1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

947 Commits

Author SHA1 Message Date
Noel Power
ebfe3c85d0 Add a blackbox tests for id & getent to test domain@realm type credentials
Using domain@realm credentials has been problematic when
global conf setting "winbind use default domain" is enabled, this patch
creates a new s4member_dflt_domain environment (where
"winbind use default domain" is enabled) and runs getent & id against the
normal s4member & and new s4member_dflt_domain environments

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12298

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-03 19:49:19 +02:00
Andreas Schneider
5ae447e102 testprogs: Test only what the Heimdal kpasswd test should test
The test_password_settings.sh test does test using different password
settings and is not specific to the kpasswd implementation. This
test tests the kpasswd service.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:22 +02:00
Andreas Schneider
e5289191a9 testprogs: Make test_passwords.sh a Heimdal kpasswd test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:22 +02:00
Andreas Schneider
13fdeb0a98 testprogs: Add a new test_password_settings.sh script
This test is not Kerberos implementation specific.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:22 +02:00
Garming Sam
0ab3263724 dbcheck: assert uSNChanged values in release-4-5-0-pre1
This shows that dbcheck doesn't change the replPropertyMetadata when
fixing the links on these objects.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Sep  8 14:39:19 CEST 2016 on sn-devel-144
2016-09-08 14:39:19 +02:00
Andrew Bartlett
737756b060 lib/ldb-samba: Add test for DSDB_MATCH_FOR_EXPUNGE match rule
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-09-01 05:49:15 +02:00
Andrew Bartlett
a999e8c0cb selftest: Add test for 'samba-tool tombstones expunge'
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-09-01 05:49:15 +02:00
Uri Simchoni
3fcd937f05 selftest: tests for kerberos encryption types
This test uses tshark and cwrap's packet capturing capability
to observe the Kerberos handshakes and ensure the correct
encryption types are being used.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug  9 07:43:52 CEST 2016 on sn-devel-144
2016-08-09 07:43:52 +02:00
Stefan Metzmacher
661e1a229e s4:selftest: run the pkinit test in the ad_dc and ad_dc_ntvfs environment
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Stefan Metzmacher
4ab53657cb s4:selftest: run test_pkinit_pac_heimdal.sh test
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Stefan Metzmacher
303906225a test_pkinit_heimdal.sh: add some more tests regarding the UF_SMARTCARD_REQUIRED behavior
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Stefan Metzmacher
d903338ed6 s4:selftest: run samba.tests.samba_tool.user also against ad_dc:local
In future ad_dc_ntvfs and ad_dc will differ regarding the Primary:SambaGPG
password feature. So we should test both.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-07-22 16:03:27 +02:00
Garming Sam
56771ec6d0 dbcheck/release-4-1-0rc3: Add a check regarding replica locations
This DC has repsFrom for the DNS partitions, but not the corresponding
link. This ensures that dbcheck has fixed them up. This will currently
fail without the actual changes to dbcheck coming in the following
commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-21 06:37:08 +02:00
Douglas Bagnall
58acf513f9 dbcheck linked attribute tests: save environment with bad links
We save a database snapshot that contains linked attributes that
should have been deleted, and make sure dbcheck fixes those links
without ruining anything else.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:30 +02:00
Douglas Bagnall
d8e7ffd029 s4/selftest/provisions/dump.sh: dump to target dir if supplied
This is clearly what was meant to happen.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:29 +02:00
Douglas Bagnall
9d8e7666c0 drs tests: querying linked attribute over DRS
Without the deactivated links control, we assert certain conditions over DRS
instead.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:28 +02:00
Douglas Bagnall
4cb565bc87 dsdb tests: add linked attribute tests
Note that this test will not work properly across ldap as the
marked-deleted linked attributes will not appear.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:28 +02:00
Andrew Bartlett
fb9af9727f Revert "dsdb: Disable tombstone_reanimation module until we isolate what causes flaky tests"
This reverts commit 252b62c54e.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-07-09 15:06:19 +02:00
Andrew Bartlett
6e4e914c76 selftest: Add more tests for samba-tool drs replicate
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul  8 13:39:01 CEST 2016 on sn-devel-144
2016-07-08 13:39:01 +02:00
Bob Campbell
ef0cbc5560 selftest: add check password script test
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-05 00:00:14 +02:00
Uri Simchoni
2352e49f32 selftest: Add test for domain join + kerberos-only auth
Add "net ads join/leave -k" tests to the net_ads test suite.

Shift the test suite from ad_member env to ad_dc env, because:
1. Seems more appropriate (the member server plays no role in this
   test)
2. The -k test breaks against the ntvfs file server for some reason,
   when trying to open the netlogon named pipe after having established
   the session with Kerberos (the create fails).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul  1 15:36:37 CEST 2016 on sn-devel-144
2016-07-01 15:36:37 +02:00
Richard Sharpe
ed4af82a4f s4/selftests: test net ads dns register/unregister.
Add a new test for the net ads dns commands and the needed self test
setup. Currently tests that we can register a name and that it
turns up. Also, tests that we can register with -P.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 28 22:35:35 CEST 2016 on sn-devel-144
2016-06-28 22:35:35 +02:00
Stefan Metzmacher
c38a717681 s4:selftest: run samba4.ldap.password_lockout.python only against ad_dc_ntvfs
This test runs over 4-5 mins.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:16 +02:00
Andrew Bartlett
947996b7cb selftest: Do not run winbind tests against ad_dc_ntvfs
This runs the same winbindd as ad_dc, there is no need to duplicate the runs
2016-06-27 00:18:17 +02:00
Ralph Boehme
2db5c10ac5 s4/torture: add a test for dosmode and hidden files
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11992

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-25 18:47:17 +02:00
Andrew Bartlett
f67a3c2eb9 selftest: confirm samba_dnsupdate works in both nsupdate and samba_tool mode
This can be extended, but already checks the basic functionality

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 04:40:14 +02:00
Andrew Bartlett
215c20b94b samba-tool domain join: Refuse to re-join a DC with a still-valid password
While the DC will eventually get back to the same state, it can take a
while, so try harder not to overwrite our already-working account

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 04:40:12 +02:00
Ralph Boehme
721b21bb80 selftest: add test for DNS updates with TKEY/TSIG
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 16 04:07:41 CEST 2016 on sn-devel-144
2016-06-16 04:07:41 +02:00
Andrew Bartlett
a8430d15a5 dsdb: Fix incorrect sorting of replPropertyMetaData with RDN last
Per tests against Windows 2012R2 the RDN is not sorted last and is
instead sorted normally with all the other elements.

The RDN attribute, unlike name, is not replicated over DRS, so this
has no interopability impact.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
2016-06-07 10:28:10 +02:00
Andrew Bartlett
8f1557a2c4 selftest: Run the krb5.kdc test on a more selective basis
The previous tests would take 20mins, the new set of tests take around 7 mins and still cover
the important combinations, given that it is the same KDC code in each environment

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-07 10:28:10 +02:00
Andrew Bartlett
ca37c7146c selftest/drs: Show we return the correct 3 objects for DRSUAPI_EXOP_FSMO_RID_ALLOC
This does not depend on DRSUAPI_DRS_GET_ANC.

This test is not new, but it was not previously being run.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-06 16:36:23 +02:00
Andrew Bartlett
c5ed894006 selftest: initial version of new repl_move test
This tests complex rename and modify combinations in a way that
demonstrated a number of replication failures, due to incorrect
handling in Samba when the parent of the record changes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
2016-06-06 16:36:23 +02:00
Andrew Bartlett
db15993401 dbcheck: Find and fix a missing Deleted Objects container
Older Samba versions could delete this.  This patch tries very hard
to put back the original object, with the original GUID, so that
if another replica has the correct container, that we just merge
rather than conflict.

The existing "wrong dn" check can then put any deleted objects
under this container correctly.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-06 08:50:09 +02:00
Rowland Penny
7583377473 samba-too: Allow 'samba-tool fsmo' to cope with empty or missing fsmo roles
samba-too: Allow 'samba-tool fsmo' to cope with empty or missing fsmo roles

Signed-off-by: Rowland Penny <rpenny@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2016-06-01 00:57:32 +02:00
Dirk Godau
6ded4f5230 drsuapi tests for DsBind with w2k8
These are marked as known_fail pending the next patch ("Extend DsBind
and DsGetDomainControllerInfo to work with w2k8").

Signed-off-by: Dirk Godau <voidswitch@gmail.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-05-26 02:44:31 +02:00
Garming Sam
61f1eaf0b4 tests/dns_forwarder: remove statically defined IPs
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-05-03 08:10:09 +02:00
Garming Sam
3b2f9f8756 tests/dns_forwarder: Add testing for DNS forwarding
The new tests show that single and multiple forwarders work as expected.
They also describe the behaviour encountered when the DNS server
encounters a CNAME from a forwarded request (which is not to pursue any
further).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2016-05-03 08:10:09 +02:00
Stefan Metzmacher
4ec5ff49b8 CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:33 +02:00
Stefan Metzmacher
80dae9afda CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
This matches windows and prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Stefan Metzmacher
942e4ed851 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
e72b2c94b5 CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
2b40fb8509 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
c5c5735c1f CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
This uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
98ff297ed0 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:24 +02:00
Douglas Bagnall
79c58c2543 Implement Virtual List View (VLV)
VLV is a more sophisticated version of a paged searches that allows
you to ask for arbitrary windows in a previously performed sorted
search. If clients use VLV correctly the original search will not be
repeated.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-22 08:00:31 +01:00
Stefan Metzmacher
e8e2386bf6 s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 18 12:39:51 CET 2016 on sn-devel-144
2016-03-18 12:39:51 +01:00
Uri Simchoni
b27cf10c0c selftest: run net ads join test in a private client env
net ads join command changes machine password, thus affecting
the test environment beyond the thing we want to test.

This cange runs the test in a private client env, with its
own hostname, newly-generated machine SID, and a separate
secrets.tdb, thus not affecting the running AD member server,

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-03-10 11:27:29 +01:00
Stefan Metzmacher
f699eb3b1a s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
It requires a transport session key, which is only reliable available
over SMB.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Stefan Metzmacher
c431543fb9 s4:selftest: simplify the loops over samba4.ldb.ldap
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
5cf8546674 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
The LDAP client library uses tstream and that handles non blocking
sockets natively.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00