1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1362 Commits

Author SHA1 Message Date
Volker Lendecke
35c4bb0b0c torture: Test ldap session expiry
LDAP connections should time out when the kerberos ticket used to authenticate
expires. Windows does this with a RFC4511 section 4.4.1 message (that as of
August 2020 is encoded not according to the RFC) followed by a TCP disconnect.

ldb sees the section 4.4.1 as a protocol violation and returns
LDB_ERR_PROTOCOL_ERROR.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-21 19:14:32 +00:00
Volker Lendecke
0c36316ecb torture: Pass DN and password to ldap.basic test
Without this, test_multibind() only gets NULL for userdn and password,
not doing what the test claims. This now fails, because our LDAP
server does not allow plain text binds.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-20 17:20:29 +00:00
Isaac Boukris
08909e66ef Revert "selftest: add tests for net-ads over TLS"
As we are removing the option.

This reverts commit 10f61cd39b.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-11 09:32:34 +00:00
Jeremy Allison
156f1dfc39 s4: tests: Add new async DNS unit test - samba4.blackbox.net_ads_dns_async(ad_member:local).
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-07 06:34:36 +00:00
Isaac Boukris
0739983179 Add a test with old msDS-SupportedEncryptionTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-07-28 12:40:26 +00:00
Isaac Boukris
10f61cd39b selftest: add tests for net-ads over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-13 10:41:37 +00:00
Noel Power
449259f6e1 selftest: run smbcacls test against a share with a DFS link
The commit creates a dfs link in existing 'fileserver' env
share msdfs_share. Additionally we create a new dfs target in
a new share (with associated directory)

Additionally add a known fail as smbcacls doesn't not yet navigate DFS links.
A subsequent commit will fix smcacls to handle DFS (and remove the
knownfail)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-07-07 21:40:33 +00:00
Noel Power
3dced6a436 selftest: Add basic smbcacls test(s)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-07-07 21:40:33 +00:00
Sachin Prabhu
31d187be0f s4:selftest: test for smbtorture subunit names with and without --fullname
We check the output with both --fullname and with the default shortname
to ensure it works as expected.

We also do tests for each level and test relative names are used.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User((no branch)): Stefan Metzmacher <metze@samba.org>
Autobuild-Date((no branch)): Tue Jul  7 12:16:34 UTC 2020 on sn-devel-184
2020-07-07 12:16:34 +00:00
Douglas Bagnall
bc896d7529 CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
These time the push and pull function in isolation.

Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
f4b2fd00fe CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
The client libraries don't allow us to make packets that are broken in
certain ways, so we need to construct them as byte strings.

These tests all fail at present, proving the server is rendered
unresponsive, which is the crux of CVE-2020-10745.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Andrew Bartlett
2c4ecf002a selftest: Split samba.tests.samba_tool.user_virtualCryptSHA into GPG and not GPG parts
This allows the userPassword (not GPG) part of the test to run on hosts without
python3-gpg (eg RHEL7) while still testing the userPassword handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-07-01 13:34:30 +00:00
Isaac Boukris
fb7dfdbe8f selftest: test forwardable flag in cross-realm with s4u2proxy
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-12 20:42:38 +00:00
Isaac Boukris
9b302a57ff selftest: test forwardable flag in cross-realm tgt tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-12 20:42:38 +00:00
Andreas Schneider
55cbdac15e selftest: Run some tests against ad_member_fips
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-05-18 14:43:40 +00:00
Isaac Boukris
8b5e764413 selftest: add python S4U2Self tests including unkeyed checksums
To test the CRC32 I reverted the unkeyed-checksum fix (43958af1)
and the weak-crypto fix (389d1b97). Note that the unkeyed-md5
still worked even with weak-crypto disabled, and that the
unkeyed-sha1 never worked but I left it anyway.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184
2020-05-15 12:25:40 +00:00
Andreas Schneider
ab70153c20 testprogs: Add 'net ads join' test for fips
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu May 14 14:27:26 UTC 2020 on sn-devel-184
2020-05-14 14:27:26 +00:00
Andrew Bartlett
5603d26770 CVE-2020-10700: dsdb: Add test for ASQ and ASQ in combination with paged_results
Thanks to Andrei Popa <andrei.popa@next-gen.ro> for finding,
reporting and working with us to diagnose this issue!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-05-04 08:19:41 +00:00
Gary Lockyer
5d6bcef4b4 CVE-2020-10704: ldapserver tests: Limit search request sizes
Add tests to ensure that overly long (> 256000 bytes) LDAP search
requests are rejected.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:32 +00:00
Gary Lockyer
b0832d2016 CVE-2020-10704: libcli ldap: test recursion depth in ldap_decode_filter_tree
Add tests to check that ASN.1 ldap requests with deeply nested elements
are rejected.  Previously there was no check on the on the depth of
nesting and excessive nesting could cause a stack overflow.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:32 +00:00
Andreas Schneider
a454c9cd42 testprogs: Add client kerberos test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 29 11:53:41 UTC 2020 on sn-devel-184
2020-04-29 11:53:41 +00:00
Volker Lendecke
833303b8bd torture: Test smbc_utimes()
Prove that smbc_utimes throws away the tv_nsec field

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-08 14:46:40 +00:00
Andreas Schneider
ff67642dc2 tests: Add test to check the server doesn't allow NTLM
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2020-04-08 13:02:40 +00:00
Noel Power
0463960488 s4/selftest: Move samba4.rpc.join tests to ad_dc_default_smb1
The following tests which fail when run against a test env that
doesn't support SMB1

samba4.rpc.join on ncacn_ip_tcp with bigendian(ad_dc_default)
samba4.rpc.join on ncacn_ip_tcp with seal,padcheck(ad_dc_default)
samba4.rpc.join on ncacn_ip_tcp with validate(ad_dc_default)
samba4.rpc.join on ncacn_np with bigendian(ad_dc_default)
samba4.rpc.join on ncacn_np with seal,padcheck(ad_dc_default)
samba4.rpc.join on ncacn_np with validate(ad_dc_default)
samba4.rpc.join on ncalrpc with bigendian(ad_dc_default:local)
samba4.rpc.join on ncalrpc with seal,padcheck(ad_dc_default:local)
samba4.rpc.join on ncalrpc with validate(ad_dc_default:local)

have been moved to ad_dc_default_smb1

results verified with

VALIDATE="validate" python3 source4/selftest/tests.py | grep "^samba4.rpc.join" | grep ad_dc_default | sort

corrosponding entries have been removed from skip_smb1_fail

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:32 +00:00
Noel Power
e362ad23ee s4/selftest: Move samba4.ldap.passwordsettings to ad_dc_default_smb1
Test samba4.ldap.passwordsettings fails when run against test env that
doesn't support SMB1 so move to ad_dc_default_smb1

Note: no skip entries to be removed as tests are known failures

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:32 +00:00
Noel Power
1553641724 s4/selftest: Move samba4.ldap.nested-search to ad_dc_default_smb1
Test samba4.ldap.nested-search fails when run against test env
that doesn't support SMB1 so move to ad_dc_default_smb1

Also remove entry from skip_smb1_fail

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:32 +00:00
Noel Power
c83fafacbb s4/selftest: Modify samba4.blackbox.chgdcpass to use smbclient(s3)
Test was using smbclient4 but this fails when used in environments that
don't support SMB1. We use smbclient(s3) instead. There remains one
failure due to behaviour differences between the smbclients.

The behavioural changes are related not to SMB1/SMB2 but
commits d4ea637eb8 &
fce66b22ea

Perhaps we need to modify s3 smbclient in a similar way? This is however
something that deserves further discussion.

Move this failing part to a knownfail for the moment.

Also the corrosponding entry in skip_smb1_fail has been removed

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:32 +00:00
Noel Power
aa688a8de6 s4/selftest: Move samba.tests.libsmb to nt4_dc_smb1
Also remove associated entry from skip_smb1_fail

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:32 +00:00
Noel Power
572bc3e643 s4/selftest: Adjust samba4.blackbox.pkinit to use (s3) smbclient
samba4.blackbox.pkinit falls to pass in environments that don't support
SMB2 because of use (s4) smbclient4. Change test to use (s3) smbclient

Additionally a test within the test script test_kinit_trusts_heimdal.sh
explicitly uses smbclient4 which can't negotiate SMB1 in environments
that don't support it. Add knownfail to cater for this & also remove entry
from the skip file

Further reference the smbclient4 specific test is associated with
https://bugzilla.samba.org/show_bug.cgi?id=12554 so maybe we should
keep it for the moment

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:30 +00:00
Noel Power
4c92489383 s4/selftest: Move samba.tests.net_join_no_spnego to ad_dc_smb1
Test samba.tests.net_join_no_spnego when run in environment
doesn't support SMB1 so move it to ad_dc_smb1 and remove
skip_smb1_fail entry

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:30 +00:00
Noel Power
6edb46682d s4/selftest: Move samba.tests.auth_log_pass_change to ad_dc_smb1
Test samba.tests.auth_log_pass_change  will fail when run against
environments that don't support SMB1 so move this test to ad_dc_smb1
and remove entry from skip_smb1_fail

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:30 +00:00
Noel Power
fc1121bc6b s4/selftest: Move samba.tests.auth_log to ad_dc_smb1
Test samba.tests.auth_log will fail when run against environments that
don't support SMB1 so move this test to ad_dc_smb1 and removing
entry from skip_smb1_fail

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:29 +00:00
Noel Power
a166ddc740 s4/selftest: Move samba4.smb.spnego to ad_dc_smb1
Moving

samba4.smb.spnego.krb5.no_optimistic(ad_dc)
samba4.smb.spnego.ntlmssp.no_optimistic(ad_dc)

and additionally removing the entries from skip_smb1_fails

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:29 +00:00
Noel Power
ed3b15b33c s4/selftest: Move samba4.rpc.join tests from ad_dc to ad_dc_smb1
Move the following tests from ad_dc to ad_dc_smb1

samba4.rpc.join with bigendian(ad_dc)
samba4.rpc.join with seal,padcheck(ad_dc)
samba4.rpc.join with validate(ad_dc)

and additionally remove the corrosponding entries from skip_smb1_fails

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:29 +00:00
Noel Power
b056425340 s4/selftest: Move failing samba4.rpc.authcontext.* (ad_dc) to ad_dc_smb1
Move
samba4.rpc.authcontext with bigendian(ad_dc)
samba4.rpc.authcontext with seal,padcheck(ad_dc)
samba4.rpc.authcontext with validate(ad_dc)

to ad_dc_smb1 environment and remove the corrosponding entries in
skip_smb1_fail

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:29 +00:00
Noel Power
1c8974b421 s4/selftest: run samba4.libsmbclient.*.NT1.* tests in ad_dc_smb1
additionally remove those related entries from skip_smb1_fails

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:29 +00:00
Noel Power
0aa44c88d2 s4/selftest: move samba4.dfs.domain to ad_dc_smb1
Additionally remove the test entry from skip_smb1_fails

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:29 +00:00
Noel Power
422e6c5a79 s4/selftest: adjust samba.blackbox.pdbtest to use (s3) smbclient
smbclient4 only negotiates smb1, this test should use smbclient(s3)
instead.

Signed-off-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:28 +00:00
Noel Power
7e04d84b5f s4/selftest: Adjust samba4.blackbox.samba_tool to use (s3) smbclient
(s4) smbclient doesn't negotiate smb2, (s3) smbclient is what
is used and what we really should be testing.

Additionally remove entry from ski_smb1_fails file

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:28 +00:00
Noel Power
1c3f954ab4 s4/selftest: Use (s3) smbclient for test samba4.blackbox.kinit
Additionally we remove the entry from skip_smb1_fails as it is
no longer relevant

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:28 +00:00
Noel Power
3558332228 s4/selftest: Use s3 smbclient for samba4.blackbox.bogusdomain
Additionally remove the test from skip_smb1_fails

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:28 +00:00
Noel Power
87d77b3ea9 s4/selftest: Add smbclient (s3 version) binary to s4/tests
smbclient4 only negotiates smb1, tests probably should use smbclient
instead (except for tests that intentionally are testing smbclient4
itself)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-04-03 15:08:28 +00:00
Stefan Metzmacher
c4ccdf4b30 s4:selftest: run samba.tests.krb5.simple_tests against ad_dc_default
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 27 19:54:25 UTC 2020 on sn-devel-184
2020-03-27 19:54:25 +00:00
Stefan Metzmacher
7010a1311d s4:selftest: run samba.tests.krb5.kcrypto test
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-03-27 18:17:35 +00:00
Stefan Metzmacher
05d3a909d5 selftest: use 10.53.57.0/8 instead of 127.0.0.1/8
This makes our testing much more realistic and allows
the removal of some knowfail entries.

It also means the testing with network namespaces on Linux
can use the same addresses as our socket wrapper testing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-27 09:02:38 +00:00
Samuel Cabrero
d809da3ace selftest: Run python.samba.tests.dcerpc.raw_protocol against S3 ad_member
The goal is to pass the raw protocol testsuite against s3 RPC server.
To do so we need to enable epmd and lsasd daemons, as the testsuite
connects to the endpoint mapper and lsa endpoints using NCACN_IP_TCP
and NCACN_NP transports.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-20 15:36:31 +00:00
Andreas Schneider
ff70d7cc3a tests: Add test for weak crypto
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-19 20:46:42 +00:00
Volker Lendecke
9653a10738 libsmbclient: Put it back to a known, well-working state
For adapting unix extensions in our client libraries, we need a fresh start
with additional APIs. We can't change existing application behaviour.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-03-10 21:25:33 +00:00
Volker Lendecke
a7bdb2936f selftest: Inform smbtorture about running with unix extensions
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-03-03 17:48:38 +00:00
Volker Lendecke
dfa01af749 selftest: run libsmbclient unix ext tests against "posix_share"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-03-03 17:48:38 +00:00