[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Mar 17 02:48:01 UTC 2022
The branch, master has been updated
via ef1dbcdc6cb torture: Allow Samba as an AD DC to use zeros for LM key
via cb691c51ee2 torture: Do not expect LM passwords to be accepted except by samba3
via ac79ce221f0 torture: Update rpc.samlogon to match Win19 and newer Samba behaviour for LM key
via faea2f8a6b5 selftest: Remove auth_log test for RAP password change
via d0b922bd51d ntlm_auth: Adapt --diagnostics mode to expect that the DC does not support LANMAN by default
via 4234e9b05fa s3-ntlm_auth: Convert table of tests in --diagnostics to designated initialisers
via 75c54d54ad9 dsdb: Remove LM hash parameter from samdb_set_password() and callers
via a2fa7f427aa selftest: Allow RPC-SAMR to cope with OemChangePasswordUser2 being un-implemented
via 45af51fd6e1 selftest: Cope with LM hash not being stored in the tombstone_reanimation test
via f161e3f18f0 dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute
via 0f53bfe7230 s4-rpc_server: Do not use LM hash in password changes
via 6aaa1245630 s4-auth: Do not supply the LM hash to the AD DC authentication code
via 2dbc8b98435 s4-auth: Disable LM authentication in the AD DC despite "lanman auth = yes"
via 09eaf7403e8 s4/dsdb: Remove LM password generation and storage from password_hash
via 338492d3457 s4-rpc_server: Remove pre-check for existing NT and LM hash from netlogon
via 557b1ab5f96 kdc: Remove pre-check for existing NT and LM hash from kpasswd
via 0a907c2f45c dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID
via 1144addec50 dsdb: No longer supply exact password hashes in a control to indicate password changes
via 9cec421d4df selftest: run s4member tests less
via 4e21be7e89c selftest: Remove duplicate run of rpc.lsa tests against ad_dc as "samba3"
via 5e9cb0ad208 selftest: Remove duplicate run of rpc.samr tests against ad_dc as "samba3"
via 28fc8df722b selftest: Allow samba.tests.ntlm_auth to fail rather than error checking --diagnostics
via 5b41c871d9b selftest: Use more torture_assert_goto() et al in rpc.samlogon test
from def505e68be wafsamba: Fix call to sorted()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ef1dbcdc6cbf723bb98280c798484ea7de36eb96
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 28 13:24:31 2022 +1300
torture: Allow Samba as an AD DC to use zeros for LM key
This is simple, explainable and secure.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Mar 17 02:47:13 UTC 2022 on sn-devel-184
commit cb691c51ee2e4b0a2d64234383dffddba00bb257
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 28 13:19:58 2022 +1300
torture: Do not expect LM passwords to be accepted except by samba3
This allows Samba as an AD DC (compared with the fileserver/NT4-like DC mode) to match
Windows and refuse all LM passwords, no matter what.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ac79ce221f0536bf0643b25f157bac2621bef4cf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 28 10:07:35 2022 +1300
torture: Update rpc.samlogon to match Win19 and newer Samba behaviour for LM key
Not all cases are covered, but this much covers the areas that Samba and Win19
will agree on.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit faea2f8a6b54714c50e0a5b15bd1775d67944e06
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Feb 18 12:55:57 2022 +1300
selftest: Remove auth_log test for RAP password change
RAP is SMB1, the password change routine requires LM hashes and so everything
here is going away or has now gone, so remove the test.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d0b922bd51d0c75ac9d850ceac689707cd24cf92
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 17 17:50:43 2022 +1300
ntlm_auth: Adapt --diagnostics mode to expect that the DC does not support LANMAN by default
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4234e9b05fade4339dab99f296776d5f55bd8629
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 17 10:48:54 2022 +1300
s3-ntlm_auth: Convert table of tests in --diagnostics to designated initialisers
This makes it easier to set some as "LM auth".
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 75c54d54ad9fdff7098c1b4f11252528f35ea658
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 17 07:35:54 2022 +1300
dsdb: Remove LM hash parameter from samdb_set_password() and callers
This fixes the rpc.samr test because we no longer specify an LM hash
to the DSDB layer only to have it rejected by password_hash.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a2fa7f427aafdd463bbbd18bb495e9f95407e6f4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 16 17:24:19 2022 +1300
selftest: Allow RPC-SAMR to cope with OemChangePasswordUser2 being un-implemented
This is important to allow, after other changes, for the Samba AD DC to again
pass rpc.samr after the removal of LM hash support from the DC.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 45af51fd6e1fc29dfc682c778ea9e19762892cd2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 16 12:56:41 2022 +1300
selftest: Cope with LM hash not being stored in the tombstone_reanimation test
The removal of LM hash storage changes the expected metadata.
We do not need to track these values exactly to prove the
behaviour here.
This is not due to the changes in password_hash directly, which in
update_final_msg() sets DSDB_FLAG_INTERNAL_FORCE_META_DATA to force
a push out of the removed attribute to the replication state.
However at the stage of a subsequent LDAP Delete there is no longer
a lmPwdHistory nor dBCSPwd attribute, in the directory, so there is
no subsequent version bump to remove them when building a tombstone.
Samba's behaviour is different to that seen by Metze on Windows 2022,
where he sees dBCSPwd removed (for the no LM store case) but
lmPwdHistory kept. We in Samba choose to differ, not storing an
ambiguous LM history (of "" values likely), so allowing any version
for these two attributes is the sensible choice.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f161e3f18f07595208454dea8675553d27dd1183
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 10 18:58:52 2022 +1300
dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute
This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 0f53bfe7230c5e76f7ceb8baf98a9ef38a35356f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 10 18:40:31 2022 +1300
s4-rpc_server: Do not use LM hash in password changes
We now only change passwords based on the NT hash.
This means we no longer support samr_OemChangePasswordUser2()
and we do not check the LM verifier in samr_ChangePasswordUser3().
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6aaa12456308204a659e3dce2b9049f00d55244a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 10 18:19:50 2022 +1300
s4-auth: Do not supply the LM hash to the AD DC authentication code
This still passes in the value in the LM field for checking
in case it is an NT response or LMv2.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2dbc8b98435bd2dde93830a0aaa07053eda75bc6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 10 18:15:58 2022 +1300
s4-auth: Disable LM authentication in the AD DC despite "lanman auth = yes"
LM authentication is very weak and a very bad idea, so has been deprecated since
Samba 4.11.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 09eaf7403e8cfdb227ffc3fc1610fbd0dc0bf893
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 10 17:40:29 2022 +1300
s4/dsdb: Remove LM password generation and storage from password_hash
We no longer generate nor store the LM hash in the Samba AD DC.
This adds much to the knownfail, some future commits will trim this
back down by making the tests understand that the server will not
support or store the LM hash.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 338492d3457cf80e3ca7c88ad9d7668d7dbb308e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 14 16:06:36 2022 +1300
s4-rpc_server: Remove pre-check for existing NT and LM hash from netlogon
We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 557b1ab5f9661f52c2a47b648294603cf108404c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 10 14:11:03 2022 +1300
kdc: Remove pre-check for existing NT and LM hash from kpasswd
We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 0a907c2f45c34efcac784738c9d75303b9d04d2f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 9 16:53:08 2022 +1300
dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID
This makes it clearer that the purpose of this control is to indicate that the password
was already checked (by an out-of-band mechanism, eg kpasswd) and so can safely be changed
subject to ACLs etc.
This essentially reverts bbb9dc806e4399c65dee9b5dc2cde0bfaa9609bd
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1144addec5043d39fc5149aa2b93fe6b974cab7d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 9 16:33:23 2022 +1300
dsdb: No longer supply exact password hashes in a control to indicate password changes
This returns the API for password changes via (eg) kpasswd to the
previous design as at 7eebcebbab8f62935bd1d5460e58b0a8f2cc30e8
where a control but no particular values were specified.
This avoids the issues that were attempted to be addressed between
7eebcebbab8f62935bd1d5460e58b0a8f2cc30e8 and 786c41b0954b541518d1096019e1ce7ca11e5e98
by still keeping the ACL check from 23bd3a74176be4a1f8d6d70b148ababee397cf8c.
The purpose of this change is to move away from the NT hash (unicodePwd) being
the primary password in Samba, to allow installations to operate without this
unsalted hash.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9cec421d4df7cc59905062450cdbcf67f43e8382
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Feb 12 11:26:37 2022 +1300
selftest: run s4member tests less
The s4member test environment is a historical artifact, provisioned like an
AD DC using sam.ldb and joined using the historical S4 join code.
Once running, however, it is nothing particularly special in winbindd, so
there is no need to run the tests against ad_member and s4member.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4e21be7e89c52aa94d151dd3929f53e22a45245c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Feb 12 14:09:34 2022 +1300
selftest: Remove duplicate run of rpc.lsa tests against ad_dc as "samba3"
Running these tests twice is a waste (sorry, that was my choice when
merging s3 and s4 to just run all the tests against the AD DC) and
more importantly means that tests are run in "samba3" mode against
the AD DC, making it difficult to change the tests to expect a different
behaviour against the AD DC compared to the NT4 DC.
To assure that we have not lost tests, I ran:
grep command st/subunit | grep ad_dc| cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c
The two blocks (for rpc.lsa and rpc.lsa.*) are because the rpc.lsa.*
subtests were not previously run under ncacn_ip_tcp: and this is the
minimal change.
The output is:
--- /tmp/3 2022-02-12 14:01:50.435761067 +1300
+++ /tmp/now 2022-02-12 14:01:37.427595351 +1300
@@ -13,9 +13,8 @@
2 rpc.lsa-getuser on ncalrpc with validate.
2 rpc.lsa-getuser with bigendian.
2 rpc.lsa-getuser with seal,padcheck.
2 rpc.lsa-getuser with validate.
- 2 rpc.lsa.lookupnames.
2 rpc.lsa.lookupnames with .
2 rpc.lsa.lookupnames with bigendian.
2 rpc.lsa.lookupnames with validate.
2 rpc.lsalookup on ncacn_ip_tcp with bigendian.
@@ -26,9 +25,8 @@
2 rpc.lsalookup on ncacn_np with validate.
2 rpc.lsalookup on ncalrpc with bigendian.
2 rpc.lsalookup on ncalrpc with seal,padcheck.
2 rpc.lsalookup on ncalrpc with validate.
- 2 rpc.lsa.lookupsids.
2 rpc.lsa.lookupsids with .
2 rpc.lsa.lookupsids with bigendian.
2 rpc.lsa.lookupsids with validate.
2 rpc.lsalookup with bigendian.
@@ -42,15 +40,11 @@
2 rpc.lsa on ncacn_np with validate.
2 rpc.lsa on ncalrpc with bigendian.
2 rpc.lsa on ncalrpc with seal,padcheck.
2 rpc.lsa on ncalrpc with validate.
- 2 rpc.lsa over ncacn_ip_tcp .
- 2 rpc.lsa over ncacn_np .
- 2 rpc.lsa.privileges.
2 rpc.lsa.privileges with .
2 rpc.lsa.privileges with bigendian.
2 rpc.lsa.privileges with validate.
- 2 rpc.lsa.secrets.
2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=no.
2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=no --option=clientntlmv2auth=yes.
2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=yes.
2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=yes --option=clientntlmv2auth=yes.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5e9cb0ad2081a4e7512e4e4d94bf81424edbd583
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Feb 11 21:05:38 2022 +1300
selftest: Remove duplicate run of rpc.samr tests against ad_dc as "samba3"
Running these tests twice is a waste (sorry, that was my choice when
merging s3 and s4 to just run all the tests against the AD DC) and
more importantly means that tests are run in "samba3" mode against
the AD DC, making it difficult to change the tests to expect a different
behaviour against the AD DC compared to the NT4 DC.
To assure that we have not lost tests, I ran:
grep command st/subunit | grep ad_dc| cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c
The output is:
--- /tmp/2 2022-02-11 21:00:54.033610748 +1300
+++ /tmp/now 2022-02-11 21:01:13.849823721 +1300
@@ -1,32 +1,21 @@
- 2 rpc.samr.
- 2 rpc.samr.handletype.
2 rpc.samr.handletype with .
2 rpc.samr.handletype with bigendian.
2 rpc.samr.handletype with validate.
- 2 rpc.samr.large-dc.
2 rpc.samr.large-dc on ncacn_np with .
- 2 rpc.samr.machine.auth.
2 rpc.samr.machine.auth with .
2 rpc.samr.machine.auth with bigendian.
2 rpc.samr.machine.auth with validate.
2 rpc.samr on ncacn_np with .
- 2 rpc.samr.passwords.
- 2 rpc.samr.passwords.badpwdcount.
2 rpc.samr.passwords.badpwdcount on ncacn_np with .
2 rpc.samr.passwords.lockout on ncacn_np with .
2 rpc.samr.passwords on ncacn_np with .
- 2 rpc.samr.passwords.pwdlastset.
2 rpc.samr.passwords.pwdlastset on ncacn_np with .
2 rpc.samr.passwords.validate on ncacn_ip_tcp with bigendian.
2 rpc.samr.passwords.validate on ncacn_ip_tcp with seal,padcheck.
2 rpc.samr.passwords.validate on ncacn_ip_tcp with validate.
- 2 rpc.samr.passwords.validate over ncacn_ip_tcp .
- 2 rpc.samr.priv.
2 rpc.samr.priv with .
2 rpc.samr.priv with bigendian.
2 rpc.samr.priv with validate.
- 2 rpc.samr.users.
2 rpc.samr.users on ncacn_np with .
- 2 rpc.samr.users.privileges.
2 rpc.samr.users.privileges on ncacn_np with .
4 tests.dcerpc.samr_change_password.
It is clear that the tests are all still being run at least once against the AD DC.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
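The two "remove duplicate run" commits above both rely on the same grep/cut/sort/uniq pipeline over st/subunit, and then on reading the before/after diff by eye to confirm no suite was lost. The script below is an added example, not part of the Samba commits: it wraps that pipeline in functions and runs it over a constructed subunit-style sample so the "nothing lost" check can be made mechanically. The layout of the sample "command:" lines is an assumption (the pipeline only relies on the quoted test name being the second "-delimited field); the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the Samba commits: the commit message's
# grep/cut/sort/uniq pipeline wrapped in functions, run over a constructed
# subunit-style sample. The "command:" line layout is an assumption.
set -e

# Constructed "before" snapshot. rpc.samr is planned against ad_dc twice
# (samba3.* and samba4.* names) and against ad_dc_ntvfs, which "grep ad_dc"
# also matches; the nt4_dc line is filtered out by the pipeline.
sample_before() {
	cat <<'EOF'
command: smbtorture "samba3.rpc.samr on ncacn_np with ." (nt4_dc)
command: smbtorture "samba3.rpc.samr." (ad_dc)
command: smbtorture "samba4.rpc.samr on ncacn_np with ." (ad_dc)
command: smbtorture "samba4.rpc.samr on ncacn_np with ." (ad_dc_ntvfs)
command: smbtorture "samba3.rpc.samr.priv." (ad_dc)
command: smbtorture "samba4.rpc.samr.priv with validate." (ad_dc)
command: smbtorture "samba4.rpc.samr.priv with validate." (ad_dc_ntvfs)
EOF
}

# Constructed "after" snapshot: the samba3-mode runs against ad_dc are gone.
sample_after() {
	sample_before | grep -v '"samba3\.[^"]*" (ad_dc)'
}

# The pipeline from the commit message, reading a snapshot on stdin:
# keep command lines for ad_dc* environments, take the quoted test name,
# drop the samba3/samba4 prefix, count how often each name occurs.
count_runs() {
	grep command | grep ad_dc | cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c
}

# Reduce a counted line such as "   2 rpc.samr on ncacn_np with ." to the
# suite name "rpc.samr", so that variant runs of one suite compare equal.
suite_names() {
	sed -e 's/^ *[0-9]* //' -e 's/ .*//' -e 's/\.$//' | sort -u
}

# Suites counted before but missing after; empty output means nothing was lost.
lost_suites() {
	before=$(sample_before | count_runs | suite_names)
	after=$(sample_after | count_runs | suite_names)
	printf '%s\n' "$before" | while IFS= read -r suite; do
		printf '%s\n' "$after" | grep -Fqx -- "$suite" || printf '%s\n' "$suite"
	done
}

# Run count for the exact counted name $1 in the "after" snapshot
# (prints nothing if the name no longer occurs at all).
after_count() {
	sample_after | count_runs | while read -r n name; do
		if [ "$name" = "$1" ]; then echo "$n"; fi
	done
}

echo "--- counts after the change ---"
sample_after | count_runs
echo "--- suites lost (empty is good) ---"
lost_suites
```

On the constructed data the samba3-style names ("rpc.samr.", "rpc.samr.priv.") disappear exactly as in the commit's diff, while every suite still has a samba4-style run, so lost_suites prints nothing. Pointing sample_before and sample_after at two real st/subunit snapshots instead of the heredoc gives the same check on a real tree.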
commit 28fc8df722b1e505ffae60c2cc9fa7d77f553629
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Feb 12 14:52:44 2022 +1300
selftest: Allow samba.tests.ntlm_auth to fail rather than error checking --diagnostics
This allows a knownfail entry to be written for this test.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5b41c871d9b1873f9c489a4c1f7fde83217f6230
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 15 20:21:00 2022 +1300
selftest: Use more torture_assert_goto() et al in rpc.samlogon test
This testsuite can otherwise fail with an error, which cannot be covered with
a knownfail.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/auth_log_pass_change.py | 29 ---
python/samba/tests/ntlm_auth.py | 19 +-
selftest/knownfail | 5 +-
selftest/knownfail.d/lm-hash-support-gone | 8 +
source3/selftest/tests.py | 18 +-
source3/utils/ntlm_auth.c | 4 +-
source3/utils/ntlm_auth_diagnostics.c | 264 +++++++++++++------
source3/utils/ntlm_auth_proto.h | 2 +-
source4/auth/ntlm/auth_sam.c | 26 +-
source4/auth/sam.c | 1 -
source4/dsdb/common/util.c | 63 ++---
source4/dsdb/samdb/ldb_modules/acl.c | 6 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 253 ++++--------------
source4/dsdb/samdb/samdb.h | 11 +-
source4/dsdb/tests/python/tombstone_reanimation.py | 4 +-
source4/kdc/kpasswd-helper.c | 4 +-
source4/kdc/kpasswd-service-heimdal.c | 1 -
source4/kdc/kpasswd-service-mit.c | 1 -
source4/kdc/kpasswd_glue.c | 41 +--
source4/kdc/kpasswd_glue.h | 1 -
source4/kdc/mit_samba.c | 1 -
source4/libcli/ldap/ldap_controls.c | 2 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 52 +---
source4/rpc_server/samr/samr_password.c | 281 +-------------------
source4/selftest/tests.py | 7 +-
source4/torture/rpc/samlogon.c | 288 +++++++++++----------
source4/torture/rpc/samr.c | 12 +
27 files changed, 519 insertions(+), 885 deletions(-)
create mode 100644 selftest/knownfail.d/lm-hash-support-gone
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py
index f19512deaf8..cb4c42167d2 100644
--- a/python/samba/tests/auth_log_pass_change.py
+++ b/python/samba/tests/auth_log_pass_change.py
@@ -200,35 +200,6 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
self.assertTrue(self.waitForMessages(isLastExpectedMessage),
"Did not receive the expected message")
- # net rap password changes are broken, but they trigger enough of the
- # server side behaviour to exercise the code paths of interest.
- # if we used the real password it would be too long and does not hash
- # correctly, so we just check it triggers the wrong password path.
- def test_rap_change_password(self):
- def isLastExpectedMessage(msg):
- return ((msg["type"] == "Authentication") and
- (msg["Authentication"]["serviceDescription"] ==
- "SAMR Password Change") and
- (msg["Authentication"]["status"] ==
- "NT_STATUS_WRONG_PASSWORD") and
- (msg["Authentication"]["authDescription"] ==
- "OemChangePasswordUser2") and
- (msg["Authentication"]["eventId"] ==
- EVT_ID_UNSUCCESSFUL_LOGON) and
- (msg["Authentication"]["logonType"] ==
- EVT_LOGON_NETWORK))
-
- username = os.environ["USERNAME"]
- server = os.environ["SERVER"]
- password = os.environ["PASSWORD"]
- server_param = "--server=%s" % server
- creds = "-U%s%%%s" % (username, password)
- call(["bin/net", "rap", server_param,
- "password", USER_NAME, "notMyPassword", "notGoingToBeMyPassword",
- server, creds, "--option=client ipc max protocol=nt1"])
- self.assertTrue(self.waitForMessages(isLastExpectedMessage),
- "Did not receive the expected message")
-
def test_ldap_change_password(self):
def isLastExpectedMessage(msg):
return ((msg["type"] == "Authentication") and
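Review bot: removing test_rap_change_password also removes the only uses of `call` and `USER_NAME` visible in this hunk; check that both are still referenced elsewhere in auth_log_pass_change.py and, if not, drop the corresponding import and constant so the file does not keep dead code. The matching ad_dc_ntvfs knownfail entry is deleted in the same patch, so no stale expectation is left behind.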
diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index b909db4e8a1..8a43d6e1209 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -18,6 +18,7 @@
import os
from subprocess import Popen, PIPE
+from samba.tests import BlackboxProcessError
from samba.tests.ntlm_auth_base import NTLMAuthTestCase
from samba.common import get_string
@@ -322,4 +323,20 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
"--password", self.password,
"--domain", self.domain,
"--diagnostics"]
- self.check_exit_code(cmd_line, 0)
+ try:
+ self.check_exit_code(cmd_line, 0)
+ except BlackboxProcessError as e:
+ self.fail(e)
+
+ def test_diagnostics_lm(self):
+ """ ntlm_auth diagnostics """
+ cmd_line = [self.ntlm_auth_path,
+ "--username", self.username,
+ "--password", self.password,
+ "--domain", self.domain,
+ "--diagnostics",
+ "--request-lm-key"]
+ try:
+ self.check_exit_code(cmd_line, 0)
+ except BlackboxProcessError as e:
+ self.fail(e)
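Review bot: the docstring on test_diagnostics_lm repeats the one on the plain diagnostics test (`""" ntlm_auth diagnostics """`) although the new test passes `--request-lm-key` and therefore expects the DC to support LM; say so in the docstring, since the knownfail.d/lm-hash-support-gone entries key on exactly that difference. The two identical try/except blocks that turn BlackboxProcessError into self.fail() could also share a small helper taking the extra arguments.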
diff --git a/selftest/knownfail b/selftest/knownfail
index 7e897dd026d..99c8768485b 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -371,10 +371,7 @@
^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.*
^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean
^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing
-#
-# rap password tests don't function in the ad_dc_ntvfs environment
-#
-^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\)
+
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
# NETLOGON is disabled in any non-DC environments
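Review bot: the removed rap-password block is replaced by an empty `+` line instead of being deleted outright, which leaves a stray blank line above the LDAP referrals comment; drop the blank line so the knownfail list stays compact.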
diff --git a/selftest/knownfail.d/lm-hash-support-gone b/selftest/knownfail.d/lm-hash-support-gone
new file mode 100644
index 00000000000..cced585c531
--- /dev/null
+++ b/selftest/knownfail.d/lm-hash-support-gone
@@ -0,0 +1,8 @@
+^samba4.blackbox.smbclient .*LANMAN*
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics_lm\(ad_dc:local\)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics_lm\(ad_member:local\)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics_lm\(chgdcpass:local\)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics_lm\(rodc:local\)
+# These fail as they expect no LM support (compared with the _lm test test does)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics\(nt4_dc:local\)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics\(nt4_member:local\)
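Review bot: the first pattern `^samba4.blackbox.smbclient .*LANMAN*` does not say what it seems to: the trailing `*` quantifies only the final `N`, so it matches `LANMA`, `LANMAN`, `LANMANN`, and so on. If the intent is "any smbclient test name containing LANMAN", write `.*LANMAN` (a trailing `.*` is redundant for an unanchored tail). The comment on the `test_diagnostics` entries also doubles a word ("the _lm test test does").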
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9561e49d7e1..5849d39445a 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -845,13 +845,12 @@ for t in tests:
elif t == "rpc.lsa":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
- plansmbtorture4testsuite(t, "ad_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
- plansmbtorture4testsuite(t, "ad_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
+ elif t.startswith("rpc.lsa."):
+ # This avoids the rpc.lsa.* tests runing under ncacn_ip_tcp:
+ # (there is rpc.lsa.secrets fails due to OpenPolicy2 for example)
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
elif t == "rpc.mdssvc":
plansmbtorture4testsuite(t, "fileserver", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:no_spotlight_localdir=$SELFTEST_PREFIX/fileserver/share')
- elif t == "rpc.samr.passwords.validate":
- plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
- plansmbtorture4testsuite(t, "ad_dc", 'ncacn_ip_tcp:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
elif t == "smb2.durable-open" or t == "smb2.durable-v2-open" or t == "smb2.replay" or t == "smb2.durable-v2-delay":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/durable -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER_IP/durable -U$USERNAME%$PASSWORD')
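Review bot: the new comment has a typo ("runing") and its second line is not a sentence ("there is rpc.lsa.secrets fails due to OpenPolicy2 for example"); suggest "# This avoids running the rpc.lsa.* tests under ncacn_ip_tcp:" followed by "# (for example, rpc.lsa.secrets fails there due to OpenPolicy2)". The `rpc.samr.passwords.validate` branch removed here reappears further down in the same file with only the nt4_dc run, so the dropped ad_dc run is intentional and matches the commit message.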
@@ -963,9 +962,6 @@ for t in tests:
elif t == "smb2.compound_find":
plansmbtorture4testsuite(t, "fileserver", '//$SERVER/compound_find -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "fileserver", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
- elif t == "rpc.samr.users.privileges":
- plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:nt4_dc=true')
- plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
elif t == "smb2.compound":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/aio -U$USERNAME%$PASSWORD', 'aio')
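Review bot: this drops the ad_dc run of rpc.samr.users.privileges along with its nt4_dc-specific branch; the nt4_dc run is re-added further down in the same file, so the only behavioural change is that the AD DC no longer runs this suite in samba3 mode, as the commit message states. A one-line comment at the new location saying why ad_dc is excluded would help the next reader.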
@@ -1043,6 +1039,12 @@ for t in tests:
elif t in ["base.mangle", "base.tcon", "raw.mkdir"]:
plansmbtorture4testsuite(t, "nt4_dc_smb1_done", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "ad_dc_smb1_done", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
+ elif t == "rpc.samr.passwords.validate":
+ plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
+ elif t == "rpc.samr.users.privileges":
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:nt4_dc=true')
+ elif t == "rpc.samr" or t.startswith("rpc.samr."):
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
else:
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
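Review bot: the generic `elif t == "rpc.samr" or t.startswith("rpc.samr."):` branch must stay below the two specific rpc.samr branches added just above it, otherwise `rpc.samr.passwords.validate` would lose its `ncacn_ip_tcp:$SERVER_IP[seal]` run and `rpc.samr.users.privileges` its `torture:nt4_dc=true` option; a comment stating that ordering dependency would protect it from a future reordering of the chain.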
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 517354514ce..7d17e33c9fe 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -2588,7 +2588,7 @@ enum {
.argInfo = POPT_ARG_NONE,
.arg = &request_lm_key,
.val = OPT_LM_KEY,
- .descrip = "Retrieve LM session key"
+ .descrip = "Retrieve LM session key (or, with --diagnostics, expect LM support)"
},
{
.longName = "request-nt-key",
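Review bot: `--request-lm-key` now carries a second meaning under `--diagnostics`, and the popt descrip is the only place that documents it; the Summary of changes lists no docs-xml file, so the ntlm_auth manpage should be updated to describe the diagnostics meaning as well.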
@@ -2817,7 +2817,7 @@ enum {
}
if (diagnostics) {
- if (!diagnose_ntlm_auth()) {
+ if (!diagnose_ntlm_auth(request_lm_key)) {
poptFreeContext(pc);
return 1;
}
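Review bot: `request_lm_key` is the popt target of a POPT_ARG_NONE option and is passed straight through as the `lanman_support_expected` bool parameter of diagnose_ntlm_auth(); that is only correct if it is declared as bool (or int) and initialised to false before option parsing, which this hunk does not show. Worth a glance at the declaration.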
diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c
index fc0fc19bacb..18e69d81d9f 100644
--- a/source3/utils/ntlm_auth_diagnostics.c
+++ b/source3/utils/ntlm_auth_diagnostics.c
@@ -46,7 +46,8 @@ enum ntlm_break {
* Test the normal 'LM and NTLM' combination
*/
-static bool test_lm_ntlm_broken(enum ntlm_break break_which)
+static bool test_lm_ntlm_broken(enum ntlm_break break_which,
+ bool lanman_support_expected)
{
bool pass = True;
NTSTATUS nt_status;
@@ -114,14 +115,26 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
return break_which == BREAK_NT;
}
- if (memcmp(lm_hash, lm_key,
- sizeof(lm_key)) != 0) {
- DEBUG(1, ("LM Key does not match expectations!\n"));
- DEBUG(1, ("lm_key:\n"));
- dump_data(1, lm_key, 8);
- DEBUG(1, ("expected:\n"));
- dump_data(1, lm_hash, 8);
- pass = False;
+ /* If we are told the DC is Samba4, expect an LM key of zeros */
+ if (!lanman_support_expected) {
+ if (!all_zero(lm_key,
+ sizeof(lm_key))) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected: all zeros\n"));
+ pass = False;
+ }
+ } else {
+ if (memcmp(lm_hash, lm_key,
+ sizeof(lm_key)) != 0) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
}
if (break_which == NO_NT) {
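Review bot: the comment "If we are told the DC is Samba4, expect an LM key of zeros" is narrower than the flag it guards: the parameter is named `lanman_support_expected`, and the commit messages above say a zero LM key is also what Windows 2019 and newer return. Suggest "If the DC is not expected to support LANMAN (Samba AD DC, Windows 2019 and later), expect an LM key of zeros".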
@@ -152,26 +165,26 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
* Test LM authentication, no NT response supplied
*/
-static bool test_lm(void)
+static bool test_lm(bool lanman_support_expected)
{
- return test_lm_ntlm_broken(NO_NT);
+ return test_lm_ntlm_broken(NO_NT, lanman_support_expected);
}
/*
* Test the NTLM response only, no LM.
*/
-static bool test_ntlm(void)
+static bool test_ntlm(bool lanman_support_expected)
{
- return test_lm_ntlm_broken(NO_LM);
+ return test_lm_ntlm_broken(NO_LM, lanman_support_expected);
}
/*
* Test the NTLM response only, but in the LM field.
*/
-static bool test_ntlm_in_lm(void)
+static bool test_ntlm_in_lm(bool lanman_support_expected)
{
bool pass = True;
NTSTATUS nt_status;
@@ -214,22 +227,42 @@ static bool test_ntlm_in_lm(void)
return False;
}
- if (memcmp(lm_hash, lm_key,
- sizeof(lm_key)) != 0) {
- DEBUG(1, ("LM Key does not match expectations!\n"));
- DEBUG(1, ("lm_key:\n"));
- dump_data(1, lm_key, 8);
- DEBUG(1, ("expected:\n"));
- dump_data(1, lm_hash, 8);
- pass = False;
- }
- if (memcmp(lm_hash, user_session_key, 8) != 0) {
- DEBUG(1, ("Session Key (first 8 lm hash) does not match expectations!\n"));
- DEBUG(1, ("user_session_key:\n"));
- dump_data(1, user_session_key, 16);
- DEBUG(1, ("expected:\n"));
- dump_data(1, lm_hash, 8);
- pass = False;
+ /* If we are told the DC is Samba4, expect an LM key of zeros */
+ if (!lanman_support_expected) {
+ if (!all_zero(lm_key,
+ sizeof(lm_key))) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected: all zeros\n"));
+ pass = False;
+ }
+ if (!all_zero(user_session_key,
+ sizeof(user_session_key))) {
+ DEBUG(1, ("Session Key (normally first 8 lm hash) does not match expectations!\n"));
+ DEBUG(1, ("user_session_key:\n"));
+ dump_data(1, user_session_key, 16);
+ DEBUG(1, ("expected all zeros:\n"));
+ pass = False;
+ }
+ } else {
+ if (memcmp(lm_hash, lm_key,
+ sizeof(lm_key)) != 0) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
+ if (memcmp(lm_hash, user_session_key, 8) != 0) {
+ DEBUG(1, ("Session Key (first 8 lm hash) does not match expectations!\n"));
+ DEBUG(1, ("user_session_key:\n"));
+ dump_data(1, user_session_key, 16);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
}
return pass;
}
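Review bot: the new message `"expected all zeros:\n"` in the user_session_key branch is formatted differently from the `"expected: all zeros\n"` used for lm_key a few lines earlier and ends with a colon although nothing is dumped after it; make the two consistent so the diagnostics output reads uniformly.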
@@ -238,7 +271,7 @@ static bool test_ntlm_in_lm(void)
* Test the NTLM response only, but in the both the NT and LM fields.
*/
-static bool test_ntlm_in_both(void)
+static bool test_ntlm_in_both(bool lanman_support_expected)
{
bool pass = True;
NTSTATUS nt_status;
@@ -286,14 +319,26 @@ static bool test_ntlm_in_both(void)
return False;
}
- if (memcmp(lm_hash, lm_key,
- sizeof(lm_key)) != 0) {
- DEBUG(1, ("LM Key does not match expectations!\n"));
- DEBUG(1, ("lm_key:\n"));
- dump_data(1, lm_key, 8);
- DEBUG(1, ("expected:\n"));
- dump_data(1, lm_hash, 8);
- pass = False;
+ /* If we are told the DC is Samba4, expect an LM key of zeros */
+ if (!lanman_support_expected) {
+ if (!all_zero(lm_key,
+ sizeof(lm_key))) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected: all zeros\n"));
+ pass = False;
+ }
+ } else {
+ if (memcmp(lm_hash, lm_key,
+ sizeof(lm_key)) != 0) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
}
if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
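Review bot: the LM-key expectation ladder (`if (!lanman_support_expected) { ... all_zero(lm_key, ...) } else { memcmp(lm_hash, lm_key, ...) }` with its four DEBUG lines) is now copied verbatim between test_lm_ntlm_broken and test_ntlm_in_both; factor it into a small static helper taking `lm_key`, `lm_hash` and `lanman_support_expected` so the two copies cannot drift, and let the helper carry the comment, which here again says "Samba4" where the condition is the generic flag. The unconditional `session_key.data` versus `user_session_key` comparison that follows should stay outside the helper, since only the LM key check depends on the flag in this test.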
@@ -395,7 +440,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
* Test the NTLMv2 and LMv2 responses
*/
-static bool test_lmv2_ntlmv2(void)
+static bool test_lmv2_ntlmv2(bool lanman_support_expected)
{
return test_lmv2_ntlmv2_broken(BREAK_NONE);
}
@@ -404,7 +449,7 @@ static bool test_lmv2_ntlmv2(void)
* Test the LMv2 response only
*/
-static bool test_lmv2(void)
+static bool test_lmv2(bool lanman_support_expected)
{
return test_lmv2_ntlmv2_broken(NO_NT);
}
@@ -413,32 +458,32 @@ static bool test_lmv2(void)
* Test the NTLMv2 response only
*/
-static bool test_ntlmv2(void)
+static bool test_ntlmv2(bool lanman_support_expected)
{
return test_lmv2_ntlmv2_broken(NO_LM);
}
-static bool test_lm_ntlm(void)
+static bool test_lm_ntlm(bool lanman_support_expected)
{
- return test_lm_ntlm_broken(BREAK_NONE);
+ return test_lm_ntlm_broken(BREAK_NONE, lanman_support_expected);
}
-static bool test_ntlm_lm_broken(void)
+static bool test_ntlm_lm_broken(bool lanman_support_expected)
{
- return test_lm_ntlm_broken(BREAK_LM);
+ return test_lm_ntlm_broken(BREAK_LM, lanman_support_expected);
}
-static bool test_ntlm_ntlm_broken(void)
+static bool test_ntlm_ntlm_broken(bool lanman_support_expected)
{
- return test_lm_ntlm_broken(BREAK_NT);
+ return test_lm_ntlm_broken(BREAK_NT, lanman_support_expected);
}
-static bool test_ntlmv2_lmv2_broken(void)
+static bool test_ntlmv2_lmv2_broken(bool lanman_support_expected)
{
return test_lmv2_ntlmv2_broken(BREAK_LM);
}
-static bool test_ntlmv2_ntlmv2_broken(void)
+static bool test_ntlmv2_ntlmv2_broken(bool lanman_support_expected)
{
return test_lmv2_ntlmv2_broken(BREAK_NT);
}
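Review bot: only test_lm_ntlm, test_ntlm_lm_broken and test_ntlm_ntlm_broken forward `lanman_support_expected` to test_lm_ntlm_broken; in test_ntlmv2, test_ntlmv2_lmv2_broken and test_ntlmv2_ntlmv2_broken (and in test_lmv2_ntlmv2 and test_lmv2 in the two preceding hunks) the parameter is accepted and ignored. That is fine for keeping a uniform `bool (*fn)(bool)` table signature, but it will warn under -Wunused-parameter across all of these, so add a one-line comment above the first of the v2 wrappers stating that the flag is deliberately ignored there, and say why, rather than leaving the reader to infer it from the unchanged `test_lmv2_ntlmv2_broken(...)` calls.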
@@ -535,23 +580,23 @@ static bool test_plaintext(enum ntlm_break break_which)
return break_which != BREAK_NT;
}
-static bool test_plaintext_none_broken(void) {
+static bool test_plaintext_none_broken(bool lanman_support_expected) {
return test_plaintext(BREAK_NONE);
}
-static bool test_plaintext_lm_broken(void) {
+static bool test_plaintext_lm_broken(bool lanman_support_expected) {
return test_plaintext(BREAK_LM);
}
-static bool test_plaintext_nt_broken(void) {
+static bool test_plaintext_nt_broken(bool lanman_support_expected) {
return test_plaintext(BREAK_NT);
}
-static bool test_plaintext_nt_only(void) {
+static bool test_plaintext_nt_only(bool lanman_support_expected) {
return test_plaintext(NO_LM);
}
-static bool test_plaintext_lm_only(void) {
+static bool test_plaintext_lm_only(bool lanman_support_expected) {
return test_plaintext(NO_NT);
}
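Review bot: the five plaintext wrappers keep the opening brace on the signature line (`static bool test_plaintext_none_broken(bool lanman_support_expected) {`), unlike every other function touched in this patch, which puts `{` on its own line; since these lines are being rewritten anyway, move the braces to match the surrounding style. As in the v2 wrappers, `lanman_support_expected` is unused here and the existing `return break_which != BREAK_NT;` logic in test_plaintext is unchanged, so a short comment on the first wrapper noting that the flag is intentionally ignored for plaintext would help.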
@@ -574,37 +619,102 @@ static bool test_plaintext_lm_only(void) {
*/
static const struct ntlm_tests {
- bool (*fn)(void);
+ bool (*fn)(bool lanman_support_expected);
const char *name;
+ bool lanman;
} test_table[] = {
- {test_lm, "LM"},
- {test_lm_ntlm, "LM and NTLM"},
- {test_ntlm, "NTLM"},
- {test_ntlm_in_lm, "NTLM in LM"},
- {test_ntlm_in_both, "NTLM in both"},
- {test_ntlmv2, "NTLMv2"},
- {test_lmv2_ntlmv2, "NTLMv2 and LMv2"},
- {test_lmv2, "LMv2"},
- {test_ntlmv2_lmv2_broken, "NTLMv2 and LMv2, LMv2 broken"},
- {test_ntlmv2_ntlmv2_broken, "NTLMv2 and LMv2, NTLMv2 broken"},
- {test_ntlm_lm_broken, "NTLM and LM, LM broken"},
- {test_ntlm_ntlm_broken, "NTLM and LM, NTLM broken"},
- {test_plaintext_none_broken, "Plaintext"},
- {test_plaintext_lm_broken, "Plaintext LM broken"},
- {test_plaintext_nt_broken, "Plaintext NT broken"},
- {test_plaintext_nt_only, "Plaintext NT only"},
- {test_plaintext_lm_only, "Plaintext LM only"},
- {NULL, NULL}
+ {
+ .fn = test_lm,
+ .name = "LM",
+ .lanman = true
+ },
+ {
+ .fn = test_lm_ntlm,
+ .name = "LM and NTLM"
+ },
+ {
+ .fn = test_ntlm,
+ .name = "NTLM"
+ },
+ {
+ .fn = test_ntlm_in_lm,
+ .name = "NTLM in LM"
+ },
+ {
+ .fn = test_ntlm_in_both,
+ .name = "NTLM in both"
+ },
+ {
+ .fn = test_ntlmv2,
+ .name = "NTLMv2"
+ },
+ {
+ .fn = test_lmv2_ntlmv2,
+ .name = "NTLMv2 and LMv2"
+ },
--
Samba Shared Repository