From b79e3492f809af3b50b57f3e85089fed2c8c4ae9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 18 Jun 2024 19:34:30 +0200
Subject: [PATCH] testprogs/blackbox: add test_ldap_token.sh to test "client
 use kerberos" and --use-kerberos

This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit db2c576f329675e8d66e19c336fe04ccba918b4a)
---
 .../knownfail.d/samba4.blackbox.ldap_token    |   1 +
 source4/selftest/tests.py                     |   5 +
 testprogs/blackbox/test_ldap_token.sh         | 115 ++++++++++++++++++
 3 files changed, 121 insertions(+)
 create mode 100644 selftest/knownfail.d/samba4.blackbox.ldap_token
 create mode 100755 testprogs/blackbox/test_ldap_token.sh

diff --git a/selftest/knownfail.d/samba4.blackbox.ldap_token b/selftest/knownfail.d/samba4.blackbox.ldap_token
new file mode 100644
index 00000000000..559c749a315
--- /dev/null
+++ b/selftest/knownfail.d/samba4.blackbox.ldap_token
@@ -0,0 +1 @@
+^samba4.blackbox.ldap_token.Test token with NTLMSSP MACHINE.*ad_member
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ec787f97aa0..02cc7a0c773 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -789,6 +789,11 @@ plantestsuite("samba4.blackbox.trust_ntlm", "fl2000dc:local", [os.path.join(bbdi
 plantestsuite("samba4.blackbox.trust_ntlm", "ad_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE'])
 plantestsuite("samba4.blackbox.trust_ntlm", "nt4_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$DOMAIN', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE'])
 
+plantestsuite("samba4.blackbox.ldap_token", "fl2008r2dc:local", [os.path.join(bbdir, "test_ldap_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID'])
+plantestsuite("samba4.blackbox.ldap_token", "fl2003dc:local", [os.path.join(bbdir, "test_ldap_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID'])
+plantestsuite("samba4.blackbox.ldap_token", "fl2000dc:local", [os.path.join(bbdir, "test_ldap_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID'])
+plantestsuite("samba4.blackbox.ldap_token", "ad_member:local", [os.path.join(bbdir, "test_ldap_token.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$DOMAIN', '$DOMSID'])
+
 plantestsuite("samba4.blackbox.trust_utils(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest"])
 plantestsuite("samba4.blackbox.trust_utils(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])
 plantestsuite("samba4.blackbox.trust_utils(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])
diff --git a/testprogs/blackbox/test_ldap_token.sh b/testprogs/blackbox/test_ldap_token.sh
new file mode 100755
index 00000000000..5965590b351
--- /dev/null
+++ b/testprogs/blackbox/test_ldap_token.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
+
+if [ $# -lt 6 ]; then
+	cat <<EOF
+Usage: $# test_ldap_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID
+EOF
+	exit 1
+fi
+
+SERVER=$1
+shift 1
+USERNAME=$1
+PASSWORD=$2
+REALM=$3
+DOMAIN=$4
+DOMSID=$5
+shift 5
+failed=0
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
+
+test_token()
+{
+	auth_user="${1}"
+	shift 1
+	auth_sid="${1}"
+	shift 1
+	auth_args="$@"
+
+	out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM ${auth_user} -b '' --scope=base ${auth_args} tokenGroups 2>&1)
+	ret=$?
+	test x"$ret" = x"0" || {
+		echo "$out"
+		return 1
+	}
+
+	domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l)
+	test "$domain_sids" -ge "1" || {
+		echo "$out"
+		echo "Less than 1 sid from $DOMAIN $DOMSID"
+		return 1
+	}
+
+	builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l)
+	test "$builtin_sids" -ge "1" || {
+		echo "$out"
+		echo "Less than 1 sid from BUILTIN S-1-5-32"
+		return 1
+	}
+
+	#
+	# The following should always be present
+	#
+	# SID_WORLD(S-1-1-0)
+	# SID_NT_NETWORK(S-1-5-2)
+	# SID_NT_AUTHENTICATED_USERS(S-1-5-11)
+	#
+	required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
+	for sid in $required_sids; do
+		found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l)
+		test x"$found" = x"1" || {
+			echo "$out"
+			echo "SID: ${sid} not found"
+			return 1
+		}
+	done
+
+	return 0
+}
+
+UARGS="-U$REALM\\$USERNAME%$PASSWORD"
+# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5
+AARGS="-k yes"
+testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=required"
+testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--option=clientusekerberos=required"
+testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=required --option=clientusekerberos=off"
+testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
+AARGS="-k no"
+testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=off"
+testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--option=clientusekerberos=off"
+testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=off --option=clientusekerberos=required"
+testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+
+UARGS="-P"
+# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5
+AARGS="-k yes"
+testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=required"
+testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--option=clientusekerberos=required"
+testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=required --option=clientusekerberos=off"
+testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$(expr $failed + 1)
+# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
+AARGS="-k no"
+testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=off"
+testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--option=clientusekerberos=off"
+testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+AARGS="--use-kerberos=off --option=clientusekerberos=required"
+testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$(expr $failed + 1)
+
+exit $failed
-- 
2.47.2