mirror of
https://github.com/samba-team/samba.git
synced 2025-01-22 22:04:08 +03:00
netcmd: Split 'domain passwordsettings' into a super-command
The show and set options are not really related to each other at all, so it makes sense to split the code into 2 separate commands. We also want to add separate sub-commands for PSOs in a subsequent patch. Because of the way the sub-command was implemented previously, it meant that you could specify other command-line options before the 'set' or 'show' keyword, and the command would still be accepted. However, now that it's a super-command 'set'/'show' needs to be specified before any additional arguments, so we need to update the test code to reflect this. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
This commit is contained in:
parent
0da9dbbf5a
commit
7255e0ced3
@ -1263,18 +1263,10 @@ class cmd_domain_level(Command):
|
||||
else:
|
||||
raise CommandError("invalid argument: '%s' (choose from 'show', 'raise')" % subcommand)
|
||||
|
||||
class cmd_domain_passwordsettings_show(Command):
|
||||
"""Display current password settings for the domain."""
|
||||
|
||||
class cmd_domain_passwordsettings(Command):
|
||||
"""Set password settings.
|
||||
|
||||
Password complexity, password lockout policy, history length,
|
||||
minimum password length, the minimum and maximum password age) on
|
||||
a Samba AD DC server.
|
||||
|
||||
Use against a Windows DC is possible, but group policy will override it.
|
||||
"""
|
||||
|
||||
synopsis = "%prog (show|set <options>) [options]"
|
||||
synopsis = "%prog [options]"
|
||||
|
||||
takes_optiongroups = {
|
||||
"sambaopts": options.SambaOptions,
|
||||
@ -1285,34 +1277,9 @@ class cmd_domain_passwordsettings(Command):
|
||||
takes_options = [
|
||||
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
|
||||
metavar="URL", dest="H"),
|
||||
Option("--quiet", help="Be quiet", action="store_true"),
|
||||
Option("--complexity", type="choice", choices=["on","off","default"],
|
||||
help="The password complexity (on | off | default). Default is 'on'"),
|
||||
Option("--store-plaintext", type="choice", choices=["on","off","default"],
|
||||
help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
|
||||
Option("--history-length",
|
||||
help="The password history length (<integer> | default). Default is 24.", type=str),
|
||||
Option("--min-pwd-length",
|
||||
help="The minimum password length (<integer> | default). Default is 7.", type=str),
|
||||
Option("--min-pwd-age",
|
||||
help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
|
||||
Option("--max-pwd-age",
|
||||
help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
|
||||
Option("--account-lockout-duration",
|
||||
help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins> | default). Default is 30 mins.", type=str),
|
||||
Option("--account-lockout-threshold",
|
||||
help="The number of bad password attempts allowed before locking out the account (<integer> | default). Default is 0 (never lock out).", type=str),
|
||||
Option("--reset-account-lockout-after",
|
||||
help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer> | default). Default is 30.", type=str),
|
||||
]
|
||||
|
||||
takes_args = ["subcommand"]
|
||||
|
||||
def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
|
||||
quiet=False, complexity=None, store_plaintext=None, history_length=None,
|
||||
min_pwd_length=None, account_lockout_duration=None, account_lockout_threshold=None,
|
||||
reset_account_lockout_after=None, credopts=None, sambaopts=None,
|
||||
versionopts=None):
|
||||
def run(self, H=None, credopts=None, sambaopts=None, versionopts=None):
|
||||
lp = sambaopts.get_loadparm()
|
||||
creds = credopts.get_credentials(lp)
|
||||
|
||||
@ -1345,170 +1312,227 @@ class cmd_domain_passwordsettings(Command):
|
||||
except Exception as e:
|
||||
raise CommandError("Could not retrieve password properties!", e)
|
||||
|
||||
if subcommand == "show":
|
||||
self.message("Password informations for domain '%s'" % domain_dn)
|
||||
self.message("")
|
||||
if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
|
||||
self.message("Password complexity: on")
|
||||
else:
|
||||
self.message("Password complexity: off")
|
||||
if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
|
||||
self.message("Store plaintext passwords: on")
|
||||
else:
|
||||
self.message("Store plaintext passwords: off")
|
||||
self.message("Password history length: %d" % pwd_hist_len)
|
||||
self.message("Minimum password length: %d" % cur_min_pwd_len)
|
||||
self.message("Minimum password age (days): %d" % cur_min_pwd_age)
|
||||
self.message("Maximum password age (days): %d" % cur_max_pwd_age)
|
||||
self.message("Account lockout duration (mins): %d" % cur_account_lockout_duration)
|
||||
self.message("Account lockout threshold (attempts): %d" % cur_account_lockout_threshold)
|
||||
self.message("Reset account lockout after (mins): %d" % cur_reset_account_lockout_after)
|
||||
elif subcommand == "set":
|
||||
msgs = []
|
||||
m = ldb.Message()
|
||||
m.dn = ldb.Dn(samdb, domain_dn)
|
||||
pwd_props = int(samdb.get_pwdProperties())
|
||||
|
||||
if complexity is not None:
|
||||
if complexity == "on" or complexity == "default":
|
||||
pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
|
||||
msgs.append("Password complexity activated!")
|
||||
elif complexity == "off":
|
||||
pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
|
||||
msgs.append("Password complexity deactivated!")
|
||||
|
||||
if store_plaintext is not None:
|
||||
if store_plaintext == "on" or store_plaintext == "default":
|
||||
pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
|
||||
msgs.append("Plaintext password storage for changed passwords activated!")
|
||||
elif store_plaintext == "off":
|
||||
pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
|
||||
msgs.append("Plaintext password storage for changed passwords deactivated!")
|
||||
|
||||
if complexity is not None or store_plaintext is not None:
|
||||
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
|
||||
ldb.FLAG_MOD_REPLACE, "pwdProperties")
|
||||
|
||||
if history_length is not None:
|
||||
if history_length == "default":
|
||||
pwd_hist_len = 24
|
||||
else:
|
||||
pwd_hist_len = int(history_length)
|
||||
|
||||
if pwd_hist_len < 0 or pwd_hist_len > 24:
|
||||
raise CommandError("Password history length must be in the range of 0 to 24!")
|
||||
|
||||
m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
|
||||
ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
|
||||
msgs.append("Password history length changed!")
|
||||
|
||||
if min_pwd_length is not None:
|
||||
if min_pwd_length == "default":
|
||||
min_pwd_len = 7
|
||||
else:
|
||||
min_pwd_len = int(min_pwd_length)
|
||||
|
||||
if min_pwd_len < 0 or min_pwd_len > 14:
|
||||
raise CommandError("Minimum password length must be in the range of 0 to 14!")
|
||||
|
||||
m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
|
||||
ldb.FLAG_MOD_REPLACE, "minPwdLength")
|
||||
msgs.append("Minimum password length changed!")
|
||||
|
||||
if min_pwd_age is not None:
|
||||
if min_pwd_age == "default":
|
||||
min_pwd_age = 1
|
||||
else:
|
||||
min_pwd_age = int(min_pwd_age)
|
||||
|
||||
if min_pwd_age < 0 or min_pwd_age > 998:
|
||||
raise CommandError("Minimum password age must be in the range of 0 to 998!")
|
||||
|
||||
# days -> ticks
|
||||
min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
|
||||
|
||||
m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
|
||||
ldb.FLAG_MOD_REPLACE, "minPwdAge")
|
||||
msgs.append("Minimum password age changed!")
|
||||
|
||||
if max_pwd_age is not None:
|
||||
if max_pwd_age == "default":
|
||||
max_pwd_age = 43
|
||||
else:
|
||||
max_pwd_age = int(max_pwd_age)
|
||||
|
||||
if max_pwd_age < 0 or max_pwd_age > 999:
|
||||
raise CommandError("Maximum password age must be in the range of 0 to 999!")
|
||||
|
||||
# days -> ticks
|
||||
if max_pwd_age == 0:
|
||||
max_pwd_age_ticks = -0x8000000000000000
|
||||
else:
|
||||
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
|
||||
|
||||
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
|
||||
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
|
||||
msgs.append("Maximum password age changed!")
|
||||
|
||||
if account_lockout_duration is not None:
|
||||
if account_lockout_duration == "default":
|
||||
account_lockout_duration = 30
|
||||
else:
|
||||
account_lockout_duration = int(account_lockout_duration)
|
||||
|
||||
if account_lockout_duration < 0 or account_lockout_duration > 99999:
|
||||
raise CommandError("Maximum password age must be in the range of 0 to 99999!")
|
||||
|
||||
# minutes -> ticks
|
||||
if account_lockout_duration == 0:
|
||||
account_lockout_duration_ticks = -0x8000000000000000
|
||||
else:
|
||||
account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7))
|
||||
|
||||
m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks),
|
||||
ldb.FLAG_MOD_REPLACE, "lockoutDuration")
|
||||
msgs.append("Account lockout duration changed!")
|
||||
|
||||
if account_lockout_threshold is not None:
|
||||
if account_lockout_threshold == "default":
|
||||
account_lockout_threshold = 0
|
||||
else:
|
||||
account_lockout_threshold = int(account_lockout_threshold)
|
||||
|
||||
m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold),
|
||||
ldb.FLAG_MOD_REPLACE, "lockoutThreshold")
|
||||
msgs.append("Account lockout threshold changed!")
|
||||
|
||||
if reset_account_lockout_after is not None:
|
||||
if reset_account_lockout_after == "default":
|
||||
reset_account_lockout_after = 30
|
||||
else:
|
||||
reset_account_lockout_after = int(reset_account_lockout_after)
|
||||
|
||||
if reset_account_lockout_after < 0 or reset_account_lockout_after > 99999:
|
||||
raise CommandError("Maximum password age must be in the range of 0 to 99999!")
|
||||
|
||||
# minutes -> ticks
|
||||
if reset_account_lockout_after == 0:
|
||||
reset_account_lockout_after_ticks = -0x8000000000000000
|
||||
else:
|
||||
reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7))
|
||||
|
||||
m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks),
|
||||
ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
|
||||
msgs.append("Duration to reset account lockout after changed!")
|
||||
|
||||
if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
|
||||
raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
|
||||
|
||||
if len(m) == 0:
|
||||
raise CommandError("You must specify at least one option to set. Try --help")
|
||||
samdb.modify(m)
|
||||
msgs.append("All changes applied successfully!")
|
||||
self.message("\n".join(msgs))
|
||||
self.message("Password informations for domain '%s'" % domain_dn)
|
||||
self.message("")
|
||||
if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
|
||||
self.message("Password complexity: on")
|
||||
else:
|
||||
raise CommandError("Wrong argument '%s'!" % subcommand)
|
||||
self.message("Password complexity: off")
|
||||
if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
|
||||
self.message("Store plaintext passwords: on")
|
||||
else:
|
||||
self.message("Store plaintext passwords: off")
|
||||
self.message("Password history length: %d" % pwd_hist_len)
|
||||
self.message("Minimum password length: %d" % cur_min_pwd_len)
|
||||
self.message("Minimum password age (days): %d" % cur_min_pwd_age)
|
||||
self.message("Maximum password age (days): %d" % cur_max_pwd_age)
|
||||
self.message("Account lockout duration (mins): %d" % cur_account_lockout_duration)
|
||||
self.message("Account lockout threshold (attempts): %d" % cur_account_lockout_threshold)
|
||||
self.message("Reset account lockout after (mins): %d" % cur_reset_account_lockout_after)
|
||||
|
||||
class cmd_domain_passwordsettings_set(Command):
|
||||
"""Set password settings.
|
||||
|
||||
Password complexity, password lockout policy, history length,
|
||||
minimum password length, the minimum and maximum password age) on
|
||||
a Samba AD DC server.
|
||||
|
||||
Use against a Windows DC is possible, but group policy will override it.
|
||||
"""
|
||||
|
||||
synopsis = "%prog <options> [options]"
|
||||
|
||||
takes_optiongroups = {
|
||||
"sambaopts": options.SambaOptions,
|
||||
"versionopts": options.VersionOptions,
|
||||
"credopts": options.CredentialsOptions,
|
||||
}
|
||||
|
||||
takes_options = [
|
||||
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
|
||||
metavar="URL", dest="H"),
|
||||
Option("--quiet", help="Be quiet", action="store_true"),
|
||||
Option("--complexity", type="choice", choices=["on","off","default"],
|
||||
help="The password complexity (on | off | default). Default is 'on'"),
|
||||
Option("--store-plaintext", type="choice", choices=["on","off","default"],
|
||||
help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
|
||||
Option("--history-length",
|
||||
help="The password history length (<integer> | default). Default is 24.", type=str),
|
||||
Option("--min-pwd-length",
|
||||
help="The minimum password length (<integer> | default). Default is 7.", type=str),
|
||||
Option("--min-pwd-age",
|
||||
help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
|
||||
Option("--max-pwd-age",
|
||||
help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
|
||||
Option("--account-lockout-duration",
|
||||
help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins> | default). Default is 30 mins.", type=str),
|
||||
Option("--account-lockout-threshold",
|
||||
help="The number of bad password attempts allowed before locking out the account (<integer> | default). Default is 0 (never lock out).", type=str),
|
||||
Option("--reset-account-lockout-after",
|
||||
help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer> | default). Default is 30.", type=str),
|
||||
]
|
||||
|
||||
def run(self, H=None, min_pwd_age=None, max_pwd_age=None,
|
||||
quiet=False, complexity=None, store_plaintext=None, history_length=None,
|
||||
min_pwd_length=None, account_lockout_duration=None, account_lockout_threshold=None,
|
||||
reset_account_lockout_after=None, credopts=None, sambaopts=None,
|
||||
versionopts=None):
|
||||
lp = sambaopts.get_loadparm()
|
||||
creds = credopts.get_credentials(lp)
|
||||
|
||||
samdb = SamDB(url=H, session_info=system_session(),
|
||||
credentials=creds, lp=lp)
|
||||
|
||||
domain_dn = samdb.domain_dn()
|
||||
msgs = []
|
||||
m = ldb.Message()
|
||||
m.dn = ldb.Dn(samdb, domain_dn)
|
||||
pwd_props = int(samdb.get_pwdProperties())
|
||||
|
||||
if complexity is not None:
|
||||
if complexity == "on" or complexity == "default":
|
||||
pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
|
||||
msgs.append("Password complexity activated!")
|
||||
elif complexity == "off":
|
||||
pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
|
||||
msgs.append("Password complexity deactivated!")
|
||||
|
||||
if store_plaintext is not None:
|
||||
if store_plaintext == "on" or store_plaintext == "default":
|
||||
pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
|
||||
msgs.append("Plaintext password storage for changed passwords activated!")
|
||||
elif store_plaintext == "off":
|
||||
pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
|
||||
msgs.append("Plaintext password storage for changed passwords deactivated!")
|
||||
|
||||
if complexity is not None or store_plaintext is not None:
|
||||
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
|
||||
ldb.FLAG_MOD_REPLACE, "pwdProperties")
|
||||
|
||||
if history_length is not None:
|
||||
if history_length == "default":
|
||||
pwd_hist_len = 24
|
||||
else:
|
||||
pwd_hist_len = int(history_length)
|
||||
|
||||
if pwd_hist_len < 0 or pwd_hist_len > 24:
|
||||
raise CommandError("Password history length must be in the range of 0 to 24!")
|
||||
|
||||
m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
|
||||
ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
|
||||
msgs.append("Password history length changed!")
|
||||
|
||||
if min_pwd_length is not None:
|
||||
if min_pwd_length == "default":
|
||||
min_pwd_len = 7
|
||||
else:
|
||||
min_pwd_len = int(min_pwd_length)
|
||||
|
||||
if min_pwd_len < 0 or min_pwd_len > 14:
|
||||
raise CommandError("Minimum password length must be in the range of 0 to 14!")
|
||||
|
||||
m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
|
||||
ldb.FLAG_MOD_REPLACE, "minPwdLength")
|
||||
msgs.append("Minimum password length changed!")
|
||||
|
||||
if min_pwd_age is not None:
|
||||
if min_pwd_age == "default":
|
||||
min_pwd_age = 1
|
||||
else:
|
||||
min_pwd_age = int(min_pwd_age)
|
||||
|
||||
if min_pwd_age < 0 or min_pwd_age > 998:
|
||||
raise CommandError("Minimum password age must be in the range of 0 to 998!")
|
||||
|
||||
# days -> ticks
|
||||
min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
|
||||
|
||||
m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
|
||||
ldb.FLAG_MOD_REPLACE, "minPwdAge")
|
||||
msgs.append("Minimum password age changed!")
|
||||
|
||||
if max_pwd_age is not None:
|
||||
if max_pwd_age == "default":
|
||||
max_pwd_age = 43
|
||||
else:
|
||||
max_pwd_age = int(max_pwd_age)
|
||||
|
||||
if max_pwd_age < 0 or max_pwd_age > 999:
|
||||
raise CommandError("Maximum password age must be in the range of 0 to 999!")
|
||||
|
||||
# days -> ticks
|
||||
if max_pwd_age == 0:
|
||||
max_pwd_age_ticks = -0x8000000000000000
|
||||
else:
|
||||
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
|
||||
|
||||
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
|
||||
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
|
||||
msgs.append("Maximum password age changed!")
|
||||
|
||||
if account_lockout_duration is not None:
|
||||
if account_lockout_duration == "default":
|
||||
account_lockout_duration = 30
|
||||
else:
|
||||
account_lockout_duration = int(account_lockout_duration)
|
||||
|
||||
if account_lockout_duration < 0 or account_lockout_duration > 99999:
|
||||
raise CommandError("Maximum password age must be in the range of 0 to 99999!")
|
||||
|
||||
# minutes -> ticks
|
||||
if account_lockout_duration == 0:
|
||||
account_lockout_duration_ticks = -0x8000000000000000
|
||||
else:
|
||||
account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7))
|
||||
|
||||
m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks),
|
||||
ldb.FLAG_MOD_REPLACE, "lockoutDuration")
|
||||
msgs.append("Account lockout duration changed!")
|
||||
|
||||
if account_lockout_threshold is not None:
|
||||
if account_lockout_threshold == "default":
|
||||
account_lockout_threshold = 0
|
||||
else:
|
||||
account_lockout_threshold = int(account_lockout_threshold)
|
||||
|
||||
m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold),
|
||||
ldb.FLAG_MOD_REPLACE, "lockoutThreshold")
|
||||
msgs.append("Account lockout threshold changed!")
|
||||
|
||||
if reset_account_lockout_after is not None:
|
||||
if reset_account_lockout_after == "default":
|
||||
reset_account_lockout_after = 30
|
||||
else:
|
||||
reset_account_lockout_after = int(reset_account_lockout_after)
|
||||
|
||||
if reset_account_lockout_after < 0 or reset_account_lockout_after > 99999:
|
||||
raise CommandError("Maximum password age must be in the range of 0 to 99999!")
|
||||
|
||||
# minutes -> ticks
|
||||
if reset_account_lockout_after == 0:
|
||||
reset_account_lockout_after_ticks = -0x8000000000000000
|
||||
else:
|
||||
reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7))
|
||||
|
||||
m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks),
|
||||
ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
|
||||
msgs.append("Duration to reset account lockout after changed!")
|
||||
|
||||
if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
|
||||
raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
|
||||
|
||||
if len(m) == 0:
|
||||
raise CommandError("You must specify at least one option to set. Try --help")
|
||||
samdb.modify(m)
|
||||
msgs.append("All changes applied successfully!")
|
||||
self.message("\n".join(msgs))
|
||||
|
||||
class cmd_domain_passwordsettings(SuperCommand):
|
||||
"""Manage password policy settings."""
|
||||
|
||||
subcommands = {}
|
||||
subcommands["show"] = cmd_domain_passwordsettings_show()
|
||||
subcommands["set"] = cmd_domain_passwordsettings_set()
|
||||
|
||||
class cmd_domain_classicupgrade(Command):
|
||||
"""Upgrade from Samba classic (NT4-like) database to Samba AD DC database.
|
||||
|
@ -25,6 +25,6 @@ testit "setpassword" $samba_tool user setpassword --configfile=$PREFIX/simple-dc
|
||||
|
||||
testit "setpassword" $samba_tool user setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testp@ssw0Rd --must-change-at-next-login
|
||||
|
||||
testit "passwordsettings" $samba_tool domain passwordsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default --store-plaintext=on
|
||||
testit "passwordsettings" $samba_tool domain passwordsettings set --quiet --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default --store-plaintext=on
|
||||
|
||||
exit $failed
|
||||
|
@ -63,7 +63,7 @@ ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
|
||||
export KRB5CCNAME
|
||||
rm -rf $KRB5CCNAME_PATH
|
||||
|
||||
testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $samba_tool domain passwordsettings $ADMIN_LDBMODIFY_CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
echo $PASSWORD > $PREFIX/tmppassfile
|
||||
testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
|
||||
@ -253,7 +253,7 @@ rm -f $KRB5CCNAME_PATH
|
||||
testit "kinit with machineaccountccache script" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1`
|
||||
test_smbclient "Test machine account login with kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
|
||||
|
||||
testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $ADMIN_LDBMODIFY_CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
|
||||
exit $failed
|
||||
|
@ -68,7 +68,7 @@ ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
|
||||
export KRB5CCNAME
|
||||
rm -rf $KRB5CCNAME_PATH
|
||||
|
||||
testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $samba_tool domain passwordsettings $ADMIN_LDBMODIFY_CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
cat > $PREFIX/tmpkinitscript <<EOF
|
||||
expect Password for
|
||||
@ -297,7 +297,7 @@ rm -f $KRB5CCNAME_PATH
|
||||
testit "kinit with machineaccountccache script" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1`
|
||||
test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
|
||||
|
||||
testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $ADMIN_LDBMODIFY_CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
### Cleanup
|
||||
|
||||
|
@ -53,7 +53,7 @@ CONFIG="--configfile=$PREFIX/etc/smb.conf"
|
||||
export CONFIG
|
||||
|
||||
testit "reset password policies beside of minimum password age of 0 days" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
TEST_USERNAME="$(mktemp -u alice-XXXXXX)"
|
||||
TEST_PRINCIPAL="$TEST_USERNAME@$REALM"
|
||||
@ -208,7 +208,7 @@ test_smbclient "Test login with smbclient (ntlm)" \
|
||||
###########################################################
|
||||
|
||||
testit "reset password policies" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
testit "delete user" \
|
||||
$VALGRIND $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=`expr $failed + 1`
|
||||
|
@ -52,7 +52,7 @@ CONFIG="--configfile=$PREFIX/etc/smb.conf"
|
||||
export CONFIG
|
||||
|
||||
testit "reset password policies beside of minimum password age of 0 days" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
TEST_USERNAME="samson"
|
||||
TEST_PASSWORD="testPaSS@00%"
|
||||
@ -219,7 +219,7 @@ test_smbclient "Test login with smbclient (ntlm)" \
|
||||
###########################################################
|
||||
|
||||
testit "reset password policies" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
testit "delete user" \
|
||||
$VALGRIND $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=`expr $failed + 1`
|
||||
|
@ -59,7 +59,7 @@ CONFIG="--configfile=$PREFIX/etc/smb.conf"
|
||||
export CONFIG
|
||||
|
||||
testit "reset password policies beside of minimum password age of 0 days" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
TEST_USERNAME="$(mktemp -u alice-XXXXXX)"
|
||||
TEST_PASSWORD="testPaSS@00%"
|
||||
@ -194,7 +194,7 @@ testit_expect_failure "try to set a short password (command should not succeed)"
|
||||
$VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_SHORT" && failed=`expr $failed + 1`
|
||||
|
||||
testit "allow short passwords (length 1)" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --min-pwd-length=1 || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings set $CONFIG --min-pwd-length=1 || failed=`expr $failed + 1`
|
||||
|
||||
testit "try to set a short password (command should succeed)" \
|
||||
$VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_SHORT" || failed=`expr $failed + 1`
|
||||
@ -203,16 +203,16 @@ TEST_PASSWORD=$TEST_PASSWORD_SHORT
|
||||
TEST_PASSWORD_NEW="testPaSS@07%"
|
||||
|
||||
testit "require minimum password age of 1 day" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --min-pwd-age=1 || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings set $CONFIG --min-pwd-age=1 || failed=`expr $failed + 1`
|
||||
|
||||
testit "show password settings" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG show || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings show $CONFIG || failed=`expr $failed + 1`
|
||||
|
||||
testit_expect_failure "try to change password too quickly (command should not succeed)" \
|
||||
$VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_NEW" && failed=`expr $failed + 1`
|
||||
|
||||
testit "reset password policies" \
|
||||
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
$VALGRIND $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
|
||||
|
||||
testit "delete user $TEST_USERNAME" \
|
||||
$VALGRIND $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=`expr $failed + 1`
|
||||
|
Loading…
x
Reference in New Issue
Block a user