#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Test accessing sysvol with smbclient using kerberos authentication"
## exposure: safe
## packages:
##  - univention-samba4
## roles:
## - domaincontroller_master
## - domaincontroller_backup
## - domaincontroller_slave

# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137
# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/shares.sh
. "$TESTLIBPATH/shares.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
# shellcheck source=../../lib/samba.sh
. "$TESTLIBPATH/samba.sh" || exit 137

#----create User
echo "----create User"
SAMBA="true"
MAIL="false"
KERBEROS="true"
PERSON="false"
POSIX="true"

username="$(user_randomname)"
password=univention
trap 'user_remove "$username"' INT TERM EXIT
user_create "$username" ||
	fail_fast 1 "User could not be created"


wait_for_replication
# force_drs_replication
wait_for_drs_replication "(sAMAccountName=$username)"

## Authentication with kinit
echo "----Authentication with kinit"
try_auth_kinit () {
	echo "$password" | kinit --password-file=STDIN "$username" 2>&1
}
retry_delay=3 retry 10 try_auth_kinit ||
	fail_test 1 "kinit $username failed"

## Wait until the real domain sambaSID has been synchronized back from Samba/AD to OpenLDAP
uidNumber=$(univention-ldapsearch "uid=$username" sambaSID uidNumber | VAL uidNumber)
tmpSID="S-1-4-$uidNumber"
wait_sambaSID () {
	sambaSID=$(univention-ldapsearch "uid=$username" sambaSID | VAL sambaSID)
	[ "$sambaSID" != "$tmpSID" ]
}
retry 10 wait_sambaSID ||
		echo "ERROR: Waiting for SID replication from Samba still fails after 10 attempts"

## Flushing the cache is only necessary if we do a wbinfo/smbclient before the real domain sambaSID has been written to idmap.ldb
## Let's check:
output=$(wbinfo --uid-to-sid "$uidNumber")
if [ "$output" = "$tmpSID" ]; then
	# echo "uidNumber: $uidNumber"
	# echo "wbinfo --uid-to-sid: $(wbinfo --uid-to-sid "$uidNumber")"
	# echo "wbinfo --sid-to-uid: $(wbinfo --sid-to-uid "$sambaSID")"
	# echo "wbinfo --sid-to-uid: $(wbinfo --sid-to-uid "$tmpSID")"
	echo "============================================"
	echo "Flushing Samba cache entry:"
	net cache list | grep "IDMAP/UID2SID/$uidNumber"
	net cache del "IDMAP/UID2SID/$uidNumber"
	net cache del "IDMAP/SID2XID/$sambaSID"
	# net cache del "IDMAP/SID2XID/$tmpSID"  # not necesssary, but cleaner
	echo "============================================"
fi
## Let's clean it anyway, for the sake of a clean test.
net cache del "IDMAP/UID2SID/$uidNumber" >/dev/null
net cache del "IDMAP/SID2XID/$sambaSID" >/dev/null

## Access sysvol using smbclient
echo "----Access sysvol using smbclient"
try_ls () {
	output="$(smbclient "//$(hostname -f)/sysvol" -k -c "ls $domainname/Policies" 2>&1)"
}
retry 10 try_ls || {
		echo "$output"
		echo "================================================================"
		echo "Could not access Policies on sysvol with Kerberos authentication:"
		echo "============================================"
		echo "kinit $username"
		echo "smbclient \"//$(hostname -f)/sysvol\" -k -c \"ls $domainname/Policies\""
		echo "============================================"
		net cache list | grep "IDMAP/UID2SID/$uidNumber"
		echo "============================================"
		fail_test 1 "Could not access Policies on sysvol with Kerberos authentication"
}

exit "$RETVAL"
