The Samba-Bugzilla – Attachment 13418 Details for
Bug 11923
Request to completely disable NTLM
[patch]
test for this bug backported from master
0001-selftest-Add-test-for-password-change-when-NTLM-is-d.patch (text/plain), 4.46 KB, created by
Andrew Bartlett
on 2017-07-24 02:18:22 UTC
Description:
test for this bug backported from master
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2017-07-24 02:18:22 UTC
Size:
4.46 KB
>From 1a8ae268d2048b2b2c4df6f7f50f436d0255894b Mon Sep 17 00:00:00 2001
>From: Tim Beale <timbeale@catalyst.net.nz>
>Date: Tue, 4 Jul 2017 17:27:27 +1200
>Subject: [PATCH] selftest: Add test for password change when NTLM is disabled
>
>When NTLM is disabled, the server should reject NTLM-based password
>changes. Changing the password is a bit complicated from python, but
>because the server should reject the password change outright with
>NTLM_BLOCKED, the test doesn't actually need to provide valid
>credentials.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
>Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Garming Sam <garming@catalyst.net.nz>
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
>
>(cherry picked from commit 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7)
>---
> python/samba/tests/ntlmauth.py | 46 ++++++++++++++++++++++++++++++------------
> selftest/knownfail | 2 ++
> 2 files changed, 35 insertions(+), 13 deletions(-)
>
>diff --git a/python/samba/tests/ntlmauth.py b/python/samba/tests/ntlmauth.py
>index 8db1ad09274..a232bf26012 100644
>--- a/python/samba/tests/ntlmauth.py
>+++ b/python/samba/tests/ntlmauth.py
>@@ -19,13 +19,13 @@ from samba.tests import TestCase
> import os
>
> import samba
>-from samba.credentials import Credentials, DONT_USE_KERBEROS
>+from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
>
> from samba import NTSTATUSError, ntstatus
> import ctypes
>
> from samba import credentials
>-from samba.dcerpc import srvsvc
>+from samba.dcerpc import srvsvc, samr, lsa
>
> """
> Tests basic NTLM authentication
>@@ -37,24 +37,21 @@ class NtlmAuthTests(TestCase):
> super(NtlmAuthTests, self).setUp()
>
> self.lp = self.get_loadparm()
>+ self.server = os.getenv("SERVER")
>
>-
>+ self.creds = Credentials()
>+ self.creds.guess(self.lp)
>+ self.creds.set_username(os.getenv("USERNAME"))
>+ self.creds.set_domain(self.server)
>+ self.creds.set_password(os.getenv("PASSWORD"))
>+ self.creds.set_kerberos_state(DONT_USE_KERBEROS)
>
> def tearDown(self):
> super(NtlmAuthTests, self).tearDown()
>
> def test_ntlm_connection(self):
>- server = os.getenv("SERVER")
>-
>- creds = credentials.Credentials()
>- creds.guess(self.lp)
>- creds.set_username(os.getenv("USERNAME"))
>- creds.set_domain(server)
>- creds.set_password(os.getenv("PASSWORD"))
>- creds.set_kerberos_state(DONT_USE_KERBEROS)
>-
> try:
>- conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % server, self.lp, creds)
>+ conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
>
> self.assertIsNotNone(conn)
> except NTSTATUSError as e:
>@@ -65,4 +62,27 @@ class NtlmAuthTests(TestCase):
> else:
> raise
>
>+ def test_samr_change_password(self):
>+ self.creds.set_kerberos_state(MUST_USE_KERBEROS)
>+ conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
>+
>+ # we want to check whether this gets rejected outright because NTLM is
>+ # disabled, so we don't actually need to encrypt a valid password here
>+ server = lsa.String()
>+ server.string = self.server
>+ username = lsa.String()
>+ username.string = os.getenv("USERNAME")
>+
>+ try:
>+ conn.ChangePasswordUser2(server, username, None, None, True, None, None)
>+ except NTSTATUSError as e:
>+ # changing passwords is rejected when NTLM is disabled
>+ enum = ctypes.c_uint32(e[0]).value
>+ if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
>+ self.fail("NTLM is disabled on this server")
>+ elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
>+ # expected error case when NTLM is enabled
>+ pass
>+ else:
>+ raise
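Review bot: `from samba import credentials` (a context line in the first hunk) looks unused after this change, because setUp now calls the directly imported `Credentials()` and the only visible `credentials.Credentials()` call is removed from test_ntlm_connection. If nothing outside these hunks still uses the module name, that import can be dropped. Separately, `os.getenv("SERVER")`, `os.getenv("USERNAME")` and `os.getenv("PASSWORD")` return `None` when unset, so a misconfigured environment would surface as an obscure bind error; a check in setUp such as `self.assertIsNotNone(self.server, "SERVER is not set")` would make that explicit. The class body starts and continues outside this hunk.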
>
>diff --git a/selftest/knownfail b/selftest/knownfail
>index 1cba331bcf0..f41b99d0e39 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -342,3 +342,5 @@
> ^samba.tests.netlogonsvc.python\(fileserver\)
> # NTLM authentication is (intentionally) disabled in ktest
> ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\)
>+# Disabling NTLM means you can't use samr to change the password
>+^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\)
>--
>2.11.0
>
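Review bot: In test_samr_change_password the credentials that get `MUST_USE_KERBEROS` set are never handed to the connection, since `samr.samr(...)` is called with only the binding string (built from `os.getenv("SERVER")` rather than `self.server`), so as far as this hunk shows the Kerberos setting has no effect on how the pipe is authenticated. If an authenticated Kerberos bind is intended, pass them the way test_ntlm_connection does, `conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % self.server, self.lp, self.creds)`; if an anonymous bind is intended, drop the `set_kerberos_state` call and say so in a comment. The `try` also has no success branch, so a server that accepted `ChangePasswordUser2` with `None` password blobs would let the test pass; adding `else: self.fail("password change without valid credentials was accepted")` closes that gap. The test fails on `NT_STATUS_NTLM_BLOCKED` and relies on the new knownfail entry for ktest, so the desired rejection is recorded as an expected failure rather than asserted directly; a comment in the test stating this would help whoever next reads a knownfail change.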
Flags:
metze
:
review+