[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Jul 4 09:15:02 UTC 2017


The branch, master has been updated
       via  332b179 smbldap: expose bind callback via API and increase smbldap ABI version
       via  fca8536 samr: Disable NTLM-based password changes on the server if NTLM is disabled
       via  831861e selftest: Disable NTLM authentication in ktest environment
       via  00db3ab param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
       via  c278fa6 selftest: Add test to confirm NTLM authentication is enabled
       via  d0d266b param: Disable LanMan authentication unless NTLMv1 is also enabled
       via  8b398a4 selftest: Use new ntlmv2-only and mschapv2-and-ntlmv2-only options
       via  d139d77 auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
       via  353de79 selftest: Add test for support for MSCHAPv2 and NTLMv1 on a server
       via  e23e8d9 s3-rpc_server: Disable the NETLOGON server by default
       via  e13b21d tests: Add simple check whether netlogon server is running
       via  d10e27c auth: Disable SChannel authentication if we are not a DC
       via  1319f19 dns_server: Only install common library if AD DC is enabled.
      from  a760324 net: add net cache samlogon list|show|ndrdump|delete

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 332b179143f4cccda3f6b4c84abb3c52fac8589c
Author: Alexander Bokovoy <ab at samba.org>
Date:   Mon Jul 3 11:58:50 2017 +0300

    smbldap: expose bind callback via API and increase smbldap ABI version
    
    Until we fully migrate to use gensec in smbldap, we need to continue
    exposing bind callback to allow FreeIPA to integrate with smbldap.
    
    Since smbldap API is now lacking direct access to 'struct
    smbldap_state' and new API functions were added to give access to
    individual members of this structure, it makes sense to increase ABI
    version too.
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Jul  4 11:14:49 CEST 2017 on sn-devel-144

commit fca8536a827bff142290bf736d3294116fefebb1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jul 3 14:39:09 2017 +1200

    samr: Disable NTLM-based password changes on the server if NTLM is disabled
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 831861ecf910504eecab30a7e132f0fa210ed212
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 4 13:40:31 2017 +1200

    selftest: Disable NTLM authentication in ktest environment
    
    This allows us to prove that "ntlm auth = disabled" works
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923

commit 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jul 3 14:16:50 2017 +1200

    param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit c278fa65ebe18063a09bb1f2af5e39459f9f2a7d
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 4 13:31:11 2017 +1200

    selftest: Add test to confirm NTLM authentication is enabled
    
    (or later, that it is disabled)
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923

commit d0d266bbf79fac956ca5de0b48dfac08b6f18628
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jul 3 14:11:47 2017 +1200

    param: Disable LanMan authentication unless NTLMv1 is also enabled
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923

commit 8b398a4d72a53b57e622afb4aeefa026b96c3d2a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 4 10:31:40 2017 +1200

    selftest: Use new ntlmv2-only and mschapv2-and-ntlmv2-only options
    
    This will allow the py_credentials test to tell if these are in use
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit d139d77ae3dbc490525ac94f46276d790bc2d879
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jul 3 12:11:51 2017 +1200

    auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
    
    The ntlm auth parameter is expanded to more clearly describe the
    role of each option, and to allow the new mode that permits MSCHAPv2
    (as declared by the client over the NETLOGON protocol) while
    still banning NTLMv1.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Based on a patch by Mantas Mikul─Śnas <mantas at utenos-kolegija.lt>:
    
    Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
    added the --allow-mschapv2 option, but didn't implement checking for it
    server-side. This implements such checking.
    
    Additionally, Samba now disables NTLMv1 authentication by default for
    security reasons. To avoid having to re-enable it globally, 'ntlm auth'
    becomes an enum and a new setting is added to allow only MSCHAPv2.
    
    Signed-off-by: Mantas Mikul─Śnas <mantas at utenos-kolegija.lt>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 353de79af2888afedaf54aa3c16bc2f1c470271a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jul 3 17:28:05 2017 +1200

    selftest: Add test for support for MSCHAPv2 and NTLMv1 on a server
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit e23e8d9ff9144dabea8738c9ab28862c5996c9a8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jul 3 11:28:06 2017 +1200

    s3-rpc_server: Disable the NETLOGON server by default
    
    The NETLOGON server is only needed when the classic/NT4 DC is enabled
    and has been the source of security issues in the past.  Therefore
    reduce the attack surface.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit e13b21d9644445636a7657c73f501772ac8d96bf
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 4 09:31:54 2017 +1200

    tests: Add simple check whether netlogon server is running
    
    Netlogon only needs to run in DC environment. This is a simple test to
    check whether the netlogon service is running. This will allow us to
    disable the netlogon service on setups that don't require it.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d10e27c350d6e4b389fa15cdbc32dc0689e4fcc6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jul 3 13:10:35 2017 +1200

    auth: Disable SChannel authentication if we are not a DC
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 1319f199587ac82742ab39850bd2ea38d7c013ad
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 4 16:11:12 2017 +1200

    dns_server: Only install common library if AD DC is enabled.
    
    The library is used in selftest, so must still be built
    
    This reverts commit d32b66b40c931fe8214faa2e1d40b34b86667d4c and
    replaces the behaviour.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/schannel.c                             |  17 +++-
 docs-xml/smbdotconf/security/lanmanauth.xml        |   1 +
 docs-xml/smbdotconf/security/ntlmauth.xml          |  53 +++++++++--
 lib/param/loadparm.c                               |  19 +++-
 lib/param/param_table.c                            |  15 +++
 libcli/auth/ntlm_check.c                           |  11 ++-
 libcli/auth/ntlm_check.h                           |  12 ++-
 python/samba/tests/netlogonsvc.py                  |  69 ++++++++++++++
 python/samba/tests/ntlmauth.py                     |  68 ++++++++++++++
 python/samba/tests/py_credentials.py               | 102 ++++++++++++++++++++-
 selftest/knownfail                                 |   6 ++
 selftest/knownfail.d/ntlmv1-restrictions           |   5 +
 selftest/target/Samba3.pm                          |   4 +
 selftest/target/Samba4.pm                          |   4 +
 source3/include/proto.h                            |   1 +
 source3/include/smbldap.h                          |   7 ++
 source3/lib/ABI/{smbldap-1.sigs => smbldap-2.sigs} |   1 +
 source3/lib/smbldap.c                              |  16 ++--
 source3/param/loadparm.c                           |  21 ++++-
 source3/rpc_server/rpc_config.c                    |  16 ++++
 source3/rpc_server/samr/srv_samr_chgpasswd.c       |   8 ++
 source3/wscript_build                              |   2 +-
 source4/dns_server/wscript_build                   |   3 +-
 source4/rpc_server/samr/samr_password.c            |   9 ++
 source4/selftest/tests.py                          |  17 +++-
 25 files changed, 456 insertions(+), 31 deletions(-)
 create mode 100644 python/samba/tests/netlogonsvc.py
 create mode 100644 python/samba/tests/ntlmauth.py
 create mode 100644 selftest/knownfail.d/ntlmv1-restrictions
 copy source3/lib/ABI/{smbldap-1.sigs => smbldap-2.sigs} (96%)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 41f6351..8e58e73 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -34,6 +34,7 @@
 #include "param/param.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 #include "lib/crypto/crypto.h"
+#include "libds/common/roles.h"
 
 struct schannel_state {
 	struct gensec_security *gensec;
@@ -723,9 +724,23 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
 	return NT_STATUS_OK;
 }
 
+/*
+ * Reduce the attack surface by ensuring schannel is not availble when
+ * we are not a DC
+ */
 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
 {
-	return NT_STATUS_OK;
+	enum server_role server_role
+		= lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+	switch (server_role) {
+	case ROLE_DOMAIN_BDC:
+	case ROLE_DOMAIN_PDC:
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		return NT_STATUS_OK;
+	default:
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
 }
 
 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
index 138a24f..a9e4f88 100644
--- a/docs-xml/smbdotconf/security/lanmanauth.xml
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -1,6 +1,7 @@
 <samba:parameter name="lanman auth"
                  context="G"
                  type="boolean"
+		 function="_lanman_auth"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 884ee9d..f0969bf 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -1,25 +1,60 @@
 <samba:parameter name="ntlm auth"
                  context="G"
-                 type="boolean"
+                 type="enum"
+                 enumlist="enum_ntlm_auth"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
     <manvolnum>8</manvolnum></citerefentry> will attempt to
     authenticate users using the NTLM encrypted password response.
-    If disabled, either the lanman password hash or an NTLMv2 response
-    will need to be sent by the client.</para>
+    If disabled, NTLM and LanMan authencication is disabled server-wide.</para>
 
-    <para>If this option, and <command moreinfo="none">lanman
-    auth</command> are both disabled, then only NTLMv2 logins will be
-    permited.  Not all clients support NTLMv2, and most will require
-    special configuration to use it.</para>
+    <para>By default with <command moreinfo="none">lanman
+    auth</command> set to <constant>no</constant> and
+    <command moreinfo="none">ntlm auth</command> set to
+    <constant>ntlmv2-only</constant> only NTLMv2 logins will be
+    permited.  Most clients support NTLMv2 by default, but some older
+    clients will require special configuration to use it.</para>
 
     <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
 
-    <para>The default changed from "yes" to "no" with Samba 4.5.</para>
+    <para>The available settings are:</para>
+
+    <itemizedlist>
+        <listitem>
+          <para><constant>ntlmv1-permitted</constant>
+	  (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para>
+
+        </listitem>
+
+        <listitem>
+          <para><constant>ntlmv2-only</constant>
+	  (alias <constant>no</constant>) - Do not allow NTLMv1 to be used,
+	  but permit NTLMv2.</para>
+        </listitem>
+
+        <listitem>
+            <para><constant>mschapv2-and-ntlmv2-only</constant> - Only
+            allow NTLMv1 when the client promises that it is providing
+            MSCHAPv2 authentication (such as the <command
+            moreinfo="none">ntlm_auth</command> tool).</para>
+        </listitem>
+
+        <listitem>
+          <para><constant>disabled</constant> - Do not allow NTLM (or
+          LanMan) authentication of any level as a server, nor permit
+          NTLM password changes.</para>
+        </listitem>
+
+    </itemizedlist>
+
+    <para>The default changed from <constant>yes</constant> to
+    <constant>no</constant> with Samba 4.5.  The default chagned again
+    to <constant>ntlmv2-only</constant> with Samba 4.7, however the
+    behaviour is unchanged.</para>
 </description>
 
 <related>lanman auth</related>
 <related>raw NTLMv2 auth</related>
-<value type="default">no</value>
+<value type="default">ntlmv2-only</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 3ceea50..a221e87 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -70,6 +70,7 @@
 #include "librpc/gen_ndr/nbt.h"
 #include "libds/common/roles.h"
 #include "lib/util/samba_util.h"
+#include "libcli/auth/ntlm_check.h"
 
 #ifdef HAVE_HTTPCONNECTENCRYPT
 #include <cups/http.h>
@@ -2709,7 +2710,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 	lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
-	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False");
+	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "ntlmv2-only");
 	lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 
@@ -3510,3 +3511,19 @@ int lpcfg_tdb_flags(struct loadparm_context *lp_ctx, int tdb_flags)
 	}
 	return tdb_flags;
 }
+
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lpcfg_lanman_auth(struct loadparm_context *lp_ctx)
+{
+	enum ntlm_auth_level ntlm_auth_level = lpcfg_ntlm_auth(lp_ctx);
+
+	if (ntlm_auth_level == NTLM_AUTH_ON) {
+		return lpcfg__lanman_auth(lp_ctx);
+	} else {
+		return false;
+	}
+}
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 21cac10..f905230 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -31,6 +31,7 @@
 #include "lib/param/param.h"
 #include "lib/param/loadparm.h"
 #include "lib/param/param_global.h"
+#include "libcli/auth/ntlm_check.h"
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
 #include "source4/lib/tls/tls.h"
@@ -330,6 +331,20 @@ static const struct enum_list enum_mangled_names[] = {
 	{-1, NULL}
 };
 
+static const struct enum_list enum_ntlm_auth[] = {
+	{NTLM_AUTH_DISABLED, "disabled"},
+	{NTLM_AUTH_NTLMV2_ONLY, "ntlmv2-only"},
+	{NTLM_AUTH_NTLMV2_ONLY, "no"},
+	{NTLM_AUTH_NTLMV2_ONLY, "false"},
+	{NTLM_AUTH_NTLMV2_ONLY, "0"},
+	{NTLM_AUTH_ON, "ntlmv1-permitted"},
+	{NTLM_AUTH_ON, "yes"},
+	{NTLM_AUTH_ON, "true"},
+	{NTLM_AUTH_ON, "1"},
+	{NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, "mschapv2-and-ntlmv2-only"},
+	{-1, NULL}
+};
+
 /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
  *
  * NOTE: Handling of duplicated (synonym) parameters:
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index d7fba34..3b02adc 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -280,7 +280,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			     bool lanman_auth,
-			     bool ntlm_auth,
+			     enum ntlm_auth_level ntlm_auth,
 			     uint32_t logon_parameters,
 			     const DATA_BLOB *challenge,
 			     const DATA_BLOB *lm_response,
@@ -296,6 +296,12 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 	DATA_BLOB tmp_sess_key;
 	const char *upper_client_domain = NULL;
 
+	if (ntlm_auth == NTLM_AUTH_DISABLED) {
+		DBG_WARNING("ntlm_password_check: NTLM authentication not "
+			    "permitted by configuration.\n");
+		return NT_STATUS_NTLM_BLOCKED;
+	}
+
 	if (client_domain != NULL) {
 		upper_client_domain = talloc_strdup_upper(mem_ctx, client_domain);
 		if (upper_client_domain == NULL) {
@@ -397,7 +403,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
 		}
 	} else if (nt_response->length == 24 && stored_nt) {
-		if (ntlm_auth) {		
+		if (ntlm_auth == NTLM_AUTH_ON
+		    || (ntlm_auth == NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY && (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {
 			/* We have the NT MD4 hash challenge available - see if we can
 			   use it (ie. does it exist in the smbpasswd file).
 			*/
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
index df11f7d..86cab9b 100644
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
@@ -18,7 +18,15 @@
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
+#ifndef __LIBCLI_AUTH_NTLM_CHECK_H__
+#define __LIBCLI_AUTH_NTLM_CHECK_H__
 
+/* mangled names options */
+enum ntlm_auth_level {NTLM_AUTH_DISABLED, NTLM_AUTH_ON,
+		      NTLM_AUTH_NTLMV2_ONLY,
+		      NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY};
+
+struct samr_Password;
 
 /**
  * Compare password hashes against those from the SAM
@@ -62,7 +70,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 				 bool lanman_auth,
-				 bool ntlm_auth,
+				 enum ntlm_auth_level ntlm_auth,
 			     uint32_t logon_parameters,
 			     const DATA_BLOB *challenge,
 			     const DATA_BLOB *lm_response,
@@ -74,3 +82,5 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			     const struct samr_Password *stored_nt, 
 			     DATA_BLOB *user_sess_key, 
 			     DATA_BLOB *lm_sess_key);
+
+#endif /* __LIBCLI_AUTH_NTLM_CHECK_H__ */
diff --git a/python/samba/tests/netlogonsvc.py b/python/samba/tests/netlogonsvc.py
new file mode 100644
index 0000000..87afa3e
--- /dev/null
+++ b/python/samba/tests/netlogonsvc.py
@@ -0,0 +1,69 @@
+# Tests to check the netlogon service is only running when it's required
+#
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+from samba.tests import TestCase
+import os
+
+import samba
+from samba.credentials import Credentials
+from samba.dcerpc import netlogon
+from samba import NTSTATUSError, ntstatus
+import ctypes
+
+"""
+Tests whether the netlogon service is running
+"""
+
+class NetlogonServiceTests(TestCase):
+
+    def setUp(self):
+        super(NetlogonServiceTests, self).setUp()
+
+        self.server      = os.environ["SERVER"]
+        self.lp          = self.get_loadparm()
+        self.creds = Credentials()
+
+        # prefer the DC user/password in environments that have it
+        if "DC_USERNAME" in os.environ and "DC_PASSWORD" in os.environ:
+            self.creds.set_username(os.environ["DC_USERNAME"])
+            self.creds.set_password(os.environ["DC_PASSWORD"])
+        else:
+            self.creds.set_username(os.environ["USERNAME"])
+            self.creds.set_password(os.environ["PASSWORD"])
+
+        self.creds.guess(self.lp)
+
+    def tearDown(self):
+        super(NetlogonServiceTests, self).tearDown()
+
+    def test_have_netlogon_connection(self):
+        try:
+            c = self.get_netlogon_connection()
+            self.assertIsNotNone(c)
+        except NTSTATUSError as e:
+            # On non-DC test environments, netlogon should not be running on
+            # the server, so we expect the test to fail here
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND:
+                self.fail("netlogon service is not running")
+            else:
+                raise
+
+    # Establish netlogon connection over NP
+    def get_netlogon_connection(self):
+        return netlogon.netlogon("ncacn_np:%s[seal]" % self.server, self.lp,
+                                 self.creds)
diff --git a/python/samba/tests/ntlmauth.py b/python/samba/tests/ntlmauth.py
new file mode 100644
index 0000000..8db1ad0
--- /dev/null
+++ b/python/samba/tests/ntlmauth.py
@@ -0,0 +1,68 @@
+# Tests to check basic NTLM authentication
+#
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+from samba.tests import TestCase
+import os
+
+import samba
+from samba.credentials import Credentials, DONT_USE_KERBEROS
+
+from samba import NTSTATUSError, ntstatus
+import ctypes
+
+from samba import credentials
+from samba.dcerpc import srvsvc
+
+"""
+Tests basic NTLM authentication
+"""
+
+class NtlmAuthTests(TestCase):
+
+    def setUp(self):
+        super(NtlmAuthTests, self).setUp()
+
+        self.lp          = self.get_loadparm()
+
+
+
+    def tearDown(self):
+        super(NtlmAuthTests, self).tearDown()
+
+    def test_ntlm_connection(self):
+        server = os.getenv("SERVER")
+
+        creds = credentials.Credentials()
+        creds.guess(self.lp)
+        creds.set_username(os.getenv("USERNAME"))
+        creds.set_domain(server)
+        creds.set_password(os.getenv("PASSWORD"))
+        creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+        try:
+            conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % server, self.lp, creds)
+
+            self.assertIsNotNone(conn)
+        except NTSTATUSError as e:
+            # NTLM might be blocked on this server
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
+                self.fail("NTLM is disabled on this server")
+            else:
+                raise
+
+
diff --git a/python/samba/tests/py_credentials.py b/python/samba/tests/py_credentials.py
index 326438a..ff017ec 100644
--- a/python/samba/tests/py_credentials.py
+++ b/python/samba/tests/py_credentials.py
@@ -20,9 +20,17 @@ import os
 
 import samba
 from samba.auth import system_session
-from samba.credentials import Credentials, CLI_CRED_NTLMv2_AUTH
+from samba.credentials import (
+    Credentials,
+    CLI_CRED_NTLMv2_AUTH,
+    CLI_CRED_NTLM_AUTH,
+    DONT_USE_KERBEROS)
 from samba.dcerpc import netlogon, ntlmssp, srvsvc
-from samba.dcerpc.netlogon import netr_Authenticator, netr_WorkstationInformation
+from samba.dcerpc.netlogon import (
+    netr_Authenticator,
+    netr_WorkstationInformation,
+    MSV1_0_ALLOW_MSVCHAPV2
+    )
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.dsdb import (
     UF_WORKSTATION_TRUST_ACCOUNT,
@@ -30,6 +38,9 @@ from samba.dsdb import (
     UF_NORMAL_ACCOUNT)
 from samba.ndr import ndr_pack
 from samba.samdb import SamDB
+from samba import NTSTATUSError, ntstatus
+import ctypes
+
 """
 Integration tests for pycredentials
 """
@@ -92,6 +103,87 @@ class PyCredentialsTests(TestCase):
         (authenticator, subsequent) = self.get_authenticator(c)
         self.do_NetrLogonGetDomainInfo(c, authenticator, subsequent)
 
+
+    def test_SamLogonEx(self):
+        c = self.get_netlogon_connection()
+
+        logon = samlogon_logon_info(self.domain,
+                                    self.machine_name,
+                                    self.user_creds)
+
+        logon_level = netlogon.NetlogonNetworkTransitiveInformation
+        validation_level = netlogon.NetlogonValidationSamInfo4
+        netr_flags = 0
+
+        try:
+            c.netr_LogonSamLogonEx(self.server,
+                                   self.user_creds.get_workstation(),
+                                   logon_level,
+                                   logon,
+                                   validation_level,
+                                   netr_flags)
+        except NTSTATUSError as e:
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
+                self.fail("got wrong password error")
+            else:
+                raise
+
+    def test_SamLogonExNTLM(self):
+        c = self.get_netlogon_connection()
+
+        logon = samlogon_logon_info(self.domain,
+                                    self.machine_name,
+                                    self.user_creds,
+                                    flags=CLI_CRED_NTLM_AUTH)
+
+        logon_level = netlogon.NetlogonNetworkTransitiveInformation
+        validation_level = netlogon.NetlogonValidationSamInfo4
+        netr_flags = 0
+
+        try:
+            c.netr_LogonSamLogonEx(self.server,
+                                   self.user_creds.get_workstation(),
+                                   logon_level,
+                                   logon,
+                                   validation_level,
+                                   netr_flags)


-- 
Samba Shared Repository



More information about the samba-cvs mailing list