[SCM] Samba Shared Repository - branch v4-7-stable updated

Karolin Seeger kseeger at samba.org
Tue Aug 15 07:19:34 UTC 2017


The branch, v4-7-stable has been updated
       via  842bac1 VERSION: Disable GIT_SNAPSHOT for the 4.7.0rc4 release.
       via  7bc3506 WHATSNEW: Add release notes for Samba 4.7.0rc4.
       via  11a6fd3 source3/client: Fix typo in help message displayed by default
       via  d7ab149 vfs_fruit: factor out common code from ad_get() and ad_fget()
       via  67649b7 vfs_fruit: return fake pipe fd in fruit_open_meta_netatalk()
       via  6f00dc7 vfs_fruit: don't open basefile in ad_open() and simplify API
       via  dafa192 vfs_fruit: use path based setxattr call in ad_fset()
       via  4a742a6 s4/torture: additional tests for kernel-oplocks
       via  60a551e s4/torture: reproducer for kernel oplocks issue with streams
       via  a89dca2 vfs_streams_xattr: return a fake fd in streams_xattr_open()
       via  715bae3 vfs_streams_xattr: implement all missing handle based VFS functions
       via  577a3c1 vfs_streams_xattr: always pass NULL as fsp arg to get_ea_value()
       via  cc0ada5 vfs_streams_xattr: remove fsp argument from get_xattr_size()
       via  2987e49 vfs_streams_xattr: remove all uses of fd, use name based functions
       via  a0727ee vfs_streams_xattr: invalidate stat info if xattr was not found
       via  ca32a25 s3: torture: Add a test for cli_setpathinfo_basic() to smbtorture3.
       via  4cc812b s3: libsmb: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo().
       via  a899335 s3: libsmb: Add cli_smb2_setpathinfo(), to be called by cli_setpathinfo_basic().
       via  527d1aa s3: libsmbclient: Fix cli_setpathinfo_basic() to treat mode == -1 as no change.
       via  53643ac vfs_gpfs: handle EACCES when fetching DOS attributes from xattr
       via  07b678b s3/smbd: handle EACCES when fetching DOS attributes from xattr
       via  a64088b s3/smbd: handling of failed DOS attributes reading
       via  cb38898 python: Fix incorrect kdc.conf parameter name in kerberos.py
       via  ee55090 WHATSNEW: Update doc for Samba AD with MIT Kerberos
       via  9461ede dsdb: Do not force a re-index of sam.ldb on upgrade to 4.7
       via  c13e416 dsdb: Fix dsdb_next_callback to correctly use ldb_module_done() etc
       via  d77de9a s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified
       via  cf4e08f s4-dsdb/netlogon: allow missing ntver in cldap ping
       via  11cbf1f s4:torture/ldap: Test netlogon without NtVer
       via  66707ea s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)
       via  1a90ffe mit-kdb: Fix NULL pointer check after malloc
       via  0309fcf s4:kcc: Add a NULL check before qsort()
       via  2a2ba42 selftest: Make --include-env and --exclude-env use the base env name
       via  6d469e7 selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds
       via  9fbfd46 s4-netlogon: Use log_escape to protect against un-validated strings
       via  3a65622 s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms
       via  32e9367 source4 netlogon: Add authentication logging for ServerAuthenticate3
       via  280621c tests auth_log: Add new tests for NETLOGON
       via  09ed546 tests auth_log: Modify existing tests to handle NETLOGON messages
       via  d8b9a83 auth_log: use symbolic constant to replace /root/ncalrpc_as_system
       via  0523140 rpc: use symbolic constant to replace /root/ncalrpc_as_system
       via  eb6e820 dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system
       via  e7d6201 samdb/cracknames: support user and service principal as desired format
       via  87103e3 samdb/cracknames: do not show recycled when a guid is desired
       via  08a0206 python/tests: add python test for cracknames
       via  a432712 s4-rpc_server: Improve debug of new endpoints
       via  c991fd9 s4-rpc_server: ensure we get a new endpoint for netlogon
       via  f81665e WHATSNEW: Fix typo.
       via  762d338 vfs_ceph: fix cephwrap_chdir()
       via  eb874b9 VERSION: Bump version up to 4.7.0rc4...
      from  ce4fa8f VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc3 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                           |   2 +-
 WHATSNEW.txt                                      |  54 ++-
 auth/auth_log.c                                   |  12 +
 auth/gensec/ncalrpc.c                             |   2 +-
 librpc/idl/dcerpc.idl                             |   1 +
 python/samba/provision/kerberos.py                |   2 +-
 python/samba/tests/auth_log.py                    |  11 +
 python/samba/tests/auth_log_base.py               |  17 +
 python/samba/tests/auth_log_ncalrpc.py            |   3 +-
 python/samba/tests/auth_log_netlogon.py           | 131 +++++
 python/samba/tests/auth_log_netlogon_bad_creds.py | 178 +++++++
 python/samba/tests/auth_log_samlogon.py           |   4 +-
 python/samba/tests/dsdb.py                        |  23 +
 selftest/selftest.pl                              |   6 +-
 source3/client/client.c                           |   2 +-
 source3/libsmb/cli_smb2_fnum.c                    |  73 ++-
 source3/libsmb/cli_smb2_fnum.h                    |   5 +
 source3/libsmb/clirap.c                           |  27 +-
 source3/modules/vfs_ceph.c                        |   8 -
 source3/modules/vfs_fruit.c                       | 268 ++++-------
 source3/modules/vfs_gpfs.c                        |  69 ++-
 source3/modules/vfs_streams_xattr.c               | 558 ++++++++++++++++++----
 source3/rpc_server/rpc_server.c                   |   2 +-
 source3/script/tests/test_smbclient_s3.sh         |   4 +-
 source3/smbd/dosmode.c                            |  43 +-
 source3/torture/torture.c                         | 137 ++++++
 source3/utils/smbcacls.c                          |  14 +-
 source4/dsdb/kcc/kcc_topology.c                   |   4 +
 source4/dsdb/pydsdb.c                             |   1 +
 source4/dsdb/samdb/cracknames.c                   |  38 +-
 source4/dsdb/samdb/ldb_modules/netlogon.c         |   6 +-
 source4/dsdb/samdb/ldb_modules/util.c             |  25 +-
 source4/dsdb/samdb/samdb.h                        |   2 +
 source4/dsdb/schema/schema_set.c                  |  22 +-
 source4/kdc/mit-kdb/kdb_samba_pac.c               |   2 +-
 source4/rpc_server/dcerpc_server.c                |  25 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c     | 134 ++++--
 source4/rpc_server/service_rpc.c                  |  16 +
 source4/selftest/tests.py                         |  23 +
 source4/torture/drs/python/cracknames.py          | 166 +++++++
 source4/torture/ldap/netlogon.c                   |  48 ++
 source4/torture/smb2/oplock.c                     | 346 ++++++++++++++
 42 files changed, 2114 insertions(+), 400 deletions(-)
 create mode 100644 python/samba/tests/auth_log_netlogon.py
 create mode 100644 python/samba/tests/auth_log_netlogon_bad_creds.py
 create mode 100644 source4/torture/drs/python/cracknames.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index ba67ae3..46085e2 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1                      #
 #  ->  "3.0.0rc1"                                      #
 ########################################################
-SAMBA_VERSION_RC_RELEASE=3
+SAMBA_VERSION_RC_RELEASE=4
 
 ########################################################
 # To mark SVN snapshots this should be set to 'yes'    #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 3bddec7..a40feb3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =====================
 
-This is the third release candidate of Samba 4.7.  This is *not*
+This is the fourth release candidate of Samba 4.7.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
@@ -88,7 +88,7 @@ running Samba AD with MIT Kerberos. You can enable it with:
 
 Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
 The krb5-devel and krb5-server packages are required.
-The feature set is not on par with with the Heimdal build but the most important
+The feature set is not on par with the Heimdal build but the most important
 things, like forest and external trusts, are working. Samba uses the KDC binary
 provided by MIT Kerberos.
 
@@ -100,10 +100,7 @@ Missing features, compared to Heimdal, are:
 The Samba AD process will take care of starting the MIT KDC and it will load a
 KDB (Kerberos Database) driver to access the Samba AD database.  When
 provisioning an AD DC using 'samba-tool' it will take care of creating a correct
-kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
-kdc.conf by default. It is possible to use a different location during
-provision. You should consult the 'samba-tool' help and smb.conf manpage for
-details.
+kdc.conf file for the MIT KDC.
 
 Dynamic RPC port range
 ----------------------
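Review bot: the deleted lines in this hunk dropped the warning that 'samba-tool' overwrites the system kdc.conf by default, together with the pointer to using a different location during provision; if that behaviour has changed, the replacement sentence should say what now happens, and if it has not, the warning should stay, since silently replacing the system kdc.conf is exactly the surprise an administrator needs to know about before provisioning a DC with MIT Kerberos.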
@@ -330,6 +327,51 @@ KNOWN ISSUES
 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
 
 
+CHANGES SINCE 4.7.0rc3
+======================
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 12913: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo().
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return
+     NETLOGON_NT_VERSION_5 when version unspecified.
+   * BUG 12855: dsdb: Do not force a re-index of sam.ldb on upgrade to 4.7.
+   * BUG 12904: dsdb: Fix dsdb_next_callback to correctly use ldb_module_done()
+     etc.
+   * BUG 12939: s4-rpc_server: Improve debug of new endpoints.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 12791: Fix kernel oplocks issues with named streams.
+   * BUG 12944: vfs_gpfs: Handle EACCES when fetching DOS attributes from xattr.
+
+o  Bob Campbell <bobcampbell at catalyst.net.nz>
+   * BUG 12842: samdb/cracknames: Support user and service principal as desired
+     format.
+
+o  David Disseldorp <ddiss at samba.org>
+   * BUG 12911: vfs_ceph: Fix cephwrap_chdir().
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 12865: Track machine account ServerAuthenticate3.
+
+o  Marc Muehlfeld <mmuehlfeld at samba.org>
+   * BUG 12947: python: Fix incorrect kdc.conf parameter name in kerberos.py.
+
+o  Noel Power <noel.power at suse.com>
+   * BUG 12937: s3/utils: 'smbcacls' failed to detect DIRECTORIES using SMB2
+     (Windows only).
+
+o  Arvid Requate <requate at univention.de>
+   * BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping.
+
+o  Anoop C S <anoopcs at redhat.com>
+   * BUG 12936: source3/client: Fix typo in help message displayed by default.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 12930: Fix building with GCC 7.1.1.
+
+
 CHANGES SINCE 4.7.0rc2
 ======================
 
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 9dbf8f2..d4c6c44 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -639,6 +639,18 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
 
 	if (ui->password_type != NULL) {
 		password_type = ui->password_type;
+	} else if (ui->auth_description != NULL &&
+		   strncmp("ServerAuthenticate", ui->auth_description, 18) == 0)
+	{
+		if (ui->netlogon_trust_account.negotiate_flags
+		    & NETLOGON_NEG_SUPPORTS_AES) {
+			password_type = "HMAC-SHA256";
+		} else if (ui->netlogon_trust_account.negotiate_flags
+		           & NETLOGON_NEG_STRONG_KEYS) {
+			password_type = "HMAC-MD5";
+		} else {
+			password_type = "DES";
+		}
 	} else if (ui->password_state == AUTH_PASSWORD_RESPONSE &&
 		   (ui->logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) &&
 		   ui->password.response.nt.length == 24) {
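Review bot: the literal 18 in `strncmp("ServerAuthenticate", ui->auth_description, 18)` is a magic number that must stay in sync with the prefix string; `strlen("ServerAuthenticate")` (folded by the compiler) or a named constant would make the intent clear and prevent drift, and a comment that the prefix match is meant to cover ServerAuthenticate2 and ServerAuthenticate3 as well would help. The derived labels are valuable for detection: a logged passwordType of "DES" identifies a peer that negotiated neither NETLOGON_NEG_SUPPORTS_AES nor NETLOGON_NEG_STRONG_KEYS, which is the weak secure-channel case worth alerting on, but these strings describe the schannel key derivation rather than a user password format, so the reuse of the passwordType field deserves a line in the auth logging documentation.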
diff --git a/auth/gensec/ncalrpc.c b/auth/gensec/ncalrpc.c
index f28a1c4..70b3bb5 100644
--- a/auth/gensec/ncalrpc.c
+++ b/auth/gensec/ncalrpc.c
@@ -203,7 +203,7 @@ static NTSTATUS gensec_ncalrpc_update_internal(
 			return NT_STATUS_LOGON_FAILURE;
 		}
 
-		cmp = strcmp(unix_path, "/root/ncalrpc_as_system");
+		cmp = strcmp(unix_path, AS_SYSTEM_MAGIC_PATH_TOKEN);
 		TALLOC_FREE(unix_path);
 		if (cmp != 0) {
 			state->step = GENSEC_NCALRPC_ERROR;
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 1e06bc1..bbb17f0 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -247,6 +247,7 @@ interface dcerpc
 		DCERPC_AUTH_TYPE_MSMQ     = 100,
 		DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM = 200
 	} dcerpc_AuthType;
+	const char *AS_SYSTEM_MAGIC_PATH_TOKEN = "/root/ncalrpc_as_system";
 
 	typedef [enum8bit] enum {
 		DCERPC_AUTH_LEVEL_NONE      = 1,
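Review bot: the new `AS_SYSTEM_MAGIC_PATH_TOKEN` constant carries no comment, yet it is the value auth/gensec/ncalrpc.c compares the peer's unix_path against before it accepts the connection, and the Python tests import it by name; a one-line IDL comment stating that it is a magic token (not a path that has to exist) and that the ncalrpc check depends on it would help the next reader. It also sits between the dcerpc_AuthType and dcerpc_AuthLevel typedefs; keeping it directly beside DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM, which it serves, would make the pairing obvious.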
diff --git a/python/samba/provision/kerberos.py b/python/samba/provision/kerberos.py
index 24ced9c..4ed4d57 100644
--- a/python/samba/provision/kerberos.py
+++ b/python/samba/provision/kerberos.py
@@ -69,7 +69,7 @@ def create_kdc_conf(kdcconf, realm, domain, logdir):
 
         f.write("[dbmodules]\n")
 
-        f.write("\tdb_modules_dir = %s\n" % kdb_modules_dir)
+        f.write("\tdb_module_dir = %s\n" % kdb_modules_dir)
         f.write("\n")
 
         f.write("\t%s = {\n" % realm)
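Review bot: `db_modules_dir` to `db_module_dir` is a one-character fix to a generated configuration key and nothing in this hunk tests it; a unit test that calls create_kdc_conf() into a temporary file and asserts on the keys emitted under `[dbmodules]` would have caught this typo and will catch the next one, which matters because a misspelled key here means the KDC silently ignores the module directory setting.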
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index 65800c9..6b032a8 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -991,6 +991,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
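Review bot: the identical line `messages = self.remove_netlogon_messages(messages)` is inserted after every `waitForMessages()` call in this file (eleven hunks); applying the filter once inside `waitForMessages()` in auth_log_base.py, or in a small wrapper used by these tests, would remove the repetition and the risk that a future test forgets the filter and fails only depending on execution order.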
@@ -1020,6 +1021,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1049,6 +1051,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1077,6 +1080,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1106,6 +1110,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1135,6 +1140,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1164,6 +1170,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1194,6 +1201,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1224,6 +1232,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1252,6 +1261,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
@@ -1290,6 +1300,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
 
         messages = self.waitForMessages( isLastExpectedMessage)
+        messages = self.remove_netlogon_messages(messages)
         received = len(messages)
         self.assertIs(True,
                       (received == 5 or received == 6),
diff --git a/python/samba/tests/auth_log_base.py b/python/samba/tests/auth_log_base.py
index e9ae464..aefd57e 100644
--- a/python/samba/tests/auth_log_base.py
+++ b/python/samba/tests/auth_log_base.py
@@ -62,6 +62,10 @@ class AuthLogTestBase(samba.tests.TestCase):
 
 
     def waitForMessages(self, isLastExpectedMessage, connection=None):
+        """Wait for all the expected messages to arrive
+        The connection is passed through to keep the connection alive
+        until all the logging messages have been received.
+        """
 
         def completed( messages):
             for message in messages:
@@ -102,3 +106,16 @@ class AuthLogTestBase(samba.tests.TestCase):
         while len( self.context["messages"]):
             self.msg_ctx.loop_once(0.001)
         self.context["messages"] = []
+
+    # Remove any NETLOGON authentication messages
+    # NETLOGON is only performed once per session, so to avoid ordering
+    # dependencies within the tests it's best to strip out NETLOGON messages.
+    #
+    def remove_netlogon_messages(self, messages):
+        def is_not_netlogon(msg):
+            if "Authentication" not in msg:
+                return True
+            sd = msg["Authentication"]["serviceDescription"]
+            return sd != "NETLOGON"
+
+        return list(filter(is_not_netlogon, messages))
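Review bot: the explanation above `remove_netlogon_messages()` is a `#` comment block while `waitForMessages()` in the hunk above gained a proper docstring in the same commit; make this one a docstring too for consistency and so it is visible to help(). Also, `is_not_netlogon` indexes `msg["Authentication"]["serviceDescription"]` directly, so an Authentication message without a serviceDescription raises KeyError instead of being kept; `msg["Authentication"].get("serviceDescription")` would make the filter tolerant of message shape changes.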
diff --git a/python/samba/tests/auth_log_ncalrpc.py b/python/samba/tests/auth_log_ncalrpc.py
index 2538c61..be7f6b2 100644
--- a/python/samba/tests/auth_log_ncalrpc.py
+++ b/python/samba/tests/auth_log_ncalrpc.py
@@ -22,6 +22,7 @@ from samba import auth
 import samba.tests
 from samba.messaging import Messaging
 from samba.dcerpc.messaging import MSG_AUTH_LOG, AUTH_EVENT_NAME
+from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
 from samba.dcerpc import samr
 import time
 import json
@@ -35,7 +36,7 @@ class AuthLogTestsNcalrpc(samba.tests.auth_log_base.AuthLogTestBase):
 
     def setUp(self):
         super(AuthLogTestsNcalrpc, self).setUp()
-        self.remoteAddress = "/root/ncalrpc_as_system"
+        self.remoteAddress = AS_SYSTEM_MAGIC_PATH_TOKEN
 
     def tearDown(self):
         super(AuthLogTestsNcalrpc , self).tearDown()
diff --git a/python/samba/tests/auth_log_netlogon.py b/python/samba/tests/auth_log_netlogon.py
new file mode 100644
index 0000000..228fbe9
--- /dev/null
+++ b/python/samba/tests/auth_log_netlogon.py
@@ -0,0 +1,131 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+    Tests that exercise the auth logging for a successful netlogon attempt
+
+    NOTE: As the netlogon authentication is performed once per session,
+          there is only one test in this routine.  If another test is added
+          only the test executed first will generate the netlogon auth message
+"""
+
+import samba.tests
+import os
+from samba.samdb import SamDB
+import samba.tests.auth_log_base
+from samba.credentials import Credentials
+from samba.dcerpc import netlogon
+from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
+from samba.auth import system_session
+from samba.tests import delete_force
+from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
+from samba.dcerpc.misc import SEC_CHAN_WKSTA
+
+
+class AuthLogTestsNetLogon(samba.tests.auth_log_base.AuthLogTestBase):
+
+    def setUp(self):
+        super(AuthLogTestsNetLogon, self).setUp()
+        self.lp      = samba.tests.env_loadparm()
+        self.creds   = Credentials()
+
+        self.session = system_session()
+        self.ldb = SamDB(
+            session_info=self.session,
+            credentials=self.creds,
+            lp=self.lp)
+
+        self.domain        = os.environ["DOMAIN"]
+        self.netbios_name  = "NetLogonGood"
+        self.machinepass   = "abcdefghij"
+        self.remoteAddress = AS_SYSTEM_MAGIC_PATH_TOKEN
+        self.base_dn       = self.ldb.domain_dn()
+        self.dn            = ("cn=%s,cn=users,%s" %
+                              (self.netbios_name, self.base_dn))
+
+        utf16pw = unicode(
+            '"' + self.machinepass.encode('utf-8') + '"', 'utf-8'
+        ).encode('utf-16-le')
+        self.ldb.add({
+            "dn": self.dn,
+            "objectclass": "computer",
+            "sAMAccountName": "%s$" % self.netbios_name,
+            "userAccountControl":
+                str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
+            "unicodePwd": utf16pw})
+
+    def tearDown(self):
+        super(AuthLogTestsNetLogon, self).tearDown()
+        delete_force(self.ldb, self.dn)
+
+    def _test_netlogon(self, binding, checkFunction):
+
+        def isLastExpectedMessage(msg):
+            return (
+                msg["type"] == "Authorization" and
+                msg["Authorization"]["serviceDescription"]  == "DCE/RPC" and
+                msg["Authorization"]["authType"]            == "schannel" and
+                msg["Authorization"]["transportProtection"] == "SEAL")
+
+        if binding:
+            binding = "[schannel,%s]" % binding
+        else:
+            binding = "[schannel]"
+
+        machine_creds = Credentials()
+        machine_creds.guess(self.get_loadparm())
+        machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
+        machine_creds.set_password(self.machinepass)
+        machine_creds.set_username(self.netbios_name + "$")
+
+        netlogon_conn = netlogon.netlogon("ncalrpc:%s" % binding,
+                                          self.get_loadparm(),
+                                          machine_creds)
+
+        messages = self.waitForMessages(isLastExpectedMessage, netlogon_conn)
+        checkFunction(messages)
+
+    def netlogon_check(self, messages):
+
+        expected_messages = 5
+        self.assertEquals(expected_messages,
+                          len(messages),
+                          "Did not receive the expected number of messages")
+
+        # Check the first message it should be an Authorization
+        msg = messages[0]
+        self.assertEquals("Authorization", msg["type"])
+        self.assertEquals("DCE/RPC",
+                          msg["Authorization"]["serviceDescription"])
+        self.assertEquals("ncalrpc", msg["Authorization"]["authType"])
+        self.assertEquals("NONE", msg["Authorization"]["transportProtection"])
+
+        # Check the fourth message it should be a NETLOGON Authentication
+        msg = messages[3]
+        self.assertEquals("Authentication", msg["type"])
+        self.assertEquals("NETLOGON",
+                          msg["Authentication"]["serviceDescription"])
+        self.assertEquals("ServerAuthenticate",
+                          msg["Authentication"]["authDescription"])
+        self.assertEquals("NT_STATUS_OK",
+                          msg["Authentication"]["status"])
+        self.assertEquals("HMAC-SHA256",
+                          msg["Authentication"]["passwordType"])
+
+    def test_netlogon(self):
+        self._test_netlogon("SEAL", self.netlogon_check)
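Review bot: in `tearDown()` the `delete_force(self.ldb, self.dn)` runs after `super(AuthLogTestsNetLogon, self).tearDown()`, so if the base tearDown raises, the NetLogonGood$ computer account created in setUp is left in the directory and the next run's `self.ldb.add` fails on the existing object; call `delete_force` first, or register it with `self.addCleanup()` right after the add in setUp. Smaller points: `netlogon_check()` asserts on messages[0] and messages[3] only while requiring exactly five messages, so a comment on what the other three are expected to be would help when the count changes; `assertEquals` is the deprecated alias of `assertEqual`; and the unicodePwd construction relies on the Python 2 `unicode` builtin.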
diff --git a/python/samba/tests/auth_log_netlogon_bad_creds.py b/python/samba/tests/auth_log_netlogon_bad_creds.py
new file mode 100644
index 0000000..2bae02e
--- /dev/null
+++ b/python/samba/tests/auth_log_netlogon_bad_creds.py
@@ -0,0 +1,178 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+    Tests that exercise auth logging for unsuccessful netlogon attempts.
+
+    NOTE: netlogon is only done once per session, so this file should only
+          test failed logons.  Adding a successful case will potentially break
+          the other tests, depending on the order of execution.
+"""
+
+import samba.tests
+import os
+from samba import NTSTATUSError
+from samba.samdb import SamDB
+import samba.tests.auth_log_base
+from samba.credentials import Credentials
+from samba.dcerpc import netlogon
+from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
+from samba.auth import system_session
+from samba.tests import delete_force
+from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
+from samba.dcerpc.misc import SEC_CHAN_WKSTA
+from samba.dcerpc.netlogon import NETLOGON_NEG_STRONG_KEYS
+
+class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
+
+    def setUp(self):
+        super(AuthLogTestsNetLogonBadCreds, self).setUp()
+        self.lp      = samba.tests.env_loadparm()
+        self.creds   = Credentials()
+
+        self.session = system_session()
+        self.ldb = SamDB(
+            session_info=self.session,
+            credentials=self.creds,
+            lp=self.lp)
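Review bot: the visible part of this file (imports, `setUp` through the SamDB construction) duplicates auth_log_netlogon.py nearly line for line; the shared setUp, machine-account creation and tearDown belong in a mixin or in AuthLogTestBase rather than in two copies that will drift apart. The changeset is truncated at this point, so the failed-logon cases themselves and the use of the imported NETLOGON_NEG_STRONG_KEYS could not be reviewed here.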


-- 
Samba Shared Repository
