s4-torture: Allow unix.whoami to test against a member server

This compares only the domain SIDs betwen the two servers, rather than the full token, as well known and other SIDs may be added locally in both cases. This also expands the test environments this is run against to verify this between our AD server and domain members. Andrew Bartlett
author: Andrew Bartlett <abartlet@samba.org> 2012-07-12 12:59:29 +1000
committer: Andrew Bartlett <abartlet@samba.org> 2012-07-19 04:04:20 +0200
commit: 624f11e4b46884c13056709ba6abc8dc2a659bc3 (patch)
tree: fe80b763e08b2d98117883738a9ef3193efea80b
parent: 8825085ea40d80d1061e83cd471b7732934619ad (diff)
download: samba-624f11e4b46884c13056709ba6abc8dc2a659bc3.tar.gz
samba-624f11e4b46884c13056709ba6abc8dc2a659bc3.tar.bz2
samba-624f11e4b46884c13056709ba6abc8dc2a659bc3.zip
3 files changed, 63 insertions, 16 deletions
diff --git a/selftest/knownfail b/selftest/knownfail
index e5bff1b17e..19f728d139 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -42,6 +42,7 @@
 ^samba3.raw.samba3closeerr.samba3closeerr\(s3dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls.generic\(s3dc\) # This fails against smbd
 ^samba3.unix.whoami anonymous connection.whoami\(plugin_s4_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
+^samba3.unix.whoami anonymous connection.whoami\(s3member\) # smbd maps anonymous logins to domain guest in the local domain, not SID_NT_ANONYMOUS
 # these show that we still have some differences between our system
 # with our internal iconv because it passes except when we bypass our
 # internal iconv modules
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 41a1111e81..6f7ab32c5d 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -305,11 +305,13 @@ for t in tests:
         plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
         plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
     elif t == "unix.whoami":
-        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
-        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U%', description='anonymous connection')
-        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:addc=true')
-        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD --option=torture:addc=true', description='kerberos connection')
-        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U% --option=torture:addc=true', description='anonymous connection')
+        for env in ["s3dc", "member"]:
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmpguest -U%', description='anonymous connection')
+        for env in ["plugin_s4_dc", "s3member"]:
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER')
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER', description='kerberos connection')
+            plansmbtorturetestsuite(t, env, '//$SERVER/tmpguest -U% --option=torture:addc=$DC_SERVER', description='anonymous connection')
     elif t == "raw.samba3posixtimedlock":
         plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
         plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')
diff --git a/source4/torture/unix/whoami.c b/source4/torture/unix/whoami.c
index 2bfbc04481..968af6b4a2 100644
--- a/source4/torture/unix/whoami.c
+++ b/source4/torture/unix/whoami.c
@@ -277,7 +277,8 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
 	return true;
 }
 
-static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, struct smb_whoami *whoami)
+static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, bool is_dc, 
+			      struct smb_whoami *whoami)
 {
 	struct ldb_message *msg;
 	struct ldb_message_element *el;
@@ -288,15 +289,54 @@ static bool test_against_ldap(struct torture_context *torture, struct ldb_contex
 	torture_assert_int_equal(torture, dsdb_search_one(ldb, torture, &msg, NULL, LDB_SCOPE_BASE, attrs, 0, NULL), LDB_SUCCESS, "searching for tokenGroups");
 	el = ldb_msg_find_element(msg, "tokenGroups");
 	torture_assert(torture, el, "obtaining tokenGroups");
-	torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
+	torture_assert(torture, el->num_values > 0, "Number of SIDs from LDAP needs to be more than 0");
+	torture_assert(torture, whoami->num_sids > 0, "Number of SIDs from LDAP needs to be more than 0");
+	
+	if (is_dc) {
+		torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
+		
+		for (i = 0; i < el->num_values; i++) {
+			struct dom_sid *sid = talloc(torture, struct dom_sid);
+			torture_assert(torture, sid != NULL, "talloc failed");
+			
+			torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
+			torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
+			talloc_free(sid);
+		}
+	} else {
+		unsigned int num_domain_sids_dc = 0, num_domain_sids_member = 0;
+		struct dom_sid *user_sid = talloc(torture, struct dom_sid);
+		struct dom_sid *dom_sid = talloc(torture, struct dom_sid);
+		struct dom_sid *dc_sids = talloc_array(torture, struct dom_sid, el->num_values);
+		struct dom_sid *member_sids = talloc_array(torture, struct dom_sid, whoami->num_sids);
+		torture_assert(torture, user_sid != NULL, "talloc failed");
+		torture_assert(torture, sid_blob_parse(el->values[0], user_sid), "sid parse failed");
+		torture_assert_ntstatus_equal(torture, dom_sid_split_rid(torture, user_sid, &dom_sid, NULL), NT_STATUS_OK, "failed to split domain SID from user SID");
+		for (i = 0; i < el->num_values; i++) {
+			struct dom_sid *sid = talloc(dc_sids, struct dom_sid);
+			torture_assert(torture, sid != NULL, "talloc failed");
+			
+			torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
+			if (dom_sid_in_domain(dom_sid, sid)) {
+				dc_sids[num_domain_sids_dc] = *sid;
+				num_domain_sids_dc++;
+			}
+			talloc_free(sid);
+		}
 
-	for (i = 0; i < el->num_values; i++) {
-		struct dom_sid *sid = talloc(torture, struct dom_sid);
-		torture_assert(torture, sid != NULL, "talloc failed");
+		for (i = 0; i < whoami->num_sids; i++) {
+			if (dom_sid_in_domain(dom_sid, whoami->sid_list[i])) {
+				member_sids[num_domain_sids_member] = *whoami->sid_list[i];
+				num_domain_sids_member++;
+			}
+		}
 
-		torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
-		torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
-		talloc_free(sid);
+		torture_assert_int_equal(torture, num_domain_sids_dc, num_domain_sids_member, "Number of Domain SIDs from LDAP DC and number of SIDs from CIFS member does not match!");
+		for (i = 0; i < num_domain_sids_dc; i++) {
+			torture_assert_str_equal(torture, dom_sid_string(dc_sids, &dc_sids[i]), dom_sid_string(member_sids, &member_sids[i]), "Domain SID from LDAP DC and SID from CIFS member server does not match!");
+		}
+		talloc_free(dc_sids);
+		talloc_free(member_sids);
 	}
 	return true;
 }
@@ -307,6 +347,7 @@ bool torture_unix_whoami(struct torture_context *torture)
 	struct smb_whoami whoami;
 	bool ret;
 	struct ldb_context *ldb;
+	const char *addc, *host;
 
 	cli = connect_to_server(torture, cmdline_credentials);
 	torture_assert(torture, cli, "connecting to server with authenticated credentials");
@@ -316,13 +357,16 @@ bool torture_unix_whoami(struct torture_context *torture)
 						       cli, &whoami, 0xFFFF), ret, fail,
 			    "calling SMB_QFS_POSIX_WHOAMI on an authenticated connection");
 
-	if (torture_setting_bool(torture, "addc", false)) {
-		ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", torture_setting_string(torture, "host", NULL)),
+	addc = torture_setting_string(torture, "addc", NULL);
+	host = torture_setting_string(torture, "host", NULL);
+	
+ 	if (addc) {
+		ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", addc),
 				       NULL, cmdline_credentials, 0);
 		torture_assert(torture, ldb, "ldb connect failed");
 
 		/* We skip this testing if we could not contact the LDAP server */
-		if (!test_against_ldap(torture, ldb, &whoami)) {
+		if (!test_against_ldap(torture, ldb, strcasecmp(addc, host) == 0, &whoami)) {
 			goto fail;
 		}
 	}
author	Andrew Bartlett <abartlet@samba.org>	2012-07-12 12:59:29 +1000
committer	Andrew Bartlett <abartlet@samba.org>	2012-07-19 04:04:20 +0200
commit	624f11e4b46884c13056709ba6abc8dc2a659bc3 (patch)
tree	fe80b763e08b2d98117883738a9ef3193efea80b
parent	8825085ea40d80d1061e83cd471b7732934619ad (diff)
download	samba-624f11e4b46884c13056709ba6abc8dc2a659bc3.tar.gz samba-624f11e4b46884c13056709ba6abc8dc2a659bc3.tar.bz2 samba-624f11e4b46884c13056709ba6abc8dc2a659bc3.zip