selftest: Run some tests in the ad_dc_no_ntlm environment to show expected behaviour

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/python/samba/tests/samba_tool/user.py b/python/samba/tests/samba_tool/user.py
index 0a1fbfeb82d8b3839e249faadd0655389fce5b86..4563bb2d9a3d32e0a2c51b7a46361576b098b6b2 100644 (file)
--- a/python/samba/tests/samba_tool/user.py
+++ b/python/samba/tests/samba_tool/user.py
@@ -211,6 +211,8 @@ class UserCmdTestCase(SambaToolCmdTest):
         self.assertEqual(nidx, sc.sub.num_packages, "Unknown packages found")
 
     def test_setpassword(self):
+        expect_nt_hash = bool(int(os.environ.get("EXPECT_NT_HASH", "1")))
+
         for user in self.users:
             newpasswd = self.random_password(16)
             (result, out, err) = self.runsubcmd("user", "setpassword",
@@ -278,8 +280,11 @@ class UserCmdTestCase(SambaToolCmdTest):
                              "syncpasswords --no-wait: 'sAMAccountName': %s out[%s]" % (user["name"], out))
             self.assertMatch(out, "# unicodePwd::: REDACTED SECRET ATTRIBUTE",
                              "getpassword '# unicodePwd::: REDACTED SECRET ATTRIBUTE': out[%s]" % out)
-            self.assertMatch(out, "unicodePwd:: %s" % unicodePwd,
-                             "getpassword unicodePwd: out[%s]" % out)
+            if expect_nt_hash:
+                self.assertMatch(out, "unicodePwd:: %s" % unicodePwd,
+                                 "getpassword unicodePwd: out[%s]" % out)
+            else:
+                self.assertNotIn("unicodePwd:: %s" % unicodePwd, out)
             self.assertMatch(out, "# supplementalCredentials::: REDACTED SECRET ATTRIBUTE",
                              "getpassword '# supplementalCredentials::: REDACTED SECRET ATTRIBUTE': out[%s]" % out)
             self.assertMatch(out, "supplementalCredentials:: ",
@@ -301,8 +306,11 @@ class UserCmdTestCase(SambaToolCmdTest):
             self.assertMatch(out, "Got password OK", "getpassword without url")
             self.assertMatch(out, "sAMAccountName: %s" % (user["name"]),
                              "getpassword: 'sAMAccountName': %s out[%s]" % (user["name"], out))
-            self.assertMatch(out, "unicodePwd:: %s" % unicodePwd,
-                             "getpassword unicodePwd: out[%s]" % out)
+            if expect_nt_hash:
+                self.assertMatch(out, "unicodePwd:: %s" % unicodePwd,
+                                 "getpassword unicodePwd: out[%s]" % out)
+            else:
+                self.assertNotIn("unicodePwd:: %s" % unicodePwd, out)
             self.assertMatch(out, "supplementalCredentials:: ",
                              "getpassword supplementalCredentials: out[%s]" % out)
             self._verify_supplementalCredentials(out.replace("\nGot password OK\n", ""))

diff --git a/selftest/knownfail.d/nt-hash-support-gone b/selftest/knownfail.d/nt-hash-support-gone
new file mode 100644 (file)
index 0000000..6cda102
--- /dev/null
+++ b/selftest/knownfail.d/nt-hash-support-gone
@@ -0,0 +1,2 @@
+^samba.tests.samba_tool.user.samba.tests.samba_tool.user.UserCmdTestCase.test_setpassword.ad_dc_no_ntlm:local
+^samba4.ldap.login_basics.python.ad_dc_no_ntlm..__main__.BasicUserAuthTests.test_login_basics_ntlm.ad_dc_no_ntlm

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index bc3cddbbafbbe0e6c882e9bfefd530403653316b..a01e188bcd177585bcd200b3b19288a83efd5d3b 100755 (executable)
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -928,12 +928,18 @@ for env in ["ad_dc_ntvfs", "ad_dc"]:
     planpythontestsuite(env + ":local", "samba.tests.samba_tool.gpo_exts")
 
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.processes")
+
 planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.user")
-planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.user_wdigest")
-planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user")
-planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA_userPassword")
-planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA_gpg")
+for env in ["ad_dc_default:local", "ad_dc_no_ntlm:local"]:
+    planpythontestsuite(env, "samba.tests.samba_tool.user_wdigest")
+for env, nt_hash in [("ad_dc:local", True),
+                     ("ad_dc_no_ntlm:local", False)]:
+    planpythontestsuite(env, "samba.tests.samba_tool.user",
+                        environ={"EXPECT_NT_HASH": int(nt_hash)})
+    planpythontestsuite(env, "samba.tests.samba_tool.user_virtualCryptSHA_userPassword")
+    planpythontestsuite(env, "samba.tests.samba_tool.user_virtualCryptSHA_gpg")
 planpythontestsuite("chgdcpass:local", "samba.tests.samba_tool.user_check_password_script")
+
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.group")
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.ou")
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.computer")
@@ -1377,6 +1383,8 @@ for env in all_fl_envs + ["schema_dc"]:
     plantestsuite("samba4.ldap.possibleInferiors.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/samdb/ldb_modules/tests/possibleinferiors.py"), "ldap://$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN"])
     plantestsuite_loadlist("samba4.ldap.secdesc.python(%s)" % env, env, [python, os.path.join(DSDB_PYTEST_DIR, "sec_descriptor.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
     plantestsuite_loadlist("samba4.ldap.acl.python(%s)" % env, env, ["STRICT_CHECKING=0", python, os.path.join(DSDB_PYTEST_DIR, "acl.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
+
+for env in all_fl_envs + ["schema_dc", "ad_dc_no_ntlm"]:
     if env != "fl2000dc":
         # This test makes excessive use of the "userPassword" attribute which
         # isn't available on DCs with Windows 2000 domain function level -
@@ -1400,7 +1408,7 @@ for env in ["ad_dc_slowtests"]:
                            extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
 
 # this is a basic sanity-check of Kerberos/NTLM user login
-for env in ["offlinebackupdc", "restoredc", "renamedc", "labdc"]:
+for env in ["offlinebackupdc", "restoredc", "renamedc", "labdc", "ad_dc_no_ntlm"]:
     plantestsuite_loadlist("samba4.ldap.login_basics.python(%s)" % env, env,
                            [python, os.path.join(DSDB_PYTEST_DIR, "login_basics.py"),
                             "$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN", "--realm=$REALM",