path: root/python
Age | Commit message | Author | Files | Lines
2024-06-10 | python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation is not done | Andrew Bartlett | 1 | -3/+26
    This makes sense as otherwise the user would suddenly not know their password for use when they do not use their smartcard.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default | Andrew Bartlett | 2 | -6/+21
    We do this by telling the Domain Functional Level upgrade code that this is a new install.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set | Andrew Bartlett | 1 | -0/+10
    This assures us that the new provision sets the value by default.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | python/samba/tests/krb5: PKINIT tests of passwords that are naturally expired | Andrew Bartlett | 1 | -3/+183
    The tests of passwords that will expire in the TGT lifetime fail against windows, we do not see the rotation in that case.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | python/test/krb5: Use assertAlmostEqual in check_ticket_times() | Andrew Bartlett | 1 | -3/+4
    This allows Windows behaviour with clock skew to be allowed for.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | python/tests/krb5: Move check_ticket_times() to kdc_base_test.py | Andrew Bartlett | 2 | -30/+30
    This will allow other parts of the testsuite to use this helpful function.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | python/samba/krb5: Add test for password rotation on UF_SMARCARD_REQUIRED accounts | Andrew Bartlett | 2 | -28/+321
    This demonstrates behaviour against a server presumed to be in FL 2016 what the impact of the msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute is.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | python/tests/krb5: Remove unused utf16pw variable | Andrew Bartlett | 1 | -1/+0
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED | Andrew Bartlett | 1 | -1/+1
    Windows 2022 at April 2024 has changed and now includes the AES keys for accounts with UF_SMARTCARD_REQUIRED, so revert part of the change in b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee.
    (This is an improvement to Windows security).
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works | Andrew Bartlett | 1 | -11/+53
    We have had confirmed from MS that this behaviour is both deliberate and required. Possession of the credential is (by the returned PAC containing the NT hash) possession of the password, and it must be possible to change the password to a known value otherwise DPAPI (local keychain) secured by this value can fail on the client.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15045
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 | python/samba/tests/krb5: Move get_kpasswd_sname() into raw_testcase() to allow broader use | Andrew Bartlett | 2 | -4/+4
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-06 | python: Add test for checking the SHA256SUM | Andreas Schneider | 1 | -5/+24
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:netcmd: Create a SHA256SUM file with checksums | Andreas Schneider | 1 | -0/+25
    This allows to verify the backup tarball contents with:
        sha256sum -c SHA256SUM
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:netcmd: Only put regular files into the tarball | Andreas Schneider | 1 | -1/+1
    We also have ldapi, other sockets or pipes around, we don't want to add.
    This will be relevant for adding checksums later.
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_tkey: add test_update_tsig_record_access_denied() | Stefan Metzmacher | 1 | -0/+55
    This demonstrates that access_denied is only generated if the client really generates a change in the database.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: add get_unpriv_creds() helper | Stefan Metzmacher | 1 | -0/+15
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022 | Stefan Metzmacher | 1 | -14/+18
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: let verify_packet() work against Windows | Stefan Metzmacher | 1 | -1/+10
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_tkey: test bad and changing tsig algorithms | Stefan Metzmacher | 1 | -0/+104
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_tkey: add gss.microsoft.com tsig updates | Stefan Metzmacher | 1 | -0/+59
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}() | Stefan Metzmacher | 2 | -2/+36
    Also test using the additional record in the answers section.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms | Stefan Metzmacher | 1 | -2/+19
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: maintain a dict with tkey related state | Stefan Metzmacher | 3 | -20/+32
    This will allow tests to backup the whole state and mix them.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True | Stefan Metzmacher | 1 | -1/+13
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: pass tkey_trans(expected_rcode) | Stefan Metzmacher | 1 | -1/+5
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: let tkey_trans() take tkey_req_in_answers | Stefan Metzmacher | 1 | -3/+8
    It's possible to put the additional into the answers section, so we should be able to test that.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument | Stefan Metzmacher | 1 | -5/+7
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_tkey: make use of self.assert_echoed_dns_error() | Stefan Metzmacher | 1 | -10/+4
    Failed DNS updates just echo the request flagged as response, all other elements are unchanged.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: add self.assert_echoed_dns_error() | Stefan Metzmacher | 1 | -0/+18
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: let dns_transaction_tcp() handle short receives | Stefan Metzmacher | 1 | -1/+12
    With socket_wrapper we only get 1500 byte chunks...
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet() | Stefan Metzmacher | 1 | -13/+10
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 | python:tests/dns_base: generate a real signature in bad_sign_packet() | Stefan Metzmacher | 1 | -27/+21
    We just destroy the signature bytes but keep the header unchanged. This makes it easier to look at it in wireshark.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 | tests/krb5: Calculate correct gMSA password to fix flapping test | Jo Sutton | 1 | -1/+11
    If this test happens to be run in the five minute window prior to the next ten‐hour GKDI interval — about once every one hundred and twenty runs — the ‘current’ password requested from LDAP will actually be the future password, which won’t match what’s in the database.
    Instead of taking the password from LDAP, calculate it ourselves with expected_gmsa_password_blob().
        [330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local)
        UNEXPECTED(failure): samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local)
        REASON: Exception: Exception: Traceback (most recent call last):
          File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py", line 1091, in test_retrieving_managed_password_triggers_keys_update
            self.assertEqual(creds.get_nt_hash(), nt_hash)
        AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14'
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Tue Jun 4 20:52:09 UTC 2024 on atb-devel-224
2024-06-04 | tests/krb5: Reset local database time in a cleaner (and nearly equivalent) fashion | Jo Sutton | 1 | -4/+2
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 | tests/krb5: Make use of update_password() method | Jo Sutton | 1 | -2/+2
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 | tests: Check that query_directory lists the reparse tag | Volker Lendecke | 1 | -0/+20
    With the source3/ based clilist.c, we can't test all infolevels where this matters (see callers of get_dirent_ea_size()). But porting the source4 based all-infolevel search code into source3/libsmb or doing this one the reparse point test in the source4 infrastructure to me seems like a lot of effort for moderate gain.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-31 | python:smb tests: remove py2 compatibility code | Douglas Bagnall | 1 | -11/+7
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-31 | python/common: remove verbiage about old python versions | Douglas Bagnall | 1 | -13/+2
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | tests/krb5: Test that previous keys are counted as current keys following a gMSA key rollover | Jo Sutton | 2 | -1/+97
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | python:tests: Extract keytab_as_set() function to be usable by other tests | Jo Sutton | 1 | -41/+42
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | python:tests: Manually raise AssertionError | Jo Sutton | 1 | -1/+2
    This removes the last dependency on ‘self’ in this method.
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | python:tests: Rename ‘keytab_as_set’ variable to be distinct from keytab_as_set() method | Jo Sutton | 1 | -19/+19
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | python:tests: Ignore case for group_name comparison | Andreas Schneider | 1 | -1/+2
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | docs-xml: Add smb.conf option 'dns hostname' | Andreas Schneider | 1 | -0/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option | Stefan Metzmacher | 1 | -2/+7
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep() | Stefan Metzmacher | 1 | -0/+49
    This tests that only_current_keys=True works.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 | s4:libnet_export_keytab: add only_current_keys option | Stefan Metzmacher | 1 | -2/+2
    By default we also export on the old and older passwords...
    In order to do a kinit with a keytab it might be useful to include only the current keys.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 | tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs | Jo Sutton | 1 | -6/+4
    A lot of these tests are going to start failing, so skip them until we’ve implemented the corresponding behaviour for the KDC.
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 | tests/krb5: Add more tests for gMSAs | Jo Sutton | 1 | -3/+209
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 | tests/krb5: Test viewing gMSA passwords after performing simple binds | Jo Sutton | 1 | -0/+33
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>