#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
+#define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
struct auth_usersupplied_info
{
}
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ session_info_flags |= AUTH_SESSION_INFO_NTLM;
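Review bot: The flag is OR-ed in unconditionally here (and on the gensec call at L16-L17), which is only right if the enclosing function is reached exclusively for NTLM authentications; that cannot be confirmed from the hunk because the function starts outside it. If a Kerberos or other authentication path shares this code, the resulting token would wrongly carry the NTLM authentication SID, which ACLs may use to restrict NTLM-authenticated clients. A one-line comment stating the invariant would help the next reader, e.g. `/* This path only handles NTLM authentication, so tag the session for the NTLM authentication SID */`.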
if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx,
server_info,
user_info->client.account_name,
AUTH_SESSION_INFO_UNIX_TOKEN |
- AUTH_SESSION_INFO_DEFAULT_GROUPS,
+ AUTH_SESSION_INFO_DEFAULT_GROUPS |
+ AUTH_SESSION_INFO_NTLM,
session_info);
TALLOC_FREE(server_info);
}
ADD_FLAG(AUTH_SESSION_INFO_DEFAULT_GROUPS);
ADD_FLAG(AUTH_SESSION_INFO_AUTHENTICATED);
ADD_FLAG(AUTH_SESSION_INFO_SIMPLE_PRIVILEGES);
+ ADD_FLAG(AUTH_SESSION_INFO_NTLM);
return m;
}
num_sids++;
}
+ if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
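Review bot: Nothing in the added block says why the SID is appended or that AUTH_SESSION_INFO_NTLM is expected only on NTLM-authenticated sessions, and the block appears to repeat the realloc/parse/increment shape of the per-flag block that ends at L28. A short comment above the `if` would make the intent explicit, e.g. `/* AUTH_SESSION_INFO_NTLM: add the NTLM authentication SID so ACLs can distinguish NTLM-authenticated sessions */`. Returning NT_STATUS_INTERNAL_ERROR when parsing a compile-time constant fails is reasonable; the enclosing function begins before the hunk.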
if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {
import samba.tests
from samba.tests import delete_force
from samba.dcerpc import samr, security
-from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
+from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, AUTH_SESSION_INFO_NTLM
parser = optparse.OptionParser("token_group.py [options] <host>")
session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
AUTH_SESSION_INFO_AUTHENTICATED |
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
+ if creds.get_kerberos_state() == DONT_USE_KERBEROS:
+ session_info_flags |= AUTH_SESSION_INFO_NTLM
+
session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn,
session_info_flags=session_info_flags)
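Review bot: `DONT_USE_KERBEROS` is referenced at L48 (and again at L55 and L65), but the import hunk at L42-L43 only extends the samba.auth import; unless the file already imports it from samba.credentials, these lines raise NameError when the test runs. If it is missing, add `from samba.credentials import DONT_USE_KERBEROS` to the import block. The enclosing test method starts before the hunk.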
self.fail(msg="calculated groups don't match against user DN tokenGroups")
def test_pac_groups(self):
+ if creds.get_kerberos_state() == DONT_USE_KERBEROS:
+ self.skipTest("Kerberos disabled, skipping PAC test")
+
settings = {}
settings["lp_ctx"] = lp
settings["target_hostname"] = lp.get("netbios name")
session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
AUTH_SESSION_INFO_AUTHENTICATED |
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
+
+ if creds.get_kerberos_state() == DONT_USE_KERBEROS:
+ session_info_flags |= AUTH_SESSION_INFO_NTLM
+
session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn,
session_info_flags=session_info_flags)
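Review bot: If lines L61-L69 are still inside test_pac_groups, the NTLM branch at L65-L66 is unreachable: the method already calls `self.skipTest` at L55-L56 whenever `creds.get_kerberos_state() == DONT_USE_KERBEROS`, so `session_info_flags` can never gain AUTH_SESSION_INFO_NTLM on this path. Either the branch should be dropped, or a comment should say which token (DN-derived versus PAC-derived) is being built here and why the flag is still relevant. The hunk boundaries make it hard to tell which method L61 belongs to.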
sidset1 = set(dn_tokengroups)
sidset2 = set(self.user_sids)
+
+ # The SIDs on the DN do not include the NTLM authentication SID
+ sidset2.discard(samba.dcerpc.security.SID_NT_NTLM_AUTHENTICATION)
+
if len(sidset1.difference(sidset2)):
print("token sids don't match")
print("difference : %s" % sidset1.difference(sidset2))
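Review bot: The unconditional `sidset2.discard(...)` at L74 strips the NTLM authentication SID before the comparison in both modes, so the test no longer verifies that the SID is present for NTLM sessions and absent for Kerberos ones, which is the property the new flag introduces. Consider asserting it before discarding, along the lines of `self.assertEqual(creds.get_kerberos_state() == DONT_USE_KERBEROS, security.SID_NT_NTLM_AUTHENTICATION in sidset2)`, assuming `creds` is in scope here as it is at L48. The file already imports `security` from samba.dcerpc at L41, so `security.SID_NT_NTLM_AUTHENTICATION` would match the existing style better than the fully qualified name.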
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.dnsserver", extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.raw_protocol", extra_args=['-U"$USERNAME%$PASSWORD"'])
plantestsuite_loadlist("samba4.ldap.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/ldap.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
-plantestsuite_loadlist("samba4.tokengroups.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
+plantestsuite_loadlist("samba4.tokengroups.krb5.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '-k', 'yes', '$LOADLIST', '$LISTOPT'])
+plantestsuite_loadlist("samba4.tokengroups.ntlm.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '-k', 'no', '$LOADLIST', '$LISTOPT'])
plantestsuite("samba4.sam.python(fl2008r2dc)", "fl2008r2dc", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
plantestsuite("samba4.sam.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
plantestsuite("samba4.user_account_control.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/user_account_control.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])