def test_RenameDstDelOnClose(self): (lp,creds) = self.prep_creds() dstdir = "\\dst-subdir" c1 = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds) c2 = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds) try: c1.deltree(dstdir) except: pass c1.mkdir(dstdir) dnum = c1.create(dstdir, DesiredAccess=security.SEC_STD_DELETE) c1.delete_on_close(dnum,1) c2.savefile("\\src.txt", b"Content") with self.assertRaises(NTSTATUSError) as cm: c2.rename("\\src.txt", dstdir + "\\dst.txt") if (cm.exception.args[0] != NT_STATUS_DELETE_PENDING): raise AssertionError("Rename must fail with DELETE_PENDING") c1.delete_on_close(dnum,0) c1.close(dnum) try: c1.deltree(dstdir) c1.unlink("\\src.txt") except: pass
def connect_unpriv(self): creds_unpriv = credentials.Credentials() creds_unpriv.guess(self.lp) creds_unpriv.set_username(samba.tests.env_get_var_value("USERNAME_UNPRIV")) creds_unpriv.set_password(samba.tests.env_get_var_value("PASSWORD_UNPRIV")) self.smb_conn_unpriv = libsmb.Conn(self.server, self.share, self.lp, creds_unpriv)
def test_OpenClose(self): lp = s3param.get_context() lp.load(os.getenv("SMB_CONF_PATH")) creds = credentials.Credentials() creds.guess(lp) creds.set_username(os.getenv("USERNAME")) creds.set_password(os.getenv("PASSWORD")) c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds, multi_threaded=True, force_smb1=True) mythreads = [] for i in range(3): t = LibsmbTestCase.OpenClose(c, "test" + str(i), 10) mythreads.append(t) for t in mythreads: t.start() for t in mythreads: t.join() if t.exc: raise t.exc[0](t.exc[1])
def connect(self, **kwargs): host = kwargs.get("host") share = kwargs.get("share") username = kwargs.get("username") password = kwargs.get("password") smb1 = kwargs.get("smb1", False) self._lp = s3param.get_context() self._lp.load_default() self._cred = credentials.Credentials() self._cred.guess(self._lp) if username is not None: self._cred.set_username(username) if password is not None: self._cred.set_password(password) self._host = host self._share = share self._smb1 = smb1 self._connection = libsmb.Conn( host, share, self._lp, self._cred, force_smb1=smb1, )
def GenerateSessions(): lp = s3param.get_context() lp.load('/usr/local/etc/smb4.conf') creds = credentials.Credentials() creds.guess(lp) if args.domain is not None: creds.set_domain(args.domain) creds.set_password(args.password) mythreads = [] c = {} for i in range(args.count): if args.increment is None: creds.set_username(args.user) else: creds.set_username(f'{args.user}{args.increment}') c[i] = libsmb.Conn(args.host, args.share, lp, creds) t = Open_Close(c[i], "test" + str(i), args.numops) mythreads.append(t) for t in mythreads: t.start() for t in mythreads: t.join() if t.exc: raise t.exc[0](t.exc[1]) time.sleep(60)
def setUp(self): super(SMBNotifyTests, self).setUp() self.server = samba.tests.env_get_var_value("SERVER") # create an SMB connection to the server self.lp = s3param.get_context() self.lp.load(samba.tests.env_get_var_value("SMB_CONF_PATH")) self.share = samba.tests.env_get_var_value("NOTIFY_SHARE") creds = credentials.Credentials() creds.guess(self.lp) creds.set_username(samba.tests.env_get_var_value("USERNAME")) creds.set_password(samba.tests.env_get_var_value("PASSWORD")) strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True) if strict_checking is None: strict_checking = '1' self.strict_checking = bool(int(strict_checking)) self.smb_conn = libsmb.Conn(self.server, self.share, self.lp, creds) self.smb_conn_unpriv = None try: self.smb_conn.deltree(test_dir) except: pass self.smb_conn.mkdir(test_dir)
def test_smb(self): # Create a user account and a machine account, along with a Kerberos # credentials cache file where the service ticket authenticating the # user are stored. user_name = "smbusr" mach_name = self.dns_host_name service = "cifs" share = "tmp" # Create the user account. (user_credentials, _) = self.create_account(user_name) # Talk to the KDC to obtain the service ticket, which gets placed into # the cache. The machine account name has to match the name in the # ticket, to ensure that the krbtgt ticket doesn't also need to be # stored. (creds, cachefile) = self.create_ccache_with_user(user_credentials, mach_name, service) # Set the Kerberos 5 credentials cache environment variable. This is # required because the codepath that gets run (gse_krb5) looks for it # in here and not in the credentials object. krb5_ccname = os.environ.get("KRB5CCNAME", "") self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname) os.environ["KRB5CCNAME"] = "FILE:" + cachefile.name # Authenticate in-process to the machine account using the user's # cached credentials. # Retrieve the user account's SID. ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, expression="(sAMAccountName=%s)" % user_name, attrs=["objectSid"]) self.assertEqual(1, len(ldb_res)) sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) # Connect to a share and retrieve the user SID. s3_lp = s3param.get_context() s3_lp.load(self.lp.configfile) min_protocol = s3_lp.get("client min protocol") self.addCleanup(s3_lp.set, "client min protocol", min_protocol) s3_lp.set("client min protocol", "NT1") max_protocol = s3_lp.get("client max protocol") self.addCleanup(s3_lp.set, "client max protocol", max_protocol) s3_lp.set("client max protocol", "NT1") conn = libsmb.Conn(mach_name, share, lp=s3_lp, creds=creds) (uid, gid, gids, sids, guest) = conn.posix_whoami() # Ensure that they match. self.assertEqual(sid, sids[0]) # Remove the cached credentials file. os.remove(cachefile.name)
def check_refresh_gpo_list(dc_hostname, lp, creds, gpos): # the SMB bindings rely on having a s3 loadparm s3_lp = s3param.get_context() s3_lp.load(lp.configfile) conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds, sign=True) cache_path = lp.cache_path('gpo_cache') for gpo in gpos: if not gpo.file_sys_path: continue cache_gpo_dir(conn, cache_path, check_safe_path(gpo.file_sys_path))
def setUp(self): super(SMBTests, self).setUp() self.server = os.environ["SERVER"] creds = self.insta_creds(template=self.get_credentials()) # create an SMB connection to the server lp = s3param.get_context() lp.load(os.getenv("SMB_CONF_PATH")) self.smb_conn = libsmb.Conn(self.server, "sysvol", lp, creds) self.smb_conn.mkdir(test_dir)
def test_SMB1EncryptionRequired(self): test_dir = 'testing_%d' % random.randint(0, 0xFFFF) (lp,creds) = self.prep_creds() creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED) c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds, force_smb1=True) c.mkdir(test_dir) c.rmdir(test_dir)
def __init__(self, target_hostname, pipename, creds, impersonation_level, lp): lp3 = s3param.get_context() lp3.load(lp.configfile) self.smbconn = libsmb_samba_internal.Conn(target_hostname, 'IPC$', credentials=creds, sign=True) self.smbfid = self.smbconn.create(pipename, DesiredAccess=0x12019f, ShareAccess=0x7, CreateDisposition=1, CreateOptions=0x400040, ImpersonationLevel=impersonation_level) return
def setUp(self): super(NtaclsBackupRestoreTests, self).setUp() self.server = os.environ["SERVER"] # addc samdb_url = 'ldap://' + self.server self.service = 'test1' # service/share to test # root path for service self.service_root = os.path.join(os.environ["LOCAL_PATH"], self.service) self.smb_conf_path = os.environ['SMB_CONF_PATH'] self.creds = self.insta_creds(template=self.get_credentials()) self.samdb_conn = samdb.SamDB(url=samdb_url, session_info=system_session(), credentials=self.creds, lp=env_loadparm()) self.dom_sid = security.dom_sid(self.samdb_conn.get_domain_sid()) # helper will load conf into lp, that's how smbd can find services. self.ntacls_helper = ntacls.NtaclsHelper(self.service, self.smb_conf_path, self.dom_sid) self.lp = self.ntacls_helper.lp self.smb_conn = libsmb.Conn(self.server, self.service, lp=self.lp, creds=self.creds) self.smb_helper = ntacls.SMBHelper(self.smb_conn, self.dom_sid) self.tarfile_path = os.path.join(self.tempdir, 'ntacls-backup.tar.gz') # an example file tree self.tree = { 'file0.txt': b'test file0', 'dir1': { 'file1.txt': b'test file1', 'dir2': {} # an empty dir in dir }, } self._delete_tarfile() self.smb_helper.delete_tree() self.smb_helper.create_tree(self.tree) self._check_tree() # keep a copy of ntacls after tree just created self.original_ntacls = self.smb_helper.get_ntacls()
def connect(self, host=None, share=None, username=None, password=None): self._lp = s3param.get_context() self._lp.load_default() self._cred = credentials.Credentials() self._cred.guess(self._lp) if username is not None: self._cred.set_username(username) if password is not None: self._cred.set_password(password) self._host = host self._share = share self._connection = libsmb.Conn(host, share, self._lp, self._cred)
def __init__(self, target_hostname, pipename, creds, impersonation_level, lp): lp3 = s3param.get_context() lp3.load(lp.configfile) saved_signing_state = creds.get_smb_ipc_signing() creds.set_smb_ipc_signing(SMB_SIGNING_REQUIRED) self.smbconn = libsmb.Conn(target_hostname, 'IPC$', lp3, creds=creds, ipc=True) creds.set_smb_ipc_signing(saved_signing_state) self.smbfid = self.smbconn.create(pipename, DesiredAccess=0x12019f, ShareAccess=0x7, CreateDisposition=1, CreateOptions=0x400040, ImpersonationLevel=impersonation_level) return
def check_refresh_gpo_list(dc_hostname, lp, creds, gpos): # the SMB bindings rely on having a s3 loadparm s3_lp = s3param.get_context() s3_lp.load(lp.configfile) # Force signing for the connection saved_signing_state = creds.get_smb_signing() creds.set_smb_signing(SMB_SIGNING_REQUIRED) conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds) # Reset signing state creds.set_smb_signing(saved_signing_state) cache_path = lp.cache_path('gpo_cache') for gpo in gpos: if not gpo.file_sys_path: continue cache_gpo_dir(conn, cache_path, check_safe_path(gpo.file_sys_path))
def test_SMB3EncryptionRequired(self): test_dir = 'testing_%d' % random.randint(0, 0xFFFF) lp = s3param.get_context() lp.load(os.getenv("SMB_CONF_PATH")) creds = credentials.Credentials() creds.guess(lp) creds.set_username(os.getenv("USERNAME")) creds.set_password(os.getenv("PASSWORD")) creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED) c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds) c.mkdir(test_dir) c.rmdir(test_dir)
def test_OpenClose(self): (lp,creds) = self.prep_creds() c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds, multi_threaded=True, force_smb1=True) mythreads = [] for i in range(3): t = LibsmbTestCase.OpenClose(c, "test" + str(i), 10) mythreads.append(t) for t in mythreads: t.start() for t in mythreads: t.join() if t.exc: raise t.exc[0](t.exc[1])
def _run_idmap_nss_test(self, user_creds, use_kerberos, remove_pac=False, expected_error=None, expected_first_sid=None, expected_additional_sid=None, expected_uid=None): if expected_first_sid is not None: self.assertIsNotNone(expected_uid) if expected_additional_sid is not None: self.assertIsNotNone(expected_uid) if expected_uid is not None: self.assertIsNone(expected_error) if not use_kerberos: self.assertFalse(remove_pac) samdb = self.get_samdb() server_name = self.host service = 'cifs' share = 'tmp' server_creds = self.get_server_creds() if expected_first_sid is None: # Retrieve the user account's SID. user_name = user_creds.get_username() res = samdb.search(scope=SCOPE_SUBTREE, expression=f'(sAMAccountName={user_name})', attrs=['objectSid']) self.assertEqual(1, len(res)) expected_first_sid = ndr_unpack(security.dom_sid, res[0].get('objectSid', idx=0)) if use_kerberos: # Talk to the KDC to obtain the service ticket, which gets placed # into the cache. The machine account name has to match the name in # the ticket, to ensure that the krbtgt ticket doesn't also need to # be stored. creds, cachefile = self.create_ccache_with_user( user_creds, server_creds, service, server_name, pac=not remove_pac) # Remove the cached creds file. self.addCleanup(os.remove, cachefile.name) # Set the Kerberos 5 creds cache environment variable. This is # required because the codepath that gets run (gse_krb5) looks for # it in here and not in the creds object. krb5_ccname = os.environ.get('KRB5CCNAME', '') self.addCleanup(os.environ.__setitem__, 'KRB5CCNAME', krb5_ccname) os.environ['KRB5CCNAME'] = 'FILE:' + cachefile.name else: creds = user_creds creds.set_kerberos_state(DONT_USE_KERBEROS) # Connect to a share and retrieve the user SID. s3_lp = s3param.get_context() s3_lp.load(self.get_lp().configfile) min_protocol = s3_lp.get('client min protocol') self.addCleanup(s3_lp.set, 'client min protocol', min_protocol) s3_lp.set('client min protocol', 'NT1') max_protocol = s3_lp.get('client max protocol') self.addCleanup(s3_lp.set, 'client max protocol', max_protocol) s3_lp.set('client max protocol', 'NT1') try: conn = libsmb.Conn(server_name, share, lp=s3_lp, creds=creds) except NTSTATUSError as e: enum, _ = e.args self.assertEqual(expected_error, enum) return else: self.assertIsNone(expected_error) uid, gid, gids, sids, guest = conn.posix_whoami() # Ensure that they match. self.assertEqual(expected_first_sid, sids[0]) self.assertNotIn(expected_first_sid, sids[1:-1]) if expected_additional_sid: self.assertNotEqual(expected_additional_sid, sids[0]) self.assertIn(expected_additional_sid, sids) self.assertIsNotNone(expected_uid) self.assertEqual(expected_uid, uid)
def _run_smb_test(self, rename=False, include_pac=True, expect_error=False): # Create a user account and a machine account, along with a Kerberos # credentials cache file where the service ticket authenticating the # user are stored. samdb = self.get_samdb() mach_name = samdb.host_dns_name() service = "cifs" share = "tmp" # Create the user account. user_credentials = self.get_cached_creds( account_type=self.AccountType.USER, use_cache=False) user_name = user_credentials.get_username() mach_credentials = self.get_dc_creds() mach_credentials = self.get_dc_creds() # Talk to the KDC to obtain the service ticket, which gets placed into # the cache. The machine account name has to match the name in the # ticket, to ensure that the krbtgt ticket doesn't also need to be # stored. (creds, cachefile) = self.create_ccache_with_user(user_credentials, mach_credentials, service, mach_name, pac=include_pac) # Remove the cached credentials file. self.addCleanup(os.remove, cachefile.name) # Retrieve the user account's SID. ldb_res = samdb.search(scope=SCOPE_SUBTREE, expression="(sAMAccountName=%s)" % user_name, attrs=["objectSid"]) self.assertEqual(1, len(ldb_res)) sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) if rename: # Rename the account. new_name = self.get_new_username() msg = ldb.Message(user_credentials.get_dn()) msg['sAMAccountName'] = ldb.MessageElement(new_name, ldb.FLAG_MOD_REPLACE, 'sAMAccountName') samdb.modify(msg) # Set the Kerberos 5 credentials cache environment variable. This is # required because the codepath that gets run (gse_krb5) looks for it # in here and not in the credentials object. krb5_ccname = os.environ.get("KRB5CCNAME", "") self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname) os.environ["KRB5CCNAME"] = "FILE:" + cachefile.name # Authenticate in-process to the machine account using the user's # cached credentials. # Connect to a share and retrieve the user SID. s3_lp = s3param.get_context() s3_lp.load(self.get_lp().configfile) min_protocol = s3_lp.get("client min protocol") self.addCleanup(s3_lp.set, "client min protocol", min_protocol) s3_lp.set("client min protocol", "NT1") max_protocol = s3_lp.get("client max protocol") self.addCleanup(s3_lp.set, "client max protocol", max_protocol) s3_lp.set("client max protocol", "NT1") try: conn = libsmb.Conn(mach_name, share, lp=s3_lp, creds=creds) except NTSTATUSError as e: if not expect_error: self.fail() enum, _ = e.args self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum) return else: self.assertFalse(expect_error) (uid, gid, gids, sids, guest) = conn.posix_whoami() # Ensure that they match. self.assertEqual(sid, sids[0])
def smb_sysvol_conn(server, lp, creds): """Returns an SMB connection to the sysvol share on the DC""" # the SMB bindings rely on having a s3 loadparm s3_lp = s3param.get_context() s3_lp.load(lp.configfile) return libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)