IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through SMB.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through RPC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through LDAP.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service using the normal
credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This
will allow us to validate the output of the MIT/Heimdal libraries in the
future.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This made Python 2's print behave like Python 3's print().
In some cases, where we had:
from __future__ import print_function
"""Intended module documentation..."""
this will have the side effect of making the intended module documentation
work as the actual module documentation (i.e. becoming __doc__), because
it is once again the first statement in the module.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This kind of test is better hosted in python than in C. More lines,
but the ones in source4/libcli/security/tests/sddl.c were preeetty
long...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 13 19:17:56 UTC 2021 on sn-devel-184
Tests of [MS-KILE]: Kerberos Protocol Extensions
section 3.3.5.6.1 Client Principal Lookup
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
GNUstep as an mdfind binary, and both should be co-instalable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14431
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Björn Baumbach <bb@sernet.de>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar 29 16:18:54 UTC 2021 on sn-devel-184
Running samba-gpupdate on a client is causing an
error in gp_access_ext, due to it attempting to
access sam.ldb before detecting whether we are on
an ad-dc.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
This makes sure "--basedir=$SELFTEST_TMPDIR" is passed to smbtorture.
Tests should not create files in the build nor the source directory!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 27 11:01:32 UTC 2021 on sn-devel-184
That share will get the "honor change notify privilege = yes" option
once it's implemented. For now it's marked as knownfail.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
The following tests were not re-implemented as they are client side
tests for the "Orpheus Lyre" attack:
TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
TORTURE_KRB5_TEST_CHANGE_SERVER_IN
TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Originally copied from 'source4/scripting/devel/createtrust'
(had to drop the TRUST_AUTH_TYPE_VERSION part though, as it
fails against samba DC).
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Add python canonicalization tests, loosely based on the code in
source4/torture/krb5/kdc-canon-heimdal.c. The long term goal is to move
the integration level tests out of kdc-canon-heimdal, leaving it as a
heimdal library unit test.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This tests a sorts of combinations in order to
demonstrate the visibility of objects depending on:
- with or without fDoListObject
- with or without explicit DENY ACEs
- A hierachy of objects with 4 levels from the base dn
- SEC_ADS_LIST (List Children)
- SEC_ADS_LIST_LIST_OBJECT (List Object)
- SEC_ADS_READ_PROP
- all possible scopes and basedns
This demonstrates that NO_SUCH_OBJECT doesn't depend purely
on the visibility of the base dn, it's still possible to
get children returned und an invisible base dn.
It also demonstrates the additional behavior with "List Object" mode.
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Add a ZeroLogon test suite, to allow the ZeroLogon tests to be run against
the s3 and s4 netlogon servers.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 31 19:09:24 UTC 2020 on sn-devel-184
LDAP connections should time out when the kerberos ticket used to authenticate
expires. Windows does this with a RFC4511 section 4.4.1 message (that as of
August 2020 is encoded not according to the RFC) followed by a TCP disconnect.
ldb sees the section 4.4.1 as a protocol violation and returns
LDB_ERR_PROTOCOL_ERROR.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Without this, test_multibind() only gets NULL for userdn and password,
not doing what the test claims. This now fails, because our LDAP
server does not allow plain text binds.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The commit creates a dfs link in existing 'fileserver' env
share msdfs_share. Additionally we create a new dfs target in
a new share (with associated directory)
Additionally add a known fail as smbcacls doesn't not yet navigate DFS links.
A subsequent commit will fix smcacls to handle DFS (and remove the
knownfail)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
We check the output with both --fullname and with the default shortname
to ensure it works as expected.
We also do tests for each level and test relative names are used.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User((no branch)): Stefan Metzmacher <metze@samba.org>
Autobuild-Date((no branch)): Tue Jul 7 12:16:34 UTC 2020 on sn-devel-184
These time the push and pull function in isolation.
Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
The client libraries don't allow us to make packets that are broken in
certain ways, so we need to construct them as byte strings.
These tests all fail at present, proving the server is rendered
unresponsive, which is the crux of CVE-2020-10745.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This allows the userPassword (not GPG) part of the test to run on hosts without
python3-gpg (eg RHEL7) while still testing the userPassword handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
To test the CRC32 I reverted the unkeyed-checksum fix (43958af1)
and the weak-crypto fix (389d1b97). Note that the unkeyed-md5
still worked even with weak-crypto disabled, and that the
unkeyed-sha1 never worked but I left it anyway.
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184
Thanks to Andrei Popa <andrei.popa@next-gen.ro> for finding,
reporting and working with us to diagnose this issue!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Add tests to check that ASN.1 ldap requests with deeply nested elements
are rejected. Previously there was no check on the on the depth of
nesting and excessive nesting could cause a stack overflow.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The following tests which fail when run against a test env that
doesn't support SMB1
samba4.rpc.join on ncacn_ip_tcp with bigendian(ad_dc_default)
samba4.rpc.join on ncacn_ip_tcp with seal,padcheck(ad_dc_default)
samba4.rpc.join on ncacn_ip_tcp with validate(ad_dc_default)
samba4.rpc.join on ncacn_np with bigendian(ad_dc_default)
samba4.rpc.join on ncacn_np with seal,padcheck(ad_dc_default)
samba4.rpc.join on ncacn_np with validate(ad_dc_default)
samba4.rpc.join on ncalrpc with bigendian(ad_dc_default:local)
samba4.rpc.join on ncalrpc with seal,padcheck(ad_dc_default:local)
samba4.rpc.join on ncalrpc with validate(ad_dc_default:local)
have been moved to ad_dc_default_smb1
results verified with
VALIDATE="validate" python3 source4/selftest/tests.py | grep "^samba4.rpc.join" | grep ad_dc_default | sort
corrosponding entries have been removed from skip_smb1_fail
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Test samba4.ldap.passwordsettings fails when run against test env that
doesn't support SMB1 so move to ad_dc_default_smb1
Note: no skip entries to be removed as tests are known failures
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Test samba4.ldap.nested-search fails when run against test env
that doesn't support SMB1 so move to ad_dc_default_smb1
Also remove entry from skip_smb1_fail
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Test was using smbclient4 but this fails when used in environments that
don't support SMB1. We use smbclient(s3) instead. There remains one
failure due to behaviour differences between the smbclients.
The behavioural changes are related not to SMB1/SMB2 but
commits d4ea637eb8 &
fce66b22ea
Perhaps we need to modify s3 smbclient in a similar way? This is however
something that deserves further discussion.
Move this failing part to a knownfail for the moment.
Also the corrosponding entry in skip_smb1_fail has been removed
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
samba4.blackbox.pkinit falls to pass in environments that don't support
SMB2 because of use (s4) smbclient4. Change test to use (s3) smbclient
Additionally a test within the test script test_kinit_trusts_heimdal.sh
explicitly uses smbclient4 which can't negotiate SMB1 in environments
that don't support it. Add knownfail to cater for this & also remove entry
from the skip file
Further reference the smbclient4 specific test is associated with
https://bugzilla.samba.org/show_bug.cgi?id=12554 so maybe we should
keep it for the moment
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Test samba.tests.net_join_no_spnego when run in environment
doesn't support SMB1 so move it to ad_dc_smb1 and remove
skip_smb1_fail entry
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Test samba.tests.auth_log_pass_change will fail when run against
environments that don't support SMB1 so move this test to ad_dc_smb1
and remove entry from skip_smb1_fail
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Test samba.tests.auth_log will fail when run against environments that
don't support SMB1 so move this test to ad_dc_smb1 and removing
entry from skip_smb1_fail
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Moving
samba4.smb.spnego.krb5.no_optimistic(ad_dc)
samba4.smb.spnego.ntlmssp.no_optimistic(ad_dc)
and additionally removing the entries from skip_smb1_fails
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Move the following tests from ad_dc to ad_dc_smb1
samba4.rpc.join with bigendian(ad_dc)
samba4.rpc.join with seal,padcheck(ad_dc)
samba4.rpc.join with validate(ad_dc)
and additionally remove the corrosponding entries from skip_smb1_fails
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Move
samba4.rpc.authcontext with bigendian(ad_dc)
samba4.rpc.authcontext with seal,padcheck(ad_dc)
samba4.rpc.authcontext with validate(ad_dc)
to ad_dc_smb1 environment and remove the corrosponding entries in
skip_smb1_fail
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
additionally remove those related entries from skip_smb1_fails
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
smbclient4 only negotiates smb1, this test should use smbclient(s3)
instead.
Signed-off-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(s4) smbclient doesn't negotiate smb2, (s3) smbclient is what
is used and what we really should be testing.
Additionally remove entry from ski_smb1_fails file
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Additionally we remove the entry from skip_smb1_fails as it is
no longer relevant
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
smbclient4 only negotiates smb1, tests probably should use smbclient
instead (except for tests that intentionally are testing smbclient4
itself)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 27 19:54:25 UTC 2020 on sn-devel-184
This makes our testing much more realistic and allows
the removal of some knowfail entries.
It also means the testing with network namespaces on Linux
can use the same addresses as our socket wrapper testing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The goal is to pass the raw protocol testsuite against s3 RPC server.
To do so we need to enable epmd and lsasd daemons, as the testsuite
connects to the endpoint mapper and lsa endpoints using NCACN_IP_TCP
and NCACN_NP transports.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
For adapting unix extensions in our client libraries, we need a fresh start
with additional APIs. We can't change existing application behaviour.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The libsmbclient readdir tests are broken just for the unix extension
case. For example they assume our "map archive" behaviour. This will
have to be parameterized once unix extensions become better
implemented in libsmbclient
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 27 19:34:36 UTC 2020 on sn-devel-184
In case we would start to actually test kerberos auth via the libsmbclient API
(which we right now don't), this will change again. Until then,
make test TESTS=libsmbclient
is a lot faster this way.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Add tests to check that the '-lock' files for the dns partitions as well as
the data files are linked when running
samba_dnsupgrade --dns-backend=BIND9_DLZ
failure to create these links can cause corruption of the corresponding
data file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14199
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The rpc.netlogon testsuite has a test that verifies LSA over netlogon which is
only enabled in the ad_dc_ntvfs env.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
ad_dc_default is currently an alias for ad_dc_ntvfs, so this is currently no
change in behaviour, but this is going to change.
As the ad_dc_ntvfs env specifies "ldap server require strong auth =
allow_sasl_over_tls" and this is needed for the test, we have to let the test
use the ad_dc_ntvfs env explicitly.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Add a test that shows that setting timestamps to the special
values (time_t) 4294967295, 0, -1 and anything below is broken.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=7771
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Tests to ensure that ndr_pull_string handles zero and one byte length
data correctly for both character strings and UTF-16 strings.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13874
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
