use target::Samba3;
sub new($$$$$) {
- my ($classname, $bindir, $binary_mapping, $ldap, $srcdir, $server_maxtime) = @_;
+ my ($classname, $bindir, $ldap, $srcdir, $server_maxtime) = @_;
my $self = {
vars => {},
ldap => $ldap,
bindir => $bindir,
- binary_mapping => $binary_mapping,
srcdir => $srcdir,
server_maxtime => $server_maxtime,
- target3 => new Samba3($bindir, $binary_mapping, $srcdir, $server_maxtime)
+ target3 => new Samba3($bindir, $srcdir, $server_maxtime)
};
bless $self;
return $self;
sub slapd_start($$)
{
my $count = 0;
- my ($self, $env_vars) = @_;
+ my ($self, $env_vars, $STDIN_READER) = @_;
my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
my $uri = $env_vars->{LDAP_URI};
}
# running slapd in the background means it stays in the same process group, so it can be
# killed by timelimit
- if ($self->{ldap} eq "fedora-ds") {
- system("$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd -D $env_vars->{FEDORA_DS_DIR} -d0 -i $env_vars->{FEDORA_DS_PIDFILE}> $env_vars->{LDAPDIR}/logs 2>&1 &");
- } elsif ($self->{ldap} eq "openldap") {
- system("$ENV{OPENLDAP_SLAPD} -d0 -F $env_vars->{SLAPD_CONF_D} -h $uri > $env_vars->{LDAPDIR}/logs 2>&1 &");
+ my $pid = fork();
+ if ($pid == 0) {
+ open STDOUT, ">$env_vars->{LDAPDIR}/logs";
+ open STDERR, '>&STDOUT';
+ close($env_vars->{STDIN_PIPE});
+ open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+ if ($self->{ldap} eq "fedora-ds") {
+ exec("$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd", "-D", $env_vars->{FEDORA_DS_DIR}, "-d0", "-i", $env_vars->{FEDORA_DS_PIDFILE});
+ } elsif ($self->{ldap} eq "openldap") {
+ exec($ENV{OPENLDAP_SLAPD}, "-dnone", "-F", $env_vars->{SLAPD_CONF_D}, "-h", $uri);
+ }
+ die("Unable to start slapd: $!");
}
+ $env_vars->{SLAPD_PID} = $pid;
+ sleep(1);
while (system("$ldbsearch -H $uri -s base -b \"\" supportedLDAPVersion > /dev/null") != 0) {
$count++;
if ($count > 40) {
sub slapd_stop($$)
{
my ($self, $envvars) = @_;
- if ($self->{ldap} eq "fedora-ds") {
- system("$envvars->{LDAPDIR}/slapd-$envvars->{LDAP_INSTANCE}/stop-slapd");
- } elsif ($self->{ldap} eq "openldap") {
- unless (open(IN, "<$envvars->{OPENLDAP_PIDFILE}")) {
- warn("unable to open slapd pid file: $envvars->{OPENLDAP_PIDFILE}");
- return 0;
- }
- kill 9, <IN>;
- close(IN);
- }
+ kill 9, $envvars->{SLAPD_PID};
return 1;
}
sub check_or_start($$$)
{
my ($self, $env_vars, $process_model) = @_;
+ my $STDIN_READER;
- return 0 if $self->check_env($env_vars);
+ my $env_ok = $self->check_env($env_vars);
+ if ($env_ok) {
+ return $env_vars->{SAMBA_PID};
+ }
# use a pipe for stdin in the child processes. This allows
# those processes to monitor the pipe for EOF to ensure they
# exit when the test script exits
- pipe(STDIN_READER, $env_vars->{STDIN_PIPE});
+ pipe($STDIN_READER, $env_vars->{STDIN_PIPE});
+
+ # Start slapd before samba, but with the fifo on stdin
+ if (defined($self->{ldap})) {
+ unless($self->slapd_start($env_vars, $STDIN_READER)) {
+ warn("couldn't start slapd (main run)");
+ return undef;
+ }
+ }
print "STARTING SAMBA...";
my $pid = fork();
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
$ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
- $ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
+ $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
$ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
$ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
- $ENV{NSS_WRAPPER_WINBIND_SO_PATH} = $env_vars->{NSS_WRAPPER_WINBIND_SO_PATH};
+ $ENV{NSS_WRAPPER_HOSTS} = $env_vars->{NSS_WRAPPER_HOSTS};
+ $ENV{NSS_WRAPPER_MODULE_SO_PATH} = $env_vars->{NSS_WRAPPER_MODULE_SO_PATH};
+ $ENV{NSS_WRAPPER_MODULE_FN_PREFIX} = $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX};
+
+ if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
+ $ENV{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
+ } else {
+ $ENV{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
+ }
$ENV{UID_WRAPPER} = "1";
+ $ENV{UID_WRAPPER_ROOT} = "1";
$ENV{MAKE_TEST_BINARY} = Samba::bindir_path($self, "samba");
my @preargs = ();
}
close($env_vars->{STDIN_PIPE});
- open STDIN, ">&", \*STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+ open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
}
$env_vars->{SAMBA_PID} = $pid;
- print "DONE\n";
+ print "DONE ($pid)\n";
- close(STDIN_READER);
+ close($STDIN_READER);
+
+ if ($self->wait_for_start($env_vars) != 0) {
+ warn("Samba $pid failed to start up");
+ return undef;
+ }
return $pid;
}
sub wait_for_start($$)
{
my ($self, $testenv_vars) = @_;
+ my $ret = 0;
+
+ if (not $self->check_env($testenv_vars)) {
+ warn("unable to confirm Samba $testenv_vars->{SAMBA_PID} is running");
+ return -1;
+ }
+
# give time for nbt server to register its names
print "delaying for nbt name registration\n";
sleep 2;
system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
+ # Ensure we have the first RID Set before we start tests. This makes the tests more reliable.
+ if ($testenv_vars->{SERVER_ROLE} eq "domain controller" and not ($testenv_vars->{NETBIOSNAME} eq "RODC")) {
+ # Add hosts file for name lookups
+ $ENV{NSS_WRAPPER_HOSTS} = $testenv_vars->{NSS_WRAPPER_HOSTS};
+ if (defined($testenv_vars->{RESOLV_WRAPPER_CONF})) {
+ $ENV{RESOLV_WRAPPER_CONF} = $testenv_vars->{RESOLV_WRAPPER_CONF};
+ } else {
+ $ENV{RESOLV_WRAPPER_HOSTS} = $testenv_vars->{RESOLV_WRAPPER_HOSTS};
+ }
+
+ print "waiting for working LDAP and a RID Set to be allocated\n";
+ my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
+ my $count = 0;
+ my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM}));
+ my $rid_set_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn";
+ sleep(1);
+ while (system("$ldbsearch -H ldap://$testenv_vars->{SERVER} -U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} -s base -b \"$rid_set_dn\" rIDAllocationPool > /dev/null") != 0) {
+ $count++;
+ if ($count > 40) {
+ $ret = -1;
+ last;
+ }
+ sleep(1);
+ }
+ }
print $self->getlog_env($testenv_vars);
+
+ return $ret
}
sub write_ldb_file($$$)
return ($slapd_conf_d, $pidfile);
}
-sub mk_keyblobs($$)
+sub setup_namespaces($$:$$)
{
- my ($self, $tlsdir) = @_;
-
- #TLS and PKINIT crypto blobs
- my $dhfile = "$tlsdir/dhparms.pem";
- my $cafile = "$tlsdir/ca.pem";
- my $certfile = "$tlsdir/cert.pem";
- my $reqkdc = "$tlsdir/req-kdc.der";
- my $kdccertfile = "$tlsdir/kdc.pem";
- my $keyfile = "$tlsdir/key.pem";
- my $adminkeyfile = "$tlsdir/adminkey.pem";
- my $reqadmin = "$tlsdir/req-admin.der";
- my $admincertfile = "$tlsdir/admincert.pem";
- my $admincertupnfile = "$tlsdir/admincertupn.pem";
-
- mkdir($tlsdir, 0777);
-
- #This is specified here to avoid draining entropy on every run
- open(DHFILE, ">$dhfile");
- print DHFILE <<EOF;
------BEGIN DH PARAMETERS-----
-MGYCYQC/eWD2xkb7uELmqLi+ygPMKyVcpHUo2yCluwnbPutEueuxrG/Cys8j8wLO
-svCN/jYNyR2NszOmg7ZWcOC/4z/4pWDVPUZr8qrkhj5MRKJc52MncfaDglvEdJrv
-YX70obsCAQI=
------END DH PARAMETERS-----
-EOF
- close(DHFILE);
-
- #Likewise, we pregenerate the key material. This allows the
- #other certificates to be pre-generated
- open(KEYFILE, ">$keyfile");
- print KEYFILE <<EOF;
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpc
-ol3+S9/6I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H
-6H+pPqVIRLOmrWImai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQAB
-AoGAAqDLzFRR/BF1kpsiUfL4WFvTarCe9duhwj7ORc6fs785qAXuwUYAJ0Uvzmy6
-HqoGv3t3RfmeHDmjcpPHsbOKnsOQn2MgmthidQlPBMWtQMff5zdoYNUFiPS0XQBq
-szNW4PRjaA9KkLQVTwnzdXGkBSkn/nGxkaVu7OR3vJOBoo0CQQDO4upypesnbe6p
-9/xqfZ2uim8IwV1fLlFClV7WlCaER8tsQF4lEi0XSzRdXGUD/dilpY88Nb+xok/X
-8Z8OvgAXAkEA+pcLsx1gN7kxnARxv54jdzQjC31uesJgMKQXjJ0h75aUZwTNHmZQ
-vPxi6u62YiObrN5oivkixwFNncT9MxTxVQJBAMaWUm2SjlLe10UX4Zdm1MEB6OsC
-kVoX37CGKO7YbtBzCfTzJGt5Mwc1DSLA2cYnGJqIfSFShptALlwedot0HikCQAJu
-jNKEKnbf+TdGY8Q0SKvTebOW2Aeg80YFkaTvsXCdyXrmdQcifw4WdO9KucJiDhSz
-Y9hVapz7ykEJtFtWjLECQQDIlfc63I5ZpXfg4/nN4IJXUW6AmPVOYIA5215itgki
-cSlMYli1H9MEXH0pQMGv5Qyd0OYIx2DDg96mZ+aFvqSG
------END RSA PRIVATE KEY-----
-EOF
- close(KEYFILE);
-
- open(ADMINKEYFILE, ">$adminkeyfile");
-
- print ADMINKEYFILE <<EOF;
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQD0+OL7TQBj0RejbIH1+g5GeRaWaM9xF43uE5y7jUHEsi5owhZF
-5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMFxB6esnXhl0Jpip1JkUMM
-XLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xdl3JRlwIDAQAB
-AoGAP8mjCP628Ebc2eACQzOWjgEvwYCPK4qPmYOf1zJkArzG2t5XAGJ5WGrENRuB
-cm3XFh1lpmaADl982UdW3gul4gXUy6w4XjKK4vVfhyHj0kZ/LgaXUK9BAGhroJ2L
-osIOUsaC6jdx9EwSRctwdlF3wWJ8NK0g28AkvIk+FlolW4ECQQD7w5ouCDnf58CN
-u4nARx4xv5XJXekBvOomkCQAmuOsdOb6b9wn3mm2E3au9fueITjb3soMR31AF6O4
-eAY126rXAkEA+RgHzybzZEP8jCuznMqoN2fq/Vrs6+W3M8/G9mzGEMgLLpaf2Jiz
-I9tLZ0+OFk9tkRaoCHPfUOCrVWJZ7Y53QQJBAMhoA6rw0WDyUcyApD5yXg6rusf4
-ASpo/tqDkqUIpoL464Qe1tjFqtBM3gSXuhs9xsz+o0bzATirmJ+WqxrkKTECQHt2
-OLCpKqwAspU7N+w32kaUADoRLisCEdrhWklbwpQgwsIVsCaoEOpt0CLloJRYTANE
-yoZeAErTALjyZYZEPcECQQDlUi0N8DFxQ/lOwWyR3Hailft+mPqoPCa8QHlQZnlG
-+cfgNl57YHMTZFwgUVFRdJNpjH/WdZ5QxDcIVli0q+Ko
------END RSA PRIVATE KEY-----
-EOF
-
- #generated with
- # hxtool issue-certificate --self-signed --issue-ca \
- # --ca-private-key="FILE:$KEYFILE" \
- # --subject="CN=CA,DC=samba,DC=example,DC=com" \
- # --certificate="FILE:$CAFILE" --lifetime="25 years"
-
- open(CAFILE, ">$cafile");
- print CAFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIICcTCCAdqgAwIBAgIUaBPmjnPVqyFqR5foICmLmikJTzgwCwYJKoZIhvcNAQEFMFIxEzAR
-BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
-LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDgwMzAxMTIyMzEyWhgPMjAzMzAyMjQx
-MjIzMTJaMFIxEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
-MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpcol3+S9/6
-I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H6H+pPqVIRLOmrWIm
-ai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQABo0IwQDAOBgNVHQ8BAf8EBAMC
-AaYwHQYDVR0OBBYEFMLZufegDKLZs0VOyFXYK1L6M8oyMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
-KoZIhvcNAQEFBQADgYEAAZJbCAAkaqgFJ0xgNovn8Ydd0KswQPjicwiODPgw9ZPoD2HiOUVO
-yYDRg/dhFF9y656OpcHk4N7qZ2sl3RlHkzDu+dseETW+CnKvQIoXNyeARRJSsSlwrwcoD4JR
-HTLk2sGigsWwrJ2N99sG/cqSJLJ1MFwLrs6koweBnYU0f/g=
------END CERTIFICATE-----
-EOF
-
- #generated with GNUTLS internally in Samba.
-
- open(CERTFILE, ">$certfile");
- print CERTFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIICYTCCAcygAwIBAgIE5M7SRDALBgkqhkiG9w0BAQUwZTEdMBsGA1UEChMUU2Ft
-YmEgQWRtaW5pc3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1
-dG9nZW5lcmF0ZWQgY2VydGlmaWNhdGUxDjAMBgNVBAMTBVNhbWJhMB4XDTA2MDgw
-NDA0MzY1MloXDTA4MDcwNDA0MzY1MlowZTEdMBsGA1UEChMUU2FtYmEgQWRtaW5p
-c3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1dG9nZW5lcmF0
-ZWQgY2VydGlmaWNhdGUxDjAMBgNVBAMTBVNhbWJhMIGcMAsGCSqGSIb3DQEBAQOB
-jAAwgYgCgYDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpcol3+
-S9/6I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H6H+p
-PqVIRLOmrWImai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQABoyUw
-IzAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGCSqGSIb3DQEB
-BQOBgQAmkN6XxvDnoMkGcWLCTwzxGfNNSVcYr7TtL2aJh285Xw9zaxcm/SAZBFyG
-LYOChvh6hPU7joMdDwGfbiLrBnMag+BtGlmPLWwp/Kt1wNmrRhduyTQFhN3PP6fz
-nBr9vVny2FewB2gHmelaPS//tXdxivSXKz3NFqqXLDJjq7P8wA==
------END CERTIFICATE-----
-EOF
- close(CERTFILE);
-
- #KDC certificate
- # hxtool request-create \
- # --subject="CN=krbtgt,CN=users,DC=samba,DC=example,DC=com" \
- # --key="FILE:$KEYFILE" $KDCREQ
-
- # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
- # --type="pkinit-kdc" \
- # --pk-init-principal="krbtgt/SAMBA.EXAMPLE.COM@SAMBA.EXAMPLE.COM" \
- # --req="PKCS10:$KDCREQ" --certificate="FILE:$KDCCERTFILE" \
- # --lifetime="25 years"
-
- open(KDCCERTFILE, ">$kdccertfile");
- print KDCCERTFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIIDDDCCAnWgAwIBAgIUI2Tzj+JnMzMcdeabcNo30rovzFAwCwYJKoZIhvcNAQEFMFIxEzAR
-BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
-LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDgwMzAxMTMxOTIzWhgPMjAzMzAyMjQx
-MzE5MjNaMGYxEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
-MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMQ8wDQYDVQQDDAZrcmJ0
-Z3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMqDqkDAIdQwDUN8cOZaFl934XQL70nF
-yq+nD2KL0SfcTW5+WlyiXf5L3/oj+5pOYkdmt74MXd1PNv9Q5mjRl6bw34jPOSCgaQVp+Ne5
-PcEvlQ9jb8fof6k+pUhEs6atYiZqLfn1jKgqEXKjftjoc95TxBxn67atL2B5qkhZ966jAgMB
-AAGjgcgwgcUwDgYDVR0PAQH/BAQDAgWgMBIGA1UdJQQLMAkGBysGAQUCAwUwVAYDVR0RBE0w
-S6BJBgYrBgEFAgKgPzA9oBMbEVNBTUJBLkVYQU1QTEUuQ09NoSYwJKADAgEBoR0wGxsGa3Ji
-dGd0GxFTQU1CQS5FWEFNUExFLkNPTTAfBgNVHSMEGDAWgBTC2bn3oAyi2bNFTshV2CtS+jPK
-MjAdBgNVHQ4EFgQUwtm596AMotmzRU7IVdgrUvozyjIwCQYDVR0TBAIwADANBgkqhkiG9w0B
-AQUFAAOBgQBmrVD5MCmZjfHp1nEnHqTIh8r7lSmVtDx4s9MMjxm9oNrzbKXynvdhwQYFVarc
-ge4yRRDXtSebErOl71zVJI9CVeQQpwcH+tA85oGA7oeFtO/S7ls581RUU6tGgyxV4veD+lJv
-KPH5LevUtgD+q9H4LU4Sq5N3iFwBaeryB0g2wg==
------END CERTIFICATE-----
-EOF
-
- # hxtool request-create \
- # --subject="CN=Administrator,CN=users,DC=samba,DC=example,DC=com" \
- # --key="FILE:$ADMINKEYFILE" $ADMINREQFILE
-
- # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
- # --type="pkinit-client" \
- # --pk-init-principal="administrator@SAMBA.EXAMPLE.COM" \
- # --req="PKCS10:$ADMINREQFILE" --certificate="FILE:$ADMINCERTFILE" \
- # --lifetime="25 years"
-
- open(ADMINCERTFILE, ">$admincertfile");
- print ADMINCERTFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIIDHTCCAoagAwIBAgIUUggzW4lLRkMKe1DAR2NKatkMDYwwCwYJKoZIhvcNAQELMFIxEzAR
-BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
-LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDkwNzI3MDMzMjE1WhgPMjAzNDA3MjIw
-MzMyMTVaMG0xEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
-MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMRYwFAYDVQQDDA1BZG1p
-bmlzdHJhdG9yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0+OL7TQBj0RejbIH1+g5G
-eRaWaM9xF43uE5y7jUHEsi5owhZF5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMF
-xB6esnXhl0Jpip1JkUMMXLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xd
-l3JRlwIDAQABo4HSMIHPMA4GA1UdDwEB/wQEAwIFoDAoBgNVHSUEITAfBgcrBgEFAgMEBggr
-BgEFBQcDAgYKKwYBBAGCNxQCAjBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgExsRU0FNQkEu
-RVhBTVBMRS5DT02hGjAYoAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yMB8GA1UdIwQYMBaAFMLZ
-ufegDKLZs0VOyFXYK1L6M8oyMB0GA1UdDgQWBBQg81bLyfCA88C2B/BDjXlGuaFaxjAJBgNV
-HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4GBAEf/OSHUDJaGdtWGNuJeqcVYVMwrfBAc0OSwVhz1
-7/xqKHWo8wIMPkYRtaRHKLNDsF8GkhQPCpVsa6mX/Nt7YQnNvwd+1SBP5E8GvwWw9ZzLJvma
-nk2n89emuayLpVtp00PymrDLRBcNaRjFReQU8f0o509kiVPHduAp3jOiy13l
------END CERTIFICATE-----
-EOF
- close(ADMINCERTFILE);
-
- # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
- # --type="pkinit-client" \
- # --ms-upn="administrator@samba.example.com" \
- # --req="PKCS10:$ADMINREQFILE" --certificate="FILE:$ADMINCERTUPNFILE" \
- # --lifetime="25 years"
-
- open(ADMINCERTUPNFILE, ">$admincertupnfile");
- print ADMINCERTUPNFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIIDDzCCAnigAwIBAgIUUp3CJMuNaEaAdPKp3QdNIwG7a4wwCwYJKoZIhvcNAQELMFIxEzAR
-BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
-LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDkwNzI3MDMzMzA1WhgPMjAzNDA3MjIw
-MzMzMDVaMG0xEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
-MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMRYwFAYDVQQDDA1BZG1p
-bmlzdHJhdG9yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0+OL7TQBj0RejbIH1+g5G
-eRaWaM9xF43uE5y7jUHEsi5owhZF5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMF
-xB6esnXhl0Jpip1JkUMMXLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xd
-l3JRlwIDAQABo4HEMIHBMA4GA1UdDwEB/wQEAwIFoDAoBgNVHSUEITAfBgcrBgEFAgMEBggr
-BgEFBQcDAgYKKwYBBAGCNxQCAjA6BgNVHREEMzAxoC8GCisGAQQBgjcUAgOgIQwfYWRtaW5p
-c3RyYXRvckBzYW1iYS5leGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTC2bn3oAyi2bNFTshV2CtS
-+jPKMjAdBgNVHQ4EFgQUIPNWy8nwgPPAtgfwQ415RrmhWsYwCQYDVR0TBAIwADANBgkqhkiG
-9w0BAQsFAAOBgQBk42+egeUB3Ji2PC55fbt3FNKxvmm2xUUFkV9POK/YR9rajKOwk5jtYSeS
-Zd7J9s//rNFNa7waklFkDaY56+QWTFtdvxfE+KoHaqt6X8u6pqi7p3M4wDKQox+9Dx8yWFyq
-Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
------END CERTIFICATE-----
-EOF
+ my ($self, $localenv, $upn_array, $spn_array) = @_;
+
+ @{$upn_array} = [] unless defined($upn_array);
+ my $upn_args = "";
+ foreach my $upn (@{$upn_array}) {
+ $upn_args .= " --add-upn-suffix=$upn";
+ }
+
+ @{$spn_array} = [] unless defined($spn_array);
+ my $spn_args = "";
+ foreach my $spn (@{$spn_array}) {
+ $spn_args .= " --add-spn-suffix=$spn";
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ my $cmd_env = "";
+ $cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
+ $cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\"";
+
+ my $cmd_config = " $localenv->{CONFIGURATION}";
+
+ my $namespaces = $cmd_env;
+ $namespaces .= " $samba_tool domain trust namespaces $upn_args $spn_args";
+ $namespaces .= $cmd_config;
+ unless (system($namespaces) == 0) {
+ warn("Failed to add namespaces \n$namespaces");
+ return;
+ }
+
+ return;
}
-sub provision_raw_prepare($$$$$$$$$$)
+sub setup_trust($$$$$)
+{
+ my ($self, $localenv, $remoteenv, $type, $extra_args) = @_;
+
+ $localenv->{TRUST_SERVER} = $remoteenv->{SERVER};
+ $localenv->{TRUST_SERVER_IP} = $remoteenv->{SERVER_IP};
+ $localenv->{TRUST_SERVER_IPV6} = $remoteenv->{SERVER_IPV6};
+ $localenv->{TRUST_NETBIOSNAME} = $remoteenv->{NETBIOSNAME};
+ $localenv->{TRUST_USERNAME} = $remoteenv->{USERNAME};
+ $localenv->{TRUST_PASSWORD} = $remoteenv->{PASSWORD};
+ $localenv->{TRUST_DOMAIN} = $remoteenv->{DOMAIN};
+ $localenv->{TRUST_REALM} = $remoteenv->{REALM};
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ # setup the trust
+ my $cmd_env = "";
+ $cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
+ $cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\"";
+
+ my $cmd_config = " $localenv->{CONFIGURATION}";
+ my $cmd_creds = $cmd_config;
+ $cmd_creds .= " -U$localenv->{TRUST_DOMAIN}\\\\$localenv->{TRUST_USERNAME}\%$localenv->{TRUST_PASSWORD}";
+
+ my $create = $cmd_env;
+ $create .= " $samba_tool domain trust create --type=${type} $localenv->{TRUST_REALM}";
+ $create .= " $extra_args";
+ $create .= $cmd_creds;
+ unless (system($create) == 0) {
+ warn("Failed to create trust \n$create");
+ return undef;
+ }
+
+ return $localenv
+}
+
+sub provision_raw_prepare($$$$$$$$$$$)
{
my ($self, $prefix, $server_role, $hostname,
$domain, $realm, $functional_level,
- $password, $kdc_ipv4) = @_;
+ $password, $kdc_ipv4, $kdc_ipv6) = @_;
my $ctx;
my $netbiosname = uc($hostname);
$ctx->{prefix} = $prefix;
$ctx->{prefix_abs} = $prefix_abs;
-
- $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
$ctx->{server_role} = $server_role;
$ctx->{hostname} = $hostname;
$ctx->{swiface} = $swiface;
$ctx->{password} = $password;
$ctx->{kdc_ipv4} = $kdc_ipv4;
+ $ctx->{kdc_ipv6} = $kdc_ipv6;
#
# Set smbd log level here.
chomp $unix_name;
$ctx->{unix_name} = $unix_name;
$ctx->{unix_uid} = $>;
+ my @mygid = split(" ", $();
+ $ctx->{unix_gid} = $mygid[0];
$ctx->{unix_gids_str} = $);
@{$ctx->{unix_gids}} = split(" ", $ctx->{unix_gids_str});
$ctx->{ntp_signd_socket_dir} = "$prefix_abs/ntp_signd_socket";
$ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd";
$ctx->{nsswrap_group} = "$ctx->{etcdir}/group";
+ $ctx->{nsswrap_hosts} = "$ENV{SELFTEST_PREFIX}/hosts";
+ if ($ENV{SAMBA_DNS_FAKING}) {
+ $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
+ $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces --use-file=$ctx->{dns_host_file}";
+ } else {
+ $ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf";
+ $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf}";
+ }
$ctx->{tlsdir} = "$ctx->{privatedir}/tls";
$ctx->{ipv4} = "127.0.0.$swiface";
- $ctx->{interfaces} = "$ctx->{ipv4}/8";
+ $ctx->{ipv6} = sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
+ $ctx->{interfaces} = "$ctx->{ipv4}/8 $ctx->{ipv6}/64";
push(@{$ctx->{directories}}, $ctx->{privatedir});
push(@{$ctx->{directories}}, $ctx->{etcdir});
$ctx->{smb_conf_extra_options} = "";
my @provision_options = ();
+ push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_config}\"");
push (@provision_options, "NSS_WRAPPER_PASSWD=\"$ctx->{nsswrap_passwd}\"");
push (@provision_options, "NSS_WRAPPER_GROUP=\"$ctx->{nsswrap_group}\"");
+ push (@provision_options, "NSS_WRAPPER_HOSTS=\"$ctx->{nsswrap_hosts}\"");
+ if (defined($ctx->{resolv_conf})) {
+ push (@provision_options, "RESOLV_WRAPPER_CONF=\"$ctx->{resolv_conf}\"");
+ } else {
+ push (@provision_options, "RESOLV_WRAPPER_HOSTS=\"$ctx->{dns_host_file}\"");
+ }
if (defined($ENV{GDB_PROVISION})) {
push (@provision_options, "gdb --args");
if (!defined($ENV{PYTHON})) {
warn("can't open $ctx->{smb_conf}$?");
return undef;
}
+
+ Samba::prepare_keyblobs($ctx);
+ my $crlfile = "$ctx->{tlsdir}/crl.pem";
+ $crlfile = "" unless -e ${crlfile};
+
print CONFFILE "
[global]
netbios name = $ctx->{netbiosname}
winbindd privileged socket directory = $ctx->{winbindd_privileged_socket_dir}
ntp signd socket directory = $ctx->{ntp_signd_socket_dir}
winbind separator = /
- name resolve order = file bcast
interfaces = $ctx->{interfaces}
tls dh params file = $ctx->{tlsdir}/dhparms.pem
+ tls crlfile = ${crlfile}
+ tls verify peer = no_check
panic action = $RealBin/gdb_backtrace \%d
wins support = yes
server role = $ctx->{server_role}
dcerpc endpoint servers = +winreg +srvsvc
notify:inotify = false
ldb:nosync = true
+ ldap server require strong auth = yes
#We don't want to pass our self-tests if the PAC code is wrong
gensec:require_pac = true
log file = $ctx->{logdir}/log.\%m
log level = $ctx->{server_loglevel}
lanman auth = Yes
rndc command = true
- dns update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate --all-interfaces --use-file=$ctx->{dns_host_file} -s $ctx->{smb_conf}
+ dns update command = $ctx->{samba_dnsupdate}
spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
- resolv:host file = $ctx->{dns_host_file}
dreplsrv:periodic_startup_interval = 0
dsdb:schema update allowed = yes
server signing = on
idmap_ldb:use rfc2307=yes
+ winbind enum users = yes
+ winbind enum groups = yes
";
print CONFFILE "
";
close(CONFFILE);
- $self->mk_keyblobs($ctx->{tlsdir});
-
#Default the KDC IP to the server's IP
if (not defined($ctx->{kdc_ipv4})) {
- $ctx->{kdc_ipv4} = $ctx->{ipv4};
- }
+ $ctx->{kdc_ipv4} = $ctx->{ipv4};
+ }
+ if (not defined($ctx->{kdc_ipv6})) {
+ $ctx->{kdc_ipv6} = $ctx->{ipv6};
+ }
- Samba::mk_krb5_conf($ctx, "");
+ Samba::mk_krb5_conf($ctx);
open(PWD, ">$ctx->{nsswrap_passwd}");
- print PWD "
-root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false
-nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
+ if ($ctx->{unix_uid} != 0) {
+ print PWD "root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false\n";
+ }
+ print PWD "$ctx->{unix_name}:x:$ctx->{unix_uid}:65531:$ctx->{unix_name} gecos:$ctx->{prefix_abs}:/bin/false\n";
+ print PWD "nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
pdbtest:x:65533:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest2:x:65532:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest3:x:65531:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest4:x:65530:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
";
close(PWD);
my $uid_rfc2307test = 65533;
open(GRP, ">$ctx->{nsswrap_group}");
- print GRP "
-root:x:0:
-wheel:x:10:
-users:x:100:
+ if ($ctx->{unix_gid} != 0) {
+ print GRP "root:x:0:\n";
+ }
+ print GRP "$ctx->{unix_name}:x:$ctx->{unix_gid}:\n";
+ print GRP "wheel:x:10:
+users:x:65531:
nobody:x:65533:
nogroup:x:65534:nobody
";
close(GRP);
my $gid_rfc2307test = 65532;
+ my $hostname = lc($ctx->{hostname});
+ open(HOSTS, ">>$ctx->{nsswrap_hosts}");
+ if ($hostname eq "localdc") {
+ print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
+ print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
+ } else {
+ print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} ${hostname}\n";
+ print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} ${hostname}\n";
+ }
+ close(HOSTS);
+
+ if (defined($ctx->{resolv_conf})) {
+ open(RESOLV_CONF, ">$ctx->{resolv_conf}");
+ print RESOLV_CONF "nameserver $ctx->{kdc_ipv4}\n";
+ print RESOLV_CONF "nameserver $ctx->{kdc_ipv6}\n";
+ close(RESOLV_CONF);
+ }
+
my $configuration = "--configfile=$ctx->{smb_conf}";
#Ensure the config file is valid before we start
PIDDIR => $ctx->{piddir},
SERVER => $ctx->{hostname},
SERVER_IP => $ctx->{ipv4},
+ SERVER_IPV6 => $ctx->{ipv6},
NETBIOSNAME => $ctx->{netbiosname},
DOMAIN => $ctx->{domain},
USERNAME => $ctx->{username},
PASSWORD => $ctx->{password},
LDAPDIR => $ctx->{ldapdir},
LDAP_INSTANCE => $ctx->{ldap_instance},
- WINBINDD_SOCKET_DIR => $ctx->{winbindd_socket_dir},
+ SELFTEST_WINBINDD_SOCKET_DIR => $ctx->{winbindd_socket_dir},
NCALRPCDIR => $ctx->{ncalrpcdir},
LOCKDIR => $ctx->{lockdir},
STATEDIR => $ctx->{statedir},
SOCKET_WRAPPER_DEFAULT_IFACE => $ctx->{swiface},
NSS_WRAPPER_PASSWD => $ctx->{nsswrap_passwd},
NSS_WRAPPER_GROUP => $ctx->{nsswrap_group},
+ NSS_WRAPPER_HOSTS => $ctx->{nsswrap_hosts},
SAMBA_TEST_FIFO => "$ctx->{prefix}/samba_test.fifo",
SAMBA_TEST_LOG => "$ctx->{prefix}/samba_test.log",
SAMBA_TEST_LOG_POS => 0,
- NSS_WRAPPER_WINBIND_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
+ NSS_WRAPPER_MODULE_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
+ NSS_WRAPPER_MODULE_FN_PREFIX => "winbind",
LOCAL_PATH => $ctx->{share},
UID_RFC2307TEST => $uid_rfc2307test,
- GID_RFC2307TEST => $gid_rfc2307test
+ GID_RFC2307TEST => $gid_rfc2307test,
+ SERVER_ROLE => $ctx->{server_role}
};
+ if (defined($ctx->{resolv_conf})) {
+ $ret->{RESOLV_WRAPPER_CONF} = $ctx->{resolv_conf};
+ } else {
+ $ret->{RESOLV_WRAPPER_HOSTS} = $ctx->{dns_host_file};
+ }
+
return $ret;
}
return undef;
}
+ my $testallowed_account = "testallowed";
+ my $samba_tool_cmd = "";
+ $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user add --configfile=$ctx->{smb_conf} $testallowed_account $ctx->{password}";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add testallowed user: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ my $ldbmodify = "";
+ $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $ldbmodify .= Samba::bindir_path($self, "ldbmodify");
+ my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
+
+ if ($ctx->{server_role} ne "domain controller") {
+ $base_dn = "DC=$ctx->{netbiosname}";
+ }
+
+ my $user_dn = "cn=$testallowed_account,cn=users,$base_dn";
+ $testallowed_account = "testallowed account";
+ open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+ print LDIF "dn: $user_dn
+changetype: modify
+replace: samAccountName
+samAccountName: $testallowed_account
+-
+";
+ close(LDIF);
+
+ open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+ print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testallowed upn\@$ctx->{realm}
+replace: servicePrincipalName
+servicePrincipalName: host/testallowed
+-
+";
+ close(LDIF);
+
+ $samba_tool_cmd = "";
+ $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user add --configfile=$ctx->{smb_conf} testdenied $ctx->{password}";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add testdenied user: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ my $user_dn = "cn=testdenied,cn=users,$base_dn";
+ open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+ print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
+-
+";
+ close(LDIF);
+
+ $samba_tool_cmd = "";
+ $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account'";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add '$testallowed_account' user to 'Allowed RODC Password Replication Group': \n$samba_tool_cmd\n");
+ return undef;
+ }
+
return $ret;
}
-sub provision($$$$$$$$$)
+sub provision($$$$$$$$$$)
{
my ($self, $prefix, $server_role, $hostname,
$domain, $realm, $functional_level,
- $password, $kdc_ipv4, $extra_smbconf_options, $extra_smbconf_shares,
+ $password, $kdc_ipv4, $kdc_ipv6, $extra_smbconf_options, $extra_smbconf_shares,
$extra_provision_options) = @_;
my $ctx = $self->provision_raw_prepare($prefix, $server_role,
$hostname,
$domain, $realm, $functional_level,
- $password, $kdc_ipv4);
+ $password, $kdc_ipv4, $kdc_ipv6);
if (defined($extra_provision_options)) {
push (@{$ctx->{provision_options}}, @{$extra_provision_options});
server max protocol = SMB2
host msdfs = $msdfs
lanman auth = yes
+ allow nt4 crypto = yes
+
+ # fruit:copyfile is a global option
+ fruit:copyfile = yes
$extra_smbconf_options
[tmp]
path = $ctx->{share}
read only = no
- posix:sharedelay = 10000
+ posix:sharedelay = 100000
posix:oplocktimeout = 3
- posix:writetimeupdatedelay = 50000
+ posix:writetimeupdatedelay = 500000
[xcopy_share]
path = $ctx->{share}
read only = no
- posix:sharedelay = 10000
+ posix:sharedelay = 100000
posix:oplocktimeout = 3
- posix:writetimeupdatedelay = 50000
+ posix:writetimeupdatedelay = 500000
create mask = 777
force create mode = 777
[test1]
path = $ctx->{share}/test1
read only = no
- posix:sharedelay = 10000
+ posix:sharedelay = 100000
posix:oplocktimeout = 3
- posix:writetimeupdatedelay = 50000
+ posix:writetimeupdatedelay = 500000
[test2]
path = $ctx->{share}/test2
read only = no
- posix:sharedelay = 10000
+ posix:sharedelay = 100000
posix:oplocktimeout = 3
- posix:writetimeupdatedelay = 50000
+ posix:writetimeupdatedelay = 500000
[cifs]
+ path = $ctx->{share}/_ignore_cifs_
read only = no
ntvfs handler = cifs
cifs:server = $ctx->{netbiosname}
copy = simple
ntvfs handler = cifsposix
+[vfs_fruit]
+ path = $ctx->{share}
+ vfs objects = catia fruit streams_xattr acl_xattr
+ ea support = yes
+ fruit:ressource = file
+ fruit:metadata = netatalk
+ fruit:locking = netatalk
+ fruit:encoding = native
+
$extra_smbconf_shares
";
return $self->provision_raw_step2($ctx, $ret);
}
-sub provision_member($$$)
+sub provision_s4member($$$)
{
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING MEMBER...";
-
+ my $extra_smb_conf = "
+ passdb backend = samba_dsdb
+winbindd:use external pipes = true
+
+rpc_server:default = external
+rpc_server:svcctl = embedded
+rpc_server:srvsvc = embedded
+rpc_server:eventlog = embedded
+rpc_server:ntsvcs = embedded
+rpc_server:winreg = embedded
+rpc_server:spoolss = embedded
+rpc_daemon:spoolssd = embedded
+rpc_server:tcpip = no
+";
my $ret = $self->provision($prefix,
"member server",
"s4member",
"2008",
"locMEMpass3",
$dcvars->{SERVER_IP},
- "", "", undef);
+ $dcvars->{SERVER_IPV6},
+ $extra_smb_conf, "", undef);
unless ($ret) {
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
- $cmd .= " --machinepass=machine$ret->{password}";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD}";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
$ret->{MEMBER_SERVER} = $ret->{SERVER};
$ret->{MEMBER_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{MEMBER_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{MEMBER_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{MEMBER_USERNAME} = $ret->{USERNAME};
$ret->{MEMBER_PASSWORD} = $ret->{PASSWORD};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
print "PROVISIONING RPC PROXY...";
my $extra_smbconf_options = "
+ passdb backend = samba_dsdb
# rpc_proxy
dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
dcerpc_remote:interfaces = rpcecho
[cifs_to_dc]
+ path = /tmp/_ignore_cifs_to_dc_/_none_
read only = no
ntvfs handler = cifs
cifs:server = $dcvars->{SERVER}
"2008",
"locRPCproxypass4",
$dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6},
$extra_smbconf_options, "", undef);
unless ($ret) {
# The joind runs in the context of the rpc_proxy/member for now
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
- $cmd .= " --machinepass=machine$ret->{password}";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD}";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
$cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
$cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on";
- $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} $dcvars->{CONFIGURATION}";
+ $cmd .= " $dcvars->{CONFIGURATION}";
+ print $cmd;
unless (system($cmd) == 0) {
warn("Delegation failed\n$cmd");
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
$cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
$cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}";
- $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} $dcvars->{CONFIGURATION}";
+ $cmd .= " $dcvars->{CONFIGURATION}";
unless (system($cmd) == 0) {
warn("Delegation failed\n$cmd");
$ret->{RPC_PROXY_SERVER} = $ret->{SERVER};
$ret->{RPC_PROXY_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{RPC_PROXY_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{RPC_PROXY_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{RPC_PROXY_USERNAME} = $ret->{USERNAME};
$ret->{RPC_PROXY_PASSWORD} = $ret->{PASSWORD};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
return $ret;
}
-sub provision_promoted_vampire_dc($$$)
+sub provision_promoted_dc($$$)
{
my ($self, $prefix, $dcvars) = @_;
- print "PROVISIONING VAMPIRE DC...";
+ print "PROVISIONING PROMOTED DC...";
- # We do this so that we don't run the provision. That's the job of 'net vampire'.
+ # We do this so that we don't run the provision. That's the job of 'samba-tool domain dcpromo'.
my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
"promotedvdc",
"SAMBADOMAIN",
"samba.example.com",
"2008",
$dcvars->{PASSWORD},
- $dcvars->{SERVER_IP});
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6});
push (@{$ctx->{provision_options}}, "--use-ntvfs");
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
- $cmd .= " --machinepass=machine$ret->{password}";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD}";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
- $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
return undef;
}
- $ret->{PROMOTED_VAMPIRE_DC_SERVER} = $ret->{SERVER};
- $ret->{PROMOTED_VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP};
- $ret->{PROMOTED_VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+ $ret->{PROMOTED_DC_SERVER} = $ret->{SERVER};
+ $ret->{PROMOTED_DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{PROMOTED_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+ $ret->{PROMOTED_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
"samba.example.com",
"2008",
$dcvars->{PASSWORD},
- $dcvars->{SERVER_IP});
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6});
push (@{$ctx->{provision_options}}, "--use-ntvfs");
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
- $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
$ret->{VAMPIRE_DC_SERVER} = $ret->{SERVER};
$ret->{VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{VAMPIRE_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
+ $ret->{DC_REALM} = $dcvars->{DC_REALM};
return $ret;
}
return undef;
}
- my $dc_realms = Samba::mk_realms_stanza($dcvars->{REALM}, lc($dcvars->{REALM}),
- $dcvars->{DOMAIN}, $dcvars->{SERVER_IP});
- Samba::mk_krb5_conf($ctx, $dc_realms);
+ Samba::mk_krb5_conf($ctx);
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
- $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{realm} subdomain ";
+ $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{dnsname} subdomain ";
$cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
- $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
+ $cmd .= " --adminpass=$ret->{PASSWORD}";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
$ret->{SUBDOM_DC_SERVER} = $ret->{SERVER};
$ret->{SUBDOM_DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{SUBDOM_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{SUBDOM_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
return $ret;
}
-sub provision_dc($$)
+sub provision_ad_dc_ntvfs($$)
{
my ($self, $prefix) = @_;
- print "PROVISIONING DC...";
- my $extra_conf_options = "netbios aliases = localDC1-a";
+ # We keep the old 'winbind' name here in server services to
+ # ensure upgrades which used that name still work with the now
+ # alias.
+
+ print "PROVISIONING AD DC (NTVFS)...";
+ my $extra_conf_options = "netbios aliases = localDC1-a
+ server services = +winbind -winbindd
+ ldap server require strong auth = allow_sasl_over_tls
+ ";
my $ret = $self->provision($prefix,
"domain controller",
"localdc",
"samba.example.com",
"2008",
"locDCpass1",
- undef, $extra_conf_options, "", undef);
+ undef,
+ undef,
+ $extra_conf_options,
+ "",
+ undef);
return undef unless(defined $ret);
unless($self->add_wins_config("$prefix/private")) {
$ret->{NETBIOSALIAS} = "localdc1-a";
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
+ $ret->{DC_REALM} = $ret->{REALM};
return $ret;
}
{
my ($self, $prefix) = @_;
- print "PROVISIONING DC...";
+ print "PROVISIONING DC WITH FOREST LEVEL 2000...";
my $ret = $self->provision($prefix,
"domain controller",
"dc5",
"samba2000.example.com",
"2000",
"locDCpass5",
- undef, "", "", undef);
+ undef,
+ undef,
+ "",
+ "",
+ undef);
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
return $ret;
}
-sub provision_fl2003dc($$)
+sub provision_fl2003dc($$$)
{
- my ($self, $prefix) = @_;
+ my ($self, $prefix, $dcvars) = @_;
- print "PROVISIONING DC...";
+ print "PROVISIONING DC WITH FOREST LEVEL 2003...";
+ my $extra_conf_options = "allow dns updates = nonsecure and secure";
my $ret = $self->provision($prefix,
"domain controller",
"dc6",
"samba2003.example.com",
"2003",
"locDCpass6",
- undef, "allow dns updates = nonsecure and secure", "", undef);
+ undef,
+ undef,
+ $extra_conf_options,
+ "",
+ undef);
+
+ unless (defined $ret) {
+ return undef;
+ }
+
+ $ret->{DC_SERVER} = $ret->{SERVER};
+ $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $ret->{USERNAME};
+ $ret->{DC_PASSWORD} = $ret->{PASSWORD};
+
+ my @samba_tool_options;
+ push (@samba_tool_options, Samba::bindir_path($self, "samba-tool"));
+ push (@samba_tool_options, "domain");
+ push (@samba_tool_options, "passwordsettings");
+ push (@samba_tool_options, "set");
+ push (@samba_tool_options, "--configfile=$ret->{SERVERCONFFILE}");
+ push (@samba_tool_options, "--min-pwd-age=0");
+ push (@samba_tool_options, "--history-length=1");
+
+ my $samba_tool_cmd = join(" ", @samba_tool_options);
+
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to set min password age to 0: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ return $ret;
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
return $ret;
}
-sub provision_fl2008r2dc($$)
+sub provision_fl2008r2dc($$$)
{
- my ($self, $prefix) = @_;
+ my ($self, $prefix, $dcvars) = @_;
- print "PROVISIONING DC...";
+ print "PROVISIONING DC WITH FOREST LEVEL 2008r2...";
+ my $extra_conf_options = "ldap server require strong auth = no";
my $ret = $self->provision($prefix,
"domain controller",
"dc7",
"samba2008R2.example.com",
"2008_R2",
"locDCpass7",
- undef, "", "", undef);
+ undef,
+ undef,
+ $extra_conf_options,
+ "",
+ undef);
unless ($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
"samba.example.com",
"2008",
$dcvars->{PASSWORD},
- $dcvars->{SERVER_IP});
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6});
unless ($ctx) {
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
return undef;
}
+ # This ensures deterministic behaviour for tests that want to have the 'testallowed account'
+ # user password verified on the RODC
+ my $testallowed_account = "testallowed account";
+ $cmd = "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "$samba_tool rodc preload '$testallowed_account' $ret->{CONFIGURATION}";
+ $cmd .= " --server=$dcvars->{DC_SERVER}";
+
+ unless (system($cmd) == 0) {
+ warn("RODC join failed\n$cmd");
+ return undef;
+ }
+
# we overwrite the kdc after the RODC join
# so that use the RODC as kdc and test
# the proxy code
$ctx->{kdc_ipv4} = $ret->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $ret->{SERVER_IPV6};
Samba::mk_krb5_conf($ctx);
$ret->{RODC_DC_SERVER} = $ret->{SERVER};
$ret->{RODC_DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{RODC_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{RODC_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
return $ret;
}
-sub provision_plugin_s4_dc($$)
+sub provision_ad_dc($$)
{
my ($self, $prefix) = @_;
my $lockdir="$prefix_abs/lockdir";
my $conffile="$prefix_abs/etc/smb.conf";
+ my $require_mutexes = "dbwrap_tdb_require_mutexes:* = yes";
+ $require_mutexes = "" if ($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} eq "1");
+
my $extra_smbconf_options = "
server services = -smb +s3fs
xattr_tdb:file = $prefix_abs/statedir/xattr.tdb
+ dbwrap_tdb_mutexes:* = yes
+ ${require_mutexes}
+
kernel oplocks = no
kernel change notify = no
- syslog = no
+ logging = file
printing = bsd
printcap name = /dev/null
smbd:sharedelay = 100000
smbd:writetimeupdatedelay = 500000
- create mask = 0777
- directory mask = 0777
+ create mask = 755
dos filemode = yes
dcerpc endpoint servers = -winreg -srvsvc
queue pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queuepause %p
queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queueresume %p
lpq cache time = 0
-
+ print notify backchannel = yes
";
my $extra_smbconf_shares = "
copy = print1
";
- print "PROVISIONING PLUGIN S4 DC...";
+ print "PROVISIONING AD DC...";
my $ret = $self->provision($prefix,
"domain controller",
- "plugindc",
- "PLUGINDOMAIN",
- "plugin.samba.example.com",
+ "addc",
+ "ADDOMAIN",
+ "addom.samba.example.com",
"2008",
"locDCpass1",
- undef, $extra_smbconf_options,
- $extra_smbconf_shares, undef);
+ undef,
+ undef,
+ $extra_smbconf_options,
+ $extra_smbconf_shares,
+ undef);
return undef unless(defined $ret);
unless($self->add_wins_config("$prefix/private")) {
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
"chgdcpassword.samba.example.com",
"2008",
"chgDCpass1",
- undef, "server services = -dns", "",
+ undef,
+ undef,
+ "",
+ "",
$extra_provision_options);
return undef unless(defined $ret);
return undef;
}
- # Remove secrets.tdb from this environment to test that we still start up
- # on systems without the new matching secrets.tdb records
- unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb")) {
+ # Remove secrets.tdb from this environment to test that we
+ # still start up on systems without the new matching
+ # secrets.tdb records.
+ unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
return undef;
}
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
$count++;
}
- if ($count <= 20 && kill(0, $pid) == 0) {
- return;
- }
-
- kill "TERM", $pid;
+ if ($count > 30 || kill(0, $pid)) {
+ kill "TERM", $pid;
- until ($count > 20) {
- if (Samba::cleanup_child($pid, "samba") == -1) {
- last;
+ until ($count > 40) {
+ if (Samba::cleanup_child($pid, "samba") == -1) {
+ last;
+ }
+ sleep(1);
+ $count++;
}
- sleep(1);
- $count++;
- }
-
- # If it is still around, kill it
- if ($count > 20 && kill(0, $pid) == 0) {
+ # If it is still around, kill it
warn "server process $pid took more than $count seconds to exit, killing\n";
kill 9, $pid;
}
sub check_env($$)
{
my ($self, $envvars) = @_;
+ my $samba_pid = $envvars->{SAMBA_PID};
- my $childpid = Samba::cleanup_child($envvars->{SAMBA_PID}, "samba");
+ if (not defined($samba_pid)) {
+ return 0;
+ } elsif ($samba_pid > 0) {
+ my $childpid = Samba::cleanup_child($samba_pid, "samba");
+
+ if ($childpid == 0) {
+ return 1;
+ }
+ return 0;
+ } else {
+ return 1;
+ }
- return ($childpid == 0);
}
sub setup_env($$$)
return $self->{vars}->{$envname};
}
- if ($envname eq "dc") {
- return $self->setup_dc("$path/dc");
+ if ($envname eq "ad_dc_ntvfs") {
+ return $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
} elsif ($envname eq "fl2000dc") {
return $self->setup_fl2000dc("$path/fl2000dc");
} elsif ($envname eq "fl2003dc") {
- return $self->setup_fl2003dc("$path/fl2003dc");
+ if (not defined($self->{vars}->{ad_dc})) {
+ $self->setup_ad_dc("$path/ad_dc");
+ }
+ return $self->setup_fl2003dc("$path/fl2003dc", $self->{vars}->{ad_dc});
} elsif ($envname eq "fl2008r2dc") {
- return $self->setup_fl2008r2dc("$path/fl2008r2dc");
+ if (not defined($self->{vars}->{ad_dc})) {
+ $self->setup_ad_dc("$path/ad_dc");
+ }
+ return $self->setup_fl2008r2dc("$path/fl2008r2dc", $self->{vars}->{ad_dc});
} elsif ($envname eq "rpc_proxy") {
- if (not defined($self->{vars}->{dc})) {
- $self->setup_dc("$path/dc");
+ if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+ $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
}
- return $self->setup_rpc_proxy("$path/rpc_proxy", $self->{vars}->{dc});
+ return $self->setup_rpc_proxy("$path/rpc_proxy", $self->{vars}->{ad_dc_ntvfs});
} elsif ($envname eq "vampire_dc") {
- if (not defined($self->{vars}->{dc})) {
- $self->setup_dc("$path/dc");
+ if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+ $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
}
- return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{dc});
- } elsif ($envname eq "promoted_vampire_dc") {
- if (not defined($self->{vars}->{dc})) {
- $self->setup_dc("$path/dc");
+ return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{ad_dc_ntvfs});
+ } elsif ($envname eq "promoted_dc") {
+ if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+ $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
}
- return $self->setup_promoted_vampire_dc("$path/promoted_vampire_dc", $self->{vars}->{dc});
+ return $self->setup_promoted_dc("$path/promoted_dc", $self->{vars}->{ad_dc_ntvfs});
} elsif ($envname eq "subdom_dc") {
- if (not defined($self->{vars}->{dc})) {
- $self->setup_dc("$path/dc");
+ if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+ $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
}
- return $self->setup_subdom_dc("$path/subdom_dc", $self->{vars}->{dc});
+ return $self->setup_subdom_dc("$path/subdom_dc", $self->{vars}->{ad_dc_ntvfs});
} elsif ($envname eq "s4member") {
- if (not defined($self->{vars}->{dc})) {
- $self->setup_dc("$path/dc");
+ if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+ $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
}
- return $self->setup_member("$path/s4member", $self->{vars}->{dc});
+ return $self->setup_s4member("$path/s4member", $self->{vars}->{ad_dc_ntvfs});
} elsif ($envname eq "rodc") {
- if (not defined($self->{vars}->{dc})) {
- $self->setup_dc("$path/dc");
+ if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+ $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
}
- return $self->setup_rodc("$path/rodc", $self->{vars}->{dc});
+ return $self->setup_rodc("$path/rodc", $self->{vars}->{ad_dc_ntvfs});
} elsif ($envname eq "chgdcpass") {
return $self->setup_chgdcpass("$path/chgdcpass", $self->{vars}->{chgdcpass});
- } elsif ($envname eq "s3member") {
- if (not defined($self->{vars}->{dc})) {
- $self->setup_dc("$path/dc");
+ } elsif ($envname eq "ad_member") {
+ if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+ $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
}
- return $target3->setup_admember("$path/s3member", $self->{vars}->{dc}, 29);
- } elsif ($envname eq "plugin_s4_dc") {
- return $self->setup_plugin_s4_dc("$path/plugin_s4_dc");
+ return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc_ntvfs}, 29);
+ } elsif ($envname eq "ad_dc") {
+ return $self->setup_ad_dc("$path/ad_dc");
+ } elsif ($envname eq "ad_dc_no_nss") {
+ return $self->setup_ad_dc("$path/ad_dc_no_nss", "no_nss");
+ } elsif ($envname eq "ad_member_rfc2307") {
+ if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+ $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+ }
+ return $target3->setup_admember_rfc2307("$path/ad_member_rfc2307",
+ $self->{vars}->{ad_dc_ntvfs}, 34);
+ } elsif ($envname eq "none") {
+ return $self->setup_none("$path/none");
} else {
return "UNKNOWN";
}
}
-sub setup_member($$$)
+sub setup_s4member($$$)
{
my ($self, $path, $dc_vars) = @_;
- my $env = $self->provision_member($path, $dc_vars);
+ my $env = $self->provision_s4member($path, $dc_vars);
if (defined $env) {
- $self->check_or_start($env, "single");
-
- $self->wait_for_start($env);
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
- $self->{vars}->{member} = $env;
+ $self->{vars}->{s4member} = $env;
}
return $env;
my $env = $self->provision_rpc_proxy($path, $dc_vars);
if (defined $env) {
- $self->check_or_start($env, "single");
-
- $self->wait_for_start($env);
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
$self->{vars}->{rpc_proxy} = $env;
}
return $env;
}
-sub setup_dc($$)
+sub setup_ad_dc_ntvfs($$)
{
my ($self, $path) = @_;
- my $env = $self->provision_dc($path);
+ my $env = $self->provision_ad_dc_ntvfs($path);
if (defined $env) {
- $self->check_or_start($env, "standard");
-
- $self->wait_for_start($env);
+ if (not defined($self->check_or_start($env, "standard"))) {
+ warn("Failed to start ad_dc_ntvfs");
+ return undef;
+ }
- $self->{vars}->{dc} = $env;
+ $self->{vars}->{ad_dc_ntvfs} = $env;
}
return $env;
}
my $env = $self->provision_chgdcpass($path);
if (defined $env) {
- $self->check_or_start($env, "single");
-
- $self->wait_for_start($env);
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
$self->{vars}->{chgdcpass} = $env;
}
my $env = $self->provision_fl2000dc($path);
if (defined $env) {
- $self->check_or_start($env, "single");
-
- $self->wait_for_start($env);
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
$self->{vars}->{fl2000dc} = $env;
}
return $env;
}
-sub setup_fl2003dc($$)
+sub setup_fl2003dc($$$)
{
- my ($self, $path) = @_;
+ my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_fl2003dc($path);
if (defined $env) {
- $self->check_or_start($env, "single");
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
- $self->wait_for_start($env);
+ $env = $self->setup_trust($env, $dc_vars, "external", "--no-aes-keys");
$self->{vars}->{fl2003dc} = $env;
}
return $env;
}
-sub setup_fl2008r2dc($$)
+sub setup_fl2008r2dc($$$)
{
- my ($self, $path) = @_;
+ my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_fl2008r2dc($path);
if (defined $env) {
- $self->check_or_start($env, "single");
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ $self->setup_namespaces($env, $upn_array, $spn_array);
- $self->wait_for_start($env);
+ $env = $self->setup_trust($env, $dc_vars, "forest", "");
$self->{vars}->{fl2008r2dc} = $env;
}
my $env = $self->provision_vampire_dc($path, $dc_vars);
if (defined $env) {
- $self->check_or_start($env, "single");
-
- $self->wait_for_start($env);
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
+ }
$self->{vars}->{vampire_dc} = $env;
# for vampired partitions
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
- $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($env->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
$cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
- $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
+ $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
$cmd .= " $env->{CONFIGURATION}";
$cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
unless (system($cmd) == 0) {
# as 'vampired' dc may add data in its local replica
# we need to synchronize data between DCs
my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
- $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+ $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($env->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
$cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
$cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
$cmd .= " $dc_vars->{CONFIGURATION}";
return $env;
}
-sub setup_promoted_vampire_dc($$$)
+sub setup_promoted_dc($$$)
{
my ($self, $path, $dc_vars) = @_;
- my $env = $self->provision_promoted_vampire_dc($path, $dc_vars);
+ my $env = $self->provision_promoted_dc($path, $dc_vars);
if (defined $env) {
- $self->check_or_start($env, "single");
-
- $self->wait_for_start($env);
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
+ }
- $self->{vars}->{promoted_vampire_dc} = $env;
+ $self->{vars}->{promoted_dc} = $env;
- # force replicated DC to update repsTo/repsFrom
+ # force source and replicated DC to update repsTo/repsFrom
# for vampired partitions
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
return undef;
}
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+ $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+ $cmd .= " $samba_tool drs kcc $env->{SERVER}";
+ $cmd .= " $env->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+ unless (system($cmd) == 0) {
+ warn("Failed to exec kcc\n$cmd");
+ return undef;
+ }
+
# as 'vampired' dc may add data in its local replica
# we need to synchronize data between DCs
my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
my $env = $self->provision_subdom_dc($path, $dc_vars);
if (defined $env) {
- $self->check_or_start($env, "single");
-
- $self->wait_for_start($env);
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
+ }
$self->{vars}->{subdom_dc} = $env;
return undef;
}
- $self->check_or_start($env, "single");
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
+ }
- $self->wait_for_start($env);
+ # force source and replicated DC to update repsTo/repsFrom
+ # for vampired partitions
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+ $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+ $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
+ $cmd .= " $env->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+ unless (system($cmd) == 0) {
+ warn("Failed to exec kcc\n$cmd");
+ return undef;
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+ $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+ $cmd .= " $samba_tool drs kcc -k no $env->{SERVER}";
+ $cmd .= " $env->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+ unless (system($cmd) == 0) {
+ warn("Failed to exec kcc\n$cmd");
+ return undef;
+ }
+
+ my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+ $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+ $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+ $cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}";
+ $cmd .= " $dc_vars->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+ # replicate Configuration NC
+ my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ # replicate Default NC
+ $cmd_repl = "$cmd \"$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
$self->{vars}->{rodc} = $env;
return $env;
}
-sub setup_plugin_s4_dc($$)
+sub setup_ad_dc($$)
{
- my ($self, $path) = @_;
+ my ($self, $path, $no_nss) = @_;
# If we didn't build with ADS, pretend this env was never available
if (not $self->{target3}->have_ads()) {
return "UNKNOWN";
}
- my $env = $self->provision_plugin_s4_dc($path);
+ my $env = $self->provision_ad_dc($path);
unless ($env) {
return undef;
}
- $self->check_or_start($env, "single");
-
- $self->wait_for_start($env);
-
- $self->{vars}->{plugin_s4_dc} = $env;
+ if (defined($no_nss) and $no_nss) {
+ $env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
+ $env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+ }
+
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ $self->setup_namespaces($env, $upn_array, $spn_array);
+
+ $self->{vars}->{ad_dc} = $env;
return $env;
}
+sub setup_none($$)
+{
+ my ($self, $path) = @_;
+
+ my $ret = {
+ KRB5_CONFIG => abs_path($path) . "/no_krb5.conf",
+ SAMBA_PID => -1,
+ }
+}
+
1;