From: Noel Power <noel.power@suse.com>
Date: Thu, 12 Dec 2019 14:48:54 +0000 (+0000)
Subject: s4/selftest: Adjust samba4.blackbox.pkinit to use (s3) smbclient
X-Git-Tag: ldb-2.2.0~1062
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=572bc3e643c53ef5d95d9116d0aeac72f7ec2b5b;p=thirdparty%2Fsamba.git

s4/selftest: Adjust samba4.blackbox.pkinit to use (s3) smbclient

samba4.blackbox.pkinit falls to pass in environments that don't support
SMB2 because of use (s4) smbclient4. Change test to use (s3) smbclient

Additionally a test within the test script test_kinit_trusts_heimdal.sh
explicitly uses smbclient4 which can't negotiate SMB1 in environments
that don't support it. Add knownfail to cater for this & also remove entry
from the skip file

Further reference the smbclient4 specific test is associated with
https://bugzilla.samba.org/show_bug.cgi?id=12554 so maybe we should
keep it for the moment

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/selftest/knownfail.d/kinit_trust b/selftest/knownfail.d/kinit_trust
new file mode 100644
index 00000000000..c4ac2cae870
--- /dev/null
+++ b/selftest/knownfail.d/kinit_trust
@@ -0,0 +1,2 @@
+^samba4.blackbox.kinit_trust.Test login with.*kerberos ccache \(smbclient4\)\(fl2008r2dc:local\)
+^samba4.blackbox.kinit_trust.Test login with.* kerberos ccache \(smbclient4\)\(fl2003dc:local\)
diff --git a/selftest/skip_smb1_fails b/selftest/skip_smb1_fails
index f1fcc16bdfe..cce229e7265 100644
--- a/selftest/skip_smb1_fails
+++ b/selftest/skip_smb1_fails
@@ -166,9 +166,6 @@
 ^samba3.unix.whoami\(nt4_member\)
 ^samba3.unix.whoami ntlm user@realm\(ad_member\)
 ^samba4.blackbox.chgdcpass\(chgdcpass\)
-^samba4.blackbox.kinit_trust\(fl2003dc:local\)
-^samba4.blackbox.kinit_trust\(fl2008r2dc:local\)
-^samba4.blackbox.pkinit\(ad_dc:local\)
 ^samba4.blackbox.smbclient\(ad_member:local\)\(ad_member:local\)
 ^samba4.blackbox.smbclient\(chgdcpass:local\)\(chgdcpass:local\)
 ^samba4.ldap.nested-search\(ad_dc_default\)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index c4a0b44d96c..be8ed3a323f 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -470,7 +470,7 @@ plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join
 
 if have_heimdal_support:
     for env in ["ad_dc_ntvfs", "ad_dc"]:
-        plantestsuite("samba4.blackbox.pkinit", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", smbclient4, configuration])
+        plantestsuite("samba4.blackbox.pkinit", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", smbclient3, configuration])
         plantestsuite("samba4.blackbox.pkinit_pac", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_pac_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", configuration])
     plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient4, configuration])
     plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "arcfour-hmac-md5", smbclient3, configuration])
diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh
index 559a4533fee..641453b4e55 100755
--- a/testprogs/blackbox/test_pkinit_heimdal.sh
+++ b/testprogs/blackbox/test_pkinit_heimdal.sh
@@ -68,12 +68,12 @@ PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREF
 testit "STEP1 samba-tool user create $USERNAME --smartcard-required" $PYTHON ${samba_tool} user create $USERNAME --smartcard-required || failed=`expr $failed + 1`
 
 testit_expect_failure "STEP1 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   && failed=`expr $failed + 1`
-testit_expect_failure "STEP1 Test login with NTLM" $smbclient "$unc" -c 'ls' -k no -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
+testit_expect_failure "STEP1 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
 testit_expect_failure "STEP1 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1`
 
 testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
 
@@ -81,7 +81,7 @@ testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba
 
 testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
 
@@ -89,48 +89,48 @@ testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified
 
 testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 # STEP2:
 # We still have UF_SMARTCARD_REQUIRED, but with a known password
 testit "STEP2 samba-tool user setpassword $USERNAME --newpassword" $PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD || failed=`expr $failed + 1`
 
 testit_expect_failure "STEP2 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   && failed=`expr $failed + 1`
-test_smbclient "STEP2 Test login with NTLM" 'ls' "$unc" -k no -U$USERNAME%$PASSWORD || failed=`expr $failed + 1`
+test_smbclient "STEP2 Test login with NTLM" 'ls' "$unc" -U$USERNAME%$PASSWORD || failed=`expr $failed + 1`
 testit_expect_failure "STEP2 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1`
 
 testit "STEP2 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP2 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP2 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP2 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 testit "STEP2 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP2 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 testit "STEP2 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
 testit "STEP2 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 # STEP3:
 # The account is a normal account without the UF_SMARTCARD_REQUIRED bit set
 testit "STEP3 samba-tool user setpassword $USERNAME --smartcard-required" $PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD --clear-smartcard-required  || failed=`expr $failed + 1`
 
 testit "STEP3 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with NTLM" 'ls' "$unc" -k no -U$USERNAME%$PASSWORD || failed=`expr $failed + 1`
+test_smbclient "STEP3 Test login with user kerberos ccache" 'ls' "$unc" -k || failed=`expr $failed + 1`
+test_smbclient "STEP3 Test login with NTLM" 'ls' "$unc" -U$USERNAME%$PASSWORD || failed=`expr $failed + 1`
 testit "STEP3 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD || failed=`expr $failed + 1`
 
 testit "STEP3 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP3 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP3 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 testit "STEP3 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP3 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 testit "STEP3 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
 testit "STEP3 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 # STEP4:
 # Now we set the UF_SMARTCARD_REQUIRED bit
@@ -138,27 +138,27 @@ test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)"
 testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" $PYTHON ${samba_tool} user setpassword $USERNAME --smartcard-required || failed=`expr $failed + 1`
 
 testit_expect_failure "STEP4 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   && failed=`expr $failed + 1`
-testit_expect_failure "STEP4 Test login with NTLM" $smbclient "$unc" -c 'ls' -k no -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
+testit_expect_failure "STEP4 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
 testit_expect_failure "STEP4 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1`
 
 testit "STEP4 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP4 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP4 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP4 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 testit "STEP4 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP4 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 testit "STEP4 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
 testit "STEP4 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
-test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k || failed=`expr $failed + 1`
 
 # STEP5:
 # disable the account
 testit "STEP5 samba-tool user disable $USERNAME" $PYTHON ${samba_tool} user disable $USERNAME || failed=`expr $failed + 1`
 
 testit_expect_failure "STEP5 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM   && failed=`expr $failed + 1`
-testit_expect_failure "STEP5 Test login with NTLM" $smbclient "$unc" -c 'ls' -k no -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
+testit_expect_failure "STEP5 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && failed=`expr $failed + 1`
 testit_expect_failure "STEP5 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1`
 
 testit_expect_failure "STEP5 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM && failed=`expr $failed + 1`