def __init__(self, parser): CredentialsOptions.__init__(self, parser) self.no_pass2 = True self.add_option("--simple-bind-dn2", metavar="DN2", action="callback", callback=self._set_simple_bind_dn2, type=str, help="DN to use for a simple bind") self.add_option("--password2", metavar="PASSWORD2", action="callback", help="Password", type=str, callback=self._set_password2) self.add_option("--username2", metavar="USERNAME2", action="callback", type=str, help="Username for second server", callback=self._parse_username2) self.add_option("--workgroup2", metavar="WORKGROUP2", action="callback", type=str, help="Workgroup for second server", callback=self._parse_workgroup2) self.add_option("--no-pass2", action="store_true", help="Don't ask for a password for the second server") self.add_option("--kerberos2", metavar="KERBEROS2", action="callback", type=str, help="Use Kerberos", callback=self._set_kerberos2) self.creds2 = Credentials()
def __init__(self, parser, special_name=None): self.special_name = special_name if special_name is not None: self.section = "Credentials Options (%s)" % special_name else: self.section = "Credentials Options" self.ask_for_password = True self.ipaddress = None self.machine_pass = False optparse.OptionGroup.__init__(self, parser, self.section) self._add_option("--simple-bind-dn", metavar="DN", action="callback", callback=self._set_simple_bind_dn, type=str, help="DN to use for a simple bind") self._add_option("--password", metavar="PASSWORD", action="callback", help="Password", type=str, callback=self._set_password) self._add_option("-U", "--username", metavar="USERNAME", action="callback", type=str, help="Username", callback=self._parse_username) self._add_option("-W", "--workgroup", metavar="WORKGROUP", action="callback", type=str, help="Workgroup", callback=self._parse_workgroup) self._add_option("-N", "--no-pass", action="callback", help="Don't ask for a password", callback=self._set_no_password) self._add_option("-k", "--kerberos", metavar="KERBEROS", action="callback", type=str, help="Use Kerberos", callback=self._set_kerberos) self._add_option("", "--ipaddress", metavar="IPADDRESS", action="callback", type=str, help="IP address of server", callback=self._set_ipaddress) self._add_option("-P", "--machine-pass", action="callback", help="Use stored machine account password", callback=self._set_machine_pass) self.creds = Credentials()
def setUp(self): super(DrsRodcTestCase, self).setUp() self.base_dn = self.ldb_dc1.get_default_basedn() rand = random.randint(1, 10000000) self.ou = "OU=test_drs_rodc%s,%s" % (rand, self.base_dn) self.ldb_dc1.add({"dn": self.ou, "objectclass": "organizationalUnit"}) self.allowed_group = "CN=Allowed RODC Password Replication Group,CN=Users,%s" % self.base_dn self.site = self.ldb_dc1.server_site_name() self.rodc_name = "TESTRODCDRS%s" % rand self.rodc_pass = "******" self.computer_dn = "CN=%s,OU=Domain Controllers,%s" % (self.rodc_name, self.base_dn) self.rodc_ctx = dc_join(server=self.ldb_dc1.host_dns_name(), creds=self.get_credentials(), lp=self.get_loadparm(), site=self.site, netbios_name=self.rodc_name, targetdir=None, domain=None, machinepass=self.rodc_pass) self._create_rodc(self.rodc_ctx) self.rodc_ctx.create_tmp_samdb() self.tmp_samdb = self.rodc_ctx.tmp_samdb rodc_creds = Credentials() rodc_creds.guess(self.rodc_ctx.lp) rodc_creds.set_username(self.rodc_name + '$') rodc_creds.set_password(self.rodc_pass) self.rodc_creds = rodc_creds (self.drs, self.drs_handle) = self._ds_bind(self.dnsname_dc1) (self.rodc_drs, self.rodc_drs_handle) = self._ds_bind(self.dnsname_dc1, rodc_creds)
def create_user_account(self): self.user_pass = samba.generate_random_password(32, 32) self.user_name = USER_NAME self.user_dn = "cn=%s,%s" % (self.user_name, self.ldb.domain_dn()) # remove the account if it exists, this will happen if a previous test # run failed delete_force(self.ldb, self.user_dn) utf16pw = ('"%s"' % get_string(self.user_pass)).encode('utf-16-le') self.ldb.add({ "dn": self.user_dn, "objectclass": "user", "sAMAccountName": "%s" % self.user_name, "userAccountControl": str(UF_NORMAL_ACCOUNT), "unicodePwd": utf16pw }) self.user_creds = Credentials() self.user_creds.guess(self.get_loadparm()) self.user_creds.set_password(self.user_pass) self.user_creds.set_username(self.user_name) self.user_creds.set_workstation(self.machine_name) pass
def create_machine_account(self): self.machine_pass = samba.generate_random_password(32, 32) self.machine_name = MACHINE_NAME self.machine_dn = "cn=%s,%s" % (self.machine_name, self.ldb.domain_dn()) # remove the account if it exists, this will happen if a previous test # run failed delete_force(self.ldb, self.machine_dn) # get unicode str for both py2 and py3 pass_unicode = self.machine_pass.encode('utf-8').decode('utf-8') utf16pw = u'"{}"'.format(pass_unicode).encode('utf-16-le') self.ldb.add({ "dn": self.machine_dn, "objectclass": "computer", "sAMAccountName": "%s$" % self.machine_name, "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), "unicodePwd": utf16pw}) self.machine_creds = Credentials() self.machine_creds.guess(self.get_loadparm()) self.machine_creds.set_password(self.machine_pass) self.machine_creds.set_username(self.machine_name + "$") self.machine_creds.set_workstation(self.machine_name)
def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=False, dns_backend=None, use_ntvfs=False): """Upgrade from samba3 database to samba4 AD database :param samba3: samba3 object :param logger: Logger object :param targetdir: samba4 database directory :param session_info: Session information """ serverrole = samba3.lp.server_role() domainname = samba3.lp.get("workgroup") realm = samba3.lp.get("realm") netbiosname = samba3.lp.get("netbios name") if samba3.lp.get("ldapsam:trusted") is None: samba3.lp.set("ldapsam:trusted", "yes") # secrets db try: secrets_db = samba3.get_secrets_db() except IOError as e: raise ProvisioningError( "Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?" % (samba3.privatedir_path("secrets.tdb"), str(e))) if not domainname: domainname = secrets_db.domains()[0] logger.warning( "No workgroup specified in smb.conf file, assuming '%s'", domainname) if not realm: if serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC": raise ProvisioningError( "No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create." ) else: realm = domainname.upper() logger.warning( "No realm specified in smb.conf file, assuming '%s'", realm) # Find machine account and password next_rid = 1000 try: machinepass = secrets_db.get_machine_password(netbiosname) except KeyError: machinepass = None if samba3.lp.get("passdb backend").split(":")[0].strip() == "ldapsam": base_dn = samba3.lp.get("ldap suffix") ldapuser = samba3.lp.get("ldap admin dn") ldappass = secrets_db.get_ldap_bind_pw(ldapuser) if ldappass is None: raise ProvisioningError( "ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation." ) ldappass = ldappass.decode('utf-8').strip('\x00') ldap = True else: ldapuser = None ldappass = None ldap = False # We must close the direct pytdb database before the C code loads it secrets_db.close() # Connect to old password backend passdb.set_secrets_dir(samba3.lp.get("private dir")) s3db = samba3.get_sam_db() # Get domain sid try: domainsid = passdb.get_global_sam_sid() except passdb.error: raise Exception("Can't find domain sid for '%s', Exiting." % domainname) # Get machine account, sid, rid try: machineacct = s3db.getsampwnam('%s$' % netbiosname) except passdb.error: machinerid = None machinesid = None else: machinesid, machinerid = machineacct.user_sid.split() # Export account policy logger.info("Exporting account policy") policy = s3db.get_account_policy() # Export groups from old passdb backend logger.info("Exporting groups") grouplist = s3db.enum_group_mapping() groupmembers = {} for group in grouplist: sid, rid = group.sid.split() if sid == domainsid: if rid >= next_rid: next_rid = rid + 1 # Get members for each group/alias if group.sid_name_use == lsa.SID_NAME_ALIAS: try: members = s3db.enum_aliasmem(group.sid) groupmembers[str(group.sid)] = members except passdb.error as e: logger.warn( "Ignoring group '%s' %s listed but then not found: %s", group.nt_name, group.sid, e) continue elif group.sid_name_use == lsa.SID_NAME_DOM_GRP: try: members = s3db.enum_group_members(group.sid) groupmembers[str(group.sid)] = members except passdb.error as e: logger.warn( "Ignoring group '%s' %s listed but then not found: %s", group.nt_name, group.sid, e) continue elif group.sid_name_use == lsa.SID_NAME_WKN_GRP: (group_dom_sid, rid) = group.sid.split() if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)): logger.warn( "Ignoring 'well known' group '%s' (should already be in AD, and have no members)", group.nt_name) continue # A number of buggy databases mix up well known groups and aliases. try: members = s3db.enum_aliasmem(group.sid) groupmembers[str(group.sid)] = members except passdb.error as e: logger.warn( "Ignoring group '%s' %s listed but then not found: %s", group.nt_name, group.sid, e) continue else: logger.warn("Ignoring group '%s' %s with sid_name_use=%d", group.nt_name, group.sid, group.sid_name_use) continue # Export users from old passdb backend logger.info("Exporting users") userlist = s3db.search_users(0) userdata = {} uids = {} admin_user = None for entry in userlist: if machinerid and machinerid == entry['rid']: continue username = entry['account_name'] if entry['rid'] < 1000: logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username) continue if entry['rid'] >= next_rid: next_rid = entry['rid'] + 1 user = s3db.getsampwnam(username) acct_type = (user.acct_ctrl & (samr.ACB_NORMAL | samr.ACB_WSTRUST | samr.ACB_SVRTRUST | samr.ACB_DOMTRUST)) if acct_type == samr.ACB_SVRTRUST: logger.warn( " Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'" % username[:-1]) user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST elif acct_type == samr.ACB_DOMTRUST: logger.warn( " Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1]) continue elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$': logger.warn( " Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username) continue elif acct_type == (samr.ACB_NORMAL | samr.ACB_WSTRUST) and username[-1] == '$': logger.warn( " Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username) user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL) elif acct_type == (samr.ACB_NORMAL | samr.ACB_SVRTRUST) and username[-1] == '$': logger.warn( " Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username) user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL) elif acct_type == 0 and username[-1] != '$': user.acct_ctrl = (user.acct_ctrl | samr.ACB_NORMAL) elif (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST): pass else: raise ProvisioningError( """Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X). Please fix this account before attempting to upgrade again """ % (username, user.acct_ctrl, samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST)) userdata[username] = user try: uids[username] = s3db.sid_to_id(user.user_sid)[0] except passdb.error: try: uids[username] = pwd.getpwnam(username).pw_uid except KeyError: pass if not admin_user and username.lower() == 'root': admin_user = username if username.lower() == 'administrator': admin_user = username try: group_memberships = s3db.enum_group_memberships(user) for group in group_memberships: if str(group) in groupmembers: if user.user_sid not in groupmembers[str(group)]: groupmembers[str(group)].append(user.user_sid) else: groupmembers[str(group)] = [user.user_sid] except passdb.error as e: logger.warn("Ignoring group memberships of '%s' %s: %s", username, user.user_sid, e) logger.info("Next rid = %d", next_rid) # Check for same username/groupname group_names = set([g.nt_name for g in grouplist]) user_names = set([u['account_name'] for u in userlist]) common_names = group_names.intersection(user_names) if common_names: logger.error("Following names are both user names and group names:") for name in common_names: logger.error(" %s" % name) raise ProvisioningError( "Please remove common user/group names before upgrade.") # Check for same user sid/group sid group_sids = set([str(g.sid) for g in grouplist]) if len(grouplist) != len(group_sids): raise ProvisioningError( "Please remove duplicate group sid entries before upgrade.") user_sids = set(["%s-%u" % (domainsid, u['rid']) for u in userlist]) if len(userlist) != len(user_sids): raise ProvisioningError( "Please remove duplicate user sid entries before upgrade.") common_sids = group_sids.intersection(user_sids) if common_sids: logger.error("Following sids are both user and group sids:") for sid in common_sids: logger.error(" %s" % str(sid)) raise ProvisioningError( "Please remove duplicate sid entries before upgrade.") # Get posix attributes from ldap or the os homes = {} shells = {} pgids = {} if ldap: creds = Credentials() creds.guess(samba3.lp) creds.set_bind_dn(ldapuser) creds.set_password(ldappass) urls = samba3.lp.get("passdb backend").split(":", 1)[1].strip('"') for url in urls.split(): try: ldb_object = Ldb(url, credentials=creds) except ldb.LdbError as e: raise ProvisioningError( "Could not open ldb connection to %s, the error message is: %s" % (url, e)) else: break logger.info("Exporting posix attributes") userlist = s3db.search_users(0) for entry in userlist: username = entry['account_name'] if username in uids.keys(): try: if ldap: homes[username] = get_posix_attr_from_ldap_backend( logger, ldb_object, base_dn, username, "homeDirectory") else: homes[username] = pwd.getpwnam(username).pw_dir except KeyError: pass except IndexError: pass try: if ldap: shells[username] = get_posix_attr_from_ldap_backend( logger, ldb_object, base_dn, username, "loginShell") else: shells[username] = pwd.getpwnam(username).pw_shell except KeyError: pass except IndexError: pass try: if ldap: pgids[username] = get_posix_attr_from_ldap_backend( logger, ldb_object, base_dn, username, "gidNumber") else: pgids[username] = pwd.getpwnam(username).pw_gid except KeyError: pass except IndexError: pass logger.info("Reading WINS database") samba3_winsdb = None try: samba3_winsdb = samba3.get_wins_db() except IOError as e: logger.warn('Cannot open wins database, Ignoring: %s', str(e)) if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"): dns_backend = "NONE" # If we found an admin user, set a fake pw that we will override. # This avoids us printing out an admin password that we won't actually # set. if admin_user: adminpass = generate_random_password(12, 32) else: adminpass = None # Do full provision result = provision(logger, session_info, targetdir=targetdir, realm=realm, domain=domainname, domainsid=domainsid, next_rid=next_rid, dc_rid=machinerid, adminpass=adminpass, dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003, hostname=netbiosname.lower(), machinepass=machinepass, serverrole=serverrole, samdb_fill=FILL_FULL, useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True, use_ntvfs=use_ntvfs, skip_sysvolacl=True) result.report_logger(logger) # Import WINS database logger.info("Importing WINS database") if samba3_winsdb: import_wins(Ldb(result.paths.winsdb), samba3_winsdb) # Set Account policy logger.info("Importing Account policy") import_sam_policy(result.samdb, policy, logger) # Migrate IDMAP database logger.info("Importing idmap database") import_idmap(result.idmap, samba3, logger) # Set the s3 context for samba4 configuration new_lp_ctx = s3param.get_context() new_lp_ctx.load(result.lp.configfile) new_lp_ctx.set("private dir", result.lp.get("private dir")) new_lp_ctx.set("state directory", result.lp.get("state directory")) new_lp_ctx.set("lock directory", result.lp.get("lock directory")) # Connect to samba4 backend s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend")) # Start a new transaction (should speed this up a little, due to index churn) result.samdb.transaction_start() logger.info("Adding groups") try: # Export groups to samba4 backend logger.info("Importing groups") for g in grouplist: # Ignore uninitialized groups (gid = -1) if g.gid != -1: add_group_from_mapping_entry(result.samdb, g, logger) add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger) add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger) except: # We need this, so that we do not give even more errors due to not cancelling the transaction result.samdb.transaction_cancel() raise logger.info("Committing 'add groups' transaction to disk") result.samdb.transaction_commit() logger.info("Adding users") # Export users to samba4 backend logger.info("Importing users") for username in userdata: if username.lower() == 'administrator': if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"): logger.error( "User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500"))) raise ProvisioningError( "User 'Administrator' in your existing directory does not have SID ending in -500" ) if username.lower() == 'root': if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"): logger.warn('User root has been replaced by Administrator') else: logger.warn( 'User root has been kept in the directory, it should be removed in favour of the Administrator user' ) s4_passdb.add_sam_account(userdata[username]) if username in uids: add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger) if (username in homes) and (homes[username] is not None) and \ (username in shells) and (shells[username] is not None) and \ (username in pgids) and (pgids[username] is not None): add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger) logger.info("Adding users to groups") # Start a new transaction (should speed this up a little, due to index churn) result.samdb.transaction_start() try: for g in grouplist: if str(g.sid) in groupmembers: add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger) except: # We need this, so that we do not give even more errors due to not cancelling the transaction result.samdb.transaction_cancel() raise logger.info("Committing 'add users to groups' transaction to disk") result.samdb.transaction_commit() # Set password for administrator if admin_user: logger.info("Setting password for administrator") admin_userdata = s4_passdb.getsampwnam("administrator") admin_userdata.nt_passwd = userdata[admin_user].nt_passwd if userdata[admin_user].lanman_passwd: admin_userdata.lanman_passwd = userdata[admin_user].lanman_passwd admin_userdata.pass_last_set_time = userdata[ admin_user].pass_last_set_time if userdata[admin_user].pw_history: admin_userdata.pw_history = userdata[admin_user].pw_history s4_passdb.update_sam_account(admin_userdata) logger.info( "Administrator password has been set to password of user '%s'", admin_user) if result.server_role == "active directory domain controller": setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol, result.paths.root_uid, result.paths.root_gid, security.dom_sid(result.domainsid), result.names.dnsdomain, result.names.domaindn, result.lp, use_ntvfs)
def test_get_ldbs(self): paths = get_paths(param, None, smb_conf_path) creds = Credentials() lp = env_loadparm() creds.guess(lp) get_ldbs(paths, creds, system_session(), lp)
def _load_samba_environment(retries): """Load the samba configuration vars from smb.conf and the sam.db.""" params = samba.param.LoadParm() params.load_default() netbiosname = params.get("netbios name") hostname = netbiosname.lower() dnsdomain = params.get("realm") dnsdomain = dnsdomain.lower() creds = Credentials() creds.guess(params) creds.set_machine_account(params) samdb_url = params.get('dcerpc_mapiproxy:samdb_url') if samdb_url is None: samdb_url = params.samdb_url() samdb_ldb = None backoff = 0.2 next_retry = 0 while samdb_ldb is None: try: samdb_ldb = SamDBWrapper(url=samdb_url, session_info=system_session(), credentials=creds, lp=params) except ldb.LdbError as ex: number, desc = ex if number == ldb.ERR_OPERATIONS_ERROR: # this is a cannot connect error if retries != 0: next_retry += 1 if next_retry > retries: logger.error( "Maximum samba connection retries reached (%i)" % retries) raise ex logger.warn( "Cannot connect to samba server. Backing off for %.2f seconds" % backoff) time.sleep(backoff) backoff *= 2 if backoff > 60: backoff = 60 else: raise ex domaindn = samdb_ldb.domain_dn() rootdn = domaindn configdn = "CN=Configuration," + rootdn firstorg = None firstorg_basedn = 'CN=Microsoft Exchange,CN=Services,' + configdn res = samdb_ldb.search( base=firstorg_basedn, scope=ldb.SCOPE_ONELEVEL, expression='(objectClass=msExchOrganizationContainer)', attrs=['cn']) if res: if len(res) > 1: logger.warn('More than one exchange organization found') firstorg = res[0]['cn'][0] if not firstorg: raise Exception( "Cannot find first exchange organization in samba database") firstou = None firstou_basedn = "CN=Administrative Groups,CN=%s,%s" % (firstorg, firstorg_basedn) res = samdb_ldb.search(base=firstou_basedn, scope=ldb.SCOPE_ONELEVEL, expression='(objectClass=msExchAdminGroup)', attrs=['cn']) if res: if len(res) > 1: logger.warn('More than one exchange administration group found') firstou = res[0]['cn'][0] if not firstou: raise Exception( "Cannot find exchange first organization unit in samba database") username_mail = False if params.get("auth:usernames are emails") == 'yes': username_mail = True sam_environ = {"samdb_ldb": samdb_ldb, "private_dir": params.get("private dir"), "domaindn": domaindn, "oc_user_basedn": "CN=%s,CN=%s,CN=%s,%s" \ % (firstou, firstorg, netbiosname, domaindn), "firstorgdn": ("CN=%s,CN=Microsoft Exchange,CN=Services,%s" % (firstorg, configdn)), "legacyserverdn": ("/o=%s/ou=%s/cn=Configuration/cn=Servers" "/cn=%s" % (firstorg, firstou, netbiosname)), "hostname": hostname, "dnsdomain": dnsdomain, 'username_mail': username_mail, } return sam_environ
def setUp(self): super(KCCMultisiteLdifTests, self).setUp() self.lp = LoadParm() self.creds = Credentials() self.creds.guess(self.lp)
def setUp(self): super(PasswordTests, self).setUp() self.ldb = SamDB(url=host, session_info=system_session(lp), credentials=creds, lp=lp) # Gets back the basedn base_dn = self.ldb.domain_dn() # Gets back the configuration basedn configuration_dn = self.ldb.get_config_basedn().get_linearized() # Get the old "dSHeuristics" if it was set dsheuristics = self.ldb.get_dsheuristics() # Set the "dSHeuristics" to activate the correct "userPassword" behaviour self.ldb.set_dsheuristics("000000001") # Reset the "dSHeuristics" as they were before self.addCleanup(self.ldb.set_dsheuristics, dsheuristics) # Get the old "minPwdAge" minPwdAge = self.ldb.get_minPwdAge() # Set it temporarily to "0" self.ldb.set_minPwdAge("0") self.base_dn = self.ldb.domain_dn() # Reset the "minPwdAge" as it was before self.addCleanup(self.ldb.set_minPwdAge, minPwdAge) # (Re)adds the test user "testuser" with no password atm delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn) self.ldb.add({ "dn": "cn=testuser,cn=users," + self.base_dn, "objectclass": "user", "sAMAccountName": "testuser"}) # Tests a password change when we don't have any password yet with a # wrong old password try: self.ldb.modify_ldif(""" dn: cn=testuser,cn=users,""" + self.base_dn + """ changetype: modify delete: userPassword userPassword: noPassword add: userPassword userPassword: thatsAcomplPASS2 """) self.fail() except LdbError as e: (num, msg) = e.args self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) # Windows (2008 at least) seems to have some small bug here: it # returns "0000056A" on longer (always wrong) previous passwords. self.assertTrue('00000056' in msg) # Sets the initial user password with a "special" password change # I think that this internally is a password set operation and it can # only be performed by someone which has password set privileges on the # account (at least in s4 we do handle it like that). self.ldb.modify_ldif(""" dn: cn=testuser,cn=users,""" + self.base_dn + """ changetype: modify delete: userPassword add: userPassword userPassword: thatsAcomplPASS1 """) # But in the other way around this special syntax doesn't work try: self.ldb.modify_ldif(""" dn: cn=testuser,cn=users,""" + self.base_dn + """ changetype: modify delete: userPassword userPassword: thatsAcomplPASS1 add: userPassword """) self.fail() except LdbError as e1: (num, _) = e1.args self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) # Enables the user account self.ldb.enable_account("(sAMAccountName=testuser)") # Open a second LDB connection with the user credentials. Use the # command line credentials for informations like the domain, the realm # and the workstation. creds2 = Credentials() creds2.set_username("testuser") creds2.set_password("thatsAcomplPASS1") creds2.set_domain(creds.get_domain()) creds2.set_realm(creds.get_realm()) creds2.set_workstation(creds.get_workstation()) creds2.set_gensec_features(creds2.get_gensec_features() | gensec.FEATURE_SEAL) self.ldb2 = SamDB(url=host, credentials=creds2, lp=lp)
def add_user(self, options=None, clear_text=False, ldb=None): # set any needed options if options is not None: for (option, value) in options: self.lp.set(option, value) if ldb is None: self.creds = Credentials() self.session = system_session() self.creds.guess(self.lp) self.session = system_session() self.ldb = SamDB(session_info=self.session, credentials=self.creds, lp=self.lp) else: self.ldb = ldb res = self.ldb.search(base=self.ldb.get_config_basedn(), expression="ncName=%s" % self.ldb.get_default_basedn(), attrs=["nETBIOSName"]) self.netbios_domain = res[0]["nETBIOSName"][0] self.dns_domain = self.ldb.domain_dns_name() # Gets back the basedn base_dn = self.ldb.domain_dn() # Gets back the configuration basedn configuration_dn = self.ldb.get_config_basedn().get_linearized() # Get the old "dSHeuristics" if it was set dsheuristics = self.ldb.get_dsheuristics() # Set the "dSHeuristics" to activate the correct "userPassword" # behaviour self.ldb.set_dsheuristics("000000001") # Reset the "dSHeuristics" as they were before self.addCleanup(self.ldb.set_dsheuristics, dsheuristics) # Get the old "minPwdAge" minPwdAge = self.ldb.get_minPwdAge() # Set it temporarily to "0" self.ldb.set_minPwdAge("0") self.base_dn = self.ldb.domain_dn() # Reset the "minPwdAge" as it was before self.addCleanup(self.ldb.set_minPwdAge, minPwdAge) account_control = 0 if clear_text: # get the current pwdProperties pwdProperties = self.ldb.get_pwdProperties() # enable clear text properties props = int(pwdProperties) props |= DOMAIN_PASSWORD_STORE_CLEARTEXT self.ldb.set_pwdProperties(str(props)) # Restore the value on exit. self.addCleanup(self.ldb.set_pwdProperties, pwdProperties) account_control |= UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED # (Re)adds the test user USER_NAME with password USER_PASS # and userPrincipalName UPN delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn) self.ldb.add({ "dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn, "objectclass": "user", "sAMAccountName": USER_NAME, "userPassword": USER_PASS, "userPrincipalName": UPN, "userAccountControl": str(account_control) })
def _test_update(self, mech, client_mech=None): """Test GENSEC by doing an exchange with ourselves using GSSAPI against a KDC""" """Start up a client and server GENSEC instance to test things with""" self.gensec_client = gensec.Security.start_client(self.settings) self.gensec_client.set_credentials(self.get_credentials()) self.gensec_client.want_feature(gensec.FEATURE_SEAL) if client_mech is not None: self.gensec_client.start_mech_by_name(client_mech) else: self.gensec_client.start_mech_by_sasl_name(mech) self.gensec_server = gensec.Security.start_server(settings=self.settings, auth_context=auth.AuthContext(lp_ctx=self.lp_ctx)) creds = Credentials() creds.guess(self.lp_ctx) creds.set_machine_account(self.lp_ctx) self.gensec_server.set_credentials(creds) self.gensec_server.want_feature(gensec.FEATURE_SEAL) self.gensec_server.start_mech_by_sasl_name(mech) client_finished = False server_finished = False server_to_client = b"" client_to_server = b"" """Run the actual call loop""" while True: if not client_finished: print("running client gensec_update") (client_finished, client_to_server) = self.gensec_client.update(server_to_client) if not server_finished: print("running server gensec_update") (server_finished, server_to_client) = self.gensec_server.update(client_to_server) if client_finished and server_finished: break self.assertTrue(server_finished) self.assertTrue(client_finished) session_info = self.gensec_server.session_info() test_bytes = b"Hello Server" try: test_wrapped = self.gensec_client.wrap(test_bytes) test_unwrapped = self.gensec_server.unwrap(test_wrapped) except samba.NTSTATUSError as e: self.fail(str(e)) self.assertEqual(test_bytes, test_unwrapped) test_bytes = b"Hello Client" test_wrapped = self.gensec_server.wrap(test_bytes) test_unwrapped = self.gensec_client.unwrap(test_wrapped) self.assertEqual(test_bytes, test_unwrapped) client_session_key = self.gensec_client.session_key() server_session_key = self.gensec_server.session_key() self.assertEqual(client_session_key, server_session_key)
def test_gp_motd(self): local_path = self.lp.cache_path('gpo_cache') guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' reg_pol = os.path.join(local_path, policies, guid, 'MACHINE/REGISTRY.POL') logger = logging.getLogger('gpo_tests') cache_dir = self.lp.get('cache directory') store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) machine_creds = Credentials() machine_creds.guess(self.lp) machine_creds.set_machine_account() # Initialize the group policy extension ext = gp_msgs_ext(logger, self.lp, machine_creds, store) ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds) if ads.connect(): gpos = ads.get_gpo_list(machine_creds.get_username()) # Stage the Registry.pol file with test data stage = preg.file() e1 = preg.entry() e1.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Messages' e1.valuename = b'motd' e1.type = 1 e1.data = b'Have a lot of fun!' stage.num_entries = 2 e2 = preg.entry() e2.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Messages' e2.valuename = b'issue' e2.type = 1 e2.data = b'Welcome to \\s \\r \\l' stage.entries = [e1, e2] ret = stage_file(reg_pol, ndr_pack(stage)) self.assertTrue(ret, 'Could not create the target %s' % reg_pol) # Process all gpos, with temp output directory with TemporaryDirectory() as dname: ext.process_group_policy([], gpos, dname) motd_file = os.path.join(dname, 'motd') self.assertTrue(os.path.exists(motd_file), 'Message of the day file not created') data = open(motd_file, 'r').read() self.assertEquals(data, e1.data, 'Message of the day not applied') issue_file = os.path.join(dname, 'issue') self.assertTrue(os.path.exists(issue_file), 'Login Prompt Message file not created') data = open(issue_file, 'r').read() self.assertEquals(data, e2.data, 'Login Prompt Message not applied') # Unapply policy, and ensure the test files are removed gp_db = store.get_gplog(machine_creds.get_username()) del_gpos = get_deleted_gpos_list(gp_db, []) ext.process_group_policy(del_gpos, [], dname) data = open(motd_file, 'r').read() self.assertFalse(data, 'Message of the day file not removed') data = open(issue_file, 'r').read() self.assertFalse(data, 'Login Prompt Message file not removed') # Unstage the Registry.pol file unstage_file(reg_pol)
def test_smb_conf_ext(self): local_path = self.lp.cache_path('gpo_cache') guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' reg_pol = os.path.join(local_path, policies, guid, 'MACHINE/REGISTRY.POL') logger = logging.getLogger('gpo_tests') cache_dir = self.lp.get('cache directory') store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) machine_creds = Credentials() machine_creds.guess(self.lp) machine_creds.set_machine_account() ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds) if ads.connect(): gpos = ads.get_gpo_list(machine_creds.get_username()) entries = [] e = preg.entry() e.keyname = 'Software\\Policies\\Samba\\smb_conf\\template homedir' e.type = 1 e.data = '/home/samba/%D/%U' e.valuename = 'template homedir' entries.append(e) e = preg.entry() e.keyname = 'Software\\Policies\\Samba\\smb_conf\\apply group policies' e.type = 4 e.data = 1 e.valuename = 'apply group policies' entries.append(e) e = preg.entry() e.keyname = 'Software\\Policies\\Samba\\smb_conf\\ldap timeout' e.type = 4 e.data = 9999 e.valuename = 'ldap timeout' entries.append(e) stage = preg.file() stage.num_entries = len(entries) stage.entries = entries ret = stage_file(reg_pol, ndr_pack(stage)) self.assertTrue(ret, 'Failed to create the Registry.pol file') with NamedTemporaryFile(suffix='_smb.conf') as f: copyfile(self.lp.configfile, f.name) lp = LoadParm(f.name) # Initialize the group policy extension ext = gp_smb_conf_ext(logger, lp, machine_creds, store) ext.process_group_policy([], gpos) lp = LoadParm(f.name) template_homedir = lp.get('template homedir') self.assertEquals(template_homedir, '/home/samba/%D/%U', 'template homedir was not applied') apply_group_policies = lp.get('apply group policies') self.assertTrue(apply_group_policies, 'apply group policies was not applied') ldap_timeout = lp.get('ldap timeout') self.assertEquals(ldap_timeout, 9999, 'ldap timeout was not applied') # Remove policy gp_db = store.get_gplog(machine_creds.get_username()) del_gpos = get_deleted_gpos_list(gp_db, []) ext.process_group_policy(del_gpos, []) lp = LoadParm(f.name) template_homedir = lp.get('template homedir') self.assertEquals(template_homedir, self.lp.get('template homedir'), 'template homedir was not unapplied') apply_group_policies = lp.get('apply group policies') self.assertEquals(apply_group_policies, self.lp.get('apply group policies'), 'apply group policies was not unapplied') ldap_timeout = lp.get('ldap timeout') self.assertEquals(ldap_timeout, self.lp.get('ldap timeout'), 'ldap timeout was not unapplied') # Unstage the Registry.pol file unstage_file(reg_pol)
def test_gp_unapply(self): logger = logging.getLogger('gpo_tests') cache_dir = self.lp.get('cache directory') local_path = self.lp.cache_path('gpo_cache') guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) machine_creds = Credentials() machine_creds.guess(self.lp) machine_creds.set_machine_account() ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds) if ads.connect(): gpos = ads.get_gpo_list(machine_creds.get_username()) gp_extensions = [] gp_extensions.append(gp_krb_ext) gp_extensions.append(gp_scripts_ext) gp_extensions.append(gp_sudoers_ext) # Create registry stage data reg_pol = os.path.join(local_path, policies, '%s/MACHINE/REGISTRY.POL') reg_stage = preg.file() e = preg.entry() e.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Daily Scripts' e.valuename = b'Software\\Policies\\Samba\\Unix Settings' e.type = 1 e.data = b'echo hello world' e2 = preg.entry() e2.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights' e2.valuename = b'Software\\Policies\\Samba\\Unix Settings' e2.type = 1 e2.data = b'fakeu ALL=(ALL) NOPASSWD: ALL' reg_stage.num_entries = 2 reg_stage.entries = [e, e2] # Create krb stage date gpofile = os.path.join(local_path, policies, '%s/MACHINE/MICROSOFT/' \ 'WINDOWS NT/SECEDIT/GPTTMPL.INF') krb_stage = '[Kerberos Policy]\nMaxTicketAge = 99\n' ret = stage_file(gpofile % guid, krb_stage) self.assertTrue(ret, 'Could not create the target %s' % (gpofile % guid)) ret = stage_file(reg_pol % guid, ndr_pack(reg_stage)) self.assertTrue(ret, 'Could not create the target %s' % (reg_pol % guid)) # Process all gpos, with temp output directory remove = [] with TemporaryDirectory() as dname: for ext in gp_extensions: ext = ext(logger, self.lp, machine_creds, store) if type(ext) == gp_krb_ext: ext.process_group_policy([], gpos) ret = store.get_int('kdc:user_ticket_lifetime') self.assertEqual(ret, 99, 'Kerberos policy was not set') elif type(ext) in [gp_scripts_ext, gp_sudoers_ext]: ext.process_group_policy([], gpos, dname) gp_db = store.get_gplog(machine_creds.get_username()) applied_settings = gp_db.get_applied_settings([guid]) for _, fname in applied_settings[-1][-1][str(ext)].items(): self.assertIn(dname, fname, 'Test file not created in tmp dir') self.assertTrue(os.path.exists(fname), 'Test file not created') remove.append(fname) # Unapply policy, and ensure policies are removed gpupdate_unapply(self.lp) for fname in remove: self.assertFalse(os.path.exists(fname), 'Unapply did not remove test file') ret = store.get_int('kdc:user_ticket_lifetime') self.assertNotEqual(ret, 99, 'Kerberos policy was not unapplied') unstage_file(gpofile % guid) unstage_file(reg_pol % guid)
def test_rsop(self): logger = logging.getLogger('gpo_tests') cache_dir = self.lp.get('cache directory') local_path = self.lp.cache_path('gpo_cache') store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) machine_creds = Credentials() machine_creds.guess(self.lp) machine_creds.set_machine_account() ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds) if ads.connect(): gpos = ads.get_gpo_list(machine_creds.get_username()) gp_extensions = [] gp_extensions.append(gp_krb_ext) gp_extensions.append(gp_scripts_ext) gp_extensions.append(gp_sudoers_ext) gp_extensions.append(gp_smb_conf_ext) gp_extensions.append(gp_msgs_ext) # Create registry stage data reg_pol = os.path.join(local_path, policies, '%s/MACHINE/REGISTRY.POL') reg_stage = preg.file() e = preg.entry() e.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Daily Scripts' e.valuename = b'Software\\Policies\\Samba\\Unix Settings' e.type = 1 e.data = b'echo hello world' e2 = preg.entry() e2.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights' e2.valuename = b'Software\\Policies\\Samba\\Unix Settings' e2.type = 1 e2.data = b'fakeu ALL=(ALL) NOPASSWD: ALL' e3 = preg.entry() e3.keyname = 'Software\\Policies\\Samba\\smb_conf\\apply group policies' e3.type = 4 e3.data = 1 e3.valuename = 'apply group policies' e4 = preg.entry() e4.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Messages' e4.valuename = b'issue' e4.type = 1 e4.data = b'Welcome to \\s \\r \\l' reg_stage.num_entries = 4 reg_stage.entries = [e, e2, e3, e4] # Create krb stage date gpofile = os.path.join(local_path, policies, '%s/MACHINE/MICROSOFT/' \ 'WINDOWS NT/SECEDIT/GPTTMPL.INF') krb_stage = '[Kerberos Policy]\nMaxTicketAge = 99\n' for g in [g for g in gpos if g.file_sys_path]: ret = stage_file(gpofile % g.name, krb_stage) self.assertTrue( ret, 'Could not create the target %s' % (gpofile % g.name)) ret = stage_file(reg_pol % g.name, ndr_pack(reg_stage)) self.assertTrue( ret, 'Could not create the target %s' % (reg_pol % g.name)) for ext in gp_extensions: ext = ext(logger, self.lp, machine_creds, store) ret = ext.rsop(g) self.assertEquals( len(ret.keys()), 1, 'A single policy should have been displayed') # Check the Security Extension if type(ext) == gp_krb_ext: self.assertIn('Kerberos Policy', ret.keys(), 'Kerberos Policy not found') self.assertIn('MaxTicketAge', ret['Kerberos Policy'], 'MaxTicketAge setting not found') self.assertEquals(ret['Kerberos Policy']['MaxTicketAge'], '99', 'MaxTicketAge was not set to 99') # Check the Scripts Extension elif type(ext) == gp_scripts_ext: self.assertIn('Daily Scripts', ret.keys(), 'Daily Scripts not found') self.assertIn('echo hello world', ret['Daily Scripts'], 'Daily script was not created') # Check the Sudoers Extension elif type(ext) == gp_sudoers_ext: self.assertIn('Sudo Rights', ret.keys(), 'Sudoers not found') self.assertIn('fakeu ALL=(ALL) NOPASSWD: ALL', ret['Sudo Rights'], 'Sudoers policy not created') # Check the smb.conf Extension elif type(ext) == gp_smb_conf_ext: self.assertIn('smb.conf', ret.keys(), 'apply group policies was not applied') self.assertIn(e3.valuename, ret['smb.conf'], 'apply group policies was not applied') self.assertEquals(ret['smb.conf'][e3.valuename], e3.data, 'apply group policies was not set') # Check the Messages Extension elif type(ext) == gp_msgs_ext: self.assertIn('/etc/issue', ret, 'Login Prompt Message not applied') self.assertEquals(ret['/etc/issue'], e4.data, 'Login Prompt Message not set') unstage_file(gpofile % g.name) unstage_file(reg_pol % g.name) # Check that a call to gpupdate --rsop also succeeds ret = rsop(self.lp) self.assertEquals(ret, 0, 'gpupdate --rsop failed!')
def test_gp_scripts(self): local_path = self.lp.cache_path('gpo_cache') guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' reg_pol = os.path.join(local_path, policies, guid, 'MACHINE/REGISTRY.POL') logger = logging.getLogger('gpo_tests') cache_dir = self.lp.get('cache directory') store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) machine_creds = Credentials() machine_creds.guess(self.lp) machine_creds.set_machine_account() # Initialize the group policy extension ext = gp_scripts_ext(logger, self.lp, machine_creds, store) ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds) if ads.connect(): gpos = ads.get_gpo_list(machine_creds.get_username()) reg_key = b'Software\\Policies\\Samba\\Unix Settings' sections = { b'%s\\Daily Scripts' % reg_key: '.cron.daily', b'%s\\Monthly Scripts' % reg_key: '.cron.monthly', b'%s\\Weekly Scripts' % reg_key: '.cron.weekly', b'%s\\Hourly Scripts' % reg_key: '.cron.hourly' } for keyname in sections.keys(): # Stage the Registry.pol file with test data stage = preg.file() e = preg.entry() e.keyname = keyname e.valuename = b'Software\\Policies\\Samba\\Unix Settings' e.type = 1 e.data = b'echo hello world' stage.num_entries = 1 stage.entries = [e] ret = stage_file(reg_pol, ndr_pack(stage)) self.assertTrue(ret, 'Could not create the target %s' % reg_pol) # Process all gpos, with temp output directory with TemporaryDirectory(sections[keyname]) as dname: ext.process_group_policy([], gpos, dname) scripts = os.listdir(dname) self.assertEquals( len(scripts), 1, 'The %s script was not created' % keyname.decode()) out, _ = Popen([os.path.join(dname, scripts[0])], stdout=PIPE).communicate() self.assertIn(b'hello world', out, '%s script execution failed' % keyname.decode()) # Remove policy gp_db = store.get_gplog(machine_creds.get_username()) del_gpos = get_deleted_gpos_list(gp_db, []) ext.process_group_policy(del_gpos, []) self.assertEquals(len(os.listdir(dname)), 0, 'Unapply failed to cleanup scripts') # Unstage the Registry.pol file unstage_file(reg_pol)
def setUp(self): super(DsdbFullScanTests, self).setUp() self.lp = samba.tests.env_loadparm() self.creds = Credentials() self.creds.guess(self.lp) self.session = system_session()
def init(self): from samba.provision import ProvisioningError # we will shortly start slapd with ldapi for final provisioning. first # check with ldapsearch -> rootDSE via self.ldap_uri if another # instance of slapd is already running try: ldapi_db = Ldb(self.ldap_uri) ldapi_db.search(base="", scope=SCOPE_BASE, expression="(objectClass=OpenLDAProotDSE)") try: f = open(self.slapd_pid, "r") except IOError as err: if err != errno.ENOENT: raise else: try: p = f.read() finally: f.close() self.logger.info( "Check for slapd process with PID: %s and terminate it manually." % p) raise SlapdAlreadyRunning(self.ldap_uri) except LdbError: # XXX: We should never be catching all Ldb errors pass # Try to print helpful messages when the user has not specified the # path to slapd if self.slapd_path is None: raise ProvisioningError( "Warning: LDAP-Backend must be setup with path to slapd, e.g. --slapd-path=\"/usr/local/libexec/slapd\"!" ) if not os.path.exists(self.slapd_path): self.logger.warning("Path (%s) to slapd does not exist!", self.slapd_path) if not os.path.isdir(self.ldapdir): os.makedirs(self.ldapdir, 0o700) # Put the LDIF of the schema into a database so we can search on # it to generate schema-dependent configurations in Fedora DS and # OpenLDAP schemadb_path = os.path.join(self.ldapdir, "schema-tmp.ldb") try: os.unlink(schemadb_path) except OSError: pass self.schema.write_to_tmp_ldb(schemadb_path) self.credentials = Credentials() self.credentials.guess(self.lp) # Kerberos to an ldapi:// backend makes no sense (we also force EXTERNAL) self.credentials.set_kerberos_state(DONT_USE_KERBEROS) self.credentials.set_username("samba-admin") self.credentials.set_password(self.ldapadminpass) self.credentials.set_forced_sasl_mech("EXTERNAL") self.provision()
def create_credential(lp, other): c = Credentials() c.guess(lp) c.set_gensec_features(other.get_gensec_features()) return c
def _test_samlogon(self, binding, creds, checkFunction): def isLastExpectedMessage(msg): return ( msg["type"] == "Authentication" and msg["Authentication"]["serviceDescription"] == "SamLogon" and msg["Authentication"]["authDescription"] == "network" and msg["Authentication"]["passwordType"] == "NTLMv2" and (msg["Authentication"]["eventId"] == EVT_ID_SUCCESSFUL_LOGON) and (msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK)) if binding: binding = "[schannel,%s]" % binding else: binding = "[schannel]" utf16pw = text_type('"' + self.machinepass + '"').encode('utf-16-le') self.ldb.add({ "dn": self.samlogon_dn, "objectclass": "computer", "sAMAccountName": "%s$" % self.netbios_name, "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), "unicodePwd": utf16pw}) machine_creds = Credentials() machine_creds.guess(self.get_loadparm()) machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) machine_creds.set_password(self.machinepass) machine_creds.set_username(self.netbios_name + "$") netlogon_conn = netlogon.netlogon("ncalrpc:%s" % binding, self.get_loadparm(), machine_creds) challenge = b"abcdefgh" target_info = ntlmssp.AV_PAIR_LIST() target_info.count = 3 domainname = ntlmssp.AV_PAIR() domainname.AvId = ntlmssp.MsvAvNbDomainName domainname.Value = self.domain computername = ntlmssp.AV_PAIR() computername.AvId = ntlmssp.MsvAvNbComputerName computername.Value = self.netbios_name eol = ntlmssp.AV_PAIR() eol.AvId = ntlmssp.MsvAvEOL target_info.pair = [domainname, computername, eol] target_info_blob = ndr_pack(target_info) response = creds.get_ntlm_response(flags=CLI_CRED_NTLMv2_AUTH, challenge=challenge, target_info=target_info_blob) netr_flags = 0 logon_level = netlogon.NetlogonNetworkTransitiveInformation logon = samba.dcerpc.netlogon.netr_NetworkInfo() logon.challenge = [x if isinstance(x,int) else ord(x) for x in challenge] logon.nt = netlogon.netr_ChallengeResponse() logon.nt.length = len(response["nt_response"]) logon.nt.data = [x if isinstance(x,int) else ord(x) for x in response["nt_response"]] logon.identity_info = samba.dcerpc.netlogon.netr_IdentityInfo() (username, domain) = creds.get_ntlm_username_domain() logon.identity_info.domain_name.string = domain logon.identity_info.account_name.string = username logon.identity_info.workstation.string = creds.get_workstation() validation_level = samba.dcerpc.netlogon.NetlogonValidationSamInfo4 result = netlogon_conn.netr_LogonSamLogonEx( os.environ["SERVER"], machine_creds.get_workstation(), logon_level, logon, validation_level, netr_flags) (validation, authoritative, netr_flags_out) = result messages = self.waitForMessages(isLastExpectedMessage, netlogon_conn) checkFunction(messages)
def test_msDSRevealedUsers_using_other_RODC(self): """ Ensure that the machine account is tied to the destination DSA. """ # Create a new identical RODC with just the first letter missing other_rodc_name = self.rodc_name[1:] other_rodc_ctx = DCJoinContext(server=self.ldb_dc1.host_dns_name(), creds=self.get_credentials(), lp=self.get_loadparm(), site=self.site, netbios_name=other_rodc_name, targetdir=None, domain=None, machinepass=self.rodc_pass) self._create_rodc(other_rodc_ctx) other_rodc_creds = Credentials() other_rodc_creds.guess(other_rodc_ctx.lp) other_rodc_creds.set_username(other_rodc_name + '$') other_rodc_creds.set_password(self.rodc_pass) (other_rodc_drs, other_rodc_drs_handle) = self._ds_bind(self.dnsname_dc1, other_rodc_creds) rand = random.randint(1, 10000000) expected_user_attributes = [drsuapi.DRSUAPI_ATTID_lmPwdHistory, drsuapi.DRSUAPI_ATTID_supplementalCredentials, drsuapi.DRSUAPI_ATTID_ntPwdHistory, drsuapi.DRSUAPI_ATTID_unicodePwd, drsuapi.DRSUAPI_ATTID_dBCSPwd] user_name = "test_rodcF_%s" % rand user_dn = "CN=%s,%s" % (user_name, self.ou) self.ldb_dc1.add({ "dn": user_dn, "objectclass": "user", "sAMAccountName": user_name }) # Store some secret on this user self.ldb_dc1.setpassword("(sAMAccountName=%s)" % user_name, 'penguin12#', False, user_name) self.ldb_dc1.add_remove_group_members("Allowed RODC Password Replication Group", [user_name], add_members_operation=True) req10 = self._getnc_req10(dest_dsa=str(other_rodc_ctx.ntds_guid), invocation_id=self.ldb_dc1.get_invocation_id(), nc_dn_str=user_dn, exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET, partial_attribute_set=drs_get_rodc_partial_attribute_set(self.ldb_dc1, self.tmp_samdb), max_objects=133, replica_flags=0) try: (level, ctr) = self.rodc_drs.DsGetNCChanges(self.rodc_drs_handle, 10, req10) self.fail("Successfully replicated secrets to an RODC that shouldn't have been replicated.") except WERRORError as e3: (enum, estr) = e3.args self.assertEqual(enum, 8630) # ERROR_DS_DRA_SECRETS_DENIED req10 = self._getnc_req10(dest_dsa=str(self.rodc_ctx.ntds_guid), invocation_id=self.ldb_dc1.get_invocation_id(), nc_dn_str=user_dn, exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET, partial_attribute_set=drs_get_rodc_partial_attribute_set(self.ldb_dc1, self.tmp_samdb), max_objects=133, replica_flags=0) try: (level, ctr) = other_rodc_drs.DsGetNCChanges(other_rodc_drs_handle, 10, req10) self.fail("Successfully replicated secrets to an RODC that shouldn't have been replicated.") except WERRORError as e4: (enum, estr) = e4.args self.assertEqual(enum, 8630) # ERROR_DS_DRA_SECRETS_DENIED
def test_modify_dsheuristics_userPassword(self): print("Performs testing about reading userPassword between dsHeuristic modifies") # Make sure userPassword cannot be read self.ldb.set_dsheuristics("000000000") # Open a new connection (with dsHeuristic=000000000) ldb1 = SamDB(url=host, session_info=system_session(lp), credentials=creds, lp=lp) # Set userPassword to be read # This setting only affects newer connections (ldb2) ldb1.set_dsheuristics("000000001") time.sleep(1) m = Message() m.dn = Dn(ldb1, "cn=testuser,cn=users," + self.base_dn) m["userPassword"] = MessageElement("thatsAcomplPASS1", FLAG_MOD_REPLACE, "userPassword") ldb1.modify(m) res = ldb1.search("cn=testuser,cn=users," + self.base_dn, scope=SCOPE_BASE, attrs=["userPassword"]) # userPassword cannot be read, despite the dsHeuristic setting self.assertTrue(len(res) == 1) self.assertFalse("userPassword" in res[0]) # Open another new connection (with dsHeuristic=000000001) ldb2 = SamDB(url=host, session_info=system_session(lp), credentials=creds, lp=lp) # Set userPassword to be unreadable # This setting does not affect this connection ldb2.set_dsheuristics("000000000") time.sleep(1) res = ldb2.search("cn=testuser,cn=users," + self.base_dn, scope=SCOPE_BASE, attrs=["userPassword"]) # Check that userPassword was not stored from ldb1 self.assertTrue(len(res) == 1) self.assertFalse("userPassword" in res[0]) m = Message() m.dn = Dn(ldb2, "cn=testuser,cn=users," + self.base_dn) m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE, "userPassword") ldb2.modify(m) res = ldb2.search("cn=testuser,cn=users," + self.base_dn, scope=SCOPE_BASE, attrs=["userPassword"]) # userPassword can be read in this connection # This is regardless of the current dsHeuristics setting self.assertTrue(len(res) == 1) self.assertTrue("userPassword" in res[0]) self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2") # Only password from ldb1 is the user's password creds2 = Credentials() creds2.set_username("testuser") creds2.set_password("thatsAcomplPASS1") creds2.set_domain(creds.get_domain()) creds2.set_realm(creds.get_realm()) creds2.set_workstation(creds.get_workstation()) creds2.set_gensec_features(creds2.get_gensec_features() | gensec.FEATURE_SEAL) try: SamDB(url=host, credentials=creds2, lp=lp) except: self.fail("testuser used the wrong password") ldb3 = SamDB(url=host, session_info=system_session(lp), credentials=creds, lp=lp) # Check that userPassword was stored from ldb2 res = ldb3.search("cn=testuser,cn=users," + self.base_dn, scope=SCOPE_BASE, attrs=["userPassword"]) # userPassword can be read self.assertTrue(len(res) == 1) self.assertTrue("userPassword" in res[0]) self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2") # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes) self.ldb.set_dsheuristics("000000001")
from samba import dsdb from samba.samdb import SamDB from samba.param import LoadParm from samba.auth import system_session from samba.credentials import Credentials if __name__ == '__main__': parser = OptionParser(usage='DN2base64Guid.py dn') (options, args) = parser.parse_args() if len(args) != 1: parser.print_help() sys.exit(2) dn = args[0] lp = LoadParm() creds = Credentials() creds.guess(lp) samdb = SamDB(url='/var/lib/samba/private/sam.ldb', session_info=system_session(), credentials=creds, lp=lp) domain_dn = samdb.domain_dn() res = samdb.search(dn, scope=ldb.SCOPE_BASE, attrs=["objectGuid"]) for msg in res: guid = msg.get("objectGuid", idx=0) print base64.encodestring(guid), sys.exit(0)
def setUp(self): super(LdifImportExportTests, self).setUp() self.lp = LoadParm() self.creds = Credentials() self.creds.guess(self.lp)
def list_dns(): from samba.dcerpc import dnsp, dnsserver server = '127.0.0.1' binding_str = 'ncacn_ip_tcp:%s[sign]' % server cred_data = open('/vapour/dnsquery').read().split(':') creds = Credentials() creds.guess(lp) creds.set_username(cred_data[0]) creds.set_password(cred_data[1].rstrip()) dns_conn = dnsserver.dnsserver(binding_str, lp, creds) zone = get_cur_domain() name = '@' record_type = dnsp.DNS_TYPE_ALL select_flags = dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA buflen, res = dns_conn.DnssrvEnumRecords2( dnsserver.DNS_CLIENT_VERSION_LONGHORN, 0, server, zone, name, None, record_type, select_flags, None, None) record_groups = res.rec result = [] for rec_group in record_groups: group_name = rec_group.dnsNodeName.str for rec in rec_group.records: if rec.wType == dnsp.DNS_TYPE_A: result.append({ 'group_name': group_name, 'type': 'A', 'value': rec.data }) elif rec.wType == dnsp.DNS_TYPE_AAAA: result.append({ 'group_name': group_name, 'type': 'AAAA', 'value': rec.data }) elif rec.wType == dnsp.DNS_TYPE_PTR: result.append({ 'group_name': group_name, 'type': 'PTR', 'value': rec.data.str }) elif rec.wType == dnsp.DNS_TYPE_NS: result.append({ 'group_name': group_name, 'type': 'NS', 'value': rec.data.str }) elif rec.wType == dnsp.DNS_TYPE_CNAME: result.append({ 'group_name': group_name, 'type': 'CNAME', 'value': rec.data.str }) elif rec.wType == dnsp.DNS_TYPE_SOA: result.append({ 'group_name': group_name, 'type': 'SOA', 'value': 'serial=%d, refresh=%d, retry=%d, expire=%d, minttl=%d, ns=%s, email=%s' % (rec.data.dwSerialNo, rec.data.dwRefresh, rec.data.dwRetry, rec.data.dwExpire, rec.data.dwMinimumTtl, rec.data.NamePrimaryServer.str, rec.data.ZoneAdministratorEmail.str) }) elif rec.wType == dnsp.DNS_TYPE_MX: result.append({ 'group_name': group_name, 'type': 'MX', 'value': '%s (%d)' % (rec.data.nameExchange.str, rec.data.wPreference) }) elif rec.wType == dnsp.DNS_TYPE_SRV: result.append({ 'group_name': group_name, 'type': 'SRV', 'value': '%s (%d, %d, %d)' % (rec.data.nameTarget, rec.data.wPort, rec.data.wPriority, rec.data.wWeight) }) elif rec.wType == dnsp.DNS_TYPE_TXT: slist = ['"%s"' % name.str for name in rec.data] result.append({ 'group_name': group_name, 'type': 'TXT', 'value': ','.join(slist) }) return result
def setUp(self): super(BasePasswordTestCase, self).setUp() self.global_creds.set_gensec_features( self.global_creds.get_gensec_features() | gensec.FEATURE_SEAL) self.template_creds = Credentials() self.template_creds.set_username("testuser") self.template_creds.set_password("thatsAcomplPASS1") self.template_creds.set_domain(self.global_creds.get_domain()) self.template_creds.set_realm(self.global_creds.get_realm()) self.template_creds.set_workstation( self.global_creds.get_workstation()) self.template_creds.set_gensec_features( self.global_creds.get_gensec_features()) self.template_creds.set_kerberos_state( self.global_creds.get_kerberos_state()) # Gets back the basedn base_dn = self.ldb.domain_dn() # Gets back the configuration basedn configuration_dn = self.ldb.get_config_basedn().get_linearized() res = self.ldb.search(base_dn, scope=SCOPE_BASE, attrs=[ "lockoutDuration", "lockOutObservationWindow", "lockoutThreshold" ]) if "lockoutDuration" in res[0]: lockoutDuration = res[0]["lockoutDuration"][0] else: lockoutDuration = 0 if "lockoutObservationWindow" in res[0]: lockoutObservationWindow = res[0]["lockoutObservationWindow"][0] else: lockoutObservationWindow = 0 if "lockoutThreshold" in res[0]: lockoutThreshold = res[0]["lockoutThreshold"][0] else: lockoutTreshold = 0 self.addCleanup( self.ldb.modify_ldif, """ dn: """ + base_dn + """ changetype: modify replace: lockoutDuration lockoutDuration: """ + str(lockoutDuration) + """ replace: lockoutObservationWindow lockoutObservationWindow: """ + str(lockoutObservationWindow) + """ replace: lockoutThreshold lockoutThreshold: """ + str(lockoutThreshold) + """ """) self.base_dn = self.ldb.domain_dn() # # Some test cases sleep() for self.account_lockout_duration # so allow it to be controlled via the subclass # if not hasattr(self, 'account_lockout_duration'): self.account_lockout_duration = 3 if not hasattr(self, 'lockout_observation_window'): self.lockout_observation_window = 3 self.update_lockout_settings( threshold=3, duration=self.account_lockout_duration, observation_window=self.lockout_observation_window) # update DC to allow password changes for the duration of this test self.allow_password_changes() self.domain_sid = security.dom_sid(self.ldb.get_domain_sid()) self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % self.host, self.lp, self.global_creds) self.samr_handle = self.samr.Connect2( None, security.SEC_FLAG_MAXIMUM_ALLOWED) self.samr_domain = self.samr.OpenDomain( self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid) self.addCleanup(self.delete_ldb_connections) # (Re)adds the test user accounts self.lockout1krb5_creds = self.insta_creds( self.template_creds, username="******", userpass="******", kerberos_state=MUST_USE_KERBEROS) self.lockout1krb5_ldb = self._readd_user(self.lockout1krb5_creds) self.lockout1ntlm_creds = self.insta_creds( self.template_creds, username="******", userpass="******", kerberos_state=DONT_USE_KERBEROS) self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)
def net_lookup(domain): global cldap_ret net = Net(Credentials()) cldap_ret = net.finddc(domain=domain, flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS))
def get_anon_creds(self): c = Credentials() c.set_anonymous() return c
def run(): param_samba = { 'basedn': config.get('samba', 'path'), 'pathsamdb': '%s/sam.ldb' % config.get('samba', 'private'), 'adbase': config.get('samba', 'base') } # SAMDB lp = LoadParm() creds = Credentials() creds.guess(lp) samdb_loc = SamDB(url=param_samba['pathsamdb'], session_info=system_session(), credentials=creds, lp=lp) testpawd = GetPasswordCommand() testpawd.lp = lp passwordattr = config.get('common', 'attr_password') allmail = {} # Search all users for user in samdb_loc.search( base=param_samba['adbase'], expression="(&(objectClass=user)(mail=*))", attrs=["mail", "sAMAccountName", "pwdLastSet"]): mail = str(user["mail"]) #replace mail if replace_domain in config if config.getboolean('common', 'replace_domain'): mail = mail.split('@')[0] + '@' + config.get('common', 'domain') pwdlastset = user.get('pwdLastSet', '') #add mail in all mail allmail[mail] = None if str(pwdlastset) != dict_mail_pwdlastset.get(mail, ''): Random.atfork() # Update if password different in dict mail pwdlastset password = testpawd.get_account_attributes( samdb_loc, None, param_samba['basedn'], filter="(sAMAccountName=%s)" % (str(user["sAMAccountName"])), scope=ldb.SCOPE_SUBTREE, attrs=[passwordattr], decrypt=False) if not passwordattr in password: continue password = str(password[passwordattr]) update_password(mail, password, pwdlastset) #delete user found in dict mail pwdlastset but not found in samba listdelete = [] for user in dict_mail_pwdlastset: if not user in allmail: listdelete.append(user) for user in listdelete: del dict_mail_pwdlastset[user] #write new json dict mail password if listdelete: open(filename, 'w').write(json.dumps(dict_mail_pwdlastset))