The RODC should answer some requests locally, and others it should defer to the main DC.
We can tell which KDC we talk to by the KVNO of the encrypted parts that are returned
to the KDC.
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
return undef;
}
+ # This ensures deterministic behaviour for tests that want to have the testallowed
+ # user password verified on the RODC
+ $cmd = "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "$samba_tool rodc preload testallowed $ret->{CONFIGURATION}";
+ $cmd .= " --server=$dcvars->{DC_SERVER}";
+
+ unless (system($cmd) == 0) {
+ warn("RODC join failed\n$cmd");
+ return undef;
+ }
+
# we overwrite the kdc after the RODC join
# so that use the RODC as kdc and test
# the proxy code
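Review bot: The new `warn` reports "RODC join failed" although the command that fails there is the `samba-tool rodc preload testallowed` invocation assembled just above it, so a preload failure would be misdiagnosed as a join failure; suggest `warn("RODC preload of testallowed failed\n$cmd");`. The one-argument `system($cmd)` hands the string to the shell, so the interpolated `$ret->{KRB5_CONFIG}` and `$dcvars->{DC_SERVER}` values are assumed to be shell-safe harness values, which presumably matches how the rest of this file builds its commands; a short `# values come from the test harness, not from external input` comment would record that assumption. The enclosing function begins and ends outside this hunk.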
for env in ["dc", "rodc", "promoted_dc", "plugin_s4_dc", "fl2000dc", "fl2003dc", "fl2008r2dc"]:
plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-U$USERNAME@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
"samba4.krb5.kdc with specified account")
- plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestallowed@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
- "samba4.krb5.kdc with account ALLOWED permission to replicate to an RODC")
plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestdenied@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
"samba4.krb5.kdc with account DENIED permission to replicate to an RODC")
- plansmbtorture4testsuite('krb5.kdc', "%s:local" % env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-P', '--workgroup=$DOMAIN'],
- "samba4.krb5.kdc with machine account")
+ if env == "rodc":
+ extra_options = ['--option=torture:expect_rodc=true']
+ else:
+ extra_options = []
+ plansmbtorture4testsuite('krb5.kdc', "%s:local" % env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-P', '--workgroup=$DOMAIN'] + extra_options,
+ "samba4.krb5.kdc with machine account")
+ plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestallowed@$REALM%$PASSWORD', '--workgroup=$DOMAIN'] + extra_options,
+ "samba4.krb5.kdc with account ALLOWED permission to replicate to an RODC")
# TODO: Verifying the databases really should be a part of the
# environment teardown.
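Review bot: Why `extra_options` is attached only to the machine-account and testallowed runs, and not to the testdenied run two calls above, is left implicit in the new loop body; a comment beside `if env == "rodc":` such as `# Only accounts the RODC is allowed to serve itself (the machine account and testallowed) should come back with an RODC KVNO; testdenied must be proxied to the DC` would record it (this reading is inferred from the test descriptions and the commit message, so confirm before adding it). As a point of style the four-line if/else could be a single conditional expression, `extra_options = ['--option=torture:expect_rodc=true'] if env == "rodc" else []`.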
decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
"decode_AS_REP failed");
torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
- torture_assert_int_equal(test_context->tctx, test_context->as_rep.pvno, 5, "Got wrong as_rep->pvno");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.pvno, 5,
+ "Got wrong as_rep->pvno");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.ticket.tkt_vno, 5,
+ "Got wrong as_rep->ticket.tkt_vno");
+ torture_assert(test_context->tctx,
+ test_context->as_rep.ticket.enc_part.kvno,
+ "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
+ if (torture_setting_bool(test_context->tctx, "expect_rodc", false)) {
+ torture_assert_int_not_equal(test_context->tctx,
+ *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
+ 0, "Did not get a RODC number in the KVNO");
+ } else {
+ torture_assert_int_equal(test_context->tctx,
+ *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
+ 0, "Unexpecedly got a RODC number in the KVNO");
+ }
free_AS_REP(&test_context->as_rep);
}
torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
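Review bot: The message in the else branch misspells "Unexpectedly" (`0, "Unexpectedly got a RODC number in the KVNO");`), and the mask `0xFFFF0000` appears twice as a bare magic number in the two new asserts; a named constant with a comment, e.g. `/* upper 16 bits of a KVNO carry the issuing RODC's number; a full DC leaves them zero */` and `#define RODC_KVNO_MASK 0xFFFF0000`, would make the intent of both branches clear (the meaning of those bits is inferred from the assert messages and the commit description). The new `torture_assert` on the `kvno` pointer correctly guards the dereferences in both branches. The enclosing function begins before this hunk.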