From 1a8ae268d2048b2b2c4df6f7f50f436d0255894b Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Tue, 4 Jul 2017 17:27:27 +1200 Subject: [PATCH] selftest: Add test for password change when NTLM is disabled When NTLM is disabled, the server should reject NTLM-based password changes. Changing the password is a bit complicated from python, but because the server should reject the password change outright with NTLM_BLOCKED, the test doesn't actually need to provide valid credentials. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Signed-off-by: Tim Beale Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144 (cherry picked from commit 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7) --- python/samba/tests/ntlmauth.py | 46 ++++++++++++++++++++++++++++++------------ selftest/knownfail | 2 ++ 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/python/samba/tests/ntlmauth.py b/python/samba/tests/ntlmauth.py index 8db1ad09274..a232bf26012 100644 --- a/python/samba/tests/ntlmauth.py +++ b/python/samba/tests/ntlmauth.py @@ -19,13 +19,13 @@ from samba.tests import TestCase import os import samba -from samba.credentials import Credentials, DONT_USE_KERBEROS +from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS from samba import NTSTATUSError, ntstatus import ctypes from samba import credentials -from samba.dcerpc import srvsvc +from samba.dcerpc import srvsvc, samr, lsa """ Tests basic NTLM authentication @@ -37,24 +37,21 @@ class NtlmAuthTests(TestCase): super(NtlmAuthTests, self).setUp() self.lp = self.get_loadparm() + self.server = os.getenv("SERVER") - + self.creds = Credentials() + self.creds.guess(self.lp) + self.creds.set_username(os.getenv("USERNAME")) + self.creds.set_domain(self.server) + self.creds.set_password(os.getenv("PASSWORD")) + self.creds.set_kerberos_state(DONT_USE_KERBEROS) def tearDown(self): super(NtlmAuthTests, self).tearDown() def test_ntlm_connection(self): - server = os.getenv("SERVER") - - creds = credentials.Credentials() - creds.guess(self.lp) - creds.set_username(os.getenv("USERNAME")) - creds.set_domain(server) - creds.set_password(os.getenv("PASSWORD")) - creds.set_kerberos_state(DONT_USE_KERBEROS) - try: - conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % server, self.lp, creds) + conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds) self.assertIsNotNone(conn) except NTSTATUSError as e: @@ -65,4 +62,27 @@ class NtlmAuthTests(TestCase): else: raise + def test_samr_change_password(self): + self.creds.set_kerberos_state(MUST_USE_KERBEROS) + conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER")) + + # we want to check whether this gets rejected outright because NTLM is + # disabled, so we don't actually need to encrypt a valid password here + server = lsa.String() + server.string = self.server + username = lsa.String() + username.string = os.getenv("USERNAME") + + try: + conn.ChangePasswordUser2(server, username, None, None, True, None, None) + except NTSTATUSError as e: + # changing passwords is rejected when NTLM is disabled + enum = ctypes.c_uint32(e[0]).value + if enum == ntstatus.NT_STATUS_NTLM_BLOCKED: + self.fail("NTLM is disabled on this server") + elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD: + # expected error case when NTLM is enabled + pass + else: + raise diff --git a/selftest/knownfail b/selftest/knownfail index 1cba331bcf0..f41b99d0e39 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -342,3 +342,5 @@ ^samba.tests.netlogonsvc.python\(fileserver\) # NTLM authentication is (intentionally) disabled in ktest ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\) +# Disabling NTLM means you can't use samr to change the password +^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\) -- 2.11.0