mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

test: Add a test for "deny ous"

Not a comprehensive test for all possible combinations, but it shows
the basic functionality, and it found a bug in the initial
implementation :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke 2023-03-07 17:21:56 +01:00 committed by Ralph Boehme
parent f9849dbf4f
commit b755b81d66
2 changed files with 35 additions and 0 deletions


@ -80,6 +80,20 @@ dn: CN=Domain Admins,CN=Users,$BASE_DN
changetype: modify
add: gidNumber
gidNumber: 2000002
dn: ou=sub,$BASE_DN
changetype: add
objectClass: organizationalUnit
dn: cn=forbidden,ou=sub,$BASE_DN
changetype: add
objectClass: user
samaccountName: forbidden
uidNumber: 2000003
gidNumber: 2000001
unixHomeDirectory: /home/forbidden
loginShell: /bin/tcsh
gecos: User in forbidden OU
EOF
#
@ -143,6 +157,20 @@ test "$out" = "$DOMAIN_SID-512"
ret=$?
testit "Test gid lookup of Domain Admins" test $ret -eq 0 || failed=$(expr $failed + 1)
#
# Test 5: Make sure deny_ou is really denied
# This depends on the "deny ous" setting in Samba3.pm
#
sid="$($wbinfo -n $DOMAIN/forbidden | awk '{print $1}')"
testit "Could create forbidden" test -n "$sid" || failed=$(expr $failed + 1)
if [ -n "$sid" ]
then
uid="$($wbinfo --sid-to-uid $sid)"
testit "Can not resolve forbidden user" test -z "$uid" ||
failed=$(($failed + 1))
fi
#
# Trusted domain test 1: Test uid of Administrator, should be 2500000
#
@ -209,6 +237,12 @@ dn: CN=Domain Admins,CN=Users,$BASE_DN
changetype: modify
delete: gidNumber
gidNumber: 2000002
dn: cn=forbidden,ou=sub,$BASE_DN
changetype: delete
dn: ou=sub,$BASE_DN
changetype: delete
EOF
#
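Review bot: The denial check `test -z "$uid"` in Test 5 is satisfied by any failure of `$wbinfo --sid-to-uid`, not only by the "deny ous" filter, so it would still pass if the lookup failed for an unrelated reason such as a missing or mistyped `uidNumber` in the LDIF. Because this guards an access-control setting, I would add a control entry with the same POSIX attributes outside `ou=sub` and assert that it resolves to its `uidNumber`. An entry in an OU nested below `ou=sub` would also be worth covering, since the LDIF only exercises a direct child (whether nested OUs are meant to be denied is not visible here). Smaller points in the same block: `$sid` is passed unquoted to `--sid-to-uid`, the label "Could create forbidden" actually reports a name-to-SID lookup, and the block mixes `$(expr $failed + 1)` with `$(($failed + 1))`. The surrounding script starts and ends outside these hunks.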


@ -1390,6 +1390,7 @@ sub setup_ad_member_idmap_ad
idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
idmap config $dcvars->{DOMAIN} : unix_primary_group = yes
idmap config $dcvars->{DOMAIN} : unix_nss_info = yes
idmap config $dcvars->{DOMAIN} : deny ous = \"ou=sub,DC=samba2008r2,DC=example,DC=com\"
idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
gensec_gssapi:requested_life_time = 5
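Review bot: The `deny ous` value hard-codes `DC=samba2008r2,DC=example,DC=com`, while the LDIF in the test script builds the same OU from `$BASE_DN`, so the two can drift apart if the DC environment's realm ever changes. The filter would then stop matching, and the only signal would be the "Can not resolve forbidden user" test failing with no hint about the cause. If `$dcvars` exposes the DC's base DN (not visible in this hunk), build the value from it. Otherwise add a comment above the line, for example `# must match ou=sub,$BASE_DN used by the idmap_ad test script`. `setup_ad_member_idmap_ad` begins and ends outside the hunk.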