The branch, master has been updated via 4b68871 ntlm_auth: added require-membership tests via 6608402 torture: test_ntlm_auth.py now has a require-membership-of argument from ca1e4af As David Woodhouse points out, this breaks backwards compatibility.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 4b68871ae80d1834f5f5cecb0ab65ca9abb283bc Author: Garming Sam <garm...@catalyst.net.nz> Date: Wed Jun 11 17:07:44 2014 +1200 ntlm_auth: added require-membership tests (updated by abartlet to fix knownfail changes due to AD DC winbindd use in master) Change-Id: Iec41fbfc0f501888fd16323bf78da61aa549b4de Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Kamen Mazdrashki <kame...@samba.org> Autobuild-User(master): Kamen Mazdrashki <kame...@samba.org> Autobuild-Date(master): Tue Jul 15 15:59:49 CEST 2014 on sn-devel-104 commit 66084025273ee8c793e6a947f69579ec0f0a7640 Author: Garming Sam <garm...@catalyst.net.nz> Date: Fri Jul 4 12:50:37 2014 +1200 torture: test_ntlm_auth.py now has a require-membership-of argument Change-Id: I90c2172af792a082fbf49ee0ab7d6eedf5471440 Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Kamen Mazdrashki <kame...@samba.org> ----------------------------------------------------------------------- Summary of changes: selftest/knownfail | 2 + source3/script/tests/test_ntlm_auth_s3.sh | 74 +++++++++++++++++++++++++++++ source3/torture/test_ntlm_auth.py | 7 +++ 3 files changed, 83 insertions(+), 0 deletions(-) Changeset truncated at 500 lines:
diff --git a/selftest/knownfail b/selftest/knownfail
index 7d1702d..214a170 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -298,3 +298,5 @@
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -U check for sane mapping\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G against s3member\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G check for sane mapping\(s3member:local\)
+^samba.ntlm_auth.\(dc:local\).ntlm_auth against winbindd with failed require-membership-of
+^samba.ntlm_auth.\(dc:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index ca7a952..655556b 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
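Review bot: The two patterns added to knownfail are exactly the negative `require-membership-of` cases for `dc:local`, and they go in without a comment saying why they are expected to fail. Since those cases are run through `testit_expect_failure` in test_ntlm_auth_s3.sh, a known failure here presumably means ntlm_auth accepted the login despite the bad SID, so the denial path is not being checked in that environment. I would add a `#` comment above the two entries stating the reason (the commit message points at the AD DC winbindd) and what has to change before they can be removed.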
@@ -19,8 +19,73 @@ ADDARGS="$*" incdir=`dirname $0`/../../../testprogs/blackbox . $incdir/subunit.sh +SID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1` +BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'` + failed=0 +test_interactive_prompt_stdout() +{ + tmpfile=$PREFIX/ntlm_commands + + cat > $tmpfile <<EOF +$DOMAIN/$USERNAME $PASSWORD +EOF + cmd='$NTLM_AUTH "$@" --require-membership-of=$SID --helper-protocol=squid-2.5-basic < $tmpfile 2>&1' + eval echo "$cmd" + out=`eval $cmd` + ret=$? + rm -f $tmpfile + + if [ $ret != 0 ] ; then + echo "$out" + echo "command failed" + false + return + fi + + echo "$out" | grep "OK" >/dev/null 2>&1 + + if [ $? = 0 ] ; then + # authenticated .. succeed + true + else + echo failed to get successful authentication + false + fi +} + +test_interactive_prompt_stdout_fail() +{ + tmpfile=$PREFIX/ntlm_commands + + cat > $tmpfile <<EOF +$DOMAIN\\$USERNAME $PASSWORD +EOF + cmd='$NTLM_AUTH "$@" --require-membership-of=$BADSID --helper-protocol=squid-2.5-basic < $tmpfile 2>&1' + eval echo "$cmd" + out=`eval $cmd` + ret=$? + rm -f $tmpfile + + if [ $ret != 0 ] ; then + echo "$out" + echo "command failed" + false + return + fi + + echo "$out" | grep "ERR" >/dev/null 2>&1 + + if [ $? = 0 ] ; then + # failed to authenticate .. success + true + else + echo "incorrectly gave a successful authentication" + false + fi +} + testit "ntlm_auth" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS || failed=`expr $failed + 1` # This should work even with NTLMv2 testit "ntlm_auth with specified domain" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo || failed=`expr $failed + 1` 
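Review bot: `test_interactive_prompt_stdout_fail` differs from the passing variant in two ways, not one: it feeds the helper `$DOMAIN\\$USERNAME` where `test_interactive_prompt_stdout` feeds `$DOMAIN/$USERNAME`, and it passes `$BADSID`. Because the check is only `grep "ERR"`, an error caused by the separator or by a rejected password would also count as a pass, so the test does not isolate the membership denial; using the same `$DOMAIN/$USERNAME $PASSWORD` line in both functions would fix that. `BADSID` is made by cutting the last two characters off the user's SID with `sed 's/..$//'`, which for a short RID may leave a string ending in `-` and in principle could yield another valid SID; a fixed, well-formed SID that the user is known not to hold would make the negative case deterministic. Both functions also write `$PASSWORD` to the shared fixed path `$PREFIX/ntlm_commands`, where a `mktemp` file would avoid the predictable name.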
@@ -30,4 +95,13 @@ testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server" $PYTHON testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS || failed=`expr $failed + 1` +testit "ntlm_auth against winbindd with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1` +testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1` + +testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1` +testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1` + +testit "ntlm_auth plaintext authentication with require-membership-of" test_interactive_prompt_stdout || failed=`expr $failed + 
1` +testit "ntlm_auth plaintext authentication with failed require-membership-of" test_interactive_prompt_stdout_fail || failed=`expr $failed + 1` + testok $0 $failed diff --git a/source3/torture/test_ntlm_auth.py b/source3/torture/test_ntlm_auth.py index cb181be..d17af9b 100755 --- a/source3/torture/test_ntlm_auth.py +++ b/source3/torture/test_ntlm_auth.py @@ -97,6 +97,8 @@ def parseCommandLine(): help="Helper mode for the ntlm_auth server. [default: squid-2.5-server]") parser.add_option("--server-use-winbindd", dest="server_use_winbindd",\ help="Use winbindd to check the password (rather than default username/pw)", action="store_true") + parser.add_option("--require-membership-of", dest="sid",\ + help="Require that the user is a member of this group to authenticate.") parser.add_option("-s", "--configfile", dest="config_file",\ @@ -180,6 +182,11 @@ def main(): server_args.append("--username=%s" % opts.server_username) server_args.append("--password=%s" % opts.server_password) server_args.append("--domain=%s" % opts.server_domain) + if opts.sid: + raise Exception("Server must be using winbindd for require-membership-of.") + else: + if opts.sid: + server_args.append("--require-membership-of=%s" % opts.sid) server_args.append("--configfile=%s" % opts.config_file) -- Samba Shared Repository
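Review bot: The positive cases pass `--require-membership-of=$SID`, and `SID` is set in the first hunk of this file from `wbinfo -n $USERNAME`, so they only ever check the user's own SID and never a group the user is a member of. If ntlm_auth resolves group membership on a different path from a direct user-SID match (not visible here), that path stays untested; an extra `testit` using the SID of a group that contains `$USERNAME` would cover it. The `testit_expect_failure ... && failed=...` lines depend on that helper returning the command's exit status, which is defined in subunit.sh outside this diff, so a one-line comment above them saying so would help the next reader.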
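Review bot: The conflict between `--require-membership-of` and a server that is not using winbindd is reported with a bare `raise Exception(...)` in `main()`, so the user gets a traceback rather than a usage error. This is option validation, so I would do it where the options are parsed, e.g. `if opts.sid and not opts.server_use_winbindd: parser.error("--require-membership-of requires --server-use-winbindd")`, assuming the branch shown is the non-winbindd one (the enclosing `if` starts outside the hunk). The added `else:` holding a lone `if opts.sid:` could then be written as `elif opts.sid:`. In the first hunk of this file, `dest="sid"` would read better as `dest="require_membership_of"` so the attribute matches the flag name.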