$ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
$ENV{KRB5CCNAME} = "$env_vars->{KRB5_CCACHE}.samba";
+ if (defined($ENV{MITKRB5})) {
+ $ENV{KRB5_KDC_PROFILE} = $env_vars->{MITKDC_CONFIG};
+ }
$ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
close($env_vars->{STDIN_PIPE});
open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
- exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
+ exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
}
$env_vars->{SAMBA_PID} = $pid;
print "DONE ($pid)\n";
}
$count++;
} while ($ret != 0 && $count < 20);
- if ($count == 10) {
+ if ($count == 20) {
warn("nbt not reachable after 20 retries\n");
teardown_env($self, $testenv_vars);
return 0;
sleep(1);
}
}
+
+ my $wbinfo = Samba::bindir_path($self, "wbinfo");
+
+ $count = 0;
+ do {
+ my $cmd = "NSS_WRAPPER_PASSWD=$testenv_vars->{NSS_WRAPPER_PASSWD} ";
+ $cmd .= "NSS_WRAPPER_GROUP=$testenv_vars->{NSS_WRAPPER_GROUP} ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=$testenv_vars->{SELFTEST_WINBINDD_SOCKET_DIR} ";
+ $cmd .= "$wbinfo -p";
+ $ret = system($cmd);
+
+ if ($ret != 0) {
+ sleep(1);
+ }
+ $count++;
+ } while ($ret != 0 && $count < 20);
+ if ($count == 20) {
+ warn("winbind not reachable after 20 retries\n");
+ teardown_env($self, $testenv_vars);
+ return 0;
+ }
+
print $self->getlog_env($testenv_vars);
return $ret
$ctx->{smb_conf} = "$ctx->{etcdir}/smb.conf";
$ctx->{krb5_conf} = "$ctx->{etcdir}/krb5.conf";
$ctx->{krb5_ccache} = "$prefix_abs/krb5_ccache";
+ $ctx->{mitkdc_conf} = "$ctx->{etcdir}/mitkdc.conf";
$ctx->{privatedir} = "$prefix_abs/private";
+ $ctx->{binddnsdir} = "$prefix_abs/bind-dns";
$ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc";
$ctx->{lockdir} = "$prefix_abs/lockdir";
$ctx->{logdir} = "$prefix_abs/logs";
$ctx->{interfaces} = "$ctx->{ipv4}/8 $ctx->{ipv6}/64";
push(@{$ctx->{directories}}, $ctx->{privatedir});
+ push(@{$ctx->{directories}}, $ctx->{binddnsdir});
push(@{$ctx->{directories}}, $ctx->{etcdir});
push(@{$ctx->{directories}}, $ctx->{piddir});
push(@{$ctx->{directories}}, $ctx->{lockdir});
workgroup = $ctx->{domain}
realm = $ctx->{realm}
private dir = $ctx->{privatedir}
+ binddns dir = $ctx->{binddnsdir}
pid directory = $ctx->{piddir}
ncalrpc dir = $ctx->{ncalrpcdir}
lock dir = $ctx->{lockdir}
rndc command = true
dns update command = $ctx->{samba_dnsupdate}
spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
+ gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_gpoupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb --machine
dreplsrv:periodic_startup_interval = 0
dsdb:schema update allowed = yes
+ prefork children = 4
+
vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot
idmap_ldb:use rfc2307=yes
}
Samba::mk_krb5_conf($ctx);
+ Samba::mk_mitkdc_conf($ctx, abs_path(Samba::bindir_path($self, "shared")));
open(PWD, ">$ctx->{nsswrap_passwd}");
if ($ctx->{unix_uid} != 0) {
my $ret = {
KRB5_CONFIG => $ctx->{krb5_conf},
KRB5_CCACHE => $ctx->{krb5_ccache},
+ MITKDC_CONFIG => $ctx->{mitkdc_conf},
PIDDIR => $ctx->{piddir},
SERVER => $ctx->{hostname},
SERVER_IP => $ctx->{ipv4},
STATEDIR => $ctx->{statedir},
CACHEDIR => $ctx->{cachedir},
PRIVATEDIR => $ctx->{privatedir},
+ BINDDNSDIR => $ctx->{binddnsdir},
SERVERCONFFILE => $ctx->{smb_conf},
CONFIGURATION => $configuration,
SOCKET_WRAPPER_DEFAULT_IFACE => $ctx->{swiface},
# the source4 smb server doesn't allow signing by default
server signing = enabled
+raw NTLMv2 auth = yes
rpc_server:default = external
rpc_server:svcctl = embedded
max xmit = 32K
server max protocol = SMB2
+ ntlm auth = ntlmv2-only
+
[sysvol]
path = $ctx->{statedir}/sysvol
read only = yes
my ($self, $prefix, $dcvars, $fl) = @_;
print "PROVISIONING VAMPIRE DC @ FL $fl...\n";
my $name = "localvampiredc";
+ my $extra_conf = "";
if ($fl == "2000") {
- $name = "vampire2000dc";
+ $name = "vampire2000dc";
+ } else {
+ $extra_conf = "drs: immediate link sync = yes
+ drs: max link sync = 250";
}
# We do this so that we don't run the provision. That's the job of 'net vampire'.
max xmit = 32K
server max protocol = SMB2
+ ntlm auth = mschapv2-and-ntlmv2-only
+ $extra_conf
+
[sysvol]
path = $ctx->{statedir}/sysvol
read only = yes
}
Samba::mk_krb5_conf($ctx);
+ Samba::mk_mitkdc_conf($ctx, abs_path(Samba::bindir_path($self, "shared")));
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
allow nt4 crypto = yes
+ raw NTLMv2 auth = yes
lsa over netlogon = yes
rpc server port = 1027
auth event notification = true
+ server schannel = auto
";
my $ret = $self->provision($prefix,
"domain controller",
spnego:simulate_w2k=yes
ntlmssp_server:force_old_spnego=yes
";
+ my $extra_provision_options = undef;
+ # This environment uses plain text secrets
+ # i.e. secret attributes are not encrypted on disk.
+ # This allows testing of the --plaintext-secrets option for
+ # provision
+ push (@{$extra_provision_options}, "--plaintext-secrets");
my $ret = $self->provision($prefix,
"domain controller",
"dc5",
undef,
$extra_conf_options,
"",
- undef);
+ $extra_provision_options);
unless ($ret) {
return undef;
}
print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
my $extra_conf_options = "allow dns updates = nonsecure and secure
+ dcesrv:header signing = no
dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2";
my $ret = $self->provision($prefix,
"domain controller",
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
server max protocol = SMB2
+ password server = $dcvars->{DC_SERVER}
[sysvol]
path = $ctx->{statedir}/sysvol
$ctx->{kdc_ipv4} = $ret->{SERVER_IP};
$ctx->{kdc_ipv6} = $ret->{SERVER_IPV6};
Samba::mk_krb5_conf($ctx);
+ Samba::mk_mitkdc_conf($ctx, abs_path(Samba::bindir_path($self, "shared")));
$ret->{RODC_DC_SERVER} = $ret->{SERVER};
$ret->{RODC_DC_SERVER_IP} = $ret->{SERVER_IP};
return \%ret;
}
-sub provision_ad_dc($$)
+sub provision_ad_dc($$$$$$)
{
- my ($self, $prefix) = @_;
+ my ($self, $prefix, $hostname, $domain, $realm, $smbconf_args) = @_;
my $prefix_abs = abs_path($prefix);
lpq cache time = 0
print notify backchannel = yes
+ server schannel = auto
auth event notification = true
+ $smbconf_args
";
my $extra_smbconf_shares = "
print "PROVISIONING AD DC...\n";
my $ret = $self->provision($prefix,
"domain controller",
- "addc",
- "ADDOMAIN",
- "addom.samba.example.com",
+ $hostname,
+ $domain,
+ $realm,
"2008",
"locDCpass1",
undef,
} elsif ($envname eq "chgdcpass") {
return $self->setup_chgdcpass("$path/chgdcpass", $self->{vars}->{chgdcpass});
} elsif ($envname eq "ad_member") {
- if (not defined($self->{vars}->{ad_dc_ntvfs})) {
- $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+ if (not defined($self->{vars}->{ad_dc})) {
+ $self->setup_ad_dc("$path/ad_dc");
}
- return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc_ntvfs}, 29);
+ return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc}, 29);
} elsif ($envname eq "ad_dc") {
return $self->setup_ad_dc("$path/ad_dc");
} elsif ($envname eq "ad_dc_no_nss") {
- return $self->setup_ad_dc("$path/ad_dc_no_nss", "no_nss");
+ return $self->setup_ad_dc_no_nss("$path/ad_dc_no_nss");
+ } elsif ($envname eq "ad_dc_no_ntlm") {
+ return $self->setup_ad_dc_no_ntlm("$path/ad_dc_no_ntlm");
} elsif ($envname eq "ad_member_rfc2307") {
if (not defined($self->{vars}->{ad_dc_ntvfs})) {
$self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
}
return $target3->setup_ad_member_idmap_rid("$path/ad_member_idmap_rid",
$self->{vars}->{ad_dc});
+ } elsif ($envname eq "ad_member_idmap_ad") {
+ if (not defined($self->{vars}->{ad_dc})) {
+ $self->setup_ad_dc("$path/ad_dc");
+ }
+ return $target3->setup_ad_member_idmap_ad("$path/ad_member_idmap_ad",
+ $self->{vars}->{ad_dc});
} elsif ($envname eq "none") {
return $self->setup_none("$path/none");
} else {
# force replicated DC to update repsTo/repsFrom
# for vampired partitions
my $samba_tool = Samba::bindir_path($self, "samba-tool");
- my $cmd = "";
- $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
- if (defined($env->{RESOLV_WRAPPER_CONF})) {
- $cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
- } else {
- $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
- }
- $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
- $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
- $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
- $cmd .= " $env->{CONFIGURATION}";
- $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
- unless (system($cmd) == 0) {
- warn("Failed to exec kcc on remote DC\n$cmd");
- return undef;
- }
# as 'vampired' dc may add data in its local replica
# we need to synchronize data between DCs
my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
- $cmd = "";
+ my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($env->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
# for vampired partitions
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
- $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
- $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
- $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
- $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
- $cmd .= " $env->{CONFIGURATION}";
- $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
- unless (system($cmd) == 0) {
- warn("Failed to exec kcc on remote DC\n$cmd");
- return undef;
- }
-
- my $samba_tool = Samba::bindir_path($self, "samba-tool");
- my $cmd = "";
- $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
- $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
- $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
- $cmd .= " $samba_tool drs kcc $env->{SERVER}";
- $cmd .= " $env->{CONFIGURATION}";
- $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
- unless (system($cmd) == 0) {
- warn("Failed to exec kcc on promoted DC\n$cmd");
- return undef;
- }
-
# as 'vampired' dc may add data in its local replica
# we need to synchronize data between DCs
my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
# for primary domain partitions
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
- $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
- $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
- $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
- $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
- $cmd .= " $env->{CONFIGURATION}";
- $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}";
- unless (system($cmd) == 0) {
- warn("Failed to exec kcc on remote DC\n$cmd");
- return undef;
- }
-
# as 'subdomain' dc may add data in its local replica
# we need to synchronize data between DCs
my $base_dn = "DC=".join(",DC=", split(/\./, $env->{REALM}));
return undef;
}
- if (not defined($self->check_or_start($env, "single"))) {
+ if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
sub setup_ad_dc($$)
{
- my ($self, $path, $no_nss) = @_;
+ my ($self, $path) = @_;
# If we didn't build with ADS, pretend this env was never available
if (not $self->{target3}->have_ads()) {
return "UNKNOWN";
}
- my $env = $self->provision_ad_dc($path);
+ my $env = $self->provision_ad_dc($path, "addc", "ADDOMAIN",
+ "addom.samba.example.com", "");
unless ($env) {
return undef;
}
- if (defined($no_nss) and $no_nss) {
- $env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
- $env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
}
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ $self->setup_namespaces($env, $upn_array, $spn_array);
+
+ $self->{vars}->{ad_dc} = $env;
+ return $env;
+}
+
+sub setup_ad_dc_no_nss($$)
+{
+ my ($self, $path) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ my $env = $self->provision_ad_dc($path, "addc_no_nss", "ADNONSSDOMAIN",
+ "adnonssdom.samba.example.com", "");
+ unless ($env) {
+ return undef;
+ }
+
+ $env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
+ $env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+
if (not defined($self->check_or_start($env, "single"))) {
return undef;
}
$self->setup_namespaces($env, $upn_array, $spn_array);
- $self->{vars}->{ad_dc} = $env;
+ $self->{vars}->{ad_dc_no_nss} = $env;
+ return $env;
+}
+
+sub setup_ad_dc_no_ntlm($$)
+{
+ my ($self, $path) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ my $env = $self->provision_ad_dc($path, "addc_no_ntlm", "ADNONTLMDOMAIN",
+ "adnontlmdom.samba.example.com",
+ "ntlm auth = disabled");
+ unless ($env) {
+ return undef;
+ }
+
+ if (not defined($self->check_or_start($env, "prefork"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ $self->setup_namespaces($env, $upn_array, $spn_array);
+
+ $self->{vars}->{ad_dc_no_ntlm} = $env;
return $env;
}