testprogs: Add 'net ads join' test for fips

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu May 14 14:27:26 UTC 2020 on sn-devel-184

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index a3831b5d67c5a8b3dfd31c17aa1b264003f72c6d..15af32a04150f6ce958df287b59a02f2a5d5427d 100755 (executable)
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -530,6 +530,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
 if have_gnutls_crypto_policies:
     plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
     plantestsuite("samba4.blackbox.weak_crypto.server", "ad_dc_fips", [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
+    plantestsuite("samba4.blackbox.net_ads_fips", "ad_dc_fips:client", [os.path.join(bbdir, "test_net_ads_fips.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS'])
 
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
 # json tests hook into ``chgdcpass'' to make them run in contributor CI on

diff --git a/testprogs/blackbox/test_net_ads_fips.sh b/testprogs/blackbox/test_net_ads_fips.sh
new file mode 100755 (executable)
index 0000000..6364f9d
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_fips.sh
@@ -0,0 +1,43 @@
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_net_ads_fips.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+BASEDIR=$4
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+net_tool="$BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads"
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+# This make sure we are able to join AD in FIPS mode with Kerberos (NTLM doesn't work in FIPS mode).
+testit "join" $VALGRIND $net_tool ads join -k -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+
+testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
+testit "leave" $VALGRIND $net_tool ads leave -k -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed