1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00

tests/rodc: Check SID restriction for SendToSam

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Garming Sam 2017-04-26 16:32:51 +12:00 committed by Andrew Bartlett
parent 7dfe7df6d0
commit 452170db2c
2 changed files with 73 additions and 0 deletions

View File

@ -335,3 +335,4 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
^samba4.ldap.rodc_rwdc.python\(rodc\).__main__.RodcRwdcCachedTests.test_login_lockout_not_revealed

View File

@ -283,6 +283,78 @@ class RodcRwdcCachedTests(password_lockout_base.BasePasswordTestCase):
self._test_login_lockout_rodc_rwdc(self.lockout1ntlm_creds, userdn)
def test_login_lockout_not_revealed(self):
'''Test that SendToSam is restricted by preloaded users/groups'''
username = self.lockout1ntlm_creds.get_username()
userpass = self.lockout1ntlm_creds.get_password()
userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
# Preload but do not add to revealed group
preload_rodc_user(userdn)
self.kerberos = False
creds = self.lockout1ntlm_creds
# Open a second LDB connection with the user credentials. Use the
# command line credentials for informations like the domain, the realm
# and the workstation.
creds_lockout = self.insta_creds(creds)
# The wrong password
creds_lockout.set_password("thatsAcomplPASS1x")
self.assertLoginFailure(self.host_url, creds_lockout, self.lp)
badPasswordTime = 0
logonCount = 0
lastLogon = 0
lastLogonTimestamp=0
logoncount_relation = ''
lastlogon_relation = ''
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0,
msg='lastlogontimestamp with wrong password')
badPasswordTime = int(res[0]["badPasswordTime"][0])
# BadPwdCount on RODC increases alongside RWDC
res = self.rodc_db.search(userdn, attrs=['badPwdCount'])
self.assertTrue('badPwdCount' in res[0])
self.assertEqual(int(res[0]['badPwdCount'][0]), 1)
# Correct old password
creds_lockout.set_password(userpass)
ldb_lockout = SamDB(url=self.host_url, credentials=creds_lockout, lp=self.lp)
# Wait for potential SendToSam...
time.sleep(5)
# BadPwdCount on RODC decreases, but not the RWDC
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=badPasswordTime,
logonCount=(logoncount_relation, logonCount),
lastLogon=('greater', lastLogon),
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0,
msg='badPwdCount not reset on RWDC')
res = self.rodc_db.search(userdn, attrs=['badPwdCount'])
self.assertTrue('badPwdCount' in res[0])
self.assertEqual(int(res[0]['badPwdCount'][0]), 0)
def _test_login_lockout_rodc_rwdc(self, creds, userdn):
username = creds.get_username()
userpass = creds.get_password()