s4-torture: Expand whoami test to confirm the user token.

This uses the tokenGroups attribute on LDAP and the posix whoami call
to confirm that user token matches between LDAP and CIFS.

I have a seperate patch for the anonymous case, because this isn't
consistent at this stage, and we need to study and fix that.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 20 18:43:43 CEST 2012 on sn-devel-104

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 0d3bf04dd1e56764ff4fc7d6812700b01e226e40..11056b9c8afcc2b67236f4f73ebd24f15825f6af 100755 (executable)
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -304,7 +304,7 @@ for t in tests:
         plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
     elif t == "unix.whoami":
         plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
-        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
+        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:addc=true')
     elif t == "raw.samba3posixtimedlock":
         plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
         plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')

diff --git a/source4/torture/unix/whoami.c b/source4/torture/unix/whoami.c
index caaeb0f294894ef4ea5cf5790a60960ab0a489c5..302282752a7f86091d42338e1fc5e55bff254a7c 100644 (file)
--- a/source4/torture/unix/whoami.c
+++ b/source4/torture/unix/whoami.c
@@ -25,6 +25,12 @@
 #include "auth/credentials/credentials.h"
 #include "param/param.h"
 #include "libcli/resolve/resolve.h"
+#include <ldb.h>
+#include "lib/util/util_ldb.h"
+#include "ldb_wrap.h"
+#include "dsdb/samdb/samdb.h"
+#include "../libcli/security/security.h"
+
 
 /* Size (in bytes) of the required fields in the SMBwhoami response. */
 #define WHOAMI_REQUIRED_SIZE   40
@@ -92,7 +98,7 @@ static struct smbcli_state *connect_to_server(struct torture_context *tctx,
        return cli;
 }
 
-static bool sid_parse(void *mem_ctx,
+static bool whoami_sid_parse(void *mem_ctx,
                struct torture_context *torture,
                DATA_BLOB *data, size_t *offset,
                struct dom_sid **psid)
@@ -248,7 +254,7 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
                                "out of memory");
 
                for (i = 0; i < whoami->num_sids; ++i) {
-                       if (!sid_parse(mem_ctx, torture,
+                       if (!whoami_sid_parse(mem_ctx, torture,
                                        &tp.out.data, &offset,
                                        &whoami->sid_list[i])) {
                                return false;
@@ -264,12 +270,37 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
        return true;
 }
 
+static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, struct smb_whoami *whoami)
+{
+       struct ldb_message *msg;
+       struct ldb_message_element *el;
+
+       const char *attrs[] = { "tokenGroups", NULL };
+       int i;
+
+       torture_assert_int_equal(torture, dsdb_search_one(ldb, torture, &msg, NULL, LDB_SCOPE_BASE, attrs, 0, NULL), LDB_SUCCESS, "searching for tokenGroups");
+       el = ldb_msg_find_element(msg, "tokenGroups");
+       torture_assert(torture, el, "obtaining tokenGroups");
+       torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
+
+       for (i = 0; i < el->num_values; i++) {
+               struct dom_sid *sid = talloc(torture, struct dom_sid);
+               torture_assert(torture, sid != NULL, "talloc failed");
+
+               torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
+               torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
+               talloc_free(sid);
+       }
+       return true;
+}
+
 bool torture_unix_whoami(struct torture_context *torture)
 {
        struct smbcli_state *cli;
        struct cli_credentials *anon_credentials;
        struct smb_whoami whoami;
        bool ret;
+       struct ldb_context *ldb;
 
        cli = connect_to_server(torture, cmdline_credentials);
        torture_assert(torture, cli, "connecting to server with authenticated credentials");
@@ -279,6 +310,17 @@ bool torture_unix_whoami(struct torture_context *torture)
                                                       cli, &whoami, 0xFFFF), ret, fail,
                            "calling SMB_QFS_POSIX_WHOAMI on an authenticated connection");
 
+       if (torture_setting_bool(torture, "addc", false)) {
+               ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", torture_setting_string(torture, "host", NULL)),
+                                      NULL, cmdline_credentials, 0);
+               torture_assert(torture, ldb, "ldb connect failed");
+
+               /* We skip this testing if we could not contact the LDAP server */
+               if (!test_against_ldap(torture, ldb, &whoami)) {
+                       goto fail;
+               }
+       }
+
        /* Test that the server drops the UID and GID list. */
        torture_assert_goto(torture, smb_raw_query_posix_whoami(torture, torture,
                                                  cli, &whoami, 0x40), ret, fail,