2 # Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
6 Usage: $# test_trust_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TRUST_DOMSID TYPE
29 . $
(dirname $0)/subunit.sh
30 . $
(dirname $0)/common_test_fns.inc
32 ldbsearch
=$
(system_or_builddir_binary ldbsearch
"${BINDIR}")
39 out
=$
($VALGRIND $ldbsearch -H ldap
://$SERVER.
$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' --scope=base
-k ${auth_args} tokenGroups
2>&1)
41 test x
"$ret" = x
"0" ||
{
46 trust_sids
=$
(echo "$out" |
grep '^tokenGroups' |
grep "${TRUST_DOMSID}-" |
wc -l)
47 test "$trust_sids" -ge "2" ||
{
49 echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID"
53 domain_sids
=$
(echo "$out" |
grep '^tokenGroups' |
grep "${DOMSID}-" |
wc -l)
54 test "$domain_sids" -ge "1" ||
{
56 echo "Less than 1 sid from $DOMAIN $DOMSID"
60 builtin_sids
=$
(echo "$out" |
grep '^tokenGroups' |
grep "S-1-5-32-" |
wc -l)
61 test "$builtin_sids" -ge "1" ||
{
63 echo "Less than 1 sid from BUILTIN S-1-5-32"
68 # The following should always be present
71 # SID_NT_NETWORK(S-1-5-2)
72 # SID_NT_AUTHENTICATED_USERS(S-1-5-11)
74 required_sids
="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
75 for sid
in $required_sids; do
76 found
=$
(echo "$out" |
grep "^tokenGroups: ${sid}$" |
wc -l)
77 test x
"$found" = x
"1" ||
{
79 echo "SID: ${sid} not found"
87 testit
"Test token with kerberos" test_token
"yes" "" || failed
=$
(expr $failed + 1)
88 # Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
89 testit
"Test token with NTLMSSP" test_token
"no" "S-1-5-64-10" || failed
=$
(expr $failed + 1)