2 # Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
6 Usage: $# test_ldap_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID
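# Pull in the subunit helpers (testit, testok, ...) and the shared test
# functions (system_or_builddir_binary) from the script's own directory.
# The path is quoted so a checkout under a directory containing spaces or
# glob characters still resolves to the right file.
. "$(dirname "$0")/subunit.sh"
. "$(dirname "$0")/common_test_fns.inc"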
# Resolve the ldbsearch binary: the build-tree copy under BINDIR when it
# exists, otherwise whatever the system provides (helper from
# common_test_fns.inc).  Stored once so every test_token call uses the
# same binary.
ldbsearch="$(system_or_builddir_binary ldbsearch "${BINDIR}")"
# Body of test_token (the function header and its parameter assignments are
# outside this excerpt).  From the callers further down: $1 is the -U
# credential string (auth_user), $2 the authentication-method SID that must
# be present (auth_sid), $3 the kerberos/NTLM selection options (auth_args).
# Query the server's rootDSE (-b '' --scope=base) for the caller's
# tokenGroups.  ${auth_user} and ${auth_args} are deliberately unquoted:
# the callers pass two options in one AARGS string, so they must word-split.
34 out
=$
($VALGRIND $ldbsearch -H ldap
://$SERVER.
$REALM ${auth_user} -b '' --scope=base
${auth_args} tokenGroups
2>&1)
# $ret is presumably the exit status captured from the ldbsearch above
# (the ret=$? line is not visible in this excerpt).  A failed bind or
# search is a hard failure of the check; stderr was merged into $out so
# the diagnostic can be printed.
36 test x
"$ret" = x
"0" ||
{
# At least one tokenGroups entry must belong to the domain under test
# (prefix "${DOMSID}-"), i.e. the token carries domain group membership.
41 domain_sids
=$
(echo "$out" |
grep '^tokenGroups' |
grep "${DOMSID}-" |
wc -l)
42 test "$domain_sids" -ge "1" ||
{
44 echo "Less than 1 sid from $DOMAIN $DOMSID"
# ...and at least one must come from BUILTIN (S-1-5-32-*), showing the
# server added its local groups to the token.
48 builtin_sids
=$
(echo "$out" |
grep '^tokenGroups' |
grep "S-1-5-32-" |
wc -l)
49 test "$builtin_sids" -ge "1" ||
{
51 echo "Less than 1 sid from BUILTIN S-1-5-32"
56 # The following should always be present
59 # SID_NT_NETWORK(S-1-5-2)
60 # SID_NT_AUTHENTICATED_USERS(S-1-5-11)
# Well-known SIDs every authenticated network logon must carry (S-1-1-0
# World, S-1-5-2 Network, S-1-5-11 Authenticated Users) plus the
# authentication-method SID the caller expects: S-1-18-1 for Kerberos,
# S-1-5-64-10 for NTLMSSP (see the testit calls below).
62 required_sids
="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
# $required_sids is intentionally unquoted so the list word-splits.
63 for sid
in $required_sids; do
# Anchored exact-line match on the attribute; requiring exactly one hit
# (x"1") also rejects a duplicated entry, not just a missing one.
64 found
=$
(echo "$out" |
grep "^tokenGroups: ${sid}$" |
wc -l)
65 test x
"$found" = x
"1" ||
{
67 echo "SID: ${sid} not found"
# Credential argument for the user-account runs, in Samba's
# -UDOMAIN\user%password form.  The backslash separating realm and user
# must be escaped inside double quotes to survive as a single literal '\'.
# The password is part of argv, so it is visible in process listings and
# in `set -x` traces for the lifetime of each ldbsearch invocation.
UARGS="-U${REALM}\\${USERNAME}%${PASSWORD}"
76 # Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5
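# Kerberos USER matrix: every row must produce S-1-18-1
# (SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) in tokenGroups.
# AARGS for the first row comes from the line preceding this excerpt (not
# shown); later rows select Kerberos explicitly via the command-line option,
# via the smb.conf option, and finally with both set to conflicting values,
# which asserts that --use-kerberos=required wins over clientusekerberos=off.
# Failures are counted rather than fatal so every row runs; $((...)) is the
# POSIX arithmetic form of the expr call and also copes with an unset
# counter.
testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))
AARGS="--use-kerberos=required"
testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))
AARGS="--option=clientusekerberos=required"
testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))
AARGS="--use-kerberos=required --option=clientusekerberos=off"
testit "Test token with kerberos USER (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))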
85 # Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
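# NTLMSSP USER matrix: every row must produce S-1-5-64-10
# (SID_NT_NTLM_AUTHENTICATION) in tokenGroups.
# AARGS for the first row comes from the line preceding this excerpt (not
# shown); later rows disable Kerberos via the command-line option, via the
# smb.conf option, and finally with both set to conflicting values, which
# asserts that --use-kerberos=off wins over clientusekerberos=required.
# Failures are counted rather than fatal so every row runs; $((...)) is the
# POSIX arithmetic form of the expr call and also copes with an unset
# counter.
testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))
AARGS="--use-kerberos=off"
testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))
AARGS="--option=clientusekerberos=off"
testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))
AARGS="--use-kerberos=off --option=clientusekerberos=required"
testit "Test token with NTLMSSP USER (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))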
96 # Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5
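# Kerberos MACHINE matrix: every row must produce S-1-18-1
# (SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) in tokenGroups.
# UARGS is expected to hold the machine credentials here; the line that
# switches it from the USER credentials, and the AARGS for the first row,
# precede this excerpt (not shown).  Later rows select Kerberos via the
# command-line option, via the smb.conf option, and finally with both set to
# conflicting values, asserting that --use-kerberos=required wins over
# clientusekerberos=off.  Failures are counted rather than fatal so every
# row runs; $((...)) is the POSIX arithmetic form of the expr call and also
# copes with an unset counter.
testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))
AARGS="--use-kerberos=required"
testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))
AARGS="--option=clientusekerberos=required"
testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))
AARGS="--use-kerberos=required --option=clientusekerberos=off"
testit "Test token with kerberos MACHINE (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))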
105 # Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
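# NTLMSSP MACHINE matrix: every row must produce S-1-5-64-10
# (SID_NT_NTLM_AUTHENTICATION) in tokenGroups.
# UARGS is expected to hold the machine credentials here (set before this
# excerpt, not shown), and AARGS for the first row likewise comes from the
# preceding line.  Later rows disable Kerberos via the command-line option,
# via the smb.conf option, and finally with both set to conflicting values,
# asserting that --use-kerberos=off wins over clientusekerberos=required.
# Failures are counted rather than fatal so every row runs; $((...)) is the
# POSIX arithmetic form of the expr call and also copes with an unset
# counter.
testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))
AARGS="--use-kerberos=off"
testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))
AARGS="--option=clientusekerberos=off"
testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))
AARGS="--use-kerberos=off --option=clientusekerberos=required"
testit "Test token with NTLMSSP MACHINE (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))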