testcases/smbtorture: update selftest files

Head of samba repo when this copy was made
062dc07e9b9 (s3-libnet: avoid using lp_dns_hostname() in join code, 2025-01-14)

Signed-off-by: Sachin Prabhu <[email protected]>

Author: spuiuk

testcases/smbtorture/selftest/README

@@ -1,4 +1,4 @@
 Scripts and modules copied over from the samba source tree.
 
 At the time of copy, the samba head is at
-0caaa2d1723 (vfs: Remove shadow_copy2_get_real_filename_at(), 2024-01-11)
+062dc07e9b9 (s3-libnet: avoid using lp_dns_hostname() in join code, 2025-01-14)

testcases/smbtorture/selftest/expectedfail.d/encrypted_secrets

@@ -1,5 +1,5 @@
 # The fl2000dc environment is provisioned with the --plaintext-secrets option
-# running the ecnrypted secrets tests on it and expecting them to fail.
+# running the encrypted secrets tests on it and expecting them to fail.
 # verifies that:
 #   * --plaintext-secrets option correctly provisions a domain
 #   * the dsdb operational module correctly handles unencrypted secrets

testcases/smbtorture/selftest/expectedfail.d/kdc_test_pw_expired

@@ -0,0 +1,2 @@
+# This tests needs Password Settings Objects to work, so is expected to fail in this environment
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired\(fl2003dc\)

testcases/smbtorture/selftest/expectedfail.d/ldap-tlsverifypeer

@@ -0,0 +1,10 @@
+# These are supposed to fail as we want to verify the "tls verify peer"
+# restrictions. Note that fl2008r2dc uses a self-signed certificate
+# with does not have a crl file.
+#
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc

testcases/smbtorture/selftest/expectedfail.d/ntlm-auth

@@ -19,3 +19,7 @@
 ^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_last_only_requests\(ad_member\)
 ^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_mix_requests\(ad_member\)
 ^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_none_only_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_schannel_invalid_alter_no_padding\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_schannel_invalid_alter_tail_padding\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_schannel_invalid_auth3_no_padding\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_schannel_invalid_auth3_tail_padding\(ad_member\)

testcases/smbtorture/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls

@@ -0,0 +1,28 @@
+#
+## We assert all "ldap server require strong auth" combinations
+#
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc    # ldap server require strong auth = yes
+# fl2003dc has ldap server require strong auth = yes
+# and correct channel bindings are required for TLS
+^samba4.ldb.simple.ldaps.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc
+^samba4.ldb.simple.ldap.starttls.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc
+# ad_dc_ntvfs and fl2008r2dc have
+# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+# it means correct channel bindings are required, if the client indicated
+# explicit (even null) channel bindings are provided
+#
+# The following are in expectedfail_heimdal for now, as MIT
+# behaves differently:
+#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+#^samba4.ldb.simple.ldap.starttls.*SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
+#^samba4.ldb.simple.ldap.starttls.*SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=yes.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=no.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldap.starttls.*SASL-BIND.*ldap_testing:channel_bound=yes.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldap.starttls.*SASL-BIND.*ldap_testing:channel_bound=no.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
+^samba4.ldb.simple.ldap.starttls.*SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldap.starttls.*SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc

testcases/smbtorture/selftest/expectedfail.d/samba4.rpc.backupkey

@@ -0,0 +1,28 @@
+# We require seal and the test also runs differently against Windows 2022 with sign
+^samba4.rpc.backupkey.with.sign.backupkey.restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.restore_guid.version.3\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.restore_guid_2nd\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.unable_to_decrypt_secret\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.wrong_user_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.wrong_version_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.empty_request_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_empty_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)

testcases/smbtorture/selftest/expectedfail.d/samba4.rpc.pac.krb5

@@ -0,0 +1,5 @@
+# fl2000dc and fl2003dc don't have 'server support krb5 netlogon = yes'
+^samba4.rpc.pac.on.ncacn_np.netr-bdc-krb5.verify-sig-krb5\(fl2000dc\)
+^samba4.rpc.pac.on.ncacn_np.netr-mem-krb5.verify-sig-krb5\(fl2000dc\)
+^samba4.rpc.pac.on.ncacn_np.netr-bdc-krb5.verify-sig-krb5\(fl2003dc\)
+^samba4.rpc.pac.on.ncacn_np.netr-mem-krb5.verify-sig-krb5\(fl2003dc\)

testcases/smbtorture/selftest/flapping.d/gitlab-setxattr-security

@@ -0,0 +1,18 @@
+# gitlab runners with kernel 5.15.109+
+# allow setxattr() on security.NTACL
+#
+# It's not clear in detail why there's a difference
+# between various systems, one reason could be that
+# with selinux inode_owner_or_capable() is used to check
+# setxattr() permissions:
+# it checks for the fileowner too, as well as CAP_FOWNER.
+# Otherwise cap_inode_setxattr() is used, which checks for
+# CAP_SYS_ADMIN.
+#
+# But the kernel doesn't have selinux only apparmor...
+#
+# test_setntacl_forcenative expects
+# PermissionError: [Errno 1] Operation not permitted
+#
+# So for now we allow this to fail...
+^samba.tests.ntacls.samba.tests.ntacls.NtaclsTests.test_setntacl_forcenative.none