From fb5e1f4a65042b89c74e545cb739f1720565807d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 19 Apr 2011 16:38:46 +1000 Subject: selftest: s3member admember test to confirm s3/s4 interopability This checks that Samba3 joins Samba4 correctly, and allows NTLM and Kerberos logons from a live Samba4 DC. This needs the common krb5.conf generation logic, and because we now override KRB5_CONFIG we must update ktest to have a valid krb5.conf. Based on an original patch by metze Andrew Bartlett --- selftest/target/Samba.pm | 56 +++++++++++++++++++++++++++++ selftest/target/Samba3.pm | 90 ++++++++++++++++++++++++++++++++++++++++++++++- selftest/target/Samba4.pm | 76 ++++++++++++--------------------------- 3 files changed, 168 insertions(+), 54 deletions(-) (limited to 'selftest') diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 820bd9e19c..cec12e528d 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -59,4 +59,60 @@ sub bindir_path($$) { return $path; } +sub mk_krb5_conf($) +{ + my ($ctx) = @_; + + unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) { + die("can't open $ctx->{krb5_conf}$?"); + return undef; + } + print KRB5CONF " +#Generated krb5.conf for $ctx->{realm} + +[libdefaults] + default_realm = $ctx->{realm} + dns_lookup_realm = false + dns_lookup_kdc = false + ticket_lifetime = 24h + forwardable = yes + allow_weak_crypto = yes + +[realms] + $ctx->{realm} = { + kdc = $ctx->{kdc_ipv4}:88 + admin_server = $ctx->{kdc_ipv4}:88 + default_domain = $ctx->{dnsname} + } + $ctx->{dnsname} = { + kdc = $ctx->{kdc_ipv4}:88 + admin_server = $ctx->{kdc_ipv4}:88 + default_domain = $ctx->{dnsname} + } + $ctx->{domain} = { + kdc = $ctx->{kdc_ipv4}:88 + admin_server = $ctx->{kdc_ipv4}:88 + default_domain = $ctx->{dnsname} + } + +[domain_realm] + .$ctx->{dnsname} = $ctx->{realm} +"; + + if (defined($ctx->{tlsdir})) { + print KRB5CONF " + +[appdefaults] + pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem + +[kdc] + enable-pkinit = true + pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem + pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem + +"; + } + close(KRB5CONF); +} + 1; diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index ee18a8e05a..d6dbe0cfa3 100644 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -195,6 +195,79 @@ sub setup_member($$$) return $ret; } +sub setup_admember($$$$) +{ + my ($self, $prefix, $dcvars, $iface) = @_; + + print "PROVISIONING S3 AD MEMBER$iface..."; + + my $member_options = " + security = ads + server signing = on + workgroup = $dcvars->{DOMAIN} + realm = $dcvars->{REALM} +"; + + my $ret = $self->provision($prefix, + "LOCALADMEMBER$iface", + $iface, + "loCalMember${iface}Pass", + $member_options); + + $ret or return undef; + + close(USERMAP); + $ret->{DOMAIN} = $dcvars->{DOMAIN}; + $ret->{REALM} = $dcvars->{REALM}; + + my $ctx; + my $prefix_abs = abs_path($prefix); + $ctx = {}; + $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{domain} = $dcvars->{DOMAIN}; + $ctx->{realm} = $dcvars->{REALM}; + $ctx->{dnsname} = lc($dcvars->{REALM}); + $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; + Samba::mk_krb5_conf($ctx); + + $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; + + my $net = Samba::bindir_path($self, "net"); + my $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "$net join $ret->{CONFIGURATION}"; + $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}"; + + system($cmd) == 0 or die("Join failed\n$cmd"); + + $self->check_or_start($ret, + "yes", "yes", "yes"); + + $self->wait_for_start($ret); + + my $smbcacls = Samba::bindir_path($self, "smbcacls"); + #Allow domain users to manipulate the share + $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "$smbcacls //127.0.0.29/tmp / -U$ret->{USERNAME}%$ret->{PASSWORD} "; + $cmd .= "$ret->{CONFIGURATION} -S ACL:$dcvars->{DOMAIN}\\\\Domain\\ Users:ALLOWED/0x0/FULL"; + + system($cmd) == 0 or die("Join failed\n$cmd"); + + $ret->{DC_SERVER} = $dcvars->{SERVER}; + $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP}; + $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; + $ret->{DC_USERNAME} = $dcvars->{USERNAME}; + $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + + # Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env + $ret->{target} = $self; + + return $ret; +} + sub setup_secshare($$) { my ($self, $path) = @_; @@ -261,7 +334,7 @@ sub setup_secserver($$$) sub setup_ktest($$$) { - my ($self, $prefix, $s3dcvars) = @_; + my ($self, $prefix) = @_; print "PROVISIONING server with security=ads..."; @@ -280,6 +353,18 @@ sub setup_ktest($$$) $ret or return undef; + my $ctx; + my $prefix_abs = abs_path($prefix); + $ctx = {}; + $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{domain} = "KTEST"; + $ctx->{realm} = "KTEST.SAMBA.EXAMPLE.COM"; + $ctx->{dnsname} = lc($ctx->{realm}); + $ctx->{kdc_ipv4} = "0.0.0.0"; + Samba::mk_krb5_conf($ctx); + + $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; + open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); print USERMAP " $ret->{USERNAME} = KTEST\\Administrator @@ -373,6 +458,7 @@ sub check_or_start($$$$) { SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}); + $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG}; $ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR}; $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR}; @@ -416,6 +502,7 @@ sub check_or_start($$$$) { SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}); + $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG}; $ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR}; $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR}; @@ -461,6 +548,7 @@ sub check_or_start($$$$) { SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}); + $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG}; $ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR}; $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR}; diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 22f38b859f..959c16131a 100644 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -11,6 +11,7 @@ use FindBin qw($RealBin); use POSIX; use SocketWrapper; use target::Samba; +use target::Samba3; sub new($$$$$) { my ($classname, $bindir, $binary_mapping, $ldap, $srcdir, $exeext, $server_maxtime) = @_; @@ -23,7 +24,8 @@ sub new($$$$$) { binary_mapping => $binary_mapping, srcdir => $srcdir, exeext => $exeext, - server_maxtime => $server_maxtime + server_maxtime => $server_maxtime, + target3 => new Samba3($bindir, $binary_mapping, $srcdir, $exeext, $server_maxtime) }; bless $self; return $self; @@ -452,56 +454,6 @@ Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ== EOF } -sub mk_krb5_conf($$) -{ - my ($self, $ctx) = @_; - - unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) { - warn("can't open $ctx->{krb5_conf}$?"); - return undef; - } - print KRB5CONF " -#Generated krb5.conf for $ctx->{realm} - -[libdefaults] - default_realm = $ctx->{realm} - dns_lookup_realm = false - dns_lookup_kdc = false - ticket_lifetime = 24h - forwardable = yes - allow_weak_crypto = yes - -[realms] - $ctx->{realm} = { - kdc = $ctx->{kdc_ipv4}:88 - admin_server = $ctx->{kdc_ipv4}:88 - default_domain = $ctx->{dnsname} - } - $ctx->{dnsname} = { - kdc = $ctx->{kdc_ipv4}:88 - admin_server = $ctx->{kdc_ipv4}:88 - default_domain = $ctx->{dnsname} - } - $ctx->{domain} = { - kdc = $ctx->{kdc_ipv4}:88 - admin_server = $ctx->{kdc_ipv4}:88 - default_domain = $ctx->{dnsname} - } - -[appdefaults] - pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem - -[kdc] - enable-pkinit = true - pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem - pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem - -[domain_realm] - .$ctx->{dnsname} = $ctx->{realm} -"; - close(KRB5CONF); -} - sub provision_raw_prepare($$$$$$$$$$) { my ($self, $prefix, $server_role, $netbiosname, @@ -681,7 +633,7 @@ sub provision_raw_step1($$) $ctx->{kdc_ipv4} = $ctx->{ipv4}; } - $self->mk_krb5_conf($ctx); + Samba::mk_krb5_conf($ctx); open(PWD, ">$ctx->{nsswrap_passwd}"); print PWD " @@ -1190,7 +1142,7 @@ sub provision_rodc($$$) # so that use the RODC as kdc and test # the proxy code $ctx->{kdc_ipv4} = $ret->{SERVER_IP}; - $self->mk_krb5_conf($ctx); + Samba::mk_krb5_conf($ctx); $ret->{RODC_DC_SERVER} = $ret->{SERVER}; $ret->{RODC_DC_SERVER_IP} = $ret->{SERVER_IP}; @@ -1272,6 +1224,7 @@ sub check_env($$) sub setup_env($$$) { my ($self, $envname, $path) = @_; + my $target3 = $self->{target3}; $ENV{ENVNAME} = $envname; @@ -1303,6 +1256,11 @@ sub setup_env($$$) $self->setup_dc("$path/dc"); } return $self->setup_rodc("$path/rodc", $self->{vars}->{dc}); + } elsif ($envname eq "s3member") { + if (not defined($self->{vars}->{dc})) { + $self->setup_dc("$path/dc"); + } + return $target3->setup_admember("$path/s3member", $self->{vars}->{dc}, 29); } elsif ($envname eq "all") { if (not defined($self->{vars}->{dc})) { $ENV{ENVNAME} = "dc"; @@ -1349,6 +1307,18 @@ sub setup_env($$$) $ret->{FL2008R2DC_USERNAME} = $fl2008r2dc_ret->{USERNAME}; $ret->{FL2008R2DC_PASSWORD} = $fl2008r2dc_ret->{PASSWORD}; } + if (not defined($self->{vars}->{s3member})) { + $ENV{ENVNAME} = "s3member"; + my $s3member_ret = $target3->setup_admember("$path/s3member", $self->{vars}->{dc}, 29); + $self->{vars}->{s3member} = $s3member_ret; + + $ret->{S3MEMBER_SERVER} = $s3member_ret->{SERVER}; + $ret->{S3MEMBER_SERVER_IP} = $s3member_ret->{SERVER_IP}; + $ret->{S3MEMBER_NETBIOSNAME} = $s3member_ret->{NETBIOSNAME}; + $ret->{S3MEMBER_NETBIOSALIAS} = $s3member_ret->{NETBIOSALIAS}; + $ret->{S3MEMBER_USERNAME} = $s3member_ret->{USERNAME}; + $ret->{S3MEMBER_PASSWORD} = $s3member_ret->{PASSWORD}; + } return $ret; } else { return undef; -- cgit