2 # Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
6 Usage: $# test_trust_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TRUST_DOMSID TYPE
29 samba4bindir
="$BINDIR"
31 ldbsearch
="$samba4bindir/ldbsearch"
33 .
`dirname $0`/subunit.sh
34 .
`dirname $0`/common_test_fns.inc
41 out
=$
($VALGRIND $ldbsearch -H ldap
://$SERVER.
$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' --scope=base
-k ${auth_args} tokenGroups
2>&1)
43 test x
"$ret" = x
"0" ||
{
48 trust_sids
=$
(echo "$out" |
grep '^tokenGroups' |
grep "${TRUST_DOMSID}-" |
wc -l)
49 test "$trust_sids" -ge "2" ||
{
51 echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID"
55 domain_sids
=$
(echo "$out" |
grep '^tokenGroups' |
grep "${DOMSID}-" |
wc -l)
56 test "$domain_sids" -ge "1" ||
{
58 echo "Less than 1 sid from $DOMAIN $DOMSID"
62 builtin_sids
=$
(echo "$out" |
grep '^tokenGroups' |
grep "S-1-5-32-" |
wc -l)
63 test "$builtin_sids" -ge "1" ||
{
65 echo "Less than 1 sid from BUILTIN S-1-5-32"
70 # The following should always be present
73 # SID_NT_NETWORK(S-1-5-2)
74 # SID_NT_AUTHENTICATED_USERS(S-1-5-11)
76 required_sids
="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
77 for sid
in $required_sids; do
78 found
=$
(echo "$out" |
grep "^tokenGroups: ${sid}$" |
wc -l)
79 test x
"$found" = x
"1" ||
{
81 echo "SID: ${sid} not found"
89 testit
"Test token with kerberos" test_token
"yes" "" || failed
=`expr $failed + 1`
90 # Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
91 testit
"Test token with NTLMSSP" test_token
"no" "S-1-5-64-10" || failed
=`expr $failed + 1`