tests/rodc: Check SID restriction for SendToSam
authorGarming Sam <garming@catalyst.net.nz>
Wed, 26 Apr 2017 04:32:51 +0000 (16:32 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 30 May 2017 06:06:07 +0000 (08:06 +0200)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail
source4/dsdb/tests/python/rodc_rwdc.py

index c6047c854455802db1e5110d7c0c49142d809345..6a98cd4b55b35967bc3521964270ef67862614d9 100644 (file)
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
 ^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
+^samba4.ldap.rodc_rwdc.python\(rodc\).__main__.RodcRwdcCachedTests.test_login_lockout_not_revealed
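Review bot: The new knownfail entry lists `test_login_lockout_not_revealed` as an expected failure in the `(rodc)` environment in the same commit that introduces the test, so the SID restriction on SendToSam that the test checks is, for that environment, a documented gap rather than an enforced check. The two preceding entries carry an explanatory comment only for the referral case; a line such as `# SendToSam from an RODC is not yet restricted to users the RODC may reveal` above the new pattern would tell a reader why this one is expected to fail and when it can be removed. The pattern also anchors on `\(rodc\)` rather than the `.*` the previous entry uses, which reads as deliberate but is worth confirming against the other test environments.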
index 87d1257d97f2a3d0ff099c14c572efd763e42e33..b2b5dbdb1a53dd73b60c865623d281ae1553a613 100644 (file)
@@ -283,6 +283,78 @@ class RodcRwdcCachedTests(password_lockout_base.BasePasswordTestCase):
 
         self._test_login_lockout_rodc_rwdc(self.lockout1ntlm_creds, userdn)
 
+    def test_login_lockout_not_revealed(self):
+        '''Test that SendToSam is restricted by preloaded users/groups'''
+
+        username = self.lockout1ntlm_creds.get_username()
+        userpass = self.lockout1ntlm_creds.get_password()
+        userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
+
+        # Preload but do not add to revealed group
+        preload_rodc_user(userdn)
+
+        self.kerberos = False
+
+        creds = self.lockout1ntlm_creds
+
+        # Open a second LDB connection with the user credentials. Use the
+        # command line credentials for informations like the domain, the realm
+        # and the workstation.
+        creds_lockout = self.insta_creds(creds)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+
+        self.assertLoginFailure(self.host_url, creds_lockout, self.lp)
+
+        badPasswordTime = 0
+        logonCount = 0
+        lastLogon = 0
+        lastLogonTimestamp=0
+        logoncount_relation = ''
+        lastlogon_relation = ''
+
+        res = self._check_account(userdn,
+                                  badPwdCount=1,
+                                  badPasswordTime=("greater", badPasswordTime),
+                                  logonCount=logonCount,
+                                  lastLogon=lastLogon,
+                                  lastLogonTimestamp=lastLogonTimestamp,
+                                  userAccountControl=
+                                    dsdb.UF_NORMAL_ACCOUNT,
+                                  msDSUserAccountControlComputed=0,
+                                  msg='lastlogontimestamp with wrong password')
+        badPasswordTime = int(res[0]["badPasswordTime"][0])
+
+        # BadPwdCount on RODC increases alongside RWDC
+        res = self.rodc_db.search(userdn, attrs=['badPwdCount'])
+        self.assertTrue('badPwdCount' in res[0])
+        self.assertEqual(int(res[0]['badPwdCount'][0]), 1)
+
+        # Correct old password
+        creds_lockout.set_password(userpass)
+
+        ldb_lockout = SamDB(url=self.host_url, credentials=creds_lockout, lp=self.lp)
+
+        # Wait for potential SendToSam...
+        time.sleep(5)
+
+        # BadPwdCount on RODC decreases, but not the RWDC
+        res = self._check_account(userdn,
+                                  badPwdCount=1,
+                                  badPasswordTime=badPasswordTime,
+                                  logonCount=(logoncount_relation, logonCount),
+                                  lastLogon=('greater', lastLogon),
+                                  lastLogonTimestamp=lastLogonTimestamp,
+                                  userAccountControl=
+                                    dsdb.UF_NORMAL_ACCOUNT,
+                                  msDSUserAccountControlComputed=0,
+                                  msg='badPwdCount not reset on RWDC')
+
+        res = self.rodc_db.search(userdn, attrs=['badPwdCount'])
+        self.assertTrue('badPwdCount' in res[0])
+        self.assertEqual(int(res[0]['badPwdCount'][0]), 0)
+
     def _test_login_lockout_rodc_rwdc(self, creds, userdn):
         username = creds.get_username()
         userpass = creds.get_password()
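Review bot: The `time.sleep(5)` under "Wait for potential SendToSam..." makes the RWDC `badPwdCount=1` check a timing-dependent negative assertion: if a SendToSam for a non-revealed user were accepted but applied after the window, the restriction would be missing and the test would still pass, so either poll the RWDC for a bounded period for the value *not* changing or record the limitation with `# NOTE: a delayed SendToSam past this window would not be detected here`. Two locals are dead: `lastlogon_relation` is never read, and `ldb_lockout` is kept only for its bind side effect, so `SamDB(url=self.host_url, credentials=creds_lockout, lp=self.lp)  # successful bind (presumably via the RODC, per the comments below)` without the assignment states the intent. The docstring describes the mechanism rather than the property; `'''A successful logon via the RODC must not reset badPwdCount on the RWDC for a user the RODC is not allowed to reveal'''` is what the last two checks actually assert. The enclosing class `RodcRwdcCachedTests` starts before the hunk, and `_test_login_lockout_rodc_rwdc` continues past its end.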