summaryrefslogtreecommitdiffstats
path: root/selftest
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-04-19 16:38:46 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-04-28 05:30:21 +0200
commitfb5e1f4a65042b89c74e545cb739f1720565807d (patch)
tree16ecabf158f0c56b54cf91a56e3af23708084fe6 /selftest
parenta427652010820fdf8fa82cf425f5162cc70348e0 (diff)
downloadsamba-fb5e1f4a65042b89c74e545cb739f1720565807d.tar.gz
samba-fb5e1f4a65042b89c74e545cb739f1720565807d.tar.xz
samba-fb5e1f4a65042b89c74e545cb739f1720565807d.zip
selftest: s3member admember test to confirm s3/s4 interopability
This checks that Samba3 joins Samba4 correctly, and allows NTLM and Kerberos logons from a live Samba4 DC. This needs the common krb5.conf generation logic, and because we now override KRB5_CONFIG we must update ktest to have a valid krb5.conf. Based on an original patch by metze Andrew Bartlett
Diffstat (limited to 'selftest')
-rw-r--r--selftest/target/Samba.pm56
-rw-r--r--selftest/target/Samba3.pm90
-rw-r--r--selftest/target/Samba4.pm76
3 files changed, 168 insertions, 54 deletions
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 820bd9e19c..cec12e528d 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -59,4 +59,60 @@ sub bindir_path($$) {
return $path;
}
+sub mk_krb5_conf($)
+{
+ my ($ctx) = @_;
+
+ unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
+ die("can't open $ctx->{krb5_conf}$?");
+ return undef;
+ }
+ print KRB5CONF "
+#Generated krb5.conf for $ctx->{realm}
+
+[libdefaults]
+ default_realm = $ctx->{realm}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+ allow_weak_crypto = yes
+
+[realms]
+ $ctx->{realm} = {
+ kdc = $ctx->{kdc_ipv4}:88
+ admin_server = $ctx->{kdc_ipv4}:88
+ default_domain = $ctx->{dnsname}
+ }
+ $ctx->{dnsname} = {
+ kdc = $ctx->{kdc_ipv4}:88
+ admin_server = $ctx->{kdc_ipv4}:88
+ default_domain = $ctx->{dnsname}
+ }
+ $ctx->{domain} = {
+ kdc = $ctx->{kdc_ipv4}:88
+ admin_server = $ctx->{kdc_ipv4}:88
+ default_domain = $ctx->{dnsname}
+ }
+
+[domain_realm]
+ .$ctx->{dnsname} = $ctx->{realm}
+";
+
+ if (defined($ctx->{tlsdir})) {
+ print KRB5CONF "
+
+[appdefaults]
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+
+[kdc]
+ enable-pkinit = true
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+
+";
+ }
+ close(KRB5CONF);
+}
+
1;
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index ee18a8e05a..d6dbe0cfa3 100644
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -195,6 +195,79 @@ sub setup_member($$$)
return $ret;
}
+sub setup_admember($$$$)
+{
+ my ($self, $prefix, $dcvars, $iface) = @_;
+
+ print "PROVISIONING S3 AD MEMBER$iface...";
+
+ my $member_options = "
+ security = ads
+ server signing = on
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+";
+
+ my $ret = $self->provision($prefix,
+ "LOCALADMEMBER$iface",
+ $iface,
+ "loCalMember${iface}Pass",
+ $member_options);
+
+ $ret or return undef;
+
+ close(USERMAP);
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = $dcvars->{DOMAIN};
+ $ctx->{realm} = $dcvars->{REALM};
+ $ctx->{dnsname} = lc($dcvars->{REALM});
+ $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+ Samba::mk_krb5_conf($ctx);
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ my $net = Samba::bindir_path($self, "net");
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION}";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+ system($cmd) == 0 or die("Join failed\n$cmd");
+
+ $self->check_or_start($ret,
+ "yes", "yes", "yes");
+
+ $self->wait_for_start($ret);
+
+ my $smbcacls = Samba::bindir_path($self, "smbcacls");
+ #Allow domain users to manipulate the share
+ $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "$smbcacls //127.0.0.29/tmp / -U$ret->{USERNAME}%$ret->{PASSWORD} ";
+ $cmd .= "$ret->{CONFIGURATION} -S ACL:$dcvars->{DOMAIN}\\\\Domain\\ Users:ALLOWED/0x0/FULL";
+
+ system($cmd) == 0 or die("Join failed\n$cmd");
+
+ $ret->{DC_SERVER} = $dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+ # Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env
+ $ret->{target} = $self;
+
+ return $ret;
+}
+
sub setup_secshare($$)
{
my ($self, $path) = @_;
@@ -261,7 +334,7 @@ sub setup_secserver($$$)
sub setup_ktest($$$)
{
- my ($self, $prefix, $s3dcvars) = @_;
+ my ($self, $prefix) = @_;
print "PROVISIONING server with security=ads...";
@@ -280,6 +353,18 @@ sub setup_ktest($$$)
$ret or return undef;
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = "KTEST";
+ $ctx->{realm} = "KTEST.SAMBA.EXAMPLE.COM";
+ $ctx->{dnsname} = lc($ctx->{realm});
+ $ctx->{kdc_ipv4} = "0.0.0.0";
+ Samba::mk_krb5_conf($ctx);
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
print USERMAP "
$ret->{USERNAME} = KTEST\\Administrator
@@ -373,6 +458,7 @@ sub check_or_start($$$$) {
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
+ $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
$ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
@@ -416,6 +502,7 @@ sub check_or_start($$$$) {
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
+ $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
$ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
@@ -461,6 +548,7 @@ sub check_or_start($$$$) {
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
+ $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
$ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 22f38b859f..959c16131a 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -11,6 +11,7 @@ use FindBin qw($RealBin);
use POSIX;
use SocketWrapper;
use target::Samba;
+use target::Samba3;
sub new($$$$$) {
my ($classname, $bindir, $binary_mapping, $ldap, $srcdir, $exeext, $server_maxtime) = @_;
@@ -23,7 +24,8 @@ sub new($$$$$) {
binary_mapping => $binary_mapping,
srcdir => $srcdir,
exeext => $exeext,
- server_maxtime => $server_maxtime
+ server_maxtime => $server_maxtime,
+ target3 => new Samba3($bindir, $binary_mapping, $srcdir, $exeext, $server_maxtime)
};
bless $self;
return $self;
@@ -452,56 +454,6 @@ Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
EOF
}
-sub mk_krb5_conf($$)
-{
- my ($self, $ctx) = @_;
-
- unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
- warn("can't open $ctx->{krb5_conf}$?");
- return undef;
- }
- print KRB5CONF "
-#Generated krb5.conf for $ctx->{realm}
-
-[libdefaults]
- default_realm = $ctx->{realm}
- dns_lookup_realm = false
- dns_lookup_kdc = false
- ticket_lifetime = 24h
- forwardable = yes
- allow_weak_crypto = yes
-
-[realms]
- $ctx->{realm} = {
- kdc = $ctx->{kdc_ipv4}:88
- admin_server = $ctx->{kdc_ipv4}:88
- default_domain = $ctx->{dnsname}
- }
- $ctx->{dnsname} = {
- kdc = $ctx->{kdc_ipv4}:88
- admin_server = $ctx->{kdc_ipv4}:88
- default_domain = $ctx->{dnsname}
- }
- $ctx->{domain} = {
- kdc = $ctx->{kdc_ipv4}:88
- admin_server = $ctx->{kdc_ipv4}:88
- default_domain = $ctx->{dnsname}
- }
-
-[appdefaults]
- pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
-
-[kdc]
- enable-pkinit = true
- pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
- pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
-
-[domain_realm]
- .$ctx->{dnsname} = $ctx->{realm}
-";
- close(KRB5CONF);
-}
-
sub provision_raw_prepare($$$$$$$$$$)
{
my ($self, $prefix, $server_role, $netbiosname,
@@ -681,7 +633,7 @@ sub provision_raw_step1($$)
$ctx->{kdc_ipv4} = $ctx->{ipv4};
}
- $self->mk_krb5_conf($ctx);
+ Samba::mk_krb5_conf($ctx);
open(PWD, ">$ctx->{nsswrap_passwd}");
print PWD "
@@ -1190,7 +1142,7 @@ sub provision_rodc($$$)
# so that use the RODC as kdc and test
# the proxy code
$ctx->{kdc_ipv4} = $ret->{SERVER_IP};
- $self->mk_krb5_conf($ctx);
+ Samba::mk_krb5_conf($ctx);
$ret->{RODC_DC_SERVER} = $ret->{SERVER};
$ret->{RODC_DC_SERVER_IP} = $ret->{SERVER_IP};
@@ -1272,6 +1224,7 @@ sub check_env($$)
sub setup_env($$$)
{
my ($self, $envname, $path) = @_;
+ my $target3 = $self->{target3};
$ENV{ENVNAME} = $envname;
@@ -1303,6 +1256,11 @@ sub setup_env($$$)
$self->setup_dc("$path/dc");
}
return $self->setup_rodc("$path/rodc", $self->{vars}->{dc});
+ } elsif ($envname eq "s3member") {
+ if (not defined($self->{vars}->{dc})) {
+ $self->setup_dc("$path/dc");
+ }
+ return $target3->setup_admember("$path/s3member", $self->{vars}->{dc}, 29);
} elsif ($envname eq "all") {
if (not defined($self->{vars}->{dc})) {
$ENV{ENVNAME} = "dc";
@@ -1349,6 +1307,18 @@ sub setup_env($$$)
$ret->{FL2008R2DC_USERNAME} = $fl2008r2dc_ret->{USERNAME};
$ret->{FL2008R2DC_PASSWORD} = $fl2008r2dc_ret->{PASSWORD};
}
+ if (not defined($self->{vars}->{s3member})) {
+ $ENV{ENVNAME} = "s3member";
+ my $s3member_ret = $target3->setup_admember("$path/s3member", $self->{vars}->{dc}, 29);
+ $self->{vars}->{s3member} = $s3member_ret;
+
+ $ret->{S3MEMBER_SERVER} = $s3member_ret->{SERVER};
+ $ret->{S3MEMBER_SERVER_IP} = $s3member_ret->{SERVER_IP};
+ $ret->{S3MEMBER_NETBIOSNAME} = $s3member_ret->{NETBIOSNAME};
+ $ret->{S3MEMBER_NETBIOSALIAS} = $s3member_ret->{NETBIOSALIAS};
+ $ret->{S3MEMBER_USERNAME} = $s3member_ret->{USERNAME};
+ $ret->{S3MEMBER_PASSWORD} = $s3member_ret->{PASSWORD};
+ }
return $ret;
} else {
return undef;