From ff240c84e471fb6e83f663fef6b0ec7f257832e2 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 5 Jan 2015 16:32:23 +1300
Subject: [PATCH] torture: Additionally run testsuite for krb5 and KDC
 behaviour with unprivileged accounts

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 selftest/target/Samba4.pm | 21 +++++++++++++++++++++
 source4/selftest/tests.py |  4 ++++
 2 files changed, 25 insertions(+)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 59188947c7f..97eeeb6d252 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -814,6 +814,27 @@ sub provision_raw_step2($$$)
 		return undef;
 	}
 
+	my $samba_tool_cmd = Samba::bindir_path($self, "samba-tool") 
+	    . " user add --configfile=$ctx->{smb_conf} testallowed $ctx->{password}";
+	unless (system($samba_tool_cmd) == 0) {
+		warn("Unable to add testallowed user: \n$samba_tool_cmd\n");
+		return undef;
+	}
+
+	$samba_tool_cmd = Samba::bindir_path($self, "samba-tool") 
+	    . " user add --configfile=$ctx->{smb_conf} testdenied $ctx->{password}";
+	unless (system($samba_tool_cmd) == 0) {
+		warn("Unable to add testdenied user: \n$samba_tool_cmd\n");
+		return undef;
+	}
+
+	$samba_tool_cmd = Samba::bindir_path($self, "samba-tool") 
+	    . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' testallowed";
+	unless (system($samba_tool_cmd) == 0) {
+		warn("Unable to add testallowed user to 'Allowed RODC Password Replication Group': \n$samba_tool_cmd\n");
+		return undef;
+	}
+
 	return $ret;
 }
 
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 64fb243c772..8c060a602b0 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -551,6 +551,10 @@ for env in ["dc", "s4member", "rodc", "promoted_dc", "plugin_s4_dc", "s3member"]
 for env in ["dc", "rodc", "promoted_dc", "plugin_s4_dc"]:
     plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER', "-k", "yes", '-U$USERNAME@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
                              "samba4.krb5.kdc with specified account")
+    plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER', "-k", "yes", '-Utestallowed@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
+                             "samba4.krb5.kdc with account ALLOWED permission to replicate to an RODC")
+    plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER', "-k", "yes", '-Utestdenied@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
+                             "samba4.krb5.kdc with account DENIED permission to replicate to an RODC")
     plansmbtorture4testsuite('krb5.kdc', "%s:local" % env, ['ncacn_np:$SERVER', "-k", "yes", '-P', '--workgroup=$DOMAIN'],
                              "samba4.krb5.kdc with machine account")
 
-- 
2.11.4.GIT