[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Fri Jul 21 11:55:03 UTC 2017
The branch, master has been updated
via 4e04f02 selftest: Add test for password change when NTLM is disabled
via 4031b30 getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with scope BASE
from ff7df3d build: fix ceph_statx check when configured with libcephfs_dir
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Jul 4 17:27:27 2017 +1200
selftest: Add test for password change when NTLM is disabled
When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
commit 4031b303e495210ee8d6a4e2dd49974d90f9c402
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 20 14:00:21 2017 +1200
getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with scope BASE
This should not happen, but we have seen this happen in autobuild
before the whole-DB locking issues were resolved by
https://bugzilla.samba.org/show_bug.cgi?id=12858
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/ntlmauth.py | 46 ++++++++++++++++++++++---------
selftest/knownfail | 2 ++
source4/rpc_server/drsuapi/getncchanges.c | 19 +++++++++++--
3 files changed, 52 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/ntlmauth.py b/python/samba/tests/ntlmauth.py
index 8db1ad0..a232bf2 100644
--- a/python/samba/tests/ntlmauth.py
+++ b/python/samba/tests/ntlmauth.py
@@ -19,13 +19,13 @@ from samba.tests import TestCase
import os
import samba
-from samba.credentials import Credentials, DONT_USE_KERBEROS
+from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
from samba import NTSTATUSError, ntstatus
import ctypes
from samba import credentials
-from samba.dcerpc import srvsvc
+from samba.dcerpc import srvsvc, samr, lsa
"""
Tests basic NTLM authentication
@@ -37,24 +37,21 @@ class NtlmAuthTests(TestCase):
super(NtlmAuthTests, self).setUp()
self.lp = self.get_loadparm()
+ self.server = os.getenv("SERVER")
-
+ self.creds = Credentials()
+ self.creds.guess(self.lp)
+ self.creds.set_username(os.getenv("USERNAME"))
+ self.creds.set_domain(self.server)
+ self.creds.set_password(os.getenv("PASSWORD"))
+ self.creds.set_kerberos_state(DONT_USE_KERBEROS)
def tearDown(self):
super(NtlmAuthTests, self).tearDown()
def test_ntlm_connection(self):
- server = os.getenv("SERVER")
-
- creds = credentials.Credentials()
- creds.guess(self.lp)
- creds.set_username(os.getenv("USERNAME"))
- creds.set_domain(server)
- creds.set_password(os.getenv("PASSWORD"))
- creds.set_kerberos_state(DONT_USE_KERBEROS)
-
try:
- conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % server, self.lp, creds)
+ conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
self.assertIsNotNone(conn)
except NTSTATUSError as e:
@@ -65,4 +62,27 @@ class NtlmAuthTests(TestCase):
else:
raise
+ def test_samr_change_password(self):
+ self.creds.set_kerberos_state(MUST_USE_KERBEROS)
+ conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
+
+ # we want to check whether this gets rejected outright because NTLM is
+ # disabled, so we don't actually need to encrypt a valid password here
+ server = lsa.String()
+ server.string = self.server
+ username = lsa.String()
+ username.string = os.getenv("USERNAME")
+
+ try:
+ conn.ChangePasswordUser2(server, username, None, None, True, None, None)
+ except NTSTATUSError as e:
+ # changing passwords is rejected when NTLM is disabled
+ enum = ctypes.c_uint32(e[0]).value
+ if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
+ self.fail("NTLM is disabled on this server")
+ elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
+ # expected error case when NTLM is enabled
+ pass
+ else:
+ raise
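Review bot: The `samr.samr(...)` call in test_samr_change_password is given only the binding string, so `self.creds`, including the `MUST_USE_KERBEROS` state set on the line above, is never handed to the connection, unlike `srvsvc.srvsvc(..., self.lp, self.creds)` in test_ntlm_connection. If a Kerberos-authenticated SAMR session is intended, the line should read `conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % self.server, self.lp, self.creds)`, which also reuses `self.server` instead of calling `os.getenv("SERVER")` a second time. Separately, the `try` has no `else`, so a ChangePasswordUser2 call that returns without raising passes silently even though every password argument is None. Adding `else: self.fail("ChangePasswordUser2 unexpectedly succeeded")` would make the test catch a server that accepts such a request.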
diff --git a/selftest/knownfail b/selftest/knownfail
index 1cba331..f41b99d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -342,3 +342,5 @@
^samba.tests.netlogonsvc.python\(fileserver\)
# NTLM authentication is (intentionally) disabled in ktest
^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\)
+# Disabling NTLM means you can't use samr to change the password
+^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\)
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index da294a6..a2063aa 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -2578,8 +2578,13 @@ allowed:
W_ERROR_HAVE_NO_MEMORY(msg_dn);
- /* by re-searching here we avoid having a lot of full
- * records in memory between calls to getncchanges
+ /*
+ * by re-searching here we avoid having a lot of full
+ * records in memory between calls to getncchanges.
+ *
+ * We expect that we may get some objects that vanish
+ * (tombstone expunge) between the first and second
+ * check.
*/
ret = drsuapi_search_with_extended_dn(sam_ctx, obj, &msg_res,
msg_dn,
@@ -2593,6 +2598,16 @@ allowed:
continue;
}
+ if (msg_res->count == 0) {
+ DEBUG(1,("getncchanges: got LDB_SUCCESS but failed"
+ "to get any results in fetch of DN "
+ "%s (race with tombstone expunge?)\n",
+ ldb_dn_get_extended_linearized(obj,
+ msg_dn, 1)));
+ talloc_free(obj);
+ continue;
+ }
+
msg = msg_res->msgs[0];
/*
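Review bot: The new DEBUG message concatenates `"getncchanges: got LDB_SUCCESS but failed"` and `"to get any results in fetch of DN "` with no space between them, so the log line reads "failedto get any results". The first literal should end with a space: `"getncchanges: got LDB_SUCCESS but failed "`. This is the text an operator would grep for when diagnosing the race, so it is worth getting right. The enclosing loop and function start and end outside the hunk, so these lines do not show whether skipping the object affects the object counts returned to the replication partner.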