1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/selftest
Stefan Metzmacher c7a3ce95ac auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.

This fixes a regession in the combination of commits
77adac8c3c and
3a0b835408.

We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server, while we already
do so at the beginning as a client).

As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE
(as an internal flag) in order to let us work as a
Windows using NTLMSSP for LDAP. Even if only signing is
negotiated during the authentication the following PDUs
will still be encrypted if NTLMSSP is used. This is exactly the
same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL.
I guess it's a bug in Windows, but we have to reimplement that
bug. Note this only applies to NTLMSSP and only to LDAP!
Signing only works fine for LDAP with Kerberos
or DCERPC and NTLMSSP.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144
2018-05-16 03:26:03 +02:00
..
flapping.d netlogon: Forward GetDCNameEx2 to winbind via IRPC 2018-05-04 06:12:10 +02:00
gnupg selftest:gnupg: add a gpg key for Samba Selftest <selftest@samba.example.com> 2016-07-22 16:03:27 +02:00
knownfail.d auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server 2018-05-16 03:26:03 +02:00
manage-ca selftest/manage-ca: update manage-CA-samba.example.com.sh 2016-07-22 23:34:21 +02:00
target selftest: Add a user with a different userPrincipalName 2018-05-11 09:07:36 +02:00
devel_env.sh selftest: Add a bash env file you can source. 2014-04-17 14:56:05 +02:00
filter-subunit selftest: use an additional directory of knownfail/flapping files 2017-06-03 13:55:41 +02:00
flapping source4 rpc: binding.c enable DCERPC_SCHANNEL_AUTO for schannel connections 2017-05-25 02:25:13 +02:00
format-subunit format-subunit: Remove import of unnecessary third party modules testtools and subunit. 2015-03-06 04:41:47 +01:00
format-subunit-json selftest/wscript: format perftest as json 2016-08-31 07:09:26 +02:00
gdb_backtrace selftest/gdb_*: make use of 'mktemp' 2016-12-01 05:54:21 +01:00
gdb_backtrace_test.c
gdb_run selftest/gdb_*: make use of 'mktemp' 2016-12-01 05:54:21 +01:00
in_screen selftest: Give tmux a bit of time to establish 2017-06-21 03:14:17 +02:00
knownfail rpc_server: Fix NetSessEnum with stale sessions 2018-04-25 22:49:07 +02:00
perf_tests.py add provision performance tests 2017-06-23 02:25:25 +02:00
quick selftest: Have only one set of selftest knownfail and skip files 2011-10-28 13:10:27 +02:00
README Remove documentation for testsuite-count subunit extension, which is no longer used. 2015-02-17 15:41:10 +01:00
save.env.sh selftest: add save.env.sh helper script. 2016-06-27 05:00:15 +02:00
selftest.pl selftest: Allow make test to run with --address-sanitizer 2018-05-03 08:17:44 +02:00
selftest.pl.1 selftest: Move manual page into a separate file. 2012-03-02 03:49:09 +01:00
selftesthelpers.py selftest: convert print func to be py2/py3 compatible 2018-03-23 07:28:24 +01:00
skip torture: Remove GETADDRINFO test 2017-10-20 20:03:13 +02:00
skip_mit_kdc selftest: Skip s4u2proxy tests, no support yet 2017-04-29 23:31:11 +02:00
skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X script/autobuild.py: try make test TESTS=samba3.*ktest for samba-systemkrb5 2017-01-10 13:54:17 +01:00
slow selftest: Have only one set of selftest knownfail and skip files 2011-10-28 13:10:27 +02:00
SocketWrapper.pm
Subunit.pm selftest: consistently produce high-res UTC time 2018-03-22 13:26:44 +01:00
subunithelper.py python: bulk replace dict.iteritems to items for py3 2018-04-13 07:27:12 +02:00
tap2subunit Add basic tap2subunit converter, rather than relying on the one from subunit-tools. 2015-03-06 04:41:47 +01:00
tests.py auth: keytab invalidation test 2018-05-15 12:41:55 +02:00
TODO
valgrind_run selftest: set valgrind options 2013-12-11 17:14:21 +01:00
wscript selftest: Allow make test to run with --address-sanitizer 2018-05-03 08:17:44 +02:00

# vim: ft=rst

This directory contains test scripts that are useful for running a
bunch of tests all at once.

There are two parts to this:

 * The test runner (selftest/selftest.pl)
 * The test formatter

selftest.pl simply outputs subunit, which can then be formatted or analyzed
by tools that understand the subunit protocol. One of these tools is
format-subunit, which is used by default as part of "make test".

Available testsuites
====================
The available testsuites are obtained from a script, usually
source{3,4}/selftest/tests.py. This script should for each testsuite output
the name of the test, the command to run and the environment that should be
provided. Use the included "plantest" function to generate the required output.

Testsuite behaviour
===================

Exit code
------------
The testsuites should exit with a non-zero exit code if at least one
test failed. Skipped tests should not influence the exit code.

Output format
-------------
Testsuites can simply use the exit code to indicate whether all of their
tests have succeeded or one or more have failed. It is also possible to
provide more granular information using the Subunit protocol.

This protocol works by writing simple messages to standard output. Any
messages that can not be interpreted by this protocol are considered comments
for the last announced test.

For a full description of the subunit protocol, see the README file in the subunit
repository at http://github.com/testing-cabal/subunit.

The following commands are Samba extensions to Subunit:

start-testsuite
~~~~~~~~~~~~~~~
start-testsuite: name

The testsuite name is used as prefix for all containing tests.

skip-testsuite
~~~~~~~~~~~~~~
skip-testsuite: name

Mark the testsuite with the specified name as skipped.

testsuite-success
~~~~~~~~~~~~~~~~~
testsuite-success: name

Indicate that the testsuite has succeeded successfully.

testsuite-fail
~~~~~~~~~~~~~~
testsuite-fail: name

Indicate that a testsuite has failed.

Environments
============
Tests often need to run against a server with particular things set up,
a "environment". This environment is provided by the test "target": Samba 3,
Samba 4 or Windows.

The environments are currently available include

 - none: No server set up, no variables set.
 - dc,s3dc: Domain controller set up. The following environment variables will
   be set:

     * USERNAME: Administrator user name
     * PASSWORD: Administrator password
     * DOMAIN: Domain name
     * REALM: Realm name
     * SERVER: DC host name
     * SERVER_IP: DC IPv4 address
     * SERVER_IPV6: DC IPv6 address
     * NETBIOSNAME: DC NetBIOS name
     * NETIOSALIAS: DC NetBIOS alias

 - member,s4member,s3member: Domain controller and member server that is joined to it set up. The
   following environment variables will be set:

     * USERNAME: Domain administrator user name
     * PASSWORD: Domain administrator password
     * DOMAIN: Domain name
     * REALM: Realm name
     * SERVER: Name of the member server

See Samba.pm, Samba3.pm and Samba4.pm for the full list.

Running tests
=============

To run all the tests use::

   make test

To run a quicker subset run::

   make quicktest

To run a specific test, use this syntax::

   make test TESTS=testname

for example::

   make test TESTS=samba4.BASE-DELETE