testprogs/blackbox/test_trust_token.sh

   1 #!/bin/bash
   2 # Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
   3
   4 if [ $# -lt 12 ]; then
   5 cat <<EOF
   6 Usage: $# test_trust_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TRUST_DOMSID TYPE
   7 EOF
   8 exit 1;
   9 fi
  10
  11 SERVER=$1
  12 shift 1
  13 USERNAME=$1
  14 PASSWORD=$2
  15 REALM=$3
  16 DOMAIN=$4
  17 DOMSID=$5
  18 shift 5
  19 TRUST_USERNAME=$1
  20 TRUST_PASSWORD=$2
  21 TRUST_REALM=$3
  22 TRUST_DOMAIN=$4
  23 TRUST_DOMSID=$5
  24 shift 5
  25 TYPE=$1
  26 shift 1
  27 failed=0
  28
  29 samba4bindir="$BINDIR"
  30
  31 ldbsearch="$samba4bindir/ldbsearch"
  32
  33 . `dirname $0`/subunit.sh
  34 . `dirname $0`/common_test_fns.inc
  35
  36 test_token()
  37 {
  38         auth_args="${1}"
  39         auth_sid="${2-}"
  40
  41         out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' -s base -k ${auth_args} tokenGroups 2>&1)
  42         ret=$?
  43         test x"$ret" = x"0" || {
  44                 echo "$out"
  45                 return 1
  46         }
  47
  48         trust_sids=$(echo "$out" | grep '^tokenGroups' | grep "${TRUST_DOMSID}-" | wc -l)
  49         test "$trust_sids" -ge "2" || {
  50                 echo "$out"
  51                 echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID"
  52                 return 1
  53         }
  54
  55         domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l)
  56         test "$domain_sids" -ge "1" || {
  57                 echo "$out"
  58                 echo "Less than 1 sid from $DOMAIN $DOMSID"
  59                 return 1
  60         }
  61
  62         builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l)
  63         test "$builtin_sids" -ge "1" || {
  64                 echo "$out"
  65                 echo "Less than 1 sid from BUILTIN S-1-5-32"
  66                 return 1
  67         }
  68
  69         #
  70         # The following should always be present
  71         #
  72         # SID_WORLD(S-1-1-0)
  73         # SID_NT_NETWORK(S-1-5-2)
  74         # SID_NT_AUTHENTICATED_USERS(S-1-5-11)
  75         #
  76         required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
  77         for sid in $required_sids; do
  78                 found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l)
  79                 test x"$found" = x"1" || {
  80                         echo "$out"
  81                         echo "SID: ${sid} not found"
  82                         return 1
  83                 }
  84         done
  85
  86         return 0
  87 }
  88
  89 testit "Test token with kerberos" test_token "yes" "" || failed=`expr $failed + 1`
  90 # Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
  91 testit "Test token with NTLMSSP" test_token "no" "S-1-5-64-10" || failed=`expr $failed + 1`
  92
  93 exit $failed