1 # Unix SMB/CIFS implementation.
2 # Copyright (C) Sean Dague <sdague@linux.vnet.ibm.com> 2011
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 from samba.tests.samba_tool.base import SambaToolCmdTest
28 from samba.ndr import ndr_unpack
29 from samba.dcerpc import drsblobs
31 class UserCmdTestCase(SambaToolCmdTest):
32 """Tests for samba-tool user subcommands"""
37 super(UserCmdTestCase, self).setUp()
38 self.samdb = self.getSamDB("-H", "ldap://%s" % os.environ["DC_SERVER"],
39 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
41 self.users.append(self._randomUser({"name": "sambatool1", "company": "comp1"}))
42 self.users.append(self._randomUser({"name": "sambatool2", "company": "comp1"}))
43 self.users.append(self._randomUser({"name": "sambatool3", "company": "comp2"}))
44 self.users.append(self._randomUser({"name": "sambatool4", "company": "comp2"}))
45 self.users.append(self._randomPosixUser({"name": "posixuser1"}))
46 self.users.append(self._randomPosixUser({"name": "posixuser2"}))
47 self.users.append(self._randomPosixUser({"name": "posixuser3"}))
48 self.users.append(self._randomPosixUser({"name": "posixuser4"}))
50 # setup the 8 users and ensure they are correct
51 for user in self.users:
52 (result, out, err) = user["createUserFn"](user)
54 self.assertCmdSuccess(result, out, err)
55 self.assertEquals(err,"","Shouldn't be any error messages")
56 self.assertIn("User '%s' created successfully" % user["name"], out)
58 user["checkUserFn"](user)
62 super(UserCmdTestCase, self).tearDown()
63 # clean up all the left over users, just in case
64 for user in self.users:
65 if self._find_user(user["name"]):
66 self.runsubcmd("user", "delete", user["name"])
69 def test_newuser(self):
70 # try to add all the users again, this should fail
71 for user in self.users:
72 (result, out, err) = self._create_user(user)
73 self.assertCmdFail(result, "Ensure that create user fails")
74 self.assertIn("LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS", err)
76 # try to delete all the 4 users we just added
77 for user in self.users:
78 (result, out, err) = self.runsubcmd("user", "delete", user["name"])
79 self.assertCmdSuccess(result, out, err, "Can we delete users")
80 found = self._find_user(user["name"])
81 self.assertIsNone(found)
83 # test adding users with --use-username-as-cn
84 for user in self.users:
85 (result, out, err) = self.runsubcmd("user", "create", user["name"], user["password"],
86 "--use-username-as-cn",
87 "--surname=%s" % user["surname"],
88 "--given-name=%s" % user["given-name"],
89 "--job-title=%s" % user["job-title"],
90 "--department=%s" % user["department"],
91 "--description=%s" % user["description"],
92 "--company=%s" % user["company"],
93 "-H", "ldap://%s" % os.environ["DC_SERVER"],
94 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
96 self.assertCmdSuccess(result, out, err)
97 self.assertEquals(err,"","Shouldn't be any error messages")
98 self.assertIn("User '%s' created successfully" % user["name"], out)
100 found = self._find_user(user["name"])
102 self.assertEquals("%s" % found.get("cn"), "%(name)s" % user)
103 self.assertEquals("%s" % found.get("name"), "%(name)s" % user)
105 def _verify_supplementalCredentials(self, ldif,
108 msgs = self.samdb.parse_ldif(ldif)
109 (changetype, obj) = next(msgs)
111 self.assertIn("supplementalCredentials", obj, "supplementalCredentials attribute required")
112 sc_blob = obj["supplementalCredentials"][0]
113 sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
115 self.assertGreaterEqual(sc.sub.num_packages,
116 min_packages, "min_packages check")
117 self.assertLessEqual(sc.sub.num_packages,
118 max_packages, "max_packages check")
120 if max_packages == 0:
123 def find_package(packages, name, start_idx=0):
124 for i in xrange(start_idx, len(packages)):
125 if packages[i].name == name:
126 return (i, packages[i])
129 # The ordering is this
131 # Primary:Kerberos-Newer-Keys (optional)
134 # Primary:CLEARTEXT (optional)
135 # Primary:SambaGPG (optional)
137 # And the 'Packages' package is insert before the last
141 (pidx, pp) = find_package(sc.sub.packages, "Packages", start_idx=nidx)
142 self.assertIsNotNone(pp, "Packages required")
143 self.assertEqual(pidx + 1, sc.sub.num_packages - 1,
144 "Packages needs to be at num_packages - 1")
146 (knidx, knp) = find_package(sc.sub.packages, "Primary:Kerberos-Newer-Keys",
148 if knidx is not None:
149 self.assertEqual(knidx, nidx, "Primary:Kerberos-Newer-Keys at wrong position")
154 (kidx, kp) = find_package(sc.sub.packages, "Primary:Kerberos",
156 self.assertIsNotNone(pp, "Primary:Kerberos required")
157 self.assertEqual(kidx, nidx, "Primary:Kerberos at wrong position")
162 (widx, wp) = find_package(sc.sub.packages, "Primary:WDigest",
164 self.assertIsNotNone(pp, "Primary:WDigest required")
165 self.assertEqual(widx, nidx, "Primary:WDigest at wrong position")
170 (cidx, cp) = find_package(sc.sub.packages, "Primary:CLEARTEXT",
173 self.assertEqual(cidx, nidx, "Primary:CLEARTEXT at wrong position")
178 (gidx, gp) = find_package(sc.sub.packages, "Primary:SambaGPG",
181 self.assertEqual(gidx, nidx, "Primary:SambaGPG at wrong position")
186 self.assertEqual(nidx, sc.sub.num_packages, "Unknown packages found")
188 def test_setpassword(self):
189 for user in self.users:
190 newpasswd = self.randomPass()
191 (result, out, err) = self.runsubcmd("user", "setpassword",
193 "--newpassword=%s" % newpasswd,
194 "-H", "ldap://%s" % os.environ["DC_SERVER"],
195 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
196 self.assertCmdSuccess(result, out, err, "Ensure setpassword runs")
197 self.assertEquals(err,"","setpassword with url")
198 self.assertMatch(out, "Changed password OK", "setpassword with url")
200 attributes = "sAMAccountName,unicodePwd,supplementalCredentials,virtualClearTextUTF8,virtualClearTextUTF16,virtualSSHA,virtualSambaGPG"
201 (result, out, err) = self.runsubcmd("user", "syncpasswords",
202 "--cache-ldb-initialize",
203 "--attributes=%s" % attributes,
204 "--decrypt-samba-gpg")
205 self.assertCmdSuccess(result, out, err, "Ensure syncpasswords --cache-ldb-initialize runs")
206 self.assertEqual(err,"","getpassword without url")
208 "objectClass": { "value": "userSyncPasswords" },
210 "dirsyncFilter": { },
211 "dirsyncAttribute": { },
212 "dirsyncControl": { "value": "dirsync:1:0:0"},
213 "passwordAttribute": { },
214 "decryptSambaGPG": { },
217 for a in cache_attrs.keys():
218 v = cache_attrs[a].get("value", "")
219 self.assertMatch(out, "%s: %s" % (a, v),
220 "syncpasswords --cache-ldb-initialize: %s: %s out[%s]" % (a, v, out))
222 (result, out, err) = self.runsubcmd("user", "syncpasswords", "--no-wait")
223 self.assertCmdSuccess(result, out, err, "Ensure syncpasswords --no-wait runs")
224 self.assertEqual(err,"","syncpasswords --no-wait")
225 self.assertMatch(out, "dirsync_loop(): results 0",
226 "syncpasswords --no-wait: 'dirsync_loop(): results 0': out[%s]" % (out))
227 for user in self.users:
228 self.assertMatch(out, "sAMAccountName: %s" % (user["name"]),
229 "syncpasswords --no-wait: 'sAMAccountName': %s out[%s]" % (user["name"], out))
231 for user in self.users:
232 newpasswd = self.randomPass()
233 creds = credentials.Credentials()
234 creds.set_anonymous()
235 creds.set_password(newpasswd)
236 nthash = creds.get_nt_hash()
237 unicodePwd = base64.b64encode(creds.get_nt_hash())
238 virtualClearTextUTF8 = base64.b64encode(newpasswd)
239 virtualClearTextUTF16 = base64.b64encode(unicode(newpasswd, 'utf-8').encode('utf-16-le'))
241 (result, out, err) = self.runsubcmd("user", "setpassword",
243 "--newpassword=%s" % newpasswd)
244 self.assertCmdSuccess(result, out, err, "Ensure setpassword runs")
245 self.assertEquals(err,"","setpassword without url")
246 self.assertMatch(out, "Changed password OK", "setpassword without url")
248 (result, out, err) = self.runsubcmd("user", "syncpasswords", "--no-wait")
249 self.assertCmdSuccess(result, out, err, "Ensure syncpasswords --no-wait runs")
250 self.assertEqual(err,"","syncpasswords --no-wait")
251 self.assertMatch(out, "dirsync_loop(): results 0",
252 "syncpasswords --no-wait: 'dirsync_loop(): results 0': out[%s]" % (out))
253 self.assertMatch(out, "sAMAccountName: %s" % (user["name"]),
254 "syncpasswords --no-wait: 'sAMAccountName': %s out[%s]" % (user["name"], out))
255 self.assertMatch(out, "# unicodePwd::: REDACTED SECRET ATTRIBUTE",
256 "getpassword '# unicodePwd::: REDACTED SECRET ATTRIBUTE': out[%s]" % out)
257 self.assertMatch(out, "unicodePwd:: %s" % unicodePwd,
258 "getpassword unicodePwd: out[%s]" % out)
259 self.assertMatch(out, "# supplementalCredentials::: REDACTED SECRET ATTRIBUTE",
260 "getpassword '# supplementalCredentials::: REDACTED SECRET ATTRIBUTE': out[%s]" % out)
261 self.assertMatch(out, "supplementalCredentials:: ",
262 "getpassword supplementalCredentials: out[%s]" % out)
263 if "virtualSambaGPG:: " in out:
264 self.assertMatch(out, "virtualClearTextUTF8:: %s" % virtualClearTextUTF8,
265 "getpassword virtualClearTextUTF8: out[%s]" % out)
266 self.assertMatch(out, "virtualClearTextUTF16:: %s" % virtualClearTextUTF16,
267 "getpassword virtualClearTextUTF16: out[%s]" % out)
268 self.assertMatch(out, "virtualSSHA: ",
269 "getpassword virtualSSHA: out[%s]" % out)
271 (result, out, err) = self.runsubcmd("user", "getpassword",
273 "--attributes=%s" % attributes,
274 "--decrypt-samba-gpg")
275 self.assertCmdSuccess(result, out, err, "Ensure getpassword runs")
276 self.assertEqual(err,"","getpassword without url")
277 self.assertMatch(out, "Got password OK", "getpassword without url")
278 self.assertMatch(out, "sAMAccountName: %s" % (user["name"]),
279 "getpassword: 'sAMAccountName': %s out[%s]" % (user["name"], out))
280 self.assertMatch(out, "unicodePwd:: %s" % unicodePwd,
281 "getpassword unicodePwd: out[%s]" % out)
282 self.assertMatch(out, "supplementalCredentials:: ",
283 "getpassword supplementalCredentials: out[%s]" % out)
284 self._verify_supplementalCredentials(out.replace("\nGot password OK\n", ""))
285 if "virtualSambaGPG:: " in out:
286 self.assertMatch(out, "virtualClearTextUTF8:: %s" % virtualClearTextUTF8,
287 "getpassword virtualClearTextUTF8: out[%s]" % out)
288 self.assertMatch(out, "virtualClearTextUTF16:: %s" % virtualClearTextUTF16,
289 "getpassword virtualClearTextUTF16: out[%s]" % out)
290 self.assertMatch(out, "virtualSSHA: ",
291 "getpassword virtualSSHA: out[%s]" % out)
293 for user in self.users:
294 newpasswd = self.randomPass()
295 (result, out, err) = self.runsubcmd("user", "setpassword",
297 "--newpassword=%s" % newpasswd,
298 "--must-change-at-next-login",
299 "-H", "ldap://%s" % os.environ["DC_SERVER"],
300 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
301 self.assertCmdSuccess(result, out, err, "Ensure setpassword runs")
302 self.assertEquals(err,"","setpassword with forced change")
303 self.assertMatch(out, "Changed password OK", "setpassword with forced change")
308 def test_setexpiry(self):
309 twodays = time.time() + (2 * 24 * 60 * 60)
311 for user in self.users:
312 (result, out, err) = self.runsubcmd("user", "setexpiry", user["name"],
314 "-H", "ldap://%s" % os.environ["DC_SERVER"],
315 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
316 self.assertCmdSuccess(result, out, err, "Can we run setexpiry with names")
317 self.assertIn("Expiry for user '%s' set to 2 days." % user["name"], out)
319 for user in self.users:
320 found = self._find_user(user["name"])
322 expires = nttime2unix(int("%s" % found.get("accountExpires")))
323 self.assertWithin(expires, twodays, 5, "Ensure account expires is within 5 seconds of the expected time")
325 # TODO: renable this after the filter case is sorted out
326 if "filters are broken, bail now":
329 # now run the expiration based on a filter
330 fourdays = time.time() + (4 * 24 * 60 * 60)
331 (result, out, err) = self.runsubcmd("user", "setexpiry",
332 "--filter", "(&(objectClass=user)(company=comp2))",
334 "-H", "ldap://%s" % os.environ["DC_SERVER"],
335 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
336 self.assertCmdSuccess(result, out, err, "Can we run setexpiry with a filter")
338 for user in self.users:
339 found = self._find_user(user["name"])
340 if ("%s" % found.get("company")) == "comp2":
341 expires = nttime2unix(int("%s" % found.get("accountExpires")))
342 self.assertWithin(expires, fourdays, 5, "Ensure account expires is within 5 seconds of the expected time")
344 expires = nttime2unix(int("%s" % found.get("accountExpires")))
345 self.assertWithin(expires, twodays, 5, "Ensure account expires is within 5 seconds of the expected time")
349 (result, out, err) = self.runsubcmd("user", "list",
350 "-H", "ldap://%s" % os.environ["DC_SERVER"],
351 "-U%s%%%s" % (os.environ["DC_USERNAME"],
352 os.environ["DC_PASSWORD"]))
353 self.assertCmdSuccess(result, out, err, "Error running list")
355 search_filter = ("(&(objectClass=user)(userAccountControl:%s:=%u))" %
356 (ldb.OID_COMPARATOR_AND, dsdb.UF_NORMAL_ACCOUNT))
358 userlist = self.samdb.search(base=self.samdb.domain_dn(),
359 scope=ldb.SCOPE_SUBTREE,
360 expression=search_filter,
361 attrs=["samaccountname"])
363 self.assertTrue(len(userlist) > 0, "no users found in samdb")
365 for userobj in userlist:
366 name = userobj.get("samaccountname", idx=0)
367 found = self.assertMatch(out, name,
368 "user '%s' not found" % name)
369 def test_getpwent(self):
373 self.skipTest("Skipping getpwent test, no 'pwd' module available")
376 # get the current user's data for the test
379 u = pwd.getpwuid(uid)
381 self.skipTest("Skipping getpwent test, current EUID not found in NSS")
385 # samba-tool user create command didn't support users with empty gecos if none is
386 # specified on the command line and the user hasn't one in the passwd file it
387 # will fail, so let's add some contents
390 if (gecos is None or len(gecos) == 0):
392 user = self._randomPosixUser({
400 # check if --rfc2307-from-nss sets the same values as we got from pwd.getpwuid()
401 (result, out, err) = self.runsubcmd("user", "create", user["name"], user["password"],
402 "--surname=%s" % user["surname"],
403 "--given-name=%s" % user["given-name"],
404 "--job-title=%s" % user["job-title"],
405 "--department=%s" % user["department"],
406 "--description=%s" % user["description"],
407 "--company=%s" % user["company"],
408 "--gecos=%s" % user["gecos"],
409 "--rfc2307-from-nss",
410 "-H", "ldap://%s" % os.environ["DC_SERVER"],
411 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
413 self.assertCmdSuccess(result, out, err)
414 self.assertEquals(err,"","Shouldn't be any error messages")
415 self.assertIn("User '%s' created successfully" % user["name"], out)
417 self._check_posix_user(user)
418 self.runsubcmd("user", "delete", user["name"])
420 # Check if overriding the attributes from NSS with explicit values works
422 # get a user with all random posix attributes
423 user = self._randomPosixUser({"name": u[0]})
424 # create a user with posix attributes from nss but override all of them with the
425 # random ones just obtained
426 (result, out, err) = self.runsubcmd("user", "create", user["name"], user["password"],
427 "--surname=%s" % user["surname"],
428 "--given-name=%s" % user["given-name"],
429 "--job-title=%s" % user["job-title"],
430 "--department=%s" % user["department"],
431 "--description=%s" % user["description"],
432 "--company=%s" % user["company"],
433 "--rfc2307-from-nss",
434 "--gecos=%s" % user["gecos"],
435 "--login-shell=%s" % user["loginShell"],
436 "--uid=%s" % user["uid"],
437 "--uid-number=%s" % user["uidNumber"],
438 "--gid-number=%s" % user["gidNumber"],
439 "-H", "ldap://%s" % os.environ["DC_SERVER"],
440 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
442 self.assertCmdSuccess(result, out, err)
443 self.assertEquals(err,"","Shouldn't be any error messages")
444 self.assertIn("User '%s' created successfully" % user["name"], out)
446 self._check_posix_user(user)
447 self.runsubcmd("user", "delete", user["name"])
449 def _randomUser(self, base={}):
450 """create a user with random attribute values, you can specify base attributes"""
452 "name": self.randomName(),
453 "password": self.randomPass(),
454 "surname": self.randomName(),
455 "given-name": self.randomName(),
456 "job-title": self.randomName(),
457 "department": self.randomName(),
458 "company": self.randomName(),
459 "description": self.randomName(count=100),
460 "createUserFn": self._create_user,
461 "checkUserFn": self._check_user,
466 def _randomPosixUser(self, base={}):
467 """create a user with random attribute values and additional RFC2307
468 attributes, you can specify base attributes"""
469 user = self._randomUser({})
472 "uid": self.randomName(),
473 "loginShell": self.randomName(),
474 "gecos": self.randomName(),
475 "uidNumber": self.randomXid(),
476 "gidNumber": self.randomXid(),
477 "createUserFn": self._create_posix_user,
478 "checkUserFn": self._check_posix_user,
480 user.update(posixAttributes)
484 def _check_user(self, user):
485 """ check if a user from SamDB has the same attributes as its template """
486 found = self._find_user(user["name"])
488 self.assertEquals("%s" % found.get("name"), "%(given-name)s %(surname)s" % user)
489 self.assertEquals("%s" % found.get("title"), user["job-title"])
490 self.assertEquals("%s" % found.get("company"), user["company"])
491 self.assertEquals("%s" % found.get("description"), user["description"])
492 self.assertEquals("%s" % found.get("department"), user["department"])
494 def _check_posix_user(self, user):
495 """ check if a posix_user from SamDB has the same attributes as its template """
496 found = self._find_user(user["name"])
498 self.assertEquals("%s" % found.get("loginShell"), user["loginShell"])
499 self.assertEquals("%s" % found.get("gecos"), user["gecos"])
500 self.assertEquals("%s" % found.get("uidNumber"), "%s" % user["uidNumber"])
501 self.assertEquals("%s" % found.get("gidNumber"), "%s" % user["gidNumber"])
502 self.assertEquals("%s" % found.get("uid"), user["uid"])
503 self._check_user(user)
505 def _create_user(self, user):
506 return self.runsubcmd("user", "create", user["name"], user["password"],
507 "--surname=%s" % user["surname"],
508 "--given-name=%s" % user["given-name"],
509 "--job-title=%s" % user["job-title"],
510 "--department=%s" % user["department"],
511 "--description=%s" % user["description"],
512 "--company=%s" % user["company"],
513 "-H", "ldap://%s" % os.environ["DC_SERVER"],
514 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
515 def _create_posix_user(self, user):
516 """ create a new user with RFC2307 attributes """
517 return self.runsubcmd("user", "create", user["name"], user["password"],
518 "--surname=%s" % user["surname"],
519 "--given-name=%s" % user["given-name"],
520 "--job-title=%s" % user["job-title"],
521 "--department=%s" % user["department"],
522 "--description=%s" % user["description"],
523 "--company=%s" % user["company"],
524 "--gecos=%s" % user["gecos"],
525 "--login-shell=%s" % user["loginShell"],
526 "--uid=%s" % user["uid"],
527 "--uid-number=%s" % user["uidNumber"],
528 "--gid-number=%s" % user["gidNumber"],
529 "-H", "ldap://%s" % os.environ["DC_SERVER"],
530 "-U%s%%%s" % (os.environ["DC_USERNAME"], os.environ["DC_PASSWORD"]))
532 def _find_user(self, name):
533 search_filter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (ldb.binary_encode(name), "CN=Person,CN=Schema,CN=Configuration", self.samdb.domain_dn())
534 userlist = self.samdb.search(base=self.samdb.domain_dn(),
535 scope=ldb.SCOPE_SUBTREE,
536 expression=search_filter, attrs=[])