[PATCH] Convert auth_log tests to use s3 SMB Py bindings

Tim Beale timbeale at catalyst.net.nz
Wed Jan 16 03:24:31 UTC 2019


This converts the auth_log tests over to use the s3 SMB client Python
bindings.

The auth_log tests and the GPO code are the last 2 things that uses the
s4 bindings. Once those 2 patch-sets are in, we should be able to delete
the redundant s4 pysmb.c bindings in master.

CI link: https://gitlab.com/catalyst-samba/samba/pipelines/43497816

-------------- next part --------------
From 57d046f60a479f99018d0662a055c65eba9e2474 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed, 16 Jan 2019 11:18:27 +1300
Subject: [PATCH 1/4] tests: Relax auth_log SMB assertions to cover v1 *or* v2

The s4 Python bindings currently only support SMBv1 connections.
If we change the bindings to support *either* v1 or v2, they'll
end up negotiating v2. In which case the server is "SMB2", not "SMB",
and these assertions fail.

Long-term we want to get rid of SMBv1, so it makes sense to write the
tests so that they pass against either v1 or v2.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
---
 python/samba/tests/auth_log.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index c0d0aab..29976ae 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -701,7 +701,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
     def test_smb(self):
         def isLastExpectedMessage(msg):
             return (msg["type"] == "Authorization" and
-                    msg["Authorization"]["serviceDescription"] == "SMB" and
+                    "SMB" in msg["Authorization"]["serviceDescription"] and
                     msg["Authorization"]["authType"] == "krb5" and
                     msg["Authorization"]["transportProtection"] == "SMB")
 
@@ -910,7 +910,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
     def test_smb_no_krb_spnego(self):
         def isLastExpectedMessage(msg):
             return (msg["type"] == "Authorization" and
-                    msg["Authorization"]["serviceDescription"] == "SMB" and
+                    "SMB" in msg["Authorization"]["serviceDescription"] and
                     msg["Authorization"]["authType"] == "NTLMSSP" and
                     msg["Authorization"]["transportProtection"] == "SMB")
 
@@ -929,8 +929,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         msg = messages[0]
         self.assertEquals("Authentication", msg["type"])
         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
-        self.assertEquals("SMB",
-                          msg["Authentication"]["serviceDescription"])
+        self.assertIn(msg["Authentication"]["serviceDescription"],
+                      ["SMB", "SMB2"])
         self.assertEquals("NTLMSSP",
                           msg["Authentication"]["authDescription"])
         self.assertEquals("NTLMv2",
@@ -943,7 +943,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
     def test_smb_no_krb_spnego_bad_password(self):
         def isLastExpectedMessage(msg):
             return (msg["type"] == "Authentication" and
-                    msg["Authentication"]["serviceDescription"] == "SMB" and
+                    "SMB" in msg["Authentication"]["serviceDescription"] and
                     msg["Authentication"]["authDescription"] == "NTLMSSP" and
                     msg["Authentication"]["passwordType"] == "NTLMv2" and
                     (msg["Authentication"]["status"] ==
@@ -975,7 +975,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
     def test_smb_no_krb_spnego_bad_user(self):
         def isLastExpectedMessage(msg):
             return (msg["type"] == "Authentication" and
-                    msg["Authentication"]["serviceDescription"] == "SMB" and
+                    "SMB" in msg["Authentication"]["serviceDescription"] and
                     msg["Authentication"]["authDescription"] == "NTLMSSP" and
                     msg["Authentication"]["passwordType"] == "NTLMv2" and
                     (msg["Authentication"]["status"] ==
-- 
2.7.4


From c0d7e5a450474eba3b196e5c13dee4ffb6013d01 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed, 16 Jan 2019 12:12:16 +1300
Subject: [PATCH 2/4] tests: Use MUST_USE_KERBEROS over AUTO_USE_KERBEROS in
 auth_log tests

The s3 SMB client bindings seem slightly different to s4, in that they
default to setting the CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS flag.
This seems to fallback to finding a valid KRB TGT (from a previous
successful test), which results in the connection succeeding rather than
failing.

Setting MUST_USE_KERBEROS explicitly avoids this behaviour.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
---
 python/samba/tests/auth_log.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index 29976ae..9c93589 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -752,6 +752,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                         "ENC-TS Pre-authentication"))
 
         creds = self.insta_creds(template=self.get_credentials())
+        creds.set_kerberos_state(MUST_USE_KERBEROS)
         creds.set_password("badPassword")
 
         thrown = False
@@ -784,6 +785,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                         EVT_LOGON_NETWORK))
 
         creds = self.insta_creds(template=self.get_credentials())
+        creds.set_kerberos_state(MUST_USE_KERBEROS)
         creds.set_username("badUser")
 
         thrown = False
-- 
2.7.4


From b8826f6a8fb89e0b03b0d6e33fb84d76c7a3c416 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed, 16 Jan 2019 13:20:12 +1300
Subject: [PATCH 3/4] tests: Refactor auth_log SMB connection to be in a single
 place

This should not alter the behaviour of the tests at all. It just makes
it easier to switch over the underlying SMB client bindings.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
---
 python/samba/tests/auth_log.py | 62 ++++++++++++++----------------------------
 1 file changed, 20 insertions(+), 42 deletions(-)

diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index 9c93589..e073877 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -47,6 +47,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
     def tearDown(self):
         super(AuthLogTests, self).tearDown()
 
+    def smb_connection(self, creds, use_spnego=True, ntlmv2_auth=True):
+        lp = self.get_loadparm()
+        return smb.SMB(self.server, "sysvol", lp=lp, creds=creds,
+                           use_spnego=use_spnego, ntlmv2_auth=ntlmv2_auth)
+
     def _test_rpc_ncacn_np(self, authTypes, creds, service,
                            binding, protection, checkFunction):
         def isLastExpectedMessage(msg):
@@ -706,10 +711,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authorization"]["transportProtection"] == "SMB")
 
         creds = self.insta_creds(template=self.get_credentials())
-        smb.SMB(self.server,
-                "sysvol",
-                lp=self.get_loadparm(),
-                creds=creds)
+        self.smb_connection(creds)
 
         messages = self.waitForMessages(isLastExpectedMessage)
         self.assertEquals(3,
@@ -757,10 +759,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
         thrown = False
         try:
-            smb.SMB(self.server,
-                    "sysvol",
-                    lp=self.get_loadparm(),
-                    creds=creds)
+            self.smb_connection(creds)
         except NTSTATUSError:
             thrown = True
         self.assertEquals(thrown, True)
@@ -790,10 +789,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
         thrown = False
         try:
-            smb.SMB(self.server,
-                    "sysvol",
-                    lp=self.get_loadparm(),
-                    creds=creds)
+            self.smb_connection(creds)
         except NTSTATUSError:
             thrown = True
         self.assertEquals(thrown, True)
@@ -918,10 +914,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
         creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
-        smb.SMB(self.server,
-                "sysvol",
-                lp=self.get_loadparm(),
-                creds=creds)
+        self.smb_connection(creds)
 
         messages = self.waitForMessages(isLastExpectedMessage)
         self.assertEquals(2,
@@ -961,10 +954,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
         thrown = False
         try:
-            smb.SMB(self.server,
-                    "sysvol",
-                    lp=self.get_loadparm(),
-                    creds=creds)
+            self.smb_connection(creds)
         except NTSTATUSError:
             thrown = True
         self.assertEquals(thrown, True)
@@ -993,10 +983,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
         thrown = False
         try:
-            smb.SMB(self.server,
-                    "sysvol",
-                    lp=self.get_loadparm(),
-                    creds=creds)
+            self.smb_connection(creds)
         except NTSTATUSError:
             thrown = True
         self.assertEquals(thrown, True)
@@ -1015,12 +1002,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
         creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
-        smb.SMB(self.server,
-                "sysvol",
-                lp=self.get_loadparm(),
-                creds=creds,
-                ntlmv2_auth=False,
-                use_spnego=False)
+        self.smb_connection(creds,
+                            ntlmv2_auth=False,
+                            use_spnego=False)
 
         messages = self.waitForMessages(isLastExpectedMessage)
         self.assertEquals(2,
@@ -1060,12 +1044,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
         thrown = False
         try:
-            smb.SMB(self.server,
-                    "sysvol",
-                    lp=self.get_loadparm(),
-                    creds=creds,
-                    ntlmv2_auth=False,
-                    use_spnego=False)
+            self.smb_connection(creds,
+                                ntlmv2_auth=False,
+                                use_spnego=False)
         except NTSTATUSError:
             thrown = True
         self.assertEquals(thrown, True)
@@ -1094,12 +1075,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
         thrown = False
         try:
-            smb.SMB(self.server,
-                    "sysvol",
-                    lp=self.get_loadparm(),
-                    creds=creds,
-                    ntlmv2_auth=False,
-                    use_spnego=False)
+            self.smb_connection(creds,
+                                ntlmv2_auth=False,
+                                use_spnego=False)
         except NTSTATUSError:
             thrown = True
         self.assertEquals(thrown, True)
-- 
2.7.4


From 5bbb0ee3c60d6cb74d58ec3dcb4c5727893a81b0 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed, 16 Jan 2019 13:34:29 +1300
Subject: [PATCH 4/4] tests: Switchover auth_log from s4 SMB client bindings to
 s4

The main changes required are:
- we need to use an s3 loadparm instead of the standard s4 lp.
- the s3 SMB bindings don't support the use_spnego/ntlmv2_auth params,
  however, we can set these in the loadparm instead, which will get the
  SMB client code to do what we want. Instead of passing in boolean
  parameters, we need to use yes/no strings that the lp will accept.
  (We always set these values because the underlying lp context is
  actually global, and setting a value is 'sticky' and will persist
  across test cases. These conf settings are only used by the SMB client
  code, and so will only affect the SMB test cases).
- For the no_spnego_no_ntlmv2 test cases, we now explicitly force it to
  an SMBv1 connection. The s4 bindings only ever supported SMBv1
  connections, so this is the same behaviour. The other test cases will
  now try to negotiate SMBv2 connections, however, the no_ntlmv2 test
  cases are explicitly checking for bare-NTLM (with the s3 bindings, it
  now ends up as NTLMSSP by default).

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
---
 python/samba/tests/auth_log.py | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index e073877..daf088f 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -21,7 +21,8 @@ from __future__ import print_function
 import samba.tests
 from samba.dcerpc import srvsvc, dnsserver
 import os
-from samba import smb
+from samba.samba3 import libsmb_samba_internal as libsmb
+from samba.samba3 import param as s3param
 from samba.samdb import SamDB
 import samba.tests.auth_log_base
 from samba.credentials import DONT_USE_KERBEROS, MUST_USE_KERBEROS
@@ -47,10 +48,19 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
     def tearDown(self):
         super(AuthLogTests, self).tearDown()
 
-    def smb_connection(self, creds, use_spnego=True, ntlmv2_auth=True):
+    def smb_connection(self, creds, use_spnego="yes", ntlmv2_auth="yes",
+                       force_smb1=False):
+        # the SMB bindings rely on having a s3 loadparm
         lp = self.get_loadparm()
-        return smb.SMB(self.server, "sysvol", lp=lp, creds=creds,
-                           use_spnego=use_spnego, ntlmv2_auth=ntlmv2_auth)
+        s3_lp = s3param.get_context()
+        s3_lp.load(lp.configfile)
+
+        # Allow the testcase to skip SPNEGO or use NTLMv1
+        s3_lp.set("client use spnego", use_spnego)
+        s3_lp.set("client ntlmv2 auth", ntlmv2_auth)
+
+        return libsmb.Conn(self.server, "sysvol", lp=s3_lp, creds=creds,
+                           force_smb1=force_smb1)
 
     def _test_rpc_ncacn_np(self, authTypes, creds, service,
                            binding, protection, checkFunction):
@@ -1003,8 +1013,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
         self.smb_connection(creds,
-                            ntlmv2_auth=False,
-                            use_spnego=False)
+                            force_smb1=True,
+                            ntlmv2_auth="no",
+                            use_spnego="no")
 
         messages = self.waitForMessages(isLastExpectedMessage)
         self.assertEquals(2,
@@ -1045,8 +1056,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         thrown = False
         try:
             self.smb_connection(creds,
-                                ntlmv2_auth=False,
-                                use_spnego=False)
+                                force_smb1=True,
+                                ntlmv2_auth="no",
+                                use_spnego="no")
         except NTSTATUSError:
             thrown = True
         self.assertEquals(thrown, True)
@@ -1076,8 +1088,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         thrown = False
         try:
             self.smb_connection(creds,
-                                ntlmv2_auth=False,
-                                use_spnego=False)
+                                force_smb1=True,
+                                ntlmv2_auth="no",
+                                use_spnego="no")
         except NTSTATUSError:
             thrown = True
         self.assertEquals(thrown, True)
-- 
2.7.4



More information about the samba-technical mailing list