authorIsaac Boukris <iboukris@gmail.com>2019-10-07 23:51:19 +0300
committerStefan Metzmacher <metze@samba.org>2019-10-16 12:15:54 +0000
commit9d2d4cf9c93684ddb0dda0ed51febc6a2a2132c4 (patch)
tree03687941590729d1b4f1b0e0eb4820e3f4855002
parent24a43d7c7429fd89938bed410d2a433c61c5f9d7 (diff)
selftest: s3: add a test for spnego downgrade from krb5 to ntlm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 Signed-off-by: Isaac Boukris <iboukris@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--selftest/knownfail.d/spnego_downgrade1
-rwxr-xr-xselftest/target/Samba3.pm9
-rwxr-xr-xsource3/script/tests/test_smbd_no_krb5.sh46
-rwxr-xr-xsource3/selftest/tests.py4
4 files changed, 60 insertions, 0 deletions
diff --git a/selftest/knownfail.d/spnego_downgrade b/selftest/knownfail.d/spnego_downgrade
new file mode 100644
index 00000000000..494a55fd43d
--- /dev/null
+++ b/selftest/knownfail.d/spnego_downgrade
@@ -0,0 +1 @@
+^samba3.blackbox.smbd_no_krb5.test_spnego_downgrade
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 70f535e1a49..75960dbc790 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1679,6 +1679,7 @@ sub provision($$$$$$$$$)
my $dfqconffile="$libdir/dfq.conf";
my $errorinjectconf="$libdir/error_inject.conf";
my $delayinjectconf="$libdir/delay_inject.conf";
+ my $globalinjectconf="$libdir/global_inject.conf";
my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/third_party/nss_wrapper/nss_wrapper.pl";
my $nss_wrapper_passwd = "$privatedir/passwd";
@@ -1860,6 +1861,8 @@ sub provision($$$$$$$$$)
#it just means we ALLOW one to be configured.
allow insecure wide links = yes
+ include = $globalinjectconf
+
# Begin extra options
$extra_options
# End extra options
@@ -2358,6 +2361,12 @@ sub provision($$$$$$$$$)
}
close(DFQCONF);
+ unless (open(DELAYCONF, ">$globalinjectconf")) {
+ warn("Unable to open $globalinjectconf");
+ return undef;
+ }
+ close(DELAYCONF);
+
##
## create a test account
##
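Review bot: The new block opens `global_inject.conf` through a bareword handle named `DELAYCONF`, which reads as if it belonged to the delay-inject file, and the `warn` omits `$!`, so a provisioning failure reports no cause. A lexical handle with three-argument open also keeps the interpolated path from being parsed for a mode: `unless (open(my $injectconf, '>', $globalinjectconf)) {`, `warn("Unable to open $globalinjectconf: $!");` and `close($injectconf);`. The file is created empty and is pulled into the `smb.conf` template by the `include =` line added in the earlier hunk, so a test can rewrite global smbd options at runtime; a short comment above this block saying so (`# empty by default; tests write global overrides here and must clear them afterwards`) would document that contract. `provision` starts and ends outside the hunk.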
diff --git a/source3/script/tests/test_smbd_no_krb5.sh b/source3/script/tests/test_smbd_no_krb5.sh
new file mode 100755
index 00000000000..e9dbb4ae80e
--- /dev/null
+++ b/source3/script/tests/test_smbd_no_krb5.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: test_smbd_no_krb5.sh SERVER USERNAME PASSWORD PREFIX
+EOF
+exit 1;
+fi
+
+smbclient=$1
+SERVER=$2
+USERNAME=$3
+PASSWORD=$4
+PREFIX=$5
+shift 5
+
+samba_bindir="$BINDIR"
+samba_kinit=kinit
+if test -x ${samba_bindir}/samba4kinit; then
+ samba_kinit=${samba_bindir}/samba4kinit
+fi
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+. $incdir/common_test_fns.inc
+
+failed=0
+
+opt="--option=gensec:gse_krb5=yes -U${USERNAME}%${PASSWORD}"
+
+# check kerberos access
+test_smbclient "test_krb5" "ls" "//$SERVER/tmp" $opt -k || failed=`expr $failed + 1`
+
+# disbale krb5 globally so smbd won't accept it
+global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf
+echo 'gensec:gse_krb5=no' > $global_inject_conf
+
+# verify that kerberos fails
+test_smbclient_expect_failure "smbd_no_krb5" "ls" "//$SERVER/tmp" -k $opt || failed=`expr $failed + 1`
+
+# verify downgrade to ntlmssp
+test_smbclient "test_spnego_downgrade" "ls" "//$SERVER/tmp" $opt || failed=`expr $failed + 1`
+
+echo '' > $global_inject_conf
+
+testok $0 $failed
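Review bot: The script writes `gensec:gse_krb5=no` into the shared `global_inject.conf` and clears it only on the normal path at the end, so a run that is cut short between those two lines would leave Kerberos disabled in smbd for whatever runs next in the `ad_member` environment. Registering the cleanup right after `global_inject_conf` is assigned, for example `trap 'echo "" > "$global_inject_conf"' EXIT`, restores the file on early exits (whether it also fires on a signal depends on the shell). The argument guard tests `$# -lt 1` while the script reads five positional parameters and then runs `shift 5`; `if [ $# -lt 5 ]; then` with `SMBCLIENT` added to the usage line would match what is consumed. `$SMB_CONF_PATH`, `$global_inject_conf` and `$0` are expanded unquoted, which breaks on a path containing whitespace. `samba_kinit` is set but never used in the visible script, and the comment above the write spells "disable" as "disbale".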
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index a71075f88b3..5b9a5e0ba08 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -721,6 +721,10 @@ plantestsuite("samba3.blackbox.net_tdb", "simpleserver:local",
plantestsuite("samba3.blackbox.smbd_error", "simpleserver:local",
[os.path.join(samba3srcdir, "script/tests/test_smbd_error.sh")])
+plantestsuite("samba3.blackbox.smbd_no_krb5", "ad_member:local",
+ [os.path.join(samba3srcdir, "script/tests/test_smbd_no_krb5.sh"),
+ smbclient3, '$SERVER', "$DC_USERNAME", "$DC_PASSWORD", "$PREFIX"])
+
plantestsuite("samba3.blackbox.durable_v2_delay", "simpleserver:local",
[os.path.join(samba3srcdir, "script/tests/test_durable_handle_reconnect.sh")])