The branch, master has been updated
       via  91eb3f1d223 testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh
       via  11741791cc6 testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh
       via  619f097b7d4 testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh
       via  16b9b508af4 samba-tool/ntacl: implement set --recursive
       via  27b29cfa766 samba-tool/ntacl: add set --verbose and print out the file/directory name
       via  6327fd9cdba samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all
       via  4ca5b78f5b7 samba-tool/ntacl: let changedomsid ignore symlinks
       via  3694f2ce620 vfs_aio_pthread: don't crash without a pthreadpool
       via  0e9f1eec5a2 samba-tool: print default (domain) for --dns-directory-partition option in help message
       via  b26dcfba10e tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime
       via  489cdefa6ab tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey()
      from  0ef8083cca0 WHATSNEW: Mention new default schema and Functional Level prep

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 91eb3f1d2236ad88eb3cf6ad036ae16ea2eac6b8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 17 11:26:48 2023 +0200

    testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Jun 22 00:22:47 UTC 2023 on atb-devel-224

commit 11741791cc6ae339efd71b122ea9313b710bf1ac
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 17 11:26:48 2023 +0200

    testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 619f097b7d4c0fa4614ab12042292c1e9a8fe234
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 17 11:26:48 2023 +0200

    testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 16b9b508af4432abe5717da129b1be921c0227c6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 2 16:18:51 2023 +0200

    samba-tool/ntacl: implement set --recursive

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 27b29cfa766099252b417da06599aee585a228bc
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 2 16:18:26 2023 +0200

    samba-tool/ntacl: add set --verbose and print out the file/directory name

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6327fd9cdbaf3dad4b09ce291de1f42259e11d2b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 2 16:18:26 2023 +0200

    samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4ca5b78f5b7c35e6276d92f7948334dad7a59456
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 16 13:57:51 2023 +0200

    samba-tool/ntacl: let changedomsid ignore symlinks

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3694f2ce6205a647eb5dab2115785fb45decaf0b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 2 15:15:16 2023 +0200

    vfs_aio_pthread: don't crash without a pthreadpool

    During 'samba-tool ntacl sysvolreset' and similar.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0e9f1eec5a2e484d947a433cc854d9903de8537f
Author: Björn Baumbach <b...@sernet.de>
Date:   Wed Jun 21 20:52:03 2023 +0200

    samba-tool: print default (domain) for --dns-directory-partition option in help message

    Signed-off-by: Björn Baumbach <b...@sernet.de>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b26dcfba10e3e38c04f3fe20dbf49e7e6ef4f0ed
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 24 00:12:47 2022 +0100

    tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime

    This demonstrates that we use the correct authtime when doing
    constrained delegation.

    The actual fix for the problem is already in place via commit
    75ec66c729faad60fa18b9504ba4053b3e2f47bc
    third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)

    The related patch is:
    006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 489cdefa6ab1bf7bd5cf3ea0ea64c03dc08fa8bd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 17 14:46:55 2022 +0100

    tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey()

    This demonstrates that we use the correct key for EncAuthorizationData
    together with constrained delegation.

    The actual fix for the problem is already in place via commit
    75ec66c729faad60fa18b9504ba4053b3e2f47bc
    third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)

    The related patches are:
    38c47c54f0c78fed5afc1aea9c5f6683e06ec842 kdc: fix memory leak when decryption AuthorizationData
    61c0089ea3f5387953818a3ac99fb529244196e6 kdc: decrypt b->enc_authorization_data in tgs_build_reply()
    fed5579814108ee90f701ca6bfb5500f7d839bc4 kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/dns.py                  |   2 +-
 python/samba/netcmd/ntacl.py                |  97 +++++++++++-----
 python/samba/tests/krb5/s4u_tests.py        | 126 ++++++++++++++++++++-
 source3/modules/vfs_aio_pthread.c           |   7 ++
 source4/selftest/tests.py                   |   2 +-
 testprogs/blackbox/test_samba-tool_ntacl.sh | 170 ++++++++++++++++++++++++----
 6 files changed, 350 insertions(+), 54 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/dns.py b/python/samba/netcmd/dns.py
index f10e67e0d4e..d40f01fa1cd 100644
--- a/python/samba/netcmd/dns.py
+++ b/python/samba/netcmd/dns.py
@@ -917,7 +917,7 @@ class cmd_zonecreate(Command): Option('--dns-directory-partition', help='Specify the naming context for the new zone, which ' 'affects the replication scope (domain or forest wide ' - 'replication).', + 'replication, default: domain).', default='domain', metavar='domain|forest', choices=['domain', 'forest'], diff --git a/python/samba/netcmd/ntacl.py b/python/samba/netcmd/ntacl.py index 8675719017d..b6aaed7712a 100644 --- a/python/samba/netcmd/ntacl.py +++ b/python/samba/netcmd/ntacl.py @@ -70,7 +70,7 @@ def get_local_domain_sid(lp): class cmd_ntacl_set(Command): """Set ACLs on a file.""" - synopsis = "%prog <acl> <file> [options]" + synopsis = "%prog <acl> <path> [options]" takes_optiongroups = { "sambaopts": options.SambaOptions, 
@@ -79,21 +79,25 @@ class cmd_ntacl_set(Command): } takes_options = [ - Option("-q", "--quiet", help="Be quiet", action="store_true"), + # --quiet is not used at all... + Option("-q", "--quiet", help=Option.SUPPRESS_HELP, action="store_true"), + Option("-v", "--verbose", help="Be verbose", action="store_true"), Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)", choices=["native", "tdb"]), Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"), Option("--use-ntvfs", help="Set the ACLs directly to the TDB or xattr for use with the ntvfs file server", action="store_true"), Option("--use-s3fs", help="Set the ACLs for use with the default s3fs file server via the VFS layer", action="store_true"), + Option("--recursive", help="Set the ACLs for directories and their contents recursively", action="store_true"), + Option("--follow-symlinks", help="Follow symlinks", action="store_true"), Option("--service", help="Name of the smb.conf service to use when applying the ACLs", type="string") ] - takes_args = ["acl", "file"] + takes_args = ["acl", "path"] - def run(self, acl, file, use_ntvfs=False, use_s3fs=False, - quiet=False, xattr_backend=None, eadb_file=None, + def run(self, acl, path, use_ntvfs=False, use_s3fs=False, + quiet=False, verbose=False, xattr_backend=None, eadb_file=None, credopts=None, sambaopts=None, versionopts=None, - service=None): + recursive=False, follow_symlinks=False, service=None): logger = self.get_logger() lp = sambaopts.get_loadparm() domain_sid = get_local_domain_sid(lp) 
@@ -103,15 +107,41 @@ class cmd_ntacl_set(Command): elif use_s3fs: use_ntvfs = False - setntacl(lp, - file, - acl, - str(domain_sid), - system_session_unix(), - xattr_backend, - eadb_file, - use_ntvfs=use_ntvfs, - service=service) + def _setntacl_path(_path): + if not follow_symlinks and os.path.islink(_path): + if recursive: + self.outf.write("ignored symlink: %s\n" % _path) + return + raise CommandError("symlink: %s: requires --follow-symlinks" % (_path)) + + if verbose: + if os.path.islink(_path): + self.outf.write("symlink: %s\n" % _path) + elif os.path.isdir(_path): + self.outf.write("dir: %s\n" % _path) + else: + self.outf.write("file: %s\n" % _path) + try: + return setntacl(lp, + _path, + acl, + str(domain_sid), + system_session_unix(), + xattr_backend, + eadb_file, + use_ntvfs=use_ntvfs, + service=service) + except Exception as e: + raise CommandError("Could not set acl for %s: %s" % (_path, e)) + + _setntacl_path(path) + + if recursive and os.path.isdir(path): + for root, dirs, files in os.walk(path, followlinks=follow_symlinks): + for name in files: + _setntacl_path(os.path.join(root, name)) + for name in dirs: + _setntacl_path(os.path.join(root, name)) if use_ntvfs: logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL") @@ -234,12 +264,12 @@ class cmd_ntacl_changedomsid(Command): action="store_true"), ] - takes_args = ["old_domain_sid", "new_domain_sid", "file"] + takes_args = ["old_domain_sid", "new_domain_sid", "path"] def run(self, old_domain_sid_str, new_domain_sid_str, - file, + path, use_ntvfs=False, use_s3fs=False, service=None, 
@@ -274,20 +304,31 @@ class cmd_ntacl_changedomsid(Command): raise CommandError("Could not parse old sid %s: %s" % (new_domain_sid_str, e)) - def changedom_sids(file): + def changedom_sids(_path): + if not follow_symlinks and os.path.islink(_path): + if recursive: + self.outf.write("ignored symlink: %s\n" % _path) + return + raise CommandError("symlink: %s: requires --follow-symlinks" % (_path)) + if verbose: - self.outf.write("file: %s\n" % file) + if os.path.islink(_path): + self.outf.write("symlink: %s\n" % _path) + elif os.path.isdir(_path): + self.outf.write("dir: %s\n" % _path) + else: + self.outf.write("file: %s\n" % _path) try: acl = getntacl(lp, - file, + _path, system_session_unix(), xattr_backend, eadb_file, direct_db_access=use_ntvfs, service=service) except Exception as e: - raise CommandError("Could not get acl for %s: %s" % (file, e)) + raise CommandError("Could not get acl for %s: %s" % (_path, e)) orig_sddl = acl.as_sddl(domain_sid) if verbose: @@ -320,7 +361,7 @@ class cmd_ntacl_changedomsid(Command): try: setntacl(lp, - file, + _path, acl, new_domain_sid, system_session_unix(), @@ -329,19 +370,19 @@ class cmd_ntacl_changedomsid(Command): use_ntvfs=use_ntvfs, service=service) except Exception as e: - raise CommandError("Could not set acl for %s: %s" % (file, e)) + raise CommandError("Could not set acl for %s: %s" % (_path, e)) - def recursive_changedom_sids(file): - for root, dirs, files in os.walk(file, followlinks=follow_symlinks): + def recursive_changedom_sids(_path): + for root, dirs, files in os.walk(_path, followlinks=follow_symlinks): for f in files: changedom_sids(os.path.join(root, f)) for d in dirs: changedom_sids(os.path.join(root, d)) - changedom_sids(file) - if recursive and os.path.isdir(file): - recursive_changedom_sids(file) + changedom_sids(path) + if recursive and os.path.isdir(path): + recursive_changedom_sids(path) if use_ntvfs: logger.warning("Please note that POSIX permissions have NOT been " 
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 83ca06e4577..fbd32d00dd1 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -23,6 +23,7 @@ sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" import functools +import time from samba import dsdb, ntstatus from samba.dcerpc import krb5pac, lsa, security @@ -37,6 +38,7 @@ from samba.tests.krb5.raw_testcase import ( ) from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, + AD_IF_RELEVANT, ARCFOUR_HMAC_MD5, KDC_ERR_BADMATCH, KDC_ERR_BADOPTION, @@ -49,7 +51,9 @@ from samba.tests.krb5.rfc4120_constants import ( KU_PA_ENC_TIMESTAMP, KU_AS_REP_ENC_PART, KU_TGS_REP_ENC_PART_SUB_KEY, - NT_PRINCIPAL + KU_TGS_REQ_AUTH_DAT_SESSION, + KU_TGS_REQ_AUTH_DAT_SUBKEY, + NT_PRINCIPAL, ) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 @@ -559,6 +563,8 @@ class S4UKerberosTests(KDCBaseTest): def _run_delegation_test(self, kdc_dict): s4u2self = kdc_dict.pop('s4u2self', False) + authtime_delay = kdc_dict.pop('authtime_delay', 0) + client_opts = kdc_dict.pop('client_opts', None) client_creds = self.get_cached_creds( account_type=self.AccountType.USER, @@ -598,6 +604,8 @@ class S4UKerberosTests(KDCBaseTest): opts=service1_opts) service1_tgt = self.get_tgt(service1_creds) + self.assertElementPresent(service1_tgt.ticket_private, 'authtime') + service1_tgt_authtime = self.getElementValue(service1_tgt.ticket_private, 'authtime') client_username = client_creds.get_username() client_realm = client_creds.get_realm() @@ -625,6 +633,8 @@ class S4UKerberosTests(KDCBaseTest): ARCFOUR_HMAC_MD5)) if s4u2self: + self.assertEqual(authtime_delay, 0) + def generate_s4u2self_padata(_kdc_exchange_dict, _callback_dict, req_body): 
@@ -670,19 +680,32 @@ class S4UKerberosTests(KDCBaseTest): client_service_tkt = s4u2self_kdc_exchange_dict['rep_ticket_creds'] else: + if authtime_delay != 0: + time.sleep(authtime_delay) + fresh = True + else: + fresh = False + client_tgt = self.get_tgt(client_creds, kdc_options=client_tkt_options, - expected_flags=expected_flags) + expected_flags=expected_flags, + fresh=fresh) client_service_tkt = self.get_service_ticket( client_tgt, service1_creds, kdc_options=client_tkt_options, - expected_flags=expected_flags) + expected_flags=expected_flags, + fresh=fresh) modify_client_tkt_fn = kdc_dict.pop('modify_client_tkt_fn', None) if modify_client_tkt_fn is not None: client_service_tkt = modify_client_tkt_fn(client_service_tkt) + self.assertElementPresent(client_service_tkt.ticket_private, 'authtime') + expected_authtime = self.getElementValue(client_service_tkt.ticket_private, 'authtime') + if authtime_delay > 1: + self.assertNotEqual(expected_authtime, service1_tgt_authtime) + additional_tickets = [client_service_tkt.ticket] modify_service_tgt_fn = kdc_dict.pop('modify_service_tgt_fn', None) @@ -722,7 +745,11 @@ class S4UKerberosTests(KDCBaseTest): pac_options = kdc_dict.pop('pac_options', None) - authenticator_subkey = self.RandomKey(Enctype.AES256) + use_authenticator_subkey = kdc_dict.pop('use_authenticator_subkey', True) + if use_authenticator_subkey: + authenticator_subkey = self.RandomKey(Enctype.AES256) + else: + authenticator_subkey = None expected_proxy_target = service2_creds.get_spn() 
@@ -759,22 +786,65 @@ class S4UKerberosTests(KDCBaseTest): expected_transited_services=expected_transited_services, expect_pac=expect_pac) + EncAuthorizationData = kdc_dict.pop('enc-authorization-data', None) + + if EncAuthorizationData is not None: + if authenticator_subkey is not None: + EncAuthorizationData_key = authenticator_subkey + EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SUBKEY + else: + EncAuthorizationData_key = client_service_tkt.session_key + EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SESSION + else: + EncAuthorizationData_key = None + EncAuthorizationData_usage = None + self._generic_kdc_exchange(kdc_exchange_dict, cname=None, realm=service2_realm, sname=service2_sname, etypes=etypes, - additional_tickets=additional_tickets) + additional_tickets=additional_tickets, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + EncAuthorizationData_usage=EncAuthorizationData_usage) if not expected_error_mode: # Check whether the ticket contains a PAC. 
ticket = kdc_exchange_dict['rep_ticket_creds'] + self.assertElementEqual(ticket.ticket_private, 'authtime', expected_authtime) pac = self.get_ticket_pac(ticket, expect_pac=expect_pac) + ticket_auth_data = ticket.ticket_private.get('authorization-data') + expected_num_ticket_auth_data = 0 if expect_pac: self.assertIsNotNone(pac) + expected_num_ticket_auth_data += 1 else: self.assertIsNone(pac) + if EncAuthorizationData is not None: + expected_num_ticket_auth_data += len(EncAuthorizationData) + + if expected_num_ticket_auth_data == 0: + self.assertIsNone(ticket_auth_data) + else: + self.assertIsNotNone(ticket_auth_data) + self.assertEqual(len(ticket_auth_data), + expected_num_ticket_auth_data) + + if EncAuthorizationData is not None: + enc_ad_plain = self.der_encode( + EncAuthorizationData, + asn1Spec=krb5_asn1.AuthorizationData()) + req_EncAuthorizationData = self.der_decode( + enc_ad_plain, + asn1Spec=krb5_asn1.AuthorizationData()) + + rep_EncAuthorizationData = ticket_auth_data.copy() + if expect_pac: + rep_EncAuthorizationData.pop(0) + self.assertEqual(rep_EncAuthorizationData, req_EncAuthorizationData) + # Ensure we used all the parameters given to us. self.assertEqual({}, kdc_dict) 
@@ -793,6 +863,52 @@ class S4UKerberosTests(KDCBaseTest): 'allow_delegation': True }) + def test_constrained_delegation_authtime(self): + # Test constrained delegation. + self._run_delegation_test( + { + 'expected_error_mode': 0, + 'allow_delegation': True, + 'authtime_delay': 2, + }) + + def test_constrained_delegation_with_enc_auth_data_subkey(self): + # Test constrained delegation. + EncAuthorizationData = [] + relevant_elems = [] + auth_data777 = self.AuthorizationData_create(777, b'AuthorizationData777') + relevant_elems.append(auth_data777) + auth_data999 = self.AuthorizationData_create(999, b'AuthorizationData999') + relevant_elems.append(auth_data999) + ad_relevant = self.der_encode(relevant_elems, asn1Spec=krb5_asn1.AD_IF_RELEVANT()) + ad_data = self.AuthorizationData_create(AD_IF_RELEVANT, ad_relevant) + EncAuthorizationData.append(ad_data) + self._run_delegation_test( + { + 'expected_error_mode': 0, + 'allow_delegation': True, + 'enc-authorization-data': EncAuthorizationData, + }) + + def test_constrained_delegation_with_enc_auth_data_no_subkey(self): + # Test constrained delegation. + EncAuthorizationData = [] + relevant_elems = [] + auth_data777 = self.AuthorizationData_create(777, b'AuthorizationData777') + relevant_elems.append(auth_data777) + auth_data999 = self.AuthorizationData_create(999, b'AuthorizationData999') + relevant_elems.append(auth_data999) + ad_relevant = self.der_encode(relevant_elems, asn1Spec=krb5_asn1.AD_IF_RELEVANT()) + ad_data = self.AuthorizationData_create(AD_IF_RELEVANT, ad_relevant) + EncAuthorizationData.append(ad_data) + self._run_delegation_test( + { + 'expected_error_mode': 0, + 'allow_delegation': True, + 'enc-authorization-data': EncAuthorizationData, + 'use_authenticator_subkey': False, + }) + def test_constrained_delegation_authentication_asserted_identity(self): # Test constrained delegation and check asserted identity is the # authentication authority. Note that we should always find this 
diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c index 5d051b4f7da..428ae5f2a4c 100644 --- a/source3/modules/vfs_aio_pthread.c +++ b/source3/modules/vfs_aio_pthread.c @@ -468,6 +468,13 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle, return -1; } + if (fsp->conn->sconn->pool == NULL) { + /* + * a threadpool is required for async support + */ + aio_allow_open = false; + } + if (fsp->conn->sconn->client->server_multi_channel_enabled) { /* * This module is not compatible with multi channel yet. diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 51b5e1ac4f6..235d87266fd 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -826,7 +826,7 @@ plantestsuite("samba4.blackbox.client_etypes_all(ad_dc:client)", "ad_dc:client", plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'legacy', '23']) plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18']) plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD']) -plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID']) +plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID', configuration]) env = "ad_member:local" plantestsuite("samba4.blackbox.net_ads_search_server_P.primary", env, 
diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh b/testprogs/blackbox/test_samba-tool_ntacl.sh index 24589729791..1571b1a72c5 100755 --- a/testprogs/blackbox/test_samba-tool_ntacl.sh +++ b/testprogs/blackbox/test_samba-tool_ntacl.sh @@ -2,20 +2,28 @@ # Blackbox tests for samba-tool ntacl get/set on member server # Copyright (C) 2018 Björn Baumbach <b...@sernet.de> -if [ $# -ne 2 ]; then - echo "Usage: test_samba-tool_ntacl.sh PREFIX DOMSID" +if [ $# -ne 3 ]; then + echo "Usage: test_samba-tool_ntacl.sh PREFIX DOMSID CONFIGURATION" exit 1 fi +set -u +set -e + PREFIX=$1 domain_sid=$2 +CONFIGURATION=$3 failed=0 samba4bindir="$BINDIR" samba_tool="$samba4bindir/samba-tool" -testfile="$PREFIX/ntacl_testfile" +testdirtop="$PREFIX/ntacl_testdirtop" +testfile="$testdirtop/testfile" +testdir1="$testdirtop/dir1" +testdir1f="$testdirtop/dir1/file" +testdir1l="$testdirtop/dir1/symlink" # acl from samba_tool/ntacl.py tests acl="O:DAG:DUD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" @@ -31,8 +39,9 @@ test_get_acl() { testfile="$1" exptextedacl="$2" + shift 2 - retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl) || return $? + retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl "$@") || return $? test "$retacl" = "$exptextedacl" } @@ -41,8 +50,9 @@ test_set_acl() { -- Samba Shared Repository
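Review bot: in python/samba/netcmd/dns.py @@ -917, the changed help line hardcodes 'default: domain' while the real default is given two lines below as `default='domain'`, so the two can drift apart; optparse expands `%default` inside help strings, so `'replication, default: %default).'` keeps the help text correct if the default ever changes.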
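Review bot: in python/samba/netcmd/ntacl.py @@ -70, the synopsis changes `<file>` to `<path>`, but the docstring in the context line just above it still reads `"""Set ACLs on a file."""`; since `samba-tool` shows that text as the command description and the command now accepts a directory with `--recursive`, update it to something like `"""Set ACLs on a file or directory tree."""`.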
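Review bot: in python/samba/netcmd/ntacl.py @@ -79, the help text of the new `--follow-symlinks` option ("Follow symlinks") does not tell the user what happens without it, which is the part that matters for safety: a symlink is rejected, or skipped under `--recursive`. Spell that out, e.g. `help="Follow symlinks; without this a symlink is an error, or is skipped with --recursive"`. The comment `# --quiet is not used at all...` above the suppressed `-q` option would also read better as a statement of why the dead option is still accepted (existing scripts may pass it) rather than trailing dots.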
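Review bot: in python/samba/netcmd/ntacl.py @@ -103, the recursive branch still descends into a symlinked top-level directory that `_setntacl_path(path)` has just ignored: when `path` is a symlink to a directory and `--follow-symlinks` is not given, `_setntacl_path` prints "ignored symlink" and returns, but `os.path.isdir(path)` follows the link and `os.walk(path, followlinks=False)` lists the link target's contents, so every file and directory under the target gets the ACL while only the link itself is skipped. Guard the walk the same way as the single-path case, e.g. `if recursive and os.path.isdir(path) and (follow_symlinks or not os.path.islink(path)):`. Note also that `os.walk(..., followlinks=True)` is documented to recurse without bound when a link points back to an ancestor; a visited set keyed on `os.path.realpath(root)` would protect `--recursive --follow-symlinks` against that.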
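Review bot: in python/samba/netcmd/ntacl.py @@ -274, the context line at the top of the hunk, `raise CommandError("Could not parse old sid %s: %s" % (new_domain_sid_str, e))`, reports the new SID string under the label "old sid"; either the label or the variable is wrong, and it is worth fixing while this function is being touched. The symlink check and the `verbose` symlink/dir/file output added to `changedom_sids` are also a line-for-line copy of `_setntacl_path` in `cmd_ntacl_set`; a module-level helper shared by both commands would keep the two behaviours from diverging.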
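Review bot: in python/samba/netcmd/ntacl.py @@ -329, the same top-level symlink gap exists as in `cmd_ntacl_set`: `changedom_sids(path)` returns early for an ignored symlink, yet `os.path.isdir(path)` is true for a symlink to a directory, so `recursive_changedom_sids(path)` still walks into the link target and rewrites the SIDs underneath it. Skip the walk when `path` is a symlink and `--follow-symlinks` was not given.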
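Review bot: in python/samba/tests/krb5/s4u_tests.py @@ -670, `time.sleep(authtime_delay)` followed by `fresh = True` adds a real wall-clock wait to the test run with no comment saying why; state that KerberosTime has one-second resolution, so a delay of two seconds (the `'authtime_delay': 2` used by the new test) guarantees the client's fresh TGT carries an authtime different from `service1_tgt_authtime`, which is exactly what the later `if authtime_delay > 1: self.assertNotEqual(...)` relies on. Requesting `fresh=True` only in the delayed case is right, since a cached TGT would defeat the check.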
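Review bot: in python/samba/tests/krb5/s4u_tests.py @@ -759, `rep_EncAuthorizationData.pop(0)` assumes the PAC is always the first element of the ticket's `authorization-data`; if the ordering ever changed the assertion would pass or fail for the wrong reason, so either assert the ad-type of element 0 before popping it or strip the PAC by type. Also, the new kdc_dict key `'enc-authorization-data'` uses hyphens while its sibling `'use_authenticator_subkey'` (@@ -722) and the other keys in this function use underscores; pick one convention.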
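Review bot: in python/samba/tests/krb5/s4u_tests.py @@ -793, the two `test_constrained_delegation_with_enc_auth_data_*` methods build the same `EncAuthorizationData` (AD-IF-RELEVANT wrapping ad-types 777 and 999) line for line, and all three new tests carry the copy-pasted comment `# Test constrained delegation.` that does not say what distinguishes them. Move the construction into a small helper and let each comment name what is being checked: the authtime of the evidence ticket, EncAuthorizationData decrypted with the authenticator subkey, and the same without a subkey so the session key must be used.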
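Review bot: in source3/modules/vfs_aio_pthread.c @@ -468, the new `pool == NULL` check falls back to a synchronous open silently; the commit message explains this happens for `samba-tool ntacl sysvolreset` and similar tools that load the VFS stack without a threadpool, but the in-code comment only says a threadpool is required. Expanding the comment to name that caller (or adding a DBG_DEBUG line) tells the next reader this is an expected configuration rather than an initialisation bug to chase.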
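Review bot: in testprogs/blackbox/test_samba-tool_ntacl.sh @@ -2, adding `set -e` changes how the `failed=0` counter works: any test invocation not guarded by `|| failed=$(expr $failed + 1)` (or another `||`/`if` context) now aborts the whole script on the first failure instead of recording it and continuing, so the `testit` calls below need checking for that guard. `set -u` also makes `samba4bindir="$BINDIR"` fail hard when `BINDIR` is not exported, which is probably desired but deserves a comment.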
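Review bot: in testprogs/blackbox/test_samba-tool_ntacl.sh @@ -31, `shift 2` plus `"$@"` is the right way to forward extra options to `ntacl get`, but the variable `exptextedacl` in the surrounding context lines is a misspelling of `expectedacl`; since this hunk already touches the function, renaming it in both places stops the typo spreading into the new `--recursive` tests.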