from selftesthelpers import plantestsuite_loadlist
from selftesthelpers import skiptestsuite, source4dir, valgrindify
from selftesthelpers import smbtorture4_options, smbtorture4_testsuites
-from selftesthelpers import smbtorture4, ntlm_auth3, samba3srcdir
+from selftesthelpers import smbtorture4, samba3srcdir
print("OPTIONS %s" % " ".join(smbtorture4_options), file=sys.stderr)
samba4srcdir = source4dir()
DSDB_PYTEST_DIR = os.path.join(samba4srcdir, "dsdb/tests/python/")
+subunitrun = valgrindify(python) + " " + os.path.join(samba4srcdir, "scripting/bin/subunitrun")
+
+
+def planoldpythontestsuite(env, module, name=None, extra_path=None, environ=None, extra_args=None):
+ if extra_path is None:
+ extra_path = []
+ if environ is None:
+ environ = {}
+ if extra_args is None:
+ extra_args = []
+ environ = dict(environ)
+ py_path = list(extra_path)
+ if py_path:
+ environ["PYTHONPATH"] = ":".join(["$PYTHONPATH"] + py_path)
+ args = ["%s=%s" % item for item in environ.items()]
+ args += [subunitrun, "$LISTOPT", "$LOADLIST", module]
+ args += extra_args
+ if name is None:
+ name = module
+ plantestsuite_loadlist(name, env, args)
+
samba4bindir = bindir()
validate = os.getenv("VALIDATE", "")
'--use-kerberos=required --option=clientldapsaslwrapping=plain',
'--use-kerberos=required --client-protection=sign',
'--use-kerberos=required --client-protection=encrypt',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
'--use-kerberos=disabled --option=clientldapsaslwrapping=plain',
'--use-kerberos=disabled --client-protection=sign --option=ntlmssp_client:ldap_style_send_seal=no',
'--use-kerberos=disabled --client-protection=sign',
'--use-kerberos=disabled --client-protection=encrypt',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
]
for auth_option in auth_options:
options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
- options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
- plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
- env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
+ auth_options = [
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ ]
+ for auth_option in auth_options:
+ options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check" ' + auth_option
+ plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
+ env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+ options += ' --option="clientldapsaslwrapping=starttls"'
+ plantestsuite("samba4.ldb.simple.ldap starttls with SASL-BIND %s(%s)" % (options, env),
+ env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
+
envraw = "fl2008r2dc"
env = "%s:local" % envraw
for t in smbtorture4_testsuites("dsdb."):
plansmbtorture4testsuite(t, "ad_dc:local", "localhost")
-ldbdir = os.path.join(srcdir(), "lib/ldb")
-# Don't run LDB tests when using system ldb, as we won't have ldbtest installed
-if os.path.exists(os.path.join(samba4bindir, "ldbtest")):
- plantestsuite("ldb.base", "none", "%s/tests/test-tdb-subunit.sh %s" % (ldbdir, samba4bindir))
-else:
- skiptestsuite("ldb.base", "Using system LDB, ldbtest not available")
-
plantestsuite_loadlist("samba4.tests.attr_from_server.python(ad_dc_ntvfs)",
"ad_dc_ntvfs:local",
[python, os.path.join(DSDB_PYTEST_DIR, "attr_from_server.py"),
"samba.tests.sddl"
])
+plantestsuite_loadlist("samba.tests.sddl_conditional_ace",
+ "none",
+ [python,
+ '-msamba.subunit.run',
+ '$LOADLIST',
+ "$LISTOPT"
+ "samba.tests.sddl_conditional_ace"
+ ])
+
for t in smbtorture4_testsuites("dns_internal."):
plansmbtorture4testsuite(t, "ad_dc_default:local", '//$SERVER/whavever')
+# These tests want to run on a barely changed fresh provision, before
+# too much happens to this environment, it is read only and local
+# (direct to the DB) so we use proclimitdc as it is otherwise empty
+# bar a test for process limits.
+planpythontestsuite("proclimitdc:local", "samba.tests.dsdb_quiet_provision_tests")
+
+# We want this local test to run in an environment where not much is happening that could use root keys
+planpythontestsuite("chgdcpass:local", "samba.tests.dsdb_quiet_env_tests")
+
# Local tests
for t in smbtorture4_testsuites("dlz_bind9."):
# The dlz_bind9 tests needs to look at the DNS database
plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
+planpythontestsuite("ad_dc_default", "samba.tests.blackbox.claims")
+
+planpythontestsuite("ad_dc_default", "samba.tests.blackbox.gmsa")
+
if have_heimdal_support:
plantestsuite("samba4.blackbox.kpasswd",
"ad_dc:local",
else:
skiptestsuite("samba.nss.test using winbind(%s)" % env, "nsstest not available")
-subunitrun = valgrindify(python) + " " + os.path.join(samba4srcdir, "scripting/bin/subunitrun")
-
-
-def planoldpythontestsuite(env, module, name=None, extra_path=None, environ=None, extra_args=None):
- if extra_path is None:
- extra_path = []
- if environ is None:
- environ = {}
- if extra_args is None:
- extra_args = []
- environ = dict(environ)
- py_path = list(extra_path)
- if py_path:
- environ["PYTHONPATH"] = ":".join(["$PYTHONPATH"] + py_path)
- args = ["%s=%s" % item for item in environ.items()]
- args += [subunitrun, "$LISTOPT", "$LOADLIST", module]
- args += extra_args
- if name is None:
- name = module
- plantestsuite_loadlist(name, env, args)
if have_gnutls_fips_mode_support:
planoldpythontestsuite("ad_dc",
- "samba.tests.dcerpc.createtrustrelax",
+ "samba.tests.dcerpc.lsa_utils",
environ={'GNUTLS_FORCE_FIPS_MODE': '1',
'OPENSSL_FORCE_FIPS_MODE': '1'})
planoldpythontestsuite("ad_dc_fips",
- "samba.tests.dcerpc.createtrustrelax",
+ "samba.tests.dcerpc.lsa_utils",
environ={'GNUTLS_FORCE_FIPS_MODE': '1',
'OPENSSL_FORCE_FIPS_MODE': '1'})
for testenv in [mdb_testenv, tdb_testenv]:
planoldpythontestsuite(testenv, "samba.tests.complex_expressions", extra_args=['-U"$USERNAME%$PASSWORD"'])
-planoldpythontestsuite("ad_dc_default:local", "samba.tests.gensec", extra_args=['-U"$USERNAME%$PASSWORD"'])
+# samba.tests.gensec is only run in ad_dc to ensure it runs with and
+# MIT and Heimdal build, it can run against any environment that
+# supports FAST
+planoldpythontestsuite("ad_dc:local", "samba.tests.gensec", extra_args=['-U"$USERNAME%$PASSWORD"'])
+
planoldpythontestsuite("none", "simple", extra_path=["%s/lib/tdb/python/tests" % srcdir()], name="tdb.python")
planpythontestsuite("ad_dc_default:local", "samba.tests.dcerpc.sam")
planpythontestsuite("ad_dc_default:local", "samba.tests.dsdb")
for env in all_fl_envs:
planpythontestsuite(env + ":local", "samba.tests.samba_tool.fsmo")
+# test getpassword for group managed service accounts
+planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.user_getpassword_gmsa")
+
# test samba-tool user, group, contact and computer edit command
for env in all_fl_envs:
env += ":local"
planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.processes")
planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.user")
+planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.user_auth_policy")
+planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.user_auth_silo")
for env in ["ad_dc_default:local", "ad_dc_no_ntlm:local"]:
planpythontestsuite(env, "samba.tests.samba_tool.user_wdigest")
for env, nt_hash in [("ad_dc:local", True),
("ad_dc_no_ntlm:local", False)]:
planpythontestsuite(env, "samba.tests.samba_tool.user",
environ={"EXPECT_NT_HASH": int(nt_hash)})
+ # test get-kerberos-ticket for locally accessible and group managed service accounts
+ planpythontestsuite(env, "samba.tests.samba_tool.user_get_kerberos_ticket")
planpythontestsuite(env, "samba.tests.samba_tool.user_virtualCryptSHA_userPassword")
planpythontestsuite(env, "samba.tests.samba_tool.user_virtualCryptSHA_gpg")
planpythontestsuite("chgdcpass:local", "samba.tests.samba_tool.user_check_password_script")
planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_claim")
planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_auth_policy")
planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_auth_silo")
+
+# This test needs to be run in an environment well apart from most
+# other tests as it deletes root keys and we don't want this to happen
+# where a gMSA account might be live.
+planpythontestsuite("chgdcpass", "samba.tests.samba_tool.domain_kds_root_key")
+
planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.domain_models")
+planpythontestsuite("ad_dc_default", "samba.tests.samba_tool.service_account")
planpythontestsuite("schema_dc:local", "samba.tests.samba_tool.schema")
planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.ntacl")
planpythontestsuite("none", "samba.tests.samba_tool.provision_password_check")
extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc",
"samba.tests.segfault",
- extra_args=['-U"$USERNAME%$PASSWORD"'])
+ extra_args=['-U"$USERNAME%$PASSWORD"'],
+ environ={"TALLOC_FREE_FILL": "0xab"})
# Need to test the password hashing in multiple environments to ensure that
# all the possible options are covered
#
# Run smbcacls_propagate_inhertance tests on non msdfs root share
planoldpythontestsuite("fileserver",
"samba.tests.blackbox.smbcacls_propagate_inhertance")
+planoldpythontestsuite("fileserver",
+ "samba.tests.blackbox.smbcacls_save_restore")
+planoldpythontestsuite("ad_member",
+ "samba.tests.blackbox.smbcacls_save_restore",
+ environ={'USER': '$DC_USERNAME',
+ 'PASSWORD' : '$DC_PASSWORD'}
+ )
+
#
# A) Run the smbcacls_propagate_inhertance tests on a msdfs root share
# *without* any nested dfs links
# we also test joining backupfromdc here, as it's a bit special in that it
# doesn't have Default-First-Site-Name
for env in ['backupfromdc', 'offlinebackupdc', 'restoredc', 'renamedc',
- 'labdc']:
+ 'labdc']:
# basic test that we can join the testenv DC
plantestsuite("samba4.blackbox.join_ldapcmp", env,
["PYTHON=%s" % python, os.path.join(bbdir, "join_ldapcmp.sh")])
extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
name="samba4.drs.replica_sync_rodc.python(rodc)",
environ={'DC1': '$DC_SERVER', 'DC2': '$SERVER'},
- extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
+ extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
planoldpythontestsuite("ad_dc_default_smb1", "password_settings",
extra_path=[os.path.join(samba4srcdir, 'dsdb/tests/python')],
extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
name="samba4.drs.link_conflicts.python(%s)" % env,
environ={'DC1': "$DC_SERVER", 'DC2': '$SERVER'},
- extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
+ extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
# Environment chgdcpass has the Samba 4.5 GET_ANC behaviour, which we
# set a knownfail to expect
extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
name="samba4.drs.getncchanges.python(%s)" % env,
environ={'DC1': "$DC_SERVER", 'DC2': '$SERVER'},
- extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
+ extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
for env in ['ad_dc_ntvfs']:
planoldpythontestsuite(env, "repl_rodc",
'ad_dc',
'samba.tests.krb5.pkinit_tests',
environ=krb5_environ)
+planoldpythontestsuite(
+ 'ad_dc',
+ 'samba.tests.krb5.conditional_ace_tests',
+ environ=krb5_environ)
+planoldpythontestsuite(
+ 'ad_dc',
+ 'samba.tests.krb5.gkdi_tests',
+ environ=krb5_environ)
+planoldpythontestsuite(
+ 'ad_dc:local',
+ 'samba.tests.krb5.gmsa_tests',
+ environ=krb5_environ)
for env in [
'vampire_dc',
[os.path.join(bindir(), "test_ndr_macros")])
plantestsuite("librpc.ndr.ndr_dns_nbt", "none",
[os.path.join(bindir(), "test_ndr_dns_nbt")])
+plantestsuite("librpc.ndr.test_ndr_gmsa", "none",
+ [os.path.join(bindir(), "test_ndr_gmsa")])
plantestsuite("libcli.ldap.ldap_message", "none",
[os.path.join(bindir(), "test_ldap_message")])
planpythontestsuite("fileserver", "samba.tests.dcerpc.mdssvc")
planoldpythontestsuite("none", "samba.tests.compression")
planpythontestsuite("none", "samba.tests.security_descriptors")
+
+if have_cluster_support:
+ cluster_environ = {
+ "SERVER_HOSTNAME": "$NETBIOSNAME",
+ "INTERFACE_GROUP_NAME": "$NETBIOSNAME",
+ "CLUSTER_SHARE": "registry_share",
+ "USERNAME": "$DC_USERNAME",
+ "PASSWORD": "$DC_PASSWORD",
+ }
+ planpythontestsuite("clusteredmember:local",
+ "samba.tests.blackbox.rpcd_witness_samba_only",
+ environ=cluster_environ)