s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)
This demonstrates that pre-authentication failures with passwords from the password history don't increment badPwdCount, similar to the NTLMSSP and simple bind cases. But it's still an interactive logon, which doesn't use 'old password allowed period'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
370ba4ad52
commit
28cf6c7067
1
selftest/knownfail.d/test_login_basics_krb5
Normal file
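--- /dev/null
+++ b/selftest/knownfail.d/test_login_basics_krb5
@@ -0,0 +1 @@
+^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5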
@ -140,18 +140,16 @@ userPassword: %s
|
|||||||
# for Kerberos, logging in with the old password fails
|
# for Kerberos, logging in with the old password fails
|
||||||
if creds.get_kerberos_state() == MUST_USE_KERBEROS:
|
if creds.get_kerberos_state() == MUST_USE_KERBEROS:
|
||||||
self.assertLoginFailure(ldap_url, test_creds, self.lp)
|
self.assertLoginFailure(ldap_url, test_creds, self.lp)
|
||||||
info_msg = 'Test Kerberos login with old password fails'
|
info_msg = 'Test Kerberos login with old password fails (but badPwdCount=0)'
|
||||||
expectBadPwdTime = ("greater", badPasswordTime)
|
|
||||||
res = self._check_account(userdn,
|
res = self._check_account(userdn,
|
||||||
badPwdCount=1,
|
badPwdCount=0,
|
||||||
badPasswordTime=expectBadPwdTime,
|
badPasswordTime=badPasswordTime,
|
||||||
logonCount=logonCount,
|
logonCount=logonCount,
|
||||||
lastLogon=lastLogon,
|
lastLogon=lastLogon,
|
||||||
lastLogonTimestamp=lastLogonTimestamp,
|
lastLogonTimestamp=lastLogonTimestamp,
|
||||||
userAccountControl=UF_NORMAL_ACCOUNT,
|
userAccountControl=UF_NORMAL_ACCOUNT,
|
||||||
msDSUserAccountControlComputed=0,
|
msDSUserAccountControlComputed=0,
|
||||||
msg=info_msg)
|
msg=info_msg)
|
||||||
badPasswordTime = int(res[0]["badPasswordTime"][0])
|
|
||||||
else:
|
else:
|
||||||
# for NTLM, logging in with the old password succeeds
|
# for NTLM, logging in with the old password succeeds
|
||||||
user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
|
user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
|
||||||
|
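Review bot: With `badPwdCount=0` and `badPasswordTime=badPasswordTime`, the Kerberos branch can no longer tell a pre-authentication failure on a history password apart from a login that failed before the password was ever checked, because `assertLoginFailure` plus unchanged counters is satisfied by both. The earlier expectation (`badPwdCount=1`) at least proved the attempt had been evaluated; a control right after `_check_account` that logs in with a never-used password and expects `badPwdCount=1` would restore that, unless the part of the test method outside this hunk already does it. The branch comment should also state the rule being pinned, for example `# old password is in the history: login fails, but badPwdCount/badPasswordTime must not change`. Because this exemption means a failed attempt that matches a history entry is not counted towards lockout, the comment is also the place to record that only history passwords are expected to get it.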