ctdb-scripts: Do not de-duplicate the interfaces list
[samba.git] / selftest / target / Samba3.pm
index ee20528a325a179690c42019139b30e81a9b926a..cf40633d127fc96609db228d8e612bbe64d6243f 100755 (executable)
@@ -27,7 +27,7 @@ sub return_alias_env
 sub have_ads($) {
         my ($self) = @_;
        my $found_ads = 0;
-        my $smbd_build_options = Samba::bindir_path($self, "smbd") . " -b|";
+        my $smbd_build_options = Samba::bindir_path($self, "smbd") . " --configfile=/dev/null -b|";
         open(IN, $smbd_build_options) or die("Unable to run $smbd_build_options: $!");
 
         while (<IN>) {
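Review bot: The changed line still feeds a single string ending in `-b|` to the two-argument `open(IN, $smbd_build_options)`, so the smbd path is parsed by the shell and a build directory containing spaces or shell metacharacters would break or alter the command. The list form avoids both the shell and the bareword handle: `open(my $in, '-|', Samba::bindir_path($self, "smbd"), "--configfile=/dev/null", "-b")`. The `while` loop reading from `IN` and the rest of have_ads continue outside the hunk and would need the handle renamed to match.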
@@ -97,44 +97,54 @@ sub teardown_env_samba($$)
        my $smbdpid = $envvars->{SMBD_TL_PID};
        my $nmbdpid = $envvars->{NMBD_TL_PID};
        my $winbinddpid = $envvars->{WINBINDD_TL_PID};
+       my $samba_dcerpcdpid = $envvars->{SAMBA_DCERPCD_TL_PID};
 
        # This should give it time to write out the gcov data
        until ($count > 20) {
            my $smbdchild = Samba::cleanup_child($smbdpid, "smbd");
            my $nmbdchild = Samba::cleanup_child($nmbdpid, "nmbd");
            my $winbinddchild = Samba::cleanup_child($winbinddpid, "winbindd");
+           my $samba_dcerpcdchild = Samba::cleanup_child(
+               $samba_dcerpcdpid, "samba-dcerpcd");
            if ($smbdchild == -1
                && $nmbdchild == -1
-               && $winbinddchild == -1) {
+               && $winbinddchild == -1
+               && $samba_dcerpcdpid == -1) {
                last;
            }
            sleep(1);
            $count++;
        }
 
-       if ($count <= 20 && kill(0, $smbdpid, $nmbdpid, $winbinddpid) == 0) {
+       if ($count <= 20 &&
+           kill(0, $smbdpid, $nmbdpid, $winbinddpid, $samba_dcerpcdpid) == 0) {
            return;
        }
 
        $self->stop_sig_term($smbdpid);
        $self->stop_sig_term($nmbdpid);
        $self->stop_sig_term($winbinddpid);
+       $self->stop_sig_term($samba_dcerpcdpid);
 
        $count = 0;
        until ($count > 10) {
            my $smbdchild = Samba::cleanup_child($smbdpid, "smbd");
            my $nmbdchild = Samba::cleanup_child($nmbdpid, "nmbd");
            my $winbinddchild = Samba::cleanup_child($winbinddpid, "winbindd");
+           my $samba_dcerpcdpid = Samba::cleanup_child(
+               $samba_dcerpcdpid, "samba-dcerpcd");
            if ($smbdchild == -1
                && $nmbdchild == -1
-               && $winbinddchild == -1) {
+               && $winbinddchild == -1
+               && $samba_dcerpcdpid == -1) {
                last;
            }
            sleep(1);
            $count++;
        }
 
-       if ($count <= 10 && kill(0, $smbdpid, $nmbdpid, $winbinddpid) == 0) {
+       if ($count <= 10 &&
+           kill(0, $smbdpid, $nmbdpid, $winbinddpid, $samba_dcerpcdpid) == 0) {
            return;
        }
 
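Review bot: In the first wait loop the added condition tests `$samba_dcerpcdpid == -1`, which is the PID itself, while the freshly assigned `$samba_dcerpcdchild` is never read. That comparison is never true, so the loop cannot `last` early, always runs all 21 iterations, and the following `$count <= 20` check then always falls through to SIGTERM. The condition should read `&& $samba_dcerpcdchild == -1) {`. The second loop only works because `my $samba_dcerpcdpid = Samba::cleanup_child(...)` shadows the outer PID with the child status; calling it `$samba_dcerpcdchild` there too would keep the two loops parallel. Environments that never start samba-dcerpcd presumably leave `SAMBA_DCERPCD_TL_PID` undefined, so confirm that `cleanup_child`, `kill(0, ...)` and `stop_sig_term` tolerate an undef PID.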
@@ -142,6 +152,7 @@ sub teardown_env_samba($$)
        $self->stop_sig_kill($smbdpid);
        $self->stop_sig_kill($nmbdpid);
        $self->stop_sig_kill($winbinddpid);
+       $self->stop_sig_kill($samba_dcerpcdpid);
 
        return 0;
 }
@@ -188,7 +199,7 @@ sub getlog_env_app($$$)
        close(LOG);
 
        return "" if $out eq $title;
+
        return $out;
 }
 
@@ -236,8 +247,13 @@ sub check_env($$)
        ad_member           => ["ad_dc", "fl2008r2dc", "fl2003dc"],
        ad_member_rfc2307   => ["ad_dc_ntvfs"],
        ad_member_idmap_rid => ["ad_dc"],
+       admem_idmap_autorid => ["ad_dc"],
        ad_member_idmap_ad  => ["fl2008r2dc"],
        ad_member_fips      => ["ad_dc_fips"],
+       ad_member_offlogon  => ["ad_dc"],
+       ad_member_oneway    => ["fl2000dc"],
+       ad_member_idmap_nss => ["ad_dc"],
+       ad_member_s3_join   => ["vampire_dc"],
 
        clusteredmember => ["nt4_dc"],
 );
@@ -246,7 +262,7 @@ sub check_env($$)
 
 sub setup_nt4_dc
 {
-       my ($self, $path, $more_conf, $server) = @_;
+       my ($self, $path, $more_conf, $domain, $server) = @_;
 
        print "PROVISIONING NT4 DC...";
 
@@ -256,20 +272,39 @@ sub setup_nt4_dc
        lanman auth = yes
        ntlm auth = yes
        raw NTLMv2 auth = yes
-       server schannel = auto
-
-       rpc_server:epmapper = external
-       rpc_server:spoolss = external
-       rpc_server:lsarpc = external
-       rpc_server:samr = external
-       rpc_server:netlogon = external
-       rpc_server:register_embedded_np = yes
-       rpc_server:FssagentRpc = external
-
-       rpc_daemon:epmd = fork
-       rpc_daemon:spoolssd = fork
-       rpc_daemon:lsasd = fork
-       rpc_daemon:fssd = fork
+       rpc start on demand helpers = false
+
+       CVE_2020_1472:warn_about_unused_debug_level = 3
+       server require schannel:schannel0\$ = no
+       server require schannel:schannel1\$ = no
+       server require schannel:schannel2\$ = no
+       server require schannel:schannel3\$ = no
+       server require schannel:schannel4\$ = no
+       server require schannel:schannel5\$ = no
+       server require schannel:schannel6\$ = no
+       server require schannel:schannel7\$ = no
+       server require schannel:schannel8\$ = no
+       server require schannel:schannel9\$ = no
+       server require schannel:schannel10\$ = no
+       server require schannel:schannel11\$ = no
+       server require schannel:torturetest\$ = no
+
+       server schannel require seal:schannel0\$ = no
+       server schannel require seal:schannel1\$ = no
+       server schannel require seal:schannel2\$ = no
+       server schannel require seal:schannel3\$ = no
+       server schannel require seal:schannel4\$ = no
+       server schannel require seal:schannel5\$ = no
+       server schannel require seal:schannel6\$ = no
+       server schannel require seal:schannel7\$ = no
+       server schannel require seal:schannel8\$ = no
+       server schannel require seal:schannel9\$ = no
+       server schannel require seal:schannel10\$ = no
+       server schannel require seal:schannel11\$ = no
+       server schannel require seal:torturetest\$ = no
+
+       vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no
+
        fss: sequence timeout = 1
        check parent directory delete on close = yes
 ";
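Review bot: The added `server require schannel:schannelN\$ = no` and `server schannel require seal:schannelN\$ = no` lines switch off secure-channel enforcement for thirteen machine accounts each, and `vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no` is set alongside them, but nothing in the hunk says why. A short smb.conf comment above each group would record that these are deliberate test-only exemptions, e.g. `# Test-only: per-account exemptions so the schannel tests can reach the insecure code paths; never copy into a production smb.conf`. That purpose is inferred from the `CVE_2020_1472:` option name, so the author should confirm the wording. The 26 near-identical lines could also be generated from one list of account names before the string is built, so the two groups cannot drift apart. setup_nt4_dc starts and ends outside this hunk.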
@@ -277,12 +312,15 @@ sub setup_nt4_dc
        if (defined($more_conf)) {
                $nt4_dc_options = $nt4_dc_options . $more_conf;
        }
+       if (!defined($domain)) {
+               $domain = "SAMBA-TEST";
+       }
        if (!defined($server)) {
                $server = "LOCALNT4DC2";
        }
        my $vars = $self->provision(
            prefix => $path,
-           domain => "SAMBA-TEST",
+           domain => $domain,
            server => $server,
            password => "localntdc2pass",
            extra_options => $nt4_dc_options);
@@ -291,6 +329,7 @@ sub setup_nt4_dc
 
        if (not $self->check_or_start(
                env_vars => $vars,
+               samba_dcerpcd => "yes",
                nmbd => "yes",
                winbindd => "yes",
                smbd => "yes")) {
@@ -316,7 +355,7 @@ sub setup_nt4_dc_smb1
        client min protocol = CORE
        server min protocol = LANMAN1
 ";
-       return $self->setup_nt4_dc($path, $conf, "LCLNT4DC2SMB1");
+       return $self->setup_nt4_dc($path, $conf, "NT4SMB1", "LCLNT4DC2SMB1");
 }
 
 sub setup_nt4_dc_smb1_done
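Review bot: The call `setup_nt4_dc($path, $conf, "NT4SMB1", "LCLNT4DC2SMB1")` relies on `$domain` having been inserted ahead of `$server` in setup_nt4_dc's positional argument list. Any caller outside this diff that still passes the server name third would now provision it as the domain and silently fall back to the default `LOCALNT4DC2` server. Appending `$domain` after `$server` would avoid that; failing that, a comment above `sub setup_nt4_dc` such as `# args: $path, $more_conf, $domain (default SAMBA-TEST), $server (default LOCALNT4DC2)` would make the order explicit. Other callers are not visible here and should be checked.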
@@ -336,17 +375,6 @@ sub setup_nt4_dc_schannel
        domain logons = yes
        lanman auth = yes
 
-       rpc_server:epmapper = external
-       rpc_server:spoolss = external
-       rpc_server:lsarpc = external
-       rpc_server:samr = external
-       rpc_server:netlogon = external
-       rpc_server:register_embedded_np = yes
-
-       rpc_daemon:epmd = fork
-       rpc_daemon:spoolssd = fork
-       rpc_daemon:lsasd = fork
-
        server schannel = yes
        # used to reproduce bug #12772
        server max protocol = SMB2_02
@@ -478,8 +506,6 @@ sub setup_clusteredmember
        my $prefix_abs = abs_path($prefix);
        mkdir($prefix_abs, 0777);
 
-       my $server_name = "CLUSTEREDMEMBER";
-
        my $ctdb_data = $self->setup_ctdb($prefix);
 
        if (not $ctdb_data) {
@@ -502,8 +528,8 @@ sub setup_clusteredmember
                my $pub_iface = $node->{SOCKET_WRAPPER_DEFAULT_IFACE};
                my $node_prefix = $node->{NODE_PREFIX};
 
-               print "NODE_PREFIX=${node_prefix}\n";
-               print "SOCKET=${socket}\n";
+               print "CTDB_BASE=${node_prefix}\n";
+               print "CTDB_SOCKET=${socket}\n";
 
                my $require_mutexes = "dbwrap_tdb_require_mutexes:* = yes";
                if ($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} // '' eq "1") {
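Review bot: The unchanged context line `if ($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} // '' eq "1")` at the end of this hunk does not compare the variable with "1". `eq` binds tighter than `//`, so it parses as `$ENV{...} // ('' eq "1")` and is true for any true value of the variable. If an exact match is intended it needs parentheses: `if (($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} // '') eq "1") {`. The body of the `if` lies outside the hunk.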
@@ -514,7 +540,10 @@ sub setup_clusteredmember
        security = domain
        server signing = on
        clustering = yes
+       rpc start on demand helpers = false
+       rpcd witness:include node ips = yes
        ctdbd socket = ${socket}
+       include = registry
        dbwrap_tdb_mutexes:* = yes
        ${require_mutexes}
 ";
@@ -534,6 +563,36 @@ sub setup_clusteredmember
                        return undef;
                }
 
+               my $registry_share_template = "$node_ret->{SERVERCONFFILE}.registry_share_template";
+               unless (open(REGISTRYCONF, ">$registry_share_template")) {
+                       warn("Unable to open $registry_share_template");
+                       teardown_env($self, $node_ret);
+                       teardown_env($self, $ctdb_data);
+                       return undef;
+               }
+
+               print REGISTRYCONF "
+[registry_share]
+       copy = tmp
+       comment = smb username is [%U]
+";
+
+               close(REGISTRYCONF);
+
+               my $net = Samba::bindir_path($self, "net");
+               my $cmd = "";
+
+               $cmd .= "UID_WRAPPER_ROOT=1 ";
+               $cmd .= "$net conf import $node_ret->{CONFIGURATION} ${registry_share_template}";
+
+               my $net_ret = system($cmd);
+               if ($net_ret != 0) {
+                       warn("net conf import failed: $net_ret\n$cmd");
+                       teardown_env($self, $node_ret);
+                       teardown_env($self, $ctdb_data);
+                       return undef;
+               }
+
                my $nmblookup = Samba::bindir_path($self, "nmblookup");
                do {
                        print "Waiting for the LOGON SERVER registration ...\n";
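Review bot: The new template write uses a two-argument `open(REGISTRYCONF, ">$registry_share_template")` on a bareword handle, reports failure without `$!`, and never checks `print` or `close`. A short or failed write would therefore surface only later, as a confusing `net conf import` error. Prefer `unless (open(my $fh, '>', $registry_share_template)) {` with `warn("Unable to open $registry_share_template: $!");`, and treat a false `close($fh)` like the open failure. The import command is also handed to `system` as one shell string with unquoted paths, so a test prefix containing whitespace would split the arguments. The enclosing loop in setup_clusteredmember starts and ends outside the hunk.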
@@ -576,6 +635,7 @@ sub setup_clusteredmember
                my $ok;
                $ok = $self->check_or_start(
                    env_vars => $node_provision,
+                   samba_dcerpcd => "yes",
                    winbindd => "yes",
                    smbd => "yes",
                    child_cleanup => sub {
@@ -646,10 +706,19 @@ sub provision_ad_member
 {
        my ($self,
            $prefix,
+           $machine_account,
            $dcvars,
            $trustvars_f,
            $trustvars_e,
-           $force_fips_mode) = @_;
+           $extra_member_options,
+           $force_fips_mode,
+           $offline_logon,
+           $no_nss_winbind) = @_;
+
+       if (defined($offline_logon) && defined($no_nss_winbind)) {
+               warn ("Offline logon incompatible with no nss winbind\n");
+               return undef;
+       }
 
        my $prefix_abs = abs_path($prefix);
        my @dirs = ();
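Review bot: provision_ad_member now takes nine positional arguments, with `$machine_account` and `$extra_member_options` inserted in the middle, and none of this is documented. `$offline_logon` and `$no_nss_winbind` are tested with `defined()` rather than for truth, so callers must pass `undef` placeholders and a `0` would switch a mode on. A comment block above the sub should list each argument in order, say that these two flags are enabled by any defined value, and say that they are mutually exclusive. Callers outside this diff that still pass `$dcvars` second would now have it taken as the machine account, so they need checking. The sub's body continues outside the hunk.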
@@ -681,28 +750,41 @@ sub provision_ad_member
        $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}/alice/g_$dcvars->{DOMAIN}/domain users";
        push(@dirs, $substitution_path);
 
+       my $smbcacls_sharedir="$share_dir/smbcacls";
+       push(@dirs,$smbcacls_sharedir);
+
+       my $option_offline_logon = "no";
+       if (defined($offline_logon)) {
+               $option_offline_logon = "yes";
+       }
+
+       my $netbios_aliases = "";
+       if ($machine_account eq "LOCALADMEMBER") {
+               $netbios_aliases = "netbios aliases = foo bar";
+       }
+
+       unless (defined($extra_member_options)) {
+               $extra_member_options = "";
+       }
+
        my $member_options = "
        security = ads
         workgroup = $dcvars->{DOMAIN}
         realm = $dcvars->{REALM}
-        netbios aliases = foo bar
+        $netbios_aliases
        template homedir = /home/%D/%G/%U
        auth event notification = true
        password server = $dcvars->{SERVER}
        winbind scan trusted domains = no
-       winbind use krb5 enterprise principals = yes
+       winbind offline logon = $option_offline_logon
 
        allow dcerpc auth level connect:lsarpc = yes
        dcesrv:max auth states = 8
+       rpc start on demand helpers = false
 
-       rpc_server:epmapper = external
-       rpc_server:lsarpc = external
-       rpc_server:samr = external
-       rpc_server:netlogon = disabled
-       rpc_server:register_embedded_np = yes
-
-       rpc_daemon:epmd = fork
-       rpc_daemon:lsasd = fork
+       # Begin extra member options
+       $extra_member_options
+       # End extra member options
 
 [sub_dug]
        path = $share_dir/D_%D/U_%U/G_%G
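Review bot: The `netbios aliases` line is now keyed on the literal comparison `$machine_account eq "LOCALADMEMBER"`, which hides a per-environment setting inside the shared provisioning code. It would also emit an uninitialized-value warning if a caller omits the new argument. Since this same hunk introduces `$extra_member_options` for exactly that kind of setting, setup_ad_member could pass `netbios aliases = foo bar` through it and the special case could be dropped. If the comparison stays, a one-line comment such as `# only the original ad_member env keeps the aliases` would explain it. The configuration string and the sub both continue outside the hunk.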
@@ -761,7 +843,8 @@ sub provision_ad_member
        my $ret = $self->provision(
            prefix => $prefix,
            domain => $dcvars->{DOMAIN},
-           server => "LOCALADMEMBER",
+           realm => $dcvars->{REALM},
+           server => $machine_account,
            password => "loCalMemberPass",
            extra_options => $member_options,
            resolv_conf => $dcvars->{RESOLV_CONF});
@@ -770,7 +853,6 @@ sub provision_ad_member
 
        mkdir($_, 0777) foreach(@dirs);
 
-       close(USERMAP);
        $ret->{DOMAIN} = $dcvars->{DOMAIN};
        $ret->{REALM} = $dcvars->{REALM};
        $ret->{DOMSID} = $dcvars->{DOMSID};
@@ -810,7 +892,7 @@ sub provision_ad_member
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
        $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
        $cmd .= "$net join $ret->{CONFIGURATION}";
-       $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} -k";
+       $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} --use-kerberos=required";
 
        if (system($cmd) != 0) {
            warn("Join failed\n$cmd");
@@ -822,12 +904,106 @@ sub provision_ad_member
        # access the share for tests.
        chmod 0777, "$prefix/share";
 
-       if (not $self->check_or_start(
-               env_vars => $ret,
-               nmbd => "yes",
-               winbindd => "yes",
-               smbd => "yes")) {
-               return undef;
+       if (defined($offline_logon)) {
+               my $wbinfo = Samba::bindir_path($self, "wbinfo");
+
+               if (not $self->check_or_start(
+                       env_vars => $ret,
+                       winbindd => "yes")) {
+                       return undef;
+               }
+
+               # Fill samlogoncache for alice
+               $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+               $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+               $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+               $cmd .= "$wbinfo --pam-logon=ADDOMAIN/alice%Secret007";
+               if (system($cmd) != 0) {
+                       warn("Filling the cache failed\n$cmd");
+                       return undef;
+               }
+
+               $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+               $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+               $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+               $cmd .= "$wbinfo --ccache-save=ADDOMAIN/alice%Secret007";
+               if (system($cmd) != 0) {
+                       warn("Filling the cache failed\n$cmd");
+                       return undef;
+               }
+
+               # Fill samlogoncache for bob
+               $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+               $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+               $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+               $cmd .= "$wbinfo --pam-logon=ADDOMAIN/bob%Secret007";
+               if (system($cmd) != 0) {
+                       warn("Filling the cache failed\n$cmd");
+                       return undef;
+               }
+
+               $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+               $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+               $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+               $cmd .= "$wbinfo --ccache-save=ADDOMAIN/bob%Secret007";
+               if (system($cmd) != 0) {
+                       warn("Filling the cache failed\n$cmd");
+                       return undef;
+               }
+
+               # Set windindd offline
+               my $smbcontrol = Samba::bindir_path($self, "smbcontrol");
+               $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+               $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+               $cmd .= "UID_WRAPPER_ROOT='1' ";
+               $cmd .= "$smbcontrol $ret->{CONFIGURATION} winbindd offline";
+               if (system($cmd) != 0) {
+                       warn("Setting winbindd offline failed\n$cmd");
+                       return undef;
+               }
+
+               # Validate the offline cache
+               $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+               $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+               $cmd .= "UID_WRAPPER_ROOT='1' ";
+               $cmd .= "$smbcontrol $ret->{CONFIGURATION} winbindd validate-cache";
+               if (system($cmd) != 0) {
+                       warn("Validation of winbind credential cache failed\n$cmd");
+                       teardown_env($self, $ret);
+                       return undef;
+               }
+
+               # Shut down winbindd
+               teardown_env($self, $ret);
+
+               ### Change SOCKET_WRAPPER_DIR so it can't connect to AD
+               my $swrap_env = $ENV{SOCKET_WRAPPER_DIR};
+               $ENV{SOCKET_WRAPPER_DIR} = "$prefix_abs";
+
+               # Start winbindd in offline mode
+               if (not $self->check_or_start(
+                       env_vars => $ret,
+                       winbindd => "offline")) {
+                       return undef;
+               }
+
+               # Set socket dir again
+               $ENV{SOCKET_WRAPPER_DIR} = $swrap_env;
+
+       } else {
+               if (defined($no_nss_winbind)) {
+                       $ret->{NSS_WRAPPER_MODULE_SO_PATH} = "";
+                       $ret->{NSS_WRAPPER_MODULE_FN_PREFIX} = "";
+               }
+
+               if (not $self->check_or_start(
+                       env_vars => $ret,
+                       samba_dcerpcd => "yes",
+                       nmbd => "yes",
+                       winbindd => "yes",
+                       smbd => "yes")) {
+                       return undef;
+               }
        }
 
        $ret->{DC_SERVER} = $dcvars->{SERVER};
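Review bot: The offline start saves `SOCKET_WRAPPER_DIR`, overwrites it, and restores it only after `check_or_start(... winbindd => "offline")` succeeds. The `return undef` on failure leaves the process-wide variable pointing at `$prefix_abs` for every environment set up afterwards. Wrapping the call in a bare block with `local $ENV{SOCKET_WRAPPER_DIR} = "$prefix_abs";` restores it on every exit path and also copes with the variable having been unset originally. Several earlier failure returns in this block (the four `wbinfo` calls and `winbindd offline`) come after winbindd was started but, unlike the `validate-cache` branch, do not call `teardown_env($self, $ret)`, which looks like it would leave the daemon running. The `wbinfo` commands also hard-code `ADDOMAIN/alice%Secret007` and `ADDOMAIN/bob%Secret007` instead of using `$dcvars->{DOMAIN}`, which ties this path to one DC environment.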
@@ -837,6 +1013,10 @@ sub provision_ad_member
        $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
        $ret->{DC_USERNAME} = $dcvars->{USERNAME};
        $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+       $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+       $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+       $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+       $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
        # forest trust
        $ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER};
@@ -876,7 +1056,33 @@ sub setup_ad_member
 
        print "PROVISIONING AD MEMBER...";
 
-       return $self->provision_ad_member($prefix, $dcvars, $trustvars_f, $trustvars_e);
+       return $self->provision_ad_member($prefix,
+                                         "LOCALADMEMBER",
+                                         $dcvars,
+                                         $trustvars_f,
+                                         $trustvars_e);
+}
+
+sub setup_ad_member_s3_join
+{
+        my ($self,
+            $prefix,
+            $dcvars,
+            $trustvars_f,
+            $trustvars_e) = @_;
+
+        # If we didn't build with ADS, pretend this env was never available
+        if (not $self->have_ads()) {
+                return "UNKNOWN";
+        }
+
+        print "PROVISIONING AD MEMBER...";
+
+        return $self->provision_ad_member($prefix,
+                                          "LOCALADMEMBER2",
+                                          $dcvars,
+                                          $trustvars_f,
+                                          $trustvars_e);
 }
 
 sub setup_ad_member_rfc2307
@@ -911,6 +1117,7 @@ sub setup_ad_member_rfc2307
        my $ret = $self->provision(
            prefix => $prefix,
            domain => $dcvars->{DOMAIN},
+           realm => $dcvars->{REALM},
            server => "RFC2307MEMBER",
            password => "loCalMemberPass",
            extra_options => $member_options,
@@ -918,7 +1125,6 @@ sub setup_ad_member_rfc2307
 
        $ret or return undef;
 
-       close(USERMAP);
        $ret->{DOMAIN} = $dcvars->{DOMAIN};
        $ret->{REALM} = $dcvars->{REALM};
        $ret->{DOMSID} = $dcvars->{DOMSID};
@@ -976,6 +1182,110 @@ sub setup_ad_member_rfc2307
        $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
        $ret->{DC_USERNAME} = $dcvars->{USERNAME};
        $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+       $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+       $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+       $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+       $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
+
+       return $ret;
+}
+
+sub setup_admem_idmap_autorid
+{
+       my ($self, $prefix, $dcvars) = @_;
+
+       # If we didn't build with ADS, pretend this env was never available
+       if (not $self->have_ads()) {
+               return "UNKNOWN";
+       }
+
+       print "PROVISIONING S3 AD MEMBER WITH idmap_autorid config...";
+
+       my $member_options = "
+       security = ads
+       workgroup = $dcvars->{DOMAIN}
+       realm = $dcvars->{REALM}
+       idmap config * : backend = autorid
+       idmap config * : range = 1000000-19999999
+       idmap config * : rangesize = 1000000
+
+       # Prevent overriding the provisioned lib/krb5.conf which sets certain
+       # values required for tests to succeed
+       create krb5 conf = no
+";
+
+       my $ret = $self->provision(
+           prefix => $prefix,
+           domain => $dcvars->{DOMAIN},
+           realm => $dcvars->{REALM},
+           server => "ADMEMAUTORID",
+           password => "loCalMemberPass",
+           extra_options => $member_options,
+           resolv_conf => $dcvars->{RESOLV_CONF});
+
+       $ret or return undef;
+
+       $ret->{DOMAIN} = $dcvars->{DOMAIN};
+       $ret->{REALM} = $dcvars->{REALM};
+       $ret->{DOMSID} = $dcvars->{DOMSID};
+
+       my $ctx;
+       my $prefix_abs = abs_path($prefix);
+       $ctx = {};
+       $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+       $ctx->{domain} = $dcvars->{DOMAIN};
+       $ctx->{realm} = $dcvars->{REALM};
+       $ctx->{dnsname} = lc($dcvars->{REALM});
+       $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+       $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+       $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+       Samba::mk_krb5_conf($ctx, "");
+
+       $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+       my $net = Samba::bindir_path($self, "net");
+       # Add hosts file for name lookups
+       my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+       $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+       if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+               $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+       } else {
+               $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+       }
+       $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+       $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+       $cmd .= "$net join $ret->{CONFIGURATION}";
+       $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+       if (system($cmd) != 0) {
+           warn("Join failed\n$cmd");
+           return undef;
+       }
+
+       # We need world access to this share, as otherwise the domain
+       # administrator from the AD domain provided by Samba4 can't
+       # access the share for tests.
+       chmod 0777, "$prefix/share";
+
+       if (not $self->check_or_start(
+               env_vars => $ret,
+               nmbd => "yes",
+               winbindd => "yes",
+               smbd => "yes")) {
+               return undef;
+       }
+
+       $ret->{DC_SERVER} = $dcvars->{SERVER};
+       $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+       $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+       $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+       $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+       $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+       $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+       $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+       $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+       $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
        return $ret;
 }
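Review bot: In the new setup_admem_idmap_autorid the join command is assembled as one shell string with the credentials appended unquoted, `$cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";`, and the failure path prints the whole string with `warn("Join failed\n$cmd")`. The join password therefore lands in the test log, and a password containing shell metacharacters would change the command. These are fixed test secrets, but CI logs are often shared; `warn("Join failed: net join $ret->{CONFIGURATION}\n");` keeps the diagnostic without the credential. The same construction is repeated in the new setup_ad_member_oneway further down. Both subs also copy the krb5.conf and join boilerplate of the existing setup_ad_member_* subs almost line for line, which a shared private helper would remove.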
@@ -999,15 +1309,18 @@ sub setup_ad_member_idmap_rid
        idmap config * : range = 1000000-1999999
        idmap config $dcvars->{DOMAIN} : backend = rid
        idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
-       # Prevent overridding the provisioned lib/krb5.conf which sets certain
+       # Prevent overriding the provisioned lib/krb5.conf which sets certain
        # values required for tests to succeed
        create krb5 conf = no
         map to guest = bad user
+       winbind expand groups = 10
+       server signing = required
 ";
 
        my $ret = $self->provision(
            prefix => $prefix,
            domain => $dcvars->{DOMAIN},
+           realm => $dcvars->{REALM},
            server => "IDMAPRIDMEMBER",
            password => "loCalMemberPass",
            extra_options => $member_options,
@@ -1015,7 +1328,6 @@ sub setup_ad_member_idmap_rid
 
        $ret or return undef;
 
-       close(USERMAP);
        $ret->{DOMAIN} = $dcvars->{DOMAIN};
        $ret->{REALM} = $dcvars->{REALM};
        $ret->{DOMSID} = $dcvars->{DOMSID};
@@ -1073,6 +1385,10 @@ sub setup_ad_member_idmap_rid
        $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
        $ret->{DC_USERNAME} = $dcvars->{USERNAME};
        $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+       $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+       $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+       $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+       $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
        return $ret;
 }
@@ -1099,14 +1415,18 @@ sub setup_ad_member_idmap_ad
        idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
        idmap config $dcvars->{DOMAIN} : unix_primary_group = yes
        idmap config $dcvars->{DOMAIN} : unix_nss_info = yes
+       idmap config $dcvars->{DOMAIN} : deny ous = \"ou=sub,DC=samba2008r2,DC=example,DC=com\"
        idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
        idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
        gensec_gssapi:requested_life_time = 5
+       winbind scan trusted domains = yes
+       winbind expand groups = 1
 ";
 
        my $ret = $self->provision(
            prefix => $prefix,
            domain => $dcvars->{DOMAIN},
+           realm => $dcvars->{REALM},
            server => "IDMAPADMEMBER",
            password => "loCalMemberPass",
            extra_options => $member_options,
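Review bot: The added `deny ous` value hard-codes `ou=sub,DC=samba2008r2,DC=example,DC=com`, while every neighbouring option takes its domain from `$dcvars`. If this environment is ever pointed at a DC with a different realm, the option would silently match nothing. A comment on the preceding line of the configuration string, e.g. `# DN must match the realm of the fl2008r2dc environment this member joins`, would record the coupling; building the DN from `$dcvars->{REALM}` would remove it. setup_ad_member_idmap_ad starts and ends outside the hunk.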
@@ -1114,7 +1434,6 @@ sub setup_ad_member_idmap_ad
 
        $ret or return undef;
 
-       close(USERMAP);
        $ret->{DOMAIN} = $dcvars->{DOMAIN};
        $ret->{REALM} = $dcvars->{REALM};
        $ret->{DOMSID} = $dcvars->{DOMSID};
@@ -1172,6 +1491,106 @@ sub setup_ad_member_idmap_ad
        $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
        $ret->{DC_USERNAME} = $dcvars->{USERNAME};
        $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+       $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+       $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+       $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+       $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
+
+       $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
+       $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
+       $ret->{TRUST_PASSWORD} = $dcvars->{TRUST_PASSWORD};
+       $ret->{TRUST_DOMAIN} = $dcvars->{TRUST_DOMAIN};
+       $ret->{TRUST_REALM} = $dcvars->{TRUST_REALM};
+       $ret->{TRUST_DOMSID} = $dcvars->{TRUST_DOMSID};
+
+       return $ret;
+}
+
+sub setup_ad_member_oneway
+{
+       my ($self, $prefix, $dcvars) = @_;
+
+       # If we didn't build with ADS, pretend this env was never available
+       if (not $self->have_ads()) {
+               return "UNKNOWN";
+       }
+
+       print "PROVISIONING S3 AD MEMBER WITH one-way trust...";
+
+       my $member_options = "
+       security = ads
+       workgroup = $dcvars->{DOMAIN}
+       realm = $dcvars->{REALM}
+       password server = $dcvars->{SERVER}
+       idmap config * : backend = tdb
+       idmap config * : range = 1000000-1999999
+       gensec_gssapi:requested_life_time = 5
+";
+
+       my $ret = $self->provision(
+           prefix => $prefix,
+           domain => $dcvars->{DOMAIN},
+           server => "S2KMEMBER",
+           password => "loCalS2KMemberPass",
+           extra_options => $member_options,
+           resolv_conf => $dcvars->{RESOLV_CONF});
+
+       $ret or return undef;
+
+       $ret->{DOMAIN} = $dcvars->{DOMAIN};
+       $ret->{REALM} = $dcvars->{REALM};
+       $ret->{DOMSID} = $dcvars->{DOMSID};
+
+       my $ctx;
+       my $prefix_abs = abs_path($prefix);
+       $ctx = {};
+       $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+       $ctx->{domain} = $dcvars->{DOMAIN};
+       $ctx->{realm} = $dcvars->{REALM};
+       $ctx->{dnsname} = lc($dcvars->{REALM});
+       $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+       $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+       $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+       Samba::mk_krb5_conf($ctx, "");
+
+       $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+       my $net = Samba::bindir_path($self, "net");
+       # Add hosts file for name lookups
+       my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+       $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+       if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+               $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+       } else {
+               $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+       }
+       $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+       $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+       $cmd .= "$net join $ret->{CONFIGURATION}";
+       $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+       if (system($cmd) != 0) {
+           warn("Join failed\n$cmd");
+           return undef;
+       }
+
+       if (not $self->check_or_start(
+               env_vars => $ret,
+               winbindd => "yes")) {
+               return undef;
+       }
+
+       $ret->{DC_SERVER} = $dcvars->{SERVER};
+       $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+       $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+       $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+       $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+       $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+       $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+       $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+       $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+       $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
        $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
        $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
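Review bot: The `provision()` call in the new setup_ad_member_oneway passes no `realm => $dcvars->{REALM}`, although this same change adds that argument to every other AD member environment visible here (provision_ad_member, rfc2307, idmap_rid, idmap_ad and the new autorid env). If the omission is deliberate for the one-way-trust case it deserves a comment saying so; otherwise add `realm => $dcvars->{REALM},` after the `domain` line. The tail of the sub lies outside the hunk.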
@@ -1199,12 +1618,91 @@ sub setup_ad_member_fips
        print "PROVISIONING AD FIPS MEMBER...";
 
        return $self->provision_ad_member($prefix,
+                                         "FIPSADMEMBER",
                                          $dcvars,
                                          $trustvars_f,
                                          $trustvars_e,
+                                         undef,
                                          1);
 }
 
+sub setup_ad_member_offlogon
+{
+       my ($self,
+           $prefix,
+           $dcvars,
+           $trustvars_f,
+           $trustvars_e) = @_;
+
+       # If we didn't build with ADS, pretend this env was never available
+       if (not $self->have_ads()) {
+               return "UNKNOWN";
+       }
+
+       print "PROVISIONING AD MEMBER OFFLINE LOGON...";
+
+       return $self->provision_ad_member($prefix,
+                                         "OFFLINEADMEM",
+                                         $dcvars,
+                                         $trustvars_f,
+                                         $trustvars_e,
+                                         undef,
+                                         undef,
+                                         1);
+}
+
+sub setup_ad_member_idmap_nss
+{
+       my ($self,
+           $prefix,
+           $dcvars,
+           $trustvars_f,
+           $trustvars_e) = @_;
+
+       # If we didn't build with ADS, pretend this env was never available
+       if (not $self->have_ads()) {
+               return "UNKNOWN";
+       }
+
+       print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND WITH idmap_nss config...";
+
+       my $extra_member_options = "
+       # bob:x:65521:65531:localbob gecos:/:/bin/false
+       # jane:x:65520:65531:localjane gecos:/:/bin/false
+       # jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false
+       # jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false
+       idmap config $dcvars->{DOMAIN} : backend = nss
+       idmap config $dcvars->{DOMAIN} : range = 65518-65521
+
+       # Support SMB1 so that we can use posix_whoami().
+       client min protocol = CORE
+       server min protocol = LANMAN1
+
+       username map = $prefix/lib/username.map
+";
+
+       my $ret = $self->provision_ad_member($prefix,
+                                            "ADMEMIDMAPNSS",
+                                            $dcvars,
+                                            $trustvars_f,
+                                            $trustvars_e,
+                                            $extra_member_options,
+                                            undef,
+                                            undef,
+                                            1);
+
+       open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+       print USERMAP "
+!jacknomapper = \@jackthemappergroup
+!root = jacknomappergroup
+root = $dcvars->{DOMAIN}/root
+bob = $dcvars->{DOMAIN}/bob
+";
+       close(USERMAP);
+
+       return $ret;
+}
+
 sub setup_simpleserver
 {
        my ($self, $path) = @_;
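Review bot: In `setup_ad_member_idmap_nss` the value returned by `provision_ad_member` is not checked before `username.map` is written, so a failed provision ends either in a `die` from `open` or in a map file left in a half-built prefix. A `return undef unless defined($ret);` straight after the call would fail cleanly instead. The `open(USERMAP, ">$prefix/lib/username.map")` is the two-argument form with a bareword handle, and its `die` omits `$!`; `open(my $usermap, '>', "$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map: $!");` keeps the mode separate from the path and reports the cause. The `open(ALICECONF, ">$aliceconffile")` added to `provision` in a later hunk has the same form.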
@@ -1212,6 +1710,11 @@ sub setup_simpleserver
        print "PROVISIONING simple server...";
 
        my $prefix_abs = abs_path($path);
+       mkdir($prefix_abs, 0777);
+
+       my $external_streams_depot="$prefix_abs/external_streams_depot";
+       remove_tree($external_streams_depot);
+       mkdir($external_streams_depot, 0777);
 
        my $simpleserver_options = "
        lanman auth = yes
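Review bot: `remove_tree($external_streams_depot)` runs on a path built from `abs_path($path)` before anything has checked that `$prefix_abs` is defined and non-empty; if `abs_path` yields undef or an empty string, the tree removed is `/external_streams_depot`. `provision` carries `die ("prefix_abs = ''") if $prefix_abs eq "";`, but it is only called further down in this function. A guard ahead of the `remove_tree`, such as `die("prefix_abs = ''") if !defined($prefix_abs) || $prefix_abs eq "";`, would cover it. Both `mkdir(..., 0777)` calls also ignore their return value, so a failure would presumably only surface once smbd tries to use the share. The body of setup_simpleserver continues outside the hunk.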
@@ -1219,13 +1722,14 @@ sub setup_simpleserver
        vfs objects = xattr_tdb streams_depot
        change notify = no
        server smb encrypt = off
+        allow trusted domains = no
 
 [vfs_aio_pthread]
        path = $prefix_abs/share
        read only = no
        vfs objects = aio_pthread
        aio_pthread:aio open = yes
-       smbd:async dosmode = no
+       smbd async dosmode = no
 
 [vfs_aio_pthread_async_dosmode_default1]
        path = $prefix_abs/share
@@ -1233,7 +1737,7 @@ sub setup_simpleserver
        vfs objects = aio_pthread
        store dos attributes = yes
        aio_pthread:aio open = yes
-       smbd:async dosmode = yes
+       smbd async dosmode = yes
 
 [vfs_aio_pthread_async_dosmode_default2]
        path = $prefix_abs/share
@@ -1241,33 +1745,13 @@ sub setup_simpleserver
        vfs objects = aio_pthread xattr_tdb
        store dos attributes = yes
        aio_pthread:aio open = yes
-       smbd:async dosmode = yes
+       smbd async dosmode = yes
 
-[vfs_aio_pthread_async_dosmode_force_sync1]
+[async_dosmode_shadow_copy2]
        path = $prefix_abs/share
        read only = no
-       vfs objects = aio_pthread
-       store dos attributes = yes
-       aio_pthread:aio open = yes
-       smbd:async dosmode = yes
-       # This simulates non linux systems
-       smbd:force sync user path safe threadpool = yes
-       smbd:force sync user chdir safe threadpool = yes
-       smbd:force sync root path safe threadpool = yes
-       smbd:force sync root chdir safe threadpool = yes
-
-[vfs_aio_pthread_async_dosmode_force_sync2]
-       path = $prefix_abs/share
-       read only = no
-       vfs objects = aio_pthread xattr_tdb
-       store dos attributes = yes
-       aio_pthread:aio open = yes
-       smbd:async dosmode = yes
-       # This simulates non linux systems
-       smbd:force sync user path safe threadpool = yes
-       smbd:force sync user chdir safe threadpool = yes
-       smbd:force sync root path safe threadpool = yes
-       smbd:force sync root chdir safe threadpool = yes
+       vfs objects = shadow_copy2 xattr_tdb
+       smbd async dosmode = yes
 
 [vfs_aio_fork]
        path = $prefix_abs/share
@@ -1285,6 +1769,11 @@ sub setup_simpleserver
 [hidenewfiles]
        path = $prefix_abs/share
        hide new files timeout = 5
+
+[external_streams_depot]
+       path = $prefix_abs/share
+       read only = no
+       streams_depot:directory = $external_streams_depot
 ";
 
        my $vars = $self->provision(
@@ -1363,9 +1852,6 @@ sub setup_fileserver
        my $force_user_valid_users_dir = "$share_dir/force_user_valid_users";
        push(@dirs, $force_user_valid_users_dir);
 
-       my $smbget_sharedir="$share_dir/smbget";
-       push(@dirs,$smbget_sharedir);
-
        my $tarmode_sharedir="$share_dir/tarmode";
        push(@dirs,$tarmode_sharedir);
 
@@ -1384,10 +1870,24 @@ sub setup_fileserver
        my $bad_iconv_sharedir="$share_dir/bad_iconv";
        push(@dirs, $bad_iconv_sharedir);
 
+       my $veto_sharedir="$share_dir/veto";
+       push(@dirs,$veto_sharedir);
+
+       my $virusfilter_sharedir="$share_dir/virusfilter";
+       push(@dirs,$virusfilter_sharedir);
+
+       my $delete_unwrite_sharedir="$share_dir/delete_unwrite";
+       push(@dirs,$delete_unwrite_sharedir);
+       push(@dirs, "$delete_unwrite_sharedir/delete_veto_yes");
+       push(@dirs, "$delete_unwrite_sharedir/delete_veto_no");
+
+       my $volume_serial_number_sharedir="$share_dir/volume_serial_number";
+       push(@dirs, $volume_serial_number_sharedir);
+
        my $ip4 = Samba::get_ipv4_addr("FILESERVER");
        my $fileserver_options = "
+        smb3 unix extensions = yes
        kernel change notify = yes
-       rpc_server:mdssvc = embedded
        spotlight backend = elasticsearch
        elasticsearch:address = $ip4
        elasticsearch:port = 8080
@@ -1451,10 +1951,6 @@ sub setup_fileserver
        force group = everyone
        write list = force_user
 
-[smbget]
-       path = $smbget_sharedir
-       comment = smb username is [%U]
-       guest ok = yes
 [ign_sysacls]
        path = $share_dir
        comment = ignore system acls
@@ -1492,6 +1988,68 @@ sub setup_fileserver
        comment = smb username is [%U]
        vfs objects =
 
+[veto_files_nodelete]
+       path = $veto_sharedir
+       read only = no
+       msdfs root = yes
+       veto files = /veto_name*/
+       delete veto files = no
+
+[veto_files_delete]
+       path = $veto_sharedir
+       msdfs root = yes
+       veto files = /veto_name*/
+       delete veto files = yes
+
+[delete_veto_files_only]
+       path = $veto_sharedir
+       delete veto files = yes
+
+[veto_files_nohidden]
+       path = $veto_sharedir
+       veto files = /.*/
+
+[veto_files]
+       path = $veto_sharedir
+       veto files = /veto_name*/
+
+[delete_yes_unwrite]
+       read only = no
+       path = $delete_unwrite_sharedir
+       hide unwriteable files = yes
+       delete veto files = yes
+
+[delete_no_unwrite]
+       read only = no
+       path = $delete_unwrite_sharedir
+       hide unwriteable files = yes
+       delete veto files = no
+
+[virusfilter]
+       path = $virusfilter_sharedir
+       vfs objects = acl_xattr virusfilter
+       virusfilter:scanner = dummy
+       virusfilter:min file size = 0
+       virusfilter:infected files = *infected*
+       virusfilter:infected file action = rename
+       virusfilter:scan on close = yes
+       vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no
+
+[volumeserialnumber]
+       path = $volume_serial_number_sharedir
+       volume serial number = 0xdeadbeef
+
+[ea_acl_xattr]
+       path = $share_dir
+       vfs objects = acl_xattr
+       acl_xattr:security_acl_name = user.hackme
+       read only = no
+
+[io_uring]
+       path = $share_dir
+       vfs objects = acl_xattr fake_acls xattr_tdb streams_depot time_audit full_audit io_uring
+       read only = no
+
 [homes]
        comment = Home directories
        browseable = No
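Review bot: The `[ea_acl_xattr]` section sets `acl_xattr:security_acl_name = user.hackme` without a comment explaining why the security descriptor is kept under a `user.` xattr name. Presumably the share exists so that tests can confirm clients cannot read or overwrite that xattr through the EA calls. A comment line in the section, such as `# NT ACL deliberately stored in a user.* xattr; tests check it stays hidden from client EA access`, would stop the setting being copied as an ordinary configuration. The same applies to `vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no` in `[virusfilter]`, which has no stated reason either. The enclosing setup_fileserver starts and ends outside the hunk.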
@@ -1569,6 +2127,14 @@ sub setup_fileserver
        ##
        create_file_chmod("$bad_iconv_sharedir/\xED\x9F\xBF", 0644) or return undef;
 
+       ##
+       ## create unwritable files inside inside the delete unwrite veto share dirs.
+       ##
+       unlink("$delete_unwrite_sharedir/delete_veto_yes/file_444");
+       create_file_chmod("$delete_unwrite_sharedir/delete_veto_yes/file_444", 0444) or return undef;
+       unlink("$delete_unwrite_sharedir/delete_veto_no/file_444");
+       create_file_chmod("$delete_unwrite_sharedir/delete_veto_no/file_444", 0444) or return undef;
+
        return $vars;
 }
 
@@ -1580,6 +2146,7 @@ sub setup_fileserver_smb1
 [global]
        client min protocol = CORE
        server min protocol = LANMAN1
+       check parent directory delete on close = yes
 
 [hidenewfiles]
        path = $prefix_abs/share
@@ -1589,7 +2156,7 @@ sub setup_fileserver_smb1
        read only = no
        vfs objects = aio_pthread
        aio_pthread:aio open = yes
-       smbd:async dosmode = no
+       smbd async dosmode = no
 
 [vfs_aio_pthread_async_dosmode_default1]
        path = $prefix_abs/share
@@ -1597,7 +2164,7 @@ sub setup_fileserver_smb1
        vfs objects = aio_pthread
        store dos attributes = yes
        aio_pthread:aio open = yes
-       smbd:async dosmode = yes
+       smbd async dosmode = yes
 
 [vfs_aio_pthread_async_dosmode_default2]
        path = $prefix_abs/share
@@ -1605,33 +2172,7 @@ sub setup_fileserver_smb1
        vfs objects = aio_pthread xattr_tdb
        store dos attributes = yes
        aio_pthread:aio open = yes
-       smbd:async dosmode = yes
-
-[vfs_aio_pthread_async_dosmode_force_sync1]
-       path = $prefix_abs/share
-       read only = no
-       vfs objects = aio_pthread
-       store dos attributes = yes
-       aio_pthread:aio open = yes
-       smbd:async dosmode = yes
-       # This simulates non linux systems
-       smbd:force sync user path safe threadpool = yes
-       smbd:force sync user chdir safe threadpool = yes
-       smbd:force sync root path safe threadpool = yes
-       smbd:force sync root chdir safe threadpool = yes
-
-[vfs_aio_pthread_async_dosmode_force_sync2]
-       path = $prefix_abs/share
-       read only = no
-       vfs objects = aio_pthread xattr_tdb
-       store dos attributes = yes
-       aio_pthread:aio open = yes
-       smbd:async dosmode = yes
-       # This simulates non linux systems
-       smbd:force sync user path safe threadpool = yes
-       smbd:force sync user chdir safe threadpool = yes
-       smbd:force sync root path safe threadpool = yes
-       smbd:force sync root chdir safe threadpool = yes
+       smbd async dosmode = yes
 
 [vfs_aio_fork]
        path = $prefix_abs/share
@@ -1663,7 +2204,6 @@ sub setup_ktest
         workgroup = KTEST
         realm = ktest.samba.example.com
        security = ads
-        username map = $prefix/lib/username.map
         server signing = required
        server min protocol = SMB3_00
        client max protocol = SMB3
@@ -1671,6 +2211,10 @@ sub setup_ktest
         # This disables NTLM auth against the local SAM, which
         # we use can then test this setting by.
         ntlm auth = disabled
+
+        idmap config * : backend = autorid
+        idmap config * : range = 1000000-1999999
+        idmap config * : rangesize = 100000
 ";
 
        my $ret = $self->provision(
@@ -1696,12 +2240,6 @@ sub setup_ktest
 
        $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
 
-       open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
-       print USERMAP "
-$ret->{USERNAME} = KTEST\\Administrator
-";
-       close(USERMAP);
-
 #This is the secrets.tdb created by 'net ads join' from Samba3 to a
 #Samba4 DC with the same parameters as are being used here.  The
 #domain SID is S-1-5-21-1071277805-689288055-3486227160
@@ -1753,6 +2291,7 @@ $ret->{USERNAME} = KTEST\\Administrator
        if (not $self->check_or_start(
                env_vars => $ret,
                nmbd => "yes",
+               winbindd => "offline",
                smbd => "yes")) {
               return undef;
        }
@@ -1762,12 +2301,24 @@ $ret->{USERNAME} = KTEST\\Administrator
 sub setup_maptoguest
 {
        my ($self, $path) = @_;
+       my $prefix_abs = abs_path($path);
+       my $libdir="$prefix_abs/lib";
+       my $share_dir="$prefix_abs/share";
+       my $errorinjectconf="$libdir/error_inject.conf";
 
        print "PROVISIONING maptoguest...";
 
        my $options = "
+domain logons = yes
 map to guest = bad user
 ntlm auth = yes
+server min protocol = LANMAN1
+
+[force_user_error_inject]
+       path = $share_dir
+       vfs objects = acl_xattr fake_acls xattr_tdb error_inject
+       force user = user1
+       include = $errorinjectconf
 ";
 
        my $vars = $self->provision(
@@ -1782,6 +2333,7 @@ ntlm auth = yes
        if (not $self->check_or_start(
                env_vars => $vars,
                nmbd => "yes",
+               winbindd => "yes",
                smbd => "yes")) {
               return undef;
        }
@@ -1823,7 +2375,7 @@ sub make_bin_cmd
 {
        my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
 
-       my @optargs = ("-d0");
+       my @optargs = ();
        if (defined($options)) {
                @optargs = split(/ /, $options);
        }
@@ -1833,11 +2385,11 @@ sub make_bin_cmd
                @preargs = split(/ /, $valgrind);
        }
        my @args = ("-F", "--no-process-group",
-                   "-s", $env_vars->{SERVERCONFFILE},
+                   "--configfile=$env_vars->{SERVERCONFFILE}",
                    "-l", $env_vars->{LOGDIR});
 
        if (not defined($dont_log_stdout)) {
-               push(@args, "--log-stdout");
+               push(@args, "--debug-stdout");
        }
        return (@preargs, $binary, @args, @optargs);
 }
@@ -1848,6 +2400,7 @@ sub check_or_start($$) {
        my $nmbd = $args{nmbd} // "no";
        my $winbindd = $args{winbindd} // "no";
        my $smbd = $args{smbd} // "no";
+       my $samba_dcerpcd = $args{samba_dcerpcd} // "no";
        my $child_cleanup = $args{child_cleanup};
 
        my $STDIN_READER;
@@ -1857,16 +2410,47 @@ sub check_or_start($$) {
        # exit when the test script exits
        pipe($STDIN_READER, $env_vars->{STDIN_PIPE});
 
-       my $binary = Samba::bindir_path($self, "nmbd");
-       my @full_cmd = $self->make_bin_cmd($binary, $env_vars,
-                                          $ENV{NMBD_OPTIONS}, $ENV{NMBD_VALGRIND},
-                                          $ENV{NMBD_DONT_LOG_STDOUT});
+       my $binary = Samba::bindir_path($self, "samba-dcerpcd");
+       my @full_cmd = $self->make_bin_cmd(
+           $binary,
+           $env_vars,
+           $ENV{SAMBA_DCERPCD_OPTIONS},
+           $ENV{SAMBA_DCERPCD_VALGRIND},
+           $ENV{SAMBA_DCERPCD_DONT_LOG_STDOUT});
+       push(@full_cmd, '--libexec-rpcds');
+
+       my $samba_dcerpcd_envs = Samba::get_env_for_process(
+           "samba_dcerpcd", $env_vars);
+
+       # fork and exec() samba_dcerpcd in the child process
+       my $daemon_ctx = {
+               NAME => "samba_dcerpcd",
+               BINARY_PATH => $binary,
+               FULL_CMD => [ @full_cmd ],
+               LOG_FILE => $env_vars->{SAMBA_DCERPCD_TEST_LOG},
+               PCAP_FILE => "env-$ENV{ENVNAME}-samba_dcerpcd",
+               ENV_VARS => $samba_dcerpcd_envs,
+       };
+       if ($samba_dcerpcd ne "yes") {
+               $daemon_ctx->{SKIP_DAEMON} = 1;
+       }
+
+       my $pid = Samba::fork_and_exec(
+           $self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup);
+
+       $env_vars->{SAMBA_DCERPCD_TL_PID} = $pid;
+       write_pid($env_vars, "samba_dcerpcd", $pid);
+
+       $binary = Samba::bindir_path($self, "nmbd");
+       @full_cmd = $self->make_bin_cmd($binary, $env_vars,
+                                       $ENV{NMBD_OPTIONS}, $ENV{NMBD_VALGRIND},
+                                       $ENV{NMBD_DONT_LOG_STDOUT});
        my $nmbd_envs = Samba::get_env_for_process("nmbd", $env_vars);
        delete $nmbd_envs->{RESOLV_WRAPPER_CONF};
        delete $nmbd_envs->{RESOLV_WRAPPER_HOSTS};
 
        # fork and exec() nmbd in the child process
-       my $daemon_ctx = {
+       $daemon_ctx = {
                NAME => "nmbd",
                BINARY_PATH => $binary,
                FULL_CMD => [ @full_cmd ],
@@ -1877,7 +2461,7 @@ sub check_or_start($$) {
        if ($nmbd ne "yes") {
                $daemon_ctx->{SKIP_DAEMON} = 1;
        }
-       my $pid = Samba::fork_and_exec(
+       $pid = Samba::fork_and_exec(
            $self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup);
 
        $env_vars->{NMBD_TL_PID} = $pid;
@@ -1885,11 +2469,9 @@ sub check_or_start($$) {
 
        $binary = Samba::bindir_path($self, "winbindd");
        @full_cmd = $self->make_bin_cmd($binary, $env_vars,
-                                        $ENV{WINBINDD_OPTIONS}, $ENV{WINBINDD_VALGRIND}, "N/A");
-
-       if (not defined($ENV{WINBINDD_DONT_LOG_STDOUT})) {
-               push(@full_cmd, "--stdout");
-       }
+                                        $ENV{WINBINDD_OPTIONS},
+                                        $ENV{WINBINDD_VALGRIND},
+                                        $ENV{WINBINDD_DONT_LOG_STDOUT});
 
        # fork and exec() winbindd in the child process
        $daemon_ctx = {
@@ -1899,7 +2481,7 @@ sub check_or_start($$) {
                LOG_FILE => $env_vars->{WINBINDD_TEST_LOG},
                PCAP_FILE => "env-$ENV{ENVNAME}-winbindd",
        };
-       if ($winbindd ne "yes") {
+       if ($winbindd ne "yes" and $winbindd ne "offline") {
                $daemon_ctx->{SKIP_DAEMON} = 1;
        }
 
@@ -1935,7 +2517,11 @@ sub check_or_start($$) {
        # close the parent's read-end of the pipe
        close($STDIN_READER);
 
-       return $self->wait_for_start($env_vars, $nmbd, $winbindd, $smbd);
+       return $self->wait_for_start($env_vars,
+                               $nmbd,
+                               $winbindd,
+                               $smbd,
+                               $samba_dcerpcd);
 }
 
 sub createuser($$$$$)
@@ -1965,12 +2551,14 @@ sub provision($$)
 
        my $prefix = $args{prefix};
        my $domain = $args{domain};
+       my $realm = $args{realm};
        my $server = $args{server};
        my $password = $args{password};
        my $extra_options = $args{extra_options};
        my $resolv_conf = $args{resolv_conf};
        my $no_delete_prefix= $args{no_delete_prefix};
        my $netbios_name = $args{netbios_name} // $server;
+       my $server_log_level = $ENV{SERVER_LOG_LEVEL} || 1;
 
        ##
        ## setup the various environment variables we need
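Review bot: `my $server_log_level = $ENV{SERVER_LOG_LEVEL} || 1;` treats an explicit `SERVER_LOG_LEVEL=0` as unset and falls back to 1, because `||` tests truth rather than definedness. `check_or_start` in this file already uses `//` for its defaults, so `my $server_log_level = $ENV{SERVER_LOG_LEVEL} // 1;` would be consistent if level 0 is meant to be selectable. A later hunk interpolates the value unvalidated into the generated smb.conf as `log level = $server_log_level`, so a value with an embedded newline would add further lines to that file. Checking it against the accepted log-level syntax before use would rule that out. The body of provision continues outside the hunk.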
@@ -1982,6 +2570,12 @@ sub provision($$)
        my %createuser_env = ();
        my $server_ip = Samba::get_ipv4_addr($server);
        my $server_ipv6 = Samba::get_ipv6_addr($server);
+       my $dns_domain;
+       if (defined($realm)) {
+           $dns_domain = lc($realm);
+       } else {
+           $dns_domain = "samba.example.com";
+       }
 
        my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `PATH=/usr/ucb:$ENV{PATH} whoami`);
        chomp $unix_name;
@@ -2039,6 +2633,15 @@ sub provision($$)
        my $msdfs_shrdir="$shrdir/msdfsshare";
        push(@dirs,$msdfs_shrdir);
 
+       my $msdfs_shrdir2="$shrdir/msdfsshare2";
+       push(@dirs,$msdfs_shrdir2);
+
+       my $msdfs_pathname_share="$shrdir/msdfs_pathname_share";
+       push(@dirs,$msdfs_pathname_share);
+
+       my $non_msdfs_pathname_share="$shrdir/non_msdfs_pathname_share";
+       push(@dirs,$non_msdfs_pathname_share);
+
        my $msdfs_deeppath="$msdfs_shrdir/deeppath";
        push(@dirs,$msdfs_deeppath);
 
@@ -2054,12 +2657,9 @@ sub provision($$)
        my $badnames_shrdir="$shrdir/badnames";
        push(@dirs,$badnames_shrdir);
 
-       my $lease1_shrdir="$shrdir/SMB2_10";
+       my $lease1_shrdir="$shrdir/dynamic";
        push(@dirs,$lease1_shrdir);
 
-       my $lease2_shrdir="$shrdir/SMB3_00";
-       push(@dirs,$lease2_shrdir);
-
        my $manglenames_shrdir="$shrdir/manglenames";
        push(@dirs,$manglenames_shrdir);
 
@@ -2087,13 +2687,28 @@ sub provision($$)
        my $local_symlinks_shrdir="$shrdir/local_symlinks";
        push(@dirs,$local_symlinks_shrdir);
 
+       my $worm_shrdir="$shrdir/worm";
+       push(@dirs,$worm_shrdir);
+
+       my $fruit_resource_stream_shrdir="$shrdir/fruit_resource_stream";
+       push(@dirs,$fruit_resource_stream_shrdir);
+
+       my $smbget_sharedir="$shrdir/smbget";
+       push(@dirs, $smbget_sharedir);
+
+       my $recycle_shrdir="$shrdir/recycle";
+       push(@dirs,$recycle_shrdir);
+
+       my $fakedircreatetimes_shrdir="$shrdir/fakedircreatetimes";
+       push(@dirs,$fakedircreatetimes_shrdir);
+
        # this gets autocreated by winbindd
-       my $wbsockdir="$prefix_abs/winbindd";
+       my $wbsockdir="$prefix_abs/wbsock";
 
        my $nmbdsockdir="$prefix_abs/nmbd";
        unlink($nmbdsockdir);
 
-       ## 
+       ##
        ## create the test directory layout
        ##
        die ("prefix_abs = ''") if $prefix_abs eq "";
@@ -2126,6 +2741,7 @@ sub provision($$)
 
        chmod 0755, $ro_shrdir;
 
+       create_file_chmod("$ro_shrdir/readable_file", 0644) or return undef;
        create_file_chmod("$ro_shrdir/unreadable_file", 0600) or return undef;
 
        create_file_chmod("$ro_shrdir/msdfs-target", 0600) or return undef;
@@ -2135,6 +2751,8 @@ sub provision($$)
        symlink "msdfs:$server_ip\\smbcacls_sharedir_dfs,$server_ipv6\\smbcacls_sharedir_dfs",
                "$msdfs_shrdir/smbcacls_sharedir_dfs";
 
+       symlink "msdfs:$server_ip\\msdfs-share2,$server_ipv6\\msdfs-share2", "$msdfs_shrdir/dfshop1";
+       symlink "msdfs:$server_ip\\tmp,$server_ipv6\\tmp", "$msdfs_shrdir2/dfshop2";
        ##
        ## create bad names in $badnames_shrdir
        ##
@@ -2163,7 +2781,7 @@ sub provision($$)
        create_file_chmod("$widelinks_target", 0666) or return undef;
 
        ##
-       ## This link should get ACCESS_DENIED
+       ## This link should get an error
        ##
        symlink "$widelinks_target", "$widelinks_shrdir/source";
        ##
@@ -2176,6 +2794,8 @@ sub provision($$)
        my $errorinjectconf="$libdir/error_inject.conf";
        my $delayinjectconf="$libdir/delay_inject.conf";
        my $globalinjectconf="$libdir/global_inject.conf";
+       my $aliceconfdir="$libdir";
+       my $aliceconffile="$libdir/alice.conf";
 
        my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/third_party/nss_wrapper/nss_wrapper.pl";
        my $nss_wrapper_passwd = "$privatedir/passwd";
@@ -2201,11 +2821,17 @@ sub provision($$)
        my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
        my ($gid_userdup, $gid_everyone);
        my ($gid_force_user);
+       my ($gid_jackthemapper);
+       my ($gid_jacknomapper);
        my ($uid_user1);
        my ($uid_user2);
        my ($uid_gooduser);
        my ($uid_eviluser);
        my ($uid_slashuser);
+       my ($uid_localbob);
+       my ($uid_localjane);
+       my ($uid_localjackthemapper);
+       my ($uid_localjacknomapper);
 
        if ($unix_uid < 0xffff - 13) {
                $max_uid = 0xffff;
@@ -2226,6 +2852,10 @@ sub provision($$)
        $uid_gooduser = $max_uid - 11;
        $uid_eviluser = $max_uid - 12;
        $uid_slashuser = $max_uid - 13;
+       $uid_localbob = $max_uid - 14;
+       $uid_localjane = $max_uid - 15;
+       $uid_localjackthemapper = $max_uid - 16;
+       $uid_localjacknomapper = $max_uid - 17;
 
        if ($unix_gids[0] < 0xffff - 8) {
                $max_gid = 0xffff;
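Review bot: The new uids reach down to `$max_uid - 17`, but the guard in the preceding hunk is still `if ($unix_uid < 0xffff - 13)`, so a caller uid in the range 0xffff-17 to 0xffff-14 takes the `$max_uid = 0xffff` branch and collides with one of the added local users. The gid side has the same gap: the guard at the end of this hunk is `if ($unix_gids[0] < 0xffff - 8)`, while the next hunk assigns `$gid_jacknomapper = $max_gid - 10`. Widening both to match, `if ($unix_uid < 0xffff - 17)` and `if ($unix_gids[0] < 0xffff - 10)`, keeps the reserved ranges clear of the invoking user. Note also that `setup_ad_member_idmap_nss` hard-codes `range = 65518-65521`, which only matches these uids when `$max_uid` is 0xffff; the other branch of the guard is outside the hunk, so this needs confirming there.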
@@ -2241,6 +2871,8 @@ sub provision($$)
        $gid_userdup = $max_gid - 6;
        $gid_everyone = $max_gid - 7;
        $gid_force_user = $max_gid - 8;
+       $gid_jackthemapper = $max_gid - 9;
+       $gid_jacknomapper = $max_gid - 10;
 
        ##
        ## create conffile
@@ -2262,10 +2894,13 @@ sub provision($$)
        panic action = cd $self->{srcdir} && $self->{srcdir}/selftest/gdb_backtrace %d %\$(MAKE_TEST_BINARY)
        smbd:suicide mode = yes
        smbd:FSCTL_SMBTORTURE = yes
+       smbd:validate_oplock_types = yes
 
        client min protocol = SMB2_02
        server min protocol = SMB2_02
 
+       server multi channel support = yes
+
        workgroup = $domain
 
        private dir = $privatedir
@@ -2273,10 +2908,14 @@ sub provision($$)
        pid directory = $piddir
        lock directory = $lockdir
        log file = $logdir/log.\%m
-       log level = 1
+       log level = $server_log_level
+       winbind debug traceid = yes
        debug pid = yes
         max log size = 0
 
+       debug syslog format = always
+       debug hires timestamp = yes
+
        state directory = $lockdir
        cache directory = $lockdir
 
@@ -2444,6 +3083,23 @@ sub provision($$)
        msdfs root = yes
        msdfs shuffle referrals = yes
        guest ok = yes
+[msdfs-share-wl]
+       path = $msdfs_shrdir
+       msdfs root = yes
+       wide links = yes
+       guest ok = yes
+[msdfs-share2]
+       path = $msdfs_shrdir2
+       msdfs root = yes
+       guest ok = yes
+[msdfs-pathname-share]
+       path = $msdfs_pathname_share
+       msdfs root = yes
+       guest ok = yes
+[non-msdfs-pathname-share]
+       path = $non_msdfs_pathname_share
+       msdfs root = no
+       guest ok = yes
 [hideunread]
        copy = tmp
        hide unreadable = yes
@@ -2470,6 +3126,11 @@ sub provision($$)
 [print3]
        copy = print1
        default devmode = no
+
+[print_var_exp]
+       copy = print1
+       print command = $self->{srcdir}/source3/script/tests/printing/printing_var_exp_lpr_cmd.sh \"Windows user: %U\" \"UNIX user: %u\" \"Domain: %D\"
+
 [lp]
        copy = print1
 
@@ -2540,6 +3201,14 @@ sub provision($$)
        directory mask = 0777
        force directory mode = 0
        vfs objects = xattr_tdb streams_depot
+[smb3_posix_share]
+       vfs objects = fake_acls xattr_tdb streams_depot time_audit full_audit
+       create mask = 07777
+       directory mask = 07777
+       mangled names = no
+       path = $shrdir
+       read only = no
+       guest ok = yes
 [aio]
        copy = durable
        aio read size = 1
@@ -2621,6 +3290,13 @@ sub provision($$)
        fruit:resource = file
        fruit:metadata = stream
        fruit:zero_file_id=yes
+       fruit:validate_afpinfo = no
+
+[fruit_resource_stream]
+       path = $fruit_resource_stream_shrdir
+       vfs objects = fruit streams_xattr acl_xattr xattr_tdb
+       fruit:resource = stream
+       fruit:metadata = stream
 
 [badname-tmp]
        path = $badnames_shrdir
@@ -2631,8 +3307,9 @@ sub provision($$)
        guest ok = yes
 
 [dynamic_share]
-       path = $shrdir/%R
+       path = $shrdir/dynamic/%t
        guest ok = yes
+       root preexec = mkdir %P
 
 [widelinks_share]
        path = $widelinks_shrdir
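Review bot: `root preexec = mkdir %P` hands the expanded share path to a command run as root without quoting it, on a share that also has `guest ok = yes`. The path is built from `$shrdir` and `%t`, so it is controlled by the harness, but a test prefix containing whitespace or shell metacharacters would split or alter the command. `root preexec = mkdir \"%P\"` follows the quoting that the `print command` line in `[print_var_exp]` already uses.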
@@ -2641,7 +3318,7 @@ sub provision($$)
 
 [fsrvp_share]
        path = $fsrvp_shrdir
-       comment = fake shapshots using rsync
+       comment = fake snapshots using rsync
        vfs objects = shell_snap shadow_copy2
        shell_snap:check path command = $fake_snap_pl --check
        shell_snap:create command = $fake_snap_pl --create
@@ -2785,10 +3462,15 @@ sub provision($$)
 [shadow_write]
        path = $shadow_tstdir
        comment = previous versions snapshots under mount point
-       vfs objects = shadow_copy2 streams_xattr error_inject
-       aio write size = 0
-       error_inject:pwrite = EBADF
+       vfs objects = shadow_copy2 streams_xattr
        shadow:mountpoint = $shadow_tstdir
+       shadow:fixinodes = yes
+       smbd async dosmode = yes
+
+[shadow_depot]
+       path = $shadow_shrdir
+       comment = previous versions with streams_depot
+       vfs objects = streams_depot shadow_copy2
 
 [dfq]
        path = $shrdir/dfree
@@ -2827,12 +3509,22 @@ sub provision($$)
        copy = tmp
        path = $nosymlinks_shrdir
        follow symlinks = no
+[nosymlinks_smb1allow]
+       copy=nosymlinks
+       follow symlinks = yes
 
 [local_symlinks]
        copy = tmp
        path = $local_symlinks_shrdir
        follow symlinks = yes
 
+[worm]
+       copy = tmp
+       path = $worm_shrdir
+       vfs objects = worm
+       worm:grace_period = 1
+       comment = vfs_worm with 1s grace_period
+
 [kernel_oplocks]
        copy = tmp
        kernel oplocks = yes
@@ -2842,6 +3534,18 @@ sub provision($$)
        copy = tmp
        vfs objects = streams_xattr xattr_tdb
 
+[streams_xattr_nostrict]
+       copy = tmp
+       strict rename = no
+       vfs objects = streams_xattr xattr_tdb
+
+[acl_streams_xattr]
+       copy = tmp
+       vfs objects = acl_xattr streams_xattr fake_acls xattr_tdb
+       acl_xattr:ignore system acls = yes
+       acl_xattr:security_acl_name = user.acl
+       xattr_tdb:ignore_user_xattr = yes
+
 [compound_find]
        copy = tmp
        smbd:find async delay usec = 10000
@@ -2893,6 +3597,46 @@ sub provision($$)
 [notify_priv]
        copy = tmp
        honor change notify privilege = yes
+
+[acls_non_canonical]
+       copy = tmp
+       acl flag inherited canonicalization = no
+
+[full_audit_success_bad_name]
+       copy = tmp
+       full_audit:success = badname
+
+[full_audit_fail_bad_name]
+       copy = tmp
+       full_audit:failure = badname
+
+[only_ipv6]
+       copy = tmpguest
+       server addresses = $server_ipv6
+
+[smbget]
+       path = $smbget_sharedir
+       comment = smb username is [%U]
+
+[recycle]
+       copy = tmp
+       path = $recycle_shrdir
+       vfs objects = recycle
+       recycle : repository = .trash
+       recycle : exclude = *.tmp
+       recycle : directory_mode = 755
+
+[fakedircreatetimes]
+       copy = tmp
+       path = $fakedircreatetimes_shrdir
+       fake directory create times = yes
+
+[smbget_guest]
+       path = $smbget_sharedir
+       comment = smb username is [%U]
+       guest ok = yes
+
+include = $aliceconfdir/%U.conf
        ";
 
        close(CONF);
@@ -2933,6 +3677,19 @@ sub provision($$)
        }
        close(DELAYCONF);
 
+       unless (open(ALICECONF, ">$aliceconffile")) {
+               warn("Unable to open $aliceconffile");
+               return undef;
+       }
+
+       print ALICECONF "
+[alice_share]
+       path = $shrdir
+       comment = smb username is [%U]
+       ";
+
+       close(ALICECONF);
+
        ##
        ## create a test account
        ##
@@ -2940,7 +3697,7 @@ sub provision($$)
        unless (open(PASSWD, ">$nss_wrapper_passwd")) {
            warn("Unable to open $nss_wrapper_passwd");
            return undef;
-        } 
+        }
        print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
 $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
 pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
@@ -2954,6 +3711,10 @@ user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
 gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
 eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
 slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
+bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false
+jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false
+jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false
+jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false
 ";
        if ($unix_uid != 0) {
                print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
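Review bot: The gecos names on the two new jack entries are misspelled: `localjackthemaper` and `localjacknomaper` have one `p` where the account names `jackthemapper` and `jacknomapper` have two. Nothing visible here reads the gecos field, so this is probably harmless, but a test that matches on the full name would silently miss; `localjackthemapper gecos` and `localjacknomapper gecos` keep the fixture consistent. The string this hunk extends starts outside the hunk.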
@@ -2973,6 +3734,8 @@ domadmins:X:$gid_domadmins:
 userdup:x:$gid_userdup:$unix_name
 everyone:x:$gid_everyone:
 force_user:x:$gid_force_user:
+jackthemappergroup:x:$gid_jackthemapper:jackthemapper
+jacknomappergroup:x:$gid_jacknomapper:jacknomapper
 ";
        if ($unix_gids[0] != 0) {
                print GROUP "root:x:$gid_root:
@@ -2987,8 +3750,8 @@ force_user:x:$gid_force_user:
                warn("Unable to open $nss_wrapper_hosts");
                return undef;
        }
-       print HOSTS "${server_ip} ${hostname}.samba.example.com ${hostname}\n";
-       print HOSTS "${server_ipv6} ${hostname}.samba.example.com ${hostname}\n";
+       print HOSTS "${server_ip} ${hostname}.${dns_domain} ${hostname}\n";
+       print HOSTS "${server_ipv6} ${hostname}.${dns_domain} ${hostname}\n";
        close(HOSTS);
 
        $resolv_conf = "$privatedir/no_resolv.conf" unless defined($resolv_conf);
@@ -3002,7 +3765,7 @@ force_user:x:$gid_force_user:
        $createuser_env{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd;
        $createuser_env{NSS_WRAPPER_GROUP} = $nss_wrapper_group;
        $createuser_env{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts;
-       $createuser_env{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com";
+       $createuser_env{NSS_WRAPPER_HOSTNAME} = "${hostname}.${dns_domain}";
        if ($ENV{SAMBA_DNS_FAKING}) {
                $createuser_env{RESOLV_WRAPPER_HOSTS} = $dns_host_file;
        } else {
@@ -3018,6 +3781,8 @@ force_user:x:$gid_force_user:
        createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
        createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
        createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
+       createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper");
+       createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper");
 
        open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
        print DNS_UPDATE_LIST "A $server. $server_ip\n";
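Review bot: The two new `createuser` calls pass their passwords as bare literals (`"mApsEcrEt"`, `"nOmApsEcrEt"`) while the accounts created just above use `$password`, and there is no comment saying why these two differ. Any test that logs in as these users has to repeat the same strings; naming them once, e.g. `my $jackthemapper_password = "mApsEcrEt";`, and exporting them with the other `$ret{...}` values (if that is not already done outside the visible lines) would keep fixture and tests in step. Separately, the context line below interpolates `$$prefix` in its `die` message, which Perl reads as a dereference of `$prefix` rather than the path; `$prefix/dns_update_list` is what the `open` itself uses.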
@@ -3028,6 +3793,8 @@ force_user:x:$gid_force_user:
 
        $ret{SERVER_IP} = $server_ip;
        $ret{SERVER_IPV6} = $server_ipv6;
+       $ret{SAMBA_DCERPCD_TEST_LOG} = "$prefix/samba_dcerpcd_test.log";
+       $ret{SAMBA_DCERPCD_LOG_POS} = 0;
        $ret{NMBD_TEST_LOG} = "$prefix/nmbd_test.log";
        $ret{NMBD_TEST_LOG_POS} = 0;
        $ret{WINBINDD_TEST_LOG} = "$prefix/winbindd_test.log";
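Review bot: The new key `SAMBA_DCERPCD_LOG_POS` does not follow the naming of its siblings: the neighbouring entries are `NMBD_TEST_LOG_POS` and `SMBD_TEST_LOG_POS`, each pairing with a `*_TEST_LOG` key. If any consumer derives the position key from the log key (not visible here), samba-dcerpcd would be skipped; `$ret{SAMBA_DCERPCD_TEST_LOG_POS} = 0;` keeps the set uniform. If the shorter name is intentional because a reader elsewhere already expects it, a one-line comment saying so would help.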
@@ -3036,14 +3803,14 @@ force_user:x:$gid_force_user:
        $ret{SMBD_TEST_LOG_POS} = 0;
        $ret{SERVERCONFFILE} = $conffile;
        $ret{TESTENV_DIR} = $prefix_abs;
-       $ret{CONFIGURATION} ="-$conffile";
+       $ret{CONFIGURATION} ="--configfile=$conffile";
        $ret{LOCK_DIR} = $lockdir;
        $ret{SERVER} = $server;
        $ret{USERNAME} = $unix_name;
        $ret{USERID} = $unix_uid;
        $ret{DOMAIN} = $domain;
        $ret{SAMSID} = $samsid;
-       $ret{NETBIOSNAME} = $server;
+       $ret{NETBIOSNAME} = $netbios_name;
        $ret{PASSWORD} = $password;
        $ret{PIDDIR} = $piddir;
        $ret{SELFTEST_WINBINDD_SOCKET_DIR} = $wbsockdir;
@@ -3052,7 +3819,7 @@ force_user:x:$gid_force_user:
        $ret{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd;
        $ret{NSS_WRAPPER_GROUP} = $nss_wrapper_group;
        $ret{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts;
-       $ret{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com";
+       $ret{NSS_WRAPPER_HOSTNAME} = "${hostname}.${dns_domain}";
        $ret{NSS_WRAPPER_MODULE_SO_PATH} = Samba::nss_wrapper_winbind_so_path($self);
        $ret{NSS_WRAPPER_MODULE_FN_PREFIX} = "winbind";
        if ($ENV{SAMBA_DNS_FAKING}) {
@@ -3080,11 +3847,33 @@ force_user:x:$gid_force_user:
 
 sub wait_for_start($$$$$)
 {
-       my ($self, $envvars, $nmbd, $winbindd, $smbd) = @_;
+       my ($self, $envvars, $nmbd, $winbindd, $smbd, $samba_dcerpcd) = @_;
        my $cmd;
        my $netcmd;
        my $ret;
 
+       if ($samba_dcerpcd eq "yes") {
+           my $count = 0;
+           my $rpcclient = Samba::bindir_path($self, "rpcclient");
+
+           print "checking for samba_dcerpcd\n";
+
+           do {
+               $ret = system("UID_WRAPPER_ROOT=1 $rpcclient $envvars->{CONFIGURATION} ncalrpc: -c epmmap");
+
+               if ($ret != 0) {
+                   sleep(1);
+               }
+               $count++
+           } while ($ret != 0 && $count < 10);
+
+           if ($count == 10) {
+               print "samba_dcerpcd not reachable after 10 retries\n";
+               teardown_env($self, $envvars);
+               return 0;
+           }
+       }
+
        if ($nmbd eq "yes") {
                my $count = 0;
 
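Review bot: The post-loop test `if ($count == 10)` in the new samba_dcerpcd block also fires when the tenth `rpcclient` attempt succeeds, because `$count` is incremented after every attempt regardless of `$ret`; the environment is then torn down although the daemon answered. Testing the result instead, `if ($ret != 0) {`, removes the edge case. The sub now unpacks six arguments but its prototype is still `($$$$$)`, so a plain function call passing the new argument would be rejected at compile time where the prototype is in effect (method calls ignore it); `sub wait_for_start($$$$$$)` or dropping the prototype would match. wait_for_start's body continues outside this hunk.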
@@ -3113,13 +3902,17 @@ sub wait_for_start($$$$$)
                }
        }
 
-       if ($winbindd eq "yes") {
+       if ($winbindd eq "yes" or $winbindd eq "offline") {
            print "checking for winbindd\n";
            my $count = 0;
            $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
            $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
            $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
-           $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
+           if ($winbindd eq "yes") {
+               $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
+           } elsif ($winbindd eq "offline") {
+               $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping";
+           }
 
            do {
                $ret = system($cmd);
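Review bot: The inner `if ($winbindd eq "yes") ... elsif ($winbindd eq "offline")` repeats the outer condition and duplicates the `wbinfo` path lookup, and nothing says why the offline case uses a different probe. A single assignment reads more directly: `my $ping_opt = ($winbindd eq "offline") ? "--ping" : "--ping-dc";` followed by `$cmd .= Samba::bindir_path($self, "wbinfo") . " $ping_opt";`. A comment along the lines of `# offline: no DC to reach, only check that winbindd itself answers` would record the intent (my reading of it; please confirm). The do-loop that runs `$cmd` continues outside this hunk.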
@@ -3408,6 +4201,24 @@ sub provision_ctdb($$$$)
        $ret{CTDB_NODES} = \@nodes;
        $ret{CTDB_NODES_FILE} = $nodes_file;
 
+       for (my $i = 0; $i < $num_nodes; $i++) {
+               my $node = $nodes[$i];
+               my $socket = $node->{SOCKET_FILE};
+               my $server_name = $node->{SERVER_NAME};
+               my $node_prefix = $node->{NODE_PREFIX};
+               my $ip = $node->{IP};
+
+               $ret{"CTDB_BASE_NODE${i}"} = $node_prefix;
+               $ret{"CTDB_SOCKET_NODE${i}"} = $socket;
+               $ret{"CTDB_SERVER_NAME_NODE${i}"} = $server_name;
+               $ret{"CTDB_IFACE_IP_NODE${i}"} = $ip;
+       }
+
+       $ret{CTDB_BASE} = $ret{CTDB_BASE_NODE0};
+       $ret{CTDB_SOCKET} = $ret{CTDB_SOCKET_NODE0};
+       $ret{CTDB_SERVER_NAME} = $ret{CTDB_SERVER_NAME_NODE0};
+       $ret{CTDB_IFACE_IP} = $ret{CTDB_IFACE_IP_NODE0};
+
        return \%ret;
 }
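Review bot: The new loop indexes `@nodes` with `$i < $num_nodes`, so it relies on `$num_nodes` matching the array's length; if it is ever larger, `$node` is undef, the hash lookups quietly autovivify, and the `CTDB_*_NODE${i}` keys are exported as undef. Iterating the array itself, `for my $i (0 .. $#nodes) {`, removes that dependency and is the more usual Perl form. The unsuffixed aliases below (`CTDB_BASE`, `CTDB_SOCKET`, `CTDB_SERVER_NAME`, `CTDB_IFACE_IP`) are copied from node 0 unconditionally and would likewise be undef for an empty node list; a short comment stating that node 0 is the default for tests that do not pick a node would document the choice. Where `$num_nodes` and `@nodes` are set is outside the hunk.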