
s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)

This demonstrates that pre-authentication failures with passwords from
the password history don't increment badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher 2022-02-25 05:16:36 +01:00 committed by Andrew Bartlett
parent 370ba4ad52
commit 28cf6c7067
2 changed files with 4 additions and 5 deletions


@ -0,0 +1 @@
^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5


@ -140,18 +140,16 @@ userPassword: %s
# for Kerberos, logging in with the old password fails # for Kerberos, logging in with the old password fails
if creds.get_kerberos_state() == MUST_USE_KERBEROS: if creds.get_kerberos_state() == MUST_USE_KERBEROS:
self.assertLoginFailure(ldap_url, test_creds, self.lp) self.assertLoginFailure(ldap_url, test_creds, self.lp)
info_msg = 'Test Kerberos login with old password fails' info_msg = 'Test Kerberos login with old password fails (but badPwdCount=0)'
expectBadPwdTime = ("greater", badPasswordTime)
res = self._check_account(userdn, res = self._check_account(userdn,
badPwdCount=1, badPwdCount=0,
badPasswordTime=expectBadPwdTime, badPasswordTime=badPasswordTime,
logonCount=logonCount, logonCount=logonCount,
lastLogon=lastLogon, lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp, lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=UF_NORMAL_ACCOUNT, userAccountControl=UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0, msDSUserAccountControlComputed=0,
msg=info_msg) msg=info_msg)
badPasswordTime = int(res[0]["badPasswordTime"][0])
else: else:
# for NTLM, logging in with the old password succeeds # for NTLM, logging in with the old password succeeds
user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp) user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
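Review bot: The comment `# for Kerberos, logging in with the old password fails` at the top of the MUST_USE_KERBEROS branch no longer says what the assertions below it now pin down, namely that the rejected pre-authentication leaves badPwdCount at 0 and badPasswordTime unchanged because the password is still in the history. I would extend it to something like `# for Kerberos, the old password is rejected, but because it is in the password history the failure must not count towards lockout (badPwdCount and badPasswordTime stay unchanged)`. This exemption keeps a stale cached credential from locking the account, but it must not relax lockout for guessed passwords, so it is worth confirming that a Kerberos login with a password that was never set still increments badPwdCount; that case is not visible in this hunk and may already be covered elsewhere in the test. The else branch continues outside the hunk.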