selftest: Pass the dcerpc binding object to self.waitForMessages in auth_log
[nivanova/samba-autobuild/.git] / python / samba / tests / auth_log.py
1 # Unix SMB/CIFS implementation.
2 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 3 of the License, or
7 # (at your option) any later version.
8 #
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 # GNU General Public License for more details.
13 #
14 # You should have received a copy of the GNU General Public License
15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
16 #
17
18 """Tests for the Auth and AuthZ logging.
19 """
20
21 from samba import auth
22 import samba.tests
23 from samba.messaging import Messaging
24 from samba.dcerpc.messaging import MSG_AUTH_LOG, AUTH_EVENT_NAME
25 from samba.dcerpc import srvsvc, dnsserver
26 import time
27 import json
28 import os
29 from samba import smb
30 from samba.samdb import SamDB
31 import samba.tests.auth_log_base
32 from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
33 from samba import NTSTATUSError
34 from subprocess import call
35 from ldb import LdbError
36
37 class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
38
39     def setUp(self):
40         super(AuthLogTests, self).setUp()
41         self.remoteAddress = os.environ["CLIENT_IP"]
42
43     def tearDown(self):
44         super(AuthLogTests, self).tearDown()
45
46
47
48     def _test_rpc_ncacn_np(self, authTypes, creds, service,
49                            binding, protection, checkFunction):
50         def isLastExpectedMessage(msg):
51             return (msg["type"] == "Authorization" and
52                     (msg["Authorization"]["serviceDescription"] == "DCE/RPC" or
53                      msg["Authorization"]["serviceDescription"] == service) and
54                     msg["Authorization"]["authType"] == authTypes[0] and
55                     msg["Authorization"]["transportProtection"] == protection)
56
57         if binding:
58             binding = "[%s]" % binding
59
60         if service == "dnsserver":
61             x = dnsserver.dnsserver("ncacn_np:%s%s" % (self.server, binding),
62                                 self.get_loadparm(),
63                                 creds)
64         elif service == "srvsvc":
65             x = srvsvc.srvsvc("ncacn_np:%s%s" % (self.server, binding),
66                               self.get_loadparm(),
67                               creds)
68
69         # The connection is passed to ensure the server
70         # messaging context stays up until all the messages have been received.
71         messages = self.waitForMessages(isLastExpectedMessage, x)
72         checkFunction(messages, authTypes, service, binding, protection)
73
74     def rpc_ncacn_np_ntlm_check(self, messages, authTypes, service,
75                                 binding, protection):
76
77         expected_messages = len(authTypes)
78         self.assertEquals(expected_messages,
79                           len(messages),
80                           "Did not receive the expected number of messages")
81
82         # Check the first message it should be an Authentication
83         msg = messages[0]
84         self.assertEquals("Authentication", msg["type"])
85         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
86         self.assertEquals("SMB",
87                            msg["Authentication"]["serviceDescription"])
88         self.assertEquals(authTypes[1], msg["Authentication"]["authDescription"])
89
90         # Check the second message it should be an Authorization
91         msg = messages[1]
92         self.assertEquals("Authorization", msg["type"])
93         self.assertEquals("SMB",
94                           msg["Authorization"]["serviceDescription"])
95         self.assertEquals(authTypes[2], msg["Authorization"]["authType"])
96         self.assertEquals("SMB", msg["Authorization"]["transportProtection"])
97
98         # Check the third message it should be an Authentication
99         # if we are expecting 4 messages
100         if expected_messages == 4:
101             def checkServiceDescription(desc):
102                 return (desc == "DCE/RPC" or desc == service)
103
104             msg = messages[2]
105             self.assertEquals("Authentication", msg["type"])
106             self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
107             self.assertTrue(
108                 checkServiceDescription(msg["Authentication"]["serviceDescription"]))
109
110             self.assertEquals(authTypes[3], msg["Authentication"]["authDescription"])
111
112     def rpc_ncacn_np_krb5_check(self, messages, authTypes, service, binding, protection):
113
114         expected_messages = len(authTypes)
115         self.assertEquals(expected_messages,
116                           len(messages),
117                           "Did not receive the expected number of messages")
118
119         # Check the first message it should be an Authentication
120         # This is almost certainly Authentication over UDP, and is probably
121         # returning message too big,
122         msg = messages[0]
123         self.assertEquals("Authentication", msg["type"])
124         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
125         self.assertEquals("Kerberos KDC",
126                            msg["Authentication"]["serviceDescription"])
127         self.assertEquals(authTypes[1], msg["Authentication"]["authDescription"])
128
129         # Check the second message it should be an Authentication
130         # This this the TCP Authentication in response to the message too big
131         # response to the UDP Authentication
132         msg = messages[1]
133         self.assertEquals("Authentication", msg["type"])
134         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
135         self.assertEquals("Kerberos KDC",
136                            msg["Authentication"]["serviceDescription"])
137         self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"])
138
139         # Check the third message it should be an Authorization
140         msg = messages[2]
141         self.assertEquals("Authorization", msg["type"])
142         serviceDescription = "SMB"
143         print "binding %s" % binding
144         if binding == "[smb2]":
145             serviceDescription = "SMB2"
146
147         self.assertEquals(serviceDescription,
148                           msg["Authorization"]["serviceDescription"])
149         self.assertEquals(authTypes[3], msg["Authorization"]["authType"])
150         self.assertEquals("SMB", msg["Authorization"]["transportProtection"])
151
152
153     def test_rpc_ncacn_np_ntlm_dns_sign(self):
154         creds = self.insta_creds(template=self.get_credentials(),
155                                  kerberos_state=DONT_USE_KERBEROS)
156         self._test_rpc_ncacn_np(["NTLMSSP",
157                                  "NTLMSSP",
158                                  "NTLMSSP",
159                                  "NTLMSSP"],
160                                 creds, "dnsserver", "sign", "SIGN",
161                                 self.rpc_ncacn_np_ntlm_check)
162
163     def test_rpc_ncacn_np_ntlm_srv_sign(self):
164         creds = self.insta_creds(template=self.get_credentials(),
165                                  kerberos_state=DONT_USE_KERBEROS)
166         self._test_rpc_ncacn_np(["NTLMSSP",
167                                  "NTLMSSP",
168                                  "NTLMSSP",
169                                  "NTLMSSP"],
170                                 creds, "srvsvc", "sign", "SIGN",
171                                 self.rpc_ncacn_np_ntlm_check)
172
173     def test_rpc_ncacn_np_ntlm_dns(self):
174         creds = self.insta_creds(template=self.get_credentials(),
175                                  kerberos_state=DONT_USE_KERBEROS)
176         self._test_rpc_ncacn_np(["ncacn_np",
177                                  "NTLMSSP",
178                                  "NTLMSSP"],
179                                 creds, "dnsserver", "", "SMB",
180                                 self.rpc_ncacn_np_ntlm_check)
181
182     def test_rpc_ncacn_np_ntlm_srv(self):
183         creds = self.insta_creds(template=self.get_credentials(),
184                                  kerberos_state=DONT_USE_KERBEROS)
185         self._test_rpc_ncacn_np(["ncacn_np",
186                                  "NTLMSSP",
187                                  "NTLMSSP"],
188                                 creds, "srvsvc", "", "SMB",
189                                 self.rpc_ncacn_np_ntlm_check)
190
191     def test_rpc_ncacn_np_krb_dns_sign(self):
192         creds = self.insta_creds(template=self.get_credentials(),
193                                  kerberos_state=MUST_USE_KERBEROS)
194         self._test_rpc_ncacn_np(["krb5",
195                                  "ENC-TS Pre-authentication",
196                                  "ENC-TS Pre-authentication",
197                                  "krb5"],
198                                  creds, "dnsserver", "sign", "SIGN",
199                                  self.rpc_ncacn_np_krb5_check)
200
201     def test_rpc_ncacn_np_krb_srv_sign(self):
202         creds = self.insta_creds(template=self.get_credentials(),
203                                  kerberos_state=MUST_USE_KERBEROS)
204         self._test_rpc_ncacn_np(["krb5",
205                                  "ENC-TS Pre-authentication",
206                                  "ENC-TS Pre-authentication",
207                                  "krb5"],
208                                  creds, "srvsvc", "sign", "SIGN",
209                                  self.rpc_ncacn_np_krb5_check)
210
211     def test_rpc_ncacn_np_krb_dns(self):
212         creds = self.insta_creds(template=self.get_credentials(),
213                                  kerberos_state=MUST_USE_KERBEROS)
214         self._test_rpc_ncacn_np(["ncacn_np",
215                                  "ENC-TS Pre-authentication",
216                                  "ENC-TS Pre-authentication",
217                                  "krb5"],
218                                 creds, "dnsserver", "", "SMB",
219                                 self.rpc_ncacn_np_krb5_check)
220
221     def test_rpc_ncacn_np_krb_dns_smb2(self):
222         creds = self.insta_creds(template=self.get_credentials(),
223                                  kerberos_state=MUST_USE_KERBEROS)
224         self._test_rpc_ncacn_np(["ncacn_np",
225                                  "ENC-TS Pre-authentication",
226                                  "ENC-TS Pre-authentication",
227                                  "krb5"],
228                                 creds, "dnsserver", "smb2", "SMB",
229                                 self.rpc_ncacn_np_krb5_check)
230
231     def test_rpc_ncacn_np_krb_srv(self):
232         creds = self.insta_creds(template=self.get_credentials(),
233                                  kerberos_state=MUST_USE_KERBEROS)
234         self._test_rpc_ncacn_np(["ncacn_np",
235                                 "ENC-TS Pre-authentication",
236                                 "ENC-TS Pre-authentication",
237                                 "krb5"],
238                                 creds, "srvsvc", "", "SMB",
239                                 self.rpc_ncacn_np_krb5_check)
240
241     def _test_rpc_ncacn_ip_tcp(self, authTypes, creds, service,
242                                binding, protection, checkFunction):
243         def isLastExpectedMessage(msg):
244             return (msg["type"] == "Authorization" and
245                     msg["Authorization"]["serviceDescription"] == "DCE/RPC" and
246                     msg["Authorization"]["authType"] == authTypes[0] and
247                     msg["Authorization"]["transportProtection"] == protection)
248
249         if binding:
250             binding = "[%s]" % binding
251
252         if service == "dnsserver":
253             conn = dnsserver.dnsserver("ncacn_ip_tcp:%s%s" % (self.server, binding),
254                                        self.get_loadparm(),
255                                        creds)
256         elif service == "srvsvc":
257             conn = srvsvc.srvsvc("ncacn_ip_tcp:%s%s" % (self.server, binding),
258                                  self.get_loadparm(),
259                                  creds)
260
261
262         messages = self.waitForMessages(isLastExpectedMessage, conn)
263         checkFunction(messages, authTypes, service, binding, protection)
264
265     def rpc_ncacn_ip_tcp_ntlm_check(self, messages, authTypes, service,
266                                     binding, protection):
267
268         expected_messages = len(authTypes)
269         self.assertEquals(expected_messages,
270                           len(messages),
271                           "Did not receive the expected number of messages")
272
273         # Check the first message it should be an Authorization
274         msg = messages[0]
275         self.assertEquals("Authorization", msg["type"])
276         self.assertEquals("DCE/RPC",
277                           msg["Authorization"]["serviceDescription"])
278         self.assertEquals(authTypes[1], msg["Authorization"]["authType"])
279         self.assertEquals("NONE", msg["Authorization"]["transportProtection"])
280
281         # Check the second message it should be an Authentication
282         msg = messages[1]
283         self.assertEquals("Authentication", msg["type"])
284         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
285         self.assertEquals("DCE/RPC",
286                            msg["Authentication"]["serviceDescription"])
287         self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"])
288
289     def rpc_ncacn_ip_tcp_krb5_check(self, messages, authTypes, service,
290                                     binding, protection):
291
292         expected_messages = len(authTypes)
293         self.assertEquals(expected_messages,
294                           len(messages),
295                           "Did not receive the expected number of messages")
296
297         # Check the first message it should be an Authorization
298         msg = messages[0]
299         self.assertEquals("Authorization", msg["type"])
300         self.assertEquals("DCE/RPC",
301                           msg["Authorization"]["serviceDescription"])
302         self.assertEquals(authTypes[1], msg["Authorization"]["authType"])
303         self.assertEquals("NONE", msg["Authorization"]["transportProtection"])
304
305         # Check the second message it should be an Authentication
306         msg = messages[1]
307         self.assertEquals("Authentication", msg["type"])
308         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
309         self.assertEquals("Kerberos KDC",
310                            msg["Authentication"]["serviceDescription"])
311         self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"])
312
313         # Check the third message it should be an Authentication
314         msg = messages[2]
315         self.assertEquals("Authentication", msg["type"])
316         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
317         self.assertEquals("Kerberos KDC",
318                            msg["Authentication"]["serviceDescription"])
319         self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"])
320
321     def test_rpc_ncacn_ip_tcp_ntlm_dns_sign(self):
322         creds = self.insta_creds(template=self.get_credentials(),
323                                  kerberos_state=DONT_USE_KERBEROS)
324         self._test_rpc_ncacn_ip_tcp(["NTLMSSP",
325                                      "ncacn_ip_tcp",
326                                      "NTLMSSP"],
327                                      creds, "dnsserver", "sign", "SIGN",
328                                      self.rpc_ncacn_ip_tcp_ntlm_check)
329
330     def test_rpc_ncacn_ip_tcp_krb5_dns_sign(self):
331         creds = self.insta_creds(template=self.get_credentials(),
332                                  kerberos_state=MUST_USE_KERBEROS)
333         self._test_rpc_ncacn_ip_tcp(["krb5",
334                                      "ncacn_ip_tcp",
335                                      "ENC-TS Pre-authentication",
336                                      "ENC-TS Pre-authentication"],
337                                      creds, "dnsserver", "sign", "SIGN",
338                                      self.rpc_ncacn_ip_tcp_krb5_check)
339
340     def test_rpc_ncacn_ip_tcp_ntlm_dns(self):
341         creds = self.insta_creds(template=self.get_credentials(),
342                                  kerberos_state=DONT_USE_KERBEROS)
343         self._test_rpc_ncacn_ip_tcp(["NTLMSSP",
344                                      "ncacn_ip_tcp",
345                                      "NTLMSSP"],
346                                      creds, "dnsserver", "", "SIGN",
347                                      self.rpc_ncacn_ip_tcp_ntlm_check)
348
349     def test_rpc_ncacn_ip_tcp_krb5_dns(self):
350         creds = self.insta_creds(template=self.get_credentials(),
351                                  kerberos_state=MUST_USE_KERBEROS)
352         self._test_rpc_ncacn_ip_tcp(["krb5",
353                                      "ncacn_ip_tcp",
354                                      "ENC-TS Pre-authentication",
355                                      "ENC-TS Pre-authentication"],
356                                      creds, "dnsserver", "", "SIGN",
357                                      self.rpc_ncacn_ip_tcp_krb5_check)
358
359     def test_rpc_ncacn_ip_tcp_ntlm_dns_connect(self):
360         creds = self.insta_creds(template=self.get_credentials(),
361                                  kerberos_state=DONT_USE_KERBEROS)
362         self._test_rpc_ncacn_ip_tcp(["NTLMSSP",
363                                      "ncacn_ip_tcp",
364                                      "NTLMSSP"],
365                                      creds, "dnsserver", "connect", "NONE",
366                                      self.rpc_ncacn_ip_tcp_ntlm_check)
367
368     def test_rpc_ncacn_ip_tcp_krb5_dns_connect(self):
369         creds = self.insta_creds(template=self.get_credentials(),
370                                  kerberos_state=MUST_USE_KERBEROS)
371         self._test_rpc_ncacn_ip_tcp(["krb5",
372                                      "ncacn_ip_tcp",
373                                      "ENC-TS Pre-authentication",
374                                      "ENC-TS Pre-authentication"],
375                                      creds, "dnsserver", "connect", "NONE",
376                                      self.rpc_ncacn_ip_tcp_krb5_check)
377
378     def test_rpc_ncacn_ip_tcp_ntlm_dns_seal(self):
379         creds = self.insta_creds(template=self.get_credentials(),
380                                  kerberos_state=DONT_USE_KERBEROS)
381         self._test_rpc_ncacn_ip_tcp(["NTLMSSP",
382                                      "ncacn_ip_tcp",
383                                      "NTLMSSP"],
384                                      creds, "dnsserver", "seal", "SEAL",
385                                      self.rpc_ncacn_ip_tcp_ntlm_check)
386
387     def test_rpc_ncacn_ip_tcp_krb5_dns_seal(self):
388         creds = self.insta_creds(template=self.get_credentials(),
389                                  kerberos_state=MUST_USE_KERBEROS)
390         self._test_rpc_ncacn_ip_tcp(["krb5",
391                                      "ncacn_ip_tcp",
392                                      "ENC-TS Pre-authentication",
393                                      "ENC-TS Pre-authentication"],
394                                      creds, "dnsserver", "seal", "SEAL",
395                                      self.rpc_ncacn_ip_tcp_krb5_check)
396
397     def test_ldap(self):
398
399         def isLastExpectedMessage(msg):
400             return (msg["type"] == "Authorization" and
401                     msg["Authorization"]["serviceDescription"] == "LDAP" and
402                     msg["Authorization"]["transportProtection"] == "SIGN" and
403                     msg["Authorization"]["authType"] == "krb5")
404
405         self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"],
406                            lp = self.get_loadparm(),
407                            credentials=self.get_credentials())
408
409         messages = self.waitForMessages(isLastExpectedMessage)
410         self.assertEquals(3,
411                           len(messages),
412                           "Did not receive the expected number of messages")
413
414         # Check the first message it should be an Authentication
415         msg = messages[0]
416         self.assertEquals("Authentication", msg["type"])
417         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
418         self.assertEquals("Kerberos KDC",
419                            msg["Authentication"]["serviceDescription"])
420         self.assertEquals("ENC-TS Pre-authentication",
421                            msg["Authentication"]["authDescription"])
422
423         # Check the first message it should be an Authentication
424         msg = messages[1]
425         self.assertEquals("Authentication", msg["type"])
426         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
427         self.assertEquals("Kerberos KDC",
428                            msg["Authentication"]["serviceDescription"])
429         self.assertEquals("ENC-TS Pre-authentication",
430                            msg["Authentication"]["authDescription"])
431
432     def test_ldap_ntlm(self):
433
434         def isLastExpectedMessage(msg):
435             return (msg["type"] == "Authorization" and
436                     msg["Authorization"]["serviceDescription"] == "LDAP" and
437                     msg["Authorization"]["transportProtection"] == "SEAL" and
438                     msg["Authorization"]["authType"] == "NTLMSSP")
439
440         self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER_IP"],
441                            lp = self.get_loadparm(),
442                            credentials=self.get_credentials())
443
444         messages = self.waitForMessages(isLastExpectedMessage)
445         self.assertEquals(2,
446                           len(messages),
447                           "Did not receive the expected number of messages")
448         # Check the first message it should be an Authentication
449         msg = messages[0]
450         self.assertEquals("Authentication", msg["type"])
451         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
452         self.assertEquals("LDAP",
453                            msg["Authentication"]["serviceDescription"])
454         self.assertEquals("NTLMSSP", msg["Authentication"]["authDescription"])
455
456     def test_ldap_simple_bind(self):
457         def isLastExpectedMessage(msg):
458             return (msg["type"] == "Authorization" and
459                     msg["Authorization"]["serviceDescription"] == "LDAP" and
460                     msg["Authorization"]["transportProtection"] == "TLS" and
461                     msg["Authorization"]["authType"] == "simple bind")
462
463         creds = self.insta_creds(template=self.get_credentials())
464         creds.set_bind_dn("%s\\%s" % (creds.get_domain(),
465                                      creds.get_username()))
466
467         self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
468                            lp = self.get_loadparm(),
469                            credentials=creds)
470
471         messages = self.waitForMessages(isLastExpectedMessage)
472         self.assertEquals(2,
473                           len(messages),
474                           "Did not receive the expected number of messages")
475
476         # Check the first message it should be an Authentication
477         msg = messages[0]
478         self.assertEquals("Authentication", msg["type"])
479         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
480         self.assertEquals("LDAP",
481                            msg["Authentication"]["serviceDescription"])
482         self.assertEquals("simple bind",
483                            msg["Authentication"]["authDescription"])
484
485     def test_ldap_simple_bind_bad_password(self):
486         def isLastExpectedMessage(msg):
487             return (msg["type"] == "Authentication" and
488                     msg["Authentication"]["serviceDescription"] == "LDAP" and
489                     msg["Authentication"]["status"]
490                         == "NT_STATUS_WRONG_PASSWORD" and
491                     msg["Authentication"]["authDescription"] == "simple bind")
492
493         creds = self.insta_creds(template=self.get_credentials())
494         creds.set_password("badPassword")
495         creds.set_bind_dn("%s\\%s" % (creds.get_domain(),
496                                      creds.get_username()))
497
498         thrown = False
499         try:
500             self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
501                                lp = self.get_loadparm(),
502                                credentials=creds)
503         except LdbError:
504             thrown = True
505         self.assertEquals(thrown, True)
506
507         messages = self.waitForMessages(isLastExpectedMessage)
508         self.assertEquals(1,
509                           len(messages),
510                           "Did not receive the expected number of messages")
511
512
513     def test_ldap_simple_bind_bad_user(self):
514         def isLastExpectedMessage(msg):
515             return (msg["type"] == "Authentication" and
516                     msg["Authentication"]["serviceDescription"] == "LDAP" and
517                     msg["Authentication"]["status"]
518                         == "NT_STATUS_NO_SUCH_USER" and
519                     msg["Authentication"]["authDescription"] == "simple bind")
520
521         creds = self.insta_creds(template=self.get_credentials())
522         creds.set_bind_dn("%s\\%s" % (creds.get_domain(), "badUser"))
523
524         thrown = False
525         try:
526             self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
527                                lp = self.get_loadparm(),
528                                credentials=creds)
529         except LdbError:
530             thrown = True
531         self.assertEquals(thrown, True)
532
533         messages = self.waitForMessages(isLastExpectedMessage)
534         self.assertEquals(1,
535                           len(messages),
536                           "Did not receive the expected number of messages")
537
538
539     def test_ldap_simple_bind_unparseable_user(self):
540         def isLastExpectedMessage(msg):
541             return (msg["type"] == "Authentication" and
542                     msg["Authentication"]["serviceDescription"] == "LDAP" and
543                     msg["Authentication"]["status"]
544                         == "NT_STATUS_NO_SUCH_USER" and
545                     msg["Authentication"]["authDescription"] == "simple bind")
546
547         creds = self.insta_creds(template=self.get_credentials())
548         creds.set_bind_dn("%s\\%s" % (creds.get_domain(), "abdcef"))
549
550         thrown = False
551         try:
552             self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
553                                lp = self.get_loadparm(),
554                                credentials=creds)
555         except LdbError:
556             thrown = True
557         self.assertEquals(thrown, True)
558
559         messages = self.waitForMessages(isLastExpectedMessage)
560         self.assertEquals(1,
561                           len(messages),
562                           "Did not receive the expected number of messages")
563
564     #
565     # Note: as this test does not expect any messages it will
566     #       time out in the call to self.waitForMessages.
567     #       This is expected, but it will slow this test.
568     def test_ldap_anonymous_access_bind_only(self):
569         # Should be no logging for anonymous bind
570         # so receiving any message indicates a failure.
571         def isLastExpectedMessage( msg):
572             return True
573
574         creds = self.insta_creds(template=self.get_credentials())
575         creds.set_anonymous()
576
577         self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
578                            lp = self.get_loadparm(),
579                            credentials=creds)
580
581         messages = self.waitForMessages( isLastExpectedMessage)
582         self.assertEquals(0,
583                           len(messages),
584                           "Did not receive the expected number of messages")
585
586     def test_ldap_anonymous_access(self):
587         def isLastExpectedMessage( msg):
588             return (msg["type"] == "Authorization" and
589                     msg["Authorization"]["serviceDescription"]  == "LDAP" and
590                     msg["Authorization"]["transportProtection"] == "TLS" and
591                     msg["Authorization"]["account"] == "ANONYMOUS LOGON" and
592                     msg["Authorization"]["authType"] == "no bind")
593
594         creds = self.insta_creds(template=self.get_credentials())
595         creds.set_anonymous()
596
597         self.samdb = SamDB(url="ldaps://%s" % os.environ["SERVER"],
598                            lp = self.get_loadparm(),
599                            credentials=creds)
600
601         try:
602             res = self.samdb.search(base=self.samdb.domain_dn())
603             self.fail( "Expected an LdbError exception")
604         except LdbError:
605             pass
606
607         messages = self.waitForMessages( isLastExpectedMessage)
608         self.assertEquals(1,
609                           len(messages),
610                           "Did not receive the expected number of messages")
611     def test_smb(self):
612         def isLastExpectedMessage(msg):
613             return (msg["type"] == "Authorization" and
614                     msg["Authorization"]["serviceDescription"] == "SMB" and
615                     msg["Authorization"]["authType"] == "krb5" and
616                     msg["Authorization"]["transportProtection"] == "SMB")
617
618         creds = self.insta_creds(template=self.get_credentials())
619         smb.SMB(self.server,
620                 "sysvol",
621                 lp=self.get_loadparm(),
622                 creds=creds)
623
624         messages = self.waitForMessages(isLastExpectedMessage)
625         self.assertEquals(3,
626                           len(messages),
627                           "Did not receive the expected number of messages")
628         # Check the first message it should be an Authentication
629         msg = messages[0]
630         self.assertEquals("Authentication", msg["type"])
631         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
632         self.assertEquals("Kerberos KDC",
633                            msg["Authentication"]["serviceDescription"])
634         self.assertEquals("ENC-TS Pre-authentication",
635                            msg["Authentication"]["authDescription"])
636
637         # Check the second message it should be an Authentication
638         msg = messages[1]
639         self.assertEquals("Authentication", msg["type"])
640         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
641         self.assertEquals("Kerberos KDC",
642                            msg["Authentication"]["serviceDescription"])
643         self.assertEquals("ENC-TS Pre-authentication",
644                            msg["Authentication"]["authDescription"])
645
646     def test_smb_bad_password(self):
647         def isLastExpectedMessage(msg):
648             return (msg["type"] == "Authentication" and
649                     msg["Authentication"]["serviceDescription"]
650                         == "Kerberos KDC" and
651                     msg["Authentication"]["status"]
652                         == "NT_STATUS_WRONG_PASSWORD" and
653                     msg["Authentication"]["authDescription"]
654                         == "ENC-TS Pre-authentication")
655
656         creds = self.insta_creds(template=self.get_credentials())
657         creds.set_password("badPassword")
658
659         thrown = False
660         try:
661             smb.SMB(self.server,
662                     "sysvol",
663                     lp=self.get_loadparm(),
664                     creds=creds)
665         except NTSTATUSError:
666             thrown = True
667         self.assertEquals(thrown, True)
668
669         messages = self.waitForMessages(isLastExpectedMessage)
670         self.assertEquals(1,
671                           len(messages),
672                           "Did not receive the expected number of messages")
673
674
675     def test_smb_bad_user(self):
676         def isLastExpectedMessage(msg):
677             return (msg["type"] == "Authentication" and
678                     msg["Authentication"]["serviceDescription"]
679                         == "Kerberos KDC" and
680                     msg["Authentication"]["status"]
681                         == "NT_STATUS_NO_SUCH_USER" and
682                     msg["Authentication"]["authDescription"]
683                         == "ENC-TS Pre-authentication")
684
685         creds = self.insta_creds(template=self.get_credentials())
686         creds.set_username("badUser")
687
688         thrown = False
689         try:
690             smb.SMB(self.server,
691                     "sysvol",
692                     lp=self.get_loadparm(),
693                     creds=creds)
694         except NTSTATUSError:
695             thrown = True
696         self.assertEquals(thrown, True)
697
698         messages = self.waitForMessages(isLastExpectedMessage)
699         self.assertEquals(1,
700                           len(messages),
701                           "Did not receive the expected number of messages")
702
703     def test_smb_anonymous(self):
704         def isLastExpectedMessage(msg):
705             return (msg["type"] == "Authorization" and
706                     msg["Authorization"]["serviceDescription"] == "SMB" and
707                     msg["Authorization"]["authType"] == "NTLMSSP" and
708                     msg["Authorization"]["account"] == "ANONYMOUS LOGON" and
709                     msg["Authorization"]["transportProtection"] == "SMB")
710
711         server   = os.environ["SERVER"]
712
713         path = "//%s/IPC$" % server
714         auth = "-N"
715         call(["bin/smbclient", path, auth, "-c quit"])
716
717         messages = self.waitForMessages(isLastExpectedMessage)
718         self.assertEquals(3,
719                           len(messages),
720                           "Did not receive the expected number of messages")
721
722         # Check the first message it should be an Authentication
723         msg = messages[0]
724         self.assertEquals("Authentication", msg["type"])
725         self.assertEquals("NT_STATUS_NO_SUCH_USER",
726                           msg["Authentication"]["status"])
727         self.assertEquals("SMB",
728                           msg["Authentication"]["serviceDescription"])
729         self.assertEquals("NTLMSSP",
730                           msg["Authentication"]["authDescription"])
731         self.assertEquals("No-Password",
732                           msg["Authentication"]["passwordType"])
733
734         # Check the second message it should be an Authentication
735         msg = messages[1]
736         self.assertEquals("Authentication", msg["type"])
737         self.assertEquals("NT_STATUS_OK",
738                           msg["Authentication"]["status"])
739         self.assertEquals("SMB",
740                           msg["Authentication"]["serviceDescription"])
741         self.assertEquals("NTLMSSP",
742                           msg["Authentication"]["authDescription"])
743         self.assertEquals("No-Password",
744                           msg["Authentication"]["passwordType"])
745         self.assertEquals("ANONYMOUS LOGON",
746                           msg["Authentication"]["becameAccount"])
747
748     def test_smb_no_krb_spnego(self):
749         def isLastExpectedMessage(msg):
750             return (msg["type"] == "Authorization" and
751                     msg["Authorization"]["serviceDescription"] == "SMB" and
752                     msg["Authorization"]["authType"] == "NTLMSSP" and
753                     msg["Authorization"]["transportProtection"] == "SMB")
754
755         creds = self.insta_creds(template=self.get_credentials(),
756                                  kerberos_state=DONT_USE_KERBEROS)
757         smb.SMB(self.server,
758                 "sysvol",
759                 lp=self.get_loadparm(),
760                 creds=creds)
761
762         messages = self.waitForMessages(isLastExpectedMessage)
763         self.assertEquals(2,
764                           len(messages),
765                           "Did not receive the expected number of messages")
766         # Check the first message it should be an Authentication
767         msg = messages[0]
768         self.assertEquals("Authentication", msg["type"])
769         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
770         self.assertEquals("SMB",
771                           msg["Authentication"]["serviceDescription"])
772         self.assertEquals("NTLMSSP",
773                           msg["Authentication"]["authDescription"])
774         self.assertEquals("NTLMv2",
775                           msg["Authentication"]["passwordType"])
776
777     def test_smb_no_krb_spnego_bad_password(self):
778         def isLastExpectedMessage(msg):
779             return (msg["type"] == "Authentication" and
780                     msg["Authentication"]["serviceDescription"] == "SMB" and
781                     msg["Authentication"]["authDescription"] == "NTLMSSP" and
782                     msg["Authentication"]["passwordType"] == "NTLMv2" and
783                     msg["Authentication"]["status"]
784                         == "NT_STATUS_WRONG_PASSWORD")
785
786         creds = self.insta_creds(template=self.get_credentials(),
787                                  kerberos_state=DONT_USE_KERBEROS)
788         creds.set_password("badPassword")
789
790         thrown = False
791         try:
792             smb.SMB(self.server,
793                     "sysvol",
794                     lp=self.get_loadparm(),
795                     creds=creds)
796         except NTSTATUSError:
797             thrown = True
798         self.assertEquals(thrown, True)
799
800         messages = self.waitForMessages(isLastExpectedMessage)
801         self.assertEquals(1,
802                           len(messages),
803                           "Did not receive the expected number of messages")
804
805     def test_smb_no_krb_spnego_bad_user(self):
806         def isLastExpectedMessage(msg):
807             return (msg["type"] == "Authentication" and
808                     msg["Authentication"]["serviceDescription"] == "SMB" and
809                     msg["Authentication"]["authDescription"] == "NTLMSSP" and
810                     msg["Authentication"]["passwordType"] == "NTLMv2" and
811                     msg["Authentication"]["status"]
812                         == "NT_STATUS_NO_SUCH_USER")
813
814         creds = self.insta_creds(template=self.get_credentials(),
815                                  kerberos_state=DONT_USE_KERBEROS)
816         creds.set_username("badUser")
817
818         thrown = False
819         try:
820             smb.SMB(self.server,
821                     "sysvol",
822                     lp=self.get_loadparm(),
823                     creds=creds)
824         except NTSTATUSError:
825             thrown = True
826         self.assertEquals(thrown, True)
827
828         messages = self.waitForMessages(isLastExpectedMessage)
829         self.assertEquals(1,
830                           len(messages),
831                           "Did not receive the expected number of messages")
832
833     def test_smb_no_krb_no_spnego_no_ntlmv2(self):
834         def isLastExpectedMessage(msg):
835             return (msg["type"] == "Authorization" and
836                     msg["Authorization"]["serviceDescription"] == "SMB" and
837                     msg["Authorization"]["authType"] == "bare-NTLM" and
838                     msg["Authorization"]["transportProtection"] == "SMB")
839
840         creds = self.insta_creds(template=self.get_credentials(),
841                                  kerberos_state=DONT_USE_KERBEROS)
842         smb.SMB(self.server,
843                 "sysvol",
844                 lp=self.get_loadparm(),
845                 creds=creds,
846                 ntlmv2_auth=False,
847                 use_spnego=False)
848
849         messages = self.waitForMessages(isLastExpectedMessage)
850         self.assertEquals(2,
851                           len(messages),
852                           "Did not receive the expected number of messages")
853         # Check the first message it should be an Authentication
854         msg = messages[0]
855         self.assertEquals("Authentication", msg["type"])
856         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
857         self.assertEquals("SMB",
858                           msg["Authentication"]["serviceDescription"])
859         self.assertEquals("bare-NTLM",
860                           msg["Authentication"]["authDescription"])
861         self.assertEquals("NTLMv1",
862                           msg["Authentication"]["passwordType"])
863
864     def test_smb_no_krb_no_spnego_no_ntlmv2_bad_password(self):
865         def isLastExpectedMessage(msg):
866             return (msg["type"] == "Authentication" and
867                     msg["Authentication"]["serviceDescription"] == "SMB" and
868                     msg["Authentication"]["authDescription"] == "bare-NTLM" and
869                     msg["Authentication"]["passwordType"] == "NTLMv1" and
870                     msg["Authentication"]["status"]
871                         == "NT_STATUS_WRONG_PASSWORD")
872
873         creds = self.insta_creds(template=self.get_credentials(),
874                                  kerberos_state=DONT_USE_KERBEROS)
875         creds.set_password("badPassword")
876
877         thrown = False
878         try:
879             smb.SMB(self.server,
880                     "sysvol",
881                     lp=self.get_loadparm(),
882                     creds=creds,
883                     ntlmv2_auth=False,
884                     use_spnego=False)
885         except NTSTATUSError:
886             thrown = True
887         self.assertEquals(thrown, True)
888
889
890         messages = self.waitForMessages(isLastExpectedMessage)
891         self.assertEquals(1,
892                           len(messages),
893                           "Did not receive the expected number of messages")
894
895     def test_smb_no_krb_no_spnego_no_ntlmv2_bad_user(self):
896         def isLastExpectedMessage(msg):
897             return (msg["type"] == "Authentication" and
898                     msg["Authentication"]["serviceDescription"] == "SMB" and
899                     msg["Authentication"]["authDescription"] == "bare-NTLM" and
900                     msg["Authentication"]["passwordType"] == "NTLMv1" and
901                     msg["Authentication"]["status"]
902                         == "NT_STATUS_NO_SUCH_USER")
903
904         creds = self.insta_creds(template=self.get_credentials(),
905                                  kerberos_state=DONT_USE_KERBEROS)
906         creds.set_username("badUser")
907
908         thrown = False
909         try:
910             smb.SMB(self.server,
911                     "sysvol",
912                     lp=self.get_loadparm(),
913                     creds=creds,
914                     ntlmv2_auth=False,
915                     use_spnego=False)
916         except NTSTATUSError:
917             thrown = True
918         self.assertEquals(thrown, True)
919
920
921         messages = self.waitForMessages(isLastExpectedMessage)
922         self.assertEquals(1,
923                           len(messages),
924                           "Did not receive the expected number of messages")
925
926     def test_samlogon_interactive(self):
927
928         workstation = "AuthLogTests"
929
930         def isLastExpectedMessage( msg):
931             return (msg["type"] == "Authentication" and
932                     msg["Authentication"]["serviceDescription"]
933                         == "SamLogon" and
934                     msg["Authentication"]["authDescription"]
935                         == "interactive" and
936                     msg["Authentication"]["status"] == "NT_STATUS_OK" and
937                     msg["Authentication"]["workstation"]
938                         == r"\\%s" % workstation)
939
940         server   = os.environ["SERVER"]
941         user     = os.environ["USERNAME"]
942         password = os.environ["PASSWORD"]
943         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
944
945
946         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
947
948         messages = self.waitForMessages( isLastExpectedMessage)
949         received = len(messages)
950         self.assertIs(True,
951                       (received == 5 or received == 6),
952                       "Did not receive the expected number of messages")
953
954     def test_samlogon_interactive_bad_password(self):
955
956         workstation = "AuthLogTests"
957
958         def isLastExpectedMessage( msg):
959             return (msg["type"] == "Authentication" and
960                     msg["Authentication"]["serviceDescription"]
961                         == "SamLogon" and
962                     msg["Authentication"]["authDescription"]
963                         == "interactive" and
964                     msg["Authentication"]["status"]
965                         == "NT_STATUS_WRONG_PASSWORD" and
966                     msg["Authentication"]["workstation"]
967                         == r"\\%s" % workstation)
968
969         server   = os.environ["SERVER"]
970         user     = os.environ["USERNAME"]
971         password = "badPassword"
972         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
973
974
975         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
976
977         messages = self.waitForMessages( isLastExpectedMessage)
978         received = len(messages)
979         self.assertIs(True,
980                       (received == 5 or received == 6),
981                       "Did not receive the expected number of messages")
982
983     def test_samlogon_interactive_bad_user(self):
984
985         workstation = "AuthLogTests"
986
987         def isLastExpectedMessage( msg):
988             return (msg["type"] == "Authentication" and
989                     msg["Authentication"]["serviceDescription"]
990                         == "SamLogon" and
991                     msg["Authentication"]["authDescription"]
992                         == "interactive" and
993                     msg["Authentication"]["status"]
994                         == "NT_STATUS_NO_SUCH_USER" and
995                     msg["Authentication"]["workstation"]
996                         == r"\\%s" % workstation)
997
998         server   = os.environ["SERVER"]
999         user     = "badUser"
1000         password = os.environ["PASSWORD"]
1001         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
1002
1003
1004         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1005
1006         messages = self.waitForMessages( isLastExpectedMessage)
1007         received = len(messages)
1008         self.assertIs(True,
1009                       (received == 5 or received == 6),
1010                       "Did not receive the expected number of messages")
1011
1012     def test_samlogon_network(self):
1013
1014         workstation = "AuthLogTests"
1015
1016         def isLastExpectedMessage( msg):
1017             return (msg["type"] == "Authentication" and
1018                     msg["Authentication"]["serviceDescription"]
1019                         == "SamLogon" and
1020                     msg["Authentication"]["authDescription"]
1021                         == "network" and
1022                     msg["Authentication"]["status"] == "NT_STATUS_OK" and
1023                     msg["Authentication"]["workstation"]
1024                         == r"\\%s" % workstation)
1025
1026         server   = os.environ["SERVER"]
1027         user     = os.environ["USERNAME"]
1028         password = os.environ["PASSWORD"]
1029         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
1030
1031
1032         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1033
1034         messages = self.waitForMessages( isLastExpectedMessage)
1035         received = len(messages)
1036         self.assertIs(True,
1037                       (received == 5 or received == 6),
1038                       "Did not receive the expected number of messages")
1039
1040     def test_samlogon_network_bad_password(self):
1041
1042         workstation = "AuthLogTests"
1043
1044         def isLastExpectedMessage( msg):
1045             return (msg["type"] == "Authentication" and
1046                     msg["Authentication"]["serviceDescription"]
1047                         == "SamLogon" and
1048                     msg["Authentication"]["authDescription"]
1049                         == "network" and
1050                     msg["Authentication"]["status"]
1051                         == "NT_STATUS_WRONG_PASSWORD" and
1052                     msg["Authentication"]["workstation"]
1053                         == r"\\%s" % workstation)
1054
1055         server   = os.environ["SERVER"]
1056         user     = os.environ["USERNAME"]
1057         password = "badPassword"
1058         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
1059
1060
1061         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1062
1063         messages = self.waitForMessages( isLastExpectedMessage)
1064         received = len(messages)
1065         self.assertIs(True,
1066                       (received == 5 or received == 6),
1067                       "Did not receive the expected number of messages")
1068
1069     def test_samlogon_network_bad_user(self):
1070
1071         workstation = "AuthLogTests"
1072
1073         def isLastExpectedMessage( msg):
1074             return (msg["type"] == "Authentication" and
1075                     msg["Authentication"]["serviceDescription"]
1076                         == "SamLogon" and
1077                     msg["Authentication"]["authDescription"]
1078                         == "network" and
1079                     msg["Authentication"]["status"]
1080                         == "NT_STATUS_NO_SUCH_USER" and
1081                     msg["Authentication"]["workstation"]
1082                         == r"\\%s" % workstation)
1083
1084         server   = os.environ["SERVER"]
1085         user     = "badUser"
1086         password =  os.environ["PASSWORD"]
1087         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
1088
1089
1090         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1091
1092         messages = self.waitForMessages( isLastExpectedMessage)
1093         received = len(messages)
1094         self.assertIs(True,
1095                       (received == 5 or received == 6),
1096                       "Did not receive the expected number of messages")
1097
1098     def test_samlogon_network_mschap(self):
1099
1100         workstation = "AuthLogTests"
1101
1102         def isLastExpectedMessage( msg):
1103             return (msg["type"] == "Authentication" and
1104                     msg["Authentication"]["serviceDescription"]
1105                         == "SamLogon" and
1106                     msg["Authentication"]["authDescription"]
1107                         == "network" and
1108                     msg["Authentication"]["status"] == "NT_STATUS_OK" and
1109                     msg["Authentication"]["passwordType"] == "MSCHAPv2" and
1110                     msg["Authentication"]["workstation"]
1111                         == r"\\%s" % workstation)
1112
1113         server   = os.environ["SERVER"]
1114         user     = os.environ["USERNAME"]
1115         password = os.environ["PASSWORD"]
1116         samlogon = "samlogon %s %s %s %d 0x00010000" % (user, password, workstation, 2)
1117
1118
1119         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1120
1121         messages = self.waitForMessages( isLastExpectedMessage)
1122         received = len(messages)
1123         self.assertIs(True,
1124                       (received == 5 or received == 6),
1125                       "Did not receive the expected number of messages")
1126
1127     def test_samlogon_network_mschap_bad_password(self):
1128
1129         workstation = "AuthLogTests"
1130
1131         def isLastExpectedMessage( msg):
1132             return (msg["type"] == "Authentication" and
1133                     msg["Authentication"]["serviceDescription"]
1134                         == "SamLogon" and
1135                     msg["Authentication"]["authDescription"]
1136                         == "network" and
1137                     msg["Authentication"]["status"]
1138                         == "NT_STATUS_WRONG_PASSWORD" and
1139                     msg["Authentication"]["passwordType"] == "MSCHAPv2" and
1140                     msg["Authentication"]["workstation"]
1141                         == r"\\%s" % workstation)
1142
1143         server   = os.environ["SERVER"]
1144         user     = os.environ["USERNAME"]
1145         password = "badPassword"
1146         samlogon = "samlogon %s %s %s %d 0x00010000" % (user, password, workstation, 2)
1147
1148
1149         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1150
1151         messages = self.waitForMessages( isLastExpectedMessage)
1152         received = len(messages)
1153         self.assertIs(True,
1154                       (received == 5 or received == 6),
1155                       "Did not receive the expected number of messages")
1156
1157     def test_samlogon_network_mschap_bad_user(self):
1158
1159         workstation = "AuthLogTests"
1160
1161         def isLastExpectedMessage( msg):
1162             return (msg["type"] == "Authentication" and
1163                     msg["Authentication"]["serviceDescription"]
1164                         == "SamLogon" and
1165                     msg["Authentication"]["authDescription"]
1166                         == "network" and
1167                     msg["Authentication"]["status"]
1168                         == "NT_STATUS_NO_SUCH_USER" and
1169                     msg["Authentication"]["passwordType"] == "MSCHAPv2" and
1170                     msg["Authentication"]["workstation"]
1171                         == r"\\%s" % workstation)
1172
1173         server   = os.environ["SERVER"]
1174         user     = "badUser"
1175         password = os.environ["PASSWORD"]
1176         samlogon = "samlogon %s %s %s %d 0x00010000" % (user, password, workstation, 2)
1177
1178
1179         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1180
1181         messages = self.waitForMessages( isLastExpectedMessage)
1182         received = len(messages)
1183         self.assertIs(True,
1184                       (received == 5 or received == 6),
1185                       "Did not receive the expected number of messages")
1186
1187     def test_samlogon_schannel_seal(self):
1188
1189         workstation = "AuthLogTests"
1190
1191         def isLastExpectedMessage( msg):
1192             return (msg["type"] == "Authentication" and
1193                     msg["Authentication"]["serviceDescription"]
1194                         == "SamLogon" and
1195                     msg["Authentication"]["authDescription"]
1196                         == "network" and
1197                     msg["Authentication"]["status"] == "NT_STATUS_OK" and
1198                     msg["Authentication"]["workstation"]
1199                         == r"\\%s" % workstation)
1200
1201         server   = os.environ["SERVER"]
1202         user     = os.environ["USERNAME"]
1203         password = os.environ["PASSWORD"]
1204         samlogon = "schannel;samlogon %s %s %s" % (user, password, workstation)
1205
1206
1207         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1208
1209         messages = self.waitForMessages( isLastExpectedMessage)
1210         received = len(messages)
1211         self.assertIs(True,
1212                       (received == 5 or received == 6),
1213                       "Did not receive the expected number of messages")
1214
1215         # Check the second to last message it should be an Authorization
1216         msg = messages[-2]
1217         self.assertEquals("Authorization", msg["type"])
1218         self.assertEquals("DCE/RPC",
1219                           msg["Authorization"]["serviceDescription"])
1220         self.assertEquals("schannel",  msg["Authorization"]["authType"])
1221         self.assertEquals("SEAL", msg["Authorization"]["transportProtection"])
1222
1223     # Signed logons get promoted to sealed, this test ensures that
1224     # this behaviour is not removed accidently
1225     def test_samlogon_schannel_sign(self):
1226
1227         workstation = "AuthLogTests"
1228
1229         def isLastExpectedMessage( msg):
1230             return (msg["type"] == "Authentication" and
1231                     msg["Authentication"]["serviceDescription"]
1232                         == "SamLogon" and
1233                     msg["Authentication"]["authDescription"]
1234                         == "network" and
1235                     msg["Authentication"]["status"] == "NT_STATUS_OK" and
1236                     msg["Authentication"]["workstation"]
1237                         == r"\\%s" % workstation)
1238
1239         server   = os.environ["SERVER"]
1240         user     = os.environ["USERNAME"]
1241         password = os.environ["PASSWORD"]
1242         samlogon = "schannelsign;samlogon %s %s %s" % (user, password, workstation)
1243
1244
1245         call(["bin/rpcclient", "-c", samlogon, "-U%", server])
1246
1247         messages = self.waitForMessages( isLastExpectedMessage)
1248         received = len(messages)
1249         self.assertIs(True,
1250                       (received == 5 or received == 6),
1251                       "Did not receive the expected number of messages")
1252
1253         # Check the second to last message it should be an Authorization
1254         msg = messages[-2]
1255         self.assertEquals("Authorization", msg["type"])
1256         self.assertEquals("DCE/RPC",
1257                           msg["Authorization"]["serviceDescription"])
1258         self.assertEquals("schannel",  msg["Authorization"]["authType"])
1259         self.assertEquals("SEAL", msg["Authorization"]["transportProtection"])