tests/passwords: Test that LDAP password changes work for Protected Users

We want to disable SAMR password changes for Protected Users, but need
to ensure that other methods of changing the password still work.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

selftest/knownfail.d/protected_users

@@ -1,3 +1,11 @@
 ^samba4.ldap.password_lockout.python\(ad_dc_slowtests\).__main__.PasswordTestsWithoutSleep.test_ntlm_lockout_protected.ad_dc_slowtests
 ^samba4.ldap.password_lockout.python\(ad_dc_slowtests\).__main__.PasswordTestsWithoutSleep.test_samr_change_password_protected.ad_dc_slowtests
 ^samba4.ldap.password_lockout.python\(ad_dc_slowtests\).__main__.PasswordTestsWithoutSleep.test_samr_set_password_protected.ad_dc_slowtests
+^samba4.ldap.passwords.python\(fl2003dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_change.fl2003dc
+^samba4.ldap.passwords.python\(fl2003dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_set.fl2003dc
+^samba4.ldap.passwords.python\(fl2008dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_change.fl2008dc
+^samba4.ldap.passwords.python\(fl2008dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_set.fl2008dc
+^samba4.ldap.passwords.python\(fl2008r2dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_change.fl2008r2dc
+^samba4.ldap.passwords.python\(fl2008r2dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_set.fl2008r2dc
+^samba4.ldap.passwords.python\(schema_dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_change.schema_dc
+^samba4.ldap.passwords.python\(schema_dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_set.schema_dc

source4/dsdb/tests/python/passwords.py

@@ -24,6 +24,7 @@ import samba.getopt as options
 
 from samba.auth import system_session
 from samba.credentials import Credentials
+from samba.dcerpc import security
 from ldb import SCOPE_BASE, LdbError
 from ldb import ERR_ATTRIBUTE_OR_VALUE_EXISTS
 from ldb import ERR_UNWILLING_TO_PERFORM, ERR_INSUFFICIENT_ACCESS_RIGHTS
@@ -237,6 +238,82 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')).
             self.assertEqual(num, ERR_CONSTRAINT_VIOLATION)
             self.assertTrue('0000052D' in msg)
 
+    def test_protected_unicodePwd_clear_set(self):
+        """Performs a password cleartext set operation on 'unicodePwd' with the user in
+the Protected Users group"""
+
+        user_dn = f'cn=testuser,cn=users,{self.base_dn}'
+
+        # Add the user to the Protected Users group.
+
+        # Search for the Protected Users group.
+        group_dn = Dn(self.ldb,
+                      f'<SID={self.ldb.get_domain_sid()}-'
+                      f'{security.DOMAIN_RID_PROTECTED_USERS}>')
+        try:
+            group_res = self.ldb.search(base=group_dn,
+                                        scope=SCOPE_BASE,
+                                        attrs=['member'])
+        except LdbError as err:
+            self.fail(err)
+
+        # Add the user to the list of members.
+        members = list(group_res[0].get('member', ()))
+        members.append(user_dn)
+
+        m = Message(group_dn)
+        m['member'] = MessageElement(members,
+                                     FLAG_MOD_REPLACE,
+                                     'member')
+        self.ldb.modify(m)
+
+        m = Message()
+        m.dn = Dn(self.ldb, user_dn)
+        m['unicodePwd'] = MessageElement(
+            '"thatsAcomplPASS2"'.encode('utf-16-le'),
+            FLAG_MOD_REPLACE, 'unicodePwd')
+        self.ldb.modify(m)
+
+    def test_protected_unicodePwd_clear_change(self):
+        """Performs a password cleartext change operation on 'unicodePwd' with the user
+in the Protected Users group"""
+
+        user_dn = f'cn=testuser,cn=users,{self.base_dn}'
+
+        # Add the user to the Protected Users group.
+
+        # Search for the Protected Users group.
+        group_dn = Dn(self.ldb,
+                      f'<SID={self.ldb.get_domain_sid()}-'
+                      f'{security.DOMAIN_RID_PROTECTED_USERS}>')
+        try:
+            group_res = self.ldb.search(base=group_dn,
+                                        scope=SCOPE_BASE,
+                                        attrs=['member'])
+        except LdbError as err:
+            self.fail(err)
+
+        # Add the user to the list of members.
+        members = list(group_res[0].get('member', ()))
+        members.append(user_dn)
+
+        m = Message(group_dn)
+        m['member'] = MessageElement(members,
+                                     FLAG_MOD_REPLACE,
+                                     'member')
+        self.ldb.modify(m)
+
+        self.ldb2.modify_ldif(f"""
+dn: cn=testuser,cn=users,{self.base_dn}
+changetype: modify
+delete: unicodePwd
+unicodePwd:: {base64.b64encode('"thatsAcomplPASS1"'.encode('utf-16-le'))
+        .decode('utf8')}
+add: unicodePwd
+unicodePwd:: {base64.b64encode('"thatsAcomplPASS2"'.encode('utf-16-le'))
+        .decode('utf8')}
+""")
+
     def test_dBCSPwd_hash_set(self):
         """Performs a password hash set operation on 'dBCSPwd' which should be prevented"""
         # Notice: Direct hash password sets should never work