The branch, master has been updated
       via  4b68871 ntlm_auth: added require-membership tests
       via  6608402 torture: test_ntlm_auth.py now has a require-membership-of 
argument
      from  ca1e4af As David Woodhouse points out, this breaks backwards 
compatibility.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4b68871ae80d1834f5f5cecb0ab65ca9abb283bc
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Wed Jun 11 17:07:44 2014 +1200

    ntlm_auth: added require-membership tests
    
    (updated by abartlet to fix knownfail changes due to AD DC winbindd
    use in master)
    Change-Id: Iec41fbfc0f501888fd16323bf78da61aa549b4de
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by:
    Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Kamen Mazdrashki <kame...@samba.org>
    
    Autobuild-User(master): Kamen Mazdrashki <kame...@samba.org>
    Autobuild-Date(master): Tue Jul 15 15:59:49 CEST 2014 on sn-devel-104

commit 66084025273ee8c793e6a947f69579ec0f0a7640
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Fri Jul 4 12:50:37 2014 +1200

    torture: test_ntlm_auth.py now has a require-membership-of argument
    
    Change-Id: I90c2172af792a082fbf49ee0ab7d6eedf5471440
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Kamen Mazdrashki <kame...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail                        |    2 +
 source3/script/tests/test_ntlm_auth_s3.sh |   74 +++++++++++++++++++++++++++++
 source3/torture/test_ntlm_auth.py         |    7 +++
 3 files changed, 83 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 7d1702d..214a170 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -298,3 +298,5 @@
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -U check for sane 
mapping\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G against 
s3member\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G check for sane 
mapping\(s3member:local\)
+^samba.ntlm_auth.\(dc:local\).ntlm_auth against winbindd with failed 
require-membership-of
+^samba.ntlm_auth.\(dc:local\).ntlm_auth with NTLMSSP gss-spnego-client and 
gss-spnego server against winbind with failed require-membership-of
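Review bot: Both added entries mark the "failed require-membership-of" cases as expected failures for `dc:local`, so in that environment nothing asserts that a non-matching SID is actually rejected. The commit message attributes the knownfail change to AD DC winbindd use in master, but the file itself records no reason. If this file accepts `#` comments, as Samba's selftest lists appear to, add one above the entries, e.g. `# negative require-membership-of tests fail against the AD DC winbindd; remove when fixed`. That keeps the gap in the access-restriction check tracked rather than silently tolerated.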
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh 
b/source3/script/tests/test_ntlm_auth_s3.sh
index ca7a952..655556b 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -19,8 +19,73 @@ ADDARGS="$*"
 incdir=`dirname $0`/../../../testprogs/blackbox
 . $incdir/subunit.sh
 
+SID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1`
+BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
+
 failed=0
 
+test_interactive_prompt_stdout()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       cat > $tmpfile <<EOF
+$DOMAIN/$USERNAME $PASSWORD
+EOF
+       cmd='$NTLM_AUTH "$@" --require-membership-of=$SID 
--helper-protocol=squid-2.5-basic < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "OK" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # authenticated .. succeed
+               true
+       else
+               echo failed to get successful authentication
+               false
+       fi
+}
+
+test_interactive_prompt_stdout_fail()
+{
+       tmpfile=$PREFIX/ntlm_commands
+
+       cat > $tmpfile <<EOF
+$DOMAIN\\$USERNAME $PASSWORD
+EOF
+       cmd='$NTLM_AUTH "$@" --require-membership-of=$BADSID 
--helper-protocol=squid-2.5-basic < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=`eval $cmd`
+       ret=$?
+       rm -f $tmpfile
+
+       if [ $ret != 0 ] ; then
+               echo "$out"
+               echo "command failed"
+               false
+               return
+       fi
+
+       echo "$out" | grep "ERR" >/dev/null 2>&1
+
+       if [ $? = 0 ] ; then
+               # failed to authenticate .. success
+               true
+       else
+               echo "incorrectly gave a successful authentication"
+               false
+       fi
+}
+
 testit "ntlm_auth" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH 
$ADDARGS || failed=`expr $failed + 1`
 # This should work even with NTLMv2
 testit "ntlm_auth with specified domain" $PYTHON 
$SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo 
--server-domain=fOo || failed=`expr $failed + 1`
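Review bot: `test_interactive_prompt_stdout_fail` cannot tell a membership rejection from any other authentication failure, because it only greps for `ERR` and its here-document writes the credentials as `$DOMAIN\\$USERNAME` while the passing variant uses `$DOMAIN/$USERNAME`. Use the same credential line in both functions, `$DOMAIN/$USERNAME $PASSWORD`, so that `$BADSID` is the only thing that differs between the positive and the negative case. `SID` and `BADSID` are also taken from `wbinfo -n` without checking that the lookup returned anything; a guard such as `[ -n "$SID" ] || { echo "wbinfo lookup failed"; exit 1; }` after the assignments would stop the tests from running with an empty `--require-membership-of=`. The `testit_expect_failure` calls in the next hunk look to share the first problem, since presumably any failing run of test_ntlm_auth.py is counted as the expected rejection.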
@@ -30,4 +95,13 @@ testit "ntlm_auth with NTLMSSP gss-spnego-client and 
gss-spnego server" $PYTHON
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against 
winbind" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH 
--client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD 
--server-use-winbindd --client-helper=gss-spnego-client 
--server-helper=gss-spnego $ADDARGS || failed=`expr $failed + 1`
 
 
+testit "ntlm_auth against winbindd with require-membership-of" $PYTHON 
$SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME 
--client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd 
$ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1`
+testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against 
winbind with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py 
$NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN 
--client-password=$PASSWORD --server-use-winbindd 
--client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS 
--require-membership-of=$SID || failed=`expr $failed + 1`
+
+testit_expect_failure "ntlm_auth against winbindd with failed 
require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH 
--client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD 
--server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr 
$failed + 1`
+testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego 
server against winbind with failed require-membership-of" $PYTHON 
$SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME 
--client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd 
--client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS 
--require-membership-of=$BADSID && failed=`expr $failed + 1`
+
+testit "ntlm_auth plaintext authentication with require-membership-of" 
test_interactive_prompt_stdout || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with failed require-membership-of" 
test_interactive_prompt_stdout_fail || failed=`expr $failed + 1`
+
 testok $0 $failed
diff --git a/source3/torture/test_ntlm_auth.py 
b/source3/torture/test_ntlm_auth.py
index cb181be..d17af9b 100755
--- a/source3/torture/test_ntlm_auth.py
+++ b/source3/torture/test_ntlm_auth.py
@@ -97,6 +97,8 @@ def parseCommandLine():
                                help="Helper mode for the ntlm_auth server. 
[default: squid-2.5-server]")
        parser.add_option("--server-use-winbindd", dest="server_use_winbindd",\
                                help="Use winbindd to check the password 
(rather than default username/pw)", action="store_true")
+       parser.add_option("--require-membership-of", dest="sid",\
+                               help="Require that the user is a member of this 
group to authenticate.")
 
 
        parser.add_option("-s", "--configfile", dest="config_file",\
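Review bot: The help string for `--require-membership-of` says "this group", while the value is stored as `opts.sid` and the shell tests in this commit pass the user's own SID obtained from `wbinfo -n $USERNAME`. It also does not mention that the option is only accepted together with `--server-use-winbindd`, which the second hunk of this file enforces with an exception in main(). Suggested wording: `help="Require that the user is a member of this group (SID or name) to authenticate; only valid with --server-use-winbindd."`. parseCommandLine's body starts and ends outside the hunk.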
@@ -180,6 +182,11 @@ def main():
                        server_args.append("--username=%s" % 
opts.server_username)
                        server_args.append("--password=%s" % 
opts.server_password)
                        server_args.append("--domain=%s" % opts.server_domain)
+                       if opts.sid:
+                               raise Exception("Server must be using winbindd 
for require-membership-of.")
+               else:
+                       if opts.sid:
+                               server_args.append("--require-membership-of=%s" 
% opts.sid)
 
                server_args.append("--configfile=%s" % opts.config_file)
 
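Review bot: The `raise Exception(...)` for `--require-membership-of` without winbindd fires in the middle of main(), after `server_args` has started being built, and surfaces as a traceback rather than a usage error. Because the shell tests treat a failing run as the expected outcome for `$BADSID`, an option mistake reported this way is indistinguishable from a real membership rejection. Prefer validating the combination where the options are parsed, e.g. `if opts.sid and not opts.server_use_winbindd: parser.error("--require-membership-of requires --server-use-winbindd")`, assuming `parser` is still in scope at the end of parseCommandLine. The enclosing `if` and the rest of main() lie outside the hunk, so the exact branch condition is inferred from the `else:` and the error message.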


-- 
Samba Shared Repository
