diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-04-04 19:13:17 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-04-04 19:48:57 +1000 |
commit | 6351dee4d810bfa20c3a892d0eba3b2ac828e193 (patch) | |
tree | 85d70f906fc1a8820ad1bbd289bfbb7db1c8f84a | |
parent | 55134c9a9e4a47c6a8ed89ef10c95c0fa0d4daaf (diff) | |
download | samba-6351dee4d810bfa20c3a892d0eba3b2ac828e193.tar.gz samba-6351dee4d810bfa20c3a892d0eba3b2ac828e193.tar.bz2 samba-6351dee4d810bfa20c3a892d0eba3b2ac828e193.zip |
s3-selftest Add testing of kerberos login
This uses a pre-calculated credentials cache, that should be valid
until 2036.
Andrew Bartlett
-rw-r--r-- | selftest/target/Samba3.pm | 65 | ||||
-rw-r--r-- | source3/selftest/ktest-krb5_ccache | bin | 0 -> 11966 bytes | |||
-rw-r--r-- | source3/selftest/ktest-secrets.tdb | bin | 0 -> 45056 bytes | |||
-rwxr-xr-x | source3/selftest/tests.py | 19 |
4 files changed, 80 insertions, 4 deletions
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 6cb01d678b..de3fffbc93 100644 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -102,6 +102,8 @@ sub setup_env($$$) return $self->setup_dc("$path/dc"); } elsif ($envname eq "secshare") { return $self->setup_secshare("$path/secshare"); + } elsif ($envname eq "ktest") { + return $self->setup_ktest("$path/ktest"); } elsif ($envname eq "secserver") { if (not defined($self->{vars}->{dc})) { $self->setup_dc("$path/dc"); @@ -255,6 +257,69 @@ sub setup_secserver($$$) return $ret; } +sub setup_ktest($$$) +{ + my ($self, $prefix, $dcvars) = @_; + + print "PROVISIONING server with security=ads..."; + + my $ktest_options = " + workgroup = KTEST + realm = ktest.samba.example.com + security = ads + username map = $prefix/lib/username.map +"; + + my $ret = $self->provision($prefix, + "LOCALKTEST6", + 5, + "localktest6pass", + $ktest_options); + + $ret or die("Unable to provision"); + + open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); + print USERMAP " +$ret->{USERNAME} = KTEST\\Administrator +"; + close(USERMAP); + +#This is the secrets.tdb created by 'net ads join' from Samba3 to a +#Samba4 DC with the same parameters as are being used here. The +#domain SID is S-1-5-21-1071277805-689288055-3486227160 + + system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb"); + chmod 0600, "$prefix/private/secrets.tdb"; + +#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with: +# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232" +# +#and having in krb5.conf: +# ticket_lifetime = 799718400 +# renew_lifetime = 799718400 +# +# The commands run were: +# kinit administrator@KTEST.SAMBA.EXAMPLE.COM +# kvno host/localktest6@KTEST.SAMBA.EXAMPLE.COM +# kvno cifs/localktest6@KTEST.SAMBA.EXAMPLE.COM +# kvno host/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM +# kvno cifs/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM +# +# This creates a credential cache with a very long lifetime (2036 at at 2011-04) + + $ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache"; + + system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache $prefix/krb5_ccache"); + chmod 0600, "$prefix/krb5_ccache"; + + $self->check_or_start($ret, + ($ENV{SMBD_MAXTIME} or 2700), + "yes", "no", "yes"); + + $self->wait_for_start($ret); + return $ret; +} + sub stop_sig_term($$) { my ($self, $pid) = @_; kill("USR1", $pid) or kill("ALRM", $pid) or warn("Unable to kill $pid: $!"); diff --git a/source3/selftest/ktest-krb5_ccache b/source3/selftest/ktest-krb5_ccache Binary files differnew file mode 100644 index 0000000000..15102226f3 --- /dev/null +++ b/source3/selftest/ktest-krb5_ccache diff --git a/source3/selftest/ktest-secrets.tdb b/source3/selftest/ktest-secrets.tdb Binary files differnew file mode 100644 index 0000000000..c09c315288 --- /dev/null +++ b/source3/selftest/ktest-secrets.tdb diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 9ddb164b4d..826b84fa3b 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -207,12 +207,23 @@ if sub.returncode == 0: smb_options = ["", ",smb2"] endianness_options = ["", ",bigendian"] for z in smb_options: - for e in endianness_options: - for a in auth_options: - for s in signseal_options: - binding_string = "ncacn_np:$SERVER_IP[%s%s%s%s]" % (a, s, z, e) + for s in signseal_options: + for e in endianness_options: + for a in auth_options: + binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e) options = binding_string + " -U$USERNAME%$PASSWORD" plansmbtorturetestsuite(test, "dc", options, 'over ncacn_np with [%s%s%s%s] ' % (a, s, z, e)) + + # We should try more combinations in future, but this is all + # the pre-calculated credentials cache supports at the moment + e = "" + a = "" + binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e) + options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache" + plansmbtorturetestsuite(test, "ktest", options, 'over kerberos ncacn_np with [%s%s%s%s] ' % (a, s, z, e)) + + + for e in endianness_options: for a in auth_options: for s in signseal_options: |