + +undump() +{ + $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore +} + +undump_old() +{ + $samba_undump $old_release_dir $PREFIX_ABS/$OLD_RELEASE $samba_tdbrestore +} + +PROVISION_OPTS="--use-ntvfs --host-ip6=::1 --host-ip=127.0.0.1" + +provision_2012r2() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=REALM --realm=REALM.COM --targetdir=$PREFIX_ABS/2012R2_schema --base-schema=2012_R2 --host-name=FLPREP +} + +ldapcmp_ignore() +{ + # At some point we will need to ignore, but right now, it should be perfect + IGNORE_ATTRS=$1 + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes,servicePrincipalName +} + +ldapcmp() +{ + # Our functional prep doesn't set these values as they were not provided + # These are XML schema based enumerations which are used for claims + ldapcmp_ignore "msDS-ClaimPossibleValues" "$RELEASE" "2012R2_schema" +} + +functional_prep() +{ + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/2012R2_schema/private/sam.ldb --function-level=2012_R2 +} + +functional_prep_old() +{ + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --function-level=2012_R2 +} + +steal_roles() +{ + # Must steal schema master and infrastructure roles first + $PYTHON $BINDIR/samba-tool fsmo seize --role=schema -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --force + $PYTHON $BINDIR/samba-tool fsmo seize --role=infrastructure -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --force +} + +schema_upgrade() +{ + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --schema=2012_R2 +} + +# double-check we cleaned up from the last test run +cleanup_output_directories + +testit $RELEASE undump || failed=$(expr $failed + 1) + +# Provision a DC based on 2012R2 schema +testit "provision_2012R2_schema" provision_2012r2 || failed=$(expr $failed + 1) + +# Perform functional prep up to 2012 R2 level +testit "functional_prep" functional_prep || failed=$(expr $failed + 1) + +# check that the databases are now the same +testit "check_databases_same" ldapcmp || failed=$(expr $failed + 1) + +testit $OLD_RELEASE undump_old || failed=$(expr $failed + 1) + +testit "steal_roles" steal_roles || failed=$(expr $failed + 1) + +testit "schema_upgrade" schema_upgrade || failed=$(expr $failed + 1) + +testit "functional_prep_old" functional_prep_old || failed=$(expr $failed + 1) + +cleanup_output_directories + +exit $failed diff --git a/testprogs/blackbox/join_ldapcmp.sh b/testprogs/blackbox/join_ldapcmp.sh new file mode 100755 index 0000000..3e5b264 --- /dev/null +++ b/testprogs/blackbox/join_ldapcmp.sh @@ -0,0 +1,51 @@ +#!/bin/sh +# Does a join against the testenv's DC and then runs ldapcmp on the resulting DB + +. $(dirname $0)/subunit.sh + +TARGET_DIR="$PREFIX_ABS/join_$SERVER" + +cleanup_output_dir() +{ + if [ -d $TARGET_DIR ]; then + rm -fr $TARGET_DIR + fi +} + +SAMBA_TOOL="$PYTHON $BINDIR/samba-tool" + +join_dc() +{ + JOIN_ARGS="--targetdir=$TARGET_DIR --server=$SERVER -U$USERNAME%$PASSWORD" + $SAMBA_TOOL domain join $REALM dc $JOIN_ARGS --option="netbios name = TESTJOINDC" +} + +demote_joined_dc() +{ + DEMOTE_ARGS="--remove-other-dead-server=TESTJOINDC --server=$SERVER -U$USERNAME%$PASSWORD" + $SAMBA_TOOL domain demote $DEMOTE_ARGS +} + +ldapcmp_result() +{ + DB1_PATH="tdb://$PREFIX_ABS/$SERVER/private/sam.ldb" + DB2_PATH="tdb://$TARGET_DIR/private/sam.ldb" + + # interSiteTopologyGenerator gets periodically updated. With the restored + # testenvs, it can sometimes point to the old/deleted DC object still + $SAMBA_TOOL ldapcmp $DB1_PATH $DB2_PATH --filter=interSiteTopologyGenerator +} + +cleanup_output_dir + +# check that we can join this DC +testit "check_dc_join" join_dc + +# check resulting DB matches server DC +testit "new_db_matches" ldapcmp_result + +testit "demote_joined_dc" demote_joined_dc + +cleanup_output_dir + +exit $failed diff --git a/testprogs/blackbox/ldapcmp_restoredc.sh b/testprogs/blackbox/ldapcmp_restoredc.sh new file mode 100755 index 0000000..831b992 --- /dev/null +++ b/testprogs/blackbox/ldapcmp_restoredc.sh @@ -0,0 +1,70 @@ +#!/bin/sh +# Does an ldapcmp between a newly restored testenv and the original testenv it +# was based on + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: $0 ORIG_DC_PREFIX RESTORED_DC_PREFIX +EOF + exit 1 +fi + +ORIG_DC_PREFIX_ABS="$1" +RESTORED_DC_PREFIX_ABS="$2" +shift 2 + +. $(dirname $0)/subunit.sh + +basedn() +{ + SAMDB_PATH=$1 + $BINDIR/ldbsearch -H $SAMDB_PATH --basedn='' --scope=base defaultNamingContext | grep defaultNamingContext | awk '{print $2}' +} + +ldapcmp_with_orig() +{ + + DB1_PATH="tdb://$ORIG_DC_PREFIX_ABS/private/sam.ldb" + DB2_PATH="tdb://$RESTORED_DC_PREFIX_ABS/private/sam.ldb" + + # check if the 2 DCs are in different domains + DC1_BASEDN=$(basedn $DB1_PATH) + DC2_BASEDN=$(basedn $DB2_PATH) + BASE_DN_OPTS="" + + # if necessary, pass extra args to ldapcmp to handle the difference in base DNs + if [ "$DC1_BASEDN" != "$DC2_BASEDN" ]; then + BASE_DN_OPTS="--base=$DC1_BASEDN --base2=$DC2_BASEDN" + fi + + # the restored DC will remove DNS entries for the old DC(s) + IGNORE_ATTRS="dnsRecord,dNSTombstoned" + + # DC2 joined DC1, so it will have different DRS info + IGNORE_ATTRS="$IGNORE_ATTRS,msDS-NC-Replica-Locations,msDS-HasInstantiatedNCs" + IGNORE_ATTRS="$IGNORE_ATTRS,interSiteTopologyGenerator" + + # there's a servicePrincipalName that uses the objectGUID of the DC's NTDS + # Settings that will differ between the two DCs + IGNORE_ATTRS="$IGNORE_ATTRS,servicePrincipalName" + + # the restore changes the new DC's password twice + IGNORE_ATTRS="$IGNORE_ATTRS,lastLogonTimestamp" + + # The RID pools get bumped during the restore process + IGNORE_ATTRS="$IGNORE_ATTRS,rIDAllocationPool,rIDAvailablePool" + + # these are just differences between provisioning a domain and joining a DC + IGNORE_ATTRS="$IGNORE_ATTRS,localPolicyFlags,operatingSystem,displayName" + + # the restored DC may use a different side compared to the original DC + IGNORE_ATTRS="$IGNORE_ATTRS,serverReferenceBL,msDS-IsDomainFor" + + LDAPCMP_CMD="$PYTHON $BINDIR/samba-tool ldapcmp" + $LDAPCMP_CMD $DB1_PATH $DB2_PATH --two --skip-missing-dn --filter=$IGNORE_ATTRS $BASE_DN_OPTS +} + +# check that the restored testenv DC basically matches the original +testit "orig_dc_matches" ldapcmp_with_orig + +exit $failed diff --git a/testprogs/blackbox/nsstest.sh b/testprogs/blackbox/nsstest.sh new file mode 100755 index 0000000..6bf6705 --- /dev/null +++ b/testprogs/blackbox/nsstest.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# Blackbox wrapper for nsstest +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: nsstest.sh NSSTEST LIBNSS_WINBIND +EOF + exit 1 +fi + +nsstest=$1 +libnss_winbind=$2 +shift 2 +failed=0 + +. $(dirname $0)/subunit.sh + +testit "run nsstest" $VALGRIND $nsstest $libnss_winbind || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/renamedc.sh b/testprogs/blackbox/renamedc.sh new file mode 100755 index 0000000..6e24cdf --- /dev/null +++ b/testprogs/blackbox/renamedc.sh @@ -0,0 +1,106 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: renamedc.sh PREFIX +EOF + exit 1 +fi + +PREFIX="$1" +shift 1 + +samba4bindir="$BINDIR" +ldbsearch="ldbsearch" +if [ -x "$samba4bindir/ldbsearch" ]; then + ldbsearch="$samba4bindir/ldbsearch" +fi + +. $(dirname $0)/subunit.sh + +if [ ! -d $PREFIX/renamedc_test ]; then + mkdir -p $PREFIX/renamedc_test +fi + +testprovision() +{ + $PYTHON $BINDIR/samba-tool domain provision --host-name=bar --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/renamedc_test" --server-role="dc" --use-ntvfs +} + +testrenamedc() +{ + $PYTHON $SRCDIR/source4/scripting/bin/renamedc \ + --oldname="BAR" \ + --newname="RAYMONBAR" \ + --configfile=$PREFIX/renamedc_test/etc/smb.conf +} + +confirmrenamedc() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com' +} + +confirmrenamedc_server() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=configuration,dc=foo,dc=example,dc=com' +} + +confirmrenamedc_sAMAccountName() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com' sAMAccountName | grep 'sAMAccountName: RAYMONBAR\$' +} + +confirmrenamedc_dNSHostName() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com' dNSHostName | grep 'dNSHostName: RAYMONBAR.foo.example.com' +} + +confirmrenamedc_rootdse_dnsHostName() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b '' dNSHostName | grep 'dnsHostName: RAYMONBAR.foo.example.com' +} + +confirmrenamedc_rootdse_dsServiceName() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --show-binary --scope=base -b '' dsServiceName | grep 'dsServiceName: CN=NTDS Settings,CN=RAYMONBAR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=foo,DC=example,DC=com' +} + +testrenamedc2() +{ + $PYTHON $SRCDIR/source4/scripting/bin/renamedc \ + --oldname="RAYMONBAR" \ + --newname="BAR" \ + --configfile=$PREFIX/renamedc_test/etc/smb.conf +} + +dbcheck_fix() +{ + # Unlike most calls to dbcheck --fix, this will not trigger an error, as + # we do not flag an error count for this old DN string case. + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --configfile=$PREFIX/renamedc_test/etc/smb.conf --fix \ + --quiet --yes fix_all_old_dn_string_component_mismatch \ + --attrs="fsmoRoleOwner interSiteTopologyGenerator msDS-NC-Replica-Locations" +} + +dbcheck() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --configfile=$PREFIX/renamedc_test/etc/smb.conf +} + +testit "renameprovision" testprovision || failed=$(expr $failed + 1) +testit "renamedc" testrenamedc || failed=$(expr $failed + 1) +testit "confirmrenamedc" confirmrenamedc || failed=$(expr $failed + 1) +testit "confirmrenamedc_server" confirmrenamedc_server || failed=$(expr $failed + 1) +testit "confirmrenamedc_sAMAccountName" confirmrenamedc_sAMAccountName || failed=$(expr $failed + 1) +testit "confirmrenamedc_dNSHostName" confirmrenamedc_dNSHostName || failed=$(expr $failed + 1) +testit "confirmrenamedc_rootdse_dnsHostName" confirmrenamedc_rootdse_dnsHostName || failed=$(expr $failed + 1) +testit "confirmrenamedc_rootdse_dsServiceName" confirmrenamedc_rootdse_dsServiceName || failed=$(expr $failed + 1) +testit "dbcheck_fix" dbcheck_fix || failed=$(expr $failed + 1) +testit "dbcheck" dbcheck || failed=$(expr $failed + 1) +testit "renamedc2" testrenamedc2 || failed=$(expr $failed + 1) + +if [ $failed -eq 0 ]; then + rm -rf $PREFIX/renamedc_test +fi + +exit $failed diff --git a/testprogs/blackbox/runtime-links.sh b/testprogs/blackbox/runtime-links.sh new file mode 100755 index 0000000..3862dd9 --- /dev/null +++ b/testprogs/blackbox/runtime-links.sh @@ -0,0 +1,82 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: dbcheck-links.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +failed=0 + +. $(dirname $0)/subunit.sh + +. $(dirname $0)/common-links.sh + +. $(dirname $0)/common_test_fns.inc + +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "tombstones_expunge" + subunit_skip_test "tombstones_expunge" <<EOF +no test provision +EOF + + exit 0 +fi + +delete_member_of_deleted_group() +{ + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + if [ "$?" != "0" ]; then + return 1 + fi +} + +delete_backlink_memberof_deleted_group() +{ + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + if [ "$?" != "0" ]; then + return 1 + fi +} + +delete_dangling_backlink_memberof_group() +{ + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=dangling-back,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_directory $PREFIX_ABS/${RELEASE} + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "add_dangling_link" add_dangling_link || failed=$(expr $failed + 1) +testit "add_dangling_backlink" add_dangling_backlink || failed=$(expr $failed + 1) +testit "add_deleted_dangling_backlink" add_deleted_dangling_backlink || failed=$(expr $failed + 1) +testit "revive_links_on_deleted_group" revive_links_on_deleted_group || failed=$(expr $failed + 1) +testit "revive_backlink_on_deleted_group" revive_backlink_on_deleted_group || failed=$(expr $failed + 1) +testit "add_deleted_target_link" add_deleted_target_link || failed=$(expr $failed + 1) +testit "add_deleted_target_backlink" add_deleted_target_backlink || failed=$(expr $failed + 1) +testit "dangling_one_way_link" dangling_one_way_link || failed=$(expr $failed + 1) +testit "dangling_one_way_dn" dangling_one_way_dn || failed=$(expr $failed + 1) +testit "deleted_one_way_dn" deleted_one_way_dn || failed=$(expr $failed + 1) +testit "add_dangling_multi_valued" add_dangling_multi_valued || failed=$(expr $failed + 1) + +#Now things are set up, work with the DB +testit "delete_member_of_deleted_group" delete_member_of_deleted_group || failed=$(expr $failed + 1) +testit "delete_backlink_memberof_deleted_group" delete_backlink_memberof_deleted_group || failed=$(expr $failed + 1) +testit "delete_dangling_backlink_memberof_group" delete_dangling_backlink_memberof_group || failed=$(expr $failed + 1) + +remove_directory $PREFIX_ABS/${RELEASE} + +exit $failed diff --git a/testprogs/blackbox/schemaupgrade.sh b/testprogs/blackbox/schemaupgrade.sh new file mode 100755 index 0000000..b5b638d --- /dev/null +++ b/testprogs/blackbox/schemaupgrade.sh @@ -0,0 +1,131 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: $0 PREFIX +EOF + exit 1 +fi + +PREFIX_ABS="$1" +shift 1 + +. $(dirname $0)/subunit.sh + +cleanup_output_directories() +{ + if [ -d $PREFIX_ABS/2012R2_schema ]; then + rm -fr $PREFIX_ABS/2012R2_schema + fi + + if [ -d $PREFIX_ABS/2008R2_schema ]; then + rm -fr $PREFIX_ABS/2008R2_schema + fi +} + +PROVISION_OPTS="--use-ntvfs --host-ip6=::1 --host-ip=127.0.0.1" + +provision_2012r2() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2012r2.samba.corp --targetdir=$PREFIX_ABS/2012R2_schema --base-schema=2012_R2 +} + +provision_2008r2() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2008r2.samba.corp --targetdir=$PREFIX_ABS/2008R2_schema --base-schema=2008_R2 +} + +provision_2008r2_old() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2008r2.samba.corp --targetdir=$PREFIX_ABS/2008R2_old_schema --base-schema=2008_R2_old +} + +ldapcmp_ignore() +{ + + IGNORE_ATTRS=$1 + + # there's discrepancies between the SDDL strings in the adprep LDIF files + # vs the 2012 schema, where one source will have ACE rights repeated, e.g. + # "LOLO" in adprep vs "LO" in the schema + IGNORE_ATTRS="$IGNORE_ATTRS,defaultSecurityDescriptor" + + # the adprep LDIF files updates these attributes for the DisplaySpecifiers + # objects, but we don't have the 2012 DisplaySpecifiers documentation... + IGNORE_ATTRS="$IGNORE_ATTRS,adminContextMenu,adminPropertyPages" + + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2_schema/private/sam.ldb tdb://$PREFIX_ABS/$3_schema/private/sam.ldb --two --filter=$IGNORE_ATTRS --skip-missing-dn +} + +ldapcmp_old() +{ + # the original 2008 schema we received from Microsoft was missing + # descriptions and display names. This has been fixed up in the current + # Microsoft schemas + IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName" + + # we didn't get showInAdvancedViewOnly right on Samba + IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly" + + ldapcmp_ignore "$IGNORE_ATTRS" "2008R2_old" "2012R2" +} + +ldapcmp() +{ + # The adminDescription and adminDisplayName have been editorially + # corrected in the 2012R2 schema but not in the adprep files. + ldapcmp_ignore "adminDescription,adminDisplayName" "2008R2" "2012R2" +} + +ldapcmp_2008R2_2008R2_old() +{ + # the original 2008 schema we received from Microsoft was missing + # descriptions and display names. This has been fixed up in the current + # Microsoft schemas + IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName" + + # we didn't get showInAdvancedViewOnly right on Samba + IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly" + + ldapcmp_ignore $IGNORE_ATTRS "2008R2" "2008R2_old" +} + +schema_upgrade() +{ + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/2008R2_schema/private/sam.ldb --schema=2012_R2 +} + +schema_upgrade_old() +{ + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/2008R2_old_schema/private/sam.ldb --schema=2012_R2 +} + +# double-check we cleaned up from the last test run +cleanup_output_directories + +# Provision 2 DCs, one based on the 2008R2 schema and one using 2012R2 +testit "provision_2008R2_schema" provision_2008r2 +testit "provision_2008R2_old_schema" provision_2008r2_old +testit "provision_2012R2_schema" provision_2012r2 + +# we expect the 2 schemas to be different +testit_expect_failure "expect_schema_differences" ldapcmp + +# check that the 2 schemas are now the same, ignoring Samba bugs +testit "check_2008R2_2008R2_schemas_same" ldapcmp_2008R2_2008R2_old + +# upgrade the 2008 schema to 2012 +testit "schema_upgrade" schema_upgrade + +# check that the 2 schemas are now the same +testit "check_schemas_same" ldapcmp + +# upgrade the 2008 schema to 2012 +testit "schema_upgrade_old" schema_upgrade_old + +# check that the 2 schemas are now the same, ignoring Samba bugs +testit "check_schemas_same_old" ldapcmp_old + +cleanup_output_directories + +exit $failed diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh new file mode 100755 index 0000000..ba4e997 --- /dev/null +++ b/testprogs/blackbox/subunit.sh @@ -0,0 +1,209 @@ +# +# subunit.sh: shell functions to report test status via the subunit protocol. +# Copyright (C) 2006 Robert Collins <robertc@robertcollins.net> +# Copyright (C) 2008 Jelmer Vernooij <jelmer@samba.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +timestamp() +{ + # mark the start time. With Gnu date, you get nanoseconds from %N + # (here truncated to microseconds with %6N), but not on BSDs, + # Solaris, etc, which will apparently leave either %N or N at the end. + date -u +'time: %Y-%m-%d %H:%M:%S.%6NZ' | sed 's/\..*NZ$/.000000Z/' +} + +subunit_start_test() +{ + # emit the current protocol start-marker for test $1 + timestamp + printf 'test: %s\n' "$1" +} + +subunit_pass_test() +{ + # emit the current protocol test passed marker for test $1 + timestamp + printf 'success: %s\n' "$1" +} + +# This is just a hack as we have some broken scripts +# which use "exit $failed", without initializing failed. +failed=0 + +subunit_fail_test() +{ + # emit the current protocol fail-marker for test $1, and emit stdin as + # the error text. + # we use stdin because the failure message can be arbitrarily long, and this + # makes it convenient to write in scripts (using <<END syntax. + timestamp + printf 'failure: %s [\n' "$1" + cat - + printf '\n]\n' +} + +subunit_error_test() +{ + # emit the current protocol error-marker for test $1, and emit stdin as + # the error text. + # we use stdin because the failure message can be arbitrarily long, and this + # makes it convenient to write in scripts (using <<END syntax. + timestamp + printf 'error: %s [\n' "$1" + cat - + printf '\n]\n' +} + +subunit_skip_test() +{ + # emit the current protocol skip-marker for test $1, and emit stdin as + # the error text. + # we use stdin because the failure message can be arbitrarily long, and this + # makes it convenient to write in scripts (using <<END syntax. + printf 'skip: %s [\n' "$1" + cat - + printf '\n]\n' +} + +testit() +{ + name="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ x$status = x0 ]; then + subunit_pass_test "$name" + else + echo "$output" | subunit_fail_test "$name" + fi + return $status +} + +# This returns 0 if the command gave success and the grep value was found +# all other cases return != 0 +testit_grep() +{ + name="$1" + shift + grep="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ x$status != x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" not found in output:\n%s' "$grep" "$output" | subunit_fail_test "$name" + fi + return $status +} + +# This returns 0 if the command gave success and the grep value was found +# num times all other cases return != 0 +testit_grep_count() +{ + name="$1" + shift + grep="$1" + shift + num="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ x$status != x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + found=$(printf '%s' "$output" | grep -c "$grep") + if [ x"$found" = x"$num" ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" found "%d" times, expected "%d" in output:\n%s'\ + "$grep" "$found" "$num" "$output" | + subunit_fail_test "$name" + fi + return $status +} + +testit_expect_failure() +{ + name="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ x$status = x0 ]; then + echo "$output" | subunit_fail_test "$name" + else + subunit_pass_test "$name" + fi + return $status +} + +# This returns 0 if the command gave a failure and the grep value was found +# all other cases return != 0 +testit_expect_failure_grep() +{ + name="$1" + shift + grep="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ x$status = x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return 1 + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" not found in output:\n%s' "$grep" "$output" | subunit_fail_test "$name" + fi + return $status +} + +testok() +{ + name=$(basename $1) + failed=$2 + + exit $failed +} + +# work out the top level source directory +if [ -d source4 ]; then + SRCDIR="." +else + SRCDIR=".." +fi +export SRCDIR diff --git a/testprogs/blackbox/test_chgdcpass.sh b/testprogs/blackbox/test_chgdcpass.sh new file mode 100755 index 0000000..8b0ef45 --- /dev/null +++ b/testprogs/blackbox/test_chgdcpass.sh @@ -0,0 +1,115 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 4 ]; then + cat <<EOF +Usage: test_kinit.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +REALM=$3 +DOMAIN=$4 +PREFIX=$5 +ENCTYPE=$6 +PROVDIR=$7 +smbclient=$8 +shift 8 +failed=0 + +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" + +samba4kinit_binary=kinit +heimdal=0 +if test -x $BINDIR/samba4kinit; then + heimdal=1 + samba4kinit_binary=bin/samba4kinit +fi + +machineaccountccache="$samba4srcdir/scripting/bin/machineaccountccache" + +unc="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +test_drs() +{ + function="$1" + name="$2" + shift + shift + echo "test: $name" + echo $VALGRIND $PYTHON $samba4bindir/samba-tool drs $function $SERVER -k yes $@ + $VALGRIND $PYTHON $samba4bindir/samba-tool drs $function $SERVER -k yes $@ + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + fi + return $status +} + +enctype="-e $ENCTYPE" + +KRB5CCNAME="$PREFIX/tmpccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME +rm -f $KRB5CCNAME + +if [ $heimdal -eq 1 ]; then + testit "kinit with keytab" $samba4kinit $enctype -t $PROVDIR/private/secrets.keytab --use-keytab $USERNAME || failed=$(expr $failed + 1) +else + testit "kinit with keytab" $samba4kinit -k -t $PROVDIR/private/secrets.keytab $USERNAME || failed=$(expr $failed + 1) +fi + +#This is important because it puts the ticket for the old KVNO and password into a local ccache +test_smbclient "Test login with kerberos ccache before password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +#check that drs bind works before we change the password (prime the ccache) +test_drs bind "Test drs bind with with kerberos ccache" || failed=$(expr $failed + 1) + +#check that drs options works before we change the password (prime the ccache) +test_drs options "Test drs options with with kerberos ccache" || failed=$(expr $failed + 1) + +testit "change dc password" $PYTHON $samba4srcdir/scripting/devel/chgtdcpass --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) + +#This is important because it shows that the old ticket remains valid (as it must) for incoming connections after the DC password is changed +test_smbclient "Test login with kerberos ccache after password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +#check that drs bind works after we change the password +test_drs bind "Test drs bind with new password" || failed=$(expr $failed + 1) + +#check that drs options works after we change the password +test_drs options "Test drs options with new password" || failed=$(expr $failed + 1) + +testit "change dc password (2nd time)" $PYTHON $samba4srcdir/scripting/devel/chgtdcpass --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) + +# This is important because it shows that the old ticket is discarded if the server rejects it (as it must) after the password was changed twice in succession. +# This also ensures we handle the case where the domain is re-provisioned etc +test_smbclient "Test login with kerberos ccache after 2nd password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +#check that drs bind works after we change the password a 2nd time +test_drs bind "Test drs bind after 2nd password change" || failed=$(expr $failed + 1) + +#check that drs options works after we change the password a 2nd time +test_drs options "Test drs options after 2nd password change" || failed=$(expr $failed + 1) + +#This confirms that the DC password is valid for a kinit too +if [ $heimdal -eq 1 ]; then + testit "kinit with keytab" $samba4kinit $enctype -t $PROVDIR/private/secrets.keytab --use-keytab $USERNAME || failed=$(expr $failed + 1) +else + testit "kinit with keytab" $samba4kinit -k -t $PROVDIR/private/secrets.keytab $USERNAME || failed=$(expr $failed + 1) +fi +test_smbclient "Test login with kerberos ccache with fresh kinit" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME + +rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache +exit $failed diff --git a/testprogs/blackbox/test_client_etypes.sh b/testprogs/blackbox/test_client_etypes.sh new file mode 100755 index 0000000..0389cb3 --- /dev/null +++ b/testprogs/blackbox/test_client_etypes.sh @@ -0,0 +1,82 @@ +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_client_etypes.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS ETYPE_CONF EXPECTED +EOF + exit 1 +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +BASEDIR=$4 +ETYPE_CONF=$5 +EXPECTED_ETYPES="$6" + +# Load test functions +. $(dirname $0)/subunit.sh + +KRB5CCNAME_PATH="$PREFIX/test_client_etypes_krb5ccname" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +#requires tshark and sha1sum +if ! which tshark >/dev/null 2>&1 || ! which sha1sum >/dev/null 2>&1; then + subunit_start_test "client encryption types" + subunit_skip_test "client encryption types" <<EOF +Skipping tests - tshark or sha1sum not installed +EOF + exit 0 +fi + +HOSTNAME=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10) + +RUNDIR=$(pwd) +cd $BASEDIR +WORKDIR=$(mktemp -d -p .) +WORKDIR=$(basename $WORKDIR) +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads --option=kerberosencryptiontypes=$ETYPE_CONF" +pcap_file=$BASEDIR/$WORKDIR/test.pcap + +export SOCKET_WRAPPER_PCAP_FILE=$pcap_file +testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +#The leave command does not use the locally-generated +#krb5.conf +export SOCKET_WRAPPER_PCAP_FILE= +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# +# Older versions of tshark do not support -Y option, +# They use -R which cannot be used with recent versions... +# +if ! tshark -r $pcap_file -nVY "kerberos" >/dev/null 2>&1; then + subunit_start_test "client encryption types" + subunit_skip_test "client encryption types" <<EOF +Skipping tests - old version of tshark detected +EOF + exit 0 +fi + +actual_types="$(tshark -r $pcap_file -nVY "kerberos" | + sed -rn -e 's/[[:space:]]*ENCTYPE:.*\(([^\)]*)\)$/\1/p' \ + -e 's/[[:space:]]*Encryption type:.*\(([^\)]*)\)$/\1/p' | + sort -u | tr '\n' '_' | sed s/_$//)" + +testit "verify types" test "x$actual_types" = "x$EXPECTED_ETYPES" || failed=$(expr $failed + 1) + +rm -rf $BASEDIR/$WORKDIR +rm -f $KRB5CCNAME_PATH + +exit $failed diff --git a/testprogs/blackbox/test_client_kerberos.sh b/testprogs/blackbox/test_client_kerberos.sh new file mode 100755 index 0000000..b436192 --- /dev/null +++ b/testprogs/blackbox/test_client_kerberos.sh @@ -0,0 +1,293 @@ +#!/bin/sh +# Blackbox tests for kerberos client options +# Copyright (c) 2019 Andreas Schneider <asn@samba.org> + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_client_kerberos.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION +EOF + exit 1 +fi + +DOMAIN=$1 +REALM=$2 +USERNAME=$3 +PASSWORD=$4 +SERVER=$5 +PREFIX=$6 +CONFIGURATION=$7 +shift 7 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +samba_bindir="$BINDIR" +samba_rpcclient="$samba_bindir/rpcclient" +samba_smbclient="$samba_bindir/smbclient" +samba_smbtorture="$samba_bindir/smbtorture" + +samba_kinit=kinit +if test -x ${samba_bindir}/samba4kinit; then + samba_kinit=${samba_bindir}/samba4kinit +fi + +samba_kdestroy=kdestroy +if test -x ${samba_bindir}/samba4kdestroy; then + samba_kinit=${samba_bindir}/samba4kdestroy +fi + +test_rpc_getusername() +{ + eval echo "$cmd" + out=$(eval $cmd) + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "Account Name: $USERNAME, Authority Name: $DOMAIN" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +test_smbclient() +{ + eval echo "$cmd" + out=$(eval $cmd) + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + fi + + return $ret +} + +test_smbclient_kerberos() +{ + eval echo "$cmd -d5" + out=$(eval $cmd) + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep "Doing init for" >/dev/null 2>&1 + ret=$? + if [ $ret -eq 0 ]; then + echo "Kinit failed for smbclient" + echo "$out" + return 1 + fi + + return 0 +} + +KRB5CCNAME_PATH="$PREFIX/ccache_client_kerberos" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +### RPCCLIENT (legacy) +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm interactive" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm interactive with -U" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy kerberos" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit_expect_failure "test rpcclient legacy kerberos interactive (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_rpcclient ncacn_np:${SERVER} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy kerberos ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### RPCCLIENT +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm interactive" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm interactive with -U" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient kerberos" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1' +testit_expect_failure "test rpcclient kerberos interactive (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_rpcclient ncacn_np:${SERVER} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient kerberos ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBTORTURE (legacy) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy default" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy ntlm (kerberos=no)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy kerberos=yes" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy kerberos=yes ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit_expect_failure "test smbtorture legacy kerberos=no ccache (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBTORTURE + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture default" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture ntlm (kerberos=no)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture kerberos=yes" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture kerberos=yes ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture --use-kerbers=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit_expect_failure "test smbtorture kerberos=no ccache (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBCLIENT (legacy) +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm interactive" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm interactive with -U" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy kerberos" \ + test_smbclient || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -k --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy kerberos ccache" \ + test_smbclient || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBCLIENT tests for --use-kerberos=desired|required|disabled +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm interactive" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm interactive with -U" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=desired --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=desired" \ + test_smbclient_kerberos || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=required" \ + test_smbclient_kerberos || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbclient //${SERVER}/tmp --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=required ccache" \ + test_smbclient || + failed=$(expr $failed + 1) +$samba_kdestroy + +rm -rf $KRB5CCNAME_PATH + +exit $failed diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh new file mode 100755 index 0000000..f2cec4c --- /dev/null +++ b/testprogs/blackbox/test_export_keytab_heimdal.sh @@ -0,0 +1,115 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_extract_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +REALM=$3 +DOMAIN=$4 +PREFIX=$5 +smbclient=$6 +shift 6 +failed=0 + +samba4bindir="$BINDIR" +samba_tool="$samba4bindir/samba-tool" +samba4ktutil="$BINDIR/samba4ktutil" +newuser="$samba_tool user create" + +DNSDOMAIN=$(echo $REALM | tr '[:upper:]' '[:lower:]') +SERVER_FQDN="$SERVER.$DNSDOMAIN" + +samba4kinit_binary=kinit +if test -x $BINDIR/samba4kinit; then + samba4kinit_binary=$BINDIR/samba4kinit +fi + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +test_keytab() +{ + testname="$1" + keytab="$2" + principal="$3" + expected_nkeys="$4" + + echo "test: $testname" + + NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour") + status=$? + if [ x$status != x0 ]; then + echo "failure: $testname" + return $status + fi + + if [ x$NKEYS != x$expected_nkeys ]; then + echo "failure: $testname" + return 1 + fi + echo "success: $testname" + return 0 +} + +USERPASS=testPaSS@01% +unc="//$SERVER/tmp" + +testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=$(expr $failed + 1) + +testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=$(expr $failed + 1) +test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 +testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=$(expr $failed + 1) +test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 + +testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=$(expr $failed + 1) +test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 +testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=$(expr $failed + 1) +test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 + +testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=$(expr $failed + 1) +test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 +testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=$(expr $failed + 1) +test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 + +testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=$(expr $failed + 1) +test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3 + +KRB5CCNAME="$PREFIX/tmpuserccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME + +testit "kinit with keytab as user" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit with keytab as user (2)" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab-2 --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache as user (2)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpadminccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME + +testit "kinit with keytab as $USERNAME" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpspnupnccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME +testit "kinit with SPN from keytab" $VALGRIND $samba4kinit -k -t $PREFIX/tmpkeytab-3 http/testupnspn.$DNSDOMAIN || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpadminccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME + +testit "del user" $VALGRIND $PYTHON $samba_tool user delete nettestuser -k yes $@ || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-server $PREFIX/tmpspnupnccache +exit $failed diff --git a/testprogs/blackbox/test_export_keytab_mit.sh b/testprogs/blackbox/test_export_keytab_mit.sh new file mode 100755 index 0000000..abc6040 --- /dev/null +++ b/testprogs/blackbox/test_export_keytab_mit.sh @@ -0,0 +1,137 @@ +#!/bin/sh +# +# Blackbox tests for an exported keytab with kinit +# +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) 2016 Andreas Schneider <asn@cryptomilk.org> + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_extract_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +REALM=$3 +DOMAIN=$4 +PREFIX=$5 +smbclient=$6 +shift 6 +failed=0 + +samba_bindir="$BINDIR" +samba_tool="$samba_bindir/samba-tool" +samba_newuser="$samba_tool user create" +samba_texpect="$samba_bindir/texpect" +samba_ktutil="$BINDIR/samba4ktutil" + +samba_kinit=kinit +samba_kdestroy=kdestroy + +SERVER_FQDN="$SERVER.$(echo $REALM | tr '[:upper:]' '[:lower:]')" + +source $(dirname $0)/subunit.sh + +test_smbclient() +{ + name="$1" + cmd="$2" + shift + shift + echo "test: $name" + $VALGRIND $smbclient //$SERVER/tmp -c "$cmd" $@ + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + fi + return $status +} + +test_keytab() +{ + testname="$1" + keytab="$2" + principal="$3" + expected_nkeys="$4" + + echo "test: $testname" + + NKEYS=$($VALGRIND $samba_ktutil $keytab | grep -i "$principal" | egrep -c "DES|AES|ArcFour") + status=$? + if [ x$status != x0 ]; then + echo "failure: $testname" + return $status + fi + + if [ x$NKEYS != x$expected_nkeys ]; then + echo "failure: $testname" + return 1 + fi + echo "success: $testname" + return 0 +} + +TEST_USER=nettestuser +TEST_PASSWORD=testPaSS@01% + +EXPECTED_NKEYS=3 +krb5_version="$(krb5-config --version | cut -d ' ' -f 4)" +krb5_major_version="$(echo $krb5_version | awk -F. '{ print $1; }')" +krb5_minor_version="$(echo $krb5_version | awk -F. '{ print $2; }')" + +# MIT Kerberos < 1.18 has support for DES keys +if [ $krb5_major_version -eq 1 ] && [ $krb5_minor_version -lt 18 ]; then + EXPECTED_NKEYS=5 +fi + +testit "create local user $TEST_USER" $VALGRIND $PYTHON $samba_newuser $TEST_USER $TEST_PASSWORD $@ || failed=$(expr $failed + 1) + +testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-all $@ || failed=$(expr $failed + 1) +test_keytab "read keytab from domain" "$PREFIX/tmpkeytab-all" "$SERVER\\\$" $EXPECTED_NKEYS + +testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-all $@ || failed=$(expr $failed + 1) +test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab-all" "$SERVER\\\$" $EXPECTED_NKEYS + +testit "dump keytab from domain for cifs service principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=$(expr $failed + 1) +test_keytab "read keytab from domain for cifs service principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" $EXPECTED_NKEYS +testit "dump keytab from domain for cifs service principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=$(expr $failed + 1) +test_keytab "read keytab from domain for cifs service principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" $EXPECTED_NKEYS + +testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-user-princ --principal=$TEST_USER $@ || failed=$(expr $failed + 1) +test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-user-princ" "$TEST_USER@$REALM" $EXPECTED_NKEYS +testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-user-princ --principal=$TEST_USER@$REALM $@ || failed=$(expr $failed + 1) +test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-user-princ" "$TEST_USER@$REALM" $EXPECTED_NKEYS + +KRB5CCNAME="$PREFIX/tmpuserccache" +export KRB5CCNAME + +testit "kinit with keytab as user" $VALGRIND $samba_kinit -k -t $PREFIX/tmpkeytab-all $TEST_USER@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-kerberos=required || failed=$(expr $failed + 1) +$samba_kdestroy + +testit "kinit with keytab as user (one princ)" $VALGRIND $samba_kinit -k -t $PREFIX/tmpkeytab-user-princ $TEST_USER@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache (one princ)" 'ls' --use-kerberos=required || failed=$(expr $failed + 1) +$samba_kdestroy + +KRB5CCNAME="$PREFIX/tmpadminccache" +export KRB5CCNAME + +testit "kinit with keytab as $USERNAME" $VALGRIND $samba_kinit -k -t $PREFIX/tmpkeytab-all $USERNAME@$REALM || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpserverccache" +export KRB5CCNAME +echo "$samba_kinit -k -t $PREFIX/tmpkeytab-server cifs/$SERVER_FQDN" +testit "kinit with SPN from keytab" $VALGRIND $samba_kinit -k -t $PREFIX/tmpkeytab-server cifs/$SERVER_FQDN || failed=$(expr $failed + 1) + +# cleanup +testit "delete user $TEST_USER" $VALGRIND $PYTHON $samba_tool user delete nettestuser -k yes $@ || failed=$(expr $failed + 1) + +$samba_kdestroy +rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-server + +exit $failed diff --git a/testprogs/blackbox/test_kinit_heimdal.sh b/testprogs/blackbox/test_kinit_heimdal.sh new file mode 100755 index 0000000..2db03da --- /dev/null +++ b/testprogs/blackbox/test_kinit_heimdal.sh @@ -0,0 +1,260 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLIENT +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +ENCTYPE=$7 +smbclient=$8 +shift 8 +failed=0 + +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" +samba4kinit_binary=kinit +if test -x $BINDIR/samba4kinit; then + samba4kinit_binary=$BINDIR/samba4kinit +fi + +samba_tool="$samba4bindir/samba-tool" +texpect="$samba4bindir/texpect" +samba4kpasswd=kpasswd +if test -x $BINDIR/samba4kpasswd; then + samba4kpasswd=$BINDIR/samba4kpasswd +fi + +enableaccount="$samba_tool user enable" +machineaccountccache="$samba4srcdir/scripting/bin/machineaccountccache" + +ldbmodify="ldbmodify" +if [ -x "$samba4bindir/ldbmodify" ]; then + ldbmodify="$samba4bindir/ldbmodify" +fi + +ldbsearch="ldbsearch" +if [ -x "$samba4bindir/ldbsearch" ]; then + ldbsearch="$samba4bindir/ldbsearch" +fi + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +enctype="-e $ENCTYPE" +unc="//$SERVER/tmp" + +ADMIN_LDBMODIFY_CONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD" +export ADMIN_LDBMODIFY_CONFIG + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME +rm -rf $KRB5CCNAME_PATH + +testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1) + +echo $PASSWORD >$PREFIX/tmppassfile +testit "kinit with password (initial)" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R + +test_smbclient "Test login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +USERPASS=testPass@12% +echo $USERPASS >$PREFIX/tmpuserpassfile +testit "add user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user create nettestuser $USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +echo "Getting defaultNamingContext" +BASEDN=$($ldbsearch $options --basedn='' -H ldap://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}') + +cat >$PREFIX/tmpldbmodify <<EOF +dn: cn=nettestuser,cn=users,$BASEDN +changetype: modify +add: servicePrincipalName +servicePrincipalName: host/nettestuser +replace: userPrincipalName +userPrincipalName: nettest@$REALM +EOF + +testit "modify servicePrincipalName and userPrincpalName" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1) + +testit "set user password with kerberos ccache" $VALGRIND $PYTHON $samba_tool user setpassword nettestuser --newpassword=$USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +testit "enable user with kerberos cache" $VALGRIND $PYTHON $enableaccount nettestuser -H ldap://$SERVER -k yes $@ || failed=$(expr $failed + 1) + +KRB5CCNAME_PATH="$PREFIX/tmpuserccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME + +rm -f $KRB5CCNAME_PATH +testit "kinit with user password (after enable of user and password change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +NEWUSERPASS=testPaSS@34% +testit "change user password with 'samba-tool user password' (rpc)" $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -Unettestuser%$USERPASS $CONFIGURATION -k no --newpassword=$NEWUSERPASS $@ || failed=$(expr $failed + 1) + +echo $NEWUSERPASS >$PREFIX/tmpuserpassfile +rm -f $KRB5CCNAME_PATH +testit "kinit with user password (after rpc password change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with password (NT-Principal style) using UPN" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with password (enterprise style) using UPN" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with password (windows style) using UPN" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from windows UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +cat >$PREFIX/tmpldbmodify <<EOF +dn: cn=nettestuser,cn=users,$BASEDN +changetype: modify +replace: userPrincipalName +userPrincipalName: nettest@$REALM.org +EOF + +testit "modify userPrincipalName to be a different domain" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with password (enterprise style) using UPN" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM.org || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from enterprise UPN, different domain" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +USERPASS=$NEWUSERPASS +NEWUSERPASS=testPaSS@56% +echo $NEWUSERPASS >$PREFIX/tmpuserpassfile + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password +password ${USERPASS}\n +expect New password +send ${NEWUSERPASS}\n +expect Verify password +send ${NEWUSERPASS}\n +expect Success +EOF + +testit "change user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with user password (after kpasswd change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +NEWUSERPASS=testPaSS@78% +echo $NEWUSERPASS >$PREFIX/tmpuserpassfile + +test_smbclient "Test login with user kerberos ccache (after kpasswd change)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect New password +send ${NEWUSERPASS}\n +expect Verify password +send ${NEWUSERPASS}\n +expect Success +EOF + +testit "set user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd --cache=$ADMIN_KRB5CCNAME nettestuser@$REALM || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with user password (after kpasswd set)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache (after kpasswd set)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +NEWUSERPASS=testPaSS@910% +echo $NEWUSERPASS >$PREFIX/tmpuserpassfile + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect New password +send ${NEWUSERPASS}\n +expect Verify password +send ${NEWUSERPASS}\n +expect Success +EOF + +testit "set user password with kpasswd and servicePrincipalName" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache host/nettestuser@$REALM || failed=$(expr $failed + 1) + +testit "kinit with user password (after set with kpasswd and spn)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache (after set with kpasswd and spn)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +cat >$PREFIX/tmpldbmodify <<EOF +dn: cn=nettestuser,cn=users,$BASEDN +changetype: modify +replace: pwdLastSet +pwdLastSet: 0 +EOF + +USERPASS=$NEWUSERPASS +NEWUSERPASS=testPaSS@911% + +testit "modify pwdLastSet" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1) + +cat >$PREFIX/tmppasswordchange <<EOF +expect nettestuser@${REALM}'s Password: +send ${USERPASS}\n +expect Your password will expire at +expect Changing password +expect New password: +send ${NEWUSERPASS}\n +expect Repeat new password: +send ${NEWUSERPASS}\n +expect Success: Password changed +EOF + +testit "kinit with user password for expired password" $texpect $PREFIX/tmppasswordchange $samba4kinit $enctype --request-pac nettestuser@$REALM && failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +echo $NEWUSERPASS >$PREFIX/tmpuserpassfile +testit "kinit with user password (after password change forced by expiration)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME + +rm -rf $KRB5CCNAME_PATH + +lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]') +test_smbclient "Test login with user kerberos lowercase realm" 'ls' "$unc" --use-kerberos=required -Unettestuser@$lowerrealm%$NEWUSERPASS || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' "$unc" --use-kerberos=required -Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=$(expr $failed + 1) + +testit "del user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user delete nettestuser $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with machineaccountccache script" $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1) +test_smbclient "Test machine account login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "reset password policies" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript +exit $failed diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh new file mode 100755 index 0000000..bde140a --- /dev/null +++ b/testprogs/blackbox/test_kinit_mit.sh @@ -0,0 +1,332 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (c) 2015-2016 Andreas Schneider <asn@samba.org> + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +smbclient=$7 +shift 7 +failed=0 + +samba_bindir="$BINDIR" +samba_srcdir="$SRCDIR/source4" +samba_kinit=kinit +samba_kdestroy=kdestroy +samba_kpasswd=kpasswd +samba_kvno=kvno + +samba_tool="$samba_bindir/samba-tool" +samba_texpect="$samba_bindir/texpect" + +samba_enableaccount="$samba_tool user enable" +machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache" + +ldbmodify="ldbmodify" +if [ -x "$samba_bindir/ldbmodify" ]; then + ldbmodify="$samba_bindir/ldbmodify" +fi + +ldbsearch="ldbsearch" +if [ -x "$samba_bindir/ldbsearch" ]; then + ldbsearch="$samba_bindir/ldbsearch" +fi + +. $(dirname $0)/subunit.sh + +test_smbclient() +{ + name="$1" + cmd="$2" + shift + shift + echo "test: $name" + $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@ + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + fi + return $status +} + +ADMIN_LDBMODIFY_CONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD" +export ADMIN_LDBMODIFY_CONFIG + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME +rm -rf $KRB5CCNAME_PATH + +testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1) + +cat >$PREFIX/tmpkinitscript <<EOF +expect Password for +send ${PASSWORD}\n +EOF + +########################################################### +### Test kinit defaults +########################################################### + +testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $USERNAME@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit renew ticket" $samba_kinit -R || failed=$(expr $failed + 1) +test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +$samba_kdestroy + +########################################################### +### Test kinit with enterprice principal +########################################################### + +testit "kinit with password (enterprise style)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $USERNAME@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +# This does not work with MIT Kerberos 1.14 or older +testit "kinit renew ticket (enterprise style)" $samba_kinit -R || failed=$(expr $failed + 1) +test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +$samba_kdestroy + +########################################################### +### Tests with kinit default again +########################################################### + +testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $USERNAME@$REALM || failed=$(expr $failed + 1) +testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +USERPASS="testPass@12%" + +testit "add user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user create nettestuser $USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +echo "Getting defaultNamingContext" +BASEDN=$($ldbsearch $options --basedn='' -H ldap://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}') + +cat >$PREFIX/tmpldbmodify <<EOF +dn: cn=nettestuser,cn=users,$BASEDN +changetype: modify +add: servicePrincipalName +servicePrincipalName: host/nettestuser +replace: userPrincipalName +userPrincipalName: nettest@$REALM +EOF + +testit "modify servicePrincipalName and userPrincpalName" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1) + +testit "set user password with kerberos ccache" $VALGRIND $PYTHON $samba_tool user setpassword nettestuser --newpassword=$USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount nettestuser -H ldap://$SERVER -k yes $@ || failed=$(expr $failed + 1) + +########################################################### +### Test kinit with canonicalization +########################################################### + +upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]') +testit "kinit with canonicalize" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || failed=$(expr $failed + 1) + +$samba_kdestroy + +########################################################### +### Test kinit with user credentials +########################################################### + +KRB5CCNAME_PATH="$PREFIX/tmpuserccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +rm -f $KRB5CCNAME_PATH + +cat >$PREFIX/tmpkinituserpassscript <<EOF +expect Password for +send ${USERPASS}\n +EOF + +testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +### Change password + +NEWUSERPASS="testPaSS@34%" +testit "change user password with 'samba-tool user password' (rpc)" $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -Unettestuser%$USERPASS $CONFIGURATION -k no --newpassword=$NEWUSERPASS $@ || failed=$(expr $failed + 1) + +cat >$PREFIX/tmpkinituserpassscript <<EOF +expect Password for +send ${NEWUSERPASS}\n +EOF + +testit "kinit with new user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +$samba_kdestroy + +########################################################### +### Test kinit with user credentials in special formats +########################################################### + +testit "kinit with new (NT-Principal style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettest@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from NT UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +$samba_kdestroy + +testit "kinit with new (enterprise style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit -E nettest@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +$samba_kdestroy + +########################################################### +### Test kinit with user credentials and changed realm +########################################################### + +cat >$PREFIX/tmpldbmodify <<EOF +dn: cn=nettestuser,cn=users,$BASEDN +changetype: modify +replace: userPrincipalName +userPrincipalName: nettest@$REALM.org +EOF + +testit "modify userPrincipalName to be a different domain" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1) + +testit "kinit with new (enterprise style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit -E nettest@$REALM.org || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +$samba_kdestroy + +########################################################### +### Test password change with kpasswd +########################################################### + +testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +USERPASS=$NEWUSERPASS +NEWUSERPASS=testPaSS@56% + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for +password ${USERPASS}\n +expect Enter new password +send ${NEWUSERPASS}\n +expect Enter it again +send ${NEWUSERPASS}\n +expect Password changed +EOF + +testit "change user password with kpasswd" $samba_texpect $PREFIX/tmpkpasswdscript $samba_kpasswd nettestuser@$REALM || failed=$(expr $failed + 1) + +$samba_kdestroy + +USERPASS=$NEWUSERPASS +cat >$PREFIX/tmpkinituserpassscript <<EOF +expect Password for +send ${USERPASS}\n +EOF + +testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +$samba_kdestroy + +########################################################### +### TODO Test set password with kpasswd +########################################################### + +# This is not implemented in kpasswd + +########################################################### +### Test password expiry +########################################################### + +cat >$PREFIX/tmpldbmodify <<EOF +dn: cn=nettestuser,cn=users,$BASEDN +changetype: modify +replace: pwdLastSet +pwdLastSet: 0 +EOF + +USERPASS=$NEWUSERPASS +NEWUSERPASS=testPaSS@911% + +testit "modify pwdLastSet" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1) + +cat >$PREFIX/tmpkinituserpassscript <<EOF +expect Password for +send ${USERPASS}\n +expect Password expired. You must change it now. +expect Enter new password +send ${NEWUSERPASS}\n +expect Enter it again +send ${NEWUSERPASS}\n +EOF + +testit "kinit (MIT) with user password for expired password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +USERPASS=$NEWUSERPASS +cat >$PREFIX/tmpkinituserpassscript <<EOF +expect Password for +send ${USERPASS}\n +EOF + +testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +########################################################### +### Test login with lowercase realm +########################################################### + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +rm -rf $KRB5CCNAME_PATH + +lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]') +test_smbclient "Test login with user kerberos lowercase realm" 'ls' --use-kerberos=required -Unettestuser@$lowerrealm%$NEWUSERPASS || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' --use-kerberos=required -Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=$(expr $failed + 1) + +testit "del user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user delete nettestuser $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +########################################################### +### Test login with machine account +########################################################### + +rm -f $KRB5CCNAME_PATH +testit "kinit with machineaccountccache script" $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1) +test_smbclient "Test machine account login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "reset password policies" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1) + +########################################################### +### Test basic s4u2self request +########################################################### + +# Use previous acquired machine creds to request a ticket for self. +# We expect it to fail for now. +MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM" +$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT +# But we expect the KDC to be up and running still +testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1) + +### Cleanup + +$samba_kdestroy + +rm -f $KRB5CCNAME_PATH +rm -f $PREFIX/tmpkinituserpassscript +rm -f $PREFIX/tmpkinitscript +rm -f $PREFIX/tmpkpasswdscript +exit $failed diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh new file mode 100755 index 0000000..552808d --- /dev/null +++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh @@ -0,0 +1,103 @@ +#!/bin/sh +# Copyright (C) 2015 Stefan Metzmacher <metze@samba.org> + +if [ $# -lt 13 ]; then + cat <<EOF +Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE ENCTYPE +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +shift 5 +TRUST_SERVER=$1 +TRUST_USERNAME=$2 +TRUST_PASSWORD=$3 +TRUST_REALM=$4 +TRUST_DOMAIN=$5 +shift 5 +PREFIX=$1 +TYPE=$2 +ENCTYPE=$3 +shift 3 +failed=0 + +samba4bindir="$BINDIR" +samba4kinit_binary=kinit +if test -x $BINDIR/samba4kinit; then + samba4kinit_binary=$BINDIR/samba4kinit +fi + +smbclient="$samba4bindir/smbclient" +wbinfo="$samba4bindir/wbinfo" +rpcclient="$samba4bindir/rpcclient" +samba_tool="$samba4bindir/samba-tool" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +unc="//$SERVER.$REALM/tmp" + +enctype="-e $ENCTYPE" + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME +rm -rf $KRB5CCNAME_PATH + +echo $TRUST_PASSWORD >$PREFIX/tmppassfile +testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +rm -rf $KRB5CCNAME_PATH + +testit "kinit with password and two minute lifetime" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac --server=krbtgt/$REALM@$TRUST_REALM --lifetime=2m $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` +test_smbclient "Test login with user kerberos ccache and two minute lifetime" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` +rm -rf $KRB5CCNAME_PATH + +# Test with smbclient4 +smbclient="$samba4bindir/smbclient4" +testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +rm -rf $KRB5CCNAME_PATH + +testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +smbclient="$samba4bindir/smbclient" +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +if test x"${TYPE}" = x"forest"; then + testit "kinit with password (upn enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac testdenied_upn@${TRUST_REALM}.upn || failed=$(expr $failed + 1) + test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +fi + +testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R + +test_smbclient "Test login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER.$REALM $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]') +test_smbclient "Test login with user kerberos lowercase realm" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$TRUST_USERNAME@$lowerrealm%$TRUST_PASSWORD || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD --realm=$lowerrealm || failed=$(expr $failed + 1) + +# Test the outgoing direction +unc="//$TRUST_SERVER.$TRUST_REALM/tmp" +test_smbclient "Test user login with the first outgoing secret" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1) + +testit_expect_failure "setpassword should not work" $VALGRIND $PYTHON $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=$(expr $failed + 1) + +testit "wbinfo ping dc" $VALGRIND $wbinfo --ping-dc --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1) +testit "wbinfo change outgoing trust pw" $VALGRIND $wbinfo --change-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1) +testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1) + +test_smbclient "Test user login with the changed outgoing secret" 'ls' "$unc" --use-kerberos=required -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpccache $PREFIX/tmppassfile +exit $failed diff --git a/testprogs/blackbox/test_kinit_trusts_mit.sh b/testprogs/blackbox/test_kinit_trusts_mit.sh new file mode 100755 index 0000000..35fcb6d --- /dev/null +++ b/testprogs/blackbox/test_kinit_trusts_mit.sh @@ -0,0 +1,140 @@ +#!/bin/sh +# Blackbox tests for kinit and trust validation +# Copyright (c) 2015 Stefan Metzmacher <metze@samba.org> +# Copyright (c) 2016 Andreas Schneider <asn@samba.org> + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +shift 5 +TRUST_SERVER=$1 +TRUST_USERNAME=$2 +TRUST_PASSWORD=$3 +TRUST_REALM=$4 +TRUST_DOMAIN=$5 +shift 5 +PREFIX=$1 +TYPE=$2 +shift 2 + +failed=0 + +samba_bindir="$BINDIR" +samba_srcdir="$SRCDIR/source4" +samba_kinit=kinit +samba_kdestroy=kdestroy +samba_kpasswd=kpasswd + +samba_tool="$samba_bindir/samba-tool" +samba_texpect="$samba_bindir/texpect" + +smbclient="$samba_bindir/smbclient" +wbinfo="$samba_bindir/wbinfo" +rpcclient="$samba_bindir/rpcclient" + +SMBCLIENT_UNC="//$SERVER.$REALM/tmp" + +. $(dirname $0)/subunit.sh + +test_smbclient() +{ + name="$1" + cmd="$2" + shift + shift + echo "test: $name" + $VALGRIND $smbclient $CONFIGURATION $SMBCLIENT_UNC -c "$cmd" $@ + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + fi + return $status +} + +KRB5CCNAME_PATH="$PREFIX/test_kinit_trusts_ccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME +rm -rf $KRB5CCNAME_PATH + +cat >$PREFIX/tmpkinitscript <<EOF +expect Password for +send ${TRUST_PASSWORD}\n +EOF + +########################################################### +### Test incoming trust direction +########################################################### + +testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +$samba_kdestroy + +smbclient="$samba_bindir/smbclient4" + +testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +$samba_kdestroy + +smbclient="$samba_bindir/smbclient" + +testit "kinit with password (enterprise)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +$samba_kdestroy + +if test x"${TYPE}" = x"forest"; then + testit "kinit with password (enterprise UPN)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E testdenied_upn@${TRUST_REALM}.upn || failed=$(expr $failed + 1) + test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +fi + +$samba_kdestroy + +testit "kinit with password (enterprise)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit renew ticket" $samba_kinit -R +test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "check time with kerberos ccache" $VALGRIND $samba_tool time $SERVER.$REALM $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +$samba_kdestroy + +lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]') +test_smbclient "Test login with user kerberos lowercase realm" 'ls' --use-kerberos=required -U$TRUST_USERNAME@$lowerrealm%$TRUST_PASSWORD || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' --use-kerberos=required -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD --realm=$lowerrealm || failed=$(expr $failed + 1) + +########################################################### +### Test outgoing trust direction +########################################################### + +SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp" +test_smbclient "Test user login with the first outgoing secret" 'ls' --use-kerberos=required -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1) + +testit_expect_failure "setpassword should not work" $VALGRIND $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=$(expr $failed + 1) + +testit "wbinfo ping dc" $VALGRIND $wbinfo --ping-dc --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1) +testit "wbinfo change outgoing trust pw" $VALGRIND $wbinfo --change-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1) +testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1) + +test_smbclient "Test user login with the changed outgoing secret" 'ls' --use-kerberos=required -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1) + +### Cleanup + +$samba_kdestroy + +rm -f $KRB5CCNAME_PATH +rm -f $PREFIX/tmpkinituserpassscript +rm -f $PREFIX/tmpkinitscript + +exit $failed diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh new file mode 100755 index 0000000..0585e7b --- /dev/null +++ b/testprogs/blackbox/test_kpasswd_heimdal.sh @@ -0,0 +1,250 @@ +#!/bin/sh +# Blackbox tests for chainging passwords with kinit and kpasswd +# +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) 2016 Andreas Schneider <asn@samba.org> + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +shift 6 +failed=0 + +samba_bindir="$BINDIR" + +smbclient="$samba_bindir/smbclient" +samba_kinit=$samba_bindir/samba4kinit +samba_kpasswd=$samba_bindir/samba4kpasswd + +mit_kpasswd="$(command -v kpasswd)" + +samba_tool="$samba_bindir/samba-tool" +net_tool="$samba_bindir/net" +texpect="$samba_bindir/texpect" + +newuser="$samba_tool user create" +SMB_UNC="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +do_kinit() +{ + principal="$1" + password="$2" + shift + shift + kerberos_kinit "$samba_kinit" "$principal" "$password" $@ +} + +UID_WRAPPER_ROOT=1 +export UID_WRAPPER_ROOT + +CONFIG="--configfile=$PREFIX/etc/smb.conf" +export CONFIG + +testit "reset password policies beside of minimum password age of 0 days" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1) + +TEST_USERNAME="$(mktemp -u alice-XXXXXX)" +TEST_PRINCIPAL="$TEST_USERNAME@$REALM" +TEST_PASSWORD="testPaSS@00%" +TEST_PASSWORD_NEW="testPaSS@01%" +TEST_PASSWORD_SHORT="secret" +TEST_PASSWORD_WEAK="Supersecret" + +testit "create user locally" \ + $VALGRIND $PYTHON $newuser $CONFIG $TEST_USERNAME $TEST_PASSWORD || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpuserccache" +export KRB5CCNAME + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=$(expr $failed + 1) + +testit "change user password with 'samba-tool user password' (unforced)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1) + +TEST_PASSWORD_OLD=$TEST_PASSWORD +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@02%" + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=$(expr $failed + 1) + +########################################################### +### check that a short password is rejected +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password +password ${TEST_PASSWORD}\n +expect New password +send ${TEST_PASSWORD_SHORT}\n +expect Verify password +send ${TEST_PASSWORD_SHORT}\n +expect Password too short +EOF + +testit "kpasswd check short user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +########################################################### +### check that a weak password is rejected +########################################################### + +echo "check that a short password is rejected" +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password +password ${TEST_PASSWORD}\n +expect New password +send $TEST_PASSWORD_WEAK\n +expect Verify password +send $TEST_PASSWORD_WEAK\n +expect Password does not meet complexity requirements +EOF + +testit "kpasswd check weak user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +########################################################### +### check that a strong password is accepted +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password +password ${TEST_PASSWORD}\n +expect New password +send ${TEST_PASSWORD_NEW}\n +expect Verify password +send ${TEST_PASSWORD_NEW}\n +expect Success +EOF + +testit "kpasswd change user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@03%" + +########################################################### +### CVE-2022-XXXXX +########################################################### + +if [ -n "${mit_kpasswd}" ]; then + cat > "${PREFIX}/tmpkpasswdscript" <<EOF +expect Password for ${TEST_PRINCIPAL} +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_NEW}\n +expect Enter it again +send ${TEST_PASSWORD_NEW}\n +expect Password changed. +EOF + + SAVE_KRB5_CONFIG="${KRB5_CONFIG}" + KRB5_CONFIG="${PREFIX}/tmpkrb5.conf" + export KRB5_CONFIG + sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \ + "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}" + testit "MIT kpasswd change user password" \ + "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \ + "${TEST_PRINCIPAL}" || + failed=$((failed + 1)) + KRB5_CONFIG="${SAVE_KRB5_CONFIG}" + export KRB5_CONFIG +fi + +TEST_PASSWORD="${TEST_PASSWORD_NEW}" +TEST_PASSWORD_NEW="testPaSS@03force%" + +########################################################### +### Force password change at login +########################################################### + +testit "set password on user locally" \ + $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@04%" + +rm -f $PREFIX/tmpuserccache + +cat >$PREFIX/tmpkinitscript <<EOF +expect Password +password ${TEST_PASSWORD}\n +expect Changing password +expect New password +send ${TEST_PASSWORD_NEW}\n +expect Repeat new password +send ${TEST_PASSWORD_NEW}\n +expect Success +EOF + +testit "kinit and change user password" \ + $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@07%" + +test_smbclient "Test login with user (kerberos)" \ + "ls" "$SMB_UNC" -k yes -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Test kpasswd service via 'net ads password' +########################################################### + +# NOTE: This works with heimdal because the krb5_set_password function tries +# set_password call first and falls back to change_password if it doesn't +# succeed. +testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \ + $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@08%" + +test_smbclient "Test login with smbclient (ntlm)" \ + "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Test kpasswd service via 'net ads password' as admin +########################################################### + +testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \ + $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@07%" + +test_smbclient "Test login with smbclient (ntlm)" \ + "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Cleanup +########################################################### + +testit "reset password policies" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1) + +testit "delete user" \ + $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript +exit $failed diff --git a/testprogs/blackbox/test_kpasswd_mit.sh b/testprogs/blackbox/test_kpasswd_mit.sh new file mode 100755 index 0000000..ad577a6 --- /dev/null +++ b/testprogs/blackbox/test_kpasswd_mit.sh @@ -0,0 +1,229 @@ +#!/bin/sh +# Blackbox tests for chainging passwords with kinit and kpasswd +# +# Copyright (c) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (c) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (c) 2016 Andreas Schneider <asn@samba.org> + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_kpasswd_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +shift 6 +failed=0 + +samba_bindir="$BINDIR" + +samba_kinit=kinit +samba_kpasswd=kpasswd + +smbclient="$samba_bindir/smbclient" +samba_tool="$samba_bindir/samba-tool" +net_tool="$samba_bindir/net" +texpect="$samba_bindir/texpect" + +newuser="$samba_tool user create" +SMB_UNC="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +do_kinit() +{ + principal="$1" + password="$2" + shift + shift + echo $password | $samba_kinit $principal +} + +UID_WRAPPER_ROOT=1 +export UID_WRAPPER_ROOT + +CONFIG="--configfile=$PREFIX/etc/smb.conf" +export CONFIG + +testit "reset password policies beside of minimum password age of 0 days" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1) + +TEST_USERNAME="samson" +TEST_PASSWORD="testPaSS@00%" +TEST_PASSWORD_NEW="testPaSS@01%" +TEST_PASSWORD_SHORT="secret" +TEST_PASSWORD_WEAK="Supersecret" +TEST_PRINCIPAL="$TEST_USERNAME@$REALM" + +testit "create user locally" \ + $VALGRIND $PYTHON $newuser $CONFIG $TEST_USERNAME $TEST_PASSWORD || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpuserccache" +export KRB5CCNAME + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "change user password with 'samba-tool user password' (unforced)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1) + +TEST_PASSWORD_OLD=$TEST_PASSWORD +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@02%" + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +########################################################### +### check that a password mismatch is detected +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_WEAK}\n +expect Enter it again +send ${TEST_PASSWORD_NEW}\n +expect kpasswd: Password mismatch while reading password +EOF + +testit_expect_failure "kpasswd check password mismatch" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL && failed=$(expr $failed + 1) + +########################################################### +### check that a short password is rejected +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_SHORT}\n +expect Enter it again +send ${TEST_PASSWORD_SHORT}\n +expect Password change rejected: Password too short, password must be at least 7 characters long +EOF + +testit_expect_failure "kpasswd check short user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL && failed=$(expr $failed + 1) + +########################################################### +### check that a weak password is rejected +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_WEAK}\n +expect Enter it again +send ${TEST_PASSWORD_WEAK}\n +expect Password change rejected: Password does not meet complexity requirement +EOF + +testit_expect_failure "kpasswd check weak user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL && failed=$(expr $failed + 1) + +########################################################### +### check that a strong password is accepted +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_NEW}\n +expect Enter it again +send ${TEST_PASSWORD_NEW}\n +expect Password changed. +EOF + +testit "kpasswd change user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@03%" + +test_smbclient "Test login with user kerberos" 'ls' "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Force password change at login +########################################################### + +testit "set password on user locally" \ + $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@04%" + +cat >$PREFIX/tmpkinitscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Password expired +expect Enter new password +send ${TEST_PASSWORD_NEW}\n +expect Enter it again +send ${TEST_PASSWORD_NEW}\n +EOF + +testit "kinit and change user password" \ + $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@05%" + +test_smbclient "Test login with user kerberos" \ + "ls" "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Test kpasswd service via 'net ads password' +########################################################### + +testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \ + $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +#TEST_PASSWORD=$TEST_PASSWORD_NEW +#TEST_PASSWORD_NEW="testPaSS@06%" + +#test_smbclient "Test login with smbclient (ntlm)" \ +# "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1` + +########################################################### +### Test kpasswd service via 'net ads password' as admin +########################################################### + +testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \ + $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@07%" + +test_smbclient "Test login with smbclient (ntlm)" \ + "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Cleanup +########################################################### + +testit "reset password policies" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1) + +testit "delete user" \ + $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript +exit $failed diff --git a/testprogs/blackbox/test_ktpass.sh b/testprogs/blackbox/test_ktpass.sh new file mode 100755 index 0000000..81b7544 --- /dev/null +++ b/testprogs/blackbox/test_ktpass.sh @@ -0,0 +1,41 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: blackbox_newuser.sh PREFIX +EOF + exit 1 +fi + +PREFIX="$1" +shift 1 + +. $(dirname $0)/subunit.sh + +samba_tool="$BINDIR/samba-tool" +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" +samba4kinit_binary=kinit +if test -x $BINDIR/samba4kinit; then + samba4kinit_binary=$BINDIR/samba4kinit +fi + +CONFIG="--configfile=$PREFIX/etc/smb.conf" + +TESTUSER="ktpassUser" + +testit "user create" $PYTHON $samba_tool user create $CONFIG $TESTUSER testp@ssw0Rd || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME +echo "testp@ssw0Rd" >$PREFIX/tmppassfile +testit "kinit with passwd" $samba4kinit -e arcfour-hmac-md5 --password-file=$PREFIX/tmppassfile $TESTUSER@SAMBA.EXAMPLE.COM || failed=$(expr $failed + 1) +testit "ktpass" $samba4srcdir/scripting/bin/ktpass.sh --host LOCALDC --out $PREFIX/testuser.kt --princ $TESTUSER --pass "testp@ssw0Rd" --path-to-ldbsearch=$BINDIR/bin || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME + +testit "kinit with keytab" $samba4kinit -e arcfour-hmac-md5 --use-keytab -t $PREFIX/testuser.kt $TESTUSER@SAMBA.EXAMPLE.COM || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpccache $PREFIX/testuser.kt +exit $failed diff --git a/testprogs/blackbox/test_ldb.sh b/testprogs/blackbox/test_ldb.sh new file mode 100755 index 0000000..d9485d7 --- /dev/null +++ b/testprogs/blackbox/test_ldb.sh @@ -0,0 +1,231 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: test_ldb.sh PROTOCOL SERVER [OPTIONS] +EOF +exit 1; +fi + + +p=$1 +SERVER=$2 +PREFIX=$3 +shift 2 +options="$*" + +. `dirname $0`/subunit.sh + +check() { + name="$1" + shift + cmdline="$*" + echo "test: $name" + $cmdline + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + failed=`expr $failed + 1` + fi + return $status +} + +export PATH="$BINDIR:$PATH" + +ldbsearch="$VALGRIND ldbsearch" + +check "RootDSE" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr $failed + 1` +check "RootDSE (full)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base '(objectClass=*)' || failed=`expr $failed + 1` +check "RootDSE (extended)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base '(objectClass=*)' --extended-dn || failed=`expr $failed + 1` +if [ x$p = x"ldaps" ]; then + testit_expect_failure "RootDSE over SSLv3 should fail" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x dnsHostName highestCommittedUSN --option='tlspriority=NONE:+VERS-SSL3.0:+MAC-ALL:+CIPHER-ALL:+RSA:+SIGN-ALL:+COMP-NULL' && failed=`expr $failed + 1` +fi + +echo "Getting defaultNamingContext" +BASEDN=`$ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}'` +echo "BASEDN is $BASEDN" + +check "Listing Users" $ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectclass=user)' sAMAccountName || failed=`expr $failed + 1` + +check "Listing Users (sorted)" $ldbsearch -S $options $CONFIGURATION -H $p://$SERVER '(objectclass=user)' sAMAccountName || failed=`expr $failed + 1` + +check "Listing Groups" $ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectclass=group)' sAMAccountName || failed=`expr $failed + 1` + +nentries=`$ldbsearch $options -H $p://$SERVER $CONFIGURATION '(|(|(&(!(groupType:1.2.840.113556.1.4.803:=1))(groupType:1.2.840.113556.1.4.803:=2147483648)(groupType:1.2.840.113556.1.4.804:=10))(samAccountType=805306368))(samAccountType=805306369))' sAMAccountName | grep sAMAccountName | wc -l` +echo "Found $nentries entries" +if [ $nentries -lt 10 ]; then +echo "Should have found at least 10 entries" +failed=`expr $failed + 1` +fi + +echo "Check rootDSE for Controls" +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --scope=base -b "" '(objectclass=*)' | grep -i supportedControl | wc -l` +if [ $nentries -lt 4 ]; then +echo "Should have found at least 4 entries" +failed=`expr $failed + 1` +fi + +echo "Test Paged Results Control" +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=paged_results:1:5 '(objectclass=user)' | grep sAMAccountName | wc -l` +if [ $nentries -lt 1 ]; then +echo "Paged Results Control test returned 0 items" +failed=`expr $failed + 1` +fi + +echo "Test Server Sort Control" +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=server_sort:1:0:sAMAccountName '(objectclass=user)' | grep sAMAccountName | wc -l` +if [ $nentries -lt 1 ]; then +echo "Server Sort Control test returned 0 items" +failed=`expr $failed + 1` +fi + +echo "Test Extended DN Control" +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1 '(objectclass=user)' | grep sAMAccountName | wc -l` +if [ $nentries -lt 1 ]; then +echo "Extended DN Control test returned 0 items" +failed=`expr $failed + 1` +fi +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1:0 '(objectclass=user)' | grep sAMAccountName | wc -l` +if [ $nentries -lt 1 ]; then +echo "Extended DN Control test returned 0 items" +failed=`expr $failed + 1` +fi +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1:1 '(objectclass=user)' | grep sAMAccountName | wc -l` +if [ $nentries -lt 1 ]; then +echo "Extended DN Control test returned 0 items" +failed=`expr $failed + 1` +fi + +echo "Test Domain scope Control" +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=domain_scope:1 '(objectclass=user)' | grep sAMAccountName | wc -l` +if [ $nentries -lt 1 ]; then +echo "Extended Domain scope Control test returned 0 items" +failed=`expr $failed + 1` +fi + +echo "Test Attribute Scope Query Control" +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=asq:1:member --scope=base -b "CN=Administrators,CN=Builtin,$BASEDN" | grep sAMAccountName | wc -l` +if [ $nentries -lt 1 ]; then +echo "Attribute Scope Query test returned 0 items" +failed=`expr $failed + 1` +fi + +echo "Test Search Options Control" +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=search_options:1:2 '(objectclass=crossRef)' | grep crossRef | wc -l` +if [ $nentries -lt 1 ]; then +echo "Search Options Control Query test returned 0 items" +failed=`expr $failed + 1` +fi + +echo "Test Search Options Control with Domain Scope Control" +nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=search_options:1:2,domain_scope:1 '(objectclass=crossRef)' | grep crossRef | wc -l` +if [ $nentries -lt 1 ]; then +echo "Search Options Control Query test returned 0 items" +failed=`expr $failed + 1` +fi + +wellknown_object_test() +( + guid=$1 + object=$2 + failed=0 + + basedns="<WKGUID=${guid},${BASEDN}> <wkGuId=${guid},${BASEDN}>" + for dn in ${basedns}; do + echo "Test ${dn} => ${object}" + r=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectClass=*)' -b "${dn}" | grep 'dn: '` + n=`echo "${r}" | grep 'dn: ' | wc -l` + c=`echo "${r}" | grep "${object}" | wc -l` + + if [ $n -lt 1 ]; then + echo "Object not found by WKGUID" + failed=`expr $failed + 1` + continue + fi + if [ $c -lt 1 ]; then + echo "Wrong object found by WKGUID: [${r}]" + failed=`expr $failed + 1` + continue + fi + done + + return $failed +) + +wellknown_object_test 22B70C67D56E4EFB91E9300FCA3DC1AA ForeignSecurityPrincipals +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test 2FBAC1870ADE11D297C400C04FD8D5CD Infrastructure +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test AB1D30F3768811D1ADED00C04FD8D5CD System +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test A361B2FFFFD211D1AA4B00C04FD7D83A Domain Controllers +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test AA312825768811D1ADED00C04FD8D5CD Computers +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test A9D1CA15768811D1ADED00C04FD8D5CD Users +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi + +echo "Getting HEX GUID/SID of $BASEDN" +HEXDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:0 distinguishedName | grep 'distinguishedName: ' | cut -d ' ' -f2-` +HEXGUID=`echo "$HEXDN" | cut -d ';' -f1` +echo "HEXGUID[$HEXGUID]" + +echo "Getting STR GUID/SID of $BASEDN" +STRDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:1 distinguishedName | grep 'distinguishedName: ' | cut -d ' ' -f2-` +echo "STRDN: $STRDN" +STRGUID=`echo "$STRDN" | cut -d ';' -f1` +echo "STRGUID[$STRGUID]" + +echo "Getting STR GUID/SID of $BASEDN" +STRDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:1 | grep 'dn: ' | cut -d ' ' -f2-` +echo "STRDN: $STRDN" +STRSID=`echo "$STRDN" | cut -d ';' -f2` +echo "STRSID[$STRSID]" + +SPECIALDNS="$HEXGUID $STRGUID $STRSID" +for SPDN in $SPECIALDNS; do + echo "Search for $SPDN" + nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --scope=base -b "$SPDN" '(objectClass=*)' | grep "dn: $BASEDN" | wc -l` + if [ $nentries -lt 1 ]; then + echo "Special search returned 0 items" + failed=`expr $failed + 1` + fi +done + +echo "Search using OIDs instead of names" +nentries1=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectClass=user)' name | grep "^name: " | wc -l` +nentries2=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(2.5.4.0=1.2.840.113556.1.5.9)' name | grep "^name: " | wc -l` +if [ $nentries1 -lt 1 ]; then + echo "Error: Searching user via (objectClass=user): '$nentries1' < 1" + failed=`expr $failed + 1` +fi +if [ $nentries2 -lt 1 ]; then + echo "Error: Searching user via (2.5.4.0=1.2.840.113556.1.5.9) '$nentries2' < 1" + failed=`expr $failed + 1` +fi +if [ x"$nentries1" != x"$nentries2" ]; then + echo "Error: Searching user with OIDS[$nentries1] doesn't return the same as STRINGS[$nentries2]" + failed=`expr $failed + 1` +fi + +exit $failed diff --git a/testprogs/blackbox/test_ldb_simple.sh b/testprogs/blackbox/test_ldb_simple.sh new file mode 100755 index 0000000..604c4a6 --- /dev/null +++ b/testprogs/blackbox/test_ldb_simple.sh @@ -0,0 +1,41 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: test_ldb_simple.sh PROTOCOL SERVER [OPTIONS] +EOF +exit 1; +fi + + +p=$1 +SERVER=$2 +PREFIX=$3 +shift 2 +options="$*" + +. `dirname $0`/subunit.sh + +check() { + name="$1" + shift + cmdline="$*" + echo "test: $name" + $cmdline + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + failed=`expr $failed + 1` + fi + return $status +} + +export PATH="$BINDIR:$PATH" + +ldbsearch="$VALGRIND ldbsearch" + +check "currentTime" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base currentTime || failed=`expr $failed + 1` + +exit $failed diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh new file mode 100755 index 0000000..cfafb94 --- /dev/null +++ b/testprogs/blackbox/test_net_ads.sh @@ -0,0 +1,325 @@ +if [ $# -lt 4 ]; then +cat <<EOF +Usage: test_net.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS +EOF +exit 1; +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +BASEDIR=$4 + +HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10` + +RUNDIR=`pwd` +cd $BASEDIR +WORKDIR=`mktemp -d -p .` +WORKDIR=`basename $WORKDIR` +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" + +ldbsearch="ldbsearch" +if [ -x "$BINDIR/ldbsearch" ]; then + ldbsearch="$BINDIR/ldbsearch" +fi + +ldbadd="ldbadd" +if [ -x "$BINDIR/ldbadd" ]; then + ldbadd="$BINDIR/ldbadd" +fi + +ldbdel="ldbdel" +if [ -x "$BINDIR/ldbdel" ]; then + ldbdel="$BINDIR/ldbdel" +fi + +ldbmodify="ldbmodify" +if [ -x "$BINDIR/ldbmodify" ]; then + ldbmodify="$BINDIR/ldbmodify" +fi + +# Load test functions +. `dirname $0`/subunit.sh + +testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf") +testit "local krb5.conf created" \ + test -r \ + "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" || + failed=$((failed + 1)) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + +testit "test setspn list $netbios" $VALGRIND $net_tool ads setspn list $netbios -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` +spn="foo" +testit_expect_failure "test setspn add illegal windows spn ($spn)" $VALGRIND $net_tool ads setspn add $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +spn="foo/somehost.domain.com" +testit "test setspn add ($spn)" $VALGRIND $net_tool ads setspn add $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $spn | wc -l) +testit "test setspn list shows the newly added spn ($spn)" test $found -eq 1 || failed=`expr $failed + 1` + +up_spn=$(echo $spn | tr '[:lower:]' '[:upper:]') +testit_expect_failure "test setspn add existing (case-insensitive) spn ($spn)" $VALGRIND $net_tool ads setspn add $up_spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "test setspn delete existing (case-insensitive) ($spn)" $VALGRIND $net_tool ads setspn delete $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $spn | wc -l) +testit "test setspn list shows the newly deleted spn ($spn) is gone" test $found -eq 0 || failed=`expr $failed + 1` + +testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` + +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +# Test with kerberos method = secrets and keytab +dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab" +testit "join (dedicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') +uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') +lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]') +fqdn="$netbios.$lc_realm" + +krb_princ="primary/instance@$REALM" +testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $krb_princ | wc -l` + +testit "test (dedicated keytab) at least one fully qualified krb5 principal that was added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +machinename="machine123" +testit "test (dedicated keytab) add a kerberos prinicple created from machinename to keytab" $VALGRIND $net_tool ads keytab add $machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` +search_str="$machinename\$@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one krb5 principal created from $machinename added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +service="nfs" +testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +search_str="$service/$fqdn@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +search_str="$service/$uc_netbios@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one (shorter form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +spn_service="random_srv" +spn_host="somehost.subdomain.domain" +spn_port="12345" + +windows_spn="$spn_service/$spn_host" +testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +search_str="$spn_service/$spn_host@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one krb5 principal created from windown SPN added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +windows_spn="$spn_service/$spn_host:$spn_port" +testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +search_str="$spn_service/$spn_host@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one krb5 principal created from windown SPN (with port) added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +# keytab add shouldn't have written spn to AD +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l) +testit "test (dedicated keytab) spn is not written to AD (using keytab add)" test $found -eq 0 || failed=`expr $failed + 1` + +ad_service="writetoad" +testit "test (dedicated keytab) add a $ad_service service to keytab (using add_update_ads" $VALGRIND $net_tool ads keytab add_update_ads $ad_service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $ad_service | wc -l) +testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads)" test $found -eq 2 || failed=`expr $failed + 1` + + +# test existence in keytab of service (previously added) pulled from SPN post +# 'keytab create' is now present in keytab file +testit "test (dedicated keytab) keytab created succeeds" $VALGRIND $net_tool ads keytab create -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $ad_service | wc -l) +testit "test (dedicated keytab) spn service that exists in AD (created via add_update_ads) is added to keytab file" test $found -gt 1 || failed=`expr $failed + 1` + +found_ad=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l) +found_keytab=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $service | wc -l) +# test after create that a spn that exists in the keytab but shouldn't +# be written to the AD. +testit "test spn service doensn't exist in AD but is present in keytab file after keytab create" test $found_ad -eq 0 -a $found_keytab -gt 1 || failed=`expr $failed + 1` + +# SPN parser is very basic but does detect some illegal combination + +windows_spn="$spn_service/$spn_host:" +testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +windows_spn="$spn_service/$spn_host/" +testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` + +testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +# if there is no keytab, try and create it +if [ ! -f $dedicated_keytab_file ]; then + if [ $(command -v ktutil) >/dev/null ]; then + printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil + fi +fi + +if [ -f $dedicated_keytab_file ]; then + testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1` +fi + +rm -f $dedicated_keytab_file + +testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +testit "join+kerberos" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +testit "leave+kerberos" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1` + +testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1` + +testit "leave+server" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1` + +testit_expect_failure "join+invalid_server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -SINVALID && failed=`expr $failed + 1` + +testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit_expect_failure "leave+invalid_server" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD -SINVALID && failed=`expr $failed + 1` + +testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1` + +base_dn="DC=addom,DC=samba,DC=example,DC=com" +computers_dn="CN=Computers,$base_dn" +testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` + +dns_alias1="${netbios}_alias1.other.${lc_realm}" +dns_alias2="${netbios}_alias2.other2.${lc_realm}" +testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` + +testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` +testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + +testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` +testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + +testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` +testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + +# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC +short_alias_file="$PREFIX_ABS/short_alias_file" +printf 'short_alias\0$' > $short_alias_file +cat > $PREFIX_ABS/tmpldbmodify <<EOF +dn: CN=$HOSTNAME,$computers_dn +changetype: modify +add: msDS-AdditionalDnsHostName +msDS-AdditionalDnsHostName:< file://$short_alias_file +EOF + +testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $PREFIX_ABS/tmpldbmodify || failed=`expr $failed + 1` + +testit_grep "addl short alias" short_alias $ldbsearch --show-binary -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + +rm -f $PREFIX_ABS/tmpldbmodify $short_alias_file + +dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab" + +testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` +testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` +testit_grep "addl short check keytab" "host/short_alias@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +rm -f $dedicated_keytab_file + +##Goodbye... +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +# netbios aliases tests +testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` + +testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` +testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + +testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` +testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + +##Goodbye... +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +# +# Test createcomputer option of 'net ads join' +# +testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER <<EOF +dn: OU=Servers,$base_dn +objectClass: organizationalUnit +EOF + +testit "join+createcomputer" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createcomputer=Servers || failed=`expr $failed + 1` + +testit "ldb check for existence of machine account in OU=Servers" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "cn=$HOSTNAME,OU=Servers,$base_dn" || failed=`expr $failed + 1` + +## Goodbye... +testit "leave+createcomputer" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "Remove OU=Servers" $VALGRIND $ldbdel -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER "OU=Servers,$base_dn" + +# +# Test createupn option of 'net ads join' +# +testit "join+createupn" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createupn="host/test-$HOSTNAME@$REALM" || failed=`expr $failed + 1` + +testit_grep "checkupn" "userPrincipalName: host/test-$HOSTNAME@$REALM" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1` + +dedicated_keytab_file="$PREFIX_ABS/test_net_create_dedicated_krb5.keytab" + +testit "create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +testit_grep "checkupn+keytab" "host/test-$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +rm -f $dedicated_keytab_file + +testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +# +# Test dnshostname option of 'net ads join' +# +testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1` + +testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1` + +testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +rm -f $dedicated_keytab_file + +testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +rm -rf $BASEDIR/$WORKDIR + +exit $failed diff --git a/testprogs/blackbox/test_net_ads_dns.sh b/testprogs/blackbox/test_net_ads_dns.sh new file mode 100755 index 0000000..1d2c090 --- /dev/null +++ b/testprogs/blackbox/test_net_ads_dns.sh @@ -0,0 +1,94 @@ +#!/bin/sh +# Blackbox tests for net ads dns register etc. +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 6 ]; then +cat <<EOF +Usage: test_net_ads_dns.sh SERVER DC_USERNAME DC_PASSWORD REALM USER PASS +EOF +exit 1; +fi + +SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +REALM=$4 +USERNAME=$5 +PASSWORD=$6 +shift 6 +failed=0 + +samba4bindir="$BINDIR" + +samba_tool="$samba4bindir/samba-tool" +net_tool="$samba4bindir/net" +smbpasswd="$samba4bindir/smbpasswd" +texpect="$samba4bindir/texpect" +ldbsearch="$samba4bindir/ldbsearch" +ldbmodify="$samba4bindir/ldbmodify" + +newuser="$samba_tool user create" +groupaddmem="$samba_tool group addmembers" + +. `dirname $0`/subunit.sh + +UID_WRAPPER_ROOT=1 +export UID_WRAPPER_ROOT + +IPADDRESS=10.1.4.111 +IP6ADDRESS=fd00:1a1a::1:5ee:bad:c0de +IPADDRMAC=10.1.4.124 +UNPRIVIP=10.1.4.130 +NAME=testname +UNPRIVNAME=unprivname +UNPRIVUSER=unprivuser +UNPRIVPASS=UnPrivPass1 + +# These tests check that privileged users can add DNS names and that +# unprivileged users cannot do so. +echo "Starting ..." + +testit "admin user should be able to add a DNS entry $NAME.$REALM $IPADDRESS $IP6ADDRESS" $VALGRIND $net_tool ads dns register $NAME.$REALM $IPADDRESS $IP6ADDRESS -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "We should be able to see the new name $NAME.$REALM $IPADDRESS" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS || failed=`expr $failed + 1` +testit "We should be able to see the new name $NAME.$REALM $IP6ADDRESS" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS || failed=`expr $failed + 1` + +testit "We should be able to unregister the name $NAME.$REALM" $VALGRIND $net_tool ads dns unregister $NAME.$REALM -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "The name $NAME.$REALM $IPADDRESS should not be there any longer" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS && failed=`expr $failed + 1` +testit "The name $NAME.$REALM $IP6ADDRESS should not be there any longer" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS && failed=`expr $failed + 1` + +# prime the kpasswd server, see "git blame" for an explanation +$VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD +$VALGRIND $net_tool user delete $UNPRIVUSER -U$DC_USERNAME%$DC_PASSWORD + +# This should be an expect_failure test ... +testit "Adding an unprivileged user" $VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +BASEDN=$($VALGRIND $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -b '' --scope=base defaultNamingContext | grep defaultNamingContext | sed -e 's!^defaultNamingContext: !!') + +LDIF="dn: CN=$UNPRIVUSER,CN=users,${BASEDN}+changetype: modify+replace: userAccountControl+userAccountControl: 512" + +echo $LDIF | tr '+' '\n' | $VALGRIND $ldbmodify -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -i +STATUS=$? + +testit "We should have enabled the account" test $STATUS -eq 0 || failed=`expr $failed + 1` + +#Unprivileged users should be able to add new names +testit "Unprivileged users should be able to add new names" $net_tool ads dns register $UNPRIVNAME.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=`expr $failed + 1` + +# This should work as well +testit "machine account should be able to add a DNS entry net ads dns register membername.$REALM $IPADDRMAC -P " $net_tool ads dns register membername.$REALM $IPADDRMAC -P || failed=`expr $failed + 1` + +testit "We should be able to see the new name membername.$REALM" dig @$SERVER +short -t a membername.$REALM | grep -q $IPADDRMAC || failed=`expr $failed + 1` + +#Unprivileged users should not be able to overwrite other's names +testit_expect_failure "Unprivileged users should not be able to modify existing names" $net_tool ads dns register membername.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=`expr $failed + 1` + +testit "We should be able to unregister the name $NAME.$REALM $IPADDRESS" $VALGRIND $net_tool ads dns unregister $NAME.$REALM -P || failed=`expr $failed + 1` + +testit "The name $NAME.$REALM ($IPADDRESS) should not be there any longer" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS && failed=`expr $failed + 1` +testit "The name $NAME.$REALM ($IP6ADDRESS) should not be there any longer" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS && failed=`expr $failed + 1` + +exit $failed diff --git a/testprogs/blackbox/test_net_ads_fips.sh b/testprogs/blackbox/test_net_ads_fips.sh new file mode 100755 index 0000000..57df650 --- /dev/null +++ b/testprogs/blackbox/test_net_ads_fips.sh @@ -0,0 +1,43 @@ +if [ $# -lt 4 ]; then +cat <<EOF +Usage: test_net_ads_fips.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS +EOF +exit 1; +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +BASEDIR=$4 + +HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10` + +RUNDIR=`pwd` +cd $BASEDIR +WORKDIR=`mktemp -d -p .` +WORKDIR=`basename $WORKDIR` +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" + +# Load test functions +. `dirname $0`/subunit.sh + +# This make sure we are able to join AD in FIPS mode with Kerberos (NTLM doesn't work in FIPS mode). +testit "join" $VALGRIND $net_tool ads join --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` + +testit "leave" $VALGRIND $net_tool ads leave --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +rm -rf $BASEDIR/$WORKDIR + +exit $failed diff --git a/testprogs/blackbox/test_net_ads_search_server.sh b/testprogs/blackbox/test_net_ads_search_server.sh new file mode 100755 index 0000000..f8350c9 --- /dev/null +++ b/testprogs/blackbox/test_net_ads_search_server.sh @@ -0,0 +1,37 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: $0 SERVER REALM +EOF +exit 1; +fi + +SERVER=$1 +REALM=$2 +shift 2 + +failed=0 +. `dirname $0`/subunit.sh + +samba_net="$BINDIR/net" + +DN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]' | sed -e 's!^!DC=!' -e 's!\.!,DC=!g') +testit_grep_count \ + "net_ads_search.ntlmssp" \ + "distinguishedName: ${DN}" \ + 1 \ + $samba_net ads search --use-kerberos=off -P \ + --server "${SERVER}.${REALM}" \ + '(objectClass=domain)' distinguishedName || \ + failed=$((failed + 1)) +testit_grep_count \ + "net_ads_search.krb5" \ + "distinguishedName: ${DN}" \ + 1 \ + $samba_net ads search --use-kerberos=required -P \ + --server "${SERVER}.${REALM}" \ + '(objectClass=domain)' distinguishedName || \ + failed=$((failed + 1)) + +exit $failed diff --git a/testprogs/blackbox/test_net_offline.sh b/testprogs/blackbox/test_net_offline.sh new file mode 100755 index 0000000..a174520 --- /dev/null +++ b/testprogs/blackbox/test_net_offline.sh @@ -0,0 +1,69 @@ +if [ $# -lt 4 ]; then +cat <<EOF +Usage: test_net.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS +EOF +exit 1; +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +BASEDIR=$4 + +HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10` + +RUNDIR=`pwd` +cd $BASEDIR +WORKDIR=`mktemp -d -p .` +WORKDIR=`basename $WORKDIR` +ODJFILE="$BASEDIR/$WORKDIR/odj_provision.txt" + + +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" + +# Load test functions +. `dirname $0`/subunit.sh + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + +# 1. Test w/o dcname + +testit "provision without dcname" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +rm -f $ODJFILE + +# 2. Test with dcname + +testit "provision with dcname" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE dcname=$DC_SERVER -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +rm -f $ODJFILE + +# 3. Test with defpwd + +testit "provision with dcname and default password" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE dcname=$DC_SERVER defpwd -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +rm -f $ODJFILE + +rm -rf $BASEDIR/$WORKDIR + +exit $failed diff --git a/testprogs/blackbox/test_net_rpc_user.sh b/testprogs/blackbox/test_net_rpc_user.sh new file mode 100755 index 0000000..64ab01b --- /dev/null +++ b/testprogs/blackbox/test_net_rpc_user.sh @@ -0,0 +1,56 @@ +#!/bin/sh +# Blackbox tests for 'net rpc' +# +# Copyright (c) 2017 Andreas Schneider <asn@samba.org> + +if [ $# -lt 4 ]; then +cat << EOF +Usage: net_rpc.sh SERVER ADMIN_ACCOUNT ADMIN_PASSWORD ADMIN_DOMAIN +EOF +exit 1 +fi + +SERVER=$1 +ADMIN_ACCOUNT=$2 +ADMIN_PASSWORD=$3 +ADMIN_DOMAIN=$4 +shift 4 + +failed=0 +samba_bindir="$BINDIR" + +samba_tool="$samba_bindir/samba-tool" +net_tool="$samba_bindir/net" + +TEST_USERNAME="$(mktemp -u samson-XXXXXX)" +TEST_PASSWORD="Passw0rd~01" + +newuser="$samba_tool user create" + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +########################################################### +### Setup +########################################################### + +testit "net rpc user add" \ + $VALGRIND $net_tool rpc user add $TEST_USERNAME $TEST_PASSWORD -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +########################################################### +### Tests +########################################################### + +TEST_PASSWORD_NEW="Passw0rd~02" + +testit "net rpc user password" \ + $VALGRIND $net_tool rpc user password $TEST_USERNAME $TEST_PASSWORD_NEW -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +########################################################### +### Teardown +########################################################### + +testit "net rpc user delete" \ + $VALGRIND $net_tool rpc user delete $TEST_USERNAME -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_offline_logon.sh b/testprogs/blackbox/test_offline_logon.sh new file mode 100755 index 0000000..6b54a38 --- /dev/null +++ b/testprogs/blackbox/test_offline_logon.sh @@ -0,0 +1,43 @@ +#!/bin/sh +# Blackbox tests for winbind offline logon support +# Copyright (c) 2021 Andreas Schneider <asn@samba.org> + +if [ $# -lt 9 ]; then +cat <<EOF +Usage: test_offline_logon.sh DOMAIN CACHED_USER_NAME_1 CACHED_USER_PASS_1 CACHED_USER_NAME_2 CACHED_USER_PASS_2 ONLINE_USER_NAME_1 ONLINE_USER_PASS_1 ONLINE_USER_NAME_2 ONLINE_USER_PASS_2 +EOF + exit 1; +fi + +DOMAIN=$1 +CACHED_USER_NAME_1=$2 +CACHED_USER_PASS_1=$3 +CACHED_USER_NAME_2=$4 +CACHED_USER_PASS_2=$5 +ONLINE_USER_NAME_1=$6 +ONLINE_USER_PASS_1=$7 +ONLINE_USER_NAME_2=$8 +ONLINE_USER_PASS_2=$9 +shift 9 + +. `dirname $0`/subunit.sh + +samba_bindir="$BINDIR" +wbinfo="$samba_bindir/wbinfo" + +# Check that the DC is offline +testit_expect_failure "wbinfo.ping-dc" $VALGRIND $wbinfo --ping-dc || failed=`expr $failed + 1` + +# We should have cached credentials for alice and bob +# --pam-logon sets always the WBFLAG_PAM_CACHED_LOGIN flag +testit "wbinfo.pam_logon_$CACHED_USER_NAME_1" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$CACHED_USER_NAME_1%$CACHED_USER_PASS_1 || failed=`expr $failed + 1` +testit "wbinfo.kerberos_logon_$CACHED_USER_NAME_1" $VALGRIND $wbinfo --krb5auth=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=`expr $failed + 1` + +testit "wbinfo.pam_logon_$CACHED_USER_NAME_2" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=`expr $failed + 1` +testit "wbinfo.kerberos_logon_$CACHED_USER_NAME_2" $VALGRIND $wbinfo --krb5auth=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=`expr $failed + 1` + +# We should not be able to auth with jane or joe +testit_expect_failure "wbinfo.pam_logon_$ONLINE_USER_NAME_1" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$ONLINE_USER_NAME_1%$ONLINE_USER_PASS_1 || failed=`expr $failed + 1` +testit_expect_failure "wbinfo.pam_logon_$ONLINE_USER_NAME_2" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$ONLINE_USER_NAME_2%$ONLINE_USER_PASS_2 || failed=`expr $failed + 1` + +exit $failed diff --git a/testprogs/blackbox/test_old_enctypes.sh b/testprogs/blackbox/test_old_enctypes.sh new file mode 100755 index 0000000..794a265 --- /dev/null +++ b/testprogs/blackbox/test_old_enctypes.sh @@ -0,0 +1,68 @@ +#!/bin/bash + +if [ $# -lt 5 ]; then +cat <<EOF +Usage: test_primary_group.sh SERVER USERNAME PASSWORD NETBIOSNAME PREFIX_ABS +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +NETBIOSNAME=$4 +PREFIX_ABS=$5 +shift 5 +failed=0 + +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" + +samba_tool="$samba4bindir/samba-tool" + +ldbmodify="ldbmodify" +if [ -x "$samba4bindir/ldbmodify" ]; then + ldbmodify="$samba4bindir/ldbmodify" +fi + +ldbsearch="ldbsearch" +if [ -x "$samba4bindir/ldbsearch" ]; then + ldbsearch="$samba4bindir/ldbsearch" +fi + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +out="${PREFIX_ABS}/tmpldbsearch.out" +$ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 sAMAccountName="$NETBIOSNAME\$" dn msDS-SupportedEncryptionTypes > $out +testit_grep "find my dn" msDS-SupportedEncryptionTypes cat $out || failed=`expr $failed + 1` + +my_dn=$(cat $out | sed -n 's/^dn: //p') +my_encs=$(cat $out | sed -n 's/^msDS-SupportedEncryptionTypes: //p') +my_test_encs=`expr $my_encs + 3` + +ldif="${PREFIX_ABS}/tmpldbmodify.ldif" + +cat > $ldif <<EOF +dn: $my_dn +changetype: modify +replace: msDS-SupportedEncryptionTypes +msDS-SupportedEncryptionTypes: $my_test_encs +EOF + +testit "Change msDS-SupportedEncryptionTypes to $my_test_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1` +kt=${PREFIX_ABS}/tmp_host_out_keytab +testit "Export keytab while old enctypes are supported" $samba_tool domain exportkeytab --principal=$NETBIOSNAME\$ $kt + +cat > $ldif <<EOF +dn: $my_dn +changetype: modify +replace: msDS-SupportedEncryptionTypes +msDS-SupportedEncryptionTypes: $my_encs +EOF + +testit "Change msDS-SupportedEncryptionTypes back to $my_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1` + +rm -rf $kt $out $ldif + +exit $failed diff --git a/testprogs/blackbox/test_password_settings.sh b/testprogs/blackbox/test_password_settings.sh new file mode 100755 index 0000000..9a4846a --- /dev/null +++ b/testprogs/blackbox/test_password_settings.sh @@ -0,0 +1,254 @@ +#!/bin/sh +# Blackbox tests for different password settings +# +# Copyright (c) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (c) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (c) 2016 Andreas Schneider <asn@samba.org> + +if [ $# -lt 6 ]; then +cat <<EOF +Usage: test_passwords_settings.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +shift 6 +failed=0 + +samba_bindir="$BINDIR" + +samba_kinit=kinit +if test -x $samba_bindir/samba4kinit; then + samba_kinit=$samba_bindir/samba4kinit +fi + +smbclient="$samba_bindir/smbclient" +samba_tool="$samba_bindir/samba-tool" +smbpasswd="$samba_bindir/smbpasswd" +texpect="$samba_bindir/texpect" + +newuser="$samba_tool user create" +SMB_UNC="//$SERVER/tmp" + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +do_kinit() { + principal="$1" + password="$2" + shift + shift + kerberos_kinit "$samba_kinit" "$principal" "$password" $@ +} + +test_smbpasswd() +{ + user=$1 + newpass=$2 + + tmpfile=$PREFIX/smbpasswd_change_password_script + cat > $tmpfile <<EOF +expect New SMB password: +send ${newpass}\n +expect Retype new SMB password: +send ${newpass}\n +EOF + + cmd='UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $texpect $tmpfile $smbpasswd -L -c $PREFIX/etc/smb.conf $user' + eval echo "$cmd" + out=$(eval $cmd) + ret=$? + rm -f $tmpfile + + if [ $ret -ne 0 ]; then + echo "Failed to change user password $user" + return 1 + fi +} + +UID_WRAPPER_ROOT=1 +export UID_WRAPPER_ROOT + +CONFIG="--configfile=$PREFIX/etc/smb.conf" +export CONFIG + +testit "reset password policies beside of minimum password age of 0 days" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1` + +TEST_USERNAME="$(mktemp -u alice-XXXXXX)" +TEST_PASSWORD="testPaSS@00%" +TEST_PASSWORD_NEW="testPaSS@01%" +TEST_PASSWORD_NON_ASCII="Täst123" +TEST_PASSWORD_SHORT="secret" +TEST_PASSWORD_WEAK="Supersecret" +TEST_PRINCIPAL="$TEST_USERNAME@$REALM" + +testit "create user locally" \ + $VALGRIND $PYTHON $newuser $CONFIG $TEST_USERNAME $TEST_PASSWORD || failed=`expr $failed + 1` + +########################################################### +### Test normal operation as user +########################################################### + +KRB5CCNAME_PATH="$PREFIX/test_password_settings_krb5ccache" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1` + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` + +rm -f $KRB5CCNAME_PATH + +########################################################### +### Change the users password +########################################################### + +testit "change user password with 'samba-tool user password' (unforced)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1` + +TEST_PASSWORD_OLD=$TEST_PASSWORD +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@02%" + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1` + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` + +########################################################### +### Change the users password +########################################################### + +testit "change user (non-ascii) password with 'samba-tool user password' (unforced)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NON_ASCII || failed=`expr $failed + 1` + +TEST_PASSWORD_OLD=$TEST_PASSWORD_NEW +TEST_PASSWORD=$TEST_PASSWORD_NON_ASCII + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1` + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` + +# +# These tests demonstrate that a credential cache in the environment does not +# override a username/password, even an incorrect one, on the command line +# + +testit_expect_failure "Test login with user kerberos ccache, but wrong password specified" \ + $VALGRIND $smbclient //$SERVER/tmp -c 'ls' --use-krb5-ccache=$KRB5CCNAME -U$TEST_PRINCIPAL%invalidpass && failed=`expr $failed + 1` +testit_expect_failure "Test login with user kerberos ccache, but old password specified" \ + $VALGRIND $smbclient //$SERVER/tmp -c 'ls' --use-krb5-ccache=$KRB5CCNAME -U$TEST_PRINCIPAL%$TEST_PASSWORD_OLD && failed=`expr $failed + 1` + +rm -f $KRB5CCNAME_PATH + +########################################################### +### Set the password with smbpasswd +########################################################### + +testit "set user password with smbpasswd" \ + test_smbpasswd $TEST_USERNAME $TEST_PASSWORD_NEW \ + || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@03%" + +test_smbclient "Test login with user (ntlm)" \ + "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1` + +testit "set password on user locally" $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=`expr $failed + 1` + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@04%" + +test_smbclient_expect_failure "Test login with user (NT_STATUS_PASSWORD_MUST_CHANGE)" \ + "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD && failed=`expr $failed + 1` + +testit "change user password with 'samba-tool user password' (after must change flag set)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1` + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@05%" + +test_smbclient "Test login with user kerberos" 'ls' "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1` + +rm -f $KRB5CCNAME_PATH + +cat > $PREFIX/tmpsmbpasswdscript <<EOF +expect Old SMB password: +password ${TEST_PASSWORD}\n +expect New SMB password: +send ${TEST_PASSWORD_NEW}\n +expect Retype new SMB password: +send ${TEST_PASSWORD_NEW}\n +EOF + +testit "change user password with smbpasswd (after must change flag set)" \ + $texpect $PREFIX/tmpsmbpasswdscript $smbpasswd -r $SERVER -c $PREFIX/etc/smb.conf -U $TEST_USERNAME || failed=`expr $failed + 1` + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@06%" + +test_smbclient "Test login with user kerberos" \ + "ls" "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1` + +rm -f $KRB5CCNAME_PATH + +testit_expect_failure "try to set a non-complex password (command should not succeed)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_WEAK" && failed=`expr $failed + 1` + +testit "allow non-complex passwords" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=off || failed=`expr $failed + 1` + +testit "try to set a non-complex password (command should succeed)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_WEAK" || failed=`expr $failed + 1` + +TEST_PASSWORD=$TEST_PASSWORD_WEAK + +test_smbclient "test login with non-complex password" \ + "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1` + +testit_expect_failure "try to set a short password (command should not succeed)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_SHORT" && failed=`expr $failed + 1` + +testit "allow short passwords (length 1)" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --min-pwd-length=1 || failed=`expr $failed + 1` + +testit "try to set a short password (command should succeed)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_SHORT" || failed=`expr $failed + 1` + +TEST_PASSWORD=$TEST_PASSWORD_SHORT +TEST_PASSWORD_NEW="testPaSS@07%" + +testit "require minimum password age of 1 day" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --min-pwd-age=1 || failed=`expr $failed + 1` + +testit "show password settings" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings show $CONFIG || failed=`expr $failed + 1` + +testit_expect_failure "try to change password too quickly (command should not succeed)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_NEW" && failed=`expr $failed + 1` + +testit "reset password policies" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1` + +testit "delete user $TEST_USERNAME" \ + $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=`expr $failed + 1` + +rm -f $PREFIX/tmpuserpassfile $PREFIX/tmpsmbpasswdscript +rm -f $KRB5CCNAME_PATH + +exit $failed diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh new file mode 100755 index 0000000..43852b3 --- /dev/null +++ b/testprogs/blackbox/test_pdbtest.sh @@ -0,0 +1,119 @@ +#!/bin/sh +# Blackbox tests for pdbtest +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2012 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: test_pdbtest.sh SERVER PREFIX USER SMBCLIENT SMB_CONF +EOF +exit 1; +fi + +SERVER=$1 +PREFIX=$2 +USER=$3 +smbclient=$4 +SMB_CONF=$5 +shift 5 +failed=0 + +samba4bindir="$BINDIR" +pdbtest="$samba4bindir/pdbtest" +pdbedit="$samba4bindir/pdbedit" +net="$samba4bindir/net" +smbpasswd="$samba4bindir/smbpasswd" +texpect="$samba4bindir/texpect" +unc="//$SERVER/tmp" + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +UID_WRAPPER_ROOT=1 +export UID_WRAPPER_ROOT + +test_smbpasswd() +{ + user=$1 + newpass=$2 + + echo "set password with smbpasswd" + tmpfile=$PREFIX/smbpasswd_change_password_script + cat > $tmpfile <<EOF +expect New SMB password: +send ${newpass}\n +expect Retype new SMB password: +send ${newpass}\n +EOF + + cmd='UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $texpect $tmpfile $smbpasswd -L $user -c $SMB_CONF' + eval echo "$cmd" + out=$(eval $cmd) + ret=$? + rm -f $tmpfile + + if [ $ret -ne 0 ]; then + echo "Failed to change user password $user" + return 1 + fi +} + +testit "pdbtest" $VALGRIND $BINDIR/pdbtest -u $USER $@ || failed=`expr $failed + 1` + +NEWUSERPASS=testPaSS@01% + +echo "set password with pdbedit" +cat > $PREFIX/tmpsmbpasswdscript <<EOF +expect new password: +send ${NEWUSERPASS}\n +expect retype new password: +send ${NEWUSERPASS}\n +EOF + +testit "create user with pdbedit" $texpect $PREFIX/tmpsmbpasswdscript $VALGRIND $pdbedit --configfile=$SMB_CONF -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1` +USERPASS=$NEWUSERPASS + +test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS $@ || failed=`expr $failed + 1` + +testit "modify user" $VALGRIND $pdbedit --configfile=$SMB_CONF --modify $USER --drive="D:" $@ || failed=`expr $failed + 1` + +test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1` + +NEWUSERPASS=testPaSS@02% + +testit "set user password with smbpasswd" \ + test_smbpasswd $USER $NEWUSERPASS \ + || failed=$(expr $failed + 1) + +USERPASS=$NEWUSERPASS + +test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1` + +testit "modify user - disabled" $VALGRIND $net sam set disabled $USER yes $@ || failed=`expr $failed + 1` + +testit_expect_failure "Test login with disabled suer" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -U$USER@%$USERPASS && failed=`expr $failed + 1` + +testit "modify user - enabled" $VALGRIND $net sam set disabled $USER no $@ || failed=`expr $failed + 1` + +test_smbclient "Test login with re-enabled user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=`expr $failed + 1` + +testit "modify user - must change password now" $VALGRIND $net sam set pwdmustchangenow $USER yes $@ || failed=`expr $failed + 1` + +testit_expect_failure "Test login with expired password" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -U$USER@%$USERPASS && failed=`expr $failed + 1` + +testit "modify user - disable password expiry" $VALGRIND $net sam set pwnoexp $USER yes $@ || failed=`expr $failed + 1` + +test_smbclient "Test login with no expiry (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=`expr $failed + 1` + +NEWUSERPASS=testPaSS@03% +NEWUSERHASH=062519096c45739c1938800f80906731 + +testit "Set user password with password hash" $VALGRIND $pdbedit --configfile=$SMB_CONF -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1` + +test_smbclient "Test login with new password (from hash)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=`expr $failed + 1` + +testit "del user" $VALGRIND $pdbedit --configfile=$SMB_CONF -x $USER $@ || failed=`expr $failed + 1` + +rm $PREFIX/tmpsmbpasswdscript + +exit $failed diff --git a/testprogs/blackbox/test_pkinit_pac.sh b/testprogs/blackbox/test_pkinit_pac.sh new file mode 100755 index 0000000..8047517 --- /dev/null +++ b/testprogs/blackbox/test_pkinit_pac.sh @@ -0,0 +1,63 @@ +#!/bin/sh +# Blackbox tests for pkinit and pac verification +# +# Copyright (C) 2006-2008 Stefan Metzmacher +# Copyright (C) 2022 Andreas Schneider + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +shift 6 +failed=0 + +samba_bindir="$BINDIR" + +samba_kinit="$(command -v kinit)" +if [ -x "${samba_bindir}/samba4kinit" ]; then + samba_kinit="${samba_bindir}/samba4kinit" +fi +samba_smbtorture="${samba_bindir}/smbtorture --basedir=$SELFTEST_TMPDIR" + +. "$(dirname "$0")"/subunit.sh +. "$(dirname "$0")"/common_test_fns.inc + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +rm -f "${KRB5CCNAME_PATH}" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")" + +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="--renewable" +else + X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="-r 1h" +fi +OPTION_REQUEST_PAC="--request-pac" + +testit "STEP1 kinit with pkinit (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP1 remote.pac verification" \ + "${samba_smbtorture}" ncacn_np:"${SERVER}" rpc.pac \ + --workgroup="${DOMAIN}" -U"${USERNAME}%${PASSWORD}" \ + --option=torture:pkinit_ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" +exit ${failed} diff --git a/testprogs/blackbox/test_pkinit_simple.sh b/testprogs/blackbox/test_pkinit_simple.sh new file mode 100755 index 0000000..c63d1da --- /dev/null +++ b/testprogs/blackbox/test_pkinit_simple.sh @@ -0,0 +1,333 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) 2022 Andreas Schneider <asn@samba.org> + +if [ $# -lt 7 ]; then + cat <<EOF +Usage: test_pkinit_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLINET +EOF + exit 1 +fi + +SERVER="${1}" +USERNAME="${2}" +PASSWORD="${3}" +REALM="${4}" +DOMAIN="${5}" +PREFIX="${6}" +smbclient="${7}" +shift 7 +failed=0 + +samba_bindir="${BINDIR}" + +samba_kinit="$(command -v kinit)" +if [ -x "${samba_bindir}/samba4kinit" ]; then + samba_kinit="${samba_bindir}/samba4kinit" +fi +samba_tool="${PYTHON} ${samba_bindir}/samba-tool" +wbinfo="${samba_bindir}/wbinfo" + +. "$(dirname "$0")"/subunit.sh +. "$(dirname "$0")"/common_test_fns.inc + +unc="//${SERVER}/tmp" + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +rm -f "${KRB5CCNAME_PATH}" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")" + +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="--renewable" + OPTION_RENEW_TICKET="--renew" + OPTION_ENTERPRISE_NAME="--enterprise" +else + # MIT + X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="-r 1h" + OPTION_RENEW_TICKET="-R" + OPTION_ENTERPRISE_NAME="-E" +fi +OPTION_REQUEST_PAC="--request-pac" + +# STEP0: +# Now we set the UF_SMARTCARD_REQUIRED bit +# This means we have a normal enabled account *without* a known password +testit "STEP0 samba-tool user create ${USERNAME} --smartcard-required" \ + "${samba_tool}" user create "${USERNAME}" --smartcard-required || + failed=$((failed + 1)) + +testit_expect_failure "STEP1 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +testit_expect_failure "STEP1 Test login with NTLM" \ + "${smbclient}" "${unc}" -c 'ls' "-U${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit_expect_failure "STEP1 Test wbinfo with password" \ + "${wbinfo}" "--authenticate=$DOMAIN/$USERNAME%$PASSWORD" || + failed=$((failed + 1)) + +testit "STEP1 kinit with pkinit (name specified: ${USERNAME})" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) + +testit "STEP1 kinit renew ticket (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP1 Test login with kerberos ccache (name specified)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# OK +testit_expect_failure "STEP1 kinit with pkinit (wrong name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "not${USERNAME}@${REALM}" || + failed=$((failed + 1)) + +testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${SERVER}@${REALM}" || + failed=$((failed + 1)) + +testit "STEP1 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP1 kinit renew ticket (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) +testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "not${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${SERVER}@${REALM}" || + failed=$((failed + 1)) + +testit "STEP1 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) +testit "STEP1 kinit renew ticket (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# STEP2: +# We still have UF_SMARTCARD_REQUIRED, but with a known password +testit "STEP2 samba-tool user setpassword ${USERNAME} --newpassword" \ + "${samba_tool}" user setpassword "${USERNAME}" \ + --newpassword="${PASSWORD}" || + failed=$((failed + 1)) + +testit_expect_failure "STEP2 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +test_smbclient "STEP2 Test login with NTLM" \ + 'ls' "$unc" -U"${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit_expect_failure "STEP2 Test wbinfo with password" \ + "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) + +testit "STEP2 kinit with pkinit (name specified) " \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP2 kinit renew ticket (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP2 Test login with kerberos ccache (name specified)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP2 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP2 kinit renew ticket (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP2 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) +testit "STEP2 kinit renew ticket (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# STEP3: +# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set +testit "STEP3 samba-tool user setpassword ${USERNAME} --clear-smartcard-required" \ + "${samba_tool}" user setpassword "${USERNAME}" \ + --newpassword="${PASSWORD}" --clear-smartcard-required || + failed=$((failed + 1)) + +testit "STEP3 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with user kerberos ccache" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with NTLM" \ + 'ls' "$unc" -U"${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit "STEP3 Test wbinfo with password" \ + "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) + +testit "STEP3 kinit with pkinit (name specified) " \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP3 kinit renew ticket (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with kerberos ccache (name specified)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP3 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP3 kinit renew ticket (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP3 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) +testit "STEP3 kinit renew ticket (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# STEP4: +# Now we set the UF_SMARTCARD_REQUIRED bit +# This means we have a normal enabled account *without* a known password +testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" \ + "${samba_tool}" user setpassword "${USERNAME}" --smartcard-required || + failed=$((failed + 1)) + +testit_expect_failure "STEP4 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +testit_expect_failure "STEP4 Test login with NTLM" \ + "${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit_expect_failure "STEP4 Test wbinfo with password" \ + "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) + +testit "STEP4 kinit with pkinit (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP4 kinit renew ticket (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP4 Test login with kerberos ccache (name specified)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP4 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP4 kinit renew ticket (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP4 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) +testit "STEP4 kinit renew ticket (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# STEP5: +# disable the account +testit "STEP5 samba-tool user disable $USERNAME" \ + "${samba_tool}" user disable "${USERNAME}" || + failed=$((failed + 1)) + +testit_expect_failure "STEP5 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +testit_expect_failure "STEP5 Test login with NTLM" \ + "${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit_expect_failure "STEP5 Test wbinfo with password" \ + "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) + +testit_expect_failure "STEP5 kinit with pkinit (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) + +# STEP6: +# cleanup +testit "STEP6 samba-tool user delete ${USERNAME}" \ + "${samba_tool}" user delete "${USERNAME}" || + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" +exit ${failed} diff --git a/testprogs/blackbox/test_primary_group.sh b/testprogs/blackbox/test_primary_group.sh new file mode 100755 index 0000000..0fbc287 --- /dev/null +++ b/testprogs/blackbox/test_primary_group.sh @@ -0,0 +1,90 @@ +#!/bin/bash + +if [ $# -lt 5 ]; then +cat <<EOF +Usage: test_primary_group.sh SERVER USERNAME PASSWORD DOMAIN PREFIX_ABS +EOF +exit 1; +fi + +TMPDIR="$PREFIX_ABS/$(basename $0)" +export TMPDIR + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +DOMAIN=$4 +PREFIX_ABS=$5 +shift 5 +failed=0 + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +TZ=UTC +export TZ + +N=$(date +%H%M%S) + +testuser="testuser$N" +testgroup="testgroup$N" + +echo "testuser: $testuser" +echo "testgroup: $testgroup" + +testit "mkdir -p '${TMPDIR}'" mkdir -p ${TMPDIR} || failed=`expr $failed + 1` + +testit "create '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool user create "$testuser" Password.1 || failed=`expr $failed + 1` +testit "add '$testgroup'" $VALGRIND $PYTHON $BINDIR/samba-tool group add "$testgroup" || failed=`expr $failed + 1` +testit "addmembers '$testgroup' '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool group addmembers "$testgroup" "$testuser" || failed=`expr $failed + 1` + +testit "search1" $VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testgroup" objectSid || failed=`expr $failed + 1` +ldif="${TMPDIR}/search1.ldif" +$VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testgroup objectSid > $ldif +rid=$(cat $ldif | sed -n 's/^objectSid: S-1-5-21-.*-.*-.*-//p') + +testit "search2" $VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testuser" dn || failed=`expr $failed + 1` +ldif="${TMPDIR}/search2.ldif" +$VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testuser dn > $ldif +user_dn=$(cat $ldif | sed -n 's/^dn: //p') + +ldif="${TMPDIR}/modify1.ldif" +cat > $ldif <<EOF +dn: $user_dn +changetype: modify +replace: primaryGroupID +primaryGroupID: $rid +EOF +testit "Change primaryGroupID to $rid" $VALGRIND $BINDIR/ldbmodify -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 --verbose < $ldif || failed=`expr $failed + 1` + +testit "dbcheck run1" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1` + +ldif="${TMPDIR}/modify2.ldif" +cat > $ldif <<EOF +dn: $user_dn +changetype: modify +replace: primaryGroupID +primaryGroupID: 513 +EOF +testit "Change primaryGroupID to 513" $VALGRIND $BINDIR/ldbmodify -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1` + +testit "dbcheck run2" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1` + +testit "delete '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool user delete "$testuser" || failed=`expr $failed + 1` +testit "delete '$testgroup'" $VALGRIND $PYTHON $BINDIR/samba-tool group delete "$testgroup" || failed=`expr $failed + 1` + +# +# As we don't support phantom objects and virtual backlinks +# the deletion of the user prior to the group causes dangling links, +# which are detected like this: +# +# WARNING: target DN is deleted for member in object +# +# Specifically, this happens because after the member link is +# deactivated the memberOf is gone, and so there is no way to find the +# now redundant forward link to clean it up. +# +testit_expect_failure "dbcheck run3" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member --fix --yes || failed=`expr $failed + 1` +testit "dbcheck run4" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1` + +exit $failed diff --git a/testprogs/blackbox/test_rpcclient_schannel.sh b/testprogs/blackbox/test_rpcclient_schannel.sh new file mode 100755 index 0000000..9981d4d --- /dev/null +++ b/testprogs/blackbox/test_rpcclient_schannel.sh @@ -0,0 +1,94 @@ +#!/bin/bash +# Blackbox tests rpcclient with schannel +# Copyright (c) 2021 Andreas Schneider <asn@samba.org> + +if [ $# -lt 8 ]; then + cat << EOF +Usage: test_rpcclient_schannel.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION TESTENV +EOF + exit 1 +fi + +DOMAIN=$1 +REALM=$2 +USERNAME=$3 +PASSWORD=$4 +SERVER=$5 +PREFIX=$6 +CONFIGURATION=$7 +TESTENV=$8 +shift 8 + +failed=0 + +samba_subunit_dir=$(dirname "$0") +. "${samba_subunit_dir}/subunit.sh" +. "${samba_subunit_dir}/common_test_fns.inc" + +samba_bindir="${BINDIR}" +samba_rpcclient="${samba_bindir}/rpcclient" + +test_rpc_getusername() +{ + cmd="$samba_rpcclient ncacn_np:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c getusername 2>&1" + out=$(eval "$cmd") + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +test_rpc_lookupsids() +{ + cmd="$samba_rpcclient ncacn_ip_tcp:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c 'lookupsids3 S-1-1-0' 2>&1" + out=$(eval "$cmd") + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "S-1-1-0 Everyone" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +testit "ncacn_np.getusername" \ + test_rpc_getusername || \ + failed=$((failed + 1)) + +if [[ "$TESTENV" == "ad_member_fips"* ]]; then + unset GNUTLS_FORCE_FIPS_MODE + + testit "ncacn_np.getusername.fips" \ + test_rpc_getusername || \ + failed=$((failed + 1)) + + GNUTLS_FORCE_FIPS_MODE=1 + export GNUTLS_FORCE_FIPS_MODE +fi + +testit "ncacn_ip_tcp.lookupsids" \ + test_rpc_lookupsids || \ + failed=$((failed + 1)) + +exit ${failed} diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh new file mode 100755 index 0000000..f27c7d6 --- /dev/null +++ b/testprogs/blackbox/test_s4u_heimdal.sh @@ -0,0 +1,94 @@ +#!/bin/sh + +if [ $# -lt 5 ]; then +cat <<EOF +Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +TRUST_SERVER=$6 +TRUST_USERNAME=$7 +TRUST_PASSWORD=$8 +TRUST_REALM=$9 +TRUST_DOMAIN=${10} +PREFIX=${11} +shift 11 +failed=0 + + +samba_tool="$VALGRIND $PYTHON $BINDIR/samba-tool" + +samba4kinit_binary=kinit +if test -x $BINDIR/samba4kinit; then + samba4kinit_binary=$BINDIR/samba4kinit +fi + +samba4kgetcred=kgetcred +if test -x $BINDIR/samba4kgetcred; then + samba4kgetcred=$BINDIR/samba4kgetcred +fi + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +ocache="$PREFIX/tmpoutcache" +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME +rm -rf $KRB5CCNAME_PATH + +princ=test_impersonate_princ +impersonator=test_impersonator.$REALM +target="CIFS/$SERVER.$REALM" + + +testit "add impersonator principal" $samba_tool user add $impersonator $PASSWORD || failed=`expr $failed + 1` +testit "become a service" $samba_tool spn add "HOST/$impersonator" $impersonator || failed=`expr $failed + 1` + +testit "set TrustedToAuthForDelegation" $samba_tool delegation for-any-protocol $impersonator on || failed=`expr $failed + 1` +testit "add msDS-AllowedToDelegateTo" $samba_tool delegation add-service $impersonator $target || failed=`expr $failed + 1` + +testit "add a new principal" $samba_tool user add $princ --random-password || failed=`expr $failed + 1` +testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=`expr $failed + 1` + + +echo $PASSWORD > $PREFIX/tmppassfile +testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` + +testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +testit "test S4U2Self with sensitive user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` +testit_expect_failure "test S4U2Proxy with sensitive user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +rm -f $ocache +testit "unset not-delegated flag" $samba_tool user sensitive $princ off || failed=`expr $failed + 1` + +testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +echo $TRUST_PASSWORD > $PREFIX/tmppassfile +testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` +testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +echo $PASSWORD > $PREFIX/tmppassfile +testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` +testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + + +rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile +exit $failed diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh b/testprogs/blackbox/test_samba-tool_ntacl.sh new file mode 100755 index 0000000..4648fa6 --- /dev/null +++ b/testprogs/blackbox/test_samba-tool_ntacl.sh @@ -0,0 +1,132 @@ +#!/bin/sh +# Blackbox tests for samba-tool ntacl get/set on member server +# Copyright (C) 2018 Björn Baumbach <bb@sernet.de> + +if [ $# -ne 2 ]; then + echo "Usage: test_samba-tool_ntacl.sh PREFIX DOMSID" + exit 1 +fi + +PREFIX=$1 +domain_sid=$2 + +failed=0 + +samba4bindir="$BINDIR" +samba_tool="$samba4bindir/samba-tool" + +testfile="$PREFIX/ntacl_testfile" + +# acl from samba_tool/ntacl.py tests +acl="O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" +new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" +new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468" + +. `dirname $0`/subunit.sh + +UID_WRAPPER_ROOT=1 +export UID_WRAPPER_ROOT + +test_get_acl() +{ + testfile="$1" + exptextedacl="$2" + + retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl) || return $? + + test "$retacl" = "$exptextedacl" +} + +test_set_acl() +{ + testfile="$1" + acl="$2" + + $PYTHON $samba_tool ntacl set "$acl" "$testfile" +} + +test_get_acl_ntvfs() +{ + testfile="$1" + exptextedacl="$2" + + retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl --use-ntvfs --xattr-backend=tdb --configfile=$PREFIX/ad_member/lib/server.conf) || return $? + + test "$retacl" = "$exptextedacl" +} + +test_set_acl_ntvfs() +{ + testfile="$1" + acl="$2" + + $PYTHON $samba_tool ntacl set "$acl" "$testfile" --use-ntvfs --xattr-backend=tdb --configfile=$PREFIX/ad_member/lib/server.conf +} + +test_changedomsid() +{ + testfile="$1" + + $PYTHON $samba_tool ntacl changedomsid \ + "$domain_sid" "$new_domain_sid" "$testfile" \ + --service=tmp \ + --configfile=$PREFIX/ad_member/lib/server.conf + + retacl=$($PYTHON $samba_tool ntacl get \ + "$testfile" \ + --as-sddl \ + --service=tmp \ + --configfile=$PREFIX/ad_member/lib/server.conf) || return $? + + test "$retacl" = "$new_acl" +} + +test_changedomsid_ntvfs() +{ + testfile="$1" + + $PYTHON $samba_tool ntacl changedomsid \ + "$domain_sid" "$new_domain_sid" "$testfile" \ + --use-ntvfs \ + --xattr-backend=tdb \ + --configfile=$PREFIX/ad_member/lib/server.conf + + retacl=$($PYTHON $samba_tool ntacl get \ + "$testfile" \ + --as-sddl \ + --xattr-backend=tdb \ + --use-ntvfs \ + --configfile=$PREFIX/ad_member/lib/server.conf) || return $? + + test "$retacl" = "$new_acl" +} + +# work around include error - s4-loadparm does not allow missing include files +# +# Unable to load file /home/bbaumba/src/git/samba/st/ad_member/lib/server.conf +# File "bin/python/samba/netcmd/__init__.py", line 183, in _run +# return self.run(*args, **kwargs) +# File "bin/python/samba/netcmd/ntacl.py", line 175, in run +# lp = sambaopts.get_loadparm() +# File "bin/python/samba/getopt.py", line 92, in get_loadparm +# self._lp.load(os.getenv("SMB_CONF_PATH")) +# Processing section "[global]" +touch "$(dirname $SMB_CONF_PATH)/error_inject.conf" +touch "$(dirname $SMB_CONF_PATH)/delay_inject.conf" + +touch "$testfile" + +testit "set_ntacl" test_set_acl "$testfile" "$acl" || failed=`expr $failed + 1` + +testit "get_ntacl" test_get_acl "$testfile" "$acl" || failed=`expr $failed + 1` + +testit "changedomsid" test_changedomsid "$testfile" || failed=`expr $failed + 1` + +testit "set_ntacl_ntvfs" test_set_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1` +testit "get_ntacl_ntvfs" test_get_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1` + +testit "changedomsid_ntvfs" test_changedomsid_ntvfs "$testfile" || failed=`expr $failed + 1` + +rm -f "$testfile" + +exit $failed diff --git a/testprogs/blackbox/test_samba_upgradedns.sh b/testprogs/blackbox/test_samba_upgradedns.sh new file mode 100755 index 0000000..93799d4 --- /dev/null +++ b/testprogs/blackbox/test_samba_upgradedns.sh @@ -0,0 +1,38 @@ +#!/bin/sh +# Blackbox tests for the samba_upgradedns +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2012 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 4 ]; then +cat <<EOF +Usage: test_samba_upgradedns.sh SERVER REALM PREFIX PROVDIR +EOF +exit 1; +fi + +SERVER=$1 +REALM=$2 +PREFIX=$3 +PROVDIR=$4 +shift 4 +failed=0 + +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" + + +. `dirname $0`/subunit.sh + +testit "run samba_upgradedns converting to bind9 DLZ" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1` +testit "check that dns.keytab is present" test -f $PROVDIR/bind-dns/dns.keytab + +testit "run samba_upgradedns converting to internal" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1` + +testit "run samba_upgradedns converting to internal (2nd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1` + +testit "run samba_upgradedns converting to bind9 DLZ (2nd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1` + +testit "run samba_upgradedns converting to bind9 DLZ (3rd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1` + + +exit $failed diff --git a/testprogs/blackbox/test_smbtorture_test_names.sh b/testprogs/blackbox/test_smbtorture_test_names.sh new file mode 100755 index 0000000..a451310 --- /dev/null +++ b/testprogs/blackbox/test_smbtorture_test_names.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +#Tests if the --fullname parameter passed to smbtorture is working as expected. + +if [ $# -ne 1 ]; then +cat <<EOF +Usage: test_smbtorture_test_names.sh SMBTORTURE +EOF +exit 1; +fi + +SMBTORTURE="$1 //a/b" + +. `dirname $0`/subunit.sh + +failed=0 + +testit_grep "with_shortname local.smbtorture.level1.level2.level3.always_pass" \ + '^success: always_pass$' \ + $SMBTORTURE local.smbtorture.level1.level2.level3.always_pass || failed=`expr $failed + 1` +testit_grep "with_shortname local.smbtorture.level1.level2.level3" \ + '^success: always_pass$' \ + $SMBTORTURE local.smbtorture.level1.level2.level3 || failed=`expr $failed + 1` +testit_grep "with_shortname local.smbtorture.level1.level2"\ + '^success: level3.always_pass$' \ + $SMBTORTURE local.smbtorture.level1.level2 || failed=`expr $failed + 1` +testit_grep "with_shortname local.smbtorture.level1" \ + '^success: level2.level3.always_pass$' \ + $SMBTORTURE local.smbtorture.level1 || failed=`expr $failed + 1` +testit_grep "with_fullname local.smbtorture.level1.level2.level3.always_pass" \ + '^success: local.smbtorture.level1.level2.level3.always_pass$' \ + $SMBTORTURE --fullname local.smbtorture.level1.level2.level3.always_pass || failed=`expr $failed + 1` +testit_grep "with_fullname local.smbtorture.level1.level2.level3" \ + '^success: local.smbtorture.level1.level2.level3.always_pass$' \ + $SMBTORTURE --fullname local.smbtorture.level1.level2.level3 || failed=`expr $failed + 1` +testit_grep "with_fullname local.smbtorture.level1.level2" \ + '^success: local.smbtorture.level1.level2.level3.always_pass$' \ + $SMBTORTURE --fullname local.smbtorture.level1.level2 || failed=`expr $failed + 1` +testit_grep "with_fullname local.smbtorture.level1" \ + '^success: local.smbtorture.level1.level2.level3.always_pass$' \ + $SMBTORTURE --fullname local.smbtorture.level1 || failed=`expr $failed + 1` + +testok $0 $failed diff --git a/testprogs/blackbox/test_special_group.sh b/testprogs/blackbox/test_special_group.sh new file mode 100755 index 0000000..84bb95f --- /dev/null +++ b/testprogs/blackbox/test_special_group.sh @@ -0,0 +1,52 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat <<EOF +Usage: $0 PREFIX +EOF +exit 1; +fi + +PREFIX_ABS="$1" +shift 1 + +failed=0 + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +OLD_RELEASE="release-4-5-0-pre1" +old_release_dir="$SRCDIR_ABS/source4/selftest/provisions/$OLD_RELEASE" + +samba_tdbrestore="tdbrestore" +if [ -x "$BINDIR/tdbrestore" ]; then + samba_tdbrestore="$BINDIR/tdbrestore" +fi + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" + +cleanup_output_directories() +{ + remove_directory $PREFIX_ABS/$OLD_RELEASE +} + +undump_old() { + $samba_undump $old_release_dir $PREFIX_ABS/$OLD_RELEASE $samba_tdbrestore +} + +add_special_group() { + $PYTHON $BINDIR/samba-tool group add 'protected users' --special -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb +} + +# double-check we cleaned up from the last test run +cleanup_output_directories + +testit $OLD_RELEASE undump_old || failed=`expr $failed + 1` + +testit "add_special_group" add_special_group || failed=`expr $failed + 1` + +testit_expect_failure_grep "add_duplicate_special_group" "Failed to add group.*already exists" add_special_group || failed=`expr $failed + 1` + +cleanup_output_directories + +exit $failed diff --git a/testprogs/blackbox/test_trust_ntlm.sh b/testprogs/blackbox/test_trust_ntlm.sh new file mode 100755 index 0000000..101303e --- /dev/null +++ b/testprogs/blackbox/test_trust_ntlm.sh @@ -0,0 +1,205 @@ +#!/bin/sh +# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org> + +if [ $# -lt 12 ]; then +cat <<EOF +Usage: $# test_trust_ntlm.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TYPE UNTRUSTED TRUST_ERROR +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +shift 5 +TRUST_USERNAME=$1 +TRUST_PASSWORD=$2 +TRUST_REALM=$3 +TRUST_DOMAIN=$4 +shift 4 +TYPE=$1 +UNTRUSTED=$2 +TRUST_ERROR=$3 +shift 3 +failed=0 + +samba4bindir="$BINDIR" + +rpcclient="$samba4bindir/rpcclient" +smbclient="$samba4bindir/smbclient" +wbinfo="$samba4bindir/wbinfo" + +unc="//$SERVER/tmp" + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +DNAME="$DOMAIN" +NAME="$DNAME\\$USERNAME" +WBNAME="$DNAME/$USERNAME" +CREDS="$NAME%$PASSWORD" +WBCREDS="$WBNAME%$PASSWORD" +EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" +EXPSID="(User: 1)" +EXPDSID="(Domain: 3)" +test_rpcclient_grep "Test01 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` +test_smbclient "Test01 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` +testit "Test01 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +test_rpcclient_grep "Test01 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1` +testit "Test01 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1` +test_rpcclient_grep "Test01 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1` + +DNAME="$REALM" +NAME="$DNAME\\$USERNAME" +WBNAME="$DNAME/$USERNAME" +CREDS="$NAME%$PASSWORD" +WBCREDS="$WBNAME%$PASSWORD" +EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" +EXPSID="(User: 1)" +EXPDSID="(Domain: 3)" +test_rpcclient_grep "Test02 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` +test_smbclient "Test02 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` +testit "Test02 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +test_rpcclient_grep "Test02 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1` +testit "Test02 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1` +test_rpcclient_grep "Test02 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1` + +CREDS="$USERNAME@$DOMAIN%$PASSWORD" +WBCREDS="$USERNAME@$DOMAIN%$PASSWORD" +if [ x"$TYPE" = x"member" ]; then + EXPFAIL="NT_STATUS_LOGON_FAILURE" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_expect_failure_grep "Fail03 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1` + test_smbclient_expect_failure "Fail03 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1` + # winbindd doesn't handle user@domain yet + #testit_expect_failure "Fail03 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1` +else + EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_grep "Test03 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` + test_smbclient "Test03 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` + # winbindd doesn't handle user@domain yet + #testit "Test03 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +fi + +CREDS="$USERNAME@$REALM%$PASSWORD" +WBCREDS="$USERNAME@$REALM%$PASSWORD" +if [ x"$TYPE" = x"member" ]; then + EXPFAIL="NT_STATUS_LOGON_FAILURE" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_expect_failure_grep "Fail04 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1` + test_smbclient_expect_failure "Fail04 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1` + # winbindd doesn't handle user@domain yet + #testit_expect_failure "Fail04 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1` +else + EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_grep "Test04 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` + test_smbclient "Test04 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` + # winbindd doesn't handle user@domain yet + #testit "Test04 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +fi + +DNAME="UNKNOWNDOMAIN" +NAME="$DNAME\\$USERNAME" +WBNAME="$DNAME/$USERNAME" +CREDS="$NAME%$PASSWORD" +WBCREDS="$WBNAME%$PASSWORD" +EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" +EXPSID="NT_STATUS_NONE_MAPPED" +EXPDSID="NT_STATUS_NONE_MAPPED" +test_rpcclient_grep "Test05 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` +test_smbclient "Test05 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` +testit_expect_failure "Fail05 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +test_rpcclient_expect_failure_grep "Test05 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1` +testit_expect_failure "Test05 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1` +test_rpcclient_expect_failure_grep "Test05 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1` + +CREDS="$TRUST_DOMAIN\\$USERNAME%$PASSWORD" +WBCREDS="$TRUST_DOMAIN/$USERNAME%$PASSWORD" +EXPFAIL="$TRUST_ERROR" +test_rpcclient_expect_failure_grep "Fail06 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1` +test_smbclient_expect_failure "Fail06 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1` +testit_expect_failure "Fail06 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1` + +DNAME="$TRUST_DOMAIN" +NAME="$DNAME\\$TRUST_USERNAME" +WBNAME="$DNAME/$TRUST_USERNAME" +CREDS="$NAME%$TRUST_PASSWORD" +WBCREDS="$WBNAME%$TRUST_PASSWORD" +EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN" +EXPSID="(User: 1)" +EXPDSID="(Domain: 3)" +test_rpcclient_grep "Test07 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` +test_smbclient "Test07 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` +testit "Test07 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +test_rpcclient_grep "Test07 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1` +testit "Test07 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1` +test_rpcclient_grep "Test07 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1` + +DNAME="$TRUST_REALM" +NAME="$DNAME\\$TRUST_USERNAME" +WBNAME="$DNAME/$TRUST_USERNAME" +CREDS="$NAME%$TRUST_PASSWORD" +WBCREDS="$WBNAME%$TRUST_PASSWORD" +EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN" +EXPSID="(User: 1)" +EXPDSID="(Domain: 3)" +test_rpcclient_grep "Test08 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` +test_smbclient "Test08 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` +testit "Test08 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +test_rpcclient_grep "Test08 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1` +testit "Test08 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1` +test_rpcclient_grep "Test08 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1` + +CREDS="$TRUST_USERNAME@$TRUST_DOMAIN%$TRUST_PASSWORD" +WBCREDS="$TRUST_USERNAME@$TRUST_DOMAIN%$TRUST_PASSWORD" +if [ x"$TRUST_REALM" = x"$TRUST_DOMAIN" ]; then + # NT4 domain + EXPFAIL="NT_STATUS_LOGON_FAILURE" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_expect_failure_grep "Fail09 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1` + test_smbclient_expect_failure "Fail09 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1` + # winbindd doesn't handle user@domain yet + #testit_expect_failure "Fail09 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1` +else + EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_grep "Test09 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` + test_smbclient "Test09 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` + # winbindd doesn't handle user@domain yet + #testit "Test09 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +fi + +CREDS="$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD" +WBCREDS="$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD" +if [ x"$TRUST_REALM" = x"$TRUST_DOMAIN" ]; then + # NT4 domain + EXPFAIL="NT_STATUS_LOGON_FAILURE" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_expect_failure_grep "Fail10 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1` + test_smbclient_expect_failure "Fail10 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1` + # winbindd doesn't handle user@domain yet + #testit_expect_failure "Fail10 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1` +else + EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN" + # rpcclient doesn't handle -Uuser@domain yet, maybe smbclient for now? + #test_rpcclient_grep "Test10 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` + test_smbclient "Test10 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1` + # winbindd doesn't handle user@domain yet + #testit "Test10 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +fi + +lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]') + +#if test x$TYPE = x"forest"; then +# +#fi +# +#if test x$UNTRUSTED = x"yes"; then +# +#fi + +exit $failed diff --git a/testprogs/blackbox/test_trust_token.sh b/testprogs/blackbox/test_trust_token.sh new file mode 100755 index 0000000..21de224 --- /dev/null +++ b/testprogs/blackbox/test_trust_token.sh @@ -0,0 +1,93 @@ +#!/bin/bash +# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org> + +if [ $# -lt 12 ]; then +cat <<EOF +Usage: $# test_trust_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TRUST_DOMSID TYPE +EOF +exit 1; +fi + +SERVER=$1 +shift 1 +USERNAME=$1 +PASSWORD=$2 +REALM=$3 +DOMAIN=$4 +DOMSID=$5 +shift 5 +TRUST_USERNAME=$1 +TRUST_PASSWORD=$2 +TRUST_REALM=$3 +TRUST_DOMAIN=$4 +TRUST_DOMSID=$5 +shift 5 +TYPE=$1 +shift 1 +failed=0 + +samba4bindir="$BINDIR" + +ldbsearch="$samba4bindir/ldbsearch" + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +test_token() +{ + auth_args="${1}" + auth_sid="${2-}" + + out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' --scope=base -k ${auth_args} tokenGroups 2>&1) + ret=$? + test x"$ret" = x"0" || { + echo "$out" + return 1 + } + + trust_sids=$(echo "$out" | grep '^tokenGroups' | grep "${TRUST_DOMSID}-" | wc -l) + test "$trust_sids" -ge "2" || { + echo "$out" + echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID" + return 1 + } + + domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l) + test "$domain_sids" -ge "1" || { + echo "$out" + echo "Less than 1 sid from $DOMAIN $DOMSID" + return 1 + } + + builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l) + test "$builtin_sids" -ge "1" || { + echo "$out" + echo "Less than 1 sid from BUILTIN S-1-5-32" + return 1 + } + + # + # The following should always be present + # + # SID_WORLD(S-1-1-0) + # SID_NT_NETWORK(S-1-5-2) + # SID_NT_AUTHENTICATED_USERS(S-1-5-11) + # + required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}" + for sid in $required_sids; do + found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l) + test x"$found" = x"1" || { + echo "$out" + echo "SID: ${sid} not found" + return 1 + } + done + + return 0 +} + +testit "Test token with kerberos" test_token "yes" "" || failed=`expr $failed + 1` +# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP +testit "Test token with NTLMSSP" test_token "no" "S-1-5-64-10" || failed=`expr $failed + 1` + +exit $failed diff --git a/testprogs/blackbox/test_trust_user_account.sh b/testprogs/blackbox/test_trust_user_account.sh new file mode 100755 index 0000000..63024a9 --- /dev/null +++ b/testprogs/blackbox/test_trust_user_account.sh @@ -0,0 +1,59 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat <<EOF +Usage: test_trust_user_account.sh PREFIX OUR_REALM OUR_FLAT REMOTE_REALM REMOTE_FLAT +EOF +exit 1; +fi + +PREFIX="$1" +OUR_REALM="$2" +OUR_FLAT="$3" +REMOTE_REALM="$4" +REMOTE_FLAT="$5" +shift 5 + +. `dirname $0`/subunit.sh + + +samba_tool="$BINDIR/samba-tool" +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" +samba4kinit_binary="kinit -k" +if test -x $BINDIR/samba4kinit; then + samba4kinit_binary="$BINDIR/samba4kinit --use-keytab" +fi + +KEYTAB="$PREFIX/tmptda.keytab" + +KRB5_TRACE=/dev/stderr +export KRB5_TRACE + +testit "retrieve keytab for TDA of $REMOTE_REALM" $PYTHON $samba_tool domain exportkeytab $KEYTAB $CONFIGURATION --principal "$REMOTE_FLAT\$@$OUR_REALM" || failed=`expr $failed + 1` + +KRB5CCNAME="$PREFIX/tmptda.ccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME + +rm -f $KRB5CCNAME + +EXPECTED_SALT="${OUR_REALM}krbtgt${REMOTE_FLAT}" +# +# Note the \$ is for the end of line in grep +# +# There must be no trailing '$' in the SALT string itself, +# it's removed from the sAMAccountName value (which includes the trailing '$') +# before construting the salt! +# +# Otherwise this would be: +# "^virtualKerberosSalt: ${EXPECTED_SALT}\\\$\$" +# +EXPECTED_GREP="^virtualKerberosSalt: ${EXPECTED_SALT}\$" +testit_grep "get virtualKerberosSalt for TDA of $REMOTE_FLAT\$" "$EXPECTED_GREP" $PYTHON $samba_tool user getpassword "$REMOTE_FLAT\$" $CONFIGURATION --attributes=virtualKerberosSalt || failed=`expr $failed + 1` + +testit "kinit with keytab for TDA of $REMOTE_REALM" $samba4kinit -t $KEYTAB "$REMOTE_FLAT\$@$OUR_REALM" || failed=`expr $failed + 1` + +rm -f $KRB5CCNAME $KEYTAB + +exit $failed diff --git a/testprogs/blackbox/test_trust_utils.sh b/testprogs/blackbox/test_trust_utils.sh new file mode 100755 index 0000000..7da1e05 --- /dev/null +++ b/testprogs/blackbox/test_trust_utils.sh @@ -0,0 +1,144 @@ +#!/bin/sh +# Copyright (C) 2015 Stefan Metzmacher <metze@samba.org> + +if [ $# -lt 12 ]; then +cat <<EOF +Usage: $# test_trust_utils.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +shift 5 +TRUST_SERVER=$1 +TRUST_USERNAME=$2 +TRUST_PASSWORD=$3 +TRUST_REALM=$4 +TRUST_DOMAIN=$5 +shift 5 +PREFIX=$1 +TYPE=$2 +shift 2 +failed=0 + +samba4bindir="$BINDIR" + +samba_tool="$samba4bindir/samba-tool" + +. `dirname $0`/subunit.sh + +CREDS="${DOMAIN}\\${USERNAME}%${PASSWORD}" +TRUST_CREDS_DOMAIN="${TRUST_DOMAIN}\\${TRUST_USERNAME}%${TRUST_PASSWORD}" +TRUST_SERVER_CREDS_DOMAIN_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS_DOMAIN}" + +TRUST_CREDS_REALM="${TRUST_REALM}\\${TRUST_USERNAME}%${TRUST_PASSWORD}" +TRUST_SERVER_CREDS_REALM_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS_REALM}" + +list="$VALGRIND $PYTHON $samba_tool domain trust list" +testit "list domains default" $list || failed=`expr $failed + 1` + +# Show that the domain name and realm work +testit "list domains reverse (DOMAIN)" $list ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` +testit "list domains reverse (REALM)" $list ${TRUST_SERVER_CREDS_REALM_ARGS} || failed=`expr $failed + 1` + +show="$VALGRIND $PYTHON $samba_tool domain trust show" +testit "show domains default realm" $show ${TRUST_REALM} || failed=`expr $failed + 1` +testit "show domains reverse realm" $show ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` +testit "show domains default netbios" $show ${TRUST_DOMAIN} || failed=`expr $failed + 1` +testit "show domains reverse netbios" $show ${DOMAIN} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` + +validate="$VALGRIND $PYTHON $samba_tool domain trust validate" +testit "validate trust default both" $validate ${TRUST_REALM} -U${TRUST_CREDS_DOMAIN}|| failed=`expr $failed + 1` +testit "validate trust default local" $validate ${TRUST_REALM} --validate-location=local || failed=`expr $failed + 1` +testit "validate trust reverse both" $validate ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} -U${CREDS} || failed=`expr $failed + 1` +testit "validate trust reverse local" $validate ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --validate-location=local || failed=`expr $failed + 1` + +namespaces="$VALGRIND $PYTHON $samba_tool domain trust namespaces" +testit "namespaces own default" $namespaces || failed=`expr $failed + 1` +testit "namespaces own reverse" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` + +DOMSID=`$namespaces | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!'` +#testit_expect_failure "namespaces domsid default" echo ${DOMSID} || failed=`expr $failed + 1` + +TRUST_DOMSID=`$namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!'` +#testit_expect_failure "namespaces domsid reverse" echo ${TRUST_DOMSID} || failed=`expr $failed + 1` + +if test x$TYPE = x"forest"; then + testit "namespaces trust default realm 1" $namespaces ${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse realm 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` + + testit "namespaces trust default domain 1" $namespaces ${TRUST_DOMAIN} || failed=`expr $failed + 1` + testit "namespaces trust reverse domain 1" $namespaces ${DOMAIN} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` + + testit "namespaces own default add-upn-suffix 1" $namespaces --add-upn-suffix=default.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces own reverse add-upn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-upn-suffix=reverse.test_trust_utils.example.com || failed=`expr $failed + 1` + + testit "namespaces own default add-upn-suffix 2" $namespaces --add-upn-suffix=${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces own reverse add-upn-suffix 2" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-upn-suffix=${REALM} || failed=`expr $failed + 1` + + testit "namespaces own default add-spn-suffix 1" $namespaces --add-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces own reverse add-spn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1` + + testit "namespaces trust default check 1" $namespaces ${TRUST_REALM} --refresh=check || failed=`expr $failed + 1` + testit "namespaces trust reverse check 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=check || failed=`expr $failed + 1` + + testit "namespaces trust default store 1" $namespaces ${TRUST_REALM} --refresh=store || failed=`expr $failed + 1` + testit "namespaces trust reverse store 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=store || failed=`expr $failed + 1` + + testit "namespaces trust default enable-tln 1" $namespaces ${TRUST_REALM} --enable-tln=reverse.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces trust reverse enable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=default.test_trust_utils.example.com || failed=`expr $failed + 1` + + testit "namespaces trust default enable-tln 2" $namespaces ${TRUST_REALM} --enable-tln=spn.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces trust reverse enable-tln 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=spn.test_trust_utils.example.com || failed=`expr $failed + 1` + + testit "namespaces trust default enable-tln 3" $namespaces ${TRUST_REALM} --enable-tln=${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse enable-tln 3" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=${REALM} || failed=`expr $failed + 1` + + testit "namespaces trust default disable-nb 1" $namespaces ${TRUST_REALM} --disable-nb=${TRUST_DOMAIN} || failed=`expr $failed + 1` + testit "namespaces trust reverse disable-nb 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-nb=${DOMAIN} || failed=`expr $failed + 1` + + testit "namespaces trust default disable-sid 1" $namespaces ${TRUST_REALM} --disable-sid=${TRUST_DOMSID} || failed=`expr $failed + 1` + testit "namespaces trust reverse disable-sid 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-sid=${DOMSID} || failed=`expr $failed + 1` + + testit "namespaces trust default disable-tln 1" $namespaces ${TRUST_REALM} --disable-tln=reverse.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces trust reverse disable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-tln=default.test_trust_utils.example.com || failed=`expr $failed + 1` + + testit "namespaces trust default add-tln-ex 1" $namespaces ${TRUST_REALM} --add-tln-ex=exclude.${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse add-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-tln-ex=exclude.${REALM} || failed=`expr $failed + 1` + + testit "namespaces trust default add-tln-ex 2" $namespaces ${TRUST_REALM} --add-tln-ex=sub.exclude.${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse add-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-tln-ex=sub.exclude.${REALM} || failed=`expr $failed + 1` + + testit "namespaces trust default realm 2" $namespaces ${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse realm 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` + + testit "namespaces trust default delete-tln-ex 1" $namespaces ${TRUST_REALM} --delete-tln-ex=exclude.${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse delete-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-tln-ex=exclude.${REALM} || failed=`expr $failed + 1` + + testit "namespaces trust default delete-tln-ex 2" $namespaces ${TRUST_REALM} --delete-tln-ex=sub.exclude.${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse delete-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-tln-ex=sub.exclude.${REALM} || failed=`expr $failed + 1` + + testit "namespaces own default delete-upn-suffix 1" $namespaces --delete-upn-suffix=default.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces own reverse delete-upn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-upn-suffix=reverse.test_trust_utils.example.com || failed=`expr $failed + 1` + + testit "namespaces own default delete-upn-suffix 2" $namespaces --delete-upn-suffix=${TRUST_REALM} || failed=`expr $failed + 1` + testit "namespaces own reverse delete-upn-suffix 2" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-upn-suffix=${REALM} || failed=`expr $failed + 1` + + testit "namespaces own default delete-spn-suffix 1" $namespaces --delete-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces own reverse delete-spn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1` + + testit "namespaces trust default enable-nb 1" $namespaces ${TRUST_REALM} --enable-nb=${TRUST_DOMAIN} || failed=`expr $failed + 1` + testit "namespaces trust reverse enable-nb 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-nb=${DOMAIN} || failed=`expr $failed + 1` + + testit "namespaces trust default enable-sid 1" $namespaces ${TRUST_REALM} --enable-sid=${TRUST_DOMSID} || failed=`expr $failed + 1` + testit "namespaces trust reverse enable-sid 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-sid=${DOMSID} || failed=`expr $failed + 1` + + testit "namespaces trust default reset final" $namespaces ${TRUST_REALM} --refresh=store --enable-all || failed=`expr $failed + 1` + testit "namespaces trust reverse reset final" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=store --enable-all || failed=`expr $failed + 1` +fi + +exit $failed diff --git a/testprogs/blackbox/test_weak_crypto.sh b/testprogs/blackbox/test_weak_crypto.sh new file mode 100755 index 0000000..e2cdfa7 --- /dev/null +++ b/testprogs/blackbox/test_weak_crypto.sh @@ -0,0 +1,51 @@ +#!/bin/sh + +# +# Blackbox tests for weak crytpo +# Copyright (c) 2020 Andreas Schneider <asn@samba.org> +# + +if [ $# -lt 6 ]; then +cat <<EOF +Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +shift 6 + +failed=0 +. `dirname $0`/subunit.sh + +samba_bindir="$BINDIR" +samba_testparm="$BINDIR/testparm" +samba_rpcclient="$samba_bindir/rpcclient" + +opt="--option=gensec:gse_krb5=no -U${USERNAME}%${PASSWORD}" + +unset GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is allowed +testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` + +# We should be allowed to use NTLM for connecting +testit "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=`expr $failed + 1` + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` + +# We should not be allowed to use NTLM for connecting +testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=`expr $failed + 1` + +unset GNUTLS_FORCE_FIPS_MODE + +exit $failed diff --git a/testprogs/blackbox/test_weak_crypto_server.sh b/testprogs/blackbox/test_weak_crypto_server.sh new file mode 100755 index 0000000..fcd266d --- /dev/null +++ b/testprogs/blackbox/test_weak_crypto_server.sh @@ -0,0 +1,64 @@ +#!/bin/sh + +# +# Blackbox tests for weak crytpo +# Copyright (c) 2020 Andreas Schneider <asn@samba.org> +# + +if [ $# -lt 7 ]; then +cat <<EOF +Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +CONFIGURATION=$7 +shift 7 + +failed=0 +. `dirname $0`/subunit.sh + +samba_bindir="$BINDIR" +samba_testparm="$BINDIR/testparm" +samba_rpcclient="$samba_bindir/rpcclient" + +# remove the --configfile= +configuration="${CONFIGURATION##*=}" + +test_weak_crypto_allowed() +{ + local testparm_stderr_output_path="$PREFIX/testparm_stderr_output" + + $samba_testparm --suppress-prompt $configuration 2>$testparm_stderr_output_path >/dev/null + + grep "Weak crypto is allowed" $testparm_stderr_output_path >/dev/null 2>&1 + if [ $ret -ne 0 ]; then + echo "Invalid crypto state:" + cat $testparm_stderr_output_path + rm -f $testparm_stderr_output_path + return 1 + fi + + rm -f $testparm_stderr_output_path + + return 0 +} + +unset GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit "testparm-weak-crypto" test_weak_crypto_allowed || failed=`expr $failed + 1` + +# We should not be allowed to use NTLM for connecting +testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER_IP[ntlm] -U$USERNAME%$PASSWORD -c "getusername" && failed=`expr $failed + 1` + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +exit $failed diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh new file mode 100755 index 0000000..2822ab2 --- /dev/null +++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# Blackbox tests for diabing NTLMSSP for ldap clinet connections +# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com> + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: $0 USERNAME PASSWORD +EOF +exit 1; +fi + +USERNAME=$1 +PASSWORD=$2 +shift 2 + +failed=0 +. `dirname $0`/subunit.sh + +samba_testparm="$BINDIR/testparm" +samba_net="$BINDIR/net" + +unset GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is allowed +testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` + +# We should be allowed to use NTLM for connecting +testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` + +# We should not be allowed to use NTLM for connecting +testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` + +unset GNUTLS_FORCE_FIPS_MODE + +exit $failed diff --git a/testprogs/blackbox/test_wintest.sh b/testprogs/blackbox/test_wintest.sh new file mode 100755 index 0000000..5019900 --- /dev/null +++ b/testprogs/blackbox/test_wintest.sh @@ -0,0 +1,44 @@ +#!/bin/sh +# Blackbox tests for testing against windows machines +# Copyright (C) 2008 Jim McDonough + + +testwithconf() { +# define test variables, startup/shutdown scripts +. $1 +shift 1 + +if [ -n "$WINTEST_STARTUP" ]; then +. $WINTEST_STARTUP; +fi + +testit "smbtorture" $smbtorture //$SERVER/$SHARE RAW-OPEN -W "$DOMAIN" -U"$USERNAME%$PASSWORD" $@ || failed=`expr $failed + 1` + +if [ -n "$WINTEST_SHUTDOWN" ]; then +. $WINTEST_SHUTDOWN; +fi +} + + +# main +# skip without WINTEST_CONF_DIR +if [ -z "$WINTEST_CONF_DIR" ]; then +exit 0; +fi + +unset SOCKET_WRAPPER_DIR + +failed=0 + +$basedir=`pwd` + +samba4bindir=`dirname $0`/../../source4/bin +smbtorture=$samba4bindir/smbtorture + +. `dirname $0`/subunit.sh + +for wintest_conf in $WINTEST_CONF_DIR/*.conf; do +testwithconf "$wintest_conf" $@; +done + +exit $failed diff --git a/testprogs/blackbox/tfork.sh b/testprogs/blackbox/tfork.sh new file mode 100755 index 0000000..0f75a8c --- /dev/null +++ b/testprogs/blackbox/tfork.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +sleep 1 + +echo stdout >&1 +echo $1 >&1 +echo stderror >&2 + +# close stdout and stderror, but don't exit yet +exec 1>&- +exec 2>&- + +sleep 1 + +exit 0 diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh new file mode 100755 index 0000000..e2b064d --- /dev/null +++ b/testprogs/blackbox/tombstones-expunge.sh @@ -0,0 +1,245 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat <<EOF +Usage: tombstones-expunge.sh PREFIX RELEASE +EOF +exit 1; +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +failed=0 + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +release_dir="$SRCDIR_ABS/source4/selftest/provisions/$RELEASE" + +ldbadd="ldbadd" +if [ -x "$BINDIR/ldbadd" ]; then + ldbadd="$BINDIR/ldbadd" +fi + +ldbmodify="ldbmodify" +if [ -x "$BINDIR/ldbmodify" ]; then + ldbmodify="$BINDIR/ldbmodify" +fi + +ldbdel="ldbdel" +if [ -x "$BINDIR/ldbdel" ]; then + ldbdel="$BINDIR/ldbdel" +fi + +ldbsearch="ldbsearch" +if [ -x "$BINDIR/ldbsearch" ]; then + ldbsearch="$BINDIR/ldbsearch" +fi + +samba_tdbrestore="tdbrestore" +if [ -x "$BINDIR/tdbrestore" ]; then + samba_tdbrestore="$BINDIR/tdbrestore" +fi + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "tombstones_expunge" + subunit_skip_test "tombstones_expunge" <<EOF +no test provision +EOF + + exit 0 +fi + +undump() { + $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore +} + +tombstones_expunge() { + tmpfile=$PREFIX_ABS/$RELEASE/expected-expunge-output.txt.tmp + tmpldif1=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp1 + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN > $tmpldif1 + + $PYTHON $BINDIR/samba-tool domain tombstones expunge -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --current-time=2016-07-30 --tombstone-lifetime=4 > $tmpfile + if [ "$?" != "0" ]; then + return 1 + fi + diff -u $tmpfile $release_dir/expected-expunge-output.txt + if [ "$?" != "0" ]; then + return 1 + fi + + tmpldif2=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN > $tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_dangling_link() { + ldif=$release_dir/add-dangling-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_two_more_users() { + ldif=$release_dir/add-two-more-users.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_four_more_links() { + ldif=$release_dir/add-four-more-links.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_unsorted_links() { + ldif=$release_dir/add-unsorted-links-step1.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif --relax + if [ "$?" != "0" ]; then + return 1 + fi + ldif=$release_dir/add-unsorted-links-step2.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_link() { + ldif=$release_dir/remove-one-more-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_user() { + ldif=$release_dir/remove-one-more-user.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_match_rule_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-match-rule-links.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted no_attrs > $tmpldif + diff -u $tmpldif $release_dir/expected-match-rule-links.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_match_rule_links_negative() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=-131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_overflow() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744073709551617)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_null() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744\073709551617)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_hex() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=abcd)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_hex2() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=0xabcd)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_decimal() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000.00)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_backlink() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(memberOf:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted memberOf +} + +check_match_rule_links_notlink() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samAccountName:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName +} + +check_expected_after_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member > $tmpldif + diff -u $tmpldif $release_dir/expected-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_deleted_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member > $tmpldif + diff -u $tmpldif $release_dir/expected-deleted-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_objects() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user2))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName > $tmpldif + diff -u $tmpldif $release_dir/expected-objects-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_unsorted_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-unsorted-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(name=unsorted-g)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member > $tmpldif + diff -u $tmpldif $release_dir/expected-unsorted-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_directory $PREFIX_ABS/${RELEASE} + +testit $RELEASE undump || failed=`expr $failed + 1` +testit "add_two_more_users" add_two_more_users || failed=`expr $failed + 1` +testit "add_four_more_links" add_four_more_links || failed=`expr $failed + 1` +testit "add_dangling_link" add_dangling_link || failed=`expr $failed + 1` +testit "remove_one_link" remove_one_link || failed=`expr $failed + 1` +testit "remove_one_user" remove_one_user || failed=`expr $failed + 1` +testit "check_match_rule_links" check_match_rule_links || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_negative" check_match_rule_links_negative || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_overflow" check_match_rule_links_overflow || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_null" check_match_rule_links_null || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_hex" check_match_rule_links_hex || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_hex2" check_match_rule_links_hex2 || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_decimal" check_match_rule_links_decimal || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_backlink" check_match_rule_links_backlink || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_notlink" check_match_rule_links_notlink || failed=`expr $failed + 1` +testit "add_unsorted_links" add_unsorted_links || failed=`expr $failed + 1` +testit "tombstones_expunge" tombstones_expunge || failed=`expr $failed + 1` +testit "check_expected_after_deleted_links" check_expected_after_deleted_links || failed=`expr $failed + 1` +testit "check_expected_after_links" check_expected_after_links || failed=`expr $failed + 1` +testit "check_expected_after_objects" check_expected_after_objects || failed=`expr $failed + 1` +testit "check_expected_unsorted_links" check_expected_unsorted_links || failed=`expr $failed + 1` + +remove_directory $PREFIX_ABS/${RELEASE} + +exit $failed diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh new file mode 100755 index 0000000..c625179 --- /dev/null +++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh @@ -0,0 +1,225 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat <<EOF +Usage: dbcheck.sh PREFIX RELEASE +EOF +exit 1; +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +failed=0 + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +release_dir="$SRCDIR_ABS/source4/selftest/provisions/${RELEASE}" + +LDBDEL_BIN=ldbdel +if [ -x "$BINDIR/ldbdel" ]; then + LDBDEL_BIN=$BINDIR/ldbdel +fi + +samba_tdbrestore="tdbrestore" +if [ -x "$BINDIR/tdbrestore" ]; then + samba_tdbrestore="$BINDIR/tdbrestore" +fi + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test "${RELEASE}" + subunit_skip_test "${RELEASE}" <<EOF +no test provision +EOF + + subunit_start_test "remove_dns_user" + subunit_skip_test "remove_dns_user" <<EOF +no test provision +EOF + + subunit_start_test "upgradeprovision" + subunit_skip_test "upgradeprovision" <<EOF +no test provision +EOF + subunit_start_test "upgradeprovision_full" + subunit_skip_test "upgradeprovision_full" <<EOF +no test provision +EOF + subunit_start_test "reindex" + subunit_skip_test "reindex" <<EOF +no test provision +EOF + subunit_start_test "dbcheck" + subunit_skip_test "dbcheck" <<EOF +no test provision +EOF + subunit_start_test "dbcheck_clean" + subunit_skip_test "dbcheck_clean" <<EOF +no test provision +EOF + # So far, only releases before 4.0.0rc6 need a dbcheck if upgradeprovision has already been run + if [ x$RELEASE != x"release-4-0-0" ]; then + subunit_start_test "dbcheck_full" + subunit_skip_test "dbcheck_full" <<EOF +no test provision +EOF + fi + subunit_start_test "dbcheck_full_clean" + subunit_skip_test "dbcheck_full_clean" <<EOF +no test provision +EOF + subunit_start_test "dbcheck_full_clean_well_known_acls" + subunit_skip_test "dbcheck_full_clean_well_known_acls" <<EOF +no test provision +EOF + subunit_start_test "samba_dnsupgrade" + subunit_skip_test "samba_dnsupgrade" <<EOF +no test provision +EOF + subunit_start_test "referenceprovision" + subunit_skip_test "referenceprovision" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp" + subunit_skip_test "ldapcmp" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp_full" + subunit_skip_test "ldapcmp_full" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp_sd" + subunit_skip_test "ldapcmp_sd" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp_full_sd" + subunit_skip_test "ldapcmp_full_sd" <<EOF +no test provision +EOF + + exit 0 +fi + +undump() { + $samba_undump $release_dir $PREFIX_ABS/${RELEASE}_upgrade $samba_tdbrestore + $samba_undump $release_dir $PREFIX_ABS/${RELEASE}_upgrade_full $samba_tdbrestore + + cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade/private/ + cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade/ + mkdir $PREFIX_ABS/${RELEASE}_upgrade/etc/ + sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade|g" $release_dir/etc/smb.conf.template \ + > $PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf + + cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade_full/private/ + cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade_full/ + mkdir $PREFIX_ABS/${RELEASE}_upgrade_full/etc/ + sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade_full|g" $release_dir/etc/smb.conf.template \ + > $PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf +} + +remove_dns_user() { + if [ x$RELEASE != x"release-4-0-0" ]; then + # This is done, because otherwise the upgrdeprovision will not run without --full + ${LDBDEL_BIN} -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb cn=dns,cn=users,dc=${RELEASE},dc=samba,dc=corp + fi +} + +reindex() { + $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@ +} + +# This should 'fail', because it returns the number of modified records +dbcheck() { + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@ +} + +dbcheck_clean() { + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@ +} + +# This should 'fail', because it returns the number of modified records +dbcheck_full() { + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@ +} + +dbcheck_full_clean() { + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@ +} + +# This checks that after the upgrade, the well known ACLs are correct, so this reset should not want to do anything +dbcheck_full_clean_well_known_acls() { + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@ +} + +upgradeprovision() { + # bring the really old Samba schema in line with a more recent 2008R2 schema + $PYTHON $BINDIR/samba_upgradeprovision --configfile="$PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf" --debugchange + + # on top of this, also apply 2008R2 changes we accidentally missed in the past + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf + + # add missing domain prep for 2008R2 + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --domain --function-level 2008_R2 +} + +upgradeprovision_full() { + # add missing domain prep for 2008R2 + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --domain --function-level 2008_R2 + + $PYTHON $BINDIR/samba_upgradeprovision --configfile="$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf" --full --debugchange +} + +samba_upgradedns() { + $PYTHON $BINDIR/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile="$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf" +} + +referenceprovision() { + $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old +} + +ldapcmp() { + if [ x$RELEASE != x"alpha13" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes,servicePrincipalName + fi +} + +ldapcmp_full() { + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --filter=dNSProperty,dnsRecord,cn,displayName,versionNumber,systemFlags,msDS-HasInstantiatedNCs,servicePrincipalName --skip-missing-dn +} + +ldapcmp_sd() { + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --sd --skip-missing-dn +} + +ldapcmp_full_sd() { + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --sd --skip-missing-dn +} + +remove_directory $PREFIX_ABS/${RELEASE}_upgrade +remove_directory $PREFIX_ABS/${RELEASE}_upgrade_full +remove_directory $PREFIX_ABS/${RELEASE}_upgrade_reference + +testit $RELEASE undump || failed=`expr $failed + 1` +testit "remove_dns_user" remove_dns_user || failed=`expr $failed + 1` +testit "upgradeprovision" upgradeprovision || failed=`expr $failed + 1` +testit "upgradeprovision_full" upgradeprovision_full || failed=`expr $failed + 1` +testit "reindex" reindex || failed=`expr $failed + 1` +testit_expect_failure "dbcheck" dbcheck || failed=`expr $failed + 1` +testit_expect_failure "dbcheck_full" dbcheck_full || failed=`expr $failed + 1` +testit "dbcheck_clean" dbcheck_clean || failed=`expr $failed + 1` +testit "dbcheck_full_clean" dbcheck_full_clean || failed=`expr $failed + 1` +testit "dbcheck_full_clean_well_known_acls" dbcheck_full_clean_well_known_acls || failed=`expr $failed + 1` +testit "referenceprovision" referenceprovision || failed=`expr $failed + 1` +testit "samba_upgradedns" samba_upgradedns || failed=`expr $failed + 1` +testit "ldapcmp" ldapcmp || failed=`expr $failed + 1` +testit "ldapcmp_sd" ldapcmp_sd || failed=`expr $failed + 1` +testit "ldapcmp_full_sd" ldapcmp_full_sd || failed=`expr $failed + 1` + +remove_directory $PREFIX_ABS/${RELEASE}_upgrade +remove_directory $PREFIX_ABS/${RELEASE}_upgrade_full +remove_directory $PREFIX_ABS/${RELEASE}_upgrade_reference + +exit $failed diff --git a/testprogs/blackbox/wintest/wintest.conf b/testprogs/blackbox/wintest/wintest.conf new file mode 100644 index 0000000..d140366 --- /dev/null +++ b/testprogs/blackbox/wintest/wintest.conf @@ -0,0 +1,7 @@ +#export WINTEST_STARTUP="/tmp/startup client" +#export WINTEST_SHUTDOWN=/tmp/shutdown client" +export DOMAIN="client" +export USERNAME="administrator" +export PASSWORD="samba" +export SERVER="192.168.213.161" +export SHARE="c\$"
\ No newline at end of file |