2 Unix SMB/CIFS implementation.
4 Copyright (C) David Mulder 2017
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "param/param.h"
22 #include "param/loadparm.h"
23 #include "torture/smbtorture.h"
24 #include "lib/util/mkdir_p.h"
25 #include "dsdb/samdb/samdb.h"
26 #include "auth/session.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "torture/gpo/proto.h"
31 struct torture_suite *gpo_apply_suite(TALLOC_CTX *ctx)
33 struct torture_suite *suite = torture_suite_create(ctx, "apply");
35 torture_suite_add_simple_test(suite, "gpo_param_from_gpo",
36 torture_gpo_system_access_policies);
38 suite->description = talloc_strdup(suite, "Group Policy apply tests");
43 static int exec_wait(char **cmd)
49 execv(cmd[0], &(cmd[1]));
56 if (waitpid(pid, &ret, 0) < 0)
63 static int unix2nttime(const char *sval)
65 return (strtoll(sval, NULL, 10) * -1 / 60 / 60 / 24 / 10000000);
68 #define GPODIR "addom.samba.example.com/Policies/"\
69 "{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/"\
71 #define GPOFILE "GptTmpl.inf"
72 #define GPTTMPL "[System Access]\n\
73 MinimumPasswordAge = %d\n\
74 MaximumPasswordAge = %d\n\
75 MinimumPasswordLength = %d\n\
76 PasswordComplexity = %d\n\
78 #define GPTINI "addom.samba.example.com/Policies/"\
79 "{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI"
81 bool torture_gpo_system_access_policies(struct torture_context *tctx)
83 TALLOC_CTX *ctx = talloc_new(tctx);
85 const char *sysvol_path = NULL, *gpo_dir = NULL;
86 const char *gpo_file = NULL, *gpt_file = NULL;
87 struct ldb_context *samdb = NULL;
88 struct ldb_result *result;
89 const char *attrs[] = {
97 const char **gpo_update_cmd;
98 char **gpo_unapply_cmd;
99 int minpwdcases[] = { 0, 1, 998 };
100 int maxpwdcases[] = { 0, 1, 999 };
101 int pwdlencases[] = { 0, 1, 14 };
102 int pwdpropcases[] = { 0, 1, 1 };
103 struct ldb_message *old_message = NULL;
105 int gpo_update_len = 0;
107 sysvol_path = lpcfg_path(lpcfg_service(tctx->lp_ctx, "sysvol"),
108 lpcfg_default_service(tctx->lp_ctx), tctx);
109 torture_assert(tctx, sysvol_path, "Failed to fetch the sysvol path");
111 /* Ensure the sysvol path exists */
112 gpo_dir = talloc_asprintf(ctx, "%s/%s", sysvol_path, GPODIR);
113 mkdir_p(gpo_dir, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
114 gpo_file = talloc_asprintf(ctx, "%s/%s", gpo_dir, GPOFILE);
116 /* Get the gpo update command */
117 gpo_update_cmd = lpcfg_gpo_update_command(tctx->lp_ctx);
118 torture_assert(tctx, gpo_update_cmd && gpo_update_cmd[0],
119 "Failed to fetch the gpo update command");
121 /* Open and read the samba db and store the initial password settings */
122 samdb = samdb_connect(ctx, tctx->ev, tctx->lp_ctx,
123 system_session(tctx->lp_ctx), 0);
124 torture_assert(tctx, samdb, "Failed to connect to the samdb");
126 ret = ldb_search(samdb, ctx, &result, ldb_get_default_basedn(samdb),
127 LDB_SCOPE_BASE, attrs, NULL);
128 torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1,
129 "Searching the samdb failed");
131 old_message = result->msgs[0];
133 for (i = 0; i < 3; i++) {
134 /* Write out the sysvol */
135 if ( (fp = fopen(gpo_file, "w")) ) {
136 fputs(talloc_asprintf(ctx, GPTTMPL, minpwdcases[i],
137 maxpwdcases[i], pwdlencases[i],
138 pwdpropcases[i]), fp);
142 /* Update the version in the GPT.INI */
143 gpt_file = talloc_asprintf(ctx, "%s/%s", sysvol_path, GPTINI);
144 if ( (fp = fopen(gpt_file, "r")) ) {
146 while (fgets(line, 256, fp)) {
147 if (strncasecmp(line, "Version=", 8) == 0) {
154 if ( (fp = fopen(gpt_file, "w")) ) {
155 char *data = talloc_asprintf(ctx,
156 "[General]\nVersion=%d\n",
162 /* Run the gpo update command */
163 ret = exec_wait(discard_const_p(char *, gpo_update_cmd));
164 torture_assert(tctx, ret == 0,
165 "Failed to execute the gpo update command");
167 ret = ldb_search(samdb, ctx, &result,
168 ldb_get_default_basedn(samdb),
169 LDB_SCOPE_BASE, attrs, NULL);
170 torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1,
171 "Searching the samdb failed");
174 torture_assert_int_equal(tctx, unix2nttime(
175 ldb_msg_find_attr_as_string(
178 "")), minpwdcases[i],
179 "The minPwdAge was not applied");
182 torture_assert_int_equal(tctx, unix2nttime(
183 ldb_msg_find_attr_as_string(
186 "")), maxpwdcases[i],
187 "The maxPwdAge was not applied");
190 torture_assert_int_equal(tctx, ldb_msg_find_attr_as_int(
195 "The minPwdLength was not applied");
198 torture_assert_int_equal(tctx, ldb_msg_find_attr_as_int(
203 "The pwdProperties were not applied");
206 /* Unapply the settings and verify they are removed */
207 for (itr = gpo_update_cmd; *itr != NULL; itr++) {
210 gpo_unapply_cmd = talloc_array(ctx, char*, gpo_update_len+2);
211 for (i = 0; i < gpo_update_len; i++) {
212 gpo_unapply_cmd[i] = talloc_strdup(gpo_unapply_cmd,
215 gpo_unapply_cmd[i] = talloc_asprintf(gpo_unapply_cmd, "--unapply");
216 gpo_unapply_cmd[i+1] = NULL;
217 ret = exec_wait(gpo_unapply_cmd);
218 torture_assert(tctx, ret == 0,
219 "Failed to execute the gpo unapply command");
220 ret = ldb_search(samdb, ctx, &result, ldb_get_default_basedn(samdb),
221 LDB_SCOPE_BASE, attrs, NULL);
222 torture_assert(tctx, ret == LDB_SUCCESS && result->count == 1,
223 "Searching the samdb failed");
225 torture_assert_int_equal(tctx, unix2nttime(ldb_msg_find_attr_as_string(
229 unix2nttime(ldb_msg_find_attr_as_string(old_message,
233 "The minPwdAge was not unapplied");
235 torture_assert_int_equal(tctx, unix2nttime(ldb_msg_find_attr_as_string(
239 unix2nttime(ldb_msg_find_attr_as_string(old_message,
243 "The maxPwdAge was not unapplied");
245 torture_assert_int_equal(tctx, ldb_msg_find_attr_as_int(
249 ldb_msg_find_attr_as_int(
253 "The minPwdLength was not unapplied");
255 torture_assert_int_equal(tctx, ldb_msg_find_attr_as_int(
259 ldb_msg_find_attr_as_int(
263 "The pwdProperties were not unapplied");