pytest:dsdb: check that there is a gkdi root key
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 28 Feb 2024 02:32:41 +0000 (15:32 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 1 Mar 2024 00:19:45 +0000 (00:19 +0000)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/dsdb_quiet_provision_tests.py [new file with mode: 0644]
selftest/knownfail.d/gkdi-root-key-at-provision [new file with mode: 0644]
source4/selftest/tests.py

diff --git a/python/samba/tests/dsdb_quiet_provision_tests.py b/python/samba/tests/dsdb_quiet_provision_tests.py
new file mode 100644 (file)
index 0000000..da642a7
--- /dev/null
@@ -0,0 +1,59 @@
+# Unix SMB/CIFS implementation. Tests for dsdb
+# Copyright (C) Matthieu Patou <mat@matws.net> 2010
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""These tests want to be run on a freshly provisioned domain that has
+not been greatly modified by other tests (which at the time of writing
+probably means 'chgdcpass').
+
+Tests here should only read the database.
+
+This is to avoid flapping tests.
+"""
+
+from samba.credentials import Credentials
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba.tests import TestCase
+import ldb
+import samba
+
+
+class DsdbQuietProvisionTests(TestCase):
+
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.lp = samba.tests.env_loadparm()
+        cls.creds = Credentials()
+        cls.creds.guess(cls.lp)
+        cls.session = system_session()
+        cls.samdb = SamDB(session_info=cls.session,
+                          credentials=cls.creds,
+                          lp=cls.lp)
+
+    def test_dsdb_dn_gkdi_gmsa_root_keys_exist(self):
+        """In provision we set up a GKDI root key.
+
+        There should always be at least one.
+        """
+        dn = self.samdb.get_config_basedn()
+        dn.add_child("CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services")
+        res = self.samdb.search(dn,
+                                scope=ldb.SCOPE_SUBTREE,
+                                expression="(objectClass = msKds-ProvRootKey)")
+
+        self.assertGreater(len(res), 0)
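Review bot: The search in test_dsdb_dn_gkdi_gmsa_root_keys_exist passes no `attrs`, so every attribute of each root key object is requested over a system_session handle, which presumably includes the secret msKds-RootKeyData even though only `len(res)` is used. Restricting the request, e.g. `attrs=["cn"]`, would keep key material out of the test process and any debug output. The filter would also read more conventionally without spaces around `=`, as `expression="(objectClass=msKds-ProvRootKey)"`. The module docstring says tests here should only read the database, but nothing visible in setUpClass enforces that on the SamDB handle, so a comment there saying `# opened read-write; tests must not modify the database` would make the constraint visible at the point of use.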
diff --git a/selftest/knownfail.d/gkdi-root-key-at-provision b/selftest/knownfail.d/gkdi-root-key-at-provision
new file mode 100644 (file)
index 0000000..9ef4f22
--- /dev/null
@@ -0,0 +1 @@
+^samba.tests.dsdb_quiet_provision_tests.+test_dsdb_dn_gkdi_gmsa_root_keys_exist
\ No newline at end of file
index d70d7d56118d5ff27b08cb0d4c0fdc622df73946..c7ecf46d25d6e2bbd9492fc5226f1b0030f406ee 100755 (executable)
@@ -566,6 +566,10 @@ plantestsuite_loadlist("samba.tests.sddl_conditional_ace",
 for t in smbtorture4_testsuites("dns_internal."):
     plansmbtorture4testsuite(t, "ad_dc_default:local", '//$SERVER/whavever')
 
+# These tests want to run on a barely changed fresh provision, before
+# too much happens to this environment.
+planpythontestsuite("chgdcpass:local", "samba.tests.dsdb_quiet_provision_tests")
+
 # Local tests
 for t in smbtorture4_testsuites("dlz_bind9."):
     # The dlz_bind9 tests needs to look at the DNS database