search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:ntlm_auth: make logs more consistent with length check
[Samba.git] / python / samba / tests / getdcname.py
blobd248b20d25dd27bffe75762149919d73a6e23b2c
1 # Unix SMB/CIFS implementation.
2 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 3 of the License, or
7 # (at your option) any later version.
8 #
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
13 #
14 # You should have received a copy of the GNU General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
17
18 """
19 Tests GetDCNameEx calls in NETLOGON
20 """
21
22 from samba import WERRORError, werror
23 import samba.tests
24 import os
25 from samba.credentials import Credentials
26 from samba.dcerpc import netlogon, nbt
27 from samba.dcerpc.misc import GUID
28 from samba.net import Net
29
30 class GetDCNameEx(samba.tests.TestCase):
31
32 def setUp(self):
33 self.lp = samba.tests.env_loadparm()
34 self.creds = Credentials()
35
36 self.netlogon_conn = None
37 self.server = os.environ.get('SERVER')
38 self.realm = os.environ.get('REALM')
39 self.domain = os.environ.get('DOMAIN')
40 self.trust_realm = os.environ.get('TRUST_REALM')
41 self.trust_domain = os.environ.get('TRUST_DOMAIN')
42 self.trust_server = os.environ.get('TRUST_SERVER')
43
44 def _call_get_dc_name(self, domain=None, domain_guid=None,
45 site_name=None, ex2=False, flags=0):
46 if self.netlogon_conn is None:
47 self.netlogon_conn = netlogon.netlogon(f"ncacn_ip_tcp:{self.server}",
48 self.get_loadparm())
49
50 if ex2:
51 return self.netlogon_conn.netr_DsRGetDCNameEx2(self.server,
52 None, 0,
53 domain,
54 domain_guid,
55 site_name,
56 flags)
57 else:
58 return self.netlogon_conn.netr_DsRGetDCNameEx(self.server,
59 domain,
60 domain_guid,
61 site_name,
62 flags)
63
64 def test_get_dc_ex2(self):
65 """Check the most trivial requirements of Ex2 (no domain or site)
66
67 a) The paths are prefixed with two backslashes
68 b) The returned domains conform to the format requested
69 c) The domain matches our own domain
70 """
71 response = self._call_get_dc_name(ex2=True)
72
73 self.assertIsNotNone(response.dc_unc)
74 self.assertTrue(response.dc_unc.startswith('\\\\'))
75 self.assertIsNotNone(response.dc_address)
76 self.assertTrue(response.dc_address.startswith('\\\\'))
77
78 self.assertTrue(response.domain_name.lower() ==
79 self.realm.lower() or
80 response.domain_name.lower() ==
81 self.domain.lower())
82
83 response = self._call_get_dc_name(ex2=True,
84 flags=netlogon.DS_RETURN_DNS_NAME)
85 self.assertEqual(response.domain_name.lower(),
86 self.realm.lower())
87
88 response = self._call_get_dc_name(ex2=True,
89 flags=netlogon.DS_RETURN_FLAT_NAME)
90 self.assertEqual(response.domain_name.lower(),
91 self.domain.lower())
92
93 def test_get_dc_over_winbind_ex2(self):
94 """Check what happens to Ex2 requests after being forwarded to winbind
95
96 a) The paths must still have the same backslash prefixes
97 b) The returned domain does not match our own domain
98 c) The domain matches the format requested
99 """
100 self.assertIsNotNone(self.trust_realm)
101
102 response_trust = self._call_get_dc_name(domain=self.trust_realm,
103 ex2=True)
104 response = self._call_get_dc_name(domain=self.realm,
105 ex2=True)
106
107 self.assertIsNotNone(response_trust.dc_unc)
108 self.assertTrue(response_trust.dc_unc.startswith('\\\\'))
109 self.assertIsNotNone(response_trust.dc_address)
110 self.assertTrue(response_trust.dc_address.startswith('\\\\'))
111
112 self.assertNotEqual(response_trust.dc_unc,
113 response.dc_unc)
114 self.assertNotEqual(response_trust.dc_address,
115 response.dc_address)
116
117 self.assertTrue(response_trust.domain_name.lower() ==
118 self.trust_realm.lower() or
119 response_trust.domain_name.lower() ==
120 self.trust_domain.lower())
121
122 response_trust = self._call_get_dc_name(domain=self.trust_realm,
123 flags=netlogon.DS_RETURN_DNS_NAME,
124 ex2=True)
125 self.assertEqual(response_trust.domain_name.lower(),
126 self.trust_realm.lower())
127
128 response_trust = self._call_get_dc_name(domain=self.trust_realm,
129 flags=netlogon.DS_RETURN_FLAT_NAME,
130 ex2=True)
131 self.assertEqual(response_trust.domain_name.lower(),
132 self.trust_domain.lower())
133
134 def test_get_dc_over_winbind(self):
135 """Test the standard Ex version (not Ex2)
136
137 Ex calls Ex2 anyways, from now on, just test Ex.
138 """
139 self.assertIsNotNone(self.trust_realm)
140
141 response_trust = self._call_get_dc_name(domain=self.trust_realm,
142 flags=netlogon.DS_RETURN_DNS_NAME)
143
144 self.assertIsNotNone(response_trust.dc_unc)
145 self.assertTrue(response_trust.dc_unc.startswith('\\\\'))
146 self.assertIsNotNone(response_trust.dc_address)
147 self.assertTrue(response_trust.dc_address.startswith('\\\\'))
148
149 self.assertEqual(response_trust.domain_name.lower(),
150 self.trust_realm.lower())
151
152 def test_get_dc_over_winbind_with_site(self):
153 """Test the standard Ex version (not Ex2)
154
155 We assume that there is a Default-First-Site-Name site.
156 """
157 self.assertIsNotNone(self.trust_realm)
158
159 site = 'Default-First-Site-Name'
160 response_trust = self._call_get_dc_name(domain=self.trust_realm,
161 site_name=site,
162 flags=netlogon.DS_RETURN_DNS_NAME)
163
164 self.assertIsNotNone(response_trust.dc_unc)
165 self.assertTrue(response_trust.dc_unc.startswith('\\\\'))
166 self.assertIsNotNone(response_trust.dc_address)
167 self.assertTrue(response_trust.dc_address.startswith('\\\\'))
168
169 self.assertEqual(response_trust.domain_name.lower(),
170 self.trust_realm.lower())
171
172 self.assertEqual(site.lower(), response_trust.dc_site_name.lower())
173
174 def test_get_dc_over_winbind_invalid_site(self):
175 """Test the standard Ex version (not Ex2)
176
177 We assume that there is no Invalid-First-Site-Name site.
178 """
179 self.assertIsNotNone(self.trust_realm)
180
181 site = 'Invalid-First-Site-Name'
182 try:
183 response_trust = self._call_get_dc_name(domain=self.trust_realm,
184 site_name=site,
185 flags=netlogon.DS_RETURN_DNS_NAME,
186 ex2=False)
187 self.fail("Failed to give the correct error for incorrect site")
188 except WERRORError as e:
189 enum, estr = e.args
190 if enum != werror.WERR_NO_SUCH_DOMAIN:
191 self.fail("Failed to detect an invalid site name")
192
193 def test_get_dc_over_winbind_invalid_site_ex2(self):
194 """Test the Ex2 version.
195
196 We assume that there is no Invalid-First-Site-Name site.
197 """
198 self.assertIsNotNone(self.trust_realm)
199
200 site = 'Invalid-First-Site-Name'
201 try:
202 response_trust = self._call_get_dc_name(domain=self.trust_realm,
203 site_name=site,
204 flags=netlogon.DS_RETURN_DNS_NAME,
205 ex2=True)
206 self.fail("Failed to give the correct error for incorrect site")
207 except WERRORError as e:
208 enum, estr = e.args
209 if enum != werror.WERR_NO_SUCH_DOMAIN:
210 self.fail("Failed to detect an invalid site name")
211
212 def test_get_dc_over_winbind_empty_string_site(self):
213 """Test the standard Ex version (not Ex2)
214
215 We assume that there is a Default-First-Site-Name site.
216 """
217 self.assertIsNotNone(self.trust_realm)
218
219 site = ''
220 try:
221 response_trust = self._call_get_dc_name(domain=self.trust_realm,
222 site_name=site,
223 flags=netlogon.DS_RETURN_DNS_NAME)
224 except WERRORError as e:
225 self.fail("Unable to get empty string site result: " + str(e))
226
227 self.assertIsNotNone(response_trust.dc_unc)
228 self.assertTrue(response_trust.dc_unc.startswith('\\\\'))
229 self.assertIsNotNone(response_trust.dc_address)
230 self.assertTrue(response_trust.dc_address.startswith('\\\\'))
231
232 self.assertEqual(response_trust.domain_name.lower(),
233 self.trust_realm.lower())
234
235 self.assertIsNotNone(response_trust.dc_site_name)
236 self.assertNotEqual('', response_trust.dc_site_name)
237
238 def test_get_dc_over_winbind_netbios(self):
239 """Supply a NETBIOS trust domain name."""
240 self.assertIsNotNone(self.trust_realm)
241
242 try:
243 response_trust = self._call_get_dc_name(domain=self.trust_domain,
244 flags=netlogon.DS_RETURN_DNS_NAME,
245 ex2=False)
246 except WERRORError as e:
247 self.fail("Failed to succeed over winbind: " + str(e))
248
249 self.assertIsNotNone(response_trust)
250 self.assertEqual(response_trust.domain_name.lower(),
251 self.trust_realm.lower())
252
253 def test_get_dc_over_winbind_with_site_netbios(self):
254 """Supply a NETBIOS trust domain name.
255
256 Sporadically fails because NETBIOS queries do not return site name in
257 winbind. The site check in NETLOGON will trigger and fail the request.
258
259 Currently marked in flapping...
260 """
261 self.assertIsNotNone(self.trust_realm)
262
263 site = 'Default-First-Site-Name'
264 try:
265 response_trust = self._call_get_dc_name(domain=self.trust_domain,
266 site_name=site,
267 flags=netlogon.DS_RETURN_DNS_NAME,
268 ex2=False)
269 except WERRORError as e:
270 self.fail("get_dc_name (domain=%s,site=%s) over winbind failed: %s"
271 % (self.trust_domain, site, e))
272
273 self.assertIsNotNone(response_trust)
274 self.assertEqual(response_trust.domain_name.lower(),
275 self.trust_realm.lower())
276
277 self.assertEqual(site.lower(), response_trust.dc_site_name.lower())
278
279 def test_get_dc_over_winbind_domain_guid(self):
280 """Ensure that we do not reject requests supplied with a NULL GUID"""
281
282 self.assertIsNotNone(self.trust_realm)
283
284 null_guid = GUID()
285 try:
286 response_trust = self._call_get_dc_name(domain=self.trust_realm,
287 domain_guid=null_guid,
288 flags=netlogon.DS_RETURN_DNS_NAME)
289 except WERRORError as e:
290 self.fail("Unable to get NULL domain GUID result: " + str(e))
291
292 self.assertIsNotNone(response_trust.dc_unc)
293 self.assertTrue(response_trust.dc_unc.startswith('\\\\'))
294 self.assertIsNotNone(response_trust.dc_address)
295 self.assertTrue(response_trust.dc_address.startswith('\\\\'))
296
297 self.assertEqual(response_trust.domain_name.lower(),
298 self.trust_realm.lower())
299
300 def test_get_dc_with_site(self):
301 """Test the standard Ex version (not Ex2)
302
303 We assume that there is a Default-First-Site-Name site.
304 """
305
306 site = 'Default-First-Site-Name'
307 response = self._call_get_dc_name(domain=self.realm,
308 site_name=site,
309 flags=netlogon.DS_RETURN_DNS_NAME)
310
311 self.assertIsNotNone(response.dc_unc)
312 self.assertTrue(response.dc_unc.startswith('\\\\'))
313 self.assertIsNotNone(response.dc_address)
314 self.assertTrue(response.dc_address.startswith('\\\\'))
315
316 self.assertEqual(response.domain_name.lower(),
317 self.realm.lower())
318
319 self.assertEqual(site.lower(), response.dc_site_name.lower())
320
321 def test_get_dc_invalid_site(self):
322 """Test the standard Ex version (not Ex2)
323
324 We assume that there is no Invalid-First-Site-Name site.
325 """
326 self.assertIsNotNone(self.realm)
327
328 site = 'Invalid-First-Site-Name'
329 try:
330 response = self._call_get_dc_name(domain=self.realm,
331 site_name=site,
332 flags=netlogon.DS_RETURN_DNS_NAME,
333 ex2=False)
334 self.fail("Failed to give the correct error for incorrect site")
335 except WERRORError as e:
336 enum, estr = e.args
337 if enum != werror.WERR_NO_SUCH_DOMAIN:
338 self.fail("Failed to detect an invalid site name")
339
340 def test_get_dc_invalid_site_ex2(self):
341 """Test the Ex2 version
342
343 We assume that there is no Invalid-First-Site-Name site.
344 """
345
346 site = 'Invalid-First-Site-Name'
347 try:
348 response = self._call_get_dc_name(domain=self.realm,
349 site_name=site,
350 flags=netlogon.DS_RETURN_DNS_NAME,
351 ex2=True)
352 self.fail("Failed to give the correct error for incorrect site")
353 except WERRORError as e:
354 enum, estr = e.args
355 if enum != werror.WERR_NO_SUCH_DOMAIN:
356 self.fail("Failed to detect an invalid site name")
357
358 def test_get_dc_empty_string_site(self):
359 """Test the standard Ex version (not Ex2)
360
361 We assume that there is a Default-First-Site-Name site.
362 """
363
364 site = ''
365 try:
366 response = self._call_get_dc_name(domain=self.realm,
367 site_name=site,
368 flags=netlogon.DS_RETURN_DNS_NAME)
369 except WERRORError as e:
370 self.fail("Unable to get empty string site result: " + str(e))
371
372 self.assertIsNotNone(response.dc_unc)
373 self.assertTrue(response.dc_unc.startswith('\\\\'))
374 self.assertIsNotNone(response.dc_address)
375 self.assertTrue(response.dc_address.startswith('\\\\'))
376
377 self.assertEqual(response.domain_name.lower(),
378 self.realm.lower())
379
380 self.assertIsNotNone(response.dc_site_name)
381 self.assertNotEqual('', response.dc_site_name)
382
383 def test_get_dc_netbios(self):
384 """Supply a NETBIOS domain name."""
385
386 try:
387 response = self._call_get_dc_name(domain=self.domain,
388 flags=netlogon.DS_RETURN_DNS_NAME,
389 ex2=False)
390 except WERRORError as e:
391 self.fail("Failed to succeed over winbind: " + str(e))
392
393 self.assertIsNotNone(response)
394 self.assertEqual(response.domain_name.lower(),
395 self.realm.lower())
396
397 def test_get_dc_with_site_netbios(self):
398 """Supply a NETBIOS domain name."""
399
400 site = 'Default-First-Site-Name'
401 try:
402 response = self._call_get_dc_name(domain=self.domain,
403 site_name=site,
404 flags=netlogon.DS_RETURN_DNS_NAME,
405 ex2=False)
406 except WERRORError as e:
407 self.fail("Failed to succeed over winbind: " + str(e))
408
409 self.assertIsNotNone(response)
410 self.assertEqual(response.domain_name.lower(),
411 self.realm.lower())
412
413 self.assertEqual(site.lower(), response.dc_site_name.lower())
414
415 def test_get_dc_with_domain_guid(self):
416 """Ensure that we do not reject requests supplied with a NULL GUID"""
417
418 null_guid = GUID()
419 response = self._call_get_dc_name(domain=self.realm,
420 domain_guid=null_guid,
421 flags=netlogon.DS_RETURN_DNS_NAME)
422
423 self.assertIsNotNone(response.dc_unc)
424 self.assertTrue(response.dc_unc.startswith('\\\\'))
425 self.assertIsNotNone(response.dc_address)
426 self.assertTrue(response.dc_address.startswith('\\\\'))
427
428 self.assertEqual(response.domain_name.lower(),
429 self.realm.lower())
430
431 def test_get_dc_with_empty_string_domain(self):
432 """Ensure that empty domain resolve to the DC domain"""
433 response = self._call_get_dc_name(domain='',
434 flags=netlogon.DS_RETURN_DNS_NAME)
435
436 self.assertIsNotNone(response.dc_unc)
437 self.assertTrue(response.dc_unc.startswith('\\\\'))
438 self.assertIsNotNone(response.dc_address)
439 self.assertTrue(response.dc_address.startswith('\\\\'))
440
441 self.assertEqual(response.domain_name.lower(),
442 self.realm.lower())
443
444 def test_get_dc_winbind_need_2012r2(self):
445 """Test requiring that we have a FL2012R2 DC as answer
446 """
447 self.assertIsNotNone(self.trust_realm)
448
449 try:
450 response_trust = self._call_get_dc_name(domain=self.trust_realm,
451 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_DIRECTORY_SERVICE_9_REQUIRED)
452 except WERRORError as e:
453 enum, estr = e.args
454 self.fail(f"netr_DsRGetDCNameEx failed: {estr}")
455
456 self.assertIsNotNone(response_trust.dc_unc)
457 self.assertTrue(response_trust.dc_unc.startswith('\\\\'))
458 self.assertIsNotNone(response_trust.dc_address)
459 self.assertTrue(response_trust.dc_address.startswith('\\\\'))
460
461 self.assertEqual(response_trust.domain_name.lower(),
462 self.trust_realm.lower())
463
464 # Now check the CLDAP netlogon response matches the above
465 dc_ip = response_trust.dc_address[2:]
466
467 net = Net(creds=self.creds, lp=self.lp)
468 cldap_netlogon_reply = net.finddc(domain=self.trust_realm, address=dc_ip,
469 flags=(nbt.NBT_SERVER_LDAP |
470 nbt.NBT_SERVER_DS))
471 self.assertTrue(cldap_netlogon_reply.server_type & nbt.NBT_SERVER_DS_9)
472
473 def test_get_dc_direct_need_2012r2_but_not_found(self):
474 """Test requiring that we have a FL2012R2 DC as answer, against the FL2008R2 domain
475
476 This test requires that the DC in the FL2008R2 does not claim
477 to be 2012R2 capable (off by default in Samba)
478
479 """
480 self.assertIsNotNone(self.realm)
481
482
483 try:
484 response = self._call_get_dc_name(domain=self.realm,
485 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_DIRECTORY_SERVICE_9_REQUIRED)
486
487 self.fail("Failed to detect that requirement for 2012R2 was not met")
488 except WERRORError as e:
489 enum, estr = e.args
490 if enum != werror.WERR_NO_SUCH_DOMAIN:
491 self.fail(f"Incorrect error {estr} from GetDcNameEx looking for 2012R2 DC that was not available")
492
493 def test_get_dc_direct_need_web_but_not_found(self):
494 """Test requiring that we (do not) have a AD Web Services on the DC
495
496 This test requires that the DC does not advertise AD Web Services
497
498 This is used as a test that is easy for a modern windows
499 version to fail, as (say) Windows 2022 will succeed for all
500 the DS_DIRECTORY_SERVICE_* flags. Disable AD Web services in
501 services.mmc to run this test successfully.
502
503 """
504 self.assertIsNotNone(self.realm)
505
506
507 try:
508 response = self._call_get_dc_name(domain=self.realm,
509 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_WEB_SERVICE_REQUIRED)
510
511 self.fail("Failed to detect that requirement for Web Services was not met")
512 except WERRORError as e:
513 enum, estr = e.args
514 if enum != werror.WERR_NO_SUCH_DOMAIN:
515 self.fail(f"Incorrect error {estr} from GetDcNameEx looking for AD Web Services enabled DC that should not be available")
516
517 # Now check the CLDAP netlogon response matches the above - that the bit was not set
518 net = Net(creds=self.creds, lp=self.lp)
519 cldap_netlogon_reply = net.finddc(domain=self.realm,
520 flags=(nbt.NBT_SERVER_LDAP |
521 nbt.NBT_SERVER_DS))
522 # We can assert this, even without looking for a particular
523 # DC, as if any DC has WEB_SERVICE we would have got it above.
524 self.assertFalse(cldap_netlogon_reply.server_type & nbt.NBT_SERVER_ADS_WEB_SERVICE)
525
526 def test_get_dc_winbind_need_web_but_not_found(self):
527 """Test requiring that we (do not) have a AD Web Services on the trusted DC
528
529 This test requires that the DC does not advertise AD Web Services
530
531 This is used as a test that is easy for a modern windows
532 version to fail, as (say) Windows 2022 will succeed for all
533 the DS_DIRECTORY_SERVICE_* flags. Disable AD Web services in
534 services.mmc to run this test successfully.
535
536 """
537 self.assertIsNotNone(self.trust_realm)
538
539
540 try:
541 response = self._call_get_dc_name(domain=self.trust_realm,
542 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_WEB_SERVICE_REQUIRED)
543
544 self.fail("Failed to detect that requirement for Web Services was not met")
545 except WERRORError as e:
546 enum, estr = e.args
547 if enum != werror.WERR_NO_SUCH_DOMAIN:
548 self.fail(f"Incorrect error {estr} from GetDcNameEx looking for AD Web Services enabled DC that should not be available")
549
550 # Now check the CLDAP netlogon response matches the above - that the bit was not set
551 net = Net(creds=self.creds, lp=self.lp)
552 cldap_netlogon_reply = net.finddc(domain=self.trust_realm,
553 flags=(nbt.NBT_SERVER_LDAP |
554 nbt.NBT_SERVER_DS))
555 # We can assert this, even without looking for a particular
556 # DC, as if any DC has WEB_SERVICE we would have got it above.
557 self.assertFalse(cldap_netlogon_reply.server_type & nbt.NBT_SERVER_ADS_WEB_SERVICE)
558
559 def test_get_dc_direct_need_2012r2(self):
560 """Test requiring that we have a FL2012R2 DC as answer
561 """
562 self.assertIsNotNone(self.trust_realm)
563
564 self.netlogon_conn = netlogon.netlogon(f"ncacn_ip_tcp:{self.trust_server}",
565 self.get_loadparm())
566
567 response_trust = self._call_get_dc_name(domain=self.trust_realm,
568 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_DIRECTORY_SERVICE_9_REQUIRED)
569
570 self.assertIsNotNone(response_trust.dc_unc)
571 self.assertTrue(response_trust.dc_unc.startswith('\\\\'))
572 self.assertIsNotNone(response_trust.dc_address)
573 self.assertTrue(response_trust.dc_address.startswith('\\\\'))
574
575 self.assertEqual(response_trust.domain_name.lower(),
576 self.trust_realm.lower())
577
578 # Now check the CLDAP netlogon response matches the above
579 dc_ip = response_trust.dc_address[2:]
580
581 net = Net(creds=self.creds, lp=self.lp)
582 cldap_netlogon_reply = net.finddc(domain=self.trust_realm, address=dc_ip,
583 flags=(nbt.NBT_SERVER_LDAP |
584 nbt.NBT_SERVER_DS))
585 self.assertTrue(cldap_netlogon_reply.server_type & nbt.NBT_SERVER_DS_9)
586
587 def test_get_dc_winbind_need_2012r2_but_not_found(self):
588 """Test requiring that we have a FL2012R2 DC as answer, against the FL2008R2 domain
589
590 This test requires that the DC in the FL2008R2 does not claim
591 to be 2012R2 capable (off by default in Samba)
592
593 """
594 self.assertIsNotNone(self.realm)
595
596 self.netlogon_conn = netlogon.netlogon(f"ncacn_ip_tcp:{self.trust_server}",
597 self.get_loadparm())
598
599
600 try:
601 response = self._call_get_dc_name(domain=self.realm,
602 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_DIRECTORY_SERVICE_9_REQUIRED)
603
604 self.fail("Failed to detect requirement for 2012R2 that is not met")
605 except WERRORError as e:
606 enum, estr = e.args
607 if enum != werror.WERR_NO_SUCH_DOMAIN:
608 self.fail("Failed to detect requirement for 2012R2 that is not met")
609
610 # Now check the CLDAP netlogon response matches the above - that the DS_9 bit was not set
611 net = Net(creds=self.creds, lp=self.lp)
612 cldap_netlogon_reply = net.finddc(domain=self.realm,
613 flags=(nbt.NBT_SERVER_LDAP |
614 nbt.NBT_SERVER_DS))
615 self.assertFalse(cldap_netlogon_reply.server_type & nbt.NBT_SERVER_DS_9)
616
617 def test_get_dc_winbind_need_2012r2_but_not_found_fallback(self):
618 """Test requiring that we have a FL2012R2 DC as answer, against the
619 FL2008R2 domain, then trying for just FL2008R2 (to show caching bugs)
620
621 This test requires that the DC in the FL2008R2 does not claim
622 to be 2012R2 capable (off by default in Samba)
623
624 """
625 self.assertIsNotNone(self.realm)
626
627 self.netlogon_conn = netlogon.netlogon(f"ncacn_ip_tcp:{self.trust_server}",
628 self.get_loadparm())
629
630
631 try:
632 response = self._call_get_dc_name(domain=self.realm,
633 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_DIRECTORY_SERVICE_9_REQUIRED)
634
635 self.fail("Failed to detect requirement for 2012R2 that is not met")
636 except WERRORError as e:
637 enum, estr = e.args
638 if enum != werror.WERR_NO_SUCH_DOMAIN:
639 self.fail("Failed to detect requirement for 2012R2 that is not met")
640
641 try:
642 response = self._call_get_dc_name(domain=self.realm,
643 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_DIRECTORY_SERVICE_6_REQUIRED)
644
645 except WERRORError as e:
646 enum, estr = e.args
647 self.fail("Unexpectedly failed to find 2008 DC")
648
649 dc_ip = response.dc_address[2:]
650
651 net = Net(creds=self.creds, lp=self.lp)
652 cldap_netlogon_reply = net.finddc(domain=self.realm, address=dc_ip,
653 flags=(nbt.NBT_SERVER_LDAP |
654 nbt.NBT_SERVER_DS))
655 self.assertTrue(cldap_netlogon_reply.server_type & nbt.NBT_SERVER_FULL_SECRET_DOMAIN_6)
656
657 def test_get_dc_direct_need_2012r2_but_not_found_fallback(self):
658 """Test requiring that we have a FL2012R2 DC as answer, against the
659 FL2008R2 domain, then trying for just FL2008R2 (to show caching bugs)
660
661 This test requires that the DC in the FL2008R2 does not claim
662 to be 2012R2 capable (off by default in Samba)
663
664 """
665 self.assertIsNotNone(self.realm)
666
667 self.netlogon_conn = netlogon.netlogon(f"ncacn_ip_tcp:{self.server}",
668 self.get_loadparm())
669
670
671 try:
672 response = self._call_get_dc_name(domain=self.realm,
673 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_DIRECTORY_SERVICE_9_REQUIRED)
674
675 self.fail("Failed to detect requirement for 2012R2 that is not met")
676 except WERRORError as e:
677 enum, estr = e.args
678 if enum != werror.WERR_NO_SUCH_DOMAIN:
679 self.fail("Failed to detect requirement for 2012R2 that is not met")
680
681 try:
682 response = self._call_get_dc_name(domain=self.realm,
683 flags=netlogon.DS_RETURN_DNS_NAME|netlogon.DS_DIRECTORY_SERVICE_6_REQUIRED)
684
685 except WERRORError as e:
686 enum, estr = e.args
687 self.fail("Unexpectedly failed to find 2008 DC")
688
689 dc_ip = response.dc_address[2:]
690
691 net = Net(creds=self.creds, lp=self.lp)
692 cldap_netlogon_reply = net.finddc(domain=self.realm, address=dc_ip,
693 flags=(nbt.NBT_SERVER_LDAP |
694 nbt.NBT_SERVER_DS))
695 self.assertTrue(cldap_netlogon_reply.server_type & nbt.NBT_SERVER_FULL_SECRET_DOMAIN_6)
696
697 # TODO Thorough tests of domain GUID
698 #
699 # The domain GUID does not seem to be authoritative, and seems to be a
700 # fallback case for renamed domains.
Samba GIT mirror