python/samba/tests/ntlmdisabled.py

   1 # Tests basic behaviour when NTLM is disabled
   2 #
   3 # Copyright (C) Catalyst IT Ltd. 2017
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18 from samba.tests import TestCase
  19 import os
  20
  21 import samba
  22 from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
  23
  24 from samba import NTSTATUSError, ntstatus
  25 import ctypes
  26
  27 from samba.dcerpc import srvsvc, samr, lsa
  28
  29 """
  30 Tests behaviour when NTLM is disabled
  31 """
  32
  33
  34 class NtlmDisabledTests(TestCase):
  35
  36     def setUp(self):
  37         super().setUp()
  38
  39         self.lp          = self.get_loadparm()
  40         self.server      = os.getenv("SERVER")
  41
  42         self.creds = Credentials()
  43         self.creds.guess(self.lp)
  44         self.creds.set_username(os.getenv("USERNAME"))
  45         self.creds.set_domain(self.server)
  46         self.creds.set_password(os.getenv("PASSWORD"))
  47         self.creds.set_kerberos_state(DONT_USE_KERBEROS)
  48
  49     def test_ntlm_connection(self):
  50         try:
  51             conn = srvsvc.srvsvc("ncacn_np:%s[smb2,ntlm]" % self.server, self.lp, self.creds)
  52
  53             self.assertIsNotNone(conn)
  54         except NTSTATUSError as e:
  55             # NTLM might be blocked on this server
  56             enum = ctypes.c_uint32(e.args[0]).value
  57             if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
  58                 self.fail("NTLM is disabled on this server")
  59             else:
  60                 raise
  61
  62     def test_samr_change_password(self):
  63         self.creds.set_kerberos_state(MUST_USE_KERBEROS)
  64         conn = samr.samr("ncacn_np:%s[krb5,seal,smb2]" % os.getenv("SERVER"))
  65
  66         # we want to check whether this gets rejected outright because NTLM is
  67         # disabled, so we don't actually need to encrypt a valid password here
  68         server = lsa.String()
  69         server.string = self.server
  70         username = lsa.String()
  71         username.string = os.getenv("USERNAME")
  72
  73         try:
  74             conn.ChangePasswordUser2(server, username, None, None, True, None, None)
  75         except NTSTATUSError as e:
  76             # changing passwords should be rejected when NTLM is disabled
  77             enum = ctypes.c_uint32(e.args[0]).value
  78             if enum == ntstatus.NT_STATUS_NTLM_BLOCKED:
  79                 self.fail("NTLM is disabled on this server")
  80             elif enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
  81                 # expected error case when NTLM is enabled
  82                 pass
  83             else:
  84                 raise