author | Tim Beale <timbeale@catalyst.net.nz> | 2018-06-21 15:04:00 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2018-07-03 10:39:14 +0200 |
commit | 00d22122e5c0eb0c4e45c40b6a292628ab023f2d (patch) | |
tree | e6aac499551252309129ba62a50addff2b9b472c /testprogs | |
parent | ccba77a9d8ead63acee11b15e1ca5f70afe168ad (diff) | |
tests: Add a sub-set of tests to show the restored DC is sound
+ Add a new ldapcmp_restoredc.sh test that asserts that the original DC
backed up (backupfromdc) matches the new restored DC.
+ Add a new join_ldapcmp.sh test that asserts we can join a given DC,
and that the resulting DB matches the joined DC
+ Add a new login_basics.py test that sanity-checks Kerberos and NTLM
user login works. (This reuses the password_lockout base code, without
taking as long as the password_lockout tests do). Basic LDAP and SAMR
connections are also tested as a side-effect.
+ run the netlogonsvc test against the restored DC to prove we can
establish a netlogon connection.
+ run the same subset of rpc.echo tests that we do for RODC
+ run dbcheck over the new testenvs at the end of the test run
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'testprogs')
-rwxr-xr-x | testprogs/blackbox/join_ldapcmp.sh | 41 | ||||
-rwxr-xr-x | testprogs/blackbox/ldapcmp_restoredc.sh | 65 |
2 files changed, 106 insertions, 0 deletions
diff --git a/testprogs/blackbox/join_ldapcmp.sh b/testprogs/blackbox/join_ldapcmp.sh
new file mode 100755
index 00000000000..30d3e1e0192
--- /dev/null
+++ b/testprogs/blackbox/join_ldapcmp.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Does a join against the testenv's DC and then runs ldapcmp on the resulting DB
+
+. `dirname $0`/subunit.sh
+
+TARGET_DIR="$PREFIX_ABS/join_$SERVER"
+
+cleanup_output_dir()
+{
+ if [ -d $TARGET_DIR ]; then
+ rm -fr $TARGET_DIR
+ fi
+}
+
+SAMBA_TOOL="$PYTHON $BINDIR/samba-tool"
+
+join_dc() {
+ JOIN_ARGS="--targetdir=$TARGET_DIR --server=$SERVER -U$USERNAME%$PASSWORD"
+ $SAMBA_TOOL domain join $REALM dc $JOIN_ARGS --option="netbios name = TESTJOINDC"
+}
+
+ldapcmp_result() {
+ DB1_PATH="tdb://$PREFIX_ABS/$SERVER/private/sam.ldb"
+ DB2_PATH="tdb://$TARGET_DIR/private/sam.ldb"
+
+ # interSiteTopologyGenerator gets periodically updated. With the restored
+ # testenvs, it can sometimes point to the old/deleted DC object still
+ $SAMBA_TOOL ldapcmp $DB1_PATH $DB2_PATH --filter=interSiteTopologyGenerator
+}
+
+cleanup_output_dir
+
+# check that we can join this DC
+testit "check_dc_join" join_dc
+
+# check resulting DB matches server DC
+testit "new_db_matches" ldapcmp_result
+
+cleanup_output_dir
+
+exit $failed
diff --git a/testprogs/blackbox/ldapcmp_restoredc.sh b/testprogs/blackbox/ldapcmp_restoredc.sh
new file mode 100755
index 00000000000..51951ba8ce2
--- /dev/null
+++ b/testprogs/blackbox/ldapcmp_restoredc.sh
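Review bot: In join_ldapcmp.sh, cleanup_output_dir runs `rm -fr $TARGET_DIR` unquoted on a path built from `$PREFIX_ABS` and `$SERVER`, and the script checks neither variable. If `PREFIX_ABS` is unset the target becomes `/join_$SERVER` at the filesystem root, and a prefix containing whitespace would split into several rm arguments. I would add `: "${PREFIX_ABS:?}" "${SERVER:?}"` before the `TARGET_DIR` assignment and quote both uses in the function, e.g. `rm -fr -- "$TARGET_DIR"`. Separately, `-U$USERNAME%$PASSWORD` in `JOIN_ARGS` places the password in the process argument list; that is tolerable for a selftest fixture account, but a short comment saying so would stop the pattern being copied into scripts that handle real credentials.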
@@ -0,0 +1,65 @@
+#!/bin/sh
+# Does an ldapcmp between a newly restored testenv and the original testenv it
+# was based on
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: $0 ORIG_DC_PREFIX RESTORED_DC_PREFIX
+EOF
+exit 1;
+fi
+
+ORIG_DC_PREFIX_ABS="$1"
+RESTORED_DC_PREFIX_ABS="$2"
+shift 2
+
+. `dirname $0`/subunit.sh
+
+basedn() {
+ SAMDB_PATH=$1
+ $BINDIR/ldbsearch -H $SAMDB_PATH --basedn='' -s base defaultNamingContext | grep defaultNamingContext | awk '{print $2}'
+}
+
+ldapcmp_with_orig() {
+
+ DB1_PATH="tdb://$ORIG_DC_PREFIX_ABS/private/sam.ldb"
+ DB2_PATH="tdb://$RESTORED_DC_PREFIX_ABS/private/sam.ldb"
+
+ # check if the 2 DCs are in different domains
+ DC1_BASEDN=$(basedn $DB1_PATH)
+ DC2_BASEDN=$(basedn $DB2_PATH)
+ BASE_DN_OPTS=""
+
+ # if necessary, pass extra args to ldapcmp to handle the difference in base DNs
+ if [ "$DC1_BASEDN" != "$DC2_BASEDN" ] ; then
+ BASE_DN_OPTS="--base=$DC1_BASEDN --base2=$DC2_BASEDN"
+ fi
+
+ # the restored DC will remove DNS entries for the old DC(s)
+ IGNORE_ATTRS="dnsRecord,dNSTombstoned"
+
+ # DC2 joined DC1, so it will have different DRS info
+ IGNORE_ATTRS="$IGNORE_ATTRS,msDS-NC-Replica-Locations,msDS-HasInstantiatedNCs"
+ IGNORE_ATTRS="$IGNORE_ATTRS,interSiteTopologyGenerator"
+
+ # there's a servicePrincipalName that uses the objectGUID of the DC's NTDS
+ # Settings that will differ between the two DCs
+ IGNORE_ATTRS="$IGNORE_ATTRS,servicePrincipalName"
+
+ # the restore changes the new DC's password twice
+ IGNORE_ATTRS="$IGNORE_ATTRS,lastLogonTimestamp"
+
+ # The RID pools get bumped during the restore process
+ IGNORE_ATTRS="$IGNORE_ATTRS,rIDAllocationPool,rIDAvailablePool"
+
+ # these are just differences between provisioning a domain and joining a DC
+ IGNORE_ATTRS="$IGNORE_ATTRS,localPolicyFlags,operatingSystem,displayName"
+
+ LDAPCMP_CMD="$PYTHON $BINDIR/samba-tool ldapcmp"
+ $LDAPCMP_CMD $DB1_PATH $DB2_PATH --two --filter=$IGNORE_ATTRS $BASE_DN_OPTS
+}
+
+# check that the restored testenv DC basically matches the original
+testit "orig_dc_matches" ldapcmp_with_orig
+
+exit $failed |
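Review bot: In ldapcmp_restoredc.sh, `basedn` hides an ldbsearch failure, because the pipeline's exit status is awk's. When the search fails or prints nothing, `DC1_BASEDN` and `DC2_BASEDN` both come back empty, compare equal, and the `--base`/`--base2` handling is skipped without any message. ldapcmp_with_orig should fail early, e.g. `[ -n "$DC1_BASEDN" ] && [ -n "$DC2_BASEDN" ] || return 1` right after the two assignments. The `$(basedn $DB1_PATH)` calls and `--filter=$IGNORE_ATTRS` are also unquoted, so a prefix containing whitespace would split. As far as I can tell from the `--filter` usage, `servicePrincipalName` and the other listed attributes are ignored on every object compared, not only the DC's own, and a comment above `IGNORE_ATTRS` stating that would tell readers what a passing run does not cover.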