From a5eb6e1028ae679a327835239c16ca2d896ec17c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 25 Nov 2013 10:03:05 +1300 Subject: [PATCH] REVIEW/RUN selftest: Add test for password lockout Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711 Signed-off-by: Andrew Bartlett --- source4/dsdb/tests/python/password_lockout.py | 1055 +++++++++++++++++ source4/selftest/tests.py | 1 + 2 files changed, 1056 insertions(+) create mode 100755 source4/dsdb/tests/python/password_lockout.py diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py new file mode 100755 index 000000000000..e42f97feb9dc --- /dev/null +++ b/source4/dsdb/tests/python/password_lockout.py @@ -0,0 +1,1055 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# This tests the password changes over LDAP for AD implementations +# +# Copyright Matthias Dieter Wallnoefer 2010 +# Copyright Andrew Bartlett 2013 +# +# Notice: This tests will also work against Windows Server if the connection is +# secured enough (SASL with a minimum of 128 Bit encryption) - consider +# MS-ADTS 3.1.1.3.1.5 + +import optparse +import sys +import base64 +import time +import os + +sys.path.insert(0, "bin/python") +import samba +samba.ensure_external_module("testtools", "testtools") +samba.ensure_external_module("subunit", "subunit/python") + +import samba.getopt as options + +from samba.auth import system_session +from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS +from ldb import SCOPE_BASE, LdbError +from ldb import ERR_ATTRIBUTE_OR_VALUE_EXISTS +from ldb import ERR_UNWILLING_TO_PERFORM, ERR_INSUFFICIENT_ACCESS_RIGHTS +from ldb import ERR_NO_SUCH_ATTRIBUTE +from ldb import ERR_CONSTRAINT_VIOLATION +from ldb import ERR_INVALID_CREDENTIALS +from ldb import Message, MessageElement, Dn +from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE +from samba import gensec, dsdb +from samba.samdb import SamDB +import samba.tests +from samba.tests import delete_force +from subunit.run import SubunitTestRunner +import unittest +from samba.dcerpc import security, samr +from samba.ndr import ndr_unpack + +parser = optparse.OptionParser("passwords.py [options] ") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +# Force an encrypted connection +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) + +# +# Tests start here +# + +class PasswordTests(samba.tests.TestCase): + + def setUp(self): + super(PasswordTests, self).setUp() + self.ldb = ldb + self.base_dn = ldb.domain_dn() + + # (Re)adds the test user "testuser" with no password atm + delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn) + self.ldb.add({ + "dn": "cn=testuser,cn=users," + self.base_dn, + "objectclass": "user", + "sAMAccountName": "testuser"}) + + # Tests a password change when we don't have any password yet with a + # wrong old password + try: + self.ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: noPassword +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + # Windows (2008 at least) seems to have some small bug here: it + # returns "0000056A" on longer (always wrong) previous passwords. + self.assertTrue('00000056' in msg) + + # Sets the initial user password with a "special" password change + # I think that this internally is a password set operation and it can + # only be performed by someone which has password set privileges on the + # account (at least in s4 we do handle it like that). + self.ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +add: userPassword +userPassword: thatsAcomplPASS1 +""") + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # Enables the user account + self.ldb.enable_account("(sAMAccountName=testuser)") + + # Open a second LDB connection with the user credentials. Use the + # command line credentials for informations like the domain, the realm + # and the workstation. + creds2 = Credentials() + creds2.set_username("testuser") + creds2.set_password("thatsAcomplPASS1") + creds2.set_domain(creds.get_domain()) + creds2.set_realm(creds.get_realm()) + creds2.set_workstation(creds.get_workstation()) + creds2.set_gensec_features(creds2.get_gensec_features() + | gensec.FEATURE_SEAL) + + self.ldb2 = SamDB(url=host_url, credentials=creds2, lp=lp) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "0") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # (Re)adds the test user "testuser3" with no password atm + delete_force(self.ldb, "cn=testuser3,cn=users," + self.base_dn) + self.ldb.add({ + "dn": "cn=testuser3,cn=users," + self.base_dn, + "objectclass": "user", + "sAMAccountName": "testuser3"}) + + # Tests a password change when we don't have any password yet with a + # wrong old password + try: + self.ldb.modify_ldif(""" +dn: cn=testuser3,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: noPassword +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + # Windows (2008 at least) seems to have some small bug here: it + # returns "0000056A" on longer (always wrong) previous passwords. + self.assertTrue('00000056' in msg) + + # Sets the initial user password with a "special" password change + # I think that this internally is a password set operation and it can + # only be performed by someone which has password set privileges on the + # account (at least in s4 we do handle it like that). + self.ldb.modify_ldif(""" +dn: cn=testuser3,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +add: userPassword +userPassword: thatsAcomplPASS1 +""") + + # Enables the user account + self.ldb.enable_account("(sAMAccountName=testuser3)") + + # Open a second LDB connection with the user credentials. Use the + # command line credentials for informations like the domain, the realm + # and the workstation. + creds3 = Credentials() + creds3.set_username("testuser3") + creds3.set_password("thatsAcomplPASS1") + creds3.set_domain(creds.get_domain()) + creds3.set_realm(creds.get_realm()) + creds3.set_workstation(creds.get_workstation()) + creds3.set_gensec_features(creds3.get_gensec_features() + | gensec.FEATURE_SEAL) + self.ldb3 = SamDB(url=host_url, credentials=creds3, lp=lp) + + + self.samr = samr.samr("ncacn_ip_tcp:%s[sign]" % host, lp, creds) + self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED) + self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, security.dom_sid(self.ldb.get_domain_sid())) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["objectSid"]) + self.assertTrue(len(res) == 1) + self.assertTrue("objectSid" in res[0]) + (domain_sid, self.rid) = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]).split() + self.assertEquals(security.dom_sid(self.ldb.get_domain_sid()), domain_sid) + + self.samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid) + + def test_userPassword_lockout_with_clear_change(self): + print "Performs a password cleartext change operation on 'userPassword'" + # Notice: This works only against Windows if "dSHeuristics" has been set + # properly + + # Change password on a connection as another user + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1x +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, msg): + self.assertTrue('00000056' in msg) + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + + # Correct old password + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1x +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, msg): + self.assertTrue('00000056' in msg) + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "2") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + print "two failed password change" + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1x +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, msg): + self.assertTrue('00000056' in msg) + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("lockoutTime" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1x +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.assertTrue('00000775' in msg) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1x +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.assertTrue('00000775' in msg) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + try: + # Correct old password + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS2 +add: userPassword +userPassword: thatsAcomplPASS2x +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.assertTrue('0000775' in msg) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + + # Now reset the password, which does NOT change the lockout! + self.ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +replace: userPassword +userPassword: thatsAcomplPASS2 +""") + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("lockoutTime" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + try: + # Correct old password + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS2 +add: userPassword +userPassword: thatsAcomplPASS2x +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.assertTrue('0000775' in msg) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("lockoutTime" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + lockoutTime = res[0]["lockoutTime"][0] + + m = Message() + m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement( + str(dsdb.UF_LOCKOUT), + FLAG_MOD_REPLACE, "userAccountControl") + + self.ldb.modify(m) + + # This shows that setting the UF_LOCKOUT flag makes no difference + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime", "userAccountControl"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertTrue("lockoutTime"in res[0]) + self.assertEquals(res[0]["lockoutTime"][0], str(lockoutTime)) + self.assertTrue("userAccountControl" in res[0]) + self.assertTrue(int(res[0]["userAccountControl"][0]) & dsdb.UF_NORMAL_ACCOUNT == dsdb.UF_NORMAL_ACCOUNT) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + # This shows that setting the UF_LOCKOUT flag makes no difference + try: + # Correct old password + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.assertTrue('0000775' in msg) + + + def test_unicodePwd_lockout_with_clear_change(self): + print "Performs a password cleartext change operation on 'unicodePwd'" + # Notice: This works only against Windows if "dSHeuristics" has been set + # properly + + # Change password on a connection as another user + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, msg): + self.assertTrue('00000056' in msg) + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # Correct old password + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +""") + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, msg): + self.assertTrue('00000056' in msg) + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + self.assertEquals(res[0]["badPwdCount"][0], "2") + + print "two failed password change" + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, msg): + self.assertTrue('00000056' in msg) + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertTrue("lockoutTime" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.assertTrue('00000775' in msg) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertTrue("lockoutTime" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + + # Wrong old password + try: + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.assertTrue('00000775' in msg) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + try: + # Correct old password + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.assertTrue('0000775' in msg) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("lockoutTime" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid) + + acb_info = self.samr.QueryUserInfo(samr_user, 16) + self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL| samr.ACB_AUTOLOCK) + + acb_info.acct_flags = samr.ACB_NORMAL + + # Now reset the lockout, by removing ACB_AUTOLOCK (which removes the lock, despite being a generated attribute) + self.samr.SetUserInfo(samr_user, 16, acb_info) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("lockoutTime" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "0") + self.assertEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # Correct old password + self.ldb3.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """ +""") + + def _test_login_lockout(self, use_kerberos): + print "Performs a lockout attempt against LDAP using NTLM" + + # Change password on a connection as another user + + # Open a second LDB connection with the user credentials. Use the + # command line credentials for informations like the domain, the realm + # and the workstation. + creds_lockout = Credentials() + creds_lockout.set_username("testuser") + creds_lockout.set_domain(creds.get_domain()) + creds_lockout.set_realm(creds.get_realm()) + creds_lockout.set_workstation(creds.get_workstation()) + creds_lockout.set_gensec_features(creds_lockout.get_gensec_features() + | gensec.FEATURE_SEAL) + creds_lockout.set_kerberos_state(use_kerberos) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # Correct old password + creds_lockout.set_password("thatsAcomplPASS1") + + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "0") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + self.fail() + + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "2") + self.assertTrue("lockoutTime" not in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + print "two failed password change" + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + self.fail() + + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("lockoutTime" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("lockoutTime" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertTrue("lockoutTime" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + # The correct password + creds_lockout.set_password("thatsAcomplPASS1") + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "3") + self.assertNotEquals(res[0]["lockoutTime"][0], "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT) + + samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid) + + acb_info = self.samr.QueryUserInfo(samr_user, 16) + self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL| samr.ACB_AUTOLOCK) + + time.sleep(account_lockout_duration + 1) + + # The correct password after letting the timeout expire + creds_lockout.set_password("thatsAcomplPASS1") + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "0") + self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid) + + acb_info = self.samr.QueryUserInfo(samr_user, 16) + self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "2") + self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + time.sleep(lockout_observation_window + 1) + + # The wrong password + creds_lockout.set_password("thatsAcomplPASS1x") + try: + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_INVALID_CREDENTIALS) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "1") + self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + # The correct password without letting the timeout expire + creds_lockout.set_password("thatsAcomplPASS1") + ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp) + + res = ldb.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", + "lockoutTime"]) + self.assertTrue(len(res) == 1) + self.assertTrue("badPwdCount" in res[0]) + self.assertTrue("msDS-User-Account-Control-Computed" in res[0]) + self.assertEquals(res[0]["badPwdCount"][0], "0") + self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0") + self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0) + + samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid) + + acb_info = self.samr.QueryUserInfo(samr_user, 16) + self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL) + + + def test_login_lockout_ntlm(self): + self._test_login_lockout(DONT_USE_KERBEROS) + + + def test_login_lockout_kerberos(self): + self._test_login_lockout(MUST_USE_KERBEROS) + + + def tearDown(self): + super(PasswordTests, self).tearDown() + delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn) + delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn) + delete_force(self.ldb, "cn=testuser3,cn=users," + self.base_dn) + # Close the second LDB connection (with the user credentials) + self.ldb2 = None + +host_url = "ldap://%s" % host + +ldb = SamDB(url=host_url, session_info=system_session(lp), credentials=creds, lp=lp) + +# Gets back the basedn +base_dn = ldb.domain_dn() + +# Gets back the configuration basedn +configuration_dn = ldb.get_config_basedn().get_linearized() + +# Get the old "dSHeuristics" if it was set +dsheuristics = ldb.get_dsheuristics() + +res = ldb.search(base_dn, + scope=SCOPE_BASE, attrs=["lockoutDuration", "lockOutObservationWindow", "lockoutThreshold"]) + +if "lockoutDuration" in res[0]: + lockoutDuration = res[0]["lockoutDuration"][0] +else: + lockoutDuration = 0 + +if "lockoutObservationWindow" in res[0]: + lockoutObservationWindow = res[0]["lockoutObservationWindow"][0] +else: + lockoutObservationWindow = 0 + +if "lockoutThreshold" in res[0]: + lockoutThreshold = res[0]["lockoutThreshold"][0] +else: + lockoutTreshold = 0 + +m = Message() +m.dn = Dn(ldb, base_dn) + +account_lockout_duration = 10 +account_lockout_duration_ticks = -int(account_lockout_duration * (1e7)) + +m["lockoutDuration"] = MessageElement(str(account_lockout_duration_ticks), + FLAG_MOD_REPLACE, "lockoutDuration") + +account_lockout_threshold = 3 +m["lockoutThreshold"] = MessageElement(str(account_lockout_threshold), + FLAG_MOD_REPLACE, "lockoutThreshold") + +lockout_observation_window = 5 +lockout_observation_window_ticks = -int(lockout_observation_window * (1e7)) + +m["lockOutObservationWindow"] = MessageElement(str(lockout_observation_window_ticks), + FLAG_MOD_REPLACE, "lockOutObservationWindow") + +ldb.modify(m) + +# Set the "dSHeuristics" to activate the correct "userPassword" behaviour +ldb.set_dsheuristics("000000001") + +# Get the old "minPwdAge" +minPwdAge = ldb.get_minPwdAge() + +# Set it temporarely to "0" +ldb.set_minPwdAge("0") + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(PasswordTests)).wasSuccessful(): + rc = 1 + +# Reset the "dSHeuristics" as they were before +ldb.set_dsheuristics(dsheuristics) + +# Reset the "minPwdAge" as it was before +ldb.set_minPwdAge(minPwdAge) + +ldb.modify_ldif(""" +dn: """ + base_dn + """ +changetype: modify +replace: lockoutDuration +lockoutDuration: """ + str(lockoutDuration) + """ +replace: lockoutObservationWindow +lockoutObservationWindow: """ + str(lockoutObservationWindow) + """ +replace: lockoutThreshold +lockoutThreshold: """ + str(lockoutThreshold) + """ +""") + +sys.exit(rc) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index b3a7d214e5db..364292fb33d0 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -441,6 +441,7 @@ for env in ["dc", "fl2000dc", "fl2003dc", "fl2008r2dc"]: # isn't available on DCs with Windows 2000 domain function level - # therefore skip it in that configuration plantestsuite("samba4.ldap.passwords.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/tests/python/passwords.py"), "$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN"]) + plantestsuite("samba4.ldap.password_lockout.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/tests/python/password_lockout.py"), "$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN", "--realm=$REALM"]) planpythontestsuite("dc:local", "samba.tests.upgradeprovisionneeddc") planpythontestsuite("plugin_s4_dc:local", "samba.tests.posixacl") -- 2.34.1