Example #1
0
    def insta_creds(self, template=None, username=None, userpass=None, kerberos_state=None):

        if template is None:
            assert template is not None

        if username is not None:
            assert userpass is not None

        if username is None:
            assert userpass is None

            username = template.get_username()
            userpass = template.get_password()

        if kerberos_state is None:
            kerberos_state = template.get_kerberos_state()

        # get a copy of the global creds or a the passed in creds
        c = Credentials()
        c.set_username(username)
        c.set_password(userpass)
        c.set_domain(template.get_domain())
        c.set_realm(template.get_realm())
        c.set_workstation(template.get_workstation())
        c.set_gensec_features(c.get_gensec_features()
                              | gensec.FEATURE_SEAL)
        c.set_kerberos_state(kerberos_state)
        return c
Example #2
0
    def insta_creds(self,
                    template=None,
                    username=None,
                    userpass=None,
                    kerberos_state=None):

        if template is None:
            assert template is not None

        if username is not None:
            assert userpass is not None

        if username is None:
            assert userpass is None

            username = template.get_username()
            userpass = template.get_password()

        if kerberos_state is None:
            kerberos_state = template.get_kerberos_state()

        # get a copy of the global creds or a the passed in creds
        c = Credentials()
        c.set_username(username)
        c.set_password(userpass)
        c.set_domain(template.get_domain())
        c.set_realm(template.get_realm())
        c.set_workstation(template.get_workstation())
        c.set_gensec_features(c.get_gensec_features() | gensec.FEATURE_SEAL)
        c.set_kerberos_state(kerberos_state)
        return c
Example #3
0
    def insta_creds(self, template=None, username=None, userpass=None, kerberos_state=None):

        if template is None:
            raise ValueError("you need to supply a Credentials template")

        if username is not None and userpass is None:
            raise ValueError(
                "you cannot set creds username without setting a password")

        if username is None:
            assert userpass is None

            username = template.get_username()
            userpass = template.get_password()

        if kerberos_state is None:
            kerberos_state = template.get_kerberos_state()

        # get a copy of the global creds or a the passed in creds
        c = Credentials()
        c.set_username(username)
        c.set_password(userpass)
        c.set_domain(template.get_domain())
        c.set_realm(template.get_realm())
        c.set_workstation(template.get_workstation())
        c.set_gensec_features(c.get_gensec_features()
                              | gensec.FEATURE_SEAL)
        c.set_kerberos_state(kerberos_state)
        return c
Example #4
0
 def get_creds(self, target_username, target_password):
     creds_tmp = Credentials()
     creds_tmp.set_username(target_username)
     creds_tmp.set_password(target_password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features() | gensec.FEATURE_SEAL)
     return creds_tmp
Example #5
0
 def get_creds(self, target_username, target_password):
     creds_tmp = Credentials()
     creds_tmp.set_username(target_username)
     creds_tmp.set_password(target_password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                   | gensec.FEATURE_SEAL)
     return creds_tmp
Example #6
0
 def get_ldb_connection(self, target_username, target_password):
     creds_tmp = Credentials()
     creds_tmp.set_username(target_username)
     creds_tmp.set_password(target_password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                   | gensec.FEATURE_SEAL)
     ldb_target = SamDB(url=ldaphost, credentials=creds_tmp, lp=lp)
     return ldb_target
 def get_creds(self, target_username, target_password):
     creds_tmp = Credentials()
     creds_tmp.set_username(target_username)
     creds_tmp.set_password(target_password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                   | gensec.FEATURE_SEAL)
     creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
     return creds_tmp
Example #8
0
 def get_creds(self, target_username, target_password):
     creds_tmp = Credentials()
     creds_tmp.set_username(target_username)
     creds_tmp.set_password(target_password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                   | gensec.FEATURE_SEAL)
     creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
     return creds_tmp
Example #9
0
 def get_ldb_connection(self, target_username, target_password):
     creds_tmp = Credentials()
     creds_tmp.set_username(target_username)
     creds_tmp.set_password(target_password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                   | gensec.FEATURE_SEAL)
     ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
     return ldb_target
Example #10
0
 def get_ldb_connection(self, target_username, target_password):
     creds_tmp = Credentials()
     creds_tmp.set_username(target_username)
     creds_tmp.set_password(target_password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     features = creds_tmp.get_gensec_features() | gensec.FEATURE_SEAL
     creds_tmp.set_gensec_features(features)
     creds_tmp.set_kerberos_state(DONT_USE_KERBEROS)
     ldb_target = SamDB(url=ldaphost, credentials=creds_tmp, lp=lp)
     return ldb_target
Example #11
0
 def get_ldb_connection(self, username, password, ldaphost):
     """Returns an LDB connection using the specified user's credentials"""
     creds = self.get_credentials()
     creds_tmp = Credentials()
     creds_tmp.set_username(username)
     creds_tmp.set_password(password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     features = creds_tmp.get_gensec_features() | gensec.FEATURE_SEAL
     creds_tmp.set_gensec_features(features)
     return samba.tests.connect_samdb(ldaphost, credentials=creds_tmp)
Example #12
0
 def get_ldb_connection(self, target_username, target_password):
     creds_tmp = Credentials()
     creds_tmp.set_username(target_username)
     creds_tmp.set_password(target_password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                   | gensec.FEATURE_SEAL)
     creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
     ldb_target = SamDB(url=ldaphost, credentials=creds_tmp, lp=lp)
     return ldb_target
Example #13
0
 def get_ldb_connection(self, username, password, ldaphost):
     """Returns an LDB connection using the specified user's credentials"""
     creds = self.get_credentials()
     creds_tmp = Credentials()
     creds_tmp.set_username(username)
     creds_tmp.set_password(password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                   | gensec.FEATURE_SEAL)
     return samba.tests.connect_samdb(ldaphost, credentials=creds_tmp)
Example #14
0
 def get_user_and_ldb(self, username, password, hostname=ldaphost):
     """Get a connection for a temporarily user that will vanish as soon as
     the test is over."""
     user = self.ldb.newuser(username, password)
     creds_tmp = Credentials()
     creds_tmp.set_username(username)
     creds_tmp.set_password(password)
     creds_tmp.set_domain(creds.get_domain())
     creds_tmp.set_realm(creds.get_realm())
     creds_tmp.set_workstation(creds.get_workstation())
     creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                   | gensec.FEATURE_SEAL)
     creds_tmp.set_kerberos_state(DONT_USE_KERBEROS)
     ldb_target = SamDB(url=hostname, credentials=creds_tmp, lp=lp)
     self.addCleanup(delete_force, self.ldb, self.get_user_dn(username))
     return (user, ldb_target)
Example #15
0
def make_creds(username, password, kerberos_state=None):
    # use the global CREDS as a template
    c = Credentials()
    c.set_username(username)
    c.set_password(password)
    c.set_domain(CREDS.get_domain())
    c.set_realm(CREDS.get_realm())
    c.set_workstation(CREDS.get_workstation())

    if kerberos_state is None:
        kerberos_state = CREDS.get_kerberos_state()
    c.set_kerberos_state(kerberos_state)

    print '-' * 73
    if kerberos_state == MUST_USE_KERBEROS:
        print "we seem to be using kerberos for %s %s" % (username, password)
    elif kerberos_state == DONT_USE_KERBEROS:
        print "NOT using kerberos for %s %s" % (username, password)
    else:
        print "kerberos state is %s" % kerberos_state

    c.set_gensec_features(c.get_gensec_features() | gensec.FEATURE_SEAL)
    return c
Example #16
0
    def test_modify_dsheuristics_userPassword(self):
        print("Performs testing about reading userPassword between dsHeuristic modifies")

        # Make sure userPassword cannot be read
        self.ldb.set_dsheuristics("000000000")

        # Open a new connection (with dsHeuristic=000000000)
        ldb1 = SamDB(url=host, session_info=system_session(lp),
                     credentials=creds, lp=lp)

        # Set userPassword to be read
        # This setting only affects newer connections (ldb2)
        ldb1.set_dsheuristics("000000001")
        time.sleep(1)

        m = Message()
        m.dn = Dn(ldb1, "cn=testuser,cn=users," + self.base_dn)
        m["userPassword"] = MessageElement("thatsAcomplPASS1", FLAG_MOD_REPLACE,
          "userPassword")
        ldb1.modify(m)

        res = ldb1.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # userPassword cannot be read, it wasn't set, instead the
        # password was
        self.assertTrue(len(res) == 1)
        self.assertFalse("userPassword" in res[0])

        # Open another new connection (with dsHeuristic=000000001)
        ldb2 = SamDB(url=host, session_info=system_session(lp),
                     credentials=creds, lp=lp)

        res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # Check on the new connection that userPassword was not stored
        # from ldb1 or is not readable
        self.assertTrue(len(res) == 1)
        self.assertFalse("userPassword" in res[0])

        # Set userPassword to be readable
        # This setting does not affect this connection
        ldb2.set_dsheuristics("000000000")
        time.sleep(1)

        res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # Check that userPassword was not stored from ldb1
        self.assertTrue(len(res) == 1)
        self.assertFalse("userPassword" in res[0])

        m = Message()
        m.dn = Dn(ldb2, "cn=testuser,cn=users," + self.base_dn)
        m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE,
          "userPassword")
        ldb2.modify(m)

        res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # Check despite setting it with userPassword support disabled
        # on this connection it should still not be readable
        self.assertTrue(len(res) == 1)
        self.assertFalse("userPassword" in res[0])

        # Only password from ldb1 is the user's password
        creds2 = Credentials()
        creds2.set_username("testuser")
        creds2.set_password("thatsAcomplPASS1")
        creds2.set_domain(creds.get_domain())
        creds2.set_realm(creds.get_realm())
        creds2.set_workstation(creds.get_workstation())
        creds2.set_gensec_features(creds2.get_gensec_features()
                                   | gensec.FEATURE_SEAL)

        try:
            SamDB(url=host, credentials=creds2, lp=lp)
        except:
            self.fail("testuser used the wrong password")

        ldb3 = SamDB(url=host, session_info=system_session(lp),
                     credentials=creds, lp=lp)

        # Check that userPassword was stored from ldb2
        res = ldb3.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # userPassword can be read
        self.assertTrue(len(res) == 1)
        self.assertTrue("userPassword" in res[0])
        self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")

        # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
        self.ldb.set_dsheuristics("000000001")

        ldb4 = SamDB(url=host, session_info=system_session(lp),
                     credentials=creds, lp=lp)

        # Check that userPassword that was stored from ldb2
        res = ldb4.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # userPassword can be not be read
        self.assertTrue(len(res) == 1)
        self.assertFalse("userPassword" in res[0])
Example #17
0
    def test_modify_dsheuristics_userPassword(self):
        print("Performs testing about reading userPassword between dsHeuristic modifies")

        # Make sure userPassword cannot be read
        self.ldb.set_dsheuristics("000000000")

        # Open a new connection (with dsHeuristic=000000000)
        ldb1 = SamDB(url=host, session_info=system_session(lp),
                     credentials=creds, lp=lp)

        # Set userPassword to be read
        # This setting only affects newer connections (ldb2)
        ldb1.set_dsheuristics("000000001")
        time.sleep(1)

        m = Message()
        m.dn = Dn(ldb1, "cn=testuser,cn=users," + self.base_dn)
        m["userPassword"] = MessageElement("thatsAcomplPASS1", FLAG_MOD_REPLACE,
          "userPassword")
        ldb1.modify(m)

        res = ldb1.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # userPassword cannot be read, despite the dsHeuristic setting
        self.assertTrue(len(res) == 1)
        self.assertFalse("userPassword" in res[0])

        # Open another new connection (with dsHeuristic=000000001)
        ldb2 = SamDB(url=host, session_info=system_session(lp),
                     credentials=creds, lp=lp)

        # Set userPassword to be unreadable
        # This setting does not affect this connection
        ldb2.set_dsheuristics("000000000")
        time.sleep(1)

        res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # Check that userPassword was not stored from ldb1
        self.assertTrue(len(res) == 1)
        self.assertFalse("userPassword" in res[0])

        m = Message()
        m.dn = Dn(ldb2, "cn=testuser,cn=users," + self.base_dn)
        m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE,
          "userPassword")
        ldb2.modify(m)

        res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # userPassword can be read in this connection
        # This is regardless of the current dsHeuristics setting
        self.assertTrue(len(res) == 1)
        self.assertTrue("userPassword" in res[0])
        self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")

        # Only password from ldb1 is the user's password
        creds2 = Credentials()
        creds2.set_username("testuser")
        creds2.set_password("thatsAcomplPASS1")
        creds2.set_domain(creds.get_domain())
        creds2.set_realm(creds.get_realm())
        creds2.set_workstation(creds.get_workstation())
        creds2.set_gensec_features(creds2.get_gensec_features()
                                   | gensec.FEATURE_SEAL)

        try:
            SamDB(url=host, credentials=creds2, lp=lp)
        except:
            self.fail("testuser used the wrong password")

        ldb3 = SamDB(url=host, session_info=system_session(lp),
                     credentials=creds, lp=lp)

        # Check that userPassword was stored from ldb2
        res = ldb3.search("cn=testuser,cn=users," + self.base_dn,
                          scope=SCOPE_BASE, attrs=["userPassword"])

        # userPassword can be read
        self.assertTrue(len(res) == 1)
        self.assertTrue("userPassword" in res[0])
        self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")

        # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
        self.ldb.set_dsheuristics("000000001")
Example #18
0
    def setUp(self):
        super(PasswordTests, self).setUp()
        self.ldb = SamDB(url=host, session_info=system_session(lp), credentials=creds, lp=lp)

        # Gets back the basedn
        base_dn = self.ldb.domain_dn()

        # Gets back the configuration basedn
        configuration_dn = self.ldb.get_config_basedn().get_linearized()

        # Get the old "dSHeuristics" if it was set
        dsheuristics = self.ldb.get_dsheuristics()

        # Set the "dSHeuristics" to activate the correct "userPassword" behaviour
        self.ldb.set_dsheuristics("000000001")

        # Reset the "dSHeuristics" as they were before
        self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)

        # Get the old "minPwdAge"
        minPwdAge = self.ldb.get_minPwdAge()

        # Set it temporarily to "0"
        self.ldb.set_minPwdAge("0")
        self.base_dn = self.ldb.domain_dn()

        # Reset the "minPwdAge" as it was before
        self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)

        # (Re)adds the test user "testuser" with no password atm
        delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
        self.ldb.add({
             "dn": "cn=testuser,cn=users," + self.base_dn,
             "objectclass": "user",
             "sAMAccountName": "testuser"})

        # Tests a password change when we don't have any password yet with a
        # wrong old password
        try:
            self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: noPassword
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError as e:
            (num, msg) = e.args
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            # Windows (2008 at least) seems to have some small bug here: it
            # returns "0000056A" on longer (always wrong) previous passwords.
            self.assertTrue('00000056' in msg)

        # Sets the initial user password with a "special" password change
        # I think that this internally is a password set operation and it can
        # only be performed by someone which has password set privileges on the
        # account (at least in s4 we do handle it like that).
        self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
""")

        # But in the other way around this special syntax doesn't work
        try:
            self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1
add: userPassword
""")
            self.fail()
        except LdbError as e1:
            (num, _) = e1.args
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)

        # Enables the user account
        self.ldb.enable_account("(sAMAccountName=testuser)")

        # Open a second LDB connection with the user credentials. Use the
        # command line credentials for informations like the domain, the realm
        # and the workstation.
        creds2 = Credentials()
        creds2.set_username("testuser")
        creds2.set_password("thatsAcomplPASS1")
        creds2.set_domain(creds.get_domain())
        creds2.set_realm(creds.get_realm())
        creds2.set_workstation(creds.get_workstation())
        creds2.set_gensec_features(creds2.get_gensec_features()
                                                          | gensec.FEATURE_SEAL)
        self.ldb2 = SamDB(url=host, credentials=creds2, lp=lp)
Example #19
0
    def setUp(self):
        super(PasswordTests, self).setUp()
        self.ldb = SamDB(url=host, session_info=system_session(lp), credentials=creds, lp=lp)

        # Gets back the basedn
        base_dn = self.ldb.domain_dn()

        # Gets back the configuration basedn
        configuration_dn = self.ldb.get_config_basedn().get_linearized()

        # permit password changes during this test
        self.allow_password_changes()

        self.base_dn = self.ldb.domain_dn()

        # (Re)adds the test user "testuser" with no password atm
        delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
        self.ldb.add({
             "dn": "cn=testuser,cn=users," + self.base_dn,
             "objectclass": "user",
             "sAMAccountName": "testuser"})

        # Tests a password change when we don't have any password yet with a
        # wrong old password
        try:
            self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: noPassword
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError as e:
            (num, msg) = e.args
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            # Windows (2008 at least) seems to have some small bug here: it
            # returns "0000056A" on longer (always wrong) previous passwords.
            self.assertTrue('00000056' in msg)

        # Sets the initial user password with a "special" password change
        # I think that this internally is a password set operation and it can
        # only be performed by someone which has password set privileges on the
        # account (at least in s4 we do handle it like that).
        self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
""")

        # But in the other way around this special syntax doesn't work
        try:
            self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1
add: userPassword
""")
            self.fail()
        except LdbError as e1:
            (num, _) = e1.args
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)

        # Enables the user account
        self.ldb.enable_account("(sAMAccountName=testuser)")

        # Open a second LDB connection with the user credentials. Use the
        # command line credentials for informations like the domain, the realm
        # and the workstation.
        creds2 = Credentials()
        creds2.set_username("testuser")
        creds2.set_password("thatsAcomplPASS1")
        creds2.set_domain(creds.get_domain())
        creds2.set_realm(creds.get_realm())
        creds2.set_workstation(creds.get_workstation())
        creds2.set_gensec_features(creds2.get_gensec_features()
                                                          | gensec.FEATURE_SEAL)
        self.ldb2 = SamDB(url=host, credentials=creds2, lp=lp)