def test_default_supplementalCredentials(self):
self.add_user()
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(4, size)
(pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(2, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(3, pos)
self.assertEquals("Packages", package.name)
(pos, package) = get_package(sc, "Primary:WDigest")
self.assertEquals(4, pos)
self.assertEquals("Primary:WDigest", package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(package.data))
self.check_wdigests(digests)
def test_default_supplementalCredentials(self):
self.add_user()
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(3, size)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(2, pos)
self.assertEquals("Packages", package.name)
(pos, package) = get_package(sc, "Primary:WDigest")
self.assertEquals(3, pos)
self.assertEquals("Primary:WDigest", package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(package.data))
self.check_wdigests(digests)
def test_userPassword_cleartext_sha512(self):
self.add_user(clear_text=True,
options=[("password hash userPassword schemes",
"CryptSHA512:rounds=10000")])
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(5, size)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, wd_package) = get_package(sc, "Primary:WDigest")
self.assertEquals(2, pos)
self.assertEquals("Primary:WDigest", wd_package.name)
(pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
self.assertEquals(3, pos)
self.assertEquals("Primary:CLEARTEXT", ct_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(4, pos)
self.assertEquals("Packages", package.name)
(pos, up_package) = get_package(sc, "Primary:userPassword")
self.assertEquals(5, pos)
self.assertEquals("Primary:userPassword", up_package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wd_package.data))
self.check_wdigests(digests)
# Check the clear text value is correct.
ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
binascii.a2b_hex(ct_package.data))
self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
# Check that the userPassword hashes are computed correctly
#
up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
binascii.a2b_hex(up_package.data))
self.checkUserPassword(up, [("{CRYPT}", "6",10000 )])
self.checkNtHash(USER_PASS, up.current_nt_hash.hash)
def test_userPassword_cleartext_sha512(self):
self.add_user(clear_text=True,
options=[("password hash userPassword schemes",
"CryptSHA512:rounds=10000")])
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(5, size)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, wd_package) = get_package(sc, "Primary:WDigest")
self.assertEquals(2, pos)
self.assertEquals("Primary:WDigest", wd_package.name)
(pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
self.assertEquals(3, pos)
self.assertEquals("Primary:CLEARTEXT", ct_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(4, pos)
self.assertEquals("Packages", package.name)
(pos, up_package) = get_package(sc, "Primary:userPassword")
self.assertEquals(5, pos)
self.assertEquals("Primary:userPassword", up_package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wd_package.data))
self.check_wdigests(digests)
# Check the clear text value is correct.
ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
binascii.a2b_hex(ct_package.data))
self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
# Check that the userPassword hashes are computed correctly
#
up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
binascii.a2b_hex(up_package.data))
self.checkUserPassword(up, [("{CRYPT}", "6", 10000)])
self.checkNtHash(USER_PASS, up.current_nt_hash.hash)
def assert_cleartext(self, expect_cleartext, password=None):
"""Checks cleartext is (or isn't) returned as expected"""
sc = self.get_supplemental_creds()
if expect_cleartext:
(pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
self.assertTrue(ct_package != None, "Failed to retrieve cleartext")
# Check the clear-text value is correct.
ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
binascii.a2b_hex(ct_package.data))
self.assertEquals(password.encode('utf-16-le'), ct.cleartext)
else:
ct_package = get_package(sc, "Primary:CLEARTEXT")
self.assertTrue(ct_package == None,
"Got cleartext when we shouldn't have")
def assert_cleartext(self, expect_cleartext, password=None):
"""Checks cleartext is (or isn't) returned as expected"""
sc = self.get_supplemental_creds()
if expect_cleartext:
(pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
self.assertTrue(ct_package != None, "Failed to retrieve cleartext")
# Check the clear-text value is correct.
ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
binascii.a2b_hex(ct_package.data))
self.assertEquals(password.encode('utf-16-le'), ct.cleartext)
else:
ct_package = get_package(sc, "Primary:CLEARTEXT")
self.assertTrue(ct_package == None,
"Got cleartext when we shouldn't have")
def test_userPassword_sha512(self):
self.add_user(options=[("password hash userPassword schemes",
"CryptSHA512")])
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(5, size)
(pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(2, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, wp_package) = get_package(sc, "Primary:WDigest")
self.assertEquals(3, pos)
self.assertEquals("Primary:WDigest", wp_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(4, pos)
self.assertEquals("Packages", package.name)
(pos, up_package) = get_package(sc, "Primary:userPassword")
self.assertEquals(5, pos)
self.assertEquals("Primary:userPassword", up_package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wp_package.data))
self.check_wdigests(digests)
# Check that the userPassword hashes are computed correctly
#
up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
binascii.a2b_hex(up_package.data))
self.checkUserPassword(up, [("{CRYPT}", "6", None)])
self.checkNtHash(USER_PASS, up.current_nt_hash.hash)
def test_userPassword_sha512(self):
self.add_user(options=[("password hash userPassword schemes",
"CryptSHA512")])
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(5, size)
(pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(2, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, wp_package) = get_package(sc, "Primary:WDigest")
self.assertEquals(3, pos)
self.assertEquals("Primary:WDigest", wp_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(4, pos)
self.assertEquals("Packages", package.name)
(pos, up_package) = get_package(sc, "Primary:userPassword")
self.assertEquals(5, pos)
self.assertEquals("Primary:userPassword", up_package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wp_package.data))
self.check_wdigests(digests)
# Check that the userPassword hashes are computed correctly
#
up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
binascii.a2b_hex(up_package.data))
self.checkUserPassword(up, [("{CRYPT}", "6",None)])
self.checkNtHash(USER_PASS, up.current_nt_hash.hash)
def test_supplementalCredentials_cleartext(self):
self.add_user(clear_text=True)
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(5, size)
(pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(2, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, wd_package) = get_package(sc, "Primary:WDigest")
self.assertEquals(3, pos)
self.assertEquals("Primary:WDigest", wd_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(4, pos)
self.assertEquals("Packages", package.name)
(pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
self.assertEquals(5, pos)
self.assertEquals("Primary:CLEARTEXT", ct_package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wd_package.data))
self.check_wdigests(digests)
# Check the clear text value is correct.
ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
binascii.a2b_hex(ct_package.data))
self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
def test_supplementalCredentials_cleartext(self):
self.add_user(clear_text=True)
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(5, size)
(pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(2, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, wd_package) = get_package(sc, "Primary:WDigest")
self.assertEquals(3, pos)
self.assertEquals("Primary:WDigest", wd_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(4, pos)
self.assertEquals("Packages", package.name)
(pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
self.assertEquals(5, pos)
self.assertEquals("Primary:CLEARTEXT", ct_package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wd_package.data))
self.check_wdigests(digests)
# Check the clear text value is correct.
ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
binascii.a2b_hex(ct_package.data))
self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
def test_default_supplementalCredentials(self):
self.add_user()
if not self.lp.get("password hash gpg key ids"):
self.skipTest("No password hash gpg key ids, " +
"Primary:SambaGPG will not be generated")
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(5, size)
(pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(2, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, wd_package) = get_package(sc, "Primary:WDigest")
self.assertEquals(3, pos)
self.assertEquals("Primary:WDigest", wd_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(4, pos)
self.assertEquals("Packages", package.name)
(pos, package) = get_package(sc, "Primary:SambaGPG")
self.assertEquals(5, pos)
self.assertEquals("Primary:SambaGPG", package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wd_package.data))
self.check_wdigests(digests)
def test_default_supplementalCredentials(self):
self.add_user()
if not self.lp.get("password hash gpg key ids"):
self.skipTest("No password hash gpg key ids, " +
"Primary:SambaGPG will not be generated");
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEquals(5, size)
(pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
self.assertEquals(1, pos)
self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEquals(2, pos)
self.assertEquals("Primary:Kerberos", package.name)
(pos, wd_package) = get_package(sc, "Primary:WDigest")
self.assertEquals(3, pos)
self.assertEquals("Primary:WDigest", wd_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEquals(4, pos)
self.assertEquals("Packages", package.name)
(pos, package) = get_package(sc, "Primary:SambaGPG")
self.assertEquals(5, pos)
self.assertEquals("Primary:SambaGPG", package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wd_package.data))
self.check_wdigests(digests)
def test_userPassword_multiple_hashes_rounds_specified(self):
self.add_user(options=[(
"password hash userPassword schemes",
"CryptSHA512:rounds=5120 CryptSHA256:rounds=2560 CryptSHA512:rounds=5122"
)])
sc = self.get_supplemental_creds()
# Check that we got all the expected supplemental credentials
# And they are in the expected order.
size = len(sc.sub.packages)
self.assertEqual(6, size)
(pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
self.assertEqual(1, pos)
self.assertEqual("Primary:Kerberos-Newer-Keys", package.name)
(pos, package) = get_package(sc, "Primary:Kerberos")
self.assertEqual(2, pos)
self.assertEqual("Primary:Kerberos", package.name)
(pos, wp_package) = get_package(sc, "Primary:WDigest")
self.assertEqual(3, pos)
self.assertEqual("Primary:WDigest", wp_package.name)
(pos, up_package) = get_package(sc, "Primary:userPassword")
self.assertEqual(4, pos)
self.assertEqual("Primary:userPassword", up_package.name)
(pos, package) = get_package(sc, "Packages")
self.assertEqual(5, pos)
self.assertEqual("Packages", package.name)
(pos, package) = get_package(sc, "Primary:SambaGPG")
self.assertEqual(6, pos)
self.assertEqual("Primary:SambaGPG", package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(wp_package.data))
self.check_wdigests(digests)
# Check that the userPassword hashes are computed correctly
# Expect three hashes to be calculated
up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
binascii.a2b_hex(up_package.data))
self.checkUserPassword(up, [("{CRYPT}", "6", 5120),
("{CRYPT}", "5", 2560),
("{CRYPT}", "6", 5122)])
self.checkNtHash(USER_PASS, up.current_nt_hash.hash)
def test_wDigest_supplementalCredentials(self):
self.creds = Credentials()
self.creds.set_username(os.environ["USERNAME"])
self.creds.set_password(os.environ["PASSWORD"])
self.creds.guess(self.lp)
ldb = SamDB("ldap://" + os.environ["SERVER"],
credentials=self.creds,
lp=self.lp)
self.add_user(ldb=ldb)
sc = self.get_supplemental_creds_drs()
(pos, package) = get_package(sc, "Primary:WDigest")
self.assertEquals("Primary:WDigest", package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(package.data))
self.check_wdigests(digests)
def test_wDigest_supplementalCredentials(self):
self.creds = Credentials()
self.creds.set_username(os.environ["USERNAME"])
self.creds.set_password(os.environ["PASSWORD"])
self.creds.guess(self.lp)
ldb = SamDB("ldap://" + os.environ["SERVER"],
credentials=self.creds,
lp=self.lp)
self.add_user(ldb=ldb)
sc = self.get_supplemental_creds_drs()
(pos, package) = get_package(sc, "Primary:WDigest")
self.assertEquals("Primary:WDigest", package.name)
# Check that the WDigest values are correct.
#
digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
binascii.a2b_hex(package.data))
self.check_wdigests(digests)
