/ usr / lib / python3 / dist-packages / samba / tests / krb5 / [ HOME SHELL ]

Name	Size	Permission	Action
__pycache__	[ DIR ]	drwxr-xr-x
alias_tests.py	7.01 KB	-rw-r--r--
as_canonicalization_tests.py	14.1 KB	-rw-r--r--
as_req_tests.py	10.06 KB	-rw-r--r--
compatability_tests.py	10.3 KB	-rw-r--r--
etype_tests.py	24.97 KB	-rw-r--r--
fast_tests.py	56.11 KB	-rw-r--r--
kcrypto.py	33.52 KB	-rw-r--r--
kdc_base_test.py	72.76 KB	-rw-r--r--
kdc_tests.py	7.35 KB	-rw-r--r--
kdc_tgs_tests.py	108.09 KB	-rw-r--r--
kpasswd_tests.py	39 KB	-rw-r--r--
ms_kile_client_principal_looku...	31.29 KB	-rw-r--r--
raw_testcase.py	168.26 KB	-rw-r--r--
rfc4120_constants.py	7.12 KB	-rw-r--r--
rfc4120_pyasn1.py	45.11 KB	-rw-r--r--
rodc_tests.py	2.52 KB	-rw-r--r--
s4u_tests.py	57.83 KB	-rw-r--r--
salt_tests.py	11.85 KB	-rw-r--r--
simple_tests.py	6.73 KB	-rw-r--r--
spn_tests.py	6.93 KB	-rw-r--r--
test_ccache.py	5.92 KB	-rw-r--r--
test_idmap_nss.py	8.83 KB	-rw-r--r--
test_ldap.py	6.11 KB	-rw-r--r--
test_min_domain_uid.py	4.35 KB	-rw-r--r--
test_rpc.py	4.52 KB	-rw-r--r--
test_smb.py	5.32 KB	-rw-r--r--
xrealm_tests.py	6.76 KB	-rw-r--r--

Code Editor : test_ldap.py

#!/usr/bin/env python3
# Unix SMB/CIFS implementation.
# Copyright (C) Stefan Metzmacher 2020
# Copyright (C) 2021 Catalyst.Net Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

import sys
import os

sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"

import ldb

from ldb import LdbError, ERR_OPERATIONS_ERROR, SCOPE_BASE, SCOPE_SUBTREE
from samba.dcerpc import security
from samba.ndr import ndr_unpack
from samba.samdb import SamDB
from samba import credentials

from samba.tests.krb5.kdc_base_test import KDCBaseTest

global_asn1_print = False
global_hexdump = False

class LdapTests(KDCBaseTest):
    """Test for LDAP authentication using Kerberos credentials stored in a
       credentials cache file.
    """

def test_ldap(self):
        self._run_ldap_test()

def test_ldap_rename(self):
        self._run_ldap_test(rename=True)

def test_ldap_no_pac(self):
        self._run_ldap_test(include_pac=False,
                            expect_anon=True, allow_error=True)

def _run_ldap_test(self, rename=False, include_pac=True,
                       expect_anon=False, allow_error=False):
        # Create a user account and a machine account, along with a Kerberos
        # credentials cache file where the service ticket authenticating the
        # user are stored.

samdb = self.get_samdb()

mach_name = samdb.host_dns_name()
        service = "ldap"

# Create the user account.
        user_credentials = self.get_cached_creds(
            account_type=self.AccountType.USER,
            use_cache=False)
        user_name = user_credentials.get_username()

mach_credentials = self.get_dc_creds()

# Talk to the KDC to obtain the service ticket, which gets placed into
        # the cache. The machine account name has to match the name in the
        # ticket, to ensure that the krbtgt ticket doesn't also need to be
        # stored.
        (creds, cachefile) = self.create_ccache_with_user(user_credentials,
                                                          mach_credentials,
                                                          service,
                                                          mach_name,
                                                          pac=include_pac)
        # Remove the cached credentials file.
        self.addCleanup(os.remove, cachefile.name)

# Retrieve the user account's SID.
        ldb_res = samdb.search(scope=SCOPE_SUBTREE,
                               expression="(sAMAccountName=%s)" % user_name,
                               attrs=["objectSid"])
        self.assertEqual(1, len(ldb_res))
        sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])

if rename:
            # Rename the account.

new_name = self.get_new_username()

msg = ldb.Message(user_credentials.get_dn())
            msg['sAMAccountName'] = ldb.MessageElement(new_name,
                                                       ldb.FLAG_MOD_REPLACE,
                                                       'sAMAccountName')
            samdb.modify(msg)

# Authenticate in-process to the machine account using the user's
        # cached credentials.

# Connect to the machine account and retrieve the user SID.
        try:
            ldb_as_user = SamDB(url="ldap://%s" % mach_name,
                                credentials=creds,
                                lp=self.get_lp())
        except LdbError as e:
            if not allow_error:
                self.fail()

enum, estr = e.args
            self.assertEqual(ERR_OPERATIONS_ERROR, enum)
            self.assertIn('NT_STATUS_NO_IMPERSONATION_TOKEN', estr)
            return

ldb_res = ldb_as_user.search('',
                                     scope=SCOPE_BASE,
                                     attrs=["tokenGroups"])
        self.assertEqual(1, len(ldb_res))

token_groups = ldb_res[0]["tokenGroups"]
        token_sid = ndr_unpack(security.dom_sid, token_groups[0])

if expect_anon:
            # Ensure we got an anonymous token.
            self.assertEqual(security.SID_NT_ANONYMOUS, str(token_sid))
            token_sid = ndr_unpack(security.dom_sid, token_groups[1])
            self.assertEqual(security.SID_NT_NETWORK, str(token_sid))
            if len(token_groups) >= 3:
                token_sid = ndr_unpack(security.dom_sid, token_groups[2])
                self.assertEqual(security.SID_NT_THIS_ORGANISATION,
                                 str(token_sid))
        else:
            # Ensure that they match.
            self.assertEqual(sid, token_sid)

def test_ldap_anonymous(self):
        samdb = self.get_samdb()
        mach_name = samdb.host_dns_name()

anon_creds = credentials.Credentials()
        anon_creds.set_anonymous()

# Connect to the machine account and retrieve the user SID.
        ldb_as_user = SamDB(url="ldap://%s" % mach_name,
                            credentials=anon_creds,
                            lp=self.get_lp())
        ldb_res = ldb_as_user.search('',
                                     scope=SCOPE_BASE,
                                     attrs=["tokenGroups"])
        self.assertEqual(1, len(ldb_res))

# Ensure we got an anonymous token.
        token_sid = ndr_unpack(security.dom_sid, ldb_res[0]["tokenGroups"][0])
        self.assertEqual(security.SID_NT_ANONYMOUS, str(token_sid))
        self.assertEqual(len(ldb_res[0]["tokenGroups"]), 1)

if __name__ == "__main__":
    global_asn1_print = False
    global_hexdump = False
    import unittest
    unittest.main()

Urban Research Lab

Urban Research Lab

The Urban Research Lab (URL) at IIIT-Delhi was established in 2020, during a time when the pandemic brought the complexities of urban life more visible than ever. What started as an initiative by faculty and students has grown into a collaborative space for critically exploring and reimagining the urban questions through research, dialogue, and interdisciplinary engagement.