-rw-r--r-- | selftest/knownfail.d/password_lockout | 5 | ||||
-rwxr-xr-x | source4/dsdb/tests/python/password_lockout.py | 47 | ||||
-rw-r--r-- | source4/dsdb/tests/python/password_lockout_base.py | 37 |
3 files changed, 69 insertions, 20 deletions
diff --git a/selftest/knownfail.d/password_lockout b/selftest/knownfail.d/password_lockout
new file mode 100644
index 00000000000..a62c7d18fd1
--- /dev/null
+++ b/selftest/knownfail.d/password_lockout
@@ -0,0 +1,5 @@
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTests.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\)
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTests.test_pso_login_lockout_krb5\(ad_dc_ntvfs\)
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTests.test_pso_userPassword_lockout_with_clear_change_krb5_ldap_userAccountControl\(ad_dc_ntvfs\)
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTests.test_pso_userPassword_lockout_with_clear_change_ntlm_ldap_lockoutTime\(ad_dc_ntvfs\)
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTests.test_pso_userPassword_lockout_with_clear_change_ntlm_samr\(ad_dc_ntvfs\)
diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py
index 763d7626c9e..99e9ef60044 100755
--- a/source4/dsdb/tests/python/password_lockout.py
+++ b/source4/dsdb/tests/python/password_lockout.py
@@ -33,6 +33,7 @@ import samba.tests
 from samba.tests import delete_force
 from samba.dcerpc import security, samr
 from samba.ndr import ndr_unpack
+from samba.tests.pso import PasswordSettings
 
 parser = optparse.OptionParser("password_lockout.py [options] <host>")
 sambaopts = options.SambaOptions(parser)
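Review bot: The five new PSO lockout tests go straight onto the knownfail list for the ad_dc_ntvfs environment, and nothing on the page records why they are expected to fail there, so a later reader cannot tell whether PSOs are simply not applied on that DC flavour, an environment setting is missing, or a real enforcement gap is being masked. If the knownfail format accepts comment lines, a one-line `#` note at the top of the file naming the cause and what would allow the entries to be removed keeps the suppression from outliving its reason. Since these are the only tests checking that a PSO's lockout threshold overrides the domain policy, the reason for skipping them on one environment is worth stating explicitly rather than leaving it implicit.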
@@ -590,6 +591,41 @@ userPassword: thatsAcomplPASS2XYZ
                                                           "samr",
                                                           initial_lastlogon_relation='greater')
 
+    # For PSOs, just test a selection of the above combinations
+    def test_pso_userPassword_lockout_with_clear_change_krb5_ldap_userAccountControl(self):
+        self.use_pso_lockout_settings(self.lockout1krb5_creds)
+        self._test_userPassword_lockout_with_clear_change(self.lockout1krb5_creds,
+                                                          self.lockout2krb5_ldb,
+                                                          "ldap_userAccountControl")
+
+    def test_pso_userPassword_lockout_with_clear_change_ntlm_ldap_lockoutTime(self):
+        self.use_pso_lockout_settings(self.lockout1ntlm_creds)
+        self._test_userPassword_lockout_with_clear_change(self.lockout1ntlm_creds,
+                                                          self.lockout2ntlm_ldb,
+                                                          "ldap_lockoutTime",
+                                                          initial_lastlogon_relation='greater')
+
+    def test_pso_userPassword_lockout_with_clear_change_ntlm_samr(self):
+        self.use_pso_lockout_settings(self.lockout1ntlm_creds)
+        self._test_userPassword_lockout_with_clear_change(self.lockout1ntlm_creds,
+                                                          self.lockout2ntlm_ldb,
+                                                          "samr",
+                                                          initial_lastlogon_relation='greater')
+
+    def use_pso_lockout_settings(self, creds):
+        # create a PSO with the lockout settings the test cases normally expect
+        pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3,
+                               lockout_duration=2)
+        self.addCleanup(self.ldb.delete, pso.dn)
+
+        userdn = "cn=%s,cn=users,%s" % (creds.get_username(), self.base_dn)
+        pso.apply_to(userdn)
+
+        # update the global lockout settings to be wildly different to what
+        # the test cases normally expect
+        self.update_lockout_settings(threshold=10, duration=600,
+                                     observation_window=600)
+
     def _test_unicodePwd_lockout_with_clear_change(self, creds, other_ldb,
                                                    initial_logoncount_relation=None):
         print("Performs a password cleartext change operation on 'unicodePwd'")
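Review bot: `use_pso_lockout_settings` rewrites the domain-wide lockout policy to threshold 10 / 600 s but registers no cleanup for it, while the PSO it creates is removed through `addCleanup`; the domain values are only restored because the method in the -308 hunk of password_lockout_base.py (setUp, presumably) re-applies `update_lockout_settings(threshold=3, ...)` before the next test, so anything that runs after the last PSO test without passing through that setup inherits a ten-minute lockout window. Registering the reset next to the PSO cleanup, `self.addCleanup(self.update_lockout_settings, threshold=3, duration=2, observation_window=2)`, makes the helper self-contained. The helper also deserves a docstring in place of the inline comment, stating that the PSO values deliberately match what the shared `_test_*` routines assert on while the domain policy is set to values that would make those assertions fail, so a pass shows the PSO took precedence over the domain policy. The user DN is built by string formatting from `creds.get_username()` and `self.base_dn`, which assumes the test user's RDN equals its username and sits directly under cn=users; that appears to hold for the users the base class creates, but a short comment recording the assumption would help.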
@@ -1012,6 +1048,17 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
     def test_login_lockout_ntlm(self):
         self._test_login_lockout(self.lockout1ntlm_creds)
 
+    # Repeat the login lockout tests using PSOs
+    def test_pso_login_lockout_krb5(self):
+        """Check the PSO lockout settings get applied to the user correctly"""
+        self.use_pso_lockout_settings(self.lockout1krb5_creds)
+        self._test_login_lockout(self.lockout1krb5_creds)
+
+    def test_pso_login_lockout_ntlm(self):
+        """Check the PSO lockout settings get applied to the user correctly"""
+        self.use_pso_lockout_settings(self.lockout1ntlm_creds)
+        self._test_login_lockout(self.lockout1ntlm_creds)
+
     def test_multiple_logon_krb5(self):
         self._test_multiple_logon(self.lockout1krb5_creds)
 
diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py
index 721948ce00f..843eaff1ab2 100644
--- a/source4/dsdb/tests/python/password_lockout_base.py
+++ b/source4/dsdb/tests/python/password_lockout_base.py
@@ -200,6 +200,20 @@ class BasePasswordTestCase(PasswordTestCase):
             time.sleep(0.01)
         return res
 
+    def update_lockout_settings(self, threshold, duration, observation_window):
+        """Updates the global user lockout settings"""
+        m = Message()
+        m.dn = Dn(self.ldb, self.base_dn)
+        account_lockout_duration_ticks = -int(duration * (1e7))
+        m["lockoutDuration"] = MessageElement(str(account_lockout_duration_ticks),
+                                              FLAG_MOD_REPLACE, "lockoutDuration")
+        m["lockoutThreshold"] = MessageElement(str(threshold),
+                                               FLAG_MOD_REPLACE, "lockoutThreshold")
+        lockout_observation_window_ticks = -int(observation_window * (1e7))
+        m["lockOutObservationWindow"] = MessageElement(str(lockout_observation_window_ticks),
+                                                       FLAG_MOD_REPLACE, "lockOutObservationWindow")
+        self.ldb.modify(m)
+
     def _readd_user(self, creds, lockOutObservationWindow=0):
         username = creds.get_username()
         userpass = creds.get_password()
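Review bot: The docstring of `update_lockout_settings` should state the units and encoding, because callers pass plain integers and the method converts them silently: `duration` and `observation_window` are seconds and are written as negative 100-ns intervals (`-int(duration * (1e7))`), the form AD uses for these attributes, while `threshold` is the raw failed-attempt count written as-is. The method also reads `self.base_dn`, which must already be set; the -308 hunk moves `self.base_dn = self.ldb.domain_dn()` ahead of the first call for that reason, and a docstring line such as `Requires self.base_dn to be set before the first call.` records the ordering dependency so it is not broken by a later reshuffle of setUp.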
@@ -308,32 +322,15 @@ replace: lockoutThreshold
 lockoutThreshold: """ + str(lockoutThreshold) + """
 """)
 
-        m = Message()
-        m.dn = Dn(self.ldb, base_dn)
-
+        self.base_dn = self.ldb.domain_dn()
         self.account_lockout_duration = 2
-        account_lockout_duration_ticks = -int(self.account_lockout_duration * (1e7))
-
-        m["lockoutDuration"] = MessageElement(str(account_lockout_duration_ticks),
-                                              FLAG_MOD_REPLACE, "lockoutDuration")
-
-        account_lockout_threshold = 3
-        m["lockoutThreshold"] = MessageElement(str(account_lockout_threshold),
-                                               FLAG_MOD_REPLACE, "lockoutThreshold")
-
         self.lockout_observation_window = 2
-        lockout_observation_window_ticks = -int(self.lockout_observation_window * (1e7))
-
-        m["lockOutObservationWindow"] = MessageElement(str(lockout_observation_window_ticks),
-                                                       FLAG_MOD_REPLACE, "lockOutObservationWindow")
-
-        self.ldb.modify(m)
+        self.update_lockout_settings(threshold=3, duration=2,
+                                     observation_window=2)
 
         # update DC to allow password changes for the duration of this test
         self.allow_password_changes()
 
-        self.base_dn = self.ldb.domain_dn()
-
         self.domain_sid = security.dom_sid(self.ldb.get_domain_sid())
         self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % self.host, self.lp, self.global_creds)
         self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
|
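Review bot: The new call `self.update_lockout_settings(threshold=3, duration=2, observation_window=2)` repeats the literals that the lines just above store in `self.account_lockout_duration` and `self.lockout_observation_window`, so the values the later assertions read through those attributes (presumably) can drift from what is actually written to the DC. Passing the attributes keeps a single source of truth: `self.update_lockout_settings(threshold=3, duration=self.account_lockout_duration, observation_window=self.lockout_observation_window)`. Moving `self.base_dn = self.ldb.domain_dn()` ahead of the call is required because the helper reads it, but the removed code used a local `base_dn` that is presumably still assigned earlier in the method; if so it is now redundant with `self.base_dn` and the two could be unified. The enclosing method starts before this hunk.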