From: Pavel Filipenský <pfilipensky@samba.org>
Date: Mon, 15 Jul 2024 15:07:59 +0000 (+0200)
Subject: selftest: Add tests for keytab update in clustered samba
X-Git-Tag: tdb-1.4.11~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6a97f8e16d888ac16069dcccccb81541520f6e5e;p=thirdparty%2Fsamba.git

selftest: Add tests for keytab update in clustered samba

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 77ad661189c..8d7f690ecf6 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -551,6 +551,7 @@ sub setup_clusteredmember
        include = registry
        dbwrap_tdb_mutexes:* = yes
        ${require_mutexes}
+       sync machine password to keytab = $node_prefix/keytab0:account_name:machine_password:sync_kvno
 ";
 
 		my $node_ret = $self->provision(
diff --git a/source3/script/tests/test_update_keytab_clustered.sh b/source3/script/tests/test_update_keytab_clustered.sh
new file mode 100755
index 00000000000..a0016139db5
--- /dev/null
+++ b/source3/script/tests/test_update_keytab_clustered.sh
@@ -0,0 +1,165 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: test_update_keytab.sh DOMAIN CONFIGURATION
+EOF
+exit 1
+fi
+
+incdir="$(dirname "$0")/../../../testprogs/blackbox"
+. "${incdir}/subunit.sh"
+. "${incdir}/common_test_fns.inc"
+
+DOMAIN="${1}"
+CONFIGURATION="${2}"
+shift 2
+
+samba_wbinfo="$BINDIR/wbinfo"
+samba_net="$BINDIR/net $CONFIGURATION"
+samba_rpcclient="$BINDIR/rpcclient $CONFIGURATION"
+smbclient="${BINDIR}/smbclient"
+smbcontrol="$BINDIR/smbcontrol"
+
+keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k"
+keytabs_nosync_kvno="keytab0 keytab1 keytab2 keytab3"
+keytabs_all="$keytabs_sync_kvno $keytabs_nosync_kvno"
+
+# find the biggest vno and store it into global variable vno
+get_biggest_vno()
+{
+	keytab="$1"
+	local cmd="UID_WRAPPER_ROOT=1 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $samba_net ads keytab list $keytab"
+	eval echo "$cmd"
+	out=$(eval "$cmd")
+	ret=$?
+
+	echo "$out"
+
+	if [ $ret != 0 ] ; then
+		echo "command failed"
+		return 1
+	fi
+
+	#global variable vno
+	vno=$(echo "$out" | sort -n | tail -1 | awk '{printf $1}')
+
+	if [ -z "$vno" ] ; then
+		echo "There is no key with vno in the keytab list above."
+		return 1
+	fi
+
+	return 0
+}
+
+test_pwd_change()
+{
+	testname="$1"
+	shift
+	# command to change the password
+	local cmd="$*";
+
+	# get biggest vno before password change
+	get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"
+	old_vno_node0=$vno
+	get_biggest_vno "$PREFIX_ABS/clusteredmember/node.1/keytab0"
+	old_vno_node1=$vno
+	get_biggest_vno "$PREFIX_ABS/clusteredmember/node.2/keytab0"
+	old_vno_node2=$vno
+
+	if [ ! "$old_vno_node0" -gt 0 ] ; then
+		echo "There is no key with vno in the keytab list above."
+		return 1
+	fi
+	if [ "$old_vno_node0" -ne "$old_vno_node1" ] || [ "$old_vno_node0" -ne "$old_vno_node2" ] ; then
+		echo "VNOs differs on nodes!"
+		return 1
+	fi
+
+	# change the password
+	eval echo "$cmd"
+	out=$(eval "$cmd")
+	ret=$?
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		return 1
+	fi
+
+	# test ads join
+	cmd="UID_WRAPPER_ROOT=1 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $samba_net ads testjoin"
+	eval echo "$cmd"
+	out=$(eval "$cmd")
+	ret=$?
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		return 1
+	fi
+
+	# if keytab was updated the bigest vno should be incremented by one
+	get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"
+	new_vno_node0=$vno
+	get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"
+	new_vno_node1=$vno
+	get_biggest_vno "$PREFIX_ABS/clusteredmember/node.0/keytab0"
+	new_vno_node2=$vno
+
+	if [ ! "$new_vno_node0" -eq $((old_vno_node0 + 1)) ] ; then
+		echo "Old vno=$old_vno_node0, new vno=$new_vno_node0. Increment by one failed."
+		return 1
+	fi
+	if [ "$new_vno_node0" -ne "$new_vno_node1" ] || [ "$new_vno_node0" -ne "$new_vno_node2" ] ; then
+		echo "VNOs differs on nodes!"
+		return 1
+	fi
+
+	return 0
+}
+
+test_keytab_create()
+{
+	UID_WRAPPER_INITIAL_EUID=0 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_ROOT=1 $samba_net ads keytab create || return 1
+	return 0
+}
+
+DC_DNSNAME="${DC_SERVER}.${REALM}"
+SMBCLIENT_UNC="//${DC_DNSNAME}/tmp"
+
+install source3/script/updatekeytab_test.sh "$PREFIX_ABS/clusteredmember/updatekeytab.sh"
+global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf
+echo "sync machine password script = $PREFIX_ABS/clusteredmember/updatekeytab.sh" >$global_inject_conf
+UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config
+
+# To have both old and older password we do one unnecessary password change:
+testit "wbinfo_change_secret_initial" \
+	"$samba_wbinfo" --change-secret --domain="${DOMAIN}" \
+	|| failed=$((failed + 1))
+
+testit "wbinfo_check_secret_initial" \
+	"$samba_wbinfo" --check-secret --domain="${DOMAIN}" \
+	|| failed=$((failed + 1))
+
+# Create/sync all keytabs
+testit "net_ads_keytab_sync" test_keytab_create || failed=$((failed + 1))
+
+testit "wbinfo_change_secret" \
+	test_pwd_change "wbinfo_changesecret" \
+	"$samba_wbinfo --change-secret --domain=${DOMAIN}" \
+	|| failed=$((failed + 1))
+
+testit "wbinfo_check_secret" \
+	"$samba_wbinfo" --check-secret --domain="${DOMAIN}" \
+	|| failed=$((failed + 1))
+
+test_smbclient "Test machine login with the changed secret" \
+	"ls" "${SMBCLIENT_UNC}" \
+	--machine-pass ||
+	failed=$((failed + 1))
+
+echo "" >$global_inject_conf
+UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config
+
+testok "$0" "$failed"
diff --git a/source3/script/updatekeytab_test.sh b/source3/script/updatekeytab_test.sh
new file mode 100755
index 00000000000..19a197b501e
--- /dev/null
+++ b/source3/script/updatekeytab_test.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ ./ctdb/tests/local_daemons.sh "$PREFIX_ABS/clusteredmember" onnode all 'net ads keytab create --option="sync machine password script=" --configfile=$CTDB_BASE/lib/server.conf'
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 2474b36325f..2de6c8ecd45 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -679,6 +679,15 @@ plantestsuite(
         configuration,
     ],
 )
+plantestsuite(
+    "samba3.blackbox.update_keytab_clustered",
+    "clusteredmember:local",
+    [
+        os.path.join(samba3srcdir, "script/tests/test_update_keytab_clustered.sh"),
+        "$DOMAIN",
+        configuration,
+    ],
+)
 
 env = "ad_member"
 t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD"