diff options
author | Volker Lendecke <vl@samba.org> | 2020-08-12 15:50:58 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2020-09-03 13:34:10 +0000 |
commit | 6179ac98e6f3ad0cf268905f54b8d86c39c7a7d9 (patch) | |
tree | 7c1eb23bb171314ceb04e95727fef78db64e118e /source4 | |
parent | fa74a0a2f661f89c821aeb7840597d8193a45189 (diff) | |
download | samba-6179ac98e6f3ad0cf268905f54b8d86c39c7a7d9.tar.gz |
torture: Test ldap session expiry
LDAP connections should time out when the kerberos ticket used to authenticate
expires. Windows does this with a RFC4511 section 4.4.1 message (that as of
August 2020 is encoded not according to the RFC) followed by a TCP disconnect.
ldb sees the section 4.4.1 as a protocol violation and returns
LDB_ERR_PROTOCOL_ERROR.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 35c4bb0b0c55a65490fe199edb1a534548104e95)
Diffstat (limited to 'source4')
-rwxr-xr-x | source4/selftest/tests.py | 4 | ||||
-rw-r--r-- | source4/torture/ldap/common.c | 2 | ||||
-rw-r--r-- | source4/torture/ldap/session_expiry.c | 121 | ||||
-rw-r--r-- | source4/torture/wscript_build | 1 |
4 files changed, 128 insertions, 0 deletions
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index f4d91520a12..0b74b6c8984 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -156,6 +156,10 @@ for options in ['-U"$USERNAME%$PASSWORD"']: for t in smbtorture4_testsuites("ldap."): if t == "ldap.nested-search": plansmbtorture4testsuite(t, "ad_dc_default_smb1", '-U"$USERNAME%$PASSWORD" //$SERVER_IP/_none_') + elif t == "ldap.session-expiry": + # This requires kerberos and thus the server name + plansmbtorture4testsuite( + t, "ad_dc_default", '-U"$USERNAME%$PASSWORD" //$DC_SERVER/_none_') else: plansmbtorture4testsuite(t, "ad_dc_default", '-U"$USERNAME%$PASSWORD" //$SERVER_IP/_none_') diff --git a/source4/torture/ldap/common.c b/source4/torture/ldap/common.c index 9482e0392bc..d16f611fa77 100644 --- a/source4/torture/ldap/common.c +++ b/source4/torture/ldap/common.c @@ -124,6 +124,8 @@ NTSTATUS torture_ldap_init(TALLOC_CTX *ctx) torture_suite_add_simple_test(suite, "schema", torture_ldap_schema); torture_suite_add_simple_test(suite, "uptodatevector", torture_ldap_uptodatevector); torture_suite_add_simple_test(suite, "nested-search", test_ldap_nested_search); + torture_suite_add_simple_test( + suite, "session-expiry", torture_ldap_session_expiry); suite->description = talloc_strdup(suite, "LDAP and CLDAP tests"); diff --git a/source4/torture/ldap/session_expiry.c b/source4/torture/ldap/session_expiry.c new file mode 100644 index 00000000000..35dda439b17 --- /dev/null +++ b/source4/torture/ldap/session_expiry.c @@ -0,0 +1,121 @@ +/* + * Unix SMB/CIFS implementation. + * + * Test LDB attribute functions + * + * Copyright (C) Andrew Bartlet <abartlet@samba.org> 2008-2009 + * Copyright (C) Matthieu Patou <mat@matws.net> 2009 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "lib/events/events.h" +#include <ldb.h> +#include <ldb_errors.h> +#include "ldb_wrap.h" +#include "param/param.h" +#include "lib/cmdline/popt_common.h" +#include "auth/credentials/credentials.h" +#include "libcli/ldap/ldap_client.h" +#include "torture/smbtorture.h" +#include "torture/ldap/proto.h" + +bool torture_ldap_session_expiry(struct torture_context *torture) +{ + const char *host = torture_setting_string(torture, "host", NULL); + struct cli_credentials *credentials = popt_get_cmdline_credentials(); + struct ldb_context *ldb = NULL; + const char *url = NULL; + bool ret = false; + bool ok; + struct ldb_dn *rootdn = NULL; + struct ldb_result *result = NULL; + int rc = LDB_SUCCESS; + + /* + * Further down we request a ticket lifetime of 4 + * seconds. Give the server 10 seconds for this to kick in + */ + const struct timeval endtime = timeval_current_ofs(10, 0); + + url = talloc_asprintf(torture, "ldap://%s/", host); + torture_assert_goto( + torture, url!=NULL, ret, fail, "talloc_asprintf failed"); + + cli_credentials_set_kerberos_state( + credentials, CRED_MUST_USE_KERBEROS); + + ok = lpcfg_set_option( + torture->lp_ctx, "gensec_gssapi:requested_life_time=4"); + torture_assert_goto( + torture, ok, ret, fail, "lpcfg_set_option failed"); + + ldb = ldb_wrap_connect( + torture, + torture->ev, + torture->lp_ctx, + url, + NULL, + credentials, + 0); + torture_assert_goto( + torture, ldb!=NULL, ret, fail, "ldb_wrap_connect failed"); + + rootdn = ldb_dn_new(ldb, ldb, NULL); + torture_assert_goto( + torture, rootdn!=NULL, ret, fail, "ldb_dn_new failed"); + + rc = ldb_search( + ldb, /* ldb */ + ldb, /* mem_ctx */ + &result, /* result */ + rootdn, /* base */ + LDB_SCOPE_BASE, /* scope */ + NULL, /* attrs */ + "(objectclass=*)"); /* exp_fmt */ + torture_assert_goto( + torture, rc==LDB_SUCCESS, ret, fail, "1st ldb_search failed"); + + do { + smb_msleep(1000); + + rc = ldb_search( + ldb, /* ldb */ + ldb, /* mem_ctx */ + &result, /* result */ + rootdn, /* base */ + LDB_SCOPE_BASE, /* scope */ + NULL, /* attrs */ + "(objectclass=*)"); /* exp_fmt */ + printf("ldb_search returned %s\n", ldb_strerror(rc)); + TALLOC_FREE(result); + + if (rc != LDB_SUCCESS) { + break; + } + } while (!timeval_expired(&endtime)); + + torture_assert_goto( + torture, + rc==LDB_ERR_PROTOCOL_ERROR, + ret, + fail, + "expected LDB_ERR_PROTOCOL_ERROR after 4 seconds"); + + ret = true; +fail: + TALLOC_FREE(ldb); + return ret; +} diff --git a/source4/torture/wscript_build b/source4/torture/wscript_build index 10b486b1ded..1b781266e43 100644 --- a/source4/torture/wscript_build +++ b/source4/torture/wscript_build @@ -259,6 +259,7 @@ bld.SAMBA_MODULE('TORTURE_LDAP', ldap/cldapbench.c ldap/ldap_sort.c ldap/nested_search.c + ldap/session_expiry.c ''', subsystem='smbtorture', deps='cli-ldap cli_cldap samdb popt POPT_CREDENTIALS torture ldbsamba', |