2 # Blackbox tests for net ads dns register etc.
3 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
4 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
8 Usage: test_net_ads_dns.sh SERVER DC_USERNAME DC_PASSWORD REALM USER PASS
# Locations of the Samba binaries exercised by this test.  BINDIR is
# expected to be set by the caller (the selftest environment).
samba4bindir=${BINDIR}
samba_tool=${samba4bindir}/samba-tool
net_tool=${samba4bindir}/net
smbpasswd=${samba4bindir}/smbpasswd
texpect=${samba4bindir}/texpect

# samba-tool sub-command prefixes for creating users and populating groups.
newuser="${samba_tool} user create"
groupaddmem="${samba_tool} group addmembers"
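# Pull in the subunit test helpers (testit, testit_expect_failure, ...) and
# the shared helper functions.  The path is quoted: $0 may contain spaces,
# and the unquoted form would also glob-expand.
. "$(dirname "$0")/subunit.sh"
. "$(dirname "$0")/common_test_fns.inc"

# Resolve the ldb command-line tools; which copy (build tree or system) is
# chosen is decided by system_or_builddir_binary from common_test_fns.inc.
ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")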
# Export whatever UID_WRAPPER_ROOT is currently set to for the tools below.
export UID_WRAPPER_ROOT

# Fixtures for the DNS registration checks: an IPv6 unique-local (fd00::/8)
# address for the AAAA records, and names/accounts suffixed with this shell's
# PID so that concurrent runs of the test do not clash in the DC.
IP6ADDRESS="fd00:1a1a::1:5ee:bad:c0de"

MACHINENAME="membername.$$"
UNPRIVNAME="unprivname.$$"
UNPRIVUSER="unprivuser.$$"
# Throwaway password for the unprivileged test account; only ever used
# against the disposable test DC.
UNPRIVPASS="UnPrivPass1"
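# These tests check that privileged users can add DNS names and that
# unprivileged users cannot do so.
#
# NOTE(review): the -U user%password form places the DC password on the
# command line, where other local users can read it via ps(1).  That is
# tolerable for a throwaway test DC but must not be copied into production
# tooling.  The argument is quoted so a password containing spaces or glob
# characters cannot be split into extra arguments.
testit "admin user should be able to add a DNS entry $ADMINNAME.$REALM $IPADDRESS $IP6ADDRESS" \
	$VALGRIND $net_tool ads dns register "$ADMINNAME.$REALM" $IPADDRESS $IP6ADDRESS \
	-U"$DC_USERNAME%$DC_PASSWORD" ||
	failed=$((failed + 1))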
60 "We should be able to see the new name $ADMINNAME.$REALM $IPADDRESS" \
63 dig @
$SERVER +short
-t a
$ADMINNAME.
$REALM ||
64 failed
=$
(expr $failed + 1)
66 "We should be able to see the new name $ADMINNAME.$REALM $IP6ADDRESS" \
69 dig @
$SERVER +short
-t aaaa
$ADMINNAME.
$REALM ||
70 failed
=$
(expr $failed + 1)
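# The admin must also be able to remove the record it just created; the dig
# checks that follow rely on the name being gone.
testit "We should be able to unregister the name $ADMINNAME.$REALM" \
	$VALGRIND $net_tool ads dns unregister "$ADMINNAME.$REALM" \
	-U"$DC_USERNAME%$DC_PASSWORD" ||
	failed=$((failed + 1))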
77 "The name $ADMINNAME.$REALM $IPADDRESS should not be there any longer" \
80 dig @
$SERVER +short
-t a
$ADMINNAME.
$REALM ||
81 failed
=$
(expr $failed + 1)
84 "The name $ADMINNAME.$REALM $IP6ADDRESS should not be there any longer" \
87 dig @
$SERVER +short
-t aaaa
$ADMINNAME.
$REALM ||
88 failed
=$
(expr $failed + 1)
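# prime the kpasswd server, see "git blame" for an explanation
# (the exit status of this add/delete pair is deliberately ignored; it only
# warms up the server before the real test below)
$VALGRIND $net_tool user add "$UNPRIVUSER" "$UNPRIVPASS" -U"$DC_USERNAME%$DC_PASSWORD"
$VALGRIND $net_tool user delete "$UNPRIVUSER" -U"$DC_USERNAME%$DC_PASSWORD"

# This should be an expect_failure test ...
testit "Adding an unprivileged user" \
	$VALGRIND $net_tool user add "$UNPRIVUSER" "$UNPRIVPASS" \
	-U"$DC_USERNAME%$DC_PASSWORD" ||
	failed=$((failed + 1))

# Read the domain's base DN from the rootDSE so the LDIF below does not
# hard-code the naming context.
BASEDN=$($VALGRIND $ldbsearch -U"$DC_USERNAME%$DC_PASSWORD" \
	-H "ldap://$SERVER.$REALM" -b '' --scope=base defaultNamingContext |
	sed -n 's!^defaultNamingContext: !!p')

# Enable the new account by setting userAccountControl to 512 (the plain
# NORMAL_ACCOUNT value, i.e. without ACCOUNTDISABLE).  The LDIF is written
# with real newlines rather than a '+' placeholder translated by tr, so a
# '+' inside the DN (a legal multi-valued RDN separator) cannot corrupt it.
LDIF="dn: CN=$UNPRIVUSER,CN=users,${BASEDN}
changetype: modify
replace: userAccountControl
userAccountControl: 512"

printf '%s\n' "$LDIF" |
	$VALGRIND $ldbmodify -U"$DC_USERNAME%$DC_PASSWORD" -H "ldap://$SERVER.$REALM" -i
# Exit status of ldbmodify (last stage of the pipeline), checked right below.
STATUS=$?

testit "We should have enabled the account" test "$STATUS" -eq 0 ||
	failed=$((failed + 1))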
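# Unprivileged users should be able to add new names
testit "Unprivileged users should be able to add new names" \
	$net_tool ads dns register "$UNPRIVNAME.$REALM" $UNPRIVIP \
	-U"$UNPRIVUSER%$UNPRIVPASS" ||
	failed=$((failed + 1))

# This should work as well: with -P net authenticates as the machine
# account (its stored secret) instead of with a user name and password.
testit "machine account should be able to add a DNS entry net ads dns register $MACHINENAME.$REALM $IPADDRMAC -P" \
	$net_tool ads dns register "$MACHINENAME.$REALM" $IPADDRMAC -P ||
	failed=$((failed + 1))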
115 "We should be able to see the new name $MACHINENAME.$REALM" \
118 dig @
$SERVER +short
-t a
$MACHINENAME.
$REALM ||
119 failed
=$
(expr $failed + 1)
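# Unprivileged users should not be able to overwrite other's names.
# This is the authorisation check of the test: the record was created by
# the machine account, so re-registering it with the unprivileged user's
# credentials must be refused.
# NOTE(review): testit_expect_failure presumably only requires a non-zero
# exit, so an unrelated failure (DC unreachable, typo in the command) would
# also count as a pass here.
testit_expect_failure \
	"Unprivileged users should not be able to modify existing names" \
	$net_tool ads dns register "$MACHINENAME.$REALM" $UNPRIVIP \
	-U"$UNPRIVUSER%$UNPRIVPASS" ||
	failed=$((failed + 1))

testit "We should be able to unregister the name $UNPRIVNAME.$REALM $IPADDRESS" \
	$VALGRIND $net_tool ads dns unregister "$UNPRIVNAME.$REALM" \
	-U"$UNPRIVUSER%$UNPRIVPASS" ||
	failed=$((failed + 1))

testit "We should be able to unregister the name $MACHINENAME.$REALM $IPADDRESS" \
	$VALGRIND $net_tool ads dns unregister "$MACHINENAME.$REALM" -P ||
	failed=$((failed + 1))

# Remove the unprivileged user, which is not required anymore
# (best-effort cleanup: its exit status is intentionally not counted).
$VALGRIND $net_tool user delete "$UNPRIVUSER" -U"$DC_USERNAME%$DC_PASSWORD"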
138 "The name $UNPRIVNAME.$REALM ($IPADDRESS) should not be there any longer" \
141 dig @
$SERVER +short
-t a
$UNPRIVNAME.
$REALM ||
142 failed
=$
(expr $failed + 1)
144 "The name $UNPRIVNAME.$REALM ($IP6ADDRESS) should not be there any longer" \
147 dig @
$SERVER +short
-t aaaa
$UNPRIVNAME.
$REALM ||
148 failed
=$
(expr $failed + 1)
150 "The name $MACHINENAME.$REALM ($IPADDRESS) should not be there any longer" \
153 dig @
$SERVER +short
-t a
$MACHINENAME.
$REALM ||
154 failed
=$
(expr $failed + 1)
156 "The name $MACHINENAME.$REALM ($IP6ADDRESS) should not be there any longer" \
159 dig @
$SERVER +short
-t aaaa
$MACHINENAME.
$REALM ||
160 failed
=$
(expr $failed + 1)
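# Tests with --dns-ttl option: register without a TTL so the default
# applied by net can be read back with dig below.
testit "net ads dns register with default TTL" \
	$net_tool ads dns register "$MACHINENAME.$REALM" $IPADDRMAC -P ||
	failed=$((failed + 1))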
166 TTL
=$
(dig @
$SERVER.
$REALM +noall
+ttlid
+answer
-t A
$MACHINENAME.
$REALM |
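# TTL was read back from the A record via dig above; the default is 3600s.
testit "Verify default TTL of 3600 seconds" \
	test "$TTL" = "3600" ||
	failed=$((failed + 1))

# Re-register the same name with an explicit TTL.  --force is presumably
# needed because the record already exists -- confirm against net(8).
testit "Update record with TTL of 60 seconds" \
	$net_tool ads dns register --dns-ttl 60 --force "$MACHINENAME.$REALM" $IPADDRMAC -P ||
	failed=$((failed + 1))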
175 TTL
=$
(dig @
$SERVER.
$REALM +noall
+ttlid
+answer
-t A
$MACHINENAME.
$REALM |
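# TTL was re-read from the updated A record via dig above.
testit "Verify new TTL of 60 seconds" \
	test "$TTL" = "60" ||
	failed=$((failed + 1))

# Clean up the TTL test record using the machine account credentials.
testit "We should be able to unregister the name $MACHINENAME.$REALM $IPADDRESS" \
	$VALGRIND $net_tool ads dns unregister "$MACHINENAME.$REALM" -P ||
	failed=$((failed + 1))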
186 "The name $MACHINENAME.$REALM ($IPADDRESS) should not be there any longer" \
189 dig @
$SERVER.
$REALM +short
-t A
$MACHINENAME.
$REALM ||
190 failed
=$
(expr $failed + 1)
192 "The name $MACHINENAME.$REALM ($IP6ADDRESS) should not be there any longer" \
195 dig @
$SERVER.
$REALM +short
-t AAAA
$MACHINENAME.
$REALM ||
196 failed
=$
(expr $failed + 1)