+ my ($self, $prefix, $dcvars, $iface) = @_;
+
+ print "PROVISIONING S4 PLUGIN AD DC$iface...";
+
+ my $plugin_s4_dc_options = "
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+
+ security = ads
+ domain logons = yes
+ passdb backend = samba4
+ auth methods = guest samba4
+ server signing = on
+
+ rpc_server:epmapper = disabled
+ rpc_server:rpcecho = disabled
+ rpc_server:dssetup = disabled
+ rpc_server:svctl = disabled
+ rpc_server:ntsvcs = disabled
+ rpc_server:eventlog = disabled
+ rpc_server:initshutdown = disabled
+
+ rpc_server:winreg = embedded
+ rpc_server:srvsvc = embedded
+ rpc_server:netdfs = embedded
+ rpc_server:wkssvc = embedded
+ rpc_server:spoolss = embedded
+
+ rpc_server:lsarpc = external
+ rpc_server:netlogon = external
+ rpc_server:samr = external
+
+ rpc_daemon:epmd = disabled
+ rpc_daemon:lsasd = disabled
+ rpc_daemon:spoolssd = disabled
+
+ rpc_server:tcpip = no
+
+[IPC\$]
+ vfs objects = dfs_samba4
+";
+
+ my $ret = $self->provision($prefix,
+ "plugindc",
+ $iface,
+ "pluGin${iface}Pass",
+ $plugin_s4_dc_options, 1);
+
+ $ret or return undef;
+
+ close(USERMAP);
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+ $ret->{KRB5_CONFIG} = $dcvars->{KRB5_CONFIG};
+
+ # We need world access to this share, as otherwise the domain
+ # administrator from the AD domain provided by Samba4 can't
+ # access the share for tests.
+ chmod 0777, "$prefix/share";
+
+ $self->check_or_start($ret,
+ "no", "no", "yes");
+
+ $self->wait_for_start($ret);
+
+ # Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env
+ $ret->{target} = $self;
+
+ return $ret;
+}
+
+sub setup_secshare($$)
+{
+ my ($self, $path) = @_;
+
+ print "PROVISIONING server with security=share...";
+
+ my $secshare_options = "
+ security = share
+ lanman auth = yes
+";
+
+ my $vars = $self->provision($path,
+ "LOCALSHARE4",
+ 4,
+ "local4pass",
+ $secshare_options);
+
+ $vars or return undef;
+
+ $self->check_or_start($vars, "yes", "no", "yes");
+
+ if (not $self->wait_for_start($vars)) {
+ return undef;
+ }
+
+ $self->{vars}->{secshare} = $vars;
+
+ return $vars;
+}
+
+sub setup_secserver($$$)
+{
+ my ($self, $prefix, $s3dcvars) = @_;
+
+ print "PROVISIONING server with security=server...";
+
+ my $secserver_options = "
+ security = server
+ password server = $s3dcvars->{SERVER_IP}
+";
+
+ my $ret = $self->provision($prefix,
+ "LOCALSERVER5",
+ 5,
+ "localserver5pass",
+ $secserver_options);
+
+ $ret or return undef;
+
+ $self->check_or_start($ret, "yes", "no", "yes");
+
+ if (not $self->wait_for_start($ret)) {
+ return undef;
+ }
+
+ $ret->{DC_SERVER} = $s3dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $s3dcvars->{SERVER_IP};
+ $ret->{DC_NETBIOSNAME} = $s3dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $s3dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $s3dcvars->{PASSWORD};
+
+ return $ret;
+}
+
+sub setup_ktest($$$)
+{
+ my ($self, $prefix) = @_;
+
+ print "PROVISIONING server with security=ads...";
+
+ my $ktest_options = "
+ workgroup = KTEST
+ realm = ktest.samba.example.com
+ security = ads
+ username map = $prefix/lib/username.map
+";
+
+ my $ret = $self->provision($prefix,
+ "LOCALKTEST6",
+ 6,
+ "localktest6pass",
+ $ktest_options);
+
+ $ret or return undef;
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = "KTEST";
+ $ctx->{realm} = "KTEST.SAMBA.EXAMPLE.COM";
+ $ctx->{dnsname} = lc($ctx->{realm});
+ $ctx->{kdc_ipv4} = "0.0.0.0";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+ print USERMAP "
+$ret->{USERNAME} = KTEST\\Administrator
+";
+ close(USERMAP);
+
+#This is the secrets.tdb created by 'net ads join' from Samba3 to a
+#Samba4 DC with the same parameters as are being used here. The
+#domain SID is S-1-5-21-1071277805-689288055-3486227160
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
+ chmod 0600, "$prefix/private/secrets.tdb";
+
+#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
+# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
+#
+#and having in krb5.conf:
+# ticket_lifetime = 799718400
+# renew_lifetime = 799718400
+#
+# The commands for the -2 keytab where were:
+# kinit administrator@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+#
+# and then for the -3 keytab, I did
+#
+# net changetrustpw; kdestroy and the same again.
+#
+# This creates a credential cache with a very long lifetime (2036 at
+# at 2011-04), and shows that running 'net changetrustpw' does not
+# break existing logins (for the secrets.tdb method at least).
+#
+
+ $ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-2 $prefix/krb5_ccache-2");
+ chmod 0600, "$prefix/krb5_ccache-2";
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-3 $prefix/krb5_ccache-3");
+ chmod 0600, "$prefix/krb5_ccache-3";
+
+ $self->check_or_start($ret, "yes", "no", "yes");
+
+ if (not $self->wait_for_start($ret)) {
+ return undef;
+ }
+ return $ret;
+}
+
+sub setup_maptoguest($$)
+{
+ my ($self, $path) = @_;
+
+ print "PROVISIONING maptoguest...";
+
+ my $options = "
+map to guest = bad user
+";
+
+ my $vars = $self->provision($path,
+ "maptoguest",
+ 7,
+ "maptoguestpass",
+ $options);
+
+ $vars or return undef;
+
+ $self->check_or_start($vars,
+ "yes", "no", "yes");
+
+ if (not $self->wait_for_start($vars)) {
+ return undef;
+ }
+
+ $self->{vars}->{s3maptoguest} = $vars;
+
+ return $vars;