class PassWordHashTests(TestCase):
def setUp(self):
+ self.lp = samba.tests.env_loadparm()
super(PassWordHashTests, self).setUp()
# Add a user to ldb, this will exercise the password_hash code
# and calculate the appropriate supplemental credentials
- def add_user(self, options=None, clear_text=False):
- self.lp = samba.tests.env_loadparm()
+ def add_user(self, options=None, clear_text=False, ldb=None):
# set any needed options
if options is not None:
for (option, value) in options:
self.lp.set(option, value)
- self.creds = Credentials()
- self.session = system_session()
- self.ldb = SamDB(
- session_info=self.session,
- credentials=self.creds,
- lp=self.lp)
+ if ldb is None:
+ self.creds = Credentials()
+ self.session = system_session()
+ self.creds.guess(self.lp)
+ self.session = system_session()
+ self.ldb = SamDB(session_info=self.session,
+ credentials=self.creds,
+ lp=self.lp)
+ else:
+ self.ldb = ldb
+
+ res = self.ldb.search(base=self.ldb.get_config_basedn(),
+ expression="ncName=%s" % self.ldb.get_default_basedn(),
+ attrs=["nETBIOSName"])
+ self.netbios_domain = res[0]["nETBIOSName"][0]
+ self.dns_domain = self.ldb.domain_dns_name()
+
# Gets back the basedn
base_dn = self.ldb.domain_dn()
# Using the n-1 pattern in the array indexes to make it easier
# to check the tests against the spec and the samba-tool user tests.
self.check_digest(USER_NAME,
- self.lp.get("workgroup"),
+ self.netbios_domain,
USER_PASS,
digests.hashes[1-1].hash)
self.check_digest(USER_NAME.lower(),
- self.lp.get("workgroup").lower(),
+ self.netbios_domain.lower(),
USER_PASS,
digests.hashes[2-1].hash)
self.check_digest(USER_NAME.upper(),
- self.lp.get("workgroup").upper(),
+ self.netbios_domain.upper(),
USER_PASS,
digests.hashes[3-1].hash)
self.check_digest(USER_NAME,
- self.lp.get("workgroup").upper(),
+ self.netbios_domain.upper(),
USER_PASS,
digests.hashes[4-1].hash)
self.check_digest(USER_NAME,
- self.lp.get("workgroup").lower(),
+ self.netbios_domain.lower(),
USER_PASS,
digests.hashes[5-1].hash)
self.check_digest(USER_NAME.upper(),
- self.lp.get("workgroup").lower(),
+ self.netbios_domain.lower(),
USER_PASS,
digests.hashes[6-1].hash)
self.check_digest(USER_NAME.lower(),
- self.lp.get("workgroup").upper(),
+ self.netbios_domain.upper(),
USER_PASS,
digests.hashes[7-1].hash)
self.check_digest(USER_NAME,
- self.lp.get("realm").lower(),
+ self.dns_domain,
USER_PASS,
digests.hashes[8-1].hash)
self.check_digest(USER_NAME.lower(),
- self.lp.get("realm").lower(),
+ self.dns_domain.lower(),
USER_PASS,
digests.hashes[9-1].hash)
self.check_digest(USER_NAME.upper(),
- self.lp.get("realm"),
+ self.dns_domain.upper(),
USER_PASS,
digests.hashes[10-1].hash)
self.check_digest(USER_NAME,
- self.lp.get("realm"),
+ self.dns_domain.upper(),
USER_PASS,
digests.hashes[11-1].hash)
self.check_digest(USER_NAME,
- self.lp.get("realm").lower(),
+ self.dns_domain.lower(),
USER_PASS,
digests.hashes[12-1].hash)
self.check_digest(USER_NAME.upper(),
- self.lp.get("realm").lower(),
+ self.dns_domain.lower(),
USER_PASS,
digests.hashes[13-1].hash)
self.check_digest(USER_NAME.lower(),
- self.lp.get("realm"),
+ self.dns_domain.upper(),
USER_PASS,
digests.hashes[14-1].hash)
self.check_digest(UPN,
USER_PASS,
digests.hashes[17-1].hash)
- name = "%s\\%s" % (self.lp.get("workgroup"), USER_NAME)
+ name = "%s\\%s" % (self.netbios_domain, USER_NAME)
self.check_digest(name,
"",
USER_PASS,
digests.hashes[18-1].hash)
- name = "%s\\%s" % (self.lp.get("workgroup").lower(), USER_NAME.lower())
+ name = "%s\\%s" % (self.netbios_domain.lower(), USER_NAME.lower())
self.check_digest(name,
"",
USER_PASS,
digests.hashes[19-1].hash)
- name = "%s\\%s" % (self.lp.get("workgroup").upper(), USER_NAME.upper())
+ name = "%s\\%s" % (self.netbios_domain.upper(), USER_NAME.upper())
self.check_digest(name,
"",
USER_PASS,
"Digest",
USER_PASS,
digests.hashes[26-1].hash)
- name = "%s\\%s" % (self.lp.get("workgroup"), USER_NAME)
+ name = "%s\\%s" % (self.netbios_domain, USER_NAME)
self.check_digest(name,
"Digest",
USER_PASS,
digests.hashes[27-1].hash)
- name = "%s\\%s" % (self.lp.get("workgroup").lower(), USER_NAME.lower())
+ name = "%s\\%s" % (self.netbios_domain.lower(), USER_NAME.lower())
self.check_digest(name,
"Digest",
USER_PASS,
digests.hashes[28-1].hash)
- name = "%s\\%s" % (self.lp.get("workgroup").upper(), USER_NAME.upper())
+ name = "%s\\%s" % (self.netbios_domain.upper(), USER_NAME.upper())
self.check_digest(name,
"Digest",
USER_PASS,
--- /dev/null
+# Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+#
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+
+These tests are designed to also run against Windows to confirm the values
+returned from Windows.
+
+To run against Windows:
+Set the following environment variables:
+ PASSWORD=Administrator password
+ USERNAME=Administrator
+ SMB_CONF_PATH=/dev/null
+ PYTHONPATH=bin/python
+ SERVER=Windows server IP
+
+ /usr/bin/python source4/scripting/bin/subunitrun
+ samba.tests.password_hash_ldap.PassWordHashLDAPTests
+ -U"Administrator%adminpassword"
+"""
+
+from samba.tests.password_hash import (
+ PassWordHashTests,
+ get_package,
+ USER_NAME,
+ USER_PASS
+)
+from samba.samdb import SamDB
+from samba.ndr import ndr_unpack
+from samba.dcerpc import drsblobs, drsuapi, misc
+from samba import drs_utils, net
+from samba.credentials import Credentials
+import binascii
+import os
+
+def attid_equal(a1, a2):
+ return (a1 & 0xffffffff) == (a2 & 0xffffffff)
+
+class PassWordHashLDAPTests(PassWordHashTests):
+
+ def setUp(self):
+ super(PassWordHashLDAPTests, self).setUp()
+
+ # Get the supplemental credentials for the user under test
+ def get_supplemental_creds_drs(self):
+ binding_str = "ncacn_ip_tcp:%s[seal]" % os.environ["SERVER"]
+ dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
+ drs = drsuapi.drsuapi(binding_str, self.get_loadparm(), self.creds)
+ (drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs)
+
+ req8 = drsuapi.DsGetNCChangesRequest8()
+
+ null_guid = misc.GUID()
+ req8.destination_dsa_guid = null_guid
+ req8.source_dsa_invocation_id = null_guid
+ req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
+ req8.naming_context.dn = unicode(dn)
+
+ req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
+ req8.highwatermark.tmp_highest_usn = 0
+ req8.highwatermark.reserved_usn = 0
+ req8.highwatermark.highest_usn = 0
+ req8.uptodateness_vector = None
+ req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
+ drsuapi.DRSUAPI_DRS_PER_SYNC |
+ drsuapi.DRSUAPI_DRS_GET_ANC |
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
+ drsuapi.DRSUAPI_DRS_WRIT_REP)
+ req8.max_object_count = 402
+ req8.max_ndr_size = 402116
+ req8.extended_op = drsuapi.DRSUAPI_EXOP_REPL_OBJ
+ req8.fsmo_info = 0
+ req8.partial_attribute_set = None
+ req8.partial_attribute_set_ex = None
+ req8.mapping_ctr.num_mappings = 0
+ req8.mapping_ctr.mappings = None
+ (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
+
+ obj_item = ctr.first_object
+ obj = obj_item.object
+
+ sc_blob = None
+
+ for i in range(0, obj.attribute_ctr.num_attributes):
+ attr = obj.attribute_ctr.attributes[i]
+ if attid_equal(attr.attid,
+ drsuapi.DRSUAPI_ATTID_supplementalCredentials):
+ net_ctx = net.Net(self.creds)
+ net_ctx.replicate_decrypt(drs, attr, 0)
+ sc_blob = attr.value_ctr.values[0].blob
+
+
+ sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
+ return sc
+
+ def test_wDigest_supplementalCredentials(self):
+ self.creds = Credentials()
+ self.creds.set_username(os.environ["USERNAME"])
+ self.creds.set_password(os.environ["PASSWORD"])
+ self.creds.guess(self.lp)
+ ldb = SamDB("ldap://" + os.environ["SERVER"],
+ credentials=self.creds,
+ lp=self.lp)
+
+ self.add_user(ldb=ldb)
+
+ sc = self.get_supplemental_creds_drs()
+
+ (pos, package) = get_package(sc, "Primary:WDigest")
+ self.assertEquals("Primary:WDigest", package.name)
+
+ # Check that the WDigest values are correct.
+ #
+ digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
+ binascii.a2b_hex(package.data))
+ self.check_wdigests(digests)
.user = &sAMAccountName_l,
.realm = &netbios_domain_u,
},
- /*
+ /*
* sAMAccountName, dns_domain
+ *
+ * TODO:
+ * Windows preserves the case of the DNS domain,
+ * Samba lower cases the domain at provision time
+ * This means that for mixed case Domains, the WDigest08 hash
+ * calculated by Samba differs from that calculated by Windows.
+ * Until we get a real world use case this will remain a known
+ * bug, as changing the case could have unforeseen impacts.
+ *
*/
{
.user = &sAMAccountName,
planoldpythontestsuite("fl2003dc:local",
"samba.tests.password_hash_fl2003",
extra_args=['-U"$USERNAME%$PASSWORD"'])
+# ad_dc: wDigest values over ldap
+planoldpythontestsuite("ad_dc",
+ "samba.tests.password_hash_ldap",
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.dnsserver", extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.raw_protocol", extra_args=['-U"$USERNAME%$PASSWORD"'])
plantestsuite_loadlist("samba4.ldap.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/ldap.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])