From: Tim Beale Date: Mon, 12 Nov 2018 22:49:56 +0000 (+1300) Subject: CVE-2018-16857 tests: Sanity-check password lockout works with default values X-Git-Tag: tdb-1.3.17~592 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77de8278e4b467b66a477c09945a9bcc6b08b194;p=thirdparty%2Fsamba.git CVE-2018-16857 tests: Sanity-check password lockout works with default values Sanity-check that when we use the default lockOutObservationWindow that user lockout actually works. The easiest way to do this is to reuse the _test_login_lockout() test-case, but stop at the point where we wait for the lockout duration to expire (because we don't want the test to wait 30 mins). This highlights a problem currently where the default values don't work. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 Signed-off-by: Tim Beale Reviewed-by: Andrew Bartlett --- diff --git a/selftest/knownfail.d/password_lockout b/selftest/knownfail.d/password_lockout new file mode 100644 index 00000000000..305bcbdef25 --- /dev/null +++ b/selftest/knownfail.d/password_lockout @@ -0,0 +1,4 @@ +samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_krb5\(ad_dc_ntvfs\) +samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\) +samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_ntlm\(ad_dc_ntvfs\) +samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_krb5\(ad_dc_ntvfs\) diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py index 14cf00adb90..bc0613b71b1 100755 --- a/source4/dsdb/tests/python/password_lockout.py +++ b/source4/dsdb/tests/python/password_lockout.py @@ -1371,6 +1371,36 @@ userPassword: """ + userpass + """ self._testing_add_user(lockout4ntlm_creds, lockOutObservationWindow=self.lockout_observation_window) +class PasswordTestsWithDefaults(PasswordTests): + def setUp(self): + # The tests in this class do not sleep, so we can use the default + # timeout windows here + self.account_lockout_duration = 30 * 60 + self.lockout_observation_window = 30 * 60 + super(PasswordTestsWithDefaults, self).setUp() + + # sanity-check that user lockout works with the default settings (we just + # check the user is locked out - we don't wait for the lockout to expire) + def test_login_lockout_krb5(self): + self._test_login_lockout(self.lockout1krb5_creds, + wait_lockout_duration=False) + + def test_login_lockout_ntlm(self): + self._test_login_lockout(self.lockout1ntlm_creds, + wait_lockout_duration=False) + + # Repeat the login lockout tests using PSOs + def test_pso_login_lockout_krb5(self): + """Check the PSO lockout settings get applied to the user correctly""" + self.use_pso_lockout_settings(self.lockout1krb5_creds) + self._test_login_lockout(self.lockout1krb5_creds, + wait_lockout_duration=False) + + def test_pso_login_lockout_ntlm(self): + """Check the PSO lockout settings get applied to the user correctly""" + self.use_pso_lockout_settings(self.lockout1ntlm_creds) + self._test_login_lockout(self.lockout1ntlm_creds, + wait_lockout_duration=False) host_url = "ldap://%s" % host diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py index c2664e9adba..24b066c188d 100644 --- a/source4/dsdb/tests/python/password_lockout_base.py +++ b/source4/dsdb/tests/python/password_lockout_base.py @@ -364,7 +364,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ def tearDown(self): super(BasePasswordTestCase, self).tearDown() - def _test_login_lockout(self, creds): + def _test_login_lockout(self, creds, wait_lockout_duration=True): username = creds.get_username() userpass = creds.get_password() userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) @@ -561,6 +561,10 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) + # if we're just checking the user gets locked out, we can stop here + if not wait_lockout_duration: + return + # wait for the lockout to end time.sleep(self.account_lockout_duration + 1) print(self.account_lockout_duration + 1)