mirror of
https://github.com/samba-team/samba.git
synced 2025-01-10 01:18:15 +03:00
tests: Add tests for domain pwdHistoryLength
This is not related to PSOs at all, but there's a minor discrepancy between Windows and Samba password-history-length behaviour that I noticed during PSO testing. When the pwdHistoryLength changes from zero to non-zero, Windows includes the user's current password as invalid immediately, whereas Samba only includes it as invalid *after* it next changes. It's a fairly obscure corner-case, and we might not care enough about it to fix it. However, I've added a test case to highlight the difference and marked it as a known-fail for now. I also added a general pwdHistoryLength test case to show that the basics work (this didn't seem to be tested anywhere else). Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
parent
c10e1af005
commit
b7d1c5aae8
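--- a/selftest/knownfail.d/password_settings
+++ b/selftest/knownfail.d/password_settings
@@ -0,0 +1,3 @@
+# highlights a minor corner-case discrepancy between Windows and Samba
+samba4.ldap.password_settings.python.password_settings.PasswordSettingsTestCase.test_domain_pwd_history_zero\(ad_dc_ntvfs\)
+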
@ -794,4 +794,66 @@ unicodePwd:: %s
|
||||
""" % (userdn, password)
|
||||
self.ldb.modify_ldif(ldif)
|
||||
|
||||
def set_domain_pwdHistoryLength(self, value):
|
||||
m = ldb.Message()
|
||||
m.dn = ldb.Dn(self.ldb, self.ldb.domain_dn())
|
||||
m["pwdHistoryLength"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
|
||||
self.ldb.modify(m)
|
||||
|
||||
def test_domain_pwd_history(self):
|
||||
"""Non-PSO test for domain's pwdHistoryLength setting"""
|
||||
|
||||
# restore the current pwdHistoryLength setting after the test completes
|
||||
curr_hist_len = str(self.pwd_defaults.history_len)
|
||||
self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)
|
||||
|
||||
self.set_domain_pwdHistoryLength("4")
|
||||
user = self.add_user("testuser")
|
||||
|
||||
initial_pwd = user.get_password()
|
||||
passwords = ["First12#", "Second12#", "Third12#", "Fourth12#"]
|
||||
|
||||
# we should be able to set the password to new values OK
|
||||
for pwd in passwords:
|
||||
self.assert_password_valid(user, pwd)
|
||||
|
||||
# the 2nd time round it should fail because they're in the history now
|
||||
for pwd in passwords:
|
||||
self.assert_password_invalid(user, pwd)
|
||||
|
||||
# but the initial password is now outside the history, so should be OK
|
||||
self.assert_password_valid(user, initial_pwd)
|
||||
|
||||
# if we set the history to zero, all the old passwords should now be OK
|
||||
self.set_domain_pwdHistoryLength("0")
|
||||
for pwd in passwords:
|
||||
self.assert_password_valid(user, pwd)
|
||||
|
||||
def test_domain_pwd_history_zero(self):
|
||||
"""Non-PSO test for pwdHistoryLength going from zero to non-zero"""
|
||||
|
||||
# restore the current pwdHistoryLength setting after the test completes
|
||||
curr_hist_len = str(self.pwd_defaults.history_len)
|
||||
self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)
|
||||
|
||||
self.set_domain_pwdHistoryLength("0")
|
||||
user = self.add_user("testuser")
|
||||
|
||||
initial_pwd = user.get_password()
|
||||
self.assert_password_valid(user, "NewPwd12#")
|
||||
# we can set the exact same password again because there's no history
|
||||
self.assert_password_valid(user, "NewPwd12#")
|
||||
|
||||
# There is a difference in behaviour here between Windows and Samba.
|
||||
# When going from zero to non-zero password-history, Windows treats
|
||||
# the current user's password as invalid (even though the password has
|
||||
# not been altered since the setting changed). Whereas Samba accepts
|
||||
# the current password (because it's not in the history until the
|
||||
# *next* time the user's password changes.
|
||||
self.set_domain_pwdHistoryLength("1")
|
||||
self.assert_password_invalid(user, "NewPwd12#")
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
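Review bot: In `test_domain_pwd_history_zero`, the two `assert_password_valid(user, "NewPwd12#")` calls that show a password can be reused while pwdHistoryLength is 0 sit in the same test as the final `assert_password_invalid` that is listed in knownfail.d, so a regression in the zero-history behaviour would presumably be reported as the expected failure and go unnoticed. I would move those reuse assertions into a separate test that is expected to pass and keep only the zero-to-non-zero step in the known-failing one, with a comment there such as `# knownfail on Samba: the current password only enters the history on the next change`. `initial_pwd = user.get_password()` is assigned in this test but never read and can be dropped, and the explanatory comment opens a parenthesis at `(because it's not in the history` that is never closed. The enclosing class and the helper ending at `self.ldb.modify_ldif(ldif)` start outside the hunk, so what `add_user` and `pwd_defaults` do is not visible here.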