From 4f5791ebd03eaec1c7da0865a383175b05102712 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 5 May 2024 19:47:29 +0200 Subject: Adding upstream version 2:4.17.12+dfsg. 
Signed-off-by: Daniel Baumann --- testprogs/blackbox/bogus.sh | 28 + testprogs/blackbox/common-links.sh | 234 +++++ testprogs/blackbox/common_test_fns.inc | 126 +++ testprogs/blackbox/dbcheck-links.sh | 991 +++++++++++++++++++++ testprogs/blackbox/dbcheck-oldrelease.sh | 564 ++++++++++++ testprogs/blackbox/dbcheck.sh | 71 ++ testprogs/blackbox/demote-saveddb.sh | 80 ++ testprogs/blackbox/dfree.sh | 8 + testprogs/blackbox/dom_parse.sh | 27 + testprogs/blackbox/functionalprep.sh | 134 +++ testprogs/blackbox/join_ldapcmp.sh | 51 ++ testprogs/blackbox/ldapcmp_restoredc.sh | 70 ++ testprogs/blackbox/nsstest.sh | 22 + testprogs/blackbox/renamedc.sh | 106 +++ testprogs/blackbox/runtime-links.sh | 82 ++ testprogs/blackbox/schemaupgrade.sh | 131 +++ testprogs/blackbox/subunit.sh | 209 +++++ testprogs/blackbox/test_chgdcpass.sh | 115 +++ testprogs/blackbox/test_client_etypes.sh | 82 ++ testprogs/blackbox/test_client_kerberos.sh | 293 ++++++ testprogs/blackbox/test_export_keytab_heimdal.sh | 115 +++ testprogs/blackbox/test_export_keytab_mit.sh | 137 +++ testprogs/blackbox/test_kinit_heimdal.sh | 260 ++++++ testprogs/blackbox/test_kinit_mit.sh | 332 +++++++ testprogs/blackbox/test_kinit_trusts_heimdal.sh | 103 +++ testprogs/blackbox/test_kinit_trusts_mit.sh | 140 +++ testprogs/blackbox/test_kpasswd_heimdal.sh | 250 ++++++ testprogs/blackbox/test_kpasswd_mit.sh | 229 +++++ testprogs/blackbox/test_ktpass.sh | 41 + testprogs/blackbox/test_ldb.sh | 231 +++++ testprogs/blackbox/test_ldb_simple.sh | 41 + testprogs/blackbox/test_net_ads.sh | 325 +++++++ testprogs/blackbox/test_net_ads_dns.sh | 94 ++ testprogs/blackbox/test_net_ads_fips.sh | 43 + testprogs/blackbox/test_net_ads_search_server.sh | 37 + testprogs/blackbox/test_net_offline.sh | 69 ++ testprogs/blackbox/test_net_rpc_user.sh | 56 ++ testprogs/blackbox/test_offline_logon.sh | 43 + testprogs/blackbox/test_old_enctypes.sh | 68 ++ testprogs/blackbox/test_password_settings.sh | 254 ++++++ testprogs/blackbox/test_pdbtest.sh | 
119 +++ testprogs/blackbox/test_pkinit_pac.sh | 63 ++ testprogs/blackbox/test_pkinit_simple.sh | 333 +++++++ testprogs/blackbox/test_primary_group.sh | 90 ++ testprogs/blackbox/test_rpcclient_schannel.sh | 94 ++ testprogs/blackbox/test_s4u_heimdal.sh | 94 ++ testprogs/blackbox/test_samba-tool_ntacl.sh | 132 +++ testprogs/blackbox/test_samba_upgradedns.sh | 38 + testprogs/blackbox/test_smbtorture_test_names.sh | 43 + testprogs/blackbox/test_special_group.sh | 52 ++ testprogs/blackbox/test_trust_ntlm.sh | 205 +++++ testprogs/blackbox/test_trust_token.sh | 93 ++ testprogs/blackbox/test_trust_user_account.sh | 59 ++ testprogs/blackbox/test_trust_utils.sh | 144 +++ testprogs/blackbox/test_weak_crypto.sh | 51 ++ testprogs/blackbox/test_weak_crypto_server.sh | 64 ++ .../blackbox/test_weak_disable_ntlmssp_ldap.sh | 41 + testprogs/blackbox/test_wintest.sh | 44 + testprogs/blackbox/tfork.sh | 15 + testprogs/blackbox/tombstones-expunge.sh | 245 +++++ testprogs/blackbox/upgradeprovision-oldrelease.sh | 225 +++++ testprogs/blackbox/wintest/wintest.conf | 7 + 62 files changed, 8543 insertions(+) create mode 100755 testprogs/blackbox/bogus.sh create mode 100644 testprogs/blackbox/common-links.sh create mode 100755 testprogs/blackbox/common_test_fns.inc create mode 100755 testprogs/blackbox/dbcheck-links.sh create mode 100755 testprogs/blackbox/dbcheck-oldrelease.sh create mode 100755 testprogs/blackbox/dbcheck.sh create mode 100755 testprogs/blackbox/demote-saveddb.sh create mode 100755 testprogs/blackbox/dfree.sh create mode 100755 testprogs/blackbox/dom_parse.sh create mode 100755 testprogs/blackbox/functionalprep.sh create mode 100755 testprogs/blackbox/join_ldapcmp.sh create mode 100755 testprogs/blackbox/ldapcmp_restoredc.sh create mode 100755 testprogs/blackbox/nsstest.sh create mode 100755 testprogs/blackbox/renamedc.sh create mode 100755 testprogs/blackbox/runtime-links.sh create mode 100755 testprogs/blackbox/schemaupgrade.sh create mode 100755 
testprogs/blackbox/subunit.sh create mode 100755 testprogs/blackbox/test_chgdcpass.sh create mode 100755 testprogs/blackbox/test_client_etypes.sh create mode 100755 testprogs/blackbox/test_client_kerberos.sh create mode 100755 testprogs/blackbox/test_export_keytab_heimdal.sh create mode 100755 testprogs/blackbox/test_export_keytab_mit.sh create mode 100755 testprogs/blackbox/test_kinit_heimdal.sh create mode 100755 testprogs/blackbox/test_kinit_mit.sh create mode 100755 testprogs/blackbox/test_kinit_trusts_heimdal.sh create mode 100755 testprogs/blackbox/test_kinit_trusts_mit.sh create mode 100755 testprogs/blackbox/test_kpasswd_heimdal.sh create mode 100755 testprogs/blackbox/test_kpasswd_mit.sh create mode 100755 testprogs/blackbox/test_ktpass.sh create mode 100755 testprogs/blackbox/test_ldb.sh create mode 100755 testprogs/blackbox/test_ldb_simple.sh create mode 100755 testprogs/blackbox/test_net_ads.sh create mode 100755 testprogs/blackbox/test_net_ads_dns.sh create mode 100755 testprogs/blackbox/test_net_ads_fips.sh create mode 100755 testprogs/blackbox/test_net_ads_search_server.sh create mode 100755 testprogs/blackbox/test_net_offline.sh create mode 100755 testprogs/blackbox/test_net_rpc_user.sh create mode 100755 testprogs/blackbox/test_offline_logon.sh create mode 100755 testprogs/blackbox/test_old_enctypes.sh create mode 100755 testprogs/blackbox/test_password_settings.sh create mode 100755 testprogs/blackbox/test_pdbtest.sh create mode 100755 testprogs/blackbox/test_pkinit_pac.sh create mode 100755 testprogs/blackbox/test_pkinit_simple.sh create mode 100755 testprogs/blackbox/test_primary_group.sh create mode 100755 testprogs/blackbox/test_rpcclient_schannel.sh create mode 100755 testprogs/blackbox/test_s4u_heimdal.sh create mode 100755 testprogs/blackbox/test_samba-tool_ntacl.sh create mode 100755 testprogs/blackbox/test_samba_upgradedns.sh create mode 100755 testprogs/blackbox/test_smbtorture_test_names.sh create mode 100755 
testprogs/blackbox/test_special_group.sh
create mode 100755 testprogs/blackbox/test_trust_ntlm.sh
create mode 100755 testprogs/blackbox/test_trust_token.sh
create mode 100755 testprogs/blackbox/test_trust_user_account.sh
create mode 100755 testprogs/blackbox/test_trust_utils.sh
create mode 100755 testprogs/blackbox/test_weak_crypto.sh
create mode 100755 testprogs/blackbox/test_weak_crypto_server.sh
create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
create mode 100755 testprogs/blackbox/test_wintest.sh
create mode 100755 testprogs/blackbox/tfork.sh
create mode 100755 testprogs/blackbox/tombstones-expunge.sh
create mode 100755 testprogs/blackbox/upgradeprovision-oldrelease.sh
create mode 100644 testprogs/blackbox/wintest/wintest.conf
(limited to 'testprogs/blackbox')
diff --git a/testprogs/blackbox/bogus.sh b/testprogs/blackbox/bogus.sh
new file mode 100755
index 0000000..1edd153
--- /dev/null
+++ b/testprogs/blackbox/bogus.sh
@@ -0,0 +1,28 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <&1) + status=$? + if [ x$status = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $status +} + +test_smbclient_expect_failure() +{ + name="$1" + cmd="$2" + unc="$3" + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $smbclient $CONFIGURATION "$unc" -c "$cmd" $@ 2>&1) + status=$? + if [ x$status = x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + else + subunit_pass_test "$name" + fi + return $status +} + +test_rpcclient_grep() +{ + name="$1" + cmd="$2" + srv="$3" + grep="$4" + shift + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $rpcclient $CONFIGURATION "$srv" -c "$cmd" $@ 2>&1) + status=$? + if [ x$status != x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $status +} + +test_rpcclient_expect_failure_grep() +{ + name="$1" + cmd="$2" + srv="$3" + grep="$4" + shift + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $rpcclient $CONFIGURATION "$srv" -c "$cmd" $@ 2>&1) + status=$? + if [ x$status = x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $status +} + +kerberos_kinit() +{ + kinit_tool="${1}" + principal="${2}" + password="${3}" + shift 3 + kbase=$(basename ${kinit_tool}) + if [ "${kbase}" = "samba4kinit" ]; then + kpassfile=$(mktemp) + echo $password >${kpassfile} + $kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} $@ $principal + status=$? 
+ rm -f ${kpassfile}
+ else
+ echo $password | $kinit_tool $@ $principal
+ status=$?
+ fi
+ return $status
+}
+
+remove_directory()
+{
+ local xdir=${1}
+ shift
+
+ if [ "$xdir" == "/" ] || [ ! -d "$xdir" ] || [ ! $(ls -A "$xdir") ]; then
+ return
+ fi
+
+ rm -rf "$xdir"
+}
diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh
new file mode 100755
index 0000000..29fb5b8
--- /dev/null
+++ b/testprogs/blackbox/dbcheck-links.sh
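Review bot: kerberos_kinit writes and pipes the secret unquoted (`echo $password >${kpassfile}` and `echo $password | $kinit_tool $@ $principal`), so a password containing whitespace or glob characters is split or expanded by the shell before it reaches kinit, and echo itself alters a value starting with `-n` or `-e`; `printf '%s\n' "$password" >"$kpassfile"` and `printf '%s\n' "$password" | $kinit_tool $@ $principal` pass it through intact. The only removal of that file is the `rm -f ${kpassfile}` after the samba4kinit call, with no trap visible in this hunk, so an interrupted run leaves the password on disk; quoting the path and registering the removal in a trap would make the cleanup hold on every exit path. Separately, test_rpcclient_grep ends with `return $status` even in the branch where grep missed and subunit_fail_test ran, and status is 0 there, so a caller that checks the exit code sees a pass; `return $gstatus` on that path would match what was reported. remove_directory uses `local`, `==` and an unquoted `$(ls -A "$xdir")` inside a test, the first two being bash-only and the third parsing ls output; the file header and shebang for this hunk are lost in the extraction, so confirm the file is only ever sourced under bash, and consider `[ -z "$(ls -A "$xdir")" ]` for the emptiness check. The start of this hunk, including the functions before test_smbclient_expect_failure, is not recoverable here.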
@@ -0,0 +1,991 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <$tmpldif1 + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $3 --fix --yes >$tmpfile + if [ "$?" != "$2" ]; then + return 1 + fi + sort $tmpfile | grep -v "^INFO:" >$tmpfile.sorted + sort $release_dir/expected-dbcheck-link-output${1}.txt >$tmpfile.expected + diff -u $tmpfile.sorted $tmpfile.expected + if [ "$?" != "0" ]; then + return 1 + fi + + tmpldif2=$PREFIX_ABS/$RELEASE/expected-dbcheck-output${1}2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_dangling() +{ + dbcheck "" "1" "--selftest-check-expired-tombstones" + return $? +} + +dbcheck_one_way() +{ + dbcheck "_one_way" "0" "CN=Configuration,DC=release-4-5-0-pre1,DC=samba,DC=corp --selftest-check-expired-tombstones" + return $? +} + +dbcheck_clean() +{ + tmpldif1=$PREFIX_ABS/$RELEASE/expected-dbcheck-output2.txt.tmp1 + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif1 + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb + if [ "$?" != "0" ]; then + return 1 + fi + tmpldif2=$PREFIX_ABS/$RELEASE/expected-dbcheck-output2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-links-after-link-dbcheck.ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi +} + +check_expected_after_deleted_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-deleted-links-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_objects() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user1x)(samaccountname=user2))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName >$tmpldif + diff -u $tmpldif $release_dir/expected-objects-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +duplicate_member() +{ + # We use an existing group so we have a stable GUID in the + # dbcheck output + LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=Enterprise Admins,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn member) + DN=$(echo "${LDIF1}" | grep '^dn: ') + MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$') + ldif=$PREFIX_ABS/${RELEASE}/duplicate-member-multi.ldif + { + echo "${DN}" + echo "changetype: modify" + echo "replace: member" + echo "${MSG}" + echo "${MSG}" | sed -e 's!RMD_LOCAL_USN=[1-9][0-9]*!RMD_LOCAL_USN=0!' + } >$ldif + + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_duplicate_member() +{ + dbcheck "_duplicate_member" "1" "--selftest-check-expired-tombstones" + return $? 
+} + +check_expected_after_duplicate_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-duplicates-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=administrator)(cn=enterprise admins))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted memberOf member >$tmpldif + diff -u $tmpldif $release_dir/expected-duplicates-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +missing_link_sid_corruption() +{ + # Step1: add user "missingsidu1" + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption1.ldif + cat >$ldif <$ldif <$ldif <$ldif <;!!g' \ + -e 's!;!!g' \ + -e 's!RMD_ADDTIME=[1-9][0-9]*!RMD_ADDTIME=123456789000000000!g' \ + -e 's!RMD_CHANGETIME=[1-9][0-9]*!RMD_CHANGETIME=123456789000000000!g' | + cat + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_missing_link_sid_corruption() +{ + dbcheck "-missing-link-sid-corruption" "1" "--selftest-check-expired-tombstones" + return $? 
+} + +add_lost_deleted_user1() +{ + ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user1.ldif + cat >$ldif <;OU=removed,DC=rel + ease-4-5-0-pre1,DC=samba,DC=corp +isRecycled: TRUE +cn:: ZnJlZApERUw6MjMwMWE2NGMtMTIzNC01Njc4LTg1MWUtMTJkNGE3MTFjZmI0 +name:: ZnJlZApERUw6MjMwMWE2NGMtMTIzNC01Njc4LTg1MWUtMTJkNGE3MTFjZmI0 +replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o + z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A + AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA + AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA + AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC + jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQACAAAAV+GDDQMAAACjlkROuH+XT4oz + 0jjbi14tog4AAAAAAACiDgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA + AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA + AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA + AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj + lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0 + jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA + AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA + AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA + V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl + kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j + jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA + AAACiDgAAAAAAAA0DCQABAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAA + AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV + +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA== +whenChanged: 20160629043639.0Z +uSNChanged: 3746 +nTSecurityDescriptor:: 
AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK + PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO + 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8 + J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ + AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA + AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA + UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA + AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr + 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA + ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh + CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0 + BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ + AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA + oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER + rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA + AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq + svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA + AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA + BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI + AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA + AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG + naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg + 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX + 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC + AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA + 
AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD + AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA + AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB + AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo + 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA + BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA + gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA + AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU + SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos + AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5 + g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg + AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD + /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS + GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA== +EOF + + out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbadd returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_lost_deleted_user1() +{ + dbcheck "-lost-deleted-user1" "1" "--selftest-check-expired-tombstones" + return $? +} + +remove_lost_deleted_user1() +{ + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "" --show-recycled --relax) + if [ "$?" 
!= "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi + + return 0 +} + +add_lost_deleted_user2() +{ + ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user2.ldif + cat >$ldif <$ldif <;OU=removed,DC=rel + ease-4-5-0-pre1,DC=samba,DC=corp +isRecycled: TRUE +cn:: ZnJlZApERUw6MjMwMWE2NGMtMTEyMi01NTY2LTg1MWUtMTJkNGE3MTFjZmI0 +name:: ZnJlZApERUw6MjMwMWE2NGMtMTEyMi01NTY2LTg1MWUtMTJkNGE3MTFjZmI0 +replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o + z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A + AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA + AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA + AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC + jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQACAAAAV+GDDQMAAACjlkROuH+XT4oz + 0jjbi14tog4AAAAAAACiDgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA + AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA + AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA + AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj + lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0 + jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA + AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA + AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA + V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl + kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j + jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA + AAACiDgAAAAAAAA0DCQABAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAA + AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV + +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA== +whenChanged: 
20160629043639.0Z +uSNChanged: 3746 +nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK + PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO + 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8 + J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ + AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA + AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA + UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA + AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr + 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA + ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh + CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0 + BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ + AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA + oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER + rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA + AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq + svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA + AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA + BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI + AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA + AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG + naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg + 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX + 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC + 
AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA + AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD + AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA + AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB + AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo + 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA + BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA + gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA + AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU + SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos + AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5 + g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg + AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD + /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS + GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA== +EOF + + out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbadd returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_lost_deleted_user3() +{ + # here we don't pass --selftest-check-expired-tombstones + # as we want to test the default + dbcheck "-lost-deleted-user3" "0" "" + return $? +} + +remove_lost_deleted_user3() +{ + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "" --show-recycled --relax) + if [ "$?" 
!= "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi + + return 0 +} + +forward_link_corruption() +{ + # + # Step1: add a duplicate forward link from + # "CN=Enterprise Admins" to "CN=Administrator" + # + LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=Enterprise Admins,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn member) + DN=$(echo "${LDIF1}" | grep '^dn: ') + MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$') + ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption1.ldif + { + echo "${DN}" + echo "changetype: modify" + echo "replace: member" + echo "${MSG}" + echo "${MSG}" | sed -e 's!RMD_LOCAL_USN=[1-9][0-9]*!RMD_LOCAL_USN=0!' + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption2.ldif + cat >$ldif <;;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi +} + +dbcheck_forward_link_corruption() +{ + dbcheck "-forward-link-corruption" "1" "--selftest-check-expired-tombstones" + return $? +} + +check_expected_after_dbcheck_forward_link_corruption() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-after-dbcheck-forward-link-corruption.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=dangling)(cn=enterprise admins))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted memberOf member >$tmpldif + diff -u $tmpldif $release_dir/expected-after-dbcheck-forward-link-corruption.ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi +} + +oneway_link_corruption() +{ + # + # Step1: add OU "dangling-ou" + # + ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption.ldif + cat >$ldif <$ldif <$tmpldif + diff -u $tmpldif $release_dir/expected-after-dbcheck-oneway-link-corruption.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_dangling_multi_valued() +{ + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --selftest-check-expired-tombstones --fix --yes + if [ "$?" != "1" ]; then + return 1 + fi +} + +dangling_multi_valued_check_missing() +{ + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi2)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got only $WORDS links for dangling-multi2 + return 1 + fi + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi3)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got only $WORDS links for dangling-multi3 + return 1 + fi +} + +dangling_multi_valued_check_equal_or_too_many() +{ + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi1)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got $WORDS links for dangling-multi1 + return 1 + fi + + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi5)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + + if [ $WORDS -ne 0 ]; then + echo Got $WORDS links for dangling-multi5 + 
return 1 + fi + + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=Administrator)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + + if [ $WORDS -ne 2 ]; then + echo Got $WORDS links for Administrator + return 1 + fi +} + +dangling_link_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <;;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +dangling_link_to_unknown_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <;;CN=NOT Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" 
!= "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +dangling_link_to_known_and_unknown_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <;;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + echo "memberOf: ;;CN=NOT Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + echo "memberOf: ;CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +remove_directory $PREFIX_ABS/${RELEASE} + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1) +testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1) +testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1) +testit "remove_one_user" remove_one_user || failed=$(expr $failed + 1) +testit "move_one_user" move_one_user || failed=$(expr $failed + 1) +testit "add_dangling_link" add_dangling_link || failed=$(expr $failed + 1) +testit "add_dangling_backlink" add_dangling_backlink || failed=$(expr $failed + 1) +testit "add_deleted_dangling_backlink" add_deleted_dangling_backlink || failed=$(expr $failed + 1) +testit "revive_links_on_deleted_group" revive_links_on_deleted_group || failed=$(expr $failed + 1) +testit "revive_backlink_on_deleted_group" revive_backlink_on_deleted_group || failed=$(expr $failed + 1) +testit "add_deleted_target_link" add_deleted_target_link || failed=$(expr $failed + 1) +testit 
"add_deleted_target_backlink" add_deleted_target_backlink || failed=$(expr $failed + 1)
+testit "dbcheck_dangling" dbcheck_dangling || failed=$(expr $failed + 1)
+testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "check_expected_after_deleted_links" check_expected_after_deleted_links || failed=$(expr $failed + 1)
+testit "check_expected_after_links" check_expected_after_links || failed=$(expr $failed + 1)
+testit "check_expected_after_objects" check_expected_after_objects || failed=$(expr $failed + 1)
+testit "duplicate_member" duplicate_member || failed=$(expr $failed + 1)
+testit "dbcheck_duplicate_member" dbcheck_duplicate_member || failed=$(expr $failed + 1)
+testit "check_expected_after_duplicate_links" check_expected_after_duplicate_links || failed=$(expr $failed + 1)
+testit "duplicate_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "forward_link_corruption" forward_link_corruption || failed=$(expr $failed + 1)
+testit "dbcheck_forward_link_corruption" dbcheck_forward_link_corruption || failed=$(expr $failed + 1)
+testit "check_expected_after_dbcheck_forward_link_corruption" check_expected_after_dbcheck_forward_link_corruption || failed=$(expr $failed + 1)
+testit "forward_link_corruption_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "oneway_link_corruption" oneway_link_corruption || failed=$(expr $failed + 1)
+testit "dbcheck_oneway_link_corruption" dbcheck_oneway_link_corruption || failed=$(expr $failed + 1)
+testit "check_expected_after_dbcheck_oneway_link_corruption" check_expected_after_dbcheck_oneway_link_corruption || failed=$(expr $failed + 1)
+testit "oneway_link_corruption_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "dangling_one_way_link" dangling_one_way_link || failed=$(expr $failed + 1)
+testit "dbcheck_one_way" dbcheck_one_way || failed=$(expr $failed + 1)
+testit "dbcheck_clean2" dbcheck_clean || failed=$(expr $failed + 1)
+testit "missing_link_sid_corruption" 
missing_link_sid_corruption || failed=$(expr $failed + 1)
+testit "dbcheck_missing_link_sid_corruption" dbcheck_missing_link_sid_corruption || failed=$(expr $failed + 1)
+testit "missing_link_sid_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "add_lost_deleted_user1" add_lost_deleted_user1 || failed=$(expr $failed + 1)
+testit "dbcheck_lost_deleted_user1" dbcheck_lost_deleted_user1 || failed=$(expr $failed + 1)
+testit "lost_deleted_user1_clean_A" dbcheck_clean || failed=$(expr $failed + 1)
+testit "remove_lost_deleted_user1" remove_lost_deleted_user1 || failed=$(expr $failed + 1)
+testit "lost_deleted_user1_clean_B" dbcheck_clean || failed=$(expr $failed + 1)
+testit "add_lost_deleted_user2" add_lost_deleted_user2 || failed=$(expr $failed + 1)
+testit "dbcheck_lost_deleted_user2" dbcheck_lost_deleted_user2 || failed=$(expr $failed + 1)
+testit "lost_deleted_user2_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "add_lost_deleted_user3" add_lost_deleted_user3 || failed=$(expr $failed + 1)
+testit "dbcheck_lost_deleted_user3" dbcheck_lost_deleted_user3 || failed=$(expr $failed + 1)
+testit "lost_deleted_user3_clean_A" dbcheck_clean || failed=$(expr $failed + 1)
+testit "remove_lost_deleted_user3" remove_lost_deleted_user3 || failed=$(expr $failed + 1)
+testit "lost_deleted_user3_clean_B" dbcheck_clean || failed=$(expr $failed + 1)
+testit "dangling_one_way_dn" dangling_one_way_dn || failed=$(expr $failed + 1)
+testit "deleted_one_way_dn" deleted_one_way_dn || failed=$(expr $failed + 1)
+testit "dbcheck_clean3" dbcheck_clean || failed=$(expr $failed + 1)
+testit "add_dangling_multi_valued" add_dangling_multi_valued || failed=$(expr $failed + 1)
+testit "dbcheck_dangling_multi_valued" dbcheck_dangling_multi_valued || failed=$(expr $failed + 1)
+testit "dangling_multi_valued_check_missing" dangling_multi_valued_check_missing || failed=$(expr $failed + 1)
+testit "dangling_multi_valued_check_equal_or_too_many" 
dangling_multi_valued_check_equal_or_too_many || failed=$(expr $failed + 1)
+# Currently this cannot pass
+testit "dbcheck_dangling_multi_valued_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "dangling_link_does_not_prevent_delete" dangling_link_does_not_prevent_delete || failed=$(expr $failed + 1)
+testit "dangling_link_to_unknown_does_not_prevent_delete" dangling_link_to_unknown_does_not_prevent_delete || failed=$(expr $failed + 1)
+testit "dangling_link_to_known_and_unknown_does_not_prevent_delete" dangling_link_to_known_and_unknown_does_not_prevent_delete || failed=$(expr $failed + 1)
+
+remove_directory $PREFIX_ABS/${RELEASE}
+
+exit $failed
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
new file mode 100755
index 0000000..2df08ad
--- /dev/null
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
@@ -0,0 +1,564 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <$tmpldif + diff -u $tmpldif $release_dir/expected-userParameters-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +reindex() +{ + $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} + +do_current_version_mod() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + # Confirm (in combination with the ldbsearch below) that + # changing the attribute with current Samba fixes it, and that + # a fixed attriute isn't unfixed by dbcheck. + tmpldif=$release_dir/sudoers2-mod.ldif + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $tmpldif + fi + return 0 +} + +check_expected_before_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-replpropertymetadata-before-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything2 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary | grep -v originating_change_time | grep -v whenChanged >$tmpldif + + # Here we remove originating_change_time and whenChanged as + # these are time-dependent, caused by the ldbmodify above. + + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck2.ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything3 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck3.ldif + if [ "$?" != "0" ]; then + return 1 + fi + elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/rootdse-version.initial.txt.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif + diff -u $tmpldif $release_dir/rootdse-version.initial.txt + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +# This should 'fail', because it returns the number of modified records +dbcheck_objectclass() +{ + if [ x$RELEASE = x"release-4-1-6-partial-object" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --attrs=objectclass $@ + else + return 1 + fi +} + +# This should 'fail', because it returns the number of wrong records, which it must if we did not skip the deleted objects +dbcheck_deleted_objects() +{ + if [ x$RELEASE = x"alpha13" ]; then + basedn=$($ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope base -b "" defaultNamingContext | grep -i defaultNamingContext | cut -d\ -f 2) + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "cn=deleted objects,$basedn" --scope base $@ + else + return 1 + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck() +{ + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} + +check_expected_after_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-replpropertymetadata-after-dbcheck.ldif.tmp + 
TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything2 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary | grep -v originating_change_time | grep -v whenChanged >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck2.ldif + if [ "$?" != "0" ]; then + return 1 + fi + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything3 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck3.ldif + if [ "$?" != "0" ]; then + return 1 + fi + # Check DomainDNS partition for replica locations + tmpldif=$PREFIX_ABS/$RELEASE/expected-replica-locations-after-dbcheck.ldif.tmp + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=49a69498-9a85-48af-9be4-aa0b3e0054f9 --scope=one -b CN=Partitions,CN=Configuration,DC=release-4-1-0rc3,DC=samba,DC=corp msDS-NC-Replica-Locations >$tmpldif + diff -u $tmpldif $release_dir/expected-replica-locations-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + # Check ForestDNS partition for replica locations + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=7d2a15af-c0d4-487c-847e-e036292bcc65 --scope=one -b CN=Partitions,CN=Configuration,DC=release-4-1-0rc3,DC=samba,DC=corp msDS-NC-Replica-Locations >$tmpldif + diff -u $tmpldif $release_dir/expected-replica-locations-after-dbcheck2.ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi + elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then + echo $RELEASE checking after values + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-dbcheck.ldif.tmp + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --show-recycled --show-deleted --show-deactivated-link --reveal member memberOf lastKnownParent objectCategory lastKnownParent wellKnownObjects legacyExchangeDN sAMAccountType uSNChanged --sorted >$tmpldif + diff -u $tmpldif $release_dir/expected-links-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + + # If in the future dbcheck has to make a change recorded in replPropertyMetadata, + # this test will fail and can be removed. + tmpversion=$PREFIX_ABS/$RELEASE/rootdse-version.final.txt.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpversion + diff -u $tmpversion $release_dir/rootdse-version.final.txt + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +check_forced_duplicate_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + ldif=$release_dir/forced-duplicate-value-for-dbcheck.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi + else + return 0 + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck_after_dup() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=administrator,cn=users,DC=release-4-1-0rc3,DC=samba,DC=corp $@ + else + return 1 + fi +} + +check_expected_after_dup_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-otherphone-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=administrator --scope=base -b cn=administrator,cn=users,DC=release-4-1-0rc3,DC=samba,DC=corp otherHomePhone --sorted --show-binary | grep -v \# | sort >$tmpldif + diff -u $tmpldif $release_dir/expected-otherphone-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +# But having fixed it all up, this should pass +dbcheck_clean() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} + +# This should 'fail', because it returns the number of modified records. +# We don't need to run this against 4.1 releases +dbcheck_acl_reset() +{ + if [ x$RELEASE = x"release-4-0-0" -o x$RELEASE = x"alpha13" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + else + return 1 + fi +} +# But having fixed it all up, this should pass. 
+# We don't need to run this against 4.1.0rc3 +dbcheck_acl_reset_clean() +{ + if [ x$RELEASE != x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck2() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + else + exit 1 + fi +} +# But having fixed it all up, this should pass +dbcheck_clean2() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + fi +} + +rm_deleted_objects() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb 'CN=Deleted Objects,DC=RELEASE-4-1-0RC3,DC=SAMBA,DC=CORP' + if [ "$?" 
!= "0" ]; then + return 1 + fi + else + return 0 + fi +} +# This should 'fail', because it returns the number of modified records +dbcheck3() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + else + exit 1 + fi +} +# But having fixed it all up, this should pass +dbcheck_clean3() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + fi +} + +check_expected_after_deleted_objects() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted_objects-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=deleted\ objects --scope=base -b cn=deleted\ objects,DC=release-4-1-0rc3,DC=samba,DC=corp objectClass description isDeleted isCriticalSystemObject objectGUID showInAdvancedViewOnly systemFlags --sorted --show-binary --show-deleted | grep -v \# | sort >$tmpldif + diff -u $tmpldif $release_dir/expected-deleted_objects-after-dbcheck.ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi + fi + return 0 +} + +referenceprovision() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old + + # on top of this, also apply 2008R2 changes we accidentally missed in the past + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf + fi +} + +ldapcmp() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes,servicePrincipalName + fi +} + +ldapcmp_sd() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --sd --skip-missing-dn --filter=servicePrincipalName + fi +} + +remove_directory $PREFIX_ABS/${RELEASE}_reference + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "reindex" reindex || failed=$(expr $failed + 1) +testit "current_version_mod" do_current_version_mod || failed=$(expr $failed + 1) +testit "check_expected_before_values" check_expected_before_values || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_deleted_objects" dbcheck_deleted_objects || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_objectclass" dbcheck_objectclass || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck" dbcheck || failed=$(expr $failed + 1) +testit "check_expected_after_values" check_expected_after_values || failed=$(expr $failed + 1) +testit "check_forced_duplicate_values" 
check_forced_duplicate_values || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_after_dup" dbcheck_after_dup || failed=$(expr $failed + 1) +testit "check_expected_after_dup_values" check_expected_after_dup_values || failed=$(expr $failed + 1) +testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1) +testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean || failed=$(expr $failed + 1) +testit "add_userparameters0" add_userparameters1 || failed=$(expr $failed + 1) +testit "add_userparameters1" add_userparameters1 || failed=$(expr $failed + 1) +testit "add_userparameters2" add_userparameters2 || failed=$(expr $failed + 1) +testit "add_userparameters3" add_userparameters3 || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck2" dbcheck2 || failed=$(expr $failed + 1) +testit "dbcheck_clean2" dbcheck_clean2 || failed=$(expr $failed + 1) +testit "check_expected_userparameters" check_expected_userparameters || failed=$(expr $failed + 1) +testit "rm_deleted_objects" rm_deleted_objects || failed=$(expr $failed + 1) +# We must re-index again because rm_deleted_objects went behind +# the back of the main sam.ldb. +testit "reindex2" reindex || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck3" dbcheck3 || failed=$(expr $failed + 1) +testit "dbcheck_clean3" dbcheck_clean3 || failed=$(expr $failed + 1) +testit "check_expected_after_deleted_objects" check_expected_after_deleted_objects || failed=$(expr $failed + 1) +testit "referenceprovision" referenceprovision || failed=$(expr $failed + 1) +testit "ldapcmp" ldapcmp || failed=$(expr $failed + 1) +testit "ldapcmp_sd" ldapcmp_sd || failed=$(expr $failed + 1) + +if [ -d $PREFIX_ABS/${RELEASE} ]; then + rm -fr $PREFIX_ABS/${RELEASE} +fi + +remove_directory $PREFIX_ABS/${RELEASE}_reference + +exit $failed 
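Review bot: The step labelled `add_userparameters0` in the run list at the end of the hunk invokes `add_userparameters1`, so that function runs twice under two test names and whatever an `add_userparameters0` function was meant to cover never executes; the function definitions are not legible in this rendering, so if one exists the line should read `testit "add_userparameters0" add_userparameters0 || failed=$(expr $failed + 1)`, and if not the duplicate step should be dropped. The closing cleanup also spells out `if [ -d $PREFIX_ABS/${RELEASE} ]; then rm -fr $PREFIX_ABS/${RELEASE}; fi` while the very next line uses the `remove_directory` helper for `${RELEASE}_reference`; `remove_directory $PREFIX_ABS/${RELEASE}` keeps the destructive delete in one guarded place. Finally, `dbcheck2` and `dbcheck3` fall through to `exit 1` where the sibling guards (`dbcheck_objectclass`, `dbcheck_acl_reset`) use `return 1`; that only works because `testit_expect_failure` runs the function inside a command substitution, and a direct call would end the whole script, so `return 1` is the consistent spelling.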
diff --git a/testprogs/blackbox/dbcheck.sh b/testprogs/blackbox/dbcheck.sh new file mode 100755 index 0000000..1f1d432 --- /dev/null +++ b/testprogs/blackbox/dbcheck.sh 
@@ -0,0 +1,71 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat < +# Copyright (C) 2006-2008 Andrew Bartlett + +if [ $# -lt 2 ]; then + cat < +# Copyright (C) 2006-2008 Andrew Bartlett + +if [ $# -lt 2 ]; then + cat < +# Copyright (C) 2008 Jelmer Vernooij +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +timestamp() +{ + # mark the start time. With Gnu date, you get nanoseconds from %N + # (here truncated to microseconds with %6N), but not on BSDs, + # Solaris, etc, which will apparently leave either %N or N at the end. + date -u +'time: %Y-%m-%d %H:%M:%S.%6NZ' | sed 's/\..*NZ$/.000000Z/' +} + +subunit_start_test() +{ + # emit the current protocol start-marker for test $1 + timestamp + printf 'test: %s\n' "$1" +} + +subunit_pass_test() +{ + # emit the current protocol test passed marker for test $1 + timestamp + printf 'success: %s\n' "$1" +} + +# This is just a hack as we have some broken scripts +# which use "exit $failed", without initializing failed. +failed=0 + +subunit_fail_test() +{ + # emit the current protocol fail-marker for test $1, and emit stdin as + # the error text. + # we use stdin because the failure message can be arbitrarily long, and this + # makes it convenient to write in scripts (using <&1) + status=$? 
+ if [ x$status = x0 ]; then + subunit_pass_test "$name" + else + echo "$output" | subunit_fail_test "$name" + fi + return $status +} + +# This returns 0 if the command gave success and the grep value was found +# all other cases return != 0 +testit_grep() +{ + name="$1" + shift + grep="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ x$status != x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" not found in output:\n%s' "$grep" "$output" | subunit_fail_test "$name" + fi + return $status +} + +# This returns 0 if the command gave success and the grep value was found +# num times all other cases return != 0 +testit_grep_count() +{ + name="$1" + shift + grep="$1" + shift + num="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ x$status != x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + found=$(printf '%s' "$output" | grep -c "$grep") + if [ x"$found" = x"$num" ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" found "%d" times, expected "%d" in output:\n%s'\ + "$grep" "$found" "$num" "$output" | + subunit_fail_test "$name" + fi + return $status +} + +testit_expect_failure() +{ + name="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ x$status = x0 ]; then + echo "$output" | subunit_fail_test "$name" + else + subunit_pass_test "$name" + fi + return $status +} + +# This returns 0 if the command gave a failure and the grep value was found +# all other cases return != 0 +testit_expect_failure_grep() +{ + name="$1" + shift + grep="$1" + shift + cmdline="$@" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? 
+ if [ x$status = x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return 1 + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" not found in output:\n%s' "$grep" "$output" | subunit_fail_test "$name" + fi + return $status +} + +testok() +{ + name=$(basename $1) + failed=$2 + + exit $failed +} + +# work out the top level source directory +if [ -d source4 ]; then + SRCDIR="." +else + SRCDIR=".." +fi +export SRCDIR diff --git a/testprogs/blackbox/test_chgdcpass.sh b/testprogs/blackbox/test_chgdcpass.sh new file mode 100755 index 0000000..8b0ef45 --- /dev/null +++ b/testprogs/blackbox/test_chgdcpass.sh 
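Review bot: `testit_grep` ends with `return $status`, which is already 0 by the time the grep runs, so a pattern miss is emitted as a subunit failure yet the helper returns success and the `|| failed=$(expr $failed + 1)` idiom used by every caller never counts it; the last line should be `return $gstatus`, and `testit_grep_count` needs a matching `return 1` in its else branch since it keeps no grep status. Conversely, `testit_expect_failure` and `testit_expect_failure_grep` return the command's non-zero status on their pass path, so the same idiom bumps `$failed` on a passing negative test; whether the harness consumes the exit code or only the subunit stream is not visible here, but the helpers should agree on what a return value means, e.g. `return 0` after `subunit_pass_test`. This region fuses several scripts, and the subunit.sh file header along with the start of `testit` is not legible here.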
@@ -0,0 +1,115 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (C) 2006-2007 Jelmer Vernooij +# Copyright (C) 2006-2008 Andrew Bartlett + +if [ $# -lt 4 ]; then + cat </dev/null 2>&1 || ! which sha1sum >/dev/null 2>&1; then + subunit_start_test "client encryption types" + subunit_skip_test "client encryption types" </dev/null | sha1sum | cut -b 1-10) + +RUNDIR=$(pwd) +cd $BASEDIR +WORKDIR=$(mktemp -d -p .) +WORKDIR=$(basename $WORKDIR) +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads --option=kerberosencryptiontypes=$ETYPE_CONF" +pcap_file=$BASEDIR/$WORKDIR/test.pcap + +export SOCKET_WRAPPER_PCAP_FILE=$pcap_file +testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +#The leave command does not use the locally-generated +#krb5.conf +export SOCKET_WRAPPER_PCAP_FILE= +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# +# Older versions of tshark do not support -Y option, +# They use -R which cannot be used with recent versions... +# +if ! tshark -r $pcap_file -nVY "kerberos" >/dev/null 2>&1; then + subunit_start_test "client encryption types" + subunit_skip_test "client encryption types" < + +if [ $# -lt 6 ]; then + cat </dev/null 2>&1 + ret=$? 
+ if [ $ret -eq 0 ]; then + echo "Kinit failed for smbclient" + echo "$out" + return 1 + fi + + return 0 +} + +KRB5CCNAME_PATH="$PREFIX/ccache_client_kerberos" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +### RPCCLIENT (legacy) +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm interactive" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm interactive with -U" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy kerberos" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit_expect_failure "test rpcclient legacy kerberos interactive (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_rpcclient ncacn_np:${SERVER} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy kerberos ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### RPCCLIENT +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=${USERNAME} 
$samba_rpcclient ncacn_np:${SERVER} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm interactive" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm interactive with -U" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient kerberos" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1' +testit_expect_failure "test rpcclient kerberos interactive (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_rpcclient ncacn_np:${SERVER} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient kerberos ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBTORTURE (legacy) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy default" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy ntlm (kerberos=no)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture 
-U${USERNAME}%${PASSWORD} -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy kerberos=yes" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy kerberos=yes ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit_expect_failure "test smbtorture legacy kerberos=no ccache (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBTORTURE + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture default" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture ntlm (kerberos=no)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture kerberos=yes" \ + 
test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture kerberos=yes ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture --use-kerbers=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit_expect_failure "test smbtorture kerberos=no ccache (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBCLIENT (legacy) +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm interactive" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm interactive with -U" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy kerberos" \ + test_smbclient || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -k --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy kerberos 
ccache" \ + test_smbclient || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBCLIENT tests for --use-kerberos=desired|required|disabled +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm interactive" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm interactive with -U" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=desired --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=desired" \ + test_smbclient_kerberos || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=required" \ + test_smbclient_kerberos || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbclient //${SERVER}/tmp --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=required ccache" \ + test_smbclient || + failed=$(expr $failed + 1) +$samba_kdestroy + +rm -rf $KRB5CCNAME_PATH + +exit $failed diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh new file mode 100755 index 0000000..f2cec4c --- /dev/null +++ b/testprogs/blackbox/test_export_keytab_heimdal.sh 
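Review bot: The smbtorture negative test near the end of the hunk passes `--use-kerbers=required` (misspelled), so the command fails at option parsing and `testit_expect_failure` is satisfied regardless of whether the authentication path it is named for ("kerberos=no ccache") actually rejects the request. The legacy counterpart a few lines earlier uses `-k no`, so presumably `--use-kerberos=disabled` was intended; write `cmd='$samba_smbtorture --use-kerberos=disabled --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'`, and consider `testit_expect_failure_grep` with the expected error text so that an option-parse error can never again masquerade as the intended failure. The script's head, including argument handling and the `test_rpc_getusername`/`test_smbclient` helpers, is not legible in this hunk, and several other scripts are fused into the same region.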
@@ -0,0 +1,115 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (C) 2006-2007 Jelmer Vernooij +# Copyright (C) 2006-2008 Andrew Bartlett + +if [ $# -lt 5 ]; then + cat < +# Copyright (C) 2006-2008 Andrew Bartlett +# Copyright (C) 2016 Andreas Schneider + +if [ $# -lt 5 ]; then + cat < +# Copyright (C) 2006-2008 Andrew Bartlett + +if [ $# -lt 5 ]; then + cat <$PREFIX/tmppassfile +testit "kinit with password (initial)" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R + +test_smbclient "Test login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +USERPASS=testPass@12% +echo $USERPASS >$PREFIX/tmpuserpassfile +testit "add user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user create nettestuser $USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +echo "Getting defaultNamingContext" +BASEDN=$($ldbsearch $options --basedn='' -H 
ldap://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}') + +cat >$PREFIX/tmpldbmodify <$PREFIX/tmpuserpassfile +rm -f $KRB5CCNAME_PATH +testit "kinit with user password (after rpc password change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with password (NT-Principal style) using UPN" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with password (enterprise style) using UPN" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with password (windows style) using UPN" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache from windows UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +cat >$PREFIX/tmpldbmodify <$PREFIX/tmpuserpassfile + +cat >$PREFIX/tmpkpasswdscript <$PREFIX/tmpuserpassfile + +test_smbclient "Test login with user kerberos ccache (after kpasswd change)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +cat >$PREFIX/tmpkpasswdscript <$PREFIX/tmpuserpassfile + +cat >$PREFIX/tmpkpasswdscript <$PREFIX/tmpldbmodify <$PREFIX/tmppasswordchange 
<$PREFIX/tmpuserpassfile +testit "kinit with user password (after password change forced by expiration)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME + +rm -rf $KRB5CCNAME_PATH + +lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]') +test_smbclient "Test login with user kerberos lowercase realm" 'ls' "$unc" --use-kerberos=required -Unettestuser@$lowerrealm%$NEWUSERPASS || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' "$unc" --use-kerberos=required -Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=$(expr $failed + 1) + +testit "del user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user delete nettestuser $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH +testit "kinit with machineaccountccache script" $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1) +test_smbclient "Test machine account login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "reset password policies" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript +exit $failed diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh new file mode 100755 index 0000000..bde140a --- /dev/null +++ b/testprogs/blackbox/test_kinit_mit.sh 
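Review bot: The final cleanup `rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript` only prefixes the first name with `$PREFIX`, while every one of those files was written as `$PREFIX/...` earlier in the script (`echo $USERPASS >$PREFIX/tmpuserpassfile`, `cat >$PREFIX/tmpkpasswdscript`, `cat >$PREFIX/tmpldbmodify`, `cat >$PREFIX/tmppasswordchange`), so the password files survive the run; change it to `rm -f $PREFIX/tmpccache $PREFIX/tmpccfile $PREFIX/tmppassfile $PREFIX/tmpuserpassfile $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpldbmodify $PREFIX/tmppasswordchange`. The line `testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R` is the only testit call without `|| failed=$(expr $failed + 1)`, so a failed renewal is reported but never counted in the exit status; the same omission recurs in the test_kinit_trusts_heimdal.sh portion of the next hunk. This hunk's `@@ -0,0 +1,115 @@` header belongs to test_export_keytab_heimdal.sh, but the heredoc bodies and the file headers for the following scripts have been lost in this rendering, so the visible text runs into test_kinit_heimdal.sh and the file boundaries are inferred.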
@@ -0,0 +1,332 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (c) 2015-2016 Andreas Schneider + +if [ $# -lt 5 ]; then + cat <$PREFIX/tmpkinitscript <$PREFIX/tmpldbmodify <$PREFIX/tmpkinituserpassscript <$PREFIX/tmpkinituserpassscript <$PREFIX/tmpldbmodify <$PREFIX/tmpkpasswdscript <$PREFIX/tmpkinituserpassscript <$PREFIX/tmpldbmodify <$PREFIX/tmpkinituserpassscript <$PREFIX/tmpkinituserpassscript < + +if [ $# -lt 13 ]; then + cat <$PREFIX/tmppassfile +testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +rm -rf $KRB5CCNAME_PATH + +testit "kinit with password and two minute lifetime" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac --server=krbtgt/$REALM@$TRUST_REALM --lifetime=2m $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` +test_smbclient "Test login with user kerberos ccache and two minute lifetime" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` +rm -rf $KRB5CCNAME_PATH + +# Test with smbclient4 +smbclient="$samba4bindir/smbclient4" +testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +rm -rf $KRB5CCNAME_PATH + +testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +smbclient="$samba4bindir/smbclient" +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +if test 
x"${TYPE}" = x"forest"; then + testit "kinit with password (upn enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac testdenied_upn@${TRUST_REALM}.upn || failed=$(expr $failed + 1) + test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) +fi + +testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R + +test_smbclient "Test login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER.$REALM $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1) + +lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]') +test_smbclient "Test login with user kerberos lowercase realm" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$TRUST_USERNAME@$lowerrealm%$TRUST_PASSWORD || failed=$(expr $failed + 1) +test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD --realm=$lowerrealm || failed=$(expr $failed + 1) + +# Test the outgoing direction +unc="//$TRUST_SERVER.$TRUST_REALM/tmp" +test_smbclient "Test user login with the first outgoing secret" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1) + +testit_expect_failure "setpassword should not work" $VALGRIND $PYTHON $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=$(expr $failed + 1) + +testit "wbinfo ping dc" $VALGRIND $wbinfo --ping-dc --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1) 
+testit "wbinfo change outgoing trust pw" $VALGRIND $wbinfo --change-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1)
+testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1)
+
+test_smbclient "Test user login with the changed outgoing secret" 'ls' "$unc" --use-kerberos=required -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpccache $PREFIX/tmppassfile
+exit $failed
diff --git a/testprogs/blackbox/test_kinit_trusts_mit.sh b/testprogs/blackbox/test_kinit_trusts_mit.sh
new file mode 100755
index 0000000..35fcb6d
--- /dev/null
+++ b/testprogs/blackbox/test_kinit_trusts_mit.sh
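Review bot: The two "kinit with password and two minute lifetime" lines in the test_kinit_trusts_heimdal.sh portion increment the counter with backtick command substitution, while every other line of that script uses `failed=$(expr $failed + 1)`; switching those two lines to the `$(...)` form keeps the counting idiom uniform. In the same script `lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]')` relies on bracket ranges, which are locale-dependent; `tr '[:upper:]' '[:lower:]'`, the spelling test_net_ads.sh uses later in this patch, is the portable form. The file header for test_kinit_trusts_heimdal.sh appears to have been lost in this rendering, so the boundary between it and test_kinit_mit.sh is inferred.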
@@ -0,0 +1,140 @@ +#!/bin/sh +# Blackbox tests for kinit and trust validation +# Copyright (c) 2015 Stefan Metzmacher +# Copyright (c) 2016 Andreas Schneider + +if [ $# -lt 5 ]; then + cat <$PREFIX/tmpkinitscript < +# Copyright (C) 2006-2008 Andrew Bartlett +# Copyright (C) 2016 Andreas Schneider + +if [ $# -lt 6 ]; then + cat <$PREFIX/tmpkpasswdscript <$PREFIX/tmpkpasswdscript <$PREFIX/tmpkpasswdscript < "${PREFIX}/tmpkpasswdscript" < "${KRB5_CONFIG}" + testit "MIT kpasswd change user password" \ + "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \ + "${TEST_PRINCIPAL}" || + failed=$((failed + 1)) + KRB5_CONFIG="${SAVE_KRB5_CONFIG}" + export KRB5_CONFIG +fi + +TEST_PASSWORD="${TEST_PASSWORD_NEW}" +TEST_PASSWORD_NEW="testPaSS@03force%" + +########################################################### +### Force password change at login +########################################################### + +testit "set password on user locally" \ + $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@04%" + +rm -f $PREFIX/tmpuserccache + +cat >$PREFIX/tmpkinitscript < +# Copyright (c) 2006-2008 Andrew Bartlett +# Copyright (c) 2016 Andreas Schneider + +if [ $# -lt 6 ]; then + cat <$PREFIX/tmpkpasswdscript <$PREFIX/tmpkpasswdscript <$PREFIX/tmpkpasswdscript <$PREFIX/tmpkpasswdscript <$PREFIX/tmpkinitscript <$PREFIX/tmppassfile +testit "kinit with passwd" $samba4kinit -e arcfour-hmac-md5 --password-file=$PREFIX/tmppassfile $TESTUSER@SAMBA.EXAMPLE.COM || failed=$(expr $failed + 1) +testit "ktpass" $samba4srcdir/scripting/bin/ktpass.sh --host LOCALDC --out $PREFIX/testuser.kt --princ $TESTUSER --pass "testp@ssw0Rd" --path-to-ldbsearch=$BINDIR/bin || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME + +testit "kinit with keytab" $samba4kinit -e arcfour-hmac-md5 --use-keytab -t $PREFIX/testuser.kt 
$TESTUSER@SAMBA.EXAMPLE.COM || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpccache $PREFIX/testuser.kt
+exit $failed
diff --git a/testprogs/blackbox/test_ldb.sh b/testprogs/blackbox/test_ldb.sh
new file mode 100755
index 0000000..d9485d7
--- /dev/null
+++ b/testprogs/blackbox/test_ldb.sh
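Review bot: The closing `rm -f $PREFIX/tmpccache $PREFIX/testuser.kt` in test_ktpass.sh leaves `$PREFIX/tmppassfile`, the file passed to `--password-file` and holding the test user's password, on disk after the run; add `$PREFIX/tmppassfile` to that `rm -f`. The earlier `rm -f $KRB5CCNAME` only removes anything if KRB5CCNAME is a bare path — if it carries the `FILE:` prefix as in the sibling kinit scripts, nothing is deleted and the keytab kinit reuses the previous cache; `rm -f $KRB5CCNAME_PATH` is the pattern the other scripts use (how KRB5CCNAME is set here is not visible because the top of this script is garbled in this rendering). The realm `SAMBA.EXAMPLE.COM`, the host `LOCALDC` and the enctype `arcfour-hmac-md5` are hard-coded where the neighbouring scripts use `$REALM`, `$SERVER` and `$enctype`; if that is deliberate for ktpass.sh, a comment such as `# ktpass.sh is exercised against the fixed LOCALDC/SAMBA.EXAMPLE.COM environment with the RC4 key it writes` would save the next reader from "fixing" it.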
@@ -0,0 +1,231 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat < ${object}" + r=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectClass=*)' -b "${dn}" | grep 'dn: '` + n=`echo "${r}" | grep 'dn: ' | wc -l` + c=`echo "${r}" | grep "${object}" | wc -l` + + if [ $n -lt 1 ]; then + echo "Object not found by WKGUID" + failed=`expr $failed + 1` + continue + fi + if [ $c -lt 1 ]; then + echo "Wrong object found by WKGUID: [${r}]" + failed=`expr $failed + 1` + continue + fi + done + + return $failed +) + +wellknown_object_test 22B70C67D56E4EFB91E9300FCA3DC1AA ForeignSecurityPrincipals +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test 2FBAC1870ADE11D297C400C04FD8D5CD Infrastructure +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test AB1D30F3768811D1ADED00C04FD8D5CD System +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test A361B2FFFFD211D1AA4B00C04FD7D83A Domain Controllers +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test AA312825768811D1ADED00C04FD8D5CD Computers +st=$? +if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi +wellknown_object_test A9D1CA15768811D1ADED00C04FD8D5CD Users +st=$? 
+if [ x"$st" != x"0" ]; then + failed=`expr $failed + $st` +fi + +echo "Getting HEX GUID/SID of $BASEDN" +HEXDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:0 distinguishedName | grep 'distinguishedName: ' | cut -d ' ' -f2-` +HEXGUID=`echo "$HEXDN" | cut -d ';' -f1` +echo "HEXGUID[$HEXGUID]" + +echo "Getting STR GUID/SID of $BASEDN" +STRDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:1 distinguishedName | grep 'distinguishedName: ' | cut -d ' ' -f2-` +echo "STRDN: $STRDN" +STRGUID=`echo "$STRDN" | cut -d ';' -f1` +echo "STRGUID[$STRGUID]" + +echo "Getting STR GUID/SID of $BASEDN" +STRDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:1 | grep 'dn: ' | cut -d ' ' -f2-` +echo "STRDN: $STRDN" +STRSID=`echo "$STRDN" | cut -d ';' -f2` +echo "STRSID[$STRSID]" + +SPECIALDNS="$HEXGUID $STRGUID $STRSID" +for SPDN in $SPECIALDNS; do + echo "Search for $SPDN" + nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --scope=base -b "$SPDN" '(objectClass=*)' | grep "dn: $BASEDN" | wc -l` + if [ $nentries -lt 1 ]; then + echo "Special search returned 0 items" + failed=`expr $failed + 1` + fi +done + +echo "Search using OIDs instead of names" +nentries1=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectClass=user)' name | grep "^name: " | wc -l` +nentries2=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(2.5.4.0=1.2.840.113556.1.5.9)' name | grep "^name: " | wc -l` +if [ $nentries1 -lt 1 ]; then + echo "Error: Searching user via (objectClass=user): '$nentries1' < 1" + failed=`expr $failed + 1` +fi +if [ $nentries2 -lt 1 ]; then + echo "Error: Searching user via (2.5.4.0=1.2.840.113556.1.5.9) '$nentries2' < 1" + failed=`expr $failed + 1` +fi +if [ x"$nentries1" != x"$nentries2" ]; then + echo "Error: Searching user with OIDS[$nentries1] 
doesn't return the same as STRINGS[$nentries2]"
+ failed=`expr $failed + 1`
+fi
+
+exit $failed
diff --git a/testprogs/blackbox/test_ldb_simple.sh b/testprogs/blackbox/test_ldb_simple.sh
new file mode 100755
index 0000000..604c4a6
--- /dev/null
+++ b/testprogs/blackbox/test_ldb_simple.sh
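Review bot: `wellknown_object_test A361B2FFFFD211D1AA4B00C04FD7D83A Domain Controllers` passes the object name unquoted, so it arrives as two positional parameters; if the function binds the name as `$2` (its parameter assignments are not readable in this rendering), only `Domain` reaches the `grep "${object}"` check and the test is weaker than the five sibling calls — quote it: `wellknown_object_test A361B2FFFFD211D1AA4B00C04FD7D83A "Domain Controllers"`. The `grep ... | wc -l` pipelines feeding `n`, `c`, `nentries`, `nentries1` and `nentries2` can each be `grep -c ...`, which removes a process and avoids the whitespace-padded count some `wc` implementations print. The six identical `st=$?` / `if [ x"$st" != x"0" ]` blocks after the function could be one loop over the GUID/name pairs. The function itself begins outside the readable part of this hunk.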
@@ -0,0 +1,41 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat </dev/null | sha1sum | cut -b 1-10` + +RUNDIR=`pwd` +cd $BASEDIR +WORKDIR=`mktemp -d -p .` +WORKDIR=`basename $WORKDIR` +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" + +ldbsearch="ldbsearch" +if [ -x "$BINDIR/ldbsearch" ]; then + ldbsearch="$BINDIR/ldbsearch" +fi + +ldbadd="ldbadd" +if [ -x "$BINDIR/ldbadd" ]; then + ldbadd="$BINDIR/ldbadd" +fi + +ldbdel="ldbdel" +if [ -x "$BINDIR/ldbdel" ]; then + ldbdel="$BINDIR/ldbdel" +fi + +ldbmodify="ldbmodify" +if [ -x "$BINDIR/ldbmodify" ]; then + ldbmodify="$BINDIR/ldbmodify" +fi + +# Load test functions +. `dirname $0`/subunit.sh + +testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf") +testit "local krb5.conf created" \ + test -r \ + "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" || + failed=$((failed + 1)) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + +testit "test setspn list $netbios" $VALGRIND $net_tool ads setspn list $netbios -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` +spn="foo" +testit_expect_failure "test setspn add illegal windows spn ($spn)" $VALGRIND $net_tool ads setspn add $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +spn="foo/somehost.domain.com" +testit "test setspn add ($spn)" $VALGRIND $net_tool ads setspn add $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +found=$($net_tool ads setspn list 
-U$DC_USERNAME%$DC_PASSWORD | grep $spn | wc -l) +testit "test setspn list shows the newly added spn ($spn)" test $found -eq 1 || failed=`expr $failed + 1` + +up_spn=$(echo $spn | tr '[:lower:]' '[:upper:]') +testit_expect_failure "test setspn add existing (case-insensitive) spn ($spn)" $VALGRIND $net_tool ads setspn add $up_spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "test setspn delete existing (case-insensitive) ($spn)" $VALGRIND $net_tool ads setspn delete $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $spn | wc -l) +testit "test setspn list shows the newly deleted spn ($spn) is gone" test $found -eq 0 || failed=`expr $failed + 1` + +testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` + +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +# Test with kerberos method = secrets and keytab +dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab" +testit "join (dedicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') +uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') +lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]') +fqdn="$netbios.$lc_realm" + +krb_princ="primary/instance@$REALM" +testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +found=`$net_tool ads keytab 
list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $krb_princ | wc -l` + +testit "test (dedicated keytab) at least one fully qualified krb5 principal that was added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +machinename="machine123" +testit "test (dedicated keytab) add a kerberos prinicple created from machinename to keytab" $VALGRIND $net_tool ads keytab add $machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` +search_str="$machinename\$@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one krb5 principal created from $machinename added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +service="nfs" +testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +search_str="$service/$fqdn@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +search_str="$service/$uc_netbios@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one (shorter form) krb5 
principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +spn_service="random_srv" +spn_host="somehost.subdomain.domain" +spn_port="12345" + +windows_spn="$spn_service/$spn_host" +testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +search_str="$spn_service/$spn_host@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one krb5 principal created from windown SPN added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +windows_spn="$spn_service/$spn_host:$spn_port" +testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +search_str="$spn_service/$spn_host@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) at least one krb5 principal created from windown SPN (with port) added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +# keytab add shouldn't have written spn to AD +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l) +testit "test (dedicated keytab) spn is not written to AD (using keytab add)" test $found -eq 0 || failed=`expr $failed + 1` + +ad_service="writetoad" +testit "test (dedicated keytab) add a $ad_service service to keytab 
(using add_update_ads" $VALGRIND $net_tool ads keytab add_update_ads $ad_service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $ad_service | wc -l) +testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads)" test $found -eq 2 || failed=`expr $failed + 1` + + +# test existence in keytab of service (previously added) pulled from SPN post +# 'keytab create' is now present in keytab file +testit "test (dedicated keytab) keytab created succeeds" $VALGRIND $net_tool ads keytab create -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $ad_service | wc -l) +testit "test (dedicated keytab) spn service that exists in AD (created via add_update_ads) is added to keytab file" test $found -gt 1 || failed=`expr $failed + 1` + +found_ad=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l) +found_keytab=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $service | wc -l) +# test after create that a spn that exists in the keytab but shouldn't +# be written to the AD. 
+testit "test spn service doensn't exist in AD but is present in keytab file after keytab create" test $found_ad -eq 0 -a $found_keytab -gt 1 || failed=`expr $failed + 1` + +# SPN parser is very basic but does detect some illegal combination + +windows_spn="$spn_service/$spn_host:" +testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +windows_spn="$spn_service/$spn_host/" +testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` + +testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +# if there is no keytab, try and create it +if [ ! 
-f $dedicated_keytab_file ]; then + if [ $(command -v ktutil) >/dev/null ]; then + printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil + fi +fi + +if [ -f $dedicated_keytab_file ]; then + testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1` +fi + +rm -f $dedicated_keytab_file + +testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +testit "join+kerberos" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +testit "leave+kerberos" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1` + +testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1` + +testit "leave+server" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1` + +testit_expect_failure "join+invalid_server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -SINVALID && failed=`expr $failed + 1` + +testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit_expect_failure "leave+invalid_server" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD -SINVALID && failed=`expr $failed + 1` + +testit "testjoin user+password" $VALGRIND $net_tool ads 
testjoin -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1` + +base_dn="DC=addom,DC=samba,DC=example,DC=com" +computers_dn="CN=Computers,$base_dn" +testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` + +dns_alias1="${netbios}_alias1.other.${lc_realm}" +dns_alias2="${netbios}_alias2.other2.${lc_realm}" +testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` + +testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` +testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + +testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` +testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + +testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` +testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + +# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC +short_alias_file="$PREFIX_ABS/short_alias_file" +printf 'short_alias\0$' > $short_alias_file +cat > $PREFIX_ABS/tmpldbmodify < +# Copyright (C) 2006-2008 Andrew Bartlett + +if [ 
$# -lt 6 ]; then +cat </dev/null | sha1sum | cut -b 1-10` + +RUNDIR=`pwd` +cd $BASEDIR +WORKDIR=`mktemp -d -p .` +WORKDIR=`basename $WORKDIR` +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" + +# Load test functions +. `dirname $0`/subunit.sh + +# This make sure we are able to join AD in FIPS mode with Kerberos (NTLM doesn't work in FIPS mode). +testit "join" $VALGRIND $net_tool ads join --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` + +testit "leave" $VALGRIND $net_tool ads leave --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +rm -rf $BASEDIR/$WORKDIR + +exit $failed diff --git a/testprogs/blackbox/test_net_ads_search_server.sh b/testprogs/blackbox/test_net_ads_search_server.sh new file mode 100755 index 0000000..f8350c9 --- /dev/null +++ b/testprogs/blackbox/test_net_ads_search_server.sh 
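Review bot: In test_net_ads.sh the `testit_expect_failure` calls disagree on which outcome to count: "test setspn add illegal windows spn" and the keytab parse tests use `|| failed=...`, while "join+invalid_server" and "leave+invalid_server" use `&& failed=...`; only one of these matches the return value of `testit_expect_failure` in subunit.sh (outside this hunk), so the other pair either never counts an unexpected success or counts every expected failure. `if [ $(command -v ktutil) >/dev/null ]; then` only works by accident (it tests whether the expanded path is a non-empty string and redirects nothing useful); write `if command -v ktutil >/dev/null 2>&1; then`. The line below it puts `$DC_PASSWORD` inside the printf format string, where a `%` or backslash in the password would be interpreted; use `printf '%s\n' "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac" "$DC_PASSWORD" "wkt $dedicated_keytab_file" | ktutil`. The file headers for test_net_ads.sh, test_net_ads_dns.sh and test_net_ads_fips.sh appear lost in this rendering, so their boundaries within this hunk are inferred.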
@@ -0,0 +1,37 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat </dev/null | sha1sum | cut -b 1-10` + +RUNDIR=`pwd` +cd $BASEDIR +WORKDIR=`mktemp -d -p .` +WORKDIR=`basename $WORKDIR` +ODJFILE="$BASEDIR/$WORKDIR/odj_provision.txt" + + +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" + +# Load test functions +. `dirname $0`/subunit.sh + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + +# 1. Test w/o dcname + +testit "provision without dcname" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +rm -f $ODJFILE + +# 2. Test with dcname + +testit "provision with dcname" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE dcname=$DC_SERVER -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +rm -f $ODJFILE + +# 3. 
Test with defpwd + +testit "provision with dcname and default password" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE dcname=$DC_SERVER defpwd -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1` + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + +rm -f $ODJFILE + +rm -rf $BASEDIR/$WORKDIR + +exit $failed diff --git a/testprogs/blackbox/test_net_rpc_user.sh b/testprogs/blackbox/test_net_rpc_user.sh new file mode 100755 index 0000000..64ab01b --- /dev/null +++ b/testprogs/blackbox/test_net_rpc_user.sh 
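Review bot: The three provision/requestodj/testjoin rounds in test_net_offline.sh reuse the identical subunit names `"requestodj"` and `"testjoin"`, so a failure report cannot tell which scenario (without dcname, with dcname, defpwd) broke; a suffix such as `testit "requestodj (no dcname)" …`, `testit "testjoin (dcname)" …` keeps the names unique. The `@@` header and usage block of this file are not legible in this view (the text runs together with test_net_ads_search_server.sh), so the beginning of the script could not be reviewed. `$ODJFILE` holds the offline-join blob and is removed with `rm -f $ODJFILE` after every round; quoting it as `rm -f -- "$ODJFILE"` avoids surprises if `$BASEDIR` ever contains whitespace.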
@@ -0,0 +1,56 @@ +#!/bin/sh +# Blackbox tests for 'net rpc' +# +# Copyright (c) 2017 Andreas Schneider + +if [ $# -lt 4 ]; then +cat << EOF +Usage: net_rpc.sh SERVER ADMIN_ACCOUNT ADMIN_PASSWORD ADMIN_DOMAIN +EOF +exit 1 +fi + +SERVER=$1 +ADMIN_ACCOUNT=$2 +ADMIN_PASSWORD=$3 +ADMIN_DOMAIN=$4 +shift 4 + +failed=0 +samba_bindir="$BINDIR" + +samba_tool="$samba_bindir/samba-tool" +net_tool="$samba_bindir/net" + +TEST_USERNAME="$(mktemp -u samson-XXXXXX)" +TEST_PASSWORD="Passw0rd~01" + +newuser="$samba_tool user create" + +. `dirname $0`/subunit.sh +. `dirname $0`/common_test_fns.inc + +########################################################### +### Setup +########################################################### + +testit "net rpc user add" \ + $VALGRIND $net_tool rpc user add $TEST_USERNAME $TEST_PASSWORD -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +########################################################### +### Tests +########################################################### + +TEST_PASSWORD_NEW="Passw0rd~02" + +testit "net rpc user password" \ + $VALGRIND $net_tool rpc user password $TEST_USERNAME $TEST_PASSWORD_NEW -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +########################################################### +### Teardown +########################################################### + +testit "net rpc user delete" \ + $VALGRIND $net_tool rpc user delete $TEST_USERNAME -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_offline_logon.sh b/testprogs/blackbox/test_offline_logon.sh new file mode 100755 index 0000000..6b54a38 --- /dev/null +++ b/testprogs/blackbox/test_offline_logon.sh 
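Review bot: `samba_tool`, `newuser` and `ADMIN_DOMAIN` are assigned but never referenced in test_net_rpc_user.sh, so the `newuser="$samba_tool user create"` line and the `samba_tool=` line are dead code and should be dropped (or the domain passed to `net rpc`, if that was the intent). The usage text names the script `net_rpc.sh` while the file is test_net_rpc_user.sh; `Usage: test_net_rpc_user.sh SERVER ADMIN_ACCOUNT ADMIN_PASSWORD ADMIN_DOMAIN` matches the file. `TEST_USERNAME="$(mktemp -u samson-XXXXXX)"` is only used to derive a random account name, which is fine, but deserves a comment such as `# mktemp -u only yields a random suffix; no file is created`. The setup step adding the user is not checked before the password and delete tests run, so a failed add produces three failures instead of one; that is acceptable for a blackbox run but worth a comment.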
@@ -0,0 +1,43 @@ +#!/bin/sh +# Blackbox tests for winbind offline logon support +# Copyright (c) 2021 Andreas Schneider + +if [ $# -lt 9 ]; then +cat < $out +testit_grep "find my dn" msDS-SupportedEncryptionTypes cat $out || failed=`expr $failed + 1` + +my_dn=$(cat $out | sed -n 's/^dn: //p') +my_encs=$(cat $out | sed -n 's/^msDS-SupportedEncryptionTypes: //p') +my_test_encs=`expr $my_encs + 3` + +ldif="${PREFIX_ABS}/tmpldbmodify.ldif" + +cat > $ldif < $ldif < +# Copyright (c) 2006-2008 Andrew Bartlett +# Copyright (c) 2016 Andreas Schneider + +if [ $# -lt 6 ]; then +cat < $tmpfile < $PREFIX/tmpsmbpasswdscript < +# Copyright (C) 2006-2012 Andrew Bartlett + +if [ $# -lt 2 ]; then +cat < $tmpfile < $PREFIX/tmpsmbpasswdscript < +# Copyright (C) 2006-2008 Andrew Bartlett +# Copyright (C) 2022 Andreas Schneider + +if [ $# -lt 7 ]; then + cat < $ldif +rid=$(cat $ldif | sed -n 's/^objectSid: S-1-5-21-.*-.*-.*-//p') + +testit "search2" $VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testuser" dn || failed=`expr $failed + 1` +ldif="${TMPDIR}/search2.ldif" +$VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testuser dn > $ldif +user_dn=$(cat $ldif | sed -n 's/^dn: //p') + +ldif="${TMPDIR}/modify1.ldif" +cat > $ldif < $ldif < + +if [ $# -lt 8 ]; then + cat << EOF +Usage: test_rpcclient_schannel.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION TESTENV +EOF + exit 1 +fi + +DOMAIN=$1 +REALM=$2 +USERNAME=$3 +PASSWORD=$4 +SERVER=$5 +PREFIX=$6 +CONFIGURATION=$7 +TESTENV=$8 +shift 8 + +failed=0 + +samba_subunit_dir=$(dirname "$0") +. "${samba_subunit_dir}/subunit.sh" +. "${samba_subunit_dir}/common_test_fns.inc" + +samba_bindir="${BINDIR}" +samba_rpcclient="${samba_bindir}/rpcclient" + +test_rpc_getusername() +{ + cmd="$samba_rpcclient ncacn_np:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c getusername 2>&1" + out=$(eval "$cmd") + ret=$? 
+ if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +test_rpc_lookupsids() +{ + cmd="$samba_rpcclient ncacn_ip_tcp:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c 'lookupsids3 S-1-1-0' 2>&1" + out=$(eval "$cmd") + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "S-1-1-0 Everyone" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +testit "ncacn_np.getusername" \ + test_rpc_getusername || \ + failed=$((failed + 1)) + +if [[ "$TESTENV" == "ad_member_fips"* ]]; then + unset GNUTLS_FORCE_FIPS_MODE + + testit "ncacn_np.getusername.fips" \ + test_rpc_getusername || \ + failed=$((failed + 1)) + + GNUTLS_FORCE_FIPS_MODE=1 + export GNUTLS_FORCE_FIPS_MODE +fi + +testit "ncacn_ip_tcp.lookupsids" \ + test_rpc_lookupsids || \ + failed=$((failed + 1)) + +exit ${failed} diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh new file mode 100755 index 0000000..f27c7d6 --- /dev/null +++ b/testprogs/blackbox/test_s4u_heimdal.sh 
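Review bot: In test_rpcclient_schannel.sh both helpers build a command string and run it through `eval "$cmd"`, which re-parses `${SERVER}` and `${CONFIGURATION}` as shell syntax; whitespace or metacharacters in either value would split or reinterpret the command. A direct invocation avoids eval entirely, e.g. `out=$("$samba_rpcclient" "ncacn_np:${SERVER}[schannel]" --machine-pass "--configfile=${CONFIGURATION}" -c getusername 2>&1)` in test_rpc_getusername and the same shape with `-c 'lookupsids3 S-1-1-0'` and `ncacn_ip_tcp:` in test_rpc_lookupsids. The `if [[ "$TESTENV" == "ad_member_fips"* ]]` test is a bash construct; the shebang of this file is not legible in this view, so confirm the script runs under bash rather than `#!/bin/sh`. The header and usage block of this file, and several preceding scripts, are run together in this view and could not be reviewed.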
@@ -0,0 +1,94 @@ +#!/bin/sh + +if [ $# -lt 5 ]; then +cat < $PREFIX/tmppassfile +testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` + +testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +testit "test S4U2Self with sensitive user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` +testit_expect_failure "test S4U2Proxy with sensitive user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +rm -f $ocache +testit "unset not-delegated flag" $samba_tool user sensitive $princ off || failed=`expr $failed + 1` + +testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +echo $TRUST_PASSWORD > $PREFIX/tmppassfile +testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` +testit "get a ticket to impersonator for trust user" $samba4kgetcred -c 
$ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +echo $PASSWORD > $PREFIX/tmppassfile +testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` +testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + + +rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile +exit $failed diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh b/testprogs/blackbox/test_samba-tool_ntacl.sh new file mode 100755 index 0000000..4648fa6 --- /dev/null +++ b/testprogs/blackbox/test_samba-tool_ntacl.sh 
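Review bot: test_s4u_heimdal.sh writes credentials with `echo $TRUST_PASSWORD > $PREFIX/tmppassfile` and `echo $PASSWORD > $PREFIX/tmppassfile`: the unquoted `echo` mangles a password that starts with `-n`/`-e`, contains backslashes or glob characters, and the file is created with the default umask. `(umask 077; printf '%s\n' "$TRUST_PASSWORD" > "$PREFIX/tmppassfile")` writes the value verbatim and keeps the file private to the test user; the same applies to the `$PASSWORD` line. The file is only removed by the final `rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile`, so a `trap 'rm -f "$PREFIX/tmppassfile"' EXIT` placed before the first write would also cover an aborted run. The start of the file (usage text and the first `echo $PASSWORD` line) is not legible in this view.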
@@ -0,0 +1,132 @@ +#!/bin/sh +# Blackbox tests for samba-tool ntacl get/set on member server +# Copyright (C) 2018 Björn Baumbach + +if [ $# -ne 2 ]; then + echo "Usage: test_samba-tool_ntacl.sh PREFIX DOMSID" + exit 1 +fi + +PREFIX=$1 +domain_sid=$2 + +failed=0 + +samba4bindir="$BINDIR" +samba_tool="$samba4bindir/samba-tool" + +testfile="$PREFIX/ntacl_testfile" + +# acl from samba_tool/ntacl.py tests +acl="O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" +new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" +new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468" + +. `dirname $0`/subunit.sh + +UID_WRAPPER_ROOT=1 +export UID_WRAPPER_ROOT + +test_get_acl() +{ + testfile="$1" + exptextedacl="$2" + + retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl) || return $? 
+ + test "$retacl" = "$exptextedacl" +} + +test_set_acl() +{ + testfile="$1" + acl="$2" + + $PYTHON $samba_tool ntacl set "$acl" "$testfile" +} + +test_get_acl_ntvfs() +{ + testfile="$1" + exptextedacl="$2" + + retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl --use-ntvfs --xattr-backend=tdb --configfile=$PREFIX/ad_member/lib/server.conf) || return $? + + test "$retacl" = "$exptextedacl" +} + +test_set_acl_ntvfs() +{ + testfile="$1" + acl="$2" + + $PYTHON $samba_tool ntacl set "$acl" "$testfile" --use-ntvfs --xattr-backend=tdb --configfile=$PREFIX/ad_member/lib/server.conf +} + +test_changedomsid() +{ + testfile="$1" + + $PYTHON $samba_tool ntacl changedomsid \ + "$domain_sid" "$new_domain_sid" "$testfile" \ + --service=tmp \ + --configfile=$PREFIX/ad_member/lib/server.conf + + retacl=$($PYTHON $samba_tool ntacl get \ + "$testfile" \ + --as-sddl \ + --service=tmp \ + --configfile=$PREFIX/ad_member/lib/server.conf) || return $? + + test "$retacl" = "$new_acl" +} + +test_changedomsid_ntvfs() +{ + testfile="$1" + + $PYTHON $samba_tool ntacl changedomsid \ + "$domain_sid" "$new_domain_sid" "$testfile" \ + --use-ntvfs \ + --xattr-backend=tdb \ + --configfile=$PREFIX/ad_member/lib/server.conf + + retacl=$($PYTHON $samba_tool ntacl get \ + "$testfile" \ + --as-sddl \ + --xattr-backend=tdb \ + --use-ntvfs \ + --configfile=$PREFIX/ad_member/lib/server.conf) || return $? 
+ + test "$retacl" = "$new_acl" +} + +# work around include error - s4-loadparm does not allow missing include files +# +# Unable to load file /home/bbaumba/src/git/samba/st/ad_member/lib/server.conf +# File "bin/python/samba/netcmd/__init__.py", line 183, in _run +# return self.run(*args, **kwargs) +# File "bin/python/samba/netcmd/ntacl.py", line 175, in run +# lp = sambaopts.get_loadparm() +# File "bin/python/samba/getopt.py", line 92, in get_loadparm +# self._lp.load(os.getenv("SMB_CONF_PATH")) +# Processing section "[global]" +touch "$(dirname $SMB_CONF_PATH)/error_inject.conf" +touch "$(dirname $SMB_CONF_PATH)/delay_inject.conf" + +touch "$testfile" + +testit "set_ntacl" test_set_acl "$testfile" "$acl" || failed=`expr $failed + 1` + +testit "get_ntacl" test_get_acl "$testfile" "$acl" || failed=`expr $failed + 1` + +testit "changedomsid" test_changedomsid "$testfile" || failed=`expr $failed + 1` + +testit "set_ntacl_ntvfs" test_set_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1` +testit "get_ntacl_ntvfs" test_get_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1` + +testit "changedomsid_ntvfs" test_changedomsid_ntvfs "$testfile" || failed=`expr $failed + 1` + +rm -f "$testfile" + +exit $failed diff --git a/testprogs/blackbox/test_samba_upgradedns.sh b/testprogs/blackbox/test_samba_upgradedns.sh new file mode 100755 index 0000000..93799d4 --- /dev/null +++ b/testprogs/blackbox/test_samba_upgradedns.sh 
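Review bot: The helpers in test_samba-tool_ntacl.sh assign `testfile="$1"` and `acl="$2"` without `local` (not available in POSIX sh), so every call overwrites the script-level `acl` and `testfile` used later by `test_changedomsid`; today the callers pass the same values, but a second call with a different SDDL would silently change the global that later tests compare against. Renaming the parameters inside the functions, e.g. `target="$1"` and `sddl="$2"`, removes the coupling, and `exptextedacl` should read `expectedacl`. `touch "$(dirname $SMB_CONF_PATH)/error_inject.conf"` leaves `$SMB_CONF_PATH` unquoted inside the substitution; `"$(dirname "$SMB_CONF_PATH")/error_inject.conf"` is the safe form (same for delay_inject.conf). The work-around comment embeds a developer's home directory in the quoted traceback; trimming it to the `Unable to load file .../ad_member/lib/server.conf` line keeps the explanation without the noise.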
@@ -0,0 +1,38 @@ +#!/bin/sh +# Blackbox tests for the samba_upgradedns +# Copyright (C) 2006-2007 Jelmer Vernooij +# Copyright (C) 2006-2012 Andrew Bartlett + +if [ $# -lt 4 ]; then +cat < + +if [ $# -lt 12 ]; then +cat < + +if [ $# -lt 12 ]; then +cat <&1) + ret=$? + test x"$ret" = x"0" || { + echo "$out" + return 1 + } + + trust_sids=$(echo "$out" | grep '^tokenGroups' | grep "${TRUST_DOMSID}-" | wc -l) + test "$trust_sids" -ge "2" || { + echo "$out" + echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID" + return 1 + } + + domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l) + test "$domain_sids" -ge "1" || { + echo "$out" + echo "Less than 1 sid from $DOMAIN $DOMSID" + return 1 + } + + builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l) + test "$builtin_sids" -ge "1" || { + echo "$out" + echo "Less than 1 sid from BUILTIN S-1-5-32" + return 1 + } + + # + # The following should always be present + # + # SID_WORLD(S-1-1-0) + # SID_NT_NETWORK(S-1-5-2) + # SID_NT_AUTHENTICATED_USERS(S-1-5-11) + # + required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}" + for sid in $required_sids; do + found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l) + test x"$found" = x"1" || { + echo "$out" + echo "SID: ${sid} not found" + return 1 + } + done + + return 0 +} + +testit "Test token with kerberos" test_token "yes" "" || failed=`expr $failed + 1` +# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP +testit "Test token with NTLMSSP" test_token "no" "S-1-5-64-10" || failed=`expr $failed + 1` + +exit $failed diff --git a/testprogs/blackbox/test_trust_user_account.sh b/testprogs/blackbox/test_trust_user_account.sh new file mode 100755 index 0000000..63024a9 --- /dev/null +++ b/testprogs/blackbox/test_trust_user_account.sh 
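Review bot: In `test_token` each SID count is computed with `grep … | wc -l`, which spawns an extra process and yields a padded number on some platforms; `grep -c` does the same job directly, e.g. `trust_sids=$(echo "$out" | grep '^tokenGroups' | grep -c "${TRUST_DOMSID}-")`, and the `domain_sids`, `builtin_sids` and `found` lines follow the same pattern. The `found` check anchors with `^…$` around a SID that is a literal string, so `grep -Fxc "tokenGroups: ${sid}"` would be both faster and immune to any regex metacharacter in `${sid}`. The first half of `test_token` and the whole of test_samba_upgradedns.sh are not legible in this view (the hunks run together), so only the visible tail could be reviewed.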
@@ -0,0 +1,59 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat < + +if [ $# -lt 12 ]; then +cat < +# + +if [ $# -lt 6 ]; then +cat <&1 || failed=`expr $failed + 1` + +# We should be allowed to use NTLM for connecting +testit "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=`expr $failed + 1` + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` + +# We should not be allowed to use NTLM for connecting +testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=`expr $failed + 1` + +unset GNUTLS_FORCE_FIPS_MODE + +exit $failed diff --git a/testprogs/blackbox/test_weak_crypto_server.sh b/testprogs/blackbox/test_weak_crypto_server.sh new file mode 100755 index 0000000..fcd266d --- /dev/null +++ b/testprogs/blackbox/test_weak_crypto_server.sh @@ -0,0 +1,64 @@ +#!/bin/sh + +# +# Blackbox tests for weak crytpo +# Copyright (c) 2020 Andreas Schneider +# + +if [ $# -lt 7 ]; then +cat <$testparm_stderr_output_path >/dev/null + + grep "Weak crypto is allowed" $testparm_stderr_output_path >/dev/null 2>&1 + if [ $ret -ne 0 ]; then + echo "Invalid crypto state:" + cat $testparm_stderr_output_path + rm -f $testparm_stderr_output_path + return 1 + fi + + rm -f $testparm_stderr_output_path + + return 0 +} + +unset GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit "testparm-weak-crypto" test_weak_crypto_allowed || failed=`expr $failed + 1` + +# We should not be allowed to use NTLM for connecting +testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER_IP[ntlm] -U$USERNAME%$PASSWORD -c "getusername" && failed=`expr $failed + 1` + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +exit $failed 
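Review bot: In `test_weak_crypto_allowed` of test_weak_crypto_server.sh the result of `grep "Weak crypto is allowed" $testparm_stderr_output_path >/dev/null 2>&1` is never captured: `ret` is not assigned after the grep, so `if [ $ret -ne 0 ]` tests a stale or unset value and the function cannot detect that the string is missing. Replace the two lines with `grep -q "Weak crypto is allowed" "$testparm_stderr_output_path"` followed by `ret=$?`. The final check `testit_expect_failure "rpclient.ntlm" … && failed=…` increments the counter when the expectation is met, the opposite of the `|| failed=…` form used by test_weak_crypto.sh earlier in this series, and the preceding comment says NTLM "should not be allowed" while the function asserts "Weak crypto is allowed"; if the inversion is intentional for this server environment, a comment should say so, otherwise `&&` should be `||`. The headers of test_trust_user_account.sh and test_weak_crypto.sh in the same stretch are not legible in this view.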
diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh new file mode 100755 index 0000000..2822ab2 --- /dev/null +++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# Blackbox tests for diabing NTLMSSP for ldap clinet connections +# Copyright (c) 2022 Pavel Filipenský + +if [ $# -lt 2 ]; then +cat <&1 || failed=`expr $failed + 1` + +# We should be allowed to use NTLM for connecting +testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` + +# We should not be allowed to use NTLM for connecting +testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` + +unset GNUTLS_FORCE_FIPS_MODE + +exit $failed diff --git a/testprogs/blackbox/test_wintest.sh b/testprogs/blackbox/test_wintest.sh new file mode 100755 index 0000000..5019900 --- /dev/null +++ b/testprogs/blackbox/test_wintest.sh 
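Review bot: The header comment of test_weak_disable_ntlmssp_ldap.sh contains two typos, "diabing" and "clinet"; it should read `# Blackbox tests for disabling NTLMSSP for ldap client connections`. Both `testparm` invocations pass `$SMB_CONF_PATH` unquoted; `"$SMB_CONF_PATH"` is the safe form. The usage block of the script is not legible in this view and could not be reviewed.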
@@ -0,0 +1,44 @@ +#!/bin/sh +# Blackbox tests for testing against windows machines +# Copyright (C) 2008 Jim McDonough + + +testwithconf() { +# define test variables, startup/shutdown scripts +. $1 +shift 1 + +if [ -n "$WINTEST_STARTUP" ]; then +. $WINTEST_STARTUP; +fi + +testit "smbtorture" $smbtorture //$SERVER/$SHARE RAW-OPEN -W "$DOMAIN" -U"$USERNAME%$PASSWORD" $@ || failed=`expr $failed + 1` + +if [ -n "$WINTEST_SHUTDOWN" ]; then +. $WINTEST_SHUTDOWN; +fi +} + + +# main +# skip without WINTEST_CONF_DIR +if [ -z "$WINTEST_CONF_DIR" ]; then +exit 0; +fi + +unset SOCKET_WRAPPER_DIR + +failed=0 + +$basedir=`pwd` + +samba4bindir=`dirname $0`/../../source4/bin +smbtorture=$samba4bindir/smbtorture + +. `dirname $0`/subunit.sh + +for wintest_conf in $WINTEST_CONF_DIR/*.conf; do +testwithconf "$wintest_conf" $@; +done + +exit $failed diff --git a/testprogs/blackbox/tfork.sh b/testprogs/blackbox/tfork.sh new file mode 100755 index 0000000..0f75a8c --- /dev/null +++ b/testprogs/blackbox/tfork.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +sleep 1 + +echo stdout >&1 +echo $1 >&1 +echo stderror >&2 + +# close stdout and stderror, but don't exit yet +exec 1>&- +exec 2>&- + +sleep 1 + +exit 0 diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh new file mode 100755 index 0000000..e2b064d --- /dev/null +++ b/testprogs/blackbox/tombstones-expunge.sh 
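Review bot: `$basedir=\`pwd\`` in test_wintest.sh expands the (empty) variable before the assignment, so the shell tries to execute a command named `=/current/dir` and `basedir` is never set; the intended line is `basedir=$(pwd)`, and since nothing later reads it the line can simply be dropped. `$@` is passed unquoted both in `testwithconf "$wintest_conf" $@` and in the `smbtorture` line inside `testwithconf`, which re-splits any argument containing whitespace; use `"$@"` in both places. `testwithconf` sources `$1`, `$WINTEST_STARTUP` and `$WINTEST_SHUTDOWN` with `.`, so those files run with the harness's privileges; a comment stating that `WINTEST_CONF_DIR` must point at trusted configuration would make that contract explicit. The tfork.sh hunk that follows is a small helper and raises nothing beyond `echo $1 >&1` being better written as `printf '%s\n' "$1"`.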
@@ -0,0 +1,245 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat < $tmpldif1 + + $PYTHON $BINDIR/samba-tool domain tombstones expunge -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --current-time=2016-07-30 --tombstone-lifetime=4 > $tmpfile + if [ "$?" != "0" ]; then + return 1 + fi + diff -u $tmpfile $release_dir/expected-expunge-output.txt + if [ "$?" != "0" ]; then + return 1 + fi + + tmpldif2=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN > $tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_dangling_link() { + ldif=$release_dir/add-dangling-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_two_more_users() { + ldif=$release_dir/add-two-more-users.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_four_more_links() { + ldif=$release_dir/add-four-more-links.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_unsorted_links() { + ldif=$release_dir/add-unsorted-links-step1.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif --relax + if [ "$?" != "0" ]; then + return 1 + fi + ldif=$release_dir/add-unsorted-links-step2.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_link() { + ldif=$release_dir/remove-one-more-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi +} + +remove_one_user() { + ldif=$release_dir/remove-one-more-user.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_match_rule_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-match-rule-links.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted no_attrs > $tmpldif + diff -u $tmpldif $release_dir/expected-match-rule-links.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_match_rule_links_negative() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=-131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_overflow() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744073709551617)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_null() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744\073709551617)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_hex() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=abcd)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_hex2() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=0xabcd)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_decimal() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 
'(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000.00)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_backlink() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(memberOf:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted memberOf +} + +check_match_rule_links_notlink() { + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samAccountName:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName +} + +check_expected_after_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member > $tmpldif + diff -u $tmpldif $release_dir/expected-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_deleted_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member > $tmpldif + diff -u $tmpldif $release_dir/expected-deleted-links-after-expunge.ldif + if [ "$?" 
!= "0" ]; then + return 1 + fi +} + +check_expected_after_objects() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user2))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName > $tmpldif + diff -u $tmpldif $release_dir/expected-objects-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_unsorted_links() { + tmpldif=$PREFIX_ABS/$RELEASE/expected-unsorted-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(name=unsorted-g)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member > $tmpldif + diff -u $tmpldif $release_dir/expected-unsorted-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_directory $PREFIX_ABS/${RELEASE} + +testit $RELEASE undump || failed=`expr $failed + 1` +testit "add_two_more_users" add_two_more_users || failed=`expr $failed + 1` +testit "add_four_more_links" add_four_more_links || failed=`expr $failed + 1` +testit "add_dangling_link" add_dangling_link || failed=`expr $failed + 1` +testit "remove_one_link" remove_one_link || failed=`expr $failed + 1` +testit "remove_one_user" remove_one_user || failed=`expr $failed + 1` +testit "check_match_rule_links" check_match_rule_links || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_negative" check_match_rule_links_negative || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_overflow" check_match_rule_links_overflow || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_null" check_match_rule_links_null || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_hex" check_match_rule_links_hex || failed=`expr 
$failed + 1` +testit_expect_failure "check_match_rule_links_hex2" check_match_rule_links_hex2 || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_decimal" check_match_rule_links_decimal || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_backlink" check_match_rule_links_backlink || failed=`expr $failed + 1` +testit_expect_failure "check_match_rule_links_notlink" check_match_rule_links_notlink || failed=`expr $failed + 1` +testit "add_unsorted_links" add_unsorted_links || failed=`expr $failed + 1` +testit "tombstones_expunge" tombstones_expunge || failed=`expr $failed + 1` +testit "check_expected_after_deleted_links" check_expected_after_deleted_links || failed=`expr $failed + 1` +testit "check_expected_after_links" check_expected_after_links || failed=`expr $failed + 1` +testit "check_expected_after_objects" check_expected_after_objects || failed=`expr $failed + 1` +testit "check_expected_unsorted_links" check_expected_unsorted_links || failed=`expr $failed + 1` + +remove_directory $PREFIX_ABS/${RELEASE} + +exit $failed diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh new file mode 100755 index 0000000..c625179 --- /dev/null +++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh 
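Review bot: The two `remove_directory $PREFIX_ABS/${RELEASE}` calls in tombstones-expunge.sh are destructive and take an unquoted path built from two variables; if either is empty the target silently collapses to a different directory, so `remove_directory "${PREFIX_ABS:?}/${RELEASE:?}"` aborts the run instead. Every helper repeats `if [ "$?" != "0" ]; then return 1; fi` after its command; `TZ=UTC $ldbmodify -H … $ldif || return 1` expresses the same check in one line and cannot be broken by a command inserted between the call and the `$?` test (this applies to `tombstones_expunge`, `add_dangling_link`, `add_two_more_users`, `add_four_more_links`, `add_unsorted_links`, `remove_one_link`, `remove_one_user` and the `check_expected_*` helpers). `check_match_rule_links_null` deliberately embeds `\073` inside a single-quoted filter, which reaches ldb as a literal backslash sequence; a one-line comment such as `# backslash-escaped octet in the filter value must be rejected` would explain why this case is expected to fail. The usage block, variable setup and `undump` helper at the top of the file are not legible in this view.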
@@ -0,0 +1,225 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat < $PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf + + cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade_full/private/ + cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade_full/ + mkdir $PREFIX_ABS/${RELEASE}_upgrade_full/etc/ + sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade_full|g" $release_dir/etc/smb.conf.template \ + > $PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf +} + +remove_dns_user() { + if [ x$RELEASE != x"release-4-0-0" ]; then + # This is done, because otherwise the upgrdeprovision will not run without --full + ${LDBDEL_BIN} -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb cn=dns,cn=users,dc=${RELEASE},dc=samba,dc=corp + fi +} + +reindex() { + $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@ +} + +# This should 'fail', because it returns the number of modified records +dbcheck() { + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@ +} + +dbcheck_clean() { + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@ +} + +# This should 'fail', because it returns the number of modified records +dbcheck_full() { + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@ +} + +dbcheck_full_clean() { + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@ +} + +# This checks that after the upgrade, the well known ACLs are correct, so this reset should not want to do anything +dbcheck_full_clean_well_known_acls() { + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@ +} + +upgradeprovision() { + # bring the really old Samba schema in line with a more recent 2008R2 schema + $PYTHON 
$BINDIR/samba_upgradeprovision --configfile="$PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf" --debugchange
+
+ # on top of this, also apply 2008R2 changes we accidentally missed in the past
+ $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf
+
+ # add missing domain prep for 2008R2
+ $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --domain --function-level 2008_R2
+}
+
+upgradeprovision_full() {
+ # add missing domain prep for 2008R2
+ $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --domain --function-level 2008_R2
+
+ $PYTHON $BINDIR/samba_upgradeprovision --configfile="$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf" --full --debugchange
+}
+
+samba_upgradedns() {
+ $PYTHON $BINDIR/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile="$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf"
+}
+
+referenceprovision() {
+ $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old
+}
+
+ldapcmp() {
+ if [ x$RELEASE != x"alpha13" ]; then
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes,servicePrincipalName
+ fi
+}
+
+ldapcmp_full() {
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --filter=dNSProperty,dnsRecord,cn,displayName,versionNumber,systemFlags,msDS-HasInstantiatedNCs,servicePrincipalName --skip-missing-dn
+}
+
+ldapcmp_sd() {
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --sd --skip-missing-dn
+}
+
+ldapcmp_full_sd() {
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --sd --skip-missing-dn
+}
+
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade_full
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade_reference
+
+testit $RELEASE undump || failed=`expr $failed + 1`
+testit "remove_dns_user" remove_dns_user || failed=`expr $failed + 1`
+testit "upgradeprovision" upgradeprovision || failed=`expr $failed + 1`
+testit "upgradeprovision_full" upgradeprovision_full || failed=`expr $failed + 1`
+testit "reindex" reindex || failed=`expr $failed + 1`
+testit_expect_failure "dbcheck" dbcheck || failed=`expr $failed + 1`
+testit_expect_failure "dbcheck_full" dbcheck_full || failed=`expr $failed + 1`
+testit "dbcheck_clean" dbcheck_clean || failed=`expr $failed + 1`
+testit "dbcheck_full_clean" dbcheck_full_clean || failed=`expr $failed + 1`
+testit "dbcheck_full_clean_well_known_acls" dbcheck_full_clean_well_known_acls || failed=`expr $failed + 1`
+testit "referenceprovision" referenceprovision || failed=`expr $failed + 1`
+testit "samba_upgradedns" samba_upgradedns || failed=`expr $failed + 1`
+testit "ldapcmp" ldapcmp || failed=`expr $failed + 1`
+testit "ldapcmp_sd" ldapcmp_sd || failed=`expr $failed + 1`
+testit "ldapcmp_full_sd" ldapcmp_full_sd || failed=`expr $failed + 1`
+
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade_full
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade_reference
+
+exit $failed
diff --git a/testprogs/blackbox/wintest/wintest.conf b/testprogs/blackbox/wintest/wintest.conf
new file mode 100644
index 0000000..d140366
--- /dev/null
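Review bot: `ldapcmp_full` is defined but never invoked in the `testit` list at the end of the hunk, so the attribute-level comparison of the `_upgrade_full` tree against the reference provision is not exercised; only `ldapcmp_full_sd` runs against that tree. If that is deliberate, a comment above the definition should say why it is not run, otherwise add `testit "ldapcmp_full" ldapcmp_full || failed=`expr $failed + 1`` after the `ldapcmp` line. Separately, `reindex`, `dbcheck`, `dbcheck_clean`, `dbcheck_full`, `dbcheck_full_clean` and `dbcheck_full_clean_well_known_acls` forward their arguments as unquoted `$@`, which word-splits any argument containing whitespace; under `#!/bin/sh` the portable form is `"$@"`. The comment in `remove_dns_user` also misspells `upgradeprovision`. The usage heredoc and the start of `undump` are not legible in this rendering of the hunk, so those lines were not reviewed.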
+++ b/testprogs/blackbox/wintest/wintest.conf
@@ -0,0 +1,7 @@
+#export WINTEST_STARTUP="/tmp/startup client"
+#export WINTEST_SHUTDOWN=/tmp/shutdown client"
+export DOMAIN="client"
+export USERNAME="administrator"
+export PASSWORD="samba"
+export SERVER="192.168.213.161"
+export SHARE="c\$"
\ No newline at end of file
-- cgit v1.2.3
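Review bot: `wintest.conf` commits a plaintext `PASSWORD` together with a fixed `SERVER` address and an `administrator` account name, so anyone with read access to the tree learns the credential for the Windows test host; this is presumably a lab default, but nothing in the file says so. I would add a header comment such as `# Defaults for the wintest lab VM only; override every value via the environment before running`. The commented-out `WINTEST_SHUTDOWN` line is missing its opening double quote (`=/tmp/shutdown client"`), so it will fail to parse if someone uncomments it. The file also lacks a trailing newline.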