The branch, master has been updated via fe7ab7d5132 tests/ntlm_auth: Port ntlm_auth_diagnostics tests to python via 4846d4a7136 selftest: Remove test_ntlm_auth.py helper via 129ab34baf0 tests/ntlm_auth: Port ntlm_auth_krb5 tests to python via 91c4f260360 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with incorrect fixed password against winbind via 3ae7095bbee tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid via 8d4258f43de tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with plaintext password against winbind via 7c0c683b2ea tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with incorrect fixed password via 28ea2f7220d tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with fixed password via 3794c1c5274 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth plaintext authentication with failed require-membership-of via dfa149276f1 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth plaintext authentication with require-membership-of via caa505302f5 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of via 377e87a2347 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth against winbindd with failed require-membership-of via 8d11a54e370 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with require-membership-of via 1f704496ea6 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth against winbindd with require-membership-of via 06d101e3f08 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ccached credentials with NTLMSSP client and gss-spnego server via 4ce9371f5fa tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server 
against winbind via c9a5bf3c82c tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server via d3fd3d01f19 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP client and gss-spnego server via 4a11ab373b3 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth against winbindd via 247592f7162 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth and ntlm_auth with specified domain via e8144129111 selftest: Add a new base class for ntlm_auth tests via d0b5e216b07 selftest: Create included files during provision from b1ad5a880fd krb5_wrap: Fix bit shifting
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit fe7ab7d5132b2312f617b3c51db9d4c9f9271a51 Author: Samuel Cabrero <scabr...@suse.de> Date: Thu Sep 6 13:56:53 2018 +0200 tests/ntlm_auth: Port ntlm_auth_diagnostics tests to python Port ntlm_auth_diagnostics bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Noel Power <npo...@samba.org> Autobuild-Date(master): Wed Dec 19 16:21:32 CET 2018 on sn-devel-144 commit 4846d4a713679957f31b8da179be192d8b6e7506 Author: Samuel Cabrero <scabr...@suse.de> Date: Thu Nov 15 11:17:43 2018 +0100 selftest: Remove test_ntlm_auth.py helper Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 129ab34baf0b1554dea3d93506b95439bffcb30f Author: Samuel Cabrero <scabr...@suse.de> Date: Thu Sep 6 12:58:42 2018 +0200 tests/ntlm_auth: Port ntlm_auth_krb5 tests to python Port ntlm_auth_krb5 bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 91c4f2603607a917c1f1006b2f9f83232ac489c4 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 19:28:06 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with incorrect fixed password against winbind Port ntlm_auth bash script tests to python and remove bash test script 
Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3ae7095bbee9ca19056c00a61084d49e5e278728 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 19:27:20 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 8d4258f43dea153cc60a6b9dbd36f0ca0b5abf0e Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 19:15:05 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with plaintext password against winbind Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7c0c683b2eafc6f5c8474a4547d970ad3ce5a759 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 19:06:18 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with incorrect fixed password Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 28ea2f7220dfc4f90bc099f306c8a0e5324fee5a Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 18:49:13 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ntlm-server-1 with fixed password Port ntlm_auth bash script tests to python 
Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3794c1c5274f88c32fa8937b92f30a1308d57bb0 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 18:27:50 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth plaintext authentication with failed require-membership-of Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit dfa149276f1e2c1a64208ff33ca161008f012d6d Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 18:24:56 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth plaintext authentication with require-membership-of Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit caa505302f5e8752f997fe8aef6cef878f2e3f35 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 18:01:17 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 377e87a2347a96a75adf8932651ca607114c95a1 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 17:53:16 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth against winbindd with failed require-membership-of Port ntlm_auth bash script tests to python 
Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 8d11a54e3707e77c78a2f0005c9f4b1922a791b1 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 17:46:59 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with require-membership-of Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1f704496ea6948b503c3c01eec7812eb8cb12b79 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 17:41:40 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth against winbindd with require-membership-of Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Signed-off-by: Noel Power <noel.po...@suse.com> commit 06d101e3f087ee82ead8f7792a3ddd2a655b7a4b Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 17:07:23 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth ccached credentials with NTLMSSP client and gss-spnego server Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4ce9371f5fa99d49f16e0563d0cd185459b58ea3 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 16:42:05 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind Port ntlm_auth bash script tests to python 
Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c9a5bf3c82c988aa424e804305aafa127749837f Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 16:28:37 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d3fd3d01f19c227d78f9ba77660c2e73e067aab2 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 16:05:34 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth with NTLMSSP client and gss-spnego server Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4a11ab373b309ae7b97c03e367ba509897c20fcc Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 14:26:59 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth against winbindd Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 247592f7162d0e22e8edb889adce1eac5a4cf5f1 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 12:47:11 2018 +0200 tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth and ntlm_auth with specified domain Port ntlm_auth bash script tests to python Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e8144129111b026444052713618fc5837d43fd96 Author: Samuel Cabrero <scabr...@suse.de> Date: Sat Dec 9 10:44:15 2017 +0100 selftest: Add a new base class for ntlm_auth tests The class is based on test_ntlm_auth.py script. 
Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Pair-programmed-by: Andrew Bartlett <abart...@samba.org> commit d0b5e216b0732a95c0fee3e04659ee7d3792baf6 Author: Samuel Cabrero <scabr...@suse.de> Date: Fri Aug 31 12:44:09 2018 +0200 selftest: Create included files during provision Files included from smb.conf have to exists, otherwise python fails to load the configuration. Found while trying to run a python test before samba3.blackbox.smbd_error creates the included file. Signed-off-by: Samuel Cabrero <scabr...@suse.de> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/tests/ntlm_auth.py | 325 ++++++++++++++++++++ python/samba/tests/ntlm_auth_base.py | 210 +++++++++++++ python/samba/tests/ntlm_auth_krb5.py | 83 +++++ selftest/target/Samba3.pm | 18 +- source3/script/tests/test_ntlm_auth_diagnostics.sh | 23 -- source3/script/tests/test_ntlm_auth_krb5.sh | 32 -- source3/script/tests/test_ntlm_auth_s3.sh | 297 ------------------ source3/selftest/tests.py | 5 - source3/torture/test_ntlm_auth.py | 335 --------------------- source4/selftest/tests.py | 7 +- 10 files changed, 637 insertions(+), 698 deletions(-) create mode 100644 python/samba/tests/ntlm_auth.py create mode 100644 python/samba/tests/ntlm_auth_base.py create mode 100644 python/samba/tests/ntlm_auth_krb5.py delete mode 100755 source3/script/tests/test_ntlm_auth_diagnostics.sh delete mode 100755 source3/script/tests/test_ntlm_auth_krb5.sh delete mode 100755 source3/script/tests/test_ntlm_auth_s3.sh delete mode 100755 source3/torture/test_ntlm_auth.py Changeset truncated at 500 lines: diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py new file mode 100644 index 00000000000..c93d38a0f0f --- /dev/null +++ b/python/samba/tests/ntlm_auth.py 
@@ -0,0 +1,325 @@ +# Unix SMB/CIFS implementation. +# +# Copyright (C) Samuel Cabrero <scabr...@suse.de> 2018 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import os +from subprocess import Popen, PIPE +from samba.tests.ntlm_auth_base import NTLMAuthTestCase +from samba.compat import get_string + +class NTLMAuthHelpersTests(NTLMAuthTestCase): + + def setUp(self): + super(NTLMAuthHelpersTests, self).setUp() + self.username = os.environ["DC_USERNAME"] + self.password = os.environ["DC_PASSWORD"] + self.domain = os.environ["DOMAIN"] + out = get_string(self.check_output("wbinfo -n %s" % self.username)) + self.group_sid = out.split(" ")[0] + self.assertTrue(self.group_sid.startswith("S-1-5-21-")) + self.bad_group_sid = self.group_sid[:-2] + + def test_specified_domain(self): + """ ntlm_auth with specified domain """ + + username = "foo" + password = "secret" + domain = "FOO" + + ret = self.run_helper(client_username=username, + client_password=password, + client_domain=domain, + server_username=username, + server_password=password, + server_domain=domain, + server_use_winbind=False) + self.assertTrue(ret) + + username = "foo" + password = "secret" + domain = "fOo" + + ret = self.run_helper(client_username=username, + client_password=password, + client_domain=domain, + server_username=username, + server_password=password, + server_domain=domain, + server_use_winbind=False) + 
self.assertTrue(ret) + + def test_agaist_winbind(self): + """ ntlm_auth against winbindd """ + + ret = self.run_helper(client_username=self.username, + client_password=self.password, + client_domain=self.domain, + server_use_winbind=True) + self.assertTrue(ret) + + def test_ntlmssp_gss_spnego(self): + """ ntlm_auth with NTLMSSP client and gss-spnego server """ + + username = "foo" + password = "secret" + domain = "fOo" + + ret = self.run_helper(client_username=username, + client_password=password, + client_domain=domain, + server_username=username, + server_password=password, + server_domain=domain, + client_helper="ntlmssp-client-1", + server_helper="gss-spnego", + server_use_winbind=False) + self.assertTrue(ret) + + def test_gss_spnego(self): + """ ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server """ + + username = "foo" + password = "secret" + domain = "fOo" + + ret = self.run_helper(client_username=username, + client_password=password, + client_domain=domain, + server_username=username, + server_password=password, + server_domain=domain, + client_helper="gss-spnego-client", + server_helper="gss-spnego", + server_use_winbind=False) + self.assertTrue(ret) + + def test_gss_spnego_winbind(self): + """ ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server + against winbind """ + + ret = self.run_helper(client_username=self.username, + client_password=self.password, + client_domain=self.domain, + client_helper="gss-spnego-client", + server_helper="gss-spnego", + server_use_winbind=True) + self.assertTrue(ret) + + def test_ntlmssp_gss_spnego_cached_creds(self): + """ ntlm_auth with NTLMSSP client and gss-spnego server against + winbind with cached credentials """ + + param = "--ccache-save=%s%s%s%%%s" % (self.domain, + self.winbind_separator, + self.username, + self.password) + cache_cmd = ["wbinfo", + param] + self.check_exit_code(cache_cmd, 0) + + ret = self.run_helper(client_username=self.username, + client_password=self.password, + 
client_domain=self.domain, + client_use_cached_creds=True, + client_helper="ntlmssp-client-1", + server_helper="gss-spnego", + server_use_winbind=True) + self.assertTrue(ret) + + def test_require_membership(self): + """ ntlm_auth against winbindd with require-membership-of """ + + ret = self.run_helper(client_username=self.username, + client_password=self.password, + client_domain=self.domain, + require_membership=self.group_sid, + server_use_winbind=True) + self.assertTrue(ret) + + ret = self.run_helper(client_username=self.username, + client_password=self.password, + client_domain=self.domain, + require_membership=self.bad_group_sid, + server_use_winbind=True) + self.assertFalse(ret) + + def test_require_membership_gss_spnego(self): + """ ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server + against winbind with require-membership-of """ + + ret = self.run_helper(client_username=self.username, + client_password=self.password, + client_domain=self.domain, + require_membership=self.group_sid, + client_helper="gss-spnego-client", + server_helper="gss-spnego", + server_use_winbind=True) + self.assertTrue(ret) + + ret = self.run_helper(client_username=self.username, + client_password=self.password, + client_domain=self.domain, + require_membership=self.bad_group_sid, + client_helper="gss-spnego-client", + server_helper="gss-spnego", + server_use_winbind=True) + self.assertFalse(ret) + + def test_plaintext_with_membership(self): + """ ntlm_auth plaintext authentication with require-membership-of """ + + proc = Popen([self.ntlm_auth_path, + "--require-membership-of", self.group_sid, + "--helper-protocol", "squid-2.5-basic"], + stdout=PIPE, stdin=PIPE, stderr=PIPE) + creds = "%s%s%s %s\n" % (self.domain, self.winbind_separator, + self.username, + self.password) + (out, err) = proc.communicate(input=creds.encode('utf-8')) + self.assertEqual(proc.returncode, 0) + self.assertTrue(out.startswith(b"OK\n")) + + # Check membership failure + proc = 
Popen([self.ntlm_auth_path, + "--require-membership-of", self.bad_group_sid, + "--helper-protocol", "squid-2.5-basic"], + stdout=PIPE, stdin=PIPE, stderr=PIPE) + creds = "%s%s%s %s\n" % (self.domain, + self.winbind_separator, + self.username, + self.password) + (out, err) = proc.communicate(input=creds.encode('utf-8')) + self.assertEqual(proc.returncode, 0) + self.assertTrue(out.startswith(b"ERR\n")) + + def test_ntlm_server_1_with_fixed_password(self): + """ ntlm_auth ntlm-server-1 with fixed password """ + + ntlm_cmds = [ + "LANMAN-Challenge: 0123456789abcdef", + "NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6", + "NT-Domain: TEST", + "Username: testuser", + "Request-User-Session-Key: Yes", + ".\n" ] + + proc = Popen([self.ntlm_auth_path, + "--password", "SecREt01", + "--helper-protocol", "ntlm-server-1"], + stdout=PIPE, stdin=PIPE, stderr=PIPE) + buf = "\n".join(ntlm_cmds) + (out, err) = proc.communicate(input=buf.encode('utf-8')) + self.assertEqual(proc.returncode, 0) + + lines = out.split(b"\n") + + self.assertEqual(len(lines), 4) + self.assertEquals(lines[0], b"Authenticated: Yes") + self.assertEquals( + lines[1], b"User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4") + self.assertEquals(lines[2], b".") + self.assertEquals(lines[3], b"") + + # Break the password with a leading A on the challenge + ntlm_cmds[0] = "LANMAN-Challenge: A123456789abcdef" + + proc = Popen([self.ntlm_auth_path, + "--password", "SecREt01", + "--helper-protocol", "ntlm-server-1"], + stdout=PIPE, stdin=PIPE, stderr=PIPE) + buf = "\n".join(ntlm_cmds) + (out, err) = proc.communicate(input=buf.encode('utf-8')) + self.assertEqual(proc.returncode, 0) + + lines = out.split(b"\n") + self.assertEqual(len(lines), 5) + self.assertEquals(lines[0], b"Authenticated: No") + + def test_ntlm_server_1_with_plaintext_winbind(self): + """ ntlm_auth ntlm-server-1 with plaintext password against winbind """ + + ntlm_cmds = [ + "Password: %s" % self.password, + "NT-Domain: %s" % self.domain, + 
"Username: %s" % self.username, + "Request-User-Session-Key: Yes", + ".\n" ] + + proc = Popen([self.ntlm_auth_path, + "--require-membership-of", self.group_sid, + "--helper-protocol", "ntlm-server-1"], + stdout=PIPE, stdin=PIPE, stderr=PIPE) + buf = "\n".join(ntlm_cmds) + (out, err) = proc.communicate(input=buf.encode('utf-8')) + self.assertEqual(proc.returncode, 0) + + lines = out.split(b"\n") + + self.assertEqual(len(lines), 3) + self.assertEquals(lines[0], b"Authenticated: Yes") + self.assertEquals(lines[1], b".") + self.assertEquals(lines[2], b"") + + # Check membership failure + + proc = Popen([self.ntlm_auth_path, + "--require-membership-of", self.bad_group_sid, + "--helper-protocol", "ntlm-server-1"], + stdout=PIPE, stdin=PIPE, stderr=PIPE) + buf = "\n".join(ntlm_cmds) + (out, err) = proc.communicate(input=buf.encode('utf-8')) + self.assertEqual(proc.returncode, 0) + + lines = out.split(b"\n") + + self.assertEqual(len(lines), 3) + self.assertEquals(lines[0], b"Authenticated: No") + self.assertEquals(lines[1], b".") + self.assertEquals(lines[2], b"") + + def test_ntlm_server_1_with_incorrect_password_winbind(self): + """ ntlm_auth ntlm-server-1 with incorrect fixed password against + winbind """ + + ntlm_cmds = [ + "LANMAN-Challenge: 0123456789abcdef", + "NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6", + "NT-Domain: %s" % self.domain, + "Username: %s" % self.username, + "Request-User-Session-Key: Yes", + ".\n" ] + + proc = Popen([self.ntlm_auth_path, + "--helper-protocol", "ntlm-server-1"], + stdout=PIPE, stdin=PIPE, stderr=PIPE) + buf = "\n".join(ntlm_cmds) + (out, err) = proc.communicate(input=buf.encode('utf-8')) + self.assertEqual(proc.returncode, 0) + + lines = out.split(b"\n") + + self.assertEqual(len(lines), 5) + self.assertEquals(lines[0], b"Authenticated: No") + + def test_diagnostics(self): + """ ntlm_auth diagnostics """ + cmd_line = [self.ntlm_auth_path, + "--username", self.username, + "--password", self.password, + "--domain", 
self.domain, + "--diagnostics"] + self.check_exit_code(cmd_line, 0) diff --git a/python/samba/tests/ntlm_auth_base.py b/python/samba/tests/ntlm_auth_base.py new file mode 100644 index 00000000000..546c89762cc --- /dev/null +++ b/python/samba/tests/ntlm_auth_base.py 
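Review bot: Every negative require-membership-of case depends on `self.bad_group_sid = self.group_sid[:-2]` in setUp, and nothing checks that the shortened string is still a well-formed SID. The value is taken from `wbinfo -n` on `self.username`, so it appears to be the account's own SID rather than a group's. If the RID had only two digits, the slice would end in `-`, and the `assertFalse(ret)`, `ERR` and `Authenticated: No` checks in test_require_membership, test_require_membership_gss_spnego, test_plaintext_with_membership and test_ntlm_server_1_with_plaintext_winbind could then pass because the SID was rejected as malformed rather than because membership was denied. I would add `self.assertNotEqual(self.bad_group_sid[-1], "-")` after the assignment, with a comment such as `# user SID with the RID shortened: still well-formed, but not a SID the test account holds`. Renaming the two attributes to say they hold a user SID would also make the access-control intent of these tests easier to audit.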
@@ -0,0 +1,210 @@ +# Unix SMB/CIFS implementation. +# A test for the ntlm_auth tool +# Copyright (C) Kai Blin <k...@samba.org> 2008 +# Copyright (C) Samuel Cabrero <scabr...@suse.de> 2018 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +"""Test ntlm_auth +This test program will start ntlm_auth with the given command line switches and +see if it will get the expected results. +""" + +import os +import samba +import subprocess +from samba.tests import BlackboxTestCase + +class NTLMAuthTestCase(BlackboxTestCase): + + def setUp(self): + super(NTLMAuthTestCase, self).setUp() + bindir = os.path.normpath(os.getenv("BINDIR", "./bin")) + self.ntlm_auth_path = os.path.join(bindir, 'ntlm_auth') + self.lp = samba.tests.env_loadparm() + self.winbind_separator = self.lp.get('winbind separator') + + def readLine(self, text_stream): + buf = text_stream.readline() + newline = buf.find('\n') + if newline == -1: + raise Exception("Failed to read line") + return buf[:newline] + + def writeLine(self, text_stream, buf): + text_stream.write(buf) + text_stream.write("\n") + + def run_helper(self, + client_username=None, + client_password=None, + client_domain=None, + client_use_cached_creds=False, + server_username=None, + server_password=None, + server_domain=None, + client_helper="ntlmssp-client-1", + server_helper="squid-2.5-ntlmssp", + server_use_winbind=False, + require_membership=None, + 
target_hostname=None, + target_service=None): + self.assertTrue(os.access(self.ntlm_auth_path, os.X_OK)) + + if client_username is None: + raise Exception("client_username required") + + # Client helper args + client_args = [] + client_args.append(self.ntlm_auth_path) + client_args.append("--helper-protocol=%s" % client_helper) + client_args.append("--username=%s" % client_username) + if client_domain: + client_args.append("--domain=%s" % client_domain) + if client_use_cached_creds: + client_args.append("--use-cached-creds") + else: + if client_password is None: + raise Exception("client_password required") + client_args.append("--password=%s" % client_password) + if target_service: + client_args.append("--target-service=%s" % target_service) + if target_hostname: + client_args.append("--target-hostname=%s" % target_hostname) + client_args.append("--configfile=%s" % self.lp.configfile) + + # Server helper args + server_args = [] + server_args.append(self.ntlm_auth_path) + server_args.append("--helper-protocol=%s" % server_helper) + server_args.append("--configfile=%s" % self.lp.configfile) + if not server_use_winbind: + if server_username is None or server_password is None or server_domain is None: + raise Exception("Server credentials required if not using winbind") + server_args.append("--username=%s" % server_username) + server_args.append("--password=%s" % server_password) + server_args.append("--domain=%s" % server_domain) + if require_membership is not None: + raise Exception("Server must be using winbind for require-membership-of") + else: + if require_membership is not None: + server_args.append("--require-membership-of=%s" % require_membership) + + # Run helpers + result = False + server_proc = subprocess.Popen(server_args, stdout=subprocess.PIPE, stdin=subprocess.PIPE, bufsize=0, universal_newlines=True) + client_proc = subprocess.Popen(client_args, stdout=subprocess.PIPE, stdin=subprocess.PIPE, bufsize=0, universal_newlines=True) + + try: + if 
client_helper == "ntlmssp-client-1" and server_helper == "squid-2.5-ntlmssp": + self.writeLine(client_proc.stdin, "YR") + buf = self.readLine(client_proc.stdout) + self.assertTrue(buf.startswith("YR ")) + + self.writeLine(server_proc.stdin, buf) + buf = self.readLine(server_proc.stdout) + self.assertTrue(buf.startswith("TT ")) + + self.writeLine(client_proc.stdin, buf) + buf = self.readLine(client_proc.stdout) + self.assertTrue(buf.startswith("AF ")) + + # Client sends 'AF <base64 blob>' but server + # expects 'KK <base64 blob>' + buf = buf.replace("AF", "KK", 1) + + self.writeLine(server_proc.stdin, buf) + buf = self.readLine(server_proc.stdout) + result = buf.startswith("AF ") + elif client_helper == "ntlmssp-client-1" and server_helper == "gss-spnego": + self.writeLine(client_proc.stdin, "YR") + buf = self.readLine(client_proc.stdout) + self.assertTrue(buf.startswith("YR ")) + + self.writeLine(server_proc.stdin, buf) + buf = self.readLine(server_proc.stdout) + self.assertTrue(buf.startswith("TT ")) + + self.writeLine(client_proc.stdin, buf) + buf = self.readLine(client_proc.stdout) + self.assertTrue(buf.startswith("AF ")) + + # Client sends 'AF <base64 blob>' but server expects 'KK <abse64 blob>' + buf = buf.replace("AF", "KK", 1) + + self.writeLine(server_proc.stdin, buf) + buf = self.readLine(server_proc.stdout) + result = buf.startswith("AF * ") + elif client_helper == "gss-spnego-client" and server_helper == "gss-spnego": + self.writeLine(server_proc.stdin, "YR") + buf = self.readLine(server_proc.stdout) + + while True: + if (buf.startswith("NA * ")): + result = False + break + + self.assertTrue(buf.startswith("AF ") or buf.startswith("TT ")) + + self.writeLine(client_proc.stdin, buf) + buf = self.readLine(client_proc.stdout) + + if buf.startswith("AF"): -- Samba Shared Repository