From 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7 Mon Sep 17 00:00:00 2001
From: Tim Beale
Date: Tue, 4 Jul 2017 17:27:27 +1200
Subject: [PATCH] selftest: Add test for password change when NTLM is disabled
When NTLM is disabled, the server should reject NTLM-based password changes. Changing the password is a bit complicated from python, but because the server should reject the password change outright with NTLM_BLOCKED, the test doesn't actually need to provide valid credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale
Reviewed-by: Andrew Bartlett
Reviewed-by: Garming Sam
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
---
 python/samba/tests/ntlmauth.py | 46 ++++++++++++++++++++++++----------
 selftest/knownfail | 2 ++
 2 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/python/samba/tests/ntlmauth.py b/python/samba/tests/ntlmauth.py
index 8db1ad09274..a232bf26012 100644
--- a/python/samba/tests/ntlmauth.py
+++ b/python/samba/tests/ntlmauth.py
@@ -19,13 +19,13 @@ from samba.tests import TestCase
 import os
 import samba
-from samba.credentials import Credentials, DONT_USE_KERBEROS
+from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
 from samba import NTSTATUSError, ntstatus
 import ctypes
 from samba import credentials
-from samba.dcerpc import srvsvc
+from samba.dcerpc import srvsvc, samr, lsa
 """ Tests basic NTLM authentication
@@ -37,24 +37,21 @@ class NtlmAuthTests(TestCase):
 super(NtlmAuthTests, self).setUp()
 self.lp = self.get_loadparm()
+ self.server = os.getenv("SERVER")
-
+ self.creds = Credentials()
+ self.creds.guess(self.lp)
+ self.creds.set_username(os.getenv("USERNAME"))
+ self.creds.set_domain(self.server)
+ self.creds.set_password(os.getenv("PASSWORD"))
+ self.creds.set_kerberos_state(DONT_USE_KERBEROS)
 def tearDown(self):
 super(NtlmAuthTests, self).tearDown()
 def test_ntlm_connection(self):
- server = os.getenv("SERVER")
-
- creds = credentials.Credentials()
- creds.guess(self.lp)
- creds.set_username(os.getenv("USERNAME"))
- creds.set_domain(server)
- creds.set_password(os.getenv("PASSWORD"))
- creds.set_kerberos_state(DONT_USE_KERBEROS)
-
 try:
- conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % server, self.lp, creds)
+ conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
 self.assertIsNotNone(conn)
 except NTSTATUSError as e:
@@ -65,4 +62,27 @@ class NtlmAuthTests(TestCase):
 else:
 raise
+ def test_samr_change_password(self):
+ self.creds.set_kerberos_state(MUST_USE_KERBEROS)
+ conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
+
+ # we want to check whether this gets rejected outright because NTLM is
+ # disabled, so we don't actually need to encrypt a valid password here
+ server = lsa.String()
+ server.string = self.server
+ username = lsa.String()
+ username.string = os.getenv("USERNAME")
+
+ try:
+ conn.ChangePasswordUser2(server, username, None, None, True, None, None)
+ except NTSTATUSError as e:
+ # changing passwords is rejected when NTLM is disabled
+ enum = ctypes.c_uint32(e[0]).value
+ if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
+ self.fail("NTLM is disabled on this server")
+ elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
+ # expected error case when NTLM is enabled
+ pass
+ else:
+ raise
diff --git a/selftest/knownfail b/selftest/knownfail
index 1cba331bcf0..f41b99d0e39 100644
--- a/selftest/knownfail
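Review bot: `setUp` now reads `SERVER`, `USERNAME` and `PASSWORD` with `os.getenv` for every test and stores the results unchecked, so a missing variable puts `None` into `self.creds` and into the `"ncacn_np:%s[smb2,ntlm]" % self.server` binding, which would presumably surface as an unrelated connection error. A guard right after the lookup, for example `self.assertIsNotNone(self.server, "SERVER is not set")`, would make that failure readable. A one-line comment that `self.creds` starts as NTLM-only (`DONT_USE_KERBEROS`) and that individual tests may change the Kerberos state would also help the next reader. The `def setUp` line itself is outside the hunk.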
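Review bot: In `test_samr_change_password` the `try` around `conn.ChangePasswordUser2(...)` has no success branch, so a server that accepts the call without raising lets the test pass. Since `NT_STATUS_WRONG_PASSWORD` is the only expected outcome when NTLM is enabled, add `else: self.fail("ChangePasswordUser2 unexpectedly succeeded")` after the `except` block. `samr.samr(...)` is also opened with only the binding string, so the preceding `self.creds.set_kerberos_state(MUST_USE_KERBEROS)` does not appear to reach this connection. Passing `self.lp, self.creds`, as `test_ntlm_connection` does, would make the intended authentication explicit. The binding can use `self.server` instead of a second `os.getenv("SERVER")`.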
+++ b/selftest/knownfail
@@ -342,3 +342,5 @@ ^samba.tests.netlogonsvc.python\(fileserver\)
 # NTLM authentication is (intentionally) disabled in ktest
 ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\)
+# Disabling NTLM means you can't use samr to change the password
+^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\)
--
2.34.1
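Review bot: The new knownfail entry is satisfied by any failure of `test_samr_change_password` in ktest, not only by `NT_STATUS_NTLM_BLOCKED`, so an error while opening the `samr` connection would also count as the expected result. If the goal is to show that the server blocks NTLM-based password changes (the bug referenced in the commit message), a test that asserts the status code directly in the NTLM-disabled environment would be a stronger regression check than an expected-failure entry. At minimum the comment could name the status that is expected, e.g. `# Disabling NTLM means samr password change fails with NT_STATUS_NTLM_BLOCKED`.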