HEX
Server: Apache/2.4.52 (Ubuntu)
System: Linux spn-python 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64
User: arjun (1000)
PHP: 8.1.2-1ubuntu2.20
Disabled: NONE
$ pwd: /lib/python3/dist-packages/samba/tests/blackbox/__pycache__/
Upload Files
File: //lib/python3/dist-packages/samba/tests/blackbox/__pycache__/bug13653.cpython-310.pyc
o

�/a)�@s`dZddlmZmZmZmZddlmZddlm	Z	ddl
mZddlm
Z
Gdd�de�Zd	S)
a
Blackbox test verifying bug 13653

https://bugzilla.samba.org/show_bug.cgi?id=13653


When creating a new user and specifying the local filepath of the sam.ldb DB,
it's possible to create an account that you can't actually login with.

This only happens if the DB is using encrypted secrets and you specify "ldb://"
in the sam.ldb path, e.g. "-H ldb://st/ad_dc/private/sam.ldb".
The user account will be created, but its secrets will not be encrypted.
Attempts to login as the user will then be rejected due to invalid credentials.

We think this may also cause replication/joins to break.

You do get a warning about "No encrypted secrets key file" when this happens,
although the reason behind this message is not obvious. Specifying a "tdb://"
prefix, or not specifying a prefix, works fine.

Example of the problem below using the ad_dc testenv.

addc$ bin/samba-tool user create tdb-user pass12#
      -H tdb://st/ad_dc/private/sam.ldb
User 'tdb-user' created successfully

# HERE: using the "ldb://" prefix generates a warning, but the user is still
# created successfully.

addc$ bin/samba-tool user create ldb-user pass12#
      -H ldb://st/ad_dc/private/sam.ldb
No encrypted secrets key file. Secret attributes will not be encrypted or
decrypted

User 'ldb-user' created successfully

addc$ bin/samba-tool user create noprefix-user pass12#
      -H st/ad_dc/private/sam.ldb
User 'noprefix-user' created successfully

addc$ bin/ldbsearch -H ldap://$SERVER -Utdb-user%pass12# '(cn=tdb-user)' dn
# record 1
dn: CN=tdb-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com

# Referral
ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
     DC=example,DC=com

# Referral
ref: ldap://addom.samba.example.com/DC=DomainDnsZones,DC=addom,DC=samba,
     DC=example,DC=com

# Referral
ref: ldap://addom.samba.example.com/DC=ForestDnsZones,DC=addom,DC=samba,
     DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals

# HERE: can't login as the user created with "ldb://" prefix

addc$ bin/ldbsearch -H ldap://$SERVER -Uldb-user%pass12# '(cn=ldb-user)' dn
Wrong username or password: kinit for ldb-user@ADDOM.SAMBA.EXAMPLE.COM failed
(Client not found in Kerberos database)

Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS
               -  <8009030C: LdapErr: DSID-0C0904DC,
                    comment: AcceptSecurityContext error, data 54e, v1db1> <>
Failed to connect to 'ldap://addc' with backend
    'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS
            -  <8009030C: LdapErr: DSID-0C0904DC,
               comment: AcceptSecurityContext error, data 54e, v1db1> <>
Failed to connect to ldap://addc - LDAP error 49 LDAP_INVALID_CREDENTIALS
    -  <8009030C: LdapErr: DSID-0C0904DC,
       comment: AcceptSecurityContext error, data 54e, v1db1> <>
addc$ bin/ldbsearch -H ldap://$SERVER -Unoprefix-user%pass12#
      '(cn=noprefix-user)' dn
# record 1
dn: CN=noprefix-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com

# Referral
ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
    DC=example,DC=com

# Referral
ref: ldap://addom.samba.example.com/DC=DomainDnsZones,DC=addom,DC=samba,
     DC=example,DC=com

# Referral
ref: ldap://addom.samba.example.com/DC=ForestDnsZones,DC=addom,DC=samba,
     DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals
�)�BlackboxTestCase�BlackboxProcessError�delete_force�env_loadparm)�Credentials)�SamDB)�system_session)�environcsPeZdZ�fdd�Z�fdd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	�Z
S)�
Bug13653Testscs\tt|���td|_td|_td|_t�}t�}t	�}|�
|�t|||d�|_dS)N�TEST_ENV�SERVER�
PREFIX_ABS)�session_info�credentials�lp)
�superr
�setUpr	�env�server�prefixrrr�guessr�ldb)�selfr�creds�session��	__class__��?/usr/lib/python3/dist-packages/samba/tests/blackbox/bug13653.pyr�s



�zBug13653Tests.setUpc
s\tt|���zd|j|j��f}t|j|�WdSty-}zWYd}~dSd}~ww�NzCN=%s,CN=Users,%s)rr
�tearDown�userr�	domain_dnr�	Exception�r�dn�errrr �s��zBug13653Tests.tearDownc
Cs\d|j|j��f}z	t|j|�WdSty-}z|�t|��WYd}~dSd}~wwr)r!rr"rr#�fail�strr$rrr�delete_user�s��zBug13653Tests.delete_userc
Cs�|��|��}d||j|jf}z d|j||f}|�|�d|j|j||jf}|�|�WdStyK}z|�t	|��WYd}~dSd}~ww)zlEnsure a user can be created by samba-tool with the supplied scheme
           and that that user can logon.z%s/%s/%s/private/sam.ldbz"samba-tool user create %s %s -H %sz1bin/ldbsearch -H ldap://%s/ -U%s%%%s '(cn=%s)' dnN)
r)�random_passwordrrr!�	check_runrrr'r()r�scheme�password�db_path�commandr&rrr�_test_scheme�s$��
����zBug13653Tests._test_schemecC�d|_|�d�dS)zlEnsure a user can be created by samba-tool with the "tbd://" scheme
           and that that user can logon.�TDB_USERztdb://N�r!r0�rrrr�test_tdb_scheme��zBug13653Tests.test_tdb_schemecCr1)a$Ensure a user can be created by samba-tool with the "mdb://" scheme
           and that that user can logon.

           NOTE: this test is currently in knownfail.d/encrypted_secrets as
                 sam.ldb is currently a tdb even if the lmdb backend is
                 selected
        �MDB_USERzmdb://Nr3r4rrr�test_mdb_scheme�s	zBug13653Tests.test_mdb_schemecCr1)zlEnsure a user can be created by samba-tool with the "ldb://" scheme
           and that that user can logon.�LDB_USERzldb://Nr3r4rrr�test_ldb_scheme�r6zBug13653Tests.test_ldb_scheme)�__name__�
__module__�__qualname__rr r)r0r5r8r:�
__classcell__rrrrr
~sr
N)�__doc__�samba.testsrrrr�samba.credentialsr�samba.samdbr�
samba.authr�osr	r
rrrr�<module>sa
@ Telegram