#!/usr/bin/env python3
# Unix SMB/CIFS implementation.
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
""" Tests for the Auth and AuthZ logging.
"""
import sys
# The in-tree python bindings live under bin/python; this has to happen
# before the first samba import below.
sys.path.insert(0, 'bin/python')

import os
import re
from subprocess import call

import samba.tests
from samba.dcerpc import srvsvc, dnsserver
# The SMB client tests use the s3 libsmb bindings, which need an s3 loadparm.
from samba.samba3 import libsmb_samba_internal as libsmb
from samba.samba3 import param as s3param
from samba.samdb import SamDB
import samba.tests.auth_log_base
from samba.credentials import DONT_USE_KERBEROS, MUST_USE_KERBEROS
from samba import NTSTATUSError
from ldb import LdbError
from samba.dcerpc.windows_event_ids import (
    EVT_ID_SUCCESSFUL_LOGON,
    EVT_ID_UNSUCCESSFUL_LOGON,
    EVT_LOGON_NETWORK,
    EVT_LOGON_INTERACTIVE,
    EVT_LOGON_NETWORK_CLEAR_TEXT
)


class AuthLogTests ( samba . tests . auth_log_base . AuthLogTestBase ) :
def setUp(self):
    """Set up the shared auth-log fixture and record the client address.

    ``CLIENT_IP`` must be present in the environment; a missing variable
    raises KeyError rather than silently running without a remote address.
    """
    super().setUp()
    client_ip = os.environ["CLIENT_IP"]
    self.remoteAddress = client_ip
def smb_connection(self, creds, use_spnego="yes", ntlmv2_auth="yes",
                   force_smb1=False):
    """Open an SMB connection to the server's sysvol share with ``creds``.

    The s3 libsmb bindings need an s3 loadparm, so a fresh s3 context is
    loaded from the s4 test loadparm's config file.  ``use_spnego`` and
    ``ntlmv2_auth`` are the yes/no strings the loadparm accepts; passing
    "no" lets a test case skip SPNEGO or fall back to NTLMv1.  The s3 lp
    context is global and a value set here is sticky across test cases,
    which is why both options are always set explicitly rather than only
    when a caller asks for a downgrade.  ``force_smb1`` is handed straight
    to libsmb.Conn.
    """
    s4_lp = self.get_loadparm()
    s3_lp = s3param.get_context()
    s3_lp.load(s4_lp.configfile)
    # Always (re)set both knobs: the previous test case may have lowered them.
    for option, value in (("client use spnego", use_spnego),
                          ("client ntlmv2 auth", ntlmv2_auth)):
        s3_lp.set(option, value)
    return libsmb.Conn(self.server, "sysvol",
                       lp=s3_lp, creds=creds, force_smb1=force_smb1)
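def _test_rpc_ncacn_np(self, authTypes, creds, service,
                       binding, protection, checkFunction):
    """Connect to ``service`` over ncacn_np and hand the auth log to ``checkFunction``.

    Args:
        authTypes: expected auth type/description per logged message;
            ``authTypes[0]`` is the authType of the final Authorization
            message that ends the wait.
        creds: credentials used for the connection.
        service: "dnsserver" or "srvsvc".
        binding: binding-string options such as "sign" or "smb2"; wrapped
            in brackets when non-empty.
        protection: expected transportProtection of the final Authorization.
        checkFunction: callback that asserts on the collected messages.

    Raises:
        ValueError: if ``service`` is not a supported pipe.  Previously an
            unknown service fell through to an UnboundLocalError on the
            connection variable, which hid the real mistake.
    """
    def isLastExpectedMessage(msg):
        return (msg["type"] == "Authorization" and
                (msg["Authorization"]["serviceDescription"] == "DCE/RPC" or
                 msg["Authorization"]["serviceDescription"] == service) and
                msg["Authorization"]["authType"] == authTypes[0] and
                msg["Authorization"]["transportProtection"] == protection)

    if binding:
        binding = "[%s]" % binding
    if service == "dnsserver":
        x = dnsserver.dnsserver("ncacn_np:%s%s" % (self.server, binding),
                                self.get_loadparm(),
                                creds)
    elif service == "srvsvc":
        x = srvsvc.srvsvc("ncacn_np:%s%s" % (self.server, binding),
                          self.get_loadparm(),
                          creds)
    else:
        raise ValueError("unsupported ncacn_np service: %r" % (service,))
    # The connection is passed to ensure the server
    # messaging context stays up until all the messages have been received.
    messages = self.waitForMessages(isLastExpectedMessage, x)
    checkFunction(messages, authTypes, service, binding, protection)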
def _assert_ncacn_np_serviceDescription(self, binding, serviceDescription):
    """Assert the logged SMB serviceDescription matches the dialect the binding asked for.

    ``binding`` is the bracketed option string ("[smb2,sign]", "" when no
    options were given).  An explicit "smb2" option must be logged as
    "SMB2", an explicit "smb1" as "SMB"; with neither, the dialect is
    negotiated and either value is acceptable.
    """
    # Split "[foo,bar]" on the brackets and commas; the split yields empty
    # strings around the brackets (and for "" itself), which are dropped.
    options = [part for part in re.split(r'[\[,\]]', binding) if part]
    if "smb2" in options:
        self.assertEqual(serviceDescription, "SMB2")
    elif "smb1" in options:
        self.assertEqual(serviceDescription, "SMB")
    else:
        self.assertIn(serviceDescription, ["SMB", "SMB2"])
def rpc_ncacn_np_ntlm_check(self, messages, authTypes, service,
                            binding, protection):
    """Assert the NTLM ncacn_np auth log sequence.

    ``authTypes`` holds one entry per expected message; authTypes[0] is the
    authType of the final Authorization the caller waited for.  Checked:
      0. SMB session-setup Authentication (authDescription authTypes[1]).
      1. SMB Authorization for the session (authType authTypes[2],
         transportProtection "SMB").
      2. Only when four messages are expected: the DCE/RPC-level
         Authentication (authTypes[3]), whose serviceDescription may be
         either "DCE/RPC" or the pipe name.
    With three expected messages the last one (the final Authorization) is
    only counted, not inspected.
    """
    expected_messages = len(authTypes)
    self.assertEqual(expected_messages, len(messages),
                     "Did not receive the expected number of messages")

    # Message 0: the SMB session setup.
    self.assertEqual("Authentication", messages[0]["type"])
    session_auth = messages[0]["Authentication"]
    self.assertEqual("NT_STATUS_OK", session_auth["status"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, session_auth["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, session_auth["logonType"])
    self._assert_ncacn_np_serviceDescription(
        binding, session_auth["serviceDescription"])
    self.assertEqual(authTypes[1], session_auth["authDescription"])

    # Message 1: the SMB-level Authorization for that session.
    self.assertEqual("Authorization", messages[1]["type"])
    session_authz = messages[1]["Authorization"]
    self._assert_ncacn_np_serviceDescription(
        binding, session_authz["serviceDescription"])
    self.assertEqual(authTypes[2], session_authz["authType"])
    self.assertEqual("SMB", session_authz["transportProtection"])
    self.assertTrue(self.is_guid(session_authz["sessionId"]))

    # Message 2 exists only for the four-message variants (signed bindings):
    # the DCE/RPC Authentication on top of the pipe.
    if expected_messages != 4:
        return
    self.assertEqual("Authentication", messages[2]["type"])
    rpc_auth = messages[2]["Authentication"]
    self.assertEqual("NT_STATUS_OK", rpc_auth["status"])
    self.assertIn(rpc_auth["serviceDescription"], ["DCE/RPC", service])
    self.assertEqual(authTypes[3], rpc_auth["authDescription"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, rpc_auth["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, rpc_auth["logonType"])
def rpc_ncacn_np_krb5_check(self, messages, authTypes, service,
                            binding, protection):
    """Assert the Kerberos ncacn_np auth log sequence.

    ``authTypes`` holds one entry per expected message; authTypes[0] is the
    authType of the final Authorization the caller waited for.  Checked:
      0. KDC Authentication that fails with NT_STATUS_PROTOCOL_UNREACHABLE
         (the "response too big" reply; the original comment reads this
         as the UDP attempt) and is logged as an unsuccessful logon.
      1. KDC Authentication that succeeds (the TCP retry).
      2. SMB Authorization for the pipe session (authType authTypes[3],
         transportProtection "SMB").
    """
    expected_messages = len(authTypes)
    self.assertEqual(expected_messages, len(messages),
                     "Did not receive the expected number of messages")

    # Message 0: the KDC exchange the server rejects as too big.
    self.assertEqual("Authentication", messages[0]["type"])
    first_kdc = messages[0]["Authentication"]
    self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE",  # RESPONSE_TOO_BIG
                     first_kdc["status"])
    self.assertEqual("Kerberos KDC", first_kdc["serviceDescription"])
    self.assertEqual(authTypes[1], first_kdc["authDescription"])
    self.assertEqual(EVT_ID_UNSUCCESSFUL_LOGON, first_kdc["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, first_kdc["logonType"])

    # Message 1: the retried KDC exchange, this time successful.
    self.assertEqual("Authentication", messages[1]["type"])
    retry_kdc = messages[1]["Authentication"]
    self.assertEqual("NT_STATUS_OK", retry_kdc["status"])
    self.assertEqual("Kerberos KDC", retry_kdc["serviceDescription"])
    self.assertEqual(authTypes[2], retry_kdc["authDescription"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, retry_kdc["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, retry_kdc["logonType"])

    # Message 2: the SMB-level Authorization for the pipe session.
    self.assertEqual("Authorization", messages[2]["type"])
    session_authz = messages[2]["Authorization"]
    self._assert_ncacn_np_serviceDescription(
        binding, session_authz["serviceDescription"])
    self.assertEqual(authTypes[3], session_authz["authType"])
    self.assertEqual("SMB", session_authz["transportProtection"])
    self.assertTrue(self.is_guid(session_authz["sessionId"]))
def test_rpc_ncacn_np_ntlm_dns_sign(self):
    """NTLMSSP to the dnsserver pipe over ncacn_np with a signed binding."""
    ntlm_creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
    # Four messages are expected and every one should report NTLMSSP.
    expected = ["NTLMSSP"] * 4
    self._test_rpc_ncacn_np(expected, ntlm_creds, "dnsserver",
                            "sign", "SIGN", self.rpc_ncacn_np_ntlm_check)
def test_rpc_ncacn_np_ntlm_srv_sign(self):
    """NTLMSSP to the srvsvc pipe over ncacn_np with a signed binding."""
    ntlm_creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
    # Four messages are expected and every one should report NTLMSSP.
    expected = ["NTLMSSP"] * 4
    self._test_rpc_ncacn_np(expected, ntlm_creds, "srvsvc",
                            "sign", "SIGN", self.rpc_ncacn_np_ntlm_check)
def test_rpc_ncacn_np_ntlm_dns(self):
    """NTLMSSP to the dnsserver pipe over ncacn_np with no binding options.

    Only three messages are expected here; the final Authorization is the
    plain "ncacn_np" one carrying SMB-level transport protection.
    """
    ntlm_creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
    expected = ["ncacn_np", "NTLMSSP", "NTLMSSP"]
    self._test_rpc_ncacn_np(expected, ntlm_creds, "dnsserver",
                            "", "SMB", self.rpc_ncacn_np_ntlm_check)
def test_rpc_ncacn_np_ntlm_srv(self):
    """NTLMSSP to the srvsvc pipe over ncacn_np with no binding options."""
    ntlm_creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
    # Three messages; the final Authorization is the plain ncacn_np one.
    expected = ["ncacn_np", "NTLMSSP", "NTLMSSP"]
    self._test_rpc_ncacn_np(expected, ntlm_creds, "srvsvc",
                            "", "SMB", self.rpc_ncacn_np_ntlm_check)
def test_rpc_ncacn_np_krb_dns_sign(self):
    """Kerberos to the dnsserver pipe over ncacn_np with a signed binding."""
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    # Two KDC pre-authentication exchanges, then the krb5 pipe Authorization.
    expected = ["krb5",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication",
                "krb5"]
    self._test_rpc_ncacn_np(expected, krb_creds, "dnsserver",
                            "sign", "SIGN", self.rpc_ncacn_np_krb5_check)
def test_rpc_ncacn_np_krb_srv_sign(self):
    """Kerberos to the srvsvc pipe over ncacn_np with a signed binding."""
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    # Two KDC pre-authentication exchanges, then the krb5 pipe Authorization.
    expected = ["krb5",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication",
                "krb5"]
    self._test_rpc_ncacn_np(expected, krb_creds, "srvsvc",
                            "sign", "SIGN", self.rpc_ncacn_np_krb5_check)
def test_rpc_ncacn_np_krb_dns(self):
    """Kerberos to the dnsserver pipe over ncacn_np, dialect negotiated."""
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    expected = ["ncacn_np",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication",
                "krb5"]
    self._test_rpc_ncacn_np(expected, krb_creds, "dnsserver",
                            "", "SMB", self.rpc_ncacn_np_krb5_check)
def test_rpc_ncacn_np_krb_dns_smb2(self):
    """Kerberos to the dnsserver pipe over ncacn_np, forcing the SMB2 dialect.

    The "smb2" binding option makes the serviceDescription check require
    "SMB2" rather than accepting either dialect.
    """
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    expected = ["ncacn_np",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication",
                "krb5"]
    self._test_rpc_ncacn_np(expected, krb_creds, "dnsserver",
                            "smb2", "SMB", self.rpc_ncacn_np_krb5_check)
def test_rpc_ncacn_np_krb_srv(self):
    """Kerberos to the srvsvc pipe over ncacn_np, dialect negotiated."""
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    expected = ["ncacn_np",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication",
                "krb5"]
    self._test_rpc_ncacn_np(expected, krb_creds, "srvsvc",
                            "", "SMB", self.rpc_ncacn_np_krb5_check)
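def _test_rpc_ncacn_ip_tcp(self, authTypes, creds, service,
                           binding, protection, checkFunction):
    """Connect to ``service`` over ncacn_ip_tcp and hand the auth log to ``checkFunction``.

    Args:
        authTypes: expected auth type/description per logged message;
            ``authTypes[0]`` is the authType of the final DCE/RPC
            Authorization message that ends the wait.
        creds: credentials used for the connection.
        service: "dnsserver" or "srvsvc".
        binding: binding-string options such as "sign", "seal" or
            "connect"; wrapped in brackets when non-empty.
        protection: expected transportProtection of the final Authorization.
        checkFunction: callback that asserts on the collected messages.

    Raises:
        ValueError: if ``service`` is not a supported interface.  Previously
            an unknown service fell through to an UnboundLocalError on the
            connection variable, which hid the real mistake.
    """
    def isLastExpectedMessage(msg):
        return (msg["type"] == "Authorization" and
                msg["Authorization"]["serviceDescription"] == "DCE/RPC" and
                msg["Authorization"]["authType"] == authTypes[0] and
                msg["Authorization"]["transportProtection"] == protection)

    if binding:
        binding = "[%s]" % binding
    if service == "dnsserver":
        conn = dnsserver.dnsserver(
            "ncacn_ip_tcp:%s%s" % (self.server, binding),
            self.get_loadparm(),
            creds)
    elif service == "srvsvc":
        conn = srvsvc.srvsvc("ncacn_ip_tcp:%s%s" % (self.server, binding),
                             self.get_loadparm(),
                             creds)
    else:
        raise ValueError("unsupported ncacn_ip_tcp service: %r" % (service,))

    # The connection is passed so it stays alive until all messages arrive.
    messages = self.waitForMessages(isLastExpectedMessage, conn)
    checkFunction(messages, authTypes, service, binding, protection)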
def rpc_ncacn_ip_tcp_ntlm_check(self, messages, authTypes, service,
                                binding, protection):
    """Assert the NTLM ncacn_ip_tcp auth log sequence.

    ``authTypes`` holds one entry per expected message; authTypes[0] is the
    authType of the final Authorization the caller waited for.  Checked:
      0. Authorization for the bare DCE/RPC transport (authType
         authTypes[1], transportProtection "NONE").
      1. DCE/RPC Authentication (authDescription authTypes[2]).
    The final Authorization is only counted, not inspected here.
    """
    expected_messages = len(authTypes)
    self.assertEqual(expected_messages, len(messages),
                     "Did not receive the expected number of messages")

    # Message 0: the transport-level Authorization before any auth happens.
    self.assertEqual("Authorization", messages[0]["type"])
    transport_authz = messages[0]["Authorization"]
    self.assertEqual("DCE/RPC", transport_authz["serviceDescription"])
    self.assertEqual(authTypes[1], transport_authz["authType"])
    self.assertEqual("NONE", transport_authz["transportProtection"])
    self.assertTrue(self.is_guid(transport_authz["sessionId"]))

    # Message 1: the NTLMSSP Authentication on the DCE/RPC connection.
    self.assertEqual("Authentication", messages[1]["type"])
    rpc_auth = messages[1]["Authentication"]
    self.assertEqual("NT_STATUS_OK", rpc_auth["status"])
    self.assertEqual("DCE/RPC", rpc_auth["serviceDescription"])
    self.assertEqual(authTypes[2], rpc_auth["authDescription"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, rpc_auth["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, rpc_auth["logonType"])
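def rpc_ncacn_ip_tcp_krb5_check(self, messages, authTypes, service,
                                binding, protection):
    """Assert the Kerberos ncacn_ip_tcp auth log sequence.

    ``authTypes`` holds one entry per expected message; authTypes[0] is the
    authType of the final Authorization the caller waited for.  Checked:
      0. Authorization for the bare DCE/RPC transport (authType
         authTypes[1], transportProtection "NONE").
      1. KDC Authentication that fails with NT_STATUS_PROTOCOL_UNREACHABLE
         (the "response too big" reply) and is logged as an unsuccessful
         logon (authDescription authTypes[2]).
      2. KDC Authentication that succeeds on retry (authDescription
         authTypes[3]).
    The final Authorization is only counted, not inspected here.
    """
    expected_messages = len(authTypes)
    self.assertEqual(expected_messages, len(messages),
                     "Did not receive the expected number of messages")

    # Message 0: the transport-level Authorization before any auth happens.
    self.assertEqual("Authorization", messages[0]["type"])
    transport_authz = messages[0]["Authorization"]
    self.assertEqual("DCE/RPC", transport_authz["serviceDescription"])
    self.assertEqual(authTypes[1], transport_authz["authType"])
    self.assertEqual("NONE", transport_authz["transportProtection"])
    self.assertTrue(self.is_guid(transport_authz["sessionId"]))

    # Message 1: the KDC exchange the server rejects as too big.
    self.assertEqual("Authentication", messages[1]["type"])
    first_kdc = messages[1]["Authentication"]
    self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE",  # RESPONSE_TOO_BIG
                     first_kdc["status"])
    self.assertEqual("Kerberos KDC", first_kdc["serviceDescription"])
    self.assertEqual(authTypes[2], first_kdc["authDescription"])
    self.assertEqual(EVT_ID_UNSUCCESSFUL_LOGON, first_kdc["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, first_kdc["logonType"])

    # Message 2: the retried KDC exchange, this time successful.
    self.assertEqual("Authentication", messages[2]["type"])
    retry_kdc = messages[2]["Authentication"]
    self.assertEqual("NT_STATUS_OK", retry_kdc["status"])
    self.assertEqual("Kerberos KDC", retry_kdc["serviceDescription"])
    # The retry is described by the fourth list entry.  The check used to
    # compare authTypes[2] a second time, leaving authTypes[3] unused; every
    # caller passes the same value in both slots, so this is compatible.
    self.assertEqual(authTypes[3], retry_kdc["authDescription"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, retry_kdc["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, retry_kdc["logonType"])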
def test_rpc_ncacn_ip_tcp_ntlm_dns_sign(self):
    """NTLMSSP to dnsserver over ncacn_ip_tcp with a signed binding."""
    ntlm_creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
    # Transport Authorization, NTLMSSP Authentication, final signed Authorization.
    expected = ["NTLMSSP", "ncacn_ip_tcp", "NTLMSSP"]
    self._test_rpc_ncacn_ip_tcp(expected, ntlm_creds, "dnsserver",
                                "sign", "SIGN",
                                self.rpc_ncacn_ip_tcp_ntlm_check)
def test_rpc_ncacn_ip_tcp_krb5_dns_sign(self):
    """Kerberos to dnsserver over ncacn_ip_tcp with a signed binding."""
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    expected = ["krb5",
                "ncacn_ip_tcp",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication"]
    self._test_rpc_ncacn_ip_tcp(expected, krb_creds, "dnsserver",
                                "sign", "SIGN",
                                self.rpc_ncacn_ip_tcp_krb5_check)
def test_rpc_ncacn_ip_tcp_ntlm_dns(self):
    """NTLMSSP to dnsserver over ncacn_ip_tcp with no binding options.

    No explicit protection is requested, yet the final Authorization is
    still expected to report "SIGN".
    """
    ntlm_creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
    expected = ["NTLMSSP", "ncacn_ip_tcp", "NTLMSSP"]
    self._test_rpc_ncacn_ip_tcp(expected, ntlm_creds, "dnsserver",
                                "", "SIGN",
                                self.rpc_ncacn_ip_tcp_ntlm_check)
def test_rpc_ncacn_ip_tcp_krb5_dns(self):
    """Kerberos to dnsserver over ncacn_ip_tcp with no binding options.

    No explicit protection is requested, yet the final Authorization is
    still expected to report "SIGN".
    """
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    expected = ["krb5",
                "ncacn_ip_tcp",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication"]
    self._test_rpc_ncacn_ip_tcp(expected, krb_creds, "dnsserver",
                                "", "SIGN",
                                self.rpc_ncacn_ip_tcp_krb5_check)
def test_rpc_ncacn_ip_tcp_ntlm_dns_connect(self):
    """NTLMSSP to dnsserver over ncacn_ip_tcp with connect-level auth.

    "connect" authenticates the connection but leaves the traffic
    unprotected, so the final Authorization must report "NONE".
    """
    ntlm_creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
    expected = ["NTLMSSP", "ncacn_ip_tcp", "NTLMSSP"]
    self._test_rpc_ncacn_ip_tcp(expected, ntlm_creds, "dnsserver",
                                "connect", "NONE",
                                self.rpc_ncacn_ip_tcp_ntlm_check)
def test_rpc_ncacn_ip_tcp_krb5_dns_connect(self):
    """Kerberos to dnsserver over ncacn_ip_tcp with connect-level auth.

    "connect" authenticates the connection but leaves the traffic
    unprotected, so the final Authorization must report "NONE".
    """
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    expected = ["krb5",
                "ncacn_ip_tcp",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication"]
    self._test_rpc_ncacn_ip_tcp(expected, krb_creds, "dnsserver",
                                "connect", "NONE",
                                self.rpc_ncacn_ip_tcp_krb5_check)
def test_rpc_ncacn_ip_tcp_ntlm_dns_seal(self):
    """NTLMSSP to dnsserver over ncacn_ip_tcp with a sealed (encrypted) binding."""
    ntlm_creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
    expected = ["NTLMSSP", "ncacn_ip_tcp", "NTLMSSP"]
    self._test_rpc_ncacn_ip_tcp(expected, ntlm_creds, "dnsserver",
                                "seal", "SEAL",
                                self.rpc_ncacn_ip_tcp_ntlm_check)
def test_rpc_ncacn_ip_tcp_krb5_dns_seal(self):
    """Kerberos to dnsserver over ncacn_ip_tcp with a sealed (encrypted) binding."""
    krb_creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=MUST_USE_KERBEROS)
    expected = ["krb5",
                "ncacn_ip_tcp",
                "ENC-TS Pre-authentication",
                "ENC-TS Pre-authentication"]
    self._test_rpc_ncacn_ip_tcp(expected, krb_creds, "dnsserver",
                                "seal", "SEAL",
                                self.rpc_ncacn_ip_tcp_krb5_check)
def test_ldap(self):
    """Kerberos LDAP bind: two KDC Authentications then a sealed LDAP Authorization.

    The wait ends on an Authorization for "LDAP" with authType "krb5" and
    transportProtection "SEAL"; three messages are expected in total and
    the two KDC Authentications preceding it are inspected.
    """
    def isLastExpectedMessage(msg):
        if msg["type"] != "Authorization":
            return False
        authz = msg["Authorization"]
        return (authz["serviceDescription"] == "LDAP" and
                authz["transportProtection"] == "SEAL" and
                authz["authType"] == "krb5")

    # Presumably kept on self so the connection stays open while the log
    # messages are collected — same reason the RPC helpers pass the
    # connection to waitForMessages.
    self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"],
                       lp=self.get_loadparm(),
                       credentials=self.get_credentials())
    messages = self.waitForMessages(isLastExpectedMessage)
    self.assertEqual(3, len(messages),
                     "Did not receive the expected number of messages")

    # Message 0: the KDC exchange rejected as too big (logged as
    # NT_STATUS_PROTOCOL_UNREACHABLE and as an unsuccessful logon).
    self.assertEqual("Authentication", messages[0]["type"])
    first_kdc = messages[0]["Authentication"]
    self.assertEqual("NT_STATUS_PROTOCOL_UNREACHABLE",  # RESPONSE_TOO_BIG
                     first_kdc["status"])
    self.assertEqual("Kerberos KDC", first_kdc["serviceDescription"])
    self.assertEqual("ENC-TS Pre-authentication", first_kdc["authDescription"])
    self.assertGreater(first_kdc["duration"], 0)
    self.assertEqual(EVT_ID_UNSUCCESSFUL_LOGON, first_kdc["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, first_kdc["logonType"])

    # Message 1: the retried KDC exchange, this time successful.
    self.assertEqual("Authentication", messages[1]["type"])
    retry_kdc = messages[1]["Authentication"]
    self.assertEqual("NT_STATUS_OK", retry_kdc["status"])
    self.assertEqual("Kerberos KDC", retry_kdc["serviceDescription"])
    self.assertEqual("ENC-TS Pre-authentication", retry_kdc["authDescription"])
    self.assertGreater(retry_kdc["duration"], 0)
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, retry_kdc["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, retry_kdc["logonType"])
def test_ldap_ntlm(self):
    """NTLMSSP LDAP bind: one LDAP Authentication then a sealed LDAP Authorization.

    Connecting by IP address (SERVER_IP) rather than host name is what
    steers the client away from Kerberos and onto NTLMSSP here.
    """
    def isLastExpectedMessage(msg):
        if msg["type"] != "Authorization":
            return False
        authz = msg["Authorization"]
        return (authz["serviceDescription"] == "LDAP" and
                authz["transportProtection"] == "SEAL" and
                authz["authType"] == "NTLMSSP")

    # Presumably kept on self so the connection stays open while the log
    # messages are collected.
    self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER_IP"],
                       lp=self.get_loadparm(),
                       credentials=self.get_credentials())
    messages = self.waitForMessages(isLastExpectedMessage)
    self.assertEqual(2, len(messages),
                     "Did not receive the expected number of messages")

    # Message 0: the NTLMSSP Authentication against the LDAP server itself.
    self.assertEqual("Authentication", messages[0]["type"])
    ldap_auth = messages[0]["Authentication"]
    self.assertEqual("NT_STATUS_OK", ldap_auth["status"])
    self.assertEqual("LDAP", ldap_auth["serviceDescription"])
    self.assertEqual("NTLMSSP", ldap_auth["authDescription"])
    self.assertGreater(ldap_auth["duration"], 0)
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, ldap_auth["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, ldap_auth["logonType"])
def test_ldap_simple_bind(self):
    """LDAP simple bind over ldaps.

    A simple bind sends the password itself inside the TLS tunnel, so the
    log must record transportProtection "TLS", authDescription
    "simple bind/TLS" and the clear-text network logon type rather than a
    plain network logon.
    """
    def isLastExpectedMessage(msg):
        if msg["type"] != "Authorization":
            return False
        authz = msg["Authorization"]
        return (authz["serviceDescription"] == "LDAP" and
                authz["transportProtection"] == "TLS" and
                authz["authType"] == "simple bind")

    creds = self.insta_creds(template=self.get_credentials())
    # Simple bind identifies the user by a DOMAIN\user bind DN.
    bind_dn = "%s\\%s" % (creds.get_domain(), creds.get_username())
    creds.set_bind_dn(bind_dn)
    # Presumably kept on self so the connection stays open while the log
    # messages are collected.
    self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
                       lp=self.get_loadparm(),
                       credentials=creds)
    messages = self.waitForMessages(isLastExpectedMessage)
    self.assertEqual(2, len(messages),
                     "Did not receive the expected number of messages")

    # Message 0: the simple-bind Authentication against the LDAP server.
    self.assertEqual("Authentication", messages[0]["type"])
    bind_auth = messages[0]["Authentication"]
    self.assertEqual("NT_STATUS_OK", bind_auth["status"])
    self.assertEqual("LDAP", bind_auth["serviceDescription"])
    self.assertEqual("simple bind/TLS", bind_auth["authDescription"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, bind_auth["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK_CLEAR_TEXT, bind_auth["logonType"])
2017-03-14 16:43:06 +13:00
2017-03-23 12:39:25 +13:00
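def test_ldap_simple_bind_bad_password(self):
    """A simple bind with a wrong password must be logged as a failure.

    Exactly one message is expected: an Authentication record carrying
    NT_STATUS_WRONG_PASSWORD and EVT_ID_UNSUCCESSFUL_LOGON, so that
    password guessing against LDAP is visible in the audit stream.
    The bind itself must raise LdbError.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authentication" and
                msg["Authentication"]["serviceDescription"] == "LDAP" and
                (msg["Authentication"]["status"] ==
                 "NT_STATUS_WRONG_PASSWORD") and
                (msg["Authentication"]["authDescription"] ==
                 "simple bind/TLS") and
                (msg["Authentication"]["eventId"] ==
                 EVT_ID_UNSUCCESSFUL_LOGON) and
                (msg["Authentication"]["logonType"] ==
                 EVT_LOGON_NETWORK_CLEAR_TEXT))

    creds = self.insta_creds(template=self.get_credentials())
    creds.set_password("badPassword")
    creds.set_bind_dn("%s\\%s" % (creds.get_domain(),
                                  creds.get_username()))
    # assertRaises replaces the manual thrown-flag bookkeeping and
    # reports a clearer failure if the bind unexpectedly succeeds.
    with self.assertRaises(LdbError):
        self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
                           lp=self.get_loadparm(),
                           credentials=creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")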
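def test_ldap_simple_bind_bad_user(self):
    """A simple bind for an unknown user must be logged as a failure.

    Exactly one message is expected: an Authentication record carrying
    NT_STATUS_NO_SUCH_USER and EVT_ID_UNSUCCESSFUL_LOGON.  The bind
    itself must raise LdbError.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authentication" and
                msg["Authentication"]["serviceDescription"] == "LDAP" and
                (msg["Authentication"]["status"] ==
                 "NT_STATUS_NO_SUCH_USER") and
                (msg["Authentication"]["authDescription"] ==
                 "simple bind/TLS") and
                (msg["Authentication"]["eventId"] ==
                 EVT_ID_UNSUCCESSFUL_LOGON) and
                (msg["Authentication"]["logonType"] ==
                 EVT_LOGON_NETWORK_CLEAR_TEXT))

    creds = self.insta_creds(template=self.get_credentials())
    # Keep the real domain, but bind as an account that does not exist.
    creds.set_bind_dn("%s\\%s" % (creds.get_domain(), "badUser"))
    # assertRaises replaces the manual thrown-flag bookkeeping and
    # reports a clearer failure if the bind unexpectedly succeeds.
    with self.assertRaises(LdbError):
        self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
                           lp=self.get_loadparm(),
                           credentials=creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")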
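def test_ldap_simple_bind_unparseable_user(self):
    """A simple bind with a malformed user part must be logged as a failure.

    The bind DN's user component ("abdcef") names no account; the
    server is expected to report it as NT_STATUS_NO_SUCH_USER, and
    exactly one Authentication record with EVT_ID_UNSUCCESSFUL_LOGON
    must be logged.  The bind itself must raise LdbError.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authentication" and
                msg["Authentication"]["serviceDescription"] == "LDAP" and
                (msg["Authentication"]["status"] ==
                 "NT_STATUS_NO_SUCH_USER") and
                (msg["Authentication"]["authDescription"] ==
                 "simple bind/TLS") and
                (msg["Authentication"]["eventId"] ==
                 EVT_ID_UNSUCCESSFUL_LOGON) and
                (msg["Authentication"]["logonType"] ==
                 EVT_LOGON_NETWORK_CLEAR_TEXT))

    creds = self.insta_creds(template=self.get_credentials())
    creds.set_bind_dn("%s\\%s" % (creds.get_domain(), "abdcef"))
    # assertRaises replaces the manual thrown-flag bookkeeping and
    # reports a clearer failure if the bind unexpectedly succeeds.
    with self.assertRaises(LdbError):
        self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
                           lp=self.get_loadparm(),
                           credentials=creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")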
#
# Note: as this test does not expect any messages it will
# time out in the call to self.waitForMessages.
# This is expected, but it will slow this test.
def test_ldap_anonymous_access_bind_only(self):
    """An anonymous bind on its own must not produce any log message.

    The predicate accepts every message, so anything that arrives is a
    failure.  Because nothing is expected, waitForMessages runs to its
    timeout, which makes this test slow by design.
    """
    creds = self.insta_creds(template=self.get_credentials())
    creds.set_anonymous()
    self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
                       lp=self.get_loadparm(),
                       credentials=creds)

    # Any message at all counts as "last expected" so the count below
    # catches it.
    messages = self.waitForMessages(lambda msg: True)
    self.assertEqual(0, len(messages),
                     "Did not receive the expected number of messages")
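def test_ldap_anonymous_access(self):
    """An anonymous LDAP search must be refused and logged as ANONYMOUS LOGON.

    The search is expected to raise LdbError, and exactly one message is
    expected: an Authorization record for the TLS-protected LDAP session
    with account "ANONYMOUS LOGON" and authType "no bind".
    """
    def is_final_message(msg):
        return (msg["type"] == "Authorization" and
                msg["Authorization"]["serviceDescription"] == "LDAP" and
                msg["Authorization"]["transportProtection"] == "TLS" and
                msg["Authorization"]["account"] == "ANONYMOUS LOGON" and
                msg["Authorization"]["authType"] == "no bind")

    creds = self.insta_creds(template=self.get_credentials())
    creds.set_anonymous()
    self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
                       lp=self.get_loadparm(),
                       credentials=creds)
    # assertRaises replaces the try/fail/except-pass pattern and gives
    # a clearer message if the anonymous search is wrongly permitted.
    with self.assertRaises(LdbError):
        self.samdb.search(base=self.samdb.domain_dn())

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")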
def test_smb(self):
    """A Kerberos-authenticated SMB session must be logged end to end.

    Three messages are expected: a failed KDC ENC-TS pre-authentication
    with NT_STATUS_PROTOCOL_UNREACHABLE (annotated as RESPONSE_TOO_BIG;
    presumably the UDP reply was too large and the client retried over
    TCP), the successful pre-authentication, and finally the SMB
    Authorization record with authType krb5 that ends the wait.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authorization" and
                "SMB" in msg["Authorization"]["serviceDescription"] and
                msg["Authorization"]["authType"] == "krb5" and
                msg["Authorization"]["transportProtection"] == "SMB")

    creds = self.insta_creds(template=self.get_credentials())
    self.smb_connection(creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(3, len(messages),
                     "Did not receive the expected number of messages")

    # The two KDC records differ only in status and event id.
    kdc_expectations = (
        (messages[0], "NT_STATUS_PROTOCOL_UNREACHABLE",  # RESPONSE_TOO_BIG
         EVT_ID_UNSUCCESSFUL_LOGON),
        (messages[1], "NT_STATUS_OK", EVT_ID_SUCCESSFUL_LOGON),
    )
    for record, status, event_id in kdc_expectations:
        self.assertEqual("Authentication", record["type"])
        details = record["Authentication"]
        self.assertEqual(status, details["status"])
        self.assertEqual("Kerberos KDC", details["serviceDescription"])
        self.assertEqual("ENC-TS Pre-authentication",
                         details["authDescription"])
        self.assertEqual(event_id, details["eventId"])
        self.assertEqual(EVT_LOGON_NETWORK, details["logonType"])
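def test_smb_bad_password(self):
    """A Kerberos SMB logon with a wrong password must be logged as a failure.

    Exactly one message is expected: a "Kerberos KDC" Authentication
    record for ENC-TS pre-authentication with NT_STATUS_WRONG_PASSWORD.
    The connection itself must raise NTSTATUSError.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authentication" and
                (msg["Authentication"]["serviceDescription"] ==
                 "Kerberos KDC") and
                (msg["Authentication"]["status"] ==
                 "NT_STATUS_WRONG_PASSWORD") and
                (msg["Authentication"]["authDescription"] ==
                 "ENC-TS Pre-authentication"))

    creds = self.insta_creds(template=self.get_credentials())
    # Forbid the NTLM fallback so the failure is attributed to the KDC.
    creds.set_kerberos_state(MUST_USE_KERBEROS)
    creds.set_password("badPassword")
    # assertRaises replaces the manual thrown-flag bookkeeping and
    # reports a clearer failure if the connection unexpectedly succeeds.
    with self.assertRaises(NTSTATUSError):
        self.smb_connection(creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")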
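def test_smb_bad_user(self):
    """A Kerberos SMB logon for an unknown user must be logged as a failure.

    Exactly one message is expected: a "Kerberos KDC" Authentication
    record for the AS-REQ with NT_STATUS_NO_SUCH_USER and
    EVT_ID_UNSUCCESSFUL_LOGON.  The connection itself must raise
    NTSTATUSError.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authentication" and
                (msg["Authentication"]["serviceDescription"] ==
                 "Kerberos KDC") and
                (msg["Authentication"]["status"] ==
                 "NT_STATUS_NO_SUCH_USER") and
                (msg["Authentication"]["authDescription"] ==
                 "AS-REQ") and
                (msg["Authentication"]["eventId"] ==
                 EVT_ID_UNSUCCESSFUL_LOGON) and
                (msg["Authentication"]["logonType"] ==
                 EVT_LOGON_NETWORK))

    creds = self.insta_creds(template=self.get_credentials())
    # Forbid the NTLM fallback so the failure is attributed to the KDC.
    creds.set_kerberos_state(MUST_USE_KERBEROS)
    creds.set_username("badUser")
    # assertRaises replaces the manual thrown-flag bookkeeping and
    # reports a clearer failure if the connection unexpectedly succeeds.
    with self.assertRaises(NTSTATUSError):
        self.smb_connection(creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")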
def test_smb1_anonymous(self):
    """An anonymous SMB1 session via smbclient must be logged.

    Three messages are expected: a failed NTLMSSP Authentication
    (NT_STATUS_NO_SUCH_USER, No-Password), a successful one that
    "became" ANONYMOUS LOGON, and finally the SMB Authorization record
    for the anonymous account that ends the wait.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authorization" and
                msg["Authorization"]["serviceDescription"] == "SMB" and
                msg["Authorization"]["authType"] == "NTLMSSP" and
                msg["Authorization"]["account"] == "ANONYMOUS LOGON" and
                msg["Authorization"]["transportProtection"] == "SMB")

    def check_ntlmssp_auth(record, status):
        # Fields common to both Authentication records.
        self.assertEqual("Authentication", record["type"])
        details = record["Authentication"]
        self.assertEqual(status, details["status"])
        self.assertEqual("SMB", details["serviceDescription"])
        self.assertEqual("NTLMSSP", details["authDescription"])
        self.assertEqual("No-Password", details["passwordType"])
        return details

    share = "//%s/IPC$" % os.environ["SERVER"]
    # -N: no password prompt (anonymous); -mNT1: force the SMB1 dialect.
    call(["bin/smbclient", share, "-N", "-mNT1", "-c quit"])

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(3, len(messages),
                     "Did not receive the expected number of messages")

    # First record: the anonymous attempt is initially rejected.
    details = check_ntlmssp_auth(messages[0], "NT_STATUS_NO_SUCH_USER")
    self.assertEqual(EVT_ID_UNSUCCESSFUL_LOGON, details["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, details["logonType"])

    # Second record: accepted and mapped to the anonymous account.
    details = check_ntlmssp_auth(messages[1], "NT_STATUS_OK")
    self.assertEqual("ANONYMOUS LOGON", details["becameAccount"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, details["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, details["logonType"])
def test_smb2_anonymous(self):
    """An anonymous SMB2/3 session via smbclient must be logged.

    Three messages are expected: a failed NTLMSSP Authentication
    (NT_STATUS_NO_SUCH_USER, No-Password), a successful one that
    "became" ANONYMOUS LOGON, and finally the SMB2 Authorization record
    for the anonymous account that ends the wait.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authorization" and
                msg["Authorization"]["serviceDescription"] == "SMB2" and
                msg["Authorization"]["authType"] == "NTLMSSP" and
                msg["Authorization"]["account"] == "ANONYMOUS LOGON" and
                msg["Authorization"]["transportProtection"] == "SMB")

    def check_ntlmssp_auth(record, status):
        # Fields common to both Authentication records.
        self.assertEqual("Authentication", record["type"])
        details = record["Authentication"]
        self.assertEqual(status, details["status"])
        self.assertEqual("SMB2", details["serviceDescription"])
        self.assertEqual("NTLMSSP", details["authDescription"])
        self.assertEqual("No-Password", details["passwordType"])
        return details

    share = "//%s/IPC$" % os.environ["SERVER"]
    # -N: no password prompt (anonymous); -mSMB3: negotiate SMB3.
    call(["bin/smbclient", share, "-N", "-mSMB3", "-c quit"])

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(3, len(messages),
                     "Did not receive the expected number of messages")

    # First record: the anonymous attempt is initially rejected.
    details = check_ntlmssp_auth(messages[0], "NT_STATUS_NO_SUCH_USER")
    self.assertEqual(EVT_ID_UNSUCCESSFUL_LOGON, details["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, details["logonType"])

    # Second record: accepted and mapped to the anonymous account.
    details = check_ntlmssp_auth(messages[1], "NT_STATUS_OK")
    self.assertEqual("ANONYMOUS LOGON", details["becameAccount"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, details["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, details["logonType"])
def test_smb_no_krb_spnego(self):
    """An NTLMSSP (SPNEGO, no Kerberos) SMB logon must be logged.

    Two messages are expected: the successful NTLMSSP Authentication
    with passwordType NTLMv2, then the SMB Authorization record with
    authType NTLMSSP that ends the wait.  The service description may
    be either "SMB" or "SMB2" depending on the negotiated dialect.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authorization" and
                "SMB" in msg["Authorization"]["serviceDescription"] and
                msg["Authorization"]["authType"] == "NTLMSSP" and
                msg["Authorization"]["transportProtection"] == "SMB")

    # Disabling Kerberos forces the client down the NTLMSSP path.
    creds = self.insta_creds(template=self.get_credentials(),
                             kerberos_state=DONT_USE_KERBEROS)
    self.smb_connection(creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(2, len(messages),
                     "Did not receive the expected number of messages")

    # The first record must be the successful NTLMSSP Authentication.
    first = messages[0]
    self.assertEqual("Authentication", first["type"])
    details = first["Authentication"]
    self.assertEqual("NT_STATUS_OK", details["status"])
    self.assertIn(details["serviceDescription"], ["SMB", "SMB2"])
    self.assertEqual("NTLMSSP", details["authDescription"])
    self.assertEqual("NTLMv2", details["passwordType"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, details["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, details["logonType"])
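def test_smb_no_krb_spnego_bad_password(self):
    """An NTLMSSP SMB logon with a wrong password must be logged as a failure.

    Exactly one message is expected: an NTLMSSP/NTLMv2 Authentication
    record with NT_STATUS_WRONG_PASSWORD and EVT_ID_UNSUCCESSFUL_LOGON.
    The connection itself must raise NTSTATUSError.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authentication" and
                "SMB" in msg["Authentication"]["serviceDescription"] and
                msg["Authentication"]["authDescription"] == "NTLMSSP" and
                msg["Authentication"]["passwordType"] == "NTLMv2" and
                (msg["Authentication"]["status"] ==
                 "NT_STATUS_WRONG_PASSWORD") and
                (msg["Authentication"]["eventId"] ==
                 EVT_ID_UNSUCCESSFUL_LOGON) and
                (msg["Authentication"]["logonType"] ==
                 EVT_LOGON_NETWORK))

    # Disabling Kerberos forces the client down the NTLMSSP path.
    creds = self.insta_creds(template=self.get_credentials(),
                             kerberos_state=DONT_USE_KERBEROS)
    creds.set_password("badPassword")
    # assertRaises replaces the manual thrown-flag bookkeeping and
    # reports a clearer failure if the connection unexpectedly succeeds.
    with self.assertRaises(NTSTATUSError):
        self.smb_connection(creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")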
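def test_smb_no_krb_spnego_bad_user(self):
    """An NTLMSSP SMB logon for an unknown user must be logged as a failure.

    Exactly one message is expected: an NTLMSSP/NTLMv2 Authentication
    record with NT_STATUS_NO_SUCH_USER and EVT_ID_UNSUCCESSFUL_LOGON.
    The connection itself must raise NTSTATUSError.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authentication" and
                "SMB" in msg["Authentication"]["serviceDescription"] and
                msg["Authentication"]["authDescription"] == "NTLMSSP" and
                msg["Authentication"]["passwordType"] == "NTLMv2" and
                (msg["Authentication"]["status"] ==
                 "NT_STATUS_NO_SUCH_USER") and
                (msg["Authentication"]["eventId"] ==
                 EVT_ID_UNSUCCESSFUL_LOGON) and
                (msg["Authentication"]["logonType"] ==
                 EVT_LOGON_NETWORK))

    # Disabling Kerberos forces the client down the NTLMSSP path.
    creds = self.insta_creds(template=self.get_credentials(),
                             kerberos_state=DONT_USE_KERBEROS)
    creds.set_username("badUser")
    # assertRaises replaces the manual thrown-flag bookkeeping and
    # reports a clearer failure if the connection unexpectedly succeeds.
    with self.assertRaises(NTSTATUSError):
        self.smb_connection(creds)

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")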
def test_smb_no_krb_no_spnego_no_ntlmv2(self):
    """A bare-NTLM (NTLMv1, no SPNEGO) SMB1 logon must be logged as such.

    The connection is forced to SMB1 with SPNEGO and NTLMv2 disabled so
    that the server sees bare NTLM.  Two messages are expected: the
    successful bare-NTLM Authentication with passwordType NTLMv1, then
    the SMB Authorization record with authType bare-NTLM that ends the
    wait.  Logging the weaker NTLMv1 exchange distinctly is what lets an
    auditor spot legacy clients.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authorization" and
                msg["Authorization"]["serviceDescription"] == "SMB" and
                msg["Authorization"]["authType"] == "bare-NTLM" and
                msg["Authorization"]["transportProtection"] == "SMB")

    creds = self.insta_creds(template=self.get_credentials(),
                             kerberos_state=DONT_USE_KERBEROS)
    # ntlmv2_auth/use_spnego take "yes"/"no" strings, not booleans;
    # they are applied through the (global) loadparm context.
    self.smb_connection(creds,
                        force_smb1=True,
                        ntlmv2_auth="no",
                        use_spnego="no")

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(2, len(messages),
                     "Did not receive the expected number of messages")

    # The first record must be the successful bare-NTLM Authentication.
    first = messages[0]
    self.assertEqual("Authentication", first["type"])
    details = first["Authentication"]
    for field, expected in (("status", "NT_STATUS_OK"),
                            ("serviceDescription", "SMB"),
                            ("authDescription", "bare-NTLM"),
                            ("passwordType", "NTLMv1")):
        self.assertEqual(expected, details[field])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON, details["eventId"])
    self.assertEqual(EVT_LOGON_NETWORK, details["logonType"])
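def test_smb_no_krb_no_spnego_no_ntlmv2_bad_password(self):
    """A bare-NTLM SMB1 logon with a wrong password must be logged as a failure.

    Exactly one message is expected: a bare-NTLM/NTLMv1 Authentication
    record with NT_STATUS_WRONG_PASSWORD and EVT_ID_UNSUCCESSFUL_LOGON.
    The connection itself must raise NTSTATUSError.
    """
    def is_final_message(msg):
        return (msg["type"] == "Authentication" and
                msg["Authentication"]["serviceDescription"] == "SMB" and
                msg["Authentication"]["authDescription"] == "bare-NTLM" and
                msg["Authentication"]["passwordType"] == "NTLMv1" and
                (msg["Authentication"]["status"] ==
                 "NT_STATUS_WRONG_PASSWORD") and
                (msg["Authentication"]["eventId"] ==
                 EVT_ID_UNSUCCESSFUL_LOGON) and
                (msg["Authentication"]["logonType"] ==
                 EVT_LOGON_NETWORK))

    creds = self.insta_creds(template=self.get_credentials(),
                             kerberos_state=DONT_USE_KERBEROS)
    creds.set_password("badPassword")
    # assertRaises replaces the manual thrown-flag bookkeeping and
    # reports a clearer failure if the connection unexpectedly succeeds.
    # ntlmv2_auth/use_spnego take "yes"/"no" strings, not booleans.
    with self.assertRaises(NTSTATUSError):
        self.smb_connection(creds,
                            force_smb1=True,
                            ntlmv2_auth="no",
                            use_spnego="no")

    messages = self.waitForMessages(is_final_message)
    self.assertEqual(1, len(messages),
                     "Did not receive the expected number of messages")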
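def test_smb_no_krb_no_spnego_no_ntlmv2_bad_user(self):
    """A bare-NTLMv1 SMB1 logon for an unknown user is logged as a failure.

    The client is pushed onto the weakest legacy path (no Kerberos, no
    SPNEGO, no NTLMv2, SMB1 forced) so the server sees a bare NTLMv1
    exchange. The connection attempt must raise NTSTATUSError, and exactly
    one ``Authentication`` record is expected: service ``SMB``, auth
    ``bare-NTLM``, password type ``NTLMv1``, status
    ``NT_STATUS_NO_SUCH_USER``, the unsuccessful-logon event id and the
    network logon type.
    """

    def isLastExpectedMessage(msg):
        # Only Authentication records carry the "Authentication" sub-dict,
        # so check the type before touching it.
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        return (auth["serviceDescription"] == "SMB" and
                auth["authDescription"] == "bare-NTLM" and
                auth["passwordType"] == "NTLMv1" and
                auth["status"] == "NT_STATUS_NO_SUCH_USER" and
                auth["eventId"] == EVT_ID_UNSUCCESSFUL_LOGON and
                auth["logonType"] == EVT_LOGON_NETWORK)

    # Start from the harness credentials and swap in a username that does
    # not exist; the template's password is kept, so only the user is wrong.
    creds = self.insta_creds(template=self.get_credentials(),
                             kerberos_state=DONT_USE_KERBEROS)
    creds.set_username("badUser")

    # The legacy knobs are passed as loadparm-style "no" strings rather than
    # booleans. NOTE(review): smb_connection is defined elsewhere in this
    # file; these settings may be applied to a shared client loadparm and
    # persist into later SMB tests -- confirm there before reordering tests.
    with self.assertRaises(NTSTATUSError):
        self.smb_connection(creds,
                            force_smb1=True,
                            ntlmv2_auth="no",
                            use_spnego="no")

    messages = self.waitForMessages(isLastExpectedMessage)
    self.assertEqual(1,
                     len(messages),
                     "Did not receive the expected number of messages")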
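def test_samlogon_interactive(self):
    """A successful interactive SamLogon (driven via rpcclient) is logged.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``interactive`` auth, ``NT_STATUS_OK``, the
    workstation name prefixed by two backslashes, the successful-logon
    event id and the interactive logon type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "interactive",
        "status": "NT_STATUS_OK",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_SUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_INTERACTIVE,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    user = os.environ["USERNAME"]
    password = os.environ["PASSWORD"]
    # Trailing 1 selects the interactive logon; the network tests pass 2.
    samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # test user's credentials travel inside the samlogon request. Note the
    # password is also visible in rpcclient's argv to other local processes,
    # which is acceptable only in the selftest environment.
    # The auth log, not rpcclient's exit status, is the oracle here.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")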
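def test_samlogon_interactive_bad_password(self):
    """An interactive SamLogon with a wrong password is logged as a failure.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``interactive`` auth, status
    ``NT_STATUS_WRONG_PASSWORD``, the workstation name prefixed by two
    backslashes, the unsuccessful-logon event id and the interactive
    logon type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "interactive",
        "status": "NT_STATUS_WRONG_PASSWORD",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_UNSUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_INTERACTIVE,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    user = os.environ["USERNAME"]
    # Valid user, deliberately wrong password.
    password = "badPassword"
    # Trailing 1 selects the interactive logon; the network tests pass 2.
    samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # credentials under test travel inside the samlogon request itself.
    # rpcclient is expected to report a failure; the auth log is the oracle.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")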
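def test_samlogon_interactive_bad_user(self):
    """An interactive SamLogon for an unknown user is logged as a failure.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``interactive`` auth, status
    ``NT_STATUS_NO_SUCH_USER``, the workstation name prefixed by two
    backslashes, the unsuccessful-logon event id and the interactive
    logon type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "interactive",
        "status": "NT_STATUS_NO_SUCH_USER",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_UNSUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_INTERACTIVE,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    # Nonexistent user with the harness password: only the user is wrong.
    user = "badUser"
    password = os.environ["PASSWORD"]
    # Trailing 1 selects the interactive logon; the network tests pass 2.
    samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # credentials under test travel inside the samlogon request itself.
    # rpcclient is expected to report a failure; the auth log is the oracle.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")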
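def test_samlogon_network(self):
    """A successful network SamLogon (driven via rpcclient) is logged.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``network`` auth, ``NT_STATUS_OK``, the
    workstation name prefixed by two backslashes, the successful-logon
    event id and the network logon type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "network",
        "status": "NT_STATUS_OK",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_SUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_NETWORK,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    user = os.environ["USERNAME"]
    password = os.environ["PASSWORD"]
    # Trailing 2 selects the network logon; the interactive tests pass 1.
    samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # test user's credentials travel inside the samlogon request. Note the
    # password is also visible in rpcclient's argv to other local processes,
    # which is acceptable only in the selftest environment.
    # The auth log, not rpcclient's exit status, is the oracle here.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")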
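def test_samlogon_network_bad_password(self):
    """A network SamLogon with a wrong password is logged as a failure.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``network`` auth, status
    ``NT_STATUS_WRONG_PASSWORD``, the workstation name prefixed by two
    backslashes, the unsuccessful-logon event id and the network logon
    type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "network",
        "status": "NT_STATUS_WRONG_PASSWORD",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_UNSUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_NETWORK,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    user = os.environ["USERNAME"]
    # Valid user, deliberately wrong password.
    password = "badPassword"
    # Trailing 2 selects the network logon; the interactive tests pass 1.
    samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # credentials under test travel inside the samlogon request itself.
    # rpcclient is expected to report a failure; the auth log is the oracle.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")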
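def test_samlogon_network_bad_user(self):
    """A network SamLogon for an unknown user is logged as a failure.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``network`` auth, status
    ``NT_STATUS_NO_SUCH_USER``, the workstation name prefixed by two
    backslashes, the unsuccessful-logon event id and the network logon
    type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "network",
        "status": "NT_STATUS_NO_SUCH_USER",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_UNSUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_NETWORK,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    # Nonexistent user with the harness password: only the user is wrong.
    user = "badUser"
    password = os.environ["PASSWORD"]
    # Trailing 2 selects the network logon; the interactive tests pass 1.
    samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # credentials under test travel inside the samlogon request itself.
    # rpcclient is expected to report a failure; the auth log is the oracle.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")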
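def test_samlogon_network_mschap(self):
    """A successful MSCHAPv2 network SamLogon is logged with that type.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``network`` auth, ``NT_STATUS_OK``, password
    type ``MSCHAPv2``, the workstation name prefixed by two backslashes,
    the successful-logon event id and the network logon type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "network",
        "status": "NT_STATUS_OK",
        "passwordType": "MSCHAPv2",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_SUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_NETWORK,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    user = os.environ["USERNAME"]
    password = os.environ["PASSWORD"]
    # Trailing 2 selects the network logon; the extra 0x00010000 argument is
    # what makes the server record passwordType MSCHAPv2 (presumably a logon
    # flag understood by rpcclient's samlogon command -- verify there).
    samlogon = "samlogon %s %s %s %d 0x00010000" % (
        user, password, workstation, 2)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # test user's credentials travel inside the samlogon request. Note the
    # password is also visible in rpcclient's argv to other local processes,
    # which is acceptable only in the selftest environment.
    # The auth log, not rpcclient's exit status, is the oracle here.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")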
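def test_samlogon_network_mschap_bad_password(self):
    """An MSCHAPv2 network SamLogon with a wrong password is logged as failed.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``network`` auth, status
    ``NT_STATUS_WRONG_PASSWORD``, password type ``MSCHAPv2``, the
    workstation name prefixed by two backslashes, the unsuccessful-logon
    event id and the network logon type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "network",
        "status": "NT_STATUS_WRONG_PASSWORD",
        "passwordType": "MSCHAPv2",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_UNSUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_NETWORK,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    user = os.environ["USERNAME"]
    # Valid user, deliberately wrong password.
    password = "badPassword"
    # Trailing 2 selects the network logon; the extra 0x00010000 argument is
    # what makes the server record passwordType MSCHAPv2 (presumably a logon
    # flag understood by rpcclient's samlogon command -- verify there).
    samlogon = "samlogon %s %s %s %d 0x00010000" % (
        user, password, workstation, 2)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # credentials under test travel inside the samlogon request itself.
    # rpcclient is expected to report a failure; the auth log is the oracle.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")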
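def test_samlogon_network_mschap_bad_user(self):
    """An MSCHAPv2 network SamLogon for an unknown user is logged as failed.

    The last expected record is an ``Authentication`` message for the
    ``SamLogon`` service with ``network`` auth, status
    ``NT_STATUS_NO_SUCH_USER``, password type ``MSCHAPv2``, the
    workstation name prefixed by two backslashes, the unsuccessful-logon
    event id and the network logon type.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "network",
        "status": "NT_STATUS_NO_SUCH_USER",
        "passwordType": "MSCHAPv2",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_UNSUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_NETWORK,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    # Nonexistent user with the harness password: only the user is wrong.
    user = "badUser"
    password = os.environ["PASSWORD"]
    # Trailing 2 selects the network logon; the extra 0x00010000 argument is
    # what makes the server record passwordType MSCHAPv2 (presumably a logon
    # flag understood by rpcclient's samlogon command -- verify there).
    samlogon = "samlogon %s %s %s %d 0x00010000" % (
        user, password, workstation, 2)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # credentials under test travel inside the samlogon request itself.
    # rpcclient is expected to report a failure; the auth log is the oracle.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")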
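def test_samlogon_schannel_seal(self):
    """A network SamLogon over a sealed schannel is logged with SEAL.

    Besides the usual final ``Authentication`` record (``SamLogon``,
    ``network``, ``NT_STATUS_OK``, workstation prefixed by two backslashes,
    successful-logon event id, network logon type), the second-to-last
    record must be a ``DCE/RPC`` ``Authorization`` whose authType is
    ``schannel``, whose transportProtection is ``SEAL`` and whose sessionId
    is a GUID.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "network",
        "status": "NT_STATUS_OK",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_SUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_NETWORK,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    user = os.environ["USERNAME"]
    password = os.environ["PASSWORD"]
    # "schannel;" first switches rpcclient onto a (sealed) schannel bind,
    # then the samlogon runs over it.
    samlogon = "schannel;samlogon %s %s %s" % (user, password, workstation)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # test user's credentials travel inside the samlogon request. Note the
    # password is also visible in rpcclient's argv to other local processes,
    # which is acceptable only in the selftest environment.
    # The auth log, not rpcclient's exit status, is the oracle here.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")

    # The second-to-last record is the DCE/RPC authorization for the schannel
    # bind; it is the one that must show SEAL-level transport protection.
    authz = messages[-2]
    self.assertEqual("Authorization", authz["type"])
    self.assertEqual("DCE/RPC",
                     authz["Authorization"]["serviceDescription"])
    self.assertEqual("schannel", authz["Authorization"]["authType"])
    self.assertEqual("SEAL", authz["Authorization"]["transportProtection"])
    self.assertTrue(self.is_guid(authz["Authorization"]["sessionId"]))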
# Signed logons get promoted to sealed, this test ensures that
# this behaviour is not removed accidentally
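def test_samlogon_schannel_sign(self):
    """A sign-only schannel SamLogon is still logged with SEAL protection.

    The client asks for a signed (not sealed) schannel bind via
    ``schannelsign``, yet the second-to-last record must be a ``DCE/RPC``
    ``Authorization`` with authType ``schannel`` and transportProtection
    ``SEAL``: signed logons are promoted to sealed, and this test pins that
    hardening so it is not removed accidentally. The final record is the
    usual successful ``SamLogon`` ``network`` ``Authentication`` message.
    """
    workstation = "AuthLogTests"
    # Fields of the Authentication sub-dict, in the order they are compared.
    expected = {
        "serviceDescription": "SamLogon",
        "authDescription": "network",
        "status": "NT_STATUS_OK",
        "workstation": r"\\%s" % workstation,
        "eventId": EVT_ID_SUCCESSFUL_LOGON,
        "logonType": EVT_LOGON_NETWORK,
    }

    def isLastExpectedMessage(msg):
        if msg["type"] != "Authentication":
            return False
        auth = msg["Authentication"]
        # all() stops at the first mismatch, like the original and-chain.
        return all(auth[key] == value for key, value in expected.items())

    server = os.environ["SERVER"]
    user = os.environ["USERNAME"]
    password = os.environ["PASSWORD"]
    # "schannelsign;" requests a sign-only schannel bind before the samlogon.
    samlogon = "schannelsign;samlogon %s %s %s" % (
        user, password, workstation)
    # -U% (empty user and password) makes rpcclient bind anonymously; the
    # test user's credentials travel inside the samlogon request. Note the
    # password is also visible in rpcclient's argv to other local processes,
    # which is acceptable only in the selftest environment.
    # The auth log, not rpcclient's exit status, is the oracle here.
    call(["bin/rpcclient", "-c", samlogon, "-U%", server])

    messages = self.waitForMessages(isLastExpectedMessage)
    messages = self.remove_netlogon_messages(messages)
    # Either 4 or 5 records remain once the NETLOGON ones are stripped; both
    # counts are accepted (tolerance kept from the original check).
    self.assertIn(len(messages), (4, 5),
                  "Did not receive the expected number of messages")

    # The second-to-last record is the DCE/RPC authorization for the schannel
    # bind. Although only SIGN was requested, SEAL is expected here: a
    # weaker answer would mean the sign-to-seal promotion has regressed.
    authz = messages[-2]
    self.assertEqual("Authorization", authz["type"])
    self.assertEqual("DCE/RPC",
                     authz["Authorization"]["serviceDescription"])
    self.assertEqual("schannel", authz["Authorization"]["authType"])
    self.assertEqual("SEAL", authz["Authorization"]["transportProtection"])
    self.assertTrue(self.is_guid(authz["Authorization"]["sessionId"]))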
if __name__ == '__main__':
    # Allow this module to be run directly as a script; the import is kept
    # local so it only happens in that case.
    import unittest
    unittest.main()