From 3b25f764e714dee0327fd4f068bd14650f7e7ab4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 09:18:26 +0100
Subject: [PATCH 01/13] s3:tests: Fix authentication with smbget_user in smbget
 tests

Currently the smget share is broken. We set `guest ok = yes` so if you
specify invalid names, the authentication will still succeed as we
are mapped to guest.

The smbget_user is a local ad_member user. We need to set the
workstation as the "domain" for the user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c14c5dec09fe1c86b29b3091ad521e73a2e1c3e9)
---
 source3/script/tests/test_smbget.sh | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index bdc62a71eff..5ab35a03e24 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -72,7 +72,7 @@ test_singlefile_guest()
 test_singlefile_U()
 {
 	clear_download_area
-	$SMBGET --verbose -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -132,7 +132,7 @@ test_singlefile_U_domain()
 test_singlefile_smburl()
 {
 	clear_download_area
-	$SMBGET --workgroup $DOMAIN smb://$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile
+	$SMBGET --workgroup $DOMAIN smb://${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -148,7 +148,7 @@ test_singlefile_smburl()
 test_singlefile_smburl2()
 {
 	clear_download_area
-	$SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile"
+	$SMBGET "smb://$DOMAIN;${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile"
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -165,7 +165,7 @@ test_singlefile_authfile()
 {
 	clear_download_area
 	cat >"${TMPDIR}/authfile" << EOF
-username = $USERNAME
+username = ${SERVER}/${USERNAME}
 password = $PASSWORD
 EOF
 	$SMBGET --verbose --authentication-file="${TMPDIR}/authfile" smb://$SERVER_IP/smbget/testfile
@@ -186,7 +186,7 @@ EOF
 test_recursive_U()
 {
 	clear_download_area
-	$SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/
+	$SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -207,7 +207,7 @@ test_recursive_existing_dir()
 {
 	clear_download_area
 	mkdir dir1
-	$SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/
+	$SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -230,7 +230,7 @@ test_recursive_with_empty()
 	# create some additional empty directories
 	mkdir -p $WORKDIR/dir001/dir002/dir003
 	mkdir -p $WORKDIR/dir004/dir005/dir006
-	$SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/
+	$SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/
 	rc=$?
 	rm -rf $WORKDIR/dir001
 	rm -rf $WORKDIR/dir004
@@ -260,7 +260,7 @@ test_resume()
 	clear_download_area
 	cp $WORKDIR/testfile .
 	truncate -s 1024 testfile
-	$SMBGET --verbose --resume -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose --resume -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -279,7 +279,7 @@ test_resume_modified()
 {
 	clear_download_area
 	dd if=/dev/urandom bs=1024 count=2 of=testfile
-	$SMBGET --verbose --resume -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose --resume -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
 	if [ $? -ne 1 ]; then
 		echo 'ERROR: RC does not match, expected: 1'
 		return 1
@@ -291,14 +291,14 @@ test_resume_modified()
 test_update()
 {
 	clear_download_area
-	$SMBGET --verbose -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
 	fi
 
 	# secondary download should pass
-	$SMBGET --verbose --update -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose --update -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -308,7 +308,7 @@ test_update()
 	# touch source to trigger new download
 	sleep 2
 	touch -m $WORKDIR/testfile
-	$SMBGET --verbose --update -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose --update -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -397,7 +397,7 @@ test_limit_rate()
 test_encrypt()
 {
 	clear_download_area
-	$SMBGET --verbose --encrypt -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose --encrypt -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -409,7 +409,7 @@ test_encrypt()
 	fi
 
 	clear_download_area
-	$SMBGET --verbose --client-protection=encrypt -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose --client-protection=encrypt -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
-- 
2.43.0


From a61c1ed2e21640a60b219b8efb16fed7ddfbce7c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 8 Dec 2023 13:06:27 +0100
Subject: [PATCH 02/13] selftest: Remove trailing tabs/white spaces in
 Samba4.pm

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a2af6946f5e53b7d954aa54d3d115dbe4975b1c4)
---
 selftest/target/Samba4.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index a10c1313322..e559bf888a9 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -559,7 +559,7 @@ sub provision_raw_prepare($$$$$$$$$$$$$$)
 		warn("Unable to clean up");
 	}
 
-	
+
 	my $swiface = Samba::get_interface($hostname);
 
 	$ctx->{prefix} = $prefix;
@@ -1034,7 +1034,7 @@ replace: userPrincipalName
 userPrincipalName: testallowed upn\@$ctx->{realm}
 replace: servicePrincipalName
 servicePrincipalName: host/testallowed
--	    
+-
 ";
 	close($ldif);
 	unless ($? == 0) {
@@ -1057,7 +1057,7 @@ servicePrincipalName: host/testallowed
 changetype: modify
 replace: userPrincipalName
 userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
--	    
+-
 ";
 	close($ldif);
 	unless ($? == 0) {
@@ -2225,7 +2225,7 @@ sub provision_chgdcpass($$)
 		warn("Unable to add wins configuration");
 		return undef;
 	}
-	
+
 	# Remove secrets.tdb from this environment to test that we
 	# still start up on systems without the new matching
 	# secrets.tdb records.
-- 
2.43.0


From 4177d6b866f8a0a72ebe208c5025ad643a2610d8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 8 Dec 2023 13:07:19 +0100
Subject: [PATCH 03/13] selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables

We should start using those in future. So we can distinguish which
privileges we want. Currently DC_USERNAME is the Administrator. Whatever
possible should use DOMIAN_USER instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 56d0c3a0263ed166452c129219e7a391ba4d014c)
---
 selftest/target/Samba.pm  |  4 ++++
 selftest/target/Samba3.pm | 24 ++++++++++++++++++++++++
 selftest/target/Samba4.pm |  8 ++++++++
 3 files changed, 36 insertions(+)

diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index b959db493ca..e4bd6a0d5d2 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -947,6 +947,10 @@ my @exported_envvars = (
 	"PASSWORD",
 	"DC_USERNAME",
 	"DC_PASSWORD",
+	"DOMAIN_ADMIN",
+	"DOMAIN_ADMIN_PASSWORD",
+	"DOMAIN_USER",
+	"DOMAIN_USER_PASSWORD",
 
 	# UID/GID for rfc2307 mapping tests
 	"UID_RFC2307TEST",
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 85e69e4b72d..8755d0a2f1f 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1006,6 +1006,10 @@ sub provision_ad_member
 	$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
 	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
 	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+	$ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+	$ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+	$ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+	$ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
 	# forest trust
 	$ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER};
@@ -1171,6 +1175,10 @@ sub setup_ad_member_rfc2307
 	$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
 	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
 	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+	$ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+	$ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+	$ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+	$ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
 	return $ret;
 }
@@ -1267,6 +1275,10 @@ sub setup_admem_idmap_autorid
 	$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
 	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
 	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+	$ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+	$ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+	$ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+	$ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
 	return $ret;
 }
@@ -1366,6 +1378,10 @@ sub setup_ad_member_idmap_rid
 	$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
 	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
 	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+	$ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+	$ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+	$ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+	$ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
 	return $ret;
 }
@@ -1466,6 +1482,10 @@ sub setup_ad_member_idmap_ad
 	$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
 	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
 	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+	$ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+	$ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+	$ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+	$ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
 	$ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
 	$ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
@@ -1558,6 +1578,10 @@ sub setup_ad_member_oneway
 	$ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
 	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
 	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+	$ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN};
+	$ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD};
+	$ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER};
+	$ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD};
 
 	$ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
 	$ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e559bf888a9..cbaacce48da 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -587,6 +587,10 @@ sub provision_raw_prepare($$$$$$$$$$$$$$)
 	$ctx->{realm} = uc($realm);
 	$ctx->{dnsname} = lc($realm);
 	$ctx->{samsid} = $samsid;
+	$ctx->{domain_admin} = "Administrator";
+	$ctx->{domain_admin_password} = $password;
+	$ctx->{domain_user} = "alice";
+	$ctx->{domain_user_password} = "Secret007";
 
 	$ctx->{functional_level} = $functional_level;
 
@@ -906,6 +910,10 @@ nogroup:x:65534:nobody
 		DOMAIN => $ctx->{domain},
 		USERNAME => $ctx->{username},
 		DC_USERNAME => $ctx->{username},
+		DOMAIN_ADMIN => $ctx->{domain_admin},
+		DOMAIN_ADMIN_PASSWORD => $ctx->{domain_admin_password},
+		DOMAIN_USER => $ctx->{domain_user},
+		DOMAIN_USER_PASSWORD => $ctx->{domain_user_password},
 		REALM => $ctx->{realm},
 		DNSNAME => $ctx->{dnsname},
 		SAMSID => $ctx->{samsid},
-- 
2.43.0


From c5839fd47591e46431d56091f151f22a5e35d16c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 09:45:54 +0100
Subject: [PATCH 04/13] s3:tests: Pass down a normal domain user for
 test_smbget.sh

It is better to test with a normal user than administrator.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 337034e675aaeb366d360a791ec0d003426230af)
---
 source3/script/tests/test_smbget.sh | 22 ++++++++++++----------
 source3/selftest/tests.py           |  2 ++
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 5ab35a03e24..257291b18ff 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -16,9 +16,11 @@ DOMAIN=${3}
 REALM=${4}
 USERNAME=${5}
 PASSWORD=${6}
-WORKDIR=${7}
-SMBGET="$VALGRIND ${8}"
-shift 8
+DOMAIN_USER=${7}
+DOMAIN_USER_PASSWORD=${8}
+WORKDIR=${9}
+SMBGET="$VALGRIND ${10}"
+shift 10
 
 TMPDIR="$SELFTEST_TMPDIR"
 
@@ -89,7 +91,7 @@ test_singlefile_U_UPN()
 {
 	clear_download_area
 
-	${SMBGET} --verbose -U"${DC_USERNAME}@${REALM}%${DC_PASSWORD}" \
+	${SMBGET} --verbose -U"${DOMAIN_USER}@${REALM}%${DOMAIN_USER_PASSWORD}" \
 		"smb://${SERVER_IP}/smbget/testfile"
 	ret=${?}
 	if [ ${ret} -ne 0 ]; then
@@ -111,7 +113,7 @@ test_singlefile_U_domain()
 {
 	clear_download_area
 
-	${SMBGET} --verbose -U"${DOMAIN}/${DC_USERNAME}%${DC_PASSWORD}" \
+	${SMBGET} --verbose -U"${DOMAIN}/${DOMAIN_USER}%${DOMAIN_USER_PASSWORD}" \
 		"smb://${SERVER_IP}/smbget/testfile"
 	ret=${?}
 	if [ ${ret} -ne 0 ]; then
@@ -132,7 +134,7 @@ test_singlefile_U_domain()
 test_singlefile_smburl()
 {
 	clear_download_area
-	$SMBGET --workgroup $DOMAIN smb://${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile
+	$SMBGET --workgroup $DOMAIN smb://${DOMAIN_USER}:$DOMAIN_USER_PASSWORD@$SERVER_IP/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -148,7 +150,7 @@ test_singlefile_smburl()
 test_singlefile_smburl2()
 {
 	clear_download_area
-	$SMBGET "smb://$DOMAIN;${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile"
+	$SMBGET "smb://$DOMAIN;${DOMAIN_USER}:$DOMAIN_USER_PASSWORD@$SERVER_IP/smbget/testfile"
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -343,7 +345,7 @@ test_msdfs_link_domain()
 {
 	clear_download_area
 
-	${SMBGET} --verbose "-U${DOMAIN}/${DC_USERNAME}%${DC_PASSWORD}" \
+	${SMBGET} --verbose "-U${DOMAIN}/${DOMAIN_USER}%${DOMAIN_USER_PASSWORD}" \
 		"smb://${SERVER}/msdfs-share/deeppath/msdfs-src2/readable_file"
 	ret=$?
 	if [ ${ret} -ne 0 ]; then
@@ -358,7 +360,7 @@ test_msdfs_link_upn()
 {
 	clear_download_area
 
-	${SMBGET} --verbose "-U${DC_USERNAME}@${REALM}%${DC_PASSWORD}" \
+	${SMBGET} --verbose "-U${DOMAIN_USER}@${REALM}%${DOMAIN_USER_PASSWORD}" \
 		"smb://${SERVER}/msdfs-share/deeppath/msdfs-src2/readable_file"
 	ret=$?
 	if [ ${ret} -ne 0 ]; then
@@ -433,7 +435,7 @@ test_kerberos()
 	KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
 	export KRB5CCNAME
 	kerberos_kinit "${samba_kinit}" \
-		"${DC_USERNAME}@${REALM}" "${DC_PASSWORD}"
+		"${DOMAIN_USER}@${REALM}" "${DOMAIN_USER_PASSWORD}"
 
 	$SMBGET --verbose --use-krb5-ccache="${KRB5CCNAME}" \
 		smb://$SERVER/smbget/testfile
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 5a784f1c5aa..973384f8c53 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -931,6 +931,8 @@ plantestsuite("samba3.blackbox.smbget",
                   '$REALM',
                   'smbget_user',
                   '$PASSWORD',
+                  '$DOMAIN_USER',
+                  '$DOMAIN_USER_PASSWORD',
                   '$LOCAL_PATH/smbget',
                   smbget
               ])
-- 
2.43.0


From 43f8a0acbcda931efb40403b15ef4c8d8ec94c8b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 10:51:32 +0100
Subject: [PATCH 05/13] s3:tests: Fix test_kerberos in smbget tests

We switched to a temporary directory, so $PREFIX doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 62b0b79ce065246417996dec61afa6a10f6ab99b)
---
 source3/script/tests/test_smbget.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 257291b18ff..5b65db89a26 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -429,13 +429,17 @@ test_kerberos()
 {
 	clear_download_area
 
-	KRB5CCNAME_PATH="$PREFIX/smget_krb5ccache"
+	KRB5CCNAME_PATH="${TMPDIR}/smget_krb5ccache"
 	rm -f "${KRB5CCNAME_PATH}"
 
 	KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
 	export KRB5CCNAME
 	kerberos_kinit "${samba_kinit}" \
 		"${DOMAIN_USER}@${REALM}" "${DOMAIN_USER_PASSWORD}"
+	if [ $? -ne 0 ]; then
+		echo 'Failed to get Kerberos ticket'
+		return 1
+	fi
 
 	$SMBGET --verbose --use-krb5-ccache="${KRB5CCNAME}" \
 		smb://$SERVER/smbget/testfile
-- 
2.43.0


From 26be99f6ac11bd3c6cfd737b332ee3aca660b390 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 11:43:33 +0100
Subject: [PATCH 06/13] s3:tests: Fix the test_kerberos_trust in smbget
 testsuite

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 468fb05d6357779228e411076e286abcdb70cf96)
---
 source3/script/tests/test_smbget.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 5b65db89a26..50e8cea3900 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -465,7 +465,7 @@ test_kerberos_trust()
 
 	$SMBGET --verbose --use-kerberos=required \
 		-U"${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}%${TRUST_F_BOTH_PASSWORD}" \
-		smb://$SERVER/smbget/testfile
+		smb://$SERVER.${REALM}/smbget/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
-- 
2.43.0


From 0cbea3a4c5b7f5356c209ba2826f01506b40f1f8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 13:11:46 +0100
Subject: [PATCH 07/13] s3:tests: Remove the non-working
 test_kerberos_upn_denied of smbget

See TODO code comment for details.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1a04fd255c2c94e01bda9840bfd6b372007bb3c7)
---
 source3/script/tests/test_smbget.sh | 52 +++++++++++++++++------------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 50e8cea3900..1956fc5b38e 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -480,26 +480,34 @@ test_kerberos_trust()
 	return 0
 }
 
-test_kerberos_upn_denied()
-{
-	clear_download_area
-
-	$SMBGET --verbose --use-kerberos=required \
-		-U"testdenied_upn@${REALM}.upn%${PASSWORD}" \
-		"smb://${SERVER}/smbget/testfile"
-	if [ $? -ne 0 ]; then
-		echo 'ERROR: RC does not match, expected: 0'
-		return 1
-	fi
-
-	cmp --silent $WORKDIR/testfile ./testfile
-	if [ $? -ne 0 ]; then
-		echo 'ERROR: file content does not match'
-		return 1
-	fi
-
-	return 0
-}
+# TODO FIXME
+# This test does not work, as we can't tell the libsmb code that the
+# principal is an enterprice principal. We need support for enterprise
+# principals in kerberos_kinit_password_ext() and a way to pass it via the
+# credenitals structure and commandline options.
+# It works if you do: kinit -E testdenied_upn@${REALM}.upn
+#
+# test_kerberos_upn_denied()
+# {
+# 	set -x
+# 	clear_download_area
+#
+# 	$SMBGET --verbose --use-kerberos=required \
+# 		-U"testdenied_upn@${REALM}.upn%${DC_PASSWORD}" \
+# 		"smb://${SERVER}.${REALM}/smbget/testfile" -d10
+# 	if [ $? -ne 0 ]; then
+# 		echo 'ERROR: RC does not match, expected: 0'
+# 		return 1
+# 	fi
+#
+# 	cmp --silent $WORKDIR/testfile ./testfile
+# 	if [ $? -ne 0 ]; then
+# 		echo 'ERROR: file content does not match'
+# 		return 1
+# 	fi
+#
+# 	return 0
+# }
 
 create_test_data
 
@@ -567,8 +575,8 @@ testit "kerberos" test_kerberos ||
 testit "kerberos_trust" test_kerberos_trust ||
 	failed=$((failed + 1))
 
-testit "kerberos_upn_denied" test_kerberos_upn_denied ||
-	failed=$((failed + 1))
+# testit "kerberos_upn_denied" test_kerberos_upn_denied ||
+# 	failed=$((failed + 1))
 
 clear_download_area
 
-- 
2.43.0


From b3d5792525df99cf149ce08392c359fb97f68ec5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Dec 2023 09:47:14 +0100
Subject: [PATCH 08/13] s3:tests: Fix smbget test

Time to fix the smget share to not have `guest ok = yes` set. A new
[smbget_guest] will be used for guest only tests. This way we can
correctly test different authentication mechanisms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c46769f3f10d21ed802e17aa79ae17e345168e63)
---
 selftest/target/Samba3.pm           | 4 ++++
 source3/script/tests/test_smbget.sh | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 8755d0a2f1f..2c69993c56a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -3587,6 +3587,10 @@ sub provision($$)
 [smbget]
 	path = $smbget_sharedir
 	comment = smb username is [%U]
+
+[smbget_guest]
+	path = $smbget_sharedir
+	comment = smb username is [%U]
 	guest ok = yes
 
 include = $aliceconfdir/%U.conf
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 1956fc5b38e..0af28c6ff89 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -57,8 +57,8 @@ clear_download_area()
 test_singlefile_guest()
 {
 	clear_download_area
-	echo "$SMBGET --verbose --guest smb://$SERVER_IP/smbget/testfile"
-	$SMBGET --verbose --guest smb://$SERVER_IP/smbget/testfile
+	echo "$SMBGET --verbose --guest smb://$SERVER_IP/smbget_guest/testfile"
+	$SMBGET --verbose --guest smb://$SERVER_IP/smbget_guest/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
@@ -376,9 +376,9 @@ test_msdfs_link_upn()
 test_limit_rate()
 {
 	clear_download_area
-	echo "$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget/testfile"
+	echo "$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget_guest/testfile"
 	time_begin=$(date +%s)
-	$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget/testfile
+	$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget_guest/testfile
 	if [ $? -ne 0 ]; then
 		echo 'ERROR: RC does not match, expected: 0'
 		return 1
-- 
2.43.0


From b40c350a6550946129aadbace4e6cecc219c666a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 13:16:26 +0100
Subject: [PATCH 09/13] auth:creds:tests: Add test for password callback

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ab4b25964a43a1ef550f10580ad395e178fe647e)
---
 auth/credentials/tests/test_creds.c | 32 +++++++++++++++++++++++++++++
 selftest/knownfail.d/creds          |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 selftest/knownfail.d/creds

diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index a2f9642bfe0..414dd46a6b0 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -285,6 +285,37 @@ static void torture_creds_gensec_feature(void **state)
 	assert_int_equal(creds->gensec_features, GENSEC_FEATURE_SIGN);
 }
 
+static const char *torture_get_password(struct cli_credentials *creds)
+{
+	return talloc_strdup(creds, "SECRET");
+}
+
+static void torture_creds_password_callback(void **state)
+{
+	TALLOC_CTX *mem_ctx = *state;
+	struct cli_credentials *creds = NULL;
+	const char *password = NULL;
+	enum credentials_obtained pwd_obtained = CRED_UNINITIALISED;
+	bool ok;
+
+	creds = cli_credentials_init(mem_ctx);
+	assert_non_null(creds);
+
+	ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED);
+	assert_true(ok);
+	ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED);
+	assert_true(ok);
+
+	ok = cli_credentials_set_password_callback(creds, torture_get_password);
+	assert_true(ok);
+	assert_int_equal(creds->password_obtained, CRED_CALLBACK);
+
+	password = cli_credentials_get_password_and_obtained(creds,
+							     &pwd_obtained);
+	assert_int_equal(pwd_obtained, CRED_CALLBACK_RESULT);
+	assert_string_equal(password, "SECRET");
+}
+
 int main(int argc, char *argv[])
 {
 	int rc;
@@ -296,6 +327,7 @@ int main(int argc, char *argv[])
 		cmocka_unit_test(torture_creds_parse_string),
 		cmocka_unit_test(torture_creds_krb5_state),
 		cmocka_unit_test(torture_creds_gensec_feature),
+		cmocka_unit_test(torture_creds_password_callback)
 	};
 
 	if (argc == 2) {
diff --git a/selftest/knownfail.d/creds b/selftest/knownfail.d/creds
new file mode 100644
index 00000000000..09491f22c65
--- /dev/null
+++ b/selftest/knownfail.d/creds
@@ -0,0 +1 @@
+^samba.unittests.credentials.torture_creds_password_callback.none
-- 
2.43.0


From 42f5976603f2dfab9e3179535f9d137014621b54 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 13:06:42 +0100
Subject: [PATCH 10/13] auth:creds: Fix
 cli_credentials_get_password_and_obtained() with callback

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1041dae03f0f7e9e2b6b4a649eb1d298a34ce699)
---
 auth/credentials/credentials.c | 4 +++-
 selftest/knownfail.d/creds     | 1 -
 2 files changed, 3 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/creds

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 0485cc4e64e..8cabdd8d1c3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -465,11 +465,13 @@ _PUBLIC_ const char *
 cli_credentials_get_password_and_obtained(struct cli_credentials *cred,
 					  enum credentials_obtained *obtained)
 {
+	const char *password = cli_credentials_get_password(cred);
+
 	if (obtained != NULL) {
 		*obtained = cred->password_obtained;
 	}
 
-	return cli_credentials_get_password(cred);
+	return password;
 }
 
 /* Set a password on the credentials context, including an indication
diff --git a/selftest/knownfail.d/creds b/selftest/knownfail.d/creds
deleted file mode 100644
index 09491f22c65..00000000000
--- a/selftest/knownfail.d/creds
+++ /dev/null
@@ -1 +0,0 @@
-^samba.unittests.credentials.torture_creds_password_callback.none
-- 
2.43.0


From 619185a178f00bbf88a853309225773b02fdbda4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 13:26:43 +0100
Subject: [PATCH 11/13] auth:creds: Add
 cli_credentials_get_domain_and_obtained()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a7622bc7db093558c6f6e3da4d2a899a764dec09)
---
 auth/credentials/credentials.c      | 22 ++++++++++++++++++++++
 auth/credentials/credentials.h      |  3 +++
 auth/credentials/tests/test_creds.c |  6 ++++++
 3 files changed, 31 insertions(+)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 8cabdd8d1c3..7a00279b8b4 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -738,6 +738,28 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
 	return cred->domain;
 }
 
+/**
+ * @brief Obtain the domain for this credential context.
+ *
+ * @param[in] cred  The credential context.
+ *
+ * @param[out] obtained A pointer to store the obtained information.
+ *
+ * @return The domain name or NULL if an error occurred.
+ */
+_PUBLIC_ const char *cli_credentials_get_domain_and_obtained(
+	struct cli_credentials *cred,
+	enum credentials_obtained *obtained)
+{
+	const char *domain = cli_credentials_get_domain(cred);
+
+	if (obtained != NULL) {
+		*obtained = cred->domain_obtained;
+	}
+
+	return domain;
+}
+
 
 _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
 				const char *val,
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index c3a048ecc8d..c5ffe536e07 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -127,6 +127,9 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
 			       struct loadparm_context *lp_ctx,
 			       struct keytab_container **_ktc);
 const char *cli_credentials_get_domain(struct cli_credentials *cred);
+const char *cli_credentials_get_domain_and_obtained(
+	struct cli_credentials *cred,
+	enum credentials_obtained *obtained);
 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
 						 struct loadparm_context *lp_ctx);
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index 414dd46a6b0..2cb2e6d0e34 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -48,6 +48,7 @@ static void torture_creds_init(void **state)
 	const char *username = NULL;
 	const char *domain = NULL;
 	const char *password = NULL;
+	enum credentials_obtained dom_obtained = CRED_UNINITIALISED;
 	enum credentials_obtained usr_obtained = CRED_UNINITIALISED;
 	enum credentials_obtained pwd_obtained = CRED_UNINITIALISED;
 	bool ok;
@@ -65,6 +66,11 @@ static void torture_creds_init(void **state)
 	domain = cli_credentials_get_domain(creds);
 	assert_string_equal(domain, "WURST");
 
+	domain = cli_credentials_get_domain_and_obtained(creds,
+							 &dom_obtained);
+	assert_int_equal(dom_obtained, CRED_SPECIFIED);
+	assert_string_equal(domain, "WURST");
+
 	username = cli_credentials_get_username(creds);
 	assert_null(username);
 	ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED);
-- 
2.43.0


From a72e035090075ff1b36c5d67daf5f601277bceaa Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 15:58:08 +0100
Subject: [PATCH 12/13] s3:tests: Add interactive smbget test for password
 entry

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5b38f3be8cb986aa2db3aab5c3c3d2e8739893ce)
---
 source3/script/tests/test_smbget.sh | 32 +++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 0af28c6ff89..74050f6951a 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -29,6 +29,7 @@ incdir=$(dirname $0)/../../../testprogs/blackbox
 . "${incdir}/common_test_fns.inc"
 
 samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
+samba_texpect="${BINDIR}/texpect"
 
 create_test_data()
 {
@@ -163,6 +164,33 @@ test_singlefile_smburl2()
 	return 0
 }
 
+test_singlefile_smburl_interactive()
+{
+	clear_download_area
+
+	tmpfile="$(mktemp --tmpdir="${TMPDIR}" expect_XXXXXXXXXX)"
+
+	cat >"${tmpfile}" <<EOF
+expect Password for
+send ${DOMAIN_USER_PASSWORD}\n
+EOF
+
+	USER="hanswurst" ${samba_texpect} "${tmpfile}" ${SMBGET} "smb://${DOMAIN};${DOMAIN_USER}@${SERVER_IP}/smbget/testfile"
+	ret=$?
+	rm -f "${tmpfile}"
+	if [ ${ret} -ne 0 ]; then
+		echo 'ERROR: RC does not match, expected: 0'
+		return 1
+	fi
+	cmp --silent $WORKDIR/testfile ./testfile
+	ret=$?
+	if [ ${ret} -ne 0 ]; then
+		echo 'ERROR: file content does not match'
+		return 1
+	fi
+	return 0
+}
+
 test_singlefile_authfile()
 {
 	clear_download_area
@@ -533,6 +561,10 @@ testit "download single file with smb URL including domain" \
 	test_singlefile_smburl2 ||
 	failed=$(expr $failed + 1)
 
+testit "download single file with smb URL interactive" \
+	test_singlefile_smburl_interactive ||
+	failed=$(expr $failed + 1)
+
 testit "download single file with authfile" test_singlefile_authfile ||
 	failed=$(expr $failed + 1)
 
-- 
2.43.0


From 7d13ed182ebd57d7ba38fc343b13b040f258d3a6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 13:16:53 +0100
Subject: [PATCH 13/13] s3:utils: Fix auth callback with smburl

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f2f7ed419e03e5ae8cc85f42af5b2bcf91abefe2)
---
 source3/utils/smbget.c | 40 ++++++++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
index 8d98ba24602..598607ea391 100644
--- a/source3/utils/smbget.c
+++ b/source3/utils/smbget.c
@@ -114,20 +114,48 @@ static void get_auth_data_with_context_fn(SMBCCTX *ctx,
 	const char *username = NULL;
 	const char *password = NULL;
 	const char *domain = NULL;
+	enum credentials_obtained obtained = CRED_UNINITIALISED;
 
-	username = cli_credentials_get_username(creds);
+	username = cli_credentials_get_username_and_obtained(creds, &obtained);
 	if (username != NULL) {
-		strncpy(usr, username, usr_len - 1);
+		bool overwrite = false;
+		if (usr[0] == '\0') {
+			overwrite = true;
+		}
+		if (obtained >= CRED_CALLBACK_RESULT) {
+			overwrite = true;
+		}
+		if (overwrite) {
+			strncpy(usr, username, usr_len - 1);
+		}
 	}
 
-	password = cli_credentials_get_password(creds);
+	password = cli_credentials_get_password_and_obtained(creds, &obtained);
 	if (password != NULL) {
-		strncpy(pwd, password, pwd_len - 1);
+		bool overwrite = false;
+		if (usr[0] == '\0') {
+			overwrite = true;
+		}
+		if (obtained >= CRED_CALLBACK_RESULT) {
+			overwrite = true;
+		}
+		if (overwrite) {
+			strncpy(pwd, password, pwd_len - 1);
+		}
 	}
 
-	domain = cli_credentials_get_domain(creds);
+	domain = cli_credentials_get_domain_and_obtained(creds, &obtained);
 	if (domain != NULL) {
-		strncpy(dom, domain, dom_len - 1);
+		bool overwrite = false;
+		if (usr[0] == '\0') {
+			overwrite = true;
+		}
+		if (obtained >= CRED_CALLBACK_RESULT) {
+			overwrite = true;
+		}
+		if (overwrite) {
+			strncpy(dom, domain, dom_len - 1);
+		}
 	}
 
 	smbc_set_credentials_with_fallback(ctx, domain, username, password);
-- 
2.43.0