authorAndrew Bartlett <abartlet@samba.org>2012-12-28 21:00:28 +1100
committerStefan Metzmacher <metze@samba.org>2013-09-04 11:25:10 +0200
commit38e43961c01f6f491b069e7106fe2a2ec80bd840 (patch)
tree9be8eea9d5331d66bb56a5e7ed5ace331567f79a
parent16b26eafa75280e576333975cff5dd1505c118fa (diff)
downloadsamba-38e43961c01f6f491b069e7106fe2a2ec80bd840.tar.gz
samba-38e43961c01f6f491b069e7106fe2a2ec80bd840.tar.bz2
samba-38e43961c01f6f491b069e7106fe2a2ec80bd840.zip
torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9
This exercises some more of the dlz_bind9 code outside BIND, by sending in a ticket to be access checked, wrapped either in SPNEGO or just in GSSAPI. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Sep 4 11:25:10 CEST 2013 on sn-devel-104
-rwxr-xr-xsource4/selftest/tests.py2
-rw-r--r--source4/torture/dns/dlz_bind9.c78
-rw-r--r--source4/torture/winbind/winbind.c1
3 files changed, 80 insertions, 1 deletions
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index f656acd8e1..e738d1d97d 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -283,7 +283,7 @@ for t in smbtorture4_testsuites("dns_internal."):
# Local tests
for t in smbtorture4_testsuites("dlz_bind9."):
#The dlz_bind9 tests needs to look at the DNS database
- plansmbtorture4testsuite(t, "chgdcpass:local", "ncalrpc:localhost")
+ plansmbtorture4testsuite(t, "chgdcpass:local", ["ncalrpc:$SERVER", '-U$USERNAME%$PASSWORD'])
planpythontestsuite("s3dc", "samba.tests.libsmb_samba_internal");
diff --git a/source4/torture/dns/dlz_bind9.c b/source4/torture/dns/dlz_bind9.c
index 18d65a3268..d7d1736a6f 100644
--- a/source4/torture/dns/dlz_bind9.c
+++ b/source4/torture/dns/dlz_bind9.c
@@ -26,6 +26,9 @@
#include "dsdb/samdb/samdb.h"
#include "dsdb/common/util.h"
#include "auth/session.h"
+#include "auth/gensec/gensec.h"
+#include "auth/credentials/credentials.h"
+#include "lib/cmdline/popt_common.h"
struct torture_context *tctx_static;
@@ -121,7 +124,80 @@ static bool test_dlz_bind9_configure(struct torture_context *tctx)
return true;
}
+/*
+ * Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side
+ *
+ */
+static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech)
+{
+ NTSTATUS status;
+
+ struct gensec_security *gensec_client_context;
+
+ DATA_BLOB client_to_server, server_to_client;
+
+ void *dbdata;
+ const char *argv[] = {
+ "samba_dlz",
+ "-H",
+ lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
+ NULL
+ };
+ tctx_static = tctx;
+ torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata,
+ "log", dlz_bind9_log_wrapper,
+ "writeable_zone", dlz_bind9_writeable_zone_hook, NULL),
+ ISC_R_SUCCESS,
+ "Failed to create samba_dlz");
+
+ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
+ ISC_R_SUCCESS,
+ "Failed to configure samba_dlz");
+
+ status = gensec_client_start(tctx, &gensec_client_context,
+ lpcfg_gensec_settings(tctx, tctx->lp_ctx));
+ torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
+
+ status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL));
+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
+
+ status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
+
+ status = gensec_start_mech_by_sasl_name(gensec_client_context, mech);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
+
+ server_to_client = data_blob(NULL, 0);
+
+ /* Do one step of the client-server update dance */
+ status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
+ torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
+ }
+
+ torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
+ lpcfg_dnsdomain(tctx->lp_ctx),
+ "127.0.0.1", "type", "key",
+ client_to_server.length,
+ client_to_server.data,
+ dbdata),
+ ISC_R_SUCCESS,
+ "Failed to check key for update rights samba_dlz");
+ dlz_destroy(dbdata);
+
+ return true;
+}
+
+static bool test_dlz_bind9_gssapi(struct torture_context *tctx)
+{
+ return test_dlz_bind9_gensec(tctx, "GSSAPI");
+}
+
+static bool test_dlz_bind9_spnego(struct torture_context *tctx)
+{
+ return test_dlz_bind9_gensec(tctx, "GSS-SPNEGO");
+}
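Review bot: The expected value in the dlz_ssumatch() assertion looks inverted: the BIND DLZ API defines dlz_ssumatch() as returning isc_boolean_t (its declaration is not in this diff, so confirm), and ISC_R_SUCCESS is 0, i.e. ISC_FALSE, so the check would pass exactly when the ticket is rejected and fail when it is accepted; if that is the case the line should read `ISC_TRUE,` and the message should be adjusted to match. Since this is an access-control test, that matters beyond style: a test that cannot tell accept from reject gives false assurance, so a companion negative case (a truncated or corrupted token, or anonymous credentials) asserting the non-success value would pin both directions. The header comment promises "a ticket obtained for the DNS service", but the client is only given gensec_set_target_hostname(), so the ticket is for whatever default service the mechanism chooses; either set the service explicitly (something like `gensec_set_target_service(gensec_client_context, "DNS")`, checking its status) or reword the comment to what the code does. Minor: `if (!NT_STATUS_EQUAL(...)) {;` carries a stray empty statement, and every torture_assert after dlz_create succeeds returns without dlz_destroy(dbdata), so a failing run leaks the handle.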
static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
{
@@ -132,6 +208,8 @@ static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
torture_suite_add_simple_test(suite, "version", test_dlz_bind9_version);
torture_suite_add_simple_test(suite, "create", test_dlz_bind9_create);
torture_suite_add_simple_test(suite, "configure", test_dlz_bind9_configure);
+ torture_suite_add_simple_test(suite, "gssapi", test_dlz_bind9_gssapi);
+ torture_suite_add_simple_test(suite, "spnego", test_dlz_bind9_spnego);
return suite;
}
diff --git a/source4/torture/winbind/winbind.c b/source4/torture/winbind/winbind.c
index 5956834efa..65382a9083 100644
--- a/source4/torture/winbind/winbind.c
+++ b/source4/torture/winbind/winbind.c
@@ -201,6 +201,7 @@ static bool torture_winbind_pac(struct torture_context *tctx)
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
status = gensec_set_target_hostname(gensec_client_context, cli_credentials_get_workstation(cmdline_credentials));
+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");