#!/bin/sh
# Blackbox tests for net ads dns register etc.
# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
# All six positional arguments are mandatory: print the usage line and stop
# with status 1 when fewer were given.
[ $# -ge 6 ] || {
	cat <<EOF
Usage: test_net_ads_dns.sh SERVER DC_USERNAME DC_PASSWORD REALM USER PASS
EOF
	exit 1
}
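# Positional arguments. DC_USERNAME/DC_PASSWORD are the account passed with -U
# for the privileged operations below; USERNAME/PASSWORD are accepted but not
# referenced in the visible part of this script.
SERVER=$1
DC_USERNAME=$2
DC_PASSWORD=$3
REALM=$4
USERNAME=$5
PASSWORD=$6
shift 6

# Running count of failed test cases, handed to testok at the end.
failed=0

# Tool paths, all resolved relative to the build's binary directory.
samba4bindir="$BINDIR"
samba_tool="$samba4bindir/samba-tool"
net_tool="$samba4bindir/net"
smbpasswd="$samba4bindir/smbpasswd"
texpect="$samba4bindir/texpect"

newuser="$samba_tool user create"
groupaddmem="$samba_tool group addmembers"

# Source the test helpers that sit next to this script. The directory is
# quoted in both lines so a checkout path containing whitespace or glob
# characters does not get split before the file is sourced.
. "$(dirname "$0")/subunit.sh"
. "$(dirname "${0}")/common_test_fns.inc"

ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")

# Fixture addresses: one per identity that registers a record.
IPADDRESS=10.1.4.111
IP6ADDRESS=fd00:1a1a::1:5ee:bad:c0de
IPADDRMAC=10.1.4.124
UNPRIVIP=10.1.4.130

# Host and user names carry the shell's PID so each run uses its own names.
ADMINNAME=testname.$$
MACHINENAME=membername.$$
UNPRIVNAME=unprivname.$$
UNPRIVUSER=unprivuser.$$
# Fixed password for the throwaway unprivileged account that this script
# creates and later deletes; it is a test fixture, not a secret.
UNPRIVPASS=UnPrivPass1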
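# These tests check that privileged users (and the machine account) can add
# DNS names, and that an unprivileged user can register a new name of its own
# but cannot overwrite a name that somebody else registered.
echo "Starting ..."

# NOTE: -U"user%password" hands the password to the tool on its command line,
# where other local users may be able to read it from the process list. The
# values are expected to be selftest fixtures, not real credentials.
# $VALGRIND and $net_tool are left unquoted, as in the original, so an empty
# or multi-word value still expands the way it did before. Everything else is
# quoted so that a value containing whitespace or glob characters reaches the
# tool as one argument.
testit "admin user should be able to add a DNS entry $ADMINNAME.$REALM $IPADDRESS $IP6ADDRESS" \
	$VALGRIND $net_tool ads dns register "$ADMINNAME.$REALM" "$IPADDRESS" "$IP6ADDRESS" "-U$DC_USERNAME%$DC_PASSWORD" ||
	failed=$((failed + 1))

# The A and AAAA records must each show up exactly once on the server.
testit_grep_count \
	"We should be able to see the new name $ADMINNAME.$REALM $IPADDRESS" \
	"$IPADDRESS" \
	1 \
	dig "@$SERVER" +short -t a "$ADMINNAME.$REALM" ||
	failed=$((failed + 1))
testit_grep_count \
	"We should be able to see the new name $ADMINNAME.$REALM $IP6ADDRESS" \
	"$IP6ADDRESS" \
	1 \
	dig "@$SERVER" +short -t aaaa "$ADMINNAME.$REALM" ||
	failed=$((failed + 1))

testit "We should be able to unregister the name $ADMINNAME.$REALM" \
	$VALGRIND $net_tool ads dns unregister "$ADMINNAME.$REALM" "-U$DC_USERNAME%$DC_PASSWORD" ||
	failed=$((failed + 1))

# After unregistering, neither address may be returned any more.
testit_grep_count \
	"The name $ADMINNAME.$REALM $IPADDRESS should not be there any longer" \
	"$IPADDRESS" \
	0 \
	dig "@$SERVER" +short -t a "$ADMINNAME.$REALM" ||
	failed=$((failed + 1))
testit_grep_count \
	"The name $ADMINNAME.$REALM $IP6ADDRESS should not be there any longer" \
	"$IP6ADDRESS" \
	0 \
	dig "@$SERVER" +short -t aaaa "$ADMINNAME.$REALM" ||
	failed=$((failed + 1))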
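# prime the kpasswd server, see "git blame" for an explanation
# (exit statuses of this add/delete pair are deliberately not counted)
$VALGRIND $net_tool user add "$UNPRIVUSER" "$UNPRIVPASS" "-U$DC_USERNAME%$DC_PASSWORD"
$VALGRIND $net_tool user delete "$UNPRIVUSER" "-U$DC_USERNAME%$DC_PASSWORD"

# This should be an expect_failure test ...
testit "Adding an unprivileged user" \
	$VALGRIND $net_tool user add "$UNPRIVUSER" "$UNPRIVPASS" "-U$DC_USERNAME%$DC_PASSWORD" ||
	failed=$((failed + 1))

# Ask the server's rootDSE (empty base, base scope) for the domain's base DN.
BASEDN=$($VALGRIND $ldbsearch "-U$DC_USERNAME%$DC_PASSWORD" -H "ldap://$SERVER.$REALM" -b '' --scope=base defaultNamingContext |
	grep defaultNamingContext |
	sed -e 's!^defaultNamingContext: !!')

# The LDIF is kept on one line with '+' standing in for newlines and expanded
# by tr below, so neither $UNPRIVUSER nor $BASEDN may contain a '+'.
# userAccountControl 512 is the plain normal-account value with no disable
# flag set, which is what enables the freshly created account.
LDIF="dn: CN=$UNPRIVUSER,CN=users,${BASEDN}+changetype: modify+replace: userAccountControl+userAccountControl: 512"

# printf with a quoted argument keeps the DN intact even if it contains
# whitespace runs or glob characters; STATUS is ldbmodify's exit status
# because it is the last command of the pipeline.
printf '%s\n' "$LDIF" | tr '+' '\n' | $VALGRIND $ldbmodify "-U$DC_USERNAME%$DC_PASSWORD" -H "ldap://$SERVER.$REALM" -i
STATUS=$?

testit "We should have enabled the account" \
	test "$STATUS" -eq 0 ||
	failed=$((failed + 1))

# Unprivileged users should be able to add new names
testit "Unprivileged users should be able to add new names" \
	$net_tool ads dns register "$UNPRIVNAME.$REALM" "$UNPRIVIP" "-U$UNPRIVUSER%$UNPRIVPASS" ||
	failed=$((failed + 1))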
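# This should work as well: -P makes the tool authenticate with the machine
# account instead of an explicit -U user.
testit "machine account should be able to add a DNS entry net ads dns register $MACHINENAME.$REALM $IPADDRMAC -P" \
	$net_tool ads dns register "$MACHINENAME.$REALM" "$IPADDRMAC" -P ||
	failed=$((failed + 1))

testit_grep_count \
	"We should be able to see the new name $MACHINENAME.$REALM" \
	"$IPADDRMAC" \
	1 \
	dig "@$SERVER" +short -t a "$MACHINENAME.$REALM" ||
	failed=$((failed + 1))

# Unprivileged users should not be able to overwrite other's names.
# This is the authorization check of the script: the record above was created
# by the machine account, and the unprivileged user now tries to re-register
# the same name with its own address.
# NOTE(review): only the tool's exit status is checked; nothing re-queries
# the record afterwards to confirm it still points at $IPADDRMAC.
testit_expect_failure \
	"Unprivileged users should not be able to modify existing names" \
	$net_tool ads dns register "$MACHINENAME.$REALM" "$UNPRIVIP" "-U$UNPRIVUSER%$UNPRIVPASS" ||
	failed=$((failed + 1))

# Each identity removes the name it registered itself.
testit "We should be able to unregister the name $UNPRIVNAME.$REALM $IPADDRESS" \
	$VALGRIND $net_tool ads dns unregister "$UNPRIVNAME.$REALM" "-U$UNPRIVUSER%$UNPRIVPASS" ||
	failed=$((failed + 1))

testit "We should be able to unregister the name $MACHINENAME.$REALM $IPADDRESS" \
	$VALGRIND $net_tool ads dns unregister "$MACHINENAME.$REALM" -P ||
	failed=$((failed + 1))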
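# Remove the unprivileged user, which is not required anymore
# (best-effort cleanup: the exit status is not counted as a test result)
$VALGRIND $net_tool user delete "$UNPRIVUSER" "-U$DC_USERNAME%$DC_PASSWORD"

# NOTE(review): the checks below grep for $IPADDRESS / $IP6ADDRESS, but
# earlier in this script $UNPRIVNAME is registered with $UNPRIVIP and
# $MACHINENAME with $IPADDRMAC. A count of 0 for these patterns would
# therefore also be reported if an unregister had silently left the record in
# place - confirm whether $UNPRIVIP / $IPADDRMAC were meant here.
testit_grep_count \
	"The name $UNPRIVNAME.$REALM ($IPADDRESS) should not be there any longer" \
	"$IPADDRESS" \
	0 \
	dig "@$SERVER" +short -t a "$UNPRIVNAME.$REALM" ||
	failed=$((failed + 1))
testit_grep_count \
	"The name $UNPRIVNAME.$REALM ($IP6ADDRESS) should not be there any longer" \
	"$IP6ADDRESS" \
	0 \
	dig "@$SERVER" +short -t aaaa "$UNPRIVNAME.$REALM" ||
	failed=$((failed + 1))

testit_grep_count \
	"The name $MACHINENAME.$REALM ($IPADDRESS) should not be there any longer" \
	"$IPADDRESS" \
	0 \
	dig "@$SERVER" +short -t a "$MACHINENAME.$REALM" ||
	failed=$((failed + 1))
testit_grep_count \
	"The name $MACHINENAME.$REALM ($IP6ADDRESS) should not be there any longer" \
	"$IP6ADDRESS" \
	0 \
	dig "@$SERVER" +short -t aaaa "$MACHINENAME.$REALM" ||
	failed=$((failed + 1))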
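# Tests with --dns-ttl option
testit "net ads dns register with default TTL" \
	$net_tool ads dns register "$MACHINENAME.$REALM" "$IPADDRMAC" -P ||
	failed=$((failed + 1))

# With +noall +ttlid +answer dig prints only the answer section; the second
# column of that line is the record's TTL.
TTL=$(dig "@$SERVER.$REALM" +noall +ttlid +answer -t A "$MACHINENAME.$REALM" |
	awk '{ print $2 }')
testit "Verify default TTL of 3600 seconds" \
	test "$TTL" = "3600" ||
	failed=$((failed + 1))

# --force re-registers the existing name so that the new TTL is applied.
testit "Update record with TTL of 60 seconds" \
	$net_tool ads dns register --dns-ttl 60 --force "$MACHINENAME.$REALM" "$IPADDRMAC" -P ||
	failed=$((failed + 1))

TTL=$(dig "@$SERVER.$REALM" +noall +ttlid +answer -t A "$MACHINENAME.$REALM" |
	awk '{ print $2 }')
testit "Verify new TTL of 60 seconds" \
	test "$TTL" = "60" ||
	failed=$((failed + 1))

testit "We should be able to unregister the name $MACHINENAME.$REALM $IPADDRESS" \
	$VALGRIND $net_tool ads dns unregister "$MACHINENAME.$REALM" -P ||
	failed=$((failed + 1))

# NOTE(review): the record above was registered with $IPADDRMAC, while these
# checks grep for $IPADDRESS / $IP6ADDRESS, so a count of 0 would also be
# reported if the unregister had left the record in place - confirm whether
# $IPADDRMAC was meant for the A-record check.
testit_grep_count \
	"The name $MACHINENAME.$REALM ($IPADDRESS) should not be there any longer" \
	"$IPADDRESS" \
	0 \
	dig "@$SERVER.$REALM" +short -t A "$MACHINENAME.$REALM" ||
	failed=$((failed + 1))
testit_grep_count \
	"The name $MACHINENAME.$REALM ($IP6ADDRESS) should not be there any longer" \
	"$IP6ADDRESS" \
	0 \
	dig "@$SERVER.$REALM" +short -t AAAA "$MACHINENAME.$REALM" ||
	failed=$((failed + 1))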
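# Report the overall result: the script path and the number of failed cases.
# Both are quoted so a script path containing whitespace stays one argument.
testok "$0" "$failed"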