[PATCH] Some more changes to the NTLM-disabled tests

Tim Beale timbeale at catalyst.net.nz
Tue Aug 22 23:46:54 UTC 2017


Hi,

Attached are some follow-up test changes related to the NTLM-disabled
work Andrew did a while ago (e.g. commit 00db3aba6cf9ebaafdf3).

Specifically, the changes are:
- Add a testenv to check NTLM disabled against a source4 Samba DC.
- Rename the NTLM-Disabled test to better reflect what it does.
- While working on this, we also noticed that the no_nss testenv seems
to reuse the same hostname/IP as the ad_dc testenv, which didn't look right.

Cheers,
Tim
From 21677fd288d65c894284a2d585bc90f7da879f2f Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed, 5 Jul 2017 14:03:17 +1200
Subject: [PATCH 1/3] selftest: Add new AD DC testenv with NTLM disabled

This is so that we test the source4 case as well. Currently the only
testenv with NTLM disabled is ktest, and that only exercises the source3
code.

I've tried to support the new test environment with minimal changes to the
Samba4.pm setup code.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
---
 selftest/knownfail        |  2 ++
 selftest/target/Samba.pm  |  1 +
 selftest/target/Samba4.pm | 45 +++++++++++++++++++++++++++++++++++++++------
 source4/selftest/tests.py |  2 +-
 4 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index aa89dab..ffd4a54 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -333,5 +333,7 @@
 ^samba.tests.netlogonsvc.python\(fileserver\)
 # NTLM authentication is (intentionally) disabled in ktest
 ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\)
+^samba.tests.ntlmauth.python\(ad_dc_no_ntlm\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ad_dc_no_ntlm\)
 # Disabling NTLM means you can't use samr to change the password
 ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\)
+^samba.tests.ntlmauth.python\(ad_dc_no_ntlm\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ad_dc_no_ntlm\)
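Review bot: The two new ad_dc_no_ntlm entries are filed under the wrong comments: `test_samr_change_password(ad_dc_no_ntlm)` is placed under "NTLM authentication is (intentionally) disabled in ktest", while `test_ntlm_connection(ad_dc_no_ntlm)` is placed under "Disabling NTLM means you can't use samr to change the password". Swapping the two added lines keeps each comment accurate, and the first comment should then read `# NTLM authentication is (intentionally) disabled in ktest and ad_dc_no_ntlm`. The knownfail hunk of the rename patch carries the same ordering over, so it needs the same swap.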
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 5968772..dc6b3d5 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -346,6 +346,7 @@ sub get_interface($)
 
     # 11-16 used by selftest.pl for client interfaces
 
+    $interfaces{"addc_no_ntlm"} = 18;
     $interfaces{"idmapadmember"} = 19;
     $interfaces{"idmapridmember"} = 20;
     $interfaces{"localdc"} = 21;
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 205e281..d86d38d 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1748,9 +1748,9 @@ sub read_config_h($)
 	return \%ret;
 }
 
-sub provision_ad_dc($$)
+sub provision_ad_dc($$$$$$)
 {
-	my ($self, $prefix) = @_;
+	my ($self, $prefix, $hostname, $domain, $realm, $smbconf_args) = @_;
 
 	my $prefix_abs = abs_path($prefix);
 
@@ -1814,6 +1814,7 @@ sub provision_ad_dc($$)
 	print notify backchannel = yes
 
         auth event notification = true
+        $smbconf_args
 ";
 
 	my $extra_smbconf_shares = "
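Review bot: `$smbconf_args` is spliced verbatim into the [global] section of the generated smb.conf here, so a caller can add any number of further options (including multi-line text), and the new parameters added to provision_ad_dc in the preceding hunk carry no documentation of that contract. A short comment at the parameter unpacking, `# $smbconf_args: extra smb.conf [global] option lines, inserted verbatim (may be "")`, plus a guard such as `$smbconf_args = "" unless defined $smbconf_args;` would state the contract and keep an omitted argument from interpolating as an empty string with an uninitialized-value warning. Note also that the widened `($$$$$$)` prototype is ignored for the `$self->provision_ad_dc(...)` method-call form the callers use, so it records arity without enforcing it. provision_ad_dc begins before and continues after this hunk.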
@@ -1858,9 +1859,9 @@ sub provision_ad_dc($$)
 	print "PROVISIONING AD DC...\n";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
-				   "addc",
-				   "ADDOMAIN",
-				   "addom.samba.example.com",
+				   $hostname,
+				   $domain,
+				   $realm,
 				   "2008",
 				   "locDCpass1",
 				   undef,
@@ -2118,6 +2119,8 @@ sub setup_env($$$)
 		return $self->setup_ad_dc("$path/ad_dc");
 	} elsif ($envname eq "ad_dc_no_nss") {
 		return $self->setup_ad_dc("$path/ad_dc_no_nss", "no_nss");
+	} elsif ($envname eq "ad_dc_no_ntlm") {
+		return $self->setup_ad_dc_no_ntlm("$path/ad_dc_no_ntlm");
 	} elsif ($envname eq "ad_member_rfc2307") {
 		if (not defined($self->{vars}->{ad_dc_ntvfs})) {
 			$self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
@@ -2497,7 +2500,8 @@ sub setup_ad_dc($$)
 	       return "UNKNOWN";
 	}
 
-	my $env = $self->provision_ad_dc($path);
+	my $env = $self->provision_ad_dc($path, "addc", "ADDOMAIN",
+					 "addom.samba.example.com", "");
 	unless ($env) {
 		return undef;
 	}
@@ -2520,6 +2524,35 @@ sub setup_ad_dc($$)
 	return $env;
 }
 
+sub setup_ad_dc_no_ntlm($$)
+{
+	my ($self, $path) = @_;
+
+	# If we didn't build with ADS, pretend this env was never available
+	if (not $self->{target3}->have_ads()) {
+	       return "UNKNOWN";
+	}
+
+	my $env = $self->provision_ad_dc($path, "addc_no_ntlm", "ADNONTLMDOMAIN",
+					 "adnontlmdom.samba.example.com",
+					 "ntlm auth = disabled");
+	unless ($env) {
+		return undef;
+	}
+
+	if (not defined($self->check_or_start($env, "single"))) {
+	    return undef;
+	}
+
+	my $upn_array = ["$env->{REALM}.upn"];
+	my $spn_array = ["$env->{REALM}.spn"];
+
+	$self->setup_namespaces($env, $upn_array, $spn_array);
+
+	$self->{vars}->{ad_dc_no_ntlm} = $env;
+	return $env;
+}
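Review bot: setup_ad_dc_no_ntlm is a line-for-line copy of setup_ad_dc apart from the provision_ad_dc arguments and the `$self->{vars}` key, so the check_or_start/setup_namespaces tail now lives in two places (and would gain a third copy with any further ad_dc variant). Moving that tail into one helper keyed on the vars name lets each setup_ad_dc* sub shrink to its provision call. The copied `return undef;` after the check_or_start call also keeps the tab-plus-spaces indentation of the original instead of the file's tab indent. A one-line comment on the provision call, `# "ntlm auth = disabled" is the whole point of this environment`, would save readers a grep.
```perl
sub setup_ad_dc_no_ntlm($$)
{
	my ($self, $path) = @_;

	# … unchanged: have_ads() check …

	# "ntlm auth = disabled" is the whole point of this environment
	my $env = $self->provision_ad_dc($path, "addc_no_ntlm", "ADNONTLMDOMAIN",
					 "adnontlmdom.samba.example.com",
					 "ntlm auth = disabled");
	unless ($env) {
		return undef;
	}

	return $self->start_ad_dc_env($env, "ad_dc_no_ntlm");
}

# Start a provisioned AD DC, set up its UPN/SPN namespaces and cache the
# resulting env under $self->{vars}->{$varname}. Shared by the setup_ad_dc*
# environments; returns the env, or undef if the DC could not be started.
sub start_ad_dc_env($$$)
{
	my ($self, $env, $varname) = @_;

	if (not defined($self->check_or_start($env, "single"))) {
		return undef;
	}

	my $upn_array = ["$env->{REALM}.upn"];
	my $spn_array = ["$env->{REALM}.spn"];

	$self->setup_namespaces($env, $upn_array, $spn_array);

	$self->{vars}->{$varname} = $env;
	return $env;
}
```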
+
 sub setup_none($$)
 {
 	my ($self, $path) = @_;
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 2152573..1442a7d 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -954,7 +954,7 @@ for env in [ "simpleserver", "fileserver", "nt4_dc", "ad_dc", "ad_dc_ntvfs", "ad
                            extra_path=[os.path.join(srcdir(), 'python/samba/tests')],
                            name="samba.tests.netlogonsvc.python(%s)" % env)
 
-for env in [ "ktest", "ad_member"]:
+for env in [ "ktest", "ad_member", "ad_dc_no_ntlm" ]:
     planoldpythontestsuite(env, "ntlmauth",
                            extra_path=[os.path.join(srcdir(), 'python/samba/tests')],
                            name="samba.tests.ntlmauth.python(%s)" % env)
-- 
2.7.4


From 1f2c55460c1ee480bcec3027e86df254d593dfa9 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed, 5 Jul 2017 14:32:54 +1200
Subject: [PATCH 2/3] selftest: Rename ntlmauth tests to ntlmdisabled

There are already some existing ntlm_auth tests, so the new tests I've
added make things a bit confusing. Also, ntlmdisabled probably better
reflects the specific case we're trying to test.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
---
 python/samba/tests/ntlmauth.py     | 88 --------------------------------------
 python/samba/tests/ntlmdisabled.py | 88 ++++++++++++++++++++++++++++++++++++++
 selftest/knownfail                 |  8 ++--
 source4/selftest/tests.py          |  4 +-
 4 files changed, 94 insertions(+), 94 deletions(-)
 delete mode 100644 python/samba/tests/ntlmauth.py
 create mode 100644 python/samba/tests/ntlmdisabled.py

diff --git a/python/samba/tests/ntlmauth.py b/python/samba/tests/ntlmauth.py
deleted file mode 100644
index a232bf2..0000000
--- a/python/samba/tests/ntlmauth.py
+++ /dev/null
@@ -1,88 +0,0 @@
-# Tests to check basic NTLM authentication
-#
-# Copyright (C) Catalyst IT Ltd. 2017
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-from samba.tests import TestCase
-import os
-
-import samba
-from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
-
-from samba import NTSTATUSError, ntstatus
-import ctypes
-
-from samba import credentials
-from samba.dcerpc import srvsvc, samr, lsa
-
-"""
-Tests basic NTLM authentication
-"""
-
-class NtlmAuthTests(TestCase):
-
-    def setUp(self):
-        super(NtlmAuthTests, self).setUp()
-
-        self.lp          = self.get_loadparm()
-        self.server      = os.getenv("SERVER")
-
-        self.creds = Credentials()
-        self.creds.guess(self.lp)
-        self.creds.set_username(os.getenv("USERNAME"))
-        self.creds.set_domain(self.server)
-        self.creds.set_password(os.getenv("PASSWORD"))
-        self.creds.set_kerberos_state(DONT_USE_KERBEROS)
-
-    def tearDown(self):
-        super(NtlmAuthTests, self).tearDown()
-
-    def test_ntlm_connection(self):
-        try:
-            conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
-
-            self.assertIsNotNone(conn)
-        except NTSTATUSError as e:
-            # NTLM might be blocked on this server
-            enum = ctypes.c_uint32(e[0]).value
-            if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
-                self.fail("NTLM is disabled on this server")
-            else:
-                raise
-
-    def test_samr_change_password(self):
-        self.creds.set_kerberos_state(MUST_USE_KERBEROS)
-        conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
-
-        # we want to check whether this gets rejected outright because NTLM is
-        # disabled, so we don't actually need to encrypt a valid password here
-        server = lsa.String()
-        server.string = self.server
-        username = lsa.String()
-        username.string = os.getenv("USERNAME")
-
-        try:
-            conn.ChangePasswordUser2(server, username, None, None, True, None, None)
-        except NTSTATUSError as e:
-            # changing passwords is rejected when NTLM is disabled
-            enum = ctypes.c_uint32(e[0]).value
-            if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
-                self.fail("NTLM is disabled on this server")
-            elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
-                # expected error case when NTLM is enabled
-                pass
-            else:
-                raise
-
diff --git a/python/samba/tests/ntlmdisabled.py b/python/samba/tests/ntlmdisabled.py
new file mode 100644
index 0000000..90341a5
--- /dev/null
+++ b/python/samba/tests/ntlmdisabled.py
@@ -0,0 +1,88 @@
+# Tests basic behaviour when NTLM is disabled
+#
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+from samba.tests import TestCase
+import os
+
+import samba
+from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
+
+from samba import NTSTATUSError, ntstatus
+import ctypes
+
+from samba import credentials
+from samba.dcerpc import srvsvc, samr, lsa
+
+"""
+Tests behaviour when NTLM is disabled
+"""
+
+class NtlmDisabledTests(TestCase):
+
+    def setUp(self):
+        super(NtlmDisabledTests, self).setUp()
+
+        self.lp          = self.get_loadparm()
+        self.server      = os.getenv("SERVER")
+
+        self.creds = Credentials()
+        self.creds.guess(self.lp)
+        self.creds.set_username(os.getenv("USERNAME"))
+        self.creds.set_domain(self.server)
+        self.creds.set_password(os.getenv("PASSWORD"))
+        self.creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+    def tearDown(self):
+        super(NtlmDisabledTests, self).tearDown()
+
+    def test_ntlm_connection(self):
+        try:
+            conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
+
+            self.assertIsNotNone(conn)
+        except NTSTATUSError as e:
+            # NTLM might be blocked on this server
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
+                self.fail("NTLM is disabled on this server")
+            else:
+                raise
+
+    def test_samr_change_password(self):
+        self.creds.set_kerberos_state(MUST_USE_KERBEROS)
+        conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
+
+        # we want to check whether this gets rejected outright because NTLM is
+        # disabled, so we don't actually need to encrypt a valid password here
+        server = lsa.String()
+        server.string = self.server
+        username = lsa.String()
+        username.string = os.getenv("USERNAME")
+
+        try:
+            conn.ChangePasswordUser2(server, username, None, None, True, None, None)
+        except NTSTATUSError as e:
+            # changing passwords should be rejected when NTLM is disabled
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
+                self.fail("NTLM is disabled on this server")
+            elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
+                # expected error case when NTLM is enabled
+                pass
+            else:
+                raise
+
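Review bot: In test_samr_change_password the `MUST_USE_KERBEROS` state set on `self.creds` never reaches the connection, because the samr constructor on the next line is called with only the binding string and neither `self.lp` nor `self.creds`; whatever default credentials the binding falls back to are what the `[krb5,seal,smb2]` connection then authenticates with, so the test may not exercise the Kerberos-only path it is written for. test_ntlm_connection passes both, so `conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % self.server, self.lp, self.creds)` would make the two consistent. The `import samba` and `from samba import credentials` lines are unused in the file, and the bare string after the imports is not a module docstring (that would have to be the first statement), so a plain comment would be clearer.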
diff --git a/selftest/knownfail b/selftest/knownfail
index ffd4a54..35d7f3b 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -332,8 +332,8 @@
 ^samba.tests.netlogonsvc.python\(simpleserver\)
 ^samba.tests.netlogonsvc.python\(fileserver\)
 # NTLM authentication is (intentionally) disabled in ktest
-^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\)
-^samba.tests.ntlmauth.python\(ad_dc_no_ntlm\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ad_dc_no_ntlm\)
+^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ktest\)
+^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ad_dc_no_ntlm\)
 # Disabling NTLM means you can't use samr to change the password
-^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\)
-^samba.tests.ntlmauth.python\(ad_dc_no_ntlm\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ad_dc_no_ntlm\)
+^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
+^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1442a7d..adbbda0 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -955,9 +955,9 @@ for env in [ "simpleserver", "fileserver", "nt4_dc", "ad_dc", "ad_dc_ntvfs", "ad
                            name="samba.tests.netlogonsvc.python(%s)" % env)
 
 for env in [ "ktest", "ad_member", "ad_dc_no_ntlm" ]:
-    planoldpythontestsuite(env, "ntlmauth",
+    planoldpythontestsuite(env, "ntlmdisabled",
                            extra_path=[os.path.join(srcdir(), 'python/samba/tests')],
-                           name="samba.tests.ntlmauth.python(%s)" % env)
+                           name="samba.tests.ntlmdisabled.python(%s)" % env)
 
 # Demote the vampire DC, it must be the last test each DC, before the dbcheck
 for env in ['vampire_dc', 'promoted_dc', 'rodc']:
-- 
2.7.4


From a65b2e3b5bd06d033a141fb9e44f07fc6ca9f324 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue, 1 Aug 2017 17:18:45 +1200
Subject: [PATCH 3/3] selftest: Use a unique hostname/IP for the no_nss testenv

The ad_dc_no_nss was re-using the ad_dc testenv but changing an
environment variable to disable the NSS wrapper module.

Presumably this would set up a second AD DC server with the same
hostname/IP as another DC (but with NSS disabled). This doesn't seem
like a good thing to be doing in the selftests. This patch changes
it so that the no_nss testenv uses a unique IP/hostname.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
---
 selftest/target/Samba.pm  |  1 +
 selftest/target/Samba4.pm | 38 ++++++++++++++++++++++++++++++++------
 2 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index dc6b3d5..ba0cc7d 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -346,6 +346,7 @@ sub get_interface($)
 
     # 11-16 used by selftest.pl for client interfaces
 
+    $interfaces{"addc_no_nss"} = 17;
     $interfaces{"addc_no_ntlm"} = 18;
     $interfaces{"idmapadmember"} = 19;
     $interfaces{"idmapridmember"} = 20;
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index d86d38d..01c4859 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -2118,7 +2118,7 @@ sub setup_env($$$)
 	} elsif ($envname eq "ad_dc") {
 		return $self->setup_ad_dc("$path/ad_dc");
 	} elsif ($envname eq "ad_dc_no_nss") {
-		return $self->setup_ad_dc("$path/ad_dc_no_nss", "no_nss");
+		return $self->setup_ad_dc_no_nss("$path/ad_dc_no_nss");
 	} elsif ($envname eq "ad_dc_no_ntlm") {
 		return $self->setup_ad_dc_no_ntlm("$path/ad_dc_no_ntlm");
 	} elsif ($envname eq "ad_member_rfc2307") {
@@ -2493,7 +2493,7 @@ sub setup_rodc($$$)
 
 sub setup_ad_dc($$)
 {
-	my ($self, $path, $no_nss) = @_;
+	my ($self, $path) = @_;
 
 	# If we didn't build with ADS, pretend this env was never available
 	if (not $self->{target3}->have_ads()) {
@@ -2506,11 +2506,37 @@ sub setup_ad_dc($$)
 		return undef;
 	}
 
-	if (defined($no_nss) and $no_nss) {
-		$env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
-		$env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+	if (not defined($self->check_or_start($env, "single"))) {
+	    return undef;
+	}
+
+	my $upn_array = ["$env->{REALM}.upn"];
+	my $spn_array = ["$env->{REALM}.spn"];
+
+	$self->setup_namespaces($env, $upn_array, $spn_array);
+
+	$self->{vars}->{ad_dc} = $env;
+	return $env;
+}
+
+sub setup_ad_dc_no_nss($$)
+{
+	my ($self, $path) = @_;
+
+	# If we didn't build with ADS, pretend this env was never available
+	if (not $self->{target3}->have_ads()) {
+	       return "UNKNOWN";
+	}
+
+	my $env = $self->provision_ad_dc($path, "addc_no_nss", "ADNONSSDOMAIN",
+					 "adnonssdom.samba.example.com", "");
+	unless ($env) {
+		return undef;
 	}
 
+	$env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
+	$env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+
 	if (not defined($self->check_or_start($env, "single"))) {
 	    return undef;
 	}
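Review bot: setup_ad_dc_no_nss repeats the full body of setup_ad_dc, differing only in the provision_ad_dc arguments, the two `NSS_WRAPPER_*` assignments and the `$self->{vars}` key, making this the third copy of the check_or_start/setup_namespaces tail in the file. A shared helper that takes the provisioned `$env` and the vars key, called after the NSS_WRAPPER lines, would let each setup_ad_dc* sub hold only what is specific to it. A comment above the two `undef` assignments, `# Clear the nss_wrapper module so this DC runs without NSS wrapping`, would also record why this environment exists. I cannot tell from here whether an undef value removes the variable from the child's environment or exports it as an empty string, which is worth confirming since the old code relied on the same assignment. The hunk ends inside setup_ad_dc_no_nss; its tail is in the next hunk.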
@@ -2520,7 +2546,7 @@ sub setup_ad_dc($$)
 
 	$self->setup_namespaces($env, $upn_array, $spn_array);
 
-	$self->{vars}->{ad_dc} = $env;
+	$self->{vars}->{ad_dc_no_nss} = $env;
 	return $env;
 }
 
-- 
2.7.4


