mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

tests: Add tests for domain pwdHistoryLength

This is not related to PSOs at all, but there's a minor discrepancy
between Windows and Samba password-history-length behaviour that I
noticed during PSO testing.

When the pwdHistoryLength changes from zero to non-zero, Windows
includes the user's current password as invalid immediately, whereas
Samba only includes it as invalid *after* it next changes. It's a
fairly obscure corner-case, and we might not care enough about it to
fix it. However, I've added a test case to highlight the difference and
marked it as a known-fail for now.

I also added a general pwdHistoryLength test case to show that the
basics work (this didn't seem to be tested anywhere else).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale 2018-05-11 09:29:01 +12:00 committed by Garming Sam
parent c10e1af005
commit b7d1c5aae8
2 changed files with 65 additions and 0 deletions
selftest/knownfail.d
source4/dsdb/tests/python


@ -0,0 +1,3 @@
# highlights a minor corner-case discrepancy between Windows and Samba
samba4.ldap.password_settings.python.password_settings.PasswordSettingsTestCase.test_domain_pwd_history_zero\(ad_dc_ntvfs\)
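Review bot: The comment above this known-fail entry does not say which discrepancy it covers, so anyone auditing the known-fail list for password-policy gaps has to find the commit to learn what is being tolerated. Naming the behaviour would help, for example `# pwdHistoryLength 0 -> non-zero: Windows rejects re-use of the current password immediately, Samba only after the next password change`. The pattern matches the `ad_dc_ntvfs` environment only; if this test is ever run in another environment, that run would presumably need its own entry.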


@ -794,4 +794,66 @@ unicodePwd:: %s
""" % (userdn, password)
self.ldb.modify_ldif(ldif)
def set_domain_pwdHistoryLength(self, value):
m = ldb.Message()
m.dn = ldb.Dn(self.ldb, self.ldb.domain_dn())
m["pwdHistoryLength"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
self.ldb.modify(m)
def test_domain_pwd_history(self):
"""Non-PSO test for domain's pwdHistoryLength setting"""
# restore the current pwdHistoryLength setting after the test completes
curr_hist_len = str(self.pwd_defaults.history_len)
self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)
self.set_domain_pwdHistoryLength("4")
user = self.add_user("testuser")
initial_pwd = user.get_password()
passwords = ["First12#", "Second12#", "Third12#", "Fourth12#"]
# we should be able to set the password to new values OK
for pwd in passwords:
self.assert_password_valid(user, pwd)
# the 2nd time round it should fail because they're in the history now
for pwd in passwords:
self.assert_password_invalid(user, pwd)
# but the initial password is now outside the history, so should be OK
self.assert_password_valid(user, initial_pwd)
# if we set the history to zero, all the old passwords should now be OK
self.set_domain_pwdHistoryLength("0")
for pwd in passwords:
self.assert_password_valid(user, pwd)
def test_domain_pwd_history_zero(self):
"""Non-PSO test for pwdHistoryLength going from zero to non-zero"""
# restore the current pwdHistoryLength setting after the test completes
curr_hist_len = str(self.pwd_defaults.history_len)
self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)
self.set_domain_pwdHistoryLength("0")
user = self.add_user("testuser")
initial_pwd = user.get_password()
self.assert_password_valid(user, "NewPwd12#")
# we can set the exact same password again because there's no history
self.assert_password_valid(user, "NewPwd12#")
# There is a difference in behaviour here between Windows and Samba.
# When going from zero to non-zero password-history, Windows treats
# the current user's password as invalid (even though the password has
# not been altered since the setting changed). Whereas Samba accepts
# the current password (because it's not in the history until the
# *next* time the user's password changes.
self.set_domain_pwdHistoryLength("1")
self.assert_password_invalid(user, "NewPwd12#")
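Review bot: In `test_domain_pwd_history_zero` the closing comment describes both the Windows and the Samba behaviour but never says which one the final `self.assert_password_invalid(user, "NewPwd12#")` encodes. It encodes the Windows behaviour, which is why the test is listed as a known failure on Samba. A line such as `# The assertion below expects the Windows behaviour; see the entry under selftest/knownfail.d` would tell whoever sees this test start passing or failing what that means for password-history enforcement. The same comment is missing its closing parenthesis after "changes". Also, `initial_pwd = user.get_password()` in this test is assigned but never read and can be dropped.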