Diffstat (limited to 'nsswitch/tests')
-rwxr-xr-x | nsswitch/tests/test_idmap_ad.sh | 269 | ||||
-rwxr-xr-x | nsswitch/tests/test_idmap_nss.sh | 41 | ||||
-rwxr-xr-x | nsswitch/tests/test_idmap_nss_use_upn.sh | 79 | ||||
-rwxr-xr-x | nsswitch/tests/test_idmap_rfc2307.sh | 221 | ||||
-rwxr-xr-x | nsswitch/tests/test_idmap_rid.sh | 202 | ||||
-rwxr-xr-x | nsswitch/tests/test_rfc2307_mapping.sh | 159 | ||||
-rwxr-xr-x | nsswitch/tests/test_ticket_expiry.sh | 74 | ||||
-rwxr-xr-x | nsswitch/tests/test_wbinfo.sh | 322 | ||||
-rwxr-xr-x | nsswitch/tests/test_wbinfo_name_lookup.sh | 64 | ||||
-rwxr-xr-x | nsswitch/tests/test_wbinfo_sids_to_xids.sh | 32 | ||||
-rwxr-xr-x | nsswitch/tests/test_wbinfo_simple.sh | 25 | ||||
-rwxr-xr-x | nsswitch/tests/test_wbinfo_user_info.sh | 140 | ||||
-rwxr-xr-x | nsswitch/tests/test_wbinfo_user_info_cached.sh | 50 |
13 files changed, 1678 insertions, 0 deletions
diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
new file mode 100755
index 0000000..7ae112a
--- /dev/null
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -0,0 +1,269 @@
+#!/bin/sh
+#
+# Basic testing of id mapping with idmap_ad
+#
+
+if [ $# -ne 6 ]; then
+ echo Usage: $0 DOMAIN DC_SERVER DC_PASSWORD TRUST_DOMAIN TRUST_SERVER TRUST_PASSWORD
+ exit 1
+fi
+
+DOMAIN="$1"
+DC_SERVER="$2"
+DC_PASSWORD="$3"
+TRUST_DOMAIN="$4"
+TRUST_SERVER="$5"
+TRUST_PASSWORD="$6"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+ldbmodify="${VALGRIND} ldbmodify"
+if [ -x "${BINDIR}/ldbmodify" ]; then
+ ldbmodify="${VALGRIND} ${BINDIR}/ldbmodify"
+fi
+
+ldbsearch="${VALGRIND} ldbsearch"
+if [ -x "${BINDIR}/ldbsearch" ]; then
+ ldbsearch="${VALGRIND} ${BINDIR}/ldbsearch"
+fi
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
+if [ $? -ne 0 ]; then
+ echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+
+TRUST_DOMAIN_SID=$($wbinfo -n "$TRUST_DOMAIN/" | cut -f 1 -d " ")
+if [ $? -ne 0 ]; then
+ echo "Could not find trusted domain SID" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+
+BASE_DN=$($ldbsearch -H ldap://$DC_SERVER -b "" --scope=base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}')
+if [ $? -ne 0 ]; then
+ echo "Could not find base DN" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+
+TRUST_BASE_DN=$($ldbsearch -H ldap://$TRUST_SERVER -b "" --scope=base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}')
+if [ $? -ne 0 ]; then
+ echo "Could not find trusted base DN" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+
+#
+# Add POSIX ids to AD
+#
+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
+dn: CN=Administrator,CN=Users,$BASE_DN
+changetype: modify
+add: uidNumber
+uidNumber: 2000000
+add: gidNumber
+gidNumber: 2000100
+add: unixHomeDirectory
+unixHomeDirectory: /home/admin
+add: loginShell
+loginShell: /bin/tcsh
+add: gecos
+gecos: Administrator Full Name
+
+dn: CN=Domain Users,CN=Users,$BASE_DN
+changetype: modify
+add: gidNumber
+gidNumber: 2000001
+
+dn: CN=Domain Admins,CN=Users,$BASE_DN
+changetype: modify
+add: gidNumber
+gidNumber: 2000002
+
+dn: ou=sub,$BASE_DN
+changetype: add
+objectClass: organizationalUnit
+
+dn: cn=forbidden,ou=sub,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: forbidden
+uidNumber: 2000003
+gidNumber: 2000001
+unixHomeDirectory: /home/forbidden
+loginShell: /bin/tcsh
+gecos: User in forbidden OU
+EOF
+
+#
+# Add POSIX ids to trusted domain
+#
+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
+changetype: modify
+add: uidNumber
+uidNumber: 2500000
+
+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
+changetype: modify
+add: gidNumber
+gidNumber: 2500001
+
+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
+changetype: modify
+add: gidNumber
+gidNumber: 2500002
+EOF
+
+#
+# Test 1: Test uid of Administrator, should be 2000000
+#
+
+out="$($wbinfo -S $DOMAIN_SID-500)"
+echo "wbinfo returned: \"$out\", expecting \"2000000\""
+test "$out" = "2000000"
+ret=$?
+testit "Test uid of Administrator is 2000000" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 2: Test gid of Domain Users, should be 2000001
+#
+
+out="$($wbinfo -Y $DOMAIN_SID-513)"
+echo "wbinfo returned: \"$out\", expecting \"2000001\""
+test "$out" = "2000001"
+ret=$?
+testit "Test uid of Domain Users is 2000001" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 3: Test get userinfo for Administrator works
+#
+
+out="$($wbinfo -i $DOMAIN/Administrator)"
+echo "wbinfo returned: \"$out\", expecting \"$DOMAIN/administrator:*:2000000:2000100:Administrator Full Name:/home/admin:/bin/tcsh\""
+test "$out" = "$DOMAIN/administrator:*:2000000:2000100:Administrator Full Name:/home/admin:/bin/tcsh"
+ret=$?
+testit "Test get userinfo for Administrator works" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 4: Test lookup from gid to sid
+#
+
+out="$($wbinfo -G 2000002)"
+echo "wbinfo returned: \"$out\", expecting \"$DOMAIN_SID-512\""
+test "$out" = "$DOMAIN_SID-512"
+ret=$?
+testit "Test gid lookup of Domain Admins" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 5: Make sure deny_ou is really denied
+# This depends on the "deny ous" setting in Samba3.pm
+#
+
+sid="$($wbinfo -n $DOMAIN/forbidden | awk '{print $1}')"
+testit "Could create forbidden" test -n "$sid" || failed=$(expr $failed + 1)
+if [ -n "$sid" ]
+then
+ uid="$($wbinfo --sid-to-uid $sid)"
+ testit "Can not resolve forbidden user" test -z "$uid" ||
+ failed=$(($failed + 1))
+fi
+
+#
+# Trusted domain test 1: Test uid of Administrator, should be 2500000
+#
+
+out="$($wbinfo -S $TRUST_DOMAIN_SID-500)"
+echo "wbinfo returned: \"$out\", expecting \"2500000\""
+test "$out" = "2500000"
+ret=$?
+testit "Test uid of Administrator in trusted domain is 2500000" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Trusted domain test 2: Test gid of Domain Users, should be 2500001
+#
+
+out="$($wbinfo -Y $TRUST_DOMAIN_SID-513)"
+echo "wbinfo returned: \"$out\", expecting \"2500001\""
+test "$out" = "2500001"
+ret=$?
+testit "Test uid of Domain Users in trusted domain is 2500001" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Trusted domain test 3: Test get userinfo for Administrator works
+#
+
+out="$($wbinfo -i $TRUST_DOMAIN/Administrator)"
+echo "wbinfo returned: \"$out\", expecting \"$TRUST_DOMAIN/administrator:*:2500000:2500001::/home/$TRUST_DOMAIN/administrator:/bin/false\""
+test "$out" = "$TRUST_DOMAIN/administrator:*:2500000:2500001::/home/$TRUST_DOMAIN/administrator:/bin/false"
+ret=$?
+testit "Test get userinfo for Administrator works" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Trusted domain test 4: Test lookup from gid to sid
+#
+
+out="$($wbinfo -G 2500002)"
+echo "wbinfo returned: \"$out\", expecting \"$TRUST_DOMAIN_SID-512\""
+test "$out" = "$TRUST_DOMAIN_SID-512"
+ret=$?
+testit "Test gid lookup of Domain Admins in trusted domain." test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Remove POSIX ids from AD
+#
+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
+dn: CN=Administrator,CN=Users,$BASE_DN
+changetype: modify
+delete: uidNumber
+uidNumber: 2000000
+delete: gidNumber
+gidNumber: 2000100
+delete: unixHomeDirectory
+unixHomeDirectory: /home/admin
+delete: loginShell
+loginShell: /bin/tcsh
+delete: gecos
+gecos: Administrator Full Name
+
+dn: CN=Domain Users,CN=Users,$BASE_DN
+changetype: modify
+delete: gidNumber
+gidNumber: 2000001
+
+dn: CN=Domain Admins,CN=Users,$BASE_DN
+changetype: modify
+delete: gidNumber
+gidNumber: 2000002
+
+dn: cn=forbidden,ou=sub,$BASE_DN
+changetype: delete
+
+dn: ou=sub,$BASE_DN
+changetype: delete
+EOF
+
+#
+# Remove POSIX ids from trusted domain
+#
+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
+changetype: modify
+delete: uidNumber
+uidNumber: 2500000
+
+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
+changetype: modify
+delete: gidNumber
+gidNumber: 2500001
+
+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
+changetype: modify
+delete: gidNumber
+gidNumber: 2500002
+EOF
+
+exit $failed
diff --git a/nsswitch/tests/test_idmap_nss.sh b/nsswitch/tests/test_idmap_nss.sh
new file mode 100755
index 0000000..e7a57dc
--- /dev/null
+++ b/nsswitch/tests/test_idmap_nss.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Test id mapping with unknown SID and non-allocating idmap backend
+if [ $# -lt 1 ]; then
+ echo Usage: $0 DOMAIN
+ exit 1
+fi
+
+DOMAIN="$1"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+testit "wbinfo returns domain SID" $wbinfo -n "$DOMAIN/" || exit 1
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
+echo "Domain $DOMAIN has SID $DOMAIN_SID"
+
+# Find an unused uid and SID
+RID=66666
+while true; do
+ id $RID
+ if [ $? -ne 0 ]; then
+ $wbinfo -s $DOMAIN_SID-$RID
+ if [ $? -ne 0 ]; then
+ break
+ fi
+ fi
+ RID=$(expr $RID + 1)
+done
+
+echo "Using non-existing SID $DOMAIN_SID-$RID to check no id allocation is done by the backend"
+
+out="$($wbinfo --sids-to-unix-ids=$DOMAIN_SID-$RID)"
+echo "wbinfo returned: $out"
+test "$out" = "$DOMAIN_SID-$RID -> unmapped"
+ret=$?
+testit "wbinfo SID to xid returns unmapped for unknown SID" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_idmap_nss_use_upn.sh b/nsswitch/tests/test_idmap_nss_use_upn.sh
new file mode 100755
index 0000000..df2c672
--- /dev/null
+++ b/nsswitch/tests/test_idmap_nss_use_upn.sh
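Review bot: The `if [ $? -ne 0 ]` checks after `DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")`, `TRUST_DOMAIN_SID=...`, `BASE_DN=...` and `TRUST_BASE_DN=...` test the exit status of `cut`/`awk`, the last stage of each pipeline, not of `$wbinfo`/`$ldbsearch`; the script runs under `#!/bin/sh`, which has no `pipefail`, so a failed lookup leaves the variable empty and the script carries on to feed `ldbmodify` an LDIF whose DNs end in a bare `,` rather than stopping at the intended guard. Testing the value catches this: `if [ -z "$DOMAIN_SID" ]; then` (and likewise for the other three). The same pattern appears in test_idmap_rid.sh and test_ticket_expiry.sh in this commit.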
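Review bot: The `while true` loop that searches for a free RID starting at `RID=66666` has no upper bound, so if every probed RID keeps resolving through `id $RID` or `$wbinfo -s` the test spins forever instead of failing; test_idmap_rid.sh in this same commit guards the equivalent loop with `MAX_RID=77777`. The same guard fits here, after `RID=$(expr $RID + 1)`: `if [ $RID -eq $MAX_RID ]; then echo "Could not find free SID" | subunit_fail_test "test_idmap_nss"; exit 1; fi`, with `MAX_RID` set next to `RID`. The `id $RID` and `$wbinfo -s` probes also print their output into the subunit stream on every iteration; redirecting them to `/dev/null` would keep the log readable.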
@@ -0,0 +1,79 @@
+#!/bin/sh
+
+wbinfo="$BINDIR/wbinfo"
+smbcontrol="$BINDIR/smbcontrol"
+net="$BINDIR/net"
+global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+# Reset idmap_nss configuration and clear cache
+echo "idmap config $DOMAIN : use_upn = no" >$global_inject_conf
+$smbcontrol winbindd reload-config
+if [ $? -ne 0 ]; then
+ echo "Could not reload config" | subunit_fail_test "test_idmap_nss_use_upn"
+fi
+
+$net cache flush
+if [ $? -ne 0 ]; then
+ echo "Could not flush cache" | subunit_fail_test "test_idmap_nss_use_upn"
+fi
+
+# Get the user SID
+USER="bob"
+USER_SID=$($wbinfo --name-to-sid="$USER")
+if [ $? -ne 0 ]; then
+ echo "Could not find SID for user '$USER'" | subunit_fail_test "test_idmap_nss_use_upn"
+ exit 1
+fi
+
+USER_SID=$(echo $USER_SID | cut -d " " -f 1)
+if [ $? -ne 0 ]; then
+ echo "Could not find SID for user '$USER'" | subunit_fail_test "test_idmap_nss_use_upn"
+ exit 1
+fi
+
+testit "SID to UID (use_upn = no)" $wbinfo --sid-to-uid=${USER_SID} || failed=$(expr $failed + 1)
+
+echo "idmap config $DOMAIN : use_upn = yes" >$global_inject_conf
+$smbcontrol winbindd reload-config
+if [ $? -ne 0 ]; then
+ echo "Could not reload config" | subunit_fail_test "test_idmap_nss_use_upn"
+fi
+
+$net cache flush
+if [ $? -ne 0 ]; then
+ echo "Could not flush cache" | subunit_fail_test "test_idmap_nss_use_upn"
+fi
+
+# The following test will fail because idmap_nss will search ADDOMAIN/bob, which does not
+# exists in NSS_WRAPPER_PASSWD
+testit_expect_failure "SID to UID (use_upn = yes)" $wbinfo --sid-to-uid=${USER_SID} || failed=$(expr $failed + 1)
+
+$net cache flush
+if [ $? -ne 0 ]; then
+ echo "Could not flush cache" | subunit_fail_test "test_idmap_nss_use_upn"
+fi
+
+# Add the ADDOMAIN/bob temporarily
+ENTRY="$(getent passwd bob)"
+ENTRY="$DOMAIN/${ENTRY}"
+sed -i "1i ${ENTRY}" $NSS_WRAPPER_PASSWD
+testit "Get user UID (use_upn = yes)" $wbinfo --sid-to-uid=${USER_SID} || failed=$(expr $failed + 1)
+sed -i "1d" $NSS_WRAPPER_PASSWD
+
+# Reset config
+echo "idmap config $DOMAIN : use_upn = no" >$global_inject_conf
+$smbcontrol winbindd reload-config
+if [ $? -ne 0 ]; then
+ echo "Could not reload config" | subunit_fail_test "test_idmap_nss_use_upn"
+fi
+
+$net cache flush
+if [ $? -ne 0 ]; then
+ echo "Could not flush cache" | subunit_fail_test "test_idmap_nss_use_upn"
+fi
+
+exit $failed
diff --git a/nsswitch/tests/test_idmap_rfc2307.sh b/nsswitch/tests/test_idmap_rfc2307.sh
new file mode 100755
index 0000000..b24cf45
--- /dev/null
+++ b/nsswitch/tests/test_idmap_rfc2307.sh
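Review bot: `ENTRY="$(getent passwd bob)"` is never checked, so when the lookup fails `ENTRY` is just `"$DOMAIN/"` and that fragment is still written into `$NSS_WRAPPER_PASSWD` by `sed -i "1i ${ENTRY}"`; and if that `sed` fails for any reason (an entry containing characters the `i` command treats specially, for instance), the unconditional `sed -i "1d"` that follows deletes whatever real first line the passwd fixture had, corrupting it for every later test in the run. Guard the lookup before touching the file, `ENTRY="$(getent passwd bob)" || { echo "Could not look up bob" | subunit_fail_test "test_idmap_nss_use_upn"; exit 1; }`, and make the `1d` conditional on the insert having succeeded. Separately, the `if [ $? -ne 0 ]` after `USER_SID=$(echo $USER_SID | cut -d " " -f 1)` can never fire because it tests `cut`; `if [ -z "$USER_SID" ]; then` is the check that was presumably intended.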
@@ -0,0 +1,221 @@
+#!/bin/sh
+# Test id mapping through idmap_rfc2307 module
+if [ $# -lt 15 ]; then
+ echo Usage: $0 DOMAIN USERNAME UID USERNAME2 UID2 \
+ GROUPNAME GID GROUPNAME2 GID2 GID_START NUMGROUPS \
+ LDAPPREFIX DC_SERVER DC_USERNAME DC_PASSWORD
+ exit 1
+fi
+
+DOMAIN="$1"
+USERNAME="$2"
+USERUID="$3"
+USERNAME2="$4"
+USERUID2="$5"
+GROUPNAME="$6"
+GROUPGID="$7"
+GROUPNAME2="$8"
+GROUPGID2="$9"
+shift 9
+GID_START="$1"
+NUMGROUPS="$2"
+LDAPPREFIX="$3"
+DC_SERVER="$4"
+DC_USERNAME="$5"
+DC_PASSWORD="$6"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+net="$VALGRIND $BINDIR/net"
+
+ldbsearch="ldbsearch"
+if [ -x "$BINDIR/ldbsearch" ]; then
+ ldbsearch="$BINDIR/ldbsearch"
+fi
+
+ldbadd="ldbadd"
+if [ -x "$BINDIR/ldbadd" ]; then
+ ldbadd="$BINDIR/ldbadd"
+fi
+
+ldbdel="ldbdel"
+if [ -x "$BINDIR/ldbdel" ]; then
+ ldbdel="$BINDIR/ldbdel"
+fi
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+# Delete LDAP records
+$VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "$LDAPPREFIX" --controls="tree_delete:1"
+
+# Add id mapping information to LDAP
+
+testit "add ldap prefix" $VALGRIND $ldbadd -H ldap://$DC_SERVER \
+ -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: $LDAPPREFIX
+objectclass: organizationalUnit
+EOF
+
+testit "add ldap user mapping record" $VALGRIND $ldbadd -H ldap://$DC_SERVER \
+ -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$USERNAME,$LDAPPREFIX
+objectClass: organizationalPerson
+objectClass: posixAccount
+ou: People
+cn: $USERNAME
+uid: $USERNAME
+uidNumber: $USERUID
+gidNumber: 1
+homeDirectory: /home/admin
+EOF
+
+testit "add second ldap user mapping record" $VALGRIND $ldbadd \
+ -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$USERNAME2,$LDAPPREFIX
+objectClass: organizationalPerson
+objectClass: posixAccount
+ou: People
+cn: $USERNAME2
+uid: $USERNAME2
+uidNumber: $USERUID2
+gidNumber: 2
+homeDirectory: /home/admin
+EOF
+
+testit "add ldap group mapping record" $VALGRIND $ldbadd \
+ -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$GROUPNAME,$LDAPPREFIX
+objectClass: posixGroup
+objectClass: groupOfNames
+cn: $GROUPNAME
+gidNumber: $GROUPGID
+member: cn=$USERNAME,$LDAPPREFIX
+EOF
+
+testit "add second ldap group mapping record" $VALGRIND $ldbadd \
+ -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$GROUPNAME2,$LDAPPREFIX
+objectClass: posixGroup
+objectClass: groupOfNames
+cn: $GROUPNAME2
+gidNumber: $GROUPGID2
+member: cn=$USERNAME,$LDAPPREFIX
+EOF
+
+testit "wbinfo --name-to-sid" $wbinfo --name-to-sid "$DOMAIN/$USERNAME" || failed=$(expr $failed + 1)
+user_sid=$($wbinfo -n "$DOMAIN/$USERNAME" | cut -d " " -f1)
+echo "$DOMAIN/$USERNAME resolved to $user_sid"
+
+testit "wbinfo --sid-to-uid=$user_sid" $wbinfo --sid-to-uid=$user_sid || failed=$(expr $failed + 1)
+user_uid=$($wbinfo --sid-to-uid=$user_sid | cut -d " " -f1)
+echo "$DOMAIN/$USERNAME resolved to $user_uid"
+
+testit "test $user_uid -eq $USERUID" test $user_uid -eq $USERUID || failed=$(expr $failed + 1)
+
+# Not sure how to get group names with spaces to resolve through testit
+#testit "wbinfo --name-to-sid" $wbinfo --name-to-sid="$DOMAIN/$GROUPNAME" || failed=$(expr $failed + 1)
+group_sid=$($wbinfo --name-to-sid="$DOMAIN/$GROUPNAME" | cut -d " " -f1)
+echo "$DOMAIN/$GROUPNAME resolved to $group_sid"
+
+testit "wbinfo --sid-to-gid=$group_sid" $wbinfo --sid-to-gid=$group_sid || failed=$(expr $failed + 1)
+group_gid=$($wbinfo --sid-to-gid=$group_sid | cut -d " " -f1)
+echo "$DOMAIN/$GROUPNAME resolved to $group_gid"
+
+testit "test $group_gid -eq $GROUPGID" test $group_gid -eq $GROUPGID || failed=$(expr $failed + 1)
+
+# Use different user and group for reverse lookup to not read from cache
+
+testit "$wbinfo --uid-to-sid=$USERUID2" $wbinfo --uid-to-sid=$USERUID2 || failed=$(expr $failed + 1)
+user_sid2=$($wbinfo --uid-to-sid=$USERUID2 | cut -d " " -f1)
+echo "UID $USERUID2 resolved to SID $user_sid2"
+
+testit "$wbinfo --sid-to-name=$user_sid2" $wbinfo --sid-to-name=$user_sid2 || failed=$(expr $failed + 1)
+user_name2=$($wbinfo --sid-to-name=$user_sid2 | cut -d " " -f1)
+echo "SID $user_sid2 resolved to $user_name2"
+
+testit "test $user_name2 = $DOMAIN/$USERNAME2" test "$(echo $user_name2 | tr A-Z a-z)" = "$(echo $DOMAIN/$USERNAME2 | tr A-Z a-z)" || failed=$(expr $failed + 1)
+
+testit "$wbinfo --gid-to-sid=$GROUPGID2" $wbinfo --gid-to-sid=$GROUPGID2 || failed=$(expr $failed + 1)
+group_sid2=$($wbinfo --gid-to-sid=$GROUPGID2 | cut -d " " -f1)
+echo "GID $GROUPGID2 resolved to SID $group_sid2"
+
+testit "$wbinfo --sid-to-name=$group_sid2" $wbinfo --sid-to-name=$group_sid2 || failed=$(expr $failed + 1)
+group_name2=$($wbinfo --sid-to-name=$group_sid2 | cut -d " " -f1)
+echo "SID $group_sid2 resolved to $group_name2"
+
+testit "test $group_name2 = $DOMAIN/$GROUPNAME2" test "$(echo $group_name2 | tr A-Z a-z)" = "$(echo $DOMAIN/$GROUPNAME2 | tr A-Z a-z)" || failed=$(expr $failed + 1)
+
+i=0
+while [ ${i} -lt ${NUMGROUPS} ]; do
+ GRP=$(printf "test_rfc2307_group_%3.3d" "$i")
+ GRP_GID=$(expr "$GID_START" + "$i")
+ testit "Add group $GRP" $net rpc group add "$GRP" -S "$DC_SERVER" \
+ -U"${DOMAIN}\\${DC_USERNAME}"%"${DC_PASSWORD}" ||
+ failed=$(expr $failed + 1)
+ testit "Add groupmem $GRP $USERNAME" \
+ $net rpc group addmem "$GRP" "$USERNAME" \
+ -S "$DC_SERVER" \
+ -U"${DOMAIN}\\${DC_USERNAME}"%"${DC_PASSWORD}" ||
+ failed=$(expr $failed + 1)
+ testit "Add group object for $GRP $GRP_GID" \
+ $VALGRIND $ldbadd \
+ -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD <<EOF
+dn: cn=$GRP,$LDAPPREFIX
+objectClass: posixGroup
+objectClass: groupOfNames
+cn: $GRP
+gidNumber: $GRP_GID
+member: cn=$USERNAME,$LDAPPREFIX
+EOF
+ i=$(expr "$i" + 1)
+done
+
+# Test whether wbinfo --xids-to-sids finds everything
+
+GIDS=""
+i=0
+while [ ${i} -lt ${NUMGROUPS} ]; do
+ GIDS="$GIDS g$(expr ${i} + ${GID_START})"
+ i=$(expr "$i" + 1)
+done
+NUM_VALID_SIDS=$($wbinfo --unix-ids-to-sids="$GIDS" | grep -v ^"NOT MAPPED" | wc -l)
+
+testit "Count number of valid sids found" \
+ test ${NUM_VALID_SIDS} = ${NUMGROUPS} ||
+ failed=$(expr $failed + 1)
+
+# Prime the cache so we test idmap, not the harder problem of
+# consistent group memberships for users without a login.
+
+testit "Authenticate the user to prime the netlogon cache" \
+ $wbinfo -a $DOMAIN/$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1)
+
+# Test whether wbinfo -r shows all groups
+
+EXPECTED_USERGROUPS="1000000/1000001/2000002/"
+i=0
+while [ ${i} -lt ${NUMGROUPS} ]; do
+ EXPECTED_USERGROUPS="$EXPECTED_USERGROUPS$(expr ${i} + ${GID_START})/"
+ i=$(expr "$i" + 1)
+done
+
+USERGROUPS=$($wbinfo -r $DOMAIN/$USERNAME | sort -n | tr '\n' '/')
+
+testit "Testing for expected group memberships" \
+ test "$USERGROUPS" = "$EXPECTED_USERGROUPS" ||
+ failed=$(expr $failed + 1)
+
+i=0
+while [ ${i} -lt ${NUMGROUPS} ]; do
+ GRP=$(printf "test_rfc2307_group_%3.3d" ${i})
+ testit "Del group $GRP" $net rpc group delete "$GRP" -S "$DC_SERVER" \
+ -U"${DOMAIN}\\${DC_USERNAME}"%"${DC_PASSWORD}" ||
+ failed=$(expr $failed + 1)
+ i=$(expr "$i" + 1)
+done
+
+# Delete LDAP records
+$VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "$LDAPPREFIX" --controls="tree_delete:1"
+
+exit $failed
diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh
new file mode 100755
index 0000000..2cd43a7
--- /dev/null
+++ b/nsswitch/tests/test_idmap_rid.sh
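Review bot: `test ${NUM_VALID_SIDS} = ${NUMGROUPS}` compares the output of `wc -l` as a string; on platforms where `wc -l` pads its count with leading blanks (BSD, macOS) the string comparison fails even when the count is right, and if `NUM_VALID_SIDS` is empty the unquoted expansion turns the line into a `test` usage error rather than a plain comparison failure. A quoted numeric comparison covers both: `test "${NUM_VALID_SIDS}" -eq "${NUMGROUPS}"`. The two unconditional `$VALGRIND $ldbdel ... --controls="tree_delete:1"` calls at the top and bottom ignore their exit status, which is reasonable for a cleanup that may find nothing to delete, but a one-line comment such as `# best effort: the prefix may not exist yet` would make that intent explicit. `EXPECTED_USERGROUPS="1000000/1000001/2000002/"` bakes in gids that come from the test environment rather than from this script's arguments; a comment naming where those values are defined would help whoever next changes that environment.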
@@ -0,0 +1,202 @@
+#!/bin/sh
+#
+# Test id mapping with various SIDs and idmap_rid
+#
+
+if [ $# -lt 1 ]; then
+ echo Usage: $0 DOMAIN RANGE_START
+ exit 1
+fi
+
+DOMAIN="$1"
+RANGE_START="$2"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
+if [ $? -ne 0 ]; then
+ echo "Could not find domain SID" | subunit_fail_test "test_idmap_rid"
+ exit 1
+fi
+
+# Find an unused uid and SID
+RID=66666
+MAX_RID=77777
+while true; do
+ id $RID
+ if [ $? -ne 0 ]; then
+ SID="$DOMAIN_SID-$RID"
+ $wbinfo -s $SID
+ if [ $? -ne 0 ]; then
+ break
+ fi
+ fi
+ RID=$(expr $RID + 1)
+ if [ $RID -eq $MAX_RID ]; then
+ echo "Could not find free SID" | subunit_fail_test "test_idmap_rid"
+ exit 1
+ fi
+done
+
+#
+# Test 1: Using non-existing SID to check backend returns a mapping
+#
+
+EXPECTED_ID=$(expr $RID + $RANGE_START)
+out="$($wbinfo --sids-to-unix-ids=$SID)"
+echo "wbinfo returned: \"$out\", expecting \"$SID -> uid/gid $EXPECTED_ID\""
+test "$out" = "$SID -> uid/gid $EXPECTED_ID"
+ret=$?
+testit "Unknown RID from primary domain returns a mapping" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 2: Using bogus SID with bad domain part to check idmap backend does not generate a mapping
+#
+
+SID=S-1-5-21-1111-2222-3333-666
+out="$($wbinfo --sids-to-unix-ids=$SID)"
+echo "wbinfo returned: \"$out\", expecting \"$SID -> unmapped\""
+test "$out" = "$SID -> unmapped"
+ret=$?
+testit "Bogus SID returns unmapped" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 3: ID_TYPE_BOTH mappings for group
+#
+
+GROUP="$DOMAIN/Domain Users"
+GROUP_SID=$($wbinfo --name-to-sid="$GROUP" | sed -e 's/ .*//')
+
+uid=$($wbinfo --sid-to-uid=$GROUP_SID)
+ret=$?
+testit "ID_TYPE_BOTH group map to uid succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH group map to uid has result" test -n $uid ||
+ failed=$(expr $failed + 1)
+
+gid=$($wbinfo --sid-to-gid=$GROUP_SID)
+ret=$?
+testit "ID_TYPE_BOTH group map to gid succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH group map to gid has result" test -n $gid ||
+ failed=$(expr $failed + 1)
+
+testit "ID_TYPE_BOTH group uid equals gid" test $uid -eq $gid ||
+ failed=$(expr $failed + 1)
+
+group_pw="$DOMAIN/domain users:*:$uid:$gid::/home/$DOMAIN/domain users:/bin/false"
+
+out=$(getent passwd "$GROUP")
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+test "$out" = "$group_pw"
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH group output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+out=$(getent passwd $uid)
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$group_pw"
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH group output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+group_gr="$DOMAIN/domain users:x:$gid"
+
+out=$(getent group "$GROUP")
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+# Compare only 'groupname:x:gid' part, drop the members
+normalized_out=$(echo "$out" | cut -d: -f1-3)
+test "$normalized_out" = "$group_gr"
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH group output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+out=$(getent group "$gid")
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+# Compare only 'groupname:x:gid' part, drop the members
+normalized_out=$(echo "$out" | cut -d: -f1-3)
+test "$normalized_out" = "$group_gr"
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH group output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+#
+# Test 4: ID_TYPE_BOTH mappings for user
+#
+
+dom_users_gid=$gid
+
+USER="$DOMAIN/Administrator"
+USER_SID=$($wbinfo --name-to-sid="$USER" | sed -e 's/ .*//')
+
+uid=$($wbinfo --sid-to-uid=$USER_SID)
+ret=$?
+testit "ID_TYPE_BOTH user map to uid succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH user map to uid has result" test -n $uid ||
+ failed=$(expr $failed + 1)
+
+gid=$($wbinfo --sid-to-gid=$USER_SID)
+ret=$?
+testit "ID_TYPE_BOTH user map to gid succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+testit "ID_TYPE_BOTH user map to gid has result" test -n $gid ||
+ failed=$(expr $failed + 1)
+
+testit "ID_TYPE_BOTH user uid equals gid" test $uid -eq $gid ||
+ failed=$(expr $failed + 1)
+
+user_pw="$DOMAIN/administrator:*:$uid:$dom_users_gid::/home/$DOMAIN/administrator:/bin/false"
+
+out=$(getent passwd "$USER")
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+test "$out" = "$user_pw"
+ret=$?
+testit "getpwnam for ID_TYPE_BOTH user output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+out=$(getent passwd $uid)
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$user_pw"
+ret=$?
+testit "getpwuid for ID_TYPE_BOTH user output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+user_gr="$DOMAIN/administrator:x:$gid:$DOMAIN/administrator"
+
+out=$(getent group "$USER")
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$user_gr"
+ret=$?
+testit "getgrnam for ID_TYPE_BOTH user output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+out=$(getent group "$gid")
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+test "$out" = "$user_gr"
+ret=$?
+testit "getgrgid for ID_TYPE_BOTH user output" test $ret -eq 0 ||
+ failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_rfc2307_mapping.sh b/nsswitch/tests/test_rfc2307_mapping.sh
new file mode 100755
index 0000000..440a924
--- /dev/null
+++ b/nsswitch/tests/test_rfc2307_mapping.sh
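Review bot: The four "has result" checks written as `test -n $uid` / `test -n $gid` can never fail: when the variable is empty the unquoted expansion vanishes and `test -n` is evaluated as a one-argument test of the literal string `-n`, which is true, so an empty mapping would be reported as a pass and only surface later as an `-eq` syntax error. Quote the expansion in all four places: `test -n "$uid"` and `test -n "$gid"`. The argument guard `if [ $# -lt 1 ]` also disagrees with the usage line and with `RANGE_START="$2"`; with a single argument `RANGE_START` is empty and `EXPECTED_ID=$(expr $RID + $RANGE_START)` fails inside `expr` instead of at the usage check, so it should read `if [ $# -lt 2 ]; then`.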
@@ -0,0 +1,159 @@
+#!/bin/sh
+# Blackbox test for wbinfo and rfc2307 mappings
+if [ $# -lt 7 ]; then
+ cat <<EOF
+Usage: test_rfc2307_mapping.sh DOMAIN USERNAME PASSWORD SERVER UID_RFC2307TEST GID_RFC2307TEST CONFIGURATION
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+USERNAME=$2
+PASSWORD=$3
+SERVER=$4
+UID_RFC2307TEST=$5
+GID_RFC2307TEST=$6
+CONFIGURATION=${7}
+shift 6
+
+failed=0
+samba4bindir="$BINDIR"
+wbinfo="$VALGRIND $samba4bindir/wbinfo"
+samba_tool="$VALGRIND $samba4bindir/samba-tool"
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+. "$(dirname "${0}")/../../testprogs/blackbox/common_test_fns.inc"
+
+ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
+
+# Create new testing account
+testit "user add" $PYTHON $samba_tool user create --given-name="rfc2307" \
+ --surname="Tester" --initial="UT" rfc2307_test_user testp@ssw0Rd \
+ "${CONFIGURATION}" "$@"
+
+#test creation of six different groups
+testit "group add" $PYTHON $samba_tool group add \
+ --group-scope='Domain' --group-type='Security' rfc2307_test_group \
+ "${CONFIGURATION}" "$@"
+
+# Create new testing group
+
+# Convert name to SID
+testit "wbinfo -n against $TARGET" $wbinfo -n "$DOMAIN/rfc2307_test_user" || failed=$(expr $failed + 1)
+user_sid=$($wbinfo -n "$DOMAIN/rfc2307_test_user" | cut -d " " -f1)
+echo "$DOMAIN/rfc2307_test_user resolved to $user_sid"
+
+testit "wbinfo -s $user_sid against $TARGET" $wbinfo -s $user_sid || failed=$(expr $failed + 1)
+user_name=$($wbinfo -s $user_sid | cut -d " " -f1 | tr a-z A-Z)
+echo "$user_sid resolved to $user_name"
+
+tested_name=$(echo $DOMAIN/rfc2307_test_user | tr a-z A-Z)
+
+# Now check that wbinfo works correctly (sid <=> name)
+echo "test: wbinfo -s check for sane mapping"
+if test x$user_name != x$tested_name; then
+ echo "$user_name does not match $tested_name"
+ echo "failure: wbinfo -s check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -s check for sane mapping"
+fi
+
+testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $user_name || failed=$(expr $failed + 1)
+test_sid=$($wbinfo -n $tested_name | cut -d " " -f1)
+
+echo "test: wbinfo -n check for sane mapping"
+if test x$user_sid != x$test_sid; then
+ echo "$user_sid does not match $test_sid"
+ echo "failure: wbinfo -n check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -n check for sane mapping"
+fi
+
+testit "wbinfo -n against $TARGET" $wbinfo -n "$DOMAIN/rfc2307_test_group" || failed=$(expr $failed + 1)
+group_sid=$($wbinfo -n "$DOMAIN/rfc2307_test_group" | cut -d " " -f1)
+echo "$DOMAIN/rfc2307_test_group resolved to $group_sid"
+
+# Then add a uidNumber to the group record using ldbmodify
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: <SID=$user_sid>
+changetype: modify
+add: uidNumber
+uidNumber: $UID_RFC2307TEST
+EOF
+
+testit "modify gidNumber on group" $VALGRIND $ldbmodify -H ldap://$SERVER \
+ $PREFIX/tmpldbmodify -U$DOMAIN/$USERNAME%$PASSWORD "$@" ||
+ failed=$(expr $failed + 1)
+
+# Then add a gidNumber to the group record using ldbmodify
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: <SID=$group_sid>
+changetype: modify
+add: gidNumber
+gidNumber: $GID_RFC2307TEST
+EOF
+
+testit "modify gidNumber on group" $VALGRIND $ldbmodify -H ldap://$SERVER \
+ $PREFIX/tmpldbmodify -U$DOMAIN/$USERNAME%$PASSWORD "$@" ||
+ failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpldbmodify
+
+# Now check we get a correct SID for the UID
+
+testit "wbinfo -U against $TARGET" $wbinfo -U $UID_RFC2307TEST || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -U check for sane mapping"
+sid_for_user=$($wbinfo -U $UID_RFC2307TEST)
+if test x"$sid_for_user" != x"$user_sid"; then
+ echo "uid $UID_RFC2307TEST mapped to $sid_for_user, not $user_sid"
+ echo "failure: wbinfo -U check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -U check for sane mapping"
+fi
+
+testit "wbinfo -G against $TARGET" $wbinfo -G $GID_RFC2307TEST || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -G check for sane mapping"
+sid_for_group=$($wbinfo -G $GID_RFC2307TEST)
+if test x$sid_for_group != "x$group_sid"; then
+ echo "gid $GID_RFC2307TEST mapped to $sid_for_group, not $group_sid"
+ echo "failure: wbinfo -G check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -G check for sane mapping"
+fi
+
+# Now check we get the right UID from the SID
+testit "wbinfo -S against $TARGET" $wbinfo -S "$user_sid" || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -S check for sane mapping"
+uid_for_user_sid=$($wbinfo -S $user_sid)
+if test 0$uid_for_user_sid -ne $UID_RFC2307TEST; then
+ echo "$user_sid mapped to $uid_for_sid, not $UID_RFC2307TEST"
+ echo "failure: wbinfo -S check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -S check for sane mapping"
+fi
+
+# Now check we get the right GID from the SID
+testit "wbinfo -Y" $wbinfo -Y "$group_sid" || failed=$(expr $failed + 1)
+
+echo "test: wbinfo -Y check for sane mapping"
+gid_for_user_sid=$($wbinfo -Y $group_sid)
+if test 0$gid_for_user_sid -ne $GID_RFC2307TEST; then
+ echo "$group_sid mapped to $gid_for_sid, not $GID_RFC2307TEST"
+ echo "failure: wbinfo -Y check for sane mapping"
+ failed=$(expr $failed + 1)
+else
+ echo "success: wbinfo -Y check for sane mapping"
+fi
+
+testit "group delete" $PYTHON $samba_tool group delete rfc2307_test_group "${CONFIGURATION}" "$@"
+testit "user delete" $PYTHON $samba_tool user delete rfc2307_test_user "${CONFIGURATION}" "$@"
+
+exit $failed
diff --git a/nsswitch/tests/test_ticket_expiry.sh b/nsswitch/tests/test_ticket_expiry.sh
new file mode 100755
index 0000000..f2fed55
--- /dev/null
+++ b/nsswitch/tests/test_ticket_expiry.sh
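Review bot: The failure messages in the `wbinfo -S` and `wbinfo -Y` checks print `$uid_for_sid` and `$gid_for_sid`, which are never assigned; the values set two lines above live in `uid_for_user_sid` and `gid_for_user_sid`, so a real mismatch is logged as `... mapped to , not ...` with the actual value missing. Change them to `echo "$user_sid mapped to $uid_for_user_sid, not $UID_RFC2307TEST"` and `echo "$group_sid mapped to $gid_for_user_sid, not $GID_RFC2307TEST"`. The first `testit "modify gidNumber on group"` actually adds `uidNumber` to the user (`dn: <SID=$user_sid>`), so its label and the comment above it (`Then add a uidNumber to the group record`) are copy-paste leftovers; `testit "modify uidNumber on user"` would make the subunit output readable. `shift 6` after `CONFIGURATION=${7}` leaves that seventh argument at the front of `"$@"`, so every `$samba_tool` and `$ldbmodify` call receives `"${CONFIGURATION}"` twice; if that duplication is not intended, `shift 7` is what the preceding assignments suggest.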
@@ -0,0 +1,74 @@
+#!/bin/sh
+# Test winbind ad backend behaviour when the kerberos ticket expires
+
+if [ $# -ne 1 ]; then
+ echo Usage: $0 DOMAIN
+ exit 1
+fi
+
+DOMAIN="$1"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+net="$VALGRIND $BINDIR/net"
+
+failed=0
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
+if [ $? -ne 0 ]; then
+ echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad"
+ exit 1
+fi
+ADMINS_SID="$DOMAIN_SID-512"
+
+# Previous tests might have put in a mapping
+$net cache del IDMAP/SID2XID/"$ADMINS_SID"
+
+# Trigger a winbind ad connection with a 5-second ticket lifetime,
+# see the smb.conf for the ad_member_idmap_ad environment we're in
+#
+# We expect failure here because there are no mappings in AD. In this
+# test we are only interested in the winbind LDAP connection as such,
+# we don't really care whether idmap_ad works fine. This is done in
+# different tests. And a negative lookup also triggers the LDAP
+# connection.
+
+testit_expect_failure "Deleting0 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+
+testit_expect_failure "Expecting failure1, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+
+testit "Deleting1 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+
+# allow our kerberos ticket to expire
+testit "Sleeping for 6 seconds" sleep 6 || failed=$(expr $failed + 1)
+
+# Try again, check how long it took to recover from ticket expiry
+#
+# On the LDAP connection two things happen: First we get an
+# unsolicited exop response telling us the network session was
+# abandoned, and secondly the LDAP server will kill the TCP
+# connection. Our ldap server is configured to defer the TCP
+# disconnect by 10 seconds. We need to make sure that winbind already
+# reacts to the unsolicited exop reply, discarding the connection. The
+# only way is to make sure the following wbinfo does not take too
+# long.
+
+# We need to do the test command in this funny way as on gitlab we're
+# using the bash builtin
+
+START=$(date +%s)
+testit_expect_failure "Expecting failure2, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+END=$(date +%s)
+DURATION=$(expr $END - $START)
+testit "timeout DURATION[$DURATION] < 8" test "$DURATION" -le 8 ||
+ failed=$(expr $failed + 1)
+
+testit "Deleting2 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
+ failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
new file mode 100755
index 0000000..b36e4c6
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo.sh
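Review bot: The domain-SID guard near the top of the hunk cannot fire: `$?` after `$wbinfo -n "$DOMAIN/" | cut ...` is cut's exit status (this is `#!/bin/sh` with no pipefail), so a failed wbinfo leaves DOMAIN_SID empty, ADMINS_SID becomes `-512`, and the later lookups run against a malformed SID; the failure would also be reported under the wrong name, `test_idmap_ad`. Test the value instead: `[ -n "$DOMAIN_SID" ] || { echo "Could not find domain SID" | subunit_fail_test "test_ticket_expiry"; exit 1; }`. The same `$?`-after-pipeline pattern recurs in other scripts of this series, for example the `--group-info` gid check in test_wbinfo.sh. Separately, the test label says `< 8` while the comparison is `-le 8`; aligning the label with the check avoids confusion when reading the subunit output.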
@@ -0,0 +1,322 @@ +#!/bin/sh +# Blackbox test for wbinfo +if [ $# -lt 4 ]; then + cat <<EOF +Usage: test_wbinfo.sh DOMAIN USERNAME PASSWORD TARGET +EOF + exit 1 +fi + +DOMAIN=$1 +USERNAME=$2 +PASSWORD=$3 +TARGET=$4 +shift 4 + +failed=0 +samba4bindir="$BINDIR" +wbinfo="$VALGRIND $samba4bindir/wbinfo" + +. $(dirname $0)/../../testprogs/blackbox/subunit.sh + +testfail() +{ + name="$1" + shift + cmdline="$*" + echo "test: $name" + $cmdline + status=$? + if [ x$status = x0 ]; then + echo "failure: $name" + return 1 + else + echo "success: $name" + return 0 + fi +} + +knownfail() +{ + name="$1" + shift + cmdline="$*" + echo "test: $name" + $cmdline + status=$? + if [ x$status = x0 ]; then + echo "failure: $name [unexpected success]" + status=1 + else + echo "knownfail: $name" + status=0 + fi + return $status +} + +KRB5CCNAME_PATH="$PREFIX/test_wbinfo_krb5ccache" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +# List users +testit "wbinfo -u against $TARGET" $wbinfo -u || failed=$(expr $failed + 1) +# List groups +testit "wbinfo -g against $TARGET" $wbinfo -g || failed=$(expr $failed + 1) +# Convert netbios name to IP +# Does not work yet +testit "wbinfo -N against $TARGET" $wbinfo -N $NETBIOSNAME || failed=$(expr $failed + 1) +# Convert IP to netbios name +# Does not work yet +testit "wbinfo -I against $TARGET" $wbinfo -I $SERVER_IP || failed=$(expr $failed + 1) + +# Convert name to SID +testit "wbinfo -n against $TARGET" $wbinfo -n "$DOMAIN/$USERNAME" || failed=$(expr $failed + 1) +admin_sid=$($wbinfo -n "$DOMAIN/$USERNAME" | cut -d " " -f1) +echo "$DOMAIN/$USERNAME resolved to $admin_sid" + +testit "wbinfo -s $admin_sid against $TARGET" $wbinfo -s $admin_sid || failed=$(expr $failed + 1) +admin_name=$($wbinfo -s $admin_sid | cut -d " " -f1 | tr a-z A-Z) +echo "$admin_sid resolved to $admin_name" + +tested_name=$(echo $DOMAIN/$USERNAME | tr a-z A-Z) + +echo "test: wbinfo -s check for sane mapping" +if test x$admin_name != 
x$tested_name; then + echo "$admin_name does not match $tested_name" + echo "failure: wbinfo -s check for sane mapping" + failed=$(expr $failed + 1) +else + echo "success: wbinfo -s check for sane mapping" +fi + +while read SID; do + read NAME + + testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=$(expr $failed + 1) + + RESOLVED_NAME=$($wbinfo -s $SID | tr a-z A-Z) + echo "$SID resolved to $RESOLVED_NAME" + + echo "test: wbinfo -s $SID against $TARGET" + if test x"$RESOLVED_NAME" != x"$NAME"; then + echo "$RESOLVED_NAME does not match $NAME" + echo "failure: wbinfo -s $SID against $TARGET" + failed=$(expr $failed + 1) + else + echo "success: wbinfo -s $SID against $TARGET" + fi +done <<EOF +S-1-1-0 +/EVERYONE 5 +S-1-3-1 +/CREATOR GROUP 5 +S-1-5-1 +NT AUTHORITY/DIALUP 5 +EOF + +testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=$(expr $failed + 1) +test_sid=$($wbinfo -n $tested_name | cut -d " " -f1) + +echo "test: wbinfo -n check for sane mapping" +if test x$admin_sid != x$test_sid; then + echo "$admin_sid does not match $test_sid" + echo "failure: wbinfo -n check for sane mapping" + failed=$(expr $failed + 1) +else + echo "success: wbinfo -n check for sane mapping" +fi + +echo "test: wbinfo -n NT Authority/Authenticated Users" +$wbinfo -n "NT Authority/Authenticated Users" +if [ $? -ne 0 ]; then + echo "failure: wbinfo -n NT Authority/Authenticated Users" + failed=$(expr $failed + 1) +else + echo "success: wbinfo -n NT Authority/Authenticated Users" +fi + +echo "test: wbinfo --group-info NT Authority/Authenticated Users" +$wbinfo --group-info "NT Authority/Authenticated Users" +if [ $? 
-ne 0 ]; then + echo "failure: wbinfo --group-info NT Authority/Authenticated Users" + failed=$(expr $failed + 1) +else + echo "success: wbinfo --group-info NT Authority/Authenticated Users" +fi + +testit "wbinfo -U against $TARGET" $wbinfo -U 30000 || failed=$(expr $failed + 1) + +echo "test: wbinfo -U check for sane mapping" +sid_for_30000=$($wbinfo -U 30000) +if test x$sid_for_30000 != "xS-1-22-1-30000"; then + echo "uid 30000 mapped to $sid_for_30000, not S-1-22-1-30000" + echo "failure: wbinfo -U check for sane mapping" + failed=$(expr $failed + 1) +else + echo "success: wbinfo -U check for sane mapping" +fi + +admin_uid=$($wbinfo -S $admin_sid) + +testit "wbinfo -G against $TARGET" $wbinfo -G 30000 || failed=$(expr $failed + 1) + +echo "test: wbinfo -G check for sane mapping" +sid_for_30000=$($wbinfo -G 30000) +if test x$sid_for_30000 != "xS-1-22-2-30000"; then + echo "gid 30000 mapped to $sid_for_30000, not S-1-22-2-30000" + echo "failure: wbinfo -G check for sane mapping" + failed=$(expr $failed + 1) +else + echo "success: wbinfo -G check for sane mapping" +fi + +testit "wbinfo -S against $TARGET" $wbinfo -S "S-1-22-1-30000" || failed=$(expr $failed + 1) + +echo "test: wbinfo -S check for sane mapping" +uid_for_sid=$($wbinfo -S S-1-22-1-30000) +if test 0$uid_for_sid -ne 30000; then + echo "S-1-22-1-30000 mapped to $uid_for_sid, not 30000" + echo "failure: wbinfo -S check for sane mapping" + failed=$(expr $failed + 1) +else + echo "success: wbinfo -S check for sane mapping" +fi + +testfail "wbinfo -S against $TARGET using invalid SID" $wbinfo -S "S-1-22-2-30000" || failed=$(expr $failed + 1) + +testit "wbinfo -Y against $TARGET" $wbinfo -Y "S-1-22-2-30000" || failed=$(expr $failed + 1) + +echo "test: wbinfo -Y check for sane mapping" +gid_for_sid=$($wbinfo -Y S-1-22-2-30000) +if test 0$gid_for_sid -ne 30000; then + echo "S-1-22-2-30000 mapped to $gid_for_sid, not 30000" + echo "failure: wbinfo -Y check for sane mapping" + failed=$(expr $failed + 1) +else + 
echo "success: wbinfo -Y check for sane mapping" +fi + +testfail "wbinfo -Y against $TARGET using invalid SID" $wbinfo -Y "S-1-22-1-30000" || failed=$(expr $failed + 1) + +testit "wbinfo -t against $TARGET" $wbinfo -t || failed=$(expr $failed + 1) + +#didn't really work anyway +testit "wbinfo --trusted-domains against $TARGET" $wbinfo --trusted-domains || failed=$(expr $failed + 1) +testit "wbinfo --all-domains against $TARGET" $wbinfo --all-domains || failed=$(expr $failed + 1) + +testit "wbinfo --own-domain against $TARGET" $wbinfo --own-domain || failed=$(expr $failed + 1) + +echo "test: wbinfo --own-domain against $TARGET check output" +own_domain=$($wbinfo --own-domain) +if test x$own_domain = x$DOMAIN; then + echo "success: wbinfo --own-domain against $TARGET check output" +else + echo "Own domain reported as $own_domain instead of $DOMAIN" + echo "failure: wbinfo --own-domain against $TARGET check output" + failed=$(expr $failed + 1) +fi + +# this does not work +knownfail "wbinfo --sequence against $TARGET" $wbinfo --sequence + +# this is stubbed out now +testit "wbinfo -D against $TARGET" $wbinfo -D $DOMAIN || failed=$(expr $failed + 1) + +testit "wbinfo -i against $TARGET" $wbinfo -i "$DOMAIN/$USERNAME" || failed=$(expr $failed + 1) + +echo "test: wbinfo --group-info against $TARGET" +gid=$($wbinfo --group-info "$DOMAIN/Domain users" | cut -d: -f3) +if test x$? = x0; then + echo "success: wbinfo --group-info against $TARGET" +else + echo "failure: wbinfo --group-info against $TARGET" + failed=$(expr $failed + 1) +fi + +test_name="wbinfo -i against $TARGET" +subunit_start_test "$test_name" +passwd_line=$($wbinfo -i "$DOMAIN/$USERNAME") +if test x$? 
= x0; then + subunit_pass_test "$test_name" +else + subunit_fail_test "$test_name" + failed=$(expr $failed + 1) +fi + +test_name="confirm output of wbinfo -i against $TARGET" +subunit_start_test "$test_name" + +# The full name (GECOS) is based on name (the RDN, in this case CN) +# and displayName in winbindd_ads, and is based only on displayName in +# winbindd_msrpc and winbindd_rpc. Allow both versions. +if test "$TARGET" = "ad_member"; then + expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false" + expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false" +else + expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false" + expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false" +fi + +if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then + subunit_pass_test "$test_name" +else + echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" + failed=$(expr $failed + 1) +fi + +test_name="wbinfo --uid-info against $TARGET" +subunit_start_test "$test_name" +passwd_line=$($wbinfo --uid-info=$admin_uid) +if test x$? 
= x0; then + subunit_pass_test "$test_name" +else + subunit_fail_test "$test_name" + failed=$(expr $failed + 1) +fi + +test_name="confirm output of wbinfo --uid-info against $TARGET" +subunit_start_test "$test_name" +if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then + subunit_pass_test "$test_name" +else + echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" + failed=$(expr $failed + 1) +fi + +testfail "wbinfo --group-info against $TARGET with $USERNAME" $wbinfo --group-info $USERNAME || failed=$(expr $failed + 1) + +testit "wbinfo --gid-info against $TARGET" $wbinfo --gid-info $gid || failed=$(expr $failed + 1) + +testit "wbinfo -r against $TARGET" $wbinfo -r "$DOMAIN/$USERNAME" || failed=$(expr $failed + 1) + +testit "wbinfo --user-domgroups against $TARGET" $wbinfo --user-domgroups $admin_sid || failed=$(expr $failed + 1) + +testit "wbinfo --user-sids against $TARGET" $wbinfo --user-sids $admin_sid || failed=$(expr $failed + 1) + +testit "wbinfo -a against $TARGET with domain creds" $wbinfo -a "$DOMAIN/$USERNAME"%"$PASSWORD" || failed=$(expr $failed + 1) + +testit "wbinfo -a against $TARGET with domain upn creds" $wbinfo -a "$USERNAME@$DOMAIN"%"$PASSWORD" || failed=$(expr $failed + 1) + +testit "wbinfo --getdcname against $TARGET" $wbinfo --getdcname=$DOMAIN + +testit "wbinfo -p against $TARGET" $wbinfo -p || failed=$(expr $failed + 1) + +testit "wbinfo -K against $TARGET with domain creds" $wbinfo --krb5ccname=$KRB5CCNAME --krb5auth="$DOMAIN/$USERNAME"%"$PASSWORD" || failed=$(expr $failed + 1) + +testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=$(expr $failed + 1) + +if test "$TARGET" = "ad_member"; then + testit "wbinfo --domain-info=$DOMAIN" $wbinfo --domain-info=$DOMAIN || failed=$(expr $failed + 1) + + testit "wbinfo --dc-info=$DOMAIN" $wbinfo --dc-info=$DOMAIN || failed=$(expr $failed + 1) +fi + +testit_expect_failure "wbinfo -a against 
$TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" || failed=$(expr $failed + 1) + +testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" || failed=$(expr $failed + 1) + +rm -f $KRB5CCNAME_PATH + +exit $failed diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh new file mode 100755 index 0000000..048fdfc --- /dev/null +++ b/nsswitch/tests/test_wbinfo_name_lookup.sh 
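Review bot: `testit "wbinfo --getdcname against $TARGET" $wbinfo --getdcname=$DOMAIN` is the only testit call in the file without `|| failed=$(expr $failed + 1)`, so a failing lookup is printed but never counted in the exit status; append the same suffix the neighbouring lines use. The `--group-info` check earlier in the hunk has a related problem: `gid=$($wbinfo --group-info "$DOMAIN/Domain users" | cut -d: -f3)` followed by `if test x$? = x0` tests cut's status, so it always passes and an empty `$gid` then feeds `$wbinfo --gid-info $gid`; a `test -n "$gid"` would catch that. The expected passwd lines are also hard-coded to `administrator` while the script takes USERNAME as a parameter, which makes the `-i` and `--uid-info` output checks fail for any other account. Finally, the `-a` and `--krb5auth` invocations put `%$PASSWORD` on the command line, which testit echoes into the subunit log; acceptable for the test credentials used here, but worth a comment so the pattern is not reused with real ones.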
@@ -0,0 +1,64 @@
+#!/bin/sh
+# Blackbox test for wbinfo name lookup
+if [ $# -lt 3 ]; then
+ cat <<EOF
+Usage: test_wbinfo_name_lookup.sh DOMAIN REALM DC_USERNAME
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+REALM=$2
+DC_USERNAME=$3
+shift 3
+
+failed=0
+sambabindir="$BINDIR"
+wbinfo="$VALGRIND $sambabindir/wbinfo"
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+# Correct query is expected to work
+testit "name-to-sid.single-separator" \
+ $wbinfo -n $DOMAIN/$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+testit "name-to-sid.at_domain" \
+ $wbinfo -n $DOMAIN/ ||
+ failed=$(expr $failed + 1)
+
+testit "name-to-sid.upn" \
+ $wbinfo -n $DC_USERNAME@$REALM ||
+ failed=$(expr $failed + 1)
+
+testit "name-to-sid.realm-user" \
+ $wbinfo -n $REALM/$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+# For the name-to-sid.realm-user query, ensure
+# that this does not change subsequent sid-to-name
+# queries.
+sid=$($wbinfo -n $REALM/$DC_USERNAME | sed -e 's/ .*//')
+out=$($wbinfo -s $sid | sed -e 's/ .//')
+# winbindd returns usernames in lowercase
+lcuser=$(echo $DC_USERNAME | tr A-Z a-z)
+testit "Verify DOMAIN/USER output" \
+ test "$out" = "$DOMAIN/$lcuser" ||
+ failed=$(expr $failed + 1)
+
+# Two separator characters should fail
+testit_expect_failure "name-to-sid.double-separator" \
+ $wbinfo -n $DOMAIN//$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+# Invalid domain is expected to fail
+testit_expect_failure "name-to-sid.invalid-domain" \
+ $wbinfo -n INVALID/$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+# Invalid domain with two separator characters is expected to fail
+testit_expect_failure "name-to-sid.double-separator-invalid-domain" \
+ $wbinfo -n INVALID//$DC_USERNAME ||
+ failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/nsswitch/tests/test_wbinfo_sids_to_xids.sh b/nsswitch/tests/test_wbinfo_sids_to_xids.sh
new file mode 100755
index 0000000..c910d19
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_sids_to_xids.sh
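Review bot: `sid=$($wbinfo -n $REALM/$DC_USERNAME | sed -e 's/ .*//')` is never checked, so when the lookup fails `$sid` is empty, the unquoted `$wbinfo -s $sid` on the next line runs with no argument, and the problem surfaces only as a "Verify DOMAIN/USER output" failure rather than at its cause. Add `testit "name-to-sid.realm-user.sid" test -n "$sid" || failed=$(expr $failed + 1)` between the two assignments. The two sed expressions are also inconsistent: `'s/ .*//'` strips everything after the first space, while `'s/ .//'` strips exactly one character, which only works as long as the trailing type field is a single digit; using `'s/ [0-9]*$//'` in both places removes that assumption.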
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+incdir=$(dirname $0)/../../testprogs/blackbox
+. $incdir/subunit.sh
+
+#
+# S-1-5-123456789 fails, but S-1-5-11 succeeds. Check that S-1-5-11 is
+# mapped successfully with a GID in the 1000x range
+#
+wbinfo_some_mapped()
+{
+ output=$($VALGRIND $BINDIR/wbinfo --sids-to-unix-ids=S-1-5-123456789,S-1-5-11)
+ test x"$?" = x"0" || {
+ return 1
+ }
+
+ printf '%s' "$output" | grep -q 'S-1-5-123456789 -> unmapped' || {
+ printf '%s' "$output"
+ return 1
+ }
+
+ printf '%s' "$output" | grep -q 'S-1-5-11 -> gid 10000' || {
+ printf '%s' "$output"
+ return 1
+ }
+
+ return 0
+}
+
+testit "wbinfo some mapped" wbinfo_some_mapped || failed=$(expr $failed + 1)
+
+testok $0 $failed
diff --git a/nsswitch/tests/test_wbinfo_simple.sh b/nsswitch/tests/test_wbinfo_simple.sh
new file mode 100755
index 0000000..226715a
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_simple.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: test_wbinfo_simple.sh <wbinfo args>
+EOF
+ exit 1
+fi
+
+ADDARGS="$*"
+
+incdir=$(dirname $0)/../../testprogs/blackbox
+. $incdir/subunit.sh
+
+KRB5CCNAME_PATH="$PREFIX/test_wbinfo_simple_krb5ccname"
+rm -f $KRB5CCNAME_PATH
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+testit "wbinfo" $VALGRIND $BINDIR/wbinfo --krb5ccname="$KRB5CCNAME" $ADDARGS || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+
+testok $0 $failed
diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
new file mode 100755
index 0000000..b9a720d
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
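Review bot: `failed` is never initialised in this script, nor in test_wbinfo_simple.sh in the next hunk, although both increment it with `failed=$(expr $failed + 1)` and hand it to `testok $0 $failed`; every other script in this series sets `failed=0` first. With the variable empty the unquoted expansion becomes `expr + 1`, whose result depends on the expr implementation, and `testok` receives no count argument at all when nothing has failed. Add `failed=0` right after `. $incdir/subunit.sh` in both files.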
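Review bot: `ADDARGS="$*"` followed by an unquoted `$ADDARGS` re-splits the caller's arguments on whitespace, so any wbinfo argument that contains a space (a `DOMAIN/name` with a space, or a `user%password` with one) is broken apart before it reaches wbinfo. The script does nothing with the arguments except forward them, so passing `"$@"` directly — `$VALGRIND $BINDIR/wbinfo --krb5ccname="$KRB5CCNAME" "$@"` — preserves them exactly and drops the intermediate variable.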
@@ -0,0 +1,140 @@
+#!/bin/sh
+# Blackbox test for wbinfo lookup for account name and upn
+# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 6 ]; then
+ cat <<EOF
+Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2 ENVNAME
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+REALM=$2
+OWN_DOMAIN=$3
+USERNAME1=$4
+UPN_NAME1=$5
+USERNAME2=$6
+UPN_NAME2=$7
+ENVNAME=$8
+shift 7
+
+failed=0
+
+samba_bindir="$BINDIR"
+wbinfo_tool="$VALGRIND $samba_bindir/wbinfo"
+
+UPN1="$UPN_NAME1@$REALM"
+UPN2="$UPN_NAME2@$REALM"
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+test_user_info()
+{
+ local cmd out ret user domain upn userinfo
+
+ local domain="$1"
+ local user="$2"
+ local upn="$3"
+
+ if [ $# -lt 3 ]; then
+ userinfo="$domain/$user"
+ else
+ userinfo="$upn"
+ fi
+
+ cmd='$wbinfo_tool --user-info $userinfo'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "failed to lookup $userinfo"
+ echo "$out"
+ return 1
+ fi
+
+ echo "$out" | grep "$domain/$user:.*:.*:.*::/home/$domain/Domain Users/$user"
+ ret=$?
+ if [ $ret != 0 ]; then
+ echo "failed to lookup $userinfo"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+test_getpwnam()
+{
+ local cmd out ret
+
+ local lookup_username=$1
+ local expected_return=$2
+ local expected_output=$3
+
+ cmd='getent passwd $lookup_username'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+
+ if [ $ret -ne $expected_return ]; then
+ echo "return code: $ret, expected return code is: $expected_return"
+ echo "$out"
+ return 1
+ fi
+
+ if [ -n "$expected_output" ]; then
+ echo "$out" | grep "$expected_output"
+ ret=$?
+
+ if [ $ret -ne 0 ]; then
+ echo "Unable to find $expected_output in:"
+ echo "$out"
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
+testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
+
+testit "user_info.domain.$USERNAME1" test_user_info $DOMAIN $USERNAME1 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME1" test_user_info $DOMAIN $USERNAME1 $UPN1 || failed=$(expr $failed + 1)
+
+testit "name_to_sid.domain.$USERNAME2" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME2 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME2" $wbinfo_tool --name-to-sid $UPN2 || failed=$(expr $failed + 1)
+
+testit "user_info.domain.$USERNAME2" test_user_info $DOMAIN $USERNAME2 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME2" test_user_info $DOMAIN $USERNAME2 $UPN2 || failed=$(expr $failed + 1)
+
+USERNAME3="testdenied"
+UPN_NAME3="testdenied_upn"
+UPN3="$UPN_NAME3@${REALM}.upn"
+testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+
+testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+case ${ENVNAME} in
+ad_member*)
+ # We should not be able to lookup the user just by the name
+ test_ret=2
+ test_output=""
+ ;;
+fl2008r2dc*)
+ test_ret=0
+ test_output="$OWN_DOMAIN/$USERNAME1"
+ ;;
+*)
+ test_ret=0
+ test_output="$DOMAIN/$USERNAME1"
+ ;;
+esac
+
+testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
+
+exit $failed
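Review bot: The argument check and the usage text disagree: the usage lists eight parameters and `ENVNAME=$8` is read, but the guard is `if [ $# -lt 6 ]` and the script does `shift 7`, so a caller passing six or seven arguments is not rejected, gets an empty ENVNAME, and silently falls into the `*)` arm of the final case. Change the guard to `if [ $# -lt 8 ]; then` and the shift to `shift 8`. As a point of style, both helpers assemble the command in a string and run it through `eval` only to echo and execute it; `echo "$wbinfo_tool --user-info $userinfo"` followed by `out=$($wbinfo_tool --user-info "$userinfo")` does the same without routing test input through eval, and the same applies to the `getent passwd` call in test_getpwnam.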
diff --git a/nsswitch/tests/test_wbinfo_user_info_cached.sh b/nsswitch/tests/test_wbinfo_user_info_cached.sh new file mode 100755 index 0000000..a7ed471 --- /dev/null +++ b/nsswitch/tests/test_wbinfo_user_info_cached.sh @@ -0,0 +1,50 @@ +#!/bin/sh +# Blackbox test for wbinfo primary groups and samlogon caching +# Copyright (c) 2020 Andreas Schneider <asn@samba.org> + +if [ $# -lt 5 ]; then + cat <<EOF +Usage: $(basename $0) DOMAIN REALM USERNAME PASSWORD PRIMARY_GROUP +EOF + exit 1 +fi + +DOMAIN=$1 +REALM=$2 +USERNAME=$3 +PASSWORD=$4 +PRIMARY_GROUP=$5 +shift 5 + +DEFAULT_GROUP="Domain Users" + +failed=0 + +samba_bindir="$BINDIR" +wbinfo_tool="$VALGRIND $samba_bindir/wbinfo" +net_tool="$VALGRIND $samba_bindir/net --configfile=$SERVERCONFFILE" + +. $(dirname $0)/../../testprogs/blackbox/subunit.sh + +KRB5CCNAME_PATH="$PREFIX/test_wbinfo_user_info_cached_krb5ccache" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +USER="$DOMAIN/$USERNAME" +USER_SID=$($wbinfo_tool --name-to-sid="$USER" | sed -e 's/ .*//') + +testit_grep "user_info.no_cache" "$DEFAULT_GROUP" $wbinfo_tool --user-info=$USER || failed=$(expr $failed + 1) + +# Fill the samlogon cache +testit "kerberos_login" $wbinfo_tool --krb5ccname=$KRB5CCNAME --krb5auth=$USER%$PASSWORD || failed=$(expr $failed + 1) + +testit_grep "user_info.samlogon_cache" "$PRIMARY_GROUP" $wbinfo_tool --user-info=$USER || failed=$(expr $failed + 1) + +# Cleanup +$net_tool cache samlogon delete $USER_SID + +rm -f $KRB5CCNAME_PATH + +exit $failed |
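Review bot: `USER_SID=$($wbinfo_tool --name-to-sid="$USER" | sed -e 's/ .*//')` is not checked, so a failed lookup leaves it empty and the cleanup `$net_tool cache samlogon delete $USER_SID` then runs without a SID; a `testit "name_to_sid.$USER" test -n "$USER_SID" || failed=$(expr $failed + 1)` right after the assignment reports the failure where it happens. `--krb5auth=$USER%$PASSWORD` is unquoted, unlike `--name-to-sid="$USER"` a few lines above, so a password containing whitespace would be split into separate arguments; quote it as `--krb5auth="$USER%$PASSWORD"`. Reusing the name `USER` also shadows the login environment variable of the same name for the rest of the script; it is not exported here, but a name such as `TEST_USER` avoids surprises if the file grows.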