[SCM] Samba Shared Repository - branch v4-7-test updated
Karolin Seeger
kseeger at samba.org
Mon Jul 31 13:50:03 UTC 2017
The branch, v4-7-test has been updated
via 1a90ffe mit-kdb: Fix NULL pointer check after malloc
via 0309fcf s4:kcc: Add a NULL check before qsort()
via 2a2ba42 selftest: Make --include-env and --exclude-env use the base env name
via 6d469e7 selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds
via 9fbfd46 s4-netlogon: Use log_escape to protect against un-validated strings
via 3a65622 s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms
via 32e9367 source4 netlogon: Add authentication logging for ServerAuthenticate3
via 280621c tests auth_log: Add new tests for NETLOGON
via 09ed546 tests auth_log: Modify existing tests to handle NETLOGON messages
via d8b9a83 auth_log: use symbolic constant to replace /root/ncalrpc_as_system
via 0523140 rpc: use symbolic constant to replace /root/ncalrpc_as_system
via eb6e820 dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system
via e7d6201 samdb/cracknames: support user and service principal as desired format
via 87103e3 samdb/cracknames: do not show recycled when a guid is desired
via 08a0206 python/tests: add python test for cracknames
via a432712 s4-rpc_server: Improve debug of new endpoints
via c991fd9 s4-rpc_server: ensure we get a new endpoint for netlogon
via f81665e WHATSNEW: Fix typo.
via 762d338 vfs_ceph: fix cephwrap_chdir()
from eb874b9 VERSION: Bump version up to 4.7.0rc4...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test
- Log -----------------------------------------------------------------
commit 1a90ffedddd6d125fba6d509ba2721527fd113e7
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 24 12:19:27 2017 +0200
mit-kdb: Fix NULL pointer check after malloc
This fixes building with GCC 7.1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9b64b11c2f2c1bc77ae887b34d7efcb9f1452da7)
Autobuild-User(v4-7-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-7-test): Mon Jul 31 15:49:51 CEST 2017 on sn-devel-144
commit 0309fcfbdad1209eda38cfcd991a8542248a96b6
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 24 12:13:50 2017 +0200
s4:kcc: Add a NULL check before qsort()
This fixes building with GCC 7.1.1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 314cf608932c21d593afd04769b07435bcd4fc53)
commit 2a2ba42a66f3fcff07f4e65bda8c5cf8653e15f4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 21 20:10:43 2017 +1200
selftest: Make --include-env and --exclude-env use the base env name
The code as deployed would have required (eg) '--include-env=ktest
--include-env=ktest:local' which was not done in autobuild, causing
tests to be skipped. This patch restores the intended behaviour.
This causes 33 testsuites to run, one more test (the newly added
samba.tests.ntlmauth) than the old regex provided (before
602772159dfd1213385f42ecbf31136f57693b63).
(The regression dropped us down to matching only 7 tests).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12922
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jul 24 03:33:01 CEST 2017 on sn-devel-144
(cherry picked from commit 61455ad82e293df4a094204fdf28162baad686ae)
commit 6d469e7ecb1b283064bc4768ba591b824964fbdf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 18 09:03:17 2017 +1200
selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Jul 25 03:21:19 CEST 2017 on sn-devel-144
(cherry picked from commit a420b1bdccbba72faf1108f7fae8b8202075db97)
commit 9fbfd465ff64bc7bdfe3bdae1b5bd91c11a1e9c0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 18 08:57:03 2017 +1200
s4-netlogon: Use log_escape to protect against un-validated strings
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 427a11b812d1872879658c998ef0328dd7c2a53a)
commit 3a65622d77994c63c456ed1535fc3991af7cd94f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 18 08:46:08 2017 +1200
s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms
This splits out the username into the input, mapped and obtained
just as we do elsewhere.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit abd821b76b27eb8d9bc2f8acfcf9d98caf015f5f)
commit 32e9367d37be9c6c40e6a1ea896094e5cdf141ea
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Jul 10 07:48:08 2017 +1200
source4 netlogon: Add authentication logging for ServerAuthenticate3
Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit efc335a03062740f51a6edd09d765a8b77e239c5)
commit 280621c333d80db7530c3ee6ff5f5076e0d8a566
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Jul 10 07:46:26 2017 +1200
tests auth_log: Add new tests for NETLOGON
Tests for the logging of NETLOGON authentications in the
netr_ServerAuthenticate3 message processing.
Test code based on the existing auth_log tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit f3d3e6da5a42833b8de86e9b7c0aa1c56e1c4e80)
commit 09ed5465dc4d6fa5702169060b95e65cf3806804
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Jul 10 07:45:16 2017 +1200
tests auth_log: Modify existing tests to handle NETLOGON messages
Modify the existing tests to ignore auth logging for NETLOGON messages.
NETLOGON authentication is logged once per session, and is tested
separately. Ignoring it in these tests avoids order dependencies.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 5c27c5b6efb4226aa8bdaf4e5cbb770f8b3ef22f)
commit d8b9a836331b2e710e45b3f9a0258334d10f5edd
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Jul 24 10:59:18 2017 +1200
auth_log: use symbolic constant to replace /root/ncalrpc_as_system
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of
string literal "/root/ncalrpc_as_system".
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit ddfe8aa9cccd78426456b6397bc7b352d9705648)
commit 05231408b4db97f9223f9586d3a51435ba5a8d6f
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Jul 24 11:00:45 2017 +1200
rpc: use symbolic constant to replace /root/ncalrpc_as_system
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of string literal
"/root/ncalrpc_as_system".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 1898096c7ecef4c323b14b7cf30db4283386f913)
commit eb6e82035566dfb44e1bfc6d6eec383ad0ba66b9
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Jul 24 10:55:48 2017 +1200
dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system
This string is used in several places in the code and tests, so it
should be a constant.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 6ab9f789ff6e6328cf222fdb1a39457af7ed58b4)
commit e7d620193c0608d9108420759926615289bb1ecc
Author: Bob Campbell <bobcampbell at catalyst.net.nz>
Date: Wed Jul 5 16:08:11 2017 +1200
samdb/cracknames: support user and service principal as desired format
This adds support for DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL and
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL as desired formats.
This also causes the test in cracknames.py to no longer fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842
Signed-off-by: Bob Campbell <bobcampbell at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Jul 24 11:10:26 CEST 2017 on sn-devel-144
(cherry picked from commit eb2e77970e41c1cb62c041877565e939c78ff52d)
commit 87103e357c0254a7881ed759f0ef33c6494793bd
Author: Bob Campbell <bobcampbell at catalyst.net.nz>
Date: Wed Jul 5 11:15:04 2017 +1200
samdb/cracknames: do not show recycled when a guid is desired
Previously, when a GUID was desired to
cracknames, it would include recycled objects as well. This would
sometimes result in two objects being returned from a query which is
supposed to return a unique GUID. For example, if a deleted user had
the same sAMAccountName as a non-deleted user and cracknames was used to
find the GUID of this account, it would return two GUIDs, and so would
fail with DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842
Signed-off-by: Bob Campbell <bobcampbell at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit c186e02b40c921d33e23c8b2f7c5f1abb235a438)
commit 08a02063aa8acdc9d316c9e5d1f1b9c40f8de1d0
Author: Bob Campbell <bobcampbell at catalyst.net.nz>
Date: Wed Jul 5 11:08:45 2017 +1200
python/tests: add python test for cracknames
This fails due to the bug, which causes the related test in
drsuapi_cracknames.c to flap. It also fails due to us not yet supporting
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL or
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842
Signed-off-by: Bob Campbell <bobcampbell at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 4779afe0d2dd14371b68e80f47d11942456bb365)
commit a43271217a5a1fcf1b27149627cf5430971902ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 27 11:10:43 2017 +1200
s4-rpc_server: Improve debug of new endpoints
This helps us know what process model is required and what one is in use.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12939
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Jul 28 04:12:08 CEST 2017 on sn-devel-144
(cherry picked from commit 1ea6b5168f146d23d139b570084cb32ec02538fe)
commit c991fd990187c386c607ef33d5dae3ba2eed4ea4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 27 11:44:12 2017 +1200
s4-rpc_server: ensure we get a new endpoint for netlogon
If we share the single process RPC servers with the multi-process RPC servers
on the same endpoint, they will default to running in a single process.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12939
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit bc48c4b54b9c50d76fc967a1aa4fa013079605bc)
commit f81665efd2c9d76049570f428c5995170ba35cc7
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Jul 31 11:13:20 2017 +0200
WHATSNEW: Fix typo.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 762d338117c769a50a47800ef01ae45d7c477422
Author: David Disseldorp <ddiss at samba.org>
Date: Fri Jul 14 23:55:29 2017 +0200
vfs_ceph: fix cephwrap_chdir()
When provided a '/' path (i.e. CephFS root), vfs_ceph does a *local*
chdir() to the share path. This breaks smb client directory listings.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12911
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): David Disseldorp <ddiss at samba.org>
Autobuild-Date(master): Fri Jul 21 19:10:46 CEST 2017 on sn-devel-144
(cherry picked from commit 1dcacff083019810e207a3d123a81fe32d9dde1a)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 2 +-
auth/auth_log.c | 12 ++
auth/gensec/ncalrpc.c | 2 +-
librpc/idl/dcerpc.idl | 1 +
python/samba/tests/auth_log.py | 11 ++
python/samba/tests/auth_log_base.py | 17 +++
python/samba/tests/auth_log_ncalrpc.py | 3 +-
python/samba/tests/auth_log_netlogon.py | 131 ++++++++++++++++
python/samba/tests/auth_log_netlogon_bad_creds.py | 178 ++++++++++++++++++++++
python/samba/tests/auth_log_samlogon.py | 4 +-
selftest/selftest.pl | 6 +-
source3/modules/vfs_ceph.c | 8 -
source3/rpc_server/rpc_server.c | 2 +-
source4/dsdb/kcc/kcc_topology.c | 4 +
source4/dsdb/samdb/cracknames.c | 38 ++++-
source4/kdc/mit-kdb/kdb_samba_pac.c | 2 +-
source4/rpc_server/dcerpc_server.c | 25 ++-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 134 ++++++++++------
source4/rpc_server/service_rpc.c | 16 ++
source4/selftest/tests.py | 23 +++
source4/torture/drs/python/cracknames.py | 166 ++++++++++++++++++++
21 files changed, 718 insertions(+), 67 deletions(-)
create mode 100644 python/samba/tests/auth_log_netlogon.py
create mode 100644 python/samba/tests/auth_log_netlogon_bad_creds.py
create mode 100644 source4/torture/drs/python/cracknames.py
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 3bddec7..8302e5f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -88,7 +88,7 @@ running Samba AD with MIT Kerberos. You can enable it with:
Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
The krb5-devel and krb5-server packages are required.
-The feature set is not on par with with the Heimdal build but the most important
+The feature set is not on par with the Heimdal build but the most important
things, like forest and external trusts, are working. Samba uses the KDC binary
provided by MIT Kerberos.
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 9dbf8f2..d4c6c44 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -639,6 +639,18 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
if (ui->password_type != NULL) {
password_type = ui->password_type;
+ } else if (ui->auth_description != NULL &&
+ strncmp("ServerAuthenticate", ui->auth_description, 18) == 0)
+ {
+ if (ui->netlogon_trust_account.negotiate_flags
+ & NETLOGON_NEG_SUPPORTS_AES) {
+ password_type = "HMAC-SHA256";
+ } else if (ui->netlogon_trust_account.negotiate_flags
+ & NETLOGON_NEG_STRONG_KEYS) {
+ password_type = "HMAC-MD5";
+ } else {
+ password_type = "DES";
+ }
} else if (ui->password_state == AUTH_PASSWORD_RESPONSE &&
(ui->logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) &&
ui->password.response.nt.length == 24) {
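Review bot: the hard-coded length in `strncmp("ServerAuthenticate", ui->auth_description, 18)` duplicates the literal's length and silently breaks if the string is ever changed; `strlen("ServerAuthenticate")` (or `sizeof("ServerAuthenticate") - 1`) keeps the two in step, and a one-line comment that the prefix match is deliberate (the tests assert the bare `"ServerAuthenticate"` while the commit messages refer to `netr_ServerAuthenticate3`) would make the intent explicit. The flag-to-label mapping has defensive value worth recording next to the `"DES"` branch: a logged `passwordType` of `DES` means the client negotiated neither `NETLOGON_NEG_SUPPORTS_AES` nor `NETLOGON_NEG_STRONG_KEYS`, so the auth log doubles as a way to spot legacy schannel clients.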
diff --git a/auth/gensec/ncalrpc.c b/auth/gensec/ncalrpc.c
index f28a1c4..70b3bb5 100644
--- a/auth/gensec/ncalrpc.c
+++ b/auth/gensec/ncalrpc.c
@@ -203,7 +203,7 @@ static NTSTATUS gensec_ncalrpc_update_internal(
return NT_STATUS_LOGON_FAILURE;
}
- cmp = strcmp(unix_path, "/root/ncalrpc_as_system");
+ cmp = strcmp(unix_path, AS_SYSTEM_MAGIC_PATH_TOKEN);
TALLOC_FREE(unix_path);
if (cmp != 0) {
state->step = GENSEC_NCALRPC_ERROR;
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 1e06bc1..bbb17f0 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -247,6 +247,7 @@ interface dcerpc
DCERPC_AUTH_TYPE_MSMQ = 100,
DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM = 200
} dcerpc_AuthType;
+ const char *AS_SYSTEM_MAGIC_PATH_TOKEN = "/root/ncalrpc_as_system";
typedef [enum8bit] enum {
DCERPC_AUTH_LEVEL_NONE = 1,
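Review bot: the new `const char *AS_SYSTEM_MAGIC_PATH_TOKEN` sits directly under the `dcerpc_AuthType` enum with no comment explaining why a filesystem path lives in the IDL; a short note that it is the unix-domain peer path `gensec_ncalrpc` compares against with `strcmp()` before the `DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM` step succeeds, and that the Python tests pick it up from `samba.dcerpc.dcerpc`, would tie the three uses in this changeset together for the next reader.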
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index 65800c9..6b032a8 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -991,6 +991,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
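Review bot: after `messages = self.remove_netlogon_messages(messages)` strips the per-session NETLOGON entry, the assertion two lines down still accepts `(received == 5 or received == 6)`. If the sixth message that tolerance was covering was the NETLOGON one, the count is now deterministic and the test should assert a single value; if some other source can still add a sixth message, a comment naming it would stop a later reader from tightening the check wrongly. The same one-line insertion is repeated in eleven hunks of this file; doing the filtering inside `waitForMessages` (or a thin wrapper in the base class) would avoid the copy-paste and guarantee new tests get it too.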
@@ -1020,6 +1021,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1049,6 +1051,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1077,6 +1080,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1106,6 +1110,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1135,6 +1140,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1164,6 +1170,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1194,6 +1201,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1224,6 +1232,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1252,6 +1261,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
@@ -1290,6 +1300,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
messages = self.waitForMessages( isLastExpectedMessage)
+ messages = self.remove_netlogon_messages(messages)
received = len(messages)
self.assertIs(True,
(received == 5 or received == 6),
diff --git a/python/samba/tests/auth_log_base.py b/python/samba/tests/auth_log_base.py
index e9ae464..aefd57e 100644
--- a/python/samba/tests/auth_log_base.py
+++ b/python/samba/tests/auth_log_base.py
@@ -62,6 +62,10 @@ class AuthLogTestBase(samba.tests.TestCase):
def waitForMessages(self, isLastExpectedMessage, connection=None):
+ """Wait for all the expected messages to arrive
+ The connection is passed through to keep the connection alive
+ until all the logging messages have been received.
+ """
def completed( messages):
for message in messages:
@@ -102,3 +106,16 @@ class AuthLogTestBase(samba.tests.TestCase):
while len( self.context["messages"]):
self.msg_ctx.loop_once(0.001)
self.context["messages"] = []
+
+ # Remove any NETLOGON authentication messages
+ # NETLOGON is only performed once per session, so to avoid ordering
+ # dependencies within the tests it's best to strip out NETLOGON messages.
+ #
+ def remove_netlogon_messages(self, messages):
+ def is_not_netlogon(msg):
+ if "Authentication" not in msg:
+ return True
+ sd = msg["Authentication"]["serviceDescription"]
+ return sd != "NETLOGON"
+
+ return list(filter(is_not_netlogon, messages))
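Review bot: the explanation of `remove_netlogon_messages` is written as a `#` comment block above the `def` (ending in a stray bare `#` line) rather than as the function's docstring, which is exactly what the first hunk in this file just did for `waitForMessages`; moving it into a docstring keeps the two consistent and makes it visible to `help()`. Inside `is_not_netlogon`, `msg["Authentication"]["serviceDescription"]` is indexed directly, so an Authentication message lacking that key would raise KeyError from inside the filter instead of being kept or dropped; `msg["Authentication"].get("serviceDescription")` would make the filter tolerant of that.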
diff --git a/python/samba/tests/auth_log_ncalrpc.py b/python/samba/tests/auth_log_ncalrpc.py
index 2538c61..be7f6b2 100644
--- a/python/samba/tests/auth_log_ncalrpc.py
+++ b/python/samba/tests/auth_log_ncalrpc.py
@@ -22,6 +22,7 @@ from samba import auth
import samba.tests
from samba.messaging import Messaging
from samba.dcerpc.messaging import MSG_AUTH_LOG, AUTH_EVENT_NAME
+from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
from samba.dcerpc import samr
import time
import json
@@ -35,7 +36,7 @@ class AuthLogTestsNcalrpc(samba.tests.auth_log_base.AuthLogTestBase):
def setUp(self):
super(AuthLogTestsNcalrpc, self).setUp()
- self.remoteAddress = "/root/ncalrpc_as_system"
+ self.remoteAddress = AS_SYSTEM_MAGIC_PATH_TOKEN
def tearDown(self):
super(AuthLogTestsNcalrpc , self).tearDown()
diff --git a/python/samba/tests/auth_log_netlogon.py b/python/samba/tests/auth_log_netlogon.py
new file mode 100644
index 0000000..228fbe9
--- /dev/null
+++ b/python/samba/tests/auth_log_netlogon.py
@@ -0,0 +1,131 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+ Tests that exercise the auth logging for a successful netlogon attempt
+
+ NOTE: As the netlogon authentication is performed once per session,
+ there is only one test in this routine. If another test is added
+ only the test executed first will generate the netlogon auth message
+"""
+
+import samba.tests
+import os
+from samba.samdb import SamDB
+import samba.tests.auth_log_base
+from samba.credentials import Credentials
+from samba.dcerpc import netlogon
+from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
+from samba.auth import system_session
+from samba.tests import delete_force
+from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
+from samba.dcerpc.misc import SEC_CHAN_WKSTA
+
+
+class AuthLogTestsNetLogon(samba.tests.auth_log_base.AuthLogTestBase):
+
+ def setUp(self):
+ super(AuthLogTestsNetLogon, self).setUp()
+ self.lp = samba.tests.env_loadparm()
+ self.creds = Credentials()
+
+ self.session = system_session()
+ self.ldb = SamDB(
+ session_info=self.session,
+ credentials=self.creds,
+ lp=self.lp)
+
+ self.domain = os.environ["DOMAIN"]
+ self.netbios_name = "NetLogonGood"
+ self.machinepass = "abcdefghij"
+ self.remoteAddress = AS_SYSTEM_MAGIC_PATH_TOKEN
+ self.base_dn = self.ldb.domain_dn()
+ self.dn = ("cn=%s,cn=users,%s" %
+ (self.netbios_name, self.base_dn))
+
+ utf16pw = unicode(
+ '"' + self.machinepass.encode('utf-8') + '"', 'utf-8'
+ ).encode('utf-16-le')
+ self.ldb.add({
+ "dn": self.dn,
+ "objectclass": "computer",
+ "sAMAccountName": "%s$" % self.netbios_name,
+ "userAccountControl":
+ str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
+ "unicodePwd": utf16pw})
+
+ def tearDown(self):
+ super(AuthLogTestsNetLogon, self).tearDown()
+ delete_force(self.ldb, self.dn)
+
+ def _test_netlogon(self, binding, checkFunction):
+
+ def isLastExpectedMessage(msg):
+ return (
+ msg["type"] == "Authorization" and
+ msg["Authorization"]["serviceDescription"] == "DCE/RPC" and
+ msg["Authorization"]["authType"] == "schannel" and
+ msg["Authorization"]["transportProtection"] == "SEAL")
+
+ if binding:
+ binding = "[schannel,%s]" % binding
+ else:
+ binding = "[schannel]"
+
+ machine_creds = Credentials()
+ machine_creds.guess(self.get_loadparm())
+ machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
+ machine_creds.set_password(self.machinepass)
+ machine_creds.set_username(self.netbios_name + "$")
+
+ netlogon_conn = netlogon.netlogon("ncalrpc:%s" % binding,
+ self.get_loadparm(),
+ machine_creds)
+
+ messages = self.waitForMessages(isLastExpectedMessage, netlogon_conn)
+ checkFunction(messages)
+
+ def netlogon_check(self, messages):
+
+ expected_messages = 5
+ self.assertEquals(expected_messages,
+ len(messages),
+ "Did not receive the expected number of messages")
+
+ # Check the first message it should be an Authorization
+ msg = messages[0]
+ self.assertEquals("Authorization", msg["type"])
+ self.assertEquals("DCE/RPC",
+ msg["Authorization"]["serviceDescription"])
+ self.assertEquals("ncalrpc", msg["Authorization"]["authType"])
+ self.assertEquals("NONE", msg["Authorization"]["transportProtection"])
+
+ # Check the fourth message it should be a NETLOGON Authentication
+ msg = messages[3]
+ self.assertEquals("Authentication", msg["type"])
+ self.assertEquals("NETLOGON",
+ msg["Authentication"]["serviceDescription"])
+ self.assertEquals("ServerAuthenticate",
+ msg["Authentication"]["authDescription"])
+ self.assertEquals("NT_STATUS_OK",
+ msg["Authentication"]["status"])
+ self.assertEquals("HMAC-SHA256",
+ msg["Authentication"]["passwordType"])
+
+ def test_netlogon(self):
+ self._test_netlogon("SEAL", self.netlogon_check)
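Review bot: the unicodePwd construction `unicode('"' + self.machinepass.encode('utf-8') + '"', 'utf-8').encode('utf-16-le')` is Python 2 only (`unicode` does not exist under Python 3 and `str.encode('utf-8')` there yields bytes that cannot be concatenated with `'"'`); for an ASCII password such as `"abcdefghij"`, `('"%s"' % self.machinepass).encode('utf-16-le')` gives the same bytes on both interpreters. `assertEquals` is the deprecated alias of `assertEqual`. `netlogon_check` inspects `messages[0]` and `messages[3]` but says nothing about slots 1, 2 and 4 beyond the total of 5; a comment listing what each slot is expected to be, or an assertion on each one's `type`, would turn a reordering failure into a diagnosable message rather than a bare count mismatch. The same password construction and `assertEquals` usage recur in the sibling `auth_log_netlogon_bad_creds.py`.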
diff --git a/python/samba/tests/auth_log_netlogon_bad_creds.py b/python/samba/tests/auth_log_netlogon_bad_creds.py
new file mode 100644
index 0000000..2bae02e
--- /dev/null
+++ b/python/samba/tests/auth_log_netlogon_bad_creds.py
@@ -0,0 +1,178 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+ Tests that exercise auth logging for unsuccessful netlogon attempts.
+
+ NOTE: netlogon is only done once per session, so this file should only
+ test failed logons. Adding a successful case will potentially break
+ the other tests, depending on the order of execution.
+"""
+
+import samba.tests
+import os
+from samba import NTSTATUSError
+from samba.samdb import SamDB
+import samba.tests.auth_log_base
+from samba.credentials import Credentials
+from samba.dcerpc import netlogon
+from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
+from samba.auth import system_session
+from samba.tests import delete_force
+from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
+from samba.dcerpc.misc import SEC_CHAN_WKSTA
+from samba.dcerpc.netlogon import NETLOGON_NEG_STRONG_KEYS
+
+class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
+
+ def setUp(self):
+ super(AuthLogTestsNetLogonBadCreds, self).setUp()
+ self.lp = samba.tests.env_loadparm()
+ self.creds = Credentials()
+
+ self.session = system_session()
+ self.ldb = SamDB(
+ session_info=self.session,
+ credentials=self.creds,
+ lp=self.lp)
+
+ self.domain = os.environ["DOMAIN"]
+ self.netbios_name = "NetLogonBad"
+ self.machinepass = "abcdefghij"
+ self.remoteAddress = AS_SYSTEM_MAGIC_PATH_TOKEN
+ self.base_dn = self.ldb.domain_dn()
+ self.dn = ("cn=%s,cn=users,%s" %
+ (self.netbios_name, self.base_dn))
+
+ utf16pw = unicode(
+ '"' + self.machinepass.encode('utf-8') + '"', 'utf-8'
+ ).encode('utf-16-le')
+ self.ldb.add({
+ "dn": self.dn,
+ "objectclass": "computer",
+ "sAMAccountName": "%s$" % self.netbios_name,
+ "userAccountControl":
+ str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
+ "unicodePwd": utf16pw})
+
+ def tearDown(self):
+ super(AuthLogTestsNetLogonBadCreds, self).tearDown()
+ delete_force(self.ldb, self.dn)
+
+ def _test_netlogon(self, name, pwd, status, checkFunction):
+
+ def isLastExpectedMessage(msg):
+ return (
+ msg["type"] == "Authentication" and
+ msg["Authentication"]["serviceDescription"] == "NETLOGON" and
+ msg["Authentication"]["authDescription"] ==
+ "ServerAuthenticate" and
+ msg["Authentication"]["status"] == status)
+
+ machine_creds = Credentials()
+ machine_creds.guess(self.get_loadparm())
+ machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
+ machine_creds.set_password(pwd)
+ machine_creds.set_username(name + "$")
+
+ try:
+ netlogon.netlogon("ncalrpc:[schannel]",
+ self.get_loadparm(),
+ machine_creds)
+ self.fail("NTSTATUSError not raised")
+ except NTSTATUSError:
+ pass
+
+ messages = self.waitForMessages(isLastExpectedMessage)
+ checkFunction(messages)
+
+ def netlogon_check(self, messages):
+
+ expected_messages = 4
+ self.assertEquals(expected_messages,
+ len(messages),
+ "Did not receive the expected number of messages")
+
+ # Check the first message it should be an Authorization
+ msg = messages[0]
+ self.assertEquals("Authorization", msg["type"])
+ self.assertEquals("DCE/RPC",
+ msg["Authorization"]["serviceDescription"])
+ self.assertEquals("ncalrpc", msg["Authorization"]["authType"])
+ self.assertEquals("NONE", msg["Authorization"]["transportProtection"])
+
+ def test_netlogon_bad_machine_name(self):
+ self._test_netlogon("bad_name",
+ self.machinepass,
+ "NT_STATUS_NO_TRUST_SAM_ACCOUNT",
+ self.netlogon_check)
+
+ def test_netlogon_bad_password(self):
+ self._test_netlogon(self.netbios_name,
+ "badpass",
+ "NT_STATUS_ACCESS_DENIED",
+ self.netlogon_check)
+
+ def test_netlogon_password_DES(self):
+ """Logon failure that exercises the "DES" passwordType path.
+ """
+ def isLastExpectedMessage(msg):
+ return (
+ msg["type"] == "Authentication" and
+ msg["Authentication"]["serviceDescription"] == "NETLOGON" and
+ msg["Authentication"]["authDescription"] ==
+ "ServerAuthenticate" and
+ msg["Authentication"]["passwordType"] == "DES")
+
+ c = netlogon.netlogon("ncalrpc:[schannel]", self.get_loadparm())
+ creds = netlogon.netr_Credential()
+ c.netr_ServerReqChallenge(self.server, self.netbios_name, creds)
+ try:
+ c.netr_ServerAuthenticate3(self.server,
+ self.netbios_name,
+ SEC_CHAN_WKSTA,
+ self.netbios_name,
+ creds,
+ 0)
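Review bot: `test_netlogon_password_DES` passes `self.server` to `netr_ServerReqChallenge` and `netr_ServerAuthenticate3`, but `self.server` is not assigned anywhere in this file's `setUp`, which sets `self.domain`, `self.netbios_name`, `self.machinepass` and `self.remoteAddress`; if it is inherited from `AuthLogTestBase`, a comment saying so (or reading it from the environment next to `DOMAIN`) would make the dependency visible. The negotiate flags argument of `0` is what steers `get_password_type` in `auth/auth_log.c` away from both the `NETLOGON_NEG_SUPPORTS_AES` and `NETLOGON_NEG_STRONG_KEYS` branches and onto `"DES"`; the docstring names the path but not that this is how it is reached, and saying so would help. The changeset is cut at 500 lines here, so the `except` clause and the message checks for this test are not visible for review.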