sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-28 01:58:17 +03:00
Code

s4-torture: Expand whoami test to confirm the user token.

Browse Source 
This uses the tokenGroups attribute on LDAP and the posix whoami call
to confirm that user token matches between LDAP and CIFS.

I have a seperate patch for the anonymous case, because this isn't
consistent at this stage, and we need to study and fix that.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 20 18:43:43 CEST 2012 on sn-devel-104
This commit is contained in:
Andrew Bartlett 2012-06-20 18:23:18 +10:00
parent 06243510dc
commit bc9e12183f
2 changed files with 45 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source3/selftest/tests.py
View File

@ -304,7 +304,7 @@ for t in tests:
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
elif t == "unix.whoami":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:addc=true')
elif t == "raw.samba3posixtimedlock":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')

46
source4/torture/unix/whoami.c
View File

@ -25,6 +25,12 @@
#include "auth/credentials/credentials.h"
#include "param/param.h"
#include "libcli/resolve/resolve.h"
#include <ldb.h>
#include "lib/util/util_ldb.h"
#include "ldb_wrap.h"
#include "dsdb/samdb/samdb.h"
#include "../libcli/security/security.h"
/* Size (in bytes) of the required fields in the SMBwhoami response. */
#define WHOAMI_REQUIRED_SIZE 40
@ -92,7 +98,7 @@ static struct smbcli_state *connect_to_server(struct torture_context *tctx,
return cli;
}
static bool sid_parse(void *mem_ctx,
static bool whoami_sid_parse(void *mem_ctx,
struct torture_context *torture,
DATA_BLOB *data, size_t *offset,
struct dom_sid **psid)
@ -248,7 +254,7 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
"out of memory");
for (i = 0; i < whoami->num_sids; ++i) {
if (!sid_parse(mem_ctx, torture,
if (!whoami_sid_parse(mem_ctx, torture,
&tp.out.data, &offset,
&whoami->sid_list[i])) {
return false;
@ -264,12 +270,37 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
return true;
}
static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, struct smb_whoami *whoami)
{
struct ldb_message *msg;
struct ldb_message_element *el;
const char *attrs[] = { "tokenGroups", NULL };
int i;
torture_assert_int_equal(torture, dsdb_search_one(ldb, torture, &msg, NULL, LDB_SCOPE_BASE, attrs, 0, NULL), LDB_SUCCESS, "searching for tokenGroups");
el = ldb_msg_find_element(msg, "tokenGroups");
torture_assert(torture, el, "obtaining tokenGroups");
torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
for (i = 0; i < el->num_values; i++) {
struct dom_sid *sid = talloc(torture, struct dom_sid);
torture_assert(torture, sid != NULL, "talloc failed");
torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
talloc_free(sid);
}
return true;
}
bool torture_unix_whoami(struct torture_context *torture)
{
struct smbcli_state *cli;
struct cli_credentials *anon_credentials;
struct smb_whoami whoami;
bool ret;
struct ldb_context *ldb;
cli = connect_to_server(torture, cmdline_credentials);
torture_assert(torture, cli, "connecting to server with authenticated credentials");
@ -279,6 +310,17 @@ bool torture_unix_whoami(struct torture_context *torture)
cli, &whoami, 0xFFFF), ret, fail,
"calling SMB_QFS_POSIX_WHOAMI on an authenticated connection");
if (torture_setting_bool(torture, "addc", false)) {
ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", torture_setting_string(torture, "host", NULL)),
NULL, cmdline_credentials, 0);
torture_assert(torture, ldb, "ldb connect failed");
/* We skip this testing if we could not contact the LDAP server */
if (!test_against_ldap(torture, ldb, &whoami)) {
goto fail;
}
}
/* Test that the server drops the UID and GID list. */
torture_assert_goto(torture, smb_raw_query_posix_whoami(torture, torture,
cli, &whoami, 0x40), ret, fail,