[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Apr 6 08:07:03 UTC 2017
The branch, master has been updated
via 5ee494c tests dsdb: load paramaters from test environment
via 62bbfda password_hash: refactor setup_supplemental_field
via d1f4fc9 password_hash: Add tests to allow refactoring
from 78403a8 selftest: fix SID composition in a test script
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5ee494cbd77d3b988f4472bca9e936bd540f055f
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Apr 4 08:56:47 2017 +1200
tests dsdb: load paramaters from test environment
Load the test environment specific parameters
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Apr 6 10:06:05 CEST 2017 on sn-devel-144
commit 62bbfda8677d5ed576849b83fcaea1b94f3c3689
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 31 09:17:07 2017 +1300
password_hash: refactor setup_supplemental_field
refactored to make it easier to add extra password hashes.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d1f4fc9ee38bc6f1a318ceee940d8408e2050a50
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 31 15:50:31 2017 +1300
password_hash: Add tests to allow refactoring
Add tests for password_hash.c to allow refactoring of setup_supplemental_field
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/dsdb.py | 11 +-
python/samba/tests/password_hash.py | 290 ++++++++++++++++++
python/samba/tests/password_hash_fl2003.py | 107 +++++++
python/samba/tests/password_hash_fl2008.py | 112 +++++++
python/samba/tests/password_hash_gpgme.py | 126 ++++++++
source4/dsdb/samdb/ldb_modules/password_hash.c | 398 ++++++++++++-------------
source4/selftest/tests.py | 15 +
7 files changed, 853 insertions(+), 206 deletions(-)
create mode 100644 python/samba/tests/password_hash.py
create mode 100644 python/samba/tests/password_hash_fl2003.py
create mode 100644 python/samba/tests/password_hash_fl2008.py
create mode 100644 python/samba/tests/password_hash_gpgme.py
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/dsdb.py b/python/samba/tests/dsdb.py
index a3b94fb..4a34bac 100644
--- a/python/samba/tests/dsdb.py
+++ b/python/samba/tests/dsdb.py
@@ -32,16 +32,13 @@ class DsdbTests(TestCase):
def setUp(self):
super(DsdbTests, self).setUp()
- self.lp = samba.param.LoadParm()
- self.lp.load(os.path.join(os.path.join(self.baseprovpath(), "etc"), "smb.conf"))
+ self.lp = samba.tests.env_loadparm()
self.creds = Credentials()
self.creds.guess(self.lp)
self.session = system_session()
- self.samdb = SamDB(os.path.join(self.baseprovpath(), "private", "sam.ldb"),
- session_info=self.session, credentials=self.creds,lp=self.lp)
-
- def baseprovpath(self):
- return os.path.join(os.environ['SELFTEST_PREFIX'], "ad_dc_ntvfs")
+ self.samdb = SamDB(session_info=self.session,
+ credentials=self.creds,
+ lp=self.lp)
def test_get_oid_from_attrid(self):
oid = self.samdb.get_oid_from_attid(591614)
diff --git a/python/samba/tests/password_hash.py b/python/samba/tests/password_hash.py
new file mode 100644
index 0000000..c1631c6
--- /dev/null
+++ b/python/samba/tests/password_hash.py
@@ -0,0 +1,290 @@
+# Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+#
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+Base class for tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+"""
+
+from samba.credentials import Credentials
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba.tests import TestCase
+from samba.ndr import ndr_unpack
+from samba.dcerpc import drsblobs
+from samba.dcerpc.samr import DOMAIN_PASSWORD_STORE_CLEARTEXT
+from samba.dsdb import UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
+from samba.tests import delete_force
+import ldb
+import os
+import samba
+import binascii
+import md5
+
+
+USER_NAME = "PasswordHashTestUser"
+USER_PASS = samba.generate_random_password(32,32)
+UPN = "PWHash at User.Principle"
+
+# Get named package from the passed supplemental credentials
+#
+# returns the package and it's position within the supplemental credentials
+def get_package(sc, name):
+ if sc is None:
+ return None
+
+ idx = 0
+ for p in sc.sub.packages:
+ idx += 1
+ if name == p.name:
+ return (idx, p)
+
+ return None
+
+# Calculate the MD5 password digest from the supplied user, realm and password
+#
+def calc_digest(user, realm, password):
+
+ data = "%s:%s:%s" % (user, realm, password)
+ return binascii.hexlify(md5.new(data).digest())
+
+
+class PassWordHashTests(TestCase):
+
+ def setUp(self):
+ super(PassWordHashTests, self).setUp()
+
+ # Add a user to ldb, this will exercise the password_hash code
+ # and calculate the appropriate supplemental credentials
+ def add_user(self, options=None, clear_text=False):
+ self.lp = samba.tests.env_loadparm()
+ # set any needed options
+ if options is not None:
+ for (option,value) in options:
+ self.lp.set(option, value)
+
+ self.creds = Credentials()
+ self.session = system_session()
+ self.ldb = SamDB(
+ session_info=self.session,
+ credentials=self.creds,
+ lp=self.lp)
+
+ # Gets back the basedn
+ base_dn = self.ldb.domain_dn()
+
+ # Gets back the configuration basedn
+ configuration_dn = self.ldb.get_config_basedn().get_linearized()
+
+ # Get the old "dSHeuristics" if it was set
+ dsheuristics = self.ldb.get_dsheuristics()
+
+ # Set the "dSHeuristics" to activate the correct "userPassword"
+ # behaviour
+ self.ldb.set_dsheuristics("000000001")
+
+ # Reset the "dSHeuristics" as they were before
+ self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)
+
+ # Get the old "minPwdAge"
+ minPwdAge = self.ldb.get_minPwdAge()
+
+ # Set it temporarily to "0"
+ self.ldb.set_minPwdAge("0")
+ self.base_dn = self.ldb.domain_dn()
+
+ # Reset the "minPwdAge" as it was before
+ self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)
+
+ account_control = 0
+ if clear_text:
+ # get the current pwdProperties
+ pwdProperties = self.ldb.get_pwdProperties()
+ # enable clear text properties
+ props = int(pwdProperties)
+ props |= DOMAIN_PASSWORD_STORE_CLEARTEXT
+ self.ldb.set_pwdProperties(str(props))
+ # Restore the value on exit.
+ self.addCleanup(self.ldb.set_pwdProperties, pwdProperties)
+ account_control |= UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
+
+ # (Re)adds the test user USER_NAME with password USER_PASS
+ # and userPrincipalName UPN
+ delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn)
+ self.ldb.add({
+ "dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,
+ "objectclass": "user",
+ "sAMAccountName": USER_NAME,
+ "userPassword": USER_PASS,
+ "userPrincipalName": UPN,
+ "userAccountControl": str(account_control)
+ })
+
+ # Get the supplemental credentials for the user under test
+ def get_supplemental_creds(self):
+ base = "cn=" + USER_NAME + ",cn=users," + self.base_dn
+ res = self.ldb.search(scope=ldb.SCOPE_BASE,
+ base=base,
+ attrs=["supplementalCredentials"])
+ self.assertIs( True, len(res) > 0)
+ obj = res[0]
+ sc_blob = obj["supplementalCredentials"][0]
+ sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
+ return sc
+
+ # Calculate and validate a Wdigest value
+ def check_digest(self, user, realm, password, digest):
+ expected = calc_digest( user, realm, password)
+ actual = binascii.hexlify(bytearray(digest))
+ error = "Digest expected[%s], actual[%s], " \
+ "user[%s], realm[%s], pass[%s]" % \
+ (expected, actual, user, realm, password)
+ self.assertEquals(expected, actual, error)
+
+ # Check all of the 29 expected WDigest values
+ #
+ def check_wdigests(self, digests):
+
+ self.assertEquals(29, digests.num_hashes)
+
+ self.check_digest(USER_NAME,
+ self.lp.get("workgroup"),
+ USER_PASS,
+ digests.hashes[0].hash)
+ self.check_digest(USER_NAME.lower(),
+ self.lp.get("workgroup").lower(),
+ USER_PASS,
+ digests.hashes[1].hash)
+ self.check_digest(USER_NAME.upper(),
+ self.lp.get("workgroup").upper(),
+ USER_PASS,
+ digests.hashes[2].hash)
+ self.check_digest(USER_NAME,
+ self.lp.get("workgroup").upper(),
+ USER_PASS,
+ digests.hashes[3].hash)
+ self.check_digest(USER_NAME,
+ self.lp.get("workgroup").lower(),
+ USER_PASS,
+ digests.hashes[4].hash)
+ self.check_digest(USER_NAME.upper(),
+ self.lp.get("workgroup").lower(),
+ USER_PASS,
+ digests.hashes[5].hash)
+ self.check_digest(USER_NAME.lower(),
+ self.lp.get("workgroup").upper(),
+ USER_PASS,
+ digests.hashes[6].hash)
+ self.check_digest(USER_NAME,
+ self.lp.get("realm").lower(),
+ USER_PASS,
+ digests.hashes[7].hash)
+ self.check_digest(USER_NAME.lower(),
+ self.lp.get("realm").lower(),
+ USER_PASS,
+ digests.hashes[8].hash)
+ self.check_digest(USER_NAME.upper(),
+ self.lp.get("realm"),
+ USER_PASS,
+ digests.hashes[9].hash)
+ self.check_digest(USER_NAME,
+ self.lp.get("realm"),
+ USER_PASS,
+ digests.hashes[10].hash)
+ self.check_digest(USER_NAME,
+ self.lp.get("realm").lower(),
+ USER_PASS,
+ digests.hashes[11].hash)
+ self.check_digest(USER_NAME.upper(),
+ self.lp.get("realm").lower(),
+ USER_PASS,
+ digests.hashes[12].hash)
+ self.check_digest(USER_NAME.lower(),
+ self.lp.get("realm"),
+ USER_PASS,
+ digests.hashes[13].hash)
+ self.check_digest(UPN,
+ "",
+ USER_PASS,
+ digests.hashes[14].hash)
+ self.check_digest(UPN.lower(),
+ "",
+ USER_PASS,
+ digests.hashes[15].hash)
+ self.check_digest(UPN.upper(),
+ "",
+ USER_PASS,
+ digests.hashes[16].hash)
+
+ name = "%s\\%s" % (self.lp.get("workgroup"), USER_NAME)
+ self.check_digest(name,
+ "",
+ USER_PASS,
+ digests.hashes[17].hash)
+
+ name = "%s\\%s" % (self.lp.get("workgroup").lower(), USER_NAME.lower())
+ self.check_digest(name,
+ "",
+ USER_PASS,
+ digests.hashes[18].hash)
+
+ name = "%s\\%s" % (self.lp.get("workgroup").upper(), USER_NAME.upper())
+ self.check_digest(name,
+ "",
+ USER_PASS,
+ digests.hashes[19].hash)
+ self.check_digest(USER_NAME,
+ "Digest",
+ USER_PASS,
+ digests.hashes[20].hash)
+ self.check_digest(USER_NAME.lower(),
+ "Digest",
+ USER_PASS,
+ digests.hashes[21].hash)
+ self.check_digest(USER_NAME.upper(),
+ "Digest",
+ USER_PASS,
+ digests.hashes[22].hash)
+ self.check_digest(UPN,
+ "Digest",
+ USER_PASS,
+ digests.hashes[23].hash)
+ self.check_digest(UPN.lower(),
+ "Digest",
+ USER_PASS,
+ digests.hashes[24].hash)
+ self.check_digest(UPN.upper(),
+ "Digest",
+ USER_PASS,
+ digests.hashes[25].hash)
+ name = "%s\\%s" % (self.lp.get("workgroup"), USER_NAME)
+ self.check_digest(name,
+ "Digest",
+ USER_PASS,
+ digests.hashes[26].hash)
+
+ name = "%s\\%s" % (self.lp.get("workgroup").lower(), USER_NAME.lower())
+ self.check_digest(name,
+ "Digest",
+ USER_PASS,
+ digests.hashes[27].hash)
+
+ name = "%s\\%s" % (self.lp.get("workgroup").upper(), USER_NAME.upper())
+ self.check_digest(name,
+ "Digest",
+ USER_PASS,
+ digests.hashes[28].hash)
diff --git a/python/samba/tests/password_hash_fl2003.py b/python/samba/tests/password_hash_fl2003.py
new file mode 100644
index 0000000..f83dc3a
--- /dev/null
+++ b/python/samba/tests/password_hash_fl2003.py
@@ -0,0 +1,107 @@
+# Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+#
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+
+These tests need to be run in an environment in which
+io->ac->gpg_key_ids == NULL, so that the gpg supplemental credentials
+are not generated. And also need to be in an environment with a
+functional level less than 2008 to ensure the kerberos newer keys are not
+generated
+"""
+
+from samba.tests.password_hash import (
+ PassWordHashTests,
+ get_package,
+ USER_PASS
+)
+from samba.ndr import ndr_unpack
+from samba.dcerpc import drsblobs
+import binascii
+
+
+class PassWordHashFl2003Tests(PassWordHashTests):
+
+ def setUp(self):
+ super(PassWordHashFl2003Tests, self).setUp()
+
+ def test_default_supplementalCredentials(self):
+ self.add_user()
+
+ sc = self.get_supplemental_creds()
+
+ # Check that we got all the expected supplemental credentials
+ # And they are in the expected order.
+ size = len(sc.sub.packages)
+ self.assertEquals(3, size)
+
+ (pos, package) = get_package(sc, "Primary:Kerberos")
+ self.assertEquals(1, pos)
+ self.assertEquals("Primary:Kerberos", package.name)
+
+ (pos, package) = get_package(sc, "Packages")
+ self.assertEquals(2, pos)
+ self.assertEquals("Packages", package.name)
+
+ (pos, package) = get_package(sc, "Primary:WDigest")
+ self.assertEquals(3, pos)
+ self.assertEquals("Primary:WDigest", package.name)
+
+ # Check that the WDigest values are correct.
+ #
+ digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
+ binascii.a2b_hex(package.data))
+ self.check_wdigests(digests)
+
+ def test_supplementalCredentials_cleartext(self):
+ self.add_user(clear_text=True)
+
+ sc = self.get_supplemental_creds()
+
+ # Check that we got all the expected supplemental credentials
+ # And they are in the expected order.
+ size = len(sc.sub.packages)
+ self.assertEquals(4, size)
+
+ (pos, package) = get_package(sc, "Primary:Kerberos")
+ self.assertEquals(1, pos)
+ self.assertEquals("Primary:Kerberos", package.name)
+
+ (pos, wd_package) = get_package(sc, "Primary:WDigest")
+ self.assertEquals(2, pos)
+ self.assertEquals("Primary:WDigest", wd_package.name)
+
+ (pos, package) = get_package(sc, "Packages")
+ self.assertEquals(3, pos)
+ self.assertEquals("Packages", package.name)
+
+ (pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
+ self.assertEquals(4, pos)
+ self.assertEquals("Primary:CLEARTEXT", ct_package.name)
+
+ # Check that the WDigest values are correct.
+ #
+ digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
+ binascii.a2b_hex(wd_package.data))
+ self.check_wdigests(digests)
+
+ # Check the clear text value is correct.
+ ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
+ binascii.a2b_hex(ct_package.data))
+ self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
diff --git a/python/samba/tests/password_hash_fl2008.py b/python/samba/tests/password_hash_fl2008.py
new file mode 100644
index 0000000..9d296dd
--- /dev/null
+++ b/python/samba/tests/password_hash_fl2008.py
@@ -0,0 +1,112 @@
+# Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+#
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+
+These tests need to be run in an environment in which
+io->ac->gpg_key_ids == NULL, so that the gpg supplemental credentials
+are not generated. And also need to be in an environment with a
+functional level of 2008 or greater to ensure the kerberos newer keys are
+generated
+"""
+from samba.tests.password_hash import (
+ PassWordHashTests,
+ get_package,
+ USER_PASS
+)
+from samba.ndr import ndr_unpack
+from samba.dcerpc import drsblobs
+import binascii
+
+class PassWordHashFl2008Tests(PassWordHashTests):
+
+ def setUp(self):
+ super(PassWordHashFl2008Tests, self).setUp()
+
+
+ def test_default_supplementalCredentials(self):
+ self.add_user()
+
+ sc = self.get_supplemental_creds()
+
+ # Check that we got all the expected supplemental credentials
+ # And they are in the expected order.
+ size = len(sc.sub.packages)
+ self.assertEquals(4, size)
+ (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
+ self.assertEquals(1, pos)
+ self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
+
+ (pos, package) = get_package(sc, "Primary:Kerberos")
+ self.assertEquals(2, pos)
+ self.assertEquals("Primary:Kerberos", package.name)
+
+ (pos, package) = get_package(sc, "Packages")
--
Samba Shared Repository
More information about the samba-cvs
mailing list