selftest: Add tests for keytab update in clustered samba
authorPavel Filipenský <pfilipensky@samba.org>
Mon, 15 Jul 2024 15:07:59 +0000 (17:07 +0200)
committerPavel Filipensky <pfilipensky@samba.org>
Fri, 26 Jul 2024 17:12:36 +0000 (17:12 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest/target/Samba3.pm
source3/script/tests/test_update_keytab_clustered.sh [new file with mode: 0755]
source3/script/updatekeytab_test.sh [new file with mode: 0755]
source3/selftest/tests.py

index 77ad661189cc338178941afc12136d06248b59a9..8d7f690ecf62e5e8f579ac5a1dde7e0195224b5d 100755 (executable)
@@ -551,6 +551,7 @@ sub setup_clusteredmember
        include = registry
        dbwrap_tdb_mutexes:* = yes
        ${require_mutexes}
+       sync machine password to keytab = $node_prefix/keytab0:account_name:machine_password:sync_kvno
 ";
 
                my $node_ret = $self->provision(
diff --git a/source3/script/tests/test_update_keytab_clustered.sh b/source3/script/tests/test_update_keytab_clustered.sh
new file mode 100755 (executable)
index 0000000..a001613
--- /dev/null
@@ -0,0 +1,165 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: test_update_keytab.sh DOMAIN CONFIGURATION
+EOF
+exit 1
+fi
+
+incdir="$(dirname "$0")/../../../testprogs/blackbox"
+. "${incdir}/subunit.sh"
+. "${incdir}/common_test_fns.inc"
+
+DOMAIN="${1}"
+CONFIGURATION="${2}"
+shift 2
+
+samba_wbinfo="$BINDIR/wbinfo"
+samba_net="$BINDIR/net $CONFIGURATION"
+samba_rpcclient="$BINDIR/rpcclient $CONFIGURATION"
+smbclient="${BINDIR}/smbclient"
+smbcontrol="$BINDIR/smbcontrol"
+
+keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k"
+keytabs_nosync_kvno="keytab0 keytab1 keytab2 keytab3"
+keytabs_all="$keytabs_sync_kvno $keytabs_nosync_kvno"
+
+# find the biggest vno and store it into global variable vno
+get_biggest_vno()
+{
+       keytab="$1"
+       local cmd="UID_WRAPPER_ROOT=1 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $samba_net ads keytab list $keytab"
+       eval echo "$cmd"
+       out=$(eval "$cmd")
+       ret=$?
+
+       echo "$out"
+
+       if [ $ret != 0 ] ; then
+               echo "command failed"
+               return 1
+       fi
+
+       #global variable vno
+       vno=$(echo "$out" | sort -n | tail -1 | awk '{printf $1}')
+
+       if [ -z "$vno" ] ; then
+               echo "There is no key with vno in the keytab list above."
+               return 1
+       fi
+
+       return 0
+}
+
+test_pwd_change()
+{
+       testname="$1"
+       shift
+       # command to change the password
+       local cmd="$*";
+
+       # get biggest vno before password change
+       get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"
+       old_vno_node0=$vno
+       get_biggest_vno "$PREFIX_ABS/clusteredmember/node.1/keytab0"
+       old_vno_node1=$vno
+       get_biggest_vno "$PREFIX_ABS/clusteredmember/node.2/keytab0"
+       old_vno_node2=$vno
+
+       if [ ! "$old_vno_node0" -gt 0 ] ; then
+               echo "There is no key with vno in the keytab list above."
+               return 1
+       fi
+       if [ "$old_vno_node0" -ne "$old_vno_node1" ] || [ "$old_vno_node0" -ne "$old_vno_node2" ] ; then
+               echo "VNOs differs on nodes!"
+               return 1
+       fi
+
+       # change the password
+       eval echo "$cmd"
+       out=$(eval "$cmd")
+       ret=$?
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               return 1
+       fi
+
+       # test ads join
+       cmd="UID_WRAPPER_ROOT=1 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $samba_net ads testjoin"
+       eval echo "$cmd"
+       out=$(eval "$cmd")
+       ret=$?
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               return 1
+       fi
+
+       # if keytab was updated the bigest vno should be incremented by one
+       get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"
+       new_vno_node0=$vno
+       get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"
+       new_vno_node1=$vno
+       get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"
+       new_vno_node2=$vno
+
+       if [ ! "$new_vno_node0" -eq $((old_vno_node0 + 1)) ] ; then
+               echo "Old vno=$old_vno_node0, new vno=$new_vno_node0. Increment by one failed."
+               return 1
+       fi
+       if [ "$new_vno_node0" -ne "$new_vno_node1" ] || [ "$new_vno_node0" -ne "$new_vno_node2" ] ; then
+               echo "VNOs differs on nodes!"
+               return 1
+       fi
+
+       return 0
+}
+
+test_keytab_create()
+{
+       UID_WRAPPER_INITIAL_EUID=0 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_ROOT=1 $samba_net ads keytab create || return 1
+       return 0
+}
+
+DC_DNSNAME="${DC_SERVER}.${REALM}"
+SMBCLIENT_UNC="//${DC_DNSNAME}/tmp"
+
+install source3/script/updatekeytab_test.sh "$PREFIX_ABS/clusteredmember/updatekeytab.sh"
+global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf
+echo "sync machine password script = $PREFIX_ABS/clusteredmember/updatekeytab.sh" >$global_inject_conf
+UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config
+
+# To have both old and older password we do one unnecessary password change:
+testit "wbinfo_change_secret_initial" \
+       "$samba_wbinfo" --change-secret --domain="${DOMAIN}" \
+       || failed=$((failed + 1))
+
+testit "wbinfo_check_secret_initial" \
+       "$samba_wbinfo" --check-secret --domain="${DOMAIN}" \
+       || failed=$((failed + 1))
+
+# Create/sync all keytabs
+testit "net_ads_keytab_sync" test_keytab_create || failed=$((failed + 1))
+
+testit "wbinfo_change_secret" \
+       test_pwd_change "wbinfo_changesecret" \
+       "$samba_wbinfo --change-secret --domain=${DOMAIN}" \
+       || failed=$((failed + 1))
+
+testit "wbinfo_check_secret" \
+       "$samba_wbinfo" --check-secret --domain="${DOMAIN}" \
+       || failed=$((failed + 1))
+
+test_smbclient "Test machine login with the changed secret" \
+       "ls" "${SMBCLIENT_UNC}" \
+       --machine-pass ||
+       failed=$((failed + 1))
+
+echo "" >$global_inject_conf
+UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config
+
+testok "$0" "$failed"
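Review bot: The three post-change reads in test_pwd_change all call `get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"`, so new_vno_node1 and new_vno_node2 are just node.0 again and the `VNOs differs on nodes!` comparison that follows can never fail; the second and third calls should read `node.1/keytab0` and `node.2/keytab0` exactly as the pre-change block does, otherwise the cross-node keytab sync this commit is meant to test is never verified. The argument check `if [ $# -lt 1 ]` also disagrees with the `shift 2` below it, which fails (and in some shells aborts the script) when only one argument is given, and the usage text names test_update_keytab.sh rather than this file; `if [ $# -lt 2 ]` matches what the script consumes. The return status of get_biggest_vno is ignored at every call site, so a failed keytab listing leaves `$vno` holding the previous node's value and the mismatch checks pass silently; appending `|| return 1` to each call would surface that. `failed` is never initialised, so `testok "$0" "$failed"` receives an empty string when nothing fails — presumably tolerated by subunit.sh, but `failed=0` after the sourcing lines would make it explicit.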
diff --git a/source3/script/updatekeytab_test.sh b/source3/script/updatekeytab_test.sh
new file mode 100755 (executable)
index 0000000..19a197b
--- /dev/null
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ ./ctdb/tests/local_daemons.sh "$PREFIX_ABS/clusteredmember" onnode all 'net ads keytab create --option="sync machine password script=" --configfile=$CTDB_BASE/lib/server.conf'
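Review bot: The helper invokes `./ctdb/tests/local_daemons.sh` by a path relative to the current working directory, yet it is installed as `$PREFIX_ABS/clusteredmember/updatekeytab.sh` and run by winbindd as the sync script, so it only works if the daemon's cwd happens to be the source tree root; an absolute path taken from whatever the selftest environment exports for the source directory would make that dependency explicit. The line also starts with a stray leading space before `./ctdb`, harmless but worth dropping. The mixed quoting is easy to misread: `$PREFIX_ABS` is expanded here while `$CTDB_BASE` is single-quoted and expanded on each node via onnode, and the `--option="sync machine password script="` appears intended to stop the per-node `net ads keytab create` from re-triggering this same script; both deserve a comment such as `# $CTDB_BASE is expanded by onnode on each node; the empty sync script option prevents recursion`.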
index 2474b36325f7b9a3140991c09bcc72155a59e11f..2de6c8ecd45662fe15edd05cbde73e1b95d7b79e 100755 (executable)
@@ -679,6 +679,15 @@ plantestsuite(
         configuration,
     ],
 )
+plantestsuite(
+    "samba3.blackbox.update_keytab_clustered",
+    "clusteredmember:local",
+    [
+        os.path.join(samba3srcdir, "script/tests/test_update_keytab_clustered.sh"),
+        "$DOMAIN",
+        configuration,
+    ],
+)
 
 env = "ad_member"
 t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD"