#!/bin/sh
# Blackbox tests for disabling NTLMSSP for ldap client connections
# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
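# Both positional arguments are required: the account used for the
# "net ads search" calls below.
if [ $# -lt 2 ]; then
	cat <<EOF
Usage: $0 USERNAME PASSWORD
EOF
	exit 1
fi

USERNAME=$1
PASSWORD=$2
shift 2

# Count of failed checks; becomes the exit status of this script.
failed=0

# The test helpers used below (testit, testit_grep,
# testit_expect_failure_grep) are not defined in this file;
# presumably they come from subunit.sh next to this script.
. "$(dirname "$0")/subunit.sh"

# BINDIR and SMB_CONF_PATH are not set here; presumably the selftest
# environment exports them before this script runs.
samba_testparm="$BINDIR/testparm"
samba_net="$BINDIR/net"

# --- Phase 1: FIPS mode not forced, weak crypto (and so NTLM) allowed ---
unset GNUTLS_FORCE_FIPS_MODE

# Checks that testparm reports: Weak crypto is allowed
testit_grep "testparm" "Weak crypto is allowed" \
	"$samba_testparm" --suppress-prompt "$SMB_CONF_PATH" 2>&1 ||
	failed=$((failed + 1))

# We should be allowed to use NTLM for connecting.
# --use-kerberos=off forces the non-Kerberos path, so this only passes if
# NTLM authentication is actually accepted.
# The credentials are passed as -UUSER%PASSWORD on the command line and are
# therefore visible in the process list while net runs; use a test-only
# account.
# NOTE(review): the test names "testparm" and "net_ads_search.ntlm" are
# reused in phase 2; distinct names would make the results unambiguous.
testit "net_ads_search.ntlm" \
	"$samba_net" ads search --use-kerberos=off \
	'(objectCategory=group)' sAMAccountName \
	-U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

# --- Phase 2: FIPS mode forced, weak crypto (and so NTLM) refused ---
GNUTLS_FORCE_FIPS_MODE=1
export GNUTLS_FORCE_FIPS_MODE

# Checks that testparm reports: Weak crypto is disallowed
# This also confirms that the exported variable took effect, so the
# refusal test below is not evaluated against a non-FIPS process.
testit_grep "testparm" "Weak crypto is disallowed" \
	"$samba_testparm" --suppress-prompt "$SMB_CONF_PATH" 2>&1 ||
	failed=$((failed + 1))

# We should not be allowed to use NTLM for connecting.
# The command must fail AND print the specific refusal message, so a failure
# for an unrelated reason (wrong password, server down) does not count as a
# pass. Presumably -d10 is needed for that message to appear in the output.
testit_expect_failure_grep "net_ads_search.ntlm" \
	"We can't fallback to NTLMSSP, weak crypto is disallowed." \
	"$samba_net" ads search --use-kerberos=off -d10 \
	'(objectCategory=group)' sAMAccountName \
	-U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

# Do not leave forced FIPS mode exported for whatever runs after this.
unset GNUTLS_FORCE_FIPS_MODE

exit "$failed"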