The branch, master has been updated
via 51dd39b selftest: Rename samba4.blackbox.pdbtest to
samba.blackbox.pdbtest
via b7b4879 s3-torture: Extend pdbtest to also run an authentication
unit-test
via de2d813 build: Remove pdbtest from the autoconf build
from 528d3fe libcli/smb: do not set SMB2_TF_MSG_SIZE in the caller
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 51dd39b2cf800ccf89cc1ae5ce6fe1ce2edff9c3
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Aug 8 16:02:29 2012 +1000
selftest: Rename samba4.blackbox.pdbtest to samba.blackbox.pdbtest
This test covers s3dc as well.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Wed Aug 8 09:57:14 CEST 2012 on sn-devel-104
commit b7b48793501915ecf5cb52b3044fd2f902987802
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Aug 8 15:22:03 2012 +1000
s3-torture: Extend pdbtest to also run an authentication unit-test
This tests both the builtin auth_sam against passdb directly and the
configured auth module.
Andrew Bartlett
commit de2d813898bcfc530d13753a57ac8356b7c7bf0e
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Aug 8 15:53:36 2012 +1000
build: Remove pdbtest from the autoconf build
pdbtest is internal test utility that is not installed. It is only
run from the full (waf) make test, and does not need to be built in
the autoconf build.
Removing it from the autoconf build makes it easier to expand this
test to depend on more parts of Samba.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source3/Makefile.in | 13 +-----
source3/torture/pdbtest.c | 117 ++++++++++++++++++++++++++++++++++++++++++++-
source3/wscript_build | 4 +-
source4/selftest/tests.py | 2 +-
4 files changed, 121 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/Makefile.in b/source3/Makefile.in
index e42c1b5..2635cfa 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -223,7 +223,7 @@ BIN_PROGS3 = bin/smbpasswd bin/rpcclient bin/smbcacls \
TORTURE_PROGS = bin/smbtorture bin/msgtest \
bin/masktest bin/locktest \
bin/locktest2 bin/nsstest bin/vfstest \
- bin/pdbtest $(TALLOCTORT) bin/replacetort \
+ $(TALLOCTORT) bin/replacetort \
$(TDBTORTURE) $(PTHREADPOOLTEST) \
bin/smbconftort bin/vlp
@@ -1323,11 +1323,6 @@ LOCKTEST_OBJ = torture/locktest.o $(PARAM_OBJ)
$(LOCKING_OBJ) $(KRBCLIENT_OBJ) \
NSSTEST_OBJ = ../nsswitch/nsstest.o ../lib/util/setid.o $(LIBSAMBAUTIL_OBJ)
-PDBTEST_OBJ = torture/pdbtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
- $(LIB_NONSMBD_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
- $(SMBLDAP_OBJ) $(POPT_LIB_OBJ) \
- $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ)
-
VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE)
$(READLINE_OBJ) \
torture/vfstest_chain.o
@@ -2073,12 +2068,6 @@ bin/nsstest: $(BINARY_PREREQS) $(NSSTEST_OBJ)
$(LIBTALLOC)
@$(CC) -o $@ $(NSSTEST_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \
$(LIBTALLOC_LIBS)
-bin/pdbtest: $(BINARY_PREREQS) $(PDBTEST_OBJ) @BUILD_POPT@ $(LIBTALLOC)
$(LIBTDB) $(LIBWBCLIENT)
- @echo Linking $@
- @$(CC) -o $@ $(PDBTEST_OBJ) $(LDFLAGS) $(DYNEXP) \
- $(LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(PASSDB_LIBS) \
- $(POPT_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS)
$(LIBWBCLIENT_LIBS) $(ZLIB_LIBS)
-
bin/vfstest: $(BINARY_PREREQS) $(VFSTEST_OBJ) @BUILD_POPT@ $(LIBTALLOC)
$(LIBTDB) $(LIBWBCLIENT)
@echo Linking $@
@$(CC) -o $@ $(VFSTEST_OBJ) $(LDFLAGS) $(TERMLDFLAGS) $(AVAHI_LIBS) \
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 821f39b..d0d529e 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -4,6 +4,7 @@
Copyright (C) Wilco Baan Hofman 2006
Copyright (C) Jelmer Vernooij 2006
+ Copyright (C) Andrew Bartlett 2012
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -27,6 +28,10 @@
#include "../librpc/gen_ndr/drsblobs.h"
#include "../librpc/gen_ndr/ndr_drsblobs.h"
#include "../libcli/security/dom_sid.h"
+#include "../libcli/auth/libcli_auth.h"
+#include "../auth/common_auth.h"
+#include "lib/tsocket/tsocket.h"
+#include "include/auth.h"
#define TRUST_DOM "trustdom"
#define TRUST_PWD "trustpwd1232"
@@ -38,6 +43,7 @@ static bool samu_correct(struct samu *s1, struct samu *s2)
uint32 s1_len, s2_len;
const char *s1_buf, *s2_buf;
const uint8 *d1_buf, *d2_buf;
+ const struct dom_sid *s1_sid, *s2_sid;
/* Check Unix username */
s1_buf = pdb_get_username(s1);
@@ -233,11 +239,111 @@ static bool samu_correct(struct samu *s1, struct samu
*s2)
ret = False;
}
- /* TODO Check user and group sids */
+ /* Check user and group sids */
+ s1_sid = pdb_get_user_sid(s1);
+ s2_sid = pdb_get_user_sid(s2);
+ if (s2_sid == NULL && s1_sid != NULL) {
+ DEBUG(0, ("USER SID not set\n"));
+ ret = False;
+ } else if (s1_sid == NULL) {
+ /* Do nothing */
+ } else if (!dom_sid_equal(s1_sid, s2_sid)) {
+ DEBUG(0, ("USER SID is not written correctly\n"));
+ ret = False;
+ }
return ret;
}
+static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
+{
+ struct auth_usersupplied_info *user_info;
+ struct auth_context *auth_context;
+ static const uint8_t challenge_8[8] = {1, 2, 3, 4, 5, 6, 7, 8};
+ DATA_BLOB challenge = data_blob_const(challenge_8, sizeof(challenge_8));
+ struct tsocket_address *tsocket_address;
+ unsigned char local_nt_response[24];
+ DATA_BLOB nt_resp = data_blob_const(local_nt_response,
sizeof(local_nt_response));
+ unsigned char local_nt_session_key[16];
+ struct netr_SamInfo3 *info3_sam, *info3_auth;
+ struct auth_serversupplied_info *server_info;
+ NTSTATUS status;
+
+ SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
+ local_nt_response);
+ SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
+
+ if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0,
&tsocket_address) != 0) {
+ return False;
+ }
+
+ status = make_user_info(&user_info, pdb_get_username(pdb_entry),
pdb_get_username(pdb_entry),
+ pdb_get_domain(pdb_entry),
pdb_get_domain(pdb_entry), lp_netbios_name(),
+ tsocket_address, NULL, &nt_resp, NULL, NULL,
NULL,
+ AUTH_PASSWORD_RESPONSE);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with
check_sam_security_info3: %s\n", nt_errstr(status)));
+ return False;
+ }
+
+ status = check_sam_security_info3(&challenge, NULL, user_info,
&info3_sam);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with
check_sam_security_info3: %s\n", nt_errstr(status)));
+ return False;
+ }
+
+ if (memcmp(info3_sam->base.key.key, local_nt_session_key, 16) != 0) {
+ DEBUG(0, ("Returned NT session key is incorrect\n"));
+ return False;
+ }
+
+ status = make_auth_context_fixed(NULL, &auth_context, challenge.data);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with
check_sam_security_info3: %s\n", nt_errstr(status)));
+ return False;
+ }
+
+ status = auth_check_ntlm_password(auth_context, user_info,
&server_info);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with auth module:
%s\n", nt_errstr(status)));
+ return False;
+ }
+
+ info3_auth = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (info3_auth == NULL) {
+ return False;
+ }
+
+ status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3_auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
+ nt_errstr(status)));
+ return False;
+ }
+
+ if (memcmp(info3_auth->base.key.key, local_nt_session_key, 16) != 0) {
+ DEBUG(0, ("Returned NT session key is incorrect\n"));
+ return False;
+ }
+
+ if (!dom_sid_equal(info3_sam->base.domain_sid,
info3_auth->base.domain_sid)) {
+ DEBUG(0, ("domain_sid in SAM info3 %s does not match domain_sid
in AUTH info3 %s\n",
+ dom_sid_string(NULL, info3_sam->base.domain_sid),
+ dom_sid_string(NULL, info3_auth->base.domain_sid)));
+ return False;
+ }
+
+ /* TODO:
+ * Compre more details from the two info3 structures,
+ * then test that an expired/disabled/pwdmustchange account
+ * returns the correct errors
+ */
+
+ return True;
+}
+
static bool test_trusted_domains(TALLOC_CTX *ctx,
struct pdb_methods *pdb,
bool *error)
@@ -363,6 +469,7 @@ int main(int argc, char **argv)
/* Load configuration */
lp_load_global(get_dyn_CONFIGFILE());
setup_logging("pdbtest", DEBUG_STDOUT);
+ init_names();
if (backend == NULL) {
backend = lp_passdb_backend();
@@ -464,6 +571,14 @@ int main(int argc, char **argv)
error = True;
}
+ if (test_auth(ctx, out)) {
+ printf("Authentication module test passed\n");
+ } else {
+ printf("Authentication module test failed!\n");
+ error = True;
+ }
+
+
/* Delete account */
if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
fprintf(stderr, "Error in delete_sam_account %s\n",
diff --git a/source3/wscript_build b/source3/wscript_build
index 9125667..2b00a16 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1480,7 +1480,9 @@ bld.SAMBA3_BINARY('pdbtest',
deps='''
talloc
pdb
- popt_samba3''',
+ popt_samba3
+ AUTH_COMMON
+ auth''',
vars=locals())
bld.SAMBA3_BINARY('vfstest',
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 25b22b7..12c84a3 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -188,7 +188,7 @@ for env in ["dc", "s3dc"]:
"-k no --option=usespnego=no"]:
name = "rpc.lsa.secrets on %s with with %s" % (transport, ntlmoptions)
plansmbtorturetestsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" %
(transport), ntlmoptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN',
'--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.%s" % name)
- plantestsuite("samba4.blackbox.pdbtest", "%s:local" % env,
[os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", smbclient,
'$SMB_CONF_PATH', configuration])
+ plantestsuite("samba.blackbox.pdbtest", "%s:local" % env,
[os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", smbclient,
'$SMB_CONF_PATH', configuration])
transports = ["ncacn_np", "ncacn_ip_tcp"]
--
Samba Shared Repository
