From: Isaac Boukris Date: Thu, 8 Oct 2020 12:00:44 +0000 (+0200) Subject: selftest: Add test for one-way trust wbinfo auth X-Git-Tag: talloc-2.3.3~96 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e9c97ba1cd960df2688718561c4a117b79b259b;p=thirdparty%2Fsamba.git selftest: Add test for one-way trust wbinfo auth Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Wed Jul 7 15:01:22 UTC 2021 on sn-devel-184 --- diff --git a/script/autobuild.py b/script/autobuild.py index a1ba61cdce1..85dff88a773 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -300,6 +300,7 @@ tasks = { "ad_member_idmap_rid", "ad_member_idmap_ad", "ad_member_rfc2307", + "ad_member_oneway", "chgdcpass", "vampire_2000_dc", "fl2000dc", @@ -365,6 +366,7 @@ tasks = { "ad_member_idmap_rid", "ad_member_idmap_ad", "ad_member_rfc2307", + "ad_member_oneway", "chgdcpass", "vampire_2000_dc", "fl2000dc", @@ -534,6 +536,7 @@ tasks = { ("random-sleep", random_sleep(1, 1)), ("test", make_test(include_envs=[ "fl2000dc", + "ad_member_oneway", "fl2003dc", ])), ("lcov", LCOV_CMD), @@ -674,6 +677,7 @@ tasks = { ("random-sleep", random_sleep(1, 1)), ("test", make_test(include_envs=[ "fl2000dc", + "ad_member_oneway", "fl2003dc", ])), ("lcov", LCOV_CMD), diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index e19017e3f14..8d6ca3eb2ee 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -609,6 +609,7 @@ sub get_interface($) fipsdc => 56, fipsadmember => 57, offlineadmem => 58, + s2kmember => 59, rootdnsforwarder => 64, diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index efa63626ecb..f958c49c716 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm 
@@ -239,6 +239,7 @@ sub check_env($$) ad_member_idmap_ad => ["fl2008r2dc"], ad_member_fips => ["ad_dc_fips"], ad_member_offlogon => ["ad_dc"], + ad_member_oneway => ["fl2000dc"], clusteredmember => ["nt4_dc"], ); 
@@ -1309,6 +1310,99 @@ sub setup_ad_member_idmap_ad return $ret; } +sub setup_ad_member_oneway +{ + my ($self, $prefix, $dcvars) = @_; + + # If we didn't build with ADS, pretend this env was never available + if (not $self->have_ads()) { + return "UNKNOWN"; + } + + print "PROVISIONING S3 AD MEMBER WITH one-way trust..."; + + my $member_options = " + security = ads + workgroup = $dcvars->{DOMAIN} + realm = $dcvars->{REALM} + password server = $dcvars->{SERVER} + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + gensec_gssapi:requested_life_time = 5 +"; + + my $ret = $self->provision( + prefix => $prefix, + domain => $dcvars->{DOMAIN}, + server => "S2KMEMBER", + password => "loCalS2KMemberPass", + extra_options => $member_options, + resolv_conf => $dcvars->{RESOLV_CONF}); + + $ret or return undef; + + close(USERMAP); + $ret->{DOMAIN} = $dcvars->{DOMAIN}; + $ret->{REALM} = $dcvars->{REALM}; + $ret->{DOMSID} = $dcvars->{DOMSID}; + + my $ctx; + my $prefix_abs = abs_path($prefix); + $ctx = {}; + $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{domain} = $dcvars->{DOMAIN}; + $ctx->{realm} = $dcvars->{REALM}; + $ctx->{dnsname} = lc($dcvars->{REALM}); + $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; + $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; + $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + Samba::mk_krb5_conf($ctx, ""); + + $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; + + my $net = Samba::bindir_path($self, "net"); + # Add hosts file for name lookups + my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' "; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + if (defined($ret->{RESOLV_WRAPPER_CONF})) { + $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" "; + } else { + $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; + } + $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; + $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= 
"SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; + $cmd .= "$net join $ret->{CONFIGURATION}"; + $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}"; + + if (system($cmd) != 0) { + warn("Join failed\n$cmd"); + return undef; + } + + if (not $self->check_or_start( + env_vars => $ret, + winbindd => "yes")) { + return undef; + } + + $ret->{DC_SERVER} = $dcvars->{SERVER}; + $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP}; + $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6}; + $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; + $ret->{DC_USERNAME} = $dcvars->{USERNAME}; + $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + + $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER}; + $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME}; + $ret->{TRUST_PASSWORD} = $dcvars->{TRUST_PASSWORD}; + $ret->{TRUST_DOMAIN} = $dcvars->{TRUST_DOMAIN}; + $ret->{TRUST_REALM} = $dcvars->{TRUST_REALM}; + $ret->{TRUST_DOMSID} = $dcvars->{TRUST_DOMSID}; + + return $ret; +} + sub setup_ad_member_fips { my ($self, diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 6cf2aff4470..e429b2dbce7 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
@@ -602,6 +602,14 @@ if have_gnutls_fips_mode_support: plansmbtorture4testsuite('rpc.echo', "ad_dc_ntvfs", ['ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD'], "samba4.rpc.echo against NetBIOS alias") +# Test wbinfo trust auth +for env in ["ad_member_oneway:local", "fl2000dc:local", "fl2003dc:local", "fl2008r2dc:local"]: + for t in ["--krb5auth=$TRUST_REALM/$TRUST_USERNAME%$TRUST_PASSWORD", + "--krb5auth=$TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD", + "--authenticate=$TRUST_REALM/$TRUST_USERNAME%$TRUST_PASSWORD", + "--authenticate=$TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD"]: + plantestsuite("samba3.wbinfo_simple.trust:%s" % t, env, [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t]) + # json tests hook into ``chgdcpass'' to make them run in contributor CI on # gitlab planpythontestsuite("chgdcpass", "samba.tests.blackbox.netads_json")
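Review bot: The suite name `"samba3.wbinfo_simple.trust:%s" % t` is built from the whole option string, so every name carries the `%$TRUST_PASSWORD` part of the credential template; naming by mode and scope instead keeps test identifiers stable if the credential variables are ever renamed and keeps credentials, even fixture ones, out of test names and knownfail entries. The four entries in the inner list differ only by option (`--krb5auth` vs `--authenticate`) and by `$TRUST_REALM` vs `$TRUST_DOMAIN`, so iterating over those two pairs also removes the repeated template while preserving the original order. Whether selftest expands `$VAR` references in suite names the way it does in argument lists is not visible here; if it does, the expanded password would additionally appear in test output. Any existing knownfail entries keyed on the current names would need updating alongside such a rename.
```python
# Test wbinfo trust auth
for env in ["ad_member_oneway:local", "fl2000dc:local", "fl2003dc:local", "fl2008r2dc:local"]:
    for mode in ["krb5auth", "authenticate"]:
        for scope in ["TRUST_REALM", "TRUST_DOMAIN"]:
            t = "--%s=$%s/$TRUST_USERNAME%%$TRUST_PASSWORD" % (mode, scope)
            plantestsuite("samba3.wbinfo_simple.trust:%s.%s" % (mode, scope), env,
                          [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t])
```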