selftest: s3member admember test to confirm s3/s4 interopability

This checks that Samba3 joins Samba4 correctly, and allows NTLM and
Kerberos logons from a live Samba4 DC.

This needs the common krb5.conf generation logic, and because we now
override KRB5_CONFIG we must update ktest to have a valid krb5.conf.

Based on an original patch by metze

Andrew Bartlett

3 files changed, 168 insertions, 54 deletions

diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 820bd9e19c..cec12e528d 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -59,4 +59,60 @@ sub bindir_path($$) {
 	return $path;
 }
 
+sub mk_krb5_conf($)
+{
+	my ($ctx) = @_;
+
+	unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
+		die("can't open $ctx->{krb5_conf}$?");
+		return undef;
+	}
+	print KRB5CONF "
+#Generated krb5.conf for $ctx->{realm}
+
+[libdefaults]
+ default_realm = $ctx->{realm}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+ allow_weak_crypto = yes
+
+[realms]
+ $ctx->{realm} = {
+  kdc = $ctx->{kdc_ipv4}:88
+  admin_server = $ctx->{kdc_ipv4}:88
+  default_domain = $ctx->{dnsname}
+ }
+ $ctx->{dnsname} = {
+  kdc = $ctx->{kdc_ipv4}:88
+  admin_server = $ctx->{kdc_ipv4}:88
+  default_domain = $ctx->{dnsname}
+ }
+ $ctx->{domain} = {
+  kdc = $ctx->{kdc_ipv4}:88
+  admin_server = $ctx->{kdc_ipv4}:88
+  default_domain = $ctx->{dnsname}
+ }
+
+[domain_realm]
+ .$ctx->{dnsname} = $ctx->{realm}
+";
+
+        if (defined($ctx->{tlsdir})) {
+	       print KRB5CONF "
+
+[appdefaults]
+	pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+
+[kdc]
+	enable-pkinit = true
+	pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+	pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+
+";
+        }
+	close(KRB5CONF);
+}
+
 1;
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index ee18a8e05a..d6dbe0cfa3 100644
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -195,6 +195,79 @@ sub setup_member($$$)
 	return $ret;
 }
 
+sub setup_admember($$$$)
+{
+	my ($self, $prefix, $dcvars, $iface) = @_;
+
+	print "PROVISIONING S3 AD MEMBER$iface...";
+
+	my $member_options = "
+	security = ads
+	server signing = on
+        workgroup = $dcvars->{DOMAIN}
+        realm = $dcvars->{REALM}
+";
+
+	my $ret = $self->provision($prefix,
+				   "LOCALADMEMBER$iface",
+				   $iface,
+				   "loCalMember${iface}Pass",
+				   $member_options);
+
+	$ret or return undef;
+
+	close(USERMAP);
+	$ret->{DOMAIN} = $dcvars->{DOMAIN};
+	$ret->{REALM} = $dcvars->{REALM};
+
+	my $ctx;
+	my $prefix_abs = abs_path($prefix);
+	$ctx = {};
+	$ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+	$ctx->{domain} = $dcvars->{DOMAIN};
+	$ctx->{realm} = $dcvars->{REALM};
+	$ctx->{dnsname} = lc($dcvars->{REALM});
+	$ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+	Samba::mk_krb5_conf($ctx);
+
+	$ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+	my $net = Samba::bindir_path($self, "net");
+	my $cmd = "";
+	$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+	$cmd .= "$net join $ret->{CONFIGURATION}";
+	$cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+	system($cmd) == 0 or die("Join failed\n$cmd");
+
+	$self->check_or_start($ret,
+			      "yes", "yes", "yes");
+
+	$self->wait_for_start($ret);
+
+	my $smbcacls = Samba::bindir_path($self, "smbcacls");
+	#Allow domain users to manipulate the share
+	$cmd = "";
+	$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+	$cmd .= "$smbcacls //127.0.0.29/tmp / -U$ret->{USERNAME}%$ret->{PASSWORD} ";
+	$cmd .= "$ret->{CONFIGURATION} -S ACL:$dcvars->{DOMAIN}\\\\Domain\\ Users:ALLOWED/0x0/FULL";
+
+	system($cmd) == 0 or die("Join failed\n$cmd");
+
+	$ret->{DC_SERVER} = $dcvars->{SERVER};
+	$ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+	$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
+	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+	# Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env
+	$ret->{target} = $self;
+
+	return $ret;
+}
+
 sub setup_secshare($$)
 {
 	my ($self, $path) = @_;
@@ -261,7 +334,7 @@ sub setup_secserver($$$)
 
 sub setup_ktest($$$)
 {
-	my ($self, $prefix, $s3dcvars) = @_;
+	my ($self, $prefix) = @_;
 
 	print "PROVISIONING server with security=ads...";
 
@@ -280,6 +353,18 @@ sub setup_ktest($$$)
 
 	$ret or return undef;
 
+	my $ctx;
+	my $prefix_abs = abs_path($prefix);
+	$ctx = {};
+	$ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+	$ctx->{domain} = "KTEST";
+	$ctx->{realm} = "KTEST.SAMBA.EXAMPLE.COM";
+	$ctx->{dnsname} = lc($ctx->{realm});
+	$ctx->{kdc_ipv4} = "0.0.0.0";
+	Samba::mk_krb5_conf($ctx);
+
+	$ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
 	open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
 	print USERMAP "
 $ret->{USERNAME} = KTEST\\Administrator
@@ -373,6 +458,7 @@ sub check_or_start($$$$) {
 
 		SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
+		$ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
 		$ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
 		$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
@@ -416,6 +502,7 @@ sub check_or_start($$$$) {
 
 		SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
+		$ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
 		$ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
 		$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
@@ -461,6 +548,7 @@ sub check_or_start($$$$) {
 
 		SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
+		$ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
 		$ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
 		$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 22f38b859f..959c16131a 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -11,6 +11,7 @@ use FindBin qw($RealBin);
 use POSIX;
 use SocketWrapper;
 use target::Samba;
+use target::Samba3;
 
 sub new($$$$$) {
 	my ($classname, $bindir, $binary_mapping, $ldap, $srcdir, $exeext, $server_maxtime) = @_;
@@ -23,7 +24,8 @@ sub new($$$$$) {
 		binary_mapping => $binary_mapping,
 		srcdir => $srcdir,
 		exeext => $exeext,
-		server_maxtime => $server_maxtime
+		server_maxtime => $server_maxtime,
+		target3 => new Samba3($bindir, $binary_mapping, $srcdir, $exeext, $server_maxtime)
 	};
 	bless $self;
 	return $self;
@@ -452,56 +454,6 @@ Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
 EOF
 }
 
-sub mk_krb5_conf($$)
-{
-	my ($self, $ctx) = @_;
-
-	unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
-		warn("can't open $ctx->{krb5_conf}$?");
-		return undef;
-	}
-	print KRB5CONF "
-#Generated krb5.conf for $ctx->{realm}
-
-[libdefaults]
- default_realm = $ctx->{realm}
- dns_lookup_realm = false
- dns_lookup_kdc = false
- ticket_lifetime = 24h
- forwardable = yes
- allow_weak_crypto = yes
-
-[realms]
- $ctx->{realm} = {
-  kdc = $ctx->{kdc_ipv4}:88
-  admin_server = $ctx->{kdc_ipv4}:88
-  default_domain = $ctx->{dnsname}
- }
- $ctx->{dnsname} = {
-  kdc = $ctx->{kdc_ipv4}:88
-  admin_server = $ctx->{kdc_ipv4}:88
-  default_domain = $ctx->{dnsname}
- }
- $ctx->{domain} = {
-  kdc = $ctx->{kdc_ipv4}:88
-  admin_server = $ctx->{kdc_ipv4}:88
-  default_domain = $ctx->{dnsname}
- }
-
-[appdefaults]
-	pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
-
-[kdc]
-	enable-pkinit = true
-	pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
-	pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
-
-[domain_realm]
- .$ctx->{dnsname} = $ctx->{realm}
-";
-	close(KRB5CONF);
-}
-
 sub provision_raw_prepare($$$$$$$$$$)
 {
 	my ($self, $prefix, $server_role, $netbiosname, 
@@ -681,7 +633,7 @@ sub provision_raw_step1($$)
              $ctx->{kdc_ipv4} = $ctx->{ipv4};
         }
 
-	$self->mk_krb5_conf($ctx);
+	Samba::mk_krb5_conf($ctx);
 
 	open(PWD, ">$ctx->{nsswrap_passwd}");
 	print PWD "
@@ -1190,7 +1142,7 @@ sub provision_rodc($$$)
 	# so that use the RODC as kdc and test
 	# the proxy code
 	$ctx->{kdc_ipv4} = $ret->{SERVER_IP};
-	$self->mk_krb5_conf($ctx);
+	Samba::mk_krb5_conf($ctx);
 
 	$ret->{RODC_DC_SERVER} = $ret->{SERVER};
 	$ret->{RODC_DC_SERVER_IP} = $ret->{SERVER_IP};
@@ -1272,6 +1224,7 @@ sub check_env($$)
 sub setup_env($$$)
 {
 	my ($self, $envname, $path) = @_;
+	my $target3 = $self->{target3};
 
 	$ENV{ENVNAME} = $envname;
 
@@ -1303,6 +1256,11 @@ sub setup_env($$$)
 			$self->setup_dc("$path/dc");
 		}
 		return $self->setup_rodc("$path/rodc", $self->{vars}->{dc});
+	} elsif ($envname eq "s3member") {
+		if (not defined($self->{vars}->{dc})) {
+			$self->setup_dc("$path/dc");
+		}
+		return $target3->setup_admember("$path/s3member", $self->{vars}->{dc}, 29);
 	} elsif ($envname eq "all") {
 		if (not defined($self->{vars}->{dc})) {
 			$ENV{ENVNAME} = "dc";
@@ -1349,6 +1307,18 @@ sub setup_env($$$)
 			$ret->{FL2008R2DC_USERNAME} = $fl2008r2dc_ret->{USERNAME};
 			$ret->{FL2008R2DC_PASSWORD} = $fl2008r2dc_ret->{PASSWORD};
 		}
+		if (not defined($self->{vars}->{s3member})) {
+			$ENV{ENVNAME} = "s3member";
+			my $s3member_ret = $target3->setup_admember("$path/s3member", $self->{vars}->{dc}, 29);
+			$self->{vars}->{s3member} = $s3member_ret;
+
+			$ret->{S3MEMBER_SERVER} = $s3member_ret->{SERVER};
+			$ret->{S3MEMBER_SERVER_IP} = $s3member_ret->{SERVER_IP};
+			$ret->{S3MEMBER_NETBIOSNAME} = $s3member_ret->{NETBIOSNAME};
+			$ret->{S3MEMBER_NETBIOSALIAS} = $s3member_ret->{NETBIOSALIAS};
+			$ret->{S3MEMBER_USERNAME} = $s3member_ret->{USERNAME};
+			$ret->{S3MEMBER_PASSWORD} = $s3member_ret->{PASSWORD};
+		}
 		return $ret;
 	} else {
 		return undef;