python/samba/tests/password_hash_ldap.py

   1 # Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
   2 #
   3 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18
  19 """
  20 Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
  21
  22 These tests are designed to also run against Windows to confirm the values
  23 returned from Windows.
  24
  25 To run against Windows:
  26 Set the following environment variables:
  27    PASSWORD=Administrator password
  28    USERNAME=Administrator
  29    SMB_CONF_PATH=/dev/null
  30    PYTHONPATH=bin/python
  31    SERVER=Windows server IP
  32
  33    /usr/bin/python source4/scripting/bin/subunitrun
  34        samba.tests.password_hash_ldap.PassWordHashLDAPTests
  35        -U"Administrator%adminpassword"
  36 """
  37
  38 from samba.tests.password_hash import (
  39     PassWordHashTests,
  40     get_package,
  41     USER_NAME,
  42     USER_PASS
  43 )
  44 from samba.samdb import SamDB
  45 from samba.ndr import ndr_unpack
  46 from samba.dcerpc import drsblobs, drsuapi, misc
  47 from samba import drs_utils, net
  48 from samba.credentials import Credentials
  49 import binascii
  50 import os
  51
  52 def attid_equal(a1, a2):
  53     return (a1 & 0xffffffff) == (a2 & 0xffffffff)
  54
  55 class PassWordHashLDAPTests(PassWordHashTests):
  56
  57     def setUp(self):
  58         super(PassWordHashLDAPTests, self).setUp()
  59
  60     # Get the supplemental credentials for the user under test
  61     def get_supplemental_creds_drs(self):
  62         binding_str = "ncacn_ip_tcp:%s[seal]" % os.environ["SERVER"]
  63         dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
  64         drs = drsuapi.drsuapi(binding_str, self.get_loadparm(), self.creds)
  65         (drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs)
  66
  67         req8 = drsuapi.DsGetNCChangesRequest8()
  68
  69         null_guid = misc.GUID()
  70         req8.destination_dsa_guid          = null_guid
  71         req8.source_dsa_invocation_id      = null_guid
  72         req8.naming_context                = drsuapi.DsReplicaObjectIdentifier()
  73         req8.naming_context.dn             = unicode(dn)
  74
  75         req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
  76         req8.highwatermark.tmp_highest_usn = 0
  77         req8.highwatermark.reserved_usn    = 0
  78         req8.highwatermark.highest_usn     = 0
  79         req8.uptodateness_vector           = None
  80         req8.replica_flags                 = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
  81                                               drsuapi.DRSUAPI_DRS_PER_SYNC |
  82                                               drsuapi.DRSUAPI_DRS_GET_ANC |
  83                                               drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
  84                                               drsuapi.DRSUAPI_DRS_WRIT_REP)
  85         req8.max_object_count         = 402
  86         req8.max_ndr_size             = 402116
  87         req8.extended_op              = drsuapi.DRSUAPI_EXOP_REPL_OBJ
  88         req8.fsmo_info                = 0
  89         req8.partial_attribute_set    = None
  90         req8.partial_attribute_set_ex = None
  91         req8.mapping_ctr.num_mappings = 0
  92         req8.mapping_ctr.mappings     = None
  93         (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
  94
  95         obj_item = ctr.first_object
  96         obj = obj_item.object
  97
  98         sc_blob = None
  99
 100         for i in range(0, obj.attribute_ctr.num_attributes):
 101             attr = obj.attribute_ctr.attributes[i]
 102             if attid_equal(attr.attid,
 103                            drsuapi.DRSUAPI_ATTID_supplementalCredentials):
 104                 net_ctx = net.Net(self.creds)
 105                 net_ctx.replicate_decrypt(drs, attr, 0)
 106                 sc_blob = attr.value_ctr.values[0].blob
 107
 108
 109         sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
 110         return sc
 111
 112     def test_wDigest_supplementalCredentials(self):
 113         self.creds = Credentials()
 114         self.creds.set_username(os.environ["USERNAME"])
 115         self.creds.set_password(os.environ["PASSWORD"])
 116         self.creds.guess(self.lp)
 117         ldb = SamDB("ldap://" + os.environ["SERVER"],
 118                     credentials=self.creds,
 119                     lp=self.lp)
 120
 121         self.add_user(ldb=ldb)
 122
 123         sc = self.get_supplemental_creds_drs()
 124
 125         (pos, package) = get_package(sc, "Primary:WDigest")
 126         self.assertEquals("Primary:WDigest", package.name)
 127
 128         # Check that the WDigest values are correct.
 129         #
 130         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 131                              binascii.a2b_hex(package.data))
 132         self.check_wdigests(digests)