[SCM] Samba Shared Repository - branch master updated

Anatoliy Atanasov anatoliy at samba.org
Fri Nov 5 00:33:01 MDT 2010


The branch, master has been updated
       via  211f6d5 s4/auth: Add logon_parameters to authenticate_username_pw
       via  d952f6c s4/test: Added test for simple bind with machine account
      from  cd172e7 talloc: Add python talloc module, move convenience functions to it.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 211f6d5f557c7a737f3ccc1b4ef592c0ea8d7b94
Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
Date:   Fri Nov 5 00:00:13 2010 +0200

    s4/auth: Add logon_parameters to authenticate_username_pw
    
    We need to be able to set the logon parameters in the same way as in the
    ntlm server so we can handle openldap simple authentication call correctly.
    
    Autobuild-User: Anatoliy Atanasov <anatoliy at samba.org>
    Autobuild-Date: Fri Nov  5 06:32:43 UTC 2010 on sn-devel-104

commit d952f6c3918c1bbc96a55ded2e03e4695448a46d
Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
Date:   Thu Nov 4 23:57:48 2010 +0200

    s4/test: Added test for simple bind with machine account
    
    Samba4 returns error on simple bind, when we do it using openldap
    simple_bind_s api.

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/auth.h                    |   15 ++--
 source4/auth/credentials/tests/bind.py |  116 ++++++++++++++++++++++++++++++++
 source4/auth/ntlm/auth_simple.c        |    5 +-
 source4/ldap_server/ldap_bind.c        |    2 +
 4 files changed, 130 insertions(+), 8 deletions(-)
 create mode 100755 source4/auth/credentials/tests/bind.py


Changeset truncated at 500 lines:

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 2f0af02..0f6386f 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -248,13 +248,14 @@ NTSTATUS auth_init(void);
 NTSTATUS auth_register(const struct auth_operations *ops);
 NTSTATUS server_service_auth_init(void);
 NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
-					   struct tevent_context *ev,
-					   struct messaging_context *msg,
-					   struct loadparm_context *lp_ctx,
-					   const char *nt4_domain,
-					   const char *nt4_username,
-					   const char *password,
-					   struct auth_session_info **session_info);
+				  struct tevent_context *ev,
+				  struct messaging_context *msg,
+				  struct loadparm_context *lp_ctx,
+				  const char *nt4_domain,
+				  const char *nt4_username,
+				  const char *password,
+				  const uint32_t logon_parameters,
+				  struct auth_session_info **session_info);
 
 struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 					    struct tevent_context *ev,
diff --git a/source4/auth/credentials/tests/bind.py b/source4/auth/credentials/tests/bind.py
new file mode 100755
index 0000000..231852c
--- /dev/null
+++ b/source4/auth/credentials/tests/bind.py
@@ -0,0 +1,116 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# This is unit with tests for LDAP access checks
+
+import optparse
+import sys
+import base64
+import re
+import os
+
+sys.path.append("bin/python")
+import samba
+samba.ensure_external_module("subunit", "subunit/python")
+samba.ensure_external_module("testtools", "testtools")
+
+import samba.getopt as options
+
+from ldb import (
+    SCOPE_BASE, SCOPE_SUBTREE, LdbError, ERR_NO_SUCH_OBJECT)
+from samba.dcerpc import security
+
+from samba.auth import system_session
+from samba import gensec
+from samba.samdb import SamDB
+from samba.credentials import Credentials
+import samba.tests
+from subunit.run import SubunitTestRunner
+import unittest
+
+parser = optparse.OptionParser("ldap [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+
+if len(args) < 1:
+    parser.print_usage()
+    sys.exit(1)
+
+host = args[0]
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
+creds_machine = creds
+
+class BindTests(samba.tests.TestCase):
+    def delete_force(self, ldb, dn):
+        try:
+            ldb.delete(dn)
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_NO_SUCH_OBJECT)
+
+    def find_basedn(self, ldb):
+        res = ldb.search(base="", expression="", scope=SCOPE_BASE,
+                         attrs=["defaultNamingContext"])
+        self.assertEquals(len(res), 1)
+        return res[0]["defaultNamingContext"][0]
+
+    def setUp(self):
+        super(BindTests, self).setUp()
+        self.base_dn = self.find_basedn(ldb)
+
+    def tearDown(self):
+        super(BindTests, self).tearDown()
+
+    def test_computer_account_bind(self):
+        # create a computer acocount for the test
+        self.user_dn = "CN=centos53,CN=Computers,%s" % self.base_dn
+        self.password = "P at ssw0rd"
+        self.acc_name = "centos53$"
+
+        self.delete_force(ldb, self.user_dn)
+        ldb.add_ldif("""
+dn: """ + self.user_dn + """
+cn: CENTOS53
+displayName: CENTOS53$
+name: CENTOS53
+sAMAccountName: CENTOS53$
+countryCode: 0
+objectClass: computer
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+objectClass: user
+codePage: 0
+userAccountControl: 4096
+dNSHostName: centos53.alabala.test
+operatingSystemVersion: 5.2 (3790)
+operatingSystem: Windows Server 2003
+""")
+        ldb.modify_ldif("""
+dn: """ + self.user_dn + """
+changetype: modify
+replace: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"P at ssw0rd\"".encode('utf-16-le')) + """
+""")
+
+        # do a simple bind and search with the machine account
+        creds_machine.set_bind_dn(self.user_dn)
+        creds_machine.set_password(self.password)
+        ldb_machine = SamDB(host, credentials=creds_machine, session_info=system_session(), lp=lp)
+        self.find_basedn(ldb_machine)
+
+if not "://" in host:
+    host = "ldap://%s" % host
+ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp)
+
+runner = SubunitTestRunner()
+rc = 0
+if not runner.run(unittest.makeSuite(BindTests)).wasSuccessful():
+    rc = 1
+
+sys.exit(rc)
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 65a08cd..1079fba 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -35,6 +35,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 					   const char *nt4_domain,
 					   const char *nt4_username,
 					   const char *password,
+					   const uint32_t logon_parameters,
 					   struct auth_session_info **session_info) 
 {
 	struct auth_context *auth_context;
@@ -78,7 +79,9 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 	user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
 		USER_INFO_DONT_CHECK_UNIX_ACCOUNT;
 
-	user_info->logon_parameters = 0;
+	user_info->logon_parameters = logon_parameters |
+		MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
+		MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
 
 	nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &server_info);
 	if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 5036353..25be480 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -53,6 +53,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 						  call->conn->lp_ctx,
 						  nt4_domain, nt4_account, 
 						  req->creds.password,
+						  MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
+						  MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
 						  &session_info);
 	}
 


-- 
Samba Shared Repository


More information about the samba-cvs mailing list