mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
samba-mirror/selftest
Joseph Sutton 3ea1c55921 tests/krb5: Add PK-INIT testing framework
To run these tests standalone, you will need the certificate and private
key of the Certificate Authority. These can be specified together in the
same file with the environment variable CA_CERT, or the private key may
be specified in its own file with CA_PRIVATE_KEY.

If either of these files is encrypted, you can specify the password in
the environment variable CA_PASS.

These tests create a new certificate for the user account, signed with
the private key of the Certificate Authority. We negotiate the reply key
with either of the public-key and Diffie-Hellman PK-INIT variants, and
use the reply key to decrypt the enc-part in the response. We also check
that the KDC’s signatures are valid.

Most of the failures with the Heimdal KDC are due to the wrong nonce
being returned in the reply compared to Windows, which issue is simple
enough to correct.

An example command line for manual testing against Windows:
SMB_CONF_PATH=ad_dc.conf KRB5_CONFIG=krb5.conf SERVICE_USERNAME=win2k19-dc.example.com ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass ADMIN_KVNO=1 FOR_USER=Administrator USERNAME=Administrator PASSWORD=locDCpass DC_SERVER=win2k19-dc.example.com SERVER=win2k19-dc.example.com DOMAIN=example REALM=example.com PYTHONPATH=bin/python STRICT_CHECKING=1 FAST_SUPPORT=1 CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 TKT_SIG_SUPPORT=1 FULL_SIG_SUPPORT=1 GNUTLS_PBKDF2_SUPPORT=1 EXPECT_PAC=1 EXPECT_EXTRA_PAC_BUFFERS=1 CHECK_CNAME=1 CHECK_PADATA=1 KADMIN_IS_TGS=0 FORCED_RC4=1 DEFAULT_ETYPES=36 CA_CERT=./win2k19-ca.pfx CA_PASS=1234 python3 python/samba/tests/krb5/pkinit_tests.py

To set up Windows for this I first installed a Certificate Authority with an Enterprise CA.
Then I exported the private key and certificate of the CA:

1. go into the Certification Authority snap-in for the relevant computer,
2. right-clicking the CA
3. clicking ‘All Tasks’ → ‘Back up CA...’
4. and exporting the private key and CA certificate.

(I downloaded the resulting file via smbclient).

After setting up an Enterprise CA, I also needed to edit the domain
controller GPO to enable auto-enrollment, otherwise Windows would
refuse to accept as legitimate any certificates provided by the client.

That can be done by first enabling the policy:
 ‘Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client — Auto-Enrollment’,
and then ticking both ‘Renew expired certificates…’ and ‘Update certificates…’

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
flapping.d selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
gnupg
knownfail.d s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels 2023-07-17 07:35:09 +00:00
manage-ca selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
ns selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
sanitizer selftest: Add Address Sanitizer suppressions 2022-09-08 22:34:36 +00:00
target selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
checkpassword_arg1.sh selftest: Reformat shell scripts 2022-03-03 00:59:34 +00:00
create_smb1_fail_skipfile.txt selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
devel_env.sh selftest: Update devel_env.sh for SAMBA_DCERPCD_DONT_LOG_STDOUT=1 2023-01-26 14:10:36 +00:00
filter-subunit python2 reduction: Merge remaining compat code into common 2020-10-02 14:49:36 +00:00
flapping selftest: Remove samba3.blackbox.smbclient_tar from flapping tests 2020-12-01 19:06:45 +00:00
format-subunit selftest: be less confident in commending st/summary 2022-12-01 22:56:39 +00:00
format-subunit-json python: remove all 'from __future__ import print_function' 2021-04-28 03:43:34 +00:00
gdb_backtrace selftest: Reformat shell scripts 2022-03-03 00:59:34 +00:00
gdb_backtrace_test.c
gdb_run selftest: Reformat shell scripts 2022-03-03 00:59:34 +00:00
in_screen selftest: Reformat shell scripts 2022-03-03 00:59:34 +00:00
knownfail selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
knownfail_heimdal_kdc tests/krb5: Add PK-INIT testing framework 2023-07-19 01:47:33 +00:00
knownfail_mit_kdc selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
knownfail_mit_kdc_1_20 tests/krb5: Add PK-INIT testing framework 2023-07-19 01:47:33 +00:00
knownfail_mit_kdc_pre_1_20 selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
knownfail-32bit gitlab-ci: do some basic testing on ubuntu1804-32bit 2022-11-24 12:05:26 +00:00
no-python-tests.txt selftest: Add basic sanity-check tests for nopython target 2019-02-20 02:10:00 +01:00
perf_tests.py perf_tests: Implicit string concatenation 2021-06-17 04:21:30 +00:00
quick selftest/quick: add smb2.session 2022-02-02 17:36:35 +00:00
README
save.env.sh selftest: Reformat shell scripts 2022-03-03 00:59:34 +00:00
selftest.pl selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
selftest.pl.1
selftesthelpers.py tests: Make timelimit available to test scripts 2023-06-01 21:00:36 +00:00
skip test: skip the open-eintr test 2023-06-30 10:42:36 +00:00
skip_mit_kdc s4:mitkdc: Add support for S4U2Self & S4U2Proxy 2022-03-04 14:05:31 +00:00
skip_mit_kdc_pre_1_20 testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos 2022-03-25 21:54:11 +00:00
skip-32bit gitlab-ci: do some basic testing on ubuntu1804-32bit 2022-11-24 12:05:26 +00:00
skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X
skip.opath-required libsmb: Test smb1 mknod 2023-06-16 16:14:31 +00:00
slow
slow-none selftest: Move some more tests from the samba-o3 job 2020-10-01 01:18:38 +00:00
SocketWrapper.pm selftest: enable perl warnings 2020-02-04 05:13:39 +00:00
Subunit.pm selftest: enable perl warnings 2020-02-04 05:13:39 +00:00
subunithelper.py selftest: Don't use invalid escape sequences 2023-03-20 00:22:32 +00:00
tap2subunit
tests.py tsocket: Fix the build on FreeBSD 2022-12-12 21:16:33 +00:00
TODO
todo_smb2_tests_to_port.list selftest: Fix code spelling 2023-07-05 06:34:32 +00:00
ubsan.supp HEIMDAL: move code from source4/heimdal* to third_party/heimdal* 2022-01-19 21:41:59 +00:00
valgrind_run
wscript selftest: Fix invalid escape sequences 2023-03-03 01:07:36 +00:00

# vim: ft=rst

This directory contains test scripts that are useful for running a
bunch of tests all at once.

There are two parts to this:

 * The test runner (selftest/selftest.pl)
 * The test formatter

selftest.pl simply outputs subunit, which can then be formatted or analyzed
by tools that understand the subunit protocol. One of these tools is
format-subunit, which is used by default as part of "make test".

Available testsuites
====================
The available testsuites are obtained from a script, usually
source{3,4}/selftest/tests.py. This script should for each testsuite output
the name of the test, the command to run and the environment that should be
provided. Use the included "plantest" function to generate the required output.

Testsuite behaviour
===================

Exit code
------------
The testsuites should exit with a non-zero exit code if at least one
test failed. Skipped tests should not influence the exit code.

Output format
-------------
Testsuites can simply use the exit code to indicate whether all of their
tests have succeeded or one or more have failed. It is also possible to
provide more granular information using the Subunit protocol.

This protocol works by writing simple messages to standard output. Any
messages that cannot be interpreted by this protocol are considered comments
for the last announced test.

For a full description of the subunit protocol, see the README file in the subunit
repository at http://github.com/testing-cabal/subunit.

The following commands are Samba extensions to Subunit:

start-testsuite
~~~~~~~~~~~~~~~
start-testsuite: name

The testsuite name is used as a prefix for all tests it contains.

skip-testsuite
~~~~~~~~~~~~~~
skip-testsuite: name

Mark the testsuite with the specified name as skipped.

testsuite-success
~~~~~~~~~~~~~~~~~
testsuite-success: name

Indicate that the testsuite has succeeded.

testsuite-fail
~~~~~~~~~~~~~~
testsuite-fail: name

Indicate that a testsuite has failed.
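
A small reader for the stream described above, as an added example (it is not Samba's format-subunit or subunithelper.py code): it tracks the four testsuite commands, files uninterpretable lines as comments for the last announced test, and derives the exit code from the rule under "Exit code". The ``test:``/``success:``/``failure:``/``error:``/``skip:``/``xfail:`` keywords are taken from subunit v1, the "." used to join suite and test names is an assumption, and the sample stream is constructed.

```python
import re

# Samba's testsuite commands from this README, mapped to a state label.
SUITE_STATES = {"start-testsuite": "running", "skip-testsuite": "skipped",
                "testsuite-success": "success", "testsuite-fail": "failed"}
# Assumed subset of the core subunit v1 result keywords.
FAIL = ("failure", "error")
TEST_RESULTS = ("success", "skip", "xfail") + FAIL
LINE_RE = re.compile(r"^([a-z-]+): (.*?)( \[)?$")

def summarize(lines):
    """Return (suites, tests, comments, exit_code); skips never fail a run."""
    suites, tests, comments = {}, {}, {}
    prefix, last, in_details = "", None, False
    for line in (raw.rstrip("\n") for raw in lines):
        if in_details:                 # skip a multi-line "[ ... ]" block
            in_details = line != "]"
            continue
        m = LINE_RE.match(line)
        cmd, name = (m.group(1), m.group(2)) if m else (None, None)
        if cmd in SUITE_STATES:
            suites[name] = SUITE_STATES[cmd]
            # Assumption: suite name and test name are joined with ".".
            prefix = name + "." if cmd == "start-testsuite" else ""
            last = None
        elif cmd == "test":
            last = prefix + name
            tests[last] = "running"
        elif cmd in TEST_RESULTS:
            tests[prefix + name] = cmd
        else:                          # not protocol: comment for last test
            comments.setdefault(last, []).append(line)
            continue
        in_details = bool(m.group(3))
    bad = "failed" in suites.values() or any(r in FAIL for r in tests.values())
    return suites, tests, comments, 1 if bad else 0

# Constructed sample stream, not output from a real Samba run.
SAMPLE = """\
start-testsuite: samba4.example
test: connect
success: connect
test: delete
debug output printed by the test
failure: delete [
NT_STATUS_ACCESS_DENIED
]
testsuite-fail: samba4.example
skip-testsuite: samba4.other
""".splitlines()
```

Calling ``summarize(SAMPLE)`` yields one failed and one skipped testsuite and an exit code of 1; a stream containing only skips and successes yields 0.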

Environments
============
Tests often need to run against a server with particular things set up,
an "environment". This environment is provided by the test "target": Samba 3,
Samba 4 or Windows.

The environments currently available include:

 - none: No server set up, no variables set.
 - dc,s3dc: Domain controller set up. The following environment variables will
   be set:

     * USERNAME: Administrator user name
     * PASSWORD: Administrator password
     * DOMAIN: Domain name
     * REALM: Realm name
     * SERVER: DC host name
     * SERVER_IP: DC IPv4 address
     * SERVER_IPV6: DC IPv6 address
     * NETBIOSNAME: DC NetBIOS name
     * NETBIOSALIAS: DC NetBIOS alias

 - member,s4member,s3member: Domain controller and member server that is joined to it set up. The
   following environment variables will be set:

     * USERNAME: Domain administrator user name
     * PASSWORD: Domain administrator password
     * DOMAIN: Domain name
     * REALM: Realm name
     * SERVER: Name of the member server

See Samba.pm, Samba3.pm and Samba4.pm for the full list.

Running tests
=============

To run all the tests use::

   make test

To run a quicker subset run::

   make quicktest

To run a specific test, use this syntax::

   make test TESTS=testname

for example::

   make test TESTS=samba4.BASE-DELETE