From 6351dee4d810bfa20c3a892d0eba3b2ac828e193 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Apr 2011 19:13:17 +1000 Subject: s3-selftest Add testing of kerberos login This uses a pre-calculated credentials cache, that should be valid until 2036. Andrew Bartlett
---
 selftest/target/Samba3.pm | 65 +++++++++++++++++++++++++++++++++++++ source3/selftest/ktest-krb5_ccache | Bin 0 -> 11966 bytes source3/selftest/ktest-secrets.tdb | Bin 0 -> 45056 bytes source3/selftest/tests.py | 19 ++++++++--- 4 files changed, 80 insertions(+), 4 deletions(-) create mode 100644 source3/selftest/ktest-krb5_ccache create mode 100644 source3/selftest/ktest-secrets.tdb
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 6cb01d678b..de3fffbc93 100644
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -102,6 +102,8 @@ sub setup_env($$$)
 return $self->setup_dc("$path/dc");
 } elsif ($envname eq "secshare") {
 return $self->setup_secshare("$path/secshare");
+ } elsif ($envname eq "ktest") {
+ return $self->setup_ktest("$path/ktest");
 } elsif ($envname eq "secserver") {
 if (not defined($self->{vars}->{dc})) {
 $self->setup_dc("$path/dc");
@@ -255,6 +257,69 @@ sub setup_secserver($$$)
 return $ret;
 }
 
+sub setup_ktest($$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ print "PROVISIONING server with security=ads...";
+
+ my $ktest_options = "
+ workgroup = KTEST
+ realm = ktest.samba.example.com
+ security = ads
+ username map = $prefix/lib/username.map
+";
+
+ my $ret = $self->provision($prefix,
+ "LOCALKTEST6",
+ 5,
+ "localktest6pass",
+ $ktest_options);
+
+ $ret or die("Unable to provision");
+
+ open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+ print USERMAP "
+$ret->{USERNAME} = KTEST\\Administrator
+";
+ close(USERMAP);
+
+#This is the secrets.tdb created by 'net ads join' from Samba3 to a
+#Samba4 DC with the same parameters as are being used here. The
+#domain SID is S-1-5-21-1071277805-689288055-3486227160
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
+ chmod 0600, "$prefix/private/secrets.tdb";
+
+#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
+# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
+#
+#and having in krb5.conf:
+# ticket_lifetime = 799718400
+# renew_lifetime = 799718400
+#
+# The commands run were:
+# kinit administrator@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+#
+# This creates a credential cache with a very long lifetime (2036 at at 2011-04)
+
+ $ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache $prefix/krb5_ccache");
+ chmod 0600, "$prefix/krb5_ccache";
+
+ $self->check_or_start($ret,
+ ($ENV{SMBD_MAXTIME} or 2700),
+ "yes", "no", "yes");
+
+ $self->wait_for_start($ret);
+ return $ret;
+}
+
 sub stop_sig_term($$) {
 my ($self, $pid) = @_;
 kill("USR1", $pid) or kill("ALRM", $pid) or warn("Unable to kill $pid: $!");
diff --git a/source3/selftest/ktest-krb5_ccache b/source3/selftest/ktest-krb5_ccache
new file mode 100644
index 0000000000..15102226f3
Binary files /dev/null and b/source3/selftest/ktest-krb5_ccache differ
diff --git a/source3/selftest/ktest-secrets.tdb b/source3/selftest/ktest-secrets.tdb
new file mode 100644
index 0000000000..c09c315288
Binary files /dev/null and b/source3/selftest/ktest-secrets.tdb differ
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9ddb164b4d..826b84fa3b 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -207,12 +207,23 @@ if sub.returncode == 0:
 smb_options = ["", ",smb2"]
 endianness_options = ["", ",bigendian"]
 for z in smb_options:
- for e in endianness_options:
- for a in auth_options:
- for s in signseal_options:
- binding_string = "ncacn_np:$SERVER_IP[%s%s%s%s]" % (a, s, z, e)
+ for s in signseal_options:
+ for e in endianness_options:
+ for a in auth_options:
+ binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
 options = binding_string + " -U$USERNAME%$PASSWORD"
 plansmbtorturetestsuite(test, "dc", options, 'over ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+
+ # We should try more combinations in future, but this is all
+ # the pre-calculated credentials cache supports at the moment
+ e = ""
+ a = ""
+ binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
+ options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache"
+ plansmbtorturetestsuite(test, "ktest", options, 'over kerberos ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+
+
+
 for e in endianness_options:
 for a in auth_options:
 for s in signseal_options:
-- cgit
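Review bot: The two `system("cp …")` calls in setup_ktest pass one interpolated string to the shell and ignore the exit status, so a `srcdir` or `$prefix` containing a space or shell metacharacter is misparsed. A failed copy also lets smbd start without the joined machine secrets or the credentials cache, and the error only shows up later as failing ktest runs. The list form with a check avoids both: `system("cp", "$self->{srcdir}/source3/selftest/ktest-secrets.tdb", "$prefix/private/secrets.tdb") == 0 or die("Unable to copy ktest-secrets.tdb");`, and likewise for `ktest-krb5_ccache`; the `chmod 0600` results and `close(USERMAP)` are unchecked too. The `open(USERMAP, ">$prefix/lib/username.map")` call has the same interpolation issue and could use the three-argument form with a lexical handle. Because `ktest-secrets.tdb` and the ccache are committed credentials, the comment block should also say that they come from a throwaway test realm and must not be regenerated against a real domain.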
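Review bot: The binding string for the existing `dc` runs also changes from `$SERVER_IP` to `$SERVER`, which the commit message does not mention, so the password-authenticated runs now depend on name resolution of `$SERVER` in the test environment. Presumably the name is needed so the Kerberos run can match the `cifs/localktest6` service tickets held in the cache, but that applies only to the `ktest` binding. Either keep `$SERVER_IP` for the `dc` binding, or record the reason with a comment such as `# use the host name, not the IP: the ktest run needs a host-based service principal`. The ccache path `$PREFIX/ktest/krb5_ccache` also duplicates what setup_ktest stores in `KRB5_CCACHE`, so the two must be kept in step by hand. Indentation is lost on this page, so the loop level at which the new `ktest` block sits cannot be confirmed here.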