2 # Blackbox tests for diabing NTLMSSP for ldap client connections
3 # Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
7 Usage: $0 USERNAME PASSWORD
17 . $
(dirname $0)/subunit.sh
19 samba_testparm
="$BINDIR/testparm"
20 samba_net
="$BINDIR/net"
22 unset GNUTLS_FORCE_FIPS_MODE
24 # Checks that testparm reports: Weak crypto is allowed
25 testit_grep
"testparm.with-weak" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed
=$
(expr $failed + 1)
27 # We should be allowed to use NTLM for connecting
28 testit
"net_ads_search.ntlm.with-weak" $samba_net ads search
--use-kerberos=off
'(objectCategory=group)' sAMAccountName
-U${USERNAME}%${PASSWORD} || failed
=$
(expr $failed + 1)
30 GNUTLS_FORCE_FIPS_MODE
=1
31 export GNUTLS_FORCE_FIPS_MODE
33 # Checks that testparm reports: Weak crypto is disallowed
34 testit_grep
"testparm.without-weak" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed
=$
(expr $failed + 1)
36 # We should not be allowed to use NTLM for connecting
37 testit_expect_failure_grep \
38 "net_ads_search.ntlm.without-weak" \
39 "ads_sasl_spnego_gensec_bind.*failed.for.ldap/.*user.*${USERNAME}.:.An.invalid.parameter." \
40 $samba_net ads search
-d10 --use-kerberos=off
'(objectCategory=group)' sAMAccountName
-U${USERNAME}%${PASSWORD} || failed
=$
(expr $failed + 1)
42 unset GNUTLS_FORCE_FIPS_MODE