summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-06-20 18:23:18 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-06-20 18:43:43 +0200
commitbc9e12183f98225d165541448391d896faf4ab7b (patch)
tree4564b2de3c4d41a5a78709c6a80b5ff55a99303c
parent06243510dc9e7c29b6a92c2dfe782763e348cebd (diff)
downloadsamba-bc9e12183f98225d165541448391d896faf4ab7b.tar.gz
samba-bc9e12183f98225d165541448391d896faf4ab7b.tar.bz2
samba-bc9e12183f98225d165541448391d896faf4ab7b.zip
s4-torture: Expand whoami test to confirm the user token.
This uses the tokenGroups attribute on LDAP and the posix whoami call to confirm that user token matches between LDAP and CIFS. I have a seperate patch for the anonymous case, because this isn't consistent at this stage, and we need to study and fix that. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jun 20 18:43:43 CEST 2012 on sn-devel-104
-rwxr-xr-xsource3/selftest/tests.py2
-rw-r--r--source4/torture/unix/whoami.c46
2 files changed, 45 insertions, 3 deletions
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 0d3bf04dd1..11056b9c8a 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -304,7 +304,7 @@ for t in tests:
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
elif t == "unix.whoami":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
- plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
+ plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:addc=true')
elif t == "raw.samba3posixtimedlock":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')
diff --git a/source4/torture/unix/whoami.c b/source4/torture/unix/whoami.c
index caaeb0f294..302282752a 100644
--- a/source4/torture/unix/whoami.c
+++ b/source4/torture/unix/whoami.c
@@ -25,6 +25,12 @@
#include "auth/credentials/credentials.h"
#include "param/param.h"
#include "libcli/resolve/resolve.h"
+#include <ldb.h>
+#include "lib/util/util_ldb.h"
+#include "ldb_wrap.h"
+#include "dsdb/samdb/samdb.h"
+#include "../libcli/security/security.h"
+
/* Size (in bytes) of the required fields in the SMBwhoami response. */
#define WHOAMI_REQUIRED_SIZE 40
@@ -92,7 +98,7 @@ static struct smbcli_state *connect_to_server(struct torture_context *tctx,
return cli;
}
-static bool sid_parse(void *mem_ctx,
+static bool whoami_sid_parse(void *mem_ctx,
struct torture_context *torture,
DATA_BLOB *data, size_t *offset,
struct dom_sid **psid)
@@ -248,7 +254,7 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
"out of memory");
for (i = 0; i < whoami->num_sids; ++i) {
- if (!sid_parse(mem_ctx, torture,
+ if (!whoami_sid_parse(mem_ctx, torture,
&tp.out.data, &offset,
&whoami->sid_list[i])) {
return false;
@@ -264,12 +270,37 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
return true;
}
+static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, struct smb_whoami *whoami)
+{
+ struct ldb_message *msg;
+ struct ldb_message_element *el;
+
+ const char *attrs[] = { "tokenGroups", NULL };
+ int i;
+
+ torture_assert_int_equal(torture, dsdb_search_one(ldb, torture, &msg, NULL, LDB_SCOPE_BASE, attrs, 0, NULL), LDB_SUCCESS, "searching for tokenGroups");
+ el = ldb_msg_find_element(msg, "tokenGroups");
+ torture_assert(torture, el, "obtaining tokenGroups");
+ torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
+
+ for (i = 0; i < el->num_values; i++) {
+ struct dom_sid *sid = talloc(torture, struct dom_sid);
+ torture_assert(torture, sid != NULL, "talloc failed");
+
+ torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
+ torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
+ talloc_free(sid);
+ }
+ return true;
+}
+
bool torture_unix_whoami(struct torture_context *torture)
{
struct smbcli_state *cli;
struct cli_credentials *anon_credentials;
struct smb_whoami whoami;
bool ret;
+ struct ldb_context *ldb;
cli = connect_to_server(torture, cmdline_credentials);
torture_assert(torture, cli, "connecting to server with authenticated credentials");
@@ -279,6 +310,17 @@ bool torture_unix_whoami(struct torture_context *torture)
cli, &whoami, 0xFFFF), ret, fail,
"calling SMB_QFS_POSIX_WHOAMI on an authenticated connection");
+ if (torture_setting_bool(torture, "addc", false)) {
+ ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", torture_setting_string(torture, "host", NULL)),
+ NULL, cmdline_credentials, 0);
+ torture_assert(torture, ldb, "ldb connect failed");
+
+ /* We skip this testing if we could not contact the LDAP server */
+ if (!test_against_ldap(torture, ldb, &whoami)) {
+ goto fail;
+ }
+ }
+
/* Test that the server drops the UID and GID list. */
torture_assert_goto(torture, smb_raw_query_posix_whoami(torture, torture,
cli, &whoami, 0x40), ret, fail,