diff options
author | David Mulder <dmulder@suse.com> | 2017-03-03 12:54:30 -0700 |
---|---|---|
committer | Garming Sam <garming@samba.org> | 2017-11-20 21:41:15 +0100 |
commit | e750e4a35f201f2e59e06933eb813e244279e73d (patch) | |
tree | 3b9e4a2abef945b4ba3fd2ca835864d03f2283e8 /source4/torture/gpo | |
parent | 05235a56e3261bacf27aca2a2e9e80b54f37f68d (diff) | |
download | samba-e750e4a35f201f2e59e06933eb813e244279e73d.tar.gz |
gpo: Add gpo tests
Lays down a sysvol gpttmpl.inf with password policies, then runs the samba_gpoupdate command. Verifies policies are applied to the samdb.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/torture/gpo')
-rw-r--r-- | source4/torture/gpo/apply.c | 177 | ||||
-rw-r--r-- | source4/torture/gpo/gpo.c | 35 | ||||
-rw-r--r-- | source4/torture/gpo/wscript_build | 13 |
3 files changed, 225 insertions, 0 deletions
diff --git a/source4/torture/gpo/apply.c b/source4/torture/gpo/apply.c new file mode 100644 index 00000000000..b6b9b0ee76a --- /dev/null +++ b/source4/torture/gpo/apply.c @@ -0,0 +1,177 @@ +/* + Unix SMB/CIFS implementation. + + Copyright (C) David Mulder 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "param/param.h" +#include "param/loadparm.h" +#include "torture/smbtorture.h" +#include "lib/util/mkdir_p.h" +#include "dsdb/samdb/samdb.h" +#include "auth/session.h" +#include "lib/ldb/include/ldb.h" +#include "torture/gpo/proto.h" +#include <unistd.h> + +struct torture_suite *gpo_apply_suite(TALLOC_CTX *ctx) +{ + struct torture_suite *suite = torture_suite_create(ctx, "apply"); + + torture_suite_add_simple_test(suite, "gpo_param_from_gpo", torture_gpo_system_access_policies); + + suite->description = talloc_strdup(suite, "Group Policy apply tests"); + + return suite; +} + +static int exec_wait(const char **cmd) +{ + int ret; + pid_t pid = fork(); + switch (pid) { + case 0: + execv(cmd[0], discard_const_p(char *, &(cmd[1]))); + ret = -1; + break; + case -1: + ret = errno; + break; + default: + if (waitpid(pid, &ret, 0) < 0) + ret = errno; + break; + } + return ret; +} + +static int unix2nttime(char *sval) +{ + return (strtoll(sval, NULL, 10) * -1 / 60 / 60 / 24 / 10000000); +} + +#define GPODIR "addom.samba.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit" +#define GPOFILE "GptTmpl.inf" +#define GPTTMPL "[System Access]\n\ +MinimumPasswordAge = %d\n\ +MaximumPasswordAge = %d\n\ +MinimumPasswordLength = %d\n\ +PasswordComplexity = %d\n\ +" +#define GPTINI "addom.samba.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI" + +bool torture_gpo_system_access_policies(struct torture_context *tctx) +{ + int ret, vers = 0, i; + const char *sysvol_path = NULL, *gpo_dir = NULL, *gpo_file = NULL, *gpt_file = NULL; + struct ldb_context *samdb = NULL; + struct ldb_result *result; + const char *attrs[] = { + "minPwdAge", + "maxPwdAge", + "minPwdLength", + "pwdProperties", + NULL + }; + const struct ldb_val *val; + FILE *fp = NULL; + const char **gpo_update_cmd; + int minpwdcases[] = { 0, 1, 998 }; + int maxpwdcases[] = { 0, 1, 999 }; + int pwdlencases[] = { 0, 1, 14 }; + int pwdpropcases[] = { 0, 1, 1 }; + struct ldb_message *old_message = NULL; + + sysvol_path = lpcfg_path(lpcfg_service(tctx->lp_ctx, "sysvol"), lpcfg_default_service(tctx->lp_ctx), tctx); + torture_assert(tctx, sysvol_path, "Failed to fetch the sysvol path"); + + /* Ensure the sysvol path exists */ + gpo_dir = talloc_asprintf(tctx, "%s/%s", sysvol_path, GPODIR); + mkdir_p(gpo_dir, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH); + gpo_file = talloc_asprintf(tctx, "%s/%s", gpo_dir, GPOFILE); + + /* Get the gpo update command */ + gpo_update_cmd = lpcfg_gpo_update_command(tctx->lp_ctx); + torture_assert(tctx, gpo_update_cmd && gpo_update_cmd[0], "Failed to fetch the gpo update command"); + + /* Open and read the samba db and store the initial password settings */ + samdb = samdb_connect(tctx, tctx->ev, tctx->lp_ctx, system_session(tctx->lp_ctx), 0); + torture_assert(tctx, samdb, "Failed to connect to the samdb"); + + ret = ldb_search(samdb, tctx, &result, ldb_get_default_basedn(samdb), LDB_SCOPE_BASE, attrs, NULL); + torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1, "Searching the samdb failed"); + + old_message = result->msgs[0]; + + for (i = 0; i < 3; i++) { + /* Write out the sysvol */ + if ( (fp = fopen(gpo_file, "w")) ) { + fputs(talloc_asprintf(tctx, GPTTMPL, minpwdcases[i], maxpwdcases[i], pwdlencases[i], pwdpropcases[i]), fp); + fclose(fp); + } + + /* Update the version in the GPT.INI */ + gpt_file = talloc_asprintf(tctx, "%s/%s", sysvol_path, GPTINI); + if ( (fp = fopen(gpt_file, "r")) ) { + char line[256]; + while (fgets(line, 256, fp)) { + if (strncasecmp(line, "Version=", 8) == 0) { + vers = atoi(line+8); + break; + } + } + fclose(fp); + } + if ( (fp = fopen(gpt_file, "w")) ) { + char *data = talloc_asprintf(tctx, "[General]\nVersion=%d\n", ++vers); + fputs(data, fp); + fclose(fp); + } + + /* Run the gpo update command */ + ret = exec_wait(gpo_update_cmd); + torture_assert(tctx, ret == 0, "Failed to execute the gpo update command"); + + ret = ldb_search(samdb, tctx, &result, ldb_get_default_basedn(samdb), LDB_SCOPE_BASE, attrs, NULL); + torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1, "Searching the samdb failed"); + + /* minPwdAge */ + val = ldb_msg_find_ldb_val(result->msgs[0], attrs[0]); + torture_assert(tctx, unix2nttime((char*)val->data) == minpwdcases[i], "The minPwdAge was not applied"); + + /* maxPwdAge */ + val = ldb_msg_find_ldb_val(result->msgs[0], attrs[1]); + torture_assert(tctx, unix2nttime((char*)val->data) == maxpwdcases[i], "The maxPwdAge was not applied"); + + /* minPwdLength */ + val = ldb_msg_find_ldb_val(result->msgs[0], attrs[2]); + torture_assert(tctx, atoi((char*)val->data) == pwdlencases[i], "The minPwdLength was not applied"); + + /* pwdProperties */ + val = ldb_msg_find_ldb_val(result->msgs[0], attrs[3]); + torture_assert(tctx, atoi((char*)val->data) == pwdpropcases[i], "The pwdProperties were not applied"); + } + + for (i = 0; i < old_message->num_elements; i++) { + old_message->elements[i].flags = LDB_FLAG_MOD_REPLACE; + } + + ret = ldb_modify(samdb, old_message); + torture_assert(tctx, ret == 0, "Failed to reset password settings."); + + return true; +} diff --git a/source4/torture/gpo/gpo.c b/source4/torture/gpo/gpo.c new file mode 100644 index 00000000000..4a06809588e --- /dev/null +++ b/source4/torture/gpo/gpo.c @@ -0,0 +1,35 @@ +/* + Unix SMB/CIFS implementation. + + Copyright (C) David Mulder 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "torture/smbtorture.h" +#include "torture/gpo/proto.h" + +NTSTATUS torture_gpo_init(TALLOC_CTX *ctx) +{ + struct torture_suite *suite = torture_suite_create(ctx, "gpo"); + + torture_suite_add_suite(suite, gpo_apply_suite(suite)); + + suite->description = talloc_strdup(suite, "Group Policy tests"); + + torture_register_suite(ctx, suite); + + return NT_STATUS_OK; +} diff --git a/source4/torture/gpo/wscript_build b/source4/torture/gpo/wscript_build new file mode 100644 index 00000000000..d7b131f8095 --- /dev/null +++ b/source4/torture/gpo/wscript_build @@ -0,0 +1,13 @@ +#!/usr/bin/env python + +bld.SAMBA_MODULE('TORTURE_GPO', + source=''' + gpo.c + apply.c + ''', + subsystem='smbtorture', + deps='torture samba-util-core ldb', + internal_module=True, + autoproto='proto.h', + init_function='torture_gpo_init' + ) |