author | Isaac Boukris <iboukris@gmail.com> | 2019-10-07 23:51:19 +0300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2019-10-16 12:15:54 +0000 |
commit | 9d2d4cf9c93684ddb0dda0ed51febc6a2a2132c4 (patch) | |
tree | 03687941590729d1b4f1b0e0eb4820e3f4855002 | |
parent | 24a43d7c7429fd89938bed410d2a433c61c5f9d7 (diff) | |
download | samba-9d2d4cf9c93684ddb0dda0ed51febc6a2a2132c4.tar.gz |
selftest: s3: add a test for spnego downgrade from krb5 to ntlm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | selftest/knownfail.d/spnego_downgrade | 1 | ||||
-rwxr-xr-x | selftest/target/Samba3.pm | 9 | ||||
-rwxr-xr-x | source3/script/tests/test_smbd_no_krb5.sh | 46 | ||||
-rwxr-xr-x | source3/selftest/tests.py | 4 |
4 files changed, 60 insertions, 0 deletions
diff --git a/selftest/knownfail.d/spnego_downgrade b/selftest/knownfail.d/spnego_downgrade new file mode 100644 index 00000000000..494a55fd43d --- /dev/null +++ b/selftest/knownfail.d/spnego_downgrade @@ -0,0 +1 @@ +^samba3.blackbox.smbd_no_krb5.test_spnego_downgrade diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 70f535e1a49..75960dbc790 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1679,6 +1679,7 @@ sub provision($$$$$$$$$) my $dfqconffile="$libdir/dfq.conf"; my $errorinjectconf="$libdir/error_inject.conf"; my $delayinjectconf="$libdir/delay_inject.conf"; + my $globalinjectconf="$libdir/global_inject.conf"; my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/third_party/nss_wrapper/nss_wrapper.pl"; my $nss_wrapper_passwd = "$privatedir/passwd"; @@ -1860,6 +1861,8 @@ sub provision($$$$$$$$$) #it just means we ALLOW one to be configured. allow insecure wide links = yes + include = $globalinjectconf + # Begin extra options $extra_options # End extra options @@ -2358,6 +2361,12 @@ sub provision($$$$$$$$$) } close(DFQCONF); + unless (open(DELAYCONF, ">$globalinjectconf")) { + warn("Unable to open $globalinjectconf"); + return undef; + } + close(DELAYCONF); + ## ## create a test account ## diff --git a/source3/script/tests/test_smbd_no_krb5.sh b/source3/script/tests/test_smbd_no_krb5.sh new file mode 100755 index 00000000000..e9dbb4ae80e --- /dev/null +++ b/source3/script/tests/test_smbd_no_krb5.sh 
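Review bot: The `include = $globalinjectconf` line in the second Samba3.pm hunk is emitted above `$extra_options`, and nothing next to it says which takes precedence. If smb.conf applies the last assignment of a parameter, as it normally does, an environment whose extra options set the same key would override what a test writes into global_inject.conf. A comment in the generated config would make that explicit, for example `# global_inject.conf is rewritten by tests at runtime; options set below it take precedence`. Every environment built by provision() now reads this file, so the comment is also the place to say it must stay empty outside a test run. The body of provision() starts and ends outside the hunk.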
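Review bot: The block added in the third Samba3.pm hunk creates global_inject.conf through the bareword handle `DELAYCONF`, a name that looks carried over from the delay_inject.conf code, and the warning omits `$!`, so a provisioning failure would not say why the open failed. Keeping the file's existing handle style, the lines would read `unless (open(GLOBALCONF, ">$globalinjectconf")) {`, `warn("Unable to open $globalinjectconf: $!");` and `close(GLOBALCONF);`. provision() continues outside the hunk, so whether `DELAYCONF` is still open elsewhere at this point cannot be confirmed from here.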
@@ -0,0 +1,46 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat <<EOF +Usage: test_smbd_no_krb5.sh SERVER USERNAME PASSWORD PREFIX +EOF +exit 1; +fi + +smbclient=$1 +SERVER=$2 +USERNAME=$3 +PASSWORD=$4 +PREFIX=$5 +shift 5 + +samba_bindir="$BINDIR" +samba_kinit=kinit +if test -x ${samba_bindir}/samba4kinit; then + samba_kinit=${samba_bindir}/samba4kinit +fi + +incdir=`dirname $0`/../../../testprogs/blackbox +. $incdir/subunit.sh +. $incdir/common_test_fns.inc + +failed=0 + +opt="--option=gensec:gse_krb5=yes -U${USERNAME}%${PASSWORD}" + +# check kerberos access +test_smbclient "test_krb5" "ls" "//$SERVER/tmp" $opt -k || failed=`expr $failed + 1` + +# disbale krb5 globally so smbd won't accept it +global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf +echo 'gensec:gse_krb5=no' > $global_inject_conf + +# verify that kerberos fails +test_smbclient_expect_failure "smbd_no_krb5" "ls" "//$SERVER/tmp" -k $opt || failed=`expr $failed + 1` + +# verify downgrade to ntlmssp +test_smbclient "test_spnego_downgrade" "ls" "//$SERVER/tmp" $opt || failed=`expr $failed + 1` + +echo '' > $global_inject_conf + +testok $0 $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index a71075f88b3..5b9a5e0ba08 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -721,6 +721,10 @@ plantestsuite("samba3.blackbox.net_tdb", "simpleserver:local", plantestsuite("samba3.blackbox.smbd_error", "simpleserver:local", [os.path.join(samba3srcdir, "script/tests/test_smbd_error.sh")]) +plantestsuite("samba3.blackbox.smbd_no_krb5", "ad_member:local", + [os.path.join(samba3srcdir, "script/tests/test_smbd_no_krb5.sh"), + smbclient3, '$SERVER', "$DC_USERNAME", "$DC_PASSWORD", "$PREFIX"]) + plantestsuite("samba3.blackbox.durable_v2_delay", "simpleserver:local", [os.path.join(samba3srcdir, "script/tests/test_durable_handle_reconnect.sh")]) |
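Review bot: The guard `if [ $# -lt 1 ]` lets the script run with fewer than the five positionals it reads before `shift 5`, and the usage text omits the leading smbclient path. `if [ $# -lt 5 ]; then` with `Usage: test_smbd_no_krb5.sh SMBCLIENT SERVER USERNAME PASSWORD PREFIX` would match what the body consumes. The script also leaves `gensec:gse_krb5=no` in global_inject.conf if it is interrupted before the final `echo ''`, which would keep Kerberos disabled for whatever runs next in the ad_member environment. A `trap 'echo "" > "$global_inject_conf"' EXIT` placed right after the path is computed restores it on every exit path. As smaller points, `$SMB_CONF_PATH` and `$global_inject_conf` are expanded unquoted, `samba_kinit` is assigned but never used within the hunk, and the comment `# disbale krb5 globally` should read `# disable krb5 globally`.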