CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
[Samba.git] / testprogs / blackbox / test_trust_token.sh
blob21de2244c1bbbfb93b671e7043c755992a0eda86
1 #!/bin/bash
2 # Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
4 if [ $# -lt 12 ]; then
5 cat <<EOF
6 Usage: $# test_trust_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TRUST_DOMSID TYPE
7 EOF
8 exit 1;
9 fi
11 SERVER=$1
12 shift 1
13 USERNAME=$1
14 PASSWORD=$2
15 REALM=$3
16 DOMAIN=$4
17 DOMSID=$5
18 shift 5
19 TRUST_USERNAME=$1
20 TRUST_PASSWORD=$2
21 TRUST_REALM=$3
22 TRUST_DOMAIN=$4
23 TRUST_DOMSID=$5
24 shift 5
25 TYPE=$1
26 shift 1
27 failed=0
29 samba4bindir="$BINDIR"
31 ldbsearch="$samba4bindir/ldbsearch"
33 . `dirname $0`/subunit.sh
34 . `dirname $0`/common_test_fns.inc
36 test_token()
38 auth_args="${1}"
39 auth_sid="${2-}"
41 out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' --scope=base -k ${auth_args} tokenGroups 2>&1)
42 ret=$?
43 test x"$ret" = x"0" || {
44 echo "$out"
45 return 1
48 trust_sids=$(echo "$out" | grep '^tokenGroups' | grep "${TRUST_DOMSID}-" | wc -l)
49 test "$trust_sids" -ge "2" || {
50 echo "$out"
51 echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID"
52 return 1
55 domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l)
56 test "$domain_sids" -ge "1" || {
57 echo "$out"
58 echo "Less than 1 sid from $DOMAIN $DOMSID"
59 return 1
62 builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l)
63 test "$builtin_sids" -ge "1" || {
64 echo "$out"
65 echo "Less than 1 sid from BUILTIN S-1-5-32"
66 return 1
70 # The following should always be present
72 # SID_WORLD(S-1-1-0)
73 # SID_NT_NETWORK(S-1-5-2)
74 # SID_NT_AUTHENTICATED_USERS(S-1-5-11)
76 required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
77 for sid in $required_sids; do
78 found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l)
79 test x"$found" = x"1" || {
80 echo "$out"
81 echo "SID: ${sid} not found"
82 return 1
84 done
86 return 0
89 testit "Test token with kerberos" test_token "yes" "" || failed=`expr $failed + 1`
90 # Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
91 testit "Test token with NTLMSSP" test_token "no" "S-1-5-64-10" || failed=`expr $failed + 1`
93 exit $failed