testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use...

author Stefan Metzmacher <metze@samba.org>

Tue, 18 Jun 2024 17:34:30 +0000 (19:34 +0200)

committer Jule Anger <janger@samba.org>

Wed, 3 Jul 2024 08:48:12 +0000 (08:48 +0000)
author Stefan Metzmacher <metze@samba.org>
Tue, 18 Jun 2024 17:34:30 +0000 (19:34 +0200)
committer Jule Anger <janger@samba.org>
Wed, 3 Jul 2024 08:48:12 +0000 (08:48 +0000)
diff --git a/selftest/knownfail.d/samba4.blackbox.ldap_token b/selftest/knownfail.d/samba4.blackbox.ldap_token

new file mode 100644 (file)

index 0000000..559c749
--- /dev/null
+++ b/selftest/knownfail.d/samba4.blackbox.ldap_token
@@ -0,0 +1 @@
+^samba4.blackbox.ldap_token.Test token with NTLMSSP MACHINE.*ad_member
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py

index ec787f97aa0467659bad2884ea909fb16d1ace65..02cc7a0c7736e56213f855542e772a7124b877a9 100755 (executable)
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -789,6 +789,11 @@ plantestsuite("samba4.blackbox.trust_ntlm", "fl2000dc:local", [os.path.join(bbdi
  plantestsuite("samba4.blackbox.trust_ntlm", "ad_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE'])
  plantestsuite("samba4.blackbox.trust_ntlm", "nt4_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$DOMAIN', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE'])
  
+plantestsuite("samba4.blackbox.ldap_token", "fl2008r2dc:local", [os.path.join(bbdir, "test_ldap_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID'])
+plantestsuite("samba4.blackbox.ldap_token", "fl2003dc:local", [os.path.join(bbdir, "test_ldap_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID'])
+plantestsuite("samba4.blackbox.ldap_token", "fl2000dc:local", [os.path.join(bbdir, "test_ldap_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID'])
+plantestsuite("samba4.blackbox.ldap_token", "ad_member:local", [os.path.join(bbdir, "test_ldap_token.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$DOMAIN', '$DOMSID'])
+
  plantestsuite("samba4.blackbox.trust_utils(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest"])
  plantestsuite("samba4.blackbox.trust_utils(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])
  plantestsuite("samba4.blackbox.trust_utils(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])
diff --git a/testprogs/blackbox/test_ldap_token.sh b/testprogs/blackbox/test_ldap_token.sh

new file mode 100755 (executable)

index 0000000..5965590
--- /dev/null
+++ b/testprogs/blackbox/test_ldap_token.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
+
+if [ $# -lt 6 ]; then
+       cat <<EOF
+Usage: $# test_ldap_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID
+EOF
+       exit 1
+fi
+
+SERVER=$1
+shift 1
+USERNAME=$1
+PASSWORD=$2
+REALM=$3
+DOMAIN=$4
+DOMSID=$5
+shift 5
+failed=0
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
+
+test_token()
+{
+       auth_user="${1}"
+       shift 1
+       auth_sid="${1}"
+       shift 1
+       auth_args="$@"
+
+       out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM ${auth_user} -b '' --scope=base ${auth_args} tokenGroups 2>&1)
+       ret=$?
+       test x"$ret" = x"0" || {
+               echo "$out"
+               return 1
+       }
+
+       domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l)
+       test "$domain_sids" -ge "1" || {
+               echo "$out"
+               echo "Less than 1 sid from $DOMAIN $DOMSID"
+               return 1
+       }
+
+       builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l)
+       test "$builtin_sids" -ge "1" || {
+               echo "$out"
+               echo "Less than 1 sid from BUILTIN S-1-5-32"
+               return 1
+       }
+
+       #
+       # The following should always be present
+       #
+       # SID_WORLD(S-1-1-0)
+       # SID_NT_NETWORK(S-1-5-2)
+       # SID_NT_AUTHENTICATED_USERS(S-1-5-11)
+       #
+       required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
+       for sid in $required_sids; do
+               found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l)
+               test x"$found" = x"1" || {
+                       echo "$out"
+                       echo "SID: ${sid} not found"
+                       return 1
+               }
+       done
+
+       return 0
+}
+
+UARGS="-U$REALM\\$USERNAME%$PASSWORD"
+# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5
+AARGS="-k yes"
+testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=required"
+testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--option=clientusekerberos=required"
+testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=required --option=clientusekerberos=off"
+testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
+AARGS="-k no"
+testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=off"
+testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--option=clientusekerberos=off"
+testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=off --option=clientusekerberos=required"
+testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+
+UARGS="-P"
+# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5
+AARGS="-k yes"
+testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=required"
+testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--option=clientusekerberos=required"
+testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=required --option=clientusekerberos=off"
+testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
+AARGS="-k no"
+testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=off"
+testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--option=clientusekerberos=off"
+testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=off --option=clientusekerberos=required"
+testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+
+exit $failed
author	Stefan Metzmacher <metze@samba.org>
	Tue, 18 Jun 2024 17:34:30 +0000 (19:34 +0200)
committer	Jule Anger <janger@samba.org>
	Wed, 3 Jul 2024 08:48:12 +0000 (08:48 +0000)
selftest/knownfail.d/samba4.blackbox.ldap_token	[new file with mode: 0644]	patch \| blob
source4/selftest/tests.py		patch \| blob \| blame \| history
testprogs/blackbox/test_ldap_token.sh	[new file with mode: 0755]	patch \| blob