tests: Add tests for domain pwdHistoryLength
authorTim Beale <timbeale@catalyst.net.nz>
Thu, 10 May 2018 21:29:01 +0000 (09:29 +1200)
committerGarming Sam <garming@samba.org>
Wed, 23 May 2018 04:55:32 +0000 (06:55 +0200)
This is not related to PSOs at all, but there's a minor discrepancy
between Windows and Samba password-history-length behaviour that I
noticed during PSO testing.

When the pwdHistoryLength changes from zero to non-zero, Windows
treats the user's current password as invalid immediately, whereas
Samba only treats it as invalid *after* the password next changes. It's a
fairly obscure corner-case, and we might not care enough about it to
fix it. However, I've added a test case to highlight the difference and
marked it as a known-fail for now.

I also added a general pwdHistoryLength test case to show that the
basics work (this didn't seem to be tested anywhere else).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
selftest/knownfail.d/password_settings [new file with mode: 0644]
source4/dsdb/tests/python/password_settings.py

diff --git a/selftest/knownfail.d/password_settings b/selftest/knownfail.d/password_settings
new file mode 100644 (file)
index 0000000..bbca928
--- /dev/null
@@ -0,0 +1,3 @@
+# highlights a minor corner-case discrepancy between Windows and Samba
+samba4.ldap.password_settings.python.password_settings.PasswordSettingsTestCase.test_domain_pwd_history_zero\(ad_dc_ntvfs\)
+
index 7712d2415978a823484a98fa16393e6f036bc315..a5de7fffd69fe28b38db1bce976e01733b33c301 100644 (file)
@@ -794,4 +794,66 @@ unicodePwd:: %s
 """ % (userdn, password)
         self.ldb.modify_ldif(ldif)
 
+    def set_domain_pwdHistoryLength(self, value):
+        m = ldb.Message()
+        m.dn = ldb.Dn(self.ldb, self.ldb.domain_dn())
+        m["pwdHistoryLength"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
+        self.ldb.modify(m)
+
+    def test_domain_pwd_history(self):
+        """Non-PSO test for domain's pwdHistoryLength setting"""
+
+        # restore the current pwdHistoryLength setting after the test completes
+        curr_hist_len = str(self.pwd_defaults.history_len)
+        self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)
+
+        self.set_domain_pwdHistoryLength("4")
+        user = self.add_user("testuser")
+
+        initial_pwd = user.get_password()
+        passwords = ["First12#", "Second12#", "Third12#", "Fourth12#"]
+
+        # we should be able to set the password to new values OK
+        for pwd in passwords:
+            self.assert_password_valid(user, pwd)
+
+        # the 2nd time round it should fail because they're in the history now
+        for pwd in passwords:
+            self.assert_password_invalid(user, pwd)
+
+        # but the initial password is now outside the history, so should be OK
+        self.assert_password_valid(user, initial_pwd)
+
+        # if we set the history to zero, all the old passwords should now be OK
+        self.set_domain_pwdHistoryLength("0")
+        for pwd in passwords:
+            self.assert_password_valid(user, pwd)
+
+    def test_domain_pwd_history_zero(self):
+        """Non-PSO test for pwdHistoryLength going from zero to non-zero"""
+
+        # restore the current pwdHistoryLength setting after the test completes
+        curr_hist_len = str(self.pwd_defaults.history_len)
+        self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)
+
+        self.set_domain_pwdHistoryLength("0")
+        user = self.add_user("testuser")
+
+        initial_pwd = user.get_password()
+        self.assert_password_valid(user, "NewPwd12#")
+        # we can set the exact same password again because there's no history
+        self.assert_password_valid(user, "NewPwd12#")
+
+        # There is a difference in behaviour here between Windows and Samba.
+        # When going from zero to non-zero password-history, Windows treats
+        # the current user's password as invalid (even though the password has
+        # not been altered since the setting changed). Whereas Samba accepts
+        # the current password (because it's not in the history until the
+        # *next* time the user's password changes.
+        self.set_domain_pwdHistoryLength("1")
+        self.assert_password_invalid(user, "NewPwd12#")
+
+
+
+
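Review bot: In `test_domain_pwd_history_zero`, `initial_pwd = user.get_password()` is assigned but never used, so the line can be dropped. The comment above the final `set_domain_pwdHistoryLength("1")` call opens a parenthesis at "(because it's not in the history" and never closes it; closing it after "changes" fixes that. The same comment could state the policy consequence in one line, e.g. `# i.e. on Samba a user can re-set their current password once after history is first enabled`, so that anyone reading the known-fail entry sees why the discrepancy matters for password-reuse enforcement. `set_domain_pwdHistoryLength` has no docstring, and every caller in the hunk passes a string; `"""Replace pwdHistoryLength on the domain DN; value is a string such as "4"."""` would document that.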