python/samba/tests/password_hash_ldap.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

# Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
#
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

"""
Tests for source4/dsdb/samdb/ldb_modules/password_hash.c

These tests are designed to also run against Windows to confirm the values
returned from Windows.

To run against Windows:
Set the following environment variables:
   PASSWORD=Administrator password
   USERNAME=Administrator
   SMB_CONF_PATH=/dev/null
   PYTHONPATH=bin/python
   SERVER=Windows server IP

   /usr/bin/python source4/scripting/bin/subunitrun
       samba.tests.password_hash_ldap.PassWordHashLDAPTests
       -U"Administrator%adminpassword"
"""

from samba.tests.password_hash import (
    PassWordHashTests,
    get_package,
    USER_NAME,
)
from samba.samdb import SamDB
from samba.ndr import ndr_unpack
from samba.dcerpc import drsblobs, drsuapi, misc
from samba import drs_utils, net
from samba.credentials import Credentials
import binascii
import os


def attid_equal(a1, a2):
    return (a1 & 0xffffffff) == (a2 & 0xffffffff)


class PassWordHashLDAPTests(PassWordHashTests):

    # Get the supplemental credentials for the user under test
    def get_supplemental_creds_drs(self):
        binding_str = "ncacn_ip_tcp:%s[seal]" % os.environ["SERVER"]
        dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
        drs = drsuapi.drsuapi(binding_str, self.get_loadparm(), self.creds)
        (drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs)

        req8 = drsuapi.DsGetNCChangesRequest8()

        null_guid = misc.GUID()
        req8.destination_dsa_guid          = null_guid
        req8.source_dsa_invocation_id      = null_guid
        req8.naming_context                = drsuapi.DsReplicaObjectIdentifier()
        req8.naming_context.dn             = dn

        req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
        req8.highwatermark.tmp_highest_usn = 0
        req8.highwatermark.reserved_usn    = 0
        req8.highwatermark.highest_usn     = 0
        req8.uptodateness_vector           = None
        req8.replica_flags                 = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
                                              drsuapi.DRSUAPI_DRS_PER_SYNC |
                                              drsuapi.DRSUAPI_DRS_GET_ANC |
                                              drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
                                              drsuapi.DRSUAPI_DRS_WRIT_REP)
        req8.max_object_count         = 402
        req8.max_ndr_size             = 402116
        req8.extended_op              = drsuapi.DRSUAPI_EXOP_REPL_OBJ
        req8.fsmo_info                = 0
        req8.partial_attribute_set    = None
        req8.partial_attribute_set_ex = None
        req8.mapping_ctr.num_mappings = 0
        req8.mapping_ctr.mappings     = None
        (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)

        obj_item = ctr.first_object
        obj = obj_item.object

        sc_blob = None

        for i in range(0, obj.attribute_ctr.num_attributes):
            attr = obj.attribute_ctr.attributes[i]
            if attid_equal(attr.attid,
                           drsuapi.DRSUAPI_ATTID_supplementalCredentials):
                net_ctx = net.Net(self.creds)
                net_ctx.replicate_decrypt(drs, attr, 0)
                sc_blob = attr.value_ctr.values[0].blob

        sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
        return sc

    def test_wDigest_supplementalCredentials(self):
        self.creds = Credentials()
        self.creds.set_username(os.environ["USERNAME"])
        self.creds.set_password(os.environ["PASSWORD"])
        self.creds.guess(self.lp)
        ldb = SamDB("ldap://" + os.environ["SERVER"],
                    credentials=self.creds,
                    lp=self.lp)

        self.add_user(ldb=ldb)

        sc = self.get_supplemental_creds_drs()

        (pos, package) = get_package(sc, "Primary:WDigest")
        self.assertEqual("Primary:WDigest", package.name)

        # Check that the WDigest values are correct.
        #
        digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
                             binascii.a2b_hex(package.data))
        self.check_wdigests(digests)