Commit 4e04f025 authored by Tim Beale's avatar Tim Beale Committed by Andrew Bartlett

selftest: Add test for password change when NTLM is disabled

When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923Signed-off-by: default avatarTim Beale <timbeale@catalyst.net.nz>
Reviewed-by: default avatarAndrew Bartlett <abartlet@samba.org>
Reviewed-by: default avatarGarming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
parent 4031b303
......@@ -19,13 +19,13 @@ from samba.tests import TestCase
import os
import samba
from samba.credentials import Credentials, DONT_USE_KERBEROS
from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
from samba import NTSTATUSError, ntstatus
import ctypes
from samba import credentials
from samba.dcerpc import srvsvc
from samba.dcerpc import srvsvc, samr, lsa
"""
Tests basic NTLM authentication
......@@ -37,24 +37,21 @@ class NtlmAuthTests(TestCase):
super(NtlmAuthTests, self).setUp()
self.lp = self.get_loadparm()
self.server = os.getenv("SERVER")
self.creds = Credentials()
self.creds.guess(self.lp)
self.creds.set_username(os.getenv("USERNAME"))
self.creds.set_domain(self.server)
self.creds.set_password(os.getenv("PASSWORD"))
self.creds.set_kerberos_state(DONT_USE_KERBEROS)
def tearDown(self):
super(NtlmAuthTests, self).tearDown()
def test_ntlm_connection(self):
server = os.getenv("SERVER")
creds = credentials.Credentials()
creds.guess(self.lp)
creds.set_username(os.getenv("USERNAME"))
creds.set_domain(server)
creds.set_password(os.getenv("PASSWORD"))
creds.set_kerberos_state(DONT_USE_KERBEROS)
try:
conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % server, self.lp, creds)
conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
self.assertIsNotNone(conn)
except NTSTATUSError as e:
......@@ -65,4 +62,27 @@ class NtlmAuthTests(TestCase):
else:
raise
def test_samr_change_password(self):
self.creds.set_kerberos_state(MUST_USE_KERBEROS)
conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
# we want to check whether this gets rejected outright because NTLM is
# disabled, so we don't actually need to encrypt a valid password here
server = lsa.String()
server.string = self.server
username = lsa.String()
username.string = os.getenv("USERNAME")
try:
conn.ChangePasswordUser2(server, username, None, None, True, None, None)
except NTSTATUSError as e:
# changing passwords is rejected when NTLM is disabled
enum = ctypes.c_uint32(e[0]).value
if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
self.fail("NTLM is disabled on this server")
elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
# expected error case when NTLM is enabled
pass
else:
raise
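Review bot: In test_samr_change_password the `try` has no `else:` branch, so if ChangePasswordUser2 returns without raising, the test passes without having checked anything. Adding `else:` followed by `self.fail("ChangePasswordUser2 unexpectedly succeeded without password buffers")` would make the NTLM-enabled case assert the NT_STATUS_WRONG_PASSWORD it says it expects. The `samr.samr(...)` call is given only the binding string, so the `self.creds.set_kerberos_state(MUST_USE_KERBEROS)` line above it has no visible effect on this connection. Either pass `self.lp, self.creds` or drop that line and add a comment that the bind is deliberately made without credentials, if that is the intent. `os.getenv("SERVER")` in the binding could be `self.server`, which setUp now provides.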
......@@ -342,3 +342,5 @@
^samba.tests.netlogonsvc.python\(fileserver\)
# NTLM authentication is (intentionally) disabled in ktest
^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\)
# Disabling NTLM means you can't use samr to change the password
^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\)
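Review bot: The new knownfail pattern for test_samr_change_password accepts a failure for any reason, so in ktest the run stays green whether the server answered NT_STATUS_NTLM_BLOCKED or the test broke earlier, for example while opening the samr connection, which sits outside the test's try block. This entry is the only check that a password change is rejected when NTLM is disabled, so the comment above it should state that limit: `# Expected to fail with NT_STATUS_NTLM_BLOCKED; knownfail cannot distinguish that from any other failure`. A test that asserts the blocked status directly in the NTLM-disabled environment would verify the control itself, though whether selftest exposes a way to tell the environments apart is not visible on this page.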