[PATCH] NTLM tests ported to Python3

Samuel Cabrero scabrero at suse.de
Thu Nov 29 11:26:14 UTC 2018


Hi,

with the idea of extending the NTLM tests I have started by porting the
current mix of bash and python scripts to python3.

These tests look more stable to me now that they use Python's subprocess
module; before that I was getting broken pipe errors from time to time.

Please review and push if you agree.

Cheers.
-------------- next part --------------
From 9801c987eded14f87f35f5771ea3c3d0048a895e Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 12:44:09 +0200
Subject: [PATCH 01/22] selftest: Create included files during provision

Files included from smb.conf have to exist, otherwise python fails to
load the configuration. Found while trying to run a python test before
samba3.blackbox.smbd_error creates the included file.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 selftest/target/Samba3.pm | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 363840e4521..e52fd357116 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1638,6 +1638,8 @@ sub provision($$$$$$$$$)
 
 	my $conffile="$libdir/server.conf";
 	my $dfqconffile="$libdir/dfq.conf";
+	my $errorinjectconf="$libdir/error_inject.conf";
+	my $delayinjectconf="$libdir/delay_inject.conf";
 
 	my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/third_party/nss_wrapper/nss_wrapper.pl";
 	my $nss_wrapper_passwd = "$privatedir/passwd";
@@ -2248,7 +2250,7 @@ sub provision($$$$$$$$$)
 [error_inject]
 	copy = tmp
 	vfs objects = error_inject
-	include = $libdir/error_inject.conf
+	include = $errorinjectconf
 
 [delay_inject]
 	copy = tmp
@@ -2256,7 +2258,7 @@ sub provision($$$$$$$$$)
 	kernel share modes = no
 	kernel oplocks = no
 	posix locking = no
-	include = $libdir/delay_inject.conf
+	include = $delayinjectconf
 
 [aio_delay_inject]
 	copy = tmp
@@ -2280,6 +2282,18 @@ sub provision($$$$$$$$$)
 	    return undef;
 	}
 
+	unless (open(ERRORCONF, ">$errorinjectconf")) {
+		warn("Unable to open $errorinjectconf");
+		return undef;
+	}
+	close(ERRORCONF);
+
+	unless (open(DELAYCONF, ">$delayinjectconf")) {
+		warn("Unable to open $delayinjectconf");
+		return undef;
+	}
+	close(DELAYCONF);
+
 	unless (open(DFQCONF, ">$dfqconffile")) {
 	        warn("Unable to open $dfqconffile");
 		return undef;
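Review bot: The two added `warn()` calls report only the path, not why `open` failed; appending `$!`, as in `warn("Unable to open $errorinjectconf: $!");` (and the same for `$delayinjectconf`), would make a provision failure diagnosable from the log. The two-argument `open(ERRORCONF, ">$errorinjectconf")` with a bareword handle is consistent with the neighbouring `DFQCONF` code, but the three-argument form `open(my $fh, '>', $errorinjectconf)` would keep the path from ever being parsed as part of the mode. The body of `provision` continues outside this hunk.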
-- 
2.19.1


From e695e005f0737b37bca2a7af396626d734431cf8 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Sat, 9 Dec 2017 10:44:15 +0100
Subject: [PATCH 02/22] selftest: Add a new base class for ntlm_auth tests

The class is based on test_ntlm_auth.py script.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/__init__.py | 183 +++++++++++++++++++++++++++++++++
 1 file changed, 183 insertions(+)

diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
index d79fcfbb997..ecd44d2ba35 100644
--- a/python/samba/tests/__init__.py
+++ b/python/samba/tests/__init__.py
@@ -23,6 +23,7 @@ import tempfile
 import warnings
 import ldb
 import samba
+import time
 from samba import param
 from samba import credentials
 from samba.credentials import Credentials
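Review bot: The added `import time` is not used by any code visible in this patch; the new `NTLMAuthTestCase` class in the next hunk references only `os`, `subprocess` and `samba`. Unless a later patch in the series needs it, drop the import or move it to the patch that first uses it.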
@@ -435,6 +436,188 @@ class BlackboxTestCase(TestCaseInTempDir):
                     string.digits) for x in range(count - 3))
         return password
 
+class NTLMAuthTestCase(TestCase):
+
+    def setUp(self):
+        super(NTLMAuthTestCase, self).setUp()
+        bindir = os.path.normpath(os.getenv("BINDIR", "./bin"))
+        self.ntlm_auth_path = os.path.join(bindir, 'ntlm_auth')
+        self.lp = samba.tests.env_loadparm()
+        self.winbind_separator = self.lp.get('winbind separator')
+
+    def readLine(self, text_stream):
+        buf = text_stream.readline()
+        newline = buf.find('\n')
+        if newline == -1:
+            raise Exception("Failed to read line")
+        return buf[:newline]
+
+    def writeLine(self, text_stream, buf):
+        text_stream.write(buf)
+        text_stream.write("\n")
+
+    def run_helper(self,
+                   client_username=None,
+                   client_password=None,
+                   client_domain=None,
+                   client_use_cached_creds=False,
+                   server_username=None,
+                   server_password=None,
+                   server_domain=None,
+                   client_helper="ntlmssp-client-1",
+                   server_helper="squid-2.5-ntlmssp",
+                   server_use_winbind=False,
+                   require_membership=None,
+                   target_hostname=None,
+                   target_service=None):
+        self.assertTrue(os.access(self.ntlm_auth_path, os.X_OK))
+
+        if client_username is None:
+            raise Exception("client_username required")
+
+        # Client helper args
+        client_args = []
+        client_args.append(self.ntlm_auth_path)
+        client_args.append("--helper-protocol=%s" % client_helper)
+        client_args.append("--username=%s" % client_username)
+        if client_domain:
+            client_args.append("--domain=%s" % client_domain)
+        if client_use_cached_creds:
+            client_args.append("--use-cached-creds")
+        else:
+            if client_password is None:
+                raise Exception("client_password required")
+            client_args.append("--password=%s" % client_password)
+        if target_service:
+            client_args.append("--target-service=%s" % target_service)
+        if target_hostname:
+            client_args.append("--target-hostname=%s" % target_hostname)
+        client_args.append("--configfile=%s" % self.lp.configfile)
+
+        # Server helper args
+        server_args = []
+        server_args.append(self.ntlm_auth_path)
+        server_args.append("--helper-protocol=%s" % server_helper)
+        server_args.append("--configfile=%s" % self.lp.configfile)
+        if not server_use_winbind:
+            if server_username is None or server_password is None or server_domain is None:
+                raise Exception("Server credentials required if not using winbind")
+            server_args.append("--username=%s" % server_username)
+            server_args.append("--password=%s" % server_password)
+            server_args.append("--domain=%s" % server_domain)
+            if require_membership is not None:
+                raise Exception("Server must be using winbind for require-membership-of")
+        else:
+            if require_membership is not None:
+                server_args.append("--require-membership-of=%s" % require_membership)
+
+        # Run helpers
+        result = False
+        server_proc = subprocess.Popen(server_args, stdout=subprocess.PIPE, stdin=subprocess.PIPE, bufsize=0, universal_newlines=True)
+        client_proc = subprocess.Popen(client_args, stdout=subprocess.PIPE, stdin=subprocess.PIPE, bufsize=0, universal_newlines=True)
+
+        try:
+            if client_helper == "ntlmssp-client-1" and server_helper == "squid-2.5-ntlmssp":
+                self.writeLine(client_proc.stdin, "YR")
+                buf = self.readLine(client_proc.stdout)
+                self.assertTrue(buf.startswith("YR "))
+
+                self.writeLine(server_proc.stdin, buf)
+                buf = self.readLine(server_proc.stdout)
+                self.assertTrue(buf.startswith("TT "))
+
+                self.writeLine(client_proc.stdin, buf)
+                buf = self.readLine(client_proc.stdout)
+                self.assertTrue(buf.startswith("AF "))
+
+                # Client sends 'AF <base64 blob>' but server
+                # expects 'KK <base64 blob>'
+                buf = buf.replace("AF", "KK", 1)
+
+                self.writeLine(server_proc.stdin, buf)
+                buf = self.readLine(server_proc.stdout)
+                result = buf.startswith("AF ")
+            elif client_helper == "ntlmssp-client-1" and server_helper == "gss-spnego":
+                self.writeLine(client_proc.stdin, "YR")
+                buf = self.readLine(client_proc.stdout)
+                self.assertTrue(buf.startswith("YR "))
+
+                self.writeLine(server_proc.stdin, buf)
+                buf = self.readLine(server_proc.stdout)
+                self.assertTrue(buf.startswith("TT "))
+
+                self.writeLine(client_proc.stdin, buf)
+                buf = self.readLine(client_proc.stdout)
+                self.assertTrue(buf.startswith("AF "))
+
+                # Client sends 'AF <base64 blob>' but server expects 'KK <abse64 blob>'
+                buf = buf.replace("AF", "KK", 1)
+
+                self.writeLine(server_proc.stdin, buf)
+                buf = self.readLine(server_proc.stdout)
+                result = buf.startswith("AF * ")
+            elif client_helper == "gss-spnego-client" and server_helper == "gss-spnego":
+                self.writeLine(server_proc.stdin, "YR")
+                buf = self.readLine(server_proc.stdout)
+
+                while True:
+                    if (buf.startswith("NA * ")):
+                        result = False
+                        break
+
+                    self.assertTrue(buf.startswith("AF ") or buf.startswith("TT "))
+
+                    self.writeLine(client_proc.stdin, buf)
+                    buf = self.readLine(client_proc.stdout)
+
+                    if buf.startswith("AF"):
+                        result = True
+                        break
+
+                    self.assertTrue(buf.startswith("AF ") or buf.startswith("KK ") or buf.startswith("TT "))
+
+                    self.writeLine(server_proc.stdin, buf)
+                    buf = self.readLine(server_proc.stdout)
+
+                    if buf.startswith("AF * "):
+                        result = True
+                        break
+            else:
+                self.fail("Helper protocols not handled")
+
+            if result is True and client_helper == "ntlmssp-client-1":
+                self.writeLine(client_proc.stdin, "GK")
+                buf = self.readLine(client_proc.stdout)
+                self.assertTrue(buf.startswith("GK "))
+
+                self.writeLine(client_proc.stdin, "GF")
+                buf = self.readLine(client_proc.stdout)
+                self.assertTrue(buf.startswith("GF "))
+
+            if result is True and server_helper == "squid-2.5-ntlmssp":
+                self.writeLine(server_proc.stdin, "GK")
+                buf = self.readLine(server_proc.stdout)
+                self.assertTrue(buf.startswith("GK "))
+
+                self.writeLine(server_proc.stdin, "GF")
+                buf = self.readLine(server_proc.stdout)
+                self.assertTrue(buf.startswith("GF "))
+
+            client_proc.stdin.close()
+            client_proc.wait()
+            self.assertEqual(client_proc.returncode, 0)
+
+            server_proc.stdin.close()
+            server_proc.wait()
+            self.assertEqual(server_proc.returncode, 0)
+
+            return result
+        except:
+            client_proc.kill()
+            client_proc.wait()
+            server_proc.kill()
+            server_proc.wait()
+            raise
 
 def connect_samdb(samdb_url, lp=None, session_info=None, credentials=None,
                   flags=0, ldb_options=None, ldap_only=False, global_schema=True):
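Review bot: In `run_helper` both `subprocess.Popen` calls sit above the `try:`, so if starting the client fails, the already-running server helper is never killed or waited for, and on the success path neither `stdout` pipe is closed. `readLine` also blocks with no timeout, so a helper that stops answering hangs the run instead of failing the test. Starting both processes inside the `try` with the names pre-set to `None`, and closing the pipes in a `finally`, covers the first two cases; the sketch below shows only those lines. Separately, `--password=%s` puts the credential in the helper's argv, readable from the process list by other local users while the helper runs, so a comment above the client argument list restricting this helper to selftest credentials would be worth adding.

```python
        # Run helpers
        result = False
        server_proc = None
        client_proc = None
        try:
            server_proc = subprocess.Popen(server_args, stdout=subprocess.PIPE, stdin=subprocess.PIPE, bufsize=0, universal_newlines=True)
            client_proc = subprocess.Popen(client_args, stdout=subprocess.PIPE, stdin=subprocess.PIPE, bufsize=0, universal_newlines=True)
            # … unchanged: helper protocol exchange, GK/GF checks, exit-status assertions …
            return result
        except:
            # Kill whichever helpers were actually started before re-raising.
            for proc in (client_proc, server_proc):
                if proc is not None:
                    proc.kill()
                    proc.wait()
            raise
        finally:
            # Release the read ends of the pipes on every path.
            for proc in (client_proc, server_proc):
                if proc is not None:
                    proc.stdout.close()
```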
-- 
2.19.1


From d5b34ce7794cbb45ad98b1efa954ab04d55f89fc Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 12:47:11 +0200
Subject: [PATCH 03/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 51 +++++++++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh |  2 -
 source4/selftest/tests.py                 |  2 +
 3 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 python/samba/tests/ntlm_auth.py

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
new file mode 100644
index 00000000000..ff2e925d4dc
--- /dev/null
+++ b/python/samba/tests/ntlm_auth.py
@@ -0,0 +1,51 @@
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) Samuel Cabrero <scabrero at suse.de> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+from samba.tests import NTLMAuthTestCase
+
+class NTLMAuthHelpersTests(NTLMAuthTestCase):
+
+    def test_specified_domain(self):
+        """ ntlm_auth with specified domain """
+
+        username = "foo"
+        password = "secret"
+        domain = "FOO"
+
+        ret = self.run_helper(client_username=username,
+                              client_password=password,
+                              client_domain=domain,
+                              server_username=username,
+                              server_password=password,
+                              server_domain=domain,
+                              server_use_winbind=False)
+        self.assertTrue(ret)
+
+        username = "foo"
+        password = "secret"
+        domain = "fOo"
+
+        ret = self.run_helper(client_username=username,
+                              client_password=password,
+                              client_domain=domain,
+                              server_username=username,
+                              server_password=password,
+                              server_domain=domain,
+                              server_use_winbind=False)
+        self.assertTrue(ret)
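Review bot: `test_specified_domain` repeats the same `run_helper` call twice with only `domain` changed ("FOO", then "fOo"), and a failure does not say which spelling failed. A loop such as `for domain in ("FOO", "fOo"):` with `self.assertTrue(ret, "domain %s" % domain)` would remove the duplication and name the failing value. If the second value is meant to check case-insensitive domain matching, the docstring should say so, since the removed shell tests carried that intent only in their test names.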
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 2b5e4353557..3d3d9f98048 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -268,9 +268,7 @@ EOF
 	fi
 }
 
-testit "ntlm_auth" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS || failed=`expr $failed + 1`
 # This should work even with NTLMv2
-testit "ntlm_auth with specified domain" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo || failed=`expr $failed + 1`
 testit "ntlm_auth against winbindd" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo --client-helper=ntlmssp-client-1 --server-helper=gss-spnego || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo --client-helper=gss-spnego-client --server-helper=gss-spnego || failed=`expr $failed + 1`
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index c4b7d18444c..2087515dd96 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -589,6 +589,8 @@ for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_member", "s4member", "chgdcpass
 
     plantestsuite("samba.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
 
+    planpythontestsuite(env + ":local", "samba.tests.ntlm_auth", py3_compatible=True)
+
 for env in ["s4member_dflt_domain", "s4member"]:
     for cmd in ["id", "getent"]:
         users = ["$DC_USERNAME", "$DC_USERNAME@$REALM"]
-- 
2.19.1


From cb65420fa74b36bbadd25cc716bcf430e28b7888 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 14:26:59 +0200
Subject: [PATCH 04/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 9 +++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 1 -
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index ff2e925d4dc..de3c6459bc8 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -49,3 +49,12 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               server_domain=domain,
                               server_use_winbind=False)
         self.assertTrue(ret)
+
+    def test_agaist_winbind(self):
+        """ ntlm_auth against winbindd """
+
+        ret = self.run_helper(client_username=os.environ["DC_USERNAME"],
+                              client_password=os.environ["DC_PASSWORD"],
+                              client_domain=os.environ["DOMAIN"],
+                              server_use_winbind=True)
+        self.assertTrue(ret)
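Review bot: The method name `test_agaist_winbind` is misspelled; `test_against_winbind` matches its docstring and is what someone filtering tests by name would type. The `os.environ["DC_USERNAME"]`, `os.environ["DC_PASSWORD"]` and `os.environ["DOMAIN"]` lookups raise a bare `KeyError` when the test runs outside a selftest environment, and the same pattern recurs in the later winbind tests of this series. A check in `setUp` that fails or skips with a message naming the missing variable would make that easier to diagnose.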
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 3d3d9f98048..3baed4acfb1 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,7 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth against winbindd" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo --client-helper=ntlmssp-client-1 --server-helper=gss-spnego || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo --client-helper=gss-spnego-client --server-helper=gss-spnego || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS || failed=`expr $failed + 1`
-- 
2.19.1


From b0bb5d5d1e2b1700239697fbb30f284bdb342356 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 16:05:34 +0200
Subject: [PATCH 05/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 18 ++++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh |  1 -
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index de3c6459bc8..8e921cfc1cc 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -58,3 +58,21 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               client_domain=os.environ["DOMAIN"],
                               server_use_winbind=True)
         self.assertTrue(ret)
+
+    def test_ntlmssp_gss_spnego(self):
+        """ ntlm_auth with NTLMSSP client and gss-spnego server """
+
+        username = "foo"
+        password = "secret"
+        domain = "fOo"
+
+        ret = self.run_helper(client_username=username,
+                              client_password=password,
+                              client_domain=domain,
+                              server_username=username,
+                              server_password=password,
+                              server_domain=domain,
+                              client_helper="ntlmssp-client-1",
+                              server_helper="gss-spnego",
+                              server_use_winbind=False)
+        self.assertTrue(ret)
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 3baed4acfb1..f0646276d04 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,7 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth with NTLMSSP client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo --client-helper=ntlmssp-client-1 --server-helper=gss-spnego || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo --client-helper=gss-spnego-client --server-helper=gss-spnego || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS || failed=`expr $failed + 1`
 
-- 
2.19.1


From 1766231a379e7f7b700bccc6bab93b91942ef39b Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 16:28:37 +0200
Subject: [PATCH 06/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 18 ++++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh |  1 -
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 8e921cfc1cc..2cdb0a3a675 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -76,3 +76,21 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               server_helper="gss-spnego",
                               server_use_winbind=False)
         self.assertTrue(ret)
+
+    def test_gss_spnego(self):
+        """ ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server """
+
+        username = "foo"
+        password = "secret"
+        domain = "fOo"
+
+        ret = self.run_helper(client_username=username,
+                              client_password=password,
+                              client_domain=domain,
+                              server_username=username,
+                              server_password=password,
+                              server_domain=domain,
+                              client_helper="gss-spnego-client",
+                              server_helper="gss-spnego",
+                              server_use_winbind=False)
+        self.assertTrue(ret)
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index f0646276d04..2b9b87e75b0 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,7 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo --client-helper=gss-spnego-client --server-helper=gss-spnego || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS || failed=`expr $failed + 1`
 
 testit "wbinfo store cached credentials" $BINDIR/wbinfo --ccache-save=$DOMAIN/$USERNAME%$PASSWORD || failed=`expr $failed + 1`
-- 
2.19.1


From 4e50259aed07d037120b54da2dfad6bee82eca6c Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 16:42:05 +0200
Subject: [PATCH 07/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 12 ++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh |  2 --
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 2cdb0a3a675..3164a392de1 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -94,3 +94,15 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               server_helper="gss-spnego",
                               server_use_winbind=False)
         self.assertTrue(ret)
+
+    def test_gss_spnego_winbind(self):
+        """ ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server
+        against winbind """
+
+        ret = self.run_helper(client_username=os.environ["DC_USERNAME"],
+                              client_password=os.environ["DC_PASSWORD"],
+                              client_domain=os.environ["DOMAIN"],
+                              client_helper="gss-spnego-client",
+                              server_helper="gss-spnego",
+                              server_use_winbind=True)
+        self.assertTrue(ret)
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 2b9b87e75b0..12bdc65e897 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,8 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS || failed=`expr $failed + 1`
-
 testit "wbinfo store cached credentials" $BINDIR/wbinfo --ccache-save=$DOMAIN/$USERNAME%$PASSWORD || failed=`expr $failed + 1`
 testit "ntlm_auth ccached credentials with NTLMSSP client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-username=$USERNAME --client-domain=$DOMAIN --client-use-cached-creds --client-helper=ntlmssp-client-1 --server-helper=gss-spnego --server-use-winbindd || failed=`expr $failed + 1`
 
-- 
2.19.1


From d568cdf2e804d665cc149c9549c80607798bcdc9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 17:07:23 +0200
Subject: [PATCH 08/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 24 +++++++++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh |  3 ---
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 3164a392de1..060a9c5127b 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -106,3 +106,27 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               server_helper="gss-spnego",
                               server_use_winbind=True)
         self.assertTrue(ret)
+
+    def test_ntlmssp_gss_spnego_cached_creds(self):
+        """ ntlm_auth with NTLMSSP client and gss-spnego server against
+        winbind with cached credentials """
+
+        username = os.environ["DC_USERNAME"]
+        password = os.environ["DC_PASSWORD"]
+        domain = os.environ["DOMAIN"]
+
+        # Store cached credentials
+        bindir = os.path.normpath(os.getenv("BINDIR", "./bin"))
+        wbinfo = os.path.join(bindir, "wbinfo")
+        ret = os.system("%s --ccache-save=%s%s%s%%%s" % (
+            wbinfo, domain, self.winbind_separator, username, password))
+        self.assertEqual(ret, 0)
+
+        ret = self.run_helper(client_username=username,
+                              client_password=password,
+                              client_domain=domain,
+                              client_use_cached_creds=True,
+                              client_helper="ntlmssp-client-1",
+                              server_helper="gss-spnego",
+                              server_use_winbind=True)
+        self.assertTrue(ret)
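Review bot: `os.system()` runs the `wbinfo --ccache-save=...` string through the shell, so any shell metacharacter in `DC_PASSWORD`, `DC_USERNAME` or the winbind separator changes the command; a backslash separator, for instance, would be consumed by the shell as an escape. Passing an argument list avoids the shell altogether: `ret = subprocess.call([wbinfo, "--ccache-save=%s%s%s%%%s" % (domain, self.winbind_separator, username, password)])`, with `import subprocess` added at the top of the file. The password still appears in the `wbinfo` argv either way, so this test should only ever be given selftest credentials. `client_password` is also passed to `run_helper` although `client_use_cached_creds=True` means the helper does not use it, judging by the `run_helper` hunk earlier in this series.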
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 12bdc65e897..4df0788fa15 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,9 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "wbinfo store cached credentials" $BINDIR/wbinfo --ccache-save=$DOMAIN/$USERNAME%$PASSWORD || failed=`expr $failed + 1`
-testit "ntlm_auth ccached credentials with NTLMSSP client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-username=$USERNAME --client-domain=$DOMAIN --client-use-cached-creds --client-helper=ntlmssp-client-1 --server-helper=gss-spnego --server-use-winbindd || failed=`expr $failed + 1`
-
 testit "ntlm_auth against winbindd with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1`
 
-- 
2.19.1


From 11780a725edf3025627f261c32b293bb3e8d54f3 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 17:41:40 +0200
Subject: [PATCH 09/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 20 ++++++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh |  1 -
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 060a9c5127b..6b5a9a15490 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -17,6 +17,7 @@
 #
 
 import os
+from subprocess import Popen, PIPE
 from samba.tests import NTLMAuthTestCase
 
 class NTLMAuthHelpersTests(NTLMAuthTestCase):
@@ -130,3 +131,22 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               server_helper="gss-spnego",
                               server_use_winbind=True)
         self.assertTrue(ret)
+
+    def test_require_membership(self):
+        """ ntlm_auth against winbindd with require-membership-of """
+
+        bindir = os.path.normpath(os.getenv("BINDIR", "./bin"))
+        wbinfo = os.path.join(bindir, "wbinfo")
+
+        proc = Popen([wbinfo, '-n', os.environ["DC_USERNAME"]],
+                     stdout=PIPE, stderr=PIPE)
+        (out, err) = proc.communicate()
+        group_sid = out.decode().split(" ")[0]
+        self.assertTrue(group_sid.startswith("S-1-5-21-"))
+
+        ret = self.run_helper(client_username=os.environ["DC_USERNAME"],
+                              client_password=os.environ["DC_PASSWORD"],
+                              client_domain=os.environ["DOMAIN"],
+                              require_membership=group_sid,
+                              server_use_winbind=True)
+        self.assertTrue(ret)
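Review bot: The `wbinfo -n` call never checks `proc.returncode` and `err` is discarded, so a lookup failure surfaces only as `assertTrue(group_sid.startswith("S-1-5-21-"))` failing with no diagnostic. Adding `self.assertEqual(proc.returncode, 0, err.decode())` right after `communicate()` would report the reason. The name `group_sid` is also misleading here, since the SID is resolved from `DC_USERNAME`; something like `user_sid` would match what the code looks up.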
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 4df0788fa15..9ca123f96d6 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,7 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth against winbindd with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1`
 testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1`
 
 testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
-- 
2.19.1


From fc086767f721a5b53cda51391ed90e70f1f06477 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 17:46:59 +0200
Subject: [PATCH 10/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 22 ++++++++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh |  2 --
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 6b5a9a15490..e13c3d3d55e 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -150,3 +150,25 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               require_membership=group_sid,
                               server_use_winbind=True)
         self.assertTrue(ret)
+
+    def test_require_membership_gss_spnego(self):
+        """ ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server
+        against winbind with require-membership-of """
+
+        bindir = os.path.normpath(os.getenv("BINDIR", "./bin"))
+        wbinfo = os.path.join(bindir, "wbinfo")
+
+        proc = Popen([wbinfo, '-n', os.environ["DC_USERNAME"]],
+                     stdout=PIPE, stderr=PIPE)
+        (out, err) = proc.communicate()
+        group_sid = out.decode().split(" ")[0]
+        self.assertTrue(group_sid.startswith("S-1-5-21-"))
+
+        ret = self.run_helper(client_username=os.environ["DC_USERNAME"],
+                              client_password=os.environ["DC_PASSWORD"],
+                              client_domain=os.environ["DOMAIN"],
+                              require_membership=group_sid,
+                              client_helper="gss-spnego-client",
+                              server_helper="gss-spnego",
+                              server_use_winbind=True)
+        self.assertTrue(ret)
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 9ca123f96d6..3a411e0d2b0 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,8 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$SID || failed=`expr $failed + 1`
-
 testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 
-- 
2.19.1


From 26dbfac8666be156f06b0d855219fd757456d412 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 17:53:16 +0200
Subject: [PATCH 11/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 9 +++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 1 -
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index e13c3d3d55e..09c13b98c42 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -151,6 +151,15 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               server_use_winbind=True)
         self.assertTrue(ret)
 
+        group_sid = group_sid[:-2]
+
+        ret = self.run_helper(client_username=os.environ["DC_USERNAME"],
+                              client_password=os.environ["DC_PASSWORD"],
+                              client_domain=os.environ["DOMAIN"],
+                              require_membership=group_sid,
+                              server_use_winbind=True)
+        self.assertFalse(ret)
+
     def test_require_membership_gss_spnego(self):
         """ ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server
         against winbind with require-membership-of """
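Review bot: The negative case in this hunk builds its bad SID with `group_sid = group_sid[:-2]` and then only asserts `assertFalse(ret)`, so it passes whenever the helper fails for any reason, not only when the membership check denies the user. Depending on how long the final RID is, the truncated string may be another well-formed SID or a malformed one, and the test cannot tell those apart. I would keep the good value and name the bad one: `bad_sid = group_sid[:-2]` with the comment `# same BADSID as the shell test: the user's SID minus its last two characters`. Re-running the positive call after the negative one would show the credentials are still accepted. The same truncation appears in the hunks of patches 12, 14 and 18. `test_require_membership` starts outside this hunk.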
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 3a411e0d2b0..725e9e3dbfa 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,7 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 
 testit "ntlm_auth plaintext authentication with require-membership-of" test_plaintext_check_output_stdout || failed=`expr $failed + 1`
-- 
2.19.1


From 16108fd47ce9b6597645729508cf765f17ba8fba Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 18:01:17 +0200
Subject: [PATCH 12/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 11 +++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh |  2 --
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 09c13b98c42..6e9b66e8311 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -181,3 +181,14 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               server_helper="gss-spnego",
                               server_use_winbind=True)
         self.assertTrue(ret)
+
+        group_sid = group_sid[:-2]
+
+        ret = self.run_helper(client_username=os.environ["DC_USERNAME"],
+                              client_password=os.environ["DC_PASSWORD"],
+                              client_domain=os.environ["DOMAIN"],
+                              require_membership=group_sid,
+                              client_helper="gss-spnego-client",
+                              server_helper="gss-spnego",
+                              server_use_winbind=True)
+        self.assertFalse(ret)
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 725e9e3dbfa..3b3c5dfe7ef 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -269,8 +269,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
-
 testit "ntlm_auth plaintext authentication with require-membership-of" test_plaintext_check_output_stdout || failed=`expr $failed + 1`
 testit "ntlm_auth plaintext authentication with failed require-membership-of" test_plaintext_check_output_fail || failed=`expr $failed + 1`
 
-- 
2.19.1


From dcdd2b5aaa285e808b5c508829304e6b51a1a3de Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 18:24:56 +0200
Subject: [PATCH 13/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 26 ++++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 32 -----------------------
 2 files changed, 26 insertions(+), 32 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 6e9b66e8311..eff3c1430eb 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -192,3 +192,29 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
                               server_helper="gss-spnego",
                               server_use_winbind=True)
         self.assertFalse(ret)
+
+    def test_plaintext_with_membership(self):
+        """ ntlm_auth plaintext authentication with require-membership-of """
+
+        bindir = os.path.normpath(os.getenv("BINDIR", "./bin"))
+        wbinfo = os.path.join(bindir, "wbinfo")
+
+        proc = Popen([wbinfo, '-n', os.environ["DC_USERNAME"]],
+                     stdout=PIPE, stderr=PIPE)
+        (out, err) = proc.communicate()
+        group_sid = out.decode().split(" ")[0]
+        self.assertTrue(group_sid.startswith("S-1-5-21-"))
+
+        username = os.environ["DC_USERNAME"]
+        password = os.environ["DC_PASSWORD"]
+        domain = os.environ["DOMAIN"]
+
+        proc = Popen([self.ntlm_auth_path,
+                      "--require-membership-of", group_sid,
+                      "--helper-protocol", "squid-2.5-basic"],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        creds = "%s%s%s %s\n" % (domain, self.winbind_separator, username,
+                               password)
+        (out, err) = proc.communicate(input=creds.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+        self.assertTrue(out.startswith(b"OK\n"))
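Review bot: The credentials line `"%s%s%s %s\n" % (domain, self.winbind_separator, username, password)` is built by raw interpolation, so the test silently depends on `DC_PASSWORD` containing no space, newline or `%`. As far as I know the squid basic helper protocol splits on the first space and URL-decodes both fields; please confirm this against ntlm_auth. A comment such as `# assumes DC_PASSWORD needs no URL-encoding for the squid-2.5-basic line protocol` would record the assumption; encoding the two fields before joining would remove it. Sending the password over stdin rather than argv is worth a short comment too, since it keeps the secret out of the process list. The continuation line `stdout=PIPE, stdin=PIPE, stderr=PIPE)` is indented one column too far.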
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 3b3c5dfe7ef..2a4942bb9f5 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -24,37 +24,6 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_plaintext_check_output_stdout()
-{
-	tmpfile=$PREFIX/ntlm_commands
-
-	cat > $tmpfile <<EOF
-$DOMAIN/$USERNAME $PASSWORD
-EOF
-	cmd='$NTLM_AUTH "$@" --require-membership-of=$SID --helper-protocol=squid-2.5-basic < $tmpfile 2>&1'
-	eval echo "$cmd"
-	out=`eval $cmd`
-	ret=$?
-	rm -f $tmpfile
-
-	if [ $ret != 0 ] ; then
-		echo "$out"
-		echo "command failed"
-		false
-		return
-	fi
-
-	echo "$out" | grep "OK" >/dev/null 2>&1
-
-	if [ $? = 0 ] ; then
-		# authenticated .. succeed
-		true
-	else
-		echo failed to get successful authentication
-		false
-	fi
-}
-
 test_plaintext_check_output_fail()
 {
 	tmpfile=$PREFIX/ntlm_commands
@@ -269,7 +238,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth plaintext authentication with require-membership-of" test_plaintext_check_output_stdout || failed=`expr $failed + 1`
 testit "ntlm_auth plaintext authentication with failed require-membership-of" test_plaintext_check_output_fail || failed=`expr $failed + 1`
 
 testit "ntlm_auth ntlm-server-1 with fixed password" test_ntlm_server_1_check_output || failed=`expr $failed + 1`
-- 
2.19.1


From bbe5ba0de18e8415597f13dc6147ac24ac49b526 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 18:27:50 +0200
Subject: [PATCH 14/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 13 +++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 33 -----------------------
 2 files changed, 13 insertions(+), 33 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index eff3c1430eb..86593088064 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -218,3 +218,16 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
         (out, err) = proc.communicate(input=creds.encode('utf-8'))
         self.assertEqual(proc.returncode, 0)
         self.assertTrue(out.startswith(b"OK\n"))
+
+        # Check membership failure
+        group_sid = group_sid[:-2]
+
+        proc = Popen([self.ntlm_auth_path,
+                      "--require-membership-of", group_sid,
+                      "--helper-protocol", "squid-2.5-basic"],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        creds = "%s%s%s %s\n" % (domain, self.winbind_separator, username,
+                               password)
+        (out, err) = proc.communicate(input=creds.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+        self.assertTrue(out.startswith(b"ERR\n"))
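Review bot: The second `Popen` block in this hunk repeats the one above it in `test_plaintext_with_membership` except for the SID, and both drop `err`, so a helper crash and a clean denial look the same in the test log. A private helper that runs the squid-2.5-basic exchange and passes `err` as the assertion message would keep the allow and deny cases in step and make a failing run diagnosable. The enclosing test starts outside this hunk; the sketch below shows the helper and the two call sites only.

```python
    def _squid_basic(self, sid, creds):
        """Run ntlm_auth in squid-2.5-basic mode; credentials go over stdin."""
        proc = Popen([self.ntlm_auth_path,
                      "--require-membership-of", sid,
                      "--helper-protocol", "squid-2.5-basic"],
                     stdout=PIPE, stdin=PIPE, stderr=PIPE)
        (out, err) = proc.communicate(input=creds.encode('utf-8'))
        self.assertEqual(proc.returncode, 0, err)
        return out

    # ... unchanged: wbinfo lookup and creds construction ...
        self.assertTrue(self._squid_basic(group_sid, creds).startswith(b"OK\n"))
        # Check membership failure
        self.assertTrue(
            self._squid_basic(group_sid[:-2], creds).startswith(b"ERR\n"))
```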
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 2a4942bb9f5..56e327c8ec2 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -24,37 +24,6 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_plaintext_check_output_fail()
-{
-	tmpfile=$PREFIX/ntlm_commands
-
-	cat > $tmpfile <<EOF
-$DOMAIN\\$USERNAME $PASSWORD
-EOF
-	cmd='$NTLM_AUTH "$@" --require-membership-of=$BADSID --helper-protocol=squid-2.5-basic < $tmpfile 2>&1'
-	eval echo "$cmd"
-	out=`eval $cmd`
-	ret=$?
-	rm -f $tmpfile
-
-	if [ $ret != 0 ] ; then
-		echo "$out"
-		echo "command failed"
-		false
-		return
-	fi
-
-	echo "$out" | grep "ERR" >/dev/null 2>&1
-
-	if [ $? = 0 ] ; then
-		# failed to authenticate .. success
-		true
-	else
-		echo "incorrectly gave a successful authentication"
-		false
-	fi
-}
-
 test_ntlm_server_1_check_output()
 {
 	tmpfile=$PREFIX/ntlm_commands
@@ -238,8 +207,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth plaintext authentication with failed require-membership-of" test_plaintext_check_output_fail || failed=`expr $failed + 1`
-
 testit "ntlm_auth ntlm-server-1 with fixed password" test_ntlm_server_1_check_output || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with incorrect fixed password" test_ntlm_server_1_check_output_fail || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=`expr $failed + 1`
-- 
2.19.1


From 5622c70cf69ebd8d06916fb2a08cfa8e8224ba21 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 18:49:13 +0200
Subject: [PATCH 15/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 28 +++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 37 -----------------------
 2 files changed, 28 insertions(+), 37 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 86593088064..f2f157ed57c 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -231,3 +231,31 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
         (out, err) = proc.communicate(input=creds.encode('utf-8'))
         self.assertEqual(proc.returncode, 0)
         self.assertTrue(out.startswith(b"ERR\n"))
+
+    def test_ntlm_server_1_with_fixed_password(self):
+        """ ntlm_auth ntlm-server-1 with fixed password """
+
+        ntlm_cmds = [
+            "LANMAN-Challenge: 0123456789abcdef",
+            "NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6",
+            "NT-Domain: TEST",
+            "Username: testuser",
+            "Request-User-Session-Key: Yes",
+            ".\n" ]
+
+        proc = Popen([self.ntlm_auth_path,
+                      "--password", "SecREt01",
+                      "--helper-protocol", "ntlm-server-1"],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "\n".join(ntlm_cmds)
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+
+        lines = out.split(b"\n")
+
+        self.assertEqual(len(lines), 4)
+        self.assertEquals(lines[0], b"Authenticated: Yes")
+        self.assertEquals(
+            lines[1], b"User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4")
+        self.assertEquals(lines[2], b".")
+        self.assertEquals(lines[3], b"")
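Review bot: The new test mixes `assertEqual` with `assertEquals`, the deprecated alias, which emits a DeprecationWarning and is gone from recent unittest releases. Since the series is a Python 3 port, every call should use the supported name, e.g. `self.assertEqual(lines[0], b"Authenticated: Yes")`. The same alias is used in the hunks of patches 16, 17, 18 and 19. A one-line comment noting that the challenge/response pair is a fixed vector for the `--password` value given on the command line would also help the next reader.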
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 56e327c8ec2..82aebfef39c 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -24,42 +24,6 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_ntlm_server_1_check_output()
-{
-	tmpfile=$PREFIX/ntlm_commands
-
-	cat > $tmpfile <<EOF
-LANMAN-Challenge: 0123456789abcdef
-NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
-NT-Domain: TEST
-Username: testuser
-Request-User-Session-Key: Yes
-.
-EOF
-	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1  --password=SecREt01< $tmpfile 2>&1'
-	eval echo "$cmd"
-	out=`eval $cmd`
-	ret=$?
-	rm -f $tmpfile
-
-	if [ $ret != 0 ] ; then
-		echo "$out"
-		echo "command failed"
-		false
-		return
-	fi
-
-	echo "$out" | grep "User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4" >/dev/null 2>&1
-
-	if [ $? = 0 ] ; then
-		# authenticated .. succeed
-		true
-	else
-		echo failed to get successful authentication
-		false
-	fi
-}
-
 test_ntlm_server_1_check_output_fail()
 {
 	tmpfile=$PREFIX/ntlm_commands
@@ -207,7 +171,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth ntlm-server-1 with fixed password" test_ntlm_server_1_check_output || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with incorrect fixed password" test_ntlm_server_1_check_output_fail || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=`expr $failed + 1`
-- 
2.19.1


From 67656fa624d14de19a8fffb196b6f49f6b1b3c93 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 19:06:18 +0200
Subject: [PATCH 16/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 15 +++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 38 -----------------------
 2 files changed, 15 insertions(+), 38 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index f2f157ed57c..5665f1a9275 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -259,3 +259,18 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
             lines[1], b"User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4")
         self.assertEquals(lines[2], b".")
         self.assertEquals(lines[3], b"")
+
+        # Break the password with a leading A on the challenge
+        ntlm_cmds[0] = "LANMAN-Challenge: A123456789abcdef"
+
+        proc = Popen([self.ntlm_auth_path,
+                      "--password", "SecREt01",
+                      "--helper-protocol", "ntlm-server-1"],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "\n".join(ntlm_cmds)
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+
+        lines = out.split(b"\n")
+        self.assertEqual(len(lines), 5)
+        self.assertEquals(lines[0], b"Authenticated: No")
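Review bot: The failure case pins `len(lines)` to 5 but checks only `lines[0]`, so the count is an unexplained magic number and the reason for the rejection is not verified. The success case above asserts every line. I would add a comment naming what the extra lines are, and assert the terminator as well, e.g. `self.assertEqual(lines[-2], b".")`. Asserting the error line too would let the test distinguish a wrong-response rejection from any other failure. Overwriting `ntlm_cmds[0]` in place works but hides the good vector; a copy such as `bad_cmds = ["LANMAN-Challenge: A123456789abcdef"] + ntlm_cmds[1:]` reads more clearly. The enclosing test starts outside this hunk.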
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 82aebfef39c..b41368c4e3b 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -24,43 +24,6 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_ntlm_server_1_check_output_fail()
-{
-	tmpfile=$PREFIX/ntlm_commands
-
-	# Break the password with a leading A on the challenge
-	cat > $tmpfile <<EOF
-LANMAN-Challenge: A123456789abcdef
-NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
-NT-Domain: TEST
-Username: testuser
-Request-User-Session-Key: Yes
-.
-EOF
-	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01 < $tmpfile 2>&1'
-	eval echo "$cmd"
-	out=`eval $cmd`
-	ret=$?
-	rm -f $tmpfile
-
-	if [ $ret != 0 ] ; then
-		echo "$out"
-		echo "command failed"
-		false
-		return
-	fi
-
-	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
-
-	if [ $? = 0 ] ; then
-		# failed to authenticate .. success
-		true
-	else
-		echo "incorrectly gave a successful authentication"
-		false
-	fi
-}
-
 test_ntlm_server_1_check_winbind_output()
 {
 	tmpfile=$PREFIX/ntlm_commands
@@ -171,7 +134,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth ntlm-server-1 with incorrect fixed password" test_ntlm_server_1_check_output_fail || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=`expr $failed + 1`
-- 
2.19.1


From 8719c7cbe7dd626f01cc0257eab38c0c5a4a9149 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 19:15:05 +0200
Subject: [PATCH 17/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 34 +++++++++++++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 37 -----------------------
 2 files changed, 34 insertions(+), 37 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 5665f1a9275..d586a4919c5 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -274,3 +274,37 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
         lines = out.split(b"\n")
         self.assertEqual(len(lines), 5)
         self.assertEquals(lines[0], b"Authenticated: No")
+
+    def test_ntlm_server_1_with_plaintext_winbind(self):
+        """ ntlm_auth ntlm-server-1 with plaintext password against winbind """
+
+        bindir = os.path.normpath(os.getenv("BINDIR", "./bin"))
+        wbinfo = os.path.join(bindir, "wbinfo")
+
+        proc = Popen([wbinfo, '-n', os.environ["DC_USERNAME"]],
+                     stdout=PIPE, stderr=PIPE)
+        (out, err) = proc.communicate()
+        group_sid = out.decode().split(' ')[0]
+        self.assertTrue(group_sid.startswith("S-1-5-21-"))
+
+        ntlm_cmds = [
+            "Password: %s" % os.environ["DC_PASSWORD"],
+            "NT-Domain: %s" % os.environ["DOMAIN"],
+            "Username: %s" % os.environ["DC_USERNAME"],
+            "Request-User-Session-Key: Yes",
+            ".\n" ]
+
+        proc = Popen([self.ntlm_auth_path,
+                      "--require-membership-of", group_sid,
+                      "--helper-protocol", "ntlm-server-1"],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "\n".join(ntlm_cmds)
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+
+        lines = out.split(b"\n")
+
+        self.assertEqual(len(lines), 3)
+        self.assertEquals(lines[0], b"Authenticated: Yes")
+        self.assertEquals(lines[1], b".")
+        self.assertEquals(lines[2], b"")
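Review bot: The request sends `Request-User-Session-Key: Yes`, yet the assertions expect exactly three lines with no `User-Session-Key:` line, and nothing in the test says why. The old shell test only grepped for `Authenticated: Yes`, so this is a new, stricter expectation and deserves a comment, e.g. `# no User-Session-Key line is expected for a plaintext Password: request`; please confirm that this is the intended helper behaviour. The `Password:` line is interpolated raw, so a `DC_PASSWORD` containing a newline would break the line protocol; a short note on that assumption is enough.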
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index b41368c4e3b..4048b804be2 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -24,42 +24,6 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_ntlm_server_1_check_winbind_output()
-{
-	tmpfile=$PREFIX/ntlm_commands
-
-	# This isn't the correct password
-	cat > $tmpfile <<EOF
-Password: $PASSWORD
-NT-Domain: $DOMAIN
-Username: $USERNAME
-Request-User-Session-Key: Yes
-.
-EOF
-	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$SID < $tmpfile 2>&1'
-	eval echo "$cmd"
-	out=`eval $cmd`
-	ret=$?
-	rm -f $tmpfile
-
-	if [ $ret != 0 ] ; then
-		echo "$out"
-		echo "command failed"
-		false
-		return
-	fi
-
-	echo "$out" | grep "Authenticated: Yes" >/dev/null 2>&1
-
-	if [ $? = 0 ] ; then
-		# authenticated .. success
-		true
-	else
-		echo "Failed to authenticate the user or match with SID $SID"
-		false
-	fi
-}
-
 test_ntlm_server_1_check_winbind_output_wrong_sid()
 {
 	tmpfile=$PREFIX/ntlm_commands
@@ -134,7 +98,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=`expr $failed + 1`
 
-- 
2.19.1


From 67184a3c74b6f304de89f987e822f7720aeb937c Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 19:27:20 +0200
Subject: [PATCH 18/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 18 +++++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 37 -----------------------
 2 files changed, 18 insertions(+), 37 deletions(-)

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index d586a4919c5..a8d9ce80326 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -308,3 +308,21 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
         self.assertEquals(lines[0], b"Authenticated: Yes")
         self.assertEquals(lines[1], b".")
         self.assertEquals(lines[2], b"")
+
+        # Check membership failure
+        group_sid = group_sid[:-2]
+
+        proc = Popen([self.ntlm_auth_path,
+                      "--require-membership-of", group_sid,
+                      "--helper-protocol", "ntlm-server-1"],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "\n".join(ntlm_cmds)
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+
+        lines = out.split(b"\n")
+
+        self.assertEqual(len(lines), 3)
+        self.assertEquals(lines[0], b"Authenticated: No")
+        self.assertEquals(lines[1], b".")
+        self.assertEquals(lines[2], b"")
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 4048b804be2..041cb7d9cb8 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -24,42 +24,6 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_ntlm_server_1_check_winbind_output_wrong_sid()
-{
-	tmpfile=$PREFIX/ntlm_commands
-
-	# This isn't the correct password
-	cat > $tmpfile <<EOF
-Password: $PASSWORD
-NT-Domain: $DOMAIN
-Username: $USERNAME
-Request-User-Session-Key: Yes
-.
-EOF
-	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$BADSID < $tmpfile 2>&1'
-	eval echo "$cmd"
-	out=`eval $cmd`
-	ret=$?
-	rm -f $tmpfile
-
-	if [ $ret != 0 ] ; then
-		echo "$out"
-		echo "command failed"
-		false
-		return
-	fi
-
-	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
-
-	if [ $? = 0 ] ; then
-		# failed to authenticate .. success
-		true
-	else
-		echo "incorrectly gave a successful authentication"
-		false
-	fi
-}
-
 test_ntlm_server_1_check_winbind_output_fail()
 {
 	tmpfile=$PREFIX/ntlm_commands
@@ -98,7 +62,6 @@ EOF
 }
 
 # This should work even with NTLMv2
-testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=`expr $failed + 1`
 testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=`expr $failed + 1`
 
 testok $0 $failed
-- 
2.19.1


From bcf6f6649329b609232937d8f372feb5216e1fd1 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Fri, 31 Aug 2018 19:28:06 +0200
Subject: [PATCH 19/22] tests/ntlm_auth: Port ntlm_auth tests to python

Port ntlm_auth bash script tests to python and remove bash test script

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py           | 24 ++++++++
 source3/script/tests/test_ntlm_auth_s3.sh | 67 -----------------------
 source4/selftest/tests.py                 |  2 -
 3 files changed, 24 insertions(+), 69 deletions(-)
 delete mode 100755 source3/script/tests/test_ntlm_auth_s3.sh

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index a8d9ce80326..6d947617c11 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -326,3 +326,27 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
         self.assertEquals(lines[0], b"Authenticated: No")
         self.assertEquals(lines[1], b".")
         self.assertEquals(lines[2], b"")
+
+    def test_ntlm_server_1_with_incorrect_password_winbind(self):
+        """ ntlm_auth ntlm-server-1 with incorrect fixed password against
+        winbind """
+
+        ntlm_cmds = [
+            "LANMAN-Challenge: 0123456789abcdef",
+            "NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6",
+            "NT-Domain: %s" % os.environ["DOMAIN"],
+            "Username: %s" % os.environ["DC_USERNAME"],
+            "Request-User-Session-Key: Yes",
+            ".\n" ]
+
+        proc = Popen([self.ntlm_auth_path,
+                      "--helper-protocol", "ntlm-server-1"],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "\n".join(ntlm_cmds)
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+
+        lines = out.split(b"\n")
+
+        self.assertEqual(len(lines), 5)
+        self.assertEquals(lines[0], b"Authenticated: No")
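Review bot: The last two assertions of test_ntlm_server_1_with_incorrect_password_winbind mix `self.assertEqual` with the deprecated alias `self.assertEquals`; since this series is a Python 3 port, the final line should read `self.assertEqual(lines[0], b"Authenticated: No")`. The captured `err` is also never used, so a non-zero exit from ntlm_auth fails with no output, whereas the removed shell function echoed `$out` (with stderr merged) before reporting "command failed". Passing it as the assertion message, `self.assertEqual(proc.returncode, 0, err)`, keeps that diagnostic. A one-line comment above the NT-Response value saying it is deliberately not the correct response for the account (the shell version had `# This isn't the correct password`) would also keep the intent of this negative authentication check visible.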
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
deleted file mode 100755
index 041cb7d9cb8..00000000000
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/sh
-
-if [ $# -lt 2 ]; then
-cat <<EOF
-Usage: test_ntlm_auth_s3.sh PYTHON SRC3DIR NTLM_AUTH
-EOF
-exit 1;
-fi
-
-PYTHON=$1
-SRC3DIR=$2
-NTLM_AUTH=$3
-DOMAIN=$4
-USERNAME=$5
-PASSWORD=$6
-shift 6
-ADDARGS="$*"
-
-incdir=`dirname $0`/../../../testprogs/blackbox
-. $incdir/subunit.sh
-
-SID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1`
-BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
-
-failed=0
-
-test_ntlm_server_1_check_winbind_output_fail()
-{
-	tmpfile=$PREFIX/ntlm_commands
-
-	# This isn't the correct password
-	cat > $tmpfile <<EOF
-LANMAN-Challenge: 0123456789abcdef
-NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
-NT-Domain: $DOMAIN
-Username: $USERNAME
-Request-User-Session-Key: Yes
-.
-EOF
-	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 < $tmpfile 2>&1'
-	eval echo "$cmd"
-	out=`eval $cmd`
-	ret=$?
-	rm -f $tmpfile
-
-	if [ $ret != 0 ] ; then
-		echo "$out"
-		echo "command failed"
-		false
-		return
-	fi
-
-	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
-
-	if [ $? = 0 ] ; then
-		# failed to authenticate .. success
-		true
-	else
-		echo "incorrectly gave a successful authentication"
-		false
-	fi
-}
-
-# This should work even with NTLMv2
-testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=`expr $failed + 1`
-
-testok $0 $failed
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 2087515dd96..ce9d5095d3c 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -587,8 +587,6 @@ for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_member", "s4member", "chgdcpass
         "samba.ntlm_auth.diagnostics(%s:local)" % env, "%s:local" % env,
         [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_diagnostics.sh"), ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
 
-    plantestsuite("samba.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
-
     planpythontestsuite(env + ":local", "samba.tests.ntlm_auth", py3_compatible=True)
 
 for env in ["s4member_dflt_domain", "s4member"]:
-- 
2.19.1


From 6372b369301ceba37464e3c27811a9b5984155d0 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Thu, 6 Sep 2018 12:58:42 +0200
Subject: [PATCH 20/22] tests/ntlm_auth: Port ntlm_auth_krb5 tests to python

Port ntlm_auth_krb5 bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth_krb5.py        | 82 +++++++++++++++++++++
 source3/script/tests/test_ntlm_auth_krb5.sh | 32 --------
 source3/selftest/tests.py                   |  5 --
 source4/selftest/tests.py                   |  3 +
 4 files changed, 85 insertions(+), 37 deletions(-)
 create mode 100644 python/samba/tests/ntlm_auth_krb5.py
 delete mode 100755 source3/script/tests/test_ntlm_auth_krb5.sh

diff --git a/python/samba/tests/ntlm_auth_krb5.py b/python/samba/tests/ntlm_auth_krb5.py
new file mode 100644
index 00000000000..4fb1e9994e9
--- /dev/null
+++ b/python/samba/tests/ntlm_auth_krb5.py
@@ -0,0 +1,82 @@
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) Samuel Cabrero <scabrero at suse.de> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+from subprocess import Popen, PIPE
+from samba.tests import NTLMAuthTestCase
+
+class NTLMAuthKerberosTests(NTLMAuthTestCase):
+
+    def setUp(self):
+        super(NTLMAuthKerberosTests, self).setUp()
+        self.old_ccache = os.path.join(os.environ["SELFTEST_PREFIX"],
+                                       "ktest", "krb5_ccache-2")
+        self.ccache = os.path.join(os.environ["SELFTEST_PREFIX"],
+                                   "ktest", "krb5_ccache-3")
+
+    def test_krb5_gss_spnego_client_gss_spnego_server(self):
+        """ ntlm_auth with krb5 gss-spnego-client and gss-spnego server """
+
+        os.environ["KRB5CCNAME"] = self.old_ccache
+        ret = self.run_helper(client_username="foo",
+                              client_password="secret",
+                              client_domain="FOO",
+                              target_hostname=os.environ["SERVER"],
+                              target_service="host",
+                              client_helper="gss-spnego-client",
+                              server_helper="gss-spnego",
+                              server_use_winbind=True)
+        self.assertTrue(ret)
+
+        os.environ["KRB5CCNAME"] = self.ccache
+        ret = self.run_helper(client_username="foo",
+                              client_password="secret",
+                              client_domain="FOO",
+                              target_hostname=os.environ["SERVER"],
+                              target_service="host",
+                              client_helper="gss-spnego-client",
+                              server_helper="gss-spnego",
+                              server_use_winbind=True)
+        self.assertTrue(ret)
+
+    def test_krb5_invalid_keytab(self):
+        """ ntlm_auth with krb5 and an invalid keytab """
+
+        dedicated_keytab = "FILE:%s.%s" % (
+                self.old_ccache, "keytab-does-not-exists")
+        proc = Popen([self.ntlm_auth_path,
+                      "--helper-protocol", "gss-spnego",
+                      "--option", "security=ads",
+                      "--option", "kerberosmethod=dedicatedkeytab",
+                      "--option", "dedicatedkeytabfile=%s" % dedicated_keytab],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "YR\n"
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
+
+        dedicated_keytab = "FILE:%s.%s" % (
+                self.ccache, "keytab-does-not-exists")
+        proc = Popen([self.ntlm_auth_path,
+                      "--helper-protocol", "gss-spnego",
+                      "--option", "security=ads",
+                      "--option", "kerberosmethod=dedicatedkeytab",
+                      "--option", "dedicatedkeytabfile=%s" % dedicated_keytab],
+                      stdout=PIPE, stdin=PIPE, stderr=PIPE)
+        buf = "YR\n"
+        (out, err) = proc.communicate(input=buf.encode('utf-8'))
+        self.assertEqual(proc.returncode, 0)
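Review bot: test_krb5_gss_spnego_client_gss_spnego_server assigns `os.environ["KRB5CCNAME"]` twice and never restores it, so the credential cache selection leaks into every later test run in the same process. test_krb5_invalid_keytab never sets the variable at all, although the removed shell script exported KRB5CCNAME before both checks, so the cache that test runs with now depends on test order. I would save and restore the variable from setUp (sketch below, assuming NTLMAuthTestCase derives from unittest.TestCase) and set it explicitly in test_krb5_invalid_keytab, or pass `env=` to Popen there. The two halves of each test differ only in the ccache path, so a loop over `(self.old_ccache, self.ccache)` would remove the duplication.

```python
    def setUp(self):
        super(NTLMAuthKerberosTests, self).setUp()
        # ... unchanged: old_ccache / ccache paths ...
        self.addCleanup(self._restore_ccname, os.environ.get("KRB5CCNAME"))

    def _restore_ccname(self, saved):
        # Put KRB5CCNAME back as it was before this test ran.
        if saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = saved
```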
diff --git a/source3/script/tests/test_ntlm_auth_krb5.sh b/source3/script/tests/test_ntlm_auth_krb5.sh
deleted file mode 100755
index 773cb575811..00000000000
--- a/source3/script/tests/test_ntlm_auth_krb5.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-if [ $# -lt 2 ]; then
-cat <<EOF
-Usage: test_ntlm_auth_s3.sh PYTHON SRC3DIR NTLM_AUTH CCACHE SERVER
-EOF
-exit 1;
-fi
-
-PYTHON=$1
-SRC3DIR=$2
-NTLM_AUTH=$3
-CCACHE=$4
-SERVER=$5
-shift 5
-ADDARGS="$*"
-
-incdir=`dirname $0`/../../../testprogs/blackbox
-. $incdir/subunit.sh
-
-failed=0
-
-KRB5CCNAME=$CCACHE
-export KRB5CCNAME
-
-# --server-use-winbindd is set so we know it isn't cheating and using the hard-coded passwords
-
-testit "ntlm_auth with krb5 gss-spnego-client and gss-spnego server" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --target-hostname=$SERVER --target-service=host --client-helper=gss-spnego-client --server-helper=gss-spnego --server-use-winbindd || failed=`expr $failed + 1`
-
-echo YR| testit "ntlm_auth with krb5 and an invalid keytab" $NTLM_AUTH --helper-protocol=gss-spnego --option=security=ads --option=kerberosmethod='dedicatedkeytab' --option=dedicatedkeytabfile=FILE:`pwd`/$CCACHE.keytab-does-not-exist || failed=`expr $failed + 1`
-
-testok $0 $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index f3c5c39664b..a383810f2e6 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -267,11 +267,6 @@ t = "WBCLIENT-MULTI-PING"
 plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""])
 plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"])
 
-plantestsuite("samba3.ntlm_auth.krb5 with old ccache(ktest:local)", "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_krb5.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$PREFIX/ktest/krb5_ccache-2', '$SERVER', configuration])
-
-plantestsuite("samba3.ntlm_auth.krb5(ktest:local)", "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_krb5.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$PREFIX/ktest/krb5_ccache-3', '$SERVER', configuration])
-
-
 for env in ["maptoguest", "simpleserver"]:
     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) local creds" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', smbclient3, configuration + " --option=clientntlmv2auth=no --option=clientlanmanauth=yes"])
 
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ce9d5095d3c..48e27ea13e9 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -589,6 +589,9 @@ for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_member", "s4member", "chgdcpass
 
     planpythontestsuite(env + ":local", "samba.tests.ntlm_auth", py3_compatible=True)
 
+for env in ["ktest"]:
+    planpythontestsuite(env + ":local", "samba.tests.ntlm_auth_krb5", py3_compatible=True)
+
 for env in ["s4member_dflt_domain", "s4member"]:
     for cmd in ["id", "getent"]:
         users = ["$DC_USERNAME", "$DC_USERNAME@$REALM"]
-- 
2.19.1


From e4ff8cfc3ef104080d893b5c4cc9faa98286ea40 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Thu, 15 Nov 2018 11:17:43 +0100
Subject: [PATCH 21/22] selftest: Remove test_ntlm_auth.py helper

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 source3/torture/test_ntlm_auth.py | 335 ------------------------------
 1 file changed, 335 deletions(-)
 delete mode 100755 source3/torture/test_ntlm_auth.py

diff --git a/source3/torture/test_ntlm_auth.py b/source3/torture/test_ntlm_auth.py
deleted file mode 100755
index ac60632347d..00000000000
--- a/source3/torture/test_ntlm_auth.py
+++ /dev/null
@@ -1,335 +0,0 @@
-#!/usr/bin/env python
-
-# Unix SMB/CIFS implementation.
-# A test for the ntlm_auth tool
-# Copyright (C) Kai Blin <kai at samba.org> 2008
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-"""Test ntlm_auth
-This test program will start ntlm_auth with the given command line switches and
-see if it will get the expected results.
-"""
-
-import os
-import sys
-from optparse import OptionParser
-
-
-class ReadChildError(Exception):
-    pass
-
-
-class WriteChildError(Exception):
-    pass
-
-
-def readLine(pipe):
-    """readLine(pipe) -> str
-    Read a line from the child's pipe, returns the string read.
-    Throws ReadChildError if the read fails.
-    """
-    newline = -1
-    buf = b""
-    while newline == -1:
-        more = os.read(pipe, 2047)
-        buf = buf + more
-        newline = buf.find(b'\n')
-        if more == b"":
-            raise ReadChildError()
-
-    return buf[:newline]
-
-
-def writeLine(pipe, buf):
-    """writeLine(pipe, buf) -> nul
-    Write a line to the child's pipe.
-    Raises WriteChildError if the write fails.
-    """
-    written = os.write(pipe, buf)
-    if written != len(buf):
-        raise WriteChildError()
-    os.write(pipe, b"\n")
-
-
-def parseCommandLine():
-    """parseCommandLine() -> (opts, ntlm_auth_path)
-    Parse the command line.
-    Return a tuple consisting of the options and the path to ntlm_auth.
-    """
-    usage = "usage: %prog [options] path/to/ntlm_auth"
-    parser = OptionParser(usage)
-
-    parser.set_defaults(client_username="foo")
-    parser.set_defaults(client_password="secret")
-    parser.set_defaults(client_domain="FOO")
-    parser.set_defaults(client_helper="ntlmssp-client-1")
-
-    parser.set_defaults(server_username="foo")
-    parser.set_defaults(server_password="secret")
-    parser.set_defaults(server_domain="FOO")
-    parser.set_defaults(server_helper="squid-2.5-ntlmssp")
-    parser.set_defaults(config_file="/etc/samba/smb.conf")
-
-    parser.add_option("--client-username", dest="client_username",
-                      help="User name for the client. [default: foo]")
-    parser.add_option("--client-password", dest="client_password",
-                      help="Password the client will send. [default: secret]")
-    parser.add_option("--client-domain", dest="client_domain",
-                      help="Domain the client authenticates for. [default: FOO]")
-    parser.add_option("--client-helper", dest="client_helper",
-                      help="Helper mode for the ntlm_auth client. [default: ntlmssp-client-1]")
-    parser.add_option("--client-use-cached-creds", dest="client_use_cached_creds",
-                      help="Use winbindd credentials cache (rather than default username/pw)", action="store_true")
-
-    parser.add_option("--target-hostname", dest="target_hostname",
-                      help="Target hostname for kerberos")
-    parser.add_option("--target-service", dest="target_service",
-                      help="Target service for kerberos")
-
-    parser.add_option("--server-username", dest="server_username",
-                      help="User name server uses for local auth. [default: foo]")
-    parser.add_option("--server-password", dest="server_password",
-                      help="Password server uses for local auth. [default: secret]")
-    parser.add_option("--server-domain", dest="server_domain",
-                      help="Domain server uses for local auth. [default: FOO]")
-    parser.add_option("--server-helper", dest="server_helper",
-                      help="Helper mode for the ntlm_auth server. [default: squid-2.5-server]")
-    parser.add_option("--server-use-winbindd", dest="server_use_winbindd",
-                      help="Use winbindd to check the password (rather than default username/pw)", action="store_true")
-    parser.add_option("--require-membership-of", dest="sid",
-                      help="Require that the user is a member of this group to authenticate.")
-
-    parser.add_option("-s", "--configfile", dest="config_file",
-                      help="Path to smb.conf file. [default:/etc/samba/smb.conf")
-
-    (opts, args) = parser.parse_args()
-    if len(args) != 1:
-        parser.error("Invalid number of arguments.")
-
-    if not os.access(args[0], os.X_OK):
-        parser.error("%s is not executable." % args[0])
-
-    return (opts, args[0])
-
-
-def main():
-    """main() -> int
-    Run the test.
-    Returns 0 if test succeeded, <>0 otherwise.
-    """
-    (opts, ntlm_auth_path) = parseCommandLine()
-
-    (client_in_r, client_in_w) = os.pipe()
-    (client_out_r, client_out_w) = os.pipe()
-
-    client_pid = os.fork()
-
-    if not client_pid:
-        # We're in the client child
-        os.close(0)
-        os.close(1)
-
-        os.dup2(client_out_r, 0)
-        os.close(client_out_r)
-        os.close(client_out_w)
-
-        os.dup2(client_in_w, 1)
-        os.close(client_in_r)
-        os.close(client_in_w)
-
-        client_args = []
-        client_args.append("--helper-protocol=%s" % opts.client_helper)
-        client_args.append("--username=%s" % opts.client_username)
-        if opts.client_use_cached_creds:
-            client_args.append("--use-cached-creds")
-        else:
-            client_args.append("--password=%s" % opts.client_password)
-        client_args.append("--domain=%s" % opts.client_domain)
-        client_args.append("--configfile=%s" % opts.config_file)
-        if opts.target_service:
-            client_args.append("--target-service=%s" % opts.target_service)
-        if opts.target_hostname:
-            client_args.append("--target-hostname=%s" % opts.target_hostname)
-
-        os.execv(ntlm_auth_path, client_args)
-
-    client_in = client_in_r
-    os.close(client_in_w)
-
-    client_out = client_out_w
-    os.close(client_out_r)
-
-    (server_in_r, server_in_w) = os.pipe()
-    (server_out_r, server_out_w) = os.pipe()
-
-    server_pid = os.fork()
-
-    if not server_pid:
-        # We're in the server child
-        os.close(0)
-        os.close(1)
-
-        os.dup2(server_out_r, 0)
-        os.close(server_out_r)
-        os.close(server_out_w)
-
-        os.dup2(server_in_w, 1)
-        os.close(server_in_r)
-        os.close(server_in_w)
-
-        server_args = []
-        server_args.append("--helper-protocol=%s" % opts.server_helper)
-        if not opts.server_use_winbindd:
-            server_args.append("--username=%s" % opts.server_username)
-            server_args.append("--password=%s" % opts.server_password)
-            server_args.append("--domain=%s" % opts.server_domain)
-            if opts.sid:
-                raise Exception("Server must be using winbindd for require-membership-of.")
-        else:
-            if opts.sid:
-                server_args.append("--require-membership-of=%s" % opts.sid)
-
-        server_args.append("--configfile=%s" % opts.config_file)
-
-        os.execv(ntlm_auth_path, server_args)
-
-    server_in = server_in_r
-    os.close(server_in_w)
-
-    server_out = server_out_w
-    os.close(server_out_r)
-
-    if opts.client_helper == "ntlmssp-client-1" and opts.server_helper == "squid-2.5-ntlmssp":
-
-        # We're in the parent
-        writeLine(client_out, b"YR")
-        buf = readLine(client_in)
-        if buf.count(b"YR ", 0, 3) != 1:
-            sys.exit(1)
-
-        writeLine(server_out, buf)
-        buf = readLine(server_in)
-
-        if buf.count(b"TT ", 0, 3) != 1:
-            sys.exit(2)
-
-        writeLine(client_out, buf)
-        buf = readLine(client_in)
-
-        if buf.count(b"AF ", 0, 3) != 1:
-            sys.exit(3)
-
-        # Client sends 'AF <base64 blob>' but server expects 'KK <abse64 blob>'
-        buf = buf.replace(b"AF", b"KK", 1)
-
-        writeLine(server_out, buf)
-        buf = readLine(server_in)
-
-        if buf.count(b"AF ", 0, 3) != 1:
-            sys.exit(4)
-
-    elif opts.client_helper == "ntlmssp-client-1" and opts.server_helper == "gss-spnego":
-        # We're in the parent
-        writeLine(client_out, b"YR")
-        buf = readLine(client_in)
-
-        if buf.count(b"YR ", 0, 3) != 1:
-            sys.exit(1)
-
-        writeLine(server_out, buf)
-        buf = readLine(server_in)
-
-        if buf.count(b"TT ", 0, 3) != 1:
-            sys.exit(2)
-
-        writeLine(client_out, buf)
-        buf = readLine(client_in)
-
-        if buf.count(b"AF ", 0, 3) != 1:
-            sys.exit(3)
-
-        # Client sends 'AF <base64 blob>' but server expects 'KK <abse64 blob>'
-        buf = buf.replace(b"AF", b"KK", 1)
-
-        writeLine(server_out, buf)
-        buf = readLine(server_in)
-
-        if buf.count(b"AF * ", 0, 5) != 1:
-            sys.exit(4)
-
-    elif opts.client_helper == "gss-spnego-client" and opts.server_helper == "gss-spnego":
-        # We're in the parent
-        writeLine(server_out, b"YR")
-        buf = readLine(server_in)
-
-        while True:
-            if buf.count(b"AF ", 0, 3) != 1 and buf.count(b"TT ", 0, 3) != 1:
-                sys.exit(1)
-
-            writeLine(client_out, buf)
-            buf = readLine(client_in)
-
-            if buf.count(b"AF", 0, 2) == 1:
-                break
-
-            if buf.count(b"AF ", 0, 5) != 1 and buf.count(b"KK ", 0, 3) != 1 and buf.count(b"TT ", 0, 3) != 1:
-                sys.exit(2)
-
-            writeLine(server_out, buf)
-            buf = readLine(server_in)
-
-            if buf.count(b"AF * ", 0, 5) == 1:
-                break
-
-    else:
-        sys.exit(5)
-
-    if opts.client_helper == "ntlmssp-client-1":
-        writeLine(client_out, b"GK")
-        buf = readLine(client_in)
-
-        if buf.count(b"GK ", 0, 3) != 1:
-            sys.exit(4)
-
-        writeLine(client_out, b"GF")
-        buf = readLine(client_in)
-
-        if buf.count(b"GF ", 0, 3) != 1:
-            sys.exit(4)
-
-    if opts.server_helper == "squid-2.5-ntlmssp":
-        writeLine(server_out, b"GK")
-        buf = readLine(server_in)
-
-        if buf.count(b"GK ", 0, 3) != 1:
-            sys.exit(4)
-
-        writeLine(server_out, b"GF")
-        buf = readLine(server_in)
-
-        if buf.count(b"GF ", 0, 3) != 1:
-            sys.exit(4)
-
-    os.close(server_in)
-    os.close(server_out)
-    os.close(client_in)
-    os.close(client_out)
-    os.waitpid(server_pid, 0)
-    os.waitpid(client_pid, 0)
-    sys.exit(0)
-
-
-if __name__ == "__main__":
-    main()
-- 
2.19.1


From 1ef427a6e9827aeafcca986da24adab503435a81 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero at suse.de>
Date: Thu, 6 Sep 2018 13:56:53 +0200
Subject: [PATCH 22/22] tests/ntlm_auth: Port ntlm_auth_diagnostics tests to
 python

Port ntlm_auth_diagnostics bash script tests to python

Signed-off-by: Samuel Cabrero <scabrero at suse.de>
---
 python/samba/tests/ntlm_auth.py               | 11 +++++++++
 .../tests/test_ntlm_auth_diagnostics.sh       | 23 -------------------
 source4/selftest/tests.py                     |  4 ----
 3 files changed, 11 insertions(+), 27 deletions(-)
 delete mode 100755 source3/script/tests/test_ntlm_auth_diagnostics.sh

diff --git a/python/samba/tests/ntlm_auth.py b/python/samba/tests/ntlm_auth.py
index 6d947617c11..8b5ac942e97 100644
--- a/python/samba/tests/ntlm_auth.py
+++ b/python/samba/tests/ntlm_auth.py
@@ -350,3 +350,14 @@ class NTLMAuthHelpersTests(NTLMAuthTestCase):
 
         self.assertEqual(len(lines), 5)
         self.assertEquals(lines[0], b"Authenticated: No")
+
+    def test_diagnostics(self):
+        """ ntlm_auth diagnostics """
+        proc = Popen([self.ntlm_auth_path,
+                      "--username", os.environ["DC_USERNAME"],
+                      "--password", os.environ["DC_PASSWORD"],
+                      "--domain", os.environ["DOMAIN"],
+                      "--diagnostics"],
+                      stdout=PIPE, stderr=PIPE)
+        (out, err) = proc.communicate()
+        self.assertEqual(proc.returncode, 0)
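Review bot: test_diagnostics drops two things the removed shell test put on the command line: `$ADDARGS` (the `configuration` value that tests.py passed in) and `$VALGRIND`. Unless NTLMAuthTestCase or the selftest environment supplies the smb.conf path some other way, ntlm_auth may run against a different configuration than the one under test. If the base class exposes that path, it should be passed here via `--configfile`. `out` and `err` are also captured but unused, so a failing run reports only the exit status; `self.assertEqual(proc.returncode, 0, err)` would surface the helper's own message.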
diff --git a/source3/script/tests/test_ntlm_auth_diagnostics.sh b/source3/script/tests/test_ntlm_auth_diagnostics.sh
deleted file mode 100755
index 6e0c3eef42b..00000000000
--- a/source3/script/tests/test_ntlm_auth_diagnostics.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-if [ $# -lt 1 ]; then
-cat <<EOF
-Usage: test_ntlm_auth_diagnostics.sh NTLM_AUTH DOMAIN USERNAME PASSWORD
-EOF
-exit 1;
-fi
-
-NTLM_AUTH=$1
-DOMAIN=$2
-USERNAME=$3
-PASSWORD=$4
-shift 4
-
-ADDARGS="$*"
-
-incdir=`dirname $0`/../../../testprogs/blackbox
-. $incdir/subunit.sh
-
-testit "ntlm_auth" $VALGRIND $NTLM_AUTH --domain=$DOMAIN --username=$USERNAME --password=$PASSWORD --diagnostics $ADDARGS || failed=`expr $failed + 1`
-
-testok $0 $failed
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 48e27ea13e9..1881be734e4 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -583,10 +583,6 @@ for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_member", "s4member", "chgdcpass
         "samba.wbinfo_sids2xids.(%s:local)" % env, "%s:local" % env,
         [os.path.join(samba3srcdir, "script/tests/test_wbinfo_sids2xids.sh")])
 
-    plantestsuite(
-        "samba.ntlm_auth.diagnostics(%s:local)" % env, "%s:local" % env,
-        [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_diagnostics.sh"), ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
-
     planpythontestsuite(env + ":local", "samba.tests.ntlm_auth", py3_compatible=True)
 
 for env in ["ktest"]:
-- 
2.19.1


