The branch, master has been updated
       via  7e9c97ba1cd selftest: Add test for one-way trust wbinfo auth
       via  a5012df8614 selftest: fl2000dc: Add outgoing trust from fl2000dc to ad_dc
       via  194d726a800 selftest: Fix "outgoing" test in kinit_trust heimdal
       via  8d71afb4e6d testprogs: Show that DOM\user and REALM\user work for auth
       via  4b2b5c8f68a testprogs: Rename TRUST_CREDS variables in test_trust_utils.sh
       via  d5a0ba473c0 selftest: Add the trusted domain realms to krb5.conf
       via  372e1f30305 s3:tests: Fix wbinfo_lookuprids_cache test with system tdb-tools
      from  ced1d018ce1 Add editorconfig config file
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 7e9c97ba1cd960df2688718561c4a117b79b259b
Author: Isaac Boukris <ibouk...@samba.org>
Date:   Thu Oct 8 14:00:44 2020 +0200

    selftest: Add test for one-way trust wbinfo auth

    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Wed Jul 7 15:01:22 UTC 2021 on sn-devel-184

commit a5012df86145cb13851c3b65a1c2ece39b062a03
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Jun 9 15:03:29 2017 +0200

    selftest: fl2000dc: Add outgoing trust from fl2000dc to ad_dc

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 194d726a800e167366b37d69e69d8521df083b18
Author: Isaac Boukris <ibouk...@samba.org>
Date:   Tue Oct 6 22:33:45 2020 +0200

    selftest: Fix "outgoing" test in kinit_trust heimdal

    Found by the test not failing in one-way trust.

    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8d71afb4e6dc53e951ca9f9a298a507f2db2f2b4
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 23 10:55:04 2021 +0200

    testprogs: Show that DOM\user and REALM\user work for auth

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4b2b5c8f68a3e46bcebe5297522df94033375346
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 23 10:50:23 2021 +0200

    testprogs: Rename TRUST_CREDS variables in test_trust_utils.sh

Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d5a0ba473c06892af21523c3bd849afb3847d44b Author: Andreas Schneider <a...@samba.org> Date: Fri Jun 18 13:40:59 2021 +0200 selftest: Add the trusted domain realms to krb5.conf Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 372e1f30305c70febdb7a8143d6917b312b1d0de Author: Andreas Schneider <a...@samba.org> Date: Mon Jun 14 11:38:44 2021 +0200 s3:tests: Fix wbinfo_lookuprids_cache test with system tdb-tools If libtdb is used from the system, we should use those tools by default. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: script/autobuild.py | 4 + selftest/knownfail.d/oneway | 9 +++ selftest/target/Samba.pm | 32 ++++++-- selftest/target/Samba3.pm | 94 ++++++++++++++++++++++ selftest/target/Samba4.pm | 11 ++- .../script/tests/test_wbinfo_lookuprids_cache.sh | 14 +++- source4/selftest/tests.py | 13 +++ testprogs/blackbox/test_kinit_trusts_heimdal.sh | 2 +- testprogs/blackbox/test_kinit_trusts_mit.sh | 2 +- testprogs/blackbox/test_trust_utils.sh | 74 +++++++++-------- 10 files changed, 209 insertions(+), 46 deletions(-) create mode 100644 selftest/knownfail.d/oneway Changeset truncated at 500 lines: diff --git a/script/autobuild.py b/script/autobuild.py index a1ba61cdce1..85dff88a773 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -300,6 +300,7 @@ tasks = { "ad_member_idmap_rid", "ad_member_idmap_ad", "ad_member_rfc2307", + "ad_member_oneway", "chgdcpass", "vampire_2000_dc", "fl2000dc", @@ -365,6 +366,7 @@ tasks = { "ad_member_idmap_rid", "ad_member_idmap_ad", "ad_member_rfc2307", + "ad_member_oneway", "chgdcpass", "vampire_2000_dc", "fl2000dc", 
@@ -534,6 +536,7 @@ tasks = { ("random-sleep", random_sleep(1, 1)), ("test", make_test(include_envs=[ "fl2000dc", + "ad_member_oneway", "fl2003dc", ])), ("lcov", LCOV_CMD), @@ -674,6 +677,7 @@ tasks = { ("random-sleep", random_sleep(1, 1)), ("test", make_test(include_envs=[ "fl2000dc", + "ad_member_oneway", "fl2003dc", ])), ("lcov", LCOV_CMD), diff --git a/selftest/knownfail.d/oneway b/selftest/knownfail.d/oneway new file mode 100644 index 00000000000..4a182f0714b --- /dev/null +++ b/selftest/knownfail.d/oneway @@ -0,0 +1,9 @@ +# One way trust, the first one is weird (smbclient4), the rest are logical +^samba4.blackbox.kinit_trust.Test login with user kerberos ccache \(smbclient4\)\(fl2000dc:local\) +^samba4.blackbox.kinit_trust.Test user login with the first outgoing secret\(fl2000dc:local\) +^samba4.blackbox.kinit_trust.Test user login with the changed outgoing secret\(fl2000dc:local\) +# More one-way trust +^samba4.blackbox.trust_utils\(fl2000dc:local\).validate trust default both\(fl2000dc:local\) +^samba4.blackbox.trust_utils\(fl2000dc:local\).validate trust reverse both\(fl2000dc:local\) +^samba4.blackbox.trust_utils\(fl2000dc:local\).validate trust reverse local\(fl2000dc:local\) +^samba4.blackbox.trust_utils\(fl2000dc:local\).namespaces own default\(fl2000dc:local\) diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index c9104aa350e..8d6ca3eb2ee 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -359,12 +359,6 @@ sub mk_krb5_conf($$) "; } - print KRB5CONF " -[realms] - $our_realms_stanza -"; - - if (defined($ctx->{tlsdir})) { print KRB5CONF " 
@@ -378,9 +372,34 @@ sub mk_krb5_conf($$) "; } + + print KRB5CONF " +[realms] + $our_realms_stanza +"; + close(KRB5CONF); } +sub append_krb5_conf_trust_realms($$) +{ + my ($ctx) = @_; + + unless (open(KRB5CONF, ">>$ctx->{KRB5_CONFIG}")) { + warn("can't open $ctx->{KRB5_CONFIG}$?"); + return undef; + } + + my $trust_realms_stanza = mk_realms_stanza($ctx->{TRUST_REALM}, + $ctx->{TRUST_DNSNAME}, + $ctx->{TRUST_DOMAIN}, + $ctx->{TRUST_SERVER_IP}); + + print KRB5CONF " $trust_realms_stanza"; + + close(KRB5CONF) +} + sub mk_realms_stanza($$$$) { my ($realm, $dnsname, $domain, $kdc_ipv4) = @_; @@ -590,6 +609,7 @@ sub get_interface($) fipsdc => 56, fipsadmember => 57, offlineadmem => 58, + s2kmember => 59, rootdnsforwarder => 64, diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index efa63626ecb..f958c49c716 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -239,6 +239,7 @@ sub check_env($$) ad_member_idmap_ad => ["fl2008r2dc"], ad_member_fips => ["ad_dc_fips"], ad_member_offlogon => ["ad_dc"], + ad_member_oneway => ["fl2000dc"], clusteredmember => ["nt4_dc"], ); 
@@ -1309,6 +1310,99 @@ sub setup_ad_member_idmap_ad return $ret; } +sub setup_ad_member_oneway +{ + my ($self, $prefix, $dcvars) = @_; + + # If we didn't build with ADS, pretend this env was never available + if (not $self->have_ads()) { + return "UNKNOWN"; + } + + print "PROVISIONING S3 AD MEMBER WITH one-way trust..."; + + my $member_options = " + security = ads + workgroup = $dcvars->{DOMAIN} + realm = $dcvars->{REALM} + password server = $dcvars->{SERVER} + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + gensec_gssapi:requested_life_time = 5 +"; + + my $ret = $self->provision( + prefix => $prefix, + domain => $dcvars->{DOMAIN}, + server => "S2KMEMBER", + password => "loCalS2KMemberPass", + extra_options => $member_options, + resolv_conf => $dcvars->{RESOLV_CONF}); + + $ret or return undef; + + close(USERMAP); + $ret->{DOMAIN} = $dcvars->{DOMAIN}; + $ret->{REALM} = $dcvars->{REALM}; + $ret->{DOMSID} = $dcvars->{DOMSID}; + + my $ctx; + my $prefix_abs = abs_path($prefix); + $ctx = {}; + $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{domain} = $dcvars->{DOMAIN}; + $ctx->{realm} = $dcvars->{REALM}; + $ctx->{dnsname} = lc($dcvars->{REALM}); + $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; + $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; + $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + Samba::mk_krb5_conf($ctx, ""); + + $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; + + my $net = Samba::bindir_path($self, "net"); + # Add hosts file for name lookups + my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' "; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + if (defined($ret->{RESOLV_WRAPPER_CONF})) { + $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" "; + } else { + $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; + } + $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; + $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= 
"SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; + $cmd .= "$net join $ret->{CONFIGURATION}"; + $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}"; + + if (system($cmd) != 0) { + warn("Join failed\n$cmd"); + return undef; + } + + if (not $self->check_or_start( + env_vars => $ret, + winbindd => "yes")) { + return undef; + } + + $ret->{DC_SERVER} = $dcvars->{SERVER}; + $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP}; + $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6}; + $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; + $ret->{DC_USERNAME} = $dcvars->{USERNAME}; + $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + + $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER}; + $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME}; + $ret->{TRUST_PASSWORD} = $dcvars->{TRUST_PASSWORD}; + $ret->{TRUST_DOMAIN} = $dcvars->{TRUST_DOMAIN}; + $ret->{TRUST_REALM} = $dcvars->{TRUST_REALM}; + $ret->{TRUST_DOMSID} = $dcvars->{TRUST_DOMSID}; + + return $ret; +} + sub setup_ad_member_fips { my ($self, diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 81359375837..f15daa54e59 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -467,6 +467,8 @@ sub setup_trust($$$$$) my ($self, $localenv, $remoteenv, $type, $extra_args) = @_; $localenv->{TRUST_SERVER} = $remoteenv->{SERVER}; + $localenv->{TRUST_SERVER_IP} = $remoteenv->{SERVER_IP}; + $localenv->{TRUST_DNSNAME} = $remoteenv->{DNSNAME}; $localenv->{TRUST_USERNAME} = $remoteenv->{USERNAME}; $localenv->{TRUST_PASSWORD} = $remoteenv->{PASSWORD}; @@ -474,6 +476,9 @@ sub setup_trust($$$$$) $localenv->{TRUST_REALM} = $remoteenv->{REALM}; $localenv->{TRUST_DOMSID} = $remoteenv->{DOMSID}; + # Add trusted domain realms to krb5.conf + Samba::append_krb5_conf_trust_realms($localenv); + my $samba_tool = Samba::bindir_path($self, "samba-tool"); # setup the trust 
@@ -2198,7 +2203,7 @@ sub check_env($$) fl2008r2dc => ["ad_dc"], fl2003dc => ["ad_dc"], - fl2000dc => ["dns_hub"], + fl2000dc => ["ad_dc"], vampire_2000_dc => ["fl2000dc"], vampire_dc => ["ad_dc_ntvfs"], @@ -2368,13 +2373,15 @@ sub setup_chgdcpass sub setup_fl2000dc { - my ($self, $path) = @_; + my ($self, $path, $dc_vars) = @_; my $env = $self->provision_fl2000dc($path); if (defined $env) { if (not defined($self->check_or_start($env, "standard"))) { return undef; } + + $env = $self->setup_trust($env, $dc_vars, "external", "--no-aes-keys --direction=outgoing"); } return $env; diff --git a/source3/script/tests/test_wbinfo_lookuprids_cache.sh b/source3/script/tests/test_wbinfo_lookuprids_cache.sh index 0b21ffcd7c9..34ba50fe2d7 100755 --- a/source3/script/tests/test_wbinfo_lookuprids_cache.sh +++ b/source3/script/tests/test_wbinfo_lookuprids_cache.sh @@ -1,8 +1,18 @@ #!/bin/sh WBINFO="$VALGRIND ${WBINFO:-$BINDIR/wbinfo}" -TDBTOOL="${TDBTOOL:-$BINDIR/tdbtool}" -TDBDUMP="${TDBDUMP:-$BINDIR/tdbdump}" +samba_tdbtool=tdbtool +if test -x $BINDIR/tdbtool; then + samba_tdbtool=$BINDIR/tdbtool +fi +TDBTOOL="${TDBTOOL:-$samba_tdbtool}" + +samba_tdbdump=tdbdump +if test -x $BINDIR/tdbdump; then + samba_tdbdump=$BINDIR/tdbdump +fi +TDBDUMP="${TDBDUMP:-$samba_tdbdump}" + NET="$VALGRIND ${NET:-$BINDIR/net}" cache="$LOCK_DIR"/winbindd_cache.tdb diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 5e6daa44b71..e429b2dbce7 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
@@ -537,6 +537,7 @@ if have_heimdal_support: plantestsuite("samba4.blackbox.kinit", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient3, configuration]) plantestsuite("samba4.blackbox.kinit_trust", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest", "aes256-cts-hmac-sha1-96"]) plantestsuite("samba4.blackbox.kinit_trust", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"]) + plantestsuite("samba4.blackbox.kinit_trust", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"]) plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', configuration]) 
@@ -546,6 +547,7 @@ else: plantestsuite("samba4.blackbox.kinit", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient3, configuration]) plantestsuite("samba4.blackbox.kinit_trust", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_trusts_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest"]) plantestsuite("samba4.blackbox.kinit_trust", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"]) + plantestsuite("samba4.blackbox.kinit_trust", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_trusts_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"]) plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_mit.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) 
@@ -553,13 +555,16 @@ plantestsuite("samba.blackbox.client_kerberos", "ad_dc", [os.path.join(bbdir, "t plantestsuite("samba4.blackbox.trust_ntlm", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'forest', 'auto', 'NT_STATUS_LOGON_FAILURE']) plantestsuite("samba4.blackbox.trust_ntlm", "fl2003dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_LOGON_FAILURE']) +plantestsuite("samba4.blackbox.trust_ntlm", "fl2000dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_LOGON_FAILURE']) plantestsuite("samba4.blackbox.trust_ntlm", "ad_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE']) plantestsuite("samba4.blackbox.trust_ntlm", "nt4_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$DOMAIN', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE']) plantestsuite("samba4.blackbox.trust_utils(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest"]) plantestsuite("samba4.blackbox.trust_utils(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', 
'$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"]) +plantestsuite("samba4.blackbox.trust_utils(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"]) plantestsuite("samba4.blackbox.trust_token", "fl2008r2dc", [os.path.join(bbdir, "test_trust_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$TRUST_DOMSID', 'forest']) plantestsuite("samba4.blackbox.trust_token", "fl2003dc", [os.path.join(bbdir, "test_trust_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$TRUST_DOMSID', 'external']) +plantestsuite("samba4.blackbox.trust_token", "fl2000dc", [os.path.join(bbdir, "test_trust_token.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$DOMSID', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$TRUST_DOMSID', 'external']) plantestsuite("samba4.blackbox.ktpass(ad_dc_ntvfs)", "ad_dc_ntvfs", [os.path.join(bbdir, "test_ktpass.sh"), '$PREFIX/ad_dc_ntvfs']) plantestsuite("samba4.blackbox.password_settings(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_password_settings.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) plantestsuite("samba4.blackbox.trust_user_account", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_user_account.sh"), '$PREFIX', '$REALM', '$DOMAIN', '$TRUST_REALM', '$TRUST_DOMAIN']) 
@@ -597,6 +602,14 @@ if have_gnutls_fips_mode_support: plansmbtorture4testsuite('rpc.echo', "ad_dc_ntvfs", ['ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD'], "samba4.rpc.echo against NetBIOS alias") +# Test wbinfo trust auth +for env in ["ad_member_oneway:local", "fl2000dc:local", "fl2003dc:local", "fl2008r2dc:local"]: + for t in ["--krb5auth=$TRUST_REALM/$TRUST_USERNAME%$TRUST_PASSWORD", + "--krb5auth=$TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD", + "--authenticate=$TRUST_REALM/$TRUST_USERNAME%$TRUST_PASSWORD", + "--authenticate=$TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD"]: + plantestsuite("samba3.wbinfo_simple.trust:%s" % t, env, [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t]) + # json tests hook into ``chgdcpass'' to make them run in contributor CI on # gitlab planpythontestsuite("chgdcpass", "samba.tests.blackbox.netads_json") diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh index f0529667cf8..52b1ac6589c 100755 --- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh +++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh @@ -84,7 +84,7 @@ test_smbclient "Test login with user kerberos lowercase realm" 'ls' "$unc" --use test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD --realm=$lowerrealm || failed=`expr $failed + 1` # Test the outgoing direction -SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp" +unc="//$TRUST_SERVER.$TRUST_REALM/tmp" test_smbclient "Test user login with the first outgoing secret" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$USERNAME@$REALM%$PASSWORD || failed=`expr $failed + 1` testit_expect_failure "setpassword should not work" $VALGRIND $PYTHON $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=`expr $failed + 1` 
diff --git a/testprogs/blackbox/test_kinit_trusts_mit.sh b/testprogs/blackbox/test_kinit_trusts_mit.sh index 15a8d6c4d48..29f454daa26 100755 --- a/testprogs/blackbox/test_kinit_trusts_mit.sh +++ b/testprogs/blackbox/test_kinit_trusts_mit.sh @@ -82,7 +82,7 @@ $samba_kdestroy smbclient="$samba_bindir/smbclient4" testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` -test_smbclient "Test login with kerberos ccache (smbclient4)" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` +test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` $samba_kdestroy smbclient="$samba_bindir/smbclient" diff --git a/testprogs/blackbox/test_trust_utils.sh b/testprogs/blackbox/test_trust_utils.sh index ddc7097c93f..7da1e05598f 100755 --- a/testprogs/blackbox/test_trust_utils.sh +++ b/testprogs/blackbox/test_trust_utils.sh 
@@ -32,107 +32,113 @@ samba_tool="$samba4bindir/samba-tool" . `dirname $0`/subunit.sh CREDS="${DOMAIN}\\${USERNAME}%${PASSWORD}" -TRUST_CREDS="${TRUST_DOMAIN}\\${TRUST_USERNAME}%${TRUST_PASSWORD}" -TRUST_SERVER_CREDS_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS}" +TRUST_CREDS_DOMAIN="${TRUST_DOMAIN}\\${TRUST_USERNAME}%${TRUST_PASSWORD}" +TRUST_SERVER_CREDS_DOMAIN_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS_DOMAIN}" + +TRUST_CREDS_REALM="${TRUST_REALM}\\${TRUST_USERNAME}%${TRUST_PASSWORD}" +TRUST_SERVER_CREDS_REALM_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS_REALM}" list="$VALGRIND $PYTHON $samba_tool domain trust list" testit "list domains default" $list || failed=`expr $failed + 1` -testit "list domains reverse" $list ${TRUST_SERVER_CREDS_ARGS} || failed=`expr $failed + 1` + +# Show that the domain name and realm work +testit "list domains reverse (DOMAIN)" $list ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` +testit "list domains reverse (REALM)" $list ${TRUST_SERVER_CREDS_REALM_ARGS} || failed=`expr $failed + 1` show="$VALGRIND $PYTHON $samba_tool domain trust show" testit "show domains default realm" $show ${TRUST_REALM} || failed=`expr $failed + 1` -testit "show domains reverse realm" $show ${REALM} ${TRUST_SERVER_CREDS_ARGS} || failed=`expr $failed + 1` +testit "show domains reverse realm" $show ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` testit "show domains default netbios" $show ${TRUST_DOMAIN} || failed=`expr $failed + 1` -testit "show domains reverse netbios" $show ${DOMAIN} ${TRUST_SERVER_CREDS_ARGS} || failed=`expr $failed + 1` +testit "show domains reverse netbios" $show ${DOMAIN} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` validate="$VALGRIND $PYTHON $samba_tool domain trust validate" -testit "validate trust default both" $validate ${TRUST_REALM} -U${TRUST_CREDS}|| failed=`expr $failed + 1` 
+testit "validate trust default both" $validate ${TRUST_REALM} -U${TRUST_CREDS_DOMAIN}|| failed=`expr $failed + 1` testit "validate trust default local" $validate ${TRUST_REALM} --validate-location=local || failed=`expr $failed + 1` -testit "validate trust reverse both" $validate ${REALM} ${TRUST_SERVER_CREDS_ARGS} -U${CREDS} || failed=`expr $failed + 1` -testit "validate trust reverse local" $validate ${REALM} ${TRUST_SERVER_CREDS_ARGS} --validate-location=local || failed=`expr $failed + 1` +testit "validate trust reverse both" $validate ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} -U${CREDS} || failed=`expr $failed + 1` +testit "validate trust reverse local" $validate ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --validate-location=local || failed=`expr $failed + 1` namespaces="$VALGRIND $PYTHON $samba_tool domain trust namespaces" testit "namespaces own default" $namespaces || failed=`expr $failed + 1` -testit "namespaces own reverse" $namespaces ${TRUST_SERVER_CREDS_ARGS} || failed=`expr $failed + 1` +testit "namespaces own reverse" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` DOMSID=`$namespaces | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!'` #testit_expect_failure "namespaces domsid default" echo ${DOMSID} || failed=`expr $failed + 1` -TRUST_DOMSID=`$namespaces ${TRUST_SERVER_CREDS_ARGS} | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!'` +TRUST_DOMSID=`$namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!'` #testit_expect_failure "namespaces domsid reverse" echo ${TRUST_DOMSID} || failed=`expr $failed + 1` if test x$TYPE = x"forest"; then testit "namespaces trust default realm 1" $namespaces ${TRUST_REALM} || failed=`expr $failed + 1` - testit "namespaces trust reverse realm 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} || failed=`expr $failed + 1` + testit "namespaces trust reverse realm 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` 
testit "namespaces trust default domain 1" $namespaces ${TRUST_DOMAIN} || failed=`expr $failed + 1` - testit "namespaces trust reverse domain 1" $namespaces ${DOMAIN} ${TRUST_SERVER_CREDS_ARGS} || failed=`expr $failed + 1` + testit "namespaces trust reverse domain 1" $namespaces ${DOMAIN} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` testit "namespaces own default add-upn-suffix 1" $namespaces --add-upn-suffix=default.test_trust_utils.example.com || failed=`expr $failed + 1` - testit "namespaces own reverse add-upn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_ARGS} --add-upn-suffix=reverse.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces own reverse add-upn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-upn-suffix=reverse.test_trust_utils.example.com || failed=`expr $failed + 1` testit "namespaces own default add-upn-suffix 2" $namespaces --add-upn-suffix=${TRUST_REALM} || failed=`expr $failed + 1` - testit "namespaces own reverse add-upn-suffix 2" $namespaces ${TRUST_SERVER_CREDS_ARGS} --add-upn-suffix=${REALM} || failed=`expr $failed + 1` + testit "namespaces own reverse add-upn-suffix 2" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-upn-suffix=${REALM} || failed=`expr $failed + 1` testit "namespaces own default add-spn-suffix 1" $namespaces --add-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1` - testit "namespaces own reverse add-spn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_ARGS} --add-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces own reverse add-spn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1` testit "namespaces trust default check 1" $namespaces ${TRUST_REALM} --refresh=check || failed=`expr $failed + 1` - testit "namespaces trust reverse check 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --refresh=check || failed=`expr $failed 
+ 1` + testit "namespaces trust reverse check 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=check || failed=`expr $failed + 1` testit "namespaces trust default store 1" $namespaces ${TRUST_REALM} --refresh=store || failed=`expr $failed + 1` - testit "namespaces trust reverse store 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --refresh=store || failed=`expr $failed + 1` + testit "namespaces trust reverse store 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=store || failed=`expr $failed + 1` testit "namespaces trust default enable-tln 1" $namespaces ${TRUST_REALM} --enable-tln=reverse.test_trust_utils.example.com || failed=`expr $failed + 1` - testit "namespaces trust reverse enable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --enable-tln=default.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces trust reverse enable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=default.test_trust_utils.example.com || failed=`expr $failed + 1` testit "namespaces trust default enable-tln 2" $namespaces ${TRUST_REALM} --enable-tln=spn.test_trust_utils.example.com || failed=`expr $failed + 1` - testit "namespaces trust reverse enable-tln 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --enable-tln=spn.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces trust reverse enable-tln 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=spn.test_trust_utils.example.com || failed=`expr $failed + 1` testit "namespaces trust default enable-tln 3" $namespaces ${TRUST_REALM} --enable-tln=${TRUST_REALM} || failed=`expr $failed + 1` - testit "namespaces trust reverse enable-tln 3" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --enable-tln=${REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse enable-tln 3" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=${REALM} || failed=`expr $failed + 1` testit 
"namespaces trust default disable-nb 1" $namespaces ${TRUST_REALM} --disable-nb=${TRUST_DOMAIN} || failed=`expr $failed + 1` - testit "namespaces trust reverse disable-nb 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --disable-nb=${DOMAIN} || failed=`expr $failed + 1` + testit "namespaces trust reverse disable-nb 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-nb=${DOMAIN} || failed=`expr $failed + 1` testit "namespaces trust default disable-sid 1" $namespaces ${TRUST_REALM} --disable-sid=${TRUST_DOMSID} || failed=`expr $failed + 1` - testit "namespaces trust reverse disable-sid 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --disable-sid=${DOMSID} || failed=`expr $failed + 1` + testit "namespaces trust reverse disable-sid 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-sid=${DOMSID} || failed=`expr $failed + 1` testit "namespaces trust default disable-tln 1" $namespaces ${TRUST_REALM} --disable-tln=reverse.test_trust_utils.example.com || failed=`expr $failed + 1` - testit "namespaces trust reverse disable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --disable-tln=default.test_trust_utils.example.com || failed=`expr $failed + 1` + testit "namespaces trust reverse disable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-tln=default.test_trust_utils.example.com || failed=`expr $failed + 1` testit "namespaces trust default add-tln-ex 1" $namespaces ${TRUST_REALM} --add-tln-ex=exclude.${TRUST_REALM} || failed=`expr $failed + 1` - testit "namespaces trust reverse add-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --add-tln-ex=exclude.${REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse add-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-tln-ex=exclude.${REALM} || failed=`expr $failed + 1` testit "namespaces trust default add-tln-ex 2" $namespaces ${TRUST_REALM} --add-tln-ex=sub.exclude.${TRUST_REALM} || failed=`expr $failed + 1` - 
testit "namespaces trust reverse add-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --add-tln-ex=sub.exclude.${REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse add-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-tln-ex=sub.exclude.${REALM} || failed=`expr $failed + 1` testit "namespaces trust default realm 2" $namespaces ${TRUST_REALM} || failed=`expr $failed + 1` - testit "namespaces trust reverse realm 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} || failed=`expr $failed + 1` + testit "namespaces trust reverse realm 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1` testit "namespaces trust default delete-tln-ex 1" $namespaces ${TRUST_REALM} --delete-tln-ex=exclude.${TRUST_REALM} || failed=`expr $failed + 1` - testit "namespaces trust reverse delete-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --delete-tln-ex=exclude.${REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse delete-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-tln-ex=exclude.${REALM} || failed=`expr $failed + 1` testit "namespaces trust default delete-tln-ex 2" $namespaces ${TRUST_REALM} --delete-tln-ex=sub.exclude.${TRUST_REALM} || failed=`expr $failed + 1` - testit "namespaces trust reverse delete-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_ARGS} --delete-tln-ex=sub.exclude.${REALM} || failed=`expr $failed + 1` + testit "namespaces trust reverse delete-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-tln-ex=sub.exclude.${REALM} || failed=`expr $failed + 1` -- Samba Shared Repository
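Review bot: the header comment in the new selftest/knownfail.d/oneway explains the smbclient4 kinit_trust entry only as "weird", which leaves no way to tell a known limitation from a regression once the entry is masking the test. Record the observed failure or a bug reference next to `# One way trust, the first one is weird (smbclient4), the rest are logical`, and for the remaining entries state that they are expected because setup_fl2000dc now creates the trust with `--direction=outgoing`, so the "reverse" and "both" validation cases have no incoming side to succeed against.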
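Review bot: the hunk in mk_krb5_conf in selftest/target/Samba.pm that removes the `[realms]` block from its old position gives no hint why; the only reason it works after being moved to the end of the file is that append_krb5_conf_trust_realms appends further realm entries to the same section. Add a one-line comment above the relocated `print KRB5CONF "[realms] ..."` saying it must stay last for that reason, otherwise a later cleanup that reorders the stanzas will silently break the trust realm lookups.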
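Review bot: in append_krb5_conf_trust_realms in selftest/target/Samba.pm the failure message `warn("can't open $ctx->{KRB5_CONFIG}$?");` reports `$?`, which is the status of the last child process, not the reason open() failed; use `$!` and separate it from the path, e.g. `warn("can't open $ctx->{KRB5_CONFIG}: $!");`. The closing `close(KRB5CONF)` also lacks the terminating semicolon that the `close(KRB5CONF);` in mk_krb5_conf above uses.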
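Review bot: `close(USERMAP);` in setup_ad_member_oneway in selftest/target/Samba3.pm closes a filehandle this function never opens, so it is a leftover from whichever setup_* routine the body was copied from and should be removed. The comment `# Add hosts file for name lookups` is likewise stale: the lines beneath it only assemble the environment for the `$net join` command.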
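Review bot: in setup_trust in selftest/target/Samba4.pm the new call `Samba::append_krb5_conf_trust_realms($localenv);` discards its return value, although the function returns undef after a warn() when it cannot open `$ctx->{KRB5_CONFIG}`; a failed append would then show up only as an unexplained kinit_trust or wbinfo failure later in the run. Check the result and return undef from setup_trust when it fails.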
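Review bot: setup_fl2000dc in selftest/target/Samba4.pm passes `"--no-aes-keys --direction=outgoing"` to setup_trust with no comment; a short note that excluding the AES keys matches the arcfour-hmac-md5 enctype the fl2000dc kinit_trust entries in source4/selftest/tests.py use, and that the outgoing direction is what the knownfail.d/oneway entries depend on, would save the next reader from re-deriving it. Since `$env` is overwritten with setup_trust's result, a failure there also returns undef after check_or_start has already started the server, so a warn() with the reason would help diagnose it.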
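Review bot: in source3/script/tests/test_wbinfo_lookuprids_cache.sh the probes `if test -x $BINDIR/tdbtool; then` and `if test -x $BINDIR/tdbdump; then` leave `$BINDIR` unquoted, so an unset or space-containing BINDIR changes the argument count seen by `test -x`; quote them as `"$BINDIR/tdbtool"`. The two blocks differ only in the tool name and could share a small helper function.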
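Review bot: the added fl2000dc:local plantestsuite line for test_kinit_trusts_heimdal.sh in source4/selftest/tests.py is a copy of the fl2003dc:local line above it with only the environment changed; looping over the two environments would keep the long argument lists from drifting apart over time.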
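Review bot: the same applies to the fl2000dc:local line added for test_kinit_trusts_mit.sh and to the three fl2000dc entries added for test_trust_ntlm.sh, test_trust_utils.sh and test_trust_token.sh in source4/selftest/tests.py: each duplicates the fl2003dc entry above it with one field changed, and a loop over the external-trust environments would express that intent directly.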
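Review bot: the `# Test wbinfo trust auth` loop in source4/selftest/tests.py only asserts that authentication succeeds in every listed environment; nothing asserts that it is refused in the direction the one-way trust does not cover, which is the property a one-way trust exists to provide. Consider an expect-failure counterpart from the other side of the fl2000dc trust. Note also that the generated names `samba3.wbinfo_simple.trust:%s` embed the literal `$TRUST_REALM/$TRUST_USERNAME%$TRUST_PASSWORD` text, so any knownfail regex for them has to escape the `$` characters.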
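Review bot: the one-line fix in testprogs/blackbox/test_kinit_trusts_heimdal.sh (`SMBCLIENT_UNC=` to `unc=`) shows the outgoing test had been re-running against the previous `$unc` because the assigned variable was never read; that is exactly what shellcheck's unused-variable warning (SC2034) reports, so running shellcheck over testprogs/blackbox in CI would catch the class of silently passing tests the commit message describes.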
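Review bot: in testprogs/blackbox/test_trust_utils.sh only `list domains reverse (REALM)` uses the new TRUST_SERVER_CREDS_REALM_ARGS; every show, validate and namespaces invocation still uses the DOMAIN form, so the REALM\user path is exercised for a single command. Either add a REALM variant for at least `show domains reverse realm`, or say in the comment `# Show that the domain name and realm work` that list is deliberately the only one. The carried-over `-U${TRUST_CREDS_DOMAIN}|| failed=` is also missing the space before `||` that the neighbouring lines have.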