search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:kdc: Implement KDC plugin hardware authentication policy
[Samba.git] / selftest / target / Samba.pm
blob516684ee900ae1bf074bb208c9ff07c4bd9a051f
1 #!/usr/bin/perl
2 # Bootstrap Samba and run a number of tests against it.
3 # Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
4 # Published under the GNU GPL, v3 or later.
5
6 package Samba;
7
8 use strict;
9 use warnings;
10 use target::Samba3;
11 use target::Samba4;
12 use POSIX;
13 use Cwd qw(abs_path);
14 use IO::Poll qw(POLLIN);
15
16 sub new($$$$$) {
17 my ($classname, $bindir, $srcdir, $server_maxtime,
18 $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap,
19 $default_ldb_backend) = @_;
20
21 my $self = {
22 opt_socket_wrapper_pcap => $opt_socket_wrapper_pcap,
23 opt_socket_wrapper_keep_pcap => $opt_socket_wrapper_keep_pcap,
24 };
25 $self->{samba3} = new Samba3($self, $bindir, $srcdir, $server_maxtime);
26 $self->{samba4} = new Samba4($self, $bindir, $srcdir, $server_maxtime, $default_ldb_backend);
27 bless $self;
28 return $self;
29 }
30
31 %Samba::ENV_DEPS = (%Samba3::ENV_DEPS, %Samba4::ENV_DEPS);
32 our %ENV_DEPS;
33
34 %Samba::ENV_DEPS_POST = (%Samba3::ENV_DEPS_POST, %Samba4::ENV_DEPS_POST);
35 our %ENV_DEPS_POST;
36
37 %Samba::ENV_TARGETS = (
38 (map { $_ => "Samba3" } keys %Samba3::ENV_DEPS),
39 (map { $_ => "Samba4" } keys %Samba4::ENV_DEPS),
40 );
41 our %ENV_TARGETS;
42
43 %Samba::ENV_NEEDS_AD_DC = (
44 (map { $_ => 1 } keys %Samba4::ENV_DEPS)
45 );
46 our %ENV_NEEDS_AD_DC;
47 foreach my $env (keys %Samba3::ENV_DEPS) {
48 $ENV_NEEDS_AD_DC{$env} = ($env =~ /^ad_/);
49 }
50
51 sub setup_pcap($$)
52 {
53 my ($self, $name) = @_;
54
55 return unless ($self->{opt_socket_wrapper_pcap});
56 return unless defined($ENV{SOCKET_WRAPPER_PCAP_DIR});
57
58 my $fname = $name;
59 $fname =~ s%[^abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\-]%_%g;
60
61 my $pcap_file = "$ENV{SOCKET_WRAPPER_PCAP_DIR}/$fname.pcap";
62
63 SocketWrapper::setup_pcap($pcap_file);
64
65 return $pcap_file;
66 }
67
68 sub cleanup_pcap($$$)
69 {
70 my ($self, $pcap_file, $exitcode) = @_;
71
72 return unless ($self->{opt_socket_wrapper_pcap});
73 return if ($self->{opt_socket_wrapper_keep_pcap});
74 return unless ($exitcode == 0);
75 return unless defined($pcap_file);
76
77 unlink($pcap_file);
78 }
79
80 sub setup_env($$$)
81 {
82 my ($self, $envname, $path) = @_;
83
84 my $targetname = $ENV_TARGETS{$envname};
85 if (not defined($targetname)) {
86 warn("Samba can't provide environment '$envname'");
87 return "UNKNOWN";
88 }
89
90 my %targetlookup = (
91 "Samba3" => $self->{samba3},
92 "Samba4" => $self->{samba4}
93 );
94 my $target = $targetlookup{$targetname};
95
96 if (defined($target->{vars}->{$envname})) {
97 return $target->{vars}->{$envname};
98 }
99
100 $target->{vars}->{$envname} = "";
101
102 my @dep_vars;
103 foreach(@{$ENV_DEPS{$envname}}) {
104 my $vars = $self->setup_env($_, $path);
105 if (defined($vars)) {
106 push(@dep_vars, $vars);
107 } else {
108 warn("Failed setting up $_ as a dependency of $envname");
109 return undef;
110 }
111 }
112
113 $ENV{ENVNAME} = $envname;
114 # Avoid hitting system krb5.conf -
115 # An env that needs Kerberos will reset this to the real value.
116 $ENV{KRB5_CONFIG} = "$path/no_krb5.conf";
117 $ENV{RESOLV_CONF} = "$path/no_resolv.conf";
118
119 my $setup_name = $ENV_TARGETS{$envname}."::setup_".$envname;
120 my $setup_sub = \&$setup_name;
121 my $setup_pcap_file = $self->setup_pcap("env-$ENV{ENVNAME}-setup");
122 my $env = &$setup_sub($target, "$path/$envname", @dep_vars);
123 $self->cleanup_pcap($setup_pcap_file, not defined($env));
124 SocketWrapper::setup_pcap(undef);
125
126 if (not defined($env)) {
127 warn("failed to start up environment '$envname'");
128 return undef;
129 }
130 if ($env eq "UNKNOWN") {
131 warn("unknown environment '$envname'");
132 return $env;
133 }
134
135 $target->{vars}->{$envname} = $env;
136 $target->{vars}->{$envname}->{target} = $target;
137
138 foreach(@{$ENV_DEPS_POST{$envname}}) {
139 if (not defined $_) {
140 continue;
141 }
142 my $vars = $self->setup_env($_, $path);
143 if (not defined($vars)) {
144 return undef;
145 }
146 }
147
148 return $env;
149 }
150
151 sub bindir_path($$) {
152 my ($object, $path) = @_;
153
154 my $valpath = "$object->{bindir}/$path";
155 my $python_cmd = "";
156 my $result = $path;
157 if (defined $ENV{'PYTHON'}) {
158 $python_cmd = $ENV{'PYTHON'} . " ";
159 }
160
161 if (-f $valpath or -d $valpath) {
162 $result = $valpath;
163 }
164 # make sure we prepend samba-tool with calling $PYTHON python version
165 if ($path eq "samba-tool") {
166 $result = $python_cmd . $result;
167 }
168 return $result;
169 }
170
171 sub nss_wrapper_winbind_so_path($) {
172 my ($object) = @_;
173 my $ret = $ENV{NSS_WRAPPER_WINBIND_SO_PATH};
174 if (not defined($ret)) {
175 $ret = bindir_path($object, "plugins/libnss_wrapper_winbind.so.2");
176 $ret = abs_path($ret);
177 }
178 return $ret;
179 }
180
181 sub copy_file_content($$)
182 {
183 my ($in, $out) = @_;
184 open(IN, "${in}") or die("failed to open in[${in}] for reading: $!");
185 open(OUT, ">${out}") or die("failed to open out[${out}] for writing: $!");
186 while(<IN>) {
187 print OUT $_;
188 }
189 close(OUT);
190 close(IN);
191 }
192
193 sub prepare_keyblobs($)
194 {
195 my ($ctx) = @_;
196
197 my $cadir = "$ENV{SRCDIR_ABS}/selftest/manage-ca/CA-samba.example.com";
198 my $cacert = "$cadir/Public/CA-samba.example.com-cert.pem";
199 # A file containing a CRL with no revocations.
200 my $cacrl_pem = "$cadir/Public/CA-samba.example.com-crl.pem";
201 my $dcdnsname = "$ctx->{hostname}.$ctx->{dnsname}";
202 my $dcdir = "$cadir/DCs/$dcdnsname";
203 my $dccert = "$dcdir/DC-$dcdnsname-cert.pem";
204 my $dckey_private = "$dcdir/DC-$dcdnsname-private-key.pem";
205 my $adminprincipalname = "administrator\@$ctx->{dnsname}";
206 my $admindir = "$cadir/Users/$adminprincipalname";
207 my $admincert = "$admindir/USER-$adminprincipalname-cert.pem";
208 my $adminkey_private = "$admindir/USER-$adminprincipalname-private-key.pem";
209 my $pkinitprincipalname = "pkinit\@$ctx->{dnsname}";
210 my $ca_pkinitdir = "$cadir/Users/$pkinitprincipalname";
211 my $pkinitcert = "$ca_pkinitdir/USER-$pkinitprincipalname-cert.pem";
212 my $pkinitkey_private = "$ca_pkinitdir/USER-$pkinitprincipalname-private-key.pem";
213
214 my $tlsdir = "$ctx->{tlsdir}";
215 my $pkinitdir = "$ctx->{prefix_abs}/pkinit";
216 #TLS and PKINIT crypto blobs
217 my $dhfile = "$tlsdir/dhparms.pem";
218 my $cafile = "$tlsdir/ca.pem";
219 my $crlfile = "$tlsdir/crl.pem";
220 my $certfile = "$tlsdir/cert.pem";
221 my $keyfile = "$tlsdir/key.pem";
222 my $admincertfile = "$pkinitdir/USER-$adminprincipalname-cert.pem";
223 my $adminkeyfile = "$pkinitdir/USER-$adminprincipalname-private-key.pem";
224 my $pkinitcertfile = "$pkinitdir/USER-$pkinitprincipalname-cert.pem";
225 my $pkinitkeyfile = "$pkinitdir/USER-$pkinitprincipalname-private-key.pem";
226
227 mkdir($tlsdir, 0700);
228 mkdir($pkinitdir, 0700);
229 my $oldumask = umask;
230 umask 0077;
231
232 # This is specified here to avoid draining entropy on every run
233 # generate by
234 # openssl dhparam -out dhparms.pem -text -2 8192
235 open(DHFILE, ">$dhfile");
236 print DHFILE <<EOF;
237 -----BEGIN DH PARAMETERS-----
238 MIIECAKCBAEAlcpjuJptCzC2bIIApLuyFLw2nODQUztqs/peysY9e3LgWh/xrc87
239 SWJNSUrqFJFh2m357WH0XGcTdTk0b/8aIYIWjbwEhWR/5hZ+1x2TDrX1awkYayAe
240 pr0arycmWHaAmhw+m+dBdj2O2jRMe7gn0ha85JALNl+Z3wv2q2eys8TIiQ2dbHPx
241 XvpMmlAv7QHZnpSpX/XgueQr6T3EYggljppZwk1fe4W2cxBjCv9w/Q83pJXMEVVB
242 WESEQPZC38v6hVIXIlF4J7jXjV3+NtCLL4nvsy0jrLEntyKz5OB8sNPRzJr0Ju2Y
243 yXORCSMMXMygP+dxJtQ6txzQYWyaCYN1HqHDZy3cFL9Qy8kTFqIcW56Lti2GsW/p
244 jSMzEOa1NevhKNFL3dSZJx5m+5ZeMvWXlCqXSptmVdbs5wz5jkMUm/E6pVfM5lyb
245 Ttlcq2iYPqnJz1jcL5xwhoufID8zSJCPJ7C0jb0Ngy5wLIUZfjXJUXxUyxTnNR9i
246 N9Sc+UkDvLxnCW+qzjyPXGlQU1SsJwMLWa2ZecL/uYE4bOdcN3g+5WHkevyDnXqR
247 +yy9x7sGXjBT3bRWK5tVHJWOi6eBu1hp39U6aK8oOJWiUt3vmC2qEdIsT6JaLNNi
248 YKrSfRGBf19IJBaagen1S19bb3dnmwoU1RaWM0EeJQW1oXOBg7zLisB2yuu5azBn
249 tse00+0nc+GbH2y+jP0sE7xil1QeilZl+aQ3tX9vL0cnCa+8602kXxU7P5HaX2+d
250 05pvoHmeZbDV85io36oF976gBYeYN+qAkTUMsIZhuLQDuyn0963XOLyn1Pm6SBrU
251 OkIZXW7WoKEuO/YSfizUIqXwmAMJjnEMJCWG51MZZKx//9Hsdp1RXSm/bRSbvXB7
252 MscjvQYWmfCFnIk8LYnEt3Yey40srEiS9xyZqdrvobxz+sU1XcqR38kpVf4gKASL
253 xURia64s4emuJF+YHIObyydazQ+6/wX/C+m+nyfhuxSO6j1janPwtYbU+Uj3TzeM
254 04K1mpPQpZcaMdZZiNiu7i8VJlOPKAz7aJT8TnMMF5GMyzyLpSMpc+NF9L/BSocV
255 /cUM4wQT2PTHrcyYzmTVH7c9bzBkuxqrwVB1BY1jitDV9LIYIVBglKcX88qrfHIM
256 XiXPAIwGclD59qm2cG8OdM9NA5pNMI119KuUAIJsUdgPbR1LkT2XTT15YVoHmFSQ
257 DlaWOXn4td031jr0EisX8QtFR7+/0Nfoni6ydFGs5fNH/L1ckq6FEO4OhgucJw9H
258 YRmiFlsQBQNny78vNchwZne3ZixkShtGW0hWDdi2n+h7St1peNJCNJjMbEhRsPRx
259 RmNGWh4AL8rho4RO9OBao0MnUdjbbffD+wIBAg==
260 -----END DH PARAMETERS-----
261 EOF
262 close(DHFILE);
263
264 if (! -e ${dckey_private}) {
265 umask $oldumask;
266 return;
267 }
268
269 copy_file_content(${cacert}, ${cafile});
270 copy_file_content(${cacrl_pem}, ${crlfile});
271 copy_file_content(${dccert}, ${certfile});
272 copy_file_content(${dckey_private}, ${keyfile});
273 if (-e ${adminkey_private}) {
274 copy_file_content(${admincert}, ${admincertfile});
275 copy_file_content(${adminkey_private}, ${adminkeyfile});
276 }
277 if (-e ${pkinitkey_private}) {
278 copy_file_content(${pkinitcert}, ${pkinitcertfile});
279 copy_file_content(${pkinitkey_private}, ${pkinitkeyfile});
280 }
281
282 # COMPAT stuff to be removed in a later commit
283 my $kdccertfile = "$tlsdir/kdc.pem";
284 copy_file_content(${dccert}, ${kdccertfile});
285
286 umask $oldumask;
287 }
288
289 sub copy_gnupg_home($)
290 {
291 my ($ctx) = @_;
292
293 my $gnupg_srcdir = "$ENV{SRCDIR_ABS}/selftest/gnupg";
294 my @files = (
295 "gpg.conf",
296 "pubring.gpg",
297 "secring.gpg",
298 "trustdb.gpg",
299 );
300
301 my $oldumask = umask;
302 umask 0077;
303 mkdir($ctx->{gnupghome}, 0777);
304 umask 0177;
305 foreach my $file (@files) {
306 my $srcfile = "${gnupg_srcdir}/${file}";
307 my $dstfile = "$ctx->{gnupghome}/${file}";
308 copy_file_content(${srcfile}, ${dstfile});
309 }
310 umask $oldumask;
311 }
312
313 sub mk_krb5_conf($$)
314 {
315 my ($ctx) = @_;
316
317 unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
318 warn("can't open $ctx->{krb5_conf}$?");
319 return undef;
320 }
321
322 my $our_realms_stanza = mk_realms_stanza($ctx->{realm},
323 $ctx->{dnsname},
324 $ctx->{domain},
325 $ctx->{kdc_ipv4});
326 print KRB5CONF "
327 #Generated krb5.conf for $ctx->{realm}
328
329 [libdefaults]
330 default_realm = $ctx->{realm}
331 dns_lookup_realm = false
332 dns_lookup_kdc = true
333 ticket_lifetime = 24h
334 forwardable = yes
335
336 # We are running on the same machine, do not correct
337 # system clock differences
338 kdc_timesync = 0
339
340 fcache_strict_checking = false
341 ";
342
343 if (defined($ENV{MITKRB5})) {
344 print KRB5CONF "
345 # Set the grace clockskew to 5 seconds
346 # This is especially required by samba3.raw.session krb5 and
347 # reauth tests when not using Heimdal
348 clockskew = 5
349 # To allow the FL 2000 DC to still work for now
350 allow_rc4 = yes
351 ";
352 }
353
354 if (defined($ctx->{krb5_ccname})) {
355 print KRB5CONF "
356 default_ccache_name = $ctx->{krb5_ccname}
357 ";
358 }
359
360
361 if (defined($ctx->{supported_enctypes})) {
362 print KRB5CONF "
363 default_etypes = $ctx->{supported_enctypes}
364 default_as_etypes = $ctx->{supported_enctypes}
365 default_tgs_enctypes = $ctx->{supported_enctypes}
366 default_tkt_enctypes = $ctx->{supported_enctypes}
367 permitted_enctypes = $ctx->{supported_enctypes}
368 ";
369 }
370
371 if (defined($ctx->{tlsdir})) {
372 if (defined($ENV{MITKRB5})) {
373 print KRB5CONF "
374 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
375 pkinit_kdc_hostname = $ctx->{hostname}.$ctx->{dnsname}
376
377 ";
378 } else {
379 print KRB5CONF "
380
381 [appdefaults]
382 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
383
384 [kdc]
385 enable-pkinit = true
386 pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
387 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
388 pkinit_revoke = FILE:$ctx->{tlsdir}/crl.pem
389
390 ";
391 }
392 }
393
394 print KRB5CONF "
395 [realms]
396 $our_realms_stanza
397 ";
398
399 close(KRB5CONF);
400 }
401
402 sub append_krb5_conf_trust_realms($$)
403 {
404 my ($ctx) = @_;
405
406 unless (open(KRB5CONF, ">>$ctx->{KRB5_CONFIG}")) {
407 warn("can't open $ctx->{KRB5_CONFIG}$?");
408 return undef;
409 }
410
411 my $trust_realms_stanza = mk_realms_stanza($ctx->{TRUST_REALM},
412 $ctx->{TRUST_DNSNAME},
413 $ctx->{TRUST_DOMAIN},
414 $ctx->{TRUST_SERVER_IP});
415
416 print KRB5CONF " $trust_realms_stanza";
417
418 close(KRB5CONF)
419 }
420
421 sub mk_realms_stanza($$$$)
422 {
423 my ($realm, $dnsname, $domain, $kdc_ipv4) = @_;
424 my $lc_domain = lc($domain);
425
426 # The pkinit_require_krbtgt_otherName = false
427 # is just because the certificates we have saved
428 # do not have the realm in the subjectAltName
429 # (specially encoded as a principal)
430 # per
431 # https://github.com/heimdal/heimdal/wiki/Setting-up-PK-INIT-and-Certificates
432 my $realms_stanza = "
433 $realm = {
434 kdc = $kdc_ipv4:88
435 admin_server = $kdc_ipv4:88
436 default_domain = $dnsname
437 pkinit_require_krbtgt_otherName = false
438 }
439 $dnsname = {
440 kdc = $kdc_ipv4:88
441 admin_server = $kdc_ipv4:88
442 default_domain = $dnsname
443 pkinit_require_krbtgt_otherName = false
444 }
445 $domain = {
446 kdc = $kdc_ipv4:88
447 admin_server = $kdc_ipv4:88
448 default_domain = $dnsname
449 pkinit_require_krbtgt_otherName = false
450 }
451 $lc_domain = {
452 kdc = $kdc_ipv4:88
453 admin_server = $kdc_ipv4:88
454 default_domain = $dnsname
455 pkinit_require_krbtgt_otherName = false
456 }
457
458 ";
459 return $realms_stanza;
460 }
461
462 sub mk_mitkdc_conf($$)
463 {
464 # samba_kdb_dir is the path to mit_samba.so
465 my ($ctx, $samba_kdb_dir) = @_;
466
467 unless (open(KDCCONF, ">$ctx->{mitkdc_conf}")) {
468 warn("can't open $ctx->{mitkdc_conf}$?");
469 return undef;
470 }
471
472 print KDCCONF "
473 # Generated kdc.conf for $ctx->{realm}
474
475 [kdcdefaults]
476 kdc_ports = 88
477 kdc_tcp_ports = 88
478 restrict_anonymous_to_tgt = true
479
480 [realms]
481 $ctx->{realm} = {
482 master_key_type = aes256-cts
483 default_principal_flags = +preauth
484 pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
485 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
486 pkinit_eku_checking = scLogin
487 pkinit_indicator = pkinit
488 pkinit_allow_upn = true
489 }
490
491 $ctx->{dnsname} = {
492 master_key_type = aes256-cts
493 default_principal_flags = +preauth
494 pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
495 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
496 pkinit_eku_checking = scLogin
497 pkinit_indicator = pkinit
498 pkinit_allow_upn = true
499 }
500
501 $ctx->{domain} = {
502 master_key_type = aes256-cts
503 default_principal_flags = +preauth
504 pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
505 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
506 pkinit_eku_checking = scLogin
507 pkinit_indicator = pkinit
508 pkinit_allow_upn = true
509 }
510
511 [dbmodules]
512 db_module_dir = $samba_kdb_dir
513
514 $ctx->{realm} = {
515 db_library = samba
516 }
517
518 $ctx->{dnsname} = {
519 db_library = samba
520 }
521
522 $ctx->{domain} = {
523 db_library = samba
524 }
525
526 [logging]
527 kdc = FILE:$ctx->{logdir}/mit_kdc.log
528 ";
529
530 close(KDCCONF);
531 }
532
533 sub mk_resolv_conf($$)
534 {
535 my ($ctx) = @_;
536
537 unless (open(RESOLV_CONF, ">$ctx->{resolv_conf}")) {
538 warn("can't open $ctx->{resolv_conf}$?");
539 return undef;
540 }
541
542 print RESOLV_CONF "nameserver $ctx->{dns_ipv4}\n";
543 print RESOLV_CONF "nameserver $ctx->{dns_ipv6}\n";
544 close(RESOLV_CONF);
545 }
546
547 sub realm_to_ip_mappings
548 {
549 # this maps the DNS realms for the various testenvs to the corresponding
550 # PDC (i.e. the first DC created for that realm).
551 my %realm_to_pdc_mapping = (
552 'adnonssdom.samba.example.com' => 'addc_no_nss',
553 'adnontlmdom.samba.example.com' => 'addc_no_ntlm',
554 'samba2000.example.com' => 'dc5',
555 'samba2003.example.com' => 'dc6',
556 'samba2008r2.example.com' => 'dc7',
557 'addom.samba.example.com' => 'addc',
558 'addom2.samba.example.com' => 'addcsmb1',
559 'sub.samba.example.com' => 'localsubdc',
560 'chgdcpassword.samba.example.com' => 'chgdcpass',
561 'backupdom.samba.example.com' => 'backupfromdc',
562 'renamedom.samba.example.com' => 'renamedc',
563 'labdom.samba.example.com' => 'labdc',
564 'schema.samba.example.com' => 'liveupgrade1dc',
565 'prockilldom.samba.example.com' => 'prockilldc',
566 'proclimit.samba.example.com' => 'proclimitdc',
567 'samba.example.com' => 'localdc',
568 'fips.samba.example.com' => 'fipsdc',
569 );
570
571 my @mapping = ();
572
573 # convert the hashmap to a list of key=value strings, where key is the
574 # realm and value is the IP address
575 foreach my $realm (sort(keys %realm_to_pdc_mapping)) {
576 my $pdc = $realm_to_pdc_mapping{$realm};
577 my $ipaddr = get_ipv4_addr($pdc);
578 push(@mapping, "$realm=$ipaddr");
579 }
580 # return the mapping as a single comma-separated string
581 return join(',', @mapping);
582 }
583
584 sub get_interface($)
585 {
586 my ($netbiosname) = @_;
587 $netbiosname = lc($netbiosname);
588
589 # this maps the SOCKET_WRAPPER_DEFAULT_IFACE value for each possible
590 # testenv to the DC's NETBIOS name. This value also corresponds to last
591 # digit of the DC's IP address. Note that the NETBIOS name may differ from
592 # the testenv name.
593 # Note that when adding a DC with a new realm, also update
594 # get_realm_ip_mappings() above.
595 my %testenv_iface_mapping = (
596 localnt4dc2 => 3,
597 localnt4member3 => 4,
598 localshare4 => 5,
599 # 6 is spare
600 localktest6 => 7,
601 maptoguest => 8,
602 localnt4dc9 => 9,
603 # 10 is spare
604
605 # 11-16 are used by selftest.pl for the client.conf. Most tests only
606 # use the first .11 IP. However, some tests (like winsreplication) rely
607 # on the client having multiple IPs.
608 client => 11,
609
610 addc_no_nss => 17,
611 addc_no_ntlm => 18,
612 idmapadmember => 19,
613 idmapridmember => 20,
614 localdc => 21,
615 localvampiredc => 22,
616 s4member => 23,
617 localrpcproxy => 24,
618 dc5 => 25,
619 dc6 => 26,
620 dc7 => 27,
621 rodc => 28,
622 localadmember => 29,
623 addc => 30,
624 localsubdc => 31,
625 chgdcpass => 32,
626 promotedvdc => 33,
627 rfc2307member => 34,
628 fileserver => 35,
629 fakednsforwarder1 => 36,
630 fakednsforwarder2 => 37,
631 s4member_dflt => 38,
632 vampire2000dc => 39,
633 backupfromdc => 40,
634 restoredc => 41,
635 renamedc => 42,
636 labdc => 43,
637 offlinebackupdc => 44,
638 customdc => 45,
639 prockilldc => 46,
640 proclimitdc => 47,
641 liveupgrade1dc => 48,
642 liveupgrade2dc => 49,
643 ctdb0 => 50,
644 ctdb1 => 51,
645 ctdb2 => 52,
646 fileserversmb1 => 53,
647 addcsmb1 => 54,
648 lclnt4dc2smb1 => 55,
649 fipsdc => 56,
650 fipsadmember => 57,
651 offlineadmem => 58,
652 s2kmember => 59,
653 admemidmapnss => 60,
654 localadmember2 => 61,
655 admemautorid => 62,
656
657 rootdnsforwarder => 64,
658
659 # Note: that you also need to update dns_hub.py when adding a new
660 # multi-DC testenv
661 # update lib/socket_wrapper/socket_wrapper.c
662 # #define MAX_WRAPPED_INTERFACES 64
663 # if you wish to have more than 64 interfaces
664 );
665
666 if (not defined($testenv_iface_mapping{$netbiosname})) {
667 die();
668 }
669
670 return $testenv_iface_mapping{$netbiosname};
671 }
672
673 sub get_ipv4_addr
674 {
675 my ($hostname, $iface_num) = @_;
676 my $swiface = Samba::get_interface($hostname);
677
678 # Handle testenvs with multiple different addresses, i.e. IP multihoming.
679 # Currently only the selftest client has multiple IPv4 addresses.
680 if (defined($iface_num)) {
681 $swiface += $iface_num;
682 }
683
684 return "10.53.57.$swiface";
685 }
686
687 sub get_ipv6_addr
688 {
689 (my $hostname) = @_;
690 my $swiface = Samba::get_interface($hostname);
691
692 return sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
693 }
694
695 # returns the 'interfaces' setting for smb.conf, i.e. the IPv4/IPv6
696 # addresses for testenv
697 sub get_interfaces_config
698 {
699 my ($hostname, $num_ips) = @_;
700 my $interfaces = "";
701
702 # We give the client.conf multiple different IPv4 addresses.
703 # All other testenvs generally just have one IPv4 address.
704 if (! defined($num_ips)) {
705 $num_ips = 1;
706 }
707 for (my $i = 0; $i < $num_ips; $i++) {
708 my $ipv4_addr = Samba::get_ipv4_addr($hostname, $i);
709 if (use_namespaces()) {
710 # use a /24 subnet with network namespaces
711 $interfaces .= "$ipv4_addr/24 ";
712 } else {
713 $interfaces .= "$ipv4_addr/8 ";
714 }
715 }
716
717 my $ipv6_addr = Samba::get_ipv6_addr($hostname);
718 $interfaces .= "$ipv6_addr/64";
719
720 return $interfaces;
721 }
722
723 sub cleanup_child($$)
724 {
725 my ($pid, $name) = @_;
726
727 if (!defined($pid)) {
728 print STDERR "cleanup_child: pid not defined ... not calling waitpid\n";
729 return -1;
730 }
731
732 my $childpid = waitpid($pid, WNOHANG);
733
734 if ($childpid == 0) {
735 } elsif ($childpid < 0) {
736 printf STDERR "%s child process %d isn't here any more\n", $name, $pid;
737 return $childpid;
738 } elsif ($? & 127) {
739 printf STDERR "%s child process %d, died with signal %d, %s coredump\n",
740 $name, $childpid, ($? & 127), ($? & 128) ? 'with' : 'without';
741 } else {
742 printf STDERR "%s child process %d exited with value %d\n", $name, $childpid, $? >> 8;
743 }
744 return $childpid;
745 }
746
747 sub random_domain_sid()
748 {
749 my $domain_sid = "S-1-5-21-". int(rand(4294967295)) . "-" . int(rand(4294967295)) . "-" . int(rand(4294967295));
750 return $domain_sid;
751 }
752
753 # sets the environment variables ready for running a given process
754 sub set_env_for_process
755 {
756 my ($proc_name, $env_vars, $proc_envs) = @_;
757
758 if (not defined($proc_envs)) {
759 $proc_envs = get_env_for_process($proc_name, $env_vars);
760 }
761
762 foreach my $key (keys %{ $proc_envs }) {
763 $ENV{$key} = $proc_envs->{$key};
764 }
765 }
766
767 sub get_env_for_process
768 {
769 my ($proc_name, $env_vars) = @_;
770 my $proc_envs = {
771 RESOLV_CONF => $env_vars->{RESOLV_CONF},
772 KRB5_CONFIG => $env_vars->{KRB5_CONFIG},
773 KRB5CCNAME => "$env_vars->{KRB5_CCACHE}.$proc_name",
774 GNUPGHOME => $env_vars->{GNUPGHOME},
775 SELFTEST_WINBINDD_SOCKET_DIR => $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR},
776 NMBD_SOCKET_DIR => $env_vars->{NMBD_SOCKET_DIR},
777 NSS_WRAPPER_PASSWD => $env_vars->{NSS_WRAPPER_PASSWD},
778 NSS_WRAPPER_GROUP => $env_vars->{NSS_WRAPPER_GROUP},
779 NSS_WRAPPER_HOSTS => $env_vars->{NSS_WRAPPER_HOSTS},
780 NSS_WRAPPER_HOSTNAME => $env_vars->{NSS_WRAPPER_HOSTNAME},
781 NSS_WRAPPER_MODULE_SO_PATH => $env_vars->{NSS_WRAPPER_MODULE_SO_PATH},
782 NSS_WRAPPER_MODULE_FN_PREFIX => $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX},
783 UID_WRAPPER_ROOT => "1",
784 ENVNAME => "$ENV{ENVNAME}.$proc_name",
785 };
786
787 if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
788 $proc_envs->{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
789 } else {
790 $proc_envs->{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
791 }
792 if (defined($env_vars->{GNUTLS_FORCE_FIPS_MODE})) {
793 $proc_envs->{GNUTLS_FORCE_FIPS_MODE} = $env_vars->{GNUTLS_FORCE_FIPS_MODE};
794 }
795 if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) {
796 $proc_envs->{OPENSSL_FORCE_FIPS_MODE} = $env_vars->{OPENSSL_FORCE_FIPS_MODE};
797 }
798 return $proc_envs;
799 }
800
801 sub fork_and_exec
802 {
803 my ($self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup) = @_;
804 my $SambaCtx = $self;
805 $SambaCtx = $self->{SambaCtx} if defined($self->{SambaCtx});
806
807 # we close the child's write-end of the pipe and redirect the
808 # read-end to its stdin. That way the daemon will receive an
809 # EOF on stdin when parent selftest process closes its
810 # write-end.
811 $child_cleanup //= sub { close($env_vars->{STDIN_PIPE}) };
812
813 unlink($daemon_ctx->{LOG_FILE});
814 print "STARTING $daemon_ctx->{NAME} for $ENV{ENVNAME}...";
815
816 my $parent_pid = $$;
817 my $pid = fork();
818
819 # exec the daemon in the child process
820 if ($pid == 0) {
821 my @preargs = ();
822
823 # redirect the daemon's stdout/stderr to a log file
824 if (defined($daemon_ctx->{TEE_STDOUT})) {
825 # in some cases, we want out from samba to go to the log file,
826 # but also to the users terminal when running 'make test' on the
827 # command line. This puts it on stderr on the terminal
828 open STDOUT, "| tee $daemon_ctx->{LOG_FILE} 1>&2";
829 } else {
830 open STDOUT, ">$daemon_ctx->{LOG_FILE}";
831 }
832 open STDERR, '>&STDOUT';
833
834 SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
835 if (defined($daemon_ctx->{PCAP_FILE})) {
836 $SambaCtx->setup_pcap("$daemon_ctx->{PCAP_FILE}");
837 }
838
839 # setup ENV variables in the child process
840 set_env_for_process($daemon_ctx->{NAME}, $env_vars,
841 $daemon_ctx->{ENV_VARS});
842
843 $child_cleanup->();
844
845 # not all s3 daemons run in all testenvs (e.g. fileserver doesn't
846 # run winbindd). In which case, the child process just sleeps
847 if (defined($daemon_ctx->{SKIP_DAEMON})) {
848 $SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub {
849 my $signame = shift;
850 print("Skip $daemon_ctx->{NAME} received signal $signame");
851 exit 0;
852 };
853 my $poll = IO::Poll->new();
854 $poll->mask($STDIN_READER, POLLIN);
855 $poll->poll($self->{server_maxtime});
856 exit 0;
857 }
858
859 $ENV{MAKE_TEST_BINARY} = $daemon_ctx->{BINARY_PATH};
860
861 open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
862
863 # if using kernel namespaces, prepend the command so the process runs in
864 # its own namespace
865 if (Samba::use_namespaces()) {
866 @preargs = ns_exec_preargs($parent_pid, $env_vars);
867 }
868
869 # the command args are stored as an array reference (because...Perl),
870 # so convert the reference back to an array
871 my @full_cmd = @{ $daemon_ctx->{FULL_CMD} };
872
873 exec(@preargs, @full_cmd) or die("Unable to start $ENV{MAKE_TEST_BINARY}: $!");
874 }
875
876 print "DONE ($pid)\n";
877
878 # if using kernel namespaces, we now establish a connection between the
879 # main selftest namespace (i.e. this process) and the new child namespace
880 if (use_namespaces()) {
881 ns_child_forked($pid, $env_vars);
882 }
883
884 return $pid;
885 }
886
887 my @exported_envvars = (
888 # domain stuff
889 "DOMAIN",
890 "DNSNAME",
891 "REALM",
892 "DOMSID",
893
894 # stuff related to a trusted domain
895 "TRUST_SERVER",
896 "TRUST_USERNAME",
897 "TRUST_PASSWORD",
898 "TRUST_DOMAIN",
899 "TRUST_REALM",
900 "TRUST_DOMSID",
901
902 # stuff related to a trusted domain, on a trust_member
903 # the domain behind a forest trust (two-way)
904 "TRUST_F_BOTH_SERVER",
905 "TRUST_F_BOTH_SERVER_IP",
906 "TRUST_F_BOTH_SERVER_IPV6",
907 "TRUST_F_BOTH_NETBIOSNAME",
908 "TRUST_F_BOTH_USERNAME",
909 "TRUST_F_BOTH_PASSWORD",
910 "TRUST_F_BOTH_DOMAIN",
911 "TRUST_F_BOTH_REALM",
912
913 # stuff related to a trusted domain, on a trust_member
914 # the domain behind an external trust (two-way)
915 "TRUST_E_BOTH_SERVER",
916 "TRUST_E_BOTH_SERVER_IP",
917 "TRUST_E_BOTH_SERVER_IPV6",
918 "TRUST_E_BOTH_NETBIOSNAME",
919 "TRUST_E_BOTH_USERNAME",
920 "TRUST_E_BOTH_PASSWORD",
921 "TRUST_E_BOTH_DOMAIN",
922 "TRUST_E_BOTH_REALM",
923
924 # stuff related to a trusted NT4 domain,
925 # used for one-way trust fl2008r2dc <- nt4_dc
926 "NT4_TRUST_SERVER",
927 "NT4_TRUST_SERVER_IP",
928 "NT4_TRUST_DOMAIN",
929 "NT4_TRUST_DOMSID",
930
931 # domain controller stuff
932 "DC_SERVER",
933 "DC_SERVER_IP",
934 "DC_SERVER_IPV6",
935 "DC_NETBIOSNAME",
936 "DC_NETBIOSALIAS",
937
938 # server stuff
939 "SERVER",
940 "SERVER_IP",
941 "SERVER_IPV6",
942 "NETBIOSNAME",
943 "NETBIOSALIAS",
944 "SAMSID",
945
946 # only use these 2 as a last resort. Some tests need to test both client-
947 # side and server-side. In this case, run as default client, and access
948 # server's smb.conf as needed, typically using:
949 # param.LoadParm(filename_for_non_global_lp=os.environ['SERVERCONFFILE'])
950 "SERVERCONFFILE",
951 "DC_SERVERCONFFILE",
952
953 # user stuff
954 "USERNAME",
955 "USERID",
956 "PASSWORD",
957 "DC_USERNAME",
958 "DC_PASSWORD",
959 "DOMAIN_ADMIN",
960 "DOMAIN_ADMIN_PASSWORD",
961 "DOMAIN_USER",
962 "DOMAIN_USER_PASSWORD",
963
964 # UID/GID for rfc2307 mapping tests
965 "UID_RFC2307TEST",
966 "GID_RFC2307TEST",
967
968 # misc stuff
969 "KRB5_CONFIG",
970 "KRB5CCNAME",
971 "GNUPGHOME",
972 "SELFTEST_WINBINDD_SOCKET_DIR",
973 "NMBD_SOCKET_DIR",
974 "LOCAL_PATH",
975 "DNS_FORWARDER1",
976 "DNS_FORWARDER2",
977 "RESOLV_CONF",
978 "UNACCEPTABLE_PASSWORD",
979 "LOCK_DIR",
980 "SMBD_TEST_LOG",
981 "KRB5_CRL_FILE",
982
983 # nss_wrapper
984 "NSS_WRAPPER_PASSWD",
985 "NSS_WRAPPER_GROUP",
986 "NSS_WRAPPER_HOSTS",
987 "NSS_WRAPPER_HOSTNAME",
988 "NSS_WRAPPER_MODULE_SO_PATH",
989 "NSS_WRAPPER_MODULE_FN_PREFIX",
990
991 # resolv_wrapper
992 "RESOLV_WRAPPER_CONF",
993 "RESOLV_WRAPPER_HOSTS",
994
995 # ctdb stuff
996 "CTDB_PREFIX",
997 "NUM_NODES",
998 "CTDB_BASE",
999 "CTDB_SOCKET",
1000 "CTDB_SERVER_NAME",
1001 "CTDB_IFACE_IP",
1002 "CTDB_BASE_NODE0",
1003 "CTDB_SOCKET_NODE0",
1004 "CTDB_SERVER_NAME_NODE0",
1005 "CTDB_IFACE_IP_NODE0",
1006 "CTDB_BASE_NODE1",
1007 "CTDB_SOCKET_NODE1",
1008 "CTDB_SERVER_NAME_NODE1",
1009 "CTDB_IFACE_IP_NODE1",
1010 "CTDB_BASE_NODE2",
1011 "CTDB_SOCKET_NODE2",
1012 "CTDB_SERVER_NAME_NODE2",
1013 "CTDB_IFACE_IP_NODE2",
1014 );
1015
1016 sub exported_envvars_str
1017 {
1018 my ($testenv_vars) = @_;
1019 my $out = "";
1020
1021 foreach (@exported_envvars) {
1022 next unless defined($testenv_vars->{$_});
1023 $out .= $_."=".$testenv_vars->{$_}."\n";
1024 }
1025
1026 return $out;
1027 }
1028
1029 sub clear_exported_envvars
1030 {
1031 foreach (@exported_envvars) {
1032 delete $ENV{$_};
1033 }
1034 }
1035
1036 sub export_envvars
1037 {
1038 my ($testenv_vars) = @_;
1039
1040 foreach (@exported_envvars) {
1041 if (defined($testenv_vars->{$_})) {
1042 $ENV{$_} = $testenv_vars->{$_};
1043 } else {
1044 delete $ENV{$_};
1045 }
1046 }
1047 }
1048
1049 sub export_envvars_to_file
1050 {
1051 my ($filepath, $testenv_vars) = @_;
1052 my $env_str = exported_envvars_str($testenv_vars);
1053
1054 open(FILE, "> $filepath");
1055 print FILE "$env_str";
1056 close(FILE);
1057 }
1058
1059 # Returns true if kernel namespaces are being used instead of socket-wrapper.
1060 # The default is false.
1061 sub use_namespaces
1062 {
1063 return defined($ENV{USE_NAMESPACES});
1064 }
1065
1066 # returns a given testenv's interface-name (only when USE_NAMESPACES=1)
1067 sub ns_interface_name
1068 {
1069 my ($hostname) = @_;
1070
1071 # when using namespaces, each testenv has its own vethX interface,
1072 # where X = Samba::get_interface(testenv_name)
1073 my $iface = get_interface($hostname);
1074 return "veth$iface";
1075 }
1076
1077 # Called after a new child namespace has been forked
1078 sub ns_child_forked
1079 {
1080 my ($child_pid, $env_vars) = @_;
1081
1082 # we only need to do this for the first child forked for this testenv
1083 if (defined($env_vars->{NS_PID})) {
1084 return;
1085 }
1086
1087 # store the child PID. It's the only way the main (selftest) namespace can
1088 # access the new child (testenv) namespace.
1089 $env_vars->{NS_PID} = $child_pid;
1090
1091 # Add the new child namespace's interface to the main selftest bridge.
1092 # This connects together the various testenvs so that selftest can talk to
1093 # them all
1094 my $iface = ns_interface_name($env_vars->{NETBIOSNAME});
1095 system "$ENV{SRCDIR}/selftest/ns/add_bridge_iface.sh $iface-br selftest0";
1096 }
1097
1098 # returns args to prepend to a command in order to execute it the correct
1099 # namespace for the testenv (creating a new namespace if needed).
1100 # This should only used when USE_NAMESPACES=1 is set.
1101 sub ns_exec_preargs
1102 {
1103 my ($parent_pid, $env_vars) = @_;
1104
1105 # NS_PID stores the pid of the first child daemon run in this namespace
1106 if (defined($env_vars->{NS_PID})) {
1107
1108 # the namespace has already been created previously. So we use nsenter
1109 # to execute the command in the given testenv's namespace. We need to
1110 # use the NS_PID to identify this particular namespace
1111 return ("nsenter", "-t", "$env_vars->{NS_PID}", "--net");
1112 } else {
1113
1114 # We need to create a new namespace for this daemon (i.e. we're
1115 # setting up a new testenv). First, write the environment variables to
1116 # an exports.sh file for this testenv (for convenient access by the
1117 # namespace scripts).
1118 my $exports_file = "$env_vars->{TESTENV_DIR}/exports.sh";
1119 export_envvars_to_file($exports_file, $env_vars);
1120
1121 # when using namespaces, each testenv has its own veth interface
1122 my $interface = ns_interface_name($env_vars->{NETBIOSNAME});
1123
1124 # we use unshare to create a new network namespace. The start_in_ns.sh
1125 # helper script gets run first to setup the new namespace's interfaces.
1126 # (This all gets prepended around the actual command to run in the new
1127 # namespace)
1128 return ("unshare", "--net", "$ENV{SRCDIR}/selftest/ns/start_in_ns.sh",
1129 $interface, $exports_file, $parent_pid);
1130 }
1131 }
1132
1133
1134 sub check_env {
1135 my ($self, $envvars) = @_;
1136 return 1;
1137 }
1138
1139 sub teardown_env {
1140 my ($self, $env) = @_;
1141 return 1;
1142 }
1143
1144
1145 sub getlog_env {
1146 return '';
1147 }
1148
1149 1;
Samba GIT mirror