authorStefan Metzmacher <metze@samba.org>2011-03-18 19:13:43 +0100
committerStefan Metzmacher <metze@samba.org>2011-06-24 20:35:30 +0200
commitd7cc8571f756659661285f38ba61ff92683194f7 (patch)
tree317be492a4cacaa2354a9d4c0450916bc215eb8e
parent67b2e2d67917c9201ec2fb30b5aa89e2b407960c (diff)
s4:selftest: test ntvfs.cifs with s4u2proxy
Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Jun 24 20:35:30 CEST 2011 on sn-devel-104
-rw-r--r--selftest/target/Samba4.pm55
-rwxr-xr-xsource4/selftest/tests.py8
2 files changed, 56 insertions, 7 deletions
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 2a3fe65e74..70e3cf7b1b 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -736,10 +736,11 @@ sub provision($$$$$$$$$)
max xmit = 32K
server max protocol = SMB2
- $extra_smbconf_options
host msdfs = $msdfs
lanman auth = yes
+ $extra_smbconf_options
+
[tmp]
path = $ctx->{tmpdir}
read only = no
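Review bot: Moving `$extra_smbconf_options` to the last position before `[tmp]` creates an ordering rule that is not written down anywhere in this hunk: provision_rpc_proxy now appends a whole `[cifs_to_dc]` section through it, so any global option later added below it would silently land in the caller's share instead of `[global]`. A Perl comment ahead of the template would protect this, for example `# extra_smbconf_options must remain the last [global] entry; callers may append share sections through it`. It belongs outside the heredoc, because a `$name` inside it is interpolated. The template starts and ends outside this hunk.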
@@ -766,8 +767,10 @@ sub provision($$$$$$$$$)
ntvfs handler = cifs
cifs:server = $ctx->{netbiosname}
cifs:share = tmp
-#There is no username specified here, instead the client is expected
-#to log in with kerberos, and the serverwill use delegated credentials.
+ cifs:use-s4u2proxy = yes
+ # There is no username specified here, instead the client is expected
+ # to log in with kerberos, and the serverwill use delegated credentials.
+ # Or the server tries s4u2self/s4u2proxy to impersonate the client
[simple]
path = $ctx->{tmpdir}
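Review bot: The comment added under `cifs:use-s4u2proxy = yes` keeps the old typo `serverwill` and does not say when each path is taken; the same three lines are repeated in the `[cifs_to_dc]` block of the provision_rpc_proxy hunk. Wording such as `# No username here: a Kerberos client's delegated credentials are used if present,` followed by `# otherwise the server impersonates the client via S4U2Self + S4U2Proxy.` would state the fallback order, if that is indeed how the handler behaves. Because S4U2Self lets the server obtain a ticket for a client that never presented Kerberos credentials, the comment should also say that this share depends on the server account being trusted for delegation.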
@@ -877,9 +880,23 @@ sub provision_rpc_proxy($$$)
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING RPC PROXY...";
- my $extra_smbconf_options = "dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
- dcerpc endpoint servers = epmapper, remote
- dcerpc_remote:interfaces = rpcecho
+ my $extra_smbconf_options = "
+
+ # rpc_proxy
+ dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
+ dcerpc endpoint servers = epmapper, remote
+ dcerpc_remote:interfaces = rpcecho
+
+[cifs_to_dc]
+ read only = no
+ ntvfs handler = cifs
+ cifs:server = $dcvars->{SERVER}
+ cifs:share = cifs
+ cifs:use-s4u2proxy = yes
+ # There is no username specified here, instead the client is expected
+ # to log in with kerberos, and the serverwill use delegated credentials.
+ # Or the server tries s4u2self/s4u2proxy to impersonate the client
+
";
my $ret = $self->provision($prefix,
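Review bot: `cifs:share = cifs` in the new `[cifs_to_dc]` section appears to target the DC's own `cifs` share, which the earlier hunk shows is itself an `ntvfs handler = cifs` proxy with `cifs:use-s4u2proxy = yes`. If so, a request through `cifs_to_dc` crosses two proxy hops, and a failure on the DC-side hop would be indistinguishable from a failure of the member's constrained delegation. If the intent is to test only the member's S4U2Proxy path, `cifs:share = tmp` would isolate it. Otherwise a comment such as `# deliberately chains through the DC's cifs proxy share` would record that the double hop is wanted.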
@@ -898,6 +915,8 @@ sub provision_rpc_proxy($$$)
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ # The joind runs in the context of the rpc_proxy/member for now
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
@@ -909,6 +928,30 @@ sub provision_rpc_proxy($$$)
return undef;
}
+ # Setting up delegation runs in the context of the DC for now
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
+ $cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} $dcvars->{CONFIGURATION}";
+
+ unless (system($cmd) == 0) {
+ warn("Delegation failed\n$cmd");
+ return undef;
+ }
+
+ # Setting up delegation runs in the context of the DC for now
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
+ $cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} $dcvars->{CONFIGURATION}";
+
+ unless (system($cmd) == 0) {
+ warn("Delegation failed\n$cmd");
+ return undef;
+ }
+
$ret->{RPC_PROXY_SERVER} = $ret->{SERVER};
$ret->{RPC_PROXY_SERVER_IP} = $ret->{SERVER_IP};
$ret->{RPC_PROXY_NETBIOSNAME} = $ret->{NETBIOSNAME};
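Review bot: Both failure branches call `warn("Delegation failed\n$cmd")`, and `$cmd` carries `-U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}`, so a failed run writes the DC credentials into the selftest log. The two messages are also identical, so the log does not say whether `for-any-protocol` or `add-service` failed; naming the step and leaving the command out would fix both, e.g. `warn("samba-tool delegation add-service failed for $ret->{NETBIOSNAME}\n");`. The two added `my $cmd = "";` lines redeclare a variable that the join code already declares, apparently in the same scope (see the previous hunk), which produces a "masks earlier declaration" warning when warnings are enabled; plain `$cmd = "";` is enough. The values are interpolated unquoted into a shell string, so this only works while the fixture password and paths contain no shell metacharacters. provision_rpc_proxy starts and ends outside this hunk.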
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index bf42c7c303..1ffc8cd74a 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -244,7 +244,13 @@ for t in smb4torture_testsuites("rap."):
# Tests against the NTVFS CIFS backend
for t in base + raw:
- plantestsuite_loadlist("samba4.ntvfs.cifs.%s" % t, "dc", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs', '-U$USERNAME%$PASSWORD'] + ntvfsargs + [t])
+ plantestsuite_loadlist("samba4.ntvfs.cifs.krb5.%s" % t, "dc", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs', '-U$USERNAME%$PASSWORD', '--kerberos=yes'] + ntvfsargs + [t])
+
+# Test NTVFS CIFS backend with S4U2Self and S4U2Proxy
+t = "base.unlink"
+plantestsuite_loadlist("samba4.ntvfs.cifs.ntlm.%s" % t, "dc", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs', '-U$USERNAME%$PASSWORD', '--kerberos=no'] + ntvfsargs + [t])
+plantestsuite_loadlist("samba4.ntvfs.cifs.krb5.%s" % t, "rpc_proxy", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs_to_dc', '-U$DC_USERNAME%$DC_PASSWORD', '--kerberos=yes'] + ntvfsargs + [t])
+plantestsuite_loadlist("samba4.ntvfs.cifs.ntlm.%s" % t, "rpc_proxy", [valgrindify(smb4torture), "$LISTOPT", '//$NETBIOSNAME/cifs_to_dc', '-U$DC_USERNAME%$DC_PASSWORD', '--kerberos=no'] + ntvfsargs + [t])
plansmbtorturetestsuite('echo.udp', 'dc:local', '//$SERVER/whatever')
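Review bot: The three `base.unlink` plans added after the loop cover only the case where delegation is allowed, so a regression that lets `cifs:use-s4u2proxy` succeed without the matching `delegation add-service` entry would go unnoticed. A companion plan against a share whose target SPN is not on the member's allowed list, expected to fail, would pin the constraint. The comment `# Test NTVFS CIFS backend with S4U2Self and S4U2Proxy` also heads the `krb5` plan on `rpc_proxy`, which presumably needs only S4U2Proxy or forwarded credentials; a per-plan comment such as `# NTLM login: server must use S4U2Self + S4U2Proxy` would say which path each line is meant to exercise. `t = "base.unlink"` reuses the loop variable, and a separate name would avoid surprising later code that reads `t`.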