def _test_rpc_ncaclrpc(self, authTypes, binding, creds, protection,
checkFunction):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authorization"
and msg["Authorization"]["serviceDescription"] == "DCE/RPC"
and msg["Authorization"]["authType"] == authTypes[0] and
msg["Authorization"]["transportProtection"] == protection)
if binding:
binding = "[%s]" % binding
samr.samr("ncalrpc:%s" % binding, self.get_loadparm(), creds)
messages = self.waitForMessages(isLastExpectedMessage)
checkFunction(messages, authTypes, protection)
def test_setUserInfo2_Password(self, password='******'):
self.conn = samr.samr(self.remote_binding_string,
self.get_loadparm(),
self.remote_creds)
self.open_domain_handle()
self.open_user_handle()
password='******'
level = 24
info = samr.UserInfo24()
info.password_expired = 0
info.password = self.init_samr_CryptPassword(password, self.conn.session_key)
# If the server is in FIPS mode, it should reject the password change!
try:
self.conn.SetUserInfo2(self.user_handle, level, info)
except samba.NTSTATUSError as e:
code = ctypes.c_uint32(e.args[0]).value
print(code)
if ((code == ntstatus.NT_STATUS_ACCESS_DENIED) and
(self.lp.weak_crypto == 'disallowed')):
pass
else:
raise
def __auth_samr(self, lp, credentials):
""" SAMR Authentication
Keyword arguments:
lp -- samba configuration file loaded with param.LoadParm
credentials - Credentials object with the username, password, domain
and workstation values set
TODO: Check if user has Administration credentials. Probably something
to do with the uuid
"""
from samba.dcerpc import samr, security
auth_success = False
try:
pipe = samr.samr("ncalrpc:", lp, credentials)
connect_handle = pipe.Connect(None,
security.SEC_FLAG_MAXIMUM_ALLOWED)
#
# TODO Must find a better way!
#
session["samr_u"] = credentials.get_username()
session["samr_p"] = credentials.get_password()
except Exception, e:
self.__reason = str(e)
def __auth_samr(self, lp, credentials):
""" SAMR Authentication
Keyword arguments:
lp -- samba configuration file loaded with param.LoadParm
credentials - Credentials object with the username, password, domain
and workstation values set
TODO: Check if user has Administration credentials. Probably something
to do with the uuid
"""
from samba.dcerpc import samr, security
auth_success = False
try:
pipe = samr.samr("ncalrpc:", lp, credentials)
connect_handle = pipe.Connect(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
#
# TODO Must find a better way!
#
session["samr_u"] = credentials.get_username()
session["samr_p"] = credentials.get_password()
except Exception, e:
self.__reason = str(e)
def setUp(self):
super(UserAccountControlTests, self).setUp()
self.admin_creds = creds
self.admin_samdb = SamDB(url=ldaphost,
session_info=system_session(),
credentials=self.admin_creds, lp=lp)
self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid())
self.base_dn = self.admin_samdb.domain_dn()
self.unpriv_user = "******"
self.unpriv_user_pw = "samba123@"
self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw)
delete_force(self.admin_samdb, "CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
delete_force(self.admin_samdb, "OU=test_computer_ou1,%s" % (self.base_dn))
delete_force(self.admin_samdb, "CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn))
self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw)
res = self.admin_samdb.search("CN=%s,CN=Users,%s" % (self.unpriv_user, self.admin_samdb.domain_dn()),
scope=SCOPE_BASE,
attrs=["objectSid"])
self.assertEqual(1, len(res))
self.unpriv_user_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
self.unpriv_user_dn = res[0].dn
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp, self.unpriv_creds)
self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)
self.sd_utils = sd_utils.SDUtils(self.admin_samdb)
self.admin_samdb.create_ou("OU=test_computer_ou1," + self.base_dn)
self.unpriv_user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.unpriv_user_sid)
old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
self.add_computer_ldap("testcomputer-t")
self.sd_utils.modify_sd_on_dn("OU=test_computer_ou1," + self.base_dn, old_sd)
self.computernames = ["testcomputer-0"]
# Get the SD of the template account, then force it to match
# what we expect for SeMachineAccountPrivilege accounts, so we
# can confirm we created the accounts correctly
self.sd_reference_cc = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
self.sd_reference_modify = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
for ace in self.sd_reference_modify.dacl.aces:
if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and ace.trustee == self.unpriv_user_sid:
ace.access_mask = ace.access_mask | security.SEC_ADS_SELF_WRITE | security.SEC_ADS_WRITE_PROP
# Now reconnect without domain admin rights
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
def _test_rpc_ncaclrpc(self, authTypes, binding, creds,
protection, checkFunction):
def isLastExpectedMessage(msg):
return (
msg["type"] == "Authorization" and
msg["Authorization"]["serviceDescription"] == "DCE/RPC" and
msg["Authorization"]["authType"] == authTypes[0] and
msg["Authorization"]["transportProtection"] == protection)
if binding:
binding = "[%s]" % binding
samr.samr("ncalrpc:%s" % binding, self.get_loadparm(), creds)
messages = self.waitForMessages(isLastExpectedMessage)
checkFunction(messages, authTypes, protection)
def setUp(self):
super(UserAccountControlTests, self).setUp()
self.admin_creds = creds
self.admin_samdb = SamDB(url=ldaphost,
session_info=system_session(),
credentials=self.admin_creds, lp=lp)
self.domain_sid = security.dom_sid(self.admin_samdb.get_domain_sid())
self.base_dn = self.admin_samdb.domain_dn()
self.unpriv_user = "******"
self.unpriv_user_pw = "samba123@"
self.unpriv_creds = self.get_creds(self.unpriv_user, self.unpriv_user_pw)
delete_force(self.admin_samdb, "CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
delete_force(self.admin_samdb, "OU=test_computer_ou1,%s" % (self.base_dn))
delete_force(self.admin_samdb, "CN=%s,CN=Users,%s" % (self.unpriv_user, self.base_dn))
self.admin_samdb.newuser(self.unpriv_user, self.unpriv_user_pw)
res = self.admin_samdb.search("CN=%s,CN=Users,%s" % (self.unpriv_user, self.admin_samdb.domain_dn()),
scope=SCOPE_BASE,
attrs=["objectSid"])
self.assertEqual(1, len(res))
self.unpriv_user_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
self.unpriv_user_dn = res[0].dn
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp, self.unpriv_creds)
self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)
self.sd_utils = sd_utils.SDUtils(self.admin_samdb)
self.admin_samdb.create_ou("OU=test_computer_ou1," + self.base_dn)
self.unpriv_user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.unpriv_user_sid)
old_sd = self.sd_utils.read_sd_on_dn("OU=test_computer_ou1," + self.base_dn)
self.sd_utils.dacl_add_ace("OU=test_computer_ou1," + self.base_dn, mod)
self.add_computer_ldap("testcomputer-t")
self.sd_utils.modify_sd_on_dn("OU=test_computer_ou1," + self.base_dn, old_sd)
self.computernames = ["testcomputer-0"]
# Get the SD of the template account, then force it to match
# what we expect for SeMachineAccountPrivilege accounts, so we
# can confirm we created the accounts correctly
self.sd_reference_cc = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
self.sd_reference_modify = self.sd_utils.read_sd_on_dn("CN=testcomputer-t,OU=test_computer_ou1,%s" % (self.base_dn))
for ace in self.sd_reference_modify.dacl.aces:
if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and ace.trustee == self.unpriv_user_sid:
ace.access_mask = ace.access_mask | security.SEC_ADS_SELF_WRITE | security.SEC_ADS_WRITE_PROP
# Now reconnect without domain admin rights
self.samdb = SamDB(url=ldaphost, credentials=self.unpriv_creds, lp=lp)
def get_connection_obj(conf_file):
"""
Get the SAMR connection for the given conf file, via ncalrpc. Reuse cache
where possible.
"""
if conf_file not in CONNECTIONS:
CONNECTIONS[conf_file] = samr.samr('ncalrpc:', conf_file)
return CONNECTIONS[conf_file]
def _connect(self):
try:
self.LdapConn = samba.Ldb("ldap://%s" % self.server_address,lp=self.lp,credentials=self.creds)
self.samrpipe = samr.samr("ncalrpc:%s"% self.server_address, self.lp, credentials=self.creds)
#self.srvsvcpipe = srvsvc.srvsvc('ncalrpc:%s' % self.server_address,credentials=self.creds)
#self.connect_handle = self.samrpipe.Connect(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.connect_handle = self.samrpipe.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
except ldb.LdbError, (num, msg):
self.SetError(msg,num)
return False;
def setUp(self):
self.rodc_db = SamDB('ldap://%s' % RODC,
credentials=CREDS,
session_info=system_session(LP),
lp=LP)
self.rwdc_db = SamDB('ldap://%s' % RWDC,
credentials=CREDS,
session_info=system_session(LP),
lp=LP)
# Define variables for BasePasswordTestCase
self.lp = LP
self.global_creds = CREDS
self.host = RWDC
self.host_url = 'ldap://%s' % RWDC
self.ldb = SamDB(url='ldap://%s' % RWDC,
session_info=system_session(self.lp),
credentials=self.global_creds,
lp=self.lp)
super(RodcRwdcTests, self).setUp()
self.host = RODC
self.host_url = 'ldap://%s' % RODC
self.ldb = SamDB(url='ldap://%s' % RODC,
session_info=system_session(self.lp),
credentials=self.global_creds,
lp=self.lp)
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % self.host, self.lp,
self.global_creds)
self.samr_handle = self.samr.Connect2(
None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(
self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED,
self.domain_sid)
self.base_dn = self.rwdc_db.domain_dn()
root = self.rodc_db.search(base='',
scope=ldb.SCOPE_BASE,
attrs=['dsServiceName'])
self.service = root[0]['dsServiceName'][0]
self.tag = uuid.uuid4().hex
self.rwdc_dsheuristics = self.rwdc_db.get_dsheuristics()
self.rwdc_db.set_dsheuristics("000000001")
set_auto_replication(RWDC, False)
# make sure DCs are synchronized before the test
self.force_replication()
self.rwdc_dn = get_server_ref_from_samdb(self.rwdc_db)
self.rodc_dn = get_server_ref_from_samdb(self.rodc_db)
def __init__(self,username,password):
self.creds = credentials.Credentials()
self.creds.set_username(username)
self.creds.set_password(password)
self.creds.set_domain(self.WorkGroup)
self.creds.set_workstation("")
self.samdb = SamDB(url='ldap://%s' % self.server_address,session_info=system_session(), credentials=self.creds, lp=self.lp)
self.samrpipe = samr.samr("ncalrpc:%s"% self.server_address, self.lp, credentials=self.creds)
self.connect_handle = self.samrpipe.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self._GetDomainNames()
self._SetCurrentDomain(0)
def __init__(self, username, password):
self.creds = credentials.Credentials()
self.creds.set_username(username)
self.creds.set_password(password)
self.creds.set_domain(self.WorkGroup)
self.creds.set_workstation("")
self.samdb = SamDB(
url="ldap://%s" % self.server_address, session_info=system_session(), credentials=self.creds, lp=self.lp
)
self.samrpipe = samr.samr("ncalrpc:%s" % self.server_address, self.lp, credentials=self.creds)
self.connect_handle = self.samrpipe.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self._GetDomainNames()
self._SetCurrentDomain(0)
def _connect(self):
try:
self.creds = credentials.Credentials()
self.creds.set_username(self.username)
self.creds.set_password(self.password)
#self.creds.set_domain("SAMDOM")
self.creds.set_domain("")
self.creds.set_workstation("")
self.LdapConn = samba.Ldb("ldap://127.0.0.1",lp=self.lp,credentials=self.creds)
self.samrpipe = samr.samr("ncalrpc:", self.lp, self.creds)
self.connect_handle = self.samrpipe.Connect(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
except ldb.LdbError, (num, msg):
self.SetError(msg,num)
return False;
def _connect(self):
try:
self.creds = credentials.Credentials()
self.creds.set_username(self.username)
self.creds.set_password(self.password)
# self.creds.set_domain("SAMDOM")
self.creds.set_domain("")
self.creds.set_workstation("")
self.LdapConn = samba.Ldb("ldap://127.0.0.1", lp=self.lp, credentials=self.creds)
self.samrpipe = samr.samr("ncalrpc:", self.lp, self.creds)
self.connect_handle = self.samrpipe.Connect(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
except ldb.LdbError, (num, msg):
self.SetError(msg, num)
return False
def test_setUserInfo2_Password_Encrypted(self, password='******'):
self.remote_creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
self.conn = samr.samr(self.remote_binding_string,
self.get_loadparm(),
self.remote_creds)
self.open_domain_handle()
self.open_user_handle()
password='******'
level = 24
info = samr.UserInfo24()
info.password_expired = 0
info.password = self.init_samr_CryptPassword(password, self.conn.session_key)
self.conn.SetUserInfo2(self.user_handle, level, info)
def __init__(self, lp):
self.user_list = []
self.group_list = []
#
# TODO Must find a better way!
#
creds = credentials.Credentials()
creds.set_username(session["samr_u"])
creds.set_password(session["samr_p"])
creds.set_domain("")
if request.environ.has_key("REMOTE_HOST"):
creds.set_workstation(request.environ.get("REMOTE_HOST"));
else:
creds.set_workstation("")
self.pipe = samr.samr("ncalrpc:", credentials = creds)
self.connect_handle = self.pipe.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
def __init__(self, lp):
self.user_list = []
self.group_list = []
#
# TODO Must find a better way!
#
creds = credentials.Credentials()
creds.set_username(session["samr_u"])
creds.set_password(session["samr_p"])
creds.set_domain("")
if request.environ.has_key("REMOTE_HOST"):
creds.set_workstation(request.environ.get("REMOTE_HOST"))
else:
creds.set_workstation("")
self.pipe = samr.samr("ncalrpc:", credentials=creds)
self.connect_handle = self.pipe.Connect2(
None, security.SEC_FLAG_MAXIMUM_ALLOWED)
def __init__(self, server_address, transport_type, username, password):
self.user_list = []
self.group_list = []
creds = credentials.Credentials()
if (username.count("\\") > 0):
creds.set_domain(username.split("\\")[0])
creds.set_username(username.split("\\")[1])
elif (username.count("@") > 0):
creds.set_domain(username.split("@")[1])
creds.set_username(username.split("@")[0])
else:
creds.set_domain("")
creds.set_username(username)
creds.set_workstation("")
creds.set_password(password)
binding = ["ncacn_np:%s", "ncacn_ip_tcp:%s", "ncalrpc:%s"][transport_type]
self.pipe = samr.samr(binding % (server_address), credentials = creds)
self.connect_handle = self.pipe.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
def test_samr_change_password(self):
self.creds.set_kerberos_state(MUST_USE_KERBEROS)
conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
# we want to check whether this gets rejected outright because NTLM is
# disabled, so we don't actually need to encrypt a valid password here
server = lsa.String()
server.string = self.server
username = lsa.String()
username.string = os.getenv("USERNAME")
try:
conn.ChangePasswordUser2(server, username, None, None, True, None, None)
except NTSTATUSError as e:
# changing passwords should be rejected when NTLM is disabled
enum = ctypes.c_uint32(e[0]).value
if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
self.fail("NTLM is disabled on this server")
elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
# expected error case when NTLM is enabled
pass
else:
raise
domains = toArray(samr.EnumDomains(handle, 0, -1))
print "Found %d domains" % len(domains)
for idx, domain in domains:
print "\t%s (%d)" % (display_lsa_string(domain), idx)
for idx, domain in domains:
print "Testing domain %s" % display_lsa_string(domain)
sid = samr.LookupDomain(handle, domain)
dom_handle = test_OpenDomain(samr, handle, sid)
test_domain_ops(samr, dom_handle)
samr.Close(dom_handle)
if len(sys.argv) != 2:
print "Usage: samr.js <BINDING>"
sys.exit(1)
binding = sys.argv[1]
print "Connecting to %s" % binding
try:
samr = samr.samr(binding)
except Exception, e:
print "Failed to connect to %s: %s" % (binding, e.message)
sys.exit(1)
handle = test_Connect(samr)
test_EnumDomains(samr, handle)
samr.Close(handle)
print "All OK"
def setUp(self):
super(SamrTests, self).setUp()
self.conn = samr.samr("ncalrpc:", self.get_loadparm())
def setUp(self):
super(BasePasswordTestCase, self).setUp()
self.global_creds.set_gensec_features(self.global_creds.get_gensec_features() |
gensec.FEATURE_SEAL)
self.template_creds = Credentials()
self.template_creds.set_username("testuser")
self.template_creds.set_password("thatsAcomplPASS1")
self.template_creds.set_domain(self.global_creds.get_domain())
self.template_creds.set_realm(self.global_creds.get_realm())
self.template_creds.set_workstation(self.global_creds.get_workstation())
self.template_creds.set_gensec_features(self.global_creds.get_gensec_features())
self.template_creds.set_kerberos_state(self.global_creds.get_kerberos_state())
# Gets back the basedn
base_dn = self.ldb.domain_dn()
# Gets back the configuration basedn
configuration_dn = self.ldb.get_config_basedn().get_linearized()
res = self.ldb.search(base_dn,
scope=SCOPE_BASE, attrs=["lockoutDuration", "lockOutObservationWindow", "lockoutThreshold"])
if "lockoutDuration" in res[0]:
lockoutDuration = res[0]["lockoutDuration"][0]
else:
lockoutDuration = 0
if "lockoutObservationWindow" in res[0]:
lockoutObservationWindow = res[0]["lockoutObservationWindow"][0]
else:
lockoutObservationWindow = 0
if "lockoutThreshold" in res[0]:
lockoutThreshold = res[0]["lockoutThreshold"][0]
else:
lockoutTreshold = 0
self.addCleanup(self.ldb.modify_ldif, """
dn: """ + base_dn + """
changetype: modify
replace: lockoutDuration
lockoutDuration: """ + str(lockoutDuration) + """
replace: lockoutObservationWindow
lockoutObservationWindow: """ + str(lockoutObservationWindow) + """
replace: lockoutThreshold
lockoutThreshold: """ + str(lockoutThreshold) + """
""")
self.base_dn = self.ldb.domain_dn()
self.account_lockout_duration = 2
self.lockout_observation_window = 2
self.update_lockout_settings(threshold=3, duration=2,
observation_window=2)
# update DC to allow password changes for the duration of this test
self.allow_password_changes()
self.domain_sid = security.dom_sid(self.ldb.get_domain_sid())
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % self.host, self.lp, self.global_creds)
self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)
self.addCleanup(self.delete_ldb_connections)
# (Re)adds the test user accounts
self.lockout1krb5_creds = self.insta_creds(self.template_creds,
username="******",
userpass="******",
kerberos_state=MUST_USE_KERBEROS)
self.lockout1krb5_ldb = self._readd_user(self.lockout1krb5_creds)
self.lockout1ntlm_creds = self.insta_creds(self.template_creds,
username="******",
userpass="******",
kerberos_state=DONT_USE_KERBEROS)
self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)
domains = toArray(samr.EnumDomains(handle, 0, -1))
print "Found {0:d} domains".format(len(domains))
for idx, domain in domains:
print "\t{0!s} ({1:d})".format(display_lsa_string(domain), idx)
for idx, domain in domains:
print "Testing domain {0!s}".format(display_lsa_string(domain))
sid = samr.LookupDomain(handle, domain)
dom_handle = test_OpenDomain(samr, handle, sid)
test_domain_ops(samr, dom_handle)
samr.Close(dom_handle)
if len(sys.argv) != 2:
print "Usage: samr.js <BINDING>"
sys.exit(1)
binding = sys.argv[1]
print "Connecting to {0!s}".format(binding)
try:
samr = samr.samr(binding)
except Exception, e:
print "Failed to connect to {0!s}: {1!s}".format(binding, e.message)
sys.exit(1)
handle = test_Connect(samr)
test_EnumDomains(samr, handle)
samr.Close(handle)
print "All OK"
def setUp(self):
super(BasePasswordTestCase, self).setUp()
self.global_creds.set_gensec_features(
self.global_creds.get_gensec_features() | gensec.FEATURE_SEAL)
self.template_creds = Credentials()
self.template_creds.set_username("testuser")
self.template_creds.set_password("thatsAcomplPASS1")
self.template_creds.set_domain(self.global_creds.get_domain())
self.template_creds.set_realm(self.global_creds.get_realm())
self.template_creds.set_workstation(
self.global_creds.get_workstation())
self.template_creds.set_gensec_features(
self.global_creds.get_gensec_features())
self.template_creds.set_kerberos_state(
self.global_creds.get_kerberos_state())
# Gets back the basedn
base_dn = self.ldb.domain_dn()
# Gets back the configuration basedn
configuration_dn = self.ldb.get_config_basedn().get_linearized()
res = self.ldb.search(base_dn,
scope=SCOPE_BASE,
attrs=[
"lockoutDuration",
"lockOutObservationWindow",
"lockoutThreshold"
])
if "lockoutDuration" in res[0]:
lockoutDuration = res[0]["lockoutDuration"][0]
else:
lockoutDuration = 0
if "lockoutObservationWindow" in res[0]:
lockoutObservationWindow = res[0]["lockoutObservationWindow"][0]
else:
lockoutObservationWindow = 0
if "lockoutThreshold" in res[0]:
lockoutThreshold = res[0]["lockoutThreshold"][0]
else:
lockoutTreshold = 0
self.addCleanup(
self.ldb.modify_ldif, """
dn: """ + base_dn + """
changetype: modify
replace: lockoutDuration
lockoutDuration: """ + str(lockoutDuration) + """
replace: lockoutObservationWindow
lockoutObservationWindow: """ + str(lockoutObservationWindow) + """
replace: lockoutThreshold
lockoutThreshold: """ + str(lockoutThreshold) + """
""")
self.base_dn = self.ldb.domain_dn()
#
# Some test cases sleep() for self.account_lockout_duration
# so allow it to be controlled via the subclass
#
if not hasattr(self, 'account_lockout_duration'):
self.account_lockout_duration = 3
if not hasattr(self, 'lockout_observation_window'):
self.lockout_observation_window = 3
self.update_lockout_settings(
threshold=3,
duration=self.account_lockout_duration,
observation_window=self.lockout_observation_window)
# update DC to allow password changes for the duration of this test
self.allow_password_changes()
self.domain_sid = security.dom_sid(self.ldb.get_domain_sid())
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % self.host, self.lp,
self.global_creds)
self.samr_handle = self.samr.Connect2(
None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(
self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED,
self.domain_sid)
self.addCleanup(self.delete_ldb_connections)
# (Re)adds the test user accounts
self.lockout1krb5_creds = self.insta_creds(
self.template_creds,
username="******",
userpass="******",
kerberos_state=MUST_USE_KERBEROS)
self.lockout1krb5_ldb = self._readd_user(self.lockout1krb5_creds)
self.lockout1ntlm_creds = self.insta_creds(
self.template_creds,
username="******",
userpass="******",
kerberos_state=DONT_USE_KERBEROS)
self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)
def setUp(self):
super(SamrTests, self).setUp()
self.conn = samr.samr("ncalrpc:", self.get_loadparm())
def setUp(self):
self.conn = samr.samr("ncalrpc:", self.get_loadparm())
def setUp(self):
super(BasePasswordTestCase, self).setUp()
self.global_creds.set_gensec_features(self.global_creds.get_gensec_features() |
gensec.FEATURE_SEAL)
self.template_creds = Credentials()
self.template_creds.set_username("testuser")
self.template_creds.set_password("thatsAcomplPASS1")
self.template_creds.set_domain(self.global_creds.get_domain())
self.template_creds.set_realm(self.global_creds.get_realm())
self.template_creds.set_workstation(self.global_creds.get_workstation())
self.template_creds.set_gensec_features(self.global_creds.get_gensec_features())
self.template_creds.set_kerberos_state(self.global_creds.get_kerberos_state())
# Gets back the basedn
base_dn = self.ldb.domain_dn()
# Gets back the configuration basedn
configuration_dn = self.ldb.get_config_basedn().get_linearized()
# Get the old "dSHeuristics" if it was set
dsheuristics = self.ldb.get_dsheuristics()
# Reset the "dSHeuristics" as they were before
self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)
res = self.ldb.search(base_dn,
scope=SCOPE_BASE, attrs=["lockoutDuration", "lockOutObservationWindow", "lockoutThreshold"])
if "lockoutDuration" in res[0]:
lockoutDuration = res[0]["lockoutDuration"][0]
else:
lockoutDuration = 0
if "lockoutObservationWindow" in res[0]:
lockoutObservationWindow = res[0]["lockoutObservationWindow"][0]
else:
lockoutObservationWindow = 0
if "lockoutThreshold" in res[0]:
lockoutThreshold = res[0]["lockoutThreshold"][0]
else:
lockoutTreshold = 0
self.addCleanup(self.ldb.modify_ldif, """
dn: """ + base_dn + """
changetype: modify
replace: lockoutDuration
lockoutDuration: """ + str(lockoutDuration) + """
replace: lockoutObservationWindow
lockoutObservationWindow: """ + str(lockoutObservationWindow) + """
replace: lockoutThreshold
lockoutThreshold: """ + str(lockoutThreshold) + """
""")
m = Message()
m.dn = Dn(self.ldb, base_dn)
self.account_lockout_duration = 2
account_lockout_duration_ticks = -int(self.account_lockout_duration * (1e7))
m["lockoutDuration"] = MessageElement(str(account_lockout_duration_ticks),
FLAG_MOD_REPLACE, "lockoutDuration")
account_lockout_threshold = 3
m["lockoutThreshold"] = MessageElement(str(account_lockout_threshold),
FLAG_MOD_REPLACE, "lockoutThreshold")
self.lockout_observation_window = 2
lockout_observation_window_ticks = -int(self.lockout_observation_window * (1e7))
m["lockOutObservationWindow"] = MessageElement(str(lockout_observation_window_ticks),
FLAG_MOD_REPLACE, "lockOutObservationWindow")
self.ldb.modify(m)
# Set the "dSHeuristics" to activate the correct "userPassword" behaviour
self.ldb.set_dsheuristics("000000001")
# Get the old "minPwdAge"
minPwdAge = self.ldb.get_minPwdAge()
# Reset the "minPwdAge" as it was before
self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)
# Set it temporarely to "0"
self.ldb.set_minPwdAge("0")
self.base_dn = self.ldb.domain_dn()
self.domain_sid = security.dom_sid(self.ldb.get_domain_sid())
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % self.host, self.lp, self.global_creds)
self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)
self.addCleanup(self.delete_ldb_connections)
# (Re)adds the test user accounts
self.lockout1krb5_creds = self.insta_creds(self.template_creds,
username="******",
userpass="******",
kerberos_state=MUST_USE_KERBEROS)
self.lockout1krb5_ldb = self._readd_user(self.lockout1krb5_creds)
self.lockout1ntlm_creds = self.insta_creds(self.template_creds,
username="******",
userpass="******",
kerberos_state=DONT_USE_KERBEROS)
self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)
def setUp(self):
self.conn = samr.samr("ncalrpc:", self.get_loadparm())
creds = credopts.get_credentials(lp)
realm = lp.get('realm')
net = Net(creds)
cldap_ret = net.finddc(domain=realm,
flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
| nbt.NBT_SERVER_WRITABLE))
host = cldap_ret.pdc_dns_name
ldb = samdb.SamDB(url='ldap://%s' % host,
lp=lp,
credentials=creds,
session_info=system_session())
domain_sid = security.dom_sid(ldb.get_domain_sid())
s = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp, creds)
samr_handle = s.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
samr_domain = s.OpenDomain(samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED,
domain_sid)
try:
(rids, _) = s.LookupNames(samr_domain, [lsa.String(opts.name)])
except NTSTATUSError:
print('%s not found!' % opts.name)
exit(1)
samr_user = s.OpenUser(samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED,
rids.ids[0])
flags = samr.UserInfo16()
flags.acct_flags = samr.ACB_PWNOEXP | samr.ACB_WSTRUST
s.SetUserInfo2(samr_user, 16, flags)
def setUp(self):
super(SamrTests, self).setUp()
self.conn = samr.samr("ncalrpc:", self.get_loadparm())
self.open_samdb()
self.open_domain_handle()
import samba.dcerpc.lsa as lsa
import samba.dcerpc.samr as samr
import samba.dcerpc.winreg as winreg
domname = lsa.String()
domname.string = u'DOMAIN'
con = samr.samr('ncalrpc:', 'samba/etc/smb.conf')
h = con.Connect(0, 0xFFFFFFF)
sid = con.LookupDomain(h, domname)
print sid
con.Close(h)
from samba.tests import RpcInterfaceTestCase
class WinregTests(RpcInterfaceTestCase):
def setUp(self):
self.conn = winreg.winreg('ncalrpc:', self.get_loadparm(),
self.get_credentials())
def testhklm(self):
handle = self.conn.OpenHKLM(
None, winreg.KEY_QUERY_VALUE | winreg.KEY_ENUMERATE_SUB_KEYS)
self.conn.CloseKey(handle)
