1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
|
#
# Helper classes for testing Password Settings Objects.
#
# This also tests the default password complexity (i.e. pwdProperties),
# minPwdLength, pwdHistoryLength settings as a side-effect.
#
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import ldb
from ldb import FLAG_MOD_DELETE, FLAG_MOD_ADD, FLAG_MOD_REPLACE
from samba.dcerpc.samr import (DOMAIN_PASSWORD_COMPLEX,
DOMAIN_PASSWORD_STORE_CLEARTEXT)
class TestUser:
def __init__(self, username, samdb, userou=None):
initial_password = "Initial12#"
self.name = username
self.ldb = samdb
self.dn = "CN=%s,%s,%s" % (username, (userou or "CN=Users"),
self.ldb.domain_dn())
# store all passwords that have ever been used for this user, as well
# as a pwd_history that more closely resembles the history on the DC
self.all_old_passwords = [initial_password]
self.pwd_history = [initial_password]
self.ldb.newuser(username, initial_password, userou=userou)
self.ldb.enable_account("(sAMAccountName=%s)" % username)
self.last_pso = None
def old_invalid_passwords(self, hist_len):
"""Returns the expected password history for the DC"""
if hist_len == 0:
return []
# return the last n items in the list
return self.pwd_history[-hist_len:]
def old_valid_passwords(self, hist_len):
"""Returns old passwords that fall outside the DC's expected history"""
# if PasswordHistoryLength is zero, any previous password can be valid
if hist_len == 0:
return self.all_old_passwords[:]
# just exclude our pwd_history if there's not much in it. This can
# happen if we've been using a lower PasswordHistoryLength setting
# previously
hist_len = min(len(self.pwd_history), hist_len)
# return any passwords up to the nth-from-last item
return self.all_old_passwords[:-hist_len]
def update_pwd_history(self, new_password):
"""Updates the user's password history to reflect a password change"""
# we maintain 2 lists: all passwords the user has ever had, and an
# effective password-history that should roughly mirror the DC.
# pwd_history_change() handles the corner-case where we need to
# truncate password-history due to PasswordHistoryLength settings
# changes
if new_password in self.all_old_passwords:
self.all_old_passwords.remove(new_password)
self.all_old_passwords.append(new_password)
if new_password in self.pwd_history:
self.pwd_history.remove(new_password)
self.pwd_history.append(new_password)
def get_resultant_PSO(self):
"""Returns the DN of the applicable PSO, or None if none applies"""
res = self.ldb.search(self.dn, attrs=['msDS-ResultantPSO'])
if 'msDS-ResultantPSO' in res[0]:
return str(res[0]['msDS-ResultantPSO'][0])
else:
return None
def get_password(self):
"""Returns the user's current password"""
# current password in the last item in the list
return self.all_old_passwords[-1]
def set_password(self, new_password):
"""Attempts to change a user's password"""
ldif = """
dn: %s
changetype: modify
delete: userPassword
userPassword: %s
add: userPassword
userPassword: %s
""" % (self.dn, self.get_password(), new_password)
# this modify will throw an exception if new_password doesn't meet the
# PSO constraints (which the test code catches if it's expected to
# fail)
self.ldb.modify_ldif(ldif)
self.update_pwd_history(new_password)
def pwd_history_change(self, old_hist_len, new_hist_len):
"""
Updates the effective password history, to reflect changes on the DC.
When the PasswordHistoryLength applied to a user changes from a low
setting (e.g. 2) to a higher setting (e.g. 4), passwords #3 and #4
won't actually have been stored on the DC, so we need to make sure they
are removed them from our mirror pwd_history list.
"""
# our list may have been tracking more passwords than the DC actually
# stores. Truncate the list now to match what the DC currently has
hist_len = min(new_hist_len, old_hist_len)
if hist_len == 0:
self.pwd_history = []
elif hist_len < len(self.pwd_history):
self.pwd_history = self.pwd_history[-hist_len:]
# corner-case where history-length goes from zero to non-zero. Windows
# counts the current password as being in the history even before it
# changes (Samba only counts it from the next change onwards). We don't
# exercise this in the PSO tests due to this discrepancy, but the
# following check will support the Windows behaviour
if old_hist_len == 0 and new_hist_len > 0:
self.pwd_history = [self.get_password()]
def set_primary_group(self, group_dn):
"""Sets a user's primaryGroupID to be that of the specified group"""
# get the primaryGroupToken of the group
res = self.ldb.search(base=group_dn, attrs=["primaryGroupToken"],
scope=ldb.SCOPE_BASE)
group_id = res[0]["primaryGroupToken"]
# set primaryGroupID attribute of the user to that group
m = ldb.Message()
m.dn = ldb.Dn(self.ldb, self.dn)
m["primaryGroupID"] = ldb.MessageElement(group_id, FLAG_MOD_REPLACE,
"primaryGroupID")
self.ldb.modify(m)
class PasswordSettings:
def default_settings(self, samdb):
"""
Returns a object representing the default password settings that will
take effect (i.e. when no other Fine-Grained Password Policy applies)
"""
pw_attrs = ["minPwdAge", "lockoutDuration", "lockOutObservationWindow",
"lockoutThreshold", "maxPwdAge", "minPwdAge",
"minPwdLength", "pwdHistoryLength", "pwdProperties"]
res = samdb.search(samdb.domain_dn(), scope=ldb.SCOPE_BASE,
attrs=pw_attrs)
self.name = "Defaults"
self.dn = None
self.ldb = samdb
self.precedence = 0
self.complexity = \
int(res[0]["pwdProperties"][0]) & DOMAIN_PASSWORD_COMPLEX
self.store_plaintext = \
int(res[0]["pwdProperties"][0]) & DOMAIN_PASSWORD_STORE_CLEARTEXT
self.password_len = int(res[0]["minPwdLength"][0])
self.lockout_attempts = int(res[0]["lockoutThreshold"][0])
self.history_len = int(res[0]["pwdHistoryLength"][0])
# convert to time in secs
self.lockout_duration = int(res[0]["lockoutDuration"][0]) / -int(1e7)
self.lockout_window =\
int(res[0]["lockOutObservationWindow"][0]) / -int(1e7)
self.password_age_min = int(res[0]["minPwdAge"][0]) / -int(1e7)
self.password_age_max = int(res[0]["maxPwdAge"][0]) / -int(1e7)
def __init__(self, name, samdb, precedence=10, complexity=True,
password_len=10, lockout_attempts=0, lockout_duration=5,
password_age_min=0, password_age_max=60 * 60 * 24 * 30,
history_len=2, store_plaintext=False, container=None):
# if no PSO was specified, return an object representing the global
# password settings (i.e. the default settings, if no PSO trumps them)
if name is None:
return self.default_settings(samdb)
# only PSOs in the Password Settings Container are considered. You can
# create PSOs outside of this container, but it's not recommended
if container is None:
base_dn = samdb.domain_dn()
container = "CN=Password Settings Container,CN=System,%s" % base_dn
self.name = name
self.dn = "CN=%s,%s" % (name, container)
self.ldb = samdb
self.precedence = precedence
self.complexity = complexity
self.store_plaintext = store_plaintext
self.password_len = password_len
self.lockout_attempts = lockout_attempts
self.history_len = history_len
# times in secs
self.lockout_duration = lockout_duration
# lockout observation-window must be <= lockout-duration (the existing
# lockout tests just use the same value for both settings)
self.lockout_window = lockout_duration
self.password_age_min = password_age_min
self.password_age_max = password_age_max
# add the PSO to the DB
self.ldb.add_ldif(self.get_ldif())
def get_ldif(self):
complexity_str = "TRUE" if self.complexity else "FALSE"
plaintext_str = "TRUE" if self.store_plaintext else "FALSE"
# timestamps here are in units of -100 nano-seconds
lockout_duration = -int(self.lockout_duration * (1e7))
lockout_window = -int(self.lockout_window * (1e7))
min_age = -int(self.password_age_min * (1e7))
max_age = -int(self.password_age_max * (1e7))
# all the following fields are mandatory for the PSO object
ldif = """
dn: {0}
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: {1}
msDS-PasswordReversibleEncryptionEnabled: {2}
msDS-PasswordHistoryLength: {3}
msDS-PasswordComplexityEnabled: {4}
msDS-MinimumPasswordLength: {5}
msDS-MinimumPasswordAge: {6}
msDS-MaximumPasswordAge: {7}
msDS-LockoutThreshold: {8}
msDS-LockoutObservationWindow: {9}
msDS-LockoutDuration: {10}
""".format(self.dn, self.precedence, plaintext_str, self.history_len,
complexity_str, self.password_len, min_age, max_age,
self.lockout_attempts, lockout_window, lockout_duration)
return ldif
def apply_to(self, user_group, operation=FLAG_MOD_ADD):
"""Updates this Password Settings Object to apply to a user or group"""
m = ldb.Message()
m.dn = ldb.Dn(self.ldb, self.dn)
m["msDS-PSOAppliesTo"] = ldb.MessageElement(user_group, operation,
"msDS-PSOAppliesTo")
self.ldb.modify(m)
def unapply(self, user_group):
"""Updates this PSO to no longer apply to a user or group"""
# just delete the msDS-PSOAppliesTo attribute (instead of adding it)
self.apply_to(user_group, operation=FLAG_MOD_DELETE)
def set_precedence(self, new_precedence, samdb=None):
if samdb is None:
samdb = self.ldb
ldif = """
dn: %s
changetype: modify
replace: msDS-PasswordSettingsPrecedence
msDS-PasswordSettingsPrecedence: %u
""" % (self.dn, new_precedence)
samdb.modify_ldif(ldif)
self.precedence = new_precedence
|
