#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Test accessing sysvol with smbclient using kerberos authentication"
## exposure: safe
## packages:
##  - univention-samba4
## roles:
## - domaincontroller_master
## - domaincontroller_backup
## - domaincontroller_slave

# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/shares.sh
. "$TESTLIBPATH/shares.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
# shellcheck source=../../lib/samba.sh
. "$TESTLIBPATH/samba.sh" || exit 137

#----create User
echo "----create User"
SAMBA="true"
MAIL="false"
KERBEROS="true"
PERSON="false"
POSIX="true"

username="$(user_randomname)"
password=univention
trap 'user_remove "$username"' INT TERM EXIT
if ! user_create "$username"; then
	fail_fast 1 "User could not be created"
fi


wait_for_replication
# force_drs_replication
wait_for_drs_replication "(sAMAccountName=$username)"

## Authentication with kinit
echo "----Authentication with kinit"
i=0
while ! output="$(echo "$password" | kinit --password-file=STDIN "$username" 2>&1)"
do
	let i=$i+1
	if [ "$i" = 10 ]; then
		fail_test 1 "kinit $username failed"
		break
	fi
	sleep 3
done

## Wait until the real domain sambaSID has been synchronized back from Samba/AD to OpenLDAP
output=$(univention-ldapsearch "uid=$username" sambaSID uidnumber)
uidNumber=$(sed -n 's/^uidNumber: //p' <<<"$output")
tmpSID="S-1-4-$uidNumber"
sambaSID=$(sed -n 's/^sambaSID: //p' <<<"$output")
i=0
while [ "$sambaSID" = "$tmpSID" ]; do
	if [ "$i" = 10 ]; then
		echo "ERROR: Waiting for SID replication from Samba still fails after 10 attempts"
		break
	fi
	echo "Waiting for SID replication from Samba, currently the sambaSID in OpenLDAP is still $tmpSID"
	sleep 1
	let i=$i+1
	## and check again
	output=$(univention-ldapsearch "uid=$username" sambaSID)
	sambaSID=$(sed -n 's/^sambaSID: //p' <<<"$output")
done

## Flushing the cache is only necessary if we do a wbinfo/smbclient before the real domain sambaSID has been written to idmap.ldb
## Let's check:
output=$(wbinfo --uid-to-sid "$uidNumber")
if [ "$output" = "$tmpSID" ]; then
	# echo "uidNumber: $uidNumber"
	# echo "wbinfo --uid-to-sid: $(wbinfo --uid-to-sid "$uidNumber")"
	# echo "wbinfo --sid-to-uid: $(wbinfo --sid-to-uid "$sambaSID")"
	# echo "wbinfo --sid-to-uid: $(wbinfo --sid-to-uid "$tmpSID")"
	echo "============================================"
	echo "Flushing Samba cache entry:"
	net cache list | grep "IDMAP/UID2SID/$uidNumber"
	net cache del "IDMAP/UID2SID/$uidNumber"
	net cache del "IDMAP/SID2XID/$sambaSID"
	# net cache del "IDMAP/SID2XID/$tmpSID"  # not necesssary, but cleaner
	echo "============================================"
fi
## Let's clean it anyway, for the sake of a clean test.
net cache del "IDMAP/UID2SID/$uidNumber" >/dev/null
net cache del "IDMAP/SID2XID/$sambaSID" >/dev/null

## Access sysvol using smbclient
echo "----Access sysvol using smbclient"
i=0
while ! output="$(smbclient "//$(hostname -f)/sysvol" -k -c "ls $domainname/Policies" 2>&1)"
do
	let i=$i+1
	if [ "$i" = 10 ]; then
		echo "$output"
		echo "================================================================"
		echo "Could not access Policies on sysvol with Kerberos authentication:"
		echo "============================================"
		echo "kinit $username"
		echo "smbclient \"//$(hostname -f)/sysvol\" -k -c \"ls $domainname/Policies\""
		echo "============================================"
		net cache list | grep "IDMAP/UID2SID/$uidNumber"
		echo "============================================"
		fail_test 1 "Could not access Policies on sysvol with Kerberos authentication"
	fi
	sleep 1
done

exit $RETVAL
