mirror of
https://github.com/samba-team/samba.git
s4: Add tests and 'must change password' flags in setpassword and newuser
In particular, ensure that we can actually change the password under these circumstances. Andrew Bartlett
@ -96,6 +96,20 @@ userAccountControl: %u
|
||||
""" % (user_dn, userAccountControl)
|
||||
self.modify_ldif(mod)
|
||||
|
||||
|
||||
def force_password_change_at_next_login(self, user_dn):
|
||||
"""Force a password change at next login
|
||||
|
||||
:param user_dn: Dn of the account to force password change on
|
||||
"""
|
||||
mod = """
|
||||
dn: %s
|
||||
changetype: modify
|
||||
replace: pwdLastSet
|
||||
pwdLastSet: 0
|
||||
""" % (user_dn)
|
||||
self.modify_ldif(mod)
|
||||
|
||||
def domain_dn(self):
|
||||
# find the DNs for the domain and the domain users group
|
||||
res = self.search("", scope=ldb.SCOPE_BASE,
|
||||
@ -104,7 +118,7 @@ userAccountControl: %u
|
||||
assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
|
||||
return res[0]["defaultNamingContext"][0]
|
||||
|
||||
def newuser(self, username, unixname, password):
|
||||
def newuser(self, username, unixname, password, force_password_change_at_next_login=False):
|
||||
"""add a new user record.
|
||||
|
||||
:param username: Name of the new user.
|
||||
@ -145,6 +159,9 @@ userAccountControl: %u
|
||||
except KeyError:
|
||||
pass
|
||||
|
||||
if force_password_change_at_next_login:
|
||||
self.force_password_change_at_next_login(user_dn)
|
||||
|
||||
# modify the userAccountControl to remove the disabled bit
|
||||
self.enable_account(user_dn)
|
||||
except:
|
||||
@ -152,7 +169,7 @@ userAccountControl: %u
|
||||
raise
|
||||
self.transaction_commit()
|
||||
|
||||
def setpassword(self, filter, password, must_change_at_next_login=False):
|
||||
def setpassword(self, filter, password, force_password_change_at_next_login=False):
|
||||
"""Set a password on a user record
|
||||
|
||||
:param filter: LDAP filter to find the user (eg samccountname=name)
|
||||
@ -184,14 +201,8 @@ userPassword:: %s
|
||||
|
||||
self.modify_ldif(setpw)
|
||||
|
||||
if must_change_at_next_login:
|
||||
mod = """
|
||||
dn: %s
|
||||
changetype: modify
|
||||
replace: pwdLastSet
|
||||
pwdLastSet: 0
|
||||
""" % (user_dn)
|
||||
self.modify_ldif(mod)
|
||||
if force_password_change_at_next_login:
|
||||
self.force_password_change_at_next_login(user_dn)
|
||||
|
||||
# modify the userAccountControl to remove the disabled bit
|
||||
self.enable_account(user_dn)
|
||||
|
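Review bot: In `force_password_change_at_next_login`, `user_dn` is substituted into the LDIF text with `%` and no escaping, so a DN containing a line break would add further LDIF lines to the modify that `modify_ldif` applies. Both callers in these hunks pass a `user_dn` that is defined outside the visible lines, presumably from a search result, but the helper is a public method and its docstring does not state that requirement; I would add a sentence such as `user_dn must be a DN returned by a directory search; it is written into the LDIF unescaped.` Separately, renaming the `setpassword` keyword from `must_change_at_next_login` to `force_password_change_at_next_login` breaks any caller outside this commit that still passes the old name, so it is worth searching for other users before merging. The bodies of `newuser` and `setpassword` continue outside the hunks.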
@ -328,6 +328,7 @@ planperltest "selftest.samba4.pl" none $samba4srcdir/../selftest/test_samba4.pl
|
||||
plantest "blackbox.ndrdump" none $samba4srcdir/librpc/tests/test_ndrdump.sh
|
||||
plantest "blackbox.net" dc $samba4srcdir/utils/tests/test_net.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$DOMAIN"
|
||||
plantest "blackbox.kinit" dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" $CONFIGURATION
|
||||
plantest "blackbox.passwords" dc $bbdir/test_passwords.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" --configfile=st/dc/etc/smb.conf
|
||||
plantest "blackbox.cifsdd" dc $samba4srcdir/client/tests/test_cifsdd.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$DOMAIN"
|
||||
plantest "blackbox.nmblookup" dc $samba4srcdir/utils/tests/test_nmblookup.sh "\$NETBIOSNAME" "\$NETBIOSALIAS" "\$SERVER" "\$SERVER_IP"
|
||||
plantest "blackbox.nmblookup" member $samba4srcdir/utils/tests/test_nmblookup.sh "\$NETBIOSNAME" "\$NETBIOSALIAS" "\$SERVER" "\$SERVER_IP"
|
||||
|
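Review bot: The `blackbox.passwords` entry hard-codes `--configfile=st/dc/etc/smb.conf`, a path relative to the working directory, while the `blackbox.kinit` entry directly above passes `$CONFIGURATION`. The relative path only resolves when the suite is started from the directory that contains `st/`. If the DC's own smb.conf is required here rather than whatever `$CONFIGURATION` holds, a comment saying so, e.g. `# needs the DC's smb.conf: newuser/setpassword open the sam database locally`, would explain the difference; that reason is inferred from the scripts touched in this commit and should be confirmed.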
@ -36,6 +36,7 @@ credopts = options.CredentialsOptions(parser)
|
||||
parser.add_option_group(credopts)
|
||||
parser.add_option("--quiet", help="Be quiet", action="store_true")
|
||||
parser.add_option("--unixname", help="Unix Username", type=str)
|
||||
parser.add_option("--must-change-at-next-login", help="Force password to be changed on next login", action="store_true")
|
||||
|
||||
opts, args = parser.parse_args()
|
||||
|
||||
@ -57,4 +58,4 @@ creds = credopts.get_credentials(lp)
|
||||
|
||||
samdb = sambaopts.get_hostconfig().get_samdb(session_info=system_session(),
|
||||
credentials=creds)
|
||||
samdb.newuser(username, opts.unixname, password)
|
||||
samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login=opts.must_change_at_next_login)
|
||||
|
@ -75,5 +75,5 @@ creds = credopts.get_credentials(lp)
|
||||
|
||||
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
|
||||
credentials=creds, lp=lp)
|
||||
samdb.setpassword(filter, password, must_change_at_next_login=opts.must_change_at_next_login)
|
||||
samdb.setpassword(filter, password, force_password_change_at_next_login=opts.must_change_at_next_login)
|
||||
|
||||
|
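--- a/testprogs/blackbox/test_passwords.sh
+++ b/testprogs/blackbox/test_passwords.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+# Blackbox tests for kinit and kerberos integration with smbclient etc
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+shift 6
+failed=0
+
+samba4bindir="$BUILDDIR/bin"
+smbclient="$samba4bindir/smbclient$EXEEXT"
+samba4kinit="$samba4bindir/samba4kinit$EXEEXT"
+net="$samba4bindir/net$EXEEXT"
+rkpty="$samba4bindir/rkpty$EXEEXT"
+samba4kpasswd="$samba4bindir/samba4kpasswd$EXEEXT"
+enableaccount="$PYTHON `dirname $0`/../../source4/setup/enableaccount"
+setpassword="$PYTHON `dirname $0`/../../source4/setup/setpassword"
+newuser="$PYTHON `dirname $0`/../../source4/setup/newuser"
+
+. `dirname $0`/subunit.sh
+
+test_smbclient() {
+name="$1"
+cmd="$2"
+shift
+shift
+echo "test: $name"
+$VALGRIND $smbclient //$SERVER/tmp -c "$cmd" -W "$DOMAIN" $@
+status=$?
+if [ x$status = x0 ]; then
+echo "success: $name"
+else
+echo "failure: $name"
+fi
+return $status
+}
+
+USERPASS=testPaSS@01%
+
+testit "create user locally" $VALGRIND $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1`
+
+KRB5CCNAME="$PREFIX/tmpuserccache"
+export KRB5CCNAME
+
+echo $USERPASS > $PREFIX/tmpuserpassfile
+
+testit "kinit with user password" $samba4kinit --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
+
+NEWUSERPASS=testPaSS@02%
+testit "change user password with 'net password change' (unforced)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS -k no $NEWUSERPASS $@ || failed=`expr $failed + 1`
+
+echo $NEWUSERPASS > ./tmpuserpassfile
+testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
+
+
+USERPASS=$NEWUSERPASS
+NEWUSERPASS=testPaSS@03%
+
+cat > ./tmpkpasswdscript <<EOF
+expect Password
+password ${USERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos (unforced)" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+
+
+NEWUSERPASS=testPaSS@04%
+testit "set password on user locally" $VALGRIND $setpassword nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
+USERPASS=$NEWUSERPASS
+
+NEWUSERPASS=testPaSS@05%
+testit "change user password with 'net password change' (after must change flag set)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS -k no $NEWUSERPASS $@ || failed=`expr $failed + 1`
+USERPASS=$NEWUSERPASS
+
+NEWUSERPASS=testPaSS@06%
+testit "set password on user locally" $VALGRIND $setpassword nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
+USERPASS=$NEWUSERPASS
+
+NEWUSERPASS=testPaSS@07%
+
+cat > ./tmpkpasswdscript <<EOF
+expect Password
+password ${USERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+testit "change user password with kpasswd (after must change flag set)" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+
+testit "del user" $VALGRIND $net user delete nettestuser -U"$USERNAME%$PASSWORD" -k no $@ || failed=`expr $failed + 1`
+
+rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
+exit $failed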
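Review bot: The final `rm -f` names files relative to the working directory, but the first password file and the credential cache are created under `$PREFIX` (`$PREFIX/tmpuserpassfile`, `KRB5CCNAME="$PREFIX/tmpuserccache"`), so a cleartext test password and a Kerberos ccache stay on disk after the run unless the two directories coincide; `tmpccfile` and `tmppassfile` are never created in this script. I would change it to `rm -f $PREFIX/tmpuserpassfile $PREFIX/tmpuserccache ./tmpuserpassfile ./tmpkpasswdscript`. The argument check accepts five arguments while the script reads `$6` and runs `shift 6`, so it should read `if [ $# -lt 6 ]; then`, and the header comment and usage text still name test_kinit.sh. The `create user locally` step never passes `--must-change-at-next-login`, so the new `newuser` option is not exercised, and no step checks that an ordinary login is refused while the flag is set.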