From: Andrew Bartlett
Date: Thu, 12 Jul 2012 02:59:29 +0000 (+1000)
Subject: s4-torture: Allow unix.whoami to test against a member server
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=624f11e4b46884c13056709ba6abc8dc2a659bc3;p=metze%2Fsamba%2Fwip.git

s4-torture: Allow unix.whoami to test against a member server

This compares only the domain SIDs betwen the two servers, rather than the full token, as well known and other SIDs may be added locally in both cases.

This also expands the test environments this is run against to verify this between our AD server and domain members.

Andrew Bartlett
---
diff --git a/selftest/knownfail b/selftest/knownfail
index e5bff1b17ea7..19f728d139bb 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -42,6 +42,7 @@
 ^samba3.raw.samba3closeerr.samba3closeerr\(s3dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls.generic\(s3dc\) # This fails against smbd
 ^samba3.unix.whoami anonymous connection.whoami\(plugin_s4_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
+^samba3.unix.whoami anonymous connection.whoami\(s3member\) # smbd maps anonymous logins to domain guest in the local domain, not SID_NT_ANONYMOUS
 # these show that we still have some differences between our system
 # with our internal iconv because it passes except when we bypass our
 # internal iconv modules
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 41a1111e81b4..6f7ab32c5deb 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -305,11 +305,13 @@ for t in tests:
         plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
         plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
     elif t == "unix.whoami":
-        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
-        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U%', description='anonymous connection')
-        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:addc=true')
-        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD --option=torture:addc=true', description='kerberos connection')
-        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U% --option=torture:addc=true', description='anonymous connection')
+        for env in ["s3dc", "member"]:
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmpguest -U%', description='anonymous connection')
+        for env in ["plugin_s4_dc", "s3member"]:
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER')
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER', description='kerberos connection')
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmpguest -U% --option=torture:addc=$DC_SERVER', description='anonymous connection')
     elif t == "raw.samba3posixtimedlock":
         plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
         plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')
diff --git a/source4/torture/unix/whoami.c b/source4/torture/unix/whoami.c
index 2bfbc0448105..968af6b4a25b 100644
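Review bot: `--option=torture:addc=$DC_SERVER` now carries the DC's host name instead of a boolean, and nothing in tests.py says what the value is used for; judging by the whoami.c hunk in the same commit, the C side compares it case-insensitively with the target host to decide between a full-token match and a domain-SIDs-only match, so a `$DC_SERVER` that names the DC in a different form from `$SERVER` (short name vs FQDN) would silently give the plugin_s4_dc environment the weaker member-style check. A comment above the second `for env in ...` loop would keep that coupling visible, e.g. `# torture:addc names the DC to query over LDAP; the full token is compared only when it equals the target host, otherwise just the domain SIDs`. The enclosing `for t in tests:` loop starts before this hunk.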
--- a/source4/torture/unix/whoami.c
+++ b/source4/torture/unix/whoami.c
@@ -277,7 +277,8 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
 	return true;
 }
 
-static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, struct smb_whoami *whoami)
+static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, bool is_dc,
+			      struct smb_whoami *whoami)
 {
 	struct ldb_message *msg;
 	struct ldb_message_element *el;
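Review bot: `test_against_ldap` gains a `bool is_dc` parameter with nothing saying what it selects, and the function still has no header comment. The following hunk shows it demanding an exact token match when `is_dc` is true and comparing only SIDs from the user's own domain otherwise, so a short comment above the definition would spare the next reader that trip, e.g. `/* is_dc: the CIFS server is the DC we query over LDAP, so the tokens must match exactly; otherwise only SIDs in the user's own domain are compared, as a member server adds local and well-known SIDs of its own. */`. The function body continues past this hunk.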
@@ -288,15 +289,54 @@ static bool test_against_ldap(struct torture_context *torture, struct ldb_contex
 	torture_assert_int_equal(torture, dsdb_search_one(ldb, torture, &msg, NULL, LDB_SCOPE_BASE, attrs, 0, NULL), LDB_SUCCESS, "searching for tokenGroups");
 	el = ldb_msg_find_element(msg, "tokenGroups");
 	torture_assert(torture, el, "obtaining tokenGroups");
-	torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
+	torture_assert(torture, el->num_values > 0, "Number of SIDs from LDAP needs to be more than 0");
+	torture_assert(torture, whoami->num_sids > 0, "Number of SIDs from LDAP needs to be more than 0");
+
+	if (is_dc) {
+		torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
+
+		for (i = 0; i < el->num_values; i++) {
+			struct dom_sid *sid = talloc(torture, struct dom_sid);
+			torture_assert(torture, sid != NULL, "talloc failed");
+
+			torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
+			torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
+			talloc_free(sid);
+		}
+	} else {
+		unsigned int num_domain_sids_dc = 0, num_domain_sids_member = 0;
+		struct dom_sid *user_sid = talloc(torture, struct dom_sid);
+		struct dom_sid *dom_sid = talloc(torture, struct dom_sid);
+		struct dom_sid *dc_sids = talloc_array(torture, struct dom_sid, el->num_values);
+		struct dom_sid *member_sids = talloc_array(torture, struct dom_sid, whoami->num_sids);
+		torture_assert(torture, user_sid != NULL, "talloc failed");
+		torture_assert(torture, sid_blob_parse(el->values[0], user_sid), "sid parse failed");
+		torture_assert_ntstatus_equal(torture, dom_sid_split_rid(torture, user_sid, &dom_sid, NULL), NT_STATUS_OK, "failed to split domain SID from user SID");
+		for (i = 0; i < el->num_values; i++) {
+			struct dom_sid *sid = talloc(dc_sids, struct dom_sid);
+			torture_assert(torture, sid != NULL, "talloc failed");
+
+			torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
+			if (dom_sid_in_domain(dom_sid, sid)) {
+				dc_sids[num_domain_sids_dc] = *sid;
+				num_domain_sids_dc++;
+			}
+			talloc_free(sid);
+		}
 
-	for (i = 0; i < el->num_values; i++) {
-		struct dom_sid *sid = talloc(torture, struct dom_sid);
-		torture_assert(torture, sid != NULL, "talloc failed");
+		for (i = 0; i < whoami->num_sids; i++) {
+			if (dom_sid_in_domain(dom_sid, whoami->sid_list[i])) {
+				member_sids[num_domain_sids_member] = *whoami->sid_list[i];
+				num_domain_sids_member++;
+			}
+		}
 
-		torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
-		torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
-		talloc_free(sid);
+		torture_assert_int_equal(torture, num_domain_sids_dc, num_domain_sids_member, "Number of Domain SIDs from LDAP DC and number of SIDs from CIFS member does not match!");
+		for (i = 0; i < num_domain_sids_dc; i++) {
+			torture_assert_str_equal(torture, dom_sid_string(dc_sids, &dc_sids[i]), dom_sid_string(member_sids, &member_sids[i]), "Domain SID from LDAP DC and SID from CIFS member server does not match!");
+		}
+		talloc_free(dc_sids);
+		talloc_free(member_sids);
 	}
 	return true;
 }
@@ -307,6 +347,7 @@ bool torture_unix_whoami(struct torture_context *torture)
 	struct smb_whoami whoami;
 	bool ret;
 	struct ldb_context *ldb;
+	const char *addc, *host;
 
 	cli = connect_to_server(torture, cmdline_credentials);
 	torture_assert(torture, cli, "connecting to server with authenticated credentials");
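Review bot: In the `else` branch `dc_sids` and `member_sids` are indexed and written (`dc_sids[num_domain_sids_dc] = *sid;`) without a NULL check, although `user_sid` from the same group of allocations gets one, and `dom_sid` is `talloc()`ed only to have the pointer overwritten by `dom_sid_split_rid()`. The second new assertion copies the first one's message, so `torture_assert(torture, whoami->num_sids > 0, "Number of SIDs from LDAP needs to be more than 0");` should say `"Number of SIDs from CIFS needs to be more than 0"`. The member-server path compares only SIDs inside the domain of `el->values[0]`, so extra local or well-known SIDs in the member's token — the case the commit message describes — are deliberately not checked, and that limitation deserves a comment rather than being implied by the loops; the assert message calls `el->values[0]` the user's SID, which I cannot confirm from here, though any SID from the same domain would give the same `dom_sid`. The rewritten preamble below adds the missing checks and the comment; the rest of the branch is unchanged.
```c
	} else {
		unsigned int num_domain_sids_dc = 0, num_domain_sids_member = 0;
		struct dom_sid *user_sid = talloc(torture, struct dom_sid);
		struct dom_sid *dom_sid = NULL; /* filled in by dom_sid_split_rid() below */
		struct dom_sid *dc_sids = talloc_array(torture, struct dom_sid, el->num_values);
		struct dom_sid *member_sids = talloc_array(torture, struct dom_sid, whoami->num_sids);
		torture_assert(torture, user_sid != NULL, "talloc failed");
		torture_assert(torture, dc_sids != NULL, "talloc failed");
		torture_assert(torture, member_sids != NULL, "talloc failed");
		/* Only SIDs in the domain of the first tokenGroups value are
		 * compared: a member server adds local and well-known SIDs of
		 * its own, so those are intentionally left unchecked here. */
		/* … unchanged: parse el->values[0], split off the domain SID, collect and compare the per-domain SIDs … */
```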
@@ -316,13 +357,16 @@ bool torture_unix_whoami(struct torture_context *torture)
 					cli, &whoami, 0xFFFF),
 			ret, fail, "calling SMB_QFS_POSIX_WHOAMI on an authenticated connection");
 
-	if (torture_setting_bool(torture, "addc", false)) {
-		ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", torture_setting_string(torture, "host", NULL)),
+	addc = torture_setting_string(torture, "addc", NULL);
+	host = torture_setting_string(torture, "host", NULL);
+
+	if (addc) {
+		ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", addc),
 				       NULL, cmdline_credentials, 0);
 		torture_assert(torture, ldb, "ldb connect failed");
 
 		/* We skip this testing if we could not contact the LDAP server */
-		if (!test_against_ldap(torture, ldb, &whoami)) {
+		if (!test_against_ldap(torture, ldb, strcasecmp(addc, host) == 0, &whoami)) {
 			goto fail;
 		}
 	}
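Review bot: `strcasecmp(addc, host) == 0` dereferences `host`, which comes from `torture_setting_string(torture, "host", NULL)` a few lines up and is never checked; smbtorture normally fills it in from the target, but if it is absent this is a NULL dereference inside the test rather than a failed assertion. The same comparison silently decides how strict the check is: a `torture:addc` that names the DC in a different form from the target (short name vs FQDN vs address) makes a DC run fall back to the domain-SID-only comparison and still pass. A guard such as `torture_assert(torture, host != NULL, "torture:host is not set");` before the `if (addc)` block covers the first point, and logging which of the two comparisons was chosen (or taking an explicit boolean option instead of inferring it from the host name) would make the second visible in the test output. `torture_unix_whoami` continues past this hunk.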