LSA forest trust tests

Andrew Bartlett abartlet at samba.org
Mon Dec 12 13:32:15 MST 2011 

On Mon, 2011-12-12 at 09:57 +0100, Sumit Bose wrote:
> On Sat, Dec 10, 2011 at 03:07:01PM +1100, Andrew Bartlett wrote:
> > Sumit,
> > 
> > I've been looking into the rpc.lsa.forest.trust test that you wrote,
> > because running it against Samba4 found some segfaults, and it looks
> > like a really good way to properly cover our inter-domain trust logic.  
> > 
> > However in doing this, I have some questions:
> > 
> > Which version of windows and what functional level is this expected to
> > pass against? I'm guessing it was written to Win2008 with functional
> > level Windows 2000, but I wanted to double-check.  
> 
> I think it was Win2008 with a functional level Win2008, but I'm not sure
> since I delete the test environment some time ago. I did test with
> Windows 2003 R3 as well, but mostly I used Win2008. So chances are that
> the current version might have some issues with 2003 as you mention
> below.
> 
> > 
> > The reason that I'm a little confused is that this test expects that
> > both LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES exist, and
> > TRUST_ATTRIBUTE_FOREST_TRANSITIVE be supported.  I've been testing with
> > Windows 2003 R2 in functional level Windows 2003 R2, and that particular
> > combination supports neither, so I have modified the test to cope.
> > 
> 
> ok
> 
> > I also cannot find any instance where this test is currently run in
> > Samba, so I presume it was written for some manual testing.  Can you
> > fill me in on any details I should know of, so I can avoid breaking it
> > as I fix up the test?
> 
> I used the test primarily to test the work I did for IPA. Günther is
> planning to enhance tdbsam so that the tests can also be used with 'make
> check'. Since he hasn't started I think your changes will not break
> anything.
> 
> > 
> > I would also like to modify the test to not use a fixed password, but to
> > generate a random one at runtime.  This will avoid leaving fixed
> > passwords on domains that may have been placed under test if the test is
> > interrupted and the trust not removed.  Would that be OK?
> 
> Yes, please do. It would be nice if you can send me a note when you are
> done. Then I will check if my environment still passes the new tests
> which I expect to be more rigid and profound than my simple ones.

Thanks.  I'll push my current simple fixes, and hope to rework the
testsuite as I get time.  Even as it is, this is an important testsuite,
and having it in use will help ensure it keeps working into the future.

In terms of changes, I hope to make much more use of the
torture_assert() macros, rather than the current comment and return
false.  This will integrate much more cleanly with our subunit
framework.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list