1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/testprogs/blackbox/test_trust_token.sh
Stefan Metzmacher cda8beea45 testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-06-19 09:07:36 +00:00

93 lines
2.1 KiB
Bash
Executable File

#!/bin/bash
# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
if [ $# -lt 12 ]; then
cat <<EOF
Usage: $# test_trust_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TRUST_DOMSID TYPE
EOF
exit 1
fi
SERVER=$1
shift 1
USERNAME=$1
PASSWORD=$2
REALM=$3
DOMAIN=$4
DOMSID=$5
shift 5
TRUST_USERNAME=$1
TRUST_PASSWORD=$2
TRUST_REALM=$3
TRUST_DOMAIN=$4
TRUST_DOMSID=$5
shift 5
TYPE=$1
shift 1
failed=0
. $(dirname $0)/subunit.sh
. $(dirname $0)/common_test_fns.inc
ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
test_token()
{
auth_args="${1}"
auth_sid="${2}"
out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' --scope=base -k ${auth_args} tokenGroups 2>&1)
ret=$?
test x"$ret" = x"0" || {
echo "$out"
return 1
}
trust_sids=$(echo "$out" | grep '^tokenGroups' | grep "${TRUST_DOMSID}-" | wc -l)
test "$trust_sids" -ge "2" || {
echo "$out"
echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID"
return 1
}
domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l)
test "$domain_sids" -ge "1" || {
echo "$out"
echo "Less than 1 sid from $DOMAIN $DOMSID"
return 1
}
builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l)
test "$builtin_sids" -ge "1" || {
echo "$out"
echo "Less than 1 sid from BUILTIN S-1-5-32"
return 1
}
#
# The following should always be present
#
# SID_WORLD(S-1-1-0)
# SID_NT_NETWORK(S-1-5-2)
# SID_NT_AUTHENTICATED_USERS(S-1-5-11)
#
required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
for sid in $required_sids; do
found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l)
test x"$found" = x"1" || {
echo "$out"
echo "SID: ${sid} not found"
return 1
}
done
return 0
}
# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5
testit "Test token with kerberos" test_token "yes" "S-1-18-1" || failed=$(expr $failed + 1)
# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
testit "Test token with NTLMSSP" test_token "no" "S-1-5-64-10" || failed=$(expr $failed + 1)
exit $failed