1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
#!/usr/bin/env python3
# Unix SMB/CIFS implementation.
# Copyright (C) Stefan Metzmacher 2020
# Copyright (C) 2021 Catalyst.Net Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
import ldb
from ldb import LdbError, ERR_OPERATIONS_ERROR, SCOPE_BASE, SCOPE_SUBTREE
from samba.dcerpc import security
from samba.ndr import ndr_unpack
from samba.samdb import SamDB
from samba import credentials
from samba.tests.krb5.kdc_base_test import KDCBaseTest
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
global_asn1_print = False
global_hexdump = False
class LdapTests(KDCBaseTest):
"""Test for LDAP authentication using Kerberos credentials stored in a
credentials cache file.
"""
def test_ldap(self):
self._run_ldap_test()
def test_ldap_rename(self):
self._run_ldap_test(rename=True)
def test_ldap_no_pac(self):
self._run_ldap_test(include_pac=False,
expect_anon=True, allow_error=True)
def _run_ldap_test(self, rename=False, include_pac=True,
expect_anon=False, allow_error=False):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
# user are stored.
samdb = self.get_samdb()
mach_name = samdb.host_dns_name()
service = "ldap"
# Create the user account.
user_credentials = self.get_cached_creds(
account_type=self.AccountType.USER,
use_cache=False)
user_name = user_credentials.get_username()
mach_credentials = self.get_dc_creds()
# Talk to the KDC to obtain the service ticket, which gets placed into
# the cache. The machine account name has to match the name in the
# ticket, to ensure that the krbtgt ticket doesn't also need to be
# stored.
(creds, cachefile) = self.create_ccache_with_user(user_credentials,
mach_credentials,
service,
mach_name,
pac=include_pac)
# Remove the cached credentials file.
self.addCleanup(os.remove, cachefile.name)
# Retrieve the user account's SID.
ldb_res = samdb.search(scope=SCOPE_SUBTREE,
expression="(sAMAccountName=%s)" % user_name,
attrs=["objectSid"])
self.assertEqual(1, len(ldb_res))
sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
if rename:
# Rename the account.
new_name = self.get_new_username()
msg = ldb.Message(user_credentials.get_dn())
msg['sAMAccountName'] = ldb.MessageElement(new_name,
ldb.FLAG_MOD_REPLACE,
'sAMAccountName')
samdb.modify(msg)
# Authenticate in-process to the machine account using the user's
# cached credentials.
# Connect to the machine account and retrieve the user SID.
try:
ldb_as_user = SamDB(url="ldap://%s" % mach_name,
credentials=creds,
lp=self.get_lp())
except LdbError as e:
if not allow_error:
self.fail()
enum, estr = e.args
self.assertEqual(ERR_OPERATIONS_ERROR, enum)
self.assertIn('NT_STATUS_NO_IMPERSONATION_TOKEN', estr)
return
ldb_res = ldb_as_user.search('',
scope=SCOPE_BASE,
attrs=["tokenGroups"])
self.assertEqual(1, len(ldb_res))
token_groups = ldb_res[0]["tokenGroups"]
token_sid = ndr_unpack(security.dom_sid, token_groups[0])
if expect_anon:
# Ensure we got an anonymous token.
self.assertEqual(security.SID_NT_ANONYMOUS, str(token_sid))
token_sid = ndr_unpack(security.dom_sid, token_groups[1])
self.assertEqual(security.SID_NT_NETWORK, str(token_sid))
if len(token_groups) >= 3:
token_sid = ndr_unpack(security.dom_sid, token_groups[2])
self.assertEqual(security.SID_NT_THIS_ORGANISATION,
str(token_sid))
else:
# Ensure that they match.
self.assertEqual(sid, token_sid)
def test_ldap_anonymous(self):
samdb = self.get_samdb()
mach_name = samdb.host_dns_name()
anon_creds = credentials.Credentials()
anon_creds.set_anonymous()
# Connect to the machine account and retrieve the user SID.
ldb_as_user = SamDB(url="ldap://%s" % mach_name,
credentials=anon_creds,
lp=self.get_lp())
ldb_res = ldb_as_user.search('',
scope=SCOPE_BASE,
attrs=["tokenGroups"])
self.assertEqual(1, len(ldb_res))
# Ensure we got an anonymous token.
token_sid = ndr_unpack(security.dom_sid, ldb_res[0]["tokenGroups"][0])
self.assertEqual(security.SID_NT_ANONYMOUS, str(token_sid))
self.assertEqual(len(ldb_res[0]["tokenGroups"]), 1)
if __name__ == "__main__":
global_asn1_print = False
global_hexdump = False
import unittest
unittest.main()
|
