# Unix SMB/CIFS implementation.
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
18 """Tests for the Auth and AuthZ logging.
22 from samba
.credentials
import DONT_USE_KERBEROS
23 from samba
.dcerpc
.dcerpc
import AS_SYSTEM_MAGIC_PATH_TOKEN
24 from samba
.dcerpc
import samr
25 import samba
.tests
.auth_log_base
26 from samba
.dcerpc
.windows_event_ids
import (
27 EVT_ID_SUCCESSFUL_LOGON
,
32 class AuthLogTestsNcalrpc(samba
.tests
.auth_log_base
.AuthLogTestBase
):
def setUp(self):
    """Run the base-class setUp, then record the expected remote address.

    The address is the AS_SYSTEM_MAGIC_PATH_TOKEN constant imported from
    samba.dcerpc.dcerpc.
    NOTE(review): presumably the base class uses remoteAddress to pick out
    the log messages that belong to this test - confirm in auth_log_base.
    """
    # NOTE(review): the "def" line is absent from the extracted listing; the
    # method name is taken from the super() call below.
    base = super(AuthLogTestsNcalrpc, self)
    base.setUp()
    self.remoteAddress = AS_SYSTEM_MAGIC_PATH_TOKEN
def tearDown(self):
    """Delegate teardown to the base class; nothing extra is released here."""
    # NOTE(review): the "def" line is absent from the extracted listing; the
    # method name is taken from the super() call below.
    base = super(AuthLogTestsNcalrpc, self)
    base.tearDown()
def _test_rpc_ncaclrpc(self, authTypes, binding, creds,
                       protection, checkFunction):
    """Open a SAMR connection over ncalrpc and check the logged messages.

    Args:
        authTypes: sequence of expected strings. Element 0 is the authType
            of the Authorization message that ends the wait; the whole
            sequence is handed on to checkFunction.
        binding: binding options, wrapped in square brackets and appended
            to the "ncalrpc:" prefix.
        creds: credentials passed to samr.samr().
        protection: transportProtection value the closing Authorization
            message must carry.
        checkFunction: callable(messages, authTypes, protection) that
            asserts on the collected messages.
    """

    def isLastExpectedMessage(msg):
        # Only an Authorization record for DCE/RPC with the expected
        # authType and transport protection ends the wait.
        # NOTE(review): the "return (" line is absent from the extracted
        # listing; it is implied by the closing parenthesis and by the
        # function being used as a predicate.
        if msg["type"] != "Authorization":
            return False
        authz = msg["Authorization"]
        return (authz["serviceDescription"] == "DCE/RPC" and
                authz["authType"] == authTypes[0] and
                authz["transportProtection"] == protection)

    # NOTE(review): the listing skips source line 51, directly before this
    # assignment. If upstream guards it (for example, only when binding is
    # non-empty), restore that guard - confirm against the original file.
    bracketed = "[%s]" % binding

    # The connection object is deliberately not kept, as in the original.
    samr.samr("ncalrpc:%s" % bracketed, self.get_loadparm(), creds)
    collected = self.waitForMessages(isLastExpectedMessage)
    checkFunction(collected, authTypes, protection)
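def rpc_ncacn_np_ntlm_check(self, messages, authTypes, protection):
    """Assert on the audit messages collected for one ncalrpc connection.

    Checks that the number of messages equals len(authTypes), that the
    first message is a DCE/RPC Authorization record with authType
    authTypes[1], transportProtection "NONE" and a GUID sessionId, and
    that the second is a successful DCE/RPC Authentication record with
    authDescription authTypes[2], the successful-logon event id and the
    network logon type.

    Args:
        messages: the collected log messages, in order.
        authTypes: expected strings; elements 1 and 2 are compared here.
        protection: not read in the lines visible here. The negotiated
            protection level is only matched by the wait predicate in
            _test_rpc_ncaclrpc, so no assertion in this method would fail
            if a later message carried a weaker level - consider asserting
            it explicitly.

    Uses assertEqual rather than the deprecated assertEquals alias, which
    was removed from unittest in Python 3.12.
    """
    expected_messages = len(authTypes)
    # NOTE(review): the second argument is missing from the extracted
    # listing; len(messages) is inferred from the failure text.
    self.assertEqual(expected_messages,
                     len(messages),
                     "Did not receive the expected number of messages")

    # Check the first message it should be an Authorization
    # NOTE(review): the assignment is missing from the extracted listing;
    # the index is inferred from the comment above.
    msg = messages[0]
    self.assertEqual("Authorization", msg["type"])
    self.assertEqual("DCE/RPC",
                     msg["Authorization"]["serviceDescription"])
    self.assertEqual(authTypes[1], msg["Authorization"]["authType"])
    self.assertEqual("NONE", msg["Authorization"]["transportProtection"])
    # A GUID session id lets this record be correlated with later ones.
    self.assertTrue(self.is_guid(msg["Authorization"]["sessionId"]))

    # Check the second message it should be an Authentication
    # NOTE(review): the assignment is missing from the extracted listing;
    # the index is inferred from the comment above.
    msg = messages[1]
    self.assertEqual("Authentication", msg["type"])
    self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"])
    self.assertEqual("DCE/RPC",
                     msg["Authentication"]["serviceDescription"])
    self.assertEqual(authTypes[2],
                     msg["Authentication"]["authDescription"])
    self.assertEqual(EVT_ID_SUCCESSFUL_LOGON,
                     msg["Authentication"]["eventId"])
    # NOTE(review): EVT_LOGON_NETWORK is not in the visible part of the
    # import list, which the listing truncates - confirm it is imported.
    self.assertEqual(EVT_LOGON_NETWORK,
                     msg["Authentication"]["logonType"])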
87 def test_ncalrpc_ntlm_dns_sign(self
):
89 creds
= self
.insta_creds(template
=self
.get_credentials(),
90 kerberos_state
=DONT_USE_KERBEROS
)
91 self
._test
_rpc
_ncaclrpc
(["NTLMSSP",
95 self
.rpc_ncacn_np_ntlm_check
)
97 def test_ncalrpc_ntlm_dns_seal(self
):
99 creds
= self
.insta_creds(template
=self
.get_credentials(),
100 kerberos_state
=DONT_USE_KERBEROS
)
101 self
._test
_rpc
_ncaclrpc
(["NTLMSSP",
104 "seal", creds
, "SEAL",
105 self
.rpc_ncacn_np_ntlm_check
)