nsswitch/tests/test_ticket_expiry.sh

   1 #!/bin/sh
   2 # Test winbind ad backend behaviour when the kerberos ticket expires
   3
   4 if [ $# -ne 1 ]; then
   5         echo Usage: $0 DOMAIN
   6         exit 1
   7 fi
   8
   9 DOMAIN="$1"
  10
  11 wbinfo="$VALGRIND $BINDIR/wbinfo"
  12 net="$VALGRIND $BINDIR/net"
  13
  14 failed=0
  15
  16 . $(dirname $0)/../../testprogs/blackbox/subunit.sh
  17
  18 DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
  19 if [ $? -ne 0 ]; then
  20         echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad"
  21         exit 1
  22 fi
  23 ADMINS_SID="$DOMAIN_SID-512"
  24
  25 # Previous tests might have put in a mapping
  26 $net cache del IDMAP/SID2XID/"$ADMINS_SID"
  27
  28 # Trigger a winbind ad connection with a 5-second ticket lifetime,
  29 # see the smb.conf for the ad_member_idmap_ad environment we're in
  30 #
  31 # We expect failure here because there are no mappings in AD. In this
  32 # test we are only interested in the winbind LDAP connection as such,
  33 # we don't really care whether idmap_ad works fine. This is done in
  34 # different tests. And a negative lookup also triggers the LDAP
  35 # connection.
  36
  37 testit_expect_failure "Deleting0 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
  38         failed=$(expr $failed + 1)
  39
  40 testit_expect_failure "Expecting failure1, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" ||
  41         failed=$(expr $failed + 1)
  42
  43 testit "Deleting1 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
  44         failed=$(expr $failed + 1)
  45
  46 # allow our kerberos ticket to expire
  47 testit "Sleeping for 6 seconds" sleep 6 || failed=$(expr $failed + 1)
  48
  49 # Try again, check how long it took to recover from ticket expiry
  50 #
  51 # On the LDAP connection two things happen: First we get an
  52 # unsolicited exop response telling us the network session was
  53 # abandoned, and secondly the LDAP server will kill the TCP
  54 # connection. Our ldap server is configured to defer the TCP
  55 # disconnect by 10 seconds. We need to make sure that winbind already
  56 # reacts to the unsolicited exop reply, discarding the connection. The
  57 # only way is to make sure the following wbinfo does not take too
  58 # long.
  59
  60 # We need to do the test command in this funny way as on gitlab we're
  61 # using the bash builtin
  62
  63 START=$(date +%s)
  64 testit_expect_failure "Expecting failure2, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" ||
  65         failed=$(expr $failed + 1)
  66 END=$(date +%s)
  67 DURATION=$(expr $END - $START)
  68 testit "timeout DURATION[$DURATION] < 8" test "$DURATION" -le 8 ||
  69         failed=$(expr $failed + 1)
  70
  71 testit "Deleting2 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" ||
  72         failed=$(expr $failed + 1)
  73
  74 exit $failed