--- /dev/null
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""Smoke test for encrypted secrets
+
+A quick test to confirm that the secret attributes are being stored
+encrypted on disk.
+"""
+
+
+import os
+import ldb
+import samba
+from samba.tests import TestCase
+from samba.credentials import Credentials
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba.ndr import ndr_unpack
+from samba.dcerpc import drsblobs
+
+
+class EncryptedSecretsTests(TestCase):
+
+ def setUp(self):
+ super(EncryptedSecretsTests, self).setUp()
+ self.lp = samba.tests.env_loadparm()
+ self.creds = Credentials()
+ self.session = system_session()
+ self.creds.guess(self.lp)
+ self.session = system_session()
+ self.ldb = SamDB(session_info=self.session,
+ credentials=self.creds,
+ lp=self.lp)
+
+ def test_encrypted_secrets(self):
+ """Test that secret attributes are stored encrypted on disk"""
+ basedn = self.ldb.domain_dn()
+ backend_filename = "%s.ldb" % basedn.upper()
+ backend_subpath = os.path.join("sam.ldb.d",
+ backend_filename)
+ backend_path = self.lp.private_path(backend_subpath)
+ backenddb = ldb.Ldb(backend_path)
+
+ dn = "CN=Administrator,CN=Users,%s" % basedn
+
+ res = backenddb.search(scope=ldb.SCOPE_BASE,
+ base=dn,
+ attrs=["unicodePwd"])
+ self.assertIs(True, len(res) > 0)
+ obj = res[0]
+ blob = obj["unicodePwd"][0]
+ self.assertTrue(len(blob) > 30)
+ # Now verify that the header contains the correct magic value.
+ encrypted = ndr_unpack(drsblobs.EncryptedSecret, blob)
+ magic = 0xca5caded
+ self.assertEquals(magic, encrypted.header.magic)
+
+ def test_required_features(self):
+ """Test that databases are provisioned with encryptedSecrets as a
+ required feature
+ """
+ res = self.ldb.search(scope=ldb.SCOPE_BASE,
+ base="@SAMBA_DSDB",
+ attrs=["requiredFeatures"])
+ self.assertTrue(len(res) > 0)
+ self.assertTrue("requiredFeatures" in res[0])
+ required_features = res[0]["requiredFeatures"]
+ self.assertTrue("encryptedSecrets" in required_features)
--- /dev/null
+# The fl2000dc environment is provisioned with the --plaintext-secrets option
+# running the ecnrypted secrets tests on it and expecting them to fail.
+# verifies that:
+# * --plaintext-secrets option correctly provisions a domain
+# * the dsdb operational module correctly handles unencrypted secrets
+# * secrets are not stored as encrypted text when this option is specified
+^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_encrypted_secrets\(fl2000dc:local\)
+^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_required_features\(fl2000dc:local\)
+
+# Tests that will pass as the remaining patches in the set are added
+^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_encrypted_secrets
+^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_required_features
planoldpythontestsuite("ad_dc",
"samba.tests.password_hash_ldap",
extra_args=['-U"$USERNAME%$PASSWORD"'])
+# Encrypted secrets
+# ensure default provision (ad_dc) and join (vampire_dc)
+# encrypt secret values on disk.
+planoldpythontestsuite("ad_dc:local",
+ "samba.tests.encrypted_secrets",
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
+planoldpythontestsuite("vampire_dc:local",
+ "samba.tests.encrypted_secrets",
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
+# The fl2000dc environment is provisioned with the --plaintext_secrets option
+# so this test will fail, which proves the secrets are not being encrypted.
+# There is an entry in known_fail.d.
+planoldpythontestsuite("fl2000dc:local",
+ "samba.tests.encrypted_secrets",
+ extra_args=['-U"$USERNAME%$PASSWORD"'])
planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.lsa_string")
planoldpythontestsuite("ad_dc_ntvfs",