1 files changed, 216 insertions, 0 deletions

diff --git a/python/samba/tests/blackbox/bug13653.py b/python/samba/tests/blackbox/bug13653.py
new file mode 100644
index 0000000..215b9fc
--- /dev/null
+++ b/python/samba/tests/blackbox/bug13653.py
@@ -0,0 +1,216 @@
+# Black box tests verify bug 13653
+#
+# Copyright (C) Catalyst.Net Ltd'. 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""Blackbox test verifying bug 13653
+
+https://bugzilla.samba.org/show_bug.cgi?id=13653
+
+
+When creating a new user and specifying the local filepath of the sam.ldb DB,
+it's possible to create an account that you can't actually login with.
+
+This only happens if the DB is using encrypted secrets and you specify "ldb://"
+in the sam.ldb path, e.g. "-H ldb://st/ad_dc/private/sam.ldb".
+The user account will be created, but its secrets will not be encrypted.
+Attempts to login as the user will then be rejected due to invalid credentials.
+
+We think this may also cause replication/joins to break.
+
+You do get a warning about "No encrypted secrets key file" when this happens,
+although the reason behind this message is not obvious. Specifying a "tdb://"
+prefix, or not specifying a prefix, works fine.
+
+Example of the problem below using the ad_dc testenv.
+
+addc$ bin/samba-tool user create tdb-user pass12#
+      -H tdb://st/ad_dc/private/sam.ldb
+User 'tdb-user' created successfully
+
+# HERE: using the "ldb://" prefix generates a warning, but the user is still
+# created successfully.
+
+addc$ bin/samba-tool user create ldb-user pass12#
+      -H ldb://st/ad_dc/private/sam.ldb
+No encrypted secrets key file. Secret attributes will not be encrypted or
+decrypted
+
+User 'ldb-user' created successfully
+
+addc$ bin/samba-tool user create noprefix-user pass12#
+      -H st/ad_dc/private/sam.ldb
+User 'noprefix-user' created successfully
+
+addc$ bin/ldbsearch -H ldap://$SERVER -Utdb-user%pass12# '(cn=tdb-user)' dn
+# record 1
+dn: CN=tdb-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com
+
+# Referral
+ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
+     DC=example,DC=com
+
+# Referral
+ref: ldap://addom.samba.example.com/DC=DomainDnsZones,DC=addom,DC=samba,
+     DC=example,DC=com
+
+# Referral
+ref: ldap://addom.samba.example.com/DC=ForestDnsZones,DC=addom,DC=samba,
+     DC=example,DC=com
+
+# returned 4 records
+# 1 entries
+# 3 referrals
+
+# HERE: can't login as the user created with "ldb://" prefix
+
+addc$ bin/ldbsearch -H ldap://$SERVER -Uldb-user%pass12# '(cn=ldb-user)' dn
+Wrong username or password: kinit for ldb-user@ADDOM.SAMBA.EXAMPLE.COM failed
+(Client not found in Kerberos database)
+
+Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS
+               -  <8009030C: LdapErr: DSID-0C0904DC,
+                    comment: AcceptSecurityContext error, data 54e, v1db1> <>
+Failed to connect to 'ldap://addc' with backend
+    'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS
+            -  <8009030C: LdapErr: DSID-0C0904DC,
+               comment: AcceptSecurityContext error, data 54e, v1db1> <>
+Failed to connect to ldap://addc - LDAP error 49 LDAP_INVALID_CREDENTIALS
+    -  <8009030C: LdapErr: DSID-0C0904DC,
+       comment: AcceptSecurityContext error, data 54e, v1db1> <>
+addc$ bin/ldbsearch -H ldap://$SERVER -Unoprefix-user%pass12#
+      '(cn=noprefix-user)' dn
+# record 1
+dn: CN=noprefix-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com
+
+# Referral
+ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
+    DC=example,DC=com
+
+# Referral
+ref: ldap://addom.samba.example.com/DC=DomainDnsZones,DC=addom,DC=samba,
+     DC=example,DC=com
+
+# Referral
+ref: ldap://addom.samba.example.com/DC=ForestDnsZones,DC=addom,DC=samba,
+     DC=example,DC=com
+
+# returned 4 records
+# 1 entries
+# 3 referrals
+"""
+
+from samba.tests import (
+    BlackboxTestCase,
+    BlackboxProcessError,
+    delete_force,
+    env_loadparm)
+from samba.credentials import Credentials
+from samba.samdb import SamDB
+from samba.auth import system_session
+import os
+
+
+class Bug13653Tests(BlackboxTestCase):
+
+    # Open a local connection to the SamDB
+    # and load configuration from the OS environment.
+    def setUp(self):
+        super().setUp()
+        self.env = os.environ["TEST_ENV"]
+        self.server = os.environ["SERVER"]
+        self.prefix = os.environ["PREFIX_ABS"]
+        lp = env_loadparm()
+        creds = Credentials()
+        session = system_session()
+        creds.guess(lp)
+        self.ldb = SamDB(session_info=session,
+                         credentials=creds,
+                         lp=lp)
+
+    # Delete the user account created by the test case.
+    # The user name is in self.user
+    def tearDown(self):
+        super().tearDown()
+        try:
+            dn = "CN=%s,CN=Users,%s" % (self.user, self.ldb.domain_dn())
+            delete_force(self.ldb, dn)
+        except Exception as e:
+            # We ignore any exceptions deleting the user in tearDown
+            # this allows the known fail mechanism to work for this test
+            # so the test can be committed before the fix.
+            # otherwise this delete fails with
+            #   Error(11)  unpacking encrypted secret, data possibly corrupted
+            #   or altered
+            pass
+
+    # Delete the user account created by the test case.
+    # The user name is in self.user
+    def delete_user(self):
+        dn = "CN=%s,CN=Users,%s" % (self.user, self.ldb.domain_dn())
+        try:
+            delete_force(self.ldb, dn)
+        except Exception as e:
+            self.fail(str(e))
+
+    def _test_scheme(self, scheme):
+        """Ensure a user can be created by samba-tool with the supplied scheme
+           and that that user can logon."""
+
+        self.delete_user()
+
+        password = self.random_password()
+        db_path = "%s/%s/%s/private/sam.ldb" % (scheme, self.prefix, self.env)
+        try:
+            command =\
+                "samba-tool user create %s %s -H %s" % (
+                    self.user, password, db_path)
+            self.check_run(command)
+
+            ldbsearch = "ldbsearch"
+            if os.path.exists("bin/ldbsearch"):
+                ldbsearch = "bin/ldbsearch"
+            command =\
+                "%s -H ldap://%s/ -U%s%%%s '(cn=%s)' dn" % (
+                    ldbsearch, self.server, self.user, password, self.user)
+            self.check_run(command)
+        except BlackboxProcessError as e:
+            self.fail(str(e))
+
+    def test_tdb_scheme(self):
+        """Ensure a user can be created by samba-tool with the "tbd://" scheme
+           and that that user can logon."""
+
+        self.user = "TDB_USER"
+        self._test_scheme("tdb://")
+
+    def test_mdb_scheme(self):
+        """Ensure a user can be created by samba-tool with the "mdb://" scheme
+           and that that user can logon.
+
+           NOTE: this test is currently in knownfail.d/encrypted_secrets as
+                 sam.ldb is currently a tdb even if the lmdb backend is
+                 selected
+        """
+
+        self.user = "MDB_USER"
+        self._test_scheme("mdb://")
+
+    def test_ldb_scheme(self):
+        """Ensure a user can be created by samba-tool with the "ldb://" scheme
+           and that that user can logon."""
+
+        self.user = "LDB_USER"
+        self._test_scheme("ldb://")