sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
Code

s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)

Browse Source 
This demonstrates the pre-authentication failures with passwords from
the password history don't incremend badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2022-02-25 05:16:36 +01:00 committed by Andrew Bartlett
parent 370ba4ad52
commit 28cf6c7067
2 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
selftest/knownfail.d/test_login_basics_krb5 Normal file
View File

@ -0,0 +1 @@
^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5

8
source4/dsdb/tests/python/login_basics.py
View File

@ -140,18 +140,16 @@ userPassword: %s
# for Kerberos, logging in with the old password fails
if creds.get_kerberos_state() == MUST_USE_KERBEROS:
self.assertLoginFailure(ldap_url, test_creds, self.lp)
info_msg = 'Test Kerberos login with old password fails'
expectBadPwdTime = ("greater", badPasswordTime)
info_msg = 'Test Kerberos login with old password fails (but badPwdCount=0)'
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=expectBadPwdTime,
badPwdCount=0,
badPasswordTime=badPasswordTime,
logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0,
msg=info_msg)
badPasswordTime = int(res[0]["badPasswordTime"][0])
else:
# for NTLM, logging in with the old password succeeds
user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)