def __init__(self, parser):
CredentialsOptions.__init__(self, parser)
self.no_pass2 = True
self.add_option("--simple-bind-dn2",
metavar="DN2",
action="callback",
callback=self._set_simple_bind_dn2,
type=str,
help="DN to use for a simple bind")
self.add_option("--password2",
metavar="PASSWORD2",
action="callback",
help="Password",
type=str,
callback=self._set_password2)
self.add_option("--username2",
metavar="USERNAME2",
action="callback",
type=str,
help="Username for second server",
callback=self._parse_username2)
self.add_option("--workgroup2",
metavar="WORKGROUP2",
action="callback",
type=str,
help="Workgroup for second server",
callback=self._parse_workgroup2)
self.add_option("--no-pass2",
action="store_true",
help="Don't ask for a password for the second server")
self.add_option("--kerberos2",
metavar="KERBEROS2",
action="callback",
type=str,
help="Use Kerberos",
callback=self._set_kerberos2)
self.creds2 = Credentials()
def __init__(self, parser, special_name=None):
self.special_name = special_name
if special_name is not None:
self.section = "Credentials Options (%s)" % special_name
else:
self.section = "Credentials Options"
self.ask_for_password = True
self.ipaddress = None
self.machine_pass = False
optparse.OptionGroup.__init__(self, parser, self.section)
self._add_option("--simple-bind-dn", metavar="DN", action="callback",
callback=self._set_simple_bind_dn, type=str,
help="DN to use for a simple bind")
self._add_option("--password", metavar="PASSWORD", action="callback",
help="Password", type=str, callback=self._set_password)
self._add_option("-U", "--username", metavar="USERNAME",
action="callback", type=str,
help="Username", callback=self._parse_username)
self._add_option("-W", "--workgroup", metavar="WORKGROUP",
action="callback", type=str,
help="Workgroup", callback=self._parse_workgroup)
self._add_option("-N", "--no-pass", action="callback",
help="Don't ask for a password",
callback=self._set_no_password)
self._add_option("-k", "--kerberos", metavar="KERBEROS",
action="callback", type=str,
help="Use Kerberos", callback=self._set_kerberos)
self._add_option("", "--ipaddress", metavar="IPADDRESS",
action="callback", type=str,
help="IP address of server",
callback=self._set_ipaddress)
self._add_option("-P", "--machine-pass",
action="callback",
help="Use stored machine account password",
callback=self._set_machine_pass)
self.creds = Credentials()
def setUp(self):
super(DrsRodcTestCase, self).setUp()
self.base_dn = self.ldb_dc1.get_default_basedn()
rand = random.randint(1, 10000000)
self.ou = "OU=test_drs_rodc%s,%s" % (rand, self.base_dn)
self.ldb_dc1.add({"dn": self.ou, "objectclass": "organizationalUnit"})
self.allowed_group = "CN=Allowed RODC Password Replication Group,CN=Users,%s" % self.base_dn
self.site = self.ldb_dc1.server_site_name()
self.rodc_name = "TESTRODCDRS%s" % rand
self.rodc_pass = "******"
self.computer_dn = "CN=%s,OU=Domain Controllers,%s" % (self.rodc_name,
self.base_dn)
self.rodc_ctx = dc_join(server=self.ldb_dc1.host_dns_name(),
creds=self.get_credentials(),
lp=self.get_loadparm(),
site=self.site,
netbios_name=self.rodc_name,
targetdir=None,
domain=None,
machinepass=self.rodc_pass)
self._create_rodc(self.rodc_ctx)
self.rodc_ctx.create_tmp_samdb()
self.tmp_samdb = self.rodc_ctx.tmp_samdb
rodc_creds = Credentials()
rodc_creds.guess(self.rodc_ctx.lp)
rodc_creds.set_username(self.rodc_name + '$')
rodc_creds.set_password(self.rodc_pass)
self.rodc_creds = rodc_creds
(self.drs, self.drs_handle) = self._ds_bind(self.dnsname_dc1)
(self.rodc_drs,
self.rodc_drs_handle) = self._ds_bind(self.dnsname_dc1, rodc_creds)
def create_user_account(self):
self.user_pass = samba.generate_random_password(32, 32)
self.user_name = USER_NAME
self.user_dn = "cn=%s,%s" % (self.user_name, self.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(self.ldb, self.user_dn)
utf16pw = ('"%s"' % get_string(self.user_pass)).encode('utf-16-le')
self.ldb.add({
"dn": self.user_dn,
"objectclass": "user",
"sAMAccountName": "%s" % self.user_name,
"userAccountControl": str(UF_NORMAL_ACCOUNT),
"unicodePwd": utf16pw
})
self.user_creds = Credentials()
self.user_creds.guess(self.get_loadparm())
self.user_creds.set_password(self.user_pass)
self.user_creds.set_username(self.user_name)
self.user_creds.set_workstation(self.machine_name)
pass
def create_machine_account(self):
self.machine_pass = samba.generate_random_password(32, 32)
self.machine_name = MACHINE_NAME
self.machine_dn = "cn=%s,%s" % (self.machine_name, self.ldb.domain_dn())
# remove the account if it exists, this will happen if a previous test
# run failed
delete_force(self.ldb, self.machine_dn)
# get unicode str for both py2 and py3
pass_unicode = self.machine_pass.encode('utf-8').decode('utf-8')
utf16pw = u'"{}"'.format(pass_unicode).encode('utf-16-le')
self.ldb.add({
"dn": self.machine_dn,
"objectclass": "computer",
"sAMAccountName": "%s$" % self.machine_name,
"userAccountControl":
str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
"unicodePwd": utf16pw})
self.machine_creds = Credentials()
self.machine_creds.guess(self.get_loadparm())
self.machine_creds.set_password(self.machine_pass)
self.machine_creds.set_username(self.machine_name + "$")
self.machine_creds.set_workstation(self.machine_name)
def upgrade_from_samba3(samba3,
logger,
targetdir,
session_info=None,
useeadb=False,
dns_backend=None,
use_ntvfs=False):
"""Upgrade from samba3 database to samba4 AD database
:param samba3: samba3 object
:param logger: Logger object
:param targetdir: samba4 database directory
:param session_info: Session information
"""
serverrole = samba3.lp.server_role()
domainname = samba3.lp.get("workgroup")
realm = samba3.lp.get("realm")
netbiosname = samba3.lp.get("netbios name")
if samba3.lp.get("ldapsam:trusted") is None:
samba3.lp.set("ldapsam:trusted", "yes")
# secrets db
try:
secrets_db = samba3.get_secrets_db()
except IOError as e:
raise ProvisioningError(
"Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?"
% (samba3.privatedir_path("secrets.tdb"), str(e)))
if not domainname:
domainname = secrets_db.domains()[0]
logger.warning(
"No workgroup specified in smb.conf file, assuming '%s'",
domainname)
if not realm:
if serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC":
raise ProvisioningError(
"No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create."
)
else:
realm = domainname.upper()
logger.warning(
"No realm specified in smb.conf file, assuming '%s'", realm)
# Find machine account and password
next_rid = 1000
try:
machinepass = secrets_db.get_machine_password(netbiosname)
except KeyError:
machinepass = None
if samba3.lp.get("passdb backend").split(":")[0].strip() == "ldapsam":
base_dn = samba3.lp.get("ldap suffix")
ldapuser = samba3.lp.get("ldap admin dn")
ldappass = secrets_db.get_ldap_bind_pw(ldapuser)
if ldappass is None:
raise ProvisioningError(
"ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation."
)
ldappass = ldappass.decode('utf-8').strip('\x00')
ldap = True
else:
ldapuser = None
ldappass = None
ldap = False
# We must close the direct pytdb database before the C code loads it
secrets_db.close()
# Connect to old password backend
passdb.set_secrets_dir(samba3.lp.get("private dir"))
s3db = samba3.get_sam_db()
# Get domain sid
try:
domainsid = passdb.get_global_sam_sid()
except passdb.error:
raise Exception("Can't find domain sid for '%s', Exiting." %
domainname)
# Get machine account, sid, rid
try:
machineacct = s3db.getsampwnam('%s$' % netbiosname)
except passdb.error:
machinerid = None
machinesid = None
else:
machinesid, machinerid = machineacct.user_sid.split()
# Export account policy
logger.info("Exporting account policy")
policy = s3db.get_account_policy()
# Export groups from old passdb backend
logger.info("Exporting groups")
grouplist = s3db.enum_group_mapping()
groupmembers = {}
for group in grouplist:
sid, rid = group.sid.split()
if sid == domainsid:
if rid >= next_rid:
next_rid = rid + 1
# Get members for each group/alias
if group.sid_name_use == lsa.SID_NAME_ALIAS:
try:
members = s3db.enum_aliasmem(group.sid)
groupmembers[str(group.sid)] = members
except passdb.error as e:
logger.warn(
"Ignoring group '%s' %s listed but then not found: %s",
group.nt_name, group.sid, e)
continue
elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
try:
members = s3db.enum_group_members(group.sid)
groupmembers[str(group.sid)] = members
except passdb.error as e:
logger.warn(
"Ignoring group '%s' %s listed but then not found: %s",
group.nt_name, group.sid, e)
continue
elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
(group_dom_sid, rid) = group.sid.split()
if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
logger.warn(
"Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
group.nt_name)
continue
# A number of buggy databases mix up well known groups and aliases.
try:
members = s3db.enum_aliasmem(group.sid)
groupmembers[str(group.sid)] = members
except passdb.error as e:
logger.warn(
"Ignoring group '%s' %s listed but then not found: %s",
group.nt_name, group.sid, e)
continue
else:
logger.warn("Ignoring group '%s' %s with sid_name_use=%d",
group.nt_name, group.sid, group.sid_name_use)
continue
# Export users from old passdb backend
logger.info("Exporting users")
userlist = s3db.search_users(0)
userdata = {}
uids = {}
admin_user = None
for entry in userlist:
if machinerid and machinerid == entry['rid']:
continue
username = entry['account_name']
if entry['rid'] < 1000:
logger.info(" Skipping wellknown rid=%d (for username=%s)",
entry['rid'], username)
continue
if entry['rid'] >= next_rid:
next_rid = entry['rid'] + 1
user = s3db.getsampwnam(username)
acct_type = (user.acct_ctrl &
(samr.ACB_NORMAL | samr.ACB_WSTRUST | samr.ACB_SVRTRUST
| samr.ACB_DOMTRUST))
if acct_type == samr.ACB_SVRTRUST:
logger.warn(
" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'"
% username[:-1])
user.acct_ctrl = (user.acct_ctrl
& ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
elif acct_type == samr.ACB_DOMTRUST:
logger.warn(
" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust"
% username[:-1])
continue
elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$':
logger.warn(
" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration."
% username)
continue
elif acct_type == (samr.ACB_NORMAL
| samr.ACB_WSTRUST) and username[-1] == '$':
logger.warn(
" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member"
% username)
user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
elif acct_type == (samr.ACB_NORMAL
| samr.ACB_SVRTRUST) and username[-1] == '$':
logger.warn(
" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member"
% username)
user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
elif acct_type == 0 and username[-1] != '$':
user.acct_ctrl = (user.acct_ctrl | samr.ACB_NORMAL)
elif (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST):
pass
else:
raise ProvisioningError(
"""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
Please fix this account before attempting to upgrade again
""" % (username, user.acct_ctrl, samr.ACB_NORMAL, samr.ACB_WSTRUST,
samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
userdata[username] = user
try:
uids[username] = s3db.sid_to_id(user.user_sid)[0]
except passdb.error:
try:
uids[username] = pwd.getpwnam(username).pw_uid
except KeyError:
pass
if not admin_user and username.lower() == 'root':
admin_user = username
if username.lower() == 'administrator':
admin_user = username
try:
group_memberships = s3db.enum_group_memberships(user)
for group in group_memberships:
if str(group) in groupmembers:
if user.user_sid not in groupmembers[str(group)]:
groupmembers[str(group)].append(user.user_sid)
else:
groupmembers[str(group)] = [user.user_sid]
except passdb.error as e:
logger.warn("Ignoring group memberships of '%s' %s: %s", username,
user.user_sid, e)
logger.info("Next rid = %d", next_rid)
# Check for same username/groupname
group_names = set([g.nt_name for g in grouplist])
user_names = set([u['account_name'] for u in userlist])
common_names = group_names.intersection(user_names)
if common_names:
logger.error("Following names are both user names and group names:")
for name in common_names:
logger.error(" %s" % name)
raise ProvisioningError(
"Please remove common user/group names before upgrade.")
# Check for same user sid/group sid
group_sids = set([str(g.sid) for g in grouplist])
if len(grouplist) != len(group_sids):
raise ProvisioningError(
"Please remove duplicate group sid entries before upgrade.")
user_sids = set(["%s-%u" % (domainsid, u['rid']) for u in userlist])
if len(userlist) != len(user_sids):
raise ProvisioningError(
"Please remove duplicate user sid entries before upgrade.")
common_sids = group_sids.intersection(user_sids)
if common_sids:
logger.error("Following sids are both user and group sids:")
for sid in common_sids:
logger.error(" %s" % str(sid))
raise ProvisioningError(
"Please remove duplicate sid entries before upgrade.")
# Get posix attributes from ldap or the os
homes = {}
shells = {}
pgids = {}
if ldap:
creds = Credentials()
creds.guess(samba3.lp)
creds.set_bind_dn(ldapuser)
creds.set_password(ldappass)
urls = samba3.lp.get("passdb backend").split(":", 1)[1].strip('"')
for url in urls.split():
try:
ldb_object = Ldb(url, credentials=creds)
except ldb.LdbError as e:
raise ProvisioningError(
"Could not open ldb connection to %s, the error message is: %s"
% (url, e))
else:
break
logger.info("Exporting posix attributes")
userlist = s3db.search_users(0)
for entry in userlist:
username = entry['account_name']
if username in uids.keys():
try:
if ldap:
homes[username] = get_posix_attr_from_ldap_backend(
logger, ldb_object, base_dn, username, "homeDirectory")
else:
homes[username] = pwd.getpwnam(username).pw_dir
except KeyError:
pass
except IndexError:
pass
try:
if ldap:
shells[username] = get_posix_attr_from_ldap_backend(
logger, ldb_object, base_dn, username, "loginShell")
else:
shells[username] = pwd.getpwnam(username).pw_shell
except KeyError:
pass
except IndexError:
pass
try:
if ldap:
pgids[username] = get_posix_attr_from_ldap_backend(
logger, ldb_object, base_dn, username, "gidNumber")
else:
pgids[username] = pwd.getpwnam(username).pw_gid
except KeyError:
pass
except IndexError:
pass
logger.info("Reading WINS database")
samba3_winsdb = None
try:
samba3_winsdb = samba3.get_wins_db()
except IOError as e:
logger.warn('Cannot open wins database, Ignoring: %s', str(e))
if not (serverrole == "ROLE_DOMAIN_BDC"
or serverrole == "ROLE_DOMAIN_PDC"):
dns_backend = "NONE"
# If we found an admin user, set a fake pw that we will override.
# This avoids us printing out an admin password that we won't actually
# set.
if admin_user:
adminpass = generate_random_password(12, 32)
else:
adminpass = None
# Do full provision
result = provision(logger,
session_info,
targetdir=targetdir,
realm=realm,
domain=domainname,
domainsid=domainsid,
next_rid=next_rid,
dc_rid=machinerid,
adminpass=adminpass,
dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
hostname=netbiosname.lower(),
machinepass=machinepass,
serverrole=serverrole,
samdb_fill=FILL_FULL,
useeadb=useeadb,
dns_backend=dns_backend,
use_rfc2307=True,
use_ntvfs=use_ntvfs,
skip_sysvolacl=True)
result.report_logger(logger)
# Import WINS database
logger.info("Importing WINS database")
if samba3_winsdb:
import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
# Set Account policy
logger.info("Importing Account policy")
import_sam_policy(result.samdb, policy, logger)
# Migrate IDMAP database
logger.info("Importing idmap database")
import_idmap(result.idmap, samba3, logger)
# Set the s3 context for samba4 configuration
new_lp_ctx = s3param.get_context()
new_lp_ctx.load(result.lp.configfile)
new_lp_ctx.set("private dir", result.lp.get("private dir"))
new_lp_ctx.set("state directory", result.lp.get("state directory"))
new_lp_ctx.set("lock directory", result.lp.get("lock directory"))
# Connect to samba4 backend
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
# Start a new transaction (should speed this up a little, due to index churn)
result.samdb.transaction_start()
logger.info("Adding groups")
try:
# Export groups to samba4 backend
logger.info("Importing groups")
for g in grouplist:
# Ignore uninitialized groups (gid = -1)
if g.gid != -1:
add_group_from_mapping_entry(result.samdb, g, logger)
add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid,
"ID_TYPE_GID", logger)
add_posix_attrs(samdb=result.samdb,
sid=g.sid,
name=g.nt_name,
nisdomain=domainname.lower(),
xid_type="ID_TYPE_GID",
logger=logger)
except:
# We need this, so that we do not give even more errors due to not cancelling the transaction
result.samdb.transaction_cancel()
raise
logger.info("Committing 'add groups' transaction to disk")
result.samdb.transaction_commit()
logger.info("Adding users")
# Export users to samba4 backend
logger.info("Importing users")
for username in userdata:
if username.lower() == 'administrator':
if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
logger.error(
"User 'Administrator' in your existing directory has SID %s, expected it to be %s"
% (userdata[username].user_sid,
dom_sid(str(domainsid) + "-500")))
raise ProvisioningError(
"User 'Administrator' in your existing directory does not have SID ending in -500"
)
if username.lower() == 'root':
if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
logger.warn('User root has been replaced by Administrator')
else:
logger.warn(
'User root has been kept in the directory, it should be removed in favour of the Administrator user'
)
s4_passdb.add_sam_account(userdata[username])
if username in uids:
add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid,
uids[username], "ID_TYPE_UID", logger)
if (username in homes) and (homes[username] is not None) and \
(username in shells) and (shells[username] is not None) and \
(username in pgids) and (pgids[username] is not None):
add_posix_attrs(samdb=result.samdb,
sid=userdata[username].user_sid,
name=username,
nisdomain=domainname.lower(),
xid_type="ID_TYPE_UID",
home=homes[username],
shell=shells[username],
pgid=pgids[username],
logger=logger)
logger.info("Adding users to groups")
# Start a new transaction (should speed this up a little, due to index churn)
result.samdb.transaction_start()
try:
for g in grouplist:
if str(g.sid) in groupmembers:
add_users_to_group(result.samdb, g, groupmembers[str(g.sid)],
logger)
except:
# We need this, so that we do not give even more errors due to not cancelling the transaction
result.samdb.transaction_cancel()
raise
logger.info("Committing 'add users to groups' transaction to disk")
result.samdb.transaction_commit()
# Set password for administrator
if admin_user:
logger.info("Setting password for administrator")
admin_userdata = s4_passdb.getsampwnam("administrator")
admin_userdata.nt_passwd = userdata[admin_user].nt_passwd
if userdata[admin_user].lanman_passwd:
admin_userdata.lanman_passwd = userdata[admin_user].lanman_passwd
admin_userdata.pass_last_set_time = userdata[
admin_user].pass_last_set_time
if userdata[admin_user].pw_history:
admin_userdata.pw_history = userdata[admin_user].pw_history
s4_passdb.update_sam_account(admin_userdata)
logger.info(
"Administrator password has been set to password of user '%s'",
admin_user)
if result.server_role == "active directory domain controller":
setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
result.paths.root_uid, result.paths.root_gid,
security.dom_sid(result.domainsid),
result.names.dnsdomain, result.names.domaindn, result.lp,
use_ntvfs)
def test_get_ldbs(self):
paths = get_paths(param, None, smb_conf_path)
creds = Credentials()
lp = env_loadparm()
creds.guess(lp)
get_ldbs(paths, creds, system_session(), lp)
def _load_samba_environment(retries):
"""Load the samba configuration vars from smb.conf and the sam.db."""
params = samba.param.LoadParm()
params.load_default()
netbiosname = params.get("netbios name")
hostname = netbiosname.lower()
dnsdomain = params.get("realm")
dnsdomain = dnsdomain.lower()
creds = Credentials()
creds.guess(params)
creds.set_machine_account(params)
samdb_url = params.get('dcerpc_mapiproxy:samdb_url')
if samdb_url is None:
samdb_url = params.samdb_url()
samdb_ldb = None
backoff = 0.2
next_retry = 0
while samdb_ldb is None:
try:
samdb_ldb = SamDBWrapper(url=samdb_url,
session_info=system_session(),
credentials=creds,
lp=params)
except ldb.LdbError as ex:
number, desc = ex
if number == ldb.ERR_OPERATIONS_ERROR:
# this is a cannot connect error
if retries != 0:
next_retry += 1
if next_retry > retries:
logger.error(
"Maximum samba connection retries reached (%i)" %
retries)
raise ex
logger.warn(
"Cannot connect to samba server. Backing off for %.2f seconds"
% backoff)
time.sleep(backoff)
backoff *= 2
if backoff > 60:
backoff = 60
else:
raise ex
domaindn = samdb_ldb.domain_dn()
rootdn = domaindn
configdn = "CN=Configuration," + rootdn
firstorg = None
firstorg_basedn = 'CN=Microsoft Exchange,CN=Services,' + configdn
res = samdb_ldb.search(
base=firstorg_basedn,
scope=ldb.SCOPE_ONELEVEL,
expression='(objectClass=msExchOrganizationContainer)',
attrs=['cn'])
if res:
if len(res) > 1:
logger.warn('More than one exchange organization found')
firstorg = res[0]['cn'][0]
if not firstorg:
raise Exception(
"Cannot find first exchange organization in samba database")
firstou = None
firstou_basedn = "CN=Administrative Groups,CN=%s,%s" % (firstorg,
firstorg_basedn)
res = samdb_ldb.search(base=firstou_basedn,
scope=ldb.SCOPE_ONELEVEL,
expression='(objectClass=msExchAdminGroup)',
attrs=['cn'])
if res:
if len(res) > 1:
logger.warn('More than one exchange administration group found')
firstou = res[0]['cn'][0]
if not firstou:
raise Exception(
"Cannot find exchange first organization unit in samba database")
username_mail = False
if params.get("auth:usernames are emails") == 'yes':
username_mail = True
sam_environ = {"samdb_ldb": samdb_ldb,
"private_dir": params.get("private dir"),
"domaindn": domaindn,
"oc_user_basedn": "CN=%s,CN=%s,CN=%s,%s" \
% (firstou, firstorg, netbiosname, domaindn),
"firstorgdn": ("CN=%s,CN=Microsoft Exchange,CN=Services,%s"
% (firstorg, configdn)),
"legacyserverdn": ("/o=%s/ou=%s/cn=Configuration/cn=Servers"
"/cn=%s"
% (firstorg, firstou, netbiosname)),
"hostname": hostname,
"dnsdomain": dnsdomain,
'username_mail': username_mail,
}
return sam_environ
def setUp(self):
super(KCCMultisiteLdifTests, self).setUp()
self.lp = LoadParm()
self.creds = Credentials()
self.creds.guess(self.lp)
def setUp(self):
super(PasswordTests, self).setUp()
self.ldb = SamDB(url=host, session_info=system_session(lp), credentials=creds, lp=lp)
# Gets back the basedn
base_dn = self.ldb.domain_dn()
# Gets back the configuration basedn
configuration_dn = self.ldb.get_config_basedn().get_linearized()
# Get the old "dSHeuristics" if it was set
dsheuristics = self.ldb.get_dsheuristics()
# Set the "dSHeuristics" to activate the correct "userPassword" behaviour
self.ldb.set_dsheuristics("000000001")
# Reset the "dSHeuristics" as they were before
self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)
# Get the old "minPwdAge"
minPwdAge = self.ldb.get_minPwdAge()
# Set it temporarily to "0"
self.ldb.set_minPwdAge("0")
self.base_dn = self.ldb.domain_dn()
# Reset the "minPwdAge" as it was before
self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)
# (Re)adds the test user "testuser" with no password atm
delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
self.ldb.add({
"dn": "cn=testuser,cn=users," + self.base_dn,
"objectclass": "user",
"sAMAccountName": "testuser"})
# Tests a password change when we don't have any password yet with a
# wrong old password
try:
self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: noPassword
add: userPassword
userPassword: thatsAcomplPASS2
""")
self.fail()
except LdbError as e:
(num, msg) = e.args
self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
# Windows (2008 at least) seems to have some small bug here: it
# returns "0000056A" on longer (always wrong) previous passwords.
self.assertTrue('00000056' in msg)
# Sets the initial user password with a "special" password change
# I think that this internally is a password set operation and it can
# only be performed by someone which has password set privileges on the
# account (at least in s4 we do handle it like that).
self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
""")
# But in the other way around this special syntax doesn't work
try:
self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1
add: userPassword
""")
self.fail()
except LdbError as e1:
(num, _) = e1.args
self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
# Enables the user account
self.ldb.enable_account("(sAMAccountName=testuser)")
# Open a second LDB connection with the user credentials. Use the
# command line credentials for informations like the domain, the realm
# and the workstation.
creds2 = Credentials()
creds2.set_username("testuser")
creds2.set_password("thatsAcomplPASS1")
creds2.set_domain(creds.get_domain())
creds2.set_realm(creds.get_realm())
creds2.set_workstation(creds.get_workstation())
creds2.set_gensec_features(creds2.get_gensec_features()
| gensec.FEATURE_SEAL)
self.ldb2 = SamDB(url=host, credentials=creds2, lp=lp)
def add_user(self, options=None, clear_text=False, ldb=None):
# set any needed options
if options is not None:
for (option, value) in options:
self.lp.set(option, value)
if ldb is None:
self.creds = Credentials()
self.session = system_session()
self.creds.guess(self.lp)
self.session = system_session()
self.ldb = SamDB(session_info=self.session,
credentials=self.creds,
lp=self.lp)
else:
self.ldb = ldb
res = self.ldb.search(base=self.ldb.get_config_basedn(),
expression="ncName=%s" %
self.ldb.get_default_basedn(),
attrs=["nETBIOSName"])
self.netbios_domain = res[0]["nETBIOSName"][0]
self.dns_domain = self.ldb.domain_dns_name()
# Gets back the basedn
base_dn = self.ldb.domain_dn()
# Gets back the configuration basedn
configuration_dn = self.ldb.get_config_basedn().get_linearized()
# Get the old "dSHeuristics" if it was set
dsheuristics = self.ldb.get_dsheuristics()
# Set the "dSHeuristics" to activate the correct "userPassword"
# behaviour
self.ldb.set_dsheuristics("000000001")
# Reset the "dSHeuristics" as they were before
self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)
# Get the old "minPwdAge"
minPwdAge = self.ldb.get_minPwdAge()
# Set it temporarily to "0"
self.ldb.set_minPwdAge("0")
self.base_dn = self.ldb.domain_dn()
# Reset the "minPwdAge" as it was before
self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)
account_control = 0
if clear_text:
# get the current pwdProperties
pwdProperties = self.ldb.get_pwdProperties()
# enable clear text properties
props = int(pwdProperties)
props |= DOMAIN_PASSWORD_STORE_CLEARTEXT
self.ldb.set_pwdProperties(str(props))
# Restore the value on exit.
self.addCleanup(self.ldb.set_pwdProperties, pwdProperties)
account_control |= UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
# (Re)adds the test user USER_NAME with password USER_PASS
# and userPrincipalName UPN
delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn)
self.ldb.add({
"dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,
"objectclass": "user",
"sAMAccountName": USER_NAME,
"userPassword": USER_PASS,
"userPrincipalName": UPN,
"userAccountControl": str(account_control)
})
def _test_update(self, mech, client_mech=None):
"""Test GENSEC by doing an exchange with ourselves using GSSAPI against a KDC"""
"""Start up a client and server GENSEC instance to test things with"""
self.gensec_client = gensec.Security.start_client(self.settings)
self.gensec_client.set_credentials(self.get_credentials())
self.gensec_client.want_feature(gensec.FEATURE_SEAL)
if client_mech is not None:
self.gensec_client.start_mech_by_name(client_mech)
else:
self.gensec_client.start_mech_by_sasl_name(mech)
self.gensec_server = gensec.Security.start_server(settings=self.settings,
auth_context=auth.AuthContext(lp_ctx=self.lp_ctx))
creds = Credentials()
creds.guess(self.lp_ctx)
creds.set_machine_account(self.lp_ctx)
self.gensec_server.set_credentials(creds)
self.gensec_server.want_feature(gensec.FEATURE_SEAL)
self.gensec_server.start_mech_by_sasl_name(mech)
client_finished = False
server_finished = False
server_to_client = b""
client_to_server = b""
"""Run the actual call loop"""
while True:
if not client_finished:
print("running client gensec_update")
(client_finished, client_to_server) = self.gensec_client.update(server_to_client)
if not server_finished:
print("running server gensec_update")
(server_finished, server_to_client) = self.gensec_server.update(client_to_server)
if client_finished and server_finished:
break
self.assertTrue(server_finished)
self.assertTrue(client_finished)
session_info = self.gensec_server.session_info()
test_bytes = b"Hello Server"
try:
test_wrapped = self.gensec_client.wrap(test_bytes)
test_unwrapped = self.gensec_server.unwrap(test_wrapped)
except samba.NTSTATUSError as e:
self.fail(str(e))
self.assertEqual(test_bytes, test_unwrapped)
test_bytes = b"Hello Client"
test_wrapped = self.gensec_server.wrap(test_bytes)
test_unwrapped = self.gensec_client.unwrap(test_wrapped)
self.assertEqual(test_bytes, test_unwrapped)
client_session_key = self.gensec_client.session_key()
server_session_key = self.gensec_server.session_key()
self.assertEqual(client_session_key, server_session_key)
def test_gp_motd(self):
local_path = self.lp.cache_path('gpo_cache')
guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
reg_pol = os.path.join(local_path, policies, guid,
'MACHINE/REGISTRY.POL')
logger = logging.getLogger('gpo_tests')
cache_dir = self.lp.get('cache directory')
store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
machine_creds = Credentials()
machine_creds.guess(self.lp)
machine_creds.set_machine_account()
# Initialize the group policy extension
ext = gp_msgs_ext(logger, self.lp, machine_creds, store)
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
gpos = ads.get_gpo_list(machine_creds.get_username())
# Stage the Registry.pol file with test data
stage = preg.file()
e1 = preg.entry()
e1.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Messages'
e1.valuename = b'motd'
e1.type = 1
e1.data = b'Have a lot of fun!'
stage.num_entries = 2
e2 = preg.entry()
e2.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Messages'
e2.valuename = b'issue'
e2.type = 1
e2.data = b'Welcome to \\s \\r \\l'
stage.entries = [e1, e2]
ret = stage_file(reg_pol, ndr_pack(stage))
self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
# Process all gpos, with temp output directory
with TemporaryDirectory() as dname:
ext.process_group_policy([], gpos, dname)
motd_file = os.path.join(dname, 'motd')
self.assertTrue(os.path.exists(motd_file),
'Message of the day file not created')
data = open(motd_file, 'r').read()
self.assertEquals(data, e1.data, 'Message of the day not applied')
issue_file = os.path.join(dname, 'issue')
self.assertTrue(os.path.exists(issue_file),
'Login Prompt Message file not created')
data = open(issue_file, 'r').read()
self.assertEquals(data, e2.data,
'Login Prompt Message not applied')
# Unapply policy, and ensure the test files are removed
gp_db = store.get_gplog(machine_creds.get_username())
del_gpos = get_deleted_gpos_list(gp_db, [])
ext.process_group_policy(del_gpos, [], dname)
data = open(motd_file, 'r').read()
self.assertFalse(data, 'Message of the day file not removed')
data = open(issue_file, 'r').read()
self.assertFalse(data, 'Login Prompt Message file not removed')
# Unstage the Registry.pol file
unstage_file(reg_pol)
def test_smb_conf_ext(self):
local_path = self.lp.cache_path('gpo_cache')
guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
reg_pol = os.path.join(local_path, policies, guid,
'MACHINE/REGISTRY.POL')
logger = logging.getLogger('gpo_tests')
cache_dir = self.lp.get('cache directory')
store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
machine_creds = Credentials()
machine_creds.guess(self.lp)
machine_creds.set_machine_account()
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
gpos = ads.get_gpo_list(machine_creds.get_username())
entries = []
e = preg.entry()
e.keyname = 'Software\\Policies\\Samba\\smb_conf\\template homedir'
e.type = 1
e.data = '/home/samba/%D/%U'
e.valuename = 'template homedir'
entries.append(e)
e = preg.entry()
e.keyname = 'Software\\Policies\\Samba\\smb_conf\\apply group policies'
e.type = 4
e.data = 1
e.valuename = 'apply group policies'
entries.append(e)
e = preg.entry()
e.keyname = 'Software\\Policies\\Samba\\smb_conf\\ldap timeout'
e.type = 4
e.data = 9999
e.valuename = 'ldap timeout'
entries.append(e)
stage = preg.file()
stage.num_entries = len(entries)
stage.entries = entries
ret = stage_file(reg_pol, ndr_pack(stage))
self.assertTrue(ret, 'Failed to create the Registry.pol file')
with NamedTemporaryFile(suffix='_smb.conf') as f:
copyfile(self.lp.configfile, f.name)
lp = LoadParm(f.name)
# Initialize the group policy extension
ext = gp_smb_conf_ext(logger, lp, machine_creds, store)
ext.process_group_policy([], gpos)
lp = LoadParm(f.name)
template_homedir = lp.get('template homedir')
self.assertEquals(template_homedir, '/home/samba/%D/%U',
'template homedir was not applied')
apply_group_policies = lp.get('apply group policies')
self.assertTrue(apply_group_policies,
'apply group policies was not applied')
ldap_timeout = lp.get('ldap timeout')
self.assertEquals(ldap_timeout, 9999,
'ldap timeout was not applied')
# Remove policy
gp_db = store.get_gplog(machine_creds.get_username())
del_gpos = get_deleted_gpos_list(gp_db, [])
ext.process_group_policy(del_gpos, [])
lp = LoadParm(f.name)
template_homedir = lp.get('template homedir')
self.assertEquals(template_homedir,
self.lp.get('template homedir'),
'template homedir was not unapplied')
apply_group_policies = lp.get('apply group policies')
self.assertEquals(apply_group_policies,
self.lp.get('apply group policies'),
'apply group policies was not unapplied')
ldap_timeout = lp.get('ldap timeout')
self.assertEquals(ldap_timeout, self.lp.get('ldap timeout'),
'ldap timeout was not unapplied')
# Unstage the Registry.pol file
unstage_file(reg_pol)
def test_gp_unapply(self):
logger = logging.getLogger('gpo_tests')
cache_dir = self.lp.get('cache directory')
local_path = self.lp.cache_path('gpo_cache')
guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
machine_creds = Credentials()
machine_creds.guess(self.lp)
machine_creds.set_machine_account()
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
gpos = ads.get_gpo_list(machine_creds.get_username())
gp_extensions = []
gp_extensions.append(gp_krb_ext)
gp_extensions.append(gp_scripts_ext)
gp_extensions.append(gp_sudoers_ext)
# Create registry stage data
reg_pol = os.path.join(local_path, policies, '%s/MACHINE/REGISTRY.POL')
reg_stage = preg.file()
e = preg.entry()
e.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Daily Scripts'
e.valuename = b'Software\\Policies\\Samba\\Unix Settings'
e.type = 1
e.data = b'echo hello world'
e2 = preg.entry()
e2.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
e2.valuename = b'Software\\Policies\\Samba\\Unix Settings'
e2.type = 1
e2.data = b'fakeu ALL=(ALL) NOPASSWD: ALL'
reg_stage.num_entries = 2
reg_stage.entries = [e, e2]
# Create krb stage date
gpofile = os.path.join(local_path, policies, '%s/MACHINE/MICROSOFT/' \
'WINDOWS NT/SECEDIT/GPTTMPL.INF')
krb_stage = '[Kerberos Policy]\nMaxTicketAge = 99\n'
ret = stage_file(gpofile % guid, krb_stage)
self.assertTrue(ret,
'Could not create the target %s' % (gpofile % guid))
ret = stage_file(reg_pol % guid, ndr_pack(reg_stage))
self.assertTrue(ret,
'Could not create the target %s' % (reg_pol % guid))
# Process all gpos, with temp output directory
remove = []
with TemporaryDirectory() as dname:
for ext in gp_extensions:
ext = ext(logger, self.lp, machine_creds, store)
if type(ext) == gp_krb_ext:
ext.process_group_policy([], gpos)
ret = store.get_int('kdc:user_ticket_lifetime')
self.assertEqual(ret, 99, 'Kerberos policy was not set')
elif type(ext) in [gp_scripts_ext, gp_sudoers_ext]:
ext.process_group_policy([], gpos, dname)
gp_db = store.get_gplog(machine_creds.get_username())
applied_settings = gp_db.get_applied_settings([guid])
for _, fname in applied_settings[-1][-1][str(ext)].items():
self.assertIn(dname, fname,
'Test file not created in tmp dir')
self.assertTrue(os.path.exists(fname),
'Test file not created')
remove.append(fname)
# Unapply policy, and ensure policies are removed
gpupdate_unapply(self.lp)
for fname in remove:
self.assertFalse(os.path.exists(fname),
'Unapply did not remove test file')
ret = store.get_int('kdc:user_ticket_lifetime')
self.assertNotEqual(ret, 99, 'Kerberos policy was not unapplied')
unstage_file(gpofile % guid)
unstage_file(reg_pol % guid)
def test_rsop(self):
logger = logging.getLogger('gpo_tests')
cache_dir = self.lp.get('cache directory')
local_path = self.lp.cache_path('gpo_cache')
store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
machine_creds = Credentials()
machine_creds.guess(self.lp)
machine_creds.set_machine_account()
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
gpos = ads.get_gpo_list(machine_creds.get_username())
gp_extensions = []
gp_extensions.append(gp_krb_ext)
gp_extensions.append(gp_scripts_ext)
gp_extensions.append(gp_sudoers_ext)
gp_extensions.append(gp_smb_conf_ext)
gp_extensions.append(gp_msgs_ext)
# Create registry stage data
reg_pol = os.path.join(local_path, policies, '%s/MACHINE/REGISTRY.POL')
reg_stage = preg.file()
e = preg.entry()
e.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Daily Scripts'
e.valuename = b'Software\\Policies\\Samba\\Unix Settings'
e.type = 1
e.data = b'echo hello world'
e2 = preg.entry()
e2.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
e2.valuename = b'Software\\Policies\\Samba\\Unix Settings'
e2.type = 1
e2.data = b'fakeu ALL=(ALL) NOPASSWD: ALL'
e3 = preg.entry()
e3.keyname = 'Software\\Policies\\Samba\\smb_conf\\apply group policies'
e3.type = 4
e3.data = 1
e3.valuename = 'apply group policies'
e4 = preg.entry()
e4.keyname = b'Software\\Policies\\Samba\\Unix Settings\\Messages'
e4.valuename = b'issue'
e4.type = 1
e4.data = b'Welcome to \\s \\r \\l'
reg_stage.num_entries = 4
reg_stage.entries = [e, e2, e3, e4]
# Create krb stage date
gpofile = os.path.join(local_path, policies, '%s/MACHINE/MICROSOFT/' \
'WINDOWS NT/SECEDIT/GPTTMPL.INF')
krb_stage = '[Kerberos Policy]\nMaxTicketAge = 99\n'
for g in [g for g in gpos if g.file_sys_path]:
ret = stage_file(gpofile % g.name, krb_stage)
self.assertTrue(
ret, 'Could not create the target %s' % (gpofile % g.name))
ret = stage_file(reg_pol % g.name, ndr_pack(reg_stage))
self.assertTrue(
ret, 'Could not create the target %s' % (reg_pol % g.name))
for ext in gp_extensions:
ext = ext(logger, self.lp, machine_creds, store)
ret = ext.rsop(g)
self.assertEquals(
len(ret.keys()), 1,
'A single policy should have been displayed')
# Check the Security Extension
if type(ext) == gp_krb_ext:
self.assertIn('Kerberos Policy', ret.keys(),
'Kerberos Policy not found')
self.assertIn('MaxTicketAge', ret['Kerberos Policy'],
'MaxTicketAge setting not found')
self.assertEquals(ret['Kerberos Policy']['MaxTicketAge'],
'99', 'MaxTicketAge was not set to 99')
# Check the Scripts Extension
elif type(ext) == gp_scripts_ext:
self.assertIn('Daily Scripts', ret.keys(),
'Daily Scripts not found')
self.assertIn('echo hello world', ret['Daily Scripts'],
'Daily script was not created')
# Check the Sudoers Extension
elif type(ext) == gp_sudoers_ext:
self.assertIn('Sudo Rights', ret.keys(),
'Sudoers not found')
self.assertIn('fakeu ALL=(ALL) NOPASSWD: ALL',
ret['Sudo Rights'],
'Sudoers policy not created')
# Check the smb.conf Extension
elif type(ext) == gp_smb_conf_ext:
self.assertIn('smb.conf', ret.keys(),
'apply group policies was not applied')
self.assertIn(e3.valuename, ret['smb.conf'],
'apply group policies was not applied')
self.assertEquals(ret['smb.conf'][e3.valuename], e3.data,
'apply group policies was not set')
# Check the Messages Extension
elif type(ext) == gp_msgs_ext:
self.assertIn('/etc/issue', ret,
'Login Prompt Message not applied')
self.assertEquals(ret['/etc/issue'], e4.data,
'Login Prompt Message not set')
unstage_file(gpofile % g.name)
unstage_file(reg_pol % g.name)
# Check that a call to gpupdate --rsop also succeeds
ret = rsop(self.lp)
self.assertEquals(ret, 0, 'gpupdate --rsop failed!')
def test_gp_scripts(self):
local_path = self.lp.cache_path('gpo_cache')
guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
reg_pol = os.path.join(local_path, policies, guid,
'MACHINE/REGISTRY.POL')
logger = logging.getLogger('gpo_tests')
cache_dir = self.lp.get('cache directory')
store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
machine_creds = Credentials()
machine_creds.guess(self.lp)
machine_creds.set_machine_account()
# Initialize the group policy extension
ext = gp_scripts_ext(logger, self.lp, machine_creds, store)
ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
if ads.connect():
gpos = ads.get_gpo_list(machine_creds.get_username())
reg_key = b'Software\\Policies\\Samba\\Unix Settings'
sections = {
b'%s\\Daily Scripts' % reg_key: '.cron.daily',
b'%s\\Monthly Scripts' % reg_key: '.cron.monthly',
b'%s\\Weekly Scripts' % reg_key: '.cron.weekly',
b'%s\\Hourly Scripts' % reg_key: '.cron.hourly'
}
for keyname in sections.keys():
# Stage the Registry.pol file with test data
stage = preg.file()
e = preg.entry()
e.keyname = keyname
e.valuename = b'Software\\Policies\\Samba\\Unix Settings'
e.type = 1
e.data = b'echo hello world'
stage.num_entries = 1
stage.entries = [e]
ret = stage_file(reg_pol, ndr_pack(stage))
self.assertTrue(ret, 'Could not create the target %s' % reg_pol)
# Process all gpos, with temp output directory
with TemporaryDirectory(sections[keyname]) as dname:
ext.process_group_policy([], gpos, dname)
scripts = os.listdir(dname)
self.assertEquals(
len(scripts), 1,
'The %s script was not created' % keyname.decode())
out, _ = Popen([os.path.join(dname, scripts[0])],
stdout=PIPE).communicate()
self.assertIn(b'hello world', out,
'%s script execution failed' % keyname.decode())
# Remove policy
gp_db = store.get_gplog(machine_creds.get_username())
del_gpos = get_deleted_gpos_list(gp_db, [])
ext.process_group_policy(del_gpos, [])
self.assertEquals(len(os.listdir(dname)), 0,
'Unapply failed to cleanup scripts')
# Unstage the Registry.pol file
unstage_file(reg_pol)
def setUp(self):
super(DsdbFullScanTests, self).setUp()
self.lp = samba.tests.env_loadparm()
self.creds = Credentials()
self.creds.guess(self.lp)
self.session = system_session()
def init(self):
from samba.provision import ProvisioningError
# we will shortly start slapd with ldapi for final provisioning. first
# check with ldapsearch -> rootDSE via self.ldap_uri if another
# instance of slapd is already running
try:
ldapi_db = Ldb(self.ldap_uri)
ldapi_db.search(base="",
scope=SCOPE_BASE,
expression="(objectClass=OpenLDAProotDSE)")
try:
f = open(self.slapd_pid, "r")
except IOError as err:
if err != errno.ENOENT:
raise
else:
try:
p = f.read()
finally:
f.close()
self.logger.info(
"Check for slapd process with PID: %s and terminate it manually."
% p)
raise SlapdAlreadyRunning(self.ldap_uri)
except LdbError:
# XXX: We should never be catching all Ldb errors
pass
# Try to print helpful messages when the user has not specified the
# path to slapd
if self.slapd_path is None:
raise ProvisioningError(
"Warning: LDAP-Backend must be setup with path to slapd, e.g. --slapd-path=\"/usr/local/libexec/slapd\"!"
)
if not os.path.exists(self.slapd_path):
self.logger.warning("Path (%s) to slapd does not exist!",
self.slapd_path)
if not os.path.isdir(self.ldapdir):
os.makedirs(self.ldapdir, 0o700)
# Put the LDIF of the schema into a database so we can search on
# it to generate schema-dependent configurations in Fedora DS and
# OpenLDAP
schemadb_path = os.path.join(self.ldapdir, "schema-tmp.ldb")
try:
os.unlink(schemadb_path)
except OSError:
pass
self.schema.write_to_tmp_ldb(schemadb_path)
self.credentials = Credentials()
self.credentials.guess(self.lp)
# Kerberos to an ldapi:// backend makes no sense (we also force EXTERNAL)
self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
self.credentials.set_username("samba-admin")
self.credentials.set_password(self.ldapadminpass)
self.credentials.set_forced_sasl_mech("EXTERNAL")
self.provision()
def create_credential(lp, other):
c = Credentials()
c.guess(lp)
c.set_gensec_features(other.get_gensec_features())
return c
def _test_samlogon(self, binding, creds, checkFunction):
def isLastExpectedMessage(msg):
return (
msg["type"] == "Authentication" and
msg["Authentication"]["serviceDescription"] == "SamLogon" and
msg["Authentication"]["authDescription"] == "network" and
msg["Authentication"]["passwordType"] == "NTLMv2" and
(msg["Authentication"]["eventId"] ==
EVT_ID_SUCCESSFUL_LOGON) and
(msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK))
if binding:
binding = "[schannel,%s]" % binding
else:
binding = "[schannel]"
utf16pw = text_type('"' + self.machinepass + '"').encode('utf-16-le')
self.ldb.add({
"dn": self.samlogon_dn,
"objectclass": "computer",
"sAMAccountName": "%s$" % self.netbios_name,
"userAccountControl":
str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
"unicodePwd": utf16pw})
machine_creds = Credentials()
machine_creds.guess(self.get_loadparm())
machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
machine_creds.set_password(self.machinepass)
machine_creds.set_username(self.netbios_name + "$")
netlogon_conn = netlogon.netlogon("ncalrpc:%s" % binding,
self.get_loadparm(),
machine_creds)
challenge = b"abcdefgh"
target_info = ntlmssp.AV_PAIR_LIST()
target_info.count = 3
domainname = ntlmssp.AV_PAIR()
domainname.AvId = ntlmssp.MsvAvNbDomainName
domainname.Value = self.domain
computername = ntlmssp.AV_PAIR()
computername.AvId = ntlmssp.MsvAvNbComputerName
computername.Value = self.netbios_name
eol = ntlmssp.AV_PAIR()
eol.AvId = ntlmssp.MsvAvEOL
target_info.pair = [domainname, computername, eol]
target_info_blob = ndr_pack(target_info)
response = creds.get_ntlm_response(flags=CLI_CRED_NTLMv2_AUTH,
challenge=challenge,
target_info=target_info_blob)
netr_flags = 0
logon_level = netlogon.NetlogonNetworkTransitiveInformation
logon = samba.dcerpc.netlogon.netr_NetworkInfo()
logon.challenge = [x if isinstance(x,int) else ord(x) for x in challenge]
logon.nt = netlogon.netr_ChallengeResponse()
logon.nt.length = len(response["nt_response"])
logon.nt.data = [x if isinstance(x,int) else ord(x) for x in response["nt_response"]]
logon.identity_info = samba.dcerpc.netlogon.netr_IdentityInfo()
(username, domain) = creds.get_ntlm_username_domain()
logon.identity_info.domain_name.string = domain
logon.identity_info.account_name.string = username
logon.identity_info.workstation.string = creds.get_workstation()
validation_level = samba.dcerpc.netlogon.NetlogonValidationSamInfo4
result = netlogon_conn.netr_LogonSamLogonEx(
os.environ["SERVER"],
machine_creds.get_workstation(),
logon_level, logon,
validation_level, netr_flags)
(validation, authoritative, netr_flags_out) = result
messages = self.waitForMessages(isLastExpectedMessage, netlogon_conn)
checkFunction(messages)
def test_msDSRevealedUsers_using_other_RODC(self):
"""
Ensure that the machine account is tied to the destination DSA.
"""
# Create a new identical RODC with just the first letter missing
other_rodc_name = self.rodc_name[1:]
other_rodc_ctx = DCJoinContext(server=self.ldb_dc1.host_dns_name(),
creds=self.get_credentials(),
lp=self.get_loadparm(), site=self.site,
netbios_name=other_rodc_name,
targetdir=None, domain=None,
machinepass=self.rodc_pass)
self._create_rodc(other_rodc_ctx)
other_rodc_creds = Credentials()
other_rodc_creds.guess(other_rodc_ctx.lp)
other_rodc_creds.set_username(other_rodc_name + '$')
other_rodc_creds.set_password(self.rodc_pass)
(other_rodc_drs, other_rodc_drs_handle) = self._ds_bind(self.dnsname_dc1, other_rodc_creds)
rand = random.randint(1, 10000000)
expected_user_attributes = [drsuapi.DRSUAPI_ATTID_lmPwdHistory,
drsuapi.DRSUAPI_ATTID_supplementalCredentials,
drsuapi.DRSUAPI_ATTID_ntPwdHistory,
drsuapi.DRSUAPI_ATTID_unicodePwd,
drsuapi.DRSUAPI_ATTID_dBCSPwd]
user_name = "test_rodcF_%s" % rand
user_dn = "CN=%s,%s" % (user_name, self.ou)
self.ldb_dc1.add({
"dn": user_dn,
"objectclass": "user",
"sAMAccountName": user_name
})
# Store some secret on this user
self.ldb_dc1.setpassword("(sAMAccountName=%s)" % user_name, 'penguin12#', False, user_name)
self.ldb_dc1.add_remove_group_members("Allowed RODC Password Replication Group",
[user_name],
add_members_operation=True)
req10 = self._getnc_req10(dest_dsa=str(other_rodc_ctx.ntds_guid),
invocation_id=self.ldb_dc1.get_invocation_id(),
nc_dn_str=user_dn,
exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET,
partial_attribute_set=drs_get_rodc_partial_attribute_set(self.ldb_dc1, self.tmp_samdb),
max_objects=133,
replica_flags=0)
try:
(level, ctr) = self.rodc_drs.DsGetNCChanges(self.rodc_drs_handle, 10, req10)
self.fail("Successfully replicated secrets to an RODC that shouldn't have been replicated.")
except WERRORError as e3:
(enum, estr) = e3.args
self.assertEqual(enum, 8630) # ERROR_DS_DRA_SECRETS_DENIED
req10 = self._getnc_req10(dest_dsa=str(self.rodc_ctx.ntds_guid),
invocation_id=self.ldb_dc1.get_invocation_id(),
nc_dn_str=user_dn,
exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET,
partial_attribute_set=drs_get_rodc_partial_attribute_set(self.ldb_dc1, self.tmp_samdb),
max_objects=133,
replica_flags=0)
try:
(level, ctr) = other_rodc_drs.DsGetNCChanges(other_rodc_drs_handle, 10, req10)
self.fail("Successfully replicated secrets to an RODC that shouldn't have been replicated.")
except WERRORError as e4:
(enum, estr) = e4.args
self.assertEqual(enum, 8630) # ERROR_DS_DRA_SECRETS_DENIED
def test_modify_dsheuristics_userPassword(self):
print("Performs testing about reading userPassword between dsHeuristic modifies")
# Make sure userPassword cannot be read
self.ldb.set_dsheuristics("000000000")
# Open a new connection (with dsHeuristic=000000000)
ldb1 = SamDB(url=host, session_info=system_session(lp),
credentials=creds, lp=lp)
# Set userPassword to be read
# This setting only affects newer connections (ldb2)
ldb1.set_dsheuristics("000000001")
time.sleep(1)
m = Message()
m.dn = Dn(ldb1, "cn=testuser,cn=users," + self.base_dn)
m["userPassword"] = MessageElement("thatsAcomplPASS1", FLAG_MOD_REPLACE,
"userPassword")
ldb1.modify(m)
res = ldb1.search("cn=testuser,cn=users," + self.base_dn,
scope=SCOPE_BASE, attrs=["userPassword"])
# userPassword cannot be read, despite the dsHeuristic setting
self.assertTrue(len(res) == 1)
self.assertFalse("userPassword" in res[0])
# Open another new connection (with dsHeuristic=000000001)
ldb2 = SamDB(url=host, session_info=system_session(lp),
credentials=creds, lp=lp)
# Set userPassword to be unreadable
# This setting does not affect this connection
ldb2.set_dsheuristics("000000000")
time.sleep(1)
res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
scope=SCOPE_BASE, attrs=["userPassword"])
# Check that userPassword was not stored from ldb1
self.assertTrue(len(res) == 1)
self.assertFalse("userPassword" in res[0])
m = Message()
m.dn = Dn(ldb2, "cn=testuser,cn=users," + self.base_dn)
m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE,
"userPassword")
ldb2.modify(m)
res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
scope=SCOPE_BASE, attrs=["userPassword"])
# userPassword can be read in this connection
# This is regardless of the current dsHeuristics setting
self.assertTrue(len(res) == 1)
self.assertTrue("userPassword" in res[0])
self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")
# Only password from ldb1 is the user's password
creds2 = Credentials()
creds2.set_username("testuser")
creds2.set_password("thatsAcomplPASS1")
creds2.set_domain(creds.get_domain())
creds2.set_realm(creds.get_realm())
creds2.set_workstation(creds.get_workstation())
creds2.set_gensec_features(creds2.get_gensec_features()
| gensec.FEATURE_SEAL)
try:
SamDB(url=host, credentials=creds2, lp=lp)
except:
self.fail("testuser used the wrong password")
ldb3 = SamDB(url=host, session_info=system_session(lp),
credentials=creds, lp=lp)
# Check that userPassword was stored from ldb2
res = ldb3.search("cn=testuser,cn=users," + self.base_dn,
scope=SCOPE_BASE, attrs=["userPassword"])
# userPassword can be read
self.assertTrue(len(res) == 1)
self.assertTrue("userPassword" in res[0])
self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")
# Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
self.ldb.set_dsheuristics("000000001")
from samba import dsdb
from samba.samdb import SamDB
from samba.param import LoadParm
from samba.auth import system_session
from samba.credentials import Credentials
if __name__ == '__main__':
parser = OptionParser(usage='DN2base64Guid.py dn')
(options, args) = parser.parse_args()
if len(args) != 1:
parser.print_help()
sys.exit(2)
dn = args[0]
lp = LoadParm()
creds = Credentials()
creds.guess(lp)
samdb = SamDB(url='/var/lib/samba/private/sam.ldb', session_info=system_session(), credentials=creds, lp=lp)
domain_dn = samdb.domain_dn()
res = samdb.search(dn, scope=ldb.SCOPE_BASE, attrs=["objectGuid"])
for msg in res:
guid = msg.get("objectGuid", idx=0)
print base64.encodestring(guid),
sys.exit(0)
def setUp(self):
super(LdifImportExportTests, self).setUp()
self.lp = LoadParm()
self.creds = Credentials()
self.creds.guess(self.lp)
def list_dns():
from samba.dcerpc import dnsp, dnsserver
server = '127.0.0.1'
binding_str = 'ncacn_ip_tcp:%s[sign]' % server
cred_data = open('/vapour/dnsquery').read().split(':')
creds = Credentials()
creds.guess(lp)
creds.set_username(cred_data[0])
creds.set_password(cred_data[1].rstrip())
dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
zone = get_cur_domain()
name = '@'
record_type = dnsp.DNS_TYPE_ALL
select_flags = dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA
buflen, res = dns_conn.DnssrvEnumRecords2(
dnsserver.DNS_CLIENT_VERSION_LONGHORN, 0, server, zone, name, None,
record_type, select_flags, None, None)
record_groups = res.rec
result = []
for rec_group in record_groups:
group_name = rec_group.dnsNodeName.str
for rec in rec_group.records:
if rec.wType == dnsp.DNS_TYPE_A:
result.append({
'group_name': group_name,
'type': 'A',
'value': rec.data
})
elif rec.wType == dnsp.DNS_TYPE_AAAA:
result.append({
'group_name': group_name,
'type': 'AAAA',
'value': rec.data
})
elif rec.wType == dnsp.DNS_TYPE_PTR:
result.append({
'group_name': group_name,
'type': 'PTR',
'value': rec.data.str
})
elif rec.wType == dnsp.DNS_TYPE_NS:
result.append({
'group_name': group_name,
'type': 'NS',
'value': rec.data.str
})
elif rec.wType == dnsp.DNS_TYPE_CNAME:
result.append({
'group_name': group_name,
'type': 'CNAME',
'value': rec.data.str
})
elif rec.wType == dnsp.DNS_TYPE_SOA:
result.append({
'group_name':
group_name,
'type':
'SOA',
'value':
'serial=%d, refresh=%d, retry=%d, expire=%d, minttl=%d, ns=%s, email=%s'
% (rec.data.dwSerialNo, rec.data.dwRefresh,
rec.data.dwRetry, rec.data.dwExpire,
rec.data.dwMinimumTtl, rec.data.NamePrimaryServer.str,
rec.data.ZoneAdministratorEmail.str)
})
elif rec.wType == dnsp.DNS_TYPE_MX:
result.append({
'group_name':
group_name,
'type':
'MX',
'value':
'%s (%d)' %
(rec.data.nameExchange.str, rec.data.wPreference)
})
elif rec.wType == dnsp.DNS_TYPE_SRV:
result.append({
'group_name':
group_name,
'type':
'SRV',
'value':
'%s (%d, %d, %d)' % (rec.data.nameTarget, rec.data.wPort,
rec.data.wPriority, rec.data.wWeight)
})
elif rec.wType == dnsp.DNS_TYPE_TXT:
slist = ['"%s"' % name.str for name in rec.data]
result.append({
'group_name': group_name,
'type': 'TXT',
'value': ','.join(slist)
})
return result
def setUp(self):
super(BasePasswordTestCase, self).setUp()
self.global_creds.set_gensec_features(
self.global_creds.get_gensec_features() | gensec.FEATURE_SEAL)
self.template_creds = Credentials()
self.template_creds.set_username("testuser")
self.template_creds.set_password("thatsAcomplPASS1")
self.template_creds.set_domain(self.global_creds.get_domain())
self.template_creds.set_realm(self.global_creds.get_realm())
self.template_creds.set_workstation(
self.global_creds.get_workstation())
self.template_creds.set_gensec_features(
self.global_creds.get_gensec_features())
self.template_creds.set_kerberos_state(
self.global_creds.get_kerberos_state())
# Gets back the basedn
base_dn = self.ldb.domain_dn()
# Gets back the configuration basedn
configuration_dn = self.ldb.get_config_basedn().get_linearized()
res = self.ldb.search(base_dn,
scope=SCOPE_BASE,
attrs=[
"lockoutDuration",
"lockOutObservationWindow",
"lockoutThreshold"
])
if "lockoutDuration" in res[0]:
lockoutDuration = res[0]["lockoutDuration"][0]
else:
lockoutDuration = 0
if "lockoutObservationWindow" in res[0]:
lockoutObservationWindow = res[0]["lockoutObservationWindow"][0]
else:
lockoutObservationWindow = 0
if "lockoutThreshold" in res[0]:
lockoutThreshold = res[0]["lockoutThreshold"][0]
else:
lockoutTreshold = 0
self.addCleanup(
self.ldb.modify_ldif, """
dn: """ + base_dn + """
changetype: modify
replace: lockoutDuration
lockoutDuration: """ + str(lockoutDuration) + """
replace: lockoutObservationWindow
lockoutObservationWindow: """ + str(lockoutObservationWindow) + """
replace: lockoutThreshold
lockoutThreshold: """ + str(lockoutThreshold) + """
""")
self.base_dn = self.ldb.domain_dn()
#
# Some test cases sleep() for self.account_lockout_duration
# so allow it to be controlled via the subclass
#
if not hasattr(self, 'account_lockout_duration'):
self.account_lockout_duration = 3
if not hasattr(self, 'lockout_observation_window'):
self.lockout_observation_window = 3
self.update_lockout_settings(
threshold=3,
duration=self.account_lockout_duration,
observation_window=self.lockout_observation_window)
# update DC to allow password changes for the duration of this test
self.allow_password_changes()
self.domain_sid = security.dom_sid(self.ldb.get_domain_sid())
self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % self.host, self.lp,
self.global_creds)
self.samr_handle = self.samr.Connect2(
None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(
self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED,
self.domain_sid)
self.addCleanup(self.delete_ldb_connections)
# (Re)adds the test user accounts
self.lockout1krb5_creds = self.insta_creds(
self.template_creds,
username="******",
userpass="******",
kerberos_state=MUST_USE_KERBEROS)
self.lockout1krb5_ldb = self._readd_user(self.lockout1krb5_creds)
self.lockout1ntlm_creds = self.insta_creds(
self.template_creds,
username="******",
userpass="******",
kerberos_state=DONT_USE_KERBEROS)
self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)
def net_lookup(domain):
global cldap_ret
net = Net(Credentials())
cldap_ret = net.finddc(domain=domain, flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS))
def get_anon_creds(self):
c = Credentials()
c.set_anonymous()
return c
def run():
param_samba = {
'basedn': config.get('samba', 'path'),
'pathsamdb': '%s/sam.ldb' % config.get('samba', 'private'),
'adbase': config.get('samba', 'base')
}
# SAMDB
lp = LoadParm()
creds = Credentials()
creds.guess(lp)
samdb_loc = SamDB(url=param_samba['pathsamdb'],
session_info=system_session(),
credentials=creds,
lp=lp)
testpawd = GetPasswordCommand()
testpawd.lp = lp
passwordattr = config.get('common', 'attr_password')
allmail = {}
# Search all users
for user in samdb_loc.search(
base=param_samba['adbase'],
expression="(&(objectClass=user)(mail=*))",
attrs=["mail", "sAMAccountName", "pwdLastSet"]):
mail = str(user["mail"])
#replace mail if replace_domain in config
if config.getboolean('common', 'replace_domain'):
mail = mail.split('@')[0] + '@' + config.get('common', 'domain')
pwdlastset = user.get('pwdLastSet', '')
#add mail in all mail
allmail[mail] = None
if str(pwdlastset) != dict_mail_pwdlastset.get(mail, ''):
Random.atfork()
# Update if password different in dict mail pwdlastset
password = testpawd.get_account_attributes(
samdb_loc,
None,
param_samba['basedn'],
filter="(sAMAccountName=%s)" % (str(user["sAMAccountName"])),
scope=ldb.SCOPE_SUBTREE,
attrs=[passwordattr],
decrypt=False)
if not passwordattr in password:
continue
password = str(password[passwordattr])
update_password(mail, password, pwdlastset)
#delete user found in dict mail pwdlastset but not found in samba
listdelete = []
for user in dict_mail_pwdlastset:
if not user in allmail:
listdelete.append(user)
for user in listdelete:
del dict_mail_pwdlastset[user]
#write new json dict mail password
if listdelete:
open(filename, 'w').write(json.dumps(dict_mail_pwdlastset))
