From 31bdcfe4b647c8c783efa32da3c333b5f166a42d Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 20 Jun 2024 06:07:27 +0200 Subject: Adding upstream version 2:4.20.2+dfsg. Signed-off-by: Daniel Baumann --- testprogs/blackbox/test_ldap_token.sh | 115 +++++++++++++++++++++++++++++++++ testprogs/blackbox/test_trust_token.sh | 5 +- 2 files changed, 118 insertions(+), 2 deletions(-) create mode 100755 testprogs/blackbox/test_ldap_token.sh (limited to 'testprogs') diff --git a/testprogs/blackbox/test_ldap_token.sh b/testprogs/blackbox/test_ldap_token.sh new file mode 100755 index 0000000..5965590 --- /dev/null +++ b/testprogs/blackbox/test_ldap_token.sh @@ -0,0 +1,115 @@ +#!/bin/bash +# Copyright (C) 2017 Stefan Metzmacher + +if [ $# -lt 6 ]; then + cat <&1) + ret=$? + test x"$ret" = x"0" || { + echo "$out" + return 1 + } + + domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l) + test "$domain_sids" -ge "1" || { + echo "$out" + echo "Less than 1 sid from $DOMAIN $DOMSID" + return 1 + } + + builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l) + test "$builtin_sids" -ge "1" || { + echo "$out" + echo "Less than 1 sid from BUILTIN S-1-5-32" + return 1 + } + + # + # The following should always be present + # + # SID_WORLD(S-1-1-0) + # SID_NT_NETWORK(S-1-5-2) + # SID_NT_AUTHENTICATED_USERS(S-1-5-11) + # + required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}" + for sid in $required_sids; do + found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l) + test x"$found" = x"1" || { + echo "$out" + echo "SID: ${sid} not found" + return 1 + } + done + + return 0 +} + +UARGS="-U$REALM\\$USERNAME%$PASSWORD" +# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5 +AARGS="-k yes" +testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--use-kerberos=required" +testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--option=clientusekerberos=required" +testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--use-kerberos=required --option=clientusekerberos=off" +testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1) +# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP +AARGS="-k no" +testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--use-kerberos=off" +testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--option=clientusekerberos=off" +testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--use-kerberos=off --option=clientusekerberos=required" +testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1) + +UARGS="-P" +# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5 +AARGS="-k yes" +testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--use-kerberos=required" +testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--option=clientusekerberos=required" +testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--use-kerberos=required --option=clientusekerberos=off" +testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1) +# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP +AARGS="-k no" +testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--use-kerberos=off" +testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--option=clientusekerberos=off" +testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1) +AARGS="--use-kerberos=off --option=clientusekerberos=required" +testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1) + +exit $failed diff --git a/testprogs/blackbox/test_trust_token.sh b/testprogs/blackbox/test_trust_token.sh index 075c032..92d4ad5 100755 --- a/testprogs/blackbox/test_trust_token.sh +++ b/testprogs/blackbox/test_trust_token.sh @@ -34,7 +34,7 @@ ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}") test_token() { auth_args="${1}" - auth_sid="${2-}" + auth_sid="${2}" out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' --scope=base -k ${auth_args} tokenGroups 2>&1) ret=$? @@ -84,7 +84,8 @@ test_token() return 0 } -testit "Test token with kerberos" test_token "yes" "" || failed=$(expr $failed + 1) +# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5 +testit "Test token with kerberos" test_token "yes" "S-1-18-1" || failed=$(expr $failed + 1) # Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP testit "Test token with NTLMSSP" test_token "no" "S-1-5-64-10" || failed=$(expr $failed + 1) -- cgit v1.2.3