tests/ntlm_auth: Port ntlm_auth tests to python: ntlm_auth against winbindd with...
1 #!/bin/sh
2
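# Six leading arguments are consumed below ("shift 6"), so a shorter command
# line is rejected up front instead of continuing with empty credentials.
if [ $# -lt 6 ]; then
	cat <<EOF
Usage: test_ntlm_auth_s3.sh PYTHON SRC3DIR NTLM_AUTH DOMAIN USERNAME PASSWORD [ADDARGS...]
EOF
	exit 1
fi

PYTHON=$1
SRC3DIR=$2
NTLM_AUTH=$3
DOMAIN=$4
USERNAME=$5
PASSWORD=$6
shift 6
# Everything after the six fixed arguments is passed on to the python test.
ADDARGS="$*"

incdir=$(dirname "$0")/../../../testprogs/blackbox
. "$incdir/subunit.sh"

# Look up the test user's SID once.  The lookup runs directly instead of
# through eval, so $USERNAME is never re-parsed as shell code.
# NOTE(review): BINDIR is not set in this script; presumably the test
# harness exports it - confirm.
SID=$("$BINDIR/wbinfo" -n "$USERNAME" | cut -d ' ' -f1)
# A SID that must not match: the real one with its last two characters cut.
BADSID=$(printf '%s\n' "$SID" | sed 's/..$//')

failed=0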
26
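# Plaintext (squid-2.5-basic) login as $DOMAIN/$USERNAME that must be
# accepted while membership of $SID is required.
# Globals:   NTLM_AUTH, PREFIX, DOMAIN, USERNAME, PASSWORD, SID (read);
#            tmpfile, out, ret (written)
# Arguments: extra options handed to $NTLM_AUTH unchanged
# Returns:   0 if the helper exits 0 and its output contains "OK", else 1
test_plaintext_check_output_stdout()
{
	# The request file holds a cleartext password, so it gets an
	# unpredictable name created by mktemp rather than a fixed path that
	# could be pre-created or shared between concurrent runs.
	tmpfile=$(mktemp "$PREFIX/ntlm_commands.XXXXXX") || {
		echo "failed to create temporary file"
		return 1
	}

	cat > "$tmpfile" <<EOF
$DOMAIN/$USERNAME $PASSWORD
EOF
	# Log the command line, then run it directly; no eval is needed.
	# $NTLM_AUTH is left unquoted as in the original so it is still
	# word-split.
	echo $NTLM_AUTH "$@" --require-membership-of="$SID" --helper-protocol=squid-2.5-basic
	out=$($NTLM_AUTH "$@" --require-membership-of="$SID" --helper-protocol=squid-2.5-basic < "$tmpfile" 2>&1)
	ret=$?
	rm -f "$tmpfile"

	if [ "$ret" -ne 0 ]; then
		echo "$out"
		echo "command failed"
		return 1
	fi

	if echo "$out" | grep "OK" > /dev/null 2>&1; then
		# authenticated .. succeed
		return 0
	fi

	echo failed to get successful authentication
	return 1
}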
57
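# Plaintext (squid-2.5-basic) login as $DOMAIN\$USERNAME that must be
# rejected because membership of the non-matching $BADSID is required.
# Globals:   NTLM_AUTH, PREFIX, DOMAIN, USERNAME, PASSWORD, BADSID (read);
#            tmpfile, out, ret (written)
# Arguments: extra options handed to $NTLM_AUTH unchanged
# Returns:   0 if the helper exits 0 and its output contains "ERR", else 1
test_plaintext_check_output_fail()
{
	# The request file holds a cleartext password, so it gets an
	# unpredictable name created by mktemp rather than a fixed path that
	# could be pre-created or shared between concurrent runs.
	tmpfile=$(mktemp "$PREFIX/ntlm_commands.XXXXXX") || {
		echo "failed to create temporary file"
		return 1
	}

	# "\\" in an unquoted here-document yields one literal backslash.
	cat > "$tmpfile" <<EOF
$DOMAIN\\$USERNAME $PASSWORD
EOF
	# Log the command line, then run it directly; no eval is needed.
	echo $NTLM_AUTH "$@" --require-membership-of="$BADSID" --helper-protocol=squid-2.5-basic
	out=$($NTLM_AUTH "$@" --require-membership-of="$BADSID" --helper-protocol=squid-2.5-basic < "$tmpfile" 2>&1)
	ret=$?
	rm -f "$tmpfile"

	if [ "$ret" -ne 0 ]; then
		echo "$out"
		echo "command failed"
		return 1
	fi

	if echo "$out" | grep "ERR" > /dev/null 2>&1; then
		# failed to authenticate .. success
		return 0
	fi

	echo "incorrectly gave a successful authentication"
	return 1
}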
88
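# ntlm-server-1 exchange with a fixed challenge/response pair checked against
# the fixed --password value; the helper must report the expected session key.
# Globals:   NTLM_AUTH, PREFIX (read); tmpfile, out, ret (written)
# Arguments: extra options handed to $NTLM_AUTH unchanged
# Returns:   0 if the helper exits 0 and prints the expected
#            User-Session-Key line, else 1
test_ntlm_server_1_check_output()
{
	# Unpredictable request file instead of a fixed name under $PREFIX,
	# so concurrent runs or a pre-existing file cannot interfere.
	tmpfile=$(mktemp "$PREFIX/ntlm_commands.XXXXXX") || {
		echo "failed to create temporary file"
		return 1
	}

	cat > "$tmpfile" <<EOF
LANMAN-Challenge: 0123456789abcdef
NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
NT-Domain: TEST
Username: testuser
Request-User-Session-Key: Yes
.
EOF
	# Log the command line, then run it directly; no eval is needed.
	echo $NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01
	out=$($NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01 < "$tmpfile" 2>&1)
	ret=$?
	rm -f "$tmpfile"

	if [ "$ret" -ne 0 ]; then
		echo "$out"
		echo "command failed"
		return 1
	fi

	if echo "$out" | grep "User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4" > /dev/null 2>&1; then
		# authenticated .. succeed
		return 0
	fi

	echo failed to get successful authentication
	return 1
}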
124
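# ntlm-server-1 exchange whose challenge has been altered so the fixed
# response no longer matches; the helper must answer "Authenticated: No".
# Globals:   NTLM_AUTH, PREFIX (read); tmpfile, out, ret (written)
# Arguments: extra options handed to $NTLM_AUTH unchanged
# Returns:   0 if the helper exits 0 and reports "Authenticated: No", else 1
test_ntlm_server_1_check_output_fail()
{
	# Unpredictable request file instead of a fixed name under $PREFIX,
	# so concurrent runs or a pre-existing file cannot interfere.
	tmpfile=$(mktemp "$PREFIX/ntlm_commands.XXXXXX") || {
		echo "failed to create temporary file"
		return 1
	}

	# Break the password with a leading A on the challenge
	cat > "$tmpfile" <<EOF
LANMAN-Challenge: A123456789abcdef
NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
NT-Domain: TEST
Username: testuser
Request-User-Session-Key: Yes
.
EOF
	# Log the command line, then run it directly; no eval is needed.
	echo $NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01
	out=$($NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01 < "$tmpfile" 2>&1)
	ret=$?
	rm -f "$tmpfile"

	if [ "$ret" -ne 0 ]; then
		echo "$out"
		echo "command failed"
		return 1
	fi

	if echo "$out" | grep "Authenticated: No" > /dev/null 2>&1; then
		# failed to authenticate .. success
		return 0
	fi

	echo "incorrectly gave a successful authentication"
	return 1
}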
161
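# ntlm-server-1 request carrying the test user's plaintext password, with
# membership of $SID required; the helper must answer "Authenticated: Yes".
# Globals:   NTLM_AUTH, PREFIX, DOMAIN, USERNAME, PASSWORD, SID (read);
#            tmpfile, out, ret (written)
# Arguments: extra options handed to $NTLM_AUTH unchanged
# Returns:   0 if the helper exits 0 and reports "Authenticated: Yes", else 1
test_ntlm_server_1_check_winbind_output()
{
	# The request file holds a cleartext password, so it gets an
	# unpredictable name created by mktemp rather than a fixed path that
	# could be pre-created or shared between concurrent runs.
	tmpfile=$(mktemp "$PREFIX/ntlm_commands.XXXXXX") || {
		echo "failed to create temporary file"
		return 1
	}

	# These are the credentials passed to the script; this case expects
	# authentication to succeed.
	cat > "$tmpfile" <<EOF
Password: $PASSWORD
NT-Domain: $DOMAIN
Username: $USERNAME
Request-User-Session-Key: Yes
.
EOF
	# Log the command line, then run it directly; no eval is needed.
	echo $NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of="$SID"
	out=$($NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of="$SID" < "$tmpfile" 2>&1)
	ret=$?
	rm -f "$tmpfile"

	if [ "$ret" -ne 0 ]; then
		echo "$out"
		echo "command failed"
		return 1
	fi

	if echo "$out" | grep "Authenticated: Yes" > /dev/null 2>&1; then
		# authenticated .. success
		return 0
	fi

	echo "Failed to authenticate the user or match with SID $SID"
	return 1
}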
197
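# ntlm-server-1 request carrying the test user's plaintext password, but with
# membership of the non-matching $BADSID required; the helper must answer
# "Authenticated: No".
# Globals:   NTLM_AUTH, PREFIX, DOMAIN, USERNAME, PASSWORD, BADSID (read);
#            tmpfile, out, ret (written)
# Arguments: extra options handed to $NTLM_AUTH unchanged
# Returns:   0 if the helper exits 0 and reports "Authenticated: No", else 1
test_ntlm_server_1_check_winbind_output_wrong_sid()
{
	# The request file holds a cleartext password, so it gets an
	# unpredictable name created by mktemp rather than a fixed path that
	# could be pre-created or shared between concurrent runs.
	tmpfile=$(mktemp "$PREFIX/ntlm_commands.XXXXXX") || {
		echo "failed to create temporary file"
		return 1
	}

	# Same credentials as the passing winbind case; only the required
	# SID differs, and that is what must cause the rejection.
	cat > "$tmpfile" <<EOF
Password: $PASSWORD
NT-Domain: $DOMAIN
Username: $USERNAME
Request-User-Session-Key: Yes
.
EOF
	# Log the command line, then run it directly; no eval is needed.
	echo $NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of="$BADSID"
	out=$($NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of="$BADSID" < "$tmpfile" 2>&1)
	ret=$?
	rm -f "$tmpfile"

	if [ "$ret" -ne 0 ]; then
		echo "$out"
		echo "command failed"
		return 1
	fi

	if echo "$out" | grep "Authenticated: No" > /dev/null 2>&1; then
		# failed to authenticate .. success
		return 0
	fi

	echo "incorrectly gave a successful authentication"
	return 1
}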
233
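# ntlm-server-1 exchange that sends a fixed challenge/response pair for
# $DOMAIN/$USERNAME; the helper must answer "Authenticated: No".
# Globals:   NTLM_AUTH, PREFIX, DOMAIN, USERNAME (read);
#            tmpfile, out, ret (written)
# Arguments: extra options handed to $NTLM_AUTH unchanged
# Returns:   0 if the helper exits 0 and reports "Authenticated: No", else 1
test_ntlm_server_1_check_winbind_output_fail()
{
	# Unpredictable request file instead of a fixed name under $PREFIX,
	# so concurrent runs or a pre-existing file cannot interfere.
	tmpfile=$(mktemp "$PREFIX/ntlm_commands.XXXXXX") || {
		echo "failed to create temporary file"
		return 1
	}

	# This isn't the correct password
	cat > "$tmpfile" <<EOF
LANMAN-Challenge: 0123456789abcdef
NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
NT-Domain: $DOMAIN
Username: $USERNAME
Request-User-Session-Key: Yes
.
EOF
	# Log the command line, then run it directly; no eval is needed.
	echo $NTLM_AUTH "$@" --helper-protocol=ntlm-server-1
	out=$($NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 < "$tmpfile" 2>&1)
	ret=$?
	rm -f "$tmpfile"

	if [ "$ret" -ne 0 ]; then
		echo "$out"
		echo "command failed"
		return 1
	fi

	if echo "$out" | grep "Authenticated: No" > /dev/null 2>&1; then
		# failed to authenticate .. success
		return 0
	fi

	echo "incorrectly gave a successful authentication"
	return 1
}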
270
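# Run every case and count the failures.
# The domain, user name, password and SIDs are quoted so that a value with
# whitespace or glob characters is not split or expanded at the call site.
# $PYTHON, $NTLM_AUTH and $ADDARGS stay unquoted as in the original
# (ADDARGS is a flattened, space-separated option list).
# NOTE(review): testit, testit_expect_failure and testok are not defined in
# this script (presumably they come from the sourced subunit.sh); confirm
# that they keep argument boundaries intact.
# NOTE(review): --client-password places the password on the command line,
# where it is visible in the process list; only use throwaway test
# credentials with this script.

# This should work even with NTLMv2
testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with require-membership-of" $PYTHON "$SRC3DIR/torture/test_ntlm_auth.py" $NTLM_AUTH --client-username="$USERNAME" --client-domain="$DOMAIN" --client-password="$PASSWORD" --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of="$SID" || failed=$((failed + 1))

# testit_expect_failure is combined with "&&": the counter goes up when the
# call returns 0.
testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON "$SRC3DIR/torture/test_ntlm_auth.py" $NTLM_AUTH --client-username="$USERNAME" --client-domain="$DOMAIN" --client-password="$PASSWORD" --server-use-winbindd $ADDARGS --require-membership-of="$BADSID" && failed=$((failed + 1))
testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON "$SRC3DIR/torture/test_ntlm_auth.py" $NTLM_AUTH --client-username="$USERNAME" --client-domain="$DOMAIN" --client-password="$PASSWORD" --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of="$BADSID" && failed=$((failed + 1))

testit "ntlm_auth plaintext authentication with require-membership-of" test_plaintext_check_output_stdout || failed=$((failed + 1))
testit "ntlm_auth plaintext authentication with failed require-membership-of" test_plaintext_check_output_fail || failed=$((failed + 1))

testit "ntlm_auth ntlm-server-1 with fixed password" test_ntlm_server_1_check_output || failed=$((failed + 1))
testit "ntlm_auth ntlm-server-1 with incorrect fixed password" test_ntlm_server_1_check_output_fail || failed=$((failed + 1))
testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=$((failed + 1))
testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=$((failed + 1))
testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=$((failed + 1))

testok "$0" "$failed"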