summaryrefslogtreecommitdiffstats
path: root/testsuite
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
commit8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch)
tree4099e8021376c7d8c05bdf8503093d80e9c7bad0 /testsuite
parentInitial commit. (diff)
downloadsamba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz
samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--testsuite/README13
-rw-r--r--testsuite/headers/test_headers.c45
-rw-r--r--testsuite/headers/wscript_build35
-rw-r--r--testsuite/nsswitch/Makefile.longarg5
-rw-r--r--testsuite/nsswitch/bigfd.c38
-rw-r--r--testsuite/nsswitch/bigfd.exp28
-rw-r--r--testsuite/nsswitch/domusers.exp38
-rw-r--r--testsuite/nsswitch/envvar.exp282
-rw-r--r--testsuite/nsswitch/finger.exp39
-rw-r--r--testsuite/nsswitch/getent.c150
-rw-r--r--testsuite/nsswitch/getent.exp148
-rw-r--r--testsuite/nsswitch/getent_grent.c100
-rw-r--r--testsuite/nsswitch/getent_pwent.c112
-rwxr-xr-xtestsuite/nsswitch/getent_r.sh34
-rw-r--r--testsuite/nsswitch/getgrent_r.c84
-rw-r--r--testsuite/nsswitch/getgrent_r.exp41
-rw-r--r--testsuite/nsswitch/getgrgid.c57
-rw-r--r--testsuite/nsswitch/getgrgid.exp50
-rw-r--r--testsuite/nsswitch/getgrnam.c51
-rw-r--r--testsuite/nsswitch/getgrnam.exp28
-rw-r--r--testsuite/nsswitch/getpwent_r.c85
-rw-r--r--testsuite/nsswitch/getpwent_r.exp41
-rw-r--r--testsuite/nsswitch/getpwnam.c37
-rw-r--r--testsuite/nsswitch/getpwnam.exp28
-rw-r--r--testsuite/nsswitch/getpwuid.c43
-rw-r--r--testsuite/nsswitch/getpwuid.exp59
-rw-r--r--testsuite/nsswitch/groupmem_dom.exp33
-rw-r--r--testsuite/nsswitch/initgroups.c42
-rw-r--r--testsuite/nsswitch/initgroups.exp37
-rw-r--r--testsuite/nsswitch/login.exp102
-rw-r--r--testsuite/nsswitch/longarg.exp29
-rw-r--r--testsuite/nsswitch/longarg_getgrnam.c41
-rw-r--r--testsuite/nsswitch/longarg_getpwnam.c41
-rw-r--r--testsuite/nsswitch/longarg_utils.h26
-rw-r--r--testsuite/nsswitch/nss_winbind_syms.c63
-rw-r--r--testsuite/nsswitch/nss_winbind_syms.exp42
-rw-r--r--testsuite/nsswitch/pam_winbind_syms.c55
-rw-r--r--testsuite/nsswitch/pam_winbind_syms.exp44
-rw-r--r--testsuite/nsswitch/wbinfo.exp360
-rw-r--r--testsuite/smbd/Makefile.se_access_check24
-rw-r--r--testsuite/smbd/Makefile.sec_ctx57
-rw-r--r--testsuite/smbd/se_access_check.exp53
-rw-r--r--testsuite/smbd/se_access_check_allowall.c86
-rw-r--r--testsuite/smbd/se_access_check_allowsome.c103
-rw-r--r--testsuite/smbd/se_access_check_denyall.c85
-rw-r--r--testsuite/smbd/se_access_check_denysome.c105
-rw-r--r--testsuite/smbd/se_access_check_empty.c108
-rw-r--r--testsuite/smbd/se_access_check_nullsd.c73
-rw-r--r--testsuite/smbd/se_access_check_printer.c211
-rw-r--r--testsuite/smbd/se_access_check_utils.c158
-rw-r--r--testsuite/smbd/se_access_check_utils.h45
-rw-r--r--testsuite/smbd/sec_ctx.exp66
-rw-r--r--testsuite/smbd/sec_ctx1.c39
-rw-r--r--testsuite/smbd/sec_ctx_current_user.c113
-rw-r--r--testsuite/smbd/sec_ctx_flow.c72
-rw-r--r--testsuite/smbd/sec_ctx_groups.c130
-rw-r--r--testsuite/smbd/sec_ctx_nonroot.c41
-rw-r--r--testsuite/smbd/sec_ctx_root.c60
-rw-r--r--testsuite/smbd/sec_ctx_stack.c85
-rw-r--r--testsuite/smbd/sec_ctx_torture.c102
-rw-r--r--testsuite/smbd/sec_ctx_utils.c64
-rw-r--r--testsuite/smbd/sec_ctx_utils.h29
-rw-r--r--testsuite/smbd/sighup.exp107
-rw-r--r--testsuite/unittests/rpc_test_dummy_module.c21
-rw-r--r--testsuite/unittests/test_background_send.c82
-rw-r--r--testsuite/unittests/test_krb5_samba.c145
-rw-r--r--testsuite/unittests/test_lib_util_modules.c66
-rw-r--r--testsuite/unittests/wscript36
68 files changed, 4952 insertions, 0 deletions
diff --git a/testsuite/README b/testsuite/README
new file mode 100644
index 0000000..e04a783
--- /dev/null
+++ b/testsuite/README
@@ -0,0 +1,13 @@
+README for testsuite directory
+------------------------------
+
+The Samba testsuite is divided up into the following subdirectories.
+
+ - lib Various library files used by tool directories
+
+ - nsswitch Tests for nsswitch extensions
+
+All the scripts require an unreleased
+version of DejaGNU, and although they contain some useful tests they
+are not so useful at the moment. All scripts are migrating to a
+single test framework, Satyr. <cvs://cvs.samba.org/data/cvs/satyr>
diff --git a/testsuite/headers/test_headers.c b/testsuite/headers/test_headers.c
new file mode 100644
index 0000000..4e63e99
--- /dev/null
+++ b/testsuite/headers/test_headers.c
@@ -0,0 +1,45 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Copyright (C) Andrew Tridgell 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ this tests that all of our public headers will build
+ */
+
+#define _GNU_SOURCE 1
+
+#ifdef HAVE_PYTHON_H
+# include <Python.h>
+#endif
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+/* pre-include some of the public headers to avoid ordering issues */
+#include "core/ntstatus.h"
+
+/* include all our public headers */
+#include "test_headers.h"
+
+int main(void)
+{
+ printf("All OK\n");
+ return 0;
+}
diff --git a/testsuite/headers/wscript_build b/testsuite/headers/wscript_build
new file mode 100644
index 0000000..190fe69
--- /dev/null
+++ b/testsuite/headers/wscript_build
@@ -0,0 +1,35 @@
+import os
+
+def build_test_headers(task):
+ '''symlink a header in the build tree'''
+ tgt = task.outputs[0].bldpath(task.env)
+ f = open(tgt, mode='w')
+ f.write('/* generated header test */\n')
+ hlist = task.env.public_headers_list[:]
+ hlist.sort()
+
+ for h in hlist:
+ f.write('#include "%s"\n' % os.path.normpath(h))
+ f.close()
+
+relpath1 = os.path.relpath(bld.srcnode.abspath(), bld.path.abspath())
+public_headers = []
+for h in bld.env.public_headers_list:
+ public_headers.append(os.path.join(relpath1, bld.env.build_public_headers, h))
+
+bld.SAMBA_GENERATOR('test_headers.h',
+ group='main',
+ rule=build_test_headers,
+ source=public_headers,
+ target='test_headers.h')
+
+if bld.env.DEVELOPER_MODE:
+ bld.SAMBA_BINARY('test_headers',
+ source='test_headers.c',
+ includes="#include/public",
+ pyembed=True,
+ local_include=True,
+ global_include=False,
+ use_global_deps=False,
+ install=False,
+ deps='talloc tdb ldb tevent popt')
diff --git a/testsuite/nsswitch/Makefile.longarg b/testsuite/nsswitch/Makefile.longarg
new file mode 100644
index 0000000..6cc7ef8
--- /dev/null
+++ b/testsuite/nsswitch/Makefile.longarg
@@ -0,0 +1,5 @@
+#
+# Makefile for null tests
+#
+
+longarg_getpwnam: longarg_getpwnam.o \ No newline at end of file
diff --git a/testsuite/nsswitch/bigfd.c b/testsuite/nsswitch/bigfd.c
new file mode 100644
index 0000000..99e402e
--- /dev/null
+++ b/testsuite/nsswitch/bigfd.c
@@ -0,0 +1,38 @@
+/*
+ * Test maximum number of file descriptors winbind daemon can handle
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <pwd.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+ struct passwd *pw;
+ int i;
+
+ while(1) {
+
+ /* Start getpwent until we get an NT user. This way we know we
+ have at least opened a connection to the winbind daemon */
+
+ setpwent();
+
+ while((pw = getpwent()) != NULL) {
+ if (strchr(pw->pw_name, '/') != NULL) {
+ break;
+ }
+ }
+
+ if (pw != NULL) {
+ i++;
+ printf("got pwent handle %d\n", i);
+ } else {
+ printf("winbind daemon not running?\n");
+ exit(1);
+ }
+
+ sleep(1);
+ }
+}
diff --git a/testsuite/nsswitch/bigfd.exp b/testsuite/nsswitch/bigfd.exp
new file mode 100644
index 0000000..62fc9ea
--- /dev/null
+++ b/testsuite/nsswitch/bigfd.exp
@@ -0,0 +1,28 @@
+#
+# @(#) Test maximum number of clients (file descriptors) for winbindd
+#
+
+load_lib util-defs.exp
+
+# Unimplemented - eek!
+
+untested "bigfd"
+return
+
+# Compile bigfd.c
+
+set output [target_compile "$srcdir/$subdir/bigfd.c" \
+ "$srcdir/$subdir/bigfd" executable {additional_flags="-g"}]
+
+if {$output != ""} {
+ perror "compile bigfd"
+ puts $output
+ return
+}
+
+# Run bigfd
+
+set output [util_start "$srcdir/$subdir/bigfd" "" ""]
+puts $output
+
+pass "bigfd"
diff --git a/testsuite/nsswitch/domusers.exp b/testsuite/nsswitch/domusers.exp
new file mode 100644
index 0000000..3b291ab
--- /dev/null
+++ b/testsuite/nsswitch/domusers.exp
@@ -0,0 +1,38 @@
+#
+# @(#) Test that all users are members of the Domain Users group.
+#
+# Note that this isn't necessarily true all the time but you have to
+# explicitly move people out of that group so it should be OK for te
+#
+
+load_lib util-defs.exp
+load_lib $srcdir/lib/nsswitch-config.exp
+
+# Get list of users and stick usernames in a hash
+
+set user_list [util_start "getent" "passwd" ""]
+
+foreach { user } [split $user_list "\n"] {
+ set user_elts [split $user ":"]
+ set users([lindex $user_elts 0]) 1
+}
+
+# Get list of groups
+
+set group_list [util_start "getent" "group" ""]
+
+foreach { group } [split $group_list "\n"] {
+ set group_elts [split $group ":"]
+
+ # Look for domain users group
+
+ if { ![regexp "Domain Users" [lindex $group_elts 0]] } {
+ continue
+ }
+
+ # Check each member of group was found in getent passwd
+
+ foreach { mem } [split [lindex $group_elts 3] ","] {
+ set mems($mem) 1
+ }
+}
diff --git a/testsuite/nsswitch/envvar.exp b/testsuite/nsswitch/envvar.exp
new file mode 100644
index 0000000..134a8b3
--- /dev/null
+++ b/testsuite/nsswitch/envvar.exp
@@ -0,0 +1,282 @@
+#
+# @(#) Test operation of WINBINDD_DOMAIN environment variable
+#
+
+load_lib "util-defs.exp"
+load_lib "$srcdir/lib/nsswitch-config.exp"
+
+#
+# @(#) Test that there is at least one domain user and domain group
+# @(#) in the output of getent passwd and getent group.
+#
+
+# Get list of users and groups
+
+set user_list [util_start "getent passwd"]
+set group_list [util_start "getent group"]
+
+verbose "user list is:\n$user_list"
+verbose "group list is:\n$group_list"
+
+# Check for domain users
+
+set no_dom 0
+
+if { ![regexp "$domain/" $user_list] } {
+ fail "no domain users in getent"
+ set no_dom 1
+}
+
+# Check for domain groups
+
+if { ![regexp "$domain/" $group_list] } {
+ fail "no domain groups in getent group"
+ set no_dom 1
+}
+
+if { $no_dom } {
+ return
+}
+
+#
+# @(#) Check for "leakage" between different domains using the
+# @(#) WINBINDD_DOMAIN environment variable.
+#
+
+verbose "Domain is $domain"
+
+set output [util_start "bin/wbinfo" "-m"]
+verbose "Trusted domains are $output"
+set trusted_domain_list [split $output "\n"]
+
+# Test simple inclusion by setting $WINBINDD_DOMAIN to each trusted domain
+# in turn and checking there are no users/groups from other domains in the
+# output of getent.
+
+set domain_list $trusted_domain_list
+lappend domain_list $domain
+
+foreach { the_domain } $domain_list {
+
+ set env(WINBINDD_DOMAIN) $the_domain
+
+ set user_out [util_start "getent passwd"]
+ set group_out [util_start "getent group"]
+
+ verbose "users in $the_domain:\n$user_out\n"
+ verbose "groups in $the_domain:\n$group_out\n"
+
+ # Users
+
+ set test_desc "users in WINBINDD_DOMAIN $the_domain"
+ set failed 0
+
+ foreach { user } [split $user_out "\n"] {
+ set user_name [lindex [split $user ":"] 0]
+ if { [regexp "/" $user_name] && ![regexp $the_domain $user_name]} {
+ set failed 1
+ }
+ }
+
+ if { $failed } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ # Groups
+
+ set test_desc "groups in WINBINDD_DOMAIN $the_domain"
+ set failed 0
+
+ foreach { group } [split $group_out "\n"] {
+ set group_name [lindex [split $group ":"] 0]
+ if { [regexp "/" $group_name] && ![regexp $the_domain $group_name]} {
+ set failed 1
+ }
+ }
+
+ if { $failed } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+#
+# @(#) Test inclusion of a dummy domain doesn't generate users/groups
+# @(#) from that domain.
+#
+
+set env(WINBINDD_DOMAIN) "asmithee"
+set user_out [util_start "getent passwd"]
+set group_out [util_start "getent group"]
+
+# Users
+
+set test_desc "users in different WINBINDD_DOMAIN"
+if { [regexp $domain $user_out] } {
+ fail $test_desc
+} else {
+ pass $test_desc
+}
+
+# Groups
+
+set test_desc "groups in different WINBINDD_DOMAIN"
+if { [regexp $domain $group_out] } {
+ fail $test_desc
+} else {
+ pass $test_desc
+}
+
+#
+# @(#) Test comma separated inclusion of dummy domain doesn't generate
+# @(#) users/groups in the dummy domain.
+#
+
+foreach { the_domain } $domain_list {
+ set env(WINBINDD_DOMAIN) "$the_domain,asmithee"
+ set user_out [util_start "getent passwd"]
+ set group_out [util_start "getent group"]
+
+ verbose "users in $the_domain:\n$user_out\n"
+ verbose "groups in $the_domain:\n$group_out\n"
+
+ # Users
+
+ set test_desc "users in comma separated WINBINDD_DOMAIN $the_domain"
+ set failed 0
+
+ foreach { user } [split $user_out "\n"] {
+ set user_name [lindex [split $user ":"] 0]
+ if { [regexp "/" $user_name] && ![regexp $the_domain $user_name]} {
+ set failed 1
+ }
+ }
+
+ if { $failed } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ # Groups
+
+ set test_desc "groups in comma separated WINBINDD_DOMAIN $the_domain"
+ set failed 0
+
+ foreach { group } [split $group_out "\n"] {
+ set group_name [lindex [split $group ":"] 0]
+ if { [regexp "/" $group_name] && ![regexp $the_domain $group_name]} {
+ set failed 1
+ }
+ }
+
+ if { $failed } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+#
+# @(#) Test two comma separated dummy domains do not generate any domain
+# @(#) users or groups.
+#
+
+foreach { the_domain } $domain_list {
+
+ set env(WINBINDD_DOMAIN) "moose,asmithee"
+ set user_out [util_start "getent passwd"]
+ set group_out [util_start "getent group"]
+
+ verbose "users in $the_domain:\n$user_out\n"
+ verbose "groups in $the_domain:\n$group_out\n"
+
+ # Users
+
+ set test_desc "users in comma separated invalid WINBINDD_DOMAIN"
+ if { [regexp $the_domain $user_out] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ # Groups
+
+ set test_desc "groups in comma separated invalid WINBINDD_DOMAIN"
+ if { [regexp $the_domain $group_out] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+set env(WINBINDD_DOMAIN) ""
+
+#
+# @(#) Test _NO_WINBINDD doesn't return any domain users or groups
+#
+
+set env(_NO_WINBINDD) "1"
+set user_out [util_start "getent passwd"]
+set group_out [util_start "getent group"]
+
+verbose "users with _NO_WINBINDD:\n$user_out\n"
+verbose "groups with _NO_WINBINDD:\n$group_out\n"
+
+foreach { the_domain } $domain_list {
+
+ # Users
+
+ set test_desc "users found with _NO_WINBINDD environment variable set"
+ if { [regexp $the_domain $user_out] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ # Groups
+
+ set test_desc "groups found with _NO_WINBINDD environment variable set"
+ if { [regexp $the_domain $group_out] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+# Unset _NO_WINBINDD and make sure everything still works
+
+unset env(_NO_WINBINDD)
+
+set user_out [util_start "getent passwd"]
+set group_out [util_start "getent group"]
+
+verbose "users with _NO_WINBINDD unset:\n$user_out\n"
+verbose "groups with _NO_WINBINDD unset:\n$group_out\n"
+
+# Users
+
+set test_desc "no users found with _NO_WINBINDD environment variable set"
+if { $user_out != $user_list } {
+ fail $test_desc
+} else {
+ pass $test_desc
+}
+
+# Groups
+
+set test_desc "no groups found with _NO_WINBINDD environment variable set"
+if { $group_out != $group_list } {
+ fail $test_desc
+} else {
+ pass $test_desc
+}
+
+# Make sure we unset the environment vars so we don't cause subsequent tests
+# any grief.
+
+catch { unset env(WINBINDD_DOMAIN) } tmp
+catch { unset env(_NO_WINBINDD) } tmp
diff --git a/testsuite/nsswitch/finger.exp b/testsuite/nsswitch/finger.exp
new file mode 100644
index 0000000..36bab8e
--- /dev/null
+++ b/testsuite/nsswitch/finger.exp
@@ -0,0 +1,39 @@
+#
+# @(#) Test default domain users resolve using the finger command
+#
+
+load_lib util-defs.exp
+
+set output [util_start "bin/wbinfo" "-u"]
+if { [regexp "Error" $output] } {
+ fail "error running wbinfo"
+ return
+}
+
+set user_list [split $output "\n"]
+
+# Look up all users using finger -m. This should test getpwnam()
+
+foreach { user } $user_list {
+ set output [util_start "finger" "-m \"$user\"" "" "no such user"]
+ verbose $output
+
+ if { [regexp "no such user" $output] } {
+ fail "finger -m $user"
+ } else {
+ pass "finger -m $user"
+ }
+}
+
+# Run finger without the -m to also test set/get/endpwent()
+
+foreach { user } $user_list {
+ set output [util_start "finger" "\"$user\""]
+ verbose $output
+
+ if { [regexp "no such user" $output] } {
+ fail "finger $user"
+ } else {
+ pass "finger $user"
+ }
+}
diff --git a/testsuite/nsswitch/getent.c b/testsuite/nsswitch/getent.c
new file mode 100644
index 0000000..5babfc5
--- /dev/null
+++ b/testsuite/nsswitch/getent.c
@@ -0,0 +1,150 @@
+/* Cut down version of getent which only returns passwd and group database
+ entries and seems to compile on most systems without too much fuss.
+ Original copyright notice below. */
+
+/* Copyright (c) 1998, 1999, 2000 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+ Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 3 of the
+ License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; see the file COPYING.LIB. If not,
+ see <http://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <pwd.h>
+#include <grp.h>
+
+group_keys (int number, char *key[])
+{
+ int result = 0;
+ int i;
+
+ for (i = 0; i < number; ++i)
+ {
+ struct group *grp;
+
+ if (isdigit (key[i][0]))
+ grp = getgrgid (atol (key[i]));
+ else
+ grp = getgrnam (key[i]);
+
+ if (grp == NULL)
+ result = 2;
+ else
+ print_group (grp);
+ }
+
+ return result;
+}
+
+passwd_keys (int number, char *key[])
+{
+ int result = 0;
+ int i;
+
+ for (i = 0; i < number; ++i)
+ {
+ struct passwd *pwd;
+
+ if (isdigit (key[i][0]))
+ pwd = getpwuid (atol (key[i]));
+ else
+ pwd = getpwnam (key[i]);
+
+ if (pwd == NULL)
+ result = 2;
+ else
+ print_passwd (pwd);
+ }
+
+ return result;
+}
+
+print_group (struct group *grp)
+{
+ unsigned int i = 0;
+
+ printf ("%s:%s:%ld:", grp->gr_name ? grp->gr_name : "",
+ grp->gr_passwd ? grp->gr_passwd : "",
+ (unsigned long)grp->gr_gid);
+
+ while (grp->gr_mem[i] != NULL)
+ {
+ fputs (grp->gr_mem[i], stdout);
+ ++i;
+ if (grp->gr_mem[i] != NULL)
+ fputs (",", stdout);
+ }
+ fputs ("\n", stdout);
+}
+
+print_passwd (struct passwd *pwd)
+{
+ printf ("%s:%s:%ld:%ld:%s:%s:%s\n",
+ pwd->pw_name ? pwd->pw_name : "",
+ pwd->pw_passwd ? pwd->pw_passwd : "",
+ (unsigned long)pwd->pw_uid,
+ (unsigned long)pwd->pw_gid,
+ pwd->pw_gecos ? pwd->pw_gecos : "",
+ pwd->pw_dir ? pwd->pw_dir : "",
+ pwd->pw_shell ? pwd->pw_shell : "");
+}
+
+int main(int argc, char **argv)
+{
+ switch(argv[1][0])
+ {
+ case 'g': /* group */
+ if (strcmp (argv[1], "group") == 0)
+ {
+ if (argc == 2)
+ {
+ struct group *grp;
+
+ setgrent ();
+ while ((grp = getgrent()) != NULL)
+ print_group (grp);
+ endgrent ();
+ }
+ else
+ return group_keys (argc - 2, &argv[2]);
+ }
+ else
+ goto error;
+ break;
+
+ case 'p': /* passwd, protocols */
+ if (strcmp (argv[1], "passwd") == 0)
+ {
+ if (argc == 2)
+ {
+ struct passwd *pwd;
+
+ setpwent ();
+ while ((pwd = getpwent()) != NULL)
+ print_passwd (pwd);
+ endpwent ();
+ }
+ else
+ return passwd_keys (argc - 2, &argv[2]);
+ }
+ else
+ goto error;
+ break;
+ default:
+ error:
+ fprintf (stderr, "Unknown database: %s\n", argv[1]);
+ return 1;
+ }
+ return 0;
+}
diff --git a/testsuite/nsswitch/getent.exp b/testsuite/nsswitch/getent.exp
new file mode 100644
index 0000000..72bf2ea
--- /dev/null
+++ b/testsuite/nsswitch/getent.exp
@@ -0,0 +1,148 @@
+#
+# @(#) Test the getent command returns domain/local users and groups
+#
+
+load_lib util-defs.exp
+load_lib compile.exp
+load_lib $srcdir/lib/nsswitch-config.exp
+
+#
+# @(#) Test getent passwd returns domain users
+#
+
+set wbinfo_output [util_start "bin/wbinfo" "-u"]
+set getent_output [util_start "getent" "passwd" ""]
+
+if { ![regexp "$domain/" $getent_output] } {
+ fail "no domain users in getent passwd"
+ return
+}
+
+if { [regexp "Error" $wbinfo_output] } {
+ fail "wbinfo -u failed"
+ return
+}
+
+#
+# @(#) Test each user in the output of wbinfo is also in the output of
+# @(#) getent.
+#
+
+# Test wbinfo user names are in getent user names
+
+foreach { user } [split $wbinfo_output "\n"] {
+
+ verbose "looking for $user"
+
+ set test_desc "getent passwd does not contain $user"
+
+ if { ![regexp "$user" $getent_output] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+# Test getent user names are in wbinfo user names
+
+foreach { user } [split $getent_output "\n"] {
+
+ set user_info [split $user ":"]
+ set username [lindex $user_info 0]
+
+ if { [regexp {^[^/]+/} $username] } {
+
+ set test_desc "wbinfo -u does not contain $username"
+
+ if { ![regexp "$username" $wbinfo_output] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+ } else {
+ verbose "ignoring non-domain user $username"
+ }
+}
+
+#
+# @(#) Test each group in the output of wbinfo is also in the output of
+# @(#) getent.
+#
+
+set wbinfo_output [util_start "bin/wbinfo" "-g"]
+set getent_output [util_start "getent" "group" ""]
+
+if { ![regexp "$domain/" $getent_output] } {
+ fail "no domain groups in getent passwd"
+ return
+}
+
+if { [regexp "Error" $wbinfo_output] } {
+ fail "wbinfo -g failed"
+ return
+}
+
+# Test wbinfo group names are in getent group names
+
+foreach { group } [split $wbinfo_output "\n"] {
+
+ verbose "looking for $group"
+
+ set test_desc "getent group does not contain $group"
+
+ if { ![regexp "$group" $getent_output] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+# Test getent group names are in wbinfo group names
+
+foreach { group } [split $getent_output "\n"] {
+
+ set group_info [split $group ":"]
+ set groupname [lindex $group_info 0]
+
+ if { [regexp {^[^/]+/} $groupname] } {
+
+ set test_desc "wbinfo -g does not contain $groupname"
+
+ if { ![regexp "$groupname" $wbinfo_output] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+ } else {
+ verbose "ignoring non-domain group $groupname"
+ }
+}
+
+#
+# @(#) Test out of order and repeat calls of pwent functions
+# @(#) Test out of order and repeat calls of grent functions
+#
+
+set getent_tests [list \
+ { "out of order pwent operations" "getent_pwent" } \
+ { "out of order grent operations" "getent_grent" } \
+ ]
+
+# Compile and run each test
+
+foreach { test } $getent_tests {
+ set test_desc [lindex $test 0]
+ set test_file [lindex $test 1]
+
+ simple_compile $test_file
+ set output [util_start "$srcdir/$subdir/$test_file" ]
+
+ if { [regexp "PASS" $output] } {
+ pass $test_desc
+ file delete "$srcdir/$subdir/$test_file" "$srcdir/$subdir/$test_file.o"
+ } else {
+ fail $test_desc
+ puts $output
+ }
+
+}
diff --git a/testsuite/nsswitch/getent_grent.c b/testsuite/nsswitch/getent_grent.c
new file mode 100644
index 0000000..4660b6a
--- /dev/null
+++ b/testsuite/nsswitch/getent_grent.c
@@ -0,0 +1,100 @@
+/* Test out of order operations with {set,get,end}grent */
+
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <grp.h>
+
+int main (int argc, char **argv)
+{
+ struct group *gr;
+ int found = 0;
+ int num_users, i;
+
+ /* Test getgrent() without setgrent() */
+
+ for (i = 0; i < 100; i++) {
+ gr = getgrent();
+
+ /* This is supposed to work */
+
+#if 0
+ if (gr != NULL) {
+ printf("FAIL: getgrent() with no setgrent()\n");
+ return 1;
+ }
+#endif
+ }
+
+ /* Work out how many user till first domain group */
+
+ num_users = 0;
+ setgrent();
+
+ while (1) {
+ gr = getgrent();
+ num_users++;
+
+ if (gr == NULL) break;
+
+ if (strchr(gr->gr_name, '/')) {
+ found = 1;
+ break;
+ }
+
+ }
+
+ if (!found) {
+ printf("FAIL: could not find any domain groups\n");
+ return 1;
+ }
+
+ /* Test stopping getgrent in the middle of a set of users */
+
+ endgrent();
+
+ /* Test setgrent() without any getgrent() calls */
+
+ setgrent();
+
+ for (i = 0; i < (num_users - 1); i++) {
+ getgrent();
+ }
+
+ endgrent();
+
+ /* Test lots of setgrent() calls */
+
+ for (i = 0; i < 100; i++) {
+ setgrent();
+ }
+
+ /* Test lots of endgrent() calls */
+
+ for (i = 0; i < 100; i++) {
+ endgrent();
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/nsswitch/getent_pwent.c b/testsuite/nsswitch/getent_pwent.c
new file mode 100644
index 0000000..14200b0
--- /dev/null
+++ b/testsuite/nsswitch/getent_pwent.c
@@ -0,0 +1,112 @@
+/* Test out of order operations with {set,get,end}pwent */
+
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <pwd.h>
+
+int main (int argc, char **argv)
+{
+ struct passwd *pw;
+ int found = 0;
+ int num_users, i;
+
+ /* Test getpwent() without setpwent() */
+
+ for (i = 0; i < 100; i++) {
+ pw = getpwent();
+
+ /* This is supposed to work */
+
+#if 0
+ if (pw != NULL) {
+ printf("FAIL: getpwent() with no setpwent()\n");
+ return 1;
+ }
+#endif
+ }
+
+ /* Work out how many user till first domain user */
+
+ num_users = 0;
+ setpwent();
+
+ while (1) {
+ pw = getpwent();
+ num_users++;
+
+ if (pw == NULL) break;
+
+ if (strchr(pw->pw_name, '/')) {
+ found = 1;
+ break;
+ }
+
+ }
+
+ if (!found) {
+ printf("FAIL: could not find any domain users\n");
+ return 1;
+ }
+
+ /* Test stopping getpwent in the middle of a set of users */
+
+ endpwent();
+
+ /* Test setpwent() without any getpwent() calls */
+
+ setpwent();
+
+ for (i = 0; i < (num_users - 1); i++) {
+ getpwent();
+ }
+
+ endpwent();
+
+ /* Test lots of setpwent() calls */
+
+ setpwent();
+
+ for (i = 0; i < (num_users - 1); i++) {
+ getpwent();
+ }
+
+ for (i = 0; i < 100; i++) {
+ setpwent();
+ }
+
+ /* Test lots of endpwent() calls */
+
+ setpwent();
+
+ for (i = 0; i < (num_users - 1); i++) {
+ getpwent();
+ }
+
+ for (i = 0; i < 100; i++) {
+ endpwent();
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/nsswitch/getent_r.sh b/testsuite/nsswitch/getent_r.sh
new file mode 100755
index 0000000..981aaf5
--- /dev/null
+++ b/testsuite/nsswitch/getent_r.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# Verify test output. Basically we check to see if all the files generated
+# in /tmp by the get{pw,gr}ent_r.c and program are identical. If there is
+# some problem with the re-entrancy of the code then the information in the
+# two files will be different.
+#
+
+TYPE=$1
+ID=$2
+FILES="/tmp/${TYPE}_r-${ID}.out-*"
+
+# Sort files
+
+for file in $FILES; do
+ cat $file | sort >$file.sorted
+done
+
+# Diff files
+
+SORTED="/tmp/${TYPE}_r-${ID}.out-*.sorted"
+failed=0
+
+for file1 in $SORTED; do
+ for file2 in $SORTED; do
+ if [ $file1 != $file2 ]; then
+ diff $file1 $file2
+ fi
+ done
+done
+
+# Clean up
+
+rm -f $SORTED
diff --git a/testsuite/nsswitch/getgrent_r.c b/testsuite/nsswitch/getgrent_r.c
new file mode 100644
index 0000000..883c897
--- /dev/null
+++ b/testsuite/nsswitch/getgrent_r.c
@@ -0,0 +1,84 @@
+/*
+ * Use set/get/endgrent calls from two processes to iterate over the
+ * password database. This checks the multithreaded stuff works.
+ */
+
+#include <stdio.h>
+#include <grp.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <wait.h>
+
+void dump_grent(char *id)
+{
+ struct group *gr;
+ char fname[255];
+ FILE *fptr;
+
+ /* Open results file */
+
+ sprintf(fname, "/tmp/getgrent_r-%s.out-%d", id, getpid());
+
+ if ((fptr = fopen(fname, "w")) == NULL) {
+ fprintf(stderr, "ERROR: could not open file %s: %s\n", fname,
+ sys_errlist[errno]);
+ return;
+ }
+
+ /* Dump group database */
+
+ setgrent();
+
+ while((gr = getgrent()) != NULL) {
+ fprintf(fptr,"%s:%s:%d\n", gr->gr_name, gr->gr_passwd,
+ gr->gr_gid);
+ }
+
+ endgrent();
+
+ /* Close results file */
+
+ fclose(fptr);
+}
+
+int main(int argc, char **argv)
+{
+ pid_t pid;
+
+ /* Check args */
+
+ if (argc != 2) {
+ printf("ERROR: must specify output file identifier\n");
+ return 1;
+ }
+
+ /* Fork child process */
+
+ if ((pid = fork()) == -1) {
+ printf("ERROR: unable to fork\n");
+ return 1;
+ }
+
+ /* Handle test case */
+
+ if (pid > 0) {
+ int status;
+
+ /* Parent */
+
+ dump_grent(argv[1]);
+ wait(&status);
+
+ } else {
+
+ /* Child */
+
+ dump_grent(argv[1]);
+ return 0;
+ }
+
+ printf("PASS: run getgrent_r.c\n");
+ return 0;
+}
diff --git a/testsuite/nsswitch/getgrent_r.exp b/testsuite/nsswitch/getgrent_r.exp
new file mode 100644
index 0000000..c03237c
--- /dev/null
+++ b/testsuite/nsswitch/getgrent_r.exp
@@ -0,0 +1,41 @@
+#
+# @(#) Test multiple threads can enumerate groups correctly
+#
+
+load_lib util-defs.exp
+load_lib "$srcdir/lib/nsswitch-config.exp"
+
+# Compile getgrent_r.c
+
+set output [target_compile "$srcdir/$subdir/getgrent_r.c" \
+ "$srcdir/$subdir/getgrent_r" executable {additional_flags="-g"}]
+
+if {$output != ""} {
+ perror "compile getgrent_r"
+ puts $output
+ return
+}
+
+# Clean up output from previous tests
+
+set pid [pid]
+file delete [glob -nocomplain "/tmp/getgrent_r-$pid.out-*"]
+
+# Run test proggy
+
+set output [util_start "$srcdir/$subdir/getgrent_r" "$pid" ""]
+if {![regexp "^PASS:" $output]} {
+ perror "run getgrent_r"
+ puts $output
+ return -1
+}
+
+# Sort and compare output
+
+set output [util_start "$srcdir/$subdir/getent_r.sh" "getgrent $pid" ""]
+if {$output == ""} {
+ pass "getgrent_r"
+} else {
+ fail "getgrent_r"
+ puts $output
+}
diff --git a/testsuite/nsswitch/getgrgid.c b/testsuite/nsswitch/getgrgid.c
new file mode 100644
index 0000000..947dd0a
--- /dev/null
+++ b/testsuite/nsswitch/getgrgid.c
@@ -0,0 +1,57 @@
+/*
+ * Lookup a group by gid.
+ */
+
+#include <stdio.h>
+#include <grp.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+ struct group *gr;
+ gid_t gid;
+
+ /* Check args */
+
+ if (argc != 2) {
+ printf("ERROR: no arg specified\n");
+ exit(1);
+ }
+
+ if ((gid = atoi(argv[1])) == 0) {
+ printf("ERROR: invalid gid specified\n");
+ exit(1);
+ }
+
+ /* Do getgrgid() */
+
+ if ((gr = getgrgid(gid)) == NULL) {
+ printf("FAIL: gid %d does not exist\n", gid);
+ exit(1);
+ }
+
+ /* Print group info */
+
+ printf("PASS: gid %d exists\n", gid);
+ printf("gr_name = %s\n", gr->gr_name);
+ printf("gr_passwd = %s\n", gr->gr_passwd);
+ printf("gr_gid = %d\n", gr->gr_gid);
+
+ /* Group membership */
+
+ if (gr->gr_mem != NULL) {
+ int i = 0;
+
+ printf("gr_mem = ");
+ while(gr->gr_mem[i] != NULL) {
+ printf("%s", gr->gr_mem[i]);
+ i++;
+ if (gr->gr_mem != NULL) {
+ printf(",");
+ }
+ }
+ printf("\n");
+ }
+
+ exit(0);
+}
diff --git a/testsuite/nsswitch/getgrgid.exp b/testsuite/nsswitch/getgrgid.exp
new file mode 100644
index 0000000..c53749f
--- /dev/null
+++ b/testsuite/nsswitch/getgrgid.exp
@@ -0,0 +1,50 @@
+#
+# @(#) Test reverse lookup of group ids from getent match getgrgid() output
+#
+
+load_lib util-defs.exp
+load_lib compile.exp
+
+# Compile getgruid.c
+
+simple_compile "getgrgid"
+
+# Get list of gids using getent
+
+set output [util_start "getent" "group" ""]
+set got_entries 0
+
+verbose $output
+
+foreach {line} [split $output "\n"] {
+
+ # Process user
+
+ set grp_entry [split $line ":"]
+ set group [lindex $grp_entry 0]
+
+ if {[regexp {^[^/]+/} $group]} {
+
+ set got_entries 1
+
+ # Only lookup winbindd users
+
+ set gid [lindex $grp_entry 2]
+
+ # Test lookup of gid succeeds
+
+ set output [util_start "$srcdir/$subdir/getgrgid" "$gid" ""]
+ verbose $output
+
+ if {[regexp "PASS:" $output]} {
+ pass "getgrgid $gid ($group)"
+ } else {
+ fail "getgrgid $gid ($group)"
+ }
+ }
+
+}
+
+if {!$got_entries} {
+ perror "No domain groups returned from getent"
+}
diff --git a/testsuite/nsswitch/getgrnam.c b/testsuite/nsswitch/getgrnam.c
new file mode 100644
index 0000000..8ab4046
--- /dev/null
+++ b/testsuite/nsswitch/getgrnam.c
@@ -0,0 +1,51 @@
+/*
+ * Lookup a group by name
+ */
+
+#include <stdio.h>
+#include <grp.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+ struct group *gr;
+
+ /* Check args */
+
+ if (argc != 2) {
+ printf("ERROR: no arg specified\n");
+ exit(1);
+ }
+
+ /* Do getgrnam() */
+
+ if ((gr = getgrnam(argv[1])) == NULL) {
+ printf("FAIL: group %s does not exist\n", argv[1]);
+ exit(1);
+ }
+
+ /* Print group info */
+
+ printf("PASS: group %s exists\n", argv[1]);
+ printf("gr_name = %s\n", gr->gr_name);
+ printf("gr_passwd = %s\n", gr->gr_passwd);
+ printf("gr_gid = %d\n", gr->gr_gid);
+
+ /* Group membership */
+
+ if (gr->gr_mem != NULL) {
+ int i = 0;
+
+ printf("gr_mem = ");
+ while(gr->gr_mem[i] != NULL) {
+ printf("%s", gr->gr_mem[i]);
+ i++;
+ if (gr->gr_mem != NULL) {
+ printf(",");
+ }
+ }
+ printf("\n");
+ }
+
+ exit(0);
+}
diff --git a/testsuite/nsswitch/getgrnam.exp b/testsuite/nsswitch/getgrnam.exp
new file mode 100644
index 0000000..92c5b76
--- /dev/null
+++ b/testsuite/nsswitch/getgrnam.exp
@@ -0,0 +1,28 @@
+#
+# @(#) Test domain groups resolve using getgrnam()
+#
+
+load_lib "util-defs.exp"
+load_lib "compile.exp"
+
+# Compile getgrnam.c
+
+simple_compile "getgrnam"
+
+# Test domain groups
+
+set group_list [split [util_start "bin/wbinfo" "-g"] "\n"]
+
+verbose $group_list
+
+foreach {group} $group_list {
+ set output [util_start "$srcdir/$subdir/getgrnam" "\"$group\"" ""]
+
+ verbose $output
+
+ if {[regexp "PASS:" $output]} {
+ pass "getgrnam $group"
+ } else {
+ fail "getgrnam $group"
+ }
+}
diff --git a/testsuite/nsswitch/getpwent_r.c b/testsuite/nsswitch/getpwent_r.c
new file mode 100644
index 0000000..5e77491
--- /dev/null
+++ b/testsuite/nsswitch/getpwent_r.c
@@ -0,0 +1,85 @@
+/*
+ * Use set/get/endpwent calls from two processes to iterate over the
+ * password database. This checks the multithreaded stuff works.
+ */
+
+#include <stdio.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <wait.h>
+
+void dump_pwent(char *id)
+{
+ struct passwd *pw;
+ char fname[255];
+ FILE *fptr;
+
+ /* Open results file */
+
+ sprintf(fname, "/tmp/getpwent_r-%s.out-%d", id, getpid());
+
+ if ((fptr = fopen(fname, "w")) == 0) {
+ fprintf(stderr, "ERROR: could not open file %s: %s\n", fname,
+ sys_errlist[errno]);
+ return;
+ }
+
+ /* Dump passwd database */
+
+ setpwent();
+
+ while((pw = getpwent()) != NULL) {
+ fprintf(fptr,"%s:%s:%s:%d:%d\n", pw->pw_name, pw->pw_passwd,
+ pw->pw_gecos, pw->pw_uid, pw->pw_gid);
+ }
+
+ endpwent();
+
+ /* Close results file */
+
+ fclose(fptr);
+}
+
+#define NUM_FORKS 2
+
+int main(int argc, char **argv)
+{
+ pid_t pids[NUM_FORKS];
+ int i, status;
+
+ /* Check args */
+
+ if (argc != 2) {
+ printf("ERROR: must specify output file identifier\n");
+ return 1;
+ }
+
+ for(i = 0; i < NUM_FORKS; i++) {
+
+ /* Fork off lots */
+
+ if ((pids[i] = fork()) == -1) {
+ perror("fork");
+ return 1;
+ }
+
+ /* Child does tests */
+
+ if (pids[i] == 0) {
+ dump_pwent(argv[1]);
+ return 0;
+ }
+ }
+
+ /* Wait for everyone to finish */
+
+ for (i = 0; i < NUM_FORKS; i++) {
+ waitpid(pids[i], &status, 0);
+ }
+
+ printf("PASS: getpwent_r.c\n");
+ return 0;
+}
diff --git a/testsuite/nsswitch/getpwent_r.exp b/testsuite/nsswitch/getpwent_r.exp
new file mode 100644
index 0000000..95c155d
--- /dev/null
+++ b/testsuite/nsswitch/getpwent_r.exp
@@ -0,0 +1,41 @@
+#
+# @(#) Test multiple threads can enumerate users correctly
+#
+
+load_lib util-defs.exp
+load_lib "$srcdir/lib/nsswitch-config.exp"
+
+# Compile getpwent_r.c
+
+set output [target_compile "$srcdir/$subdir/getpwent_r.c" \
+ "$srcdir/$subdir/getpwent_r" executable {additional_flags="-g"}]
+
+if {$output != ""} {
+ perror "compile getpwent_r"
+ puts $output
+ fail ""
+}
+
+# Clean up output from previous tests
+
+set pid [pid]
+file delete [glob -nocomplain "/tmp/getpwent_r-$pid.out-*"]
+
+# Run test proggy
+
+set output [util_start "$srcdir/$subdir/getpwent_r" "$pid" ""]
+if {![regexp "^PASS:" $output]} {
+ perror "run getpwent_r"
+ puts $output
+ return -1
+}
+
+# Sort and compare output
+
+set output [util_start "$srcdir/$subdir/getent_r.sh" "getpwent $pid" ""]
+if {$output == ""} {
+ pass "getpwent_r"
+} else {
+ fail "getpwent_r"
+ puts $output
+}
diff --git a/testsuite/nsswitch/getpwnam.c b/testsuite/nsswitch/getpwnam.c
new file mode 100644
index 0000000..e7dd291
--- /dev/null
+++ b/testsuite/nsswitch/getpwnam.c
@@ -0,0 +1,37 @@
+/*
+ * Lookup a user by name
+ */
+
+#include <stdio.h>
+#include <pwd.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+ struct passwd *pw;
+
+ /* Check args */
+
+ if (argc != 2) {
+ printf("ERROR: no arg specified\n");
+ exit(1);
+ }
+
+ /* Do getpwnam() */
+
+ if ((pw = getpwnam(argv[1])) == NULL) {
+ printf("FAIL: user %s does not exist\n", argv[1]);
+ exit(1);
+ }
+
+ printf("PASS: user %s exists\n", argv[1]);
+ printf("pw_name = %s\n", pw->pw_name);
+ printf("pw_passwd = %s\n", pw->pw_passwd);
+ printf("pw_uid = %d\n", pw->pw_uid);
+ printf("pw_gid = %d\n", pw->pw_gid);
+ printf("pw_gecos = %s\n", pw->pw_gecos);
+ printf("pw_dir = %s\n", pw->pw_dir);
+ printf("pw_shell = %s\n", pw->pw_shell);
+
+ exit(0);
+}
diff --git a/testsuite/nsswitch/getpwnam.exp b/testsuite/nsswitch/getpwnam.exp
new file mode 100644
index 0000000..5f6b234
--- /dev/null
+++ b/testsuite/nsswitch/getpwnam.exp
@@ -0,0 +1,28 @@
+#
+# @(#) Test domain users resolve using getpwnam()
+#
+
+load_lib util-defs.exp
+load_lib "compile.exp"
+
+# Compile getpwnam.c
+
+simple_compile "getpwnam"
+
+# Test domain users
+
+set user_list [split [util_start "bin/wbinfo" "-u"] "\n"]
+
+verbose $user_list
+
+foreach { user } $user_list {
+ set output [util_start "$srcdir/$subdir/getpwnam" "\"$user\"" ""]
+
+ verbose $output
+
+ if {[regexp "PASS:" $output]} {
+ pass "getpwnam $user"
+ } else {
+ fail "getpwnam $user"
+ }
+}
diff --git a/testsuite/nsswitch/getpwuid.c b/testsuite/nsswitch/getpwuid.c
new file mode 100644
index 0000000..3f364df
--- /dev/null
+++ b/testsuite/nsswitch/getpwuid.c
@@ -0,0 +1,43 @@
+/*
+ * Lookup a user by uid.
+ */
+
+#include <stdio.h>
+#include <pwd.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+ struct passwd *pw;
+ uid_t uid;
+
+ /* Check args */
+
+ if (argc != 2) {
+ printf("ERROR: no arg specified\n");
+ exit(1);
+ }
+
+ if ((uid = atoi(argv[1])) == 0) {
+ printf("ERROR: invalid uid specified\n");
+ exit(1);
+ }
+
+ /* Do getpwuid() */
+
+ if ((pw = getpwuid(uid)) == NULL) {
+ printf("FAIL: uid %d does not exist\n", uid);
+ exit(1);
+ }
+
+ printf("PASS: uid %d exists\n", uid);
+ printf("pw_name = %s\n", pw->pw_name);
+ printf("pw_passwd = %s\n", pw->pw_passwd);
+ printf("pw_uid = %d\n", pw->pw_uid);
+ printf("pw_gid = %d\n", pw->pw_gid);
+ printf("pw_gecos = %s\n", pw->pw_gecos);
+ printf("pw_dir = %s\n", pw->pw_dir);
+ printf("pw_shell = %s\n", pw->pw_shell);
+
+ exit(0);
+}
diff --git a/testsuite/nsswitch/getpwuid.exp b/testsuite/nsswitch/getpwuid.exp
new file mode 100644
index 0000000..be6a01c
--- /dev/null
+++ b/testsuite/nsswitch/getpwuid.exp
@@ -0,0 +1,59 @@
+#
+# @(#) Test reverse lookup of user ids from getent match getpwuid() output
+#
+
+load_lib util-defs.exp
+
+# Compile getpwuid.c
+
+set output [target_compile "$srcdir/$subdir/getpwuid.c" \
+ "$srcdir/$subdir/getpwuid" executable {additional_flags="-g"}]
+
+if {$output != ""} {
+ perror "compile getpwuid"
+ puts $output
+ return
+}
+
+# Get list of uids using getent
+
+set output [util_start "getent" "passwd" ""]
+set got_entries 0
+
+verbose $output
+
+foreach {line} [split $output "\n"] {
+
+ # Process user
+
+ set pwd_entry [split $line ":"]
+ set user [lindex $pwd_entry 0]
+
+ if {[regexp {^[^/]+/} $user]} {
+
+ set got_entries 1
+
+ # Only lookup winbindd users
+
+ set uid [lindex $pwd_entry 2]
+ set gid [lindex $pwd_entry 3]
+
+ # Test lookup of uid succeeds
+
+ set output [util_start "$srcdir/$subdir/getpwuid" "$uid" ""]
+
+ verbose $output
+
+ set test_desc "getpwuid $uid ($user)"
+
+ if {[regexp "PASS:" $output]} {
+ pass $test_desc
+ } else {
+ fail $test_desc
+ }
+ }
+}
+
+if {!$got_entries} {
+ perror "No domain users returned from getent"
+}
diff --git a/testsuite/nsswitch/groupmem_dom.exp b/testsuite/nsswitch/groupmem_dom.exp
new file mode 100644
index 0000000..3ba34bb
--- /dev/null
+++ b/testsuite/nsswitch/groupmem_dom.exp
@@ -0,0 +1,33 @@
+#
+# @(#) Test whether members of domain groups all have domain names
+#
+
+load_lib util-defs.exp
+
+set group_list [split [util_start "getent group" ""] "\n"]
+set failed 0
+
+foreach { group } $group_list {
+ set group_entry [split $group ":"]
+
+ set group_name [lindex $group_entry 0]
+ set group_members [split [lindex $group_entry 3] ","]
+
+ if { [regexp {^[^/]+/} $group_name] } {
+
+ verbose "group $group_name has members $group_members"
+
+ foreach { user } $group_members {
+ if { ![regexp {^[^/]+/} $user] } {
+ fail "group $group has non-domain user $user"
+ set failed 1
+ }
+ }
+ } else {
+ verbose "ignoring non-domain group $group_name"
+ }
+}
+
+if { !$failed } {
+ pass "domain groups contain only domain members"
+}
diff --git a/testsuite/nsswitch/initgroups.c b/testsuite/nsswitch/initgroups.c
new file mode 100644
index 0000000..b7d9c50
--- /dev/null
+++ b/testsuite/nsswitch/initgroups.c
@@ -0,0 +1,42 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <grp.h>
+#include <pwd.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+ int result, ngroups, i;
+ gid_t *groups;
+ struct passwd *pw;
+
+ if (!(pw = getpwnam(argv[1]))) {
+ printf("FAIL: no passwd entry for %s\n", argv[1]);
+ return 1;
+ }
+
+ result = initgroups(argv[1], pw->pw_gid);
+
+ if (result == -1) {
+ printf("FAIL");
+ return 1;
+ }
+
+ ngroups = getgroups(0, NULL);
+
+ groups = (gid_t *)malloc(sizeof(gid_t) * ngroups);
+ ngroups = getgroups(ngroups, groups);
+
+ printf("%s is a member of groups:\n", argv[1]);
+
+ for (i = 0; i < ngroups; i++) {
+ struct group *grp;
+
+ grp = getgrgid(groups[i]);
+
+ printf("%d (%s)\n", groups[i], grp ? grp->gr_name : "?");
+ }
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/nsswitch/initgroups.exp b/testsuite/nsswitch/initgroups.exp
new file mode 100644
index 0000000..ab21bcc
--- /dev/null
+++ b/testsuite/nsswitch/initgroups.exp
@@ -0,0 +1,37 @@
+#
+# @(#) Test initgroups function
+#
+
+load_lib util-defs.exp
+load_lib compile.exp
+
+if { [util_start "id -u"] != 0 } {
+ set test_desc "must be userid 0 to run"
+ note $test_desc
+ untested $test_desc
+ return
+}
+
+# Compile test program
+
+simple_compile "initgroups"
+
+# Test domain users
+
+set user_list [split [util_start "bin/wbinfo" "-u"] "\n"]
+
+verbose $user_list
+
+foreach { user } $user_list {
+ set output [util_start "$srcdir/$subdir/initgroups" "\"$user\"" ""]
+
+ verbose $output
+
+ set test_desc "initgroups $user"
+
+ if { [regexp "PASS" $output] } {
+ pass $test_desc
+ } else {
+ fail $test_desc
+ }
+}
diff --git a/testsuite/nsswitch/login.exp b/testsuite/nsswitch/login.exp
new file mode 100644
index 0000000..c2bb0e5
--- /dev/null
+++ b/testsuite/nsswitch/login.exp
@@ -0,0 +1,102 @@
+#
+# @(#) Test logins using pam_winbind.so module using telnet
+#
+
+load_lib util-defs.exp
+load_lib nsswitch-config.exp
+
+#
+# @(#) Test user can login
+#
+
+spawn telnet localhost
+
+set test_desc "telnet localhost (login)"
+
+expect {
+ "login:" { }
+ timeout { fail "timed out in $test_desc"; return }
+ eof { fail "end of file in $test_desc"; return }
+}
+
+send "$domain/$USER\r"
+
+set test_desc "telnet localhost (password)"
+
+expect {
+ "Password:" { }
+ timeout { fail "timed out in $test_desc"; return }
+ eof { fail "end of file in $test_desc"; return }
+}
+
+send "$PASSWORD\r"
+
+expect {
+ "$ " { }
+ "Login incorrect" { fail "login incorrect"; return }
+ timeout { fail "timed out in $test_desc"; return }
+ eof { fail "end of file in $test_desc"; return }
+}
+
+pass "login $domain/$USER"
+
+#
+# @(#) Check supplementary group membership
+#
+
+set test_desc "supplementary groups"
+
+# Get list of groups
+
+send "id -G\r"
+
+expect {
+ -re "((\[0-9]+ )*\[0-9]+\r)" { exp_continue; }
+ "$ " { }
+ timeout { fail "timed out in $test_desc"; return }
+ eof { fail "end of file in $test_desc"; return }
+}
+
+set groups $expect_out(1,string)
+set wb_groups [util_start "bin/wbinfo" "-r $domain/$USER"]
+
+verbose "id groups are $groups"
+verbose "wbinfo groups are $wb_groups"
+
+# Check all groups from id are in wbinfo and vice-versa
+
+set failed 0
+
+foreach { group } $groups {
+ set got_group 0
+ foreach { wb_group } $wb_groups {
+ if { $wb_group == $group } {
+ set got_group 1
+ break
+ }
+ }
+
+ if { !$got_group } {
+ fail "group $group not in output of wbinfo -r"
+ set failed 1
+ }
+}
+
+foreach { wb_group } $wb_groups {
+ set got_group 0
+ foreach { group } $groups {
+ if { $group == $wb_group } {
+ set got_group 1
+ break
+ }
+ }
+
+ if { !$got_group } {
+ fail "group $group not in output of id -G"
+ set failed 1
+ }
+}
+
+if { !$failed } {
+ pass "id/wbinfo groups match"
+}
diff --git a/testsuite/nsswitch/longarg.exp b/testsuite/nsswitch/longarg.exp
new file mode 100644
index 0000000..e1d0eda
--- /dev/null
+++ b/testsuite/nsswitch/longarg.exp
@@ -0,0 +1,29 @@
+#
+# @(#) Test handling of long arguments passed to various nss functions
+#
+
+load_lib compile.exp
+load_lib util-defs.exp
+
+# Run tests from C source files
+
+set longarg_tests [list \
+ { "long arg to getpwnam()" "longarg_getpwnam" } \
+ { "long arg to getgrnam()" "longarg_getgrnam" } \
+ ]
+
+foreach { test } $longarg_tests {
+ set test_desc [lindex $test 0]
+ set test_file [lindex $test 1]
+
+ simple_make "longarg" $test_file
+ set output [util_start "$srcdir/$subdir/$test_file" ]
+
+ if { [regexp "PASS" $output] } {
+ pass $test_desc
+ file delete "$srcdir/$subdir/$test_file" "$srcdir/$subdir/$test_file.o"
+ } else {
+ fail $test_desc
+ puts $output
+ }
+}
diff --git a/testsuite/nsswitch/longarg_getgrnam.c b/testsuite/nsswitch/longarg_getgrnam.c
new file mode 100644
index 0000000..4128424
--- /dev/null
+++ b/testsuite/nsswitch/longarg_getgrnam.c
@@ -0,0 +1,41 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <grp.h>
+#include <sys/types.h>
+
+#include "longarg_utils.h"
+
+int main(void)
+{
+ struct group *grp;
+ char *domain = getenv("TEST_WORKGROUP");
+ char long_name[65535];
+ int failed = 0;
+
+ sprintf(long_name, "%s/%s", domain, LONG_STRING);
+
+ grp = getgrnam(long_name);
+ printf("%s\n", !grp ? "PASS" : "FAIL");
+
+ return grp == NULL;
+}
diff --git a/testsuite/nsswitch/longarg_getpwnam.c b/testsuite/nsswitch/longarg_getpwnam.c
new file mode 100644
index 0000000..1b6f544
--- /dev/null
+++ b/testsuite/nsswitch/longarg_getpwnam.c
@@ -0,0 +1,41 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <pwd.h>
+#include <sys/types.h>
+
+#include "longarg_utils.h"
+
+int main(void)
+{
+ struct passwd *pwd;
+ char *domain = getenv("TEST_WORKGROUP");
+ char long_name[65535];
+ int failed = 0;
+
+ sprintf(long_name, "%s/%s", domain, LONG_STRING);
+
+ pwd = getpwnam(long_name);
+ printf("%s\n", !pwd ? "PASS" : "FAIL");
+
+ return pwd == NULL;
+}
diff --git a/testsuite/nsswitch/longarg_utils.h b/testsuite/nsswitch/longarg_utils.h
new file mode 100644
index 0000000..9c6088e
--- /dev/null
+++ b/testsuite/nsswitch/longarg_utils.h
@@ -0,0 +1,26 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LONGARG_UTILS_H
+#define _LONGARG_UTILS_H
+
+#define LONG_STRING "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+#endif
diff --git a/testsuite/nsswitch/nss_winbind_syms.c b/testsuite/nsswitch/nss_winbind_syms.c
new file mode 100644
index 0000000..29d1da9
--- /dev/null
+++ b/testsuite/nsswitch/nss_winbind_syms.c
@@ -0,0 +1,63 @@
+/*
+ * Test required functions are exported from the libnss_winbind.so library
+ */
+
+#include <stdio.h>
+#include <dlfcn.h>
+
+/* Symbol list to check */
+
+static char *symlist[] = {
+ "_nss_winbind_getgrent_r",
+ "_nss_winbind_endgrent",
+ "_nss_winbind_endpwent",
+ "_nss_winbind_getgrgid_r",
+ "_nss_winbind_getgrnam_r",
+ "_nss_winbind_getpwent_r",
+ "_nss_winbind_getpwnam_r",
+ "_nss_winbind_getpwuid_r",
+ "_nss_winbind_setgrent",
+ "_nss_winbind_setpwent",
+ "_nss_winbind_initgroups",
+ NULL
+};
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ void *handle, *sym;
+ int i, y;
+
+ /* Open library */
+
+ if (argc != 2) {
+ printf("FAIL: usage '%s sharedlibname'\n", argv[0]);
+ return 1;
+ }
+
+ handle = dlopen(argv[1], RTLD_NOW);
+
+ if (handle == NULL) {
+ printf("FAIL: could not dlopen library: %s\n", dlerror());
+ return 1;
+ }
+
+ /* Read symbols */
+
+ for (i = 0; symlist[i] != NULL; i++) {
+ sym = dlsym(handle, symlist[i]);
+ if (sym == NULL) {
+ printf("FAIL: could not resolve symbol '%s': %s\n",
+ symlist[i], dlerror());
+ return 1;
+ } else {
+ printf("loaded symbol '%s' ok\n", symlist[i]);
+ }
+ }
+
+ /* Clean up */
+
+ dlclose(handle);
+ return 0;
+}
diff --git a/testsuite/nsswitch/nss_winbind_syms.exp b/testsuite/nsswitch/nss_winbind_syms.exp
new file mode 100644
index 0000000..ab84cc5
--- /dev/null
+++ b/testsuite/nsswitch/nss_winbind_syms.exp
@@ -0,0 +1,42 @@
+#
+# @(#) Test nss functions are exported from the libnss_winbind.so library
+# @(#) Test there are no external dependencies in the libnss_winbind.so library
+#
+# We expect the following symbols to be exported:
+#
+# _nss_winbind_getgrent_r
+# _nss_winbind_endgrent
+# _nss_winbind_endpwent
+# _nss_winbind_getgrgid_r
+# _nss_winbind_getgrnam_r
+# _nss_winbind_getpwent_r
+# _nss_winbind_getpwnam_r
+# _nss_winbind_getpwuid_r
+# _nss_winbind_setgrent
+# _nss_winbind_setpwent
+# _nss_winbind_initgroups
+#
+# This test also has the nice side-effect of showing any unresolved symbols
+# in the library.
+#
+
+load_lib util-defs.exp
+load_lib compile.exp
+
+simple_compile "nss_winbind_syms" "-ldl"
+
+set output [util_start "$srcdir/$subdir/nss_winbind_syms" \
+ "nsswitch/libnss_winbind.so"]
+
+verbose $output
+
+if { [regexp "FAIL:" $output] } {
+ fail "run nss_winbind_syms"
+ return
+}
+
+pass "nss_winbind_syms"
+
+# Clean up
+
+file delete "$srcdir/$subdir/nss_winbind_syms"
diff --git a/testsuite/nsswitch/pam_winbind_syms.c b/testsuite/nsswitch/pam_winbind_syms.c
new file mode 100644
index 0000000..1264bdb
--- /dev/null
+++ b/testsuite/nsswitch/pam_winbind_syms.c
@@ -0,0 +1,55 @@
+/*
+ * Test required functions are exported from the pam_winbind.so library
+ */
+
+#include <stdio.h>
+#include <dlfcn.h>
+
+/* Symbol list to check */
+
+static char *symlist[] = {
+ "pam_sm_acct_mgmt",
+ "pam_sm_authenticate",
+ "pam_sm_setcred",
+ NULL
+};
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ void *handle, *sym;
+ int i, y;
+
+ /* Open library */
+
+ if (argc != 2) {
+ printf("FAIL: usage '%s sharedlibname'\n", argv[0]);
+ return 1;
+ }
+
+ handle = dlopen(argv[1], RTLD_NOW);
+
+ if (handle == NULL) {
+ printf("FAIL: could not dlopen library: %s\n", dlerror());
+ return 1;
+ }
+
+ /* Read symbols */
+
+ for (i = 0; symlist[i] != NULL; i++) {
+ sym = dlsym(handle, symlist[i]);
+ if (sym == NULL) {
+ printf("FAIL: could not resolve symbol '%s': %s\n",
+ symlist[i], dlerror());
+ return 1;
+ } else {
+ printf("loaded symbol '%s' ok\n", symlist[i]);
+ }
+ }
+
+ /* Clean up */
+
+ dlclose(handle);
+ return 0;
+}
diff --git a/testsuite/nsswitch/pam_winbind_syms.exp b/testsuite/nsswitch/pam_winbind_syms.exp
new file mode 100644
index 0000000..7c85a2d
--- /dev/null
+++ b/testsuite/nsswitch/pam_winbind_syms.exp
@@ -0,0 +1,44 @@
+#
+# @(#) Test nss functions are exported from the pam_winbind.so library
+# @(#) Test there are no external dependencies in the pam_winbind.so library
+#
+# We expect the following symbols to be exported:
+#
+# pam_sm_acct_mgmt
+# pam_sm_authenticate
+# pam_sm_setcred
+#
+# This test also has the nice side-effect of showing any unresolved symbols
+# in the library.
+#
+
+load_lib util-defs.exp
+
+# Compile pam_winbind_syms.c
+
+set output [target_compile "$srcdir/$subdir/pam_winbind_syms.c" \
+ "$srcdir/$subdir/pam_winbind_syms" executable \
+ {"libs=-ldl -lpam" "additional_flags=-g"}]
+
+if {$output != ""} {
+ perror "compile pam_winbind_syms.c"
+ puts $output
+ return
+}
+
+# Run load-dl.c
+
+set output [util_start "$srcdir/$subdir/pam_winbind_syms" \
+ "bin/pam_winbind.so"]
+
+if {[regexp "FAIL:" $output]} {
+ fail "run pam_winbind_syms"
+ puts $output
+ return
+}
+
+pass "pam_winbind_syms"
+
+# Clean up
+
+file delete "$srcdir/$subdir/pam_winbind_syms"
diff --git a/testsuite/nsswitch/wbinfo.exp b/testsuite/nsswitch/wbinfo.exp
new file mode 100644
index 0000000..8be25b2
--- /dev/null
+++ b/testsuite/nsswitch/wbinfo.exp
@@ -0,0 +1,360 @@
+#
+# @(#) Test wbinfo client access to winbind daemon
+#
+
+load_lib "util-defs.exp"
+load_lib "$srcdir/lib/nsswitch-config.exp"
+load_lib "$srcdir/lib/default-nt-names.exp"
+
+# Name types
+
+set SID_NAME_USER 1
+set SID_NAME_DOM_GRP 2
+set SID_NAME_DOMAIN 3
+set SID_NAME_ALIAS 4
+set SID_NAME_UNKNOWN 8
+
+# Get list of users and groups
+
+set user_list [util_start "bin/wbinfo" "-u"]
+set group_list [util_start "bin/wbinfo" "-g"]
+
+verbose "user list is:\n$user_list"
+verbose "group list is:\n$group_list"
+
+set user_list [split $user_list "\n"]
+set group_list [split $group_list "\n"]
+
+#
+# @(#) Check list of users and groups contain default NT user and group
+# @(#) names
+#
+
+# Users
+
+foreach { user } $domain_users {
+ set test_desc "user $user in wbinfo domain users"
+ if {![regexp $user $user_list]} {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+# Groups
+
+foreach { group } $domain_groups {
+ set test_desc "group $group in wbinfo domain groups"
+ if {![regexp $group $group_list]} {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+#
+# @(#) Lookup sids for all user and group names returned by wbinfo
+#
+
+# Users
+
+foreach { user } $user_list {
+ set test_desc "get sid for user $user"
+ set output [util_start "bin/wbinfo" "-n \"$user\""]
+
+ verbose $output
+
+ # Split output into name and name_type
+
+ set list [split $output " "]
+ set sid_type [lindex $list [expr [llength $list] - 1]]
+ set sid [join [lrange $list 0 [expr [llength $list] - 2]] " "]
+
+ if { ![regexp "S-" $sid] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ set test_desc "sid type for user $user"
+ if { $sid_type != $SID_NAME_USER } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ lappend user_sid_list $sid
+}
+
+# Groups
+
+foreach { group } $group_list {
+ set test_desc "get sid for group $group"
+ set output [util_start "bin/wbinfo" "-n \"$group\""]
+
+ verbose $output
+
+ # Split output into sid and sid type
+
+ set list [split $output " "]
+ set sid_type [lindex $list [expr [llength $list] - 1]]
+ set sid [join [lrange $list 0 [expr [llength $list] - 2]] " "]
+
+ if { ![regexp "S-" $sid] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ set test_desc "sid type for group group"
+ if { $sid_type != $SID_NAME_DOM_GRP } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ lappend group_sid_list $sid
+}
+
+#
+# @(#) Check reverse lookup of sids to names
+#
+
+# Users
+
+set count 0
+
+foreach { sid } $user_sid_list {
+ set test_desc "reverse user name lookup for sid $sid"
+ set output [util_start "bin/wbinfo" "-s $sid"]
+
+ verbose $output
+
+ # Split output into name and name_type
+
+ set list [split $output " "]
+ set name_type [lindex $list [expr [llength $list] - 1]]
+ set name [join [lrange $list 0 [expr [llength $list] - 2]] " "]
+
+ if { $name != [lindex $user_list $count] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ set test_desc "reverse user name type lookup for sid $sid"
+
+ if { $name_type != 1 } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ incr count
+}
+
+# Groups
+
+set count 0
+
+foreach { sid } $group_sid_list {
+ set test_desc "reverse group name lookup for sid $sid"
+ set output [util_start "bin/wbinfo" "-s $sid"]
+
+ verbose $output
+
+ # Split output into name and name_type
+
+ set list [split $output " "]
+ set name_type [lindex $list [expr [llength $list] - 1]]
+ set name [join [lrange $list 0 [expr [llength $list] - 2]] " "]
+
+ if { $name != [lindex $group_list $count] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ set test_desc "reverse group name type lookup for sid $sid"
+
+ if { $name_type != 2 } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ incr count
+}
+
+#
+# @(#) Cross-check the output of wbinfo -n, getent passwd/group and
+# @(#) wbinfo -S
+#
+
+# Get mapped list of uids from winbindd
+
+set output [util_start "getent" "passwd"]
+set user_list [split $output "\n"]
+
+foreach { user_entry } $user_list {
+ if { [regexp $domain $user_entry] } {
+ set field_list [split $user_entry ":"]
+ set name_output [util_start "bin/wbinfo" \
+ "-n \"[lindex $field_list 0]\""]
+ set list [split $name_output " "]
+ set name_type [lindex $list [expr [llength $list] - 1]]
+ set name [join [lrange $list 0 [expr [llength $list] - 2]] " "]
+ set username_uid_sid [lappend username_uid_sid [list \
+ [lindex $field_list 0] \
+ [lindex $field_list 2] \
+ $name]]
+ }
+}
+
+# Get mapped list of gids from winbindd
+
+set output [util_start "getent" "group"]
+set group_list [split $output "\n"]
+
+foreach { group_entry } $group_list {
+ if { [regexp $domain $group_entry] } {
+ set field_list [split $group_entry ":"]
+ set groupname_gid_sid [lappend groupname_gid_sid [list \
+ [lindex $field_list 0] \
+ [lindex $field_list 2] \
+ [util_start "bin/wbinfo" "-n \"[lindex $field_list 0]\""]]]
+ }
+}
+
+# OK, now we have enough info to cross-check the uid/gid -> sid and
+# sid -> uid/gid functions
+
+foreach { user } $username_uid_sid {
+ set sid [util_start "bin/wbinfo" "-U [lindex $user 1]"]
+ set uid [util_start "bin/wbinfo" "-S [lindex $user 2]"]
+
+ set test_desc "lookup sid by uid [lindex $user 1]"
+
+ if { $sid != [lindex $user 2] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ set test_desc "lookup uid by sid [lindex $user 2]"
+
+ if { $uid != [lindex $user 1] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+foreach { group } $groupname_gid_sid {
+ set sid [util_start "bin/wbinfo" "-G [lindex $group 1]"]
+ set gid [util_start "bin/wbinfo" "-Y [lindex $group 2]"]
+
+ set test_desc "lookup sid by gid [lindex $group 1]"
+
+ if { $sid != [lindex [split [lindex $group 2] " "] 0] ||
+ [lindex [split [lindex $group 2] " " ] 1] != 2 } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+
+ set test_desc "lookup gid by sid [lindex $group 2]"
+
+ if { $gid != [lindex $group 1] } {
+ fail $test_desc
+ } else {
+ pass $test_desc
+ }
+}
+
+# Check exit codes
+
+proc check_errcode { args } {
+ global errorCode
+ set test_desc [lindex $args 0]
+ set cmd [lindex $args 1]
+ set result [lindex $args 2]
+
+ set errorCode ""
+ verbose "Spawning $cmd"
+ catch "exec $cmd" output
+ set exit_code [lindex $errorCode 2]
+ if { $exit_code == "" } { set exit_code 0 }
+
+ if { $exit_code == $result } {
+ verbose "process returned correct exit code $exit_code"
+ pass $test_desc
+ } else {
+ verbose "process returned bad exit code $exit_code instead of $result"
+ fail $test_desc
+ }
+}
+
+set gooduser_name [lindex [split [lindex $user_list 0] ":"] 0]
+set gooduser_sid [util_start "bin/wbinfo" "-n $gooduser_name"]
+
+set goodgroup_name [lindex [split [lindex $group_list 0] ":"] 0]
+set goodgroup_sid [util_start "bin/wbinfo" "-n $goodgroup_name"]
+
+# Some conditions not tested:
+# - bad list users/groups
+# - good uid/gid to sid
+
+set errcode_tests [list \
+ { "exit code, no arg" "bin/wbinfo" 1 } \
+ { "exit code, invalid arg" "bin/wbinfo -@" 1 } \
+ { "exit code, list users" "bin/wbinfo -u" 0 } \
+ { "exit code, list groups" "bin/wbinfo -g" 0 } \
+ { "exit code, good name to sid" "bin/wbinfo -n $gooduser_name" 0 } \
+ { "exit code, bad name to sid" "bin/wbinfo -n asmithee" 1 } \
+ { "exit code, good sid to name" "bin/wbinfo -s $gooduser_sid" 0 } \
+ { "exit code, bad sid to name" "bin/wbinfo -s S-1234" 1 } \
+ { "exit code, bad uid to sid" "bin/wbinfo -U 0" 1 } \
+ { "exit code, bad gid to sid" "bin/wbinfo -G 0" 1} \
+ { "exit code, good sid to uid" "bin/wbinfo -S $gooduser_sid" 0 } \
+ { "exit code, bad sid to uid" "bin/wbinfo -S S-1234" 1 } \
+ { "exit code, good sid to gid" "bin/wbinfo -Y $goodgroup_sid" 0 } \
+ { "exit code, bad sid to gid" "bin/wbinfo -Y S-1234" 1 } \
+ ]
+
+foreach { test } $errcode_tests {
+ check_errcode [lindex $test 0] [lindex $test 1] [lindex $test 2]
+}
+
+# Test enumerate trusted domains
+
+set test_desc "enumerate trusted domains"
+set output [util_start "bin/wbinfo" "-m"]
+
+verbose $output
+
+foreach { the_domain } $output {
+ if { $the_domain == $domain} {
+ fail "own domain appears in trusted list"
+ }
+}
+
+if {[regexp "Usage" $output] || [regexp "Could not" $output]} {
+ fail $test_desc
+} else {
+ pass $test_desc
+}
+
+# Test check machine account
+
+set test_desc "check machine account"
+set output [util_start "bin/wbinfo" "-t"]
+
+verbose $output
+
+if {[regexp "Usage" $output] || [regexp "Could not" $output] || \
+ ![regexp "(good|bad)" $output]} {
+ fail $test_desc
+} else {
+ pass $test_desc
+}
diff --git a/testsuite/smbd/Makefile.se_access_check b/testsuite/smbd/Makefile.se_access_check
new file mode 100644
index 0000000..5637fa2
--- /dev/null
+++ b/testsuite/smbd/Makefile.se_access_check
@@ -0,0 +1,24 @@
+#
+# Makefile for se_access_check tests
+#
+
+include ../../source/Makefile
+
+# Objects common to all tests
+
+SE_ACCESS_CHECK_OBJ1 = $(LIB_OBJ) $(UBIQX_OBJ) $(PARAM_OBJ) $(RPC_PARSE_OBJ) \
+ $(LIBSMB_OBJ) lib/util_seaccess.o nsswitch/common.o
+
+SE_ACCESS_CHECK_OBJS = $(SE_ACCESS_CHECK_OBJ1:%=$(srcdir)/%) \
+ se_access_check_utils.o
+
+# Targets for individual tests
+
+se_access_check_nullsd: $(SE_ACCESS_CHECK_OBJS) se_access_check_nullsd.o
+se_access_check_everyone: $(SE_ACCESS_CHECK_OBJS) se_access_check_everyone.o
+se_access_check_allowall: $(SE_ACCESS_CHECK_OBJS) se_access_check_allowall.o
+se_access_check_denyall: $(SE_ACCESS_CHECK_OBJS) se_access_check_denyall.o
+se_access_check_allowsome: $(SE_ACCESS_CHECK_OBJS) se_access_check_allowsome.o
+se_access_check_denysome: $(SE_ACCESS_CHECK_OBJS) se_access_check_denysome.o
+se_access_check_empty: $(SE_ACCESS_CHECK_OBJS) se_access_check_empty.o
+se_access_check_printer: $(SE_ACCESS_CHECK_OBJS) se_access_check_printer.o
diff --git a/testsuite/smbd/Makefile.sec_ctx b/testsuite/smbd/Makefile.sec_ctx
new file mode 100644
index 0000000..c45ab5b
--- /dev/null
+++ b/testsuite/smbd/Makefile.sec_ctx
@@ -0,0 +1,57 @@
+#
+# Makefile for sec_ctx tests
+#
+
+include ../../source/Makefile
+
+# Objects common to all tests
+
+SEC_CTX_OBJ1 = $(RPC_CLIENT_OBJ) $(LIB_OBJ) $(RPC_PARSE_OBJ) $(PARAM_OBJ) \
+ $(LIBSMB_OBJ) $(PASSDB_OBJ) $(UBIQX_OBJ) smbd/password.o smbd/uid.o \
+ smbd/chgpasswd.o smbd/sec_ctx.o
+
+SEC_CTX_OBJS = $(SEC_CTX_OBJ1:%=$(srcdir)/%) sec_ctx_utils.o
+
+# Targets for tests
+
+SEC_CTX_NONROOT_OBJS = $(SEC_CTX_OBJS) sec_ctx_nonroot.o
+
+sec_ctx_nonroot: $(SEC_CTX_NONROOT_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_NONROOT_OBJS) $(LIBS)
+
+SEC_CTX_STACK_OBJS = $(SEC_CTX_OBJS) sec_ctx_stack.o
+
+sec_ctx_stack: $(SEC_CTX_STACK_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_STACK_OBJS) $(LIBS)
+
+SEC_CTX_FLOW_OBJS = $(SEC_CTX_OBJS) sec_ctx_flow.o
+
+sec_ctx_flow: $(SEC_CTX_FLOW_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_FLOW_OBJS) $(LIBS)
+
+SEC_CTX_TORTURE_OBJS = $(SEC_CTX_OBJS) sec_ctx_torture.o
+
+sec_ctx_torture: $(SEC_CTX_TORTURE_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_TORTURE_OBJS) $(LIBS)
+
+SEC_CTX_CURRENT_USER_OBJS = $(SEC_CTX_OBJS) sec_ctx_current_user.o
+
+sec_ctx_current_user: $(SEC_CTX_CURRENT_USER_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_CURRENT_USER_OBJS) $(LIBS)
+
+SEC_CTX_GROUPS_OBJS = $(SEC_CTX_OBJS) sec_ctx_groups.o
+
+sec_ctx_groups: $(SEC_CTX_GROUPS_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_GROUPS_OBJS) $(LIBS)
+
+SEC_CTX_ROOT_OBJS = $(SEC_CTX_OBJS) sec_ctx_root.o
+
+sec_ctx_root: $(SEC_CTX_ROOT_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_ROOT_OBJS) $(LIBS)
diff --git a/testsuite/smbd/se_access_check.exp b/testsuite/smbd/se_access_check.exp
new file mode 100644
index 0000000..a8d92cf
--- /dev/null
+++ b/testsuite/smbd/se_access_check.exp
@@ -0,0 +1,53 @@
+#
+# @(#) Test se_access_check() function
+#
+
+#
+# Unix SMB/Netbios implementation.
+# Copyright (C) Tim Potter 2000
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+
+load_lib "compile.exp"
+load_lib "util-defs.exp"
+
+# Run tests from C source files
+
+set se_access_check_tests [list \
+ { "null security descriptor" "se_access_check_nullsd" } \
+ { "security descriptor allow everyone" "se_access_check_allowall" } \
+ { "security descriptor allow everyone" "se_access_check_allowall" } \
+ { "security descriptor deny everyone" "se_access_check_denyall" } \
+ { "empty security descriptor" "se_access_check_empty" } \
+ { "allow some users access" "se_access_check_allowsome" } \
+ { "deny some users access" "se_access_check_denysome" } \
+ { "printer access permissions" "se_access_check_printer" } \
+ ]
+
+foreach { test } $se_access_check_tests {
+ set test_desc [lindex $test 0]
+ set test_file [lindex $test 1]
+
+ simple_make "se_access_check" $test_file
+ set output [util_start "$srcdir/$subdir/$test_file" ]
+
+ if { [regexp "PASS" $output] } {
+ pass $test_desc
+ file delete "$srcdir/$subdir/$test_file" "$srcdir/$subdir/$test_file.o"
+ } else {
+ fail $test_desc
+ puts $output
+ }
+}
diff --git a/testsuite/smbd/se_access_check_allowall.c b/testsuite/smbd/se_access_check_allowall.c
new file mode 100644
index 0000000..74b9a37
--- /dev/null
+++ b/testsuite/smbd/se_access_check_allowall.c
@@ -0,0 +1,86 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_allowall[] = {
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "S-1-1-0" },
+ { 0, 0, 0, NULL}
+};
+
+/* Check that access is always allowed for a NULL security descriptor */
+
+BOOL allowall_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ BOOL result;
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ if (!result || status != NT_STATUS_NO_PROBLEMO ||
+ acc_granted != GENERIC_ALL_ACCESS) {
+ printf("FAIL: allowall se_access_check %d/%d\n",
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_allowall, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(allowall_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_allowsome.c b/testsuite/smbd/se_access_check_allowsome.c
new file mode 100644
index 0000000..1394d5f
--- /dev/null
+++ b/testsuite/smbd/se_access_check_allowsome.c
@@ -0,0 +1,103 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_allowsome[] = {
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "user0" },
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "user2" },
+ { 0, 0, 0, NULL}
+};
+
+BOOL allowsome_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ fstring name;
+ BOOL result;
+ int len1, len2;
+
+ /* Check only user0 and user2 allowed access */
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ len1 = (int)strlen(pw->pw_name) - strlen("user0");
+ len2 = (int)strlen(pw->pw_name) - strlen("user2");
+
+ if ((strncmp("user0", &pw->pw_name[MAX(len1, 0)],
+ strlen("user0")) == 0) ||
+ (strncmp("user2", &pw->pw_name[MAX(len2, 0)],
+ strlen("user2")) == 0)) {
+ if (!result || acc_granted != GENERIC_ALL_ACCESS) {
+ printf("FAIL: access not granted for %s\n",
+ pw->pw_name);
+ }
+ } else {
+ if (result || acc_granted != 0) {
+ printf("FAIL: access granted for %s\n", pw->pw_name);
+ }
+ }
+
+ printf("result %s for user %s\n", result ? "allowed" : "denied",
+ pw->pw_name);
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_allowsome, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(allowsome_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_denyall.c b/testsuite/smbd/se_access_check_denyall.c
new file mode 100644
index 0000000..efec172
--- /dev/null
+++ b/testsuite/smbd/se_access_check_denyall.c
@@ -0,0 +1,85 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_denyall[] = {
+ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "S-1-1-0" },
+ { 0, 0, 0, NULL}
+};
+
+/* Check that access is always allowed for a NULL security descriptor */
+
+BOOL denyall_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ BOOL result;
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ if (result || acc_granted != 0) {
+ printf("FAIL: denyall se_access_check %d/%d\n",
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_denyall, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(denyall_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_denysome.c b/testsuite/smbd/se_access_check_denysome.c
new file mode 100644
index 0000000..e690e1a
--- /dev/null
+++ b/testsuite/smbd/se_access_check_denysome.c
@@ -0,0 +1,105 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_denysome[] = {
+ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "user1" },
+ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "user3" },
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "S-1-1-0" },
+ { 0, 0, 0, NULL}
+};
+
+BOOL denysome_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ fstring name;
+ BOOL result;
+ int len1, len2;
+
+ /* Check only user1 and user3 denied access */
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ len1 = (int)strlen(pw->pw_name) - strlen("user1");
+ len2 = (int)strlen(pw->pw_name) - strlen("user3");
+
+ if ((strncmp("user1", &pw->pw_name[MAX(len1, 0)],
+ strlen("user1")) == 0) ||
+ (strncmp("user3", &pw->pw_name[MAX(len2, 0)],
+ strlen("user3")) == 0)) {
+ if (result || acc_granted != 0) {
+ printf("FAIL: access not denied for %s\n",
+ pw->pw_name);
+ }
+ } else {
+ if (!result || acc_granted != GENERIC_ALL_ACCESS) {
+ printf("FAIL: access denied for %s\n", pw->pw_name);
+ }
+ }
+
+ printf("result %s for user %s\n", result ? "allowed" : "denied",
+ pw->pw_name);
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_denysome, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(denysome_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_empty.c b/testsuite/smbd/se_access_check_empty.c
new file mode 100644
index 0000000..44f5949
--- /dev/null
+++ b/testsuite/smbd/se_access_check_empty.c
@@ -0,0 +1,108 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_empty[] = {
+ { 0, 0, 0, NULL}
+};
+
+/* Check that access is always allowed for a NULL security descriptor */
+
+BOOL emptysd_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ BOOL result;
+
+ /* For no DACL, access is allowed and the desired access mask is
+ returned */
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ if (!result || !(acc_granted == SEC_RIGHTS_MAXIMUM_ALLOWED)) {
+ printf("FAIL: no dacl for %s (%d/%d)\n", pw->pw_name,
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups, 0x1234,
+ &acc_granted, &status);
+
+ if (!result || !(acc_granted == 0x1234)) {
+ printf("FAIL: no dacl2 for %s (%d/%d)\n", pw->pw_name,
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ /* If desired access mask is empty then no access is allowed */
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups, 0,
+ &acc_granted, &status);
+
+ if (result) {
+ printf("FAIL: zero desired access for %s (%d/%d)\n",
+ pw->pw_name, pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_empty, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(emptysd_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_nullsd.c b/testsuite/smbd/se_access_check_nullsd.c
new file mode 100644
index 0000000..872b2f6
--- /dev/null
+++ b/testsuite/smbd/se_access_check_nullsd.c
@@ -0,0 +1,73 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+
+/* Check that access is always allowed for a NULL security descriptor */
+
+BOOL nullsd_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ BOOL result;
+
+ result = se_access_check(NULL, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ if (!result || status != NT_STATUS_NO_PROBLEMO ||
+ acc_granted != SEC_RIGHTS_MAXIMUM_ALLOWED) {
+ printf("FAIL: null se_access_check %d/%d\n",
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ printf("access check passed for user %s (%d/%d)\n",
+ pw->pw_name, pw->pw_uid, pw->pw_gid);
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Run test */
+
+ visit_pwdb(nullsd_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_printer.c b/testsuite/smbd/se_access_check_printer.c
new file mode 100644
index 0000000..e2645c6
--- /dev/null
+++ b/testsuite/smbd/se_access_check_printer.c
@@ -0,0 +1,211 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_printer[] = {
+
+ /* Everyone is allowed to print */
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_PRINT, "S-1-1-0" },
+
+ /* Except for user0 who uses too much paper */
+
+ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_FULL_CONTROL, "user0" },
+
+ /* Users 1 and 2 can manage documents */
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_MANAGE_DOCUMENTS, "user1" },
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_MANAGE_DOCUMENTS, "user2" },
+
+ /* Domain Admins can also manage documents */
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" },
+
+ /* User 3 is da man */
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_FULL_CONTROL, "user3" },
+
+ { 0, 0, 0, NULL}
+};
+
+BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted)
+{
+ struct passwd *pw;
+ uint32 status;
+
+ if (!(pw = getpwnam(username))) {
+ printf("FAIL: could not lookup user info for %s\n",
+ username);
+ exit(1);
+ }
+
+ return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL,
+ acc_desired, acc_granted, &status);
+}
+
+static char *pace_str(uint32 ace_flags)
+{
+ if ((ace_flags & PRINTER_ACE_FULL_CONTROL) ==
+ PRINTER_ACE_FULL_CONTROL) return "full control";
+
+ if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) ==
+ PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents";
+
+ if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT)
+ return "print";
+
+ return "UNKNOWN";
+}
+
+uint32 perms[] = {
+ PRINTER_ACE_PRINT,
+ PRINTER_ACE_FULL_CONTROL,
+ PRINTER_ACE_MANAGE_DOCUMENTS,
+ 0
+};
+
+void runtest(void)
+{
+ uint32 acc_granted;
+ BOOL result;
+ int i, j;
+
+ for (i = 0; perms[i]; i++) {
+
+ /* Test 10 users */
+
+ for (j = 0; j < 10; j++) {
+ fstring name;
+
+ /* Test user against ACL */
+
+ snprintf(name, sizeof(fstring), "%s/user%d",
+ getenv("TEST_WORKGROUP"), j);
+
+ result = test_user(name, perms[i], &acc_granted);
+
+ printf("%s: %s %s 0x%08x\n", name,
+ pace_str(perms[i]),
+ result ? "TRUE " : "FALSE", acc_granted);
+
+ /* Check results */
+
+ switch (perms[i]) {
+
+ case PRINTER_ACE_PRINT: {
+ if (!result || acc_granted !=
+ PRINTER_ACE_PRINT) {
+ printf("FAIL: user %s can't print\n",
+ name);
+ failed = True;
+ }
+ break;
+ }
+
+ case PRINTER_ACE_FULL_CONTROL: {
+ if (j == 3) {
+ if (!result || acc_granted !=
+ PRINTER_ACE_FULL_CONTROL) {
+ printf("FAIL: user %s doesn't "
+ "have full control\n",
+ name);
+ failed = True;
+ }
+ } else {
+ if (result || acc_granted != 0) {
+ printf("FAIL: user %s has full "
+ "control\n", name);
+ failed = True;
+ }
+ }
+ break;
+ }
+ case PRINTER_ACE_MANAGE_DOCUMENTS: {
+ if (j == 1 || j == 2) {
+ if (!result || acc_granted !=
+ PRINTER_ACE_MANAGE_DOCUMENTS) {
+ printf("FAIL: user %s can't "
+ "manage documents\n",
+ name);
+ failed = True;
+ }
+ } else {
+ if (result || acc_granted != 0) {
+ printf("FAIL: user %s can "
+ "manage documents\n",
+ name);
+ failed = True;
+ }
+ }
+ break;
+ }
+
+ default:
+ printf("FAIL: internal error\n");
+ exit(1);
+ }
+ }
+ }
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ runtest();
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_utils.c b/testsuite/smbd/se_access_check_utils.c
new file mode 100644
index 0000000..bd20a7b
--- /dev/null
+++ b/testsuite/smbd/se_access_check_utils.c
@@ -0,0 +1,158 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+#include "lib/util/string_wrappers.h"
+
+void char_to_sid(struct dom_sid *sid, char *sid_str)
+{
+ /* If it looks like a SID, call string_to_sid() else look it up
+ using wbinfo. */
+
+ if (strncmp(sid_str, "S-", 2) == 0) {
+ string_to_sid(sid, sid_str);
+ } else {
+ struct winbindd_request request;
+ struct winbindd_response response;
+
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.data.name, sid_str);
+ if (winbindd_request(WINBINDD_LOOKUPNAME, &request,
+ &response) != NSS_STATUS_SUCCESS) {
+ printf("FAIL: unable to look up sid for name %s\n",
+ sid_str);
+ exit(1);
+ }
+
+ string_to_sid(sid, response.data.sid.sid);
+ printf("converted char %s to sid %s\n", sid_str,
+ response.data.sid.sid);
+ }
+}
+
+/* Construct an ACL from a list of ace_entry structures */
+
+SEC_ACL *build_acl(struct ace_entry *ace_list)
+{
+ SEC_ACE *aces = NULL;
+ SEC_ACL *result;
+ int num_aces = 0;
+
+ if (ace_list == NULL) return NULL;
+
+ /* Create aces */
+
+ while(ace_list->sid) {
+ SEC_ACCESS sa;
+ struct dom_sid sid;
+
+ /* Create memory for new ACE */
+
+ if (!(aces = Realloc(aces,
+ sizeof(SEC_ACE) * (num_aces + 1)))) {
+ return NULL;
+ }
+
+ /* Create ace */
+
+ init_sec_access(&sa, ace_list->mask);
+
+ char_to_sid(&sid, ace_list->sid);
+ init_sec_ace(&aces[num_aces], &sid, ace_list->type,
+ sa, ace_list->flags);
+
+ num_aces++;
+ ace_list++;
+ }
+
+ /* Create ACL from list of ACEs */
+
+ result = make_sec_acl(ACL_REVISION, num_aces, aces);
+ free(aces);
+
+ return result;
+}
+
+/* Make a security descriptor */
+
+SEC_DESC *build_sec_desc(struct ace_entry *dacl, struct ace_entry *sacl,
+ char *owner_sid, char *group_sid)
+{
+ struct dom_sid the_owner_sid, the_group_sid;
+ SEC_ACL *the_dacl, *the_sacl;
+ SEC_DESC *result;
+ size_t size;
+
+ /* Build up bits of security descriptor */
+
+ char_to_sid(&the_owner_sid, owner_sid);
+ char_to_sid(&the_group_sid, group_sid);
+
+ the_dacl = build_acl(dacl);
+ the_sacl = build_acl(sacl);
+
+ result = make_sec_desc(SEC_DESC_REVISION,
+ SEC_DESC_SELF_RELATIVE | SEC_DESC_DACL_PRESENT,
+ &the_owner_sid, &the_group_sid,
+ the_sacl, the_dacl, &size);
+
+ free_sec_acl(&the_dacl);
+ free_sec_acl(&the_sacl);
+
+ return result;
+}
+
+/* Iterate over password database and call a user-specified function */
+
+void visit_pwdb(BOOL (*fn)(struct passwd *pw, int ngroups, gid_t *groups))
+{
+ struct passwd *pw;
+ int ngroups;
+ gid_t *groups;
+
+ setpwent();
+
+ while ((pw = getpwent())) {
+ BOOL result;
+
+ /* Get grouplist */
+
+ ngroups = getgroups(0, NULL);
+
+ groups = malloc(sizeof(gid_t) * ngroups);
+ getgroups(ngroups, groups);
+
+ /* Call function */
+
+ result = fn(pw, ngroups, groups);
+ if (!result) break;
+
+ /* Clean up */
+
+ free(groups);
+ }
+
+ endpwent();
+}
diff --git a/testsuite/smbd/se_access_check_utils.h b/testsuite/smbd/se_access_check_utils.h
new file mode 100644
index 0000000..706c223
--- /dev/null
+++ b/testsuite/smbd/se_access_check_utils.h
@@ -0,0 +1,45 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SE_ACCESS_CHECK_UTILS_H
+#define _SE_ACCESS_CHECK_UTILS_H
+
+#include "includes.h"
+
+/* Structure to build ACE lists from */
+
+struct ace_entry {
+ uint8 type, flags;
+ uint32 mask;
+ char *sid;
+};
+
+#define NULL_SID "S-1-0-0"
+#define WORLD_SID "S-1-1-0"
+
+/* Function prototypes */
+
+SEC_ACL *build_acl(struct ace_entry *ace_list);
+SEC_DESC *build_sec_desc(struct ace_entry *dacl, struct ace_entry *sacl,
+ char *owner_sid, char *group_sid);
+
+void visit_pwdb(BOOL (*fn)(struct passwd *pw, int ngroups, gid_t *groups));
+
+#endif
diff --git a/testsuite/smbd/sec_ctx.exp b/testsuite/smbd/sec_ctx.exp
new file mode 100644
index 0000000..9ced9e5
--- /dev/null
+++ b/testsuite/smbd/sec_ctx.exp
@@ -0,0 +1,66 @@
+#
+# @(#) Test the push_sec_ctx() and pop_sec_ctx() functions
+#
+
+#
+# Unix SMB/Netbios implementation.
+# Copyright (C) Tim Potter 2000
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+
+load_lib "compile.exp"
+load_lib "util-defs.exp"
+
+# Non-root test
+
+set test_desc "change sec_ctx as non-root"
+set test_prog "sec_ctx_nonroot"
+simple_make "sec_ctx" $test_prog
+set output [util_start "$srcdir/$subdir/$test_prog"]
+
+if { [regexp "child killed" $output] } {
+ pass $test_desc
+ file delete "$srcdir/$subdir/$test_prog" "$srcdir/$subdir/$test_prog.o"
+} else {
+ fail $test_desc
+}
+
+# Run tests from C files as root
+
+set sec_ctx_tests [list \
+ { "security contexts are stackable" "sec_ctx_stack" } \
+ { "over/underflow tests" "sec_ctx_flow" } \
+ { "torture test" "sec_ctx_torture" } \
+ { "current_user global" "sec_ctx_current_user" } \
+ { "group membership" "sec_ctx_groups" } \
+ { "become root" "sec_ctx_root" } \
+ ]
+
+foreach { test } $sec_ctx_tests {
+ set test_desc [lindex $test 0]
+ set test_file [lindex $test 1]
+
+ simple_make "sec_ctx" $test_file
+ set output [util_start "sudo $srcdir/$subdir/$test_file" ]
+
+ if { [regexp "PASS" $output] } {
+ pass $test_desc
+ file delete "$srcdir/$subdir/$test_file" "$srcdir/$subdir/$test_file.o"
+ } else {
+ fail $test_desc
+ puts $output
+ }
+
+}
diff --git a/testsuite/smbd/sec_ctx1.c b/testsuite/smbd/sec_ctx1.c
new file mode 100644
index 0000000..ab85ae1
--- /dev/null
+++ b/testsuite/smbd/sec_ctx1.c
@@ -0,0 +1,39 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+void exit_server(char *reason) {}
+
+int main (int argc, char **argv)
+{
+ /* Become a non-root user */
+
+ samba_setuid(1);
+ samba_setgid(1);
+
+ /* Try to push a security context. This should fail with a
+ smb_assert() error. */
+
+ push_sec_ctx(2, 2);
+ printf("FAIL\n");
+
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_current_user.c b/testsuite/smbd/sec_ctx_current_user.c
new file mode 100644
index 0000000..6361b16
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_current_user.c
@@ -0,0 +1,113 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main(int argc, char **argv)
+{
+ extern struct current_user current_user;
+ uid_t initial_uid = current_user.uid;
+ gid_t initial_gid = current_user.gid;
+ int ngroups;
+ gid_t *groups;
+
+ init_sec_ctx();
+
+ /* Check initial id */
+
+ if (initial_uid != 0 || initial_gid != 0) {
+ printf("FAIL: current_user not initialised to root\n");
+ return 1;
+ }
+
+ /* Push a context and check current user is updated */
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push_sec_ctx\n");
+ return 1;
+ }
+
+ set_sec_ctx(1, 2, 0, NULL);
+
+ if (current_user.uid != 1 || current_user.gid != 2) {
+ printf("FAIL: current_user id not updated after push\n");
+ return 1;
+ }
+
+ if (current_user.ngroups != 0 || current_user.groups) {
+ printf("FAIL: current_user groups not updated after push\n");
+ return 1;
+ }
+
+ /* Push another */
+
+ get_random_grouplist(&ngroups, &groups);
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push_sec_ctx\n");
+ return 1;
+ }
+
+ set_sec_ctx(2, 3, ngroups, groups);
+
+ if (current_user.uid != 2 || current_user.gid != 3) {
+ printf("FAIL: current_user id not updated after second "
+ "push\n");
+ return 1;
+ }
+
+ if (current_user.ngroups != ngroups ||
+ (memcmp(current_user.groups, groups,
+ sizeof(gid_t) * ngroups) != 0)) {
+ printf("FAIL: current_user groups not updated\n");
+ return 1;
+ }
+
+ /* Pop them both off */
+
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop_sec_ctx\n");
+ return 1;
+ }
+
+ if (current_user.uid != 1 || current_user.gid != 2) {
+ printf("FAIL: current_user not updaded pop\n");
+ return 1;
+ }
+
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop_sec_ctx\n");
+ return 1;
+ }
+
+ /* Check initial state was returned */
+
+ if (current_user.uid != initial_uid ||
+ current_user.gid != initial_gid) {
+ printf("FAIL: current_user not updaded pop\n");
+ return 1;
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_flow.c b/testsuite/smbd/sec_ctx_flow.c
new file mode 100644
index 0000000..f3c0564
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_flow.c
@@ -0,0 +1,72 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ int i;
+
+ init_sec_ctx();
+
+ /* Check for underflow */
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push_sec_ctx\n");
+ return 1;
+ }
+
+ set_sec_ctx(1, 1, 0, NULL);
+
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop_sec_ctx\n");
+ return 1;
+ }
+
+ if (pop_sec_ctx()) {
+ printf("FAIL: underflow push_sec_ctx\n");
+ return 1;
+ }
+
+ /* Check for overflow */
+
+ for (i = 0; i < MAX_SEC_CTX_DEPTH + 1; i++) {
+ BOOL result;
+
+ result = push_sec_ctx();
+ set_sec_ctx(i, i, 0, NULL);
+
+ if ((i < MAX_SEC_CTX_DEPTH) && !result) {
+ printf("FAIL: push_sec_ctx(%d)\n", i);
+ return 1;
+ }
+
+ if ((i == MAX_SEC_CTX_DEPTH + 1) && result) {
+ printf("FAIL: overflow push_sec_ctx(%d)\n", i);
+ return 1;
+ }
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_groups.c b/testsuite/smbd/sec_ctx_groups.c
new file mode 100644
index 0000000..6310963
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_groups.c
@@ -0,0 +1,130 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ int ngroups, initial_ngroups, check_ngroups, final_ngroups;
+ gid_t *groups, *initial_groups, *check_groups, *final_groups;
+ int i;
+
+ init_sec_ctx();
+
+ /* Save current groups */
+
+ initial_ngroups = sys_getgroups(0, NULL);
+ initial_groups = malloc(sizeof(gid_t) * initial_ngroups);
+ sys_getgroups(initial_ngroups, initial_groups);
+
+ printf("Initial groups are: ");
+ for (i = 0; i < initial_ngroups; i++) {
+ printf("%d, ", initial_groups[i]);
+ }
+ printf("\n");
+
+ /* Push a context plus groups */
+
+ get_random_grouplist(&ngroups, &groups);
+
+ printf("Random groups are: ");
+ for (i = 0; i < ngroups; i++) {
+ printf("%d, ", groups[i]);
+ }
+ printf("\n");
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push_sec_ctx\n");
+ return 1;
+ }
+
+ set_sec_ctx(1, 2, ngroups, groups);
+
+ /* Check grouplist stuck */
+
+ check_ngroups = sys_getgroups(0, NULL);
+ check_groups = malloc(sizeof(gid_t) * check_ngroups);
+ sys_getgroups(check_ngroups, check_groups);
+
+ printf("Actual groups are: ");
+ for (i = 0; i < check_ngroups; i++) {
+ printf("%d, ", check_groups[i]);
+ }
+ printf("\n");
+
+ if (ngroups != check_ngroups) {
+ printf("FAIL: number of groups differs\n");
+ return 1;
+ }
+
+ for (i = 0; i < ngroups; i++) {
+ if (groups[i] != check_groups[i]) {
+ printf("FAIL: group %d differs\n", i);
+ return 1;
+ }
+ }
+
+ safe_free(groups);
+ safe_free(check_groups);
+
+ /* Pop and check initial groups are back */
+
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop_sec_ctx\n");
+ return 1;
+ }
+
+ final_ngroups = sys_getgroups(0, NULL);
+ final_groups = malloc(sizeof(gid_t) * final_ngroups);
+ sys_getgroups(final_ngroups, final_groups);
+
+ printf("Final groups are: ");
+ for (i = 0; i < final_ngroups; i++) {
+ printf("%d, ", final_groups[i]);
+ }
+ printf("\n");
+
+ if (initial_ngroups != final_ngroups) {
+ printf("FAIL: final number of groups differ\n");
+ return 1;
+ }
+
+ for (i = 0; i < initial_ngroups; i++) {
+ if (initial_groups[i] != final_groups[i]) {
+ printf("FAIL: final group %d differs\n", i);
+ return 1;
+ }
+ }
+
+ printf("Final groups are: ");
+ for (i = 0; i < final_ngroups; i++) {
+ printf("%d, ", final_groups[i]);
+ }
+ printf("\n");
+
+ safe_free(initial_groups);
+ safe_free(final_groups);
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_nonroot.c b/testsuite/smbd/sec_ctx_nonroot.c
new file mode 100644
index 0000000..6d4dbf3
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_nonroot.c
@@ -0,0 +1,41 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ init_sec_ctx();
+
+ /* Become a non-root user */
+
+ samba_setuid(1);
+ samba_setgid(1);
+
+ /* Try to push a security context. This should fail with a
+ smb_assert() error. */
+
+ push_sec_ctx();
+ set_sec_ctx(2, 2, 0, NULL);
+ printf("FAIL\n");
+
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_root.c b/testsuite/smbd/sec_ctx_root.c
new file mode 100644
index 0000000..0969978
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_root.c
@@ -0,0 +1,60 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ int ngroups, actual_ngroups;
+ gid_t *groups, *actual_groups;
+ extern struct current_user current_user;
+
+ init_sec_ctx();
+
+ /* Initialise a security context */
+
+ get_random_grouplist(&ngroups, &groups);
+ set_sec_ctx(1, 1, ngroups, groups);
+
+ /* Become root and check */
+
+ set_root_sec_ctx();
+
+ actual_ngroups = getgroups(0, NULL);
+ actual_groups = (gid_t *)malloc(actual_ngroups * sizeof(gid_t));
+
+ getgroups(actual_ngroups, actual_groups);
+
+ if (geteuid() != 0 || getegid() != 0 || actual_ngroups != 0) {
+ printf("FAIL: root id not set\n");
+ return 1;
+ }
+
+ if (current_user.uid != 0 || current_user.gid != 0 ||
+ current_user.ngroups != 0 || current_user.groups) {
+ printf("FAIL: current_user not set correctly\n");
+ return 1;
+ }
+
+ printf("PASS\n");
+
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_stack.c b/testsuite/smbd/sec_ctx_stack.c
new file mode 100644
index 0000000..98dd0e1
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_stack.c
@@ -0,0 +1,85 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ BOOL result;
+ int i;
+
+ init_sec_ctx();
+
+ /* Push a whole bunch of security contexts */
+
+ for (i = 0; i < MAX_SEC_CTX_DEPTH; i++) {
+
+ result = push_sec_ctx();
+ set_sec_ctx(i + 1, i + 2, 0, NULL);
+
+ if (!result) {
+ printf("FAIL: push_sec_ctx(%d)\n", i);
+ return 1;
+ }
+
+ printf("pushed context (%d, %d) eff=(%d, %d)\n",
+ getuid(), getgid(), geteuid(), getegid());
+
+ if ((geteuid() != i + 1) || (getegid() != i + 2)) {
+ printf("FAIL: incorrect context pushed\n");
+ return 1;
+ }
+ }
+
+ /* Pop them all off */
+
+ for (i = MAX_SEC_CTX_DEPTH; i > 0; i--) {
+
+ result = pop_sec_ctx();
+
+ if (!result) {
+ printf("FAIL: pop_sec_ctx(%d)\n", i);
+ return 1;
+ }
+
+ printf("popped context (%d, %d) eff=(%d, %d)\n",
+ getuid(), getgid(), geteuid(), getegid());
+
+ printf("i = %d\n",i);
+
+ if (i > 1) {
+ if ((geteuid() != i - 1) || (getegid() != i)) {
+ printf("FAIL: incorrect context popped\n");
+ return 1;
+ }
+ } else {
+ if ((geteuid() != 0) || (getegid() != 0)) {
+ printf("FAIL: incorrect context popped\n");
+ return 1;
+ }
+ }
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_torture.c b/testsuite/smbd/sec_ctx_torture.c
new file mode 100644
index 0000000..2e4d140
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_torture.c
@@ -0,0 +1,102 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+#define NUM_TESTS 10000
+
+int main (int argc, char **argv)
+{
+ int seed, level = 0, num_tests = 0;
+
+ init_sec_ctx();
+
+ if (argc == 1) {
+ seed = time(NULL);
+ } else {
+ seed = atoi(argv[1]);
+ }
+
+ printf("seed = %d\n", seed);
+
+ while(num_tests < NUM_TESTS) {
+ switch (random() % 2) {
+
+ /* Push a random context */
+
+ case 0:
+ if (level < MAX_SEC_CTX_DEPTH) {
+ int ngroups;
+ gid_t *groups;
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push random ctx\n");
+ return 1;
+ }
+
+ get_random_grouplist(&ngroups, &groups);
+
+ set_sec_ctx(random() % 32767,
+ random() % 32767,
+ ngroups, groups);
+
+ if (!verify_current_groups(ngroups,
+ groups)) {
+ printf("FAIL: groups did not stick\n");
+ return 1;
+ }
+
+ printf("pushed (%d, %d) eff=(%d, %d)\n",
+ getuid(), getgid(), geteuid(),
+ getegid());
+
+ level++;
+ num_tests++;
+
+ free(groups);
+ }
+ break;
+
+ /* Pop a random context */
+
+ case 1:
+ if (level > 0) {
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop random ctx\n");
+ return 1;
+ }
+
+ printf("popped (%d, %d) eff=(%d, %d)\n",
+ getuid(), getgid(), geteuid(),
+ getegid());
+
+ level--;
+ num_tests++;
+ }
+ break;
+ }
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_utils.c b/testsuite/smbd/sec_ctx_utils.c
new file mode 100644
index 0000000..3834cfd
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_utils.c
@@ -0,0 +1,64 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* Keep linker happy */
+
+void exit_server(char *reason) {}
+
+/* Generate random list of groups */
+
+void get_random_grouplist(int *ngroups, gid_t **groups)
+{
+ int i;
+
+ *ngroups = random() % setgroups_max();
+ *groups = malloc(*ngroups * sizeof(gid_t));
+
+ if (!groups) {
+ printf("FAIL: malloc random grouplist\n");
+ return;
+ }
+
+ for (i = 0; i < *ngroups; i++) {
+ (*groups)[i] = random() % 32767;
+ }
+}
+
+/* Check a list of groups with current groups */
+
+BOOL verify_current_groups(int ngroups, gid_t *groups)
+{
+ int actual_ngroups;
+ gid_t *actual_groups;
+
+ actual_ngroups = getgroups(0, NULL);
+ actual_groups = (gid_t *)malloc(actual_ngroups * sizeof(gid_t));
+
+ getgroups(actual_ngroups, actual_groups);
+
+ if (actual_ngroups != ngroups) {
+ return False;
+ }
+
+ return memcmp(actual_groups, groups, actual_ngroups *
+ sizeof(gid_t)) == 0;
+}
diff --git a/testsuite/smbd/sec_ctx_utils.h b/testsuite/smbd/sec_ctx_utils.h
new file mode 100644
index 0000000..03c90e7
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_utils.h
@@ -0,0 +1,29 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SEC_CTX_UTILS_H
+#define _SEC_CTX_UTILS_H
+
+/* Function prototypes */
+
+void get_random_grouplist(int *ngroups, gid_t **groups);
+BOOL verify_current_groups(int ngroups, gid_t *groups);
+
+#endif /* _SEC_CTX_UTILS_H */
diff --git a/testsuite/smbd/sighup.exp b/testsuite/smbd/sighup.exp
new file mode 100644
index 0000000..a9e1bff
--- /dev/null
+++ b/testsuite/smbd/sighup.exp
@@ -0,0 +1,107 @@
+#
+# @(#) Check services file reloaded after SIGHUP
+#
+
+load_lib "util-defs.exp"
+
+# Create a smb.conf file from a list of sections. Each section consists of
+# a name and a list of lines which are the contents of that section.
+# Returns a temporary filename which must be deleted after use.
+
+proc write_smb_conf { args } {
+
+ # Set up temporary file
+
+ set name "/tmp/smb.conf-test-[pid]"
+ set f [open $name "w"]
+
+ # Parse sections
+
+ foreach section [lindex $args 0] {
+ set secname [lindex $section 0]
+ set contents [lindex $section 1]
+
+ puts $f "\[$secname]"
+
+ foreach { line } $contents {
+ puts $f "\t$line"
+ }
+
+ puts $f ""
+ }
+
+ close $f
+
+ # Return filename of smb.conf file
+
+ return $name
+}
+
+proc append_smb_conf { args } {
+
+ set name [lindex $args 0]
+ set f [open $name "a"]
+
+ foreach section [lindex $args 1] {
+ set secname [lindex $section 0]
+ set contents [lindex $section 1]
+
+ puts $f "\[$secname]"
+
+ foreach { line } $contents {
+ puts $f "\t$line"
+ }
+
+ puts $f ""
+ }
+
+ close $f
+}
+
+# Create a smb.conf file
+
+set smb_conf [list \
+ [list "global" \
+ [list "netbios name = testing" \
+ "guest ok = true"]]]
+
+set name [write_smb_conf $smb_conf]
+
+# Run smbd and smbclient output
+
+set smbd_output [util_start "bin/smbd" "-s $name"]
+set nmbd_output [util_start "bin/nmbd" "-s $name"]
+
+sleep 5
+
+set smbclient_output [util_start "bin/smbclient -L //testing -N"]
+verbose $smbclient_output
+
+if { ![regexp "Anonymous login successful" $smbclient_output] } {
+ untested "smbd could not be started"
+ util_start "killall" "smbd nmbd"
+ file delete $name
+ return
+}
+
+# Append another share and sighup
+
+append_smb_conf $name [list [list "tmp" [list "browseable = true"]]]
+set output [util_start "killall" "-HUP smbd"]
+verbose $output
+
+sleep 2
+
+set smbclient_output2 [util_start "bin/smbclient -L //testing -N"]
+verbose $smbclient_output2
+
+if { [regexp "tmp.*Disk" $smbclient_output2] } {
+ pass "sighup reload"
+} else {
+ fail "sighup reload"
+}
+
+# Clean up
+
+util_start "killall" "smbd nmbd"
+file delete $name
diff --git a/testsuite/unittests/rpc_test_dummy_module.c b/testsuite/unittests/rpc_test_dummy_module.c
new file mode 100644
index 0000000..2b4e6e2
--- /dev/null
+++ b/testsuite/unittests/rpc_test_dummy_module.c
@@ -0,0 +1,21 @@
+#include "replace.h"
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+#include "libcli/util/ntstatus.h"
+
+NTSTATUS samba_init_module(void);
+NTSTATUS samba_init_module(void)
+{
+ int rc;
+
+ fprintf(stderr, "Test dummy executed!\n");
+
+ rc = setenv("UNITTEST_DUMMY_MODULE_LOADED", "TRUE", 1);
+ if (rc < 0) {
+ kill(getpid(), SIGILL);
+ exit(-1);
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/testsuite/unittests/test_background_send.c b/testsuite/unittests/test_background_send.c
new file mode 100644
index 0000000..ea65428
--- /dev/null
+++ b/testsuite/unittests/test_background_send.c
@@ -0,0 +1,82 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "replace.h"
+#include <assert.h>
+#include "source3/lib/background.h"
+#include "source3/include/messages.h"
+#include "lib/util/talloc_stack.h"
+#include "source3/param/loadparm.h"
+#include "dynconfig/dynconfig.h"
+
+static int bg_trigger(void *private_data)
+{
+ return 1;
+}
+
+static void test_background_send(void)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct tevent_context *ev = NULL;
+ struct messaging_context *msg_ctx = NULL;
+ struct tevent_req *req = NULL;
+ uint32_t ping_msg = MSG_PING;
+
+ ev = tevent_context_init(frame);
+ assert(ev != NULL);
+
+ msg_ctx = messaging_init(frame, ev);
+ assert(msg_ctx != NULL);
+
+ req = background_job_send(
+ frame, ev, msg_ctx, &ping_msg, 1, 0, bg_trigger, NULL);
+ assert(req != NULL);
+
+ /*
+ * Here's the core of this test: TALLOC_FREE msg_ctx before
+ * req. This happens if you use background_job_send() smbd and
+ * don't manually TALLOC_FREE req before exit_server()
+ */
+ TALLOC_FREE(msg_ctx);
+ TALLOC_FREE(req);
+
+ TALLOC_FREE(frame);
+}
+
+int main(int argc, const char *argv[])
+{
+ const char testname[] = "test_background_send";
+ bool ok;
+
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s <configfile>\n", argv[0]);
+ return 1;
+ }
+
+ printf("test: %s\n", testname);
+
+ ok = lp_load_initial_only(argv[1]);
+ if (!ok) {
+ fprintf(stderr, "lp_load_initial_only(%s) failed\n", argv[1]);
+ return 1;
+ }
+
+ test_background_send(); /* crashes on failure */
+
+ printf("success: %s\n", testname);
+ return 0;
+}
diff --git a/testsuite/unittests/test_krb5_samba.c b/testsuite/unittests/test_krb5_samba.c
new file mode 100644
index 0000000..8b7e843
--- /dev/null
+++ b/testsuite/unittests/test_krb5_samba.c
@@ -0,0 +1,145 @@
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include <krb5.h>
+
+#include "includes.h"
+#include "lib/krb5_wrap/krb5_samba.h"
+
+
+static int setup_krb5_context(void **state)
+{
+ krb5_context context = NULL;
+ krb5_error_code code;
+
+ code = krb5_init_context(&context);
+ assert_return_code(code, code);
+
+ *state = context;
+
+ return 0;
+}
+
+static int teardown_krb5_context(void **state)
+{
+ krb5_context context = *state;
+
+ if (context != NULL) {
+ krb5_free_context(context);
+ }
+ return 0;
+}
+
+static void test_smb_krb5_kt_open(void **state)
+{
+ krb5_context context = *state;
+ krb5_keytab keytab = NULL;
+ krb5_error_code code;
+ char keytab_template[] = "/tmp/keytab.XXXXXX";
+ int fd;
+
+ fd = mkstemp(keytab_template);
+ assert_return_code(fd, errno);
+ unlink(keytab_template);
+
+ code = smb_krb5_kt_open(context,
+ keytab_template,
+ false,
+ &keytab);
+ assert_int_equal(code, 0);
+
+ krb5_kt_close(context, keytab);
+ close(fd);
+}
+
+static void test_smb_krb5_kt_open_file(void **state)
+{
+ krb5_context context = *state;
+ krb5_keytab keytab = NULL;
+ krb5_error_code code;
+ char keytab_template[] = "/tmp/keytab.XXXXXX";
+ char keytab_file[6 + strlen(keytab_template)];
+ int fd;
+
+ fd = mkstemp(keytab_template);
+ assert_return_code(fd, errno);
+ unlink(keytab_template);
+
+ snprintf(keytab_file, sizeof(keytab_file), "FILE:%s", keytab_template);
+
+ code = smb_krb5_kt_open(context,
+ keytab_file,
+ false,
+ &keytab);
+ assert_int_equal(code, 0);
+
+ krb5_kt_close(context, keytab);
+ close(fd);
+}
+
+static void test_smb_krb5_kt_open_fail(void **state)
+{
+ krb5_context context = *state;
+ krb5_keytab keytab = NULL;
+ krb5_error_code code;
+
+ code = smb_krb5_kt_open(context,
+ NULL,
+ false,
+ &keytab);
+ assert_int_equal(code, KRB5_KT_BADNAME);
+ code = smb_krb5_kt_open(context,
+ "wurst",
+ false,
+ &keytab);
+ assert_int_equal(code, KRB5_KT_BADNAME);
+
+ code = smb_krb5_kt_open(context,
+ "FILE:wurst",
+ false,
+ &keytab);
+ assert_int_equal(code, KRB5_KT_BADNAME);
+
+ code = smb_krb5_kt_open(context,
+ "WRFILE:wurst",
+ false,
+ &keytab);
+ assert_int_equal(code, KRB5_KT_BADNAME);
+}
+
+static void test_smb_krb5_kt_open_relative_memory(void **state)
+{
+ krb5_context context = *state;
+ krb5_keytab keytab = NULL;
+ krb5_error_code code;
+
+ code = smb_krb5_kt_open_relative(context,
+ NULL,
+ true,
+ &keytab);
+ assert_int_equal(code, 0);
+
+ krb5_kt_close(context, keytab);
+}
+
+int main(void) {
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_smb_krb5_kt_open,
+ setup_krb5_context,
+ teardown_krb5_context),
+ cmocka_unit_test_setup_teardown(test_smb_krb5_kt_open_file,
+ setup_krb5_context,
+ teardown_krb5_context),
+ cmocka_unit_test_setup_teardown(test_smb_krb5_kt_open_fail,
+ setup_krb5_context,
+ teardown_krb5_context),
+ cmocka_unit_test_setup_teardown(test_smb_krb5_kt_open_relative_memory,
+ setup_krb5_context,
+ teardown_krb5_context),
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/testsuite/unittests/test_lib_util_modules.c b/testsuite/unittests/test_lib_util_modules.c
new file mode 100644
index 0000000..647fc1f
--- /dev/null
+++ b/testsuite/unittests/test_lib_util_modules.c
@@ -0,0 +1,66 @@
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <talloc.h>
+
+#include "include/config.h"
+#include "libcli/util/ntstatus.h"
+#include "lib/util/samba_modules.h"
+
+static int teardown(void **state)
+{
+ unsetenv("UNITTEST_DUMMY_MODULE_LOADED");
+
+ return 0;
+}
+
+static void test_samba_module_probe_dummy(void **state)
+{
+ const char *module_env;
+ NTSTATUS status;
+
+ status = smb_probe_module("rpc", "test_dummy_module");
+ assert_true(NT_STATUS_IS_OK(status));
+
+ module_env = getenv("UNITTEST_DUMMY_MODULE_LOADED");
+ assert_non_null(module_env);
+ assert_string_equal(module_env, "TRUE");
+}
+
+static void test_samba_module_probe_slash(void **state)
+{
+ char dummy_module_path[4096] = {0};
+ const char *module_env;
+ NTSTATUS status;
+
+ snprintf(dummy_module_path,
+ sizeof(dummy_module_path),
+ "%s/bin/modules/rpc/test_dummy_module.so",
+ SRCDIR);
+
+ status = smb_probe_module("rpc", dummy_module_path);
+ assert_true(NT_STATUS_IS_ERR(status));
+
+ module_env = getenv("UNITTEST_DUMMY_MODULE_LOADED");
+ assert_null(module_env);
+}
+
+int main(void) {
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_teardown(test_samba_module_probe_dummy,
+ teardown),
+ cmocka_unit_test_teardown(test_samba_module_probe_slash,
+ teardown),
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/testsuite/unittests/wscript b/testsuite/unittests/wscript
new file mode 100644
index 0000000..10ab024
--- /dev/null
+++ b/testsuite/unittests/wscript
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+
+import os
+
+def configure(conf):
+ return
+
+def build(bld):
+ bld.SAMBA_BINARY('test_krb5samba',
+ source='test_krb5_samba.c',
+ deps='krb5samba cmocka',
+ for_selftest=True)
+
+ bld.SAMBA_BINARY('test_lib_util_modules',
+ source='test_lib_util_modules.c',
+ deps='''
+ samba-modules
+ cmocka
+ ''',
+ for_selftest=True)
+
+ bld.SAMBA_BINARY('test_background_send',
+ source='test_background_send.c',
+ deps='''
+ samba3core
+ ''',
+ for_selftest=True)
+
+ bld.SAMBA_MODULE('rpc_test_dummy_module',
+ source='rpc_test_dummy_module.c',
+ deps='ndr smbd_base RPC_SERVICE RPC_SOCK_HELPER',
+ subsystem='rpc',
+ allow_undefined_symbols=True,
+ init_function='',
+ internal_module=False,
+ install=False)