selftest: Run krb5.kdc test against users with a UPN

This tests both a UPN in our own realm, and a UPN with a non-realm suffix.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jan 23 08:10:07 CET 2015 on sn-devel-104

selftest/target/Samba4.pm

@@ -821,6 +821,18 @@ sub provision_raw_step2($$$)
 		return undef;
 	}
 
+	my $ldbmodify = Samba::bindir_path($self, "ldbmodify");
+	my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
+	my $user_dn = "cn=testallowed,cn=users,$base_dn";
+	open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+	print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testallowed_upn\@$ctx->{realm}
+-	    
+";
+	close(LDIF);
+
 	$samba_tool_cmd = Samba::bindir_path($self, "samba-tool") 
 	    . " user add --configfile=$ctx->{smb_conf} testdenied $ctx->{password}";
 	unless (system($samba_tool_cmd) == 0) {
@@ -828,6 +840,16 @@ sub provision_raw_step2($$$)
 		return undef;
 	}
 
+	my $user_dn = "cn=testdenied,cn=users,$base_dn";
+	open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+	print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
+-	    
+";
+	close(LDIF);
+
 	$samba_tool_cmd = Samba::bindir_path($self, "samba-tool") 
 	    . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' testallowed";
 	unless (system($samba_tool_cmd) == 0) {

source4/selftest/tests.py

@@ -556,7 +556,7 @@ for env in ["dc", "rodc", "promoted_dc", "plugin_s4_dc", "fl2000dc", "fl2003dc",
 
     plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'] + extra_options,
                              "samba4.krb5.kdc with specified account")
-    plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestdenied%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'] + extra_options,
+    plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestdenied%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM', '--option=torture:krb5-upn=testdenied_upn@$REALM.upn'] + extra_options,
                              "samba4.krb5.kdc with account DENIED permission to replicate to an RODC")
 
     # These last two tests are for users cached at the RODC
@@ -567,7 +567,7 @@ for env in ["dc", "rodc", "promoted_dc", "plugin_s4_dc", "fl2000dc", "fl2003dc",
 
     plansmbtorture4testsuite('krb5.kdc', "%s:local" % env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-P', '--workgroup=$DOMAIN', '--realm=$REALM'] + extra_options,
                              "samba4.krb5.kdc with machine account")
-    plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestallowed%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'] + extra_options,
+    plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestallowed%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM', '--option=torture:krb5-upn=testallowed_upn@$REALM'] + extra_options,
                              "samba4.krb5.kdc with account ALLOWED permission to replicate to an RODC")
 
 # TODO: Verifying the databases really should be a part of the