From: Stefan Metzmacher Date: Fri, 18 Mar 2011 18:13:43 +0000 (+0100) Subject: s4:selftest: test ntvfs.cifs with s4u2proxy X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=d7cc8571f756659661285f38ba61ff92683194f7;hp=67b2e2d67917c9201ec2fb30b5aa89e2b407960c;p=metze%2Fsamba%2Fwip.git s4:selftest: test ntvfs.cifs with s4u2proxy Pair-Programmed-With: Björn Baumbach metze Autobuild-User: Stefan Metzmacher Autobuild-Date: Fri Jun 24 20:35:30 CEST 2011 on sn-devel-104 --- diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 2a3fe65e74f3..70e3cf7b1b79 100644 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -736,10 +736,11 @@ sub provision($$$$$$$$$) max xmit = 32K server max protocol = SMB2 - $extra_smbconf_options host msdfs = $msdfs lanman auth = yes + $extra_smbconf_options + [tmp] path = $ctx->{tmpdir} read only = no @@ -766,8 +767,10 @@ sub provision($$$$$$$$$) ntvfs handler = cifs cifs:server = $ctx->{netbiosname} cifs:share = tmp -#There is no username specified here, instead the client is expected -#to log in with kerberos, and the serverwill use delegated credentials. + cifs:use-s4u2proxy = yes + # There is no username specified here, instead the client is expected + # to log in with kerberos, and the serverwill use delegated credentials. + # Or the server tries s4u2self/s4u2proxy to impersonate the client [simple] path = $ctx->{tmpdir} 
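Review bot: Moving `$extra_smbconf_options` to the end of the global options in `provision` is now load-bearing, but nothing at that spot says so. The value passed by `provision_rpc_proxy` later in this patch opens a `[cifs_to_dc]` share section, so any global option added below the interpolation point would silently become a share option. I would add a template comment directly above it, for example `# $extra_smbconf_options may start a share section; keep it last in [global]`. The body of `provision` continues outside the hunk, so the actual section layout should be confirmed there.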
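Review bot: The comment added next to `cifs:use-s4u2proxy = yes` does not say when each path is taken, and the same text is repeated in the `[cifs_to_dc]` share added in `provision_rpc_proxy`. As I read it, a Kerberos client that delegates credentials uses the first path, and a client without a usable ticket (for example NTLM) makes the server fall back to S4U2Self plus S4U2Proxy; please confirm and spell that out. It is also worth stating that the fallback only works when the server account has been granted delegation rights, which this patch does via `samba-tool delegation` for the rpc_proxy. Suggested wording: `# No username is configured: a Kerberos client delegates its credentials; otherwise the server uses S4U2Self/S4U2Proxy, which requires delegation rights on the server account.` This would also fix the "serverwill" typo.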
@@ -877,9 +880,23 @@ sub provision_rpc_proxy($$$) my ($self, $prefix, $dcvars) = @_; print "PROVISIONING RPC PROXY..."; - my $extra_smbconf_options = "dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER} - dcerpc endpoint servers = epmapper, remote - dcerpc_remote:interfaces = rpcecho + my $extra_smbconf_options = " + + # rpc_proxy + dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER} + dcerpc endpoint servers = epmapper, remote + dcerpc_remote:interfaces = rpcecho + +[cifs_to_dc] + read only = no + ntvfs handler = cifs + cifs:server = $dcvars->{SERVER} + cifs:share = cifs + cifs:use-s4u2proxy = yes + # There is no username specified here, instead the client is expected + # to log in with kerberos, and the serverwill use delegated credentials. + # Or the server tries s4u2self/s4u2proxy to impersonate the client + "; my $ret = $self->provision($prefix, @@ -898,6 +915,8 @@ sub provision_rpc_proxy($$$) } my $samba_tool = Samba::bindir_path($self, "samba-tool"); + + # The joind runs in the context of the rpc_proxy/member for now my $cmd = ""; $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; 
@@ -909,6 +928,30 @@ sub provision_rpc_proxy($$$) return undef; } + # Setting up delegation runs in the context of the DC for now + my $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" "; + $cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on"; + $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} $dcvars->{CONFIGURATION}"; + + unless (system($cmd) == 0) { + warn("Delegation failed\n$cmd"); + return undef; + } + + # Setting up delegation runs in the context of the DC for now + my $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" "; + $cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}"; + $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} $dcvars->{CONFIGURATION}"; + + unless (system($cmd) == 0) { + warn("Delegation failed\n$cmd"); + return undef; + } + $ret->{RPC_PROXY_SERVER} = $ret->{SERVER}; $ret->{RPC_PROXY_SERVER_IP} = $ret->{SERVER_IP}; $ret->{RPC_PROXY_NETBIOSNAME} = $ret->{NETBIOSNAME}; diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index bf42c7c303de..1ffc8cd74a39 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
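Review bot: Both new delegation steps build a single shell string that contains `-U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}` and, on failure, print it verbatim with `warn("Delegation failed\n$cmd")`, so the DC administrator password ends up in the selftest log. The string form of `system` also passes the interpolated NetBIOS name, server name and password through the shell, where quoting mistakes turn into command parsing problems. In addition, the hunk declares `my $cmd` twice more in a scope that already has one, which produces "masks earlier declaration" warnings, and both steps share an identical comment and failure message. I would switch to the list form of `system` with a localized `%ENV`, and name the failing step in the warning instead of echoing the command. The sketch below assumes `CONFIGURATION` holds whitespace-separated options; `provision_rpc_proxy` begins and ends outside this hunk.

```perl
	# Setting up delegation runs in the context of the DC for now
	my @delegation_steps = (
		["for-any-protocol", "$ret->{NETBIOSNAME}\$", "on"],
		["add-service", "$ret->{NETBIOSNAME}\$", "cifs/$dcvars->{SERVER}"],
	);
	foreach my $step (@delegation_steps) {
		# Environment is set per call instead of being prefixed to a shell string
		local $ENV{SOCKET_WRAPPER_DEFAULT_IFACE} = $dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE};
		local $ENV{KRB5_CONFIG} = $dcvars->{KRB5_CONFIG};
		my @args = ($samba_tool, "delegation", @$step,
			    "-U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}",
			    split(' ', $dcvars->{CONFIGURATION}));
		unless (system(@args) == 0) {
			# Name the step only; do not echo the credentials
			warn("Delegation step '$step->[0]' failed\n");
			return undef;
		}
	}
	# … unchanged: $ret->{RPC_PROXY_*} assignments …
```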
@@ -244,7 +244,13 @@ for t in smb4torture_testsuites("rap."): # Tests against the NTVFS CIFS backend for t in base + raw: - plantestsuite_loadlist("samba4.ntvfs.cifs.%s" % t, "dc", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs', '-U$USERNAME%$PASSWORD'] + ntvfsargs + [t]) + plantestsuite_loadlist("samba4.ntvfs.cifs.krb5.%s" % t, "dc", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs', '-U$USERNAME%$PASSWORD', '--kerberos=yes'] + ntvfsargs + [t]) + +# Test NTVFS CIFS backend with S4U2Self and S4U2Proxy +t = "base.unlink" +plantestsuite_loadlist("samba4.ntvfs.cifs.ntlm.%s" % t, "dc", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs', '-U$USERNAME%$PASSWORD', '--kerberos=no'] + ntvfsargs + [t]) +plantestsuite_loadlist("samba4.ntvfs.cifs.krb5.%s" % t, "rpc_proxy", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs_to_dc', '-U$DC_USERNAME%$DC_PASSWORD', '--kerberos=yes'] + ntvfsargs + [t]) +plantestsuite_loadlist("samba4.ntvfs.cifs.ntlm.%s" % t, "rpc_proxy", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs_to_dc', '-U$DC_USERNAME%$DC_PASSWORD', '--kerberos=no'] + ntvfsargs + [t]) plansmbtorturetestsuite('echo.udp', 'dc:local', '//$SERVER/whatever')
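Review bot: The three new S4U runs only check that `base.unlink` succeeds, so nothing verifies that delegation is refused when it should be. Constrained delegation is an authorization boundary, so I would add at least one planned test that expects failure, for example against a service the rpc_proxy account was not granted via `delegation add-service`, if the harness can express an expected failure. The comment above the block would also be clearer if it said which run exercises which path, e.g. `# --kerberos=no forces the server to use S4U2Self + S4U2Proxy; --kerberos=yes on rpc_proxy covers the Kerberos client path to the DC`, assuming that is the intended mapping. Finally, `samba4.ntvfs.cifs.krb5.base.unlink` is now planned for both `dc` and `rpc_proxy`, so please confirm the environment is part of the reported test id; otherwise the two results are indistinguishable.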