From: Garming Sam Date: Wed, 26 Apr 2017 04:32:51 +0000 (+1200) Subject: tests/rodc: Check SID restriction for SendToSam X-Git-Tag: ldb-1.1.30~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=452170db2cdc9c7cd474d82e46698ec05fc1c651;p=thirdparty%2Fsamba.git tests/rodc: Check SID restriction for SendToSam Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett --- diff --git a/selftest/knownfail b/selftest/knownfail index c6047c85445..6a98cd4b55b 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -335,3 +335,4 @@ # We currently don't send referrals for LDAP modify of non-replicated attrs ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* ^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos +^samba4.ldap.rodc_rwdc.python\(rodc\).__main__.RodcRwdcCachedTests.test_login_lockout_not_revealed diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py index 87d1257d97f..b2b5dbdb1a5 100644 --- a/source4/dsdb/tests/python/rodc_rwdc.py +++ b/source4/dsdb/tests/python/rodc_rwdc.py @@ -283,6 +283,78 @@ class RodcRwdcCachedTests(password_lockout_base.BasePasswordTestCase): self._test_login_lockout_rodc_rwdc(self.lockout1ntlm_creds, userdn) + def test_login_lockout_not_revealed(self): + '''Test that SendToSam is restricted by preloaded users/groups''' + + username = self.lockout1ntlm_creds.get_username() + userpass = self.lockout1ntlm_creds.get_password() + userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) + + # Preload but do not add to revealed group + preload_rodc_user(userdn) + + self.kerberos = False + + creds = self.lockout1ntlm_creds + + # Open a second LDB connection with the user credentials. Use the + # command line credentials for informations like the domain, the realm + # and the workstation. + creds_lockout = self.insta_creds(creds) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + + self.assertLoginFailure(self.host_url, creds_lockout, self.lp) + + badPasswordTime = 0 + logonCount = 0 + lastLogon = 0 + lastLogonTimestamp=0 + logoncount_relation = '' + lastlogon_relation = '' + + res = self._check_account(userdn, + badPwdCount=1, + badPasswordTime=("greater", badPasswordTime), + logonCount=logonCount, + lastLogon=lastLogon, + lastLogonTimestamp=lastLogonTimestamp, + userAccountControl= + dsdb.UF_NORMAL_ACCOUNT, + msDSUserAccountControlComputed=0, + msg='lastlogontimestamp with wrong password') + badPasswordTime = int(res[0]["badPasswordTime"][0]) + + # BadPwdCount on RODC increases alongside RWDC + res = self.rodc_db.search(userdn, attrs=['badPwdCount']) + self.assertTrue('badPwdCount' in res[0]) + self.assertEqual(int(res[0]['badPwdCount'][0]), 1) + + # Correct old password + creds_lockout.set_password(userpass) + + ldb_lockout = SamDB(url=self.host_url, credentials=creds_lockout, lp=self.lp) + + # Wait for potential SendToSam... + time.sleep(5) + + # BadPwdCount on RODC decreases, but not the RWDC + res = self._check_account(userdn, + badPwdCount=1, + badPasswordTime=badPasswordTime, + logonCount=(logoncount_relation, logonCount), + lastLogon=('greater', lastLogon), + lastLogonTimestamp=lastLogonTimestamp, + userAccountControl= + dsdb.UF_NORMAL_ACCOUNT, + msDSUserAccountControlComputed=0, + msg='badPwdCount not reset on RWDC') + + res = self.rodc_db.search(userdn, attrs=['badPwdCount']) + self.assertTrue('badPwdCount' in res[0]) + self.assertEqual(int(res[0]['badPwdCount'][0]), 0) + def _test_login_lockout_rodc_rwdc(self, creds, userdn): username = creds.get_username() userpass = creds.get_password()