From: Stefan Metzmacher Date: Fri, 5 Feb 2016 07:37:53 +0000 (+0100) Subject: s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user() X-Git-Tag: tdb-1.3.10~599 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca874c200e9672a5180f2457f93db290fe1276a7;p=thirdparty%2Fsamba.git s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user() The results differ depending on Kerberos or NTLMSSP usage and the lockOutObservationWindow. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py index db703bb66b8..e080ce114cb 100755 --- a/source4/dsdb/tests/python/password_lockout.py +++ b/source4/dsdb/tests/python/password_lockout.py @@ -298,12 +298,20 @@ userAccountControl: %d time.sleep(0.01) return res - def _readd_user(self, creds): + def _readd_user(self, creds, lockOutObservationWindow=0): username = creds.get_username() userpass = creds.get_password() userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) - # (Re)adds the test user "testuser" with no password atm + use_kerberos = creds.get_kerberos_state() + if use_kerberos == MUST_USE_KERBEROS: + lastlogon_relation = 'greater' + else: + if lockOutObservationWindow == 0: + lastlogon_relation = 'greater' + else: + lastlogon_relation = 'equal' + delete_force(self.ldb, userdn) self.ldb.add({ "dn": userdn, @@ -369,6 +377,7 @@ userPassword: thatsAcomplPASS2 dsdb.UF_PASSWD_NOTREQD, msDSUserAccountControlComputed= dsdb.UF_PASSWORD_EXPIRED) + badPwdCount = int(res[0]["badPwdCount"][0]) badPasswordTime = int(res[0]["badPasswordTime"][0]) # Sets the initial user password with a "special" password change @@ -384,7 +393,7 @@ userPassword: """ + userpass + """ """) res = self._check_account(userdn, - badPwdCount=1, + badPwdCount=badPwdCount, badPasswordTime=badPasswordTime, lastLogon=0, lastLogonTimestamp=('absent', None), 
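Review bot: The new `lockOutObservationWindow` parameter and the `lastlogon_relation` selection at the top of `_readd_user` have no comment, and this hunk also removes the only line that described what the function does. A later hunk passes the value to `time.sleep()` and uses the relation as `lastLogon=(lastlogon_relation, 0)`, so a short docstring should state that the window is treated as seconds. It should also say that an NTLMSSP logon with a non-zero window appears to be expected to leave `lastLogon` at 0, which the commit message only hints at. The nested `else:` / `if` can be flattened to `elif lockOutObservationWindow == 0:`. The body of `_readd_user` continues past this hunk.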
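Review bot: Reading `badPwdCount` back from `res` and reusing it as the expected value means the later `badPwdCount=badPwdCount` checks only assert that the counter did not change, not that it holds a specific value. This affects the replacement of `badPwdCount=1` in the next hunk and the one at the start of the hunk after it. The `_check_account` call that produces `res` begins outside this hunk, so it is not visible here whether it still pins the count. If it does not, add `self.assertEqual(badPwdCount, 1)` after the read, matching what the old code expected at this point, so that a wrongly incremented lockout counter still fails the test.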
@@ -398,31 +407,63 @@ userPassword: """ + userpass + """ self.ldb.enable_account("(sAMAccountName=%s)" % username) res = self._check_account(userdn, - badPwdCount=1, + badPwdCount=badPwdCount, badPasswordTime=badPasswordTime, lastLogon=0, lastLogonTimestamp=('absent', None), userAccountControl= dsdb.UF_NORMAL_ACCOUNT, msDSUserAccountControlComputed=0) + if lockOutObservationWindow != 0: + time.sleep(lockOutObservationWindow + 1) + effective_bad_password_count = 0 + else: + effective_bad_password_count = badPwdCount - # Open a second LDB connection with the user credentials. Use the - # command line credentials for informations like the domain, the realm - # and the workstation. + res = self._check_account(userdn, + badPwdCount=badPwdCount, + effective_bad_password_count=effective_bad_password_count, + badPasswordTime=badPasswordTime, + lastLogon=0, + lastLogonTimestamp=('absent', None), + userAccountControl= + dsdb.UF_NORMAL_ACCOUNT, + msDSUserAccountControlComputed=0) ldb = SamDB(url=host_url, credentials=creds, lp=lp) + if lockOutObservationWindow == 0: + badPwdCount = 0 + effective_bad_password_count = 0 + if use_kerberos == MUST_USE_KERBEROS: + badPwdCount = 0 + effective_bad_password_count = 0 + res = self._check_account(userdn, - badPwdCount=0, + badPwdCount=badPwdCount, + effective_bad_password_count=effective_bad_password_count, badPasswordTime=badPasswordTime, - lastLogon=('greater', 0), - lastLogonTimestamp=('greater', 0), + lastLogon=(lastlogon_relation, 0), + lastLogonTimestamp=('greater', badPasswordTime), userAccountControl= dsdb.UF_NORMAL_ACCOUNT, msDSUserAccountControlComputed=0) lastLogon = int(res[0]["lastLogon"][0]) - self.assertGreater(lastLogon, badPasswordTime) + lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0]) + if lastlogon_relation == 'greater': + self.assertGreater(lastLogon, badPasswordTime) + self.assertGreaterEqual(lastLogon, lastLogonTimestamp) + + res = self._check_account(userdn, + badPwdCount=badPwdCount, + 
effective_bad_password_count=effective_bad_password_count, + badPasswordTime=badPasswordTime, + lastLogon=lastLogon, + lastLogonTimestamp=lastLogonTimestamp, + userAccountControl= + dsdb.UF_NORMAL_ACCOUNT, + msDSUserAccountControlComputed=0) return ldb def assertLoginFailure(self, url, creds, lp, errno=ERR_INVALID_CREDENTIALS):
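Review bot: The two `if` blocks after the `SamDB(url=host_url, credentials=creds, lp=lp)` connection have identical bodies. Their combined condition is the same one that selects `lastlogon_relation = 'greater'` at the top of `_readd_user`, which begins outside this hunk, so the expected result of a successful logon is encoded in three places. Merging them into `if lockOutObservationWindow == 0 or use_kerberos == MUST_USE_KERBEROS:` with a comment such as `# successful logon resets the stored badPwdCount, except over NTLMSSP after the observation window has expired` (if that is the intended behaviour) would keep the cases in step. The hunk also drops the comment describing the second LDB connection, which is the logon under test, and a one-line version of it is worth keeping. Separately, `time.sleep(lockOutObservationWindow + 1)` relies on one second of slack and may be timing-sensitive on a slow server.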