def test_RenameDstDelOnClose(self):
(lp,creds) = self.prep_creds()
dstdir = "\\dst-subdir"
c1 = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds)
c2 = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds)
try:
c1.deltree(dstdir)
except:
pass
c1.mkdir(dstdir)
dnum = c1.create(dstdir, DesiredAccess=security.SEC_STD_DELETE)
c1.delete_on_close(dnum,1)
c2.savefile("\\src.txt", b"Content")
with self.assertRaises(NTSTATUSError) as cm:
c2.rename("\\src.txt", dstdir + "\\dst.txt")
if (cm.exception.args[0] != NT_STATUS_DELETE_PENDING):
raise AssertionError("Rename must fail with DELETE_PENDING")
c1.delete_on_close(dnum,0)
c1.close(dnum)
try:
c1.deltree(dstdir)
c1.unlink("\\src.txt")
except:
pass
def connect_unpriv(self):
creds_unpriv = credentials.Credentials()
creds_unpriv.guess(self.lp)
creds_unpriv.set_username(samba.tests.env_get_var_value("USERNAME_UNPRIV"))
creds_unpriv.set_password(samba.tests.env_get_var_value("PASSWORD_UNPRIV"))
self.smb_conn_unpriv = libsmb.Conn(self.server, self.share, self.lp, creds_unpriv)
def test_OpenClose(self):
lp = s3param.get_context()
lp.load(os.getenv("SMB_CONF_PATH"))
creds = credentials.Credentials()
creds.guess(lp)
creds.set_username(os.getenv("USERNAME"))
creds.set_password(os.getenv("PASSWORD"))
c = libsmb.Conn(os.getenv("SERVER_IP"),
"tmp",
lp,
creds,
multi_threaded=True,
force_smb1=True)
mythreads = []
for i in range(3):
t = LibsmbTestCase.OpenClose(c, "test" + str(i), 10)
mythreads.append(t)
for t in mythreads:
t.start()
for t in mythreads:
t.join()
if t.exc:
raise t.exc[0](t.exc[1])
def connect(self, **kwargs):
host = kwargs.get("host")
share = kwargs.get("share")
username = kwargs.get("username")
password = kwargs.get("password")
smb1 = kwargs.get("smb1", False)
self._lp = s3param.get_context()
self._lp.load_default()
self._cred = credentials.Credentials()
self._cred.guess(self._lp)
if username is not None:
self._cred.set_username(username)
if password is not None:
self._cred.set_password(password)
self._host = host
self._share = share
self._smb1 = smb1
self._connection = libsmb.Conn(
host,
share,
self._lp,
self._cred,
force_smb1=smb1,
)
def GenerateSessions():
lp = s3param.get_context()
lp.load('/usr/local/etc/smb4.conf')
creds = credentials.Credentials()
creds.guess(lp)
if args.domain is not None:
creds.set_domain(args.domain)
creds.set_password(args.password)
mythreads = []
c = {}
for i in range(args.count):
if args.increment is None:
creds.set_username(args.user)
else:
creds.set_username(f'{args.user}{args.increment}')
c[i] = libsmb.Conn(args.host, args.share, lp, creds)
t = Open_Close(c[i], "test" + str(i), args.numops)
mythreads.append(t)
for t in mythreads:
t.start()
for t in mythreads:
t.join()
if t.exc:
raise t.exc[0](t.exc[1])
time.sleep(60)
def setUp(self):
super(SMBNotifyTests, self).setUp()
self.server = samba.tests.env_get_var_value("SERVER")
# create an SMB connection to the server
self.lp = s3param.get_context()
self.lp.load(samba.tests.env_get_var_value("SMB_CONF_PATH"))
self.share = samba.tests.env_get_var_value("NOTIFY_SHARE")
creds = credentials.Credentials()
creds.guess(self.lp)
creds.set_username(samba.tests.env_get_var_value("USERNAME"))
creds.set_password(samba.tests.env_get_var_value("PASSWORD"))
strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True)
if strict_checking is None:
strict_checking = '1'
self.strict_checking = bool(int(strict_checking))
self.smb_conn = libsmb.Conn(self.server, self.share, self.lp, creds)
self.smb_conn_unpriv = None
try:
self.smb_conn.deltree(test_dir)
except:
pass
self.smb_conn.mkdir(test_dir)
def test_smb(self):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
# user are stored.
user_name = "smbusr"
mach_name = self.dns_host_name
service = "cifs"
share = "tmp"
# Create the user account.
(user_credentials, _) = self.create_account(user_name)
# Talk to the KDC to obtain the service ticket, which gets placed into
# the cache. The machine account name has to match the name in the
# ticket, to ensure that the krbtgt ticket doesn't also need to be
# stored.
(creds, cachefile) = self.create_ccache_with_user(user_credentials,
mach_name,
service)
# Set the Kerberos 5 credentials cache environment variable. This is
# required because the codepath that gets run (gse_krb5) looks for it
# in here and not in the credentials object.
krb5_ccname = os.environ.get("KRB5CCNAME", "")
self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname)
os.environ["KRB5CCNAME"] = "FILE:" + cachefile.name
# Authenticate in-process to the machine account using the user's
# cached credentials.
# Retrieve the user account's SID.
ldb_res = self.ldb.search(scope=SCOPE_SUBTREE,
expression="(sAMAccountName=%s)" % user_name,
attrs=["objectSid"])
self.assertEqual(1, len(ldb_res))
sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
# Connect to a share and retrieve the user SID.
s3_lp = s3param.get_context()
s3_lp.load(self.lp.configfile)
min_protocol = s3_lp.get("client min protocol")
self.addCleanup(s3_lp.set, "client min protocol", min_protocol)
s3_lp.set("client min protocol", "NT1")
max_protocol = s3_lp.get("client max protocol")
self.addCleanup(s3_lp.set, "client max protocol", max_protocol)
s3_lp.set("client max protocol", "NT1")
conn = libsmb.Conn(mach_name, share, lp=s3_lp, creds=creds)
(uid, gid, gids, sids, guest) = conn.posix_whoami()
# Ensure that they match.
self.assertEqual(sid, sids[0])
# Remove the cached credentials file.
os.remove(cachefile.name)
def check_refresh_gpo_list(dc_hostname, lp, creds, gpos):
# the SMB bindings rely on having a s3 loadparm
s3_lp = s3param.get_context()
s3_lp.load(lp.configfile)
conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds, sign=True)
cache_path = lp.cache_path('gpo_cache')
for gpo in gpos:
if not gpo.file_sys_path:
continue
cache_gpo_dir(conn, cache_path, check_safe_path(gpo.file_sys_path))
def setUp(self):
super(SMBTests, self).setUp()
self.server = os.environ["SERVER"]
creds = self.insta_creds(template=self.get_credentials())
# create an SMB connection to the server
lp = s3param.get_context()
lp.load(os.getenv("SMB_CONF_PATH"))
self.smb_conn = libsmb.Conn(self.server, "sysvol", lp, creds)
self.smb_conn.mkdir(test_dir)
def test_SMB1EncryptionRequired(self):
test_dir = 'testing_%d' % random.randint(0, 0xFFFF)
(lp,creds) = self.prep_creds()
creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp",
lp, creds, force_smb1=True)
c.mkdir(test_dir)
c.rmdir(test_dir)
def __init__(self, target_hostname, pipename, creds, impersonation_level, lp):
lp3 = s3param.get_context()
lp3.load(lp.configfile)
self.smbconn = libsmb_samba_internal.Conn(target_hostname, 'IPC$',
credentials=creds, sign=True)
self.smbfid = self.smbconn.create(pipename,
DesiredAccess=0x12019f,
ShareAccess=0x7,
CreateDisposition=1,
CreateOptions=0x400040,
ImpersonationLevel=impersonation_level)
return
def setUp(self):
super(NtaclsBackupRestoreTests, self).setUp()
self.server = os.environ["SERVER"] # addc
samdb_url = 'ldap://' + self.server
self.service = 'test1' # service/share to test
# root path for service
self.service_root = os.path.join(os.environ["LOCAL_PATH"],
self.service)
self.smb_conf_path = os.environ['SMB_CONF_PATH']
self.creds = self.insta_creds(template=self.get_credentials())
self.samdb_conn = samdb.SamDB(url=samdb_url,
session_info=system_session(),
credentials=self.creds,
lp=env_loadparm())
self.dom_sid = security.dom_sid(self.samdb_conn.get_domain_sid())
# helper will load conf into lp, that's how smbd can find services.
self.ntacls_helper = ntacls.NtaclsHelper(self.service,
self.smb_conf_path,
self.dom_sid)
self.lp = self.ntacls_helper.lp
self.smb_conn = libsmb.Conn(self.server,
self.service,
lp=self.lp,
creds=self.creds)
self.smb_helper = ntacls.SMBHelper(self.smb_conn, self.dom_sid)
self.tarfile_path = os.path.join(self.tempdir, 'ntacls-backup.tar.gz')
# an example file tree
self.tree = {
'file0.txt': b'test file0',
'dir1': {
'file1.txt': b'test file1',
'dir2': {} # an empty dir in dir
},
}
self._delete_tarfile()
self.smb_helper.delete_tree()
self.smb_helper.create_tree(self.tree)
self._check_tree()
# keep a copy of ntacls after tree just created
self.original_ntacls = self.smb_helper.get_ntacls()
def connect(self, host=None, share=None, username=None, password=None):
self._lp = s3param.get_context()
self._lp.load_default()
self._cred = credentials.Credentials()
self._cred.guess(self._lp)
if username is not None:
self._cred.set_username(username)
if password is not None:
self._cred.set_password(password)
self._host = host
self._share = share
self._connection = libsmb.Conn(host, share, self._lp, self._cred)
def __init__(self, target_hostname, pipename, creds, impersonation_level, lp):
lp3 = s3param.get_context()
lp3.load(lp.configfile)
saved_signing_state = creds.get_smb_ipc_signing()
creds.set_smb_ipc_signing(SMB_SIGNING_REQUIRED)
self.smbconn = libsmb.Conn(target_hostname, 'IPC$', lp3,
creds=creds, ipc=True)
creds.set_smb_ipc_signing(saved_signing_state)
self.smbfid = self.smbconn.create(pipename,
DesiredAccess=0x12019f,
ShareAccess=0x7,
CreateDisposition=1,
CreateOptions=0x400040,
ImpersonationLevel=impersonation_level)
return
def check_refresh_gpo_list(dc_hostname, lp, creds, gpos):
# the SMB bindings rely on having a s3 loadparm
s3_lp = s3param.get_context()
s3_lp.load(lp.configfile)
# Force signing for the connection
saved_signing_state = creds.get_smb_signing()
creds.set_smb_signing(SMB_SIGNING_REQUIRED)
conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds)
# Reset signing state
creds.set_smb_signing(saved_signing_state)
cache_path = lp.cache_path('gpo_cache')
for gpo in gpos:
if not gpo.file_sys_path:
continue
cache_gpo_dir(conn, cache_path, check_safe_path(gpo.file_sys_path))
def test_SMB3EncryptionRequired(self):
test_dir = 'testing_%d' % random.randint(0, 0xFFFF)
lp = s3param.get_context()
lp.load(os.getenv("SMB_CONF_PATH"))
creds = credentials.Credentials()
creds.guess(lp)
creds.set_username(os.getenv("USERNAME"))
creds.set_password(os.getenv("PASSWORD"))
creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp", lp, creds)
c.mkdir(test_dir)
c.rmdir(test_dir)
def test_OpenClose(self):
(lp,creds) = self.prep_creds()
c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp",
lp, creds, multi_threaded=True,
force_smb1=True)
mythreads = []
for i in range(3):
t = LibsmbTestCase.OpenClose(c, "test" + str(i), 10)
mythreads.append(t)
for t in mythreads:
t.start()
for t in mythreads:
t.join()
if t.exc:
raise t.exc[0](t.exc[1])
def _run_idmap_nss_test(self, user_creds,
use_kerberos,
remove_pac=False,
expected_error=None,
expected_first_sid=None,
expected_additional_sid=None,
expected_uid=None):
if expected_first_sid is not None:
self.assertIsNotNone(expected_uid)
if expected_additional_sid is not None:
self.assertIsNotNone(expected_uid)
if expected_uid is not None:
self.assertIsNone(expected_error)
if not use_kerberos:
self.assertFalse(remove_pac)
samdb = self.get_samdb()
server_name = self.host
service = 'cifs'
share = 'tmp'
server_creds = self.get_server_creds()
if expected_first_sid is None:
# Retrieve the user account's SID.
user_name = user_creds.get_username()
res = samdb.search(scope=SCOPE_SUBTREE,
expression=f'(sAMAccountName={user_name})',
attrs=['objectSid'])
self.assertEqual(1, len(res))
expected_first_sid = ndr_unpack(security.dom_sid,
res[0].get('objectSid', idx=0))
if use_kerberos:
# Talk to the KDC to obtain the service ticket, which gets placed
# into the cache. The machine account name has to match the name in
# the ticket, to ensure that the krbtgt ticket doesn't also need to
# be stored.
creds, cachefile = self.create_ccache_with_user(
user_creds,
server_creds,
service,
server_name,
pac=not remove_pac)
# Remove the cached creds file.
self.addCleanup(os.remove, cachefile.name)
# Set the Kerberos 5 creds cache environment variable. This is
# required because the codepath that gets run (gse_krb5) looks for
# it in here and not in the creds object.
krb5_ccname = os.environ.get('KRB5CCNAME', '')
self.addCleanup(os.environ.__setitem__, 'KRB5CCNAME', krb5_ccname)
os.environ['KRB5CCNAME'] = 'FILE:' + cachefile.name
else:
creds = user_creds
creds.set_kerberos_state(DONT_USE_KERBEROS)
# Connect to a share and retrieve the user SID.
s3_lp = s3param.get_context()
s3_lp.load(self.get_lp().configfile)
min_protocol = s3_lp.get('client min protocol')
self.addCleanup(s3_lp.set, 'client min protocol', min_protocol)
s3_lp.set('client min protocol', 'NT1')
max_protocol = s3_lp.get('client max protocol')
self.addCleanup(s3_lp.set, 'client max protocol', max_protocol)
s3_lp.set('client max protocol', 'NT1')
try:
conn = libsmb.Conn(server_name, share, lp=s3_lp, creds=creds)
except NTSTATUSError as e:
enum, _ = e.args
self.assertEqual(expected_error, enum)
return
else:
self.assertIsNone(expected_error)
uid, gid, gids, sids, guest = conn.posix_whoami()
# Ensure that they match.
self.assertEqual(expected_first_sid, sids[0])
self.assertNotIn(expected_first_sid, sids[1:-1])
if expected_additional_sid:
self.assertNotEqual(expected_additional_sid, sids[0])
self.assertIn(expected_additional_sid, sids)
self.assertIsNotNone(expected_uid)
self.assertEqual(expected_uid, uid)
def _run_smb_test(self,
rename=False,
include_pac=True,
expect_error=False):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
# user are stored.
samdb = self.get_samdb()
mach_name = samdb.host_dns_name()
service = "cifs"
share = "tmp"
# Create the user account.
user_credentials = self.get_cached_creds(
account_type=self.AccountType.USER, use_cache=False)
user_name = user_credentials.get_username()
mach_credentials = self.get_dc_creds()
mach_credentials = self.get_dc_creds()
# Talk to the KDC to obtain the service ticket, which gets placed into
# the cache. The machine account name has to match the name in the
# ticket, to ensure that the krbtgt ticket doesn't also need to be
# stored.
(creds, cachefile) = self.create_ccache_with_user(user_credentials,
mach_credentials,
service,
mach_name,
pac=include_pac)
# Remove the cached credentials file.
self.addCleanup(os.remove, cachefile.name)
# Retrieve the user account's SID.
ldb_res = samdb.search(scope=SCOPE_SUBTREE,
expression="(sAMAccountName=%s)" % user_name,
attrs=["objectSid"])
self.assertEqual(1, len(ldb_res))
sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
if rename:
# Rename the account.
new_name = self.get_new_username()
msg = ldb.Message(user_credentials.get_dn())
msg['sAMAccountName'] = ldb.MessageElement(new_name,
ldb.FLAG_MOD_REPLACE,
'sAMAccountName')
samdb.modify(msg)
# Set the Kerberos 5 credentials cache environment variable. This is
# required because the codepath that gets run (gse_krb5) looks for it
# in here and not in the credentials object.
krb5_ccname = os.environ.get("KRB5CCNAME", "")
self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname)
os.environ["KRB5CCNAME"] = "FILE:" + cachefile.name
# Authenticate in-process to the machine account using the user's
# cached credentials.
# Connect to a share and retrieve the user SID.
s3_lp = s3param.get_context()
s3_lp.load(self.get_lp().configfile)
min_protocol = s3_lp.get("client min protocol")
self.addCleanup(s3_lp.set, "client min protocol", min_protocol)
s3_lp.set("client min protocol", "NT1")
max_protocol = s3_lp.get("client max protocol")
self.addCleanup(s3_lp.set, "client max protocol", max_protocol)
s3_lp.set("client max protocol", "NT1")
try:
conn = libsmb.Conn(mach_name, share, lp=s3_lp, creds=creds)
except NTSTATUSError as e:
if not expect_error:
self.fail()
enum, _ = e.args
self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum)
return
else:
self.assertFalse(expect_error)
(uid, gid, gids, sids, guest) = conn.posix_whoami()
# Ensure that they match.
self.assertEqual(sid, sids[0])
def smb_sysvol_conn(server, lp, creds):
"""Returns an SMB connection to the sysvol share on the DC"""
# the SMB bindings rely on having a s3 loadparm
s3_lp = s3param.get_context()
s3_lp.load(lp.configfile)
return libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)
