From 16b430e7401bb01cdaba7e39681d9d494228af03 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 13 Feb 2024 15:50:14 +0100
Subject: [PATCH] s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit 065da873296c23ef3b9051fba39be097cfff60fa)
Autobuild-User(v4-20-test): Jule Anger
Autobuild-Date(v4-20-test): Tue Jul 9 10:53:40 UTC 2024 on atb-devel-224
---
 .../expectedfail.d/samba4.ldb.simple.ldap-tls | 19 ++++++++++--
 selftest/expectedfail_heimdal | 12 +++++++
 selftest/wscript | 4 +++
 source4/selftest/tests.py | 31 +++++++++++++++++--
 4 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 selftest/expectedfail_heimdal
diff --git a/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls b/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
index 963076d5d33..24b9b94a428 100644
--- a/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
+++ b/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
@@ -1,6 +1,21 @@
 #
 ## We assert all "ldap server require strong auth" combinations
 #
-^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_without_tls_channel_bindings
 ^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
-^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc # ldap server require strong auth = yes
+# fl2003dc has ldap server require strong auth = yes
+# and correct channel bindings are required for TLS
+^samba4.ldb.simple.ldaps.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc
+# ad_dc_ntvfs and fl2008r2dc have
+# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+# it means correct channel bindings are required, if the client indicated
+# explicit (even null) channel bindings are provided
+#
+# The following are in expectedfail_heimdal for now, as MIT
+# behaves differently:
+#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=yes.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=no.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
diff --git a/selftest/expectedfail_heimdal b/selftest/expectedfail_heimdal
new file mode 100644
index 00000000000..6415a6ebb22
--- /dev/null
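Review bot: The two `forced_channel_binding=wRoNg` entries carry no environment suffix, unlike every other new line, and the comment block above them does not say that this is deliberate: a bind presenting mismatched bindings has to fail under all three "ldap server require strong auth" settings, including fl2003dc, so the pattern intentionally matches every env. A one-line comment before them would stop a later reader from "fixing" the asymmetry, e.g. `# wrong bindings must be rejected in every env, hence no env suffix`. Likewise the fl2003dc entry `tls_channel_bindings=no.*fl2003dc` matches both `channel_bound=yes` and `channel_bound=no` cases, which is consistent with `= yes` requiring bindings regardless of what the client signals; worth stating next to it. Since each line is a regex, the `.` in `ldaps.with.SASL-BIND` is a wildcard rather than a literal; this works but is inconsistent with the literal-space form used on the SIMPLE-BIND lines.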
+++ b/selftest/expectedfail_heimdal
@@ -0,0 +1,12 @@
+# ad_dc_ntvfs and fl2008r2dc have
+# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+# it means correct channel bindings are required, if the client indicated
+# explicit (even null) channel bindings are provided
+#
+# Note currently only embedded_heimdal supports
+# GSS_C_CHANNEL_BOUND_FLAG as client.
+# See also:
+# https://github.com/heimdal/heimdal/pull/1234
+# https://github.com/krb5/krb5/pull/1329
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
diff --git a/selftest/wscript b/selftest/wscript
index daf497d5e62..b8faf6dbc84 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -274,6 +274,10 @@ def cmd_testonly(opt):
 env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
 "knownfail_heimdal_kdc"
 
+ if CONFIG_SET(opt, 'USING_EMBEDDED_HEIMDAL'):
+ env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
+ "expectedfail_heimdal"
+
 if CONFIG_GET(opt, 'SIZEOF_VOID_P') == 4:
 env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/knownfail-32bit"
 env.OPTIONS += " --default-ldb-backend=tdb --exclude=${srcdir}/selftest/skip-32bit"
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index e47eb5766da..363a1a24fa7 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
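Review bot: The header comment explains why the file is Heimdal-only but not why the two entries are failures there and not elsewhere, which is the point a reader needs before editing this list. The `channel_bound=yes` option only has an effect when the client library can set `GSS_C_CHANNEL_BOUND_FLAG`; the entries presumably fail with embedded Heimdal because the client signals bindings but sends none over TLS (`tls_channel_bindings=no`), while a client that cannot signal the flag is accepted by `allow_sasl_without_tls_channel_bindings` and the same tests pass. A sentence after the "See also" block would capture that, e.g. `# With a client that does not send the flag these binds succeed, so they must not be listed as failures there.` It also helps to note that the matching lines in expectedfail.d/samba4.ldb.simple.ldap-tls are kept commented out rather than duplicated, so the two files do not drift apart.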
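Review bot: The new `if CONFIG_SET(opt, 'USING_EMBEDDED_HEIMDAL'):` branch sits directly after a block that already appends `knownfail_heimdal_kdc` to `env.FILTER_XFAIL`; if that block is guarded by the same condition (its `if` line is outside this hunk, and `cmd_testonly` starts before it), the new append belongs inside the existing branch rather than in a second test of the same flag, i.e. one more `env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/expectedfail_heimdal"` there. Whichever placement is kept, a short comment on why this list is Heimdal-specific would save a reader a trip to the expectation file, e.g. `# channel-binding expectations only the embedded Heimdal client can exercise`.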
@@ -163,19 +163,44 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
 '--use-kerberos=required --option=clientldapsaslwrapping=plain',
 '--use-kerberos=required --client-protection=sign',
 '--use-kerberos=required --client-protection=encrypt',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
 '--use-kerberos=disabled --option=clientldapsaslwrapping=plain',
 '--use-kerberos=disabled --client-protection=sign --option=ntlmssp_client:ldap_style_send_seal=no',
 '--use-kerberos=disabled --client-protection=sign',
 '--use-kerberos=disabled --client-protection=encrypt',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
 ]
 for auth_option in auth_options:
 options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
 plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
 env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
- options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
- plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
- env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
+ auth_options = [
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ ]
+ for auth_option in auth_options:
+ options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check" ' + auth_option
+ plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
+ env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
 envraw = "fl2008r2dc"
 env = "%s:local" % envraw