authorAndrew Bartlett <abartlet@samba.org>2011-04-04 19:13:17 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-04-04 19:48:57 +1000
commit6351dee4d810bfa20c3a892d0eba3b2ac828e193 (patch)
tree85d70f906fc1a8820ad1bbd289bfbb7db1c8f84a
parent55134c9a9e4a47c6a8ed89ef10c95c0fa0d4daaf (diff)
s3-selftest Add testing of kerberos login
This uses a pre-calculated credentials cache, that should be valid until 2036. Andrew Bartlett
-rw-r--r--selftest/target/Samba3.pm65
-rw-r--r--source3/selftest/ktest-krb5_ccachebin0 -> 11966 bytes
-rw-r--r--source3/selftest/ktest-secrets.tdbbin0 -> 45056 bytes
-rwxr-xr-xsource3/selftest/tests.py19
4 files changed, 80 insertions, 4 deletions
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 6cb01d678b..de3fffbc93 100644
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -102,6 +102,8 @@ sub setup_env($$$)
return $self->setup_dc("$path/dc");
} elsif ($envname eq "secshare") {
return $self->setup_secshare("$path/secshare");
+ } elsif ($envname eq "ktest") {
+ return $self->setup_ktest("$path/ktest");
} elsif ($envname eq "secserver") {
if (not defined($self->{vars}->{dc})) {
$self->setup_dc("$path/dc");
@@ -255,6 +257,69 @@ sub setup_secserver($$$)
return $ret;
}
+sub setup_ktest($$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ print "PROVISIONING server with security=ads...";
+
+ my $ktest_options = "
+ workgroup = KTEST
+ realm = ktest.samba.example.com
+ security = ads
+ username map = $prefix/lib/username.map
+";
+
+ my $ret = $self->provision($prefix,
+ "LOCALKTEST6",
+ 5,
+ "localktest6pass",
+ $ktest_options);
+
+ $ret or die("Unable to provision");
+
+ open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+ print USERMAP "
+$ret->{USERNAME} = KTEST\\Administrator
+";
+ close(USERMAP);
+
+#This is the secrets.tdb created by 'net ads join' from Samba3 to a
+#Samba4 DC with the same parameters as are being used here. The
+#domain SID is S-1-5-21-1071277805-689288055-3486227160
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
+ chmod 0600, "$prefix/private/secrets.tdb";
+
+#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
+# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
+#
+#and having in krb5.conf:
+# ticket_lifetime = 799718400
+# renew_lifetime = 799718400
+#
+# The commands run were:
+# kinit administrator@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+#
+# This creates a credential cache with a very long lifetime (2036 at at 2011-04)
+
+ $ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache $prefix/krb5_ccache");
+ chmod 0600, "$prefix/krb5_ccache";
+
+ $self->check_or_start($ret,
+ ($ENV{SMBD_MAXTIME} or 2700),
+ "yes", "no", "yes");
+
+ $self->wait_for_start($ret);
+ return $ret;
+}
+
sub stop_sig_term($$) {
my ($self, $pid) = @_;
kill("USR1", $pid) or kill("ALRM", $pid) or warn("Unable to kill $pid: $!");
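Review bot: Both `system("cp ...")` calls in setup_ktest copy secret material (the machine-account secrets.tdb and the Kerberos credentials cache) through the shell with interpolated paths and ignore the exit status. A failed copy, or a prefix containing spaces or shell metacharacters, would then only surface later as a confusing authentication failure. The copies are also created under the ambient umask and narrowed to 0600 only by the following `chmod`, so they can be readable by other local users for a short window. I would use the list form of `system`, check its result, and tighten the umask around the two copies, as below. The `open(USERMAP, ">$prefix/lib/username.map")` call would likewise be safer as a three-argument open with a lexical handle.

```perl
# … unchanged: provision() call and username.map creation …
my $old_umask = umask(0077);	# secrets must not be group/world readable, even briefly

system("cp", "$self->{srcdir}/source3/selftest/ktest-secrets.tdb", "$prefix/private/secrets.tdb") == 0
	or die("Unable to copy ktest-secrets.tdb to $prefix/private/secrets.tdb");
# … unchanged: chmod of secrets.tdb, ccache provenance comment, KRB5_CCACHE assignment …

system("cp", "$self->{srcdir}/source3/selftest/ktest-krb5_ccache", "$prefix/krb5_ccache") == 0
	or die("Unable to copy ktest-krb5_ccache to $prefix/krb5_ccache");
# … unchanged: chmod of krb5_ccache …

umask($old_umask);
# … unchanged: check_or_start / wait_for_start …
```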
diff --git a/source3/selftest/ktest-krb5_ccache b/source3/selftest/ktest-krb5_ccache
new file mode 100644
index 0000000000..15102226f3
--- /dev/null
+++ b/source3/selftest/ktest-krb5_ccache
Binary files differ
diff --git a/source3/selftest/ktest-secrets.tdb b/source3/selftest/ktest-secrets.tdb
new file mode 100644
index 0000000000..c09c315288
--- /dev/null
+++ b/source3/selftest/ktest-secrets.tdb
Binary files differ
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9ddb164b4d..826b84fa3b 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -207,12 +207,23 @@ if sub.returncode == 0:
smb_options = ["", ",smb2"]
endianness_options = ["", ",bigendian"]
for z in smb_options:
- for e in endianness_options:
- for a in auth_options:
- for s in signseal_options:
- binding_string = "ncacn_np:$SERVER_IP[%s%s%s%s]" % (a, s, z, e)
+ for s in signseal_options:
+ for e in endianness_options:
+ for a in auth_options:
+ binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
options = binding_string + " -U$USERNAME%$PASSWORD"
plansmbtorturetestsuite(test, "dc", options, 'over ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+
+ # We should try more combinations in future, but this is all
+ # the pre-calculated credentials cache supports at the moment
+ e = ""
+ a = ""
+ binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
+ options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache"
+ plansmbtorturetestsuite(test, "ktest", options, 'over kerberos ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+
+
+
for e in endianness_options:
for a in auth_options:
for s in signseal_options:
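Review bot: The credentials cache location is hard-coded as `$PREFIX/ktest/krb5_ccache` in the new `options` string, while setup_ktest in selftest/target/Samba3.pm derives the same path from its own prefix and records it in `$ret->{KRB5_CCACHE}`. If the environment's prefix layout ever changes, the two drift apart and the Kerberos run fails on a missing cache rather than on anything the test is meant to exercise. A comment next to the option, such as `# path must match KRB5_CCACHE set by setup_ktest in selftest/target/Samba3.pm`, would make the coupling visible. The same hunk also changes the existing "dc" binding from `$SERVER_IP` to `$SERVER`, which looks incidental to the Kerberos addition and is worth a line in the commit message.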