1 # -*- coding: utf-8 -*-
3 # Unix SMB/CIFS implementation.
4 # Copyright © Andrew Bartlett <abartlet@samba.org> 2021
5 # Copyright (C) Catalyst IT Ltd. 2017
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
21 """Tests for samba.dcerpc.lsa."""
23 from samba.dcerpc import lsa
24 from samba.credentials import Credentials
25 from samba.tests import TestCase
26 from samba.dcerpc.security import dom_sid
27 from samba import NTSTATUSError
28 from samba.ntstatus import NT_STATUS_ACCESS_DENIED
29 import samba.tests
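class LsaTests(TestCase):
    """Exercise LookupSids3 and LookupNames4 from samba.dcerpc.lsa.

    The positive tests repeat lookups on one connection and on fresh
    connections bound with ``[schannel,seal]``. The negative tests bind
    with ``[seal]`` only and require the server to refuse the call with
    NT_STATUS_ACCESS_DENIED.
    """

    # Binding templates; %s is filled with the SERVER test variable.
    _SCHANNEL_TCP = "ncacn_ip_tcp:%s[schannel,seal]"
    _SEAL_ONLY_TCP = "ncacn_ip_tcp:%s[seal]"
    _SEAL_ONLY_NP = "ncacn_np:%s[seal]"

    def setUp(self):
        """Load the test loadparm context and the SERVER variable."""
        self.lp = self.get_loadparm()
        self.server = samba.tests.env_get_var_value('SERVER')

    def _machine_creds(self):
        """Return Credentials guessed from self.lp and set to the machine account."""
        creds = Credentials()
        creds.guess(self.lp)
        creds.set_machine_account()
        return creds

    def _connect(self, binding_template, creds):
        """Open an lsarpc connection to self.server using *binding_template*."""
        return lsa.lsarpc(binding_template % self.server, self.lp, creds)

    @staticmethod
    def _anonymous_sid_array():
        """Return a one-entry lsa.SidArray holding S-1-5-7.

        The positive tests expect this SID to resolve to "ANONYMOUS LOGON".
        """
        sid = lsa.SidPtr()
        sid.sid = dom_sid("S-1-5-7")
        sids = lsa.SidArray()
        sids.sids = [sid]
        sids.num_sids = 1
        return sids

    def test_lsa_LookupSids3_multiple(self):
        """Call LookupSids3 four times on a single schannel connection."""
        c = self._connect(self._SCHANNEL_TCP, self._machine_creds())

        sids = self._anonymous_sid_array()
        names = lsa.TransNameArray2()
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 0
        lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
        client_revision = lsa.LSA_CLIENT_REVISION_2

        # We want to run LookupSids3 multiple times on the same
        # connection as we have code to re-use the sam.ldb and we need
        # to check things work for the second request.
        (domains, names, count) = c.LookupSids3(
            sids, names, level, count, lookup_options, client_revision)
        self.assertEqual(count, 1)
        self.assertEqual(names.count, 1)
        self.assertEqual(names.names[0].name.string, "ANONYMOUS LOGON")

        # The second request is fed the names/count returned by the first.
        (domains2, names2, count2) = c.LookupSids3(
            sids, names, level, count, lookup_options, client_revision)
        self.assertEqual(count2, 1)
        self.assertEqual(names2.count, 1)
        self.assertEqual(names2.names[0].name.string, "ANONYMOUS LOGON")

        # Just looking for any exceptions in the last couple of calls
        c.LookupSids3(sids, names, level, count, lookup_options, client_revision)
        c.LookupSids3(sids, names, level, count, lookup_options, client_revision)

    def test_lsa_LookupSids3_multiple_conns(self):
        """Call LookupSids3 on one schannel connection, then on a new one."""
        machine_creds = self._machine_creds()
        c = self._connect(self._SCHANNEL_TCP, machine_creds)

        sids = self._anonymous_sid_array()
        names = lsa.TransNameArray2()
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 0
        lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
        client_revision = lsa.LSA_CLIENT_REVISION_2

        # We want to run LookupSids3, and then again on a new
        # connection to show that we don't have an issue with the DB
        # being tied to the wrong connection.
        (domains, names, count) = c.LookupSids3(
            sids, names, level, count, lookup_options, client_revision)
        self.assertEqual(count, 1)
        self.assertEqual(names.count, 1)
        self.assertEqual(names.names[0].name.string, "ANONYMOUS LOGON")

        # Fresh connection, same credentials object.
        c = self._connect(self._SCHANNEL_TCP, machine_creds)

        (domains, names, count) = c.LookupSids3(
            sids, names, level, count, lookup_options, client_revision)
        self.assertEqual(count, 1)
        self.assertEqual(names.count, 1)
        self.assertEqual(names.names[0].name.string, "ANONYMOUS LOGON")

    def test_lsa_LookupNames4_LookupSids3_multiple(self):
        """
        Test by going back and forward between real DB lookups
        name->sid->name to ensure the sam.ldb handle is fine once
        shared
        """
        machine_creds = self._machine_creds()

        # GetUserName is issued on the seal-only named-pipe connection to
        # learn the account name that the schannel lookups will resolve.
        c_normal = self._connect(self._SEAL_ONLY_NP, machine_creds)
        username, domain = c_normal.GetUserName(None, None, None)

        c = self._connect(self._SCHANNEL_TCP, machine_creds)

        sids = lsa.TransSidArray3()
        names = [username]
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 0
        lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
        client_revision = lsa.LSA_CLIENT_REVISION_2
        (domains, sids, count) = c.LookupNames4(
            names, sids, level, count, lookup_options, client_revision)

        # Another lookup on the same connection, will re-use the
        # server-side implicit state handle on the connection
        (domains, sids, count) = c.LookupNames4(
            names, sids, level, count, lookup_options, client_revision)

        self.assertEqual(count, 1)
        self.assertEqual(sids.count, 1)

        # Now look the SIDs back up
        names = lsa.TransNameArray2()
        sid = lsa.SidPtr()
        sid.sid = sids.sids[0].sid
        lookup_sids = lsa.SidArray()
        lookup_sids.sids = [sid]
        lookup_sids.num_sids = 1
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 1
        lookup_options = 0
        client_revision = lsa.LSA_CLIENT_REVISION_2

        (domains, names, count) = c.LookupSids3(
            lookup_sids, names, level, count, lookup_options, client_revision)
        self.assertEqual(count, 1)
        self.assertEqual(names.count, 1)
        # The round trip must give back the name we started from.
        self.assertEqual(names.names[0].name.string, username.string)

        # And once more just to be sure, just checking for a fault
        sids = lsa.TransSidArray3()
        names = [username]
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 0
        lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
        client_revision = lsa.LSA_CLIENT_REVISION_2
        (domains, sids, count) = c.LookupNames4(
            names, sids, level, count, lookup_options, client_revision)

    def test_lsa_LookupNames4_multiple_conns(self):
        """
        Run the same LookupNames4 name->sid lookup on two separate
        schannel connections to ensure the sam.ldb handle is fine once
        shared. Nothing is asserted on the results; the test only
        checks that neither call faults.
        """
        machine_creds = self._machine_creds()

        c_normal = self._connect(self._SEAL_ONLY_NP, machine_creds)
        username, domain = c_normal.GetUserName(None, None, None)

        c = self._connect(self._SCHANNEL_TCP, machine_creds)

        sids = lsa.TransSidArray3()
        names = [username]
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 0
        lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
        client_revision = lsa.LSA_CLIENT_REVISION_2
        (domains, sids, count) = c.LookupNames4(
            names, sids, level, count, lookup_options, client_revision)

        # Second connection, with every argument rebuilt from scratch.
        c = self._connect(self._SCHANNEL_TCP, machine_creds)

        sids = lsa.TransSidArray3()
        names = [username]
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 0
        lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
        client_revision = lsa.LSA_CLIENT_REVISION_2
        (domains, sids, count) = c.LookupNames4(
            names, sids, level, count, lookup_options, client_revision)

    def test_lsa_LookupNames4_without_schannel(self):
        """LookupNames4 on a seal-only named pipe must be refused."""
        machine_creds = self._machine_creds()

        c_normal = self._connect(self._SEAL_ONLY_NP, machine_creds)
        username, domain = c_normal.GetUserName(None, None, None)

        sids = lsa.TransSidArray3()
        names = [username]
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 0
        lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
        client_revision = lsa.LSA_CLIENT_REVISION_2

        with self.assertRaises(NTSTATUSError) as e:
            c_normal.LookupNames4(
                names, sids, level, count, lookup_options, client_revision)

        # The status is checked after the ``with`` block: a statement placed
        # inside it, after the raising call, would never run, and any
        # NTSTATUSError would then pass for an access-control refusal.
        self.assertEqual(
            e.exception.args[0],
            NT_STATUS_ACCESS_DENIED,
            "LookupNames4 without schannel must fail with ACCESS_DENIED")

    def test_lsa_LookupSids3_without_schannel(self):
        """LookupSids3 on a seal-only TCP connection must be refused."""
        c = self._connect(self._SEAL_ONLY_TCP, self._machine_creds())

        sids = self._anonymous_sid_array()
        names = lsa.TransNameArray2()
        level = lsa.LSA_LOOKUP_NAMES_ALL
        count = 0
        lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
        client_revision = lsa.LSA_CLIENT_REVISION_2

        with self.assertRaises(NTSTATUSError) as e:
            c.LookupSids3(
                sids, names, level, count, lookup_options, client_revision)

        # The status is checked after the ``with`` block: a statement placed
        # inside it, after the raising call, would never run, and any
        # NTSTATUSError would then pass for an access-control refusal.
        self.assertEqual(
            e.exception.args[0],
            NT_STATUS_ACCESS_DENIED,
            "LookupSids3 without schannel must fail with ACCESS_DENIED")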