From 78ffcd0164fe3b01511f8f7bffe1a2904d8f872e Mon Sep 17 00:00:00 2001 From: root <3c2b2ff5@inbox.ru> Date: Thu, 7 Nov 2019 21:12:40 +0100 Subject: [PATCH] Install samba4 AD and test nsscache --- .travis.yml | 36 ++++++++++------ tests/nsscache.conf | 103 ++++++++++++++++++++++++++++++++++++++++++++ tests/samba.sh | 80 +++++++++++++++------------------- 3 files changed, 160 insertions(+), 59 deletions(-) create mode 100644 tests/nsscache.conf diff --git a/.travis.yml b/.travis.yml index 3b22d8e4..905eaa3c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,22 +1,30 @@ language: python install: - - travis_retry sudo apt-get update -qq - - travis_retry sudo apt-get install -y libnss-db libdb-dev libcurl4-gnutls-dev libgnutls28-dev libldap2-dev libsasl2-dev - - pip install . - - travis_retry pip install -r requirements.txt - - pip install yapf + - travis_retry sudo apt-get update -qq + - travis_retry sudo apt-get install -y libnss-db libdb-dev libcurl4-gnutls-dev libgnutls28-dev libldap2-dev libsasl2-dev + - pip install . + - travis_retry pip install -r requirements.txt + - pip install yapf + +addons: + hosts: + - local.domain script: - - PYTHONTRACEMALLOC=1 python runtests.py -vvv - - python setup.py install --root=/tmp/nsscache - #- yapf --diff --recursive . | tee /dev/tty | wc -l | xargs test 0 -eq || echo "Please format your code (with `yapf`)" + - PYTHONTRACEMALLOC=1 python3 runtests.py -vvv + - python3 setup.py install --root=/tmp/nsscache + #- yapf --diff --recursive . | tee /dev/tty | wc -l | xargs test 0 -eq || echo "Please format your code (with `yapf`)" + - sudo /bin/sh -c tests/samba.sh + - sudo -E $(which python3) $(which nsscache) -c tests/nsscache.conf --debug verify + - sudo -E $(which python3) $(which nsscache) -c tests/nsscache.conf --debug update --full python: - - "3.7" - - "3.8" - - "nightly" + - "3.7" + - "3.8" + - "nightly" + matrix: - fast_finish: true - allow_failures: - - python: nightly + fast_finish: true + allow_failures: + - python: nightly 
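Review bot: The new `sudo /bin/sh -c tests/samba.sh` line does not run the script under `sh` at all — `sh -c` with a bare path just execs the file through its own shebang (it is mode 100755), so the `/bin/sh -c` wrapper is a misleading no-op, and anyone who "simplifies" it to `sh tests/samba.sh` will break the bash arrays (`PACKAGES=(...)`, `"${PACKAGES[@]}"`) the script relies on. Prefer being explicit about the interpreter, e.g. `- sudo bash -e tests/samba.sh`, which also makes the provisioning step fail the job on the first error rather than letting the later `verify` run against a half-provisioned domain (no `set -e` is visible in the parts of samba.sh shown in this patch; its first two lines are outside the hunks, so confirm). The `-E` on the two `sudo … nsscache` lines exports the whole Travis environment to a root process; if nothing in nsscache needs it, drop `-E` or pass only `NSSCACHE_CONFIG`.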
diff --git a/tests/nsscache.conf b/tests/nsscache.conf new file mode 100644 index 00000000..edece724 --- /dev/null +++ b/tests/nsscache.conf 
@@ -0,0 +1,103 @@ +# Example /etc/nsscache.conf - configuration for nsscache +# +# nsscache loads a config file from the environment variable NSSCACHE_CONFIG +# +# By default this is /etc/nsscache.conf +# +# Commented values are overrideable defaults, uncommented values +# require you to set them. + +[DEFAULT] + +# Default NSS data source module name +source = ldap + +# Default NSS data cache module name; 'files' is compatible with the +# libnss-cache NSS module. 'nssdb' is deprecated, and should not be used for +# new installations. +cache = files + +# NSS maps to be cached +maps = passwd, group, shadow + +# Directory to store our update/modify timestamps +timestamp_dir = /var/lib/nsscache + +# Lockfile to use for update/repair operations +lockfile = /var/run/nsscache + +# Defaults for specific modules; prefaced with "modulename_" + +## +# ldap module defaults. +# + +# Enable to connect to Active Directory. +# Leave disabled if connecting to openldap or slapd +ldap_ad = 1 + +# LDAP URI to query for NSS data +ldap_uri = ldaps://local.domain + +# Default LDAP search scope +ldap_scope = sub + +# Default LDAP BIND DN, empty string is an anonymous bind +ldap_bind_dn = administrator@local.domain + +# Default LDAP password, empty DN and empty password is used for +# anonymous binds +ldap_bind_password = 4dm1n_s3cr36_v3ry_c0mpl3x + +# Default setting for requiring tls certificates, one of: +# never, hard, demand, allow, try +ldap_tls_require_cert = 'never' + +# Default directoy for trusted CAs +ldap_tls_cacertdir = '/etc/ssl/certs/' + +# Default filename for trusted CAs +ldap_tls_cacertfile = '/etc/ssl/certs/ad.pem' + +# Replace all users' shells with the specified one. +ldap_override_shell = '/bin/bash' + +# Set directory for all users in passwd under /home. +ldap_home_dir = 1 + +# Debug logging +ldap_debug = 3 + +# Directory to store nssdb databases. 
Current libnss_db code requires +# the path below +nssdb_dir = /var/lib/misc + +## +# files module defaults + +# Directory to store the plain text files +files_dir = /etc + +# Suffix used on the files module database files +files_cache_filename_suffix = cache + +### +# Optional per-map sections, if present they will override the above +# defaults. The examples below show you some common values to override +# + +[passwd] +ldap_base = DC=local,DC=domain +ldap_filter = (&(objectCategory=User)(memberOf=CN=Admins,CN=Users,DC=local,DC=domain)) + +[group] +ldap_base = DC=local,DC=domain +ldap_filter = (|(&(objectCategory=Group)(CN=Admins))(&(objectCategory=User)(memberOf=CN=Admins,CN=Users,DC=local,DC=domain))) + +[shadow] +ldap_base = DC=local,DC=domain +ldap_filter = (&(objectCategory=User)(memberOf=CN=Admins,CN=Users,DC=local,DC=domain)) + +[suffix] +prefix = "" +suffix = "" diff --git a/tests/samba.sh b/tests/samba.sh index a9f757cb..eb086e87 100755 --- a/tests/samba.sh +++ b/tests/samba.sh @@ -3,13 +3,12 @@ export DEBIAN_FRONTEND=noninteractive apt-get update -apt-get upgrade -y -apt-get dist-upgrade -y PACKAGES=( 'samba' +'samba-dsdb-modules' +'samba-vfs-modules' 'winbind' -'resolvconf' 'heimdal-clients' ) 
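Review bot: `ldap_tls_require_cert = 'never'` turns off server-certificate verification for the `ldaps://local.domain` connection, which makes the `ldap_tls_cacertfile = '/etc/ssl/certs/ad.pem'` setting (and the CA installation done in samba.sh) dead weight — the session is encrypted but the peer is not authenticated. That is acceptable for a loopback CI fixture, but this file is headed "Example /etc/nsscache.conf" and is the obvious copy-paste source for real deployments, so the bypass should be labelled; presumably it is needed because Samba's provisioned certificate is issued for the CI host name rather than `local.domain` (confirm). Suggested comment above the setting: `# CI ONLY: verification is disabled because the self-signed Samba cert does not match local.domain. Real deployments must use 'demand' together with ldap_tls_cacertfile.` Likewise the cleartext domain-admin `ldap_bind_password` sits in a file created with mode 100644; add `# keep this file mode 0600 — it holds a privileged bind password` next to it so the example does not normalise a world-readable credential.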
@@ -19,56 +18,25 @@ for package in "${PACKAGES[@]}"; do done # Samba must not be running during the provisioning -rm -fr /etc/systemd/system/samba-ad-dc.service -/usr/bin/systemctl daemon-reload -/usr/bin/systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service -/usr/bin/systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service +service smbd stop +service nmbd stop +service winbind stop +service samba-ad-dc stop # Domain provision -echo '' > /etc/samba/smb.conf && samba-tool domain provision --realm=LOCAL.DOMAIN --domain=LOCAL --server-role='dc' --dns-backend='SAMBA_INTERNAL' --option 'dns forwarder'='127.0.0.1' --adminpass='4dm1n_s3cr36_v3ry_c0mpl3x' --use-rfc2307 -d 1 - -# Add name server -cat > '/etc/resolvconf/resolv.conf.d/head' << EOF -nameserver 127.0.0.1 -EOF - -# Kerberos settings -rm -fr /etc/krb5.conf -cp /var/lib/samba/private/krb5.conf /etc/ +rm -fr /etc/samba/smb.conf +/usr/bin/samba-tool domain provision --realm=LOCAL.DOMAIN --domain=LOCAL --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='4dm1n_s3cr36_v3ry_c0mpl3x' --use-rfc2307 -d 1 # Start samba-ad-dc service only rm -fr /etc/systemd/system/samba-ad-dc.service -/usr/bin/systemctl daemon-reload -/usr/bin/systemctl start samba-ad-dc.service -/usr/bin/systemctl enable samba-ad-dc.service - -# I don't know if this is needed for CI environment -cat > '/etc/network/interfaces' << EOF -auto lo -iface lo inet loopback - -allow-hotplug eth0 - iface eth0 inet static - address 127.0.0.1 - netmask 255.255.255.0 - gateway 127.0.0.1 - dns-nameservers 127.0.0.1 - dns-search local.domain - pre-up /sbin/ip link set eth0 up -EOF - -# Request a kerberos ticket -cat > '/root/.kinit' << EOF -4dm1n_s3cr36_v3ry_c0mpl3x -EOF - -/usr/bin/kinit --password-file="/root/.kinit" administrator@LOCAL.DOMAIN +service samba-ad-dc start # Add users and groups /usr/bin/samba-tool user create user1 --use-username-as-cn --surname=Test1 --given-name=User1 --random-password 
/usr/bin/samba-tool user create user2 --use-username-as-cn --surname=Test2 --given-name=User2 --random-password /usr/bin/samba-tool user create user3 --use-username-as-cn --surname=Test3 --given-name=User3 --random-password /usr/bin/samba-tool user create user4 --use-username-as-cn --surname=Test4 --given-name=User4 --random-password +/usr/bin/samba-tool user create user5 --use-username-as-cn --surname=Test5 --given-name=User5 --random-password # Add some groups /usr/bin/samba-tool group add IT @@ -78,6 +46,28 @@ EOF # Create members /usr/bin/samba-tool group addmembers IT Admins,Devs,DevOps,user1 -/usr/bin/samba-tool group addmembers Admins user2 -/usr/bin/samba-tool group addmembers Devs user3 -/usr/bin/samba-tool group addmembers DevOps user4 +/usr/bin/samba-tool group addmembers Admins user2,user3 +/usr/bin/samba-tool group addmembers Devs user4 +/usr/bin/samba-tool group addmembers DevOps user5 + +# Add AD certificate +echo -n | openssl s_client -connect localhost:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/ad.crt +update-ca-certificates + +# Add cache to nsswitch +cat > '/etc/nsswitch.conf' << EOF +passwd: files cache +group: files cache +shadow: files cache +gshadow: files + +hosts: files dns +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis +EOF
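Review bot: The hunk keeps `rm -fr /etc/systemd/system/samba-ad-dc.service` but drops the `systemctl daemon-reload` that used to follow it, so on a systemd host systemd still considers the unit masked (that `/etc/systemd/system` entry is the distro's mask symlink) and `service samba-ad-dc start` can be refused with "Unit is masked" — whether the Travis image is systemd-based is not visible here, so confirm, but the reload is cheap and harmless when it is not. Suggested lines: `rm -f /etc/systemd/system/samba-ad-dc.service`, `command -v systemctl >/dev/null && systemctl daemon-reload`, `service samba-ad-dc start`. Separately, none of the `service … stop/start` calls or `samba-tool domain provision` are checked, and no `set -e` appears in the visible part of the script (its header is outside the hunks); a failed provision will surface only as a confusing nsscache error later in the job. The domain admin password still travels on the `--adminpass=` command line of `samba-tool`, visible to any user via `ps`; that is pre-existing and tolerable in CI, but worth a `# CI fixture: test-only password` comment so it is not copied.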
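Review bot: The certificate capture `echo -n | openssl s_client -connect localhost:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/ad.crt` runs immediately after `service samba-ad-dc start` with no wait or status check: if the LDAPS listener is not up yet, `s_client` fails, the redirection still creates an empty `ad.crt`, `update-ca-certificates` installs nothing useful, and the failure only shows up later as an opaque TLS error from nsscache. It is also trust-on-first-use — whatever answers on port 636 becomes a system CA — which is fine on loopback in CI but should be commented as such; Samba writes its generated CA during provision (`/var/lib/samba/private/tls/ca.pem` on Debian-style layouts, confirm for the image), and copying that file instead of scraping the socket would avoid both the race and the TOFU. The minimal fix below keeps the socket approach but retries until the listener answers and aborts on an empty result.
```shell
# Add AD certificate (CI only: trust-on-first-use against the local DC).
# Retry until the LDAPS listener answers, then fail loudly if nothing was captured.
ad_crt=/usr/local/share/ca-certificates/ad.crt
for _ in {1..30}; do
  openssl s_client -connect localhost:636 </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$ad_crt" && break
  sleep 1
done
test -s "$ad_crt" || { echo "could not fetch AD certificate from localhost:636" >&2; exit 1; }
update-ca-certificates
# … unchanged: nsswitch.conf heredoc …
```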