selftest: Split samba.tests.samba_tool.user_virtualCryptSHA into GPG and not GPG parts

This allows the userPassword (not GPG) part of the test to run on hosts without
python3-gpg (eg RHEL7) while still testing the userPassword handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 2c4ecf002a3fbbe8be061814468529c8bd6bb7aa)

4 files changed, 566 insertions, 1 deletions

diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py
new file mode 100644
index 00000000000..e32f8d7343c
--- /dev/null
+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py
@@ -0,0 +1,118 @@
+# Tests for the samba-tool user sub command reading Primary:userPassword
+#
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import time
+import base64
+import ldb
+import samba
+from samba.tests.samba_tool.base import SambaToolCmdTest
+from samba.credentials import Credentials
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba.ndr import ndr_unpack
+from samba.dcerpc import drsblobs
+from samba import dsdb
+import re
+
+USER_NAME = "CryptSHATestUser"
+HASH_OPTION = "password hash userPassword schemes"
+
+# Get the value of an attribute from the output string
+# Note: Does not correctly handle values spanning multiple lines,
+#       which is acceptable for it's usage in these tests.
+
+
+def _get_attribute(out, name):
+    p = re.compile("^" + name + ":\s+(\S+)")
+    for line in out.split("\n"):
+        m = p.match(line)
+        if m:
+            return m.group(1)
+    return ""
+
+
+class UserCmdCryptShaTestCase(SambaToolCmdTest):
+    """
+    Tests for samba-tool user subcommands generation of the virtualCryptSHA256
+    and virtualCryptSHA512 attributes
+    """
+    users = []
+    samdb = None
+
+    def setUp(self):
+        super(UserCmdCryptShaTestCase, self).setUp()
+
+    def add_user(self, hashes=""):
+        self.lp = samba.tests.env_loadparm()
+
+        # set the extra hashes to be calculated
+        self.lp.set(HASH_OPTION, hashes)
+
+        self.creds = Credentials()
+        self.session = system_session()
+        self.ldb = SamDB(
+            session_info=self.session,
+            credentials=self.creds,
+            lp=self.lp)
+
+        password = self.random_password()
+        self.runsubcmd("user",
+                       "create",
+                       USER_NAME,
+                       password)
+
+    def tearDown(self):
+        super(UserCmdCryptShaTestCase, self).tearDown()
+        self.runsubcmd("user", "delete", USER_NAME)
+
+    def _get_password(self, attributes, decrypt=False):
+        command = ["user",
+                   "getpassword",
+                   USER_NAME,
+                   "--attributes",
+                   attributes]
+        if decrypt:
+            command.append("--decrypt-samba-gpg")
+
+        (result, out, err) = self.runsubcmd(*command)
+        self.assertCmdSuccess(result,
+                              out,
+                              err,
+                              "Ensure getpassword runs")
+        self.assertEqual(err, "", "getpassword")
+        self.assertMatch(out,
+                         "Got password OK",
+                         "getpassword out[%s]" % out)
+        return out
+
+    # Change the just the NT password hash, as would happen if the password
+    # was updated by Windows, the userPassword values are now obsolete.
+    #
+    def _change_nt_hash(self):
+        res = self.ldb.search(expression = "cn=%s" % USER_NAME,
+                              scope      = ldb.SCOPE_SUBTREE)
+        msg = ldb.Message()
+        msg.dn = res[0].dn
+        msg["unicodePwd"] = ldb.MessageElement(b"ABCDEF1234567890",
+                                               ldb.FLAG_MOD_REPLACE,
+                                               "unicodePwd")
+        self.ldb.modify(
+            msg,
+            controls=["local_oid:%s:0" %
+                      dsdb.DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID])
diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
new file mode 100644
index 00000000000..25c02d9ac2a
--- /dev/null
+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
@@ -0,0 +1,261 @@
+# Tests for the samba-tool user sub command reading Primary:userPassword
+#
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from samba.tests.samba_tool.user_virtualCryptSHA_base import UserCmdCryptShaTestCase, _get_attribute
+
+class UserCmdCryptShaTestCaseGPG(UserCmdCryptShaTestCase):
+    """
+    Tests for samba-tool user subcommands generation of the virtualCryptSHA256
+    and virtualCryptSHA512 attributes
+    """
+
+    # gpg decryption enabled.
+    # both virtual attributes specified, no rounds option
+    # no hashes stored in supplementalCredentials
+    # Should get values
+    def test_gpg_both_hashes_no_rounds(self):
+        self.add_user()
+        out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True)
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption enabled.
+    # SHA256 specified
+    # no hashes stored in supplementalCredentials
+    # No rounds
+    #
+    # Should get values
+    def test_gpg_sha256_no_rounds(self):
+        self.add_user()
+        out = self._get_password("virtualCryptSHA256", True)
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption enabled.
+    # SHA512 specified
+    # no hashes stored in supplementalCredentials
+    # No rounds
+    #
+    # Should get values
+    def test_gpg_sha512_no_rounds(self):
+        self.add_user()
+        out = self._get_password("virtualCryptSHA512", True)
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption enabled.
+    # SHA128 specified, i.e. invalid/unknown algorithm
+    # no hashes stored in supplementalCredentials
+    # No rounds
+    #
+    # Should not get values
+    def test_gpg_invalid_alg_no_rounds(self):
+        self.add_user()
+        out = self._get_password("virtualCryptSHA128", True)
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption enabled.
+    # both virtual attributes specified, no rounds option
+    # no hashes stored in supplementalCredentials
+    # underlying windows password changed, so plain text password is
+    # invalid.
+    # Should not get values
+    def test_gpg_both_hashes_no_rounds_pwd_changed(self):
+        self.add_user()
+        self._change_nt_hash()
+        out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True)
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption enabled.
+    # SHA256 specified, no rounds option
+    # no hashes stored in supplementalCredentials
+    # underlying windows password changed, so plain text password is
+    # invalid.
+    # Should not get values
+    def test_gpg_sha256_no_rounds_pwd_changed(self):
+        self.add_user()
+        self._change_nt_hash()
+        out = self._get_password("virtualCryptSHA256", True)
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption enabled.
+    # SHA512 specified, no rounds option
+    # no hashes stored in supplementalCredentials
+    # underlying windows password changed, so plain text password is
+    # invalid.
+    # Should not get values
+    def test_gpg_sha512_no_rounds_pwd_changed(self):
+        self.add_user()
+        self._change_nt_hash()
+        out = self._get_password("virtualCryptSHA256", True)
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption enabled.
+    # both virtual attributes specified, rounds specified
+    # no hashes stored in supplementalCredentials
+    # Should get values reflecting the requested rounds
+    def test_gpg_both_hashes_both_rounds(self):
+        self.add_user()
+        out = self._get_password(
+            "virtualCryptSHA256;rounds=10123,virtualCryptSHA512;rounds=10456",
+            True)
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=10123$"))
+
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+        self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=10456$"))
+
+    # gpg decryption enabled.
+    # both virtual attributes specified, rounds specified
+    # invalid rounds for sha256
+    # no hashes stored in supplementalCredentials
+    # Should get values, no rounds for sha256, rounds for sha 512
+    def test_gpg_both_hashes_sha256_rounds_invalid(self):
+        self.add_user()
+        out = self._get_password(
+            "virtualCryptSHA256;rounds=invalid,virtualCryptSHA512;rounds=3125",
+            True)
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        self.assertTrue(sha256.startswith("{CRYPT}$5$"))
+        self.assertTrue("rounds" not in sha256)
+
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+        self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=3125$"))
+
+    # gpg decryption enabled.
+    # both virtual attributes specified, rounds specified
+    # both hashes stored in supplementalCredentials, with no rounds
+    # Should get calculated hashed with the correct number of rounds
+    def test_gpg_both_hashes_rounds_stored_hashes(self):
+        self.add_user("CryptSHA512 CryptSHA256")
+
+        out = self._get_password("virtualCryptSHA256;rounds=2561," +
+                                 "virtualCryptSHA512;rounds=5129",
+                                 True)
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" in out)
+
+        # Should be calculating the hashes
+        # so they should change between calls.
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+
+        out = self._get_password("virtualCryptSHA256;rounds=2561," +
+                                 "virtualCryptSHA512;rounds=5129",
+                                 True)
+        self.assertFalse(sha256 == _get_attribute(out, "virtualCryptSHA256"))
+        self.assertFalse(sha512 == _get_attribute(out, "virtualCryptSHA512"))
+
+        # The returned hashes should specify the correct number of rounds
+        self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561"))
+        self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129"))
+
+    # gpg decryption enabled.
+    # both virtual attributes specified, rounds specified
+    # both hashes stored in supplementalCredentials, with rounds
+    # Should get values
+    def test_gpg_both_hashes_rounds_stored_hashes_with_rounds(self):
+        self.add_user("CryptSHA512 " +
+                      "CryptSHA256 " +
+                      "CryptSHA512:rounds=5129 " +
+                      "CryptSHA256:rounds=2561")
+
+        out = self._get_password("virtualCryptSHA256;rounds=2561," +
+                                 "virtualCryptSHA512;rounds=5129",
+                                 True)
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" in out)
+
+        # Should be using the pre computed hash in supplementalCredentials
+        # so it should not change between calls.
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+
+        out = self._get_password("virtualCryptSHA256;rounds=2561," +
+                                 "virtualCryptSHA512;rounds=5129",
+                                 True)
+        self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
+        self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
+
+        # The returned hashes should specify the correct number of rounds
+        self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561"))
+        self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129"))
+
+    # gpg decryption enabled.
+    # both virtual attributes specified, rounds specified
+    # both hashes stored in supplementalCredentials, with rounds
+    # number of rounds stored/requested do not match
+    # Should get calculated hashes with the correct number of rounds
+    def test_gpg_both_hashes_rounds_stored_hashes_with_rounds_no_match(self):
+        self.add_user("CryptSHA512 " +
+                      "CryptSHA256 " +
+                      "CryptSHA512:rounds=5129 " +
+                      "CryptSHA256:rounds=2561")
+
+        out = self._get_password("virtualCryptSHA256;rounds=4000," +
+                                 "virtualCryptSHA512;rounds=5000",
+                                 True)
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" in out)
+
+        # Should be calculating the hashes
+        # so they should change between calls.
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+
+        out = self._get_password("virtualCryptSHA256;rounds=4000," +
+                                 "virtualCryptSHA512;rounds=5000",
+                                 True)
+        self.assertFalse(sha256 == _get_attribute(out, "virtualCryptSHA256"))
+        self.assertFalse(sha512 == _get_attribute(out, "virtualCryptSHA512"))
+
+        # The calculated hashes should specify the correct number of rounds
+        self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=4000"))
+        self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5000"))
diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
new file mode 100644
index 00000000000..6c1c6295b85
--- /dev/null
+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
@@ -0,0 +1,185 @@
+# Tests for the samba-tool user sub command reading Primary:userPassword
+#
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from samba.tests.samba_tool.user_virtualCryptSHA_base import UserCmdCryptShaTestCase, _get_attribute
+
+class UserCmdCryptShaTestCaseUserPassword(UserCmdCryptShaTestCase):
+    # gpg decryption not enabled.
+    # both virtual attributes specified, no rounds option
+    # no hashes stored in supplementalCredentials
+    # Should not get values
+    def test_no_gpg_both_hashes_no_rounds(self):
+        self.add_user()
+        out = self._get_password("virtualCryptSHA256,virtualCryptSHA512")
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption not enabled.
+    # SHA256 specified
+    # no hashes stored in supplementalCredentials
+    # No rounds
+    #
+    # Should not get values
+    def test_no_gpg_sha256_no_rounds(self):
+        self.add_user()
+        out = self._get_password("virtualCryptSHA256")
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption not enabled.
+    # SHA512 specified
+    # no hashes stored in supplementalCredentials
+    # No rounds
+    #
+    # Should not get values
+    def test_no_gpg_sha512_no_rounds(self):
+        self.add_user()
+        out = self._get_password("virtualCryptSHA512")
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption not enabled.
+    # SHA128 specified, i.e. invalid/unknown algorithm
+    # no hashes stored in supplementalCredentials
+    # No rounds
+    #
+    # Should not get values
+    def test_no_gpg_invalid_alg_no_rounds(self):
+        self.add_user()
+        out = self._get_password("virtualCryptSHA128")
+
+        self.assertTrue("virtualCryptSHA256:" not in out)
+        self.assertTrue("virtualCryptSHA512:" not in out)
+        self.assertTrue("rounds=" not in out)
+
+    # gpg decryption not enabled.
+    # both virtual attributes specified, no rounds option
+    # both hashes stored in supplementalCredentials
+    # Should get values
+    def test_no_gpg_both_hashes_no_rounds_stored_hashes(self):
+        self.add_user("CryptSHA512 CryptSHA256")
+
+        out = self._get_password("virtualCryptSHA256,virtualCryptSHA512")
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" not in out)
+
+        # Should be using the pre computed hash in supplementalCredentials
+        # so it should not change between calls.
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+
+        out = self._get_password("virtualCryptSHA256,virtualCryptSHA512")
+        self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
+        self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
+
+    # gpg decryption not enabled.
+    # both virtual attributes specified, rounds specified
+    # both hashes stored in supplementalCredentials, with not rounds
+    # Should get hashes for the first matching scheme entry
+    def test_no_gpg_both_hashes_rounds_stored_hashes(self):
+        self.add_user("CryptSHA512 CryptSHA256")
+
+        out = self._get_password("virtualCryptSHA256;rounds=2561," +
+                                 "virtualCryptSHA512;rounds=5129")
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" not in out)
+
+        # Should be using the pre computed hash in supplementalCredentials
+        # so it should not change between calls.
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+
+        out = self._get_password("virtualCryptSHA256,virtualCryptSHA512")
+        self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
+        self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
+
+    # gpg decryption not enabled.
+    # both virtual attributes specified, rounds specified
+    # both hashes stored in supplementalCredentials, with rounds
+    # Should get values
+    def test_no_gpg_both_hashes_rounds_stored_hashes_with_rounds(self):
+        self.add_user("CryptSHA512 " +
+                      "CryptSHA256 " +
+                      "CryptSHA512:rounds=5129 " +
+                      "CryptSHA256:rounds=2561")
+
+        out = self._get_password("virtualCryptSHA256;rounds=2561," +
+                                 "virtualCryptSHA512;rounds=5129")
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" in out)
+
+        # Should be using the pre computed hash in supplementalCredentials
+        # so it should not change between calls.
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+
+        out = self._get_password("virtualCryptSHA256;rounds=2561," +
+                                 "virtualCryptSHA512;rounds=5129")
+        self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
+        self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
+
+        # Number of rounds should match that specified
+        self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561"))
+        self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129"))
+
+    # gpg decryption not enabled.
+    # both virtual attributes specified, rounds specified
+    # both hashes stored in supplementalCredentials, with rounds
+    # number of rounds stored/requested do not match
+    # Should get the precomputed hashes for CryptSHA512 and CryptSHA256
+    def test_no_gpg_both_hashes_rounds_stored_hashes_with_rounds_no_match(self):
+        self.add_user("CryptSHA512 " +
+                      "CryptSHA256 " +
+                      "CryptSHA512:rounds=5129 " +
+                      "CryptSHA256:rounds=2561")
+
+        out = self._get_password("virtualCryptSHA256;rounds=4000," +
+                                 "virtualCryptSHA512;rounds=5000")
+
+        self.assertTrue("virtualCryptSHA256:" in out)
+        self.assertTrue("virtualCryptSHA512:" in out)
+        self.assertTrue("rounds=" not in out)
+
+        # Should be using the pre computed hash in supplementalCredentials
+        # so it should not change between calls.
+        sha256 = _get_attribute(out, "virtualCryptSHA256")
+        sha512 = _get_attribute(out, "virtualCryptSHA512")
+
+        out = self._get_password("virtualCryptSHA256;rounds=4000," +
+                                 "virtualCryptSHA512;rounds=5000")
+        self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
+        self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
+
+        # As the number of rounds did not match, should have returned the
+        # first hash of the coresponding scheme
+        out = self._get_password("virtualCryptSHA256," +
+                                 "virtualCryptSHA512")
+        self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
+        self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index e8dbed71a18..73f273d0045 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -695,7 +695,8 @@ planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.processes")
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.user")
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.user_wdigest")
 planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user")
-planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA")
+planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA_userPassword")
+planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA_gpg")
 planpythontestsuite("chgdcpass:local", "samba.tests.samba_tool.user_check_password_script")
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.group")
 planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.ou")