1 files changed, 129 insertions, 0 deletions
diff --git a/python/samba/tests/password_hash_ldap.py b/python/samba/tests/password_hash_ldap.py
new file mode 100644
index 0000000..2657e75
--- /dev/null
+++ b/python/samba/tests/password_hash_ldap.py
@@ -0,0 +1,129 @@
+# Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+#
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""
+Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
+
+These tests are designed to also run against Windows to confirm the values
+returned from Windows.
+
+To run against Windows:
+Set the following environment variables:
+   PASSWORD=Administrator password
+   USERNAME=Administrator
+   SMB_CONF_PATH=/dev/null
+   PYTHONPATH=bin/python
+   SERVER=Windows server IP
+
+   /usr/bin/python source4/scripting/bin/subunitrun
+       samba.tests.password_hash_ldap.PassWordHashLDAPTests
+       -U"Administrator%adminpassword"
+"""
+
+from samba.tests.password_hash import (
+    PassWordHashTests,
+    get_package,
+    USER_NAME,
+)
+from samba.samdb import SamDB
+from samba.ndr import ndr_unpack
+from samba.dcerpc import drsblobs, drsuapi, misc
+from samba import drs_utils, net
+from samba.credentials import Credentials
+import binascii
+import os
+
+
+def attid_equal(a1, a2):
+    return (a1 & 0xffffffff) == (a2 & 0xffffffff)
+
+
+class PassWordHashLDAPTests(PassWordHashTests):
+
+    # Get the supplemental credentials for the user under test
+    def get_supplemental_creds_drs(self):
+        binding_str = "ncacn_ip_tcp:%s[seal]" % os.environ["SERVER"]
+        dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
+        drs = drsuapi.drsuapi(binding_str, self.get_loadparm(), self.creds)
+        (drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs)
+
+        req8 = drsuapi.DsGetNCChangesRequest8()
+
+        null_guid = misc.GUID()
+        req8.destination_dsa_guid          = null_guid
+        req8.source_dsa_invocation_id      = null_guid
+        req8.naming_context                = drsuapi.DsReplicaObjectIdentifier()
+        req8.naming_context.dn             = dn
+
+        req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
+        req8.highwatermark.tmp_highest_usn = 0
+        req8.highwatermark.reserved_usn    = 0
+        req8.highwatermark.highest_usn     = 0
+        req8.uptodateness_vector           = None
+        req8.replica_flags                 = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
+                                              drsuapi.DRSUAPI_DRS_PER_SYNC |
+                                              drsuapi.DRSUAPI_DRS_GET_ANC |
+                                              drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
+                                              drsuapi.DRSUAPI_DRS_WRIT_REP)
+        req8.max_object_count         = 402
+        req8.max_ndr_size             = 402116
+        req8.extended_op              = drsuapi.DRSUAPI_EXOP_REPL_OBJ
+        req8.fsmo_info                = 0
+        req8.partial_attribute_set    = None
+        req8.partial_attribute_set_ex = None
+        req8.mapping_ctr.num_mappings = 0
+        req8.mapping_ctr.mappings     = None
+        (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
+
+        obj_item = ctr.first_object
+        obj = obj_item.object
+
+        sc_blob = None
+
+        for i in range(0, obj.attribute_ctr.num_attributes):
+            attr = obj.attribute_ctr.attributes[i]
+            if attid_equal(attr.attid,
+                           drsuapi.DRSUAPI_ATTID_supplementalCredentials):
+                net_ctx = net.Net(self.creds)
+                net_ctx.replicate_decrypt(drs, attr, 0)
+                sc_blob = attr.value_ctr.values[0].blob
+
+        sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
+        return sc
+
+    def test_wDigest_supplementalCredentials(self):
+        self.creds = Credentials()
+        self.creds.set_username(os.environ["USERNAME"])
+        self.creds.set_password(os.environ["PASSWORD"])
+        self.creds.guess(self.lp)
+        ldb = SamDB("ldap://" + os.environ["SERVER"],
+                    credentials=self.creds,
+                    lp=self.lp)
+
+        self.add_user(ldb=ldb)
+
+        sc = self.get_supplemental_creds_drs()
+
+        (pos, package) = get_package(sc, "Primary:WDigest")
+        self.assertEqual("Primary:WDigest", package.name)
+
+        # Check that the WDigest values are correct.
+        #
+        digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
+                             binascii.a2b_hex(package.data))
+        self.check_wdigests(digests)