path: root/python/samba/tests
Commit message | Author | Age | Files | Lines
* tests/krb5: Add tests for authentication policies | Joseph Sutton | 2023-05-18 | 3 | -0/+6591
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow specifying whether PA-DATA types are to be checked | Joseph Sutton | 2023-05-18 | 2 | -50/+61
  Not all tests are intended to test that the correct PA-DATA types are returned. This parameter allows us to skip checking for cases where we don’t care. View with ‘git show -b’.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow server and workstation accounts to perform a SamLogon | Joseph Sutton | 2023-05-18 | 1 | -0/+3
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow specifying machine credentials to _test_samlogon() | Joseph Sutton | 2023-05-18 | 1 | -9/+11
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Rename ‘server’ to ‘dc_server’ | Joseph Sutton | 2023-05-18 | 1 | -3/+3
  This makes it more clear that this is in fact the DC.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data | Joseph Sutton | 2023-05-18 | 1 | -24/+81
  Certain clients rely on this behaviour.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Improve edata checking | Joseph Sutton | 2023-05-18 | 3 | -24/+71
  Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA and fall back to METHOD_DATA if that fails. The environment variable EXPECT_NT_STATUS indicates that the KDC supports returning a status code in the e-data field.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unused import | Joseph Sutton | 2023-05-18 | 1 | -1/+0
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python:tests: Remove unused variables | Joseph Sutton | 2023-05-16 | 1 | -6/+6
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Improve _test_samr_change_password() method | Joseph Sutton | 2023-05-05 | 2 | -17/+116
  Instead of using anonymous credentials, we now connect using the passed-in credentials. We now correctly construct nt_password and nt_verifier so as to successfully change the password, instead of having to distinguish between a WRONG_PASSWORD error and an error caused by the password change being disallowed.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Don’t delete silo until all tests have finished | Joseph Sutton | 2023-05-05 | 1 | -2/+2
  It’s possible that we reuse the same silo across multiple tests. In that case, we should not delete it until we are sure we have finished with it.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Add remove_attribute() helper function | Joseph Sutton | 2023-05-05 | 1 | -0/+8
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Have set_forced_key() also set the NT hash | Joseph Sutton | 2023-05-05 | 1 | -1/+9
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Make _tgs_req() more configurable | Joseph Sutton | 2023-05-05 | 1 | -8/+19
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Make use of check_tgs_reply() | Joseph Sutton | 2023-05-05 | 1 | -1/+1
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow specifying an encoded security descriptor | Joseph Sutton | 2023-05-05 | 1 | -3/+4
  If we get a string, we’ll still assume it’s a DN and create a security descriptor using it. This is useful in cases where we don’t have a DN (e.g., the account is not created yet).
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Rename ‘objectclass’ to use correct case | Joseph Sutton | 2023-05-05 | 1 | -1/+1
  This means that tests can now specify values for ‘objectClass’ in additional_details which override the default value.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’ | Joseph Sutton | 2023-05-05 | 2 | -16/+16
  Make it clear that this relates to authentication, not authorization.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Create account cache key only if needed | Joseph Sutton | 2023-05-05 | 1 | -2/+1
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Delete non-reusable accounts as soon as possible | Joseph Sutton | 2023-05-05 | 1 | -6/+21
  This helps to mitigate Samba’s slow account deletion.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Refactor _test_samlogon() | Joseph Sutton | 2023-05-05 | 1 | -21/+24
  Move logic specific to the Network logon into that branch, so it’s easier to see what’s going on.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow setting a servicePrincipalName on a user account | Joseph Sutton | 2023-05-05 | 1 | -1/+0
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Fix parameter default | Joseph Sutton | 2023-05-05 | 1 | -1/+1
  Now that add_dollar is honoured for all account types, we don’t want to pass add_dollar=True for user accounts.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unused parameter | Joseph Sutton | 2023-05-05 | 1 | -1/+0
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Test that the salt for a managed service account is computed correctly | Joseph Sutton | 2023-05-05 | 1 | -0/+142
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow creating managed service accounts | Joseph Sutton | 2023-05-05 | 1 | -0/+8
  These will be useful for testing authentication policies.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Always heed the add_dollar parameter | Joseph Sutton | 2023-05-05 | 1 | -3/+6
  Not just if the account to be created is a computer. This allows us to create other types of accounts with a trailing dollar.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unused import | Joseph Sutton | 2023-05-05 | 1 | -1/+0
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unneeded assertions | Joseph Sutton | 2023-05-05 | 1 | -5/+5
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow creating an account with an assigned policy or silo | Joseph Sutton | 2023-05-05 | 1 | -1/+11
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Add method to create an authentication policy | Joseph Sutton | 2023-05-05 | 1 | -0/+103
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Generify protected users test methods | Joseph Sutton | 2023-05-05 | 3 | -49/+56
  We can reuse them to test accounts restricted authentication in some form or another.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Handle NT hashes being disabled | Joseph Sutton | 2023-05-05 | 7 | -34/+65
  If NT hashes are disabled, we should not expect the RC4 enctype to be available for non-computer accounts.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Pass client credentials down into kdc_exchange_dict | Joseph Sutton | 2023-05-05 | 12 | -160/+198
  These are useful inside the test infrastructure.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove test for OemChangePasswordUser2() | Joseph Sutton | 2023-05-05 | 1 | -20/+1
  We don’t implement this anymore (since commit 0f53bfe7230c5e76f7ceb8baf98a9ef38a35356f).
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Split out functions for testing logons and password changes | Joseph Sutton | 2023-05-05 | 2 | -103/+102
  This allows their use for testing other forms of restricted accounts.
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gpo: Group Policy tests require a s3 loadparam | David Mulder | 2023-04-28 | 1 | -1/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225
  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gpupdate: Deprecate libgpo.get_gpo_list | David Mulder | 2023-04-28 | 2 | -7/+1
  This is no longer used by gpupdate.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225
  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gpupdate: Implement get_gpo_list in python | David Mulder | 2023-04-28 | 1 | -85/+57
  The ADS code in libgpo is buggy. Rewrite get_gpo_list in python using SamDB.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225
  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string rights | Noel Power | 2023-04-28 | 3 | -12/+12
  Prior to this patch rights matching "FA", "FR", "FW", "FX" were outputted as the hex string representing the bit value.
  While outputting the hex string is perfectly fine, it makes it harder to compare icacls output (which always uses the special string values).
  Additionally adjust various tests to deal with use of shortcut access masks as sddl format now uses FA, FR, FW & FX strings (like icacls does) instead of hex representation of the bit mask.
  adjust
    samba4.blackbox.samba-tool_ntacl
    samba3.blackbox.large_acl
    samba.tests.samba_tool.ntacl
    samba.tests.ntacls
    samba.tests.posixacl
  so various string comparisons of the sddl format now pass
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  [abartlet@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex numbers, eg 0x001]
* pytest:sddl: show the correct handling of the "FA" SDDL flag | Andrew Bartlett | 2023-04-28 | 1 | -1/+11
  The "FA" flag should map to 0x1f01ff, and 0x1f01ff should be converted back into "FA". This will be fixed over the next couple of commits.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* pytest:sddl Samba had the wrong value for FA, now fix the tests | Andrew Bartlett | 2023-04-28 | 1 | -109/+39
  The tests that were in SddlWindowsFlagsAreDifferent have the behaviour we want, and as we aim for Samba flags no longer being different, we shift them to SddlNonCanonical. The tests in SddlSambaDoesItsOwnThing are removed because they showed Samba's old behaviour around FA. This will create knownfails, which will be fixed by the commit fixing the value of "FA".
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* pytest:sddl: test we only accept normal GUIDs | Douglas Bagnall | 2023-04-28 | 1 | -0/+9
  By normal GUID, I mean ones like f30e3bbf-9ff0-11d1-b603-0000f80367c1, with four hyphens and no curly braces.
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pytest:sddl: tests around spaces in access flags and SIDs | Douglas Bagnall | 2023-04-28 | 1 | -2/+30
  It turns out that in access flags Windows will allow leading spaces and spaces separating flags but not trailing spaces. We choose to follow this in part because we found it happening in the wild in our tests for upgradeprovision until a few commits ago. Windows will also allow spaces in some parts of SIDs.
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pytest:sddl debugging: should_fail test says how it failed | Douglas Bagnall | 2023-04-28 | 1 | -1/+2
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pytest:sddl: add tests for long DACLs, differing flag interpretations | Douglas Bagnall | 2023-04-28 | 1 | -0/+121
  Windows converts hex numbers into flags differently, and has different ideas of what constitutes "FA", and possibly others.
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pytest:sddl: let hex numbers differ in case (0xa == 0xA) | Douglas Bagnall | 2023-04-28 | 1 | -1/+5
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pytest:sddl: helpers to exchange SDDL strings with Windows testprogram | Douglas Bagnall | 2023-04-28 | 1 | -0/+88
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pytest:sddl: SDDL strings where Windows behaviour differs | Douglas Bagnall | 2023-04-28 | 1 | -0/+62
  These ones we might want to match. They are understandable behaviours, like matching lowercase flags and coping with whitespace in some places. These tests are set up to document the differences without overwhelming the knownfails.
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* pytest:sddl: Add negative tests of unparseable strings | Douglas Bagnall | 2023-04-28 | 1 | -0/+78
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>