def _check_account(self, dn,
badPwdCount=None,
badPasswordTime=None,
+ logonCount=None,
lastLogon=None,
lastLogonTimestamp=None,
lockoutTime=None,
"badPasswordTime",
"lastLogon",
"lastLogonTimestamp",
+ "logonCount",
"lockoutTime",
"userAccountControl",
"msDS-User-Account-Control-Computed"
self.assertTrue(len(res) == 1)
self._check_attribute(res, "badPwdCount", badPwdCount)
self._check_attribute(res, "badPasswordTime", badPasswordTime)
+ self._check_attribute(res, "logonCount", logonCount)
self._check_attribute(res, "lastLogon", lastLogon)
self._check_attribute(res, "lastLogonTimestamp", lastLogonTimestamp)
self._check_attribute(res, "lockoutTime", lockoutTime)
msDSUserAccountControlComputed)
lastLogon = int(res[0]["lastLogon"][0])
+ logonCount = int(res[0]["logonCount"][0])
samr_user = self._open_samr_user(res)
uinfo3 = self.samr.QueryUserInfo(samr_user, 3)
self.assertEquals(uinfo3.acct_flags, expected_acb_info)
self.assertEquals(uinfo3.bad_password_count, expected_bad_password_count)
self.assertEquals(uinfo3.last_logon, lastLogon)
+ self.assertEquals(uinfo3.logon_count, logonCount)
self.assertEquals(uinfo5.acct_flags, expected_acb_info)
self.assertEquals(uinfo5.bad_password_count, effective_bad_password_count)
self.assertEquals(uinfo5.last_logon, lastLogon)
+ self.assertEquals(uinfo5.logon_count, logonCount)
self.assertEquals(uinfo16.acct_flags, expected_acb_info)
self.assertEquals(uinfo21.acct_flags, expected_acb_info)
self.assertEquals(uinfo21.bad_password_count, effective_bad_password_count)
self.assertEquals(uinfo21.last_logon, lastLogon)
+ self.assertEquals(uinfo21.logon_count, logonCount)
# check LDAP again and make sure the samr.QueryUserInfo
# doesn't have any impact.
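Review bot: The added `logonCount = int(res[0]["logonCount"][0])` in `_check_account` indexes the attribute unconditionally and rebinds the `logonCount` parameter, so an entry returned without `logonCount` would surface as an indexing error rather than as a failed assertion naming the attribute. The parameter defaults to `None`, and what `_check_attribute` does with `None` is not visible here, so a caller that omits the argument may not have had the attribute's presence checked before this line. Reading it into a separate local such as `ldap_logon_count = int(res[0]["logonCount"][0])` and comparing `uinfo3`, `uinfo5` and `uinfo21` against that would keep the expected and observed values apart; the existing `lastLogon` line follows the same pattern. The body of `_check_account` starts and ends outside the visible lines.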
use_kerberos = creds.get_kerberos_state()
if use_kerberos == MUST_USE_KERBEROS:
+ logoncount_relation = 'greater'
lastlogon_relation = 'greater'
else:
+ logoncount_relation = 'equal'
if lockOutObservationWindow == 0:
lastlogon_relation = 'greater'
else:
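Review bot: Nothing near `logoncount_relation = 'equal'` says why a logon over NTLM is expected to leave `logonCount` unchanged while a Kerberos logon must raise it, and the same unexplained branch is added again in the `userPassword` change test, in `_test_login_lockout` and in the multiple-logon test. As written, the tests pin the counter as not moving for successful NTLM logons, which matters to anyone who reads `logonCount` as evidence of account use; whether that is intended server behaviour or a known gap cannot be told from this page. A comment at each site, for example `# logonCount is only expected to advance for Kerberos logons; NTLM is pinned as unchanged - TODO: reference the bug or spec`, would make the expectation reviewable. The enclosing test method starts and ends outside the hunk.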
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=0,
+ logonCount=0,
lastLogon=0,
lastLogonTimestamp=('absent', None),
userAccountControl=
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=0,
+ logonCount=0,
lastLogon=0,
lastLogonTimestamp=('absent', None),
userAccountControl=
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", 0),
+ logonCount=0,
lastLogon=0,
lastLogonTimestamp=('absent', None),
userAccountControl=
res = self._check_account(userdn,
badPwdCount=badPwdCount,
badPasswordTime=badPasswordTime,
+ logonCount=0,
lastLogon=0,
lastLogonTimestamp=('absent', None),
userAccountControl=
res = self._check_account(userdn,
badPwdCount=badPwdCount,
badPasswordTime=badPasswordTime,
+ logonCount=0,
lastLogon=0,
lastLogonTimestamp=('absent', None),
userAccountControl=
badPwdCount=badPwdCount,
effective_bad_password_count=effective_bad_password_count,
badPasswordTime=badPasswordTime,
+ logonCount=0,
lastLogon=0,
lastLogonTimestamp=('absent', None),
userAccountControl=
badPwdCount=badPwdCount,
effective_bad_password_count=effective_bad_password_count,
badPasswordTime=badPasswordTime,
+ logonCount=(logoncount_relation, 0),
lastLogon=(lastlogon_relation, 0),
lastLogonTimestamp=('greater', badPasswordTime),
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
+ logonCount = int(res[0]["logonCount"][0])
lastLogon = int(res[0]["lastLogon"][0])
lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
if lastlogon_relation == 'greater':
badPwdCount=badPwdCount,
effective_bad_password_count=effective_bad_password_count,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
use_kerberos = creds.get_kerberos_state()
if use_kerberos == MUST_USE_KERBEROS:
+ logoncount_relation = 'greater'
lastlogon_relation = 'greater'
print "Performs a password cleartext change operation on 'userPassword' using Kerberos"
else:
+ logoncount_relation = 'equal'
lastlogon_relation = 'equal'
print "Performs a password cleartext change operation on 'userPassword' using NTLMSSP"
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=("greater", 0),
+ logonCount=(logoncount_relation, 0),
lastLogon=(lastlogon_relation, 0),
lastLogonTimestamp=('greater', 0),
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
badPasswordTime = int(res[0]["badPasswordTime"][0])
+ logonCount = int(res[0]["logonCount"][0])
lastLogon = int(res[0]["lastLogon"][0])
lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
if lastlogon_relation == 'greater':
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=2,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=("greater", badPasswordTime),
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lockoutTime=lockoutTime,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lockoutTime=lockoutTime,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lockoutTime=0,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lockoutTime=0,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lockoutTime=0,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=2,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lockoutTime=0,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
"samr",
initial_lastlogon_relation='greater')
- def _test_unicodePwd_lockout_with_clear_change(self, creds, other_ldb):
+ def _test_unicodePwd_lockout_with_clear_change(self, creds, other_ldb,
+ initial_logoncount_relation=None):
print "Performs a password cleartext change operation on 'unicodePwd'"
username = creds.get_username()
userpass = creds.get_password()
userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
+ if initial_logoncount_relation is not None:
+ logoncount_relation = initial_logoncount_relation
+ else:
+ logoncount_relation = "greater"
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=("greater", 0),
+ logonCount=(logoncount_relation, 0),
lastLogon=("greater", 0),
lastLogonTimestamp=("greater", 0),
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
badPasswordTime = int(res[0]["badPasswordTime"][0])
+ logonCount = int(res[0]["logonCount"][0])
lastLogon = int(res[0]["lastLogon"][0])
lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
self.assertGreater(lastLogonTimestamp, badPasswordTime)
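Review bot: The new `initial_logoncount_relation=None` parameter is immediately mapped to `"greater"` by a four-line `if`/`else`, which a default of `initial_logoncount_relation="greater"` followed by `logoncount_relation = initial_logoncount_relation` would express directly, provided no caller passes `None` explicitly. The parameter is also undocumented, and the only visible caller that sets it is the NTLM variant passing `"equal"`, while `lastLogon=("greater", 0)` stays fixed for both mechanisms; a short comment naming the accepted relation strings and why the two attributes are treated differently would help. The function body continues past the end of this hunk.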
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=2,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=2,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=("greater", badPasswordTime),
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
res = self._check_account(userdn,
badPwdCount=2,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
res = self._check_account(userdn,
badPwdCount=2,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=("greater", badPasswordTime),
res = self._check_account(userdn,
badPwdCount=3, effective_bad_password_count=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3, effective_bad_password_count=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lockoutTime=lockoutTime,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
def test_unicodePwd_lockout_with_clear_change_ntlm(self):
self._test_unicodePwd_lockout_with_clear_change(self.lockout1ntlm_creds,
- self.lockout2ntlm_ldb)
+ self.lockout2ntlm_ldb,
+ initial_logoncount_relation="equal")
def _test_login_lockout(self, creds):
username = creds.get_username()
use_kerberos = creds.get_kerberos_state()
# This unlocks by waiting for account_lockout_duration
if use_kerberos == MUST_USE_KERBEROS:
+ logoncount_relation = 'greater'
lastlogon_relation = 'greater'
print "Performs a lockout attempt against LDAP using Kerberos"
else:
+ logoncount_relation = 'equal'
lastlogon_relation = 'equal'
print "Performs a lockout attempt against LDAP using NTLM"
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=("greater", 0),
+ logonCount=(logoncount_relation, 0),
lastLogon=("greater", 0),
lastLogonTimestamp=("greater", 0),
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
badPasswordTime = int(res[0]["badPasswordTime"][0])
+ logonCount = int(res[0]["logonCount"][0])
lastLogon = int(res[0]["lastLogon"][0])
firstLogon = lastLogon
lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=(logoncount_relation, logonCount),
lastLogon=('greater', lastLogon),
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
msDSUserAccountControlComputed=0,
msg='LLTimestamp is updated to lastlogon')
+ logonCount = int(res[0]["logonCount"][0])
lastLogon = int(res[0]["lastLogon"][0])
self.assertGreater(lastLogon, badPasswordTime)
self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=2,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=("greater", badPasswordTime),
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
res = self._check_account(userdn,
badPwdCount=3, effective_bad_password_count=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lockoutTime=lockoutTime,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=(logoncount_relation, logonCount),
lastLogon=(lastlogon_relation, lastLogon),
lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
msDSUserAccountControlComputed=0,
msg="lastLogon is way off")
+ logonCount = int(res[0]["logonCount"][0])
lastLogon = int(res[0]["lastLogon"][0])
# The wrong password
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lockoutTime=0,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=2,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lockoutTime=0,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=2, effective_bad_password_count=0,
badPasswordTime=badPasswordTime,
+ logonCount=logonCount,
lockoutTime=0,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
+ logonCount=logonCount,
lockoutTime=0,
lastLogon=lastLogon,
lastLogonTimestamp=lastLogonTimestamp,
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=(logoncount_relation, logonCount),
lockoutTime=0,
lastLogon=("greater", lastLogon),
lastLogonTimestamp=lastLogonTimestamp,
use_kerberos = creds.get_kerberos_state()
if use_kerberos == MUST_USE_KERBEROS:
print "Testing multiple logon with Kerberos"
+ logoncount_relation = 'greater'
lastlogon_relation = 'greater'
else:
print "Testing multiple logon with NTLM"
+ logoncount_relation = 'equal'
lastlogon_relation = 'equal'
SamDB(url=host_url, credentials=insta_creds(creds), lp=lp)
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=("greater", 0),
+ logonCount=(logoncount_relation, 0),
lastLogon=("greater", 0),
lastLogonTimestamp=("greater", 0),
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
badPasswordTime = int(res[0]["badPasswordTime"][0])
+ logonCount = int(res[0]["logonCount"][0])
lastLogon = int(res[0]["lastLogon"][0])
lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
firstLogon = lastLogon
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=(logoncount_relation, logonCount),
lastLogon=(lastlogon_relation, lastLogon),
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=badPasswordTime,
+ logonCount=(logoncount_relation, logonCount),
lastLogon=(lastlogon_relation, lastLogon),
lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=