# Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
#
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

"""
Tests for source4/dsdb/samdb/ldb_modules/password_hash.c

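These tests are designed to also run against Windows to confirm the values
returned from Windows.

The test reads SERVER, USERNAME and PASSWORD from the environment, adds the
test user over LDAP and then fetches that user's supplementalCredentials
with a DRSUAPI DsGetNCChanges single-object replication request, so the
account used must be allowed to replicate secret attributes.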

To run against Windows:
Set the following environment variables:
   PASSWORD=Administrator password
   USERNAME=Administrator
   SMB_CONF_PATH=/dev/null
   PYTHONPATH=bin/python
   SERVER=Windows server IP

   /usr/bin/python source4/scripting/bin/subunitrun
       samba.tests.password_hash_ldap.PassWordHashLDAPTests
       -U"Administrator%adminpassword"
"""

from samba.tests.password_hash import (
    PassWordHashTests,
    get_package,
    USER_NAME,
    USER_PASS
)
from samba.samdb import SamDB
from samba.ndr import ndr_unpack
from samba.dcerpc import drsblobs, drsuapi, misc
from samba import drs_utils, net
from samba.credentials import Credentials
import binascii
import os


def attid_equal(a1, a2):
    """Return True when *a1* and *a2* have the same low 32 bits.

    Both values are masked to 32 bits before the comparison, so a negative
    (signed) value and its unsigned 32-bit counterpart compare equal.
    """
    low32 = 0xffffffff
    left = a1 & low32
    right = a2 & low32
    return left == right


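class PassWordHashLDAPTests(PassWordHashTests):
    """Check stored password hashes by reading them back over the network.

    The user under test is added over LDAP and its supplementalCredentials
    are then fetched with a DRSUAPI replication request.  SERVER, USERNAME
    and PASSWORD are read from the environment.
    """

    def setUp(self):
        super(PassWordHashLDAPTests, self).setUp()

    def get_supplemental_creds_drs(self):
        """Fetch and unpack supplementalCredentials for the user under test.

        Issues a DsGetNCChanges (level 8) request with the
        DRSUAPI_EXOP_REPL_OBJ extended operation for the user's DN, finds
        the supplementalCredentials attribute in the first returned object,
        decrypts it with net.Net.replicate_decrypt and unpacks the blob.

        Relies on self.creds having been set by the calling test.

        Returns:
            The unpacked drsblobs.supplementalCredentialsBlob.

        Fails the test (instead of raising from ndr_unpack or an attribute
        lookup) when the reply carries no object, or the object carries no
        supplementalCredentials value.
        """
        # [seal] asks for an encrypted RPC channel; the reply carries
        # password material for the user.
        binding_str = "ncacn_ip_tcp:%s[seal]" % os.environ["SERVER"]
        dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
        drs = drsuapi.drsuapi(binding_str, self.get_loadparm(), self.creds)
        (drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs)

        req8 = drsuapi.DsGetNCChangesRequest8()

        null_guid = misc.GUID()
        req8.destination_dsa_guid          = null_guid
        req8.source_dsa_invocation_id      = null_guid
        req8.naming_context                = drsuapi.DsReplicaObjectIdentifier()
        req8.naming_context.dn             = dn

        # All-zero high water mark and no up-to-dateness vector.
        req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
        req8.highwatermark.tmp_highest_usn = 0
        req8.highwatermark.reserved_usn    = 0
        req8.highwatermark.highest_usn     = 0
        req8.uptodateness_vector           = None
        req8.replica_flags                 = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
                                              drsuapi.DRSUAPI_DRS_PER_SYNC |
                                              drsuapi.DRSUAPI_DRS_GET_ANC |
                                              drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
                                              drsuapi.DRSUAPI_DRS_WRIT_REP)
        # NOTE(review): the two limits below are fixed values taken as-is;
        # their origin is not visible in this file.
        req8.max_object_count         = 402
        req8.max_ndr_size             = 402116
        # Replicate the single object named by naming_context.dn.
        req8.extended_op              = drsuapi.DRSUAPI_EXOP_REPL_OBJ
        req8.fsmo_info                = 0
        req8.partial_attribute_set    = None
        req8.partial_attribute_set_ex = None
        req8.mapping_ctr.num_mappings = 0
        req8.mapping_ctr.mappings     = None
        (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)

        obj_item = ctr.first_object
        self.assertIsNotNone(
            obj_item,
            "DsGetNCChanges returned no object for %s" % dn)
        obj = obj_item.object

        sc_blob = None

        for i in range(obj.attribute_ctr.num_attributes):
            attr = obj.attribute_ctr.attributes[i]
            if not attid_equal(attr.attid,
                               drsuapi.DRSUAPI_ATTID_supplementalCredentials):
                continue

            # The value is read from attr after this call, so the
            # decryption is applied to attr itself.
            # NOTE(review): the meaning of the third argument (0) is not
            # visible here -- confirm against net.Net.replicate_decrypt.
            net_ctx = net.Net(self.creds)
            net_ctx.replicate_decrypt(drs, attr, 0)
            self.assertTrue(
                attr.value_ctr.values,
                "supplementalCredentials for %s has no values" % dn)
            sc_blob = attr.value_ctr.values[0].blob
            break

        self.assertIsNotNone(
            sc_blob,
            "supplementalCredentials not returned for %s" % dn)

        sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
        return sc

    def test_wDigest_supplementalCredentials(self):
        """Add the test user and verify its Primary:WDigest package."""
        # Credentials come from the environment; a missing variable raises
        # KeyError before anything is sent to the server.
        self.creds = Credentials()
        self.creds.set_username(os.environ["USERNAME"])
        self.creds.set_password(os.environ["PASSWORD"])
        self.creds.guess(self.lp)
        # NOTE(review): plain ldap:// URL.  Whether the LDAP session (over
        # which add_user presumably sets the user's password) is encrypted
        # depends on what the credentials and loadparm negotiate -- confirm.
        ldb = SamDB("ldap://" + os.environ["SERVER"],
                    credentials=self.creds,
                    lp=self.lp)

        self.add_user(ldb=ldb)

        sc = self.get_supplemental_creds_drs()

        (pos, package) = get_package(sc, "Primary:WDigest")
        self.assertIsNotNone(
            package,
            "Primary:WDigest package missing from supplementalCredentials")
        self.assertEqual("Primary:WDigest", package.name)

        # Check that the WDigest values are correct.
        # package.data is hex text; convert it to bytes before unpacking.
        digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
                             binascii.a2b_hex(package.data))
        self.check_wdigests(digests)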