summaryrefslogtreecommitdiffstats
path: root/selftest/target/Samba.pm
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
commit8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch)
tree4099e8021376c7d8c05bdf8503093d80e9c7bad0 /selftest/target/Samba.pm
parentInitial commit. (diff)
downloadsamba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz
samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'selftest/target/Samba.pm')
-rw-r--r--selftest/target/Samba.pm1149
1 files changed, 1149 insertions, 0 deletions
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
new file mode 100644
index 0000000..516684e
--- /dev/null
+++ b/selftest/target/Samba.pm
@@ -0,0 +1,1149 @@
+#!/usr/bin/perl
+# Bootstrap Samba and run a number of tests against it.
+# Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
+# Published under the GNU GPL, v3 or later.
+
+package Samba;
+
+use strict;
+use warnings;
+use target::Samba3;
+use target::Samba4;
+use POSIX;
+use Cwd qw(abs_path);
+use IO::Poll qw(POLLIN);
+
+sub new($$$$$) {
+ my ($classname, $bindir, $srcdir, $server_maxtime,
+ $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap,
+ $default_ldb_backend) = @_;
+
+ my $self = {
+ opt_socket_wrapper_pcap => $opt_socket_wrapper_pcap,
+ opt_socket_wrapper_keep_pcap => $opt_socket_wrapper_keep_pcap,
+ };
+ $self->{samba3} = new Samba3($self, $bindir, $srcdir, $server_maxtime);
+ $self->{samba4} = new Samba4($self, $bindir, $srcdir, $server_maxtime, $default_ldb_backend);
+ bless $self;
+ return $self;
+}
+
+%Samba::ENV_DEPS = (%Samba3::ENV_DEPS, %Samba4::ENV_DEPS);
+our %ENV_DEPS;
+
+%Samba::ENV_DEPS_POST = (%Samba3::ENV_DEPS_POST, %Samba4::ENV_DEPS_POST);
+our %ENV_DEPS_POST;
+
+%Samba::ENV_TARGETS = (
+ (map { $_ => "Samba3" } keys %Samba3::ENV_DEPS),
+ (map { $_ => "Samba4" } keys %Samba4::ENV_DEPS),
+);
+our %ENV_TARGETS;
+
+%Samba::ENV_NEEDS_AD_DC = (
+ (map { $_ => 1 } keys %Samba4::ENV_DEPS)
+);
+our %ENV_NEEDS_AD_DC;
+foreach my $env (keys %Samba3::ENV_DEPS) {
+ $ENV_NEEDS_AD_DC{$env} = ($env =~ /^ad_/);
+}
+
+sub setup_pcap($$)
+{
+ my ($self, $name) = @_;
+
+ return unless ($self->{opt_socket_wrapper_pcap});
+ return unless defined($ENV{SOCKET_WRAPPER_PCAP_DIR});
+
+ my $fname = $name;
+ $fname =~ s%[^abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\-]%_%g;
+
+ my $pcap_file = "$ENV{SOCKET_WRAPPER_PCAP_DIR}/$fname.pcap";
+
+ SocketWrapper::setup_pcap($pcap_file);
+
+ return $pcap_file;
+}
+
+sub cleanup_pcap($$$)
+{
+ my ($self, $pcap_file, $exitcode) = @_;
+
+ return unless ($self->{opt_socket_wrapper_pcap});
+ return if ($self->{opt_socket_wrapper_keep_pcap});
+ return unless ($exitcode == 0);
+ return unless defined($pcap_file);
+
+ unlink($pcap_file);
+}
+
+sub setup_env($$$)
+{
+ my ($self, $envname, $path) = @_;
+
+ my $targetname = $ENV_TARGETS{$envname};
+ if (not defined($targetname)) {
+ warn("Samba can't provide environment '$envname'");
+ return "UNKNOWN";
+ }
+
+ my %targetlookup = (
+ "Samba3" => $self->{samba3},
+ "Samba4" => $self->{samba4}
+ );
+ my $target = $targetlookup{$targetname};
+
+ if (defined($target->{vars}->{$envname})) {
+ return $target->{vars}->{$envname};
+ }
+
+ $target->{vars}->{$envname} = "";
+
+ my @dep_vars;
+ foreach(@{$ENV_DEPS{$envname}}) {
+ my $vars = $self->setup_env($_, $path);
+ if (defined($vars)) {
+ push(@dep_vars, $vars);
+ } else {
+ warn("Failed setting up $_ as a dependency of $envname");
+ return undef;
+ }
+ }
+
+ $ENV{ENVNAME} = $envname;
+ # Avoid hitting system krb5.conf -
+ # An env that needs Kerberos will reset this to the real value.
+ $ENV{KRB5_CONFIG} = "$path/no_krb5.conf";
+ $ENV{RESOLV_CONF} = "$path/no_resolv.conf";
+
+ my $setup_name = $ENV_TARGETS{$envname}."::setup_".$envname;
+ my $setup_sub = \&$setup_name;
+ my $setup_pcap_file = $self->setup_pcap("env-$ENV{ENVNAME}-setup");
+ my $env = &$setup_sub($target, "$path/$envname", @dep_vars);
+ $self->cleanup_pcap($setup_pcap_file, not defined($env));
+ SocketWrapper::setup_pcap(undef);
+
+ if (not defined($env)) {
+ warn("failed to start up environment '$envname'");
+ return undef;
+ }
+ if ($env eq "UNKNOWN") {
+ warn("unknown environment '$envname'");
+ return $env;
+ }
+
+ $target->{vars}->{$envname} = $env;
+ $target->{vars}->{$envname}->{target} = $target;
+
+ foreach(@{$ENV_DEPS_POST{$envname}}) {
+ if (not defined $_) {
+ continue;
+ }
+ my $vars = $self->setup_env($_, $path);
+ if (not defined($vars)) {
+ return undef;
+ }
+ }
+
+ return $env;
+}
+
+sub bindir_path($$) {
+ my ($object, $path) = @_;
+
+ my $valpath = "$object->{bindir}/$path";
+ my $python_cmd = "";
+ my $result = $path;
+ if (defined $ENV{'PYTHON'}) {
+ $python_cmd = $ENV{'PYTHON'} . " ";
+ }
+
+ if (-f $valpath or -d $valpath) {
+ $result = $valpath;
+ }
+ # make sure we prepend samba-tool with calling $PYTHON python version
+ if ($path eq "samba-tool") {
+ $result = $python_cmd . $result;
+ }
+ return $result;
+}
+
+sub nss_wrapper_winbind_so_path($) {
+ my ($object) = @_;
+ my $ret = $ENV{NSS_WRAPPER_WINBIND_SO_PATH};
+ if (not defined($ret)) {
+ $ret = bindir_path($object, "plugins/libnss_wrapper_winbind.so.2");
+ $ret = abs_path($ret);
+ }
+ return $ret;
+}
+
+sub copy_file_content($$)
+{
+ my ($in, $out) = @_;
+ open(IN, "${in}") or die("failed to open in[${in}] for reading: $!");
+ open(OUT, ">${out}") or die("failed to open out[${out}] for writing: $!");
+ while(<IN>) {
+ print OUT $_;
+ }
+ close(OUT);
+ close(IN);
+}
+
+sub prepare_keyblobs($)
+{
+ my ($ctx) = @_;
+
+ my $cadir = "$ENV{SRCDIR_ABS}/selftest/manage-ca/CA-samba.example.com";
+ my $cacert = "$cadir/Public/CA-samba.example.com-cert.pem";
+ # A file containing a CRL with no revocations.
+ my $cacrl_pem = "$cadir/Public/CA-samba.example.com-crl.pem";
+ my $dcdnsname = "$ctx->{hostname}.$ctx->{dnsname}";
+ my $dcdir = "$cadir/DCs/$dcdnsname";
+ my $dccert = "$dcdir/DC-$dcdnsname-cert.pem";
+ my $dckey_private = "$dcdir/DC-$dcdnsname-private-key.pem";
+ my $adminprincipalname = "administrator\@$ctx->{dnsname}";
+ my $admindir = "$cadir/Users/$adminprincipalname";
+ my $admincert = "$admindir/USER-$adminprincipalname-cert.pem";
+ my $adminkey_private = "$admindir/USER-$adminprincipalname-private-key.pem";
+ my $pkinitprincipalname = "pkinit\@$ctx->{dnsname}";
+ my $ca_pkinitdir = "$cadir/Users/$pkinitprincipalname";
+ my $pkinitcert = "$ca_pkinitdir/USER-$pkinitprincipalname-cert.pem";
+ my $pkinitkey_private = "$ca_pkinitdir/USER-$pkinitprincipalname-private-key.pem";
+
+ my $tlsdir = "$ctx->{tlsdir}";
+ my $pkinitdir = "$ctx->{prefix_abs}/pkinit";
+ #TLS and PKINIT crypto blobs
+ my $dhfile = "$tlsdir/dhparms.pem";
+ my $cafile = "$tlsdir/ca.pem";
+ my $crlfile = "$tlsdir/crl.pem";
+ my $certfile = "$tlsdir/cert.pem";
+ my $keyfile = "$tlsdir/key.pem";
+ my $admincertfile = "$pkinitdir/USER-$adminprincipalname-cert.pem";
+ my $adminkeyfile = "$pkinitdir/USER-$adminprincipalname-private-key.pem";
+ my $pkinitcertfile = "$pkinitdir/USER-$pkinitprincipalname-cert.pem";
+ my $pkinitkeyfile = "$pkinitdir/USER-$pkinitprincipalname-private-key.pem";
+
+ mkdir($tlsdir, 0700);
+ mkdir($pkinitdir, 0700);
+ my $oldumask = umask;
+ umask 0077;
+
+ # This is specified here to avoid draining entropy on every run
+ # generate by
+ # openssl dhparam -out dhparms.pem -text -2 8192
+ open(DHFILE, ">$dhfile");
+ print DHFILE <<EOF;
+-----BEGIN DH PARAMETERS-----
+MIIECAKCBAEAlcpjuJptCzC2bIIApLuyFLw2nODQUztqs/peysY9e3LgWh/xrc87
+SWJNSUrqFJFh2m357WH0XGcTdTk0b/8aIYIWjbwEhWR/5hZ+1x2TDrX1awkYayAe
+pr0arycmWHaAmhw+m+dBdj2O2jRMe7gn0ha85JALNl+Z3wv2q2eys8TIiQ2dbHPx
+XvpMmlAv7QHZnpSpX/XgueQr6T3EYggljppZwk1fe4W2cxBjCv9w/Q83pJXMEVVB
+WESEQPZC38v6hVIXIlF4J7jXjV3+NtCLL4nvsy0jrLEntyKz5OB8sNPRzJr0Ju2Y
+yXORCSMMXMygP+dxJtQ6txzQYWyaCYN1HqHDZy3cFL9Qy8kTFqIcW56Lti2GsW/p
+jSMzEOa1NevhKNFL3dSZJx5m+5ZeMvWXlCqXSptmVdbs5wz5jkMUm/E6pVfM5lyb
+Ttlcq2iYPqnJz1jcL5xwhoufID8zSJCPJ7C0jb0Ngy5wLIUZfjXJUXxUyxTnNR9i
+N9Sc+UkDvLxnCW+qzjyPXGlQU1SsJwMLWa2ZecL/uYE4bOdcN3g+5WHkevyDnXqR
++yy9x7sGXjBT3bRWK5tVHJWOi6eBu1hp39U6aK8oOJWiUt3vmC2qEdIsT6JaLNNi
+YKrSfRGBf19IJBaagen1S19bb3dnmwoU1RaWM0EeJQW1oXOBg7zLisB2yuu5azBn
+tse00+0nc+GbH2y+jP0sE7xil1QeilZl+aQ3tX9vL0cnCa+8602kXxU7P5HaX2+d
+05pvoHmeZbDV85io36oF976gBYeYN+qAkTUMsIZhuLQDuyn0963XOLyn1Pm6SBrU
+OkIZXW7WoKEuO/YSfizUIqXwmAMJjnEMJCWG51MZZKx//9Hsdp1RXSm/bRSbvXB7
+MscjvQYWmfCFnIk8LYnEt3Yey40srEiS9xyZqdrvobxz+sU1XcqR38kpVf4gKASL
+xURia64s4emuJF+YHIObyydazQ+6/wX/C+m+nyfhuxSO6j1janPwtYbU+Uj3TzeM
+04K1mpPQpZcaMdZZiNiu7i8VJlOPKAz7aJT8TnMMF5GMyzyLpSMpc+NF9L/BSocV
+/cUM4wQT2PTHrcyYzmTVH7c9bzBkuxqrwVB1BY1jitDV9LIYIVBglKcX88qrfHIM
+XiXPAIwGclD59qm2cG8OdM9NA5pNMI119KuUAIJsUdgPbR1LkT2XTT15YVoHmFSQ
+DlaWOXn4td031jr0EisX8QtFR7+/0Nfoni6ydFGs5fNH/L1ckq6FEO4OhgucJw9H
+YRmiFlsQBQNny78vNchwZne3ZixkShtGW0hWDdi2n+h7St1peNJCNJjMbEhRsPRx
+RmNGWh4AL8rho4RO9OBao0MnUdjbbffD+wIBAg==
+-----END DH PARAMETERS-----
+EOF
+ close(DHFILE);
+
+ if (! -e ${dckey_private}) {
+ umask $oldumask;
+ return;
+ }
+
+ copy_file_content(${cacert}, ${cafile});
+ copy_file_content(${cacrl_pem}, ${crlfile});
+ copy_file_content(${dccert}, ${certfile});
+ copy_file_content(${dckey_private}, ${keyfile});
+ if (-e ${adminkey_private}) {
+ copy_file_content(${admincert}, ${admincertfile});
+ copy_file_content(${adminkey_private}, ${adminkeyfile});
+ }
+ if (-e ${pkinitkey_private}) {
+ copy_file_content(${pkinitcert}, ${pkinitcertfile});
+ copy_file_content(${pkinitkey_private}, ${pkinitkeyfile});
+ }
+
+ # COMPAT stuff to be removed in a later commit
+ my $kdccertfile = "$tlsdir/kdc.pem";
+ copy_file_content(${dccert}, ${kdccertfile});
+
+ umask $oldumask;
+}
+
+sub copy_gnupg_home($)
+{
+ my ($ctx) = @_;
+
+ my $gnupg_srcdir = "$ENV{SRCDIR_ABS}/selftest/gnupg";
+ my @files = (
+ "gpg.conf",
+ "pubring.gpg",
+ "secring.gpg",
+ "trustdb.gpg",
+ );
+
+ my $oldumask = umask;
+ umask 0077;
+ mkdir($ctx->{gnupghome}, 0777);
+ umask 0177;
+ foreach my $file (@files) {
+ my $srcfile = "${gnupg_srcdir}/${file}";
+ my $dstfile = "$ctx->{gnupghome}/${file}";
+ copy_file_content(${srcfile}, ${dstfile});
+ }
+ umask $oldumask;
+}
+
+sub mk_krb5_conf($$)
+{
+ my ($ctx) = @_;
+
+ unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
+ warn("can't open $ctx->{krb5_conf}$?");
+ return undef;
+ }
+
+ my $our_realms_stanza = mk_realms_stanza($ctx->{realm},
+ $ctx->{dnsname},
+ $ctx->{domain},
+ $ctx->{kdc_ipv4});
+ print KRB5CONF "
+#Generated krb5.conf for $ctx->{realm}
+
+[libdefaults]
+ default_realm = $ctx->{realm}
+ dns_lookup_realm = false
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ forwardable = yes
+
+ # We are running on the same machine, do not correct
+ # system clock differences
+ kdc_timesync = 0
+
+ fcache_strict_checking = false
+";
+
+ if (defined($ENV{MITKRB5})) {
+ print KRB5CONF "
+ # Set the grace clockskew to 5 seconds
+ # This is especially required by samba3.raw.session krb5 and
+ # reauth tests when not using Heimdal
+ clockskew = 5
+ # To allow the FL 2000 DC to still work for now
+ allow_rc4 = yes
+ ";
+ }
+
+ if (defined($ctx->{krb5_ccname})) {
+ print KRB5CONF "
+ default_ccache_name = $ctx->{krb5_ccname}
+";
+ }
+
+
+ if (defined($ctx->{supported_enctypes})) {
+ print KRB5CONF "
+ default_etypes = $ctx->{supported_enctypes}
+ default_as_etypes = $ctx->{supported_enctypes}
+ default_tgs_enctypes = $ctx->{supported_enctypes}
+ default_tkt_enctypes = $ctx->{supported_enctypes}
+ permitted_enctypes = $ctx->{supported_enctypes}
+";
+ }
+
+ if (defined($ctx->{tlsdir})) {
+ if (defined($ENV{MITKRB5})) {
+ print KRB5CONF "
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_kdc_hostname = $ctx->{hostname}.$ctx->{dnsname}
+
+";
+ } else {
+ print KRB5CONF "
+
+[appdefaults]
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+
+[kdc]
+ enable-pkinit = true
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_revoke = FILE:$ctx->{tlsdir}/crl.pem
+
+";
+ }
+ }
+
+ print KRB5CONF "
+[realms]
+ $our_realms_stanza
+";
+
+ close(KRB5CONF);
+}
+
+sub append_krb5_conf_trust_realms($$)
+{
+ my ($ctx) = @_;
+
+ unless (open(KRB5CONF, ">>$ctx->{KRB5_CONFIG}")) {
+ warn("can't open $ctx->{KRB5_CONFIG}$?");
+ return undef;
+ }
+
+ my $trust_realms_stanza = mk_realms_stanza($ctx->{TRUST_REALM},
+ $ctx->{TRUST_DNSNAME},
+ $ctx->{TRUST_DOMAIN},
+ $ctx->{TRUST_SERVER_IP});
+
+ print KRB5CONF " $trust_realms_stanza";
+
+ close(KRB5CONF)
+}
+
+sub mk_realms_stanza($$$$)
+{
+ my ($realm, $dnsname, $domain, $kdc_ipv4) = @_;
+ my $lc_domain = lc($domain);
+
+ # The pkinit_require_krbtgt_otherName = false
+ # is just because the certificates we have saved
+ # do not have the realm in the subjectAltName
+ # (specially encoded as a principal)
+ # per
+ # https://github.com/heimdal/heimdal/wiki/Setting-up-PK-INIT-and-Certificates
+ my $realms_stanza = "
+ $realm = {
+ kdc = $kdc_ipv4:88
+ admin_server = $kdc_ipv4:88
+ default_domain = $dnsname
+ pkinit_require_krbtgt_otherName = false
+ }
+ $dnsname = {
+ kdc = $kdc_ipv4:88
+ admin_server = $kdc_ipv4:88
+ default_domain = $dnsname
+ pkinit_require_krbtgt_otherName = false
+ }
+ $domain = {
+ kdc = $kdc_ipv4:88
+ admin_server = $kdc_ipv4:88
+ default_domain = $dnsname
+ pkinit_require_krbtgt_otherName = false
+ }
+ $lc_domain = {
+ kdc = $kdc_ipv4:88
+ admin_server = $kdc_ipv4:88
+ default_domain = $dnsname
+ pkinit_require_krbtgt_otherName = false
+ }
+
+";
+ return $realms_stanza;
+}
+
+sub mk_mitkdc_conf($$)
+{
+ # samba_kdb_dir is the path to mit_samba.so
+ my ($ctx, $samba_kdb_dir) = @_;
+
+ unless (open(KDCCONF, ">$ctx->{mitkdc_conf}")) {
+ warn("can't open $ctx->{mitkdc_conf}$?");
+ return undef;
+ }
+
+ print KDCCONF "
+# Generated kdc.conf for $ctx->{realm}
+
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true
+
+[realms]
+ $ctx->{realm} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_eku_checking = scLogin
+ pkinit_indicator = pkinit
+ pkinit_allow_upn = true
+ }
+
+ $ctx->{dnsname} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_eku_checking = scLogin
+ pkinit_indicator = pkinit
+ pkinit_allow_upn = true
+ }
+
+ $ctx->{domain} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_eku_checking = scLogin
+ pkinit_indicator = pkinit
+ pkinit_allow_upn = true
+ }
+
+[dbmodules]
+ db_module_dir = $samba_kdb_dir
+
+ $ctx->{realm} = {
+ db_library = samba
+ }
+
+ $ctx->{dnsname} = {
+ db_library = samba
+ }
+
+ $ctx->{domain} = {
+ db_library = samba
+ }
+
+[logging]
+ kdc = FILE:$ctx->{logdir}/mit_kdc.log
+";
+
+ close(KDCCONF);
+}
+
+sub mk_resolv_conf($$)
+{
+ my ($ctx) = @_;
+
+ unless (open(RESOLV_CONF, ">$ctx->{resolv_conf}")) {
+ warn("can't open $ctx->{resolv_conf}$?");
+ return undef;
+ }
+
+ print RESOLV_CONF "nameserver $ctx->{dns_ipv4}\n";
+ print RESOLV_CONF "nameserver $ctx->{dns_ipv6}\n";
+ close(RESOLV_CONF);
+}
+
+sub realm_to_ip_mappings
+{
+ # this maps the DNS realms for the various testenvs to the corresponding
+ # PDC (i.e. the first DC created for that realm).
+ my %realm_to_pdc_mapping = (
+ 'adnonssdom.samba.example.com' => 'addc_no_nss',
+ 'adnontlmdom.samba.example.com' => 'addc_no_ntlm',
+ 'samba2000.example.com' => 'dc5',
+ 'samba2003.example.com' => 'dc6',
+ 'samba2008r2.example.com' => 'dc7',
+ 'addom.samba.example.com' => 'addc',
+ 'addom2.samba.example.com' => 'addcsmb1',
+ 'sub.samba.example.com' => 'localsubdc',
+ 'chgdcpassword.samba.example.com' => 'chgdcpass',
+ 'backupdom.samba.example.com' => 'backupfromdc',
+ 'renamedom.samba.example.com' => 'renamedc',
+ 'labdom.samba.example.com' => 'labdc',
+ 'schema.samba.example.com' => 'liveupgrade1dc',
+ 'prockilldom.samba.example.com' => 'prockilldc',
+ 'proclimit.samba.example.com' => 'proclimitdc',
+ 'samba.example.com' => 'localdc',
+ 'fips.samba.example.com' => 'fipsdc',
+ );
+
+ my @mapping = ();
+
+ # convert the hashmap to a list of key=value strings, where key is the
+ # realm and value is the IP address
+ foreach my $realm (sort(keys %realm_to_pdc_mapping)) {
+ my $pdc = $realm_to_pdc_mapping{$realm};
+ my $ipaddr = get_ipv4_addr($pdc);
+ push(@mapping, "$realm=$ipaddr");
+ }
+ # return the mapping as a single comma-separated string
+ return join(',', @mapping);
+}
+
+sub get_interface($)
+{
+ my ($netbiosname) = @_;
+ $netbiosname = lc($netbiosname);
+
+ # this maps the SOCKET_WRAPPER_DEFAULT_IFACE value for each possible
+ # testenv to the DC's NETBIOS name. This value also corresponds to last
+ # digit of the DC's IP address. Note that the NETBIOS name may differ from
+ # the testenv name.
+ # Note that when adding a DC with a new realm, also update
+ # get_realm_ip_mappings() above.
+ my %testenv_iface_mapping = (
+ localnt4dc2 => 3,
+ localnt4member3 => 4,
+ localshare4 => 5,
+ # 6 is spare
+ localktest6 => 7,
+ maptoguest => 8,
+ localnt4dc9 => 9,
+ # 10 is spare
+
+ # 11-16 are used by selftest.pl for the client.conf. Most tests only
+ # use the first .11 IP. However, some tests (like winsreplication) rely
+ # on the client having multiple IPs.
+ client => 11,
+
+ addc_no_nss => 17,
+ addc_no_ntlm => 18,
+ idmapadmember => 19,
+ idmapridmember => 20,
+ localdc => 21,
+ localvampiredc => 22,
+ s4member => 23,
+ localrpcproxy => 24,
+ dc5 => 25,
+ dc6 => 26,
+ dc7 => 27,
+ rodc => 28,
+ localadmember => 29,
+ addc => 30,
+ localsubdc => 31,
+ chgdcpass => 32,
+ promotedvdc => 33,
+ rfc2307member => 34,
+ fileserver => 35,
+ fakednsforwarder1 => 36,
+ fakednsforwarder2 => 37,
+ s4member_dflt => 38,
+ vampire2000dc => 39,
+ backupfromdc => 40,
+ restoredc => 41,
+ renamedc => 42,
+ labdc => 43,
+ offlinebackupdc => 44,
+ customdc => 45,
+ prockilldc => 46,
+ proclimitdc => 47,
+ liveupgrade1dc => 48,
+ liveupgrade2dc => 49,
+ ctdb0 => 50,
+ ctdb1 => 51,
+ ctdb2 => 52,
+ fileserversmb1 => 53,
+ addcsmb1 => 54,
+ lclnt4dc2smb1 => 55,
+ fipsdc => 56,
+ fipsadmember => 57,
+ offlineadmem => 58,
+ s2kmember => 59,
+ admemidmapnss => 60,
+ localadmember2 => 61,
+ admemautorid => 62,
+
+ rootdnsforwarder => 64,
+
+ # Note: that you also need to update dns_hub.py when adding a new
+ # multi-DC testenv
+ # update lib/socket_wrapper/socket_wrapper.c
+ # #define MAX_WRAPPED_INTERFACES 64
+ # if you wish to have more than 64 interfaces
+ );
+
+ if (not defined($testenv_iface_mapping{$netbiosname})) {
+ die();
+ }
+
+ return $testenv_iface_mapping{$netbiosname};
+}
+
+sub get_ipv4_addr
+{
+ my ($hostname, $iface_num) = @_;
+ my $swiface = Samba::get_interface($hostname);
+
+ # Handle testenvs with multiple different addresses, i.e. IP multihoming.
+ # Currently only the selftest client has multiple IPv4 addresses.
+ if (defined($iface_num)) {
+ $swiface += $iface_num;
+ }
+
+ return "10.53.57.$swiface";
+}
+
+sub get_ipv6_addr
+{
+ (my $hostname) = @_;
+ my $swiface = Samba::get_interface($hostname);
+
+ return sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
+}
+
+# returns the 'interfaces' setting for smb.conf, i.e. the IPv4/IPv6
+# addresses for testenv
+sub get_interfaces_config
+{
+ my ($hostname, $num_ips) = @_;
+ my $interfaces = "";
+
+ # We give the client.conf multiple different IPv4 addresses.
+ # All other testenvs generally just have one IPv4 address.
+ if (! defined($num_ips)) {
+ $num_ips = 1;
+ }
+ for (my $i = 0; $i < $num_ips; $i++) {
+ my $ipv4_addr = Samba::get_ipv4_addr($hostname, $i);
+ if (use_namespaces()) {
+ # use a /24 subnet with network namespaces
+ $interfaces .= "$ipv4_addr/24 ";
+ } else {
+ $interfaces .= "$ipv4_addr/8 ";
+ }
+ }
+
+ my $ipv6_addr = Samba::get_ipv6_addr($hostname);
+ $interfaces .= "$ipv6_addr/64";
+
+ return $interfaces;
+}
+
+sub cleanup_child($$)
+{
+ my ($pid, $name) = @_;
+
+ if (!defined($pid)) {
+ print STDERR "cleanup_child: pid not defined ... not calling waitpid\n";
+ return -1;
+ }
+
+ my $childpid = waitpid($pid, WNOHANG);
+
+ if ($childpid == 0) {
+ } elsif ($childpid < 0) {
+ printf STDERR "%s child process %d isn't here any more\n", $name, $pid;
+ return $childpid;
+ } elsif ($? & 127) {
+ printf STDERR "%s child process %d, died with signal %d, %s coredump\n",
+ $name, $childpid, ($? & 127), ($? & 128) ? 'with' : 'without';
+ } else {
+ printf STDERR "%s child process %d exited with value %d\n", $name, $childpid, $? >> 8;
+ }
+ return $childpid;
+}
+
+sub random_domain_sid()
+{
+ my $domain_sid = "S-1-5-21-". int(rand(4294967295)) . "-" . int(rand(4294967295)) . "-" . int(rand(4294967295));
+ return $domain_sid;
+}
+
+# sets the environment variables ready for running a given process
+sub set_env_for_process
+{
+ my ($proc_name, $env_vars, $proc_envs) = @_;
+
+ if (not defined($proc_envs)) {
+ $proc_envs = get_env_for_process($proc_name, $env_vars);
+ }
+
+ foreach my $key (keys %{ $proc_envs }) {
+ $ENV{$key} = $proc_envs->{$key};
+ }
+}
+
+sub get_env_for_process
+{
+ my ($proc_name, $env_vars) = @_;
+ my $proc_envs = {
+ RESOLV_CONF => $env_vars->{RESOLV_CONF},
+ KRB5_CONFIG => $env_vars->{KRB5_CONFIG},
+ KRB5CCNAME => "$env_vars->{KRB5_CCACHE}.$proc_name",
+ GNUPGHOME => $env_vars->{GNUPGHOME},
+ SELFTEST_WINBINDD_SOCKET_DIR => $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR},
+ NMBD_SOCKET_DIR => $env_vars->{NMBD_SOCKET_DIR},
+ NSS_WRAPPER_PASSWD => $env_vars->{NSS_WRAPPER_PASSWD},
+ NSS_WRAPPER_GROUP => $env_vars->{NSS_WRAPPER_GROUP},
+ NSS_WRAPPER_HOSTS => $env_vars->{NSS_WRAPPER_HOSTS},
+ NSS_WRAPPER_HOSTNAME => $env_vars->{NSS_WRAPPER_HOSTNAME},
+ NSS_WRAPPER_MODULE_SO_PATH => $env_vars->{NSS_WRAPPER_MODULE_SO_PATH},
+ NSS_WRAPPER_MODULE_FN_PREFIX => $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX},
+ UID_WRAPPER_ROOT => "1",
+ ENVNAME => "$ENV{ENVNAME}.$proc_name",
+ };
+
+ if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
+ $proc_envs->{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
+ } else {
+ $proc_envs->{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
+ }
+ if (defined($env_vars->{GNUTLS_FORCE_FIPS_MODE})) {
+ $proc_envs->{GNUTLS_FORCE_FIPS_MODE} = $env_vars->{GNUTLS_FORCE_FIPS_MODE};
+ }
+ if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) {
+ $proc_envs->{OPENSSL_FORCE_FIPS_MODE} = $env_vars->{OPENSSL_FORCE_FIPS_MODE};
+ }
+ return $proc_envs;
+}
+
+sub fork_and_exec
+{
+ my ($self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup) = @_;
+ my $SambaCtx = $self;
+ $SambaCtx = $self->{SambaCtx} if defined($self->{SambaCtx});
+
+ # we close the child's write-end of the pipe and redirect the
+ # read-end to its stdin. That way the daemon will receive an
+ # EOF on stdin when parent selftest process closes its
+ # write-end.
+ $child_cleanup //= sub { close($env_vars->{STDIN_PIPE}) };
+
+ unlink($daemon_ctx->{LOG_FILE});
+ print "STARTING $daemon_ctx->{NAME} for $ENV{ENVNAME}...";
+
+ my $parent_pid = $$;
+ my $pid = fork();
+
+ # exec the daemon in the child process
+ if ($pid == 0) {
+ my @preargs = ();
+
+ # redirect the daemon's stdout/stderr to a log file
+ if (defined($daemon_ctx->{TEE_STDOUT})) {
+ # in some cases, we want out from samba to go to the log file,
+ # but also to the users terminal when running 'make test' on the
+ # command line. This puts it on stderr on the terminal
+ open STDOUT, "| tee $daemon_ctx->{LOG_FILE} 1>&2";
+ } else {
+ open STDOUT, ">$daemon_ctx->{LOG_FILE}";
+ }
+ open STDERR, '>&STDOUT';
+
+ SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
+ if (defined($daemon_ctx->{PCAP_FILE})) {
+ $SambaCtx->setup_pcap("$daemon_ctx->{PCAP_FILE}");
+ }
+
+ # setup ENV variables in the child process
+ set_env_for_process($daemon_ctx->{NAME}, $env_vars,
+ $daemon_ctx->{ENV_VARS});
+
+ $child_cleanup->();
+
+ # not all s3 daemons run in all testenvs (e.g. fileserver doesn't
+ # run winbindd). In which case, the child process just sleeps
+ if (defined($daemon_ctx->{SKIP_DAEMON})) {
+ $SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub {
+ my $signame = shift;
+ print("Skip $daemon_ctx->{NAME} received signal $signame");
+ exit 0;
+ };
+ my $poll = IO::Poll->new();
+ $poll->mask($STDIN_READER, POLLIN);
+ $poll->poll($self->{server_maxtime});
+ exit 0;
+ }
+
+ $ENV{MAKE_TEST_BINARY} = $daemon_ctx->{BINARY_PATH};
+
+ open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+ # if using kernel namespaces, prepend the command so the process runs in
+ # its own namespace
+ if (Samba::use_namespaces()) {
+ @preargs = ns_exec_preargs($parent_pid, $env_vars);
+ }
+
+ # the command args are stored as an array reference (because...Perl),
+ # so convert the reference back to an array
+ my @full_cmd = @{ $daemon_ctx->{FULL_CMD} };
+
+ exec(@preargs, @full_cmd) or die("Unable to start $ENV{MAKE_TEST_BINARY}: $!");
+ }
+
+ print "DONE ($pid)\n";
+
+ # if using kernel namespaces, we now establish a connection between the
+ # main selftest namespace (i.e. this process) and the new child namespace
+ if (use_namespaces()) {
+ ns_child_forked($pid, $env_vars);
+ }
+
+ return $pid;
+}
+
+my @exported_envvars = (
+ # domain stuff
+ "DOMAIN",
+ "DNSNAME",
+ "REALM",
+ "DOMSID",
+
+ # stuff related to a trusted domain
+ "TRUST_SERVER",
+ "TRUST_USERNAME",
+ "TRUST_PASSWORD",
+ "TRUST_DOMAIN",
+ "TRUST_REALM",
+ "TRUST_DOMSID",
+
+ # stuff related to a trusted domain, on a trust_member
+ # the domain behind a forest trust (two-way)
+ "TRUST_F_BOTH_SERVER",
+ "TRUST_F_BOTH_SERVER_IP",
+ "TRUST_F_BOTH_SERVER_IPV6",
+ "TRUST_F_BOTH_NETBIOSNAME",
+ "TRUST_F_BOTH_USERNAME",
+ "TRUST_F_BOTH_PASSWORD",
+ "TRUST_F_BOTH_DOMAIN",
+ "TRUST_F_BOTH_REALM",
+
+ # stuff related to a trusted domain, on a trust_member
+ # the domain behind an external trust (two-way)
+ "TRUST_E_BOTH_SERVER",
+ "TRUST_E_BOTH_SERVER_IP",
+ "TRUST_E_BOTH_SERVER_IPV6",
+ "TRUST_E_BOTH_NETBIOSNAME",
+ "TRUST_E_BOTH_USERNAME",
+ "TRUST_E_BOTH_PASSWORD",
+ "TRUST_E_BOTH_DOMAIN",
+ "TRUST_E_BOTH_REALM",
+
+ # stuff related to a trusted NT4 domain,
+ # used for one-way trust fl2008r2dc <- nt4_dc
+ "NT4_TRUST_SERVER",
+ "NT4_TRUST_SERVER_IP",
+ "NT4_TRUST_DOMAIN",
+ "NT4_TRUST_DOMSID",
+
+ # domain controller stuff
+ "DC_SERVER",
+ "DC_SERVER_IP",
+ "DC_SERVER_IPV6",
+ "DC_NETBIOSNAME",
+ "DC_NETBIOSALIAS",
+
+ # server stuff
+ "SERVER",
+ "SERVER_IP",
+ "SERVER_IPV6",
+ "NETBIOSNAME",
+ "NETBIOSALIAS",
+ "SAMSID",
+
+ # only use these 2 as a last resort. Some tests need to test both client-
+ # side and server-side. In this case, run as default client, and access
+ # server's smb.conf as needed, typically using:
+ # param.LoadParm(filename_for_non_global_lp=os.environ['SERVERCONFFILE'])
+ "SERVERCONFFILE",
+ "DC_SERVERCONFFILE",
+
+ # user stuff
+ "USERNAME",
+ "USERID",
+ "PASSWORD",
+ "DC_USERNAME",
+ "DC_PASSWORD",
+ "DOMAIN_ADMIN",
+ "DOMAIN_ADMIN_PASSWORD",
+ "DOMAIN_USER",
+ "DOMAIN_USER_PASSWORD",
+
+ # UID/GID for rfc2307 mapping tests
+ "UID_RFC2307TEST",
+ "GID_RFC2307TEST",
+
+ # misc stuff
+ "KRB5_CONFIG",
+ "KRB5CCNAME",
+ "GNUPGHOME",
+ "SELFTEST_WINBINDD_SOCKET_DIR",
+ "NMBD_SOCKET_DIR",
+ "LOCAL_PATH",
+ "DNS_FORWARDER1",
+ "DNS_FORWARDER2",
+ "RESOLV_CONF",
+ "UNACCEPTABLE_PASSWORD",
+ "LOCK_DIR",
+ "SMBD_TEST_LOG",
+ "KRB5_CRL_FILE",
+
+ # nss_wrapper
+ "NSS_WRAPPER_PASSWD",
+ "NSS_WRAPPER_GROUP",
+ "NSS_WRAPPER_HOSTS",
+ "NSS_WRAPPER_HOSTNAME",
+ "NSS_WRAPPER_MODULE_SO_PATH",
+ "NSS_WRAPPER_MODULE_FN_PREFIX",
+
+ # resolv_wrapper
+ "RESOLV_WRAPPER_CONF",
+ "RESOLV_WRAPPER_HOSTS",
+
+ # ctdb stuff
+ "CTDB_PREFIX",
+ "NUM_NODES",
+ "CTDB_BASE",
+ "CTDB_SOCKET",
+ "CTDB_SERVER_NAME",
+ "CTDB_IFACE_IP",
+ "CTDB_BASE_NODE0",
+ "CTDB_SOCKET_NODE0",
+ "CTDB_SERVER_NAME_NODE0",
+ "CTDB_IFACE_IP_NODE0",
+ "CTDB_BASE_NODE1",
+ "CTDB_SOCKET_NODE1",
+ "CTDB_SERVER_NAME_NODE1",
+ "CTDB_IFACE_IP_NODE1",
+ "CTDB_BASE_NODE2",
+ "CTDB_SOCKET_NODE2",
+ "CTDB_SERVER_NAME_NODE2",
+ "CTDB_IFACE_IP_NODE2",
+);
+
+sub exported_envvars_str
+{
+ my ($testenv_vars) = @_;
+ my $out = "";
+
+ foreach (@exported_envvars) {
+ next unless defined($testenv_vars->{$_});
+ $out .= $_."=".$testenv_vars->{$_}."\n";
+ }
+
+ return $out;
+}
+
+sub clear_exported_envvars
+{
+ foreach (@exported_envvars) {
+ delete $ENV{$_};
+ }
+}
+
+sub export_envvars
+{
+ my ($testenv_vars) = @_;
+
+ foreach (@exported_envvars) {
+ if (defined($testenv_vars->{$_})) {
+ $ENV{$_} = $testenv_vars->{$_};
+ } else {
+ delete $ENV{$_};
+ }
+ }
+}
+
+sub export_envvars_to_file
+{
+ my ($filepath, $testenv_vars) = @_;
+ my $env_str = exported_envvars_str($testenv_vars);
+
+ open(FILE, "> $filepath");
+ print FILE "$env_str";
+ close(FILE);
+}
+
+# Returns true if kernel namespaces are being used instead of socket-wrapper.
+# The default is false.
+sub use_namespaces
+{
+ return defined($ENV{USE_NAMESPACES});
+}
+
+# returns a given testenv's interface-name (only when USE_NAMESPACES=1)
+sub ns_interface_name
+{
+ my ($hostname) = @_;
+
+ # when using namespaces, each testenv has its own vethX interface,
+ # where X = Samba::get_interface(testenv_name)
+ my $iface = get_interface($hostname);
+ return "veth$iface";
+}
+
+# Called after a new child namespace has been forked
+sub ns_child_forked
+{
+ my ($child_pid, $env_vars) = @_;
+
+ # we only need to do this for the first child forked for this testenv
+ if (defined($env_vars->{NS_PID})) {
+ return;
+ }
+
+ # store the child PID. It's the only way the main (selftest) namespace can
+ # access the new child (testenv) namespace.
+ $env_vars->{NS_PID} = $child_pid;
+
+ # Add the new child namespace's interface to the main selftest bridge.
+ # This connects together the various testenvs so that selftest can talk to
+ # them all
+ my $iface = ns_interface_name($env_vars->{NETBIOSNAME});
+ system "$ENV{SRCDIR}/selftest/ns/add_bridge_iface.sh $iface-br selftest0";
+}
+
+# returns args to prepend to a command in order to execute it the correct
+# namespace for the testenv (creating a new namespace if needed).
+# This should only used when USE_NAMESPACES=1 is set.
+sub ns_exec_preargs
+{
+ my ($parent_pid, $env_vars) = @_;
+
+ # NS_PID stores the pid of the first child daemon run in this namespace
+ if (defined($env_vars->{NS_PID})) {
+
+ # the namespace has already been created previously. So we use nsenter
+ # to execute the command in the given testenv's namespace. We need to
+ # use the NS_PID to identify this particular namespace
+ return ("nsenter", "-t", "$env_vars->{NS_PID}", "--net");
+ } else {
+
+ # We need to create a new namespace for this daemon (i.e. we're
+ # setting up a new testenv). First, write the environment variables to
+ # an exports.sh file for this testenv (for convenient access by the
+ # namespace scripts).
+ my $exports_file = "$env_vars->{TESTENV_DIR}/exports.sh";
+ export_envvars_to_file($exports_file, $env_vars);
+
+ # when using namespaces, each testenv has its own veth interface
+ my $interface = ns_interface_name($env_vars->{NETBIOSNAME});
+
+ # we use unshare to create a new network namespace. The start_in_ns.sh
+ # helper script gets run first to setup the new namespace's interfaces.
+ # (This all gets prepended around the actual command to run in the new
+ # namespace)
+ return ("unshare", "--net", "$ENV{SRCDIR}/selftest/ns/start_in_ns.sh",
+ $interface, $exports_file, $parent_pid);
+ }
+}
+
+
+sub check_env {
+ my ($self, $envvars) = @_;
+ return 1;
+}
+
+sub teardown_env {
+ my ($self, $env) = @_;
+ return 1;
+}
+
+
+sub getlog_env {
+ return '';
+}
+
+1;
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-04 12:45:46 +0000