[SCM] Samba Shared Repository - branch v4-7-test updated

Karolin Seeger kseeger at samba.org
Wed Aug 16 11:04:03 UTC 2017


The branch, v4-7-test has been updated
       via  67612bb selftest: Add test for password change when NTLM is disabled
       via  5e1e86e WHATSNEW: Fix some typos.
      from  e131010 VERSION: Bump version up to 4.7.0rc5...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test


- Log -----------------------------------------------------------------
commit 67612bbe87bc61886daf407851c83511fa991e79
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 4 17:27:27 2017 +1200

    selftest: Add test for password change when NTLM is disabled
    
    When NTLM is disabled, the server should reject NTLM-based password
    changes. Changing the password is a bit complicated from python, but
    because the server should reject the password change outright with
    NTLM_BLOCKED, the test doesn't actually need to provide valid
    credentials.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
    
    (cherry picked from commit 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7)
    
    Autobuild-User(v4-7-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-7-test): Wed Aug 16 13:03:26 CEST 2017 on sn-devel-144

commit 5e1e86e5e9eae26106aa6f3133161b360d4c3b3d
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Aug 15 10:25:30 2017 +0200

    WHATSNEW: Fix some typos.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                   | 37 ++++++++++++++++-----------------
 python/samba/tests/ntlmauth.py | 46 ++++++++++++++++++++++++++++++------------
 selftest/knownfail             |  2 ++
 3 files changed, 54 insertions(+), 31 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a40feb3..d738e4d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -12,13 +12,13 @@ Samba 4.7 will be the next version of the Samba suite.
 UPGRADING
 =========
 
-smbclient changes
------------------
+'smbclient' changes
+------------------
 
-smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
-banner when connecting to the first server. With SMB2 and Kerberos
-there's no way to print this information reliable. Now we avoid it at all
-consistently. In interactive session the following banner is now presented
+'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
+banner when connecting to the first server. With SMB2 and Kerberos,
+there's no way to print this information reliably. Now we avoid it at all
+consistently. In interactive sessions the following banner is now presented
 to the user: 'Try "help" do get a list of possible commands.'.
 
 The default for "client max protocol" has changed to "SMB3_11",
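Review bot: The quoted banner at the end of the first paragraph still reads 'Try "help" do get a list of possible commands.' on an unchanged line; unless "do" is the client's literal output it should be "to", and a typo pass is the place to fix it. The sentence "Now we avoid it at all consistently" is also left hard to parse; something like "We now consistently omit it" would say what is meant.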
@@ -26,22 +26,23 @@ which means that smbclient (and related commands) will work against
 servers without SMB1 support.
 
 It's possible to use the '-m/--max-protocol' option to overwrite
-the "client max protocol" option temporary.
+the "client max protocol" option temporarily.
 
 Note that the '-e/--encrypt' option also works with most SMB3 servers
 (e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
 are not required for encryption.
 
-The change to SMB3_11 as default also  means smbclient no longer
+The change to SMB3_11 as default also means smbclient no longer
 negotiates SMB1 unix extensions by default, when talking to a Samba server with
-"unix extensions = yes".  As a result some commands are not available, e.g.
-posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
-getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
+"unix extensions = yes".  As a result, some commands are not available, e.g.
+'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink',
+'posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" reenables them, if the
+server supports SMB1.
 
 Note the default ("CORE") for "client min protocol" hasn't changed,
 so it's still possible to connect to SMB1-only servers by default.
 
-smbclient learned a new command "deltree" that is able to do
+'smbclient' learned a new command "deltree" that is able to do
 a recursive deletion of a directory tree.
 
 
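Review bot: The quoting is applied unevenly in this hunk: the added line "The change to SMB3_11 as default also means smbclient no longer" leaves smbclient unquoted, while the heading, the first paragraph and the "deltree" sentence now use 'smbclient'. Quote every mention or none. While here, "overwrite the "client max protocol" option" in the unchanged line above probably wants "override".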
@@ -106,15 +107,15 @@ Dynamic RPC port range
 ----------------------
 
 The dynamic port range for RPC services has been changed from the old default
-value 1024-1300 to 49152-65535. This port range is not only used by a
-Samba AD DC but also applies to all other server roles including NT4-style
+value "1024-1300" to "49152-65535". This port range is not only used by a
+Samba AD DC, but also applies to all other server roles including NT4-style
 domain controllers. The new value has been defined by Microsoft in Windows
 Server 2008 and newer versions. To make it easier for Administrators to control
 those port ranges we use the same default and make it configurable with the
-option: 'rpc server dynamic port range'.
+option: "rpc server dynamic port range".
 
-The 'rpc server port' option sets the first available port from the new
-'rpc server dynamic port range' option. The option 'rpc server port' only
+The "rpc server port" option sets the first available port from the new
+"rpc server dynamic port range" option. The option "rpc server port" only
 applies to Samba provisioned as an AD DC.
 
 Authentication and Authorization audit support
@@ -139,7 +140,7 @@ Multi-process LDAP Server
 -------------------------
 
 The LDAP server in the AD DC now honours the process model used for
-the rest of the samba process, rather than being forced into a single
+the rest of the 'samba' process, rather than being forced into a single
 process.  This aids in Samba's ability to scale to larger numbers of AD
 clients and the AD DC's overall resiliency, but will mean that there is a
 fork()ed child for every LDAP client, which may be more resource
diff --git a/python/samba/tests/ntlmauth.py b/python/samba/tests/ntlmauth.py
index 8db1ad0..a232bf2 100644
--- a/python/samba/tests/ntlmauth.py
+++ b/python/samba/tests/ntlmauth.py
@@ -19,13 +19,13 @@ from samba.tests import TestCase
 import os
 
 import samba
-from samba.credentials import Credentials, DONT_USE_KERBEROS
+from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
 
 from samba import NTSTATUSError, ntstatus
 import ctypes
 
 from samba import credentials
-from samba.dcerpc import srvsvc
+from samba.dcerpc import srvsvc, samr, lsa
 
 """
 Tests basic NTLM authentication
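Review bot: The unchanged line "from samba import credentials" stays although Credentials is imported by name, and its only visible use, "credentials.Credentials()" in test_ntlm_connection, is removed later in this patch. Drop the module import if nothing else in the file needs it.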
@@ -37,24 +37,21 @@ class NtlmAuthTests(TestCase):
         super(NtlmAuthTests, self).setUp()
 
         self.lp          = self.get_loadparm()
+        self.server      = os.getenv("SERVER")
 
-
+        self.creds = Credentials()
+        self.creds.guess(self.lp)
+        self.creds.set_username(os.getenv("USERNAME"))
+        self.creds.set_domain(self.server)
+        self.creds.set_password(os.getenv("PASSWORD"))
+        self.creds.set_kerberos_state(DONT_USE_KERBEROS)
 
     def tearDown(self):
         super(NtlmAuthTests, self).tearDown()
 
     def test_ntlm_connection(self):
-        server = os.getenv("SERVER")
-
-        creds = credentials.Credentials()
-        creds.guess(self.lp)
-        creds.set_username(os.getenv("USERNAME"))
-        creds.set_domain(server)
-        creds.set_password(os.getenv("PASSWORD"))
-        creds.set_kerberos_state(DONT_USE_KERBEROS)
-
         try:
-            conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % server, self.lp, creds)
+            conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
 
             self.assertIsNotNone(conn)
         except NTSTATUSError as e:
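Review bot: setUp now reads SERVER, USERNAME and PASSWORD with os.getenv() and uses the results unchecked, so a missing variable only shows up later as a binding string built from None or as a credentials error in every test. A short check in setUp that fails with the name of the missing variable would make a misconfigured environment obvious.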
@@ -65,4 +62,27 @@ class NtlmAuthTests(TestCase):
             else:
                 raise
 
+    def test_samr_change_password(self):
+        self.creds.set_kerberos_state(MUST_USE_KERBEROS)
+        conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
+
+        # we want to check whether this gets rejected outright because NTLM is
+        # disabled, so we don't actually need to encrypt a valid password here
+        server = lsa.String()
+        server.string = self.server
+        username = lsa.String()
+        username.string = os.getenv("USERNAME")
+
+        try:
+            conn.ChangePasswordUser2(server, username, None, None, True, None, None)
+        except NTSTATUSError as e:
+            # changing passwords is rejected when NTLM is disabled
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
+                self.fail("NTLM is disabled on this server")
+            elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
+                # expected error case when NTLM is enabled
+                pass
+            else:
+                raise
 
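Review bot: In test_samr_change_password the try block has no else branch, so if ChangePasswordUser2 returns without raising, the test passes without having checked anything; since the passwords are None, success is never expected, and an else that calls self.fail() would close that gap. Separately, self.creds is switched to MUST_USE_KERBEROS but samr.samr(...) is called with only the binding string, so neither self.lp nor self.creds is passed to the connection, and the binding uses os.getenv("SERVER") where self.server is already set.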
diff --git a/selftest/knownfail b/selftest/knownfail
index 1cba331..f41b99d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -342,3 +342,5 @@
 ^samba.tests.netlogonsvc.python\(fileserver\)
 # NTLM authentication is (intentionally) disabled in ktest
 ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\)
+# Disabling NTLM means you can't use samr to change the password
+^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\)
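Review bot: The comment above the new entry states the consequence but not why the test is listed: test_samr_change_password calls self.fail() on NT_STATUS_NTLM_BLOCKED, so in ktest the server behaving as intended is recorded as a known failure. Saying so in the comment, as the existing comment for test_ntlm_connection does with "(intentionally)", would make clear that the rejection is the desired result and not a bug waiting to be fixed.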


-- 
Samba Shared Repository


