python:tests: let auth_log.py explicitly use --option=clientusekrb5netlogon=no
It also adds some additional checks to make sure netlogon with AES was used. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
@@ -24,7 +24,7 @@ import sys
|
||||
sys.path.insert(0, 'bin/python')
|
||||
|
||||
import samba.tests
|
||||
from samba.dcerpc import srvsvc, dnsserver
|
||||
from samba.dcerpc import srvsvc, dnsserver, netlogon
|
||||
import os
|
||||
from samba.samba3 import libsmb_samba_internal as libsmb
|
||||
from samba.samba3 import param as s3param
|
||||
@@ -45,6 +45,32 @@ import re
|
||||
|
||||
|
||||
class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
netlogon_aes_flags = (
|
||||
netlogon.NETLOGON_NEG_ACCOUNT_LOCKOUT |
|
||||
netlogon.NETLOGON_NEG_PERSISTENT_SAMREPL |
|
||||
netlogon.NETLOGON_NEG_ARCFOUR |
|
||||
netlogon.NETLOGON_NEG_PROMOTION_COUNT |
|
||||
netlogon.NETLOGON_NEG_CHANGELOG_BDC |
|
||||
netlogon.NETLOGON_NEG_FULL_SYNC_REPL |
|
||||
netlogon.NETLOGON_NEG_MULTIPLE_SIDS |
|
||||
netlogon.NETLOGON_NEG_REDO |
|
||||
netlogon.NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
|
||||
netlogon.NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
|
||||
netlogon.NETLOGON_NEG_GENERIC_PASSTHROUGH |
|
||||
netlogon.NETLOGON_NEG_CONCURRENT_RPC |
|
||||
netlogon.NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
|
||||
netlogon.NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
|
||||
netlogon.NETLOGON_NEG_STRONG_KEYS |
|
||||
netlogon.NETLOGON_NEG_TRANSITIVE_TRUSTS |
|
||||
netlogon.NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
|
||||
netlogon.NETLOGON_NEG_PASSWORD_SET2 |
|
||||
netlogon.NETLOGON_NEG_GETDOMAININFO |
|
||||
netlogon.NETLOGON_NEG_CROSS_FOREST_TRUSTS |
|
||||
netlogon.NETLOGON_NEG_SUPPORTS_AES |
|
||||
netlogon.NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
|
||||
netlogon.NETLOGON_NEG_AUTHENTICATED_RPC)
|
||||
# "0x610FFFFF"
|
||||
netlogon_aes_flags_str = "0x%08X" % netlogon_aes_flags
|
||||
|
||||
def setUp(self):
|
||||
super().setUp()
|
||||
@@ -1129,7 +1155,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
password = os.environ["PASSWORD"]
|
||||
samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1137,6 +1164,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertIn(received, [4, 5],
|
||||
"Did not receive the expected number of messages")
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
def test_samlogon_interactive_bad_password(self):
|
||||
|
||||
workstation = "AuthLogTests"
|
||||
@@ -1161,7 +1193,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
password = "badPassword"
|
||||
samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1169,6 +1202,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertIn(received, [4, 5],
|
||||
"Did not receive the expected number of messages")
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
def test_samlogon_interactive_bad_user(self):
|
||||
|
||||
workstation = "AuthLogTests"
|
||||
@@ -1193,7 +1231,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
password = os.environ["PASSWORD"]
|
||||
samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1201,6 +1240,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertIn(received, [4, 5],
|
||||
"Did not receive the expected number of messages")
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
def test_samlogon_network(self):
|
||||
|
||||
workstation = "AuthLogTests"
|
||||
@@ -1223,7 +1267,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
password = os.environ["PASSWORD"]
|
||||
samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1231,6 +1276,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertIn(received, [4, 5],
|
||||
"Did not receive the expected number of messages")
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
def test_samlogon_network_bad_password(self):
|
||||
|
||||
workstation = "AuthLogTests"
|
||||
@@ -1254,7 +1304,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
password = "badPassword"
|
||||
samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1285,7 +1336,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
password = os.environ["PASSWORD"]
|
||||
samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1293,6 +1345,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertIn(received, [4, 5],
|
||||
"Did not receive the expected number of messages")
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
def test_samlogon_network_mschap(self):
|
||||
|
||||
workstation = "AuthLogTests"
|
||||
@@ -1317,7 +1374,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
samlogon = "samlogon %s %s %s %d 0x00010000" % (
|
||||
user, password, workstation, 2)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1325,6 +1383,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertIn(received, [4, 5],
|
||||
"Did not receive the expected number of messages")
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
def test_samlogon_network_mschap_bad_password(self):
|
||||
|
||||
workstation = "AuthLogTests"
|
||||
@@ -1350,7 +1413,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
samlogon = "samlogon %s %s %s %d 0x00010000" % (
|
||||
user, password, workstation, 2)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1358,6 +1422,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertIn(received, [4, 5],
|
||||
"Did not receive the expected number of messages")
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
def test_samlogon_network_mschap_bad_user(self):
|
||||
|
||||
workstation = "AuthLogTests"
|
||||
@@ -1383,7 +1452,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
samlogon = "samlogon %s %s %s %d 0x00010000" % (
|
||||
user, password, workstation, 2)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1391,6 +1461,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertIn(received, [4, 5],
|
||||
"Did not receive the expected number of messages")
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
def test_samlogon_schannel_seal(self):
|
||||
|
||||
workstation = "AuthLogTests"
|
||||
@@ -1413,7 +1488,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
password = os.environ["PASSWORD"]
|
||||
samlogon = "schannel;samlogon %s %s %s" % (user, password, workstation)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1430,6 +1506,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertEqual("SEAL", msg["Authorization"]["transportProtection"])
|
||||
self.assertTrue(self.is_guid(msg["Authorization"]["sessionId"]))
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
# Signed logons get promoted to sealed, this test ensures that
|
||||
# this behaviour is not removed accidentally
|
||||
def test_samlogon_schannel_sign(self):
|
||||
@@ -1455,7 +1536,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
samlogon = "schannelsign;samlogon %s %s %s" % (
|
||||
user, password, workstation)
|
||||
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server])
|
||||
call(["bin/rpcclient", "-c", samlogon, "-U%", server,
|
||||
"--option=clientusekrb5netlogon=no"])
|
||||
|
||||
messages = self.waitForMessages(isLastExpectedMessage)
|
||||
messages = self.remove_netlogon_messages(messages)
|
||||
@@ -1472,6 +1554,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||
self.assertEqual("SEAL", msg["Authorization"]["transportProtection"])
|
||||
self.assertTrue(self.is_guid(msg["Authorization"]["sessionId"]))
|
||||
|
||||
msg = messages[-1]
|
||||
self.assertEqual("Authentication", msg["type"])
|
||||
self.assertEqual(self.netlogon_aes_flags_str,
|
||||
msg["Authentication"]["netlogonNegotiateFlags"])
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
import unittest
|
||||
|
||||
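Review bot: test_samlogon_network_bad_password (hunk `@@ -1254,7 +1304,8 @@`) is the only samlogon test that receives the `--option=clientusekrb5netlogon=no` switch without also receiving the new negotiate-flags assertion; every other hunk appends `msg = messages[-1]`, `self.assertEqual("Authentication", msg["type"])` and `self.assertEqual(self.netlogon_aes_flags_str, msg["Authentication"]["netlogonNegotiateFlags"])` after its message-count check, so a silent fallback away from AES on the bad-password path would not be caught by this test. The beginning and end of that test lie outside the hunk, so this is inferred from the sibling hunks and may already be handled in lines not shown. Since the same three assertion lines now appear in ten tests, keeping them in one helper such as `def assertNetlogonAES(self, msg)` would make the expected flag set a single point of change and guarantee no test is skipped.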