1 #!/usr/bin/perl
2 # Bootstrap Samba and run a number of tests against it.
3 # Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
4 # Published under the GNU GPL, v3 or later.
6 package Samba;
8 use strict;
9 use warnings;
10 use target::Samba3;
11 use target::Samba4;
12 use POSIX;
13 use Cwd qw(abs_path);
14 use IO::Poll qw(POLLIN);
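# Build the top-level selftest context and the Samba3/Samba4 target
# objects that hang off it.
#
# Arguments after the class name: $bindir, $srcdir, $server_maxtime,
# the two socket_wrapper pcap options, the path to libpam_matrix.so and
# the default ldb backend (passed to the Samba4 target only).
# Returns the blessed context hash.
sub new($$$$$) {
    my ($classname, $bindir, $srcdir, $server_maxtime,
        $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap,
        $opt_libpam_matrix_so_path,
        $default_ldb_backend) = @_;

    my $self = {
        opt_socket_wrapper_pcap      => $opt_socket_wrapper_pcap,
        opt_socket_wrapper_keep_pcap => $opt_socket_wrapper_keep_pcap,
        opt_libpam_matrix_so_path    => $opt_libpam_matrix_so_path,
    };

    # Direct method calls instead of the indirect "new Class(...)" form,
    # whose parsing depends on which subs happen to be declared.
    # The targets are handed the context reference before it is blessed;
    # blessing the same reference below covers the copies they may hold.
    $self->{samba3} = Samba3->new($self, $bindir, $srcdir, $server_maxtime);
    $self->{samba4} = Samba4->new($self, $bindir, $srcdir, $server_maxtime,
                                  $default_ldb_backend);

    # Two-argument bless so the object lands in the class the caller
    # asked for rather than in whatever package this file compiles into.
    bless $self, (ref($classname) || $classname);
    return $self;
}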
# Package-level lookup tables merged from the Samba3 and Samba4 targets.
#   %ENV_DEPS / %ENV_DEPS_POST  testenv name => dependency lists
#   %ENV_TARGETS                testenv name => "Samba3" or "Samba4"
#   %ENV_NEEDS_AD_DC            testenv name => true if an AD DC is needed
our (%ENV_DEPS, %ENV_DEPS_POST, %ENV_TARGETS, %ENV_NEEDS_AD_DC);

# On a duplicate testenv name the Samba4 entry wins (it comes last).
%Samba::ENV_DEPS      = (%Samba3::ENV_DEPS, %Samba4::ENV_DEPS);
%Samba::ENV_DEPS_POST = (%Samba3::ENV_DEPS_POST, %Samba4::ENV_DEPS_POST);

%Samba::ENV_TARGETS = ();
$Samba::ENV_TARGETS{$_} = "Samba3" foreach keys %Samba3::ENV_DEPS;
$Samba::ENV_TARGETS{$_} = "Samba4" foreach keys %Samba4::ENV_DEPS;

# Every Samba4 testenv is flagged; a Samba3 testenv is flagged only when
# its name starts with "ad_" (and that result overrides a Samba4 entry
# of the same name).
%Samba::ENV_NEEDS_AD_DC = map { ($_ => 1) } keys %Samba4::ENV_DEPS;
for my $s3_env (keys %Samba3::ENV_DEPS) {
    $ENV_NEEDS_AD_DC{$s3_env} = ($s3_env =~ /^ad_/);
}
# Start a socket_wrapper packet capture for $name.
#
# Does nothing (bare return) unless pcap support was requested on the
# context and SOCKET_WRAPPER_PCAP_DIR is set. Otherwise returns the path
# of the capture file handed to SocketWrapper::setup_pcap().
sub setup_pcap($$)
{
    my ($self, $name) = @_;

    return unless ($self->{opt_socket_wrapper_pcap}
                   and defined($ENV{SOCKET_WRAPPER_PCAP_DIR}));

    # Everything outside [A-Za-z0-9-] becomes "_", so the caller's name
    # cannot add path separators or dots to the file name.
    (my $safe_name = $name) =~ s%[^a-zA-Z0-9\-]%_%g;

    my $pcap_file = join("/", $ENV{SOCKET_WRAPPER_PCAP_DIR}, "$safe_name.pcap");
    SocketWrapper::setup_pcap($pcap_file);

    return $pcap_file;
}
# Delete a capture file after a successful run.
#
# The file is kept when pcap support is off, when the keep-pcap option
# is set, when $exitcode is non-zero (so failures keep their trace), or
# when no file name was given.
sub cleanup_pcap($$$)
{
    my ($self, $pcap_file, $exitcode) = @_;

    return if !$self->{opt_socket_wrapper_pcap};
    return if $self->{opt_socket_wrapper_keep_pcap};
    return unless ($exitcode == 0);
    return if !defined($pcap_file);

    unlink($pcap_file);
}
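# Set up the testenv $envname (and, recursively, its dependencies) below
# $path and return its variables.
#
# Returns the string "UNKNOWN" when no target provides $envname, undef
# when the environment or one of its dependencies fails to start, and
# otherwise the value returned by the target's setup_<envname> sub.
# Results are cached in $target->{vars}.
sub setup_env($$$)
{
    my ($self, $envname, $path) = @_;

    # Only names present in %ENV_TARGETS get past this point, which also
    # bounds the sub name that is built from $envname further down.
    my $targetname = $ENV_TARGETS{$envname};
    if (not defined($targetname)) {
        warn("Samba can't provide environment '$envname'");
        return "UNKNOWN";
    }

    my %targetlookup = (
        "Samba3" => $self->{samba3},
        "Samba4" => $self->{samba4}
    );
    my $target = $targetlookup{$targetname};

    if (defined($target->{vars}->{$envname})) {
        return $target->{vars}->{$envname};
    }

    # Placeholder: a re-entrant request for the same env while it is
    # being set up hits the cache check above and gets "" back.
    $target->{vars}->{$envname} = "";

    my @dep_vars;
    foreach my $dep (@{$ENV_DEPS{$envname}}) {
        my $vars = $self->setup_env($dep, $path);
        if (defined($vars)) {
            push(@dep_vars, $vars);
        } else {
            warn("Failed setting up $dep as a dependency of $envname");
            return undef;
        }
    }

    $ENV{ENVNAME} = $envname;
    # Avoid hitting system krb5.conf -
    # An env that needs Kerberos will reset this to the real value.
    $ENV{KRB5_CONFIG} = "$path/no_krb5.conf";
    $ENV{RESOLV_CONF} = "$path/no_resolv.conf";

    # Resolve "<Target>::setup_<envname>" by name and call it with the
    # target object, the env directory and the dependencies' variables.
    my $setup_name = $ENV_TARGETS{$envname}."::setup_".$envname;
    my $setup_sub = \&$setup_name;
    my $setup_pcap_file = $self->setup_pcap("env-$ENV{ENVNAME}-setup");
    my $env = $setup_sub->($target, "$path/$envname", @dep_vars);
    $self->cleanup_pcap($setup_pcap_file, not defined($env));
    SocketWrapper::setup_pcap(undef);

    if (not defined($env)) {
        warn("failed to start up environment '$envname'");
        return undef;
    }
    if ($env eq "UNKNOWN") {
        warn("unknown environment '$envname'");
        return $env;
    }

    $target->{vars}->{$envname} = $env;
    $target->{vars}->{$envname}->{target} = $target;

    foreach my $post_dep (@{$ENV_DEPS_POST{$envname}}) {
        # Was "continue;", which Perl only accepts inside a when block
        # and which would die at run time if this branch were reached.
        next if not defined($post_dep);

        my $vars = $self->setup_env($post_dep, $path);
        if (not defined($vars)) {
            return undef;
        }
    }

    return $env;
}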
# Map a program or plugin name to its location in the build tree.
#
# Returns "$object->{bindir}/$path" when that exists as a file or
# directory, else $path unchanged. For "samba-tool" the result is
# prefixed with "$PYTHON " when the PYTHON environment variable is set,
# so that result is a command string and not a bare path.
sub bindir_path($$) {
    my ($object, $path) = @_;

    my $candidate = "$object->{bindir}/$path";
    my $result = (-f $candidate or -d $candidate) ? $candidate : $path;

    return $result unless ($path eq "samba-tool");

    # make sure samba-tool is run by the python version named in $PYTHON
    my $python_cmd = defined($ENV{'PYTHON'}) ? $ENV{'PYTHON'} . " " : "";
    return $python_cmd . $result;
}
# Return the path of libnss_wrapper_winbind.so.2.
#
# NSS_WRAPPER_WINBIND_SO_PATH from the environment is returned as-is
# when set; otherwise the plugin is looked up through bindir_path() and
# the result is made absolute.
sub nss_wrapper_winbind_so_path($) {
    my ($object) = @_;

    my $override = $ENV{NSS_WRAPPER_WINBIND_SO_PATH};
    return $override if defined($override);

    my $so_path = bindir_path($object, "plugins/libnss_wrapper_winbind.so.2");
    $so_path = abs_path($so_path);
    return $so_path;
}
# Return the configured path to libpam_matrix.so.
#
# $self is either the top-level context or an object that carries the
# context in its SambaCtx slot; the option is read from the context.
sub pam_matrix_so_path($) {
    my ($self) = @_;

    my $ctx = defined($self->{SambaCtx}) ? $self->{SambaCtx} : $self;
    return $ctx->{opt_libpam_matrix_so_path};
}
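# Copy the content of file $in to file $out, creating or truncating
# $out. Dies if either file cannot be opened or the copy cannot be
# written out.
#
# The permissions of a newly created $out follow the caller's umask.
sub copy_file_content($$)
{
    my ($in, $out) = @_;

    # Three-argument open: the names are treated purely as file names.
    # The two-argument form would interpret leading or trailing "<",
    # ">", "|" or whitespace in a name as an open mode or a command.
    open(my $in_fh, '<', $in)
        or die("failed to open in[${in}] for reading: $!");
    open(my $out_fh, '>', $out)
        or die("failed to open out[${out}] for writing: $!");

    while (my $line = <$in_fh>) {
        print {$out_fh} $line
            or die("failed to write to out[${out}]: $!");
    }

    # Buffered write errors only surface at close time.
    close($out_fh)
        or die("failed to close out[${out}]: $!");
    close($in_fh);
}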
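# Populate a testenv's TLS and PKINIT directories.
#
# Writes fixed Diffie-Hellman parameters to $ctx->{tlsdir}/dhparms.pem
# and, when the pre-generated DC private key exists under
# $SRCDIR_ABS/selftest/manage-ca, copies the CA certificate, CRL, DC
# certificate/key and (if present) the administrator and pkinit user
# certificates/keys into place.
#
# Reads $ctx->{hostname}, {dnsname}, {tlsdir} and {prefix_abs}.
# Everything is created under umask 0077, so new files are readable by
# the owner only; the previous umask is restored before returning.
sub prepare_keyblobs($)
{
    my ($ctx) = @_;

    # Sources: the checked-in selftest CA.
    my $cadir = "$ENV{SRCDIR_ABS}/selftest/manage-ca/CA-samba.example.com";
    my $cacert = "$cadir/Public/CA-samba.example.com-cert.pem";
    # A file containing a CRL with no revocations.
    my $cacrl_pem = "$cadir/Public/CA-samba.example.com-crl.pem";
    my $dcdnsname = "$ctx->{hostname}.$ctx->{dnsname}";
    my $dcdir = "$cadir/DCs/$dcdnsname";
    my $dccert = "$dcdir/DC-$dcdnsname-cert.pem";
    my $dckey_private = "$dcdir/DC-$dcdnsname-private-key.pem";
    my $adminprincipalname = "administrator\@$ctx->{dnsname}";
    my $admindir = "$cadir/Users/$adminprincipalname";
    my $admincert = "$admindir/USER-$adminprincipalname-cert.pem";
    my $adminkey_private = "$admindir/USER-$adminprincipalname-private-key.pem";
    my $pkinitprincipalname = "pkinit\@$ctx->{dnsname}";
    my $ca_pkinitdir = "$cadir/Users/$pkinitprincipalname";
    my $pkinitcert = "$ca_pkinitdir/USER-$pkinitprincipalname-cert.pem";
    my $pkinitkey_private = "$ca_pkinitdir/USER-$pkinitprincipalname-private-key.pem";

    # Destinations: TLS and PKINIT crypto blobs inside the testenv.
    my $tlsdir = "$ctx->{tlsdir}";
    my $pkinitdir = "$ctx->{prefix_abs}/pkinit";
    my $dhfile = "$tlsdir/dhparms.pem";
    my $cafile = "$tlsdir/ca.pem";
    my $crlfile = "$tlsdir/crl.pem";
    my $certfile = "$tlsdir/cert.pem";
    my $keyfile = "$tlsdir/key.pem";
    my $admincertfile = "$pkinitdir/USER-$adminprincipalname-cert.pem";
    my $adminkeyfile = "$pkinitdir/USER-$adminprincipalname-private-key.pem";
    my $pkinitcertfile = "$pkinitdir/USER-$pkinitprincipalname-cert.pem";
    my $pkinitkeyfile = "$pkinitdir/USER-$pkinitprincipalname-private-key.pem";

    # mkdir results are not checked: the directories may already exist.
    mkdir($tlsdir, 0700);
    mkdir($pkinitdir, 0700);
    my $oldumask = umask;
    umask 0077;

    # This is specified here to avoid draining entropy on every run
    # generate by
    # openssl dhparam -out dhparms.pem -text -2 8192
    #
    # The open was previously unchecked, so a missing or unwritable
    # tlsdir went unnoticed until something tried to use the file.
    my $dh_fh;
    unless (open($dh_fh, '>', $dhfile)) {
        my $err = "$!";
        umask $oldumask;
        die("failed to open dhfile[${dhfile}] for writing: $err");
    }
    print {$dh_fh} <<EOF;
-----BEGIN DH PARAMETERS-----
MIIECAKCBAEAlcpjuJptCzC2bIIApLuyFLw2nODQUztqs/peysY9e3LgWh/xrc87
SWJNSUrqFJFh2m357WH0XGcTdTk0b/8aIYIWjbwEhWR/5hZ+1x2TDrX1awkYayAe
pr0arycmWHaAmhw+m+dBdj2O2jRMe7gn0ha85JALNl+Z3wv2q2eys8TIiQ2dbHPx
XvpMmlAv7QHZnpSpX/XgueQr6T3EYggljppZwk1fe4W2cxBjCv9w/Q83pJXMEVVB
WESEQPZC38v6hVIXIlF4J7jXjV3+NtCLL4nvsy0jrLEntyKz5OB8sNPRzJr0Ju2Y
yXORCSMMXMygP+dxJtQ6txzQYWyaCYN1HqHDZy3cFL9Qy8kTFqIcW56Lti2GsW/p
jSMzEOa1NevhKNFL3dSZJx5m+5ZeMvWXlCqXSptmVdbs5wz5jkMUm/E6pVfM5lyb
Ttlcq2iYPqnJz1jcL5xwhoufID8zSJCPJ7C0jb0Ngy5wLIUZfjXJUXxUyxTnNR9i
N9Sc+UkDvLxnCW+qzjyPXGlQU1SsJwMLWa2ZecL/uYE4bOdcN3g+5WHkevyDnXqR
+yy9x7sGXjBT3bRWK5tVHJWOi6eBu1hp39U6aK8oOJWiUt3vmC2qEdIsT6JaLNNi
YKrSfRGBf19IJBaagen1S19bb3dnmwoU1RaWM0EeJQW1oXOBg7zLisB2yuu5azBn
tse00+0nc+GbH2y+jP0sE7xil1QeilZl+aQ3tX9vL0cnCa+8602kXxU7P5HaX2+d
05pvoHmeZbDV85io36oF976gBYeYN+qAkTUMsIZhuLQDuyn0963XOLyn1Pm6SBrU
OkIZXW7WoKEuO/YSfizUIqXwmAMJjnEMJCWG51MZZKx//9Hsdp1RXSm/bRSbvXB7
MscjvQYWmfCFnIk8LYnEt3Yey40srEiS9xyZqdrvobxz+sU1XcqR38kpVf4gKASL
xURia64s4emuJF+YHIObyydazQ+6/wX/C+m+nyfhuxSO6j1janPwtYbU+Uj3TzeM
04K1mpPQpZcaMdZZiNiu7i8VJlOPKAz7aJT8TnMMF5GMyzyLpSMpc+NF9L/BSocV
/cUM4wQT2PTHrcyYzmTVH7c9bzBkuxqrwVB1BY1jitDV9LIYIVBglKcX88qrfHIM
XiXPAIwGclD59qm2cG8OdM9NA5pNMI119KuUAIJsUdgPbR1LkT2XTT15YVoHmFSQ
DlaWOXn4td031jr0EisX8QtFR7+/0Nfoni6ydFGs5fNH/L1ckq6FEO4OhgucJw9H
YRmiFlsQBQNny78vNchwZne3ZixkShtGW0hWDdi2n+h7St1peNJCNJjMbEhRsPRx
RmNGWh4AL8rho4RO9OBao0MnUdjbbffD+wIBAg==
-----END DH PARAMETERS-----
EOF
    close($dh_fh);

    # Without a pre-generated DC key there is nothing further to copy.
    if (! -e $dckey_private) {
        umask $oldumask;
        return;
    }

    copy_file_content($cacert, $cafile);
    copy_file_content($cacrl_pem, $crlfile);
    copy_file_content($dccert, $certfile);
    copy_file_content($dckey_private, $keyfile);
    if (-e $adminkey_private) {
        copy_file_content($admincert, $admincertfile);
        copy_file_content($adminkey_private, $adminkeyfile);
    }
    if (-e $pkinitkey_private) {
        copy_file_content($pkinitcert, $pkinitcertfile);
        copy_file_content($pkinitkey_private, $pkinitkeyfile);
    }

    # COMPAT stuff to be removed in a later commit
    my $kdccertfile = "$tlsdir/kdc.pem";
    copy_file_content($dccert, $kdccertfile);

    umask $oldumask;
}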
# Copy the selftest GnuPG fixtures from $SRCDIR_ABS/selftest/gnupg into
# $ctx->{gnupghome}.
#
# The umask is tightened around the two steps and restored afterwards:
#   0077 while creating the directory (mode 0777 requested => 0700),
#   0177 while copying the files, which include the secret keyring, so
#   files created by copy_file_content() come out owner read/write only.
sub copy_gnupg_home($)
{
    my ($ctx) = @_;

    my $gnupg_srcdir = "$ENV{SRCDIR_ABS}/selftest/gnupg";
    my $saved_umask = umask;

    umask 0077;
    mkdir($ctx->{gnupghome}, 0777);

    umask 0177;
    for my $name (qw(gpg.conf pubring.gpg secring.gpg trustdb.gpg)) {
        copy_file_content("${gnupg_srcdir}/${name}",
                          "$ctx->{gnupghome}/${name}");
    }

    umask $saved_umask;
}
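# Write the testenv's krb5.conf to $ctx->{krb5_conf}.
#
# Reads $ctx->{realm}, {dnsname}, {domain}, {kdc_ipv4} and, when set,
# {krb5_ccname}, {supported_enctypes}, {tlsdir} and {hostname}. The
# MITKRB5 environment variable selects MIT-specific settings.
# Returns undef (after a warning) if the file cannot be opened or
# closed, a true value otherwise.
#
# The settings target the selftest network (rc4 allowed, short clock
# skew, no time sync); they are test fixtures.
sub mk_krb5_conf($$)
{
    my ($ctx) = @_;

    # Three-argument open with a lexical handle; the warning now reports
    # the OS error ($!) rather than the last child status ($?).
    my $conf_fh;
    unless (open($conf_fh, '>', $ctx->{krb5_conf})) {
        warn("can't open $ctx->{krb5_conf}: $!");
        return undef;
    }

    my $our_realms_stanza = mk_realms_stanza($ctx->{realm},
                                             $ctx->{dnsname},
                                             $ctx->{domain},
                                             $ctx->{kdc_ipv4});
    print {$conf_fh} "
#Generated krb5.conf for $ctx->{realm}

[libdefaults]
 default_realm = $ctx->{realm}
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

 # We are running on the same machine, do not correct
 # system clock differences
 kdc_timesync = 0

 fcache_strict_checking = false
";

    if (defined($ENV{MITKRB5})) {
        print {$conf_fh} "
 # Set the grace clockskew to 5 seconds
 # This is especially required by samba3.raw.session krb5 and
 # reauth tests when not using Heimdal
 clockskew = 5
 # To allow the FL 2000 DC to still work for now
 allow_rc4 = yes
";
    }

    if (defined($ctx->{krb5_ccname})) {
        print {$conf_fh} "
 default_ccache_name = $ctx->{krb5_ccname}
";
    }

    if (defined($ctx->{supported_enctypes})) {
        print {$conf_fh} "
 default_etypes = $ctx->{supported_enctypes}
 default_as_etypes = $ctx->{supported_enctypes}
 default_tgs_enctypes = $ctx->{supported_enctypes}
 default_tkt_enctypes = $ctx->{supported_enctypes}
 permitted_enctypes = $ctx->{supported_enctypes}
";
    }

    if (defined($ctx->{tlsdir})) {
        if (defined($ENV{MITKRB5})) {
            print {$conf_fh} "
 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
 pkinit_kdc_hostname = $ctx->{hostname}.$ctx->{dnsname}

";
        } else {
            print {$conf_fh} "

[appdefaults]
 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem

[kdc]
 enable-pkinit = true
 pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
 pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
 pkinit_revoke = FILE:$ctx->{tlsdir}/crl.pem

";
        }
    }

    print {$conf_fh} "
[realms]
 $our_realms_stanza
";

    unless (close($conf_fh)) {
        warn("can't write $ctx->{krb5_conf}: $!");
        return undef;
    }
    return 1;
}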
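# Append a [realms] stanza for a trusted domain to the krb5.conf named
# by $ctx->{KRB5_CONFIG}.
#
# Reads $ctx->{TRUST_REALM}, {TRUST_DNSNAME}, {TRUST_DOMAIN} and
# {TRUST_SERVER_IP}. Returns undef (after a warning) if the file cannot
# be opened or closed, a true value otherwise.
sub append_krb5_conf_trust_realms($$)
{
    my ($ctx) = @_;

    # Three-argument append; the warning reports $! (the OS error), not
    # $? (the last child status).
    my $conf_fh;
    unless (open($conf_fh, '>>', $ctx->{KRB5_CONFIG})) {
        warn("can't open $ctx->{KRB5_CONFIG}: $!");
        return undef;
    }

    my $trust_realms_stanza = mk_realms_stanza($ctx->{TRUST_REALM},
                                               $ctx->{TRUST_DNSNAME},
                                               $ctx->{TRUST_DOMAIN},
                                               $ctx->{TRUST_SERVER_IP});

    print {$conf_fh} " $trust_realms_stanza";

    unless (close($conf_fh)) {
        warn("can't write $ctx->{KRB5_CONFIG}: $!");
        return undef;
    }
    return 1;
}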
# Build the body of a krb5.conf [realms] section for one domain.
#
# The same four settings are emitted under four names: the realm, the
# DNS name, the NetBIOS domain and the lower-cased NetBIOS domain. Every
# entry points kdc and admin_server at $kdc_ipv4 port 88.
# Returns the stanza as a string.
sub mk_realms_stanza($$$$)
{
    my ($realm, $dnsname, $domain, $kdc_ipv4) = @_;

    # The pkinit_require_krbtgt_otherName = false
    # is just because the certificates we have saved
    # do not have the realm in the subjectAltName
    # (specially encoded as a principal)
    # per
    # https://github.com/heimdal/heimdal/wiki/Setting-up-PK-INIT-and-Certificates
    my $realms_stanza = "\n";
    for my $name ($realm, $dnsname, $domain, lc($domain)) {
        $realms_stanza .= " $name = {\n"
                        . "  kdc = $kdc_ipv4:88\n"
                        . "  admin_server = $kdc_ipv4:88\n"
                        . "  default_domain = $dnsname\n"
                        . "  pkinit_require_krbtgt_otherName = false\n"
                        . " }\n";
    }
    $realms_stanza .= "\n";

    return $realms_stanza;
}
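# Write the MIT KDC configuration (kdc.conf) to $ctx->{mitkdc_conf}.
#
# $samba_kdb_dir is the path to mit_samba.so and becomes db_module_dir.
# Reads $ctx->{realm}, {dnsname}, {domain}, {tlsdir} and {logdir}.
# Returns undef (after a warning) if the file cannot be opened or
# closed, a true value otherwise.
sub mk_mitkdc_conf($$)
{
    my ($ctx, $samba_kdb_dir) = @_;

    # Three-argument open with a lexical handle; the warning now reports
    # the OS error ($!) rather than the last child status ($?).
    my $conf_fh;
    unless (open($conf_fh, '>', $ctx->{mitkdc_conf})) {
        warn("can't open $ctx->{mitkdc_conf}: $!");
        return undef;
    }

    print {$conf_fh} "
# Generated kdc.conf for $ctx->{realm}

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true

[realms]
 $ctx->{realm} = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
  pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
  pkinit_eku_checking = scLogin
  pkinit_indicator = pkinit
  pkinit_allow_upn = true
 }

 $ctx->{dnsname} = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
  pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
  pkinit_eku_checking = scLogin
  pkinit_indicator = pkinit
  pkinit_allow_upn = true
 }

 $ctx->{domain} = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
  pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
  pkinit_eku_checking = scLogin
  pkinit_indicator = pkinit
  pkinit_allow_upn = true
 }

[dbmodules]
 db_module_dir = $samba_kdb_dir

 $ctx->{realm} = {
  db_library = samba
 }

 $ctx->{dnsname} = {
  db_library = samba
 }

 $ctx->{domain} = {
  db_library = samba
 }

[logging]
 kdc = FILE:$ctx->{logdir}/mit_kdc.log
";

    unless (close($conf_fh)) {
        warn("can't write $ctx->{mitkdc_conf}: $!");
        return undef;
    }
    return 1;
}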
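# Write a resolv.conf with the testenv's IPv4 and IPv6 name servers to
# $ctx->{resolv_conf}.
#
# Returns undef (after a warning) if the file cannot be opened or
# closed, a true value otherwise.
sub mk_resolv_conf($$)
{
    my ($ctx) = @_;

    # Three-argument open with a lexical handle; the warning now reports
    # the OS error ($!) rather than the last child status ($?).
    my $resolv_fh;
    unless (open($resolv_fh, '>', $ctx->{resolv_conf})) {
        warn("can't open $ctx->{resolv_conf}: $!");
        return undef;
    }

    print {$resolv_fh} "nameserver $ctx->{dns_ipv4}\n";
    print {$resolv_fh} "nameserver $ctx->{dns_ipv6}\n";

    unless (close($resolv_fh)) {
        warn("can't write $ctx->{resolv_conf}: $!");
        return undef;
    }
    return 1;
}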
# Return "realm=ipv4,realm=ipv4,..." for every known testenv DNS realm,
# sorted by realm name. The address is that of the realm's PDC, i.e. the
# first DC created for that realm, as resolved by get_ipv4_addr().
sub realm_to_ip_mappings
{
    # DNS realm => NetBIOS name of the realm's PDC
    my %pdc_for_realm = (
        'adnonssdom.samba.example.com'    => 'addc_no_nss',
        'adnontlmdom.samba.example.com'   => 'addc_no_ntlm',
        'samba2000.example.com'           => 'dc5',
        'samba2003.example.com'           => 'dc6',
        'samba2008r2.example.com'         => 'dc7',
        'addom.samba.example.com'         => 'addc',
        'addom2.samba.example.com'        => 'addcsmb1',
        'sub.samba.example.com'           => 'localsubdc',
        'chgdcpassword.samba.example.com' => 'chgdcpass',
        'backupdom.samba.example.com'     => 'backupfromdc',
        'renamedom.samba.example.com'     => 'renamedc',
        'labdom.samba.example.com'        => 'labdc',
        'schema.samba.example.com'        => 'liveupgrade1dc',
        'prockilldom.samba.example.com'   => 'prockilldc',
        'proclimit.samba.example.com'     => 'proclimitdc',
        'samba.example.com'               => 'localdc',
        'fips.samba.example.com'          => 'fipsdc',
    );

    # one "realm=address" string per realm, joined with commas
    my @pairs = map { "$_=" . get_ipv4_addr($pdc_for_realm{$_}) }
                sort(keys %pdc_for_realm);
    return join(',', @pairs);
}
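# Return the SOCKET_WRAPPER_DEFAULT_IFACE number for a NetBIOS name.
#
# The lookup is case-insensitive. Dies, naming the offending value, when
# the name has no entry in the table.
sub get_interface($)
{
    my ($netbiosname) = @_;
    $netbiosname = lc($netbiosname);

    # this maps the SOCKET_WRAPPER_DEFAULT_IFACE value for each possible
    # testenv to the DC's NETBIOS name. This value also corresponds to last
    # digit of the DC's IP address. Note that the NETBIOS name may differ from
    # the testenv name.
    # Note that when adding a DC with a new realm, also update
    # realm_to_ip_mappings() above.
    my %testenv_iface_mapping = (
        localnt4dc2       => 3,
        localnt4member3   => 4,
        localshare4       => 5,
        # 6 is spare
        localktest6       => 7,
        maptoguest        => 8,
        localnt4dc9       => 9,
        # 10 is spare

        # 11-16 are used by selftest.pl for the client.conf. Most tests only
        # use the first .11 IP. However, some tests (like winsreplication) rely
        # on the client having multiple IPs.
        client            => 11,

        addc_no_nss       => 17,
        addc_no_ntlm      => 18,
        idmapadmember     => 19,
        idmapridmember    => 20,
        localdc           => 21,
        localvampiredc    => 22,
        s4member          => 23,
        localrpcproxy     => 24,
        dc5               => 25,
        dc6               => 26,
        dc7               => 27,
        rodc              => 28,
        localadmember     => 29,
        addc              => 30,
        localsubdc        => 31,
        chgdcpass         => 32,
        promotedvdc       => 33,
        rfc2307member     => 34,
        fileserver        => 35,
        fakednsforwarder1 => 36,
        fakednsforwarder2 => 37,
        s4member_dflt     => 38,
        vampire2000dc     => 39,
        backupfromdc      => 40,
        restoredc         => 41,
        renamedc          => 42,
        labdc             => 43,
        offlinebackupdc   => 44,
        customdc          => 45,
        prockilldc        => 46,
        proclimitdc       => 47,
        liveupgrade1dc    => 48,
        liveupgrade2dc    => 49,
        ctdb0             => 50,
        ctdb1             => 51,
        ctdb2             => 52,
        fileserversmb1    => 53,
        addcsmb1          => 54,
        lclnt4dc2smb1     => 55,
        fipsdc            => 56,
        fipsadmember      => 57,
        offlineadmem      => 58,
        s2kmember         => 59,
        admemidmapnss     => 60,
        localadmember2    => 61,
        admemautorid      => 62,

        rootdnsforwarder  => 64,

        # Note: that you also need to update dns_hub.py when adding a new
        # multi-DC testenv
        # update lib/socket_wrapper/socket_wrapper.c
        #  #define MAX_WRAPPED_INTERFACES 64
        # if you wish to have more than 64 interfaces
    );

    # The bare die() used here before gave no hint which name was wrong.
    if (not defined($testenv_iface_mapping{$netbiosname})) {
        die("get_interface: no interface number registered for '$netbiosname'");
    }

    return $testenv_iface_mapping{$netbiosname};
}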
# Return the IPv4 address "10.53.57.N" of a testenv host, where N is the
# host's interface number from Samba::get_interface().
#
# $iface_num (optional) is added to N for hosts with several addresses.
# Handle testenvs with multiple different addresses, i.e. IP multihoming.
# Currently only the selftest client has multiple IPv4 addresses.
sub get_ipv4_addr
{
    my ($hostname, $iface_num) = @_;

    my $last_octet = Samba::get_interface($hostname);
    $last_octet += $iface_num if defined($iface_num);

    return "10.53.57." . $last_octet;
}
# Return the IPv6 address of a testenv host: a fixed fd00::/8 prefix
# whose last group is "5f" followed by the host's interface number from
# Samba::get_interface() as two hex digits.
sub get_ipv6_addr
{
    my ($hostname) = @_;

    my $iface_number = Samba::get_interface($hostname);
    my $address = sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x",
                          $iface_number);
    return $address;
}
# Return the value for smb.conf's 'interfaces' setting for a testenv:
# $num_ips IPv4 addresses (default 1) followed by the IPv6 address,
# separated by spaces.
#
# IPv4 addresses carry a /24 prefix when network namespaces are in use
# and /8 otherwise; the IPv6 address always carries /64.
sub get_interfaces_config
{
    my ($hostname, $num_ips) = @_;

    # We give the client.conf multiple different IPv4 addresses.
    # All other testenvs generally just have one IPv4 address.
    $num_ips = 1 if (! defined($num_ips));

    my @entries;
    for (my $idx = 0; $idx < $num_ips; $idx++) {
        my $prefix_len = use_namespaces() ? 24 : 8;
        push(@entries, Samba::get_ipv4_addr($hostname, $idx) . "/$prefix_len");
    }
    push(@entries, Samba::get_ipv6_addr($hostname) . "/64");

    return join(" ", @entries);
}
# Reap child $pid without blocking and report on STDERR how it ended.
#
# Returns -1 when $pid is undefined, otherwise the waitpid() result:
# 0 (nothing printed) when there is nothing to report yet, a negative
# value when the child is not there any more, else the child's pid after
# printing its signal or exit value.
sub cleanup_child($$)
{
    my ($pid, $name) = @_;

    unless (defined($pid)) {
        print STDERR "cleanup_child: pid not defined ... not calling waitpid\n";
        return -1;
    }

    my $childpid = waitpid($pid, WNOHANG);
    my $status = $?;

    return $childpid if ($childpid == 0);

    if ($childpid < 0) {
        printf STDERR "%s child process %d isn't here any more\n", $name, $pid;
        return $childpid;
    }

    # low 7 bits: terminating signal; bit 7: core dump; high byte: exit code
    my $signal = $status & 127;
    if ($signal) {
        my $core = ($status & 128) ? 'with' : 'without';
        printf STDERR "%s child process %d, died with signal %d, %s coredump\n",
            $name, $childpid, $signal, $core;
    } else {
        printf STDERR "%s child process %d exited with value %d\n", $name, $childpid, $status >> 8;
    }

    return $childpid;
}
# Return a domain SID of the form S-1-5-21-X-Y-Z, where X, Y and Z are
# three independent integers in [0, 4294967295).
#
# The numbers come from Perl's rand(), which is a general-purpose
# generator, not a cryptographic one.
sub random_domain_sid()
{
    my @sub_authorities = map { int(rand(4294967295)) } (1 .. 3);
    return join("-", "S-1-5-21", @sub_authorities);
}
# Export into %ENV the variables a daemon process should run with.
#
# $proc_envs (optional hash ref) is used as given; when it is undefined
# the set is built with get_env_for_process($proc_name, $env_vars).
sub set_env_for_process
{
    my ($proc_name, $env_vars, $proc_envs) = @_;

    $proc_envs = get_env_for_process($proc_name, $env_vars)
        if (not defined($proc_envs));

    while (my ($key, $value) = each %{ $proc_envs }) {
        $ENV{$key} = $value;
    }
}
# Build the environment (as a hash ref) for daemon $proc_name from the
# testenv variables in $env_vars.
#
# Always present: the resolver, Kerberos, GnuPG, socket-dir and
# nss_wrapper settings copied from $env_vars (undef if missing there),
# a per-process KRB5CCNAME and ENVNAME, and UID_WRAPPER_ROOT=1.
# RESOLV_WRAPPER_CONF is used when defined, RESOLV_WRAPPER_HOSTS
# otherwise. The FIPS and pam_wrapper settings are copied only when
# defined in $env_vars.
sub get_env_for_process
{
    my ($proc_name, $env_vars) = @_;

    my @always_copied = qw(
        RESOLV_CONF
        KRB5_CONFIG
        GNUPGHOME
        SELFTEST_WINBINDD_SOCKET_DIR
        NMBD_SOCKET_DIR
        NSS_WRAPPER_PASSWD
        NSS_WRAPPER_GROUP
        NSS_WRAPPER_HOSTS
        NSS_WRAPPER_HOSTNAME
        NSS_WRAPPER_MODULE_SO_PATH
        NSS_WRAPPER_MODULE_FN_PREFIX
    );
    my @copied_if_defined = qw(
        GNUTLS_FORCE_FIPS_MODE
        OPENSSL_FORCE_FIPS_MODE
        PAM_WRAPPER
        PAM_WRAPPER_KEEP_DIR
        PAM_WRAPPER_SERVICE_DIR
        PAM_WRAPPER_DEBUGLEVEL
    );

    my $proc_envs = {
        # each daemon gets its own credential cache and env name
        KRB5CCNAME       => "$env_vars->{KRB5_CCACHE}.$proc_name",
        UID_WRAPPER_ROOT => "1",
        ENVNAME          => "$ENV{ENVNAME}.$proc_name",
    };
    foreach my $key (@always_copied) {
        $proc_envs->{$key} = $env_vars->{$key};
    }

    my $resolv_key = defined($env_vars->{RESOLV_WRAPPER_CONF})
        ? "RESOLV_WRAPPER_CONF"
        : "RESOLV_WRAPPER_HOSTS";
    $proc_envs->{$resolv_key} = $env_vars->{$resolv_key};

    foreach my $key (@copied_if_defined) {
        next unless defined($env_vars->{$key});
        $proc_envs->{$key} = $env_vars->{$key};
    }

    return $proc_envs;
}
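# Fork a child and exec a test daemon in it; return the child's pid.
#
# $env_vars       testenv variables (also passed to the namespace helpers)
# $daemon_ctx     per-daemon settings read here: NAME, LOG_FILE,
#                 TEE_STDOUT, PCAP_FILE, ENV_VARS, SKIP_DAEMON,
#                 BINARY_PATH and FULL_CMD (array ref of the command)
# $STDIN_READER   read end of the pipe that becomes the daemon's stdin
# $child_cleanup  optional code ref run in the child before exec
#
# Dies in the parent if fork() fails. In the child, dies if the output
# redirection, the stdin redirection or the exec fails.
sub fork_and_exec
{
    my ($self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup) = @_;
    my $SambaCtx = $self;
    $SambaCtx = $self->{SambaCtx} if defined($self->{SambaCtx});

    # we close the child's write-end of the pipe and redirect the
    # read-end to its stdin. That way the daemon will receive an
    # EOF on stdin when parent selftest process closes its
    # write-end.
    $child_cleanup //= sub { close($env_vars->{STDIN_PIPE}) };

    unlink($daemon_ctx->{LOG_FILE});
    print "STARTING $daemon_ctx->{NAME} for $ENV{ENVNAME}...";

    my $parent_pid = $$;
    my $pid = fork();

    # fork() returns undef on failure, and "undef == 0" is true: without
    # this check the parent itself would take the child branch below and
    # exec the daemon in place of the selftest process.
    if (not defined($pid)) {
        die("Unable to fork for $daemon_ctx->{NAME}: $!");
    }

    # exec the daemon in the child process
    if ($pid == 0) {
        my @preargs = ();

        # redirect the daemon's stdout/stderr to a log file
        if (defined($daemon_ctx->{TEE_STDOUT})) {
            # in some cases, we want out from samba to go to the log file,
            # but also to the users terminal when running 'make test' on the
            # command line. This puts it on stderr on the terminal
            #
            # NOTE(review): this command line goes through the shell with
            # LOG_FILE interpolated unquoted, so the path must not contain
            # whitespace or shell metacharacters.
            open(STDOUT, '|-', "tee $daemon_ctx->{LOG_FILE} 1>&2")
                or die("can't pipe stdout to tee for $daemon_ctx->{LOG_FILE}: $!");
        } else {
            open(STDOUT, '>', $daemon_ctx->{LOG_FILE})
                or die("can't redirect stdout to $daemon_ctx->{LOG_FILE}: $!");
        }
        open(STDERR, '>&', \*STDOUT)
            or die("can't dup STDOUT to STDERR: $!");

        SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
        if (defined($daemon_ctx->{PCAP_FILE})) {
            $SambaCtx->setup_pcap("$daemon_ctx->{PCAP_FILE}");
        }

        # setup ENV variables in the child process
        set_env_for_process($daemon_ctx->{NAME}, $env_vars,
                            $daemon_ctx->{ENV_VARS});

        $child_cleanup->();

        # not all s3 daemons run in all testenvs (e.g. fileserver doesn't
        # run winbindd). In which case, the child process just sleeps
        if (defined($daemon_ctx->{SKIP_DAEMON})) {
            $SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub {
                my $signame = shift;
                print("Skip $daemon_ctx->{NAME} received signal $signame");
                exit 0;
            };
            # wait for stdin to become readable (or the timeout) and exit
            my $poll = IO::Poll->new();
            $poll->mask($STDIN_READER, POLLIN);
            $poll->poll($self->{server_maxtime});
            exit 0;
        }

        $ENV{MAKE_TEST_BINARY} = $daemon_ctx->{BINARY_PATH};

        open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";

        # if using kernel namespaces, prepend the command so the process runs in
        # its own namespace
        if (Samba::use_namespaces()) {
            @preargs = ns_exec_preargs($parent_pid, $env_vars);
        }

        # the command args are stored as an array reference (because...Perl),
        # so convert the reference back to an array
        my @full_cmd = @{ $daemon_ctx->{FULL_CMD} };

        # list-form exec: the arguments are passed on as they are, without
        # a shell in between
        exec(@preargs, @full_cmd) or die("Unable to start $ENV{MAKE_TEST_BINARY}: $!");
    }

    print "DONE ($pid)\n";

    # if using kernel namespaces, we now establish a connection between the
    # main selftest namespace (i.e. this process) and the new child namespace
    if (use_namespaces()) {
        ns_child_forked($pid, $env_vars);
    }

    return $pid;
}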
# Names of the testenv variables that are exported into the environment
# of the tests (and written to exports.sh when namespaces are used).
# Several of them hold test account passwords.
my @exported_envvars = (
    # domain stuff
    qw(DOMAIN DNSNAME REALM DOMSID),

    # stuff related to a trusted domain
    qw(TRUST_SERVER TRUST_USERNAME TRUST_PASSWORD
       TRUST_DOMAIN TRUST_REALM TRUST_DOMSID),

    # stuff related to a trusted domain, on a trust_member
    # the domain behind a forest trust (two-way)
    qw(TRUST_F_BOTH_SERVER TRUST_F_BOTH_SERVER_IP TRUST_F_BOTH_SERVER_IPV6
       TRUST_F_BOTH_NETBIOSNAME TRUST_F_BOTH_USERNAME TRUST_F_BOTH_PASSWORD
       TRUST_F_BOTH_DOMAIN TRUST_F_BOTH_REALM),

    # stuff related to a trusted domain, on a trust_member
    # the domain behind an external trust (two-way)
    qw(TRUST_E_BOTH_SERVER TRUST_E_BOTH_SERVER_IP TRUST_E_BOTH_SERVER_IPV6
       TRUST_E_BOTH_NETBIOSNAME TRUST_E_BOTH_USERNAME TRUST_E_BOTH_PASSWORD
       TRUST_E_BOTH_DOMAIN TRUST_E_BOTH_REALM),

    # stuff related to a trusted NT4 domain,
    # used for one-way trust fl2008r2dc <- nt4_dc
    qw(NT4_TRUST_SERVER NT4_TRUST_SERVER_IP NT4_TRUST_DOMAIN NT4_TRUST_DOMSID),

    # domain controller stuff
    qw(DC_SERVER DC_SERVER_IP DC_SERVER_IPV6 DC_NETBIOSNAME DC_NETBIOSALIAS),

    # server stuff
    qw(SERVER SERVER_IP SERVER_IPV6 NETBIOSNAME NETBIOSALIAS SAMSID),

    # only use these 2 as a last resort. Some tests need to test both client-
    # side and server-side. In this case, run as default client, and access
    # server's smb.conf as needed, typically using:
    #  param.LoadParm(filename_for_non_global_lp=os.environ['SERVERCONFFILE'])
    qw(SERVERCONFFILE DC_SERVERCONFFILE),

    # user stuff
    qw(USERNAME USERID PASSWORD DC_USERNAME DC_PASSWORD
       DOMAIN_ADMIN DOMAIN_ADMIN_PASSWORD DOMAIN_USER DOMAIN_USER_PASSWORD),

    # UID/GID for rfc2307 mapping tests
    qw(UID_RFC2307TEST GID_RFC2307TEST),

    # misc stuff
    qw(KRB5_CONFIG KRB5CCNAME GNUPGHOME SELFTEST_WINBINDD_SOCKET_DIR
       NMBD_SOCKET_DIR LOCAL_PATH DNS_FORWARDER1 DNS_FORWARDER2 RESOLV_CONF
       UNACCEPTABLE_PASSWORD LOCK_DIR SMBD_TEST_LOG KRB5_CRL_FILE),

    # nss_wrapper
    qw(NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP NSS_WRAPPER_HOSTS
       NSS_WRAPPER_HOSTNAME NSS_WRAPPER_MODULE_SO_PATH
       NSS_WRAPPER_MODULE_FN_PREFIX),

    # resolv_wrapper
    qw(RESOLV_WRAPPER_CONF RESOLV_WRAPPER_HOSTS),

    # ctdb stuff
    qw(CTDB_PREFIX NUM_NODES
       CTDB_BASE CTDB_SOCKET CTDB_SERVER_NAME CTDB_IFACE_IP
       CTDB_BASE_NODE0 CTDB_SOCKET_NODE0 CTDB_SERVER_NAME_NODE0 CTDB_IFACE_IP_NODE0
       CTDB_BASE_NODE1 CTDB_SOCKET_NODE1 CTDB_SERVER_NAME_NODE1 CTDB_IFACE_IP_NODE1
       CTDB_BASE_NODE2 CTDB_SOCKET_NODE2 CTDB_SERVER_NAME_NODE2 CTDB_IFACE_IP_NODE2),
);
# Render the exported variables that are defined in $testenv_vars as
# "NAME=value\n" lines, in the order of @exported_envvars, and return
# them as one string. Values are written as they are, without quoting.
sub exported_envvars_str
{
    my ($testenv_vars) = @_;

    my @lines = map  { $_ . "=" . $testenv_vars->{$_} . "\n" }
                grep { defined($testenv_vars->{$_}) }
                @exported_envvars;

    return join("", @lines);
}
# Remove every variable listed in @exported_envvars from %ENV, so that
# values of a previous testenv (passwords included) do not linger.
sub clear_exported_envvars
{
    for my $name (@exported_envvars) {
        delete($ENV{$name});
    }
}
# Bring %ENV in line with $testenv_vars for every name listed in
# @exported_envvars: defined values are exported, all other listed
# names are removed from the environment.
sub export_envvars
{
    my ($testenv_vars) = @_;

    for my $name (@exported_envvars) {
        my $value = $testenv_vars->{$name};
        unless (defined($value)) {
            delete $ENV{$name};
            next;
        }
        $ENV{$name} = $value;
    }
}
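# Write the exported variables of $testenv_vars to $filepath as
# "NAME=value" lines (see exported_envvars_str()).
#
# Dies if the file cannot be opened or written; the open and close were
# previously unchecked, which left a missing file to be discovered
# later by whatever reads it.
#
# The file receives the test account passwords among the other
# variables and is created with the caller's umask.
sub export_envvars_to_file
{
    my ($filepath, $testenv_vars) = @_;
    my $env_str = exported_envvars_str($testenv_vars);

    # Three-argument open: $filepath is used purely as a file name.
    open(my $fh, '>', $filepath)
        or die("failed to open $filepath for writing: $!");
    print {$fh} $env_str;
    close($fh)
        or die("failed to write $filepath: $!");
}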
# Returns true if kernel namespaces are being used instead of
# socket-wrapper. The default is false.
#
# Only the presence of USE_NAMESPACES in the environment is tested, so
# any value, "0" and the empty string included, switches this on.
sub use_namespaces
{
    my $flag = $ENV{USE_NAMESPACES};
    return defined($flag);
}
# returns a given testenv's interface-name (only when USE_NAMESPACES=1)
#
# when using namespaces, each testenv has its own vethX interface,
# where X = Samba::get_interface(testenv_name)
sub ns_interface_name
{
    my ($hostname) = @_;

    my $iface_number = get_interface($hostname);
    return "veth" . $iface_number;
}
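# Called after a new child namespace has been forked.
#
# For the first child of a testenv this records the child's pid in
# $env_vars->{NS_PID} and attaches the testenv's interface to the
# selftest bridge; for later children it does nothing.
sub ns_child_forked
{
    my ($child_pid, $env_vars) = @_;

    # we only need to do this for the first child forked for this testenv
    if (defined($env_vars->{NS_PID})) {
        return;
    }

    # store the child PID. It's the only way the main (selftest) namespace can
    # access the new child (testenv) namespace.
    $env_vars->{NS_PID} = $child_pid;

    # Add the new child namespace's interface to the main selftest bridge.
    # This connects together the various testenvs so that selftest can talk to
    # them all
    my $iface = ns_interface_name($env_vars->{NETBIOSNAME});

    # List-form system(): the script path and its arguments are passed
    # on as they are, so a SRCDIR containing spaces or shell
    # metacharacters is neither split nor interpreted by a shell.
    my $script = "$ENV{SRCDIR}/selftest/ns/add_bridge_iface.sh";
    my $status = system($script, "$iface-br", "selftest0");
    if ($status != 0) {
        warn("$script $iface-br selftest0 failed (status $status)");
    }
    return $status;
}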
# returns args to prepend to a command in order to execute it the correct
# namespace for the testenv (creating a new namespace if needed).
# This should only used when USE_NAMESPACES=1 is set.
#
# The result is a list of separate arguments, not a command string.
sub ns_exec_preargs
{
    my ($parent_pid, $env_vars) = @_;

    # NS_PID stores the pid of the first child daemon run in this namespace.
    # If it is set, the namespace has already been created previously, so
    # nsenter is used to execute the command in the given testenv's
    # namespace, which NS_PID identifies.
    my $ns_pid = $env_vars->{NS_PID};
    return ("nsenter", "-t", "$ns_pid", "--net") if defined($ns_pid);

    # We need to create a new namespace for this daemon (i.e. we're
    # setting up a new testenv). First, write the environment variables to
    # an exports.sh file for this testenv (for convenient access by the
    # namespace scripts).
    my $exports_file = "$env_vars->{TESTENV_DIR}/exports.sh";
    export_envvars_to_file($exports_file, $env_vars);

    # when using namespaces, each testenv has its own veth interface
    my $interface = ns_interface_name($env_vars->{NETBIOSNAME});

    # we use unshare to create a new network namespace. The start_in_ns.sh
    # helper script gets run first to setup the new namespace's interfaces.
    # (This all gets prepended around the actual command to run in the new
    # namespace)
    my $helper = "$ENV{SRCDIR}/selftest/ns/start_in_ns.sh";
    return ("unshare", "--net", $helper,
            $interface, $exports_file, $parent_pid);
}
# Check a running testenv. This implementation performs no check and
# always reports success (1).
sub check_env {
    my $self = shift;
    my ($envvars) = @_;

    return 1;
}
# Tear down a testenv. This implementation does nothing and always
# reports success (1).
sub teardown_env {
    my $self = shift;
    my ($env) = @_;

    return 1;
}
# Return the log output of a testenv. This implementation has none to
# offer and always returns the empty string.
sub getlog_env {
    my $no_log = '';
    return $no_log;
}