diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-12-28 21:00:28 +1100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2013-09-04 11:25:10 +0200 |
commit | 38e43961c01f6f491b069e7106fe2a2ec80bd840 (patch) | |
tree | 9be8eea9d5331d66bb56a5e7ed5ace331567f79a /source4/torture | |
parent | 16b26eafa75280e576333975cff5dd1505c118fa (diff) | |
download | samba-38e43961c01f6f491b069e7106fe2a2ec80bd840.tar.gz samba-38e43961c01f6f491b069e7106fe2a2ec80bd840.tar.bz2 samba-38e43961c01f6f491b069e7106fe2a2ec80bd840.zip |
torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9
This exercises some more of the dlz_bind9 code outside BIND, by
sending in a ticket to be access checked, wrapped either in SPNEGO or
just in GSSAPI.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Sep 4 11:25:10 CEST 2013 on sn-devel-104
Diffstat (limited to 'source4/torture')
-rw-r--r-- | source4/torture/dns/dlz_bind9.c | 78 | ||||
-rw-r--r-- | source4/torture/winbind/winbind.c | 1 |
2 files changed, 79 insertions, 0 deletions
diff --git a/source4/torture/dns/dlz_bind9.c b/source4/torture/dns/dlz_bind9.c index 18d65a3268..d7d1736a6f 100644 --- a/source4/torture/dns/dlz_bind9.c +++ b/source4/torture/dns/dlz_bind9.c @@ -26,6 +26,9 @@ #include "dsdb/samdb/samdb.h" #include "dsdb/common/util.h" #include "auth/session.h" +#include "auth/gensec/gensec.h" +#include "auth/credentials/credentials.h" +#include "lib/cmdline/popt_common.h" struct torture_context *tctx_static; @@ -121,7 +124,80 @@ static bool test_dlz_bind9_configure(struct torture_context *tctx) return true; } +/* + * Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side + * + */ +static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech) +{ + NTSTATUS status; + + struct gensec_security *gensec_client_context; + + DATA_BLOB client_to_server, server_to_client; + + void *dbdata; + const char *argv[] = { + "samba_dlz", + "-H", + lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"), + NULL + }; + tctx_static = tctx; + torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata, + "log", dlz_bind9_log_wrapper, + "writeable_zone", dlz_bind9_writeable_zone_hook, NULL), + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + + torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + + status = gensec_client_start(tctx, &gensec_client_context, + lpcfg_gensec_settings(tctx, tctx->lp_ctx)); + torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); + + status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL)); + torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed"); + + status = gensec_set_credentials(gensec_client_context, cmdline_credentials); + torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); + + status = gensec_start_mech_by_sasl_name(gensec_client_context, mech); + torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); + + server_to_client = data_blob(NULL, 0); + + /* Do one step of the client-server update dance */ + status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server); + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; + torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); + } + + torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials), + lpcfg_dnsdomain(tctx->lp_ctx), + "127.0.0.1", "type", "key", + client_to_server.length, + client_to_server.data, + dbdata), + ISC_R_SUCCESS, + "Failed to check key for update rights samba_dlz"); + dlz_destroy(dbdata); + + return true; +} + +static bool test_dlz_bind9_gssapi(struct torture_context *tctx) +{ + return test_dlz_bind9_gensec(tctx, "GSSAPI"); +} + +static bool test_dlz_bind9_spnego(struct torture_context *tctx) +{ + return test_dlz_bind9_gensec(tctx, "GSS-SPNEGO"); +} static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx) { @@ -132,6 +208,8 @@ static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx) torture_suite_add_simple_test(suite, "version", test_dlz_bind9_version); torture_suite_add_simple_test(suite, "create", test_dlz_bind9_create); torture_suite_add_simple_test(suite, "configure", test_dlz_bind9_configure); + torture_suite_add_simple_test(suite, "gssapi", test_dlz_bind9_gssapi); + torture_suite_add_simple_test(suite, "spnego", test_dlz_bind9_spnego); return suite; } diff --git a/source4/torture/winbind/winbind.c b/source4/torture/winbind/winbind.c index 5956834efa..65382a9083 100644 --- a/source4/torture/winbind/winbind.c +++ b/source4/torture/winbind/winbind.c @@ -201,6 +201,7 @@ static bool torture_winbind_pac(struct torture_context *tctx) torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); status = gensec_set_target_hostname(gensec_client_context, cli_credentials_get_workstation(cmdline_credentials)); + torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed"); status = gensec_set_credentials(gensec_client_context, cmdline_credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); |