From fba69f4a89bedaf799b3a3c78cde43f4f1d1aba3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 23 Jan 2015 17:19:41 +1300 Subject: selftest: Run krb5.kdc test against users with a UPN This tests both a UPN in our own realm, and a UPN with a non-realm suffix. Pair-programmed-with: Garming Sam Signed-off-by: Garming Sam Signed-off-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Jan 23 08:10:07 CET 2015 on sn-devel-104 --- selftest/target/Samba4.pm | 22 ++++++++++++++++++++++ source4/selftest/tests.py | 4 ++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index cdbbea4c7b..91db4f87bd 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -821,6 +821,18 @@ sub provision_raw_step2($$$) return undef; } + my $ldbmodify = Samba::bindir_path($self, "ldbmodify"); + my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm})); + my $user_dn = "cn=testallowed,cn=users,$base_dn"; + open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb"); + print LDIF "dn: $user_dn +changetype: modify +replace: userPrincipalName +userPrincipalName: testallowed_upn\@$ctx->{realm} +- +"; + close(LDIF); + $samba_tool_cmd = Samba::bindir_path($self, "samba-tool") . " user add --configfile=$ctx->{smb_conf} testdenied $ctx->{password}"; unless (system($samba_tool_cmd) == 0) { @@ -828,6 +840,16 @@ sub provision_raw_step2($$$) return undef; } + my $user_dn = "cn=testdenied,cn=users,$base_dn"; + open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb"); + print LDIF "dn: $user_dn +changetype: modify +replace: userPrincipalName +userPrincipalName: testdenied_upn\@$ctx->{realm}.upn +- +"; + close(LDIF); + $samba_tool_cmd = Samba::bindir_path($self, "samba-tool") . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' testallowed"; unless (system($samba_tool_cmd) == 0) { 
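Review bot: The added `open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")` and `close(LDIF)` are both unchecked, so if ldbmodify cannot start or exits non-zero, provisioning continues without the UPN and the problem only surfaces later as a krb5.kdc test failure. For a piped open the child's exit status is reported by `close`, so that call most needs a check; the neighbouring samba-tool calls already test `system(...) == 0` and `return undef`. The command is also built as a single shell string, so a private dir containing whitespace or shell metacharacters would be split or interpreted by the shell; a list-form pipe open with a lexical handle avoids both the shell and the global bareword `LDIF`, assuming `Samba::bindir_path` returns a bare executable path. The same pattern is repeated in the second hunk for testdenied, and provision_raw_step2 begins and ends outside both hunks.

```perl
my $ldbmodify = Samba::bindir_path($self, "ldbmodify");
# … unchanged: $base_dn and $user_dn assignments …
my $ldif;
unless (open($ldif, "|-", $ldbmodify, "-H", "$ctx->{privatedir}/sam.ldb")) {
	warn("Unable to start $ldbmodify: $!");
	return undef;
}
# … unchanged: the LDIF record, now printed to $ldif instead of LDIF …
unless (close($ldif)) {
	warn("$ldbmodify failed to set userPrincipalName on $user_dn (status $?)");
	return undef;
}
```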
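Review bot: `my $user_dn` is declared a second time in this hunk, in what looks like the same scope as the declaration added in the previous hunk, so Perl will report a "masks earlier declaration in same scope" warning if warnings are enabled (not visible in this diff). Assigning to the existing variable is enough: `$user_dn = "cn=testdenied,cn=users,$base_dn";`. The two LDIF blocks differ only in the account name and the UPN value, so a small private helper taking those two arguments would remove the duplication and give one place to check the ldbmodify exit status.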
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index ec202b4881..09486fa961 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -556,7 +556,7 @@ for env in ["dc", "rodc", "promoted_dc", "plugin_s4_dc", "fl2000dc", "fl2003dc", plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'] + extra_options, "samba4.krb5.kdc with specified account") - plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestdenied%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'] + extra_options, + plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestdenied%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM', '--option=torture:krb5-upn=testdenied_upn@$REALM.upn'] + extra_options, "samba4.krb5.kdc with account DENIED permission to replicate to an RODC") # These last two tests are for users cached at the RODC @@ -567,7 +567,7 @@ for env in ["dc", "rodc", "promoted_dc", "plugin_s4_dc", "fl2000dc", "fl2003dc", plansmbtorture4testsuite('krb5.kdc', "%s:local" % env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-P', '--workgroup=$DOMAIN', '--realm=$REALM'] + extra_options, "samba4.krb5.kdc with machine account") - plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestallowed%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'] + extra_options, + plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestallowed%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM', '--option=torture:krb5-upn=testallowed_upn@$REALM'] + extra_options, "samba4.krb5.kdc with account ALLOWED permission to replicate to an RODC") # TODO: Verifying the databases really should be a part of the -- cgit
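Review bot: The `torture:krb5-upn` values added to the testdenied and testallowed plans in both hunks are hard-coded copies of the UPNs that provision_raw_step2 in selftest/target/Samba4.pm writes, and nothing here records that link. A one-line comment above each call would help, for example `# UPN must match the userPrincipalName set in selftest/target/Samba4.pm (provision_raw_step2)`. It is also worth confirming that every environment in this `for env in [...]` list is provisioned through that step, since the diff does not show it and an environment that is not would fail the UPN case for reasons unrelated to the KDC.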