diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
| commit | 8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch) | |
| tree | 4099e8021376c7d8c05bdf8503093d80e9c7bad0 /testprogs/blackbox | |
| parent | Initial commit. (diff) | |
| download | samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip | |
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testprogs/blackbox')
62 files changed, 9186 insertions, 0 deletions
diff --git a/testprogs/blackbox/b15464-testcase.sh b/testprogs/blackbox/b15464-testcase.sh new file mode 100755 index 0000000..b0c8826 --- /dev/null +++ b/testprogs/blackbox/b15464-testcase.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# Blackbox wrapper for bug 15464 +# Copyright (C) 2023 Stefan Metzmacher + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: b15464-testcase.sh B15464_TESTCASE LIBNSS_WINBIND +EOF + exit 1 +fi + +b15464_testcase=$1 +libnss_winbind=$2 +shift 2 +failed=0 + +. $(dirname $0)/subunit.sh + +testit "run b15464-testcase" $VALGRIND $b15464_testcase $libnss_winbind || failed=$(expr $failed + 1) + +testok $0 $failed diff --git a/testprogs/blackbox/bogus.sh b/testprogs/blackbox/bogus.sh new file mode 100755 index 0000000..2fa1107 --- /dev/null +++ b/testprogs/blackbox/bogus.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: bogus.sh SERVER SHARE USER PASSWORD DC_USER DC_PASSWORD SMBCLIENT +EOF + exit 1 +fi + +. $(dirname $0)/subunit.sh + +SERVER=$1 +SHARE=$2 +USER=$3 +PWD=$4 +DC_USER=$5 +DC_PWD=$6 +smbclient=$7 +shift 7 + +TEST_USER=bogus_testuser +TEST_PWD=bogus_pass3#@ +net="$BINDIR/net" +testit_expect_failure "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$DC_USER%$DC_PWD -c "dir" || failed=$(expr $failed + 1) +testit "net.user.add" $net rpc user add $TEST_USER $TEST_PWD -W $SERVER -U$SERVER\\$USER%$PWD -S $SERVER +testit "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$TEST_USER%$TEST_PWD -c "dir" || failed=$(expr $failed + 1) +testit "net.user.delete" $net rpc user delete $TEST_USER -W $SERVER -U$SERVER\\$USER%$PWD -S $SERVER +exit $failed diff --git a/testprogs/blackbox/common-links.sh b/testprogs/blackbox/common-links.sh new file mode 100644 index 0000000..281b0d9 --- /dev/null +++ b/testprogs/blackbox/common-links.sh @@ -0,0 +1,211 @@ +release_dir=$SRCDIR_ABS/source4/selftest/provisions/$RELEASE + +ldbadd=$(system_or_builddir_binary ldbadd "${BINDIR}") +ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}") +ldbdel=$(system_or_builddir_binary ldbdel "${BINDIR}") +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") +ldbrename=$(system_or_builddir_binary ldbrename "${BINDIR}") +samba_tdbrestore=$(system_or_builddir_binary tdbrestore "${BINDIR}") + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" + +undump() +{ + $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore +} + +add_dangling_link() +{ + ldif=$release_dir/add-dangling-forwardlink-user.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-initially-normal-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/delete-only-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_dangling_backlink() +{ + ldif=$release_dir/add-dangling-backlink-user.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-dangling-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_deleted_dangling_backlink() +{ + ldif=$release_dir/add-deleted-backlink-user.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-deleted-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_deleted_target_backlink() +{ + ldif=$release_dir/add-deleted-target-backlink-user.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-deleted-target-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +revive_links_on_deleted_group() +{ + ldif=$release_dir/revive-links-on-deleted-group.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +revive_backlink_on_deleted_group() +{ + ldif=$release_dir/revive-backlink-on-deleted-group.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_deleted_target_link() +{ + ldif=$release_dir/add-dangling-deleted-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_two_more_users() +{ + ldif=$release_dir/add-two-more-users.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_four_more_links() +{ + ldif=$release_dir/add-four-more-links.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_link() +{ + ldif=$release_dir/remove-one-more-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_user() +{ + ldif=$release_dir/remove-one-more-user.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +move_one_user() +{ + TZ=UTC $ldbrename -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'cn=user1,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' 'cn=user1x,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + if [ "$?" != "0" ]; then + return 1 + fi +} + +dangling_one_way_dn() +{ + ldif=$release_dir/dangling-one-way-dn.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +deleted_one_way_dn() +{ + ldif=$release_dir/deleted-one-way-dn.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +dangling_one_way_link() +{ + ldif=$release_dir/dangling-one-way-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/CN%3DCONFIGURATION,DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_dangling_multi_valued() +{ + # multi1 - All 4 backlinks + # multi2 - Missing all 4 backlinks + # multi3 - Missing 2 backlinks + # Administrator - Has 2 too many backlinks + # multi5 - Has 2 backlinks but no forward links + ldif=$release_dir/add-dangling-multilink-users.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-initially-normal-multilink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/delete-only-multi-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + + ldif=$release_dir/add-dangling-multi-backlink.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} diff --git a/testprogs/blackbox/common_test_fns.inc b/testprogs/blackbox/common_test_fns.inc new file mode 100755 index 0000000..df8fee0 --- /dev/null +++ b/testprogs/blackbox/common_test_fns.inc @@ -0,0 +1,155 @@ +# Common tests +# Pulled out of existing tests to prevent duplication. +# +test_smbclient() +{ + name="$1" + cmd="$2" + unc="$3" + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $smbclient $CONFIGURATION "$unc" -c "$cmd" "$@" 2>&1) + status=$? + if [ x$status = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $status +} + +test_smbclient_expect_failure() +{ + name="$1" + cmd="$2" + unc="$3" + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $smbclient $CONFIGURATION "$unc" -c "$cmd" "$@" 2>&1) + status=$? + if [ x$status = x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return 1 + else + subunit_pass_test "$name" + return 0 + fi +} + +test_rpcclient_grep() +{ + name="$1" + cmd="$2" + srv="$3" + grep="$4" + shift + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $rpcclient $CONFIGURATION "$srv" -c "$cmd" "$@" 2>&1) + status=$? + if [ x$status != x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $gstatus +} + +test_rpcclient_expect_failure_grep() +{ + name="$1" + cmd="$2" + srv="$3" + grep="$4" + shift + shift + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $rpcclient $CONFIGURATION "$srv" -c "$cmd" "$@" 2>&1) + status=$? + if [ x$status = x0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return 1 + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ x$gstatus = x0 ]; then + subunit_pass_test "$name" + else + printf '%s' "$output" | subunit_fail_test "$name" + fi + return $gstatus +} + +kerberos_kinit() +{ + kinit_tool="${1}" + principal="${2}" + password="${3}" + shift 3 + kbase=$(basename ${kinit_tool}) + if [ "${kbase}" = "samba4kinit" ]; then + kpassfile=$(mktemp) + echo $password >${kpassfile} + $kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} "$@" $principal + status=$? + rm -f ${kpassfile} + else + echo $password | $kinit_tool "$@" $principal + status=$? + fi + return $status +} + +remove_directory() +{ + local xdir=${1} + shift + + if [ "$xdir" = "/" ] || [ ! -d "$xdir" ] || [ -z "$(ls -A "$xdir")" ]; then + return + fi + + rm -rf "$xdir" +} + +# This function should be used to either use a system tool or one of our +# build dir if available. +# +# Examples: +# +# system_or_builddir_binary ldbsearch ${BUILDDIR} +# system_or_builddir_binary kinit ${BUILDDIR} samba4kinit +# +system_or_builddir_binary() +{ + _bin_name="${1}" + _build_dir="${2}" + _alt_bin_name="${3}" + + _bin="$(command -v ${_bin_name})" + _bin_build_path="${_build_dir}/${_bin_name}" + + if [ -n "${_alt_bin_name}" ]; then + _bin_build_path="${_build_dir}/${_alt_bin_name}" + fi + + if [ -x "${_bin_build_path}" ]; then + _bin="${_bin_build_path}" + fi + + echo "${_bin}" +} diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh new file mode 100755 index 0000000..63ad8db --- /dev/null +++ b/testprogs/blackbox/dbcheck-links.sh @@ -0,0 +1,1003 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: dbcheck-links.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +. $(dirname $0)/subunit.sh + +. $(dirname $0)/common_test_fns.inc +. $(dirname $0)/common-links.sh + +failed=0 + +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "tombstones_expunge" + subunit_skip_test "tombstones_expunge" <<EOF +no test provision +EOF + + exit 0 +fi + +dbcheck() +{ + tmpfile=$PREFIX_ABS/$RELEASE/expected-dbcheck-link-output${1}.txt.tmp + tmpldif1=$PREFIX_ABS/$RELEASE/expected-dbcheck-output${1}2.txt.tmp1 + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif1 + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $3 --fix --yes >$tmpfile + if [ "$?" != "$2" ]; then + return 1 + fi + sort $tmpfile | grep -v "^INFO:" >$tmpfile.sorted + sort $release_dir/expected-dbcheck-link-output${1}.txt >$tmpfile.expected + diff -u $tmpfile.sorted $tmpfile.expected + if [ "$?" != "0" ]; then + return 1 + fi + + tmpldif2=$PREFIX_ABS/$RELEASE/expected-dbcheck-output${1}2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_acl_reset() +{ + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --fix --yes --attrs=nTSecurityDescriptor +} + +dbcheck_acl_clean() +{ + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --attrs=nTSecurityDescriptor +} + +dbcheck_dangling() +{ + dbcheck "" "1" "--selftest-check-expired-tombstones" + return $? +} + +dbcheck_one_way() +{ + dbcheck "_one_way" "0" "CN=Configuration,DC=release-4-5-0-pre1,DC=samba,DC=corp --selftest-check-expired-tombstones" + return $? +} + +dbcheck_clean() +{ + tmpldif1=$PREFIX_ABS/$RELEASE/expected-dbcheck-output2.txt.tmp1 + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif1 + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb + if [ "$?" != "0" ]; then + return 1 + fi + tmpldif2=$PREFIX_ABS/$RELEASE/expected-dbcheck-output2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-links-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_deleted_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-deleted-links-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_objects() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user1x)(samaccountname=user2))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName >$tmpldif + diff -u $tmpldif $release_dir/expected-objects-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +duplicate_member() +{ + # We use an existing group so we have a stable GUID in the + # dbcheck output + LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=Enterprise Admins,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn member) + DN=$(echo "${LDIF1}" | grep '^dn: ') + MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$') + ldif=$PREFIX_ABS/${RELEASE}/duplicate-member-multi.ldif + { + echo "${DN}" + echo "changetype: modify" + echo "replace: member" + echo "${MSG}" + echo "${MSG}" | sed -e 's!RMD_LOCAL_USN=[1-9][0-9]*!RMD_LOCAL_USN=0!' + } >$ldif + + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_duplicate_member() +{ + dbcheck "_duplicate_member" "1" "--selftest-check-expired-tombstones" + return $? +} + +check_expected_after_duplicate_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-duplicates-after-link-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=administrator)(cn=enterprise admins))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted memberOf member >$tmpldif + diff -u $tmpldif $release_dir/expected-duplicates-after-link-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +missing_link_sid_corruption() +{ + # Step1: add user "missingsidu1" + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption1.ldif + cat >$ldif <<EOF +dn: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: user +samaccountname: missingsidu1 +objectGUID: 0da8f25e-d110-11e8-80b7-3c970ec68461 +objectSid: S-1-5-21-4177067393-1453636373-93818738-771 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # Step2: add user "missingsidu2" + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption2.ldif + cat >$ldif <<EOF +dn: CN=missingsidu2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: user +samaccountname: missingsidu2 +objectGUID: 66eb8f52-d110-11e8-ab9b-3c970ec68461 +objectSid: S-1-5-21-4177067393-1453636373-93818738-772 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # Step3: add group "missingsidg3" and add users as members + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption3.ldif + cat >$ldif <<EOF +dn: CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: group +samaccountname: missingsidg3 +objectGUID: fd992424-d114-11e8-bb36-3c970ec68461 +objectSid: S-1-5-21-4177067393-1453636373-93818738-773 +member: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +member: CN=missingsidu2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # Step4: remove one user again, so that we have one deleted link + # + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption4.ldif + cat >$ldif <<EOF +dn: CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: modify +delete: member +member: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step5: remove the SIDS from the links + # + LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn --show-binary member) + DN=$(echo "${LDIF1}" | grep '^dn: ') + MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$') + ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption5.ldif + { + echo "${DN}" + echo "changetype: modify" + echo "replace: member" + #echo "${MSG}" + echo "${MSG}" | sed \ + -e 's!<SID=S-1-5-21-4177067393-1453636373-93818738-771>;!!g' \ + -e 's!<SID=S-1-5-21-4177067393-1453636373-93818738-772>;!!g' \ + -e 's!RMD_ADDTIME=[1-9][0-9]*!RMD_ADDTIME=123456789000000000!g' \ + -e 's!RMD_CHANGETIME=[1-9][0-9]*!RMD_CHANGETIME=123456789000000000!g' | + cat + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_missing_link_sid_corruption() +{ + dbcheck "-missing-link-sid-corruption" "1" "--selftest-check-expired-tombstones" + return $? +} + +add_lost_deleted_user1() +{ + ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user1.ldif + cat >$ldif <<EOF +dn: CN=fred\0ADEL:2301a64c-1234-5678-851e-12d4a711cfb4,OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +instanceType: 4 +whenCreated: 20160629043638.0Z +uSNCreated: 3740 +objectGUID: 2301a64c-1234-5678-851e-12d4a711cfb4 +objectSid: S-1-5-21-4177067393-1453636373-93818738-1011 +sAMAccountName: fred +userAccountControl: 512 +isDeleted: TRUE +lastKnownParent: <GUID=f28216e9-1234-5678-8b2d-6bb229563b62>;OU=removed,DC=rel + ease-4-5-0-pre1,DC=samba,DC=corp +isRecycled: TRUE +cn:: ZnJlZApERUw6MjMwMWE2NGMtMTIzNC01Njc4LTg1MWUtMTJkNGE3MTFjZmI0 +name:: ZnJlZApERUw6MjMwMWE2NGMtMTIzNC01Njc4LTg1MWUtMTJkNGE3MTFjZmI0 +replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o + z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A + AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA + AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA + AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC + jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQACAAAAV+GDDQMAAACjlkROuH+XT4oz + 0jjbi14tog4AAAAAAACiDgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA + AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA + AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA + AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj + lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0 + jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA + AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA + AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA + V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl + kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j + jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA + AAACiDgAAAAAAAA0DCQABAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAA + AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV + +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA== +whenChanged: 20160629043639.0Z +uSNChanged: 3746 +nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK + PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO + 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8 + J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ + AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA + AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA + UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA + AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr + 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA + ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh + CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0 + BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ + AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA + oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER + rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA + AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq + svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA + AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA + BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI + AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA + AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG + naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg + 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX + 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC + AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA + AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD + AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA + AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB + AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo + 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA + BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA + gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA + AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU + SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos + AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5 + g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg + AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD + /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS + GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA== +EOF + + out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbadd returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_lost_deleted_user1() +{ + dbcheck "-lost-deleted-user1" "1" "--selftest-check-expired-tombstones" + return $? +} + +remove_lost_deleted_user1() +{ + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "<GUID=2301a64c-1234-5678-851e-12d4a711cfb4>" --show-recycled --relax) + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi + + return 0 +} + +add_lost_deleted_user2() +{ + ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user2.ldif + cat >$ldif <<EOF +dn: CN=fred\0ADEL:2301a64c-8765-4321-851e-12d4a711cfb4,CN=LostAndFound,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +instanceType: 4 +whenCreated: 20160629043638.0Z +uSNCreated: 3740 +objectGUID: 2301a64c-8765-4321-851e-12d4a711cfb4 +objectSid: S-1-5-21-4177067393-1453636373-93818738-1001 +sAMAccountName: fred +userAccountControl: 512 +isDeleted: TRUE +lastKnownParent: OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp +isRecycled: TRUE +cn:: ZnJlZApERUw6MjMwMWE2NGMtODc2NS00MzIxLTg1MWUtMTJkNGE3MTFjZmI0 +name:: ZnJlZApERUw6MjMwMWE2NGMtODc2NS00MzIxLTg1MWUtMTJkNGE3MTFjZmI0 +replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o + z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A + AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA + AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA + AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC + jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQAEAAAAePOWEgMAAACjlkROuH+XT4oz + 0jjbi14tvA4AAAAAAAC8DgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA + AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA + AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA + AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj + lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0 + jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA + AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA + AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA + V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl + kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j + jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA + AAACiDgAAAAAAAA0DCQADAAAAePOWEgMAAACjlkROuH+XT4oz0jjbi14tvQ4AAAAAAAC9DgAAAAAA + AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV + +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA== +whenChanged: 20160629043639.0Z +uSNChanged: 3746 +nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK + PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO + 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8 + J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ + AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA + AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA + UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA + AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr + 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA + ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh + CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0 + BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ + AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA + oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER + rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA + AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq + svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA + AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA + BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI + AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA + AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG + naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg + 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX + 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC + AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA + AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD + AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA + AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB + AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo + 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA + BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA + gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA + AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU + SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos + AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5 + g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg + AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD + /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS + GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA== +EOF + + out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbadd returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_lost_deleted_user2() +{ + dbcheck "-lost-deleted-user2" "1" "--selftest-check-expired-tombstones" + return $? +} + +add_lost_deleted_user3() +{ + ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user3.ldif + cat >$ldif <<EOF +dn: CN=fred\0ADEL:2301a64c-1122-5566-851e-12d4a711cfb4,OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +instanceType: 4 +whenCreated: 20160629043638.0Z +uSNCreated: 3740 +objectGUID: 2301a64c-1122-5566-851e-12d4a711cfb4 +objectSid: S-1-5-21-4177067393-1453636373-93818738-1010 +sAMAccountName: fred +userAccountControl: 512 +isDeleted: TRUE +lastKnownParent: <GUID=f28216e9-1234-5678-8b2d-6bb229563b62>;OU=removed,DC=rel + ease-4-5-0-pre1,DC=samba,DC=corp +isRecycled: TRUE +cn:: ZnJlZApERUw6MjMwMWE2NGMtMTEyMi01NTY2LTg1MWUtMTJkNGE3MTFjZmI0 +name:: ZnJlZApERUw6MjMwMWE2NGMtMTEyMi01NTY2LTg1MWUtMTJkNGE3MTFjZmI0 +replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o + z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A + AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA + AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA + AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC + jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQACAAAAV+GDDQMAAACjlkROuH+XT4oz + 0jjbi14tog4AAAAAAACiDgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA + AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA + AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA + AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj + lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0 + jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA + AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA + AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA + V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl + kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j + jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA + AAACiDgAAAAAAAA0DCQABAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAA + AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV + +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA== +whenChanged: 20160629043639.0Z +uSNChanged: 3746 +nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK + PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO + 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8 + J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ + AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA + AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA + UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA + AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr + 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA + ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh + CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0 + BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ + AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA + oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER + rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA + AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq + svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA + AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA + BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI + AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA + AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG + naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg + 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX + 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC + AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA + AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD + AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA + AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB + AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo + 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA + BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA + gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA + AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU + SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos + AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5 + g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg + AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD + /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS + GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA== +EOF + + out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbadd returned:\n$out" + return 1 + fi + + return 0 +} + +dbcheck_lost_deleted_user3() +{ + # here we don't pass --selftest-check-expired-tombstones + # as we want to test the default + dbcheck "-lost-deleted-user3" "0" "" + return $? +} + +remove_lost_deleted_user3() +{ + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "<GUID=2301a64c-1122-5566-851e-12d4a711cfb4>" --show-recycled --relax) + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi + + return 0 +} + +forward_link_corruption() +{ + # + # Step1: add a duplicate forward link from + # "CN=Enterprise Admins" to "CN=Administrator" + # + LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=Enterprise Admins,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn member) + DN=$(echo "${LDIF1}" | grep '^dn: ') + MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$') + ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption1.ldif + { + echo "${DN}" + echo "changetype: modify" + echo "replace: member" + echo "${MSG}" + echo "${MSG}" | sed -e 's!RMD_LOCAL_USN=[1-9][0-9]*!RMD_LOCAL_USN=0!' + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption2.ldif + cat >$ldif <<EOF +dn: CN=dangling,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: user +samaccountname: dangling +objectGUID: fd8a04ac-cea0-4921-b1a6-c173e1155c22 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step3: add a dangling backlink from + # "CN=dangling" to "CN=Enterprise Admins" + # + ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption3.ldif + { + echo "dn: CN=dangling,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + echo "changetype: modify" + echo "add: memberOf" + echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi +} + +dbcheck_forward_link_corruption() +{ + dbcheck "-forward-link-corruption" "1" "--selftest-check-expired-tombstones" + return $? +} + +check_expected_after_dbcheck_forward_link_corruption() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-after-dbcheck-forward-link-corruption.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=dangling)(cn=enterprise admins))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted memberOf member >$tmpldif + diff -u $tmpldif $release_dir/expected-after-dbcheck-forward-link-corruption.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +oneway_link_corruption() +{ + # + # Step1: add OU "dangling-ou" + # + ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption.ldif + cat >$ldif <<EOF +dn: OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: organizationalUnit +objectGUID: 20600e7c-92bb-492e-9552-f3ed7f8a2cad +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add msExchConfigurationContainer "dangling-msexch" + # + ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption2.ldif + cat >$ldif <<EOF +dn: OU=dangling-from,DC=release-4-5-0-pre1,DC=samba,DC=corp +changetype: add +objectclass: organizationalUnit +seeAlso: OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step3: rename dangling-ou to dangling-ou2 + # + # Because this is a one-way link we don't fix it at runtime + # + out=$(TZ=UTC $ldbrename -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp OU=dangling-ou2,DC=release-4-5-0-pre1,DC=samba,DC=corp) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi +} + +dbcheck_oneway_link_corruption() +{ + dbcheck "-oneway-link-corruption" "0" "--selftest-check-expired-tombstones" + return $? +} + +check_expected_after_dbcheck_oneway_link_corruption() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-after-dbcheck-oneway-link-corruption.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(ou=dangling-ou)(ou=dangling-ou2)(ou=dangling-from))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted seeAlso >$tmpldif + diff -u $tmpldif $release_dir/expected-after-dbcheck-oneway-link-corruption.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +dbcheck_dangling_multi_valued() +{ + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --selftest-check-expired-tombstones --fix --yes + if [ "$?" != "1" ]; then + return 1 + fi +} + +dangling_multi_valued_check_missing() +{ + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi2)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got only $WORDS links for dangling-multi2 + return 1 + fi + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi3)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got only $WORDS links for dangling-multi3 + return 1 + fi +} + +dangling_multi_valued_check_equal_or_too_many() +{ + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi1)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + if [ $WORDS -ne 4 ]; then + echo Got $WORDS links for dangling-multi1 + return 1 + fi + + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi5)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + + if [ $WORDS -ne 0 ]; then + echo Got $WORDS links for dangling-multi5 + return 1 + fi + + WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=Administrator)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l) + + if [ $WORDS -ne 2 ]; then + echo Got $WORDS links for Administrator + return 1 + fi +} + +dangling_link_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <<EOF +dn: $dn +changetype: add +objectclass: user +samaccountname: dangling-v +objectGUID: fd8a04ac-cea0-4921-b1a6-c173e1155c23 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add a dangling backlink from + # "CN=dangling-for-vanish" to "CN=Enterprise Admins" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif + { + echo "dn: $dn" + echo "changetype: modify" + echo "add: memberOf" + echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +dangling_link_to_unknown_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <<EOF +dn: $dn +changetype: add +objectclass: user +samaccountname: dangling-v +objectGUID: a4090081-ac2a-410c-8924-b255375160e8 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add a dangling backlink from + # "CN=dangling-for-vanish" to "CN=NOT Enterprise Admins" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif + { + echo "dn: $dn" + echo "changetype: modify" + echo "add: memberOf" + echo "memberOf: <GUID=09a47bff-0227-44e1-a8e4-63f9e726515d>;<SID=S-1-5-21-4177067393-1453636373-93818738-588>;CN=NOT Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +dangling_link_to_known_and_unknown_does_not_prevent_delete() +{ + + # + # Step1: add user "dangling" + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif + dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + cat >$ldif <<EOF +dn: $dn +changetype: add +objectclass: user +samaccountname: dangling-v +objectGUID: 2882ffb1-31c3-485e-a7fc-184dfafc32d4 +EOF + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + # + # Step2: add a dangling backlink from + # "CN=dangling-for-vanish" to "CN=Enterprise Admins", + # "CN=dangling-for-vanish" to "CN=NOT Enterprise Admins" and + # back to ourselves + # + ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif + { + echo "dn: $dn" + echo "changetype: modify" + echo "add: memberOf" + echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + echo "memberOf: <GUID=09a47bff-0227-44e1-a8e4-63f9e726515d>;<SID=S-1-5-21-4177067393-1453636373-93818738-588>;CN=NOT Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + echo "memberOf: <GUID=2882ffb1-31c3-485e-a7fc-184dfafc32d4>;CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp" + } >$ldif + + out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif) + if [ "$?" != "0" ]; then + echo "ldbmodify returned:\n$out" + return 1 + fi + + out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn") + if [ "$?" != "0" ]; then + echo "ldbdel returned:\n$out" + return 1 + fi +} + +remove_directory $PREFIX_ABS/${RELEASE} + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1) +testit "dbcheck_acl_clean" dbcheck_acl_clean || failed=$(expr $failed + 1) +testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1) +testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1) +testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1) +testit "remove_one_user" remove_one_user || failed=$(expr $failed + 1) +testit "move_one_user" move_one_user || failed=$(expr $failed + 1) +testit "add_dangling_link" add_dangling_link || failed=$(expr $failed + 1) +testit "add_dangling_backlink" add_dangling_backlink || failed=$(expr $failed + 1) +testit "add_deleted_dangling_backlink" add_deleted_dangling_backlink || failed=$(expr $failed + 1) +testit "revive_links_on_deleted_group" revive_links_on_deleted_group || failed=$(expr $failed + 1) +testit "revive_backlink_on_deleted_group" revive_backlink_on_deleted_group || failed=$(expr $failed + 1) +testit "add_deleted_target_link" add_deleted_target_link || failed=$(expr $failed + 1) +testit "add_deleted_target_backlink" add_deleted_target_backlink || failed=$(expr $failed + 1) +testit "dbcheck_dangling" dbcheck_dangling || failed=$(expr $failed + 1) +testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "check_expected_after_deleted_links" check_expected_after_deleted_links || failed=$(expr $failed + 1) +testit "check_expected_after_links" check_expected_after_links || failed=$(expr $failed + 1) +testit "check_expected_after_objects" check_expected_after_objects || failed=$(expr $failed + 1) +testit "duplicate_member" duplicate_member || failed=$(expr $failed + 1) +testit "dbcheck_duplicate_member" dbcheck_duplicate_member || failed=$(expr $failed + 1) +testit "check_expected_after_duplicate_links" check_expected_after_duplicate_links || failed=$(expr $failed + 1) +testit "duplicate_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "forward_link_corruption" forward_link_corruption || failed=$(expr $failed + 1) +testit "dbcheck_forward_link_corruption" dbcheck_forward_link_corruption || failed=$(expr $failed + 1) +testit "check_expected_after_dbcheck_forward_link_corruption" check_expected_after_dbcheck_forward_link_corruption || failed=$(expr $failed + 1) +testit "forward_link_corruption_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "oneway_link_corruption" oneway_link_corruption || failed=$(expr $failed + 1) +testit "dbcheck_oneway_link_corruption" dbcheck_oneway_link_corruption || failed=$(expr $failed + 1) +testit "check_expected_after_dbcheck_oneway_link_corruption" check_expected_after_dbcheck_oneway_link_corruption || failed=$(expr $failed + 1) +testit "oneway_link_corruption_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "dangling_one_way_link" dangling_one_way_link || failed=$(expr $failed + 1) +testit "dbcheck_one_way" dbcheck_one_way || failed=$(expr $failed + 1) +testit "dbcheck_clean2" dbcheck_clean || failed=$(expr $failed + 1) +testit "missing_link_sid_corruption" missing_link_sid_corruption || failed=$(expr $failed + 1) +testit "dbcheck_missing_link_sid_corruption" dbcheck_missing_link_sid_corruption || failed=$(expr $failed + 1) +testit "missing_link_sid_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "add_lost_deleted_user1" add_lost_deleted_user1 || failed=$(expr $failed + 1) +testit "dbcheck_lost_deleted_user1" dbcheck_lost_deleted_user1 || failed=$(expr $failed + 1) +testit "lost_deleted_user1_clean_A" dbcheck_clean || failed=$(expr $failed + 1) +testit "remove_lost_deleted_user1" remove_lost_deleted_user1 || failed=$(expr $failed + 1) +testit "lost_deleted_user1_clean_B" dbcheck_clean || failed=$(expr $failed + 1) +testit "add_lost_deleted_user2" add_lost_deleted_user2 || failed=$(expr $failed + 1) +testit "dbcheck_lost_deleted_user2" dbcheck_lost_deleted_user2 || failed=$(expr $failed + 1) +testit "lost_deleted_user2_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "add_lost_deleted_user3" add_lost_deleted_user3 || failed=$(expr $failed + 1) +testit "dbcheck_lost_deleted_user3" dbcheck_lost_deleted_user3 || failed=$(expr $failed + 1) +testit "lost_deleted_user3_clean_A" dbcheck_clean || failed=$(expr $failed + 1) +testit "remove_lost_deleted_user3" remove_lost_deleted_user3 || failed=$(expr $failed + 1) +testit "lost_deleted_user3_clean_B" dbcheck_clean || failed=$(expr $failed + 1) +testit "dangling_one_way_dn" dangling_one_way_dn || failed=$(expr $failed + 1) +testit "deleted_one_way_dn" deleted_one_way_dn || failed=$(expr $failed + 1) +testit "dbcheck_clean3" dbcheck_clean || failed=$(expr $failed + 1) +testit "add_dangling_multi_valued" add_dangling_multi_valued || failed=$(expr $failed + 1) +testit "dbcheck_dangling_multi_valued" dbcheck_dangling_multi_valued || failed=$(expr $failed + 1) +testit "dangling_multi_valued_check_missing" dangling_multi_valued_check_missing || failed=$(expr $failed + 1) +testit "dangling_multi_valued_check_equal_or_too_many" dangling_multi_valued_check_equal_or_too_many || failed=$(expr $failed + 1) +# Currently this cannot pass +testit "dbcheck_dangling_multi_valued_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "dangling_link_does_not_prevent_delete" dangling_link_does_not_prevent_delete || failed=$(expr $failed + 1) +testit "dangling_link_to_unknown_does_not_prevent_delete" dangling_link_to_unknown_does_not_prevent_delete || failed=$(expr $failed + 1) +testit "dangling_link_to_known_and_unknown_does_not_prevent_delete" dangling_link_to_known_and_unknown_does_not_prevent_delete || failed=$(expr $failed + 1) + +remove_directory $PREFIX_ABS/${RELEASE} + +exit $failed diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh new file mode 100755 index 0000000..73f7ec4 --- /dev/null +++ b/testprogs/blackbox/dbcheck-oldrelease.sh @@ -0,0 +1,547 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: dbcheck-oldrelease.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +release_dir=$(dirname $0)/../../source4/selftest/provisions/$RELEASE + +ldbadd=$(system_or_builddir_binary ldbadd "${BINDIR}") +ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}") +ldbdel=$(system_or_builddir_binary ldbdel "${BINDIR}") +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") +ldbrename=$(system_or_builddir_binary ldbrename "${BINDIR}") +samba_tdbrestore=$(system_or_builddir_binary tdbrestore "${BINDIR}") + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "reindex" + subunit_skip_test "reindex" <<EOF +no test provision +EOF + subunit_start_test check_expected_before_values + subunit_skip_test check_expected_before_values <<EOF +no test provision +EOF + subunit_start_test "dbcheck" + subunit_skip_test "dbcheck" <<EOF +no test provision +EOF + subunit_start_test "dbcheck_clean" + subunit_skip_test "dbcheck_clean" <<EOF +no test provision +EOF + subunit_start_test check_expected_after_values + subunit_skip_test check_expected_after_values <<EOF +no test provision +EOF + subunit_start_test "dbcheck_acl_reset" + subunit_skip_test "dbcheck_acl_reset" <<EOF +no test provision +EOF + subunit_start_test "dbcheck_clean_acl_reset" + subunit_skip_test "dbcheck_clean_acl_reset" <<EOF +no test provision +EOF + subunit_start_test add_userparameters0 + subunit_skip_test add_userparameters0 <<EOF +no test provision +EOF + + subunit_start_test add_userparameters1 + subunit_skip_test add_userparameters1 <<EOF +no test provision +EOF + + subunit_start_test add_userparameters2 + subunit_skip_test add_userparameters2 <<EOF +no test provision +EOF + + subunit_start_test add_userparameters3 + subunit_skip_test add_userparameters3 <<EOF +no test provision +EOF + + subunit_start_test check_expected_before_values + subunit_skip_test check_expected_before_values <<EOF +no test provision +EOF + + subunit_start_test "dbcheck2" + subunit_skip_test "dbcheck2" <<EOF +no test provision +EOF + + subunit_start_test "referenceprovision" + subunit_skip_test "referenceprovision" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp" + subunit_skip_test "ldapcmp" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp_sd" + subunit_skip_test "ldapcmp_sd" <<EOF +no test provision +EOF + + exit 0 +fi + +undump() +{ + $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore +} + +add_userparameters0() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF +dn: cn=localdc,cn=domain controllers,dc=release-4-1-0rc3,dc=samba,dc=corp +changetype: modify +replace: userParameters +userParameters:: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC + AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB + AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw + BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw + MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH + gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh + AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw + B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA + YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG + MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy + AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg + AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj + NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH + YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3 + MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD + AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA + eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA= +- +EOF + fi +} +add_userparameters1() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF +dn: cn=administrator,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp +changetype: modify +replace: userParameters +userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC + AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB + AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw + BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw + MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH + gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh + AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw + B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA + YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG + MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy + AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg + AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj + NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH + YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3 + MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD + AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA + eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA= +- +EOF + fi +} +add_userparameters2() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF +dn: cn=krbtgt,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp +changetype: modify +replace: userParameters +userParameters:: Q3R4Q2ZnUHJlc2VudCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI + CAgUAsaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiIAIBQ3R4V0ZQcm9maWxlUGF0aOOAsBgCAU + N0eFdGSG9tZURpcuOAsCICAUN0eFdGSG9tZURpckRyaXZl44CwEggBQ3R4U2hhZG9344Sw44Cw44C + w44CwLggBQ3R4TWF4RGlzY29ubmVjdGlvblRpbWXjgaXjjLnjkLDjgLAoCAFDdHhNYXhDb25uZWN0 + aW9uVGltZeOAtOOct+aIseOAsBwIAUN0eE1heElkbGVUaW1l44Gj45yy46Sw44CwIAIBQ3R4V29ya + 0RpcmVjdG9yeeOAsBgIAUN0eENmZ0ZsYWdzMeOAsOOBpuOYsuOAuCICAUN0eEluaXRpYWxQcm9ncm + Ft44Cw +- +EOF + fi +} + +add_userparameters3() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF +dn: cn=guest,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp +changetype: modify +replace: userParameters +userParameters:: QwAAAHQAAAB4AAAAQwAAAGYAAABnAAAAUAAAAHIAAABlAAAAcwAAAGUAAABuA + AAAdAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAA + AgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACA + AAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAUAAAAAsAAAAaAAAACAAAAAEAAABDAAAAdAAA + AHgAAABDAAAAZgAAAGcAAABQAAAAcgAAAGUAAABzAAAAZQAAAG4AAAB0AAAANQA1ADEAZQAwAGIAY + gAwACAAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcAAABGAAAAUAAAAHIAAABvAAAAZgAAAGkAAABsAA + AAZQAAAFAAAABhAAAAdAAAAGgAAAAwADAAGAAAAAIAAAABAAAAQwAAAHQAAAB4AAAAVwAAAEYAAAB + IAAAAbwAAAG0AAABlAAAARAAAAGkAAAByAAAAMAAwACIAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcA + AABGAAAASAAAAG8AAABtAAAAZQAAAEQAAABpAAAAcgAAAEQAAAByAAAAaQAAAHYAAABlAAAAMAAwA + BIAAAAIAAAAAQAAAEMAAAB0AAAAeAAAAFMAAABoAAAAYQAAAGQAAABvAAAAdwAAADAAMQAwADAAMA + AwADAAMAAuAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABEAAAAaQAAAHMAAABjAAA + AbwAAAG4AAABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAAGUAMAA5 + ADMAMAA0ADAAMAAoAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABDAAAAbwAAAG4AA + ABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAADQAMAA3ADcAMQBiAD + AAMAAcAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABJAAAAZAAAAGwAAABlAAAAVAA + AAGkAAABtAAAAZQAAAGMAMAAyADcAMAA5ADAAMAAgAAAAAgAAAAEAAABDAAAAdAAAAHgAAABXAAAA + bwAAAHIAAABrAAAARAAAAGkAAAByAAAAZQAAAGMAAAB0AAAAbwAAAHIAAAB5AAAAMAAwABgAAAAIA + AAAAQAAAEMAAAB0AAAAeAAAAEMAAABmAAAAZwAAAEYAAABsAAAAYQAAAGcAAABzAAAAMQAAADAAMA + BmADAAMgA2ADgAMAAiAAAAAgAAAAEAAABDAAAAdAAAAHgAAABJAAAAbgAAAGkAAAB0AAAAaQAAAGE + AAABsAAAAUAAAAHIAAABvAAAAZwAAAHIAAABhAAAAbQAAADAAMAA= +- +EOF + fi +} + +check_expected_userparameters() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-userParameters-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb userParameters=* --scope=sub -b DC=release-4-1-0rc3,DC=samba,DC=corp userParameters --sorted | grep -v \# >$tmpldif + diff -u $tmpldif $release_dir/expected-userParameters-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +reindex() +{ + $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" +} + +do_current_version_mod() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + # Confirm (in combination with the ldbsearch below) that + # changing the attribute with current Samba fixes it, and that + # a fixed attriute isn't unfixed by dbcheck. + tmpldif=$release_dir/sudoers2-mod.ldif + $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $tmpldif + fi + return 0 +} + +check_expected_before_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-replpropertymetadata-before-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything2 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary | grep -v originating_change_time | grep -v whenChanged >$tmpldif + + # Here we remove originating_change_time and whenChanged as + # these are time-dependent, caused by the ldbmodify above. + + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck2.ldif + if [ "$?" != "0" ]; then + return 1 + fi + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything3 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck3.ldif + if [ "$?" != "0" ]; then + return 1 + fi + elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/rootdse-version.initial.txt.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif + diff -u $tmpldif $release_dir/rootdse-version.initial.txt + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +# This should 'fail', because it returns the number of modified records +dbcheck_objectclass() +{ + if [ x$RELEASE = x"release-4-1-6-partial-object" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --attrs=objectclass "$@" + else + return 1 + fi +} + +# This should 'fail', because it returns the number of wrong records, which it must if we did not skip the deleted objects +dbcheck_deleted_objects() +{ + if [ x$RELEASE = x"alpha13" ]; then + basedn=$($ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope base -b "" defaultNamingContext | grep -i defaultNamingContext | cut -d\ -f 2) + + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "cn=deleted objects,$basedn" --scope base "$@" + else + return 1 + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck() +{ + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" +} + +check_expected_after_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-replpropertymetadata-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything2 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary | grep -v originating_change_time | grep -v whenChanged >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck2.ldif + if [ "$?" != "0" ]; then + return 1 + fi + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything3 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif + diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck3.ldif + if [ "$?" != "0" ]; then + return 1 + fi + # Check DomainDNS partition for replica locations + tmpldif=$PREFIX_ABS/$RELEASE/expected-replica-locations-after-dbcheck.ldif.tmp + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=49a69498-9a85-48af-9be4-aa0b3e0054f9 --scope=one -b CN=Partitions,CN=Configuration,DC=release-4-1-0rc3,DC=samba,DC=corp msDS-NC-Replica-Locations >$tmpldif + diff -u $tmpldif $release_dir/expected-replica-locations-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + # Check ForestDNS partition for replica locations + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=7d2a15af-c0d4-487c-847e-e036292bcc65 --scope=one -b CN=Partitions,CN=Configuration,DC=release-4-1-0rc3,DC=samba,DC=corp msDS-NC-Replica-Locations >$tmpldif + diff -u $tmpldif $release_dir/expected-replica-locations-after-dbcheck2.ldif + if [ "$?" != "0" ]; then + return 1 + fi + elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then + echo $RELEASE checking after values + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-dbcheck.ldif.tmp + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --show-recycled --show-deleted --show-deactivated-link --reveal member memberOf lastKnownParent objectCategory lastKnownParent wellKnownObjects legacyExchangeDN sAMAccountType uSNChanged --sorted >$tmpldif + diff -u $tmpldif $release_dir/expected-links-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + + # If in the future dbcheck has to make a change recorded in replPropertyMetadata, + # this test will fail and can be removed. + tmpversion=$PREFIX_ABS/$RELEASE/rootdse-version.final.txt.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpversion + diff -u $tmpversion $release_dir/rootdse-version.final.txt + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +check_forced_duplicate_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + ldif=$release_dir/forced-duplicate-value-for-dbcheck.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi + else + return 0 + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck_after_dup() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=administrator,cn=users,DC=release-4-1-0rc3,DC=samba,DC=corp "$@" + else + return 1 + fi +} + +check_expected_after_dup_values() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-otherphone-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=administrator --scope=base -b cn=administrator,cn=users,DC=release-4-1-0rc3,DC=samba,DC=corp otherHomePhone --sorted --show-binary | grep -v \# | sort >$tmpldif + diff -u $tmpldif $release_dir/expected-otherphone-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +# But having fixed it all up, this should pass +dbcheck_clean() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" +} + +# This should 'fail', because it returns the number of modified records. +# We need to run this against all versions without adprep 2016 (before Samba 4.19) +dbcheck_acl_reset() +{ + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" +} +# But having fixed it all up, this should pass. +# We don't need to run this against 4.1.0rc3 +dbcheck_acl_reset_clean() +{ + if [ x$RELEASE != x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" + fi +} + +# This should 'fail', because it returns the number of modified records +dbcheck2() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" + else + exit 1 + fi +} +# But having fixed it all up, this should pass +dbcheck_clean2() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" + fi +} + +rm_deleted_objects() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb 'CN=Deleted Objects,DC=RELEASE-4-1-0RC3,DC=SAMBA,DC=CORP' + if [ "$?" != "0" ]; then + return 1 + fi + else + return 0 + fi +} +# This should 'fail', because it returns the number of modified records +dbcheck3() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" + else + exit 1 + fi +} +# But having fixed it all up, this should pass +dbcheck_clean3() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" + fi +} + +check_expected_after_deleted_objects() +{ + if [ x$RELEASE = x"release-4-1-0rc3" ]; then + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted_objects-after-dbcheck.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=deleted\ objects --scope=base -b cn=deleted\ objects,DC=release-4-1-0rc3,DC=samba,DC=corp objectClass description isDeleted isCriticalSystemObject objectGUID showInAdvancedViewOnly systemFlags --sorted --show-binary --show-deleted | grep -v \# | sort >$tmpldif + diff -u $tmpldif $release_dir/expected-deleted_objects-after-dbcheck.ldif + if [ "$?" != "0" ]; then + return 1 + fi + fi + return 0 +} + +referenceprovision() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old + + # on top of this, also apply 2008R2 changes we accidentally missed in the past + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf + fi +} + +ldapcmp() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes,servicePrincipalName + fi +} + +ldapcmp_sd() +{ + if [ x$RELEASE = x"release-4-0-0" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --sd --skip-missing-dn --filter=servicePrincipalName + fi +} + +remove_directory $PREFIX_ABS/${RELEASE}_reference + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "reindex" reindex || failed=$(expr $failed + 1) +testit "current_version_mod" do_current_version_mod || failed=$(expr $failed + 1) +testit "check_expected_before_values" check_expected_before_values || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_deleted_objects" dbcheck_deleted_objects || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_objectclass" dbcheck_objectclass || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck" dbcheck || failed=$(expr $failed + 1) +testit "check_expected_after_values" check_expected_after_values || failed=$(expr $failed + 1) +testit "check_forced_duplicate_values" check_forced_duplicate_values || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_after_dup" dbcheck_after_dup || failed=$(expr $failed + 1) +testit "check_expected_after_dup_values" check_expected_after_dup_values || failed=$(expr $failed + 1) +testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1) +testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean || failed=$(expr $failed + 1) +testit "add_userparameters0" add_userparameters1 || failed=$(expr $failed + 1) +testit "add_userparameters1" add_userparameters1 || failed=$(expr $failed + 1) +testit "add_userparameters2" add_userparameters2 || failed=$(expr $failed + 1) +testit "add_userparameters3" add_userparameters3 || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck2" dbcheck2 || failed=$(expr $failed + 1) +testit "dbcheck_clean2" dbcheck_clean2 || failed=$(expr $failed + 1) +testit "check_expected_userparameters" check_expected_userparameters || failed=$(expr $failed + 1) +testit "rm_deleted_objects" rm_deleted_objects || failed=$(expr $failed + 1) +# We must re-index again because rm_deleted_objects went behind +# the back of the main sam.ldb. +testit "reindex2" reindex || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck3" dbcheck3 || failed=$(expr $failed + 1) +testit "dbcheck_clean3" dbcheck_clean3 || failed=$(expr $failed + 1) +testit "check_expected_after_deleted_objects" check_expected_after_deleted_objects || failed=$(expr $failed + 1) +testit "referenceprovision" referenceprovision || failed=$(expr $failed + 1) +testit "ldapcmp" ldapcmp || failed=$(expr $failed + 1) +testit "ldapcmp_sd" ldapcmp_sd || failed=$(expr $failed + 1) + +if [ -d $PREFIX_ABS/${RELEASE} ]; then + rm -fr $PREFIX_ABS/${RELEASE} +fi + +remove_directory $PREFIX_ABS/${RELEASE}_reference + +exit $failed diff --git a/testprogs/blackbox/dbcheck.sh b/testprogs/blackbox/dbcheck.sh new file mode 100755 index 0000000..0869a2b --- /dev/null +++ b/testprogs/blackbox/dbcheck.sh @@ -0,0 +1,72 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: dbcheck.sh PREFIX +EOF + exit 1 +fi + +PREFIX="$1" +shift 1 +ARGS=$@ + +. $(dirname $0)/subunit.sh + +dbcheck() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs $ARGS +} + +# This list of attributes can be freely extended +dbcheck_fix_one_way_links() +{ + $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes fix_all_old_dn_string_component_mismatch --attrs="lastKnownParent defaultObjectCategory fromServer rIDSetReferences" --cross-ncs $ARGS +} + +# This list of attributes can be freely extended +dbcheck_fix_stale_links() +{ + $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes remove_plausible_deleted_DN_links --attrs="member msDS-NC-Replica-Locations msDS-NC-RO-Replica-Locations msDS-RevealOnDemandGroup msDS-NeverRevealGroup msDS-RevealedUsers" --cross-ncs $ARGS +} + +# This list of attributes can be freely extended +dbcheck_fix_crosspartition_backlinks() +{ + # we may not know the target yet when we receive a cross-partition link, + # which can result in a missing backlink + $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes fix_all_missing_backlinks --attrs="serverReference" --cross-ncs $ARGS +} + +# This test shows that this does not do anything to a current +# provision (that would be a bug) +dbcheck_reset_well_known_acls() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --reset-well-known-acls $ARGS +} + +reindex() +{ + $PYTHON $BINDIR/samba-tool dbcheck --reindex $ARGS +} + +fixed_attrs() +{ + $PYTHON $BINDIR/samba-tool dbcheck --attrs=cn $ARGS +} + +force_modules() +{ + $PYTHON $BINDIR/samba-tool dbcheck --force-modules $ARGS +} + +dbcheck_fix_one_way_links +dbcheck_fix_stale_links +dbcheck_fix_crosspartition_backlinks +testit "dbcheck" dbcheck || failed=$(expr $failed + 1) +testit "reindex" reindex || failed=$(expr $failed + 1) +testit "fixed_attrs" fixed_attrs || failed=$(expr $failed + 1) +testit "force_modules" force_modules || failed=$(expr $failed + 1) +testit "reset_well_known_acls" dbcheck_reset_well_known_acls || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/demote-saveddb.sh b/testprogs/blackbox/demote-saveddb.sh new file mode 100755 index 0000000..4af9e97 --- /dev/null +++ b/testprogs/blackbox/demote-saveddb.sh @@ -0,0 +1,77 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: demote-saveddb.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +shift 1 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +samba_tree_dir="$SRCDIR_ABS/source4/selftest/provisions/multi-dc-samba-master-c596ac6" + +samba_tdbrestore=$(system_or_builddir_binary tdbrestore "${BINDIR}") + +# The undump script and the provision data is not part of release tarballs, +# skip the tests in this case! +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x $samba_undump ] || [ ! -d $samba_tree_dir ]; then + subunit_start_test "undump" + subunit_skip_test "undump" <<EOF +EOF + + subunit_start_test "undump" + subunit_skip_test "undump" <<EOF +Skipping tests - no provision! +EOF + + subunit_start_test "demote-q-0-0" + subunit_skip_test "demote-q-0-0" <<EOF +Skipping tests - no provision! +EOF + subunit_start_test "demote-q-0-1" + subunit_skip_test "demote-q-0-1" <<EOF +Skipping tests - no provision! +EOF + subunit_start_test "demote-q-1-0" + subunit_skip_test "demote-q-1-0" <<EOF +Skipping tests - no provision! +EOF + subunit_start_test "demote-q-1-1" + subunit_skip_test "demote-q-1-1" <<EOF +Skipping tests - no provision! +EOF + + exit 0 +fi + +undump() +{ + $SRCDIR_ABS/source4/selftest/provisions/undump.sh $samba_tree_dir $PREFIX_ABS $samba_tdbrestore +} + +demote() +{ + $PYTHON $BINDIR/samba-tool domain demote -H tdb://$PREFIX_ABS/private/sam.ldb --remove-other-dead-server=$1 +} + +remove_directory $PREFIX_ABS + +testit "undump" undump || failed=$(expr $failed + 1) +testit "demote-q-0-0" demote "q-0-0" || failed=$(expr $failed + 1) +# The database was copied of q-0-1 so this will fail +# as we can't remove our own name +testit_expect_failure "demote-q-0-1" demote "q-0-1" || failed=$(expr $failed + 1) +testit "demote-q-1-0" demote "q-1-0" || failed=$(expr $failed + 1) +testit "demote-q-1-1" demote "q-1-1" || failed=$(expr $failed + 1) + +remove_directory $PREFIX_ABS + +exit $failed diff --git a/testprogs/blackbox/dfree.sh b/testprogs/blackbox/dfree.sh new file mode 100755 index 0000000..893bc59 --- /dev/null +++ b/testprogs/blackbox/dfree.sh @@ -0,0 +1,8 @@ +#!/bin/sh +if [ "$1" = "." ]; then + echo "1000 10 2048" +elif [ "$1" = "subdir1" ]; then + echo "2000 20 4096" +else + echo "4000 40 8192" +fi diff --git a/testprogs/blackbox/dom_parse.sh b/testprogs/blackbox/dom_parse.sh new file mode 100755 index 0000000..8a22ce2 --- /dev/null +++ b/testprogs/blackbox/dom_parse.sh @@ -0,0 +1,27 @@ +#!/bin/sh +# Blackbox wrapper for nsstest +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: dom_parse.sh [id|getent] $USER +EOF + exit 1 +fi + +USER=$2 +CMD=$1 +EXTRA="" +shift 2 +failed=0 + +. $(dirname $0)/subunit.sh + +if [ "$CMD" = "getent" ]; then + EXTRA="passwd" +fi + +testit "samba4.winbind.dom_name_parse.cmd.$CMD" $CMD $EXTRA $USER || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh new file mode 100755 index 0000000..94099f4 --- /dev/null +++ b/testprogs/blackbox/functionalprep.sh @@ -0,0 +1,183 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: $0 PREFIX +EOF + exit 1 +fi + +PREFIX_ABS="$1" +shift 1 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +RELEASE="release-4-8-0-pre1" +release_dir="$SRCDIR_ABS/source4/selftest/provisions/$RELEASE" + +OLD_RELEASE="release-4-1-0rc3" +old_release_dir="$SRCDIR_ABS/source4/selftest/provisions/$OLD_RELEASE" + +samba_tdbrestore=$(system_or_builddir_binary tdbrestore "${BINDIR}") + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" + +if [ ! -x $samba_undump ] || [ ! -d $release_dir ] || [ ! -d $old_release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "functional_prep" + subunit_skip_test "functional_prep" <<EOF +no test provision +EOF + + subunit_start_test "functional_prep_old" + subunit_skip_test "functional_prep_old" <<EOF +no test provision +EOF + + exit 0 +fi + +cleanup_output_directories() +{ + remove_directory $PREFIX_ABS/2012R2_schema + remove_directory $PREFIX_ABS/2019_schema + remove_directory $PREFIX_ABS/$RELEASE + remove_directory $PREFIX_ABS/$OLD_RELEASE +} + +undump() +{ + $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore +} + +undump_old() +{ + $samba_undump $old_release_dir $PREFIX_ABS/$OLD_RELEASE $samba_tdbrestore +} + +PROVISION_OPTS="--use-ntvfs --host-ip6=::1 --host-ip=127.0.0.1" + +provision_schema_2019_prep_skip() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=REALM --realm=REALM.COM --targetdir=$PREFIX_ABS/2019_schema --base-schema=2019 --adprep-level=SKIP --host-name=FLPREP +} + +provision_2012r2() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=REALM --realm=REALM.COM --targetdir=$PREFIX_ABS/2012R2_schema --base-schema=2012_R2 --host-name=FLPREP +} + +ldapcmp_ignore() +{ + # At some point we will need to ignore, but right now, it should be perfect + IGNORE_ATTRS=$1 + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes,servicePrincipalName +} + +ldapcmp() +{ + # Our functional prep doesn't set these values as they were not provided + # These are XML schema based enumerations which are used for claims + ldapcmp_ignore "msDS-ClaimPossibleValues" "$RELEASE" "2012R2_schema" +} + +functional_prep_2016() +{ + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/2019_schema/private/sam.ldb --function-level=2016 +} + +level_raise_2012R2() +{ + $PYTHON $BINDIR/samba-tool domain level raise \ + -H tdb://$PREFIX_ABS/2019_schema/private/sam.ldb \ + --option="ad dc functional level = 2012_R2" \ + --domain-level=2012_R2 --forest-level=2012_R2 +} + +level_raise_2016() +{ + $PYTHON $BINDIR/samba-tool domain level raise \ + -H tdb://$PREFIX_ABS/2019_schema/private/sam.ldb \ + --option="ad dc functional level = 2016" \ + --domain-level=2016 --forest-level=2016 +} + +functional_prep_2012R2() +{ + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/2012R2_schema/private/sam.ldb --function-level=2012_R2 +} + +functional_prep_2012R2_old() +{ + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --function-level=2012_R2 +} + +functional_prep_2016_old() +{ + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --function-level=2016 +} + +steal_roles() +{ + # Must steal schema master and infrastructure roles first + $PYTHON $BINDIR/samba-tool fsmo seize --role=schema -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --force + $PYTHON $BINDIR/samba-tool fsmo seize --role=infrastructure -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --force +} + +schema_upgrade_2012R2_old() +{ + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --schema=2012_R2 +} + +schema_upgrade_2019_old() +{ + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --schema=2019 +} + +# double-check we cleaned up from the last test run +cleanup_output_directories + +testit $RELEASE undump || failed=$(expr $failed + 1) + +# Provision a DC based on 2012R2 schema +testit "provision_2012R2_schema" provision_2012r2 || failed=$(expr $failed + 1) + +# Perform functional prep up to 2012 R2 level +testit "functional_prep_2012R2" functional_prep_2012R2 || failed=$(expr $failed + 1) + +# check that the databases are now the same +testit "check_databases_same" ldapcmp || failed=$(expr $failed + 1) + +testit $OLD_RELEASE undump_old || failed=$(expr $failed + 1) + +testit "steal_roles" steal_roles || failed=$(expr $failed + 1) + +testit "schema_upgrade_2012R2_old" schema_upgrade_2012R2_old || failed=$(expr $failed + 1) +testit "functional_prep_2012R2_old" functional_prep_2012R2_old || failed=$(expr $failed + 1) + +testit "schema_upgrade_2019_old" schema_upgrade_2019_old || failed=$(expr $failed + 1) +testit "functional_prep_2016_old" functional_prep_2016_old || failed=$(expr $failed + 1) + +cleanup_output_directories + +# Provision a DC based on 2019 schema +testit "provision_schema_2019_prep_skip" provision_schema_2019_prep_skip || failed=$(expr $failed + 1) + +# Perform functional prep up to 2016 level +testit "functional_prep_2016" functional_prep_2016 || failed=$(expr $failed + 1) + +# raise the levels to 2012_R2 +testit "level_raise_2012R2" level_raise_2012R2 || failed=$(expr $failed + 1) +# raise the levels to 2016 +testit "level_raise_2016" level_raise_2016 || failed=$(expr $failed + 1) + +cleanup_output_directories + +exit $failed diff --git a/testprogs/blackbox/join_ldapcmp.sh b/testprogs/blackbox/join_ldapcmp.sh new file mode 100755 index 0000000..3e5b264 --- /dev/null +++ b/testprogs/blackbox/join_ldapcmp.sh @@ -0,0 +1,51 @@ +#!/bin/sh +# Does a join against the testenv's DC and then runs ldapcmp on the resulting DB + +. $(dirname $0)/subunit.sh + +TARGET_DIR="$PREFIX_ABS/join_$SERVER" + +cleanup_output_dir() +{ + if [ -d $TARGET_DIR ]; then + rm -fr $TARGET_DIR + fi +} + +SAMBA_TOOL="$PYTHON $BINDIR/samba-tool" + +join_dc() +{ + JOIN_ARGS="--targetdir=$TARGET_DIR --server=$SERVER -U$USERNAME%$PASSWORD" + $SAMBA_TOOL domain join $REALM dc $JOIN_ARGS --option="netbios name = TESTJOINDC" +} + +demote_joined_dc() +{ + DEMOTE_ARGS="--remove-other-dead-server=TESTJOINDC --server=$SERVER -U$USERNAME%$PASSWORD" + $SAMBA_TOOL domain demote $DEMOTE_ARGS +} + +ldapcmp_result() +{ + DB1_PATH="tdb://$PREFIX_ABS/$SERVER/private/sam.ldb" + DB2_PATH="tdb://$TARGET_DIR/private/sam.ldb" + + # interSiteTopologyGenerator gets periodically updated. With the restored + # testenvs, it can sometimes point to the old/deleted DC object still + $SAMBA_TOOL ldapcmp $DB1_PATH $DB2_PATH --filter=interSiteTopologyGenerator +} + +cleanup_output_dir + +# check that we can join this DC +testit "check_dc_join" join_dc + +# check resulting DB matches server DC +testit "new_db_matches" ldapcmp_result + +testit "demote_joined_dc" demote_joined_dc + +cleanup_output_dir + +exit $failed diff --git a/testprogs/blackbox/ldapcmp_restoredc.sh b/testprogs/blackbox/ldapcmp_restoredc.sh new file mode 100755 index 0000000..508b017 --- /dev/null +++ b/testprogs/blackbox/ldapcmp_restoredc.sh @@ -0,0 +1,73 @@ +#!/bin/sh +# Does an ldapcmp between a newly restored testenv and the original testenv it +# was based on + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: $0 ORIG_DC_PREFIX RESTORED_DC_PREFIX +EOF + exit 1 +fi + +ORIG_DC_PREFIX_ABS="$1" +RESTORED_DC_PREFIX_ABS="$2" +shift 2 + +. $(dirname $0)/subunit.sh +. "$(dirname "${0}")/common_test_fns.inc" + +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +basedn() +{ + SAMDB_PATH=$1 + ${ldbsearch} -H $SAMDB_PATH --basedn='' --scope=base defaultNamingContext | grep defaultNamingContext | awk '{print $2}' +} + +ldapcmp_with_orig() +{ + + DB1_PATH="tdb://$ORIG_DC_PREFIX_ABS/private/sam.ldb" + DB2_PATH="tdb://$RESTORED_DC_PREFIX_ABS/private/sam.ldb" + + # check if the 2 DCs are in different domains + DC1_BASEDN=$(basedn $DB1_PATH) + DC2_BASEDN=$(basedn $DB2_PATH) + BASE_DN_OPTS="" + + # if necessary, pass extra args to ldapcmp to handle the difference in base DNs + if [ "$DC1_BASEDN" != "$DC2_BASEDN" ]; then + BASE_DN_OPTS="--base=$DC1_BASEDN --base2=$DC2_BASEDN" + fi + + # the restored DC will remove DNS entries for the old DC(s) + IGNORE_ATTRS="dnsRecord,dNSTombstoned" + + # DC2 joined DC1, so it will have different DRS info + IGNORE_ATTRS="$IGNORE_ATTRS,msDS-NC-Replica-Locations,msDS-HasInstantiatedNCs" + IGNORE_ATTRS="$IGNORE_ATTRS,interSiteTopologyGenerator" + + # there's a servicePrincipalName that uses the objectGUID of the DC's NTDS + # Settings that will differ between the two DCs + IGNORE_ATTRS="$IGNORE_ATTRS,servicePrincipalName" + + # the restore changes the new DC's password twice + IGNORE_ATTRS="$IGNORE_ATTRS,lastLogonTimestamp" + + # The RID pools get bumped during the restore process + IGNORE_ATTRS="$IGNORE_ATTRS,rIDAllocationPool,rIDAvailablePool" + + # these are just differences between provisioning a domain and joining a DC + IGNORE_ATTRS="$IGNORE_ATTRS,localPolicyFlags,operatingSystem,displayName" + + # the restored DC may use a different side compared to the original DC + IGNORE_ATTRS="$IGNORE_ATTRS,serverReferenceBL,msDS-IsDomainFor" + + LDAPCMP_CMD="$PYTHON $BINDIR/samba-tool ldapcmp" + $LDAPCMP_CMD $DB1_PATH $DB2_PATH --two --skip-missing-dn --filter=$IGNORE_ATTRS $BASE_DN_OPTS +} + +# check that the restored testenv DC basically matches the original +testit "orig_dc_matches" ldapcmp_with_orig + +exit $failed diff --git a/testprogs/blackbox/nsstest.sh b/testprogs/blackbox/nsstest.sh new file mode 100755 index 0000000..6bf6705 --- /dev/null +++ b/testprogs/blackbox/nsstest.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# Blackbox wrapper for nsstest +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: nsstest.sh NSSTEST LIBNSS_WINBIND +EOF + exit 1 +fi + +nsstest=$1 +libnss_winbind=$2 +shift 2 +failed=0 + +. $(dirname $0)/subunit.sh + +testit "run nsstest" $VALGRIND $nsstest $libnss_winbind || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/renamedc.sh b/testprogs/blackbox/renamedc.sh new file mode 100755 index 0000000..fc32cad --- /dev/null +++ b/testprogs/blackbox/renamedc.sh @@ -0,0 +1,103 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: renamedc.sh PREFIX +EOF + exit 1 +fi + +PREFIX="$1" +shift 1 + +. $(dirname $0)/subunit.sh +. "$(dirname "${0}")/common_test_fns.inc" + +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +if [ ! -d $PREFIX/renamedc_test ]; then + mkdir -p $PREFIX/renamedc_test +fi + +testprovision() +{ + $PYTHON $BINDIR/samba-tool domain provision --host-name=bar --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/renamedc_test" --server-role="dc" --use-ntvfs +} + +testrenamedc() +{ + $PYTHON $SRCDIR/source4/scripting/bin/renamedc \ + --oldname="BAR" \ + --newname="RAYMONBAR" \ + --configfile=$PREFIX/renamedc_test/etc/smb.conf +} + +confirmrenamedc() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com' +} + +confirmrenamedc_server() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=configuration,dc=foo,dc=example,dc=com' +} + +confirmrenamedc_sAMAccountName() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com' sAMAccountName | grep 'sAMAccountName: RAYMONBAR\$' +} + +confirmrenamedc_dNSHostName() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com' dNSHostName | grep 'dNSHostName: RAYMONBAR.foo.example.com' +} + +confirmrenamedc_rootdse_dnsHostName() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b '' dNSHostName | grep 'dnsHostName: RAYMONBAR.foo.example.com' +} + +confirmrenamedc_rootdse_dsServiceName() +{ + $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --show-binary --scope=base -b '' dsServiceName | grep 'dsServiceName: CN=NTDS Settings,CN=RAYMONBAR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=foo,DC=example,DC=com' +} + +testrenamedc2() +{ + $PYTHON $SRCDIR/source4/scripting/bin/renamedc \ + --oldname="RAYMONBAR" \ + --newname="BAR" \ + --configfile=$PREFIX/renamedc_test/etc/smb.conf +} + +dbcheck_fix() +{ + # Unlike most calls to dbcheck --fix, this will not trigger an error, as + # we do not flag an error count for this old DN string case. + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --configfile=$PREFIX/renamedc_test/etc/smb.conf --fix \ + --quiet --yes fix_all_old_dn_string_component_mismatch \ + --attrs="fsmoRoleOwner interSiteTopologyGenerator msDS-NC-Replica-Locations" +} + +dbcheck() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --configfile=$PREFIX/renamedc_test/etc/smb.conf +} + +testit "renameprovision" testprovision || failed=$(expr $failed + 1) +testit "renamedc" testrenamedc || failed=$(expr $failed + 1) +testit "confirmrenamedc" confirmrenamedc || failed=$(expr $failed + 1) +testit "confirmrenamedc_server" confirmrenamedc_server || failed=$(expr $failed + 1) +testit "confirmrenamedc_sAMAccountName" confirmrenamedc_sAMAccountName || failed=$(expr $failed + 1) +testit "confirmrenamedc_dNSHostName" confirmrenamedc_dNSHostName || failed=$(expr $failed + 1) +testit "confirmrenamedc_rootdse_dnsHostName" confirmrenamedc_rootdse_dnsHostName || failed=$(expr $failed + 1) +testit "confirmrenamedc_rootdse_dsServiceName" confirmrenamedc_rootdse_dsServiceName || failed=$(expr $failed + 1) +testit "dbcheck_fix" dbcheck_fix || failed=$(expr $failed + 1) +testit "dbcheck" dbcheck || failed=$(expr $failed + 1) +testit "renamedc2" testrenamedc2 || failed=$(expr $failed + 1) + +if [ $failed -eq 0 ]; then + rm -rf $PREFIX/renamedc_test +fi + +exit $failed diff --git a/testprogs/blackbox/runtime-links.sh b/testprogs/blackbox/runtime-links.sh new file mode 100755 index 0000000..9cb49e4 --- /dev/null +++ b/testprogs/blackbox/runtime-links.sh @@ -0,0 +1,82 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: runtime-links.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +failed=0 + +. $(dirname $0)/subunit.sh + +. $(dirname $0)/common_test_fns.inc +. $(dirname $0)/common-links.sh + + +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "tombstones_expunge" + subunit_skip_test "tombstones_expunge" <<EOF +no test provision +EOF + + exit 0 +fi + +delete_member_of_deleted_group() +{ + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + if [ "$?" != "0" ]; then + return 1 + fi +} + +delete_backlink_memberof_deleted_group() +{ + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + if [ "$?" != "0" ]; then + return 1 + fi +} + +delete_dangling_backlink_memberof_group() +{ + TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=dangling-back,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp' + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_directory $PREFIX_ABS/${RELEASE} + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "add_dangling_link" add_dangling_link || failed=$(expr $failed + 1) +testit "add_dangling_backlink" add_dangling_backlink || failed=$(expr $failed + 1) +testit "add_deleted_dangling_backlink" add_deleted_dangling_backlink || failed=$(expr $failed + 1) +testit "revive_links_on_deleted_group" revive_links_on_deleted_group || failed=$(expr $failed + 1) +testit "revive_backlink_on_deleted_group" revive_backlink_on_deleted_group || failed=$(expr $failed + 1) +testit "add_deleted_target_link" add_deleted_target_link || failed=$(expr $failed + 1) +testit "add_deleted_target_backlink" add_deleted_target_backlink || failed=$(expr $failed + 1) +testit "dangling_one_way_link" dangling_one_way_link || failed=$(expr $failed + 1) +testit "dangling_one_way_dn" dangling_one_way_dn || failed=$(expr $failed + 1) +testit "deleted_one_way_dn" deleted_one_way_dn || failed=$(expr $failed + 1) +testit "add_dangling_multi_valued" add_dangling_multi_valued || failed=$(expr $failed + 1) + +#Now things are set up, work with the DB +testit "delete_member_of_deleted_group" delete_member_of_deleted_group || failed=$(expr $failed + 1) +testit "delete_backlink_memberof_deleted_group" delete_backlink_memberof_deleted_group || failed=$(expr $failed + 1) +testit "delete_dangling_backlink_memberof_group" delete_dangling_backlink_memberof_group || failed=$(expr $failed + 1) + +remove_directory $PREFIX_ABS/${RELEASE} + +exit $failed diff --git a/testprogs/blackbox/schemaupgrade.sh b/testprogs/blackbox/schemaupgrade.sh new file mode 100755 index 0000000..236a0bb --- /dev/null +++ b/testprogs/blackbox/schemaupgrade.sh @@ -0,0 +1,131 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: $0 PREFIX +EOF + exit 1 +fi + +PREFIX_ABS="$1" +shift 1 + +. $(dirname $0)/subunit.sh + +cleanup_output_directories() +{ + if [ -d $PREFIX_ABS/2012R2_schema ]; then + rm -fr $PREFIX_ABS/2012R2_schema + fi + + if [ -d $PREFIX_ABS/2008R2_schema ]; then + rm -fr $PREFIX_ABS/2008R2_schema + fi +} + +PROVISION_OPTS="--use-ntvfs --host-ip6=::1 --host-ip=127.0.0.1" + +provision_2012r2() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2012r2.samba.corp --targetdir=$PREFIX_ABS/2012R2_schema --base-schema=2012_R2 --adprep-level=SKIP +} + +provision_2008r2() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2008r2.samba.corp --targetdir=$PREFIX_ABS/2008R2_schema --base-schema=2008_R2 +} + +provision_2008r2_old() +{ + $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2008r2.samba.corp --targetdir=$PREFIX_ABS/2008R2_old_schema --base-schema=2008_R2_old +} + +ldapcmp_ignore() +{ + + IGNORE_ATTRS=$1 + + # there's discrepancies between the SDDL strings in the adprep LDIF files + # vs the 2012 schema, where one source will have ACE rights repeated, e.g. + # "LOLO" in adprep vs "LO" in the schema + IGNORE_ATTRS="$IGNORE_ATTRS,defaultSecurityDescriptor" + + # the adprep LDIF files updates these attributes for the DisplaySpecifiers + # objects, but we don't have the 2012 DisplaySpecifiers documentation... + IGNORE_ATTRS="$IGNORE_ATTRS,adminContextMenu,adminPropertyPages" + + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2_schema/private/sam.ldb tdb://$PREFIX_ABS/$3_schema/private/sam.ldb --two --filter=$IGNORE_ATTRS --skip-missing-dn +} + +ldapcmp_old() +{ + # the original 2008 schema we received from Microsoft was missing + # descriptions and display names. This has been fixed up in the current + # Microsoft schemas + IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName" + + # we didn't get showInAdvancedViewOnly right on Samba + IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly" + + ldapcmp_ignore "$IGNORE_ATTRS" "2008R2_old" "2012R2" +} + +ldapcmp() +{ + # The adminDescription and adminDisplayName have been editorially + # corrected in the 2012R2 schema but not in the adprep files. + ldapcmp_ignore "adminDescription,adminDisplayName" "2008R2" "2012R2" +} + +ldapcmp_2008R2_2008R2_old() +{ + # the original 2008 schema we received from Microsoft was missing + # descriptions and display names. This has been fixed up in the current + # Microsoft schemas + IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName" + + # we didn't get showInAdvancedViewOnly right on Samba + IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly" + + ldapcmp_ignore $IGNORE_ATTRS "2008R2" "2008R2_old" +} + +schema_upgrade() +{ + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/2008R2_schema/private/sam.ldb --schema=2012_R2 +} + +schema_upgrade_old() +{ + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/2008R2_old_schema/private/sam.ldb --schema=2012_R2 +} + +# double-check we cleaned up from the last test run +cleanup_output_directories + +# Provision 2 DCs, one based on the 2008R2 schema and one using 2012R2 +testit "provision_2008R2_schema" provision_2008r2 +testit "provision_2008R2_old_schema" provision_2008r2_old +testit "provision_2012R2_schema" provision_2012r2 + +# we expect the 2 schemas to be different +testit_expect_failure "expect_schema_differences" ldapcmp + +# check that the 2 schemas are now the same, ignoring Samba bugs +testit "check_2008R2_2008R2_schemas_same" ldapcmp_2008R2_2008R2_old + +# upgrade the 2008 schema to 2012 +testit "schema_upgrade" schema_upgrade + +# check that the 2 schemas are now the same +testit "check_schemas_same" ldapcmp + +# upgrade the 2008 schema to 2012 +testit "schema_upgrade_old" schema_upgrade_old + +# check that the 2 schemas are now the same, ignoring Samba bugs +testit "check_schemas_same_old" ldapcmp_old + +cleanup_output_directories + +exit $failed diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh new file mode 100755 index 0000000..0c27775 --- /dev/null +++ b/testprogs/blackbox/subunit.sh @@ -0,0 +1,212 @@ +# +# subunit.sh: shell functions to report test status via the subunit protocol. +# Copyright (C) 2006 Robert Collins <robertc@robertcollins.net> +# Copyright (C) 2008 Jelmer Vernooij <jelmer@samba.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +timestamp() +{ + # mark the start time. With Gnu date, you get nanoseconds from %N + # (here truncated to microseconds with %6N), but not on BSDs, + # Solaris, etc, which will apparently leave either %N or N at the end. + date -u +'time: %Y-%m-%d %H:%M:%S.%6NZ' | sed 's/\..*NZ$/.000000Z/' +} + +subunit_start_test() +{ + # emit the current protocol start-marker for test $1 + timestamp + printf 'test: %s\n' "$1" +} + +subunit_pass_test() +{ + # emit the current protocol test passed marker for test $1 + timestamp + printf 'success: %s\n' "$1" +} + +# This is just a hack as we have some broken scripts +# which use "exit $failed", without initializing failed. +failed=0 + +subunit_fail_test() +{ + # emit the current protocol fail-marker for test $1, and emit stdin as + # the error text. + # we use stdin because the failure message can be arbitrarily long, and this + # makes it convenient to write in scripts (using <<END syntax. + timestamp + printf 'failure: %s [\n' "$1" + cat - + printf '\n]\n' +} + +subunit_error_test() +{ + # emit the current protocol error-marker for test $1, and emit stdin as + # the error text. + # we use stdin because the failure message can be arbitrarily long, and this + # makes it convenient to write in scripts (using <<END syntax. + timestamp + printf 'error: %s [\n' "$1" + cat - + printf '\n]\n' +} + +subunit_skip_test() +{ + # emit the current protocol skip-marker for test $1, and emit stdin as + # the error text. + # we use stdin because the failure message can be arbitrarily long, and this + # makes it convenient to write in scripts (using <<END syntax. + printf 'skip: %s [\n' "$1" + cat - + printf '\n]\n' +} + +testit() +{ + name="$1" + shift + cmdline="$*" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ ${status} -eq 0 ]; then + subunit_pass_test "$name" + else + echo "$output" | subunit_fail_test "$name" + fi + return $status +} + +# This returns 0 if the command gave success and the grep value was found +# all other cases return != 0 +testit_grep() +{ + name="$1" + shift + grep="$1" + shift + cmdline="$*" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ ${status} -ne 0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ ${gstatus} -eq 0 ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" not found in output:\n%s' "$grep" "$output" | subunit_fail_test "$name" + fi + return $gstatus +} + +# This returns 0 if the command gave success and the grep value was found +# num times all other cases return != 0 +testit_grep_count() +{ + name="$1" + shift + grep="$1" + shift + num="$1" + shift + cmdline="$*" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ ${status} -ne 0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return $status + fi + found=$(printf '%s' "$output" | grep -c "$grep") + if [ "${found}" -eq "$num" ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" found "%d" times, expected "%d" in output:\n%s'\ + "$grep" "$found" "$num" "$output" | + subunit_fail_test "$name" + return 1 + fi + return 0 +} + +testit_expect_failure() +{ + name="$1" + shift + cmdline="$*" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ ${status} = 0 ]; then + echo "$output" | subunit_fail_test "$name" + return 1 + else + subunit_pass_test "$name" + return 0 + fi +} + +# This returns 0 if the command gave a failure and the grep value was found +# all other cases return != 0 +testit_expect_failure_grep() +{ + name="$1" + shift + grep="$1" + shift + cmdline="$*" + subunit_start_test "$name" + output=$($cmdline 2>&1) + status=$? + if [ ${status} -eq 0 ]; then + printf '%s' "$output" | subunit_fail_test "$name" + return 1 + fi + printf '%s' "$output" | grep -q "$grep" + gstatus=$? + if [ ${gstatus} -eq 0 ]; then + subunit_pass_test "$name" + else + printf 'GREP: "%s" not found in output:\n%s' "$grep" "$output" | subunit_fail_test "$name" + return 1 + fi + return 0 +} + +testok() +{ + name=$(basename $1) + failed=$2 + + exit $failed +} + +# work out the top level source directory +if [ -d source4 ]; then + SRCDIR="." +else + SRCDIR=".." +fi +export SRCDIR diff --git a/testprogs/blackbox/test_alias_membership.sh b/testprogs/blackbox/test_alias_membership.sh new file mode 100755 index 0000000..510940a --- /dev/null +++ b/testprogs/blackbox/test_alias_membership.sh @@ -0,0 +1,194 @@ +#!/bin/bash + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: test_alias_membership.sh PREFIX +EOF + exit 1 +fi + +PREFIX=$1 +ADDC_CONFIGFILE="$PREFIX/ad_dc/etc/smb.conf" +shift 5 +failed=0 + +. "$(dirname "$0")/subunit.sh" +. "$(dirname "$0")/common_test_fns.inc" + +net_tool="${BINDIR}/net" +wbinfo="${BINDIR}/wbinfo" + +# Create the following membership structure and test if exactly the 9 users +# are listed as members of the alias A1. +# +# A1 +# |- A1U1 +# |- A1U2 +# | +# |- G1 +# | |- G1U1 +# | |- G1U2 +# | +# |- G2 +# | |- G2U1 +# | |- G2U2 +# | | +# | |- G3 +# | |- G3U1 +# | |- G3U2 +# | +# |- LG1 +# |- user1 +# +# +# Local entities: +# +# Alias: A1 +# Group: LG1 +# User: user1 (no need to create, already available) +# +# Domain entities: +# +# Group: ADDOMAIN/G1 ADDOMAIN/G2 ADDOMAIN/G3 +# User: ADDOMAIN/A1U1 ADDOMAIN/A1U2 +# ADDOMAIN/G1U1 ADDOMAIN/G1U2 +# ADDOMAIN/G2U1 ADDOMAIN/G2U2 +# ADDOMAIN/G3U1 ADDOMAIN/G3U2 + + +LOCALPREFIX="IDMAPRIDMEMBER" + +function create_group() { + _group_name="${1}" + GNUPGHOME="${PREFIX}/ad_dc/gnupg" "${PYTHON}" "${BINDIR}/samba-tool" \ + group add "${_group_name}" --configfile="${ADDC_CONFIGFILE}" + _ret=$? + if [ ${_ret} -ne 0 ]; then + echo "Failed to create group ${_group_name}" + return 1 + fi + return 0 +} + +function delete_group() { + _group_name="${1}" + GNUPGHOME="${PREFIX}/ad_dc/gnupg" "${PYTHON}" "${BINDIR}/samba-tool" \ + group delete "${_group_name}" --configfile="${ADDC_CONFIGFILE}" + _ret=$? + if [ ${_ret} -ne 0 ]; then + echo "Failed to delete group ${_group_name}" + return 1 + fi + return 0 +} + +function create_user() { + _user_name="${1}" + _password="${2}" + GNUPGHOME="${PREFIX}/ad_dc/gnupg" "${PYTHON}" "${BINDIR}/samba-tool" \ + user create "${_user_name}" "${_password}" \ + --configfile="${ADDC_CONFIGFILE}" + _ret=$? + if [ ${_ret} -ne 0 ]; then + echo "Failed to create user ${_user_name}" + return 1 + fi + return 0 +} + +function delete_user() { + _user_name="${1}" + GNUPGHOME="${PREFIX}/ad_dc/gnupg" "${PYTHON}" "${BINDIR}/samba-tool" \ + user delete "${_user_name}" --configfile="${ADDC_CONFIGFILE}" + _ret=$? + if [ ${_ret} -ne 0 ]; then + echo "Failed to delete user ${_user_name}" + return 1 + fi + return 0 +} + +for G in G1 G2 G3 +do + testit "create group '$G'" create_group "${G}" || failed=$((failed + 1)) +done + +for U in G1U1 G1U2 G2U1 G2U2 G3U1 G3U2 A1U1 A1U2 +do + testit "create user '$U'" create_user "${U}" Passw0rd.7 || failed=$((failed + 1)) +done + +while read -a line +do + group=${line[0]} + member=${line[1]} + testit "add member '$member' to group '$group'" "$PYTHON" "$BINDIR/samba-tool" group addmembers --configfile="$ADDC_CONFIGFILE" "$group" "$member" || failed=$((failed + 1)) +done <<___MEMBERS +G1 G1U1 +G1 G1U2 +G2 G2U1 +G2 G2U2 +G2 G3 +G3 G3U1 +G3 G3U2 +___MEMBERS + +testit "net sam createlocalgroup A1" "$VALGRIND" "$net_tool" sam createlocalgroup A1 || failed=$((failed + 1)) +testit "net createdomaingroup LG1" "$VALGRIND" "$net_tool" sam createdomaingroup LG1 || failed=$((failed + 1)) +testit "net sam addmem user1 to LG1" "$VALGRIND" "$net_tool" sam addmem LG1 "${LOCALPREFIX}\user1" || failed=$((failed + 1)) + +for M in "ADDOMAIN\A1U1" "ADDOMAIN\A1U2" "ADDOMAIN\G1" "ADDOMAIN\G2" "${LOCALPREFIX}\LG1" +do + testit "net sam addmem $M to A1" "$VALGRIND" "$net_tool" sam addmem A1 "$M" || failed=$((failed + 1)) +done + +# do not use testit_grep (that would call 9 times wbinfo) but use grep on the +# stored output +a1_alias=$( "$wbinfo" --group-info A1 ) + +for U in ADDOMAIN/a1u1 "${LOCALPREFIX}/user1" ADDOMAIN/g1u1 ADDOMAIN/g1u2 ADDOMAIN/g2u1 ADDOMAIN/g2u2 ADDOMAIN/g3u1 ADDOMAIN/g3u2 ADDOMAIN/a1u2; +do + count=$(echo "$a1_alias" | grep -c "$U") + testit "User $U is in alias" test "$count" -eq 1 || failed=$((failed + 1)) +done + +# check that there are exactly 8 commas separating the 9 users +count=$(echo "$a1_alias" | grep -o , | wc -l) +testit "There are 9 users" test "$count" -eq 8 || failed=$((failed + 1)) + +# cleanup + +for M in "ADDOMAIN\A1U1" "ADDOMAIN\A1U2" "ADDOMAIN\G1" "ADDOMAIN\G2" "${LOCALPREFIX}\LG1" +do + testit "net sam delmem $M from A1" "$VALGRIND" "$net_tool" sam delmem A1 "$M" || failed=$((failed + 1)) +done +testit "net sam delmem user1 from LG1" "$VALGRIND" "$net_tool" sam delmem LG1 "${LOCALPREFIX}\user1" || failed=$((failed + 1)) +testit "net sam deletelocalgroup A1" "$VALGRIND" "$net_tool" sam deletelocalgroup A1 || failed=$((failed + 1)) +testit "net sam deletedomaingroup LG1" "$VALGRIND" "$net_tool" sam deletedomaingroup LG1 || failed=$((failed + 1)) + +while read -a line +do + group=${line[0]} + member=${line[1]} + testit "del member '$member' from group '$group'" "$PYTHON" "$BINDIR/samba-tool" group removemembers --configfile="$ADDC_CONFIGFILE" "$group" "$member" || failed=$((failed + 1)) +done <<___MEMBERS +G1 G1U1 +G1 G1U2 +G2 G2U1 +G2 G2U2 +G2 G3 +G3 G3U1 +G3 G3U2 +___MEMBERS + +for G in G1 G2 G3 +do + testit "delete group '$G'" delete_group "${G}" || failed=$((failed + 1)) +done + +for U in G1U1 G1U2 G2U1 G2U2 G3U1 G3U2 A1U1 A1U2 +do + testit "delete user '$U'" delete_user "${U}" || failed=$((failed + 1)) +done + +exit $failed diff --git a/testprogs/blackbox/test_chgdcpass.sh b/testprogs/blackbox/test_chgdcpass.sh new file mode 100755 index 0000000..ad1894e --- /dev/null +++ b/testprogs/blackbox/test_chgdcpass.sh @@ -0,0 +1,115 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 4 ]; then + cat <<EOF +Usage: test_chgdcpass.sh SERVER USERNAME REALM DOMAIN PREFIX ENCTYPE PROVDIR SMBCLIENT +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +REALM=$3 +DOMAIN=$4 +PREFIX=$5 +ENCTYPE=$6 +PROVDIR=$7 +smbclient=$8 +shift 8 +failed=0 + +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" + +samba4kinit_binary=kinit +heimdal=0 +if test -x $BINDIR/samba4kinit; then + heimdal=1 + samba4kinit_binary=bin/samba4kinit +fi + +machineaccountccache="$samba4srcdir/scripting/bin/machineaccountccache" + +unc="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +test_drs() +{ + function="$1" + name="$2" + shift + shift + echo "test: $name" + echo $VALGRIND $PYTHON $samba4bindir/samba-tool drs $function $SERVER -k yes "$@" + $VALGRIND $PYTHON $samba4bindir/samba-tool drs $function $SERVER -k yes "$@" + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + fi + return $status +} + +enctype="-e $ENCTYPE" + +KRB5CCNAME="$PREFIX/tmpccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME +rm -f $KRB5CCNAME + +if [ $heimdal -eq 1 ]; then + testit "kinit with keytab" $samba4kinit $enctype -t $PROVDIR/private/secrets.keytab --use-keytab $USERNAME || failed=$(expr $failed + 1) +else + testit "kinit with keytab" $samba4kinit -k -t $PROVDIR/private/secrets.keytab $USERNAME || failed=$(expr $failed + 1) +fi + +#This is important because it puts the ticket for the old KVNO and password into a local ccache +test_smbclient "Test login with kerberos ccache before password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +#check that drs bind works before we change the password (prime the ccache) +test_drs bind "Test drs bind with with kerberos ccache" || failed=$(expr $failed + 1) + +#check that drs options works before we change the password (prime the ccache) +test_drs options "Test drs options with with kerberos ccache" || failed=$(expr $failed + 1) + +testit "change dc password" $PYTHON $samba4srcdir/scripting/devel/chgtdcpass --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) + +#This is important because it shows that the old ticket remains valid (as it must) for incoming connections after the DC password is changed +test_smbclient "Test login with kerberos ccache after password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +#check that drs bind works after we change the password +test_drs bind "Test drs bind with new password" || failed=$(expr $failed + 1) + +#check that drs options works after we change the password +test_drs options "Test drs options with new password" || failed=$(expr $failed + 1) + +testit "change dc password (2nd time)" $PYTHON $samba4srcdir/scripting/devel/chgtdcpass --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) + +# This is important because it shows that the old ticket is discarded if the server rejects it (as it must) after the password was changed twice in succession. +# This also ensures we handle the case where the domain is re-provisioned etc +test_smbclient "Test login with kerberos ccache after 2nd password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +#check that drs bind works after we change the password a 2nd time +test_drs bind "Test drs bind after 2nd password change" || failed=$(expr $failed + 1) + +#check that drs options works after we change the password a 2nd time +test_drs options "Test drs options after 2nd password change" || failed=$(expr $failed + 1) + +#This confirms that the DC password is valid for a kinit too +if [ $heimdal -eq 1 ]; then + testit "kinit with keytab" $samba4kinit $enctype -t $PROVDIR/private/secrets.keytab --use-keytab $USERNAME || failed=$(expr $failed + 1) +else + testit "kinit with keytab" $samba4kinit -k -t $PROVDIR/private/secrets.keytab $USERNAME || failed=$(expr $failed + 1) +fi +test_smbclient "Test login with kerberos ccache with fresh kinit" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME + +rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache +exit $failed diff --git a/testprogs/blackbox/test_client_etypes.sh b/testprogs/blackbox/test_client_etypes.sh new file mode 100755 index 0000000..0389cb3 --- /dev/null +++ b/testprogs/blackbox/test_client_etypes.sh @@ -0,0 +1,82 @@ +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_client_etypes.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS ETYPE_CONF EXPECTED +EOF + exit 1 +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +BASEDIR=$4 +ETYPE_CONF=$5 +EXPECTED_ETYPES="$6" + +# Load test functions +. $(dirname $0)/subunit.sh + +KRB5CCNAME_PATH="$PREFIX/test_client_etypes_krb5ccname" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +#requires tshark and sha1sum +if ! which tshark >/dev/null 2>&1 || ! which sha1sum >/dev/null 2>&1; then + subunit_start_test "client encryption types" + subunit_skip_test "client encryption types" <<EOF +Skipping tests - tshark or sha1sum not installed +EOF + exit 0 +fi + +HOSTNAME=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10) + +RUNDIR=$(pwd) +cd $BASEDIR +WORKDIR=$(mktemp -d -p .) +WORKDIR=$(basename $WORKDIR) +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads --option=kerberosencryptiontypes=$ETYPE_CONF" +pcap_file=$BASEDIR/$WORKDIR/test.pcap + +export SOCKET_WRAPPER_PCAP_FILE=$pcap_file +testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +#The leave command does not use the locally-generated +#krb5.conf +export SOCKET_WRAPPER_PCAP_FILE= +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# +# Older versions of tshark do not support -Y option, +# They use -R which cannot be used with recent versions... +# +if ! tshark -r $pcap_file -nVY "kerberos" >/dev/null 2>&1; then + subunit_start_test "client encryption types" + subunit_skip_test "client encryption types" <<EOF +Skipping tests - old version of tshark detected +EOF + exit 0 +fi + +actual_types="$(tshark -r $pcap_file -nVY "kerberos" | + sed -rn -e 's/[[:space:]]*ENCTYPE:.*\(([^\)]*)\)$/\1/p' \ + -e 's/[[:space:]]*Encryption type:.*\(([^\)]*)\)$/\1/p' | + sort -u | tr '\n' '_' | sed s/_$//)" + +testit "verify types" test "x$actual_types" = "x$EXPECTED_ETYPES" || failed=$(expr $failed + 1) + +rm -rf $BASEDIR/$WORKDIR +rm -f $KRB5CCNAME_PATH + +exit $failed diff --git a/testprogs/blackbox/test_client_kerberos.sh b/testprogs/blackbox/test_client_kerberos.sh new file mode 100755 index 0000000..54554ea --- /dev/null +++ b/testprogs/blackbox/test_client_kerberos.sh @@ -0,0 +1,286 @@ +#!/bin/sh +# Blackbox tests for kerberos client options +# Copyright (c) 2019 Andreas Schneider <asn@samba.org> + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_client_kerberos.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION +EOF + exit 1 +fi + +DOMAIN=$1 +REALM=$2 +USERNAME=$3 +PASSWORD=$4 +SERVER=$5 +PREFIX=$6 +CONFIGURATION=$7 +shift 7 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +samba_bindir="$BINDIR" +samba_rpcclient="$samba_bindir/rpcclient" +samba_smbclient="$samba_bindir/smbclient" +samba_smbtorture="$samba_bindir/smbtorture" + +samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) +samba_kdestroy=$(system_or_builddir_binary kdestroy "${BINDIR}" samba4kdestroy) + +test_rpc_getusername() +{ + eval echo "$cmd" + out=$(eval $cmd) + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "Account Name: $USERNAME, Authority Name: $DOMAIN" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +test_smbclient() +{ + eval echo "$cmd" + out=$(eval $cmd) + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + fi + + return $ret +} + +test_smbclient_kerberos() +{ + eval echo "$cmd -d5" + out=$(eval $cmd) + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep "Doing init for" >/dev/null 2>&1 + ret=$? + if [ $ret -eq 0 ]; then + echo "Kinit failed for smbclient" + echo "$out" + return 1 + fi + + return 0 +} + +KRB5CCNAME_PATH="$PREFIX/ccache_client_kerberos" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +### RPCCLIENT (legacy) +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm interactive" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy ntlm interactive with -U" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy kerberos" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit_expect_failure "test rpcclient legacy kerberos interactive (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_rpcclient ncacn_np:${SERVER} -k --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient legacy kerberos ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### RPCCLIENT +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm interactive" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient ntlm interactive with -U" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient kerberos" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1' +testit_expect_failure "test rpcclient kerberos interactive (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_rpcclient ncacn_np:${SERVER} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1' +testit "test rpcclient kerberos ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBTORTURE (legacy) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy default" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy ntlm (kerberos=no)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy kerberos=yes" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture legacy kerberos=yes ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit_expect_failure "test smbtorture legacy kerberos=no ccache (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBTORTURE + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture default" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture ntlm (kerberos=no)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture kerberos=yes" \ + test_rpc_getusername || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit "test smbtorture kerberos=yes ccache" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbtorture --use-kerbers=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1' +testit_expect_failure "test smbtorture kerberos=no ccache (negative test)" \ + test_rpc_getusername || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBCLIENT (legacy) +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm interactive" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy ntlm interactive with -U" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy kerberos" \ + test_smbclient || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -k --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient legacy kerberos ccache" \ + test_smbclient || + failed=$(expr $failed + 1) +$samba_kdestroy + +### SMBCLIENT tests for --use-kerberos=desired|required|disabled +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm interactive" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient ntlm interactive with -U" \ + test_smbclient || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=desired --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=desired" \ + test_smbclient_kerberos || + failed=$(expr $failed + 1) + +cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=required" \ + test_smbclient_kerberos || + failed=$(expr $failed + 1) + +kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD} +cmd='$samba_smbclient //${SERVER}/tmp --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c "ls; quit"' +testit "test smbclient kerberos=required ccache" \ + test_smbclient || + failed=$(expr $failed + 1) +$samba_kdestroy + +rm -rf $KRB5CCNAME_PATH + +exit $failed diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh new file mode 100755 index 0000000..d9fb6c4 --- /dev/null +++ b/testprogs/blackbox/test_kinit.sh @@ -0,0 +1,555 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (c) Andreas Schneider <asn@samba.org> +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 8 ]; then + cat <<EOF +Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +smbclient=$7 +CONFIGURATION="${8}" +shift 8 +failed=0 + +. "$(dirname "${0}")/subunit.sh" +. "$(dirname "${0}")/common_test_fns.inc" + +samba_bindir="$BINDIR" +samba_srcdir="$SRCDIR/source4" +samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) +samba_kpasswd=$(system_or_builddir_binary kpasswd "${BINDIR}" samba4kpasswd) +samba_kvno=$(system_or_builddir_binary kvno "${BINDIR}" samba4kvno) + +samba_tool="${samba_bindir}/samba-tool" +samba_texpect="${samba_bindir}/texpect" + +samba_enableaccount="${samba_tool} user enable" +machineaccountccache="${samba_srcdir}/scripting/bin/machineaccountccache" + +ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}") +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + OPTION_RENEWABLE="--renewable" + OPTION_RENEW_TICKET="--renew" + OPTION_ENTERPRISE_NAME="--enterprise" + OPTION_CANONICALIZATION="" + OPTION_WINDOWS="--windows" + OPTION_SERVICE="-S" +else + # MIT + OPTION_RENEWABLE="-r 1h" + OPTION_RENEW_TICKET="-R" + OPTION_ENTERPRISE_NAME="-E" + OPTION_CANONICALIZATION="-C" + OPTION_WINDOWS="" + OPTION_SERVICE="-S" +fi + +TEST_USER="$(mktemp -u kinittest-XXXXXX)" +UNC="//${SERVER}/tmp" + +ADMIN_LDBMODIFY_CONFIG="-H ldap://${SERVER} -U${USERNAME}%${PASSWORD}" +export ADMIN_LDBMODIFY_CONFIG + +KRB5CCNAME_PATH="${PREFIX}/tmpccache" +KRB5CCNAME="FILE:${KRB5CCNAME_PATH}" +export KRB5CCNAME +rm -rf "${KRB5CCNAME_PATH}" + +testit "reset password policies beside of minimum password age of 0 days" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \ + "${ADMIN_LDBMODIFY_CONFIG}" \ + --complexity=default \ + --history-length=default \ + --min-pwd-length=default \ + --min-pwd-age=0 \ + --max-pwd-age=default || \ + failed=$((failed + 1)) + +########################################################### +### Test kinit defaults +########################################################### + +testit "kinit with password (initial)" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_RENEWABLE}" || \ + failed=$((failed + 1)) +test_smbclient "Test login with user kerberos ccache" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +testit "kinit renew ticket (initial)" \ + "${samba_kinit}" ${OPTION_RENEW_TICKET} || \ + failed=$((failed + 1)) + +test_smbclient "Test login with kerberos ccache (initial)" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test kinit with enterprise principal +########################################################### + +testit "kinit with password (enterprise style)" \ + kerberos_kinit "${samba_kinit}" \ + "${USERNAME}@${REALM}" "${PASSWORD}" "${OPTION_ENTERPRISE_NAME}" \ + "${OPTION_RENEWABLE}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache (enterprise style)" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +testit "kinit renew ticket (enterprise style)" \ + "${samba_kinit}" ${OPTION_RENEW_TICKET} || \ + failed=$((failed + 1)) + +test_smbclient "Test login with kerberos ccache (enterprise style)" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Tests with kinit windows +########################################################### + +# HEIMDAL ONLY +if [ "${kbase}" = "samba4kinit" ]; then + testit "kinit with password (windows style)" \ + kerberos_kinit "${samba_kinit}" \ + "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_RENEWABLE}" "${OPTION_WINDOWS}" || \ + failed=$((failed + 1)) + + test_smbclient "Test login with kerberos ccache (windows style)" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + + testit "kinit renew ticket (windows style)" \ + "${samba_kinit}" ${OPTION_RENEW_TICKET} || \ + failed=$((failed + 1)) + + test_smbclient "Test login with kerberos ccache (windows style)" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + + rm -f "${KRB5CCNAME_PATH}" +fi # HEIMDAL ONLY + +########################################################### +### Tests with kinit default again +########################################################### + +testit "kinit with password (default)" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \ + failed=$((failed + 1)) + +testit "check time with kerberos ccache (default)" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" time "${SERVER}" \ + "${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +USERPASS="testPass@12%" + +testit "add user with kerberos ccache" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" user create \ + "${TEST_USER}" "${USERPASS}" \ + "${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +echo "Getting defaultNamingContext" +BASEDN=$(${ldbsearch} --basedn='' -H "ldap://${SERVER}" --scope=base \ + DUMMY=x defaultNamingContext | awk '/defaultNamingContext/ {print $2}') + + +TEST_UPN="$(mktemp -u test-XXXXXX)@${REALM}" +cat >"${PREFIX}/tmpldbmodify" <<EOF +dn: cn=${TEST_USER},cn=users,${BASEDN} +changetype: modify +add: servicePrincipalName +servicePrincipalName: host/${TEST_USER} +replace: userPrincipalName +userPrincipalName: ${TEST_UPN} +EOF + +testit "modify servicePrincipalName and userPrincpalName" \ + "${VALGRIND}" "${ldbmodify}" -H "ldap://${SERVER}" "${PREFIX}/tmpldbmodify" \ + --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +testit "set user password with kerberos ccache" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" user setpassword "${TEST_USER}" \ + --newpassword="${USERPASS}" "${CONFIGURATION}" \ + --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +testit "enable user with kerberos cache" \ + "${VALGRIND}" "${PYTHON}" "${samba_enableaccount}" "${TEST_USER}" \ + -H "ldap://$SERVER" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +testit "kinit with new user password" \ + kerberos_kinit "${samba_kinit}" "${TEST_USER}" "${USERPASS}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with new user kerberos ccache" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test kinit after changing password with samba-tool +########################################################### + +NEW_USERPASS="testPaSS@34%" +testit "change user password with 'samba-tool user password' (rpc)" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" user password \ + -W"${DOMAIN}" -U"${TEST_USER}%${USERPASS}" "${CONFIGURATION}" \ + --newpassword="${NEW_USERPASS}" \ + --use-kerberos=off "$@" || \ + failed=$((failed + 1)) + +testit "kinit with user password (after rpc password change)" \ + kerberos_kinit "${samba_kinit}" \ + "${TEST_USER}@${REALM}" "${NEW_USERPASS}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos (after rpc password change)" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +USERPASS="${NEW_USERPASS}" + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test kinit with UPN +########################################################### + +testit "kinit with new (NT-Principal style) using UPN" \ + kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache from NT UPN" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +testit "kinit with new (enterprise style) using UPN" \ + kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \ + ${OPTION_ENTERPRISE_NAME} || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache from enterprise UPN" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +# HEIMDAL ONLY +if [ "${kbase}" = "samba4kinit" ]; then + testit "kinit with new (windows style) using UPN" \ + kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \ + ${OPTION_WINDOWS} || \ + failed=$((failed + 1)) + + test_smbclient "Test login with user kerberos ccache with (windows style) UPN" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + + rm -f "${KRB5CCNAME_PATH}" +fi # HEIMDAL ONLY + +########################################################### +### Tests with SPN +########################################################### + +DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]') +testit "kinit with password (SPN)" \ + kerberos_kinit "${samba_kinit}" \ + "http/testupnspn.${DNSDOMAIN}" "${PASSWORD}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with kerberos ccache (SPN)" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test kinit with canonicalization +########################################################### + +upperusername=$(echo "${USERNAME}" | tr '[:lower:]' '[:upper:]') +testit "kinit with canonicalize and service" \ + kerberos_kinit "${samba_kinit}" "${upperusername}@${REALM}" "${PASSWORD}" \ + ${OPTION_CANONICALIZATION} \ + ${OPTION_SERVICE} "kadmin/changepw@${REALM}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test kinit with user credentials and changed realm +########################################################### + +testit "kinit with password (default)" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \ + failed=$((failed + 1)) + +cat >"${PREFIX}/tmpldbmodify" <<EOF +dn: cn=${TEST_USER},cn=users,$BASEDN +changetype: modify +replace: userPrincipalName +userPrincipalName: ${TEST_UPN}.org +EOF + +testit "modify userPrincipalName to be a different domain" \ + "${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \ + "${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \ + --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +testit "kinit with new (enterprise style) using UPN" \ + kerberos_kinit "${samba_kinit}" "${TEST_UPN}.org" "${USERPASS}" \ + ${OPTION_ENTERPRISE_NAME} || failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache from enterprise UPN" \ + "ls" "${UNC}" \ + --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test password change with kpasswd +########################################################### + +testit "kinit with user password" \ + kerberos_kinit "${samba_kinit}" "${TEST_USER}@$REALM" "${USERPASS}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +NEWUSERPASS=testPaSS@56% + +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + cat >"${PREFIX}/tmpkpasswdscript" <<EOF +expect Password +password ${USERPASS}\n +expect New password +send ${NEWUSERPASS}\n +expect Verify password +send ${NEWUSERPASS}\n +expect Success +EOF + +else + # MIT + cat >"${PREFIX}/tmpkpasswdscript" <<EOF +expect Password for +password ${USERPASS}\n +expect Enter new password +send ${NEWUSERPASS}\n +expect Enter it again +send ${NEWUSERPASS}\n +expect Password changed +EOF +fi + +testit "change user password with kpasswd" \ + "${samba_texpect}" "${PREFIX}/tmpkpasswdscript" \ + "${samba_kpasswd}" "${TEST_USER}@$REALM" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +USERPASS="${NEWUSERPASS}" + +testit "kinit with user password (after kpasswd)" \ + kerberos_kinit "${samba_kinit}" \ + "${TEST_USER}@${REALM}" "${USERPASS}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache (after kpasswd)" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### TODO Test set password with kpasswd +########################################################### + +# This is not implemented in kpasswd + +########################################################### +### Test password expiry +########################################################### + + cat >"${PREFIX}/tmpldbmodify" <<EOF +dn: cn=${TEST_USER},cn=users,${BASEDN} +changetype: modify +replace: pwdLastSet +pwdLastSet: 0 +EOF + + NEWUSERPASS=testPaSS@78% + + testit "modify pwdLastSet" \ + "${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \ + "${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \ + --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL branch + cat >"${PREFIX}/tmpkinituserpassscript" <<EOF +expect ${TEST_USER}@$REALM's Password +send ${USERPASS}\n +expect Password has expired +expect New password +send ${NEWUSERPASS}\n +expect Repeat new password +send ${NEWUSERPASS}\n +EOF +else + # MIT branch + cat >"${PREFIX}/tmpkinituserpassscript" <<EOF +expect Password for +send ${USERPASS}\n +expect Password expired. You must change it now. +expect Enter new password +send ${NEWUSERPASS}\n +expect Enter it again +send ${NEWUSERPASS}\n +EOF + +fi # END MIT ONLY + +testit "kinit with user password for expired password" \ + "${samba_texpect}" "$PREFIX/tmpkinituserpassscript" \ + "${samba_kinit}" "${TEST_USER}@$REALM" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +USERPASS="${NEWUSERPASS}" + +testit "kinit with user password" \ + kerberos_kinit "${samba_kinit}" \ + "${TEST_USER}@${REALM}" "${USERPASS}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +########################################################### +### Test login with lowercase realm +########################################################### + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +rm -rf "${KRB5CCNAME_PATH}" + +testit "kinit with user password" \ + kerberos_kinit "${samba_kinit}" "${TEST_USER}@${REALM}" "${USERPASS}" || \ + failed=$((failed + 1)) + +lowerrealm=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]') +test_smbclient "Test login with user kerberos lowercase realm" \ + "ls" "${UNC}" --use-kerberos=required \ + -U"${TEST_USER}@${lowerrealm}%${NEWUSERPASS}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos lowercase realm 2" \ + "ls" "${UNC}" --use-kerberos=required \ + -U"${TEST_USER}@${REALM}%${NEWUSERPASS}" --realm="${lowerrealm}" || \ + failed=$((failed + 1)) + +testit "del user with kerberos ccache" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete \ + "${TEST_USER}" "${CONFIGURATION}" \ + --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +########################################################### +### Test login with machine account +########################################################### + +rm -f "${KRB5CCNAME_PATH}" + +testit "kinit with machineaccountccache script" \ + "${PYTHON}" "${machineaccountccache}" "${CONFIGURATION}" \ + "${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +test_smbclient "Test machine account login with kerberos ccache" \ + "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +testit "reset password policies" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \ + "${ADMIN_LDBMODIFY_CONFIG}" \ + --complexity=default \ + --history-length=default \ + --min-pwd-length=default \ + --min-pwd-age=default \ + --max-pwd-age=default || \ + failed=$((failed + 1)) + +########################################################### +### Test basic s4u2self request +########################################################### + +# MIT ONLY +if [ "${kbase}" = "kinit" ]; then + +# Use previous acquired machine creds to request a ticket for self. +# We expect it to fail for now. +MACHINE_ACCOUNT="$(hostname -s | tr '[:lower:]' '[:upper:]')\$@${REALM}" + +${samba_kvno} -U"${MACHINE_ACCOUNT}" "${MACHINE_ACCOUNT}" + +# But we expect the KDC to be up and running still +testit "kinit with machineaccountccache after s4u2self" \ + "${machineaccountccache}" "${CONFIGURATION}" "${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +fi # END MIT ONLY + +### Cleanup + +rm -f "${KRB5CCNAME_PATH}" +rm -f "${PREFIX}/tmpkinituserpassscript" +rm -f "${PREFIX}/tmpkinitscript" +rm -f "${PREFIX}/tmpkpasswdscript" + +exit $failed diff --git a/testprogs/blackbox/test_kinit_export_keytab.sh b/testprogs/blackbox/test_kinit_export_keytab.sh new file mode 100755 index 0000000..e520a1c --- /dev/null +++ b/testprogs/blackbox/test_kinit_export_keytab.sh @@ -0,0 +1,263 @@ +#!/bin/sh +# +# Blackbox tests for an exported keytab with kinit +# +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) Andreas Schneider <asn@cryptomilk.org> + +if [ $# -lt 7 ]; then + cat <<EOF +Usage: test_kinit_export_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +REALM=$3 +DOMAIN=$4 +PREFIX=$5 +smbclient=$6 +CONFIGURATION=${7} +shift 7 +failed=0 + +. "$(dirname "${0}")/subunit.sh" +. "$(dirname "${0}")/common_test_fns.inc" + +samba_bindir="${BINDIR}" +samba_tool="$samba_bindir/samba-tool" +samba_newuser="$samba_tool user create" +samba_ktutil="${BINDIR}/samba4ktutil" + +samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) + +DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]') +SERVER_FQDN="${SERVER}.$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')" +SMBCLIENT_UNC="//${SERVER}/tmp" + +TEST_USER="$(mktemp -u keytabtest-XXXXXX)" +TEST_PASSWORD=testPaSS@01% + +EXPECTED_NKEYS=3 +# MIT +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" != "samba4kinit" ]; then + krb5_version="$(krb5-config --version | cut -d ' ' -f 4)" + krb5_major_version="$(echo "${krb5_version}" | awk -F. '{ print $1; }')" + krb5_minor_version="$(echo "${krb5_version}" | awk -F. '{ print $2; }')" + + # MIT Kerberos < 1.18 has support for DES keys + if [ "${krb5_major_version}" -eq 1 ] && [ "${krb5_minor_version}" -lt 18 ]; then + EXPECTED_NKEYS=5 + fi +fi # MIT + +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + OPTION_RENEWABLE="--renewable" + OPTION_RENEW_TICKET="--renew" + OPTION_ENTERPRISE_NAME="--enterprise" + OPTION_CANONICALIZATION="" + OPTION_WINDOWS="--windows" + OPTION_SERVICE="-S" + OPTION_USE_KEYTAB="-k" + OPTION_KEYTAB_FILENAME="-t" + + KEYTAB_GREP="[aes|arcfour]" +else + # MIT + OPTION_RENEWABLE="-r 1h" + OPTION_RENEW_TICKET="-R" + OPTION_ENTERPRISE_NAME="-E" + OPTION_CANONICALIZATION="-C" + OPTION_WINDOWS="" + OPTION_SERVICE="-S" + OPTION_USE_KEYTAB="-k" + OPTION_KEYTAB_FILENAME="-t" + + KEYTAB_GREP="[DES|AES|ArcFour]" +fi + +test_keytab() +{ + testname="$1" + keytab="$2" + principal="$3" + expected_nkeys="$4" + + subunit_start_test "$testname" + + if [ ! -r "${keytab}" ]; then + echo "Could not read keytab: ${keytab}" | \ + subunit_fail_test "${testname}" + return 1 + fi + + output=$($VALGRIND "${samba_ktutil}" "${keytab}" 2>&1) + status=$? + if [ ${status} -ne 0 ]; then + echo "${output}" | subunit_fail_test "${testname}" + return $status + fi + + NKEYS=$(echo "${output}" | grep -i "${principal}" | \ + grep -c -e "${KEYTAB_GREP}") + if [ "${NKEYS}" -ne "${expected_nkeys}" ]; then + echo "Unexpected number of keys passed ${NKEYS} != ${expected_nkeys}" | \ + subunit_fail_test "${testname}" + return 1 + fi + + subunit_pass_test "${testname}" + return 0 +} + +testit "create local user ${TEST_USER}" \ + "${VALGRIND}" "${PYTHON}" "${samba_newuser}" "${TEST_USER}" "${TEST_PASSWORD}" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-all" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain" \ + "${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain (2nd time)" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-all" "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain (2nd time)" \ + "${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for cifs service principal" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for cifs service principal" \ + "${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \ + "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for cifs service principal (2nd time)" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "$PREFIX/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for cifs service principal (2nd time)" \ + "${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \ + "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for user principal" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-user-princ" --principal="${TEST_USER}" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for user principal" \ + "${PREFIX}/tmpkeytab-user-princ" "${TEST_USER}@${REALM}" \ + "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for user principal (2nd time)" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-user-princ-2" --principal="${TEST_USER}@${REALM}" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for user principal (2nd time)" \ + "${PREFIX}/tmpkeytab-user-princ-2" "${TEST_USER}@${REALM}" \ + "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for user principal with SPN as UPN" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-spn-upn" \ + --principal="http/testupnspn.${DNSDOMAIN}" "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for user principal with SPN as UPN" \ + "${PREFIX}/tmpkeytab-spn-upn" "http/testupnspn.${DNSDOMAIN}@${REALM}" \ + "${EXPECTED_NKEYS}" + +KRB5CCNAME_PATH="${PREFIX}/tmpuserccache" +KRB5CCNAME="FILE:${PREFIX}/tmpuserccache" +export KRB5CCNAME + +testit "kinit with keytab as user" \ + "${VALGRIND}" "${samba_kinit}" \ + "${OPTION_USE_KEYTAB}" \ + "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \ + "${TEST_USER}@${REALM}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +testit "kinit with keytab as user (one princ)" \ + "${VALGRIND}" "$samba_kinit" \ + "${OPTION_USE_KEYTAB}" \ + "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-user-princ" \ + "${TEST_USER}@$REALM" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache (one princ)" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +KRB5CCNAME_PATH="${PREFIX}/tmpadminccache" +KRB5CCNAME="FILE:${PREFIX}/tmpadminccache" +export KRB5CCNAME + +testit "kinit with keytab as ${USERNAME}" \ + "${VALGRIND}" "${samba_kinit}" \ + "${OPTION_USE_KEYTAB}" \ + "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \ + "${USERNAME}@${REALM}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +KRB5CCNAME_PATH="${PREFIX}/tmpserverccache" +KRB5CCNAME="FILE:${PREFIX}/tmpserverccache" +export KRB5CCNAME + +testit "kinit with SPN from keytab" \ + "${VALGRIND}" "${samba_kinit}" \ + "${OPTION_USE_KEYTAB}" \ + "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-spn-upn" \ + "http/testupnspn.${DNSDOMAIN}" || \ + failed=$((failed + 1)) + +# cleanup +testit "delete user ${TEST_USER}" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete "${TEST_USER}" \ + --use-krb5-ccache="${KRB5CCNAME}" "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" +rm -f "${PREFIX}/tmpadminccache" \ + "${PREFIX}/tmpuserccache" \ + "${PREFIX}/tmpkeytab" \ + "${PREFIX}/tmpkeytab-user-princ" \ + "${PREFIX}/tmpkeytab-user-princ-2" \ + "${PREFIX}/tmpkeytab-server" \ + "${PREFIX}/tmpkeytab-spn-upn" \ + "${PREFIX}/tmpkeytab-all" + +exit $failed diff --git a/testprogs/blackbox/test_kinit_trusts.sh b/testprogs/blackbox/test_kinit_trusts.sh new file mode 100755 index 0000000..e76d81b --- /dev/null +++ b/testprogs/blackbox/test_kinit_trusts.sh @@ -0,0 +1,247 @@ +#!/bin/sh +# Blackbox tests for kinit and trust validation +# Copyright (c) 2015 Stefan Metzmacher <metze@samba.org> +# Copyright (c) Andreas Schneider <asn@samba.org> + +if [ $# -lt 13 ]; then + cat <<EOF +Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE CONFIGURATION +EOF + exit 1 +fi + +SERVER=${1} +USERNAME=${2} +PASSWORD=${3} +REALM=${4} +DOMAIN=${5} +shift 5 +TRUST_SERVER=${1} +TRUST_USERNAME=${2} +TRUST_PASSWORD=${3} +TRUST_REALM=${4} +TRUST_DOMAIN=${5} +shift 5 +PREFIX=${1} +TYPE=${2} +CONFIGURATION="${3}" +shift 3 + +failed=0 + +. "$(dirname "${0}")/subunit.sh" +. "$(dirname "${0}")/common_test_fns.inc" + +samba_bindir="$BINDIR" +samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) + +samba_tool="${samba_bindir}/samba-tool" + +smbclient="${samba_bindir}/smbclient" +wbinfo="${samba_bindir}/wbinfo" + +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +SMBCLIENT_UNC="//$SERVER.$REALM/tmp" + +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + OPTION_LIFETIME_2M="--lifetime=2m" + OPTION_RENEWABLE="--renewable" + OPTION_RENEW_TICKET="--renew" + OPTION_ENTERPRISE_NAME="--enterprise" + OPTION_CANONICALIZATION="" + OPTION_WINDOWS="--windows" + OPTION_SERVICE="-S" +else + # MIT + OPTION_LIFETIME_2M="-l 2m" + OPTION_RENEWABLE="-r 1h" + OPTION_RENEW_TICKET="-R" + OPTION_ENTERPRISE_NAME="-E" + OPTION_CANONICALIZATION="-C" + OPTION_WINDOWS="" + OPTION_SERVICE="-S" +fi + +KRB5CCNAME_PATH="$PREFIX/test_kinit_trusts_ccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test incoming trust direction +########################################################### + +testit "kinit with password" \ + kerberos_kinit "${samba_kinit}" \ + "$TRUST_USERNAME@$TRUST_REALM" "${TRUST_PASSWORD}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with kerberos ccache" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test with 2min lifetime +########################################################### + +# CVE-2022-2031 - test for short-lived ticket across an incoming trust +# +# We ensure that the KDC does not reject a TGS-REQ with our short-lived TGT +# over an incoming trust. +# +# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL ONLY + testit "kinit with password (lifetime 2min)" \ + kerberos_kinit "${samba_kinit}" \ + "${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" \ + "${OPTION_SERVICE}" "krbtgt/${REALM}@${TRUST_REALM}" \ + "${OPTION_LIFETIME_2M}" || \ + failed=$((failed + 1)) + + test_smbclient "Test login with kerberos ccache (lifetime 2min)" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) +fi + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test with smbclient4 to check gensec_gssapi works +########################################################### + +testit "kinit with password (smbclient4)" \ + kerberos_kinit "${samba_kinit}" \ + "${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" || \ + failed=$((failed + 1)) + +smbclient="${samba_bindir}/smbclient4" +test_smbclient "Test login with user kerberos ccache (smbclient4)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" -d10 || \ + failed=$((failed + 1)) +smbclient="${samba_bindir}/smbclient" + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test incoming trust direction (enterprise) +########################################################### + +testit "kinit with password (enterprise)" \ + kerberos_kinit "${samba_kinit}" \ + "$TRUST_USERNAME@$TRUST_REALM" "${TRUST_PASSWORD}" \ + "${OPTION_ENTERPRISE_NAME}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache (enterprise)" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + + +rm -f "${KRB5CCNAME_PATH}" + +if [ "${TYPE}" = "forest" ]; then + testit "kinit with password (enterprise UPN)" \ + kerberos_kinit "${samba_kinit}" \ + "testdenied_upn@${TRUST_REALM}.upn" "${TRUST_PASSWORD}" \ + "${OPTION_ENTERPRISE_NAME}" || \ + failed=$((failed + 1)) + + test_smbclient "Test login with user kerberos ccache (enterprise UPN)" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + + rm -f "${KRB5CCNAME_PATH}" +fi + +testit "kinit with password (enterprise)" \ + kerberos_kinit "${samba_kinit}" \ + "${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" \ + "${OPTION_ENTERPRISE_NAME}" "${OPTION_RENEWABLE}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with kerberos ccache (enterprise)" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +testit "kinit renew ticket (enterprise)" \ + "${samba_kinit}" ${OPTION_RENEW_TICKET} \ + || failed=$((failed + 1)) + +test_smbclient "Test login with kerberos ccache (enterprise)" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +testit "check time with kerberos ccache" \ + "${VALGRIND}" "${samba_tool}" time "${SERVER}.${REALM}" \ + "${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +########################################################### +### Test with password authentication +########################################################### + +lowerrealm="$(echo "${TRUST_REALM}" | tr '[:upper:]' '[:lower:]')" +test_smbclient "Test login with user kerberos lowercase realm" \ + "ls" "${SMBCLIENT_UNC}" \ + -U"${TRUST_USERNAME}@${lowerrealm}%${TRUST_PASSWORD}" \ + --use-kerberos=required || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos lowercase realm 2" \ + "ls" "${SMBCLIENT_UNC}" \ + -U"${TRUST_USERNAME}@${TRUST_REALM}%${TRUST_PASSWORD}" \ + --realm="${lowerrealm}" \ + --use-kerberos=required || \ + failed=$((failed + 1)) + +########################################################### +### Test outgoing trust direction +########################################################### + +SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp" + +test_smbclient "Test user login with the first outgoing secret" \ + "ls" "${SMBCLIENT_UNC}" \ + --use-kerberos=required \ + -U"${USERNAME}@${REALM}%${PASSWORD}" || \ + failed=$((failed + 1)) + +testit_expect_failure "setpassword should not work" \ + "${VALGRIND}" "${samba_tool}" user setpassword "${TRUST_DOMAIN}\$" \ + --random-password "${CONFIGURATION}" || \ + failed=$((failed + 1)) + +testit "wbinfo ping dc" \ + "${VALGRIND}" "${wbinfo}" \ + --ping-dc --domain="${TRUST_DOMAIN}" || \ + failed=$((failed + 1)) + +testit "wbinfo change outgoing trust pw" \ + "${VALGRIND}" "${wbinfo}" \ + --change-secret --domain="${TRUST_DOMAIN}" || \ + failed=$((failed + 1)) + +testit "wbinfo check outgoing trust pw" \ + "${VALGRIND}" "${wbinfo}" \ + --check-secret --domain="${TRUST_DOMAIN}" || \ + failed=$((failed + 1)) + +test_smbclient "Test user login with the changed outgoing secret" \ + "ls" "${SMBCLIENT_UNC}" \ + --use-kerberos=required \ + -U"${USERNAME}@${REALM}%${PASSWORD}" || \ + failed=$((failed + 1)) + +### Cleanup + +rm -f "${KRB5CCNAME_PATH}" + +exit $failed diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh new file mode 100755 index 0000000..6a19763 --- /dev/null +++ b/testprogs/blackbox/test_kpasswd_heimdal.sh @@ -0,0 +1,245 @@ +#!/bin/sh +# Blackbox tests for chainging passwords with kinit and kpasswd +# +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) 2016 Andreas Schneider <asn@samba.org> + +if [ $# -lt 7 ]; then + cat <<EOF +Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +CONFIGURATION=${7} +shift 7 +failed=0 + +samba_bindir="$BINDIR" + +smbclient="$samba_bindir/smbclient" +samba_kinit=$samba_bindir/samba4kinit +samba_kpasswd=$samba_bindir/samba4kpasswd + +mit_kpasswd="$(command -v kpasswd)" + +samba_tool="$samba_bindir/samba-tool" +net_tool="$samba_bindir/net ${CONFIGURATION}" +texpect="$samba_bindir/texpect" + +newuser="$samba_tool user create" +SMB_UNC="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +do_kinit() +{ + principal="$1" + password="$2" + shift + shift + kerberos_kinit "$samba_kinit" "$principal" "$password" "$@" +} + +testit "reset password policies beside of minimum password age of 0 days" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1) + +TEST_USERNAME="$(mktemp -u alice-XXXXXX)" +TEST_PRINCIPAL="$TEST_USERNAME@$REALM" +TEST_PASSWORD="testPaSS@00%" +TEST_PASSWORD_NEW="testPaSS@01%" +TEST_PASSWORD_SHORT="secret" +TEST_PASSWORD_WEAK="Supersecret" + +testit "create user locally" \ + $VALGRIND $PYTHON $newuser "${CONFIGURATION}" $TEST_USERNAME $TEST_PASSWORD || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpuserccache" +export KRB5CCNAME + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=$(expr $failed + 1) + +testit "change user password with 'samba-tool user password' (unforced)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1) + +TEST_PASSWORD_OLD=$TEST_PASSWORD +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@02%" + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=$(expr $failed + 1) + +########################################################### +### check that a short password is rejected +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password +password ${TEST_PASSWORD}\n +expect New password +send ${TEST_PASSWORD_SHORT}\n +expect Verify password +send ${TEST_PASSWORD_SHORT}\n +expect Password too short +EOF + +testit "kpasswd check short user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +########################################################### +### check that a weak password is rejected +########################################################### + +echo "check that a short password is rejected" +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password +password ${TEST_PASSWORD}\n +expect New password +send $TEST_PASSWORD_WEAK\n +expect Verify password +send $TEST_PASSWORD_WEAK\n +expect Password does not meet complexity requirements +EOF + +testit "kpasswd check weak user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +########################################################### +### check that a strong password is accepted +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password +password ${TEST_PASSWORD}\n +expect New password +send ${TEST_PASSWORD_NEW}\n +expect Verify password +send ${TEST_PASSWORD_NEW}\n +expect Success +EOF + +testit "kpasswd change user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@03%" + +########################################################### +### CVE-2022-2031 +########################################################### + +if [ -n "${mit_kpasswd}" ]; then + cat > "${PREFIX}/tmpkpasswdscript" <<EOF +expect Password for ${TEST_PRINCIPAL} +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_NEW}\n +expect Enter it again +send ${TEST_PASSWORD_NEW}\n +expect Password changed. +EOF + + SAVE_KRB5_CONFIG="${KRB5_CONFIG}" + KRB5_CONFIG="${PREFIX}/tmpkrb5.conf" + export KRB5_CONFIG + sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \ + "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}" + testit "MIT kpasswd change user password" \ + "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \ + "${TEST_PRINCIPAL}" || + failed=$((failed + 1)) + KRB5_CONFIG="${SAVE_KRB5_CONFIG}" + export KRB5_CONFIG +fi + +TEST_PASSWORD="${TEST_PASSWORD_NEW}" +TEST_PASSWORD_NEW="testPaSS@03force%" + +########################################################### +### Force password change at login +########################################################### + +testit "set password on user locally" \ + $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME "${CONFIGURATION}" --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@04%" + +rm -f $PREFIX/tmpuserccache + +cat >$PREFIX/tmpkinitscript <<EOF +expect Password +password ${TEST_PASSWORD}\n +expect Changing password +expect New password +send ${TEST_PASSWORD_NEW}\n +expect Repeat new password +send ${TEST_PASSWORD_NEW}\n +expect Success +EOF + +testit "kinit and change user password" \ + $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@07%" + +test_smbclient "Test login with user (kerberos)" \ + "ls" "$SMB_UNC" -k yes -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Test kpasswd service via 'net ads password' +########################################################### + +# NOTE: This works with heimdal because the krb5_set_password function tries +# set_password call first and falls back to change_password if it doesn't +# succeed. +testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \ + $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@08%" + +test_smbclient "Test login with smbclient (ntlm)" \ + "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Test kpasswd service via 'net ads password' as admin +########################################################### + +testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \ + $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@07%" + +test_smbclient "Test login with smbclient (ntlm)" \ + "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Cleanup +########################################################### + +testit "reset password policies" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1) + +testit "delete user" \ + $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" "${CONFIGURATION}" -k no || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript +exit $failed diff --git a/testprogs/blackbox/test_kpasswd_mit.sh b/testprogs/blackbox/test_kpasswd_mit.sh new file mode 100755 index 0000000..de22018 --- /dev/null +++ b/testprogs/blackbox/test_kpasswd_mit.sh @@ -0,0 +1,224 @@ +#!/bin/sh +# Blackbox tests for chainging passwords with kinit and kpasswd +# +# Copyright (c) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (c) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (c) 2016 Andreas Schneider <asn@samba.org> + +if [ $# -lt 7 ]; then + cat <<EOF +Usage: test_kpasswd_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX CONFIGURATION +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +CONFIGURATION=${7} +shift 7 +failed=0 + +samba_bindir="$BINDIR" + +samba_kinit=kinit +samba_kpasswd=kpasswd + +smbclient="$samba_bindir/smbclient" +samba_tool="$samba_bindir/samba-tool" +net_tool="$samba_bindir/net ${CONFIGURATION}" +texpect="$samba_bindir/texpect" + +newuser="$samba_tool user create ${CONFIGURATION}" +SMB_UNC="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +do_kinit() +{ + principal="$1" + password="$2" + shift + shift + echo $password | $samba_kinit $principal +} + +testit "reset password policies beside of minimum password age of 0 days" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1) + +TEST_USERNAME="$(mktemp -u samson-XXXXXX)" +TEST_PASSWORD="testPaSS@00%" +TEST_PASSWORD_NEW="testPaSS@01%" +TEST_PASSWORD_SHORT="secret" +TEST_PASSWORD_WEAK="Supersecret" +TEST_PRINCIPAL="$TEST_USERNAME@$REALM" + +testit "create user locally" \ + $VALGRIND $PYTHON $newuser "${CONFIGURATION}" $TEST_USERNAME $TEST_PASSWORD || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpuserccache" +export KRB5CCNAME + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +testit "change user password with 'samba-tool user password' (unforced)" \ + $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1) + +TEST_PASSWORD_OLD=$TEST_PASSWORD +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@02%" + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +########################################################### +### check that a password mismatch is detected +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_WEAK}\n +expect Enter it again +send ${TEST_PASSWORD_NEW}\n +expect kpasswd: Password mismatch while reading password +EOF + +testit_expect_failure "kpasswd check password mismatch" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +########################################################### +### check that a short password is rejected +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_SHORT}\n +expect Enter it again +send ${TEST_PASSWORD_SHORT}\n +expect Password change rejected: Password too short, password must be at least 7 characters long +EOF + +testit_expect_failure "kpasswd check short user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +########################################################### +### check that a weak password is rejected +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_WEAK}\n +expect Enter it again +send ${TEST_PASSWORD_WEAK}\n +expect Password change rejected: Password does not meet complexity requirement +EOF + +testit_expect_failure "kpasswd check weak user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +########################################################### +### check that a strong password is accepted +########################################################### + +cat >$PREFIX/tmpkpasswdscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Enter new password +send ${TEST_PASSWORD_NEW}\n +expect Enter it again +send ${TEST_PASSWORD_NEW}\n +expect Password changed. +EOF + +testit "kpasswd change user password" \ + $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@03%" + +test_smbclient "Test login with user kerberos" 'ls' "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Force password change at login +########################################################### + +testit "set password on user locally" \ + $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME "${CONFIGURATION}" --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@04%" + +cat >$PREFIX/tmpkinitscript <<EOF +expect Password for $TEST_PRINCIPAL +password ${TEST_PASSWORD}\n +expect Password expired +expect Enter new password +send ${TEST_PASSWORD_NEW}\n +expect Enter it again +send ${TEST_PASSWORD_NEW}\n +EOF + +testit "kinit and change user password" \ + $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@05%" + +test_smbclient "Test login with user kerberos" \ + "ls" "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Test kpasswd service via 'net ads password' +########################################################### + +testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \ + $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +#TEST_PASSWORD=$TEST_PASSWORD_NEW +#TEST_PASSWORD_NEW="testPaSS@06%" + +#test_smbclient "Test login with smbclient (ntlm)" \ +# "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1` + +########################################################### +### Test kpasswd service via 'net ads password' as admin +########################################################### + +testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \ + $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@07%" + +test_smbclient "Test login with smbclient (ntlm)" \ + "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +########################################################### +### Cleanup +########################################################### + +testit "reset password policies" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1) + +testit "delete user" \ + $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" "${CONFIGURATION}" --use-kerberos=off || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript +exit $failed diff --git a/testprogs/blackbox/test_ktpass.sh b/testprogs/blackbox/test_ktpass.sh new file mode 100755 index 0000000..719d42f --- /dev/null +++ b/testprogs/blackbox/test_ktpass.sh @@ -0,0 +1,38 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: test_ktpass.sh PREFIX +EOF + exit 1 +fi + +PREFIX="$1" +shift 1 + +. $(dirname $0)/subunit.sh + +samba_tool="$BINDIR/samba-tool" +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" +samba4kinit_binary=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) + +CONFIG="--configfile=$PREFIX/etc/smb.conf" + +TESTUSER="ktpassUser" + +testit "user create" $PYTHON $samba_tool user create $CONFIG $TESTUSER testp@ssw0Rd || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmpccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME +echo "testp@ssw0Rd" >$PREFIX/tmppassfile +testit "kinit with passwd" $samba4kinit -e arcfour-hmac-md5 --password-file=$PREFIX/tmppassfile $TESTUSER@SAMBA.EXAMPLE.COM || failed=$(expr $failed + 1) +testit "ktpass" $samba4srcdir/scripting/bin/ktpass.sh --host LOCALDC --out $PREFIX/testuser.kt --princ $TESTUSER --pass "testp@ssw0Rd" --path-to-ldbsearch=$BINDIR/bin || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME + +testit "kinit with keytab" $samba4kinit -e arcfour-hmac-md5 --use-keytab -t $PREFIX/testuser.kt $TESTUSER@SAMBA.EXAMPLE.COM || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpccache $PREFIX/testuser.kt +exit $failed diff --git a/testprogs/blackbox/test_ldap_tls_reload.sh b/testprogs/blackbox/test_ldap_tls_reload.sh new file mode 100755 index 0000000..d0c9af1 --- /dev/null +++ b/testprogs/blackbox/test_ldap_tls_reload.sh @@ -0,0 +1,64 @@ +#!/bin/bash +# + +if [ $# -ne 3 ]; then + cat <<EOF +Usage: test_ldap_tls_reload.sh PREFIX TLSDIR SERVER +EOF + exit 1 +fi + +PREFIX=$1 +TLSDIR=$2 +SERVER=$3 + +. $(dirname $0)/subunit.sh +. "$(dirname "${0}")/common_test_fns.inc" + +ldbsearch="${VALGRIND} $(system_or_builddir_binary ldbsearch "${BINDIR}")" +smbcontrol="${VALGRIND} ${BINDIR}/smbcontrol" + +rm -rf "$PREFIX/ldap_tls_reload" + +store_cert() { + FILE=$1 + gnutls-cli --save-cert="$FILE" --no-ca-verification --verify-hostname=$SERVER --port 636 $SERVER < /dev/null + return $? +} + +delete_certs() { + ls "${TLSDIR}/"*.pem + rm -v "${TLSDIR}/ca.pem" "${TLSDIR}/cert.pem" "${TLSDIR}/key.pem" + return $? +} + +reload_certs() { + $smbcontrol ldap_server reload-certs + return $? +} + +testit "mkdir $PREFIX/ldap_tls_reload" mkdir $PREFIX/ldap_tls_reload || failed=$(expr $failed + 1) + +testit "currentTime 1" $ldbsearch --basedn='' -H ldaps://$SERVER --scope=base currentTime || failed=$(expr $failed + 1) + +testit "store cert output 1a" store_cert $PREFIX/ldap_tls_reload/cert1a.pem || failed=$(expr $failed + 1) + +testit "delete certs" delete_certs || failed=$(expr $failed + 1) + +testit "store cert output 1b" store_cert $PREFIX/ldap_tls_reload/cert1b.pem || failed=$(expr $failed + 1) + +testit "check cert1a == cert1b" cmp $PREFIX/ldap_tls_reload/cert1a.pem $PREFIX/ldap_tls_reload/cert1b.pem || failed=$(expr $failed + 1) + +testit "reload certs " reload_certs || failed=$(expr $failed + 1) + +testit "sleep 10" sleep 10 || failed=$(expr $failed + 1) + +testit "store cert output 2" store_cert $PREFIX/ldap_tls_reload/cert2.pem || failed=$(expr $failed + 1) + +testit_expect_failure "check cert1a != cert2" cmp $PREFIX/ldap_tls_reload/cert1a.pem $PREFIX/ldap_tls_reload/cert2.pem || failed=$(expr $failed + 1) + +testit "currentTime 2" $ldbsearch $CONFIGURATION --basedn='' -H ldaps://$SERVER --scope=base currentTime || failed=$(expr $failed + 1) + +rm -rf "$PREFIX/ldap_tls_reload" + +testok $0 $failed diff --git a/testprogs/blackbox/test_ldb.sh b/testprogs/blackbox/test_ldb.sh new file mode 100755 index 0000000..e35d66e --- /dev/null +++ b/testprogs/blackbox/test_ldb.sh @@ -0,0 +1,230 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: test_ldb.sh PROTOCOL SERVER [OPTIONS] +EOF + exit 1 +fi + +p=$1 +SERVER=$2 +PREFIX=$3 +shift 2 +options="$*" + +. $(dirname $0)/subunit.sh +. "$(dirname "${0}")/common_test_fns.inc" + +check() +{ + name="$1" + shift + cmdline="$*" + echo "test: $name" + $cmdline + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + failed=$(expr $failed + 1) + fi + return $status +} + +ldbsearch="${VALGRIND} $(system_or_builddir_binary ldbsearch "${BINDIR}")" + +check "RootDSE" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x dnsHostName highestCommittedUSN || failed=$(expr $failed + 1) +check "RootDSE (full)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base '(objectClass=*)' || failed=$(expr $failed + 1) +check "RootDSE (extended)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base '(objectClass=*)' --extended-dn || failed=$(expr $failed + 1) +if [ x$p = x"ldaps" ]; then + testit_expect_failure "RootDSE over SSLv3 should fail" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x dnsHostName highestCommittedUSN --option='tlspriority=NONE:+VERS-SSL3.0:+MAC-ALL:+CIPHER-ALL:+RSA:+SIGN-ALL:+COMP-NULL' || failed=$(expr $failed + 1) +fi + +echo "Getting defaultNamingContext" +BASEDN=$($ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}') +echo "BASEDN is $BASEDN" + +check "Listing Users" $ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectclass=user)' sAMAccountName || failed=$(expr $failed + 1) + +check "Listing Users (sorted)" $ldbsearch -S $options $CONFIGURATION -H $p://$SERVER '(objectclass=user)' sAMAccountName || failed=$(expr $failed + 1) + +check "Listing Groups" $ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectclass=group)' sAMAccountName || failed=$(expr $failed + 1) + +nentries=$($ldbsearch $options -H $p://$SERVER $CONFIGURATION '(|(|(&(!(groupType:1.2.840.113556.1.4.803:=1))(groupType:1.2.840.113556.1.4.803:=2147483648)(groupType:1.2.840.113556.1.4.804:=10))(samAccountType=805306368))(samAccountType=805306369))' sAMAccountName | grep sAMAccountName | wc -l) +echo "Found $nentries entries" +if [ $nentries -lt 10 ]; then + echo "Should have found at least 10 entries" + failed=$(expr $failed + 1) +fi + +echo "Check rootDSE for Controls" +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --scope=base -b "" '(objectclass=*)' | grep -i supportedControl | wc -l) +if [ $nentries -lt 4 ]; then + echo "Should have found at least 4 entries" + failed=$(expr $failed + 1) +fi + +echo "Test Paged Results Control" +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=paged_results:1:5 '(objectclass=user)' | grep sAMAccountName | wc -l) +if [ $nentries -lt 1 ]; then + echo "Paged Results Control test returned 0 items" + failed=$(expr $failed + 1) +fi + +echo "Test Server Sort Control" +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=server_sort:1:0:sAMAccountName '(objectclass=user)' | grep sAMAccountName | wc -l) +if [ $nentries -lt 1 ]; then + echo "Server Sort Control test returned 0 items" + failed=$(expr $failed + 1) +fi + +echo "Test Extended DN Control" +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1 '(objectclass=user)' | grep sAMAccountName | wc -l) +if [ $nentries -lt 1 ]; then + echo "Extended DN Control test returned 0 items" + failed=$(expr $failed + 1) +fi +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1:0 '(objectclass=user)' | grep sAMAccountName | wc -l) +if [ $nentries -lt 1 ]; then + echo "Extended DN Control test returned 0 items" + failed=$(expr $failed + 1) +fi +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1:1 '(objectclass=user)' | grep sAMAccountName | wc -l) +if [ $nentries -lt 1 ]; then + echo "Extended DN Control test returned 0 items" + failed=$(expr $failed + 1) +fi + +echo "Test Domain scope Control" +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=domain_scope:1 '(objectclass=user)' | grep sAMAccountName | wc -l) +if [ $nentries -lt 1 ]; then + echo "Extended Domain scope Control test returned 0 items" + failed=$(expr $failed + 1) +fi + +echo "Test Attribute Scope Query Control" +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=asq:1:member --scope=base -b "CN=Administrators,CN=Builtin,$BASEDN" | grep sAMAccountName | wc -l) +if [ $nentries -lt 1 ]; then + echo "Attribute Scope Query test returned 0 items" + failed=$(expr $failed + 1) +fi + +echo "Test Search Options Control" +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=search_options:1:2 '(objectclass=crossRef)' | grep crossRef | wc -l) +if [ $nentries -lt 1 ]; then + echo "Search Options Control Query test returned 0 items" + failed=$(expr $failed + 1) +fi + +echo "Test Search Options Control with Domain Scope Control" +nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=search_options:1:2,domain_scope:1 '(objectclass=crossRef)' | grep crossRef | wc -l) +if [ $nentries -lt 1 ]; then + echo "Search Options Control Query test returned 0 items" + failed=$(expr $failed + 1) +fi + +wellknown_object_test() +( + guid=$1 + object=$2 + failed=0 + + basedns="<WKGUID=${guid},${BASEDN}> <wkGuId=${guid},${BASEDN}>" + for dn in ${basedns}; do + echo "Test ${dn} => ${object}" + r=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectClass=*)' -b "${dn}" | grep 'dn: ') + n=$(echo "${r}" | grep 'dn: ' | wc -l) + c=$(echo "${r}" | grep "${object}" | wc -l) + + if [ $n -lt 1 ]; then + echo "Object not found by WKGUID" + failed=$(expr $failed + 1) + continue + fi + if [ $c -lt 1 ]; then + echo "Wrong object found by WKGUID: [${r}]" + failed=$(expr $failed + 1) + continue + fi + done + + return $failed +) + +wellknown_object_test 22B70C67D56E4EFB91E9300FCA3DC1AA ForeignSecurityPrincipals +st=$? +if [ x"$st" != x"0" ]; then + failed=$(expr $failed + $st) +fi +wellknown_object_test 2FBAC1870ADE11D297C400C04FD8D5CD Infrastructure +st=$? +if [ x"$st" != x"0" ]; then + failed=$(expr $failed + $st) +fi +wellknown_object_test AB1D30F3768811D1ADED00C04FD8D5CD System +st=$? +if [ x"$st" != x"0" ]; then + failed=$(expr $failed + $st) +fi +wellknown_object_test A361B2FFFFD211D1AA4B00C04FD7D83A Domain Controllers +st=$? +if [ x"$st" != x"0" ]; then + failed=$(expr $failed + $st) +fi +wellknown_object_test AA312825768811D1ADED00C04FD8D5CD Computers +st=$? +if [ x"$st" != x"0" ]; then + failed=$(expr $failed + $st) +fi +wellknown_object_test A9D1CA15768811D1ADED00C04FD8D5CD Users +st=$? +if [ x"$st" != x"0" ]; then + failed=$(expr $failed + $st) +fi + +echo "Getting HEX GUID/SID of $BASEDN" +HEXDN=$($ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:0 distinguishedName | grep 'distinguishedName: ' | cut -d ' ' -f2-) +HEXGUID=$(echo "$HEXDN" | cut -d ';' -f1) +echo "HEXGUID[$HEXGUID]" + +echo "Getting STR GUID/SID of $BASEDN" +STRDN=$($ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:1 distinguishedName | grep 'distinguishedName: ' | cut -d ' ' -f2-) +echo "STRDN: $STRDN" +STRGUID=$(echo "$STRDN" | cut -d ';' -f1) +echo "STRGUID[$STRGUID]" + +echo "Getting STR GUID/SID of $BASEDN" +STRDN=$($ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:1 | grep 'dn: ' | cut -d ' ' -f2-) +echo "STRDN: $STRDN" +STRSID=$(echo "$STRDN" | cut -d ';' -f2) +echo "STRSID[$STRSID]" + +SPECIALDNS="$HEXGUID $STRGUID $STRSID" +for SPDN in $SPECIALDNS; do + echo "Search for $SPDN" + nentries=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER --scope=base -b "$SPDN" '(objectClass=*)' | grep "dn: $BASEDN" | wc -l) + if [ $nentries -lt 1 ]; then + echo "Special search returned 0 items" + failed=$(expr $failed + 1) + fi +done + +echo "Search using OIDs instead of names" +nentries1=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectClass=user)' name | grep "^name: " | wc -l) +nentries2=$($ldbsearch $options $CONFIGURATION -H $p://$SERVER '(2.5.4.0=1.2.840.113556.1.5.9)' name | grep "^name: " | wc -l) +if [ $nentries1 -lt 1 ]; then + echo "Error: Searching user via (objectClass=user): '$nentries1' < 1" + failed=$(expr $failed + 1) +fi +if [ $nentries2 -lt 1 ]; then + echo "Error: Searching user via (2.5.4.0=1.2.840.113556.1.5.9) '$nentries2' < 1" + failed=$(expr $failed + 1) +fi +if [ x"$nentries1" != x"$nentries2" ]; then + echo "Error: Searching user with OIDS[$nentries1] doesn't return the same as STRINGS[$nentries2]" + failed=$(expr $failed + 1) +fi + +exit $failed diff --git a/testprogs/blackbox/test_ldb_simple.sh b/testprogs/blackbox/test_ldb_simple.sh new file mode 100755 index 0000000..5f5f9b8 --- /dev/null +++ b/testprogs/blackbox/test_ldb_simple.sh @@ -0,0 +1,40 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: test_ldb_simple.sh PROTOCOL SERVER [OPTIONS] +EOF + exit 1 +fi + +p=$1 +SERVER=$2 +PREFIX=$3 +shift 2 +options="$*" + +. $(dirname $0)/subunit.sh +. "$(dirname "${0}")/common_test_fns.inc" + +check() +{ + name="$1" + shift + cmdline="$*" + echo "test: $name" + $cmdline + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + failed=$(expr $failed + 1) + fi + return $status +} + +ldbsearch="${VALGRIND} $(system_or_builddir_binary ldbsearch "${BINDIR}")" + +check "currentTime" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base currentTime || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh new file mode 100755 index 0000000..7de064d --- /dev/null +++ b/testprogs/blackbox/test_net_ads.sh @@ -0,0 +1,364 @@ +if [ $# -lt 4 ]; then + cat <<EOF +Usage: test_net_ads.sh DC_SERVER DC_USERNAME DC_PASSWORD BASEDIR +EOF + exit 1 +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +BASEDIR=$4 + +HOSTNAME=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10) + +RUNDIR=$(pwd) +cd $BASEDIR +WORKDIR=$(mktemp -d -p .) +WORKDIR=$(basename $WORKDIR) +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" + +# Load test functions +. $(dirname $0)/subunit.sh +. "$(dirname "${0}")/common_test_fns.inc" + +ldbadd=$(system_or_builddir_binary ldbadd "${BINDIR}") +ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}") +ldbdel=$(system_or_builddir_binary ldbdel "${BINDIR}") +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf") +testit "local krb5.conf created" \ + test -r \ + "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" || + failed=$((failed + 1)) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + +testit "test setspn list $netbios" $VALGRIND $net_tool ads setspn list $netbios -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) +spn="foo" +testit_expect_failure "test setspn add illegal windows spn ($spn)" $VALGRIND $net_tool ads setspn add $spn -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +spn="foo/somehost.domain.com" +testit "test setspn add ($spn)" $VALGRIND $net_tool ads setspn add $spn -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $spn | wc -l) +testit "test setspn list shows the newly added spn ($spn)" test $found -eq 1 || failed=$(expr $failed + 1) + +up_spn=$(echo $spn | tr '[:lower:]' '[:upper:]') +testit_expect_failure "test setspn add existing (case-insensitive) spn ($spn)" $VALGRIND $net_tool ads setspn add $up_spn -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "test setspn delete existing (case-insensitive) ($spn)" $VALGRIND $net_tool ads setspn delete $spn -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $spn | wc -l) +testit "test setspn list shows the newly deleted spn ($spn) is gone" test $found -eq 0 || failed=$(expr $failed + 1) + +testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=$(expr $failed + 1) + +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# Test with kerberos method = secrets and keytab +dedicated_keytab_file="$BASEDIR/$WORKDIR/test_net_ads_dedicated_krb5.keytab" +testit "join (dedicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') +uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') +lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]') +fqdn="$netbios.$lc_realm" + +krb_princ="primary/instance@$REALM" +testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $krb_princ | wc -l) + +testit "test (dedicated keytab) at least one fully qualified krb5 principal that was added is present in keytab" test $found -gt 1 || failed=$(expr $failed + 1) + +machinename="machine123" +testit "test (dedicated keytab) add a kerberos principal created from machinename to keytab" $VALGRIND $net_tool ads keytab add $machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) +search_str="$machinename\$@$REALM" +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l) +testit "test (dedicated keytab) at least one krb5 principal created from $machinename added is present in keytab" test $found -gt 1 || failed=$(expr $failed + 1) + +service="nfs" +testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +search_str="$service/$fqdn@$REALM" +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l) +testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=$(expr $failed + 1) + +search_str="$service/$uc_netbios@$REALM" +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l) +testit "test (dedicated keytab) at least one (shorter form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=$(expr $failed + 1) + +spn_service="random_srv" +spn_host="somehost.subdomain.domain" +spn_port="12345" + +windows_spn="$spn_service/$spn_host" +testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +search_str="$spn_service/$spn_host@$REALM" +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l) +testit "test (dedicated keytab) at least one krb5 principal created from windown SPN added is present in keytab" test $found -gt 1 || failed=$(expr $failed + 1) + +windows_spn="$spn_service/$spn_host:$spn_port" +testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +search_str="$spn_service/$spn_host@$REALM" +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l) +testit "test (dedicated keytab) at least one krb5 principal created from windown SPN (with port) added is present in keytab" test $found -gt 1 || failed=$(expr $failed + 1) + +# keytab add shouldn't have written spn to AD +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l) +testit "test (dedicated keytab) spn is not written to AD (using keytab add)" test $found -eq 0 || failed=$(expr $failed + 1) + +ad_service="writetoad" +testit "test (dedicated keytab) add a $ad_service service to keytab (using add_update_ads" $VALGRIND $net_tool ads keytab add_update_ads $ad_service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $ad_service | wc -l) +testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads)" test $found -eq 2 || failed=$(expr $failed + 1) + +# test existence in keytab of service (previously added) pulled from SPN post +# 'keytab create' is now present in keytab file +testit "test (dedicated keytab) keytab created succeeds" $VALGRIND $net_tool ads keytab create -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) +found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $ad_service | wc -l) +testit "test (dedicated keytab) spn service that exists in AD (created via add_update_ads) is added to keytab file" test $found -gt 1 || failed=$(expr $failed + 1) + +found_ad=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l) +found_keytab=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $service | wc -l) +# test after create that a spn that exists in the keytab but shouldn't +# be written to the AD. +testit "test spn service doesn't exist in AD but is present in keytab file after keytab create" test $found_ad -eq 0 -a $found_keytab -gt 1 || failed=$(expr $failed + 1) + +# SPN parser is very basic but does detect some illegal combination + +windows_spn="$spn_service/$spn_host:" +testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +windows_spn="$spn_service/$spn_host/" +testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +# now delete the keytab entries again... + +krb_princ="primary/instance@$REALM" +testit "test (dedicated keytab) delete a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab delete $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $krb_princ | wc -l` + +testit "test (dedicated keytab) fully qualified krb5 principal was deleted and is no longer present in keytab" test $found -eq 0 || failed=$(expr $failed + 1) + +machinename="machine123" +testit "test (dedicated keytab) delete a kerberos principle created from machinename from keytab" $VALGRIND $net_tool ads keytab delete $machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) +search_str="$machinename\$@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) krb5 principal created from $machinename was deleted and is no longer present in keytab" test $found -eq 0 || failed=$(expr $failed + 1) + +service="nfs" +testit "test (dedicated keytab) delete a $service service to keytab" $VALGRIND $net_tool ads keytab delete $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +search_str="$service" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) krb5 principal created from service was deleted and is no longer present in keytab" test $found -eq 0 || failed=$(expr $failed + 1) + +spn_service="random_srv" +spn_host="somehost.subdomain.domain" +spn_port="12345" + +windows_spn="$spn_service/$spn_host" +testit "test (dedicated keytab) delete a $windows_spn windows style SPN from keytab" $VALGRIND $net_tool ads keytab delete $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +search_str="$spn_service/$spn_host@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) krb5 principal created from windown SPN was deleted and is no longer present in keytab" test $found -eq 0 || failed=$(expr $failed + 1) + +windows_spn="$spn_service/$spn_host:$spn_port" +testit "test (dedicated keytab) delete a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab delete $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +search_str="$spn_service/$spn_host@$REALM" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) krb5 principal created from windown SPN (with port) was deleted and is no longer present in keytab" test $found -eq 0 || failed=$(expr $failed + 1) + +# keytab add shouldn't have written spn to AD +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l) +testit "test (dedicated keytab) spn is not written to AD (using keytab add)" test $found -eq 0 || failed=$(expr $failed + 1) + +ad_service="writetoad" +testit "test (dedicated keytab) delete a $ad_service service from keytab (used add_update_ads)" $VALGRIND $net_tool ads keytab delete $ad_service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +search_str="$ad_service" +found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` +testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads) was deleted and is no longer present in keytab" test $found -eq 0 || failed=$(expr $failed + 1) +# still in ad +found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $ad_service | wc -l) +testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads) is still in ad after deletion from keytab" test $found -eq 2 || failed=$(expr $failed + 1) + +testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=$(expr $failed + 1) + +testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# if there is no keytab, try and create it +if [ ! -f $dedicated_keytab_file ]; then + if [ $(command -v ktutil) ] >/dev/null; then + printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil + fi +fi + +if [ -f $dedicated_keytab_file ]; then + testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=$(expr $failed + 1) +fi + +rm -f $dedicated_keytab_file + +testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +testit "join+kerberos" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +testit "leave+kerberos" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=$(expr $failed + 1) + +testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=$(expr $failed + 1) + +testit "leave+server" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=$(expr $failed + 1) + +testit_expect_failure "join+invalid_server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -SINVALID || failed=$(expr $failed + 1) + +testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit_expect_failure "leave+invalid_server" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD -SINVALID || failed=$(expr $failed + 1) + +testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=$(expr $failed + 1) + +base_dn="DC=addom,DC=samba,DC=example,DC=com" +computers_dn="CN=Computers,$base_dn" +testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "cn=$HOSTNAME,$computers_dn" || failed=$(expr $failed + 1) + +dns_alias1="${netbios}_alias1.other.${lc_realm}" +dns_alias2="${netbios}_alias2.other2.${lc_realm}" +testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=$(expr $failed + 1) + +testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=$(expr $failed + 1) +testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=$(expr $failed + 1) + +testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=$(expr $failed + 1) +testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=$(expr $failed + 1) + +testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=$(expr $failed + 1) +testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=$(expr $failed + 1) + +# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC +short_alias_file="$BASEDIR/$WORKDIR/short_alias_file" +printf 'short_alias\0$' >$short_alias_file +cat >$BASEDIR/$WORKDIR/tmpldbmodify <<EOF +dn: CN=$HOSTNAME,$computers_dn +changetype: modify +add: msDS-AdditionalDnsHostName +msDS-AdditionalDnsHostName:< file://$short_alias_file +EOF + +testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $BASEDIR/$WORKDIR/tmpldbmodify || failed=$(expr $failed + 1) + +testit_grep "addl short alias" short_alias $ldbsearch --show-binary -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || failed=$(expr $failed + 1) + +rm -f $BASEDIR/$WORKDIR/tmpldbmodify $short_alias_file + +dedicated_keytab_file="$BASEDIR/$WORKDIR/test_dns_aliases_dedicated_krb5.keytab" + +testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) +testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) +testit_grep "addl short check keytab" "host/short_alias@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +rm -f $dedicated_keytab_file + +##Goodbye... +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# netbios aliases tests +testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=$(expr $failed + 1) + +testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=$(expr $failed + 1) +testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=$(expr $failed + 1) + +testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=$(expr $failed + 1) +testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=$(expr $failed + 1) + +##Goodbye... +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# +# Test createcomputer option of 'net ads join' +# +testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER <<EOF +dn: OU=Servers,$base_dn +objectClass: organizationalUnit +EOF + +testit "join+createcomputer" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createcomputer=Servers || failed=$(expr $failed + 1) + +testit "ldb check for existence of machine account in OU=Servers" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "cn=$HOSTNAME,OU=Servers,$base_dn" || failed=$(expr $failed + 1) + +## Goodbye... +testit "leave+createcomputer" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "Remove OU=Servers" $VALGRIND $ldbdel -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER "OU=Servers,$base_dn" + +# +# Test createupn option of 'net ads join' +# +testit "join+createupn" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createupn="host/test-$HOSTNAME@$REALM" || failed=$(expr $failed + 1) + +testit_grep "checkupn" "userPrincipalName: host/test-$HOSTNAME@$REALM" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=$(expr $failed + 1) + +dedicated_keytab_file="$BASEDIR/$WORKDIR/test_net_create_dedicated_krb5.keytab" + +testit "create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +testit_grep "checkupn+keytab" "host/test-$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +rm -f $dedicated_keytab_file + +testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# +# Test dnshostname option of 'net ads join' +# +testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=$(expr $failed + 1) + +testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=$(expr $failed + 1) + +testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1) + +rm -f $dedicated_keytab_file + +testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +rm -rf $BASEDIR/$WORKDIR + +exit $failed diff --git a/testprogs/blackbox/test_net_ads_dns.sh b/testprogs/blackbox/test_net_ads_dns.sh new file mode 100755 index 0000000..20f917a --- /dev/null +++ b/testprogs/blackbox/test_net_ads_dns.sh @@ -0,0 +1,195 @@ +#!/bin/sh +# Blackbox tests for net ads dns register etc. +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_net_ads_dns.sh SERVER DC_USERNAME DC_PASSWORD REALM USER PASS +EOF + exit 1 +fi + +SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +REALM=$4 +USERNAME=$5 +PASSWORD=$6 +shift 6 +failed=0 + +samba4bindir="$BINDIR" + +samba_tool="$samba4bindir/samba-tool" +net_tool="$samba4bindir/net" +smbpasswd="$samba4bindir/smbpasswd" +texpect="$samba4bindir/texpect" + +newuser="$samba_tool user create" +groupaddmem="$samba_tool group addmembers" + +. $(dirname $0)/subunit.sh +. "$(dirname "${0}")/common_test_fns.inc" + +ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}") +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +IPADDRESS=10.1.4.111 +IP6ADDRESS=fd00:1a1a::1:5ee:bad:c0de +IPADDRMAC=10.1.4.124 +UNPRIVIP=10.1.4.130 +ADMINNAME=testname.$$ +MACHINENAME=membername.$$ +UNPRIVNAME=unprivname.$$ +UNPRIVUSER=unprivuser.$$ +UNPRIVPASS=UnPrivPass1 + +# These tests check that privileged users can add DNS names and that +# unprivileged users cannot do so. +echo "Starting ..." + +testit "admin user should be able to add a DNS entry $ADMINNAME.$REALM $IPADDRESS $IP6ADDRESS" \ + $VALGRIND $net_tool ads dns register $ADMINNAME.$REALM $IPADDRESS $IP6ADDRESS -U$DC_USERNAME%$DC_PASSWORD || + failed=$(expr $failed + 1) + +testit_grep_count \ + "We should be able to see the new name $ADMINNAME.$REALM $IPADDRESS" \ + "$IPADDRESS" \ + 1 \ + dig @$SERVER +short -t a $ADMINNAME.$REALM || + failed=$(expr $failed + 1) +testit_grep_count \ + "We should be able to see the new name $ADMINNAME.$REALM $IP6ADDRESS" \ + "$IP6ADDRESS" \ + 1 \ + dig @$SERVER +short -t aaaa $ADMINNAME.$REALM || + failed=$(expr $failed + 1) + +testit "We should be able to unregister the name $ADMINNAME.$REALM" \ + $VALGRIND $net_tool ads dns unregister $ADMINNAME.$REALM -U$DC_USERNAME%$DC_PASSWORD || + failed=$(expr $failed + 1) + +testit_grep_count \ + "The name $ADMINNAME.$REALM $IPADDRESS should not be there any longer" \ + "$IPADDRESS" \ + 0 \ + dig @$SERVER +short -t a $ADMINNAME.$REALM || + failed=$(expr $failed + 1) + +testit_grep_count \ + "The name $ADMINNAME.$REALM $IP6ADDRESS should not be there any longer" \ + "$IP6ADDRESS" \ + 0 \ + dig @$SERVER +short -t aaaa $ADMINNAME.$REALM || + failed=$(expr $failed + 1) + +# prime the kpasswd server, see "git blame" for an explanation +$VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD +$VALGRIND $net_tool user delete $UNPRIVUSER -U$DC_USERNAME%$DC_PASSWORD + +# This should be an expect_failure test ... +testit "Adding an unprivileged user" $VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +BASEDN=$($VALGRIND $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -b '' --scope=base defaultNamingContext | grep defaultNamingContext | sed -e 's!^defaultNamingContext: !!') + +LDIF="dn: CN=$UNPRIVUSER,CN=users,${BASEDN}+changetype: modify+replace: userAccountControl+userAccountControl: 512" + +echo $LDIF | tr '+' '\n' | $VALGRIND $ldbmodify -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -i +STATUS=$? + +testit "We should have enabled the account" test $STATUS -eq 0 || failed=$(expr $failed + 1) + +#Unprivileged users should be able to add new names +testit "Unprivileged users should be able to add new names" $net_tool ads dns register $UNPRIVNAME.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=$(expr $failed + 1) + +# This should work as well +testit "machine account should be able to add a DNS entry net ads dns register $MACHINENAME.$REALM $IPADDRMAC -P" \ + $net_tool ads dns register $MACHINENAME.$REALM $IPADDRMAC -P || + failed=$(expr $failed + 1) + +testit_grep_count \ + "We should be able to see the new name $MACHINENAME.$REALM" \ + "$IPADDRMAC" \ + 1 \ + dig @$SERVER +short -t a $MACHINENAME.$REALM || + failed=$(expr $failed + 1) + +#Unprivileged users should not be able to overwrite other's names +testit_expect_failure \ + "Unprivileged users should not be able to modify existing names" \ + $net_tool ads dns register $MACHINENAME.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || + failed=$(expr $failed + 1) + +testit "We should be able to unregister the name $UNPRIVNAME.$REALM $IPADDRESS" \ + $VALGRIND $net_tool ads dns unregister $UNPRIVNAME.$REALM -U$UNPRIVUSER%$UNPRIVPASS || + failed=$(expr $failed + 1) +testit "We should be able to unregister the name $MACHINENAME.$REALM $IPADDRESS" \ + $VALGRIND $net_tool ads dns unregister $MACHINENAME.$REALM -P || + failed=$(expr $failed + 1) + +# Remove the unprivileged user, which is not required anymore +$VALGRIND $net_tool user delete $UNPRIVUSER -U$DC_USERNAME%$DC_PASSWORD + +testit_grep_count \ + "The name $UNPRIVNAME.$REALM ($IPADDRESS) should not be there any longer" \ + "$IPADDRESS" \ + 0 \ + dig @$SERVER +short -t a $UNPRIVNAME.$REALM || + failed=$(expr $failed + 1) +testit_grep_count \ + "The name $UNPRIVNAME.$REALM ($IP6ADDRESS) should not be there any longer" \ + "$IP6ADDRESS" \ + 0 \ + dig @$SERVER +short -t aaaa $UNPRIVNAME.$REALM || + failed=$(expr $failed + 1) +testit_grep_count \ + "The name $MACHINENAME.$REALM ($IPADDRESS) should not be there any longer" \ + "$IPADDRESS" \ + 0 \ + dig @$SERVER +short -t a $MACHINENAME.$REALM || + failed=$(expr $failed + 1) +testit_grep_count \ + "The name $MACHINENAME.$REALM ($IP6ADDRESS) should not be there any longer" \ + "$IP6ADDRESS" \ + 0 \ + dig @$SERVER +short -t aaaa $MACHINENAME.$REALM || + failed=$(expr $failed + 1) + +# Tests with --dns-ttl option +testit "net ads dns register with default TTL" \ + $net_tool ads dns register $MACHINENAME.$REALM $IPADDRMAC -P || + failed=$(expr $failed + 1) +TTL=$(dig @$SERVER.$REALM +noall +ttlid +answer -t A $MACHINENAME.$REALM | + awk '{ print $2 }') +testit "Verify default TTL of 3600 seconds" \ + test "$TTL" = "3600" || + failed=$(expr $failed + 1) + +testit "Update record with TTL of 60 seconds" \ + $net_tool ads dns register --dns-ttl 60 --force $MACHINENAME.$REALM $IPADDRMAC -P || + failed=$(expr $failed + 1) +TTL=$(dig @$SERVER.$REALM +noall +ttlid +answer -t A $MACHINENAME.$REALM | + awk '{ print $2 }') +testit "Verify new TTL of 60 seconds" \ + test "$TTL" = "60" || + failed=$(expr $failed + 1) + +testit "We should be able to unregister the name $MACHINENAME.$REALM $IPADDRESS" \ + $VALGRIND $net_tool ads dns unregister $MACHINENAME.$REALM -P || + failed=$(expr $failed + 1) + +testit_grep_count \ + "The name $MACHINENAME.$REALM ($IPADDRESS) should not be there any longer" \ + "$IPADDRESS" \ + 0 \ + dig @$SERVER.$REALM +short -t A $MACHINENAME.$REALM || + failed=$(expr $failed + 1) +testit_grep_count \ + "The name $MACHINENAME.$REALM ($IP6ADDRESS) should not be there any longer" \ + "$IP6ADDRESS" \ + 0 \ + dig @$SERVER.$REALM +short -t AAAA $MACHINENAME.$REALM || + failed=$(expr $failed + 1) + +testok $0 $failed diff --git a/testprogs/blackbox/test_net_ads_fips.sh b/testprogs/blackbox/test_net_ads_fips.sh new file mode 100755 index 0000000..8d21e73 --- /dev/null +++ b/testprogs/blackbox/test_net_ads_fips.sh @@ -0,0 +1,43 @@ +if [ $# -lt 4 ]; then + cat <<EOF +Usage: test_net_ads_fips.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS +EOF + exit 1 +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +BASEDIR=$4 + +HOSTNAME=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10) + +RUNDIR=$(pwd) +cd $BASEDIR +WORKDIR=$(mktemp -d -p .) +WORKDIR=$(basename $WORKDIR) +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" + +# Load test functions +. $(dirname $0)/subunit.sh + +# This make sure we are able to join AD in FIPS mode with Kerberos (NTLM doesn't work in FIPS mode). +testit "join" $VALGRIND $net_tool ads join --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=$(expr $failed + 1) + +testit "leave" $VALGRIND $net_tool ads leave --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +rm -rf $BASEDIR/$WORKDIR + +exit $failed diff --git a/testprogs/blackbox/test_net_ads_search_server.sh b/testprogs/blackbox/test_net_ads_search_server.sh new file mode 100755 index 0000000..f8350c9 --- /dev/null +++ b/testprogs/blackbox/test_net_ads_search_server.sh @@ -0,0 +1,37 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: $0 SERVER REALM +EOF +exit 1; +fi + +SERVER=$1 +REALM=$2 +shift 2 + +failed=0 +. `dirname $0`/subunit.sh + +samba_net="$BINDIR/net" + +DN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]' | sed -e 's!^!DC=!' -e 's!\.!,DC=!g') +testit_grep_count \ + "net_ads_search.ntlmssp" \ + "distinguishedName: ${DN}" \ + 1 \ + $samba_net ads search --use-kerberos=off -P \ + --server "${SERVER}.${REALM}" \ + '(objectClass=domain)' distinguishedName || \ + failed=$((failed + 1)) +testit_grep_count \ + "net_ads_search.krb5" \ + "distinguishedName: ${DN}" \ + 1 \ + $samba_net ads search --use-kerberos=required -P \ + --server "${SERVER}.${REALM}" \ + '(objectClass=domain)' distinguishedName || \ + failed=$((failed + 1)) + +exit $failed diff --git a/testprogs/blackbox/test_net_offline.sh b/testprogs/blackbox/test_net_offline.sh new file mode 100755 index 0000000..d885b33 --- /dev/null +++ b/testprogs/blackbox/test_net_offline.sh @@ -0,0 +1,162 @@ +if [ $# -lt 4 ]; then + cat <<EOF +Usage: test_net_offline.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS +EOF + exit 1 +fi + +DC_SERVER=$1 +DC_USERNAME=$2 +DC_PASSWORD=$3 +BASEDIR=$4 + +HOSTNAME=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10) + +RUNDIR=$(pwd) +cd $BASEDIR +WORKDIR=$(mktemp -d -p .) +WORKDIR=$(basename $WORKDIR) +ODJFILE="$BASEDIR/$WORKDIR/odj_provision.txt" + +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" +samba_texpect="$BINDIR/texpect" + +# Load test functions +. $(dirname $0)/subunit.sh + +netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + +# 1. Test w/o dcname + +testit "provision without dcname" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +rm -f $ODJFILE + +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# 2. Test with dcname + +testit "provision with dcname" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE dcname=$DC_SERVER -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +rm -f $ODJFILE + +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +# 3. Test with defpwd + +testit "provision with dcname and default password" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE dcname=$DC_SERVER defpwd -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=$(expr $failed + 1) + +testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + +rm -f $ODJFILE + +testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + +test_compose_odj() { + local mode=$1 + local composeargv=() + + # Retrieve the necessary information to compose the ODJ blob + # The machine needs to be correctly joined at this point + local netbios_domain_name=$($net_tool ads lookup | awk -F': ' '/^Pre-Win2k Domain/ {print $2}') + local domain_sid=$($net_tool getdomainsid | awk -F': ' "/^SID for domain $netbios_domain_name/ {print \$2}") + local domain_guid=$($net_tool ads lookup | awk -F': ' '/^GUID/ {print $2}') + local forest_name=$($net_tool ads lookup | awk -F': ' '/^Forest/ {print $2}') + local dc_name=$($net_tool ads info | awk -F': ' '/^LDAP server name/ {print $2}') + local dc_address=$($net_tool ads info | awk -F': ' '/^LDAP server:/ {print $2}') + local ret=1 + local out="" + + composeargv=( \ + "domain_sid=${domain_sid}" \ + "domain_guid=${domain_guid}" \ + "forest_name=${forest_name}" \ + "-S ${dc_name}" \ + "-I ${dc_address}" \ + "savefile=${ODJFILE}" + ) + case $mode in + machacct) + cmd='$net_tool offlinejoin composeodj ${composeargv[@]} -P 2>&1' + out=$(eval $cmd) + ret=$? + ;; + stdinfd) + cmd='echo ${netbios} | $net_tool offlinejoin composeodj ${composeargv[@]} -U${netbios^^}\$ 2>&1' + out=$(PASSWD_FD=0 eval $cmd) + ret=$? + ;; + callback) + tmpfile=$BASEDIR/$WORKDIR/composeodj_password_script + cat >$tmpfile <<EOF +expect Password for [${netbios_domain_name^^}\\${netbios^^}\$]: +send $netbios\n +EOF + cmd='$samba_texpect -v $tmpfile $net_tool offlinejoin composeodj ${composeargv[@]} 2>&1' + out=$(eval $cmd) + ret=$? + rm -f $tmpfile + ;; + *) + out="Unknown mode '$mode'" + ;; + esac + + if [ $ret -ne 0 ]; then + echo "Failed to compose ODJ blob: $out" + return 1 + fi +} + +# 4. Test composeodj + +modes=("machacct" "stdinfd" "callback") +for mode in "${modes[@]}"; do + + defpwd="defpwd" + if [ "$mode" == "machacct" ]; then + defpwd="" + fi + + testit "provision[$mode]" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE $defpwd -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) + + testit "requestodj [$mode]" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=$(expr $failed + 1) + + testit "testjoin [$mode]" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + + testit "removeodjblob [$mode]" rm $ODJFILE || failed=$(expr $failed + 1) + + testit "composeodj [$mode]" test_compose_odj $mode || failed=$(expr $failed + 1) + + testit "removesecretsdb [$mode]" rm $BASEDIR/$WORKDIR/private/secrets.tdb || failed=$(expr $failed + 1) + + testit "requestodj [$mode]" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=$(expr $failed + 1) + + testit "removeodjblob [$mode]" rm $ODJFILE || failed=$(expr $failed + 1) + + testit "testjoin [$mode]" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1) + + testit "leave [$mode]" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) +done + +rm -rf $BASEDIR/$WORKDIR + +exit $failed diff --git a/testprogs/blackbox/test_net_rpc_user.sh b/testprogs/blackbox/test_net_rpc_user.sh new file mode 100755 index 0000000..4d6fe75 --- /dev/null +++ b/testprogs/blackbox/test_net_rpc_user.sh @@ -0,0 +1,56 @@ +#!/bin/sh +# Blackbox tests for 'net rpc' +# +# Copyright (c) 2017 Andreas Schneider <asn@samba.org> + +if [ $# -lt 4 ]; then + cat <<EOF +Usage: test_net_rpc_user.sh SERVER ADMIN_ACCOUNT ADMIN_PASSWORD ADMIN_DOMAIN +EOF + exit 1 +fi + +SERVER=$1 +ADMIN_ACCOUNT=$2 +ADMIN_PASSWORD=$3 +ADMIN_DOMAIN=$4 +shift 4 + +failed=0 +samba_bindir="$BINDIR" + +samba_tool="$samba_bindir/samba-tool" +net_tool="$samba_bindir/net" + +TEST_USERNAME="$(mktemp -u samson-XXXXXX)" +TEST_PASSWORD="Passw0rd~01" + +newuser="$samba_tool user create" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +########################################################### +### Setup +########################################################### + +testit "net rpc user add" \ + $VALGRIND $net_tool rpc user add $TEST_USERNAME $TEST_PASSWORD -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +########################################################### +### Tests +########################################################### + +TEST_PASSWORD_NEW="Passw0rd~02" + +testit "net rpc user password" \ + $VALGRIND $net_tool rpc user password $TEST_USERNAME $TEST_PASSWORD_NEW -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +########################################################### +### Teardown +########################################################### + +testit "net rpc user delete" \ + $VALGRIND $net_tool rpc user delete $TEST_USERNAME -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_offline_logon.sh b/testprogs/blackbox/test_offline_logon.sh new file mode 100755 index 0000000..84da8a4 --- /dev/null +++ b/testprogs/blackbox/test_offline_logon.sh @@ -0,0 +1,43 @@ +#!/bin/sh +# Blackbox tests for winbind offline logon support +# Copyright (c) 2021 Andreas Schneider <asn@samba.org> + +if [ $# -lt 9 ]; then + cat <<EOF +Usage: test_offline_logon.sh DOMAIN CACHED_USER_NAME_1 CACHED_USER_PASS_1 CACHED_USER_NAME_2 CACHED_USER_PASS_2 ONLINE_USER_NAME_1 ONLINE_USER_PASS_1 ONLINE_USER_NAME_2 ONLINE_USER_PASS_2 +EOF + exit 1 +fi + +DOMAIN=$1 +CACHED_USER_NAME_1=$2 +CACHED_USER_PASS_1=$3 +CACHED_USER_NAME_2=$4 +CACHED_USER_PASS_2=$5 +ONLINE_USER_NAME_1=$6 +ONLINE_USER_PASS_1=$7 +ONLINE_USER_NAME_2=$8 +ONLINE_USER_PASS_2=$9 +shift 9 + +. $(dirname $0)/subunit.sh + +samba_bindir="$BINDIR" +wbinfo="$samba_bindir/wbinfo" + +# Check that the DC is offline +testit_expect_failure "wbinfo.ping-dc" $VALGRIND $wbinfo --ping-dc || failed=$(expr $failed + 1) + +# We should have cached credentials for alice and bob +# --pam-logon sets always the WBFLAG_PAM_CACHED_LOGIN flag +testit "wbinfo.pam_logon_$CACHED_USER_NAME_1" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$CACHED_USER_NAME_1%$CACHED_USER_PASS_1 || failed=$(expr $failed + 1) +testit "wbinfo.kerberos_logon_$CACHED_USER_NAME_1" $VALGRIND $wbinfo --krb5auth=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=$(expr $failed + 1) + +testit "wbinfo.pam_logon_$CACHED_USER_NAME_2" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=$(expr $failed + 1) +testit "wbinfo.kerberos_logon_$CACHED_USER_NAME_2" $VALGRIND $wbinfo --krb5auth=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=$(expr $failed + 1) + +# We should not be able to auth with jane or joe +testit_expect_failure "wbinfo.pam_logon_$ONLINE_USER_NAME_1" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$ONLINE_USER_NAME_1%$ONLINE_USER_PASS_1 || failed=$(expr $failed + 1) +testit_expect_failure "wbinfo.pam_logon_$ONLINE_USER_NAME_2" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$ONLINE_USER_NAME_2%$ONLINE_USER_PASS_2 || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_old_enctypes.sh b/testprogs/blackbox/test_old_enctypes.sh new file mode 100755 index 0000000..822e329 --- /dev/null +++ b/testprogs/blackbox/test_old_enctypes.sh @@ -0,0 +1,61 @@ +#!/bin/bash + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_old_enctypes.sh SERVER USERNAME PASSWORD NETBIOSNAME PREFIX_ABS +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +NETBIOSNAME=$4 +PREFIX_ABS=$5 +shift 5 +failed=0 + +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" + +samba_tool="$samba4bindir/samba-tool" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}") +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +out="${PREFIX_ABS}/tmpldbsearch.out" +$ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 sAMAccountName="$NETBIOSNAME\$" dn msDS-SupportedEncryptionTypes >$out +testit_grep "find my dn" msDS-SupportedEncryptionTypes cat $out || failed=$(expr $failed + 1) + +my_dn=$(cat $out | sed -n 's/^dn: //p') +my_encs=$(cat $out | sed -n 's/^msDS-SupportedEncryptionTypes: //p') +my_test_encs=$(expr $my_encs + 3) + +ldif="${PREFIX_ABS}/tmpldbmodify.ldif" + +cat >$ldif <<EOF +dn: $my_dn +changetype: modify +replace: msDS-SupportedEncryptionTypes +msDS-SupportedEncryptionTypes: $my_test_encs +EOF + +testit "Change msDS-SupportedEncryptionTypes to $my_test_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 <$ldif || failed=$(expr $failed + 1) +kt=${PREFIX_ABS}/tmp_host_out_keytab +testit "Export keytab while old enctypes are supported" $samba_tool domain exportkeytab --principal=$NETBIOSNAME\$ $kt + +cat >$ldif <<EOF +dn: $my_dn +changetype: modify +replace: msDS-SupportedEncryptionTypes +msDS-SupportedEncryptionTypes: $my_encs +EOF + +testit "Change msDS-SupportedEncryptionTypes back to $my_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 <$ldif || failed=$(expr $failed + 1) + +rm -rf $kt $out $ldif + +exit $failed diff --git a/testprogs/blackbox/test_password_settings.sh b/testprogs/blackbox/test_password_settings.sh new file mode 100755 index 0000000..b3b23f6 --- /dev/null +++ b/testprogs/blackbox/test_password_settings.sh @@ -0,0 +1,251 @@ +#!/bin/sh +# Blackbox tests for different password settings +# +# Copyright (c) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (c) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (c) 2016 Andreas Schneider <asn@samba.org> + +if [ $# -lt 7 ]; then + cat <<EOF +Usage: test_passwords_settings.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX CONFIGURATION +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +CONFIGURATION=${7} +shift 7 +failed=0 + +samba_bindir="$BINDIR" + +smbclient="$samba_bindir/smbclient" +samba_tool="$samba_bindir/samba-tool" +smbpasswd="$samba_bindir/smbpasswd" +texpect="$samba_bindir/texpect" + +newuser="$samba_tool user create" +SMB_UNC="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) + +do_kinit() +{ + principal="$1" + password="$2" + shift + shift + kerberos_kinit "$samba_kinit" "$principal" "$password" "$@" +} + +test_smbpasswd() +{ + user=$1 + newpass=$2 + _config="$(echo "${CONFIGURATION}" | cut -d '=' -f 2)" + + tmpfile=$PREFIX/smbpasswd_change_password_script + cat >$tmpfile <<EOF +expect New SMB password: +send ${newpass}\n +expect Retype new SMB password: +send ${newpass}\n +EOF + + cmd='UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $texpect $tmpfile $smbpasswd -L -c ${_config} $user' + eval echo "$cmd" + out=$(eval $cmd) + ret=$? + rm -f $tmpfile + + if [ $ret -ne 0 ]; then + echo "Failed to change user password $user" + return 1 + fi +} + +testit "reset password policies beside of minimum password age of 0 days" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set \ + "${CONFIGURATION}" --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1) + +TEST_USERNAME="$(mktemp -u alice-XXXXXX)" +TEST_PASSWORD="testPaSS@00%" +TEST_PASSWORD_NEW="testPaSS@01%" +TEST_PASSWORD_NON_ASCII="Täst123" +TEST_PASSWORD_SHORT="secret" +TEST_PASSWORD_WEAK="Supersecret" +TEST_PRINCIPAL="$TEST_USERNAME@$REALM" + +testit "create user locally" \ + $VALGRIND $PYTHON $newuser $TEST_USERNAME $TEST_PASSWORD \ + "${CONFIGURATION}" || failed=$(expr $failed + 1) + +########################################################### +### Test normal operation as user +########################################################### + +KRB5CCNAME_PATH="$PREFIX/test_password_settings_krb5ccache" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH + +########################################################### +### Change the users password +########################################################### + +testit "change user password with 'samba-tool user password' (unforced)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1) + +TEST_PASSWORD_OLD=$TEST_PASSWORD +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@02%" + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +########################################################### +### Change the users password +########################################################### + +testit "change user (non-ascii) password with 'samba-tool user password' (unforced)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NON_ASCII || failed=$(expr $failed + 1) + +TEST_PASSWORD_OLD=$TEST_PASSWORD_NEW +TEST_PASSWORD=$TEST_PASSWORD_NON_ASCII + +testit "kinit with user password" \ + do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1) + +# +# These tests demonstrate that a credential cache in the environment does not +# override a username/password, even an incorrect one, on the command line +# + +testit_expect_failure "Test login with user kerberos ccache, but wrong password specified" \ + $VALGRIND $smbclient //$SERVER/tmp -c 'ls' --use-krb5-ccache=$KRB5CCNAME -U$TEST_PRINCIPAL%invalidpass || failed=$(expr $failed + 1) +testit_expect_failure "Test login with user kerberos ccache, but old password specified" \ + $VALGRIND $smbclient //$SERVER/tmp -c 'ls' --use-krb5-ccache=$KRB5CCNAME -U$TEST_PRINCIPAL%$TEST_PASSWORD_OLD || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH + +########################################################### +### Set the password with smbpasswd +########################################################### + +testit "set user password with smbpasswd" \ + test_smbpasswd $TEST_USERNAME $TEST_PASSWORD_NEW || + failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@03%" + +test_smbclient "Test login with user (ntlm)" \ + "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +testit "set password on user locally" $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME "${CONFIGURATION}" --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@04%" + +test_smbclient_expect_failure "Test login with user (NT_STATUS_PASSWORD_MUST_CHANGE)" \ + "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +testit "change user password with 'samba-tool user password' (after must change flag set)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN -U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@05%" + +test_smbclient "Test login with user kerberos" 'ls' "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH + +cat >$PREFIX/tmpsmbpasswdscript <<EOF +expect Old SMB password: +password ${TEST_PASSWORD}\n +expect New SMB password: +send ${TEST_PASSWORD_NEW}\n +expect Retype new SMB password: +send ${TEST_PASSWORD_NEW}\n +EOF + +config="$(echo "${CONFIGURATION}" | cut -d '=' -f 2)" +testit "change user password with smbpasswd (after must change flag set)" \ + $texpect $PREFIX/tmpsmbpasswdscript $smbpasswd -r $SERVER -c ${config} -U $TEST_USERNAME || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_NEW +TEST_PASSWORD_NEW="testPaSS@06%" + +test_smbclient "Test login with user kerberos" \ + "ls" "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH + +testit_expect_failure "try to set a non-complex password (command should not succeed)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_WEAK" || failed=$(expr $failed + 1) + +testit "allow non-complex passwords" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --complexity=off || failed=$(expr $failed + 1) + +testit "try to set a non-complex password (command should succeed)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_WEAK" || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_WEAK + +test_smbclient "test login with non-complex password" \ + "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1) + +testit_expect_failure "try to set a short password (command should not succeed)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_SHORT" || failed=$(expr $failed + 1) + +testit "allow short passwords (length 1)" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --min-pwd-length=1 || failed=$(expr $failed + 1) + +testit "try to set a short password (command should succeed)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_SHORT" || failed=$(expr $failed + 1) + +TEST_PASSWORD=$TEST_PASSWORD_SHORT +TEST_PASSWORD_NEW="testPaSS@07%" + +testit "require minimum password age of 1 day" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --min-pwd-age=1 || failed=$(expr $failed + 1) + +testit "show password settings" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings show "${CONFIGURATION}" || failed=$(expr $failed + 1) + +testit_expect_failure "try to change password too quickly (command should not succeed)" \ + $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1) + +testit "reset password policies" \ + $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1) + +testit "delete user $TEST_USERNAME" \ + $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" "${CONFIGURATION}" -k no || failed=$(expr $failed + 1) + +rm -f $PREFIX/tmpuserpassfile $PREFIX/tmpsmbpasswdscript +rm -f $KRB5CCNAME_PATH + +exit $failed diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh new file mode 100755 index 0000000..2f4fad7 --- /dev/null +++ b/testprogs/blackbox/test_pdbtest.sh @@ -0,0 +1,116 @@ +#!/bin/sh +# Blackbox tests for pdbtest +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2012 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: test_pdbtest.sh SERVER PREFIX USER SMBCLIENT SMB_CONF +EOF + exit 1 +fi + +SERVER=$1 +PREFIX=$2 +USER=$3 +smbclient=$4 +SMB_CONF=$5 +shift 5 +failed=0 + +samba4bindir="$BINDIR" +pdbtest="$samba4bindir/pdbtest" +pdbedit="$samba4bindir/pdbedit" +net="$samba4bindir/net" +smbpasswd="$samba4bindir/smbpasswd" +texpect="$samba4bindir/texpect" +unc="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +test_smbpasswd() +{ + user=$1 + newpass=$2 + + echo "set password with smbpasswd" + tmpfile=$PREFIX/smbpasswd_change_password_script + cat >$tmpfile <<EOF +expect New SMB password: +send ${newpass}\n +expect Retype new SMB password: +send ${newpass}\n +EOF + + cmd='UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $texpect $tmpfile $smbpasswd -L $user -c $SMB_CONF' + eval echo "$cmd" + out=$(eval $cmd) + ret=$? + rm -f $tmpfile + + if [ $ret -ne 0 ]; then + echo "Failed to change user password $user" + return 1 + fi +} + +testit "pdbtest" $VALGRIND $BINDIR/pdbtest -u $USER "$@" || failed=$(expr $failed + 1) + +NEWUSERPASS=testPaSS@01% + +echo "set password with pdbedit" +cat >$PREFIX/tmpsmbpasswdscript <<EOF +expect new password: +send ${NEWUSERPASS}\n +expect retype new password: +send ${NEWUSERPASS}\n +EOF + +testit "create user with pdbedit" $texpect $PREFIX/tmpsmbpasswdscript $VALGRIND $pdbedit --configfile=$SMB_CONF -a $USER --account-desc="pdbedit-test-user" "$@" || failed=$(expr $failed + 1) +USERPASS=$NEWUSERPASS + +test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS "$@" || failed=$(expr $failed + 1) + +testit "modify user" $VALGRIND $pdbedit --configfile=$SMB_CONF --modify $USER --drive="D:" "$@" || failed=$(expr $failed + 1) + +test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS "$@" || failed=$(expr $failed + 1) + +NEWUSERPASS=testPaSS@02% + +testit "set user password with smbpasswd" \ + test_smbpasswd $USER $NEWUSERPASS || + failed=$(expr $failed + 1) + +USERPASS=$NEWUSERPASS + +test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS "$@" || failed=$(expr $failed + 1) + +testit "modify user - disabled" $VALGRIND $net sam set disabled $USER yes "$@" || failed=$(expr $failed + 1) + +testit_expect_failure "Test login with disabled suer" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -U$USER@%$USERPASS || failed=$(expr $failed + 1) + +testit "modify user - enabled" $VALGRIND $net sam set disabled $USER no "$@" || failed=$(expr $failed + 1) + +test_smbclient "Test login with re-enabled user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=$(expr $failed + 1) + +testit "modify user - must change password now" $VALGRIND $net sam set pwdmustchangenow $USER yes "$@" || failed=$(expr $failed + 1) + +testit_expect_failure "Test login with expired password" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -U$USER@%$USERPASS || failed=$(expr $failed + 1) + +testit "modify user - disable password expiry" $VALGRIND $net sam set pwnoexp $USER yes "$@" || failed=$(expr $failed + 1) + +test_smbclient "Test login with no expiry (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=$(expr $failed + 1) + +NEWUSERPASS=testPaSS@03% +NEWUSERHASH=062519096c45739c1938800f80906731 + +testit "Set user password with password hash" $VALGRIND $pdbedit --configfile=$SMB_CONF -u $USER --set-nt-hash $NEWUSERHASH "$@" || failed=$(expr $failed + 1) + +test_smbclient "Test login with new password (from hash)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=$(expr $failed + 1) + +testit "del user" $VALGRIND $pdbedit --configfile=$SMB_CONF -x $USER "$@" || failed=$(expr $failed + 1) + +rm $PREFIX/tmpsmbpasswdscript + +exit $failed diff --git a/testprogs/blackbox/test_pkinit_pac.sh b/testprogs/blackbox/test_pkinit_pac.sh new file mode 100755 index 0000000..1f94ece --- /dev/null +++ b/testprogs/blackbox/test_pkinit_pac.sh @@ -0,0 +1,61 @@ +#!/bin/sh +# Blackbox tests for pkinit and pac verification +# +# Copyright (C) 2006-2008 Stefan Metzmacher +# Copyright (C) 2022 Andreas Schneider + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +shift 6 +failed=0 + +samba_bindir="$BINDIR" + +samba_smbtorture="${samba_bindir}/smbtorture --basedir=$SELFTEST_TMPDIR" + +. "$(dirname "$0")"/subunit.sh +. "$(dirname "$0")"/common_test_fns.inc + +samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +rm -f "${KRB5CCNAME_PATH}" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")" + +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="--renewable" +else + X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="-r 1h" +fi +OPTION_REQUEST_PAC="--request-pac" + +testit "STEP1 kinit with pkinit (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP1 remote.pac verification" \ + "${samba_smbtorture}" ncacn_np:"${SERVER}" rpc.pac \ + --workgroup="${DOMAIN}" -U"${USERNAME}%${PASSWORD}" \ + --option=torture:pkinit_ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" +exit ${failed} diff --git a/testprogs/blackbox/test_pkinit_simple.sh b/testprogs/blackbox/test_pkinit_simple.sh new file mode 100755 index 0000000..629bfad --- /dev/null +++ b/testprogs/blackbox/test_pkinit_simple.sh @@ -0,0 +1,331 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) 2022 Andreas Schneider <asn@samba.org> + +if [ $# -lt 7 ]; then + cat <<EOF +Usage: test_pkinit_simple.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT +EOF + exit 1 +fi + +SERVER="${1}" +USERNAME="${2}" +PASSWORD="${3}" +REALM="${4}" +DOMAIN="${5}" +PREFIX="${6}" +smbclient="${7}" +shift 7 +failed=0 + +samba_bindir="${BINDIR}" + +samba_tool="${PYTHON} ${samba_bindir}/samba-tool" +wbinfo="${samba_bindir}/wbinfo" + +. "$(dirname "$0")"/subunit.sh +. "$(dirname "$0")"/common_test_fns.inc + +samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) + +unc="//${SERVER}/tmp" + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +rm -f "${KRB5CCNAME_PATH}" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")" + +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="--renewable" + OPTION_RENEW_TICKET="--renew" + OPTION_ENTERPRISE_NAME="--enterprise" +else + # MIT + X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="-r 1h" + OPTION_RENEW_TICKET="-R" + OPTION_ENTERPRISE_NAME="-E" +fi +OPTION_REQUEST_PAC="--request-pac" + +# STEP0: +# Now we set the UF_SMARTCARD_REQUIRED bit +# This means we have a normal enabled account *without* a known password +testit "STEP0 samba-tool user create ${USERNAME} --smartcard-required" \ + "${samba_tool}" user create "${USERNAME}" --smartcard-required || + failed=$((failed + 1)) + +testit_expect_failure "STEP1 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +testit_expect_failure "STEP1 Test login with NTLM" \ + "${smbclient}" "${unc}" -c 'ls' "-U${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit_expect_failure "STEP1 Test wbinfo with password" \ + "${wbinfo}" "--authenticate=$DOMAIN/$USERNAME%$PASSWORD" || + failed=$((failed + 1)) + +testit "STEP1 kinit with pkinit (name specified: ${USERNAME})" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) + +testit "STEP1 kinit renew ticket (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP1 Test login with kerberos ccache (name specified)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# OK +testit_expect_failure "STEP1 kinit with pkinit (wrong name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "not${USERNAME}@${REALM}" || + failed=$((failed + 1)) + +testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${SERVER}@${REALM}" || + failed=$((failed + 1)) + +testit "STEP1 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP1 kinit renew ticket (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) +testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "not${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${SERVER}@${REALM}" || + failed=$((failed + 1)) + +testit "STEP1 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) +testit "STEP1 kinit renew ticket (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# STEP2: +# We still have UF_SMARTCARD_REQUIRED, but with a known password +testit "STEP2 samba-tool user setpassword ${USERNAME} --newpassword" \ + "${samba_tool}" user setpassword "${USERNAME}" \ + --newpassword="${PASSWORD}" || + failed=$((failed + 1)) + +testit_expect_failure "STEP2 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +test_smbclient "STEP2 Test login with NTLM" \ + 'ls' "$unc" -U"${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit_expect_failure "STEP2 Test wbinfo with password" \ + "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) + +testit "STEP2 kinit with pkinit (name specified) " \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP2 kinit renew ticket (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP2 Test login with kerberos ccache (name specified)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP2 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP2 kinit renew ticket (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP2 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) +testit "STEP2 kinit renew ticket (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# STEP3: +# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set +testit "STEP3 samba-tool user setpassword ${USERNAME} --clear-smartcard-required" \ + "${samba_tool}" user setpassword "${USERNAME}" \ + --newpassword="${PASSWORD}" --clear-smartcard-required || + failed=$((failed + 1)) + +testit "STEP3 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with user kerberos ccache" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with NTLM" \ + 'ls' "$unc" -U"${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit "STEP3 Test wbinfo with password" \ + "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) + +testit "STEP3 kinit with pkinit (name specified) " \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP3 kinit renew ticket (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with kerberos ccache (name specified)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP3 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP3 kinit renew ticket (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP3 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) +testit "STEP3 kinit renew ticket (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# STEP4: +# Now we set the UF_SMARTCARD_REQUIRED bit +# This means we have a normal enabled account *without* a known password +testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" \ + "${samba_tool}" user setpassword "${USERNAME}" --smartcard-required || + failed=$((failed + 1)) + +testit_expect_failure "STEP4 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +testit_expect_failure "STEP4 Test login with NTLM" \ + "${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit_expect_failure "STEP4 Test wbinfo with password" \ + "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) + +testit "STEP4 kinit with pkinit (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP4 kinit renew ticket (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP4 Test login with kerberos ccache (name specified)" \ + 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP4 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit "STEP4 kinit renew ticket (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +testit "STEP4 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) +testit "STEP4 kinit renew ticket (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || + failed=$((failed + 1)) +test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" \ + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || + failed=$((failed + 1)) + +# STEP5: +# disable the account +testit "STEP5 samba-tool user disable $USERNAME" \ + "${samba_tool}" user disable "${USERNAME}" || + failed=$((failed + 1)) + +testit_expect_failure "STEP5 kinit with password" \ + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || + failed=$((failed + 1)) +testit_expect_failure "STEP5 Test login with NTLM" \ + "${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) +testit_expect_failure "STEP5 Test wbinfo with password" \ + "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || + failed=$((failed + 1)) + +testit_expect_failure "STEP5 kinit with pkinit (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || + failed=$((failed + 1)) +testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || + failed=$((failed + 1)) + +# STEP6: +# cleanup +testit "STEP6 samba-tool user delete ${USERNAME}" \ + "${samba_tool}" user delete "${USERNAME}" || + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" +exit ${failed} diff --git a/testprogs/blackbox/test_primary_group.sh b/testprogs/blackbox/test_primary_group.sh new file mode 100755 index 0000000..74a1ad5 --- /dev/null +++ b/testprogs/blackbox/test_primary_group.sh @@ -0,0 +1,93 @@ +#!/bin/bash + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_primary_group.sh SERVER USERNAME PASSWORD DOMAIN PREFIX_ABS +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +DOMAIN=$4 +PREFIX_ABS=$5 +shift 5 +failed=0 + +TMPDIR="$PREFIX_ABS/$(basename $0)" +export TMPDIR + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}") +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +TZ=UTC +export TZ + +N=$(date +%H%M%S) + +testuser="testuser$N" +testgroup="testgroup$N" + +echo "testuser: $testuser" +echo "testgroup: $testgroup" + +testit "mkdir -p '${TMPDIR}'" mkdir -p ${TMPDIR} || failed=$(expr $failed + 1) + +testit "create '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool user create "$testuser" Password.1 || failed=$(expr $failed + 1) +testit "add '$testgroup'" $VALGRIND $PYTHON $BINDIR/samba-tool group add "$testgroup" || failed=$(expr $failed + 1) +testit "addmembers '$testgroup' '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool group addmembers "$testgroup" "$testuser" || failed=$(expr $failed + 1) + +testit "search1" ${ldbsearch} -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testgroup" objectSid || failed=$(expr $failed + 1) +ldif="${TMPDIR}/search1.ldif" +${ldbsearch} -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testgroup objectSid >$ldif +rid=$(cat $ldif | sed -n 's/^objectSid: S-1-5-21-.*-.*-.*-//p') + +testit "search2" ${ldbsearch} -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testuser" dn || failed=$(expr $failed + 1) +ldif="${TMPDIR}/search2.ldif" +${ldbsearch} -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testuser dn >$ldif +user_dn=$(cat $ldif | sed -n 's/^dn: //p') + +ldif="${TMPDIR}/modify1.ldif" +cat >$ldif <<EOF +dn: $user_dn +changetype: modify +replace: primaryGroupID +primaryGroupID: $rid +EOF +testit "Change primaryGroupID to $rid" ${ldbmodify} -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 --verbose <$ldif || failed=$(expr $failed + 1) + +testit "dbcheck run1" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=$(expr $failed + 1) + +ldif="${TMPDIR}/modify2.ldif" +cat >$ldif <<EOF +dn: $user_dn +changetype: modify +replace: primaryGroupID +primaryGroupID: 513 +EOF +testit "Change primaryGroupID to 513" ${ldbmodify} -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 <$ldif || failed=$(expr $failed + 1) + +testit "dbcheck run2" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=$(expr $failed + 1) + +testit "delete '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool user delete "$testuser" || failed=$(expr $failed + 1) +testit "delete '$testgroup'" $VALGRIND $PYTHON $BINDIR/samba-tool group delete "$testgroup" || failed=$(expr $failed + 1) + +# +# As we don't support phantom objects and virtual backlinks +# the deletion of the user prior to the group causes dangling links, +# which are detected like this: +# +# WARNING: target DN is deleted for member in object +# +# Specifically, this happens because after the member link is +# deactivated the memberOf is gone, and so there is no way to find the +# now redundant forward link to clean it up. +# +testit_expect_failure "dbcheck run3" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member --fix --yes || failed=$(expr $failed + 1) +testit "dbcheck run4" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_rpcclient_schannel.sh b/testprogs/blackbox/test_rpcclient_schannel.sh new file mode 100755 index 0000000..798d235 --- /dev/null +++ b/testprogs/blackbox/test_rpcclient_schannel.sh @@ -0,0 +1,94 @@ +#!/bin/bash +# Blackbox tests rpcclient with schannel +# Copyright (c) 2021 Andreas Schneider <asn@samba.org> + +if [ $# -lt 8 ]; then + cat <<EOF +Usage: test_rpcclient_schannel.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION TESTENV +EOF + exit 1 +fi + +DOMAIN=$1 +REALM=$2 +USERNAME=$3 +PASSWORD=$4 +SERVER=$5 +PREFIX=$6 +CONFIGURATION=$7 +TESTENV=$8 +shift 8 + +failed=0 + +samba_subunit_dir=$(dirname "$0") +. "${samba_subunit_dir}/subunit.sh" +. "${samba_subunit_dir}/common_test_fns.inc" + +samba_bindir="${BINDIR}" +samba_rpcclient="${samba_bindir}/rpcclient" + +test_rpc_getusername() +{ + cmd="$samba_rpcclient ncacn_np:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c getusername 2>&1" + out=$(eval "$cmd") + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +test_rpc_lookupsids() +{ + cmd="$samba_rpcclient ncacn_ip_tcp:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c 'lookupsids3 S-1-1-0' 2>&1" + out=$(eval "$cmd") + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "S-1-1-0 Everyone" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +testit "ncacn_np.getusername" \ + test_rpc_getusername || + failed=$((failed + 1)) + +if [[ "$TESTENV" == "ad_member_fips"* ]]; then + unset GNUTLS_FORCE_FIPS_MODE + + testit "ncacn_np.getusername.fips" \ + test_rpc_getusername || + failed=$((failed + 1)) + + GNUTLS_FORCE_FIPS_MODE=1 + export GNUTLS_FORCE_FIPS_MODE +fi + +testit "ncacn_ip_tcp.lookupsids" \ + test_rpc_lookupsids || + failed=$((failed + 1)) + +exit ${failed} diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh new file mode 100755 index 0000000..a3b2dbb --- /dev/null +++ b/testprogs/blackbox/test_s4u_heimdal.sh @@ -0,0 +1,90 @@ +#!/bin/sh + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: test_s4u_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_SERVER TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +TRUST_SERVER=$6 +TRUST_USERNAME=$7 +TRUST_PASSWORD=$8 +TRUST_REALM=$9 +TRUST_DOMAIN=${10} +PREFIX=${11} +shift 11 +failed=0 + +samba_tool="$VALGRIND $PYTHON $BINDIR/samba-tool" + +samba4kinit_binary=kinit +if test -x $BINDIR/samba4kinit; then + samba4kinit_binary=$BINDIR/samba4kinit +fi + +samba4kgetcred=kgetcred +if test -x $BINDIR/samba4kgetcred; then + samba4kgetcred=$BINDIR/samba4kgetcred +fi + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +ocache="$PREFIX/tmpoutcache" +KRB5CCNAME_PATH="$PREFIX/tmpccache" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME +rm -rf $KRB5CCNAME_PATH + +princ=test_impersonate_princ +impersonator=test_impersonator.$REALM +target="CIFS/$SERVER.$REALM" + +testit "add impersonator principal" $samba_tool user add $impersonator $PASSWORD || failed=$(expr $failed + 1) +testit "become a service" $samba_tool spn add "HOST/$impersonator" $impersonator || failed=$(expr $failed + 1) + +testit "set TrustedToAuthForDelegation" $samba_tool delegation for-any-protocol $impersonator on || failed=$(expr $failed + 1) +testit "add msDS-AllowedToDelegateTo" $samba_tool delegation add-service $impersonator $target || failed=$(expr $failed + 1) + +testit "add a new principal" $samba_tool user add $princ --random-password || failed=$(expr $failed + 1) +testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=$(expr $failed + 1) + +echo $PASSWORD >$PREFIX/tmppassfile +testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=$(expr $failed + 1) + +testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=$(expr $failed + 1) +testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=$(expr $failed + 1) + +testit "test S4U2Self with sensitive user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=$(expr $failed + 1) +testit_expect_failure "test S4U2Proxy with sensitive user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=$(expr $failed + 1) + +rm -f $ocache +testit "unset not-delegated flag" $samba_tool user sensitive $princ off || failed=$(expr $failed + 1) + +testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=$(expr $failed + 1) +testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=$(expr $failed + 1) + +testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=$(expr $failed + 1) +testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=$(expr $failed + 1) +testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=$(expr $failed + 1) + +echo $TRUST_PASSWORD >$PREFIX/tmppassfile +testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1) +testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=$(expr $failed + 1) +testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=$(expr $failed + 1) + +echo $PASSWORD >$PREFIX/tmppassfile +testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=$(expr $failed + 1) +testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=$(expr $failed + 1) +testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=$(expr $failed + 1) +testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=$(expr $failed + 1) + +rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile +exit $failed diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh b/testprogs/blackbox/test_samba-tool_ntacl.sh new file mode 100755 index 0000000..1571b1a --- /dev/null +++ b/testprogs/blackbox/test_samba-tool_ntacl.sh @@ -0,0 +1,264 @@ +#!/bin/sh +# Blackbox tests for samba-tool ntacl get/set on member server +# Copyright (C) 2018 Björn Baumbach <bb@sernet.de> + +if [ $# -ne 3 ]; then + echo "Usage: test_samba-tool_ntacl.sh PREFIX DOMSID CONFIGURATION" + exit 1 +fi + +set -u +set -e + +PREFIX=$1 +domain_sid=$2 +CONFIGURATION=$3 + +failed=0 + +samba4bindir="$BINDIR" +samba_tool="$samba4bindir/samba-tool" + +testdirtop="$PREFIX/ntacl_testdirtop" +testfile="$testdirtop/testfile" +testdir1="$testdirtop/dir1" +testdir1f="$testdirtop/dir1/file" +testdir1l="$testdirtop/dir1/symlink" + +# acl from samba_tool/ntacl.py tests +acl="O:DAG:DUD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" +new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;FA;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" +new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468" + +acl_without_padding=$(echo -n "$acl" | perl -p -e 's/0x00/0x/g') +new_acl_without_padding=$(echo -n "$new_acl" | perl -p -e 's/0x00/0x/g') + +. $(dirname $0)/subunit.sh + +test_get_acl() +{ + testfile="$1" + exptextedacl="$2" + shift 2 + + retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl "$@") || return $? + + test "$retacl" = "$exptextedacl" +} + +test_set_acl() +{ + testfile="$1" + acl="$2" + shift 2 + + $PYTHON $samba_tool ntacl set "$acl" "$testfile" "$@" +} + +test_get_acl_ntvfs() +{ + testfile="$1" + exptextedacl="$2" + + retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl --use-ntvfs --xattr-backend=tdb $CONFIGURATION) || return $? + + test "$retacl" = "$exptextedacl" +} + +test_set_acl_ntvfs() +{ + testfile="$1" + acl="$2" + + $PYTHON $samba_tool ntacl set "$acl" "$testfile" --use-ntvfs --xattr-backend=tdb $CONFIGURATION +} + +test_changedomsid() +{ + testfile="$1" + shift 1 + + $PYTHON $samba_tool ntacl changedomsid \ + "$domain_sid" "$new_domain_sid" "$testfile" \ + --service=tmp \ + $CONFIGURATION "$@" +} + +test_changedomsid_ntvfs() +{ + testfile="$1" + + $PYTHON $samba_tool ntacl changedomsid \ + "$domain_sid" "$new_domain_sid" "$testfile" \ + --use-ntvfs \ + --xattr-backend=tdb \ + $CONFIGURATION + + retacl=$($PYTHON $samba_tool ntacl get \ + "$testfile" \ + --as-sddl \ + --xattr-backend=tdb \ + --use-ntvfs \ + $CONFIGURATION) || return $? + test "$retacl" = "$new_acl_without_padding" +} + +# work around include error - s4-loadparm does not allow missing include files +# +# Unable to load file /home/bbaumba/src/git/samba/st/ad_member/lib/server.conf +# File "bin/python/samba/netcmd/__init__.py", line 183, in _run +# return self.run(*args, **kwargs) +# File "bin/python/samba/netcmd/ntacl.py", line 175, in run +# lp = sambaopts.get_loadparm() +# File "bin/python/samba/getopt.py", line 92, in get_loadparm +# self._lp.load(os.getenv("SMB_CONF_PATH")) +# Processing section "[global]" +touch "$(dirname $SMB_CONF_PATH)/error_inject.conf" +touch "$(dirname $SMB_CONF_PATH)/delay_inject.conf" + +mkdir "$testdirtop" +touch "$testfile" +mkdir "$testdir1" +touch "$testdir1f" +ln -s "$testfile" "$testdir1l" + +testit "set_ntacl" test_set_acl "$testfile" "$acl" || failed=$(expr $failed + 1) + +testit "get_ntacl" test_get_acl "$testfile" "$acl_without_padding" || failed=$(expr $failed + 1) + +testit "changedomsid" test_changedomsid "$testfile" || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid" \ + test_get_acl "$testfile" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) + +testit "set_ntacl_ntvfs" test_set_acl_ntvfs "$testfile" "$acl" || failed=$(expr $failed + 1) +testit "get_ntacl_ntvfs" test_get_acl_ntvfs "$testfile" "$acl_without_padding" || \ + failed=$(expr $failed + 1) + +testit "changedomsid_ntvfs" test_changedomsid_ntvfs "$testfile" || failed=$(expr $failed + 1) + +testit_grep "set_ntacl_recursive1 testdirtop" \ + "ignored symlink: $testdirtop" \ + test_set_acl "$testdirtop" "$acl" --recursive || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive1 testdirtop" \ + test_get_acl "$testdirtop" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive1 testfile" \ + test_get_acl "$testfile" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive1 testdir1" \ + test_get_acl "$testdir1" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive1 testdir1f" \ + test_get_acl "$testdir1f" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) + +testit_grep "changedomsid_recursive1 testdir1" \ + "ignored symlink: $testdir1l" \ + test_changedomsid "$testdir1" --recursive || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid_recursive1 testdirtop" \ + test_get_acl "$testdirtop" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid_recursive1 testfile" \ + test_get_acl "$testfile" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid_recursive1 testdir1" \ + test_get_acl "$testdir1" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid_recursive1 testdir1f" \ + test_get_acl "$testdir1f" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) + +testit_grep "changedomsid_recursive2 testdirtop" \ + "ignored symlink: $testdir1l" \ + test_changedomsid "$testdirtop" --recursive || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid_recursive2 testdirtop" \ + test_get_acl "$testdirtop" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid_recursive2 testfile" \ + test_get_acl "$testfile" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid_recursive2 testdir1" \ + test_get_acl "$testdir1" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_changedomsid_recursive2 testdir1f" \ + test_get_acl "$testdir1f" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) + +testit_grep "set_ntacl_recursive2 testdir1" \ + "ignored symlink: $testdir1l" \ + test_set_acl "$testdir1" "$acl" --recursive || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive2 testdirtop" \ + test_get_acl "$testdirtop" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive2 testfile" \ + test_get_acl "$testfile" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive2 testdir1" \ + test_get_acl "$testdir1" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive2 testdir1f" \ + test_get_acl "$testdir1f" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) + +testit_grep "set_ntacl_recursive3 testdir1" \ + "symlink: $testdir1l" \ + test_set_acl "$testdir1" "$acl" --recursive --follow-symlinks --verbose || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive3 testdirtop" \ + test_get_acl "$testdirtop" "$new_acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive3 testfile" \ + test_get_acl "$testfile" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive3 testdir1" \ + test_get_acl "$testdir1" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) +testit "get_ntacl_after_set_recursive3 testdir1f" \ + test_get_acl "$testdir1f" "$acl_without_padding" \ + --service=tmp \ + $CONFIGURATION \ + || failed=$(expr $failed + 1) + +rm -rf "$testdirtop" + +exit $failed diff --git a/testprogs/blackbox/test_samba_upgradedns.sh b/testprogs/blackbox/test_samba_upgradedns.sh new file mode 100755 index 0000000..388249d --- /dev/null +++ b/testprogs/blackbox/test_samba_upgradedns.sh @@ -0,0 +1,36 @@ +#!/bin/sh +# Blackbox tests for the samba_upgradedns +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2012 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 4 ]; then + cat <<EOF +Usage: test_samba_upgradedns.sh SERVER REALM PREFIX PROVDIR +EOF + exit 1 +fi + +SERVER=$1 +REALM=$2 +PREFIX=$3 +PROVDIR=$4 +shift 4 +failed=0 + +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" + +. $(dirname $0)/subunit.sh + +testit "run samba_upgradedns converting to bind9 DLZ" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) +testit "check that dns.keytab is present" test -f $PROVDIR/bind-dns/dns.keytab + +testit "run samba_upgradedns converting to internal" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) + +testit "run samba_upgradedns converting to internal (2nd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) + +testit "run samba_upgradedns converting to bind9 DLZ (2nd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) + +testit "run samba_upgradedns converting to bind9 DLZ (3rd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_smbtorture_test_names.sh b/testprogs/blackbox/test_smbtorture_test_names.sh new file mode 100755 index 0000000..19c747d --- /dev/null +++ b/testprogs/blackbox/test_smbtorture_test_names.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +#Tests if the --fullname parameter passed to smbtorture is working as expected. + +if [ $# -ne 1 ]; then + cat <<EOF +Usage: test_smbtorture_test_names.sh SMBTORTURE +EOF + exit 1 +fi + +SMBTORTURE="$1 //a/b" + +. $(dirname $0)/subunit.sh + +failed=0 + +testit_grep "with_shortname local.smbtorture.level1.level2.level3.always_pass" \ + '^success: always_pass$' \ + $SMBTORTURE local.smbtorture.level1.level2.level3.always_pass || failed=$(expr $failed + 1) +testit_grep "with_shortname local.smbtorture.level1.level2.level3" \ + '^success: always_pass$' \ + $SMBTORTURE local.smbtorture.level1.level2.level3 || failed=$(expr $failed + 1) +testit_grep "with_shortname local.smbtorture.level1.level2" \ + '^success: level3.always_pass$' \ + $SMBTORTURE local.smbtorture.level1.level2 || failed=$(expr $failed + 1) +testit_grep "with_shortname local.smbtorture.level1" \ + '^success: level2.level3.always_pass$' \ + $SMBTORTURE local.smbtorture.level1 || failed=$(expr $failed + 1) +testit_grep "with_fullname local.smbtorture.level1.level2.level3.always_pass" \ + '^success: local.smbtorture.level1.level2.level3.always_pass$' \ + $SMBTORTURE --fullname local.smbtorture.level1.level2.level3.always_pass || failed=$(expr $failed + 1) +testit_grep "with_fullname local.smbtorture.level1.level2.level3" \ + '^success: local.smbtorture.level1.level2.level3.always_pass$' \ + $SMBTORTURE --fullname local.smbtorture.level1.level2.level3 || failed=$(expr $failed + 1) +testit_grep "with_fullname local.smbtorture.level1.level2" \ + '^success: local.smbtorture.level1.level2.level3.always_pass$' \ + $SMBTORTURE --fullname local.smbtorture.level1.level2 || failed=$(expr $failed + 1) +testit_grep "with_fullname local.smbtorture.level1" \ + '^success: local.smbtorture.level1.level2.level3.always_pass$' \ + $SMBTORTURE --fullname local.smbtorture.level1 || failed=$(expr $failed + 1) + +testok $0 $failed diff --git a/testprogs/blackbox/test_special_group.sh b/testprogs/blackbox/test_special_group.sh new file mode 100755 index 0000000..f0e8698 --- /dev/null +++ b/testprogs/blackbox/test_special_group.sh @@ -0,0 +1,58 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: $0 PREFIX +EOF + exit 1 +fi + +PREFIX_ABS="$1" +shift 1 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +OLD_RELEASE="release-4-5-0-pre1" +old_release_dir="$SRCDIR_ABS/source4/selftest/provisions/$OLD_RELEASE" + +samba_tdbrestore=$(system_or_builddir_binary tdbrestore "${BINDIR}") + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x "${samba_undump}" ]; then + subunit_start_test "special group" + subunit_skip_test "special group" <<EOF +Skipping tests - undump.sh is not available in release tarballs +EOF + exit 0 +fi + +cleanup_output_directories() +{ + remove_directory $PREFIX_ABS/$OLD_RELEASE +} + +undump_old() +{ + $samba_undump $old_release_dir $PREFIX_ABS/$OLD_RELEASE $samba_tdbrestore +} + +add_special_group() +{ + $PYTHON $BINDIR/samba-tool group add 'protected users' --special -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb +} + +# double-check we cleaned up from the last test run +cleanup_output_directories + +testit $OLD_RELEASE undump_old || failed=$(expr $failed + 1) + +testit "add_special_group" add_special_group || failed=$(expr $failed + 1) + +testit_expect_failure_grep "add_duplicate_special_group" "Failed to add group.*already exists" add_special_group || failed=$(expr $failed + 1) + +cleanup_output_directories + +testok $0 $failed diff --git a/testprogs/blackbox/test_trust_ntlm.sh b/testprogs/blackbox/test_trust_ntlm.sh new file mode 100755 index 0000000..0220c82 --- /dev/null +++ b/testprogs/blackbox/test_trust_ntlm.sh @@ -0,0 +1,205 @@ +#!/bin/sh +# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org> + +if [ $# -lt 12 ]; then + cat <<EOF +Usage: $# test_trust_ntlm.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TYPE UNTRUSTED TRUST_ERROR +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +shift 5 +TRUST_USERNAME=$1 +TRUST_PASSWORD=$2 +TRUST_REALM=$3 +TRUST_DOMAIN=$4 +shift 4 +TYPE=$1 +UNTRUSTED=$2 +TRUST_ERROR=$3 +shift 3 +failed=0 + +samba4bindir="$BINDIR" + +rpcclient="$samba4bindir/rpcclient" +smbclient="$samba4bindir/smbclient" +wbinfo="$samba4bindir/wbinfo" + +unc="//$SERVER/tmp" + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +DNAME="$DOMAIN" +NAME="$DNAME\\$USERNAME" +WBNAME="$DNAME/$USERNAME" +CREDS="$NAME%$PASSWORD" +WBCREDS="$WBNAME%$PASSWORD" +EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" +EXPSID="(User: 1)" +EXPDSID="(Domain: 3)" +test_rpcclient_grep "Test01 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=$(expr $failed + 1) +test_smbclient "Test01 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) +testit "Test01 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=$(expr $failed + 1) +test_rpcclient_grep "Test01 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=$(expr $failed + 1) +testit "Test01 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=$(expr $failed + 1) +test_rpcclient_grep "Test01 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=$(expr $failed + 1) + +DNAME="$REALM" +NAME="$DNAME\\$USERNAME" +WBNAME="$DNAME/$USERNAME" +CREDS="$NAME%$PASSWORD" +WBCREDS="$WBNAME%$PASSWORD" +EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" +EXPSID="(User: 1)" +EXPDSID="(Domain: 3)" +test_rpcclient_grep "Test02 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=$(expr $failed + 1) +test_smbclient "Test02 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) +testit "Test02 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=$(expr $failed + 1) +test_rpcclient_grep "Test02 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=$(expr $failed + 1) +testit "Test02 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=$(expr $failed + 1) +test_rpcclient_grep "Test02 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=$(expr $failed + 1) + +CREDS="$USERNAME@$DOMAIN%$PASSWORD" +WBCREDS="$USERNAME@$DOMAIN%$PASSWORD" +if [ x"$TYPE" = x"member" ]; then + EXPFAIL="NT_STATUS_LOGON_FAILURE" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_expect_failure_grep "Fail03 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS || failed=`expr $failed + 1` + test_smbclient_expect_failure "Fail03 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) + # winbindd doesn't handle user@domain yet + #testit_expect_failure "Fail03 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +else + EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_grep "Test03 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` + test_smbclient "Test03 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) + # winbindd doesn't handle user@domain yet + #testit "Test03 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +fi + +CREDS="$USERNAME@$REALM%$PASSWORD" +WBCREDS="$USERNAME@$REALM%$PASSWORD" +if [ x"$TYPE" = x"member" ]; then + EXPFAIL="NT_STATUS_LOGON_FAILURE" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_expect_failure_grep "Fail04 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS || failed=`expr $failed + 1` + test_smbclient_expect_failure "Fail04 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) + # winbindd doesn't handle user@domain yet + #testit_expect_failure "Fail04 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +else + EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_grep "Test04 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` + test_smbclient "Test04 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) + # winbindd doesn't handle user@domain yet + #testit "Test04 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +fi + +DNAME="UNKNOWNDOMAIN" +NAME="$DNAME\\$USERNAME" +WBNAME="$DNAME/$USERNAME" +CREDS="$NAME%$PASSWORD" +WBCREDS="$WBNAME%$PASSWORD" +EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN" +EXPSID="NT_STATUS_NONE_MAPPED" +EXPDSID="NT_STATUS_NONE_MAPPED" +test_rpcclient_grep "Test05 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=$(expr $failed + 1) +test_smbclient "Test05 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) +testit_expect_failure "Fail05 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=$(expr $failed + 1) +test_rpcclient_expect_failure_grep "Test05 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=$(expr $failed + 1) +testit_expect_failure "Test05 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=$(expr $failed + 1) +test_rpcclient_expect_failure_grep "Test05 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=$(expr $failed + 1) + +CREDS="$TRUST_DOMAIN\\$USERNAME%$PASSWORD" +WBCREDS="$TRUST_DOMAIN/$USERNAME%$PASSWORD" +EXPFAIL="$TRUST_ERROR" +test_rpcclient_expect_failure_grep "Fail06 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS || failed=$(expr $failed + 1) +test_smbclient_expect_failure "Fail06 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) +testit_expect_failure "Fail06 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=$(expr $failed + 1) + +DNAME="$TRUST_DOMAIN" +NAME="$DNAME\\$TRUST_USERNAME" +WBNAME="$DNAME/$TRUST_USERNAME" +CREDS="$NAME%$TRUST_PASSWORD" +WBCREDS="$WBNAME%$TRUST_PASSWORD" +EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN" +EXPSID="(User: 1)" +EXPDSID="(Domain: 3)" +test_rpcclient_grep "Test07 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=$(expr $failed + 1) +test_smbclient "Test07 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) +testit "Test07 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=$(expr $failed + 1) +test_rpcclient_grep "Test07 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=$(expr $failed + 1) +testit "Test07 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=$(expr $failed + 1) +test_rpcclient_grep "Test07 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=$(expr $failed + 1) + +DNAME="$TRUST_REALM" +NAME="$DNAME\\$TRUST_USERNAME" +WBNAME="$DNAME/$TRUST_USERNAME" +CREDS="$NAME%$TRUST_PASSWORD" +WBCREDS="$WBNAME%$TRUST_PASSWORD" +EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN" +EXPSID="(User: 1)" +EXPDSID="(Domain: 3)" +test_rpcclient_grep "Test08 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=$(expr $failed + 1) +test_smbclient "Test08 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) +testit "Test08 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=$(expr $failed + 1) +test_rpcclient_grep "Test08 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=$(expr $failed + 1) +testit "Test08 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=$(expr $failed + 1) +test_rpcclient_grep "Test08 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=$(expr $failed + 1) + +CREDS="$TRUST_USERNAME@$TRUST_DOMAIN%$TRUST_PASSWORD" +WBCREDS="$TRUST_USERNAME@$TRUST_DOMAIN%$TRUST_PASSWORD" +if [ x"$TRUST_REALM" = x"$TRUST_DOMAIN" ]; then + # NT4 domain + EXPFAIL="NT_STATUS_LOGON_FAILURE" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_expect_failure_grep "Fail09 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS || failed=`expr $failed + 1` + test_smbclient_expect_failure "Fail09 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) + # winbindd doesn't handle user@domain yet + #testit_expect_failure "Fail09 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +else + EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_grep "Test09 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` + test_smbclient "Test09 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) + # winbindd doesn't handle user@domain yet + #testit "Test09 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +fi + +CREDS="$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD" +WBCREDS="$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD" +if [ x"$TRUST_REALM" = x"$TRUST_DOMAIN" ]; then + # NT4 domain + EXPFAIL="NT_STATUS_LOGON_FAILURE" + # rpcclient doesn't handle -Uuser@domain yet + #test_rpcclient_expect_failure_grep "Fail10 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS || failed=`expr $failed + 1` + test_smbclient_expect_failure "Fail10 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) + # winbindd doesn't handle user@domain yet + #testit_expect_failure "Fail10 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +else + EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN" + # rpcclient doesn't handle -Uuser@domain yet, maybe smbclient for now? + #test_rpcclient_grep "Test10 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1` + test_smbclient "Test10 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=$(expr $failed + 1) + # winbindd doesn't handle user@domain yet + #testit "Test10 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1` +fi + +lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]') + +#if test x$TYPE = x"forest"; then +# +#fi +# +#if test x$UNTRUSTED = x"yes"; then +# +#fi + +exit $failed diff --git a/testprogs/blackbox/test_trust_token.sh b/testprogs/blackbox/test_trust_token.sh new file mode 100755 index 0000000..075c032 --- /dev/null +++ b/testprogs/blackbox/test_trust_token.sh @@ -0,0 +1,91 @@ +#!/bin/bash +# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org> + +if [ $# -lt 12 ]; then + cat <<EOF +Usage: $# test_trust_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TRUST_DOMSID TYPE +EOF + exit 1 +fi + +SERVER=$1 +shift 1 +USERNAME=$1 +PASSWORD=$2 +REALM=$3 +DOMAIN=$4 +DOMSID=$5 +shift 5 +TRUST_USERNAME=$1 +TRUST_PASSWORD=$2 +TRUST_REALM=$3 +TRUST_DOMAIN=$4 +TRUST_DOMSID=$5 +shift 5 +TYPE=$1 +shift 1 +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") + +test_token() +{ + auth_args="${1}" + auth_sid="${2-}" + + out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' --scope=base -k ${auth_args} tokenGroups 2>&1) + ret=$? + test x"$ret" = x"0" || { + echo "$out" + return 1 + } + + trust_sids=$(echo "$out" | grep '^tokenGroups' | grep "${TRUST_DOMSID}-" | wc -l) + test "$trust_sids" -ge "2" || { + echo "$out" + echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID" + return 1 + } + + domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l) + test "$domain_sids" -ge "1" || { + echo "$out" + echo "Less than 1 sid from $DOMAIN $DOMSID" + return 1 + } + + builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l) + test "$builtin_sids" -ge "1" || { + echo "$out" + echo "Less than 1 sid from BUILTIN S-1-5-32" + return 1 + } + + # + # The following should always be present + # + # SID_WORLD(S-1-1-0) + # SID_NT_NETWORK(S-1-5-2) + # SID_NT_AUTHENTICATED_USERS(S-1-5-11) + # + required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}" + for sid in $required_sids; do + found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l) + test x"$found" = x"1" || { + echo "$out" + echo "SID: ${sid} not found" + return 1 + } + done + + return 0 +} + +testit "Test token with kerberos" test_token "yes" "" || failed=$(expr $failed + 1) +# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP +testit "Test token with NTLMSSP" test_token "no" "S-1-5-64-10" || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_trust_user_account.sh b/testprogs/blackbox/test_trust_user_account.sh new file mode 100755 index 0000000..94a3aa3 --- /dev/null +++ b/testprogs/blackbox/test_trust_user_account.sh @@ -0,0 +1,58 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: test_trust_user_account.sh PREFIX OUR_REALM OUR_FLAT REMOTE_REALM REMOTE_FLAT +EOF + exit 1 +fi + +PREFIX="$1" +OUR_REALM="$2" +OUR_FLAT="$3" +REMOTE_REALM="$4" +REMOTE_FLAT="$5" +shift 5 + +. $(dirname $0)/subunit.sh + +samba_tool="$BINDIR/samba-tool" +samba4bindir="$BINDIR" +samba4srcdir="$SRCDIR/source4" +samba4kinit_binary="kinit -k" +if test -x $BINDIR/samba4kinit; then + samba4kinit_binary="$BINDIR/samba4kinit --use-keytab" +fi + +KEYTAB="$PREFIX/tmptda.keytab" + +KRB5_TRACE=/dev/stderr +export KRB5_TRACE + +testit "retrieve keytab for TDA of $REMOTE_REALM" $PYTHON $samba_tool domain exportkeytab $KEYTAB $CONFIGURATION --principal "$REMOTE_FLAT\$@$OUR_REALM" || failed=$(expr $failed + 1) + +KRB5CCNAME="$PREFIX/tmptda.ccache" +samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" +export KRB5CCNAME + +rm -f $KRB5CCNAME + +EXPECTED_SALT="${OUR_REALM}krbtgt${REMOTE_FLAT}" +# +# Note the \$ is for the end of line in grep +# +# There must be no trailing '$' in the SALT string itself, +# it's removed from the sAMAccountName value (which includes the trailing '$') +# before construting the salt! +# +# Otherwise this would be: +# "^virtualKerberosSalt: ${EXPECTED_SALT}\\\$\$" +# +EXPECTED_GREP="^virtualKerberosSalt: ${EXPECTED_SALT}\$" +testit_grep "get virtualKerberosSalt for TDA of $REMOTE_FLAT\$" "$EXPECTED_GREP" $PYTHON $samba_tool user getpassword "$REMOTE_FLAT\$" $CONFIGURATION --attributes=virtualKerberosSalt || failed=$(expr $failed + 1) + +testit "kinit with keytab for TDA of $REMOTE_REALM" $samba4kinit -t $KEYTAB "$REMOTE_FLAT\$@$OUR_REALM" || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME $KEYTAB + +exit $failed diff --git a/testprogs/blackbox/test_trust_utils.sh b/testprogs/blackbox/test_trust_utils.sh new file mode 100755 index 0000000..3bd375a --- /dev/null +++ b/testprogs/blackbox/test_trust_utils.sh @@ -0,0 +1,144 @@ +#!/bin/sh +# Copyright (C) 2015 Stefan Metzmacher <metze@samba.org> + +if [ $# -lt 12 ]; then + cat <<EOF +Usage: $# test_trust_utils.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +shift 5 +TRUST_SERVER=$1 +TRUST_USERNAME=$2 +TRUST_PASSWORD=$3 +TRUST_REALM=$4 +TRUST_DOMAIN=$5 +shift 5 +PREFIX=$1 +TYPE=$2 +shift 2 +failed=0 + +samba4bindir="$BINDIR" + +samba_tool="$samba4bindir/samba-tool" + +. $(dirname $0)/subunit.sh + +CREDS="${DOMAIN}\\${USERNAME}%${PASSWORD}" +TRUST_CREDS_DOMAIN="${TRUST_DOMAIN}\\${TRUST_USERNAME}%${TRUST_PASSWORD}" +TRUST_SERVER_CREDS_DOMAIN_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS_DOMAIN}" + +TRUST_CREDS_REALM="${TRUST_REALM}\\${TRUST_USERNAME}%${TRUST_PASSWORD}" +TRUST_SERVER_CREDS_REALM_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS_REALM}" + +list="$VALGRIND $PYTHON $samba_tool domain trust list" +testit "list domains default" $list || failed=$(expr $failed + 1) + +# Show that the domain name and realm work +testit "list domains reverse (DOMAIN)" $list ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=$(expr $failed + 1) +testit "list domains reverse (REALM)" $list ${TRUST_SERVER_CREDS_REALM_ARGS} || failed=$(expr $failed + 1) + +show="$VALGRIND $PYTHON $samba_tool domain trust show" +testit "show domains default realm" $show ${TRUST_REALM} || failed=$(expr $failed + 1) +testit "show domains reverse realm" $show ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=$(expr $failed + 1) +testit "show domains default netbios" $show ${TRUST_DOMAIN} || failed=$(expr $failed + 1) +testit "show domains reverse netbios" $show ${DOMAIN} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=$(expr $failed + 1) + +validate="$VALGRIND $PYTHON $samba_tool domain trust validate" +testit "validate trust default both" $validate ${TRUST_REALM} -U${TRUST_CREDS_DOMAIN} || failed=$(expr $failed + 1) +testit "validate trust default local" $validate ${TRUST_REALM} --validate-location=local || failed=$(expr $failed + 1) +testit "validate trust reverse both" $validate ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} -U${CREDS} || failed=$(expr $failed + 1) +testit "validate trust reverse local" $validate ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --validate-location=local || failed=$(expr $failed + 1) + +namespaces="$VALGRIND $PYTHON $samba_tool domain trust namespaces" +testit "namespaces own default" $namespaces || failed=$(expr $failed + 1) +testit "namespaces own reverse" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=$(expr $failed + 1) + +DOMSID=$($namespaces | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!') +#testit_expect_failure "namespaces domsid default" echo ${DOMSID} || failed=`expr $failed + 1` + +TRUST_DOMSID=$($namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!') +#testit_expect_failure "namespaces domsid reverse" echo ${TRUST_DOMSID} || failed=`expr $failed + 1` + +if test x$TYPE = x"forest"; then + testit "namespaces trust default realm 1" $namespaces ${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces trust reverse realm 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=$(expr $failed + 1) + + testit "namespaces trust default domain 1" $namespaces ${TRUST_DOMAIN} || failed=$(expr $failed + 1) + testit "namespaces trust reverse domain 1" $namespaces ${DOMAIN} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=$(expr $failed + 1) + + testit "namespaces own default add-upn-suffix 1" $namespaces --add-upn-suffix=default.test_trust_utils.example.com || failed=$(expr $failed + 1) + testit "namespaces own reverse add-upn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-upn-suffix=reverse.test_trust_utils.example.com || failed=$(expr $failed + 1) + + testit "namespaces own default add-upn-suffix 2" $namespaces --add-upn-suffix=${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces own reverse add-upn-suffix 2" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-upn-suffix=${REALM} || failed=$(expr $failed + 1) + + testit "namespaces own default add-spn-suffix 1" $namespaces --add-spn-suffix=spn.test_trust_utils.example.com || failed=$(expr $failed + 1) + testit "namespaces own reverse add-spn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-spn-suffix=spn.test_trust_utils.example.com || failed=$(expr $failed + 1) + + testit "namespaces trust default check 1" $namespaces ${TRUST_REALM} --refresh=check || failed=$(expr $failed + 1) + testit "namespaces trust reverse check 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=check || failed=$(expr $failed + 1) + + testit "namespaces trust default store 1" $namespaces ${TRUST_REALM} --refresh=store || failed=$(expr $failed + 1) + testit "namespaces trust reverse store 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=store || failed=$(expr $failed + 1) + + testit "namespaces trust default enable-tln 1" $namespaces ${TRUST_REALM} --enable-tln=reverse.test_trust_utils.example.com || failed=$(expr $failed + 1) + testit "namespaces trust reverse enable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=default.test_trust_utils.example.com || failed=$(expr $failed + 1) + + testit "namespaces trust default enable-tln 2" $namespaces ${TRUST_REALM} --enable-tln=spn.test_trust_utils.example.com || failed=$(expr $failed + 1) + testit "namespaces trust reverse enable-tln 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=spn.test_trust_utils.example.com || failed=$(expr $failed + 1) + + testit "namespaces trust default enable-tln 3" $namespaces ${TRUST_REALM} --enable-tln=${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces trust reverse enable-tln 3" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=${REALM} || failed=$(expr $failed + 1) + + testit "namespaces trust default disable-nb 1" $namespaces ${TRUST_REALM} --disable-nb=${TRUST_DOMAIN} || failed=$(expr $failed + 1) + testit "namespaces trust reverse disable-nb 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-nb=${DOMAIN} || failed=$(expr $failed + 1) + + testit "namespaces trust default disable-sid 1" $namespaces ${TRUST_REALM} --disable-sid=${TRUST_DOMSID} || failed=$(expr $failed + 1) + testit "namespaces trust reverse disable-sid 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-sid=${DOMSID} || failed=$(expr $failed + 1) + + testit "namespaces trust default disable-tln 1" $namespaces ${TRUST_REALM} --disable-tln=reverse.test_trust_utils.example.com || failed=$(expr $failed + 1) + testit "namespaces trust reverse disable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-tln=default.test_trust_utils.example.com || failed=$(expr $failed + 1) + + testit "namespaces trust default add-tln-ex 1" $namespaces ${TRUST_REALM} --add-tln-ex=exclude.${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces trust reverse add-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-tln-ex=exclude.${REALM} || failed=$(expr $failed + 1) + + testit "namespaces trust default add-tln-ex 2" $namespaces ${TRUST_REALM} --add-tln-ex=sub.exclude.${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces trust reverse add-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-tln-ex=sub.exclude.${REALM} || failed=$(expr $failed + 1) + + testit "namespaces trust default realm 2" $namespaces ${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces trust reverse realm 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=$(expr $failed + 1) + + testit "namespaces trust default delete-tln-ex 1" $namespaces ${TRUST_REALM} --delete-tln-ex=exclude.${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces trust reverse delete-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-tln-ex=exclude.${REALM} || failed=$(expr $failed + 1) + + testit "namespaces trust default delete-tln-ex 2" $namespaces ${TRUST_REALM} --delete-tln-ex=sub.exclude.${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces trust reverse delete-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-tln-ex=sub.exclude.${REALM} || failed=$(expr $failed + 1) + + testit "namespaces own default delete-upn-suffix 1" $namespaces --delete-upn-suffix=default.test_trust_utils.example.com || failed=$(expr $failed + 1) + testit "namespaces own reverse delete-upn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-upn-suffix=reverse.test_trust_utils.example.com || failed=$(expr $failed + 1) + + testit "namespaces own default delete-upn-suffix 2" $namespaces --delete-upn-suffix=${TRUST_REALM} || failed=$(expr $failed + 1) + testit "namespaces own reverse delete-upn-suffix 2" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-upn-suffix=${REALM} || failed=$(expr $failed + 1) + + testit "namespaces own default delete-spn-suffix 1" $namespaces --delete-spn-suffix=spn.test_trust_utils.example.com || failed=$(expr $failed + 1) + testit "namespaces own reverse delete-spn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-spn-suffix=spn.test_trust_utils.example.com || failed=$(expr $failed + 1) + + testit "namespaces trust default enable-nb 1" $namespaces ${TRUST_REALM} --enable-nb=${TRUST_DOMAIN} || failed=$(expr $failed + 1) + testit "namespaces trust reverse enable-nb 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-nb=${DOMAIN} || failed=$(expr $failed + 1) + + testit "namespaces trust default enable-sid 1" $namespaces ${TRUST_REALM} --enable-sid=${TRUST_DOMSID} || failed=$(expr $failed + 1) + testit "namespaces trust reverse enable-sid 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-sid=${DOMSID} || failed=$(expr $failed + 1) + + testit "namespaces trust default reset final" $namespaces ${TRUST_REALM} --refresh=store --enable-all || failed=$(expr $failed + 1) + testit "namespaces trust reverse reset final" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=store --enable-all || failed=$(expr $failed + 1) +fi + +exit $failed diff --git a/testprogs/blackbox/test_weak_crypto.sh b/testprogs/blackbox/test_weak_crypto.sh new file mode 100755 index 0000000..e938bb0 --- /dev/null +++ b/testprogs/blackbox/test_weak_crypto.sh @@ -0,0 +1,51 @@ +#!/bin/sh + +# +# Blackbox tests for weak crypto +# Copyright (c) 2020 Andreas Schneider <asn@samba.org> +# + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +shift 6 + +failed=0 +. $(dirname $0)/subunit.sh + +samba_bindir="$BINDIR" +samba_testparm="$BINDIR/testparm" +samba_rpcclient="$samba_bindir/rpcclient" + +opt="--option=gensec:gse_krb5=no -U${USERNAME}%${PASSWORD}" + +unset GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is allowed +testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=$(expr $failed + 1) + +# We should be allowed to use NTLM for connecting +testit "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=$(expr $failed + 1) + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=$(expr $failed + 1) + +# We should not be allowed to use NTLM for connecting +testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=$(expr $failed + 1) + +unset GNUTLS_FORCE_FIPS_MODE + +exit $failed diff --git a/testprogs/blackbox/test_weak_crypto_server.sh b/testprogs/blackbox/test_weak_crypto_server.sh new file mode 100755 index 0000000..963861b --- /dev/null +++ b/testprogs/blackbox/test_weak_crypto_server.sh @@ -0,0 +1,64 @@ +#!/bin/sh + +# +# Blackbox tests for weak crypto +# Copyright (c) 2020 Andreas Schneider <asn@samba.org> +# + +if [ $# -lt 7 ]; then + cat <<EOF +Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +CONFIGURATION=$7 +shift 7 + +failed=0 +. $(dirname $0)/subunit.sh + +samba_bindir="$BINDIR" +samba_testparm="$BINDIR/testparm" +samba_rpcclient="$samba_bindir/rpcclient" + +# remove the --configfile= +configuration="${CONFIGURATION##*=}" + +test_weak_crypto_allowed() +{ + local testparm_stderr_output_path="$PREFIX/testparm_stderr_output" + + $samba_testparm --suppress-prompt $configuration 2>$testparm_stderr_output_path >/dev/null + + grep "Weak crypto is allowed" $testparm_stderr_output_path >/dev/null 2>&1 + if [ $ret -ne 0 ]; then + echo "Invalid crypto state:" + cat $testparm_stderr_output_path + rm -f $testparm_stderr_output_path + return 1 + fi + + rm -f $testparm_stderr_output_path + + return 0 +} + +unset GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit "testparm-weak-crypto" test_weak_crypto_allowed || failed=$(expr $failed + 1) + +# We should not be allowed to use NTLM for connecting +testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:${SERVER_IP}[ntlm] -U$USERNAME%$PASSWORD -c "getusername" || failed=$(expr $failed + 1) + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +exit $failed diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh new file mode 100755 index 0000000..d2f1c8f --- /dev/null +++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# Blackbox tests for diabing NTLMSSP for ldap client connections +# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com> + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: $0 USERNAME PASSWORD +EOF + exit 1 +fi + +USERNAME=$1 +PASSWORD=$2 +shift 2 + +failed=0 +. $(dirname $0)/subunit.sh + +samba_testparm="$BINDIR/testparm" +samba_net="$BINDIR/net" + +unset GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is allowed +testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=$(expr $failed + 1) + +# We should be allowed to use NTLM for connecting +testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=$(expr $failed + 1) + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=$(expr $failed + 1) + +# We should not be allowed to use NTLM for connecting +testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=$(expr $failed + 1) + +unset GNUTLS_FORCE_FIPS_MODE + +testok $0 $failed diff --git a/testprogs/blackbox/test_wintest.sh b/testprogs/blackbox/test_wintest.sh new file mode 100755 index 0000000..1015a1e --- /dev/null +++ b/testprogs/blackbox/test_wintest.sh @@ -0,0 +1,43 @@ +#!/bin/sh +# Blackbox tests for testing against windows machines +# Copyright (C) 2008 Jim McDonough + +testwithconf() +{ + # define test variables, startup/shutdown scripts + . $1 + shift 1 + + if [ -n "$WINTEST_STARTUP" ]; then + . $WINTEST_STARTUP + fi + + testit "smbtorture" $smbtorture //$SERVER/$SHARE RAW-OPEN -W "$DOMAIN" -U"$USERNAME%$PASSWORD" "$@" || failed=$(expr $failed + 1) + + if [ -n "$WINTEST_SHUTDOWN" ]; then + . $WINTEST_SHUTDOWN + fi +} + +# main +# skip without WINTEST_CONF_DIR +if [ -z "$WINTEST_CONF_DIR" ]; then + exit 0 +fi + +unset SOCKET_WRAPPER_DIR + +failed=0 + +basedir=$(pwd) + +samba4bindir=$(dirname $0)/../../source4/bin +smbtorture=$samba4bindir/smbtorture + +. $(dirname $0)/subunit.sh + +for wintest_conf in $WINTEST_CONF_DIR/*.conf; do + testwithconf "$wintest_conf" "$@" +done + +exit $failed diff --git a/testprogs/blackbox/tfork.sh b/testprogs/blackbox/tfork.sh new file mode 100755 index 0000000..0f75a8c --- /dev/null +++ b/testprogs/blackbox/tfork.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +sleep 1 + +echo stdout >&1 +echo $1 >&1 +echo stderror >&2 + +# close stdout and stderror, but don't exit yet +exec 1>&- +exec 2>&- + +sleep 1 + +exit 0 diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh new file mode 100755 index 0000000..a1a6d02 --- /dev/null +++ b/testprogs/blackbox/tombstones-expunge.sh @@ -0,0 +1,246 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: tombstones-expunge.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +release_dir="$SRCDIR_ABS/source4/selftest/provisions/$RELEASE" + +ldbadd=$(system_or_builddir_binary ldbadd "${BINDIR}") +ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}") +ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") +samba_tdbrestore=$(system_or_builddir_binary tdbrestore "${BINDIR}") + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test $RELEASE + subunit_skip_test $RELEASE <<EOF +no test provision +EOF + + subunit_start_test "tombstones_expunge" + subunit_skip_test "tombstones_expunge" <<EOF +no test provision +EOF + + exit 0 +fi + +undump() +{ + $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore +} + +tombstones_expunge() +{ + tmpfile=$PREFIX_ABS/$RELEASE/expected-expunge-output.txt.tmp + tmpldif1=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp1 + + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif1 + + $PYTHON $BINDIR/samba-tool domain tombstones expunge -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --current-time=2016-07-30 --tombstone-lifetime=4 >$tmpfile + if [ "$?" != "0" ]; then + return 1 + fi + diff -u $tmpfile $release_dir/expected-expunge-output.txt + if [ "$?" != "0" ]; then + return 1 + fi + + tmpldif2=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp2 + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2 + + diff -u $tmpldif1 $tmpldif2 + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_dangling_link() +{ + ldif=$release_dir/add-dangling-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_two_more_users() +{ + ldif=$release_dir/add-two-more-users.ldif + TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_four_more_links() +{ + ldif=$release_dir/add-four-more-links.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +add_unsorted_links() +{ + ldif=$release_dir/add-unsorted-links-step1.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif --relax + if [ "$?" != "0" ]; then + return 1 + fi + ldif=$release_dir/add-unsorted-links-step2.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_link() +{ + ldif=$release_dir/remove-one-more-link.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_one_user() +{ + ldif=$release_dir/remove-one-more-user.ldif + TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_match_rule_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-match-rule-links.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted no_attrs >$tmpldif + diff -u $tmpldif $release_dir/expected-match-rule-links.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_match_rule_links_negative() +{ + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=-131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_overflow() +{ + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744073709551617)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_null() +{ + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744\073709551617)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_hex() +{ + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=abcd)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_hex2() +{ + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=0xabcd)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_decimal() +{ + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000.00)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member +} + +check_match_rule_links_backlink() +{ + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(memberOf:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted memberOf +} + +check_match_rule_links_notlink() +{ + $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samAccountName:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName +} + +check_expected_after_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_deleted_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-deleted-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_after_objects() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user2))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName >$tmpldif + diff -u $tmpldif $release_dir/expected-objects-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +check_expected_unsorted_links() +{ + tmpldif=$PREFIX_ABS/$RELEASE/expected-unsorted-links-after-expunge.ldif.tmp + TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(name=unsorted-g)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member >$tmpldif + diff -u $tmpldif $release_dir/expected-unsorted-links-after-expunge.ldif + if [ "$?" != "0" ]; then + return 1 + fi +} + +remove_directory $PREFIX_ABS/${RELEASE} + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1) +testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1) +testit "add_dangling_link" add_dangling_link || failed=$(expr $failed + 1) +testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1) +testit "remove_one_user" remove_one_user || failed=$(expr $failed + 1) +testit "check_match_rule_links" check_match_rule_links || failed=$(expr $failed + 1) +testit_expect_failure "check_match_rule_links_negative" check_match_rule_links_negative || failed=$(expr $failed + 1) +testit_expect_failure "check_match_rule_links_overflow" check_match_rule_links_overflow || failed=$(expr $failed + 1) +testit_expect_failure "check_match_rule_links_null" check_match_rule_links_null || failed=$(expr $failed + 1) +testit_expect_failure "check_match_rule_links_hex" check_match_rule_links_hex || failed=$(expr $failed + 1) +testit_expect_failure "check_match_rule_links_hex2" check_match_rule_links_hex2 || failed=$(expr $failed + 1) +testit_expect_failure "check_match_rule_links_decimal" check_match_rule_links_decimal || failed=$(expr $failed + 1) +testit_expect_failure "check_match_rule_links_backlink" check_match_rule_links_backlink || failed=$(expr $failed + 1) +testit_expect_failure "check_match_rule_links_notlink" check_match_rule_links_notlink || failed=$(expr $failed + 1) +testit "add_unsorted_links" add_unsorted_links || failed=$(expr $failed + 1) +testit "tombstones_expunge" tombstones_expunge || failed=$(expr $failed + 1) +testit "check_expected_after_deleted_links" check_expected_after_deleted_links || failed=$(expr $failed + 1) +testit "check_expected_after_links" check_expected_after_links || failed=$(expr $failed + 1) +testit "check_expected_after_objects" check_expected_after_objects || failed=$(expr $failed + 1) +testit "check_expected_unsorted_links" check_expected_unsorted_links || failed=$(expr $failed + 1) + +remove_directory $PREFIX_ABS/${RELEASE} + +exit $failed diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh new file mode 100755 index 0000000..e8267ea --- /dev/null +++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh @@ -0,0 +1,234 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: upgradeprovision-oldrelease.sh PREFIX RELEASE +EOF + exit 1 +fi + +PREFIX_ABS="$1" +RELEASE="$2" +shift 2 + +failed=0 + +. $(dirname $0)/subunit.sh +. $(dirname $0)/common_test_fns.inc + +release_dir="$SRCDIR_ABS/source4/selftest/provisions/${RELEASE}" + +ldbdel=$(system_or_builddir_binary ldbdel "${BINDIR}") +samba_tdbrestore=$(system_or_builddir_binary tdbrestore "${BINDIR}") + +samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" +if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then + subunit_start_test "${RELEASE}" + subunit_skip_test "${RELEASE}" <<EOF +no test provision +EOF + + subunit_start_test "remove_dns_user" + subunit_skip_test "remove_dns_user" <<EOF +no test provision +EOF + + subunit_start_test "upgradeprovision" + subunit_skip_test "upgradeprovision" <<EOF +no test provision +EOF + subunit_start_test "upgradeprovision_full" + subunit_skip_test "upgradeprovision_full" <<EOF +no test provision +EOF + subunit_start_test "reindex" + subunit_skip_test "reindex" <<EOF +no test provision +EOF + subunit_start_test "dbcheck" + subunit_skip_test "dbcheck" <<EOF +no test provision +EOF + subunit_start_test "dbcheck_clean" + subunit_skip_test "dbcheck_clean" <<EOF +no test provision +EOF + # So far, only releases before 4.0.0rc6 need a dbcheck if upgradeprovision has already been run + if [ x$RELEASE != x"release-4-0-0" ]; then + subunit_start_test "dbcheck_full" + subunit_skip_test "dbcheck_full" <<EOF +no test provision +EOF + fi + subunit_start_test "dbcheck_full_clean" + subunit_skip_test "dbcheck_full_clean" <<EOF +no test provision +EOF + subunit_start_test "dbcheck_full_clean_well_known_acls" + subunit_skip_test "dbcheck_full_clean_well_known_acls" <<EOF +no test provision +EOF + subunit_start_test "samba_dnsupgrade" + subunit_skip_test "samba_dnsupgrade" <<EOF +no test provision +EOF + subunit_start_test "referenceprovision" + subunit_skip_test "referenceprovision" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp" + subunit_skip_test "ldapcmp" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp_full" + subunit_skip_test "ldapcmp_full" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp_sd" + subunit_skip_test "ldapcmp_sd" <<EOF +no test provision +EOF + subunit_start_test "ldapcmp_full_sd" + subunit_skip_test "ldapcmp_full_sd" <<EOF +no test provision +EOF + + exit 0 +fi + +undump() +{ + $samba_undump $release_dir $PREFIX_ABS/${RELEASE}_upgrade $samba_tdbrestore + $samba_undump $release_dir $PREFIX_ABS/${RELEASE}_upgrade_full $samba_tdbrestore + + cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade/private/ + cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade/ + mkdir $PREFIX_ABS/${RELEASE}_upgrade/etc/ + sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade|g" $release_dir/etc/smb.conf.template \ + >$PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf + + cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade_full/private/ + cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade_full/ + mkdir $PREFIX_ABS/${RELEASE}_upgrade_full/etc/ + sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade_full|g" $release_dir/etc/smb.conf.template \ + >$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf +} + +remove_dns_user() +{ + if [ x$RELEASE != x"release-4-0-0" ]; then + # This is done, because otherwise the upgrdeprovision will not run without --full + ${ldbdel} -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb cn=dns,cn=users,dc=${RELEASE},dc=samba,dc=corp + fi +} + +reindex() +{ + $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb "$@" +} + +# This should 'fail', because it returns the number of modified records +dbcheck() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb "$@" +} + +dbcheck_clean() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb "$@" +} + +# This should 'fail', because it returns the number of modified records +dbcheck_full() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb "$@" +} + +dbcheck_full_clean() +{ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb "$@" +} + +# This checks that after the upgrade, the well known ACLs are correct, so this reset should not want to do anything +dbcheck_full_clean_well_known_acls() +{ + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb "$@" +} + +upgradeprovision() +{ + # bring the really old Samba schema in line with a more recent 2008R2 schema + $PYTHON $BINDIR/samba_upgradeprovision --configfile="$PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf" --debugchange + + # on top of this, also apply 2008R2 changes we accidentally missed in the past + $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf + + # add missing domain prep for 2008R2 + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --domain --function-level 2008_R2 +} + +upgradeprovision_full() +{ + # add missing domain prep for 2008R2 + $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --domain --function-level 2008_R2 + + $PYTHON $BINDIR/samba_upgradeprovision --configfile="$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf" --full --debugchange +} + +samba_upgradedns() +{ + $PYTHON $BINDIR/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile="$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf" +} + +referenceprovision() +{ + $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old +} + +ldapcmp() +{ + if [ x$RELEASE != x"alpha13" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes,servicePrincipalName + fi +} + +ldapcmp_full() +{ + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --filter=dNSProperty,dnsRecord,cn,displayName,versionNumber,systemFlags,msDS-HasInstantiatedNCs,servicePrincipalName --skip-missing-dn +} + +ldapcmp_sd() +{ + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --sd --skip-missing-dn +} + +ldapcmp_full_sd() +{ + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --sd --skip-missing-dn +} + +remove_directory $PREFIX_ABS/${RELEASE}_upgrade +remove_directory $PREFIX_ABS/${RELEASE}_upgrade_full +remove_directory $PREFIX_ABS/${RELEASE}_upgrade_reference + +testit $RELEASE undump || failed=$(expr $failed + 1) +testit "remove_dns_user" remove_dns_user || failed=$(expr $failed + 1) +testit "upgradeprovision" upgradeprovision || failed=$(expr $failed + 1) +testit "upgradeprovision_full" upgradeprovision_full || failed=$(expr $failed + 1) +testit "reindex" reindex || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck" dbcheck || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_full" dbcheck_full || failed=$(expr $failed + 1) +testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1) +testit "dbcheck_full_clean" dbcheck_full_clean || failed=$(expr $failed + 1) +testit "dbcheck_full_clean_well_known_acls" dbcheck_full_clean_well_known_acls || failed=$(expr $failed + 1) +testit "referenceprovision" referenceprovision || failed=$(expr $failed + 1) +testit "samba_upgradedns" samba_upgradedns || failed=$(expr $failed + 1) +testit "ldapcmp" ldapcmp || failed=$(expr $failed + 1) +testit "ldapcmp_sd" ldapcmp_sd || failed=$(expr $failed + 1) +testit "ldapcmp_full_sd" ldapcmp_full_sd || failed=$(expr $failed + 1) + +remove_directory $PREFIX_ABS/${RELEASE}_upgrade +remove_directory $PREFIX_ABS/${RELEASE}_upgrade_full +remove_directory $PREFIX_ABS/${RELEASE}_upgrade_reference + +exit $failed diff --git a/testprogs/blackbox/wintest/wintest.conf b/testprogs/blackbox/wintest/wintest.conf new file mode 100644 index 0000000..d140366 --- /dev/null +++ b/testprogs/blackbox/wintest/wintest.conf @@ -0,0 +1,7 @@ +#export WINTEST_STARTUP="/tmp/startup client" +#export WINTEST_SHUTDOWN=/tmp/shutdown client" +export DOMAIN="client" +export USERNAME="administrator" +export PASSWORD="samba" +export SERVER="192.168.213.161" +export SHARE="c\$"
\ No newline at end of file |