sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-03 04:22:09 +03:00
Code Activity

s4:dsdb/tests: let password_lockout.py test with all combinations of krb5, ntlmssp and lockOutObservationWindow

Browse Source 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher
2016-02-05 08:37:53 +01:00
committed by Andrew Bartlett
parent ca874c200e
commit 72d16f9900
1 changed files with 68 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
source4/dsdb/tests/python/password_lockout.py
View File

@ -563,11 +563,25 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED) self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid) self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)
self.creds2 = insta_creds() # (Re)adds the test user accounts
self.ldb2 = self._readd_user(self.creds2) self.lockout1krb5_creds = insta_creds(username="lockout1krb5",
userpass="thatsAcomplPASS0",
self.creds3 = insta_creds(username="testuser3", userpass="thatsAcomplPASS1") kerberos_state=MUST_USE_KERBEROS)
self.ldb3 = self._readd_user(self.creds3) self.lockout1krb5_ldb = self._readd_user(self.lockout1krb5_creds)
self.lockout2krb5_creds = insta_creds(username="lockout2krb5",
userpass="thatsAcomplPASS0",
kerberos_state=MUST_USE_KERBEROS)
self.lockout2krb5_ldb = self._readd_user(self.lockout2krb5_creds,
lockOutObservationWindow=self.lockout_observation_window)
self.lockout1ntlm_creds = insta_creds(username="lockout1ntlm",
userpass="thatsAcomplPASS0",
kerberos_state=DONT_USE_KERBEROS)
self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)
self.lockout2ntlm_creds = insta_creds(username="lockout2ntlm",
userpass="thatsAcomplPASS0",
kerberos_state=DONT_USE_KERBEROS)
self.lockout2ntlm_ldb = self._readd_user(self.lockout2ntlm_creds,
lockOutObservationWindow=self.lockout_observation_window)
def _test_userPassword_lockout_with_clear_change(self, creds, other_ldb, method): def _test_userPassword_lockout_with_clear_change(self, creds, other_ldb, method):
print "Performs a password cleartext change operation on 'userPassword'" print "Performs a password cleartext change operation on 'userPassword'"
@ -952,19 +966,34 @@ userPassword: thatsAcomplPASS2XYZ
dsdb.UF_NORMAL_ACCOUNT, dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0) msDSUserAccountControlComputed=0)
def test_userPassword_lockout_with_clear_change_ldap_userAccountControl(self): def test_userPassword_lockout_with_clear_change_krb5_ldap_userAccountControl(self):
self._test_userPassword_lockout_with_clear_change(self.creds2, self._test_userPassword_lockout_with_clear_change(self.lockout1krb5_creds,
self.ldb3, self.lockout2krb5_ldb,
"ldap_userAccountControl") "ldap_userAccountControl")
def test_userPassword_lockout_with_clear_change_ldap_lockoutTime(self): def test_userPassword_lockout_with_clear_change_krb5_ldap_lockoutTime(self):
self._test_userPassword_lockout_with_clear_change(self.creds2, self._test_userPassword_lockout_with_clear_change(self.lockout1krb5_creds,
self.ldb3, self.lockout2krb5_ldb,
"ldap_lockoutTime") "ldap_lockoutTime")
def test_userPassword_lockout_with_clear_change_samr(self): def test_userPassword_lockout_with_clear_change_krb5_samr(self):
self._test_userPassword_lockout_with_clear_change(self.creds2, self._test_userPassword_lockout_with_clear_change(self.lockout1krb5_creds,
self.ldb3, self.lockout2krb5_ldb,
"samr")
def test_userPassword_lockout_with_clear_change_ntlm_ldap_userAccountControl(self):
self._test_userPassword_lockout_with_clear_change(self.lockout1ntlm_creds,
self.lockout2ntlm_ldb,
"ldap_userAccountControl")
def test_userPassword_lockout_with_clear_change_ntlm_ldap_lockoutTime(self):
self._test_userPassword_lockout_with_clear_change(self.lockout1ntlm_creds,
self.lockout2ntlm_ldb,
"ldap_lockoutTime")
def test_userPassword_lockout_with_clear_change_ntlm_samr(self):
self._test_userPassword_lockout_with_clear_change(self.lockout1ntlm_creds,
self.lockout2ntlm_ldb,
"samr") "samr")
def _test_unicodePwd_lockout_with_clear_change(self, creds, other_ldb): def _test_unicodePwd_lockout_with_clear_change(self, creds, other_ldb):
@ -1339,14 +1368,20 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
dsdb.UF_NORMAL_ACCOUNT, dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0) msDSUserAccountControlComputed=0)
def test_unicodePwd_lockout_with_clear_change(self): def test_unicodePwd_lockout_with_clear_change_krb5(self):
return self._test_unicodePwd_lockout_with_clear_change(self.creds2, self.ldb3) self._test_unicodePwd_lockout_with_clear_change(self.lockout1krb5_creds,
self.lockout2krb5_ldb)
def _test_login_lockout(self, creds, use_kerberos): def test_unicodePwd_lockout_with_clear_change_ntlm(self):
self._test_unicodePwd_lockout_with_clear_change(self.lockout1ntlm_creds,
self.lockout2ntlm_ldb)
def _test_login_lockout(self, creds):
username = creds.get_username() username = creds.get_username()
userpass = creds.get_password() userpass = creds.get_password()
userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
use_kerberos = creds.get_kerberos_state()
# This unlocks by waiting for account_lockout_duration # This unlocks by waiting for account_lockout_duration
if use_kerberos == MUST_USE_KERBEROS: if use_kerberos == MUST_USE_KERBEROS:
lastlogon_relation = 'greater' lastlogon_relation = 'greater'
@ -1377,8 +1412,7 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
# Open a second LDB connection with the user credentials. Use the # Open a second LDB connection with the user credentials. Use the
# command line credentials for informations like the domain, the realm # command line credentials for informations like the domain, the realm
# and the workstation. # and the workstation.
creds_lockout = insta_creds(template=creds) creds_lockout = insta_creds(creds)
creds_lockout.set_kerberos_state(use_kerberos)
# The wrong password # The wrong password
creds_lockout.set_password("thatsAcomplPASS1x") creds_lockout.set_password("thatsAcomplPASS1x")
@ -1650,13 +1684,14 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
dsdb.UF_NORMAL_ACCOUNT, dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0) msDSUserAccountControlComputed=0)
def test_login_lockout_krb5(self):
self._test_login_lockout(self.lockout1krb5_creds)
def test_login_lockout_ntlm(self): def test_login_lockout_ntlm(self):
self._test_login_lockout(self.creds2, DONT_USE_KERBEROS) self._test_login_lockout(self.lockout1ntlm_creds)
def test_login_lockout_kerberos(self): def _test_multiple_logon(self, creds):
self._test_login_lockout(self.creds2, MUST_USE_KERBEROS)
def _test_multiple_logon(self, creds, use_kerberos):
# Test the happy case in which a user logs on correctly, then # Test the happy case in which a user logs on correctly, then
# logs on correctly again, so that the bad password and # logs on correctly again, so that the bad password and
# lockout times are both zero the second time. The lastlogon # lockout times are both zero the second time. The lastlogon
@ -1667,10 +1702,8 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
# and the workstation. # and the workstation.
username = creds.get_username() username = creds.get_username()
userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
creds2 = insta_creds(template=creds)
creds2.set_kerberos_state(use_kerberos)
self.assertEqual(creds2.get_kerberos_state(), use_kerberos)
use_kerberos = creds.get_kerberos_state()
if use_kerberos == MUST_USE_KERBEROS: if use_kerberos == MUST_USE_KERBEROS:
print "Testing multiple logon with Kerberos" print "Testing multiple logon with Kerberos"
lastlogon_relation = 'greater' lastlogon_relation = 'greater'
@ -1678,7 +1711,7 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
print "Testing multiple logon with NTLM" print "Testing multiple logon with NTLM"
lastlogon_relation = 'equal' lastlogon_relation = 'equal'
SamDB(url=host_url, credentials=insta_creds(creds2), lp=lp) SamDB(url=host_url, credentials=insta_creds(creds), lp=lp)
res = self._check_account(userdn, res = self._check_account(userdn,
badPwdCount=0, badPwdCount=0,
@ -1696,7 +1729,7 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
self.assertGreater(lastLogon, badPasswordTime) self.assertGreater(lastLogon, badPasswordTime)
time.sleep(1) time.sleep(1)
SamDB(url=host_url, credentials=insta_creds(creds2), lp=lp) SamDB(url=host_url, credentials=insta_creds(creds), lp=lp)
res = self._check_account(userdn, res = self._check_account(userdn,
badPwdCount=0, badPwdCount=0,
@ -1714,7 +1747,7 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
time.sleep(1) time.sleep(1)
SamDB(url=host_url, credentials=insta_creds(creds2), lp=lp) SamDB(url=host_url, credentials=insta_creds(creds), lp=lp)
res = self._check_account(userdn, res = self._check_account(userdn,
badPwdCount=0, badPwdCount=0,
@ -1725,11 +1758,12 @@ unicodePwd:: """ + base64.b64encode(new_utf16) + """
dsdb.UF_NORMAL_ACCOUNT, dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0) msDSUserAccountControlComputed=0)
def test_multiple_logon_ntlm(self): def test_multiple_logon_krb5(self):
self._test_multiple_logon(self.creds2, DONT_USE_KERBEROS) self._test_multiple_logon(self.lockout1krb5_creds)
def test_multiple_logon_ntlm(self):
self._test_multiple_logon(self.lockout1ntlm_creds)
def test_multiple_logon_kerberos(self):
self._test_multiple_logon(self.creds2, MUST_USE_KERBEROS)
def tearDown(self): def tearDown(self):
super(PasswordTests, self).tearDown() super(PasswordTests, self).tearDown()