Changeset 989 for vendor/current/python

Timestamp:

Nov 25, 2016, 8:04:54 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.7

Location:

vendor/current/python/samba

Files:

• dbchecker.py (modified) (4 diffs)
• drs_utils.py (modified) (1 diff)
• join.py (modified) (2 diffs)
• netcmd/fsmo.py (modified) (10 diffs)
• netcmd/ldapcmp.py (modified) (1 diff)
• remove_dc.py (modified) (1 diff)
• tests/dcerpc/raw_protocol.py (modified) (1 diff)
• tests/dns_tkey.py (added)
• tests/param.py (modified) (1 diff)
• tests/samba_tool/fsmo.py (added)

vendor/current/python/samba/dbchecker.py

@@ -32 +32 @@
 from samba.descriptor import get_wellknown_sds, get_diff_sds
 from samba.auth import system_session, admin_session
+from samba.netcmd import CommandError
 
 
@@ -196 +197 @@
             self.samdb.delete(dn, controls=controls)
         except Exception, err:
+            if self.in_transaction:
+                raise CommandError("%s : %s" % (msg, err))
             self.report("%s : %s" % (msg, err))
             return False
@@ -208 +211 @@
             self.samdb.modify(m, controls=controls, validate=validate)
         except Exception, err:
+            if self.in_transaction:
+                raise CommandError("%s : %s" % (msg, err))
             self.report("%s : %s" % (msg, err))
             return False
@@ -225 +230 @@
             self.samdb.rename(from_dn, to_dn, controls=controls)
         except Exception, err:
+            if self.in_transaction:
+                raise CommandError("%s : %s" % (msg, err))
             self.report("%s : %s" % (msg, err))
             return False

vendor/current/python/samba/drs_utils.py

@@ -45 +45 @@
 
     binding_options = "seal"
-    if int(lp.get("log level")) >= 5:
+    if lp.log_level() >= 5:
         binding_options += ",print"
     binding_string = "ncacn_ip_tcp:%s[%s]" % (server, binding_options)

vendor/current/python/samba/join.py

@@ -374 +374 @@
         '''make a DRSUAPI connection to the naming master'''
         binding_options = "seal"
-        if int(ctx.lp.get("log level")) >= 4:
+        if ctx.lp.log_level() >= 4:
             binding_options += ",print"
         binding_string = "ncacn_ip_tcp:%s[%s]" % (ctx.server, binding_options)
@@ -811 +811 @@
 
             binding_options = "seal"
-            if int(ctx.lp.get("log level")) >= 5:
+            if ctx.lp.log_level() >= 5:
                 binding_options += ",print"
             repl = drs_utils.drs_Replicate(

vendor/current/python/samba/netcmd/fsmo.py

@@ -32 +32 @@
 from samba.samdb import SamDB
 
-def get_fsmo_roleowner(samdb, roledn):
+def get_fsmo_roleowner(samdb, roledn, role):
     """Gets the owner of an FSMO role
 
     :param roledn: The DN of the FSMO role
+    :param role: The FSMO role
     """
-    res = samdb.search(roledn,
-                       scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
-    if len(res) == 0:
-        raise CommandError('"%s" does not have a FSMO roleowner' % roledn)
-    master_owner = res[0]["fSMORoleOwner"][0]
-    return master_owner
+    try:
+        res = samdb.search(roledn,
+                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
+    except LdbError, (num, msg):
+        if num == ldb.ERR_NO_SUCH_OBJECT:
+            return "* The '%s' role is not present in this domain" % role
+        raise
+
+    if 'fSMORoleOwner' in res[0]:
+        master_owner = res[0]["fSMORoleOwner"][0]
+        return master_owner
+    else:
+        master_owner = "* The '%s' role does not have an FSMO roleowner" % role
+        return master_owner
 
 
@@ -55 +64 @@
         role_object = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
 
-    try:
-        res = samdb.search(role_object,
-                           attrs=["fSMORoleOwner"],
-                           scope=ldb.SCOPE_BASE,
-                           controls=["extended_dn:1:1"])
-
-        if 'fSMORoleOwner' in res[0]:
-            try:
-                master_guid = str(misc.GUID(ldb.Dn(samdb,
-                                  res[0]['fSMORoleOwner'][0])
-                                  .get_extended_component('GUID')))
-                master_owner = str(ldb.Dn(samdb, res[0]['fSMORoleOwner'][0]))
-            except LdbError, (num, msg):
-                raise CommandError("GUID not found in partition naming master DN %s : %s \n" %
-                                   (res[0]['fSMORoleOwner'][0], msg))
-    except LdbError, (num, msg):
-        raise CommandError("DNS partion %s not found : %s" % (role, msg))
+    res = samdb.search(role_object,
+                       attrs=["fSMORoleOwner"],
+                       scope=ldb.SCOPE_BASE,
+                       controls=["extended_dn:1:1"])
+
+    if 'fSMORoleOwner' in res[0]:
+        try:
+            master_guid = str(misc.GUID(ldb.Dn(samdb,
+                              res[0]['fSMORoleOwner'][0])
+                              .get_extended_component('GUID')))
+            master_owner = str(ldb.Dn(samdb, res[0]['fSMORoleOwner'][0]))
+        except LdbError, (num, msg):
+            raise CommandError("No GUID found in naming master DN %s : %s \n" %
+                               (res[0]['fSMORoleOwner'][0], msg))
+    else:
+        outf.write("* The '%s' role does not have an FSMO roleowner\n" % role)
+        return False
 
     if role == "domaindns":
@@ -151 +160 @@
     m.dn = ldb.Dn(samdb, "")
     if role == "rid":
-        master_owner = get_fsmo_roleowner(samdb, rid_dn)
+        master_owner = get_fsmo_roleowner(samdb, rid_dn, role)
         m["becomeRidMaster"]= ldb.MessageElement(
             "1", ldb.FLAG_MOD_REPLACE,
             "becomeRidMaster")
     elif role == "pdc":
-        master_owner = get_fsmo_roleowner(samdb, domain_dn)
+        master_owner = get_fsmo_roleowner(samdb, domain_dn, role)
 
         res = samdb.search(domain_dn,
@@ -166 +175 @@
             "becomePdc")
     elif role == "naming":
-        master_owner = get_fsmo_roleowner(samdb, naming_dn)
+        master_owner = get_fsmo_roleowner(samdb, naming_dn, role)
         m["becomeDomainMaster"]= ldb.MessageElement(
             "1", ldb.FLAG_MOD_REPLACE,
             "becomeDomainMaster")
     elif role == "infrastructure":
-        master_owner = get_fsmo_roleowner(samdb, infrastructure_dn)
+        master_owner = get_fsmo_roleowner(samdb, infrastructure_dn, role)
         m["becomeInfrastructureMaster"]= ldb.MessageElement(
             "1", ldb.FLAG_MOD_REPLACE,
             "becomeInfrastructureMaster")
     elif role == "schema":
-        master_owner = get_fsmo_roleowner(samdb, schema_dn)
+        master_owner = get_fsmo_roleowner(samdb, schema_dn, role)
         m["becomeSchemaMaster"]= ldb.MessageElement(
             "1", ldb.FLAG_MOD_REPLACE,
@@ -183 +192 @@
         raise CommandError("Invalid FSMO role.")
 
-    if master_owner != new_owner:
-        try:
-            samdb.modify(m)
-        except LdbError, (num, msg):
-            raise CommandError("Transfer of '%s' role failed: %s" %
-                               (role, msg))
-
-        outf.write("FSMO transfer of '%s' role successful\n" % role)
-        return True
+    if not '*' in master_owner:
+        if master_owner != new_owner:
+            try:
+                samdb.modify(m)
+            except LdbError, (num, msg):
+                raise CommandError("Transfer of '%s' role failed: %s" %
+                                   (role, msg))
+
+            outf.write("FSMO transfer of '%s' role successful\n" % role)
+            return True
+        else:
+            outf.write("This DC already has the '%s' FSMO role\n" % role)
+            return False
     else:
-        outf.write("This DC already has the '%s' FSMO role\n" % role)
+        outf.write("%s\n" % master_owner)
         return False
 
@@ -211 +224 @@
                type=str, metavar="URL", dest="H"),
         Option("--force",
-               help="Force seizing of the role without attempting to transfer first.",
+               help="Force seizing of role without attempting to transfer.",
                action="store_true"),
         Option("--role", type="choice", choices=["rid", "pdc", "infrastructure",
@@ -254 +267 @@
         #first try to transfer to avoid problem if the owner is still active
         seize = False
-        master_owner = get_fsmo_roleowner(samdb, m.dn)
-        if master_owner != serviceName:
-            if force is None:
-                self.message("Attempting transfer...")
-                if not transfer_role(self.outf, role, samdb):
-                    #transfer failed, use the big axe...
-                    seize = True
-                    self.message("Transfer unsuccessful, seizing...")
-                else:
-                    self.message("Not seizing role as transfer was successful")
-
-            if force is not None or seize == True:
-                self.message("Seizing %s FSMO role..." % role)
-                m["fSMORoleOwner"]= ldb.MessageElement(
-                    serviceName, ldb.FLAG_MOD_REPLACE,
-                    "fSMORoleOwner")
-                try:
-                    samdb.modify(m)
-                except LdbError, (num, msg):
-                    raise CommandError("Failed to seize '%s' role: %s" %
-                                       (role, msg))
-                self.outf.write("FSMO seize of '%s' role successful\n" % role)
-                return True
-        else:
-            self.outf.write("This DC already has the '%s' FSMO role\n" % role)
-            return False
+        master_owner = get_fsmo_roleowner(samdb, m.dn, role)
+        if not '*' in master_owner:
+            # if there is a different owner
+            if master_owner != serviceName:
+                # if --force isn't given, attempt transfer
+                if force is None:
+                    self.message("Attempting transfer...")
+                    try:
+                        transfer_role(self.outf, role, samdb)
+                    except:
+                        #transfer failed, use the big axe...
+                        seize = True
+                        self.message("Transfer unsuccessful, seizing...")
+                    else:
+                        self.message("Transfer successful, not seizing role")
+                        return True
+            else:
+                self.outf.write("This DC already has the '%s' FSMO role\n" %
+                                role)
+                return False
+        else:
+            seize = True
+
+        if force is not None or seize == True:
+            self.message("Seizing %s FSMO role..." % role)
+            m["fSMORoleOwner"]= ldb.MessageElement(
+                serviceName, ldb.FLAG_MOD_REPLACE,
+                "fSMORoleOwner")
+            try:
+                samdb.modify(m)
+            except LdbError, (num, msg):
+                raise CommandError("Failed to seize '%s' role: %s" %
+                                   (role, msg))
+            self.outf.write("FSMO seize of '%s' role successful\n" % role)
+            return True
 
     def seize_dns_role(self, role, samdb, credopts, sambaopts,
@@ -300 +322 @@
         #first try to transfer to avoid problem if the owner is still active
         seize = False
-        master_owner = get_fsmo_roleowner(samdb, m.dn)
-        if master_owner != serviceName:
-            if force is None:
-                self.message("Attempting transfer...")
-                if not transfer_dns_role(self.outf, sambaopts, credopts, role,
-                                      samdb):
-                    #transfer failed, use the big axe...
-                    seize = True
-                    self.message("Transfer unsuccessful, seizing...")
-                else:
-                    self.message("Not seizing role as transfer was successful\n")
-
-            if force is not None or seize == True:
-                self.message("Seizing %s FSMO role..." % role)
-                m["fSMORoleOwner"]= ldb.MessageElement(
-                    serviceName, ldb.FLAG_MOD_REPLACE,
-                    "fSMORoleOwner")
-                try:
-                    samdb.modify(m)
-                except LdbError, (num, msg):
-                    raise CommandError("Failed to seize '%s' role: %s" %
-                                       (role, msg))
-                self.outf.write("FSMO seize of '%s' role successful\n" % role)
-                return True
-        else:
-            self.outf.write("This DC already has the '%s' FSMO role\n" % role)
-            return False
+        master_owner = get_fsmo_roleowner(samdb, m.dn, role)
+        if not '*' in master_owner:
+            # if there is a different owner
+            if master_owner != serviceName:
+                # if --force isn't given, attempt transfer
+                if force is None:
+                    self.message("Attempting transfer...")
+                    try:
+                        transfer_dns_role(self.outf, sambaopts, credopts, role,
+                                          samdb)
+                    except:
+                        #transfer failed, use the big axe...
+                        seize = True
+                        self.message("Transfer unsuccessful, seizing...")
+                    else:
+                        self.message("Transfer successful, not seizing role\n")
+                        return True
+            else:
+                self.outf.write("This DC already has the '%s' FSMO role\n" %
+                                role)
+                return False
+        else:
+            seize = True
+
+        if force is not None or seize == True:
+            self.message("Seizing %s FSMO role..." % role)
+            m["fSMORoleOwner"]= ldb.MessageElement(
+                serviceName, ldb.FLAG_MOD_REPLACE,
+                "fSMORoleOwner")
+            try:
+                samdb.modify(m)
+            except LdbError, (num, msg):
+                raise CommandError("Failed to seize '%s' role: %s" %
+                                   (role, msg))
+            self.outf.write("FSMO seize of '%s' role successful\n" % role)
+            return True
+
 
     def run(self, force=None, H=None, role=None,
@@ -389 +421 @@
         forestdns_dn = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
 
-        infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn)
-        pdcEmulator = get_fsmo_roleowner(samdb, domain_dn)
-        namingMaster = get_fsmo_roleowner(samdb, naming_dn)
-        schemaMaster = get_fsmo_roleowner(samdb, schema_dn)
-        ridMaster = get_fsmo_roleowner(samdb, rid_dn)
-        domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
-        forestdnszonesMaster = get_fsmo_roleowner(samdb, forestdns_dn)
+        infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn,
+                                                  "infrastructure")
+        pdcEmulator = get_fsmo_roleowner(samdb, domain_dn, "pdc")
+        namingMaster = get_fsmo_roleowner(samdb, naming_dn, "naming")
+        schemaMaster = get_fsmo_roleowner(samdb, schema_dn, "schema")
+        ridMaster = get_fsmo_roleowner(samdb, rid_dn, "rid")
+        domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn,
+                                                  "domaindns")
+        forestdnszonesMaster = get_fsmo_roleowner(samdb, forestdns_dn,
+                                                  "forestdns")
 
         self.message("SchemaMasterRole owner: " + schemaMaster)
@@ -450 +485 @@
             transfer_role(self.outf, "infrastructure", samdb)
             transfer_role(self.outf, "schema", samdb)
-            transfer_dns_role(self.outf, sambaopts, credopts, "domaindns", samdb)
-            transfer_dns_role(self.outf, sambaopts, credopts, "forestdns", samdb)
+            transfer_dns_role(self.outf, sambaopts, credopts,
+                              "domaindns", samdb)
+            transfer_dns_role(self.outf, sambaopts, credopts, "forestdns",
+                              samdb)
         else:
             if role == "domaindns" or role == "forestdns":

vendor/current/python/samba/netcmd/ldapcmp.py

@@ -439 +439 @@
                 "uSNCreated",
                 "uSNLastObjRem",
-                # "whenChanged", # This is implicitly replicated
+                "whenChanged", # This is implicitly replicated, but may diverge on updates of non-replicated attributes
         ]
         self.ignore_attributes = self.non_replicated_attributes

vendor/current/python/samba/remove_dc.py

@@ -177 +177 @@
         for record in records:
             try:
-                values = record["dnsRecord"]
+                orig_values = record["dnsRecord"]
             except KeyError:
-                next
-            orig_num_values = len(values)
+                continue
 
             # Remove references to dnsHostName in A, AAAA, NS, CNAME and SRV
             values = [ ndr_unpack(dnsp.DnssrvRpcRecord, v)
-                       for v in values if not to_remove(v) ]
-
-            if len(values) != orig_num_values:
+                       for v in orig_values if not to_remove(v) ]
+
+            if len(values) != len(orig_values):
                 logger.info("updating %s keeping %d values, removing %s values" \
                             % (record.dn, len(values),
-                               orig_num_values - len(values)))
+                               len(orig_values) - len(values)))
 
                 # This requires the values to be unpacked, so this

vendor/current/python/samba/tests/dcerpc/raw_protocol.py

@@ -2617 +2617 @@
         self.assertNotConnected()
 
+    def test_spnego_auth_pad_ok(self):
+        ndr32 = base.transfer_syntax_ndr()
+
+        tsf1_list = [ndr32]
+        ctx1 = dcerpc.ctx_list()
+        ctx1.context_id = 1
+        ctx1.num_transfer_syntaxes = len(tsf1_list)
+        ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
+        ctx1.transfer_syntaxes = tsf1_list
+        ctx_list = [ctx1]
+
+        c = Credentials()
+        c.set_anonymous()
+        g = gensec.Security.start_client(self.settings)
+        g.set_credentials(c)
+        g.want_feature(gensec.FEATURE_DCE_STYLE)
+        auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
+        auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
+        auth_context_id = 2
+        g.start_mech_by_authtype(auth_type, auth_level)
+        from_server = ""
+        (finished, to_server) = g.update(from_server)
+        self.assertFalse(finished)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        req_pdu = samba.ndr.ndr_pack(req)
+
+        auth_pad_ok = len(req_pdu)
+        auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
+        auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
+        auth_pad_ok -= len(to_server)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_ok,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
+        self.assertEquals(rep.u.max_xmit_frag, req.u.max_xmit_frag)
+        self.assertEquals(rep.u.max_recv_frag, req.u.max_recv_frag)
+        self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
+        self.assertEquals(rep.u.secondary_address_size, 4)
+        self.assertEquals(rep.u.secondary_address, "%d" % self.tcp_port)
+        self.assertEquals(len(rep.u._pad1), 2)
+        #self.assertEquals(rep.u._pad1, '\0' * 2)
+        self.assertEquals(rep.u.num_results, 1)
+        self.assertEquals(rep.u.ctx_list[0].result,
+                dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
+        self.assertEquals(rep.u.ctx_list[0].reason,
+                dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
+        self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
+        self.assertNotEquals(len(rep.u.auth_info), 0)
+        a = self.parse_auth(rep.u.auth_info)
+
+        from_server = a.credentials
+        (finished, to_server) = g.update(from_server)
+        self.assertFalse(finished)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob=to_server)
+        req = self.generate_alter(call_id=0,
+                                  ctx_list=ctx_list,
+                                  assoc_group_id=rep.u.assoc_group_id,
+                                  auth_info=auth_info)
+        req_pdu = samba.ndr.ndr_pack(req)
+
+        auth_pad_ok = len(req_pdu)
+        auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
+        auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
+        auth_pad_ok -= len(to_server)
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_ok,
+                                       auth_blob=to_server)
+        req = self.generate_alter(call_id=0,
+                                  ctx_list=ctx_list,
+                                  assoc_group_id=rep.u.assoc_group_id,
+                                  auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id)
+        self.assertEquals(rep.u.max_xmit_frag, req.u.max_xmit_frag)
+        self.assertEquals(rep.u.max_recv_frag, req.u.max_recv_frag)
+        self.assertEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
+        self.assertEquals(rep.u.secondary_address_size, 0)
+        self.assertEquals(len(rep.u._pad1), 2)
+        # Windows sends garbage
+        #self.assertEquals(rep.u._pad1, '\0' * 2)
+        self.assertEquals(rep.u.num_results, 1)
+        self.assertEquals(rep.u.ctx_list[0].result,
+                dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
+        self.assertEquals(rep.u.ctx_list[0].reason,
+                dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
+        self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
+        self.assertNotEquals(len(rep.u.auth_info), 0)
+        a = self.parse_auth(rep.u.auth_info)
+
+        from_server = a.credentials
+        (finished, to_server) = g.update(from_server)
+        self.assertTrue(finished)
+
+        # And now try a request without auth_info
+        req = self.generate_request(call_id = 2,
+                                    context_id=ctx1.context_id,
+                                    opnum=0,
+                                    stub="")
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
+                        auth_length=0)
+        self.assertNotEquals(rep.u.alloc_hint, 0)
+        self.assertEquals(rep.u.context_id, req.u.context_id)
+        self.assertEquals(rep.u.cancel_count, 0)
+        self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
+
+        # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob="\x01"+"\x00"*15)
+        req = self.generate_request(call_id = 3,
+                                    context_id=ctx1.context_id,
+                                    opnum=0,
+                                    stub="",
+                                    auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        # We don't get an auth_info back
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
+                        auth_length=0)
+        self.assertNotEquals(rep.u.alloc_hint, 0)
+        self.assertEquals(rep.u.context_id, req.u.context_id)
+        self.assertEquals(rep.u.cancel_count, 0)
+        self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
+
+        self._disconnect("disconnect")
+        self.assertNotConnected()
+
+    def test_spnego_auth_pad_fail_bind(self):
+        ndr32 = base.transfer_syntax_ndr()
+
+        tsf1_list = [ndr32]
+        ctx1 = dcerpc.ctx_list()
+        ctx1.context_id = 1
+        ctx1.num_transfer_syntaxes = len(tsf1_list)
+        ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
+        ctx1.transfer_syntaxes = tsf1_list
+        ctx_list = [ctx1]
+
+        c = Credentials()
+        c.set_anonymous()
+        g = gensec.Security.start_client(self.settings)
+        g.set_credentials(c)
+        g.want_feature(gensec.FEATURE_DCE_STYLE)
+        auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
+        auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
+        auth_context_id = 2
+        g.start_mech_by_authtype(auth_type, auth_level)
+        from_server = ""
+        (finished, to_server) = g.update(from_server)
+        self.assertFalse(finished)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        req_pdu = samba.ndr.ndr_pack(req)
+
+        auth_pad_ok = len(req_pdu)
+        auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
+        auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
+        auth_pad_ok -= len(to_server)
+        auth_pad_bad = auth_pad_ok + 1
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_bad,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
+                        auth_length=0)
+        self.assertEquals(rep.u.reject_reason,
+                dcerpc.DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED)
+        self.assertEquals(rep.u.num_versions, 1)
+        self.assertEquals(rep.u.versions[0].rpc_vers, req.rpc_vers)
+        self.assertEquals(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
+        self.assertEquals(len(rep.u._pad), 3)
+        self.assertEquals(rep.u._pad, '\0' * 3)
+
+        # wait for a disconnect
+        rep = self.recv_pdu()
+        self.assertIsNone(rep)
+        self.assertNotConnected()
+
+    def test_spnego_auth_pad_fail_alter(self):
+        ndr32 = base.transfer_syntax_ndr()
+
+        tsf1_list = [ndr32]
+        ctx1 = dcerpc.ctx_list()
+        ctx1.context_id = 1
+        ctx1.num_transfer_syntaxes = len(tsf1_list)
+        ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
+        ctx1.transfer_syntaxes = tsf1_list
+        ctx_list = [ctx1]
+
+        c = Credentials()
+        c.set_anonymous()
+        g = gensec.Security.start_client(self.settings)
+        g.set_credentials(c)
+        g.want_feature(gensec.FEATURE_DCE_STYLE)
+        auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
+        auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
+        auth_context_id = 2
+        g.start_mech_by_authtype(auth_type, auth_level)
+        from_server = ""
+        (finished, to_server) = g.update(from_server)
+        self.assertFalse(finished)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        req_pdu = samba.ndr.ndr_pack(req)
+
+        auth_pad_ok = len(req_pdu)
+        auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
+        auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
+        auth_pad_ok -= len(to_server)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_ok,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
+        self.assertEquals(rep.u.max_xmit_frag, req.u.max_xmit_frag)
+        self.assertEquals(rep.u.max_recv_frag, req.u.max_recv_frag)
+        self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
+        self.assertEquals(rep.u.secondary_address_size, 4)
+        self.assertEquals(rep.u.secondary_address, "%d" % self.tcp_port)
+        self.assertEquals(len(rep.u._pad1), 2)
+        #self.assertEquals(rep.u._pad1, '\0' * 2)
+        self.assertEquals(rep.u.num_results, 1)
+        self.assertEquals(rep.u.ctx_list[0].result,
+                dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
+        self.assertEquals(rep.u.ctx_list[0].reason,
+                dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
+        self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
+        self.assertNotEquals(len(rep.u.auth_info), 0)
+        a = self.parse_auth(rep.u.auth_info)
+
+        from_server = a.credentials
+        (finished, to_server) = g.update(from_server)
+        self.assertFalse(finished)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob=to_server)
+        req = self.generate_alter(call_id=0,
+                                  ctx_list=ctx_list,
+                                  assoc_group_id=rep.u.assoc_group_id,
+                                  auth_info=auth_info)
+        req_pdu = samba.ndr.ndr_pack(req)
+
+        auth_pad_ok = len(req_pdu)
+        auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
+        auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
+        auth_pad_ok -= len(to_server)
+        auth_pad_bad = auth_pad_ok + 1
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_bad,
+                                       auth_blob=to_server)
+        req = self.generate_alter(call_id=0,
+                                  ctx_list=ctx_list,
+                                  assoc_group_id=rep.u.assoc_group_id,
+                                  auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
+                        pfc_flags=req.pfc_flags |
+                        dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
+                        auth_length=0)
+        self.assertNotEquals(rep.u.alloc_hint, 0)
+        self.assertEquals(rep.u.context_id, 0)
+        self.assertEquals(rep.u.cancel_count, 0)
+        self.assertEquals(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
+        self.assertEquals(len(rep.u._pad), 4)
+        self.assertEquals(rep.u._pad, '\0' * 4)
+
+        # wait for a disconnect
+        rep = self.recv_pdu()
+        self.assertIsNone(rep)
+        self.assertNotConnected()
+
+    def test_ntlmssp_auth_pad_ok(self):
+        ndr32 = base.transfer_syntax_ndr()
+
+        tsf1_list = [ndr32]
+        ctx1 = dcerpc.ctx_list()
+        ctx1.context_id = 1
+        ctx1.num_transfer_syntaxes = len(tsf1_list)
+        ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
+        ctx1.transfer_syntaxes = tsf1_list
+        ctx_list = [ctx1]
+
+        c = Credentials()
+        c.set_anonymous()
+        g = gensec.Security.start_client(self.settings)
+        g.set_credentials(c)
+        g.want_feature(gensec.FEATURE_DCE_STYLE)
+        auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
+        auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
+        auth_context_id = 2
+        g.start_mech_by_authtype(auth_type, auth_level)
+        from_server = ""
+        (finished, to_server) = g.update(from_server)
+        self.assertFalse(finished)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        req_pdu = samba.ndr.ndr_pack(req)
+
+        auth_pad_ok = len(req_pdu)
+        auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
+        auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
+        auth_pad_ok -= len(to_server)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_ok,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
+        self.assertEquals(rep.u.max_xmit_frag, req.u.max_xmit_frag)
+        self.assertEquals(rep.u.max_recv_frag, req.u.max_recv_frag)
+        self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
+        self.assertEquals(rep.u.secondary_address_size, 4)
+        self.assertEquals(rep.u.secondary_address, "%d" % self.tcp_port)
+        self.assertEquals(len(rep.u._pad1), 2)
+        #self.assertEquals(rep.u._pad1, '\0' * 2)
+        self.assertEquals(rep.u.num_results, 1)
+        self.assertEquals(rep.u.ctx_list[0].result,
+                dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
+        self.assertEquals(rep.u.ctx_list[0].reason,
+                dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
+        self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
+        self.assertNotEquals(len(rep.u.auth_info), 0)
+        a = self.parse_auth(rep.u.auth_info)
+
+        from_server = a.credentials
+        (finished, to_server) = g.update(from_server)
+        self.assertTrue(finished)
+
+        auth_pad_ok = 0
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_ok,
+                                       auth_blob=to_server)
+        req = self.generate_auth3(call_id=0,
+                                  auth_info=auth_info)
+        self.send_pdu(req)
+        self.assertIsConnected()
+
+        # And now try a request without auth_info
+        req = self.generate_request(call_id = 2,
+                                    context_id=ctx1.context_id,
+                                    opnum=0,
+                                    stub="")
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
+                        auth_length=0)
+        self.assertNotEquals(rep.u.alloc_hint, 0)
+        self.assertEquals(rep.u.context_id, req.u.context_id)
+        self.assertEquals(rep.u.cancel_count, 0)
+        self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
+
+        # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob="\x01"+"\x00"*15)
+        req = self.generate_request(call_id = 3,
+                                    context_id=ctx1.context_id,
+                                    opnum=0,
+                                    stub="",
+                                    auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        # We don't get an auth_info back
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
+                        auth_length=0)
+        self.assertNotEquals(rep.u.alloc_hint, 0)
+        self.assertEquals(rep.u.context_id, req.u.context_id)
+        self.assertEquals(rep.u.cancel_count, 0)
+        self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
+
+        self._disconnect("disconnect")
+        self.assertNotConnected()
+
+    def test_ntlmssp_auth_pad_fail_auth3(self):
+        ndr32 = base.transfer_syntax_ndr()
+
+        tsf1_list = [ndr32]
+        ctx1 = dcerpc.ctx_list()
+        ctx1.context_id = 1
+        ctx1.num_transfer_syntaxes = len(tsf1_list)
+        ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
+        ctx1.transfer_syntaxes = tsf1_list
+        ctx_list = [ctx1]
+
+        c = Credentials()
+        c.set_anonymous()
+        g = gensec.Security.start_client(self.settings)
+        g.set_credentials(c)
+        g.want_feature(gensec.FEATURE_DCE_STYLE)
+        auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
+        auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
+        auth_context_id = 2
+        g.start_mech_by_authtype(auth_type, auth_level)
+        from_server = ""
+        (finished, to_server) = g.update(from_server)
+        self.assertFalse(finished)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        req_pdu = samba.ndr.ndr_pack(req)
+
+        auth_pad_ok = len(req_pdu)
+        auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
+        auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
+        auth_pad_ok -= len(to_server)
+
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_ok,
+                                       auth_blob=to_server)
+
+        req = self.generate_bind(call_id=0,
+                                 ctx_list=ctx_list,
+                                 auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
+        self.assertEquals(rep.u.max_xmit_frag, req.u.max_xmit_frag)
+        self.assertEquals(rep.u.max_recv_frag, req.u.max_recv_frag)
+        self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
+        self.assertEquals(rep.u.secondary_address_size, 4)
+        self.assertEquals(rep.u.secondary_address, "%d" % self.tcp_port)
+        self.assertEquals(len(rep.u._pad1), 2)
+        #self.assertEquals(rep.u._pad1, '\0' * 2)
+        self.assertEquals(rep.u.num_results, 1)
+        self.assertEquals(rep.u.ctx_list[0].result,
+                dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
+        self.assertEquals(rep.u.ctx_list[0].reason,
+                dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
+        self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
+        self.assertNotEquals(len(rep.u.auth_info), 0)
+        a = self.parse_auth(rep.u.auth_info)
+
+        from_server = a.credentials
+        (finished, to_server) = g.update(from_server)
+        self.assertTrue(finished)
+
+        auth_pad_bad = 1
+        auth_info = self.generate_auth(auth_type=auth_type,
+                                       auth_level=auth_level,
+                                       auth_context_id=auth_context_id,
+                                       auth_pad_length=auth_pad_bad,
+                                       auth_blob=to_server)
+        req = self.generate_auth3(call_id=0,
+                                  auth_info=auth_info)
+        self.send_pdu(req)
+        rep = self.recv_pdu()
+        self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
+                        pfc_flags=req.pfc_flags |
+                        dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
+                        auth_length=0)
+        self.assertNotEquals(rep.u.alloc_hint, 0)
+        self.assertEquals(rep.u.context_id, 0)
+        self.assertEquals(rep.u.cancel_count, 0)
+        self.assertEquals(rep.u.status, dcerpc.DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY)
+        self.assertEquals(len(rep.u._pad), 4)
+        self.assertEquals(rep.u._pad, '\0' * 4)
+
+        # wait for a disconnect
+        rep = self.recv_pdu()
+        self.assertIsNone(rep)
+        self.assertNotConnected()
+
 if __name__ == "__main__":
     global_ndr_print = True

vendor/current/python/samba/tests/param.py

@@ -56 +56 @@
         samba_lp.load_default()
         self.assertRaises(KeyError, samba_lp.__getitem__, "nonexistent")
+
+    def test_log_level(self):
+        samba_lp = param.LoadParm()
+        samba_lp.set("log level", "5 auth:4")
+        self.assertEquals(5, samba_lp.log_level())
+