"""Tests for the Auth and AuthZ logging of password changes.
"""
-from samba import auth
import samba.tests
-from samba.messaging import Messaging
from samba.samdb import SamDB
from samba.auth import system_session
-import json
import os
import samba.tests.auth_log_base
from samba.tests import delete_force
from samba.net import Net
-from samba import ntstatus
import samba
from subprocess import call
from ldb import LdbError
USER_NAME = "authlogtestuser"
-USER_PASS = samba.generate_random_password(32,32)
+USER_PASS = samba.generate_random_password(32, 32)
+
class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
base_dn = self.ldb.domain_dn()
print("base_dn %s" % base_dn)
- # Gets back the configuration basedn
- configuration_dn = self.ldb.get_config_basedn().get_linearized()
-
# Get the old "dSHeuristics" if it was set
dsheuristics = self.ldb.get_dsheuristics()
# (Re)adds the test user USER_NAME with password USER_PASS
delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn)
self.ldb.add({
- "dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,
- "objectclass": "user",
- "sAMAccountName": USER_NAME,
- "userPassword": USER_PASS
+ "dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn,
+ "objectclass": "user",
+ "sAMAccountName": USER_NAME,
+ "userPassword": USER_PASS
})
# discard any auth log messages for the password setup
def tearDown(self):
super(AuthLogPassChangeTests, self).tearDown()
-
def test_admin_change_password(self):
def isLastExpectedMessage(msg):
- return (msg["type"] == "Authentication" and
- msg["Authentication"]["status"]
- == "NT_STATUS_OK" and
- msg["Authentication"]["serviceDescription"]
- == "SAMR Password Change" and
- msg["Authentication"]["authDescription"]
- == "samr_ChangePasswordUser3")
+ return ((msg["type"] == "Authentication") and
+ (msg["Authentication"]["status"] == "NT_STATUS_OK") and
+ (msg["Authentication"]["serviceDescription"] ==
+ "SAMR Password Change") and
+ (msg["Authentication"]["authDescription"] ==
+ "samr_ChangePasswordUser3"))
- creds = self.insta_creds(template = self.get_credentials())
+ creds = self.insta_creds(template=self.get_credentials())
lp = self.get_loadparm()
net = Net(creds, lp, server=self.server_ip)
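Review bot: The `isLastExpectedMessage` predicate in test_admin_change_password is repeated in the other Authentication tests of this class with only the status, serviceDescription and authDescription strings changing, so this reformatting had to be applied to each copy by hand. A module-level helper taking those three values would keep the audit-log field names in one place and make it harder for one test to drift from the others. The Authorization predicate in test_ldap_change_password_bad_user has a different shape and would stay as it is. The body of test_admin_change_password continues outside this hunk.

```python
def is_password_change_message(msg, status, service, description):
    """Return True for the Authentication record a test is waiting for."""
    if msg["type"] != "Authentication":
        return False
    auth = msg["Authentication"]
    return (auth["status"] == status and
            auth["serviceDescription"] == service and
            auth["authDescription"] == description)

# in test_admin_change_password:
def isLastExpectedMessage(msg):
    return is_password_change_message(
        msg, "NT_STATUS_OK", "SAMR Password Change",
        "samr_ChangePasswordUser3")
# ... unchanged: creds / lp / Net setup ...
```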
username=USER_NAME,
oldpassword=USER_PASS)
-
messages = self.waitForMessages(isLastExpectedMessage)
print("Received %d messages" % len(messages))
self.assertEquals(8,
def test_admin_change_password_new_password_fails_restriction(self):
def isLastExpectedMessage(msg):
- return (msg["type"] == "Authentication" and
- msg["Authentication"]["status"]
- == "NT_STATUS_PASSWORD_RESTRICTION" and
- msg["Authentication"]["serviceDescription"]
- == "SAMR Password Change" and
- msg["Authentication"]["authDescription"]
- == "samr_ChangePasswordUser3")
+ return ((msg["type"] == "Authentication") and
+ (msg["Authentication"]["status"] ==
+ "NT_STATUS_PASSWORD_RESTRICTION") and
+ (msg["Authentication"]["serviceDescription"] ==
+ "SAMR Password Change") and
+ (msg["Authentication"]["authDescription"] ==
+ "samr_ChangePasswordUser3"))
creds = self.insta_creds(template=self.get_credentials())
net.change_password(newpassword=password.encode('utf-8'),
oldpassword=USER_PASS,
username=USER_NAME)
- except Exception as msg:
+ except Exception:
exception_thrown = True
self.assertEquals(True, exception_thrown,
"Expected exception not thrown")
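Review bot: The `except Exception:` handler in test_admin_change_password_new_password_fails_restriction treats any failure of `net.change_password` as the expected rejection, so a connection error or a bad argument would set `exception_thrown` as well. The same handler appears in test_admin_change_password_unknown_user and test_admin_change_password_bad_original_password. Dropping the unused `as msg` binding silences the warning, but the handler still does not check why the call failed. If the raised error carries the NT status, I would keep the binding and assert on it, along the lines of `except Exception as e:` followed by `self.assertIn("<expected status text>", str(e))`; otherwise add a comment such as `# any exception is accepted; the status is checked through the auth log message`. The try block starts outside this hunk, and the log-message check is presumably done later in the test.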
def test_admin_change_password_unknown_user(self):
def isLastExpectedMessage(msg):
- return (msg["type"] == "Authentication" and
- msg["Authentication"]["status"]
- == "NT_STATUS_NO_SUCH_USER" and
- msg["Authentication"]["serviceDescription"]
- == "SAMR Password Change" and
- msg["Authentication"]["authDescription"]
- == "samr_ChangePasswordUser3")
+ return ((msg["type"] == "Authentication") and
+ (msg["Authentication"]["status"] ==
+ "NT_STATUS_NO_SUCH_USER") and
+ (msg["Authentication"]["serviceDescription"] ==
+ "SAMR Password Change") and
+ (msg["Authentication"]["authDescription"] ==
+ "samr_ChangePasswordUser3"))
creds = self.insta_creds(template=self.get_credentials())
net.change_password(newpassword=password.encode('utf-8'),
oldpassword=USER_PASS,
username="badUser")
- except Exception as msg:
+ except Exception:
exception_thrown = True
self.assertEquals(True, exception_thrown,
"Expected exception not thrown")
def test_admin_change_password_bad_original_password(self):
def isLastExpectedMessage(msg):
- return (msg["type"] == "Authentication" and
- msg["Authentication"]["status"]
- == "NT_STATUS_WRONG_PASSWORD" and
- msg["Authentication"]["serviceDescription"]
- == "SAMR Password Change" and
- msg["Authentication"]["authDescription"]
- == "samr_ChangePasswordUser3")
+ return ((msg["type"] == "Authentication") and
+ (msg["Authentication"]["status"] ==
+ "NT_STATUS_WRONG_PASSWORD") and
+ (msg["Authentication"]["serviceDescription"] ==
+ "SAMR Password Change") and
+ (msg["Authentication"]["authDescription"] ==
+ "samr_ChangePasswordUser3"))
creds = self.insta_creds(template=self.get_credentials())
net.change_password(newpassword=password.encode('utf-8'),
oldpassword="badPassword",
username=USER_NAME)
- except Exception as msg:
+ except Exception:
exception_thrown = True
self.assertEquals(True, exception_thrown,
"Expected exception not thrown")
# correctly, so we just check it triggers the wrong password path.
def test_rap_change_password(self):
def isLastExpectedMessage(msg):
- return (msg["type"] == "Authentication" and
- msg["Authentication"]["serviceDescription"]
- == "SAMR Password Change" and
- msg["Authentication"]["status"]
- == "NT_STATUS_WRONG_PASSWORD" and
- msg["Authentication"]["authDescription"]
- == "OemChangePasswordUser2")
+ return ((msg["type"] == "Authentication") and
+ (msg["Authentication"]["serviceDescription"] ==
+ "SAMR Password Change") and
+ (msg["Authentication"]["status"] ==
+ "NT_STATUS_WRONG_PASSWORD") and
+ (msg["Authentication"]["authDescription"] ==
+ "OemChangePasswordUser2"))
username = os.environ["USERNAME"]
server = os.environ["SERVER"]
password = os.environ["PASSWORD"]
server_param = "--server=%s" % server
- creds = "-U%s%%%s" % (username,password)
+ creds = "-U%s%%%s" % (username, password)
call(["bin/net", "rap", server_param,
"password", USER_NAME, "notMyPassword", "notGoingToBeMyPassword",
server, creds, "--option=client ipc max protocol=nt1"])
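Review bot: `creds = "-U%s%%%s" % (username, password)` puts the PASSWORD value on the `bin/net` command line, where it is readable in the process table while the child runs and may end up in test logs that echo the command. These are selftest credentials, but the pattern tends to be copied; the Samba command-line tools accept `--authentication-file=FILE`, which keeps the secret out of argv. If the argv form is kept, a comment such as `# test-only credentials: -U user%pass is visible in the process list` would record that this is deliberate. The rest of test_rap_change_password is outside this hunk.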
def test_ldap_change_password(self):
def isLastExpectedMessage(msg):
- return (msg["type"] == "Authentication" and
- msg["Authentication"]["status"]
- == "NT_STATUS_OK" and
- msg["Authentication"]["serviceDescription"]
- == "LDAP Password Change" and
- msg["Authentication"]["authDescription"]
- == "LDAP Modify")
-
- new_password = samba.generate_random_password(32,32)
+ return ((msg["type"] == "Authentication") and
+ (msg["Authentication"]["status"] == "NT_STATUS_OK") and
+ (msg["Authentication"]["serviceDescription"] ==
+ "LDAP Password Change") and
+ (msg["Authentication"]["authDescription"] ==
+ "LDAP Modify"))
+
+ new_password = samba.generate_random_password(32, 32)
self.ldb.modify_ldif(
"dn: cn=" + USER_NAME + ",cn=users," + self.base_dn + "\n" +
"changetype: modify\n" +
"delete: userPassword\n" +
"userPassword: " + USER_PASS + "\n" +
"add: userPassword\n" +
- "userPassword: " + new_password + "\n"
- )
+ "userPassword: " + new_password + "\n")
messages = self.waitForMessages(isLastExpectedMessage)
print("Received %d messages" % len(messages))
def test_ldap_change_password_bad_user(self):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authorization" and
- msg["Authorization"]["serviceDescription"]
- == "LDAP" and
+ msg["Authorization"]["serviceDescription"] == "LDAP" and
msg["Authorization"]["authType"] == "krb5")
- new_password = samba.generate_random_password(32,32)
+ new_password = samba.generate_random_password(32, 32)
try:
self.ldb.modify_ldif(
"dn: cn=" + "badUser" + ",cn=users," + self.base_dn + "\n" +
"delete: userPassword\n" +
"userPassword: " + USER_PASS + "\n" +
"add: userPassword\n" +
- "userPassword: " + new_password + "\n"
- )
+ "userPassword: " + new_password + "\n")
self.fail()
except LdbError as e:
(num, msg) = e.args
def test_ldap_change_password_bad_original_password(self):
def isLastExpectedMessage(msg):
- return (msg["type"] == "Authentication" and
- msg["Authentication"]["status"]
- == "NT_STATUS_WRONG_PASSWORD" and
- msg["Authentication"]["serviceDescription"]
- == "LDAP Password Change" and
- msg["Authentication"]["authDescription"]
- == "LDAP Modify")
-
- new_password = samba.generate_random_password(32,32)
+ return ((msg["type"] == "Authentication") and
+ (msg["Authentication"]["status"] ==
+ "NT_STATUS_WRONG_PASSWORD") and
+ (msg["Authentication"]["serviceDescription"] ==
+ "LDAP Password Change") and
+ (msg["Authentication"]["authDescription"] ==
+ "LDAP Modify"))
+
+ new_password = samba.generate_random_password(32, 32)
try:
self.ldb.modify_ldif(
"dn: cn=" + USER_NAME + ",cn=users," + self.base_dn + "\n" +
"delete: userPassword\n" +
"userPassword: " + "badPassword" + "\n" +
"add: userPassword\n" +
- "userPassword: " + new_password + "\n"
- )
+ "userPassword: " + new_password + "\n")
self.fail()
except LdbError as e1:
(num, msg) = e1.args