From 8f2be5ac5a8104c9db04c5984690b53dee39321d Mon Sep 17 00:00:00 2001 From: Joe Guo Date: Wed, 18 Apr 2018 15:31:12 +1200 Subject: [PATCH 1/5] traffic_replay: set gensec features to encrypt credentials While running traffic_replay script against windows dc, it will fail with a `LDAP_UNWILLING_TO_PERFORM` error for adding user. Windows requires the credentials to be encrypted before sending. `set_gensec_features` will fix it. Signed-off-by: Joe Guo --- script/traffic_replay | 3 +++ 1 file changed, 3 insertions(+) diff --git a/script/traffic_replay b/script/traffic_replay index 0e97d0a64af..df86115a48f 100755 --- a/script/traffic_replay +++ b/script/traffic_replay @@ -25,6 +25,7 @@ import shutil sys.path.insert(0, "bin/python") +from samba import gensec from samba.emulate import traffic import samba.getopt as options @@ -134,6 +135,7 @@ def main(): print_err("Removing user and machine accounts") lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) + creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) ldb = traffic.openLdb(host, creds, lp) traffic.clean_up_accounts(ldb, opts.instance_id) exit(0) @@ -155,6 +157,7 @@ def main(): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) + creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) domain = opts.workgroup if domain: From a564a844c8471ebf47c1aaccd5c7150b17cf5574 Mon Sep 17 00:00:00 2001 From: Joe Guo Date: Wed, 18 Apr 2018 15:36:02 +1200 Subject: [PATCH 2/5] traffic: add paged_results control for ldb search While there are more then 1000 records in the search result, a `LDAP_SIZE_LIMIT_EXCEEDED` error will be returned. Add paged_results control to fix. Signed-off-by: Joe Guo --- python/samba/emulate/traffic.py | 1 + 1 file changed, 1 insertion(+) diff --git a/python/samba/emulate/traffic.py b/python/samba/emulate/traffic.py index 9d95e3a14d5..a99cf9163a5 100644 --- a/python/samba/emulate/traffic.py +++ b/python/samba/emulate/traffic.py 
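Review bot: The line `creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)` is added twice in `main()`, in the clean-up branch and again before the replay set-up, and neither copy has a comment saying why sealing is required. I would add `# A Windows DC rejects the user add with LDAP_UNWILLING_TO_PERFORM unless the connection is sealed` above each use, so a later refactor does not drop one of them. FEATURE_SEAL requests encryption of the whole authenticated session, not only of the credentials, which the commit subject blurs. Whether the per-user credentials built inside `traffic` for replayed conversations also need the flag is not visible in these hunks; `main()` starts and ends outside them.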
@@ -343,6 +343,7 @@ def generate_ldap_search_tables(self): res = db.search(db.domain_dn(), scope=ldb.SCOPE_SUBTREE, + controls=["paged_results:1:1000"], attrs=['dn']) # find a list of dns for each pattern From a2f240b46ede543e4587850b4448ec55e54c02cf Mon Sep 17 00:00:00 2001 From: Joe Guo Date: Wed, 18 Apr 2018 15:40:18 +1200 Subject: [PATCH 3/5] traffic_replay: fix typo in message string Signed-off-by: Joe Guo --- script/traffic_replay | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/traffic_replay b/script/traffic_replay index df86115a48f..a56ea25d5c9 100755 --- a/script/traffic_replay +++ b/script/traffic_replay @@ -37,7 +37,7 @@ def print_err(*args, **kwargs): def main(): desc = ("Generates network traffic 'conversations' based on " - " (which should the output file produced by either traffic_learner" + " (which should be the output file produced by either traffic_learner" " or traffic_summary.pl). This traffic is sent to ," " which is the full DNS hostname of the DC being tested.") From 654e2920b42093fcb81ef546feea8fb662cb8d79 Mon Sep 17 00:00:00 2001 From: Joe Guo Date: Wed, 18 Apr 2018 15:45:10 +1200 Subject: [PATCH 4/5] traffic_packets: support NT_STATUS_NO_SUCH_DOMAIN in packet_lsarpc_39 For packet_lsarpc_39, samba will return NT_STATUS_OBJECT_NAME_NOT_FOUND, however, windows will return NT_STATUS_NO_SUCH_DOMAIN. Allow both status for now to keep compatiable with both samba and windows DC. Signed-off-by: Joe Guo --- python/samba/emulate/traffic_packets.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/python/samba/emulate/traffic_packets.py b/python/samba/emulate/traffic_packets.py index 688c935cdc0..89f97b41f8b 100644 --- a/python/samba/emulate/traffic_packets.py +++ b/python/samba/emulate/traffic_packets.py 
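Review bot: The added `controls=["paged_results:1:1000"]` in `generate_ldap_search_tables` hard-codes the page size without a comment, and nothing in the hunk shows that pages after the first are fetched. If the ldb layer does not follow the paging cookie itself, `res` would hold only the first 1000 DNs and the tables built from it would be silently incomplete on a large directory. That is worth confirming against a domain with more than 1000 objects. I would add `# page the search: an unpaged result over 1000 entries fails with LDAP_SIZE_LIMIT_EXCEEDED` above the call and lift the value into a named constant. The function starts and ends outside the hunk.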
@@ -31,7 +31,10 @@ DONT_USE_KERBEROS ) from samba import NTSTATUSError -from samba.ntstatus import NT_STATUS_OBJECT_NAME_NOT_FOUND +from samba.ntstatus import ( + NT_STATUS_OBJECT_NAME_NOT_FOUND, + NT_STATUS_NO_SUCH_DOMAIN +) from samba.dcerpc.misc import SEC_CHAN_WKSTA import samba samba.ensure_third_party_module("dns", "dnspython") @@ -429,9 +432,11 @@ def packet_lsarpc_39(packet, conversation, context): try: c.QueryTrustedDomainInfoBySid(pol_handle, domsid, level) except NTSTATUSError as error: - # Object Not found is the expected result, anything else is a - # failure. - if not check_runtime_error(error, NT_STATUS_OBJECT_NAME_NOT_FOUND): + # Object Not found is the expected result from samba, + # while No Such Domain is the expected result from windows, + # anything else is a failure. + if not check_runtime_error(error, NT_STATUS_OBJECT_NAME_NOT_FOUND) \ + and not check_runtime_error(error, NT_STATUS_NO_SUCH_DOMAIN): raise return True From 5a1d213552d78f08f62bf3c21beb1c22da534379 Mon Sep 17 00:00:00 2001 From: Joe Guo Date: Thu, 19 Apr 2018 17:05:21 +1200 Subject: [PATCH 5/5] Fix a few typo for response reponse --> response Signed-off-by: Joe Guo --- auth/credentials/pycredentials.c | 2 +- auth/ntlmssp/ntlmssp_client.c | 2 +- examples/pcap2nbench/readandxresponse.hpp | 2 +- source4/torture/krb5/kdc-canon-heimdal.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 638ae8de2ed..68bb3060a99 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -130,7 +130,7 @@ static PyObject *py_creds_get_ntlm_response(PyObject *self, PyObject *args, PyOb ret = Py_BuildValue("{sis" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "}", "flags", flags, - "lm_reponse", + "lm_response", (const char *)lm_response.data, lm_response.length, "nt_response", (const char *)nt_response.data, nt_response.length, 
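Review bot: The new condition in `packet_lsarpc_39` uses a backslash continuation and calls `check_runtime_error` twice; a tuple of accepted statuses is easier to read and extend, e.g. `expected = (NT_STATUS_OBJECT_NAME_NOT_FOUND, NT_STATUS_NO_SUCH_DOMAIN)` followed by `if not any(check_runtime_error(error, s) for s in expected):`. Either status is now accepted from either kind of server, so a Samba DC that started returning NT_STATUS_NO_SUCH_DOMAIN would no longer be noticed. The commit message says this is allowed "for now", and a `# TODO` next to the check would record that in the code. The function body starts outside the hunk.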
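Review bot: Renaming the returned dictionary key from `lm_reponse` to `lm_response` in `py_creds_get_ntlm_response` changes what Python callers see: code that still indexes the old key would raise KeyError, and no caller or test is updated in this patch. The same concern applies to the `ntlmssp_client` option in `gensec_ntlmssp_client_start` (the ntlmssp_client.c hunk): a configuration that set the old spelling `send_nt_reponse` would now be ignored without warning, and `use_nt_response` would take the default `true`. If the old names were ever in use, keeping them readable for a release is cheap. For the option that could be `gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_response", gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true))`. Whether anything in the tree or in deployed configurations depends on the old spellings is not visible here, and both functions extend beyond their hunks.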
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index db2003f0d6b..c511290d36b 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -777,7 +777,7 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true); - ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true); + ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_response", true); ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx); diff --git a/examples/pcap2nbench/readandxresponse.hpp b/examples/pcap2nbench/readandxresponse.hpp index 0a302cb6575..8ecb3a35c0c 100644 --- a/examples/pcap2nbench/readandxresponse.hpp +++ b/examples/pcap2nbench/readandxresponse.hpp @@ -22,7 +22,7 @@ #define _READ_AND_X_RESPONSE_HPP class ReadAndXResponse { - ReadAndXReponse(const uint8_t *data, size_t size); + ReadAndXResponse(const uint8_t *data, size_t size); uint8_t word_count; uint8_t and_x_command; diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c index 7f806e73e66..5b782a23fc4 100644 --- a/source4/torture/krb5/kdc-canon-heimdal.c +++ b/source4/torture/krb5/kdc-canon-heimdal.c 
@@ -515,7 +515,7 @@ static bool torture_krb5_post_recv_tgs_req_krbtgt_canon_test(struct torture_krb5 torture_assert_str_equal(test_context->tctx, test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt", - "Mismatch in name between reponse and expected response, expected krbtgt"); + "Mismatch in name between response and expected response, expected krbtgt"); torture_assert_str_equal(test_context->tctx, test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->real_realm, "Mismatch in realm part of krbtgt/ in expected response, expected krbtgt/REALM@REALM");