testprogs: Test only what the Heimdal kpasswd test should test

The test_password_settings.sh test does test using different password
settings and is not specific to the kpasswd implementation. This
test tests the kpasswd service.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/selftest/knownfail b/selftest/knownfail
index 2f6a66b85a7685f4222228bbb9fea5c6b51c56f2..10515185d3ff3e9a534861c58c52445249bc3765 100644 (file)
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -142,7 +142,6 @@
 ^samba4.smb2.getinfo.qsec_buffercheck # S4 does not do the BUFFER_TOO_SMALL thingy
 ^samba4.ntvfs.cifs.krb5.base.createx_access.createx_access\(.*\)$
 ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
-^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change
 ^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
 ^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
 ^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 19a41dc2ece152e17da2f0696173a0cf5db3e0f4..61d9a821058cd088a350b484e219667601c56fce 100755 (executable)
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -393,7 +393,7 @@ if have_heimdal_support:
     plantestsuite("samba4.blackbox.kinit_trust(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest", "aes256-cts-hmac-sha1-96"])
     plantestsuite("samba4.blackbox.kinit_trust(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"])
     plantestsuite("samba4.blackbox.export.keytab(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
-    plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs", smbclient4])
+    plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
 
 plantestsuite("samba4.blackbox.trust_utils(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest"])
 plantestsuite("samba4.blackbox.trust_utils(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])

diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh
index 61d546162aa5de982c30a0a8532845a6360aeb78..7e3daed8467bf26c01d906e6a328ad6e4b8bdd1d 100755 (executable)
--- a/testprogs/blackbox/test_kpasswd_heimdal.sh
+++ b/testprogs/blackbox/test_kpasswd_heimdal.sh
@@ -1,9 +1,11 @@
 #!/bin/sh
-# Blackbox tests for kinit and kerberos integration with smbclient etc
+# Blackbox tests for chainging passwords with kinit and kpasswd
+#
 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+# Copyright (C) 2016      Andreas Schneider <asn@samba.org>
 
-if [ $# -lt 5 ]; then
+if [ $# -lt 6 ]; then
 cat <<EOF
 Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
 EOF
@@ -16,41 +18,32 @@ PASSWORD=$3
 REALM=$4
 DOMAIN=$5
 PREFIX=$6
-smbclient=$7
-shift 7
+shift 6
 failed=0
 
-samba4bindir="$BINDIR"
-samba4kinit=kinit
-if test -x $BINDIR/samba4kinit; then
-       samba4kinit=$BINDIR/samba4kinit
-fi
+samba_bindir="$BINDIR"
 
-samba_tool="$samba4bindir/samba-tool"
-net_tool="$samba4bindir/net"
-smbpasswd="$samba4bindir/smbpasswd"
-texpect="$samba4bindir/texpect"
-samba4kpasswd=kpasswd
-if test -x $BINDIR/samba4kpasswd; then
-       samba4kpasswd=$BINDIR/samba4kpasswd
-fi
+smbclient="$samba_bindir/smbclient"
+samba_kinit=$samba_bindir/samba4kinit
+samba_kpasswd=$samba_bindir/samba4kpasswd
+
+samba_tool="$samba_bindir/samba-tool"
+net_tool="$samba_bindir/net"
+texpect="$samba_bindir/texpect"
 
 newuser="$samba_tool user create"
-unc="//$SERVER/tmp"
+SMB_UNC="//$SERVER/tmp"
 
 . `dirname $0`/subunit.sh
 . `dirname $0`/common_test_fns.inc
 
 do_kinit() {
-       file="$1"
+       principal="$1"
        password="$2"
        shift
        shift
-       if test -x $BINDIR/samba4kinit; then
-               $samba4kinit --password-file=$file --request-pac $@
-       else
-               echo $password | $samba4kinit $@
-       fi
+       echo $password > $PREFIX/tmppassfile
+       $samba_kinit --password-file=$PREFIX/tmppassfile $principal $@
 }
 
 UID_WRAPPER_ROOT=1
@@ -59,207 +52,166 @@ export UID_WRAPPER_ROOT
 CONFIG="--configfile=$PREFIX/etc/smb.conf"
 export CONFIG
 
-testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
+testit "reset password policies beside of minimum password age of 0 days" \
+       $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
 
-USERPASS=testPaSS@00%
+TEST_USERNAME="$(mktemp -u alice-XXXXXX)"
+TEST_PRINCIPAL="$TEST_USERNAME@$REALM"
+TEST_PASSWORD="testPaSS@00%"
+TEST_PASSWORD_NEW="testPaSS@01%"
+TEST_PASSWORD_SHORT="secret"
+TEST_PASSWORD_WEAK="Supersecret"
 
-testit "create user locally" $VALGRIND $newuser $CONFIG nettestuser $USERPASS $@ || failed=`expr $failed + 1`
+testit "create user locally" \
+       $VALGRIND $newuser $CONFIG $TEST_USERNAME $TEST_PASSWORD || failed=`expr $failed + 1`
 
 KRB5CCNAME="$PREFIX/tmpuserccache"
 export KRB5CCNAME
 
-echo $USERPASS > $PREFIX/tmpuserpassfile
-
-testit "kinit with user password" do_kinit $PREFIX/tmpuserpassfile $USERPASS nettestuser@$REALM   || failed=`expr $failed + 1`
+testit "kinit with user password" \
+       do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
 
-test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache" \
+       "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
 
-NEWUSERPASS=testPaSS@01%
-testit "change user password with 'samba-tool user password' (unforced)" $VALGRIND $samba_tool user password -W$DOMAIN -U$DOMAIN/nettestuser%$USERPASS  -k no --newpassword=$NEWUSERPASS $@ || failed=`expr $failed + 1`
+testit "change user password with 'samba-tool user password' (unforced)" \
+       $VALGRIND $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1`
 
-echo $NEWUSERPASS > ./tmpuserpassfile
-testit "kinit with user password" do_kinit ./tmpuserpassfile $NEWUSERPASS nettestuser@$REALM   || failed=`expr $failed + 1`
+TEST_PASSWORD_OLD=$TEST_PASSWORD
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@02%"
 
-test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+testit "kinit with user password" \
+       do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
 
-#
-# These tests demonstrate that a credential cache in the environment does not
-# override a username/password, even an incorrect one, on the command line
-#
+test_smbclient "Test login with user kerberos ccache" \
+       "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
 
-testit_expect_failure  "Test login with user kerberos ccache, but wrong password specified" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k yes -Unettestuser@$REALM%wrongpass && failed=`expr $failed + 1`
-testit_expect_failure  "Test login with user kerberos ccache, but old password specified" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k yes -Unettestuser@$REALM%$USERPASS && failed=`expr $failed + 1`
-
-
-USERPASS=$NEWUSERPASS
-WEAKPASS=testpass1
-NEWUSERPASS=testPaSS@02%
-
-# password mismatch check doesn't work yet (kpasswd bug, reported to Love)
-#echo "check that password mismatch gives the right error"
-#cat > ./tmpkpasswdscript <<EOF
-#expect Password
-#password ${USERPASS}\n
-#expect New password
-#send ${WEAKPASS}\n
-#expect New password
-#send ${NEWUSERPASS}\n
-#expect password mismatch
-#EOF
-#
-#testit "change user password with kpasswd" $texpect ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
+###########################################################
+### check that a short password is rejected
+###########################################################
 
-
-echo "check that a weak password is rejected"
-cat > ./tmpkpasswdscript <<EOF
+cat > $PREFIX/tmpkpasswdscript <<EOF
 expect Password
-password ${USERPASS}\n
+password ${TEST_PASSWORD}\n
 expect New password
-send ${WEAKPASS}\n
-expect New password
-send ${WEAKPASS}\n
-expect Password does not meet complexity requirements
+send ${TEST_PASSWORD_SHORT}\n
+expect Verify password
+send ${TEST_PASSWORD_SHORT}\n
+expect Password too short
 EOF
 
-testit "change to weak user password with kpasswd" $texpect ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
+testit "kpasswd check short user password" \
+       $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=`expr $failed + 1`
+
+###########################################################
+### check that a weak password is rejected
+###########################################################
 
 echo "check that a short password is rejected"
 cat > ./tmpkpasswdscript <<EOF
 expect Password
-password ${USERPASS}\n
-expect New password
-send xx1\n
+password ${TEST_PASSWORD}\n
 expect New password
-send xx1\n
-expect Password too short
+send $TEST_PASSWORD_WEAK\n
+expect Verify password
+send $TEST_PASSWORD_WEAK\n
+expect Password does not meet complexity requirements
 EOF
 
-testit "change to short user password with kpasswd" $texpect ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
+testit "kpasswd check weak user password" \
+       $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=`expr $failed + 1`
 
+###########################################################
+### check that a strong password is accepted
+###########################################################
 
-echo "check that a strong new password is accepted"
 cat > ./tmpkpasswdscript <<EOF
 expect Password
-password ${USERPASS}\n
+password ${TEST_PASSWORD}\n
 expect New password
-send ${NEWUSERPASS}\n
-expect New password
-send ${NEWUSERPASS}\n
+send ${TEST_PASSWORD_NEW}\n
+expect Verify password
+send ${TEST_PASSWORD_NEW}\n
 expect Success
 EOF
 
-testit "change user password with kpasswd" $texpect ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
+testit "kpasswd change user password" \
+       $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=`expr $failed + 1`
 
-test_smbclient "Test login with user kerberos (unforced)" 'ls' "$unc" -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@03%"
 
-NEWUSERPASS=testPaSS@03%
+###########################################################
+### Force password change at login
+###########################################################
 
-echo "set password with smbpasswd"
-cat > ./tmpsmbpasswdscript <<EOF
-expect New SMB password:
-send ${NEWUSERPASS}\n
-expect Retype new SMB password:
-send ${NEWUSERPASS}\n
-EOF
+testit "set password on user locally" \
+       $VALGRIND $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=`expr $failed + 1`
 
-testit "set user password with smbpasswd" $texpect ./tmpsmbpasswdscript $smbpasswd -L -c $PREFIX/etc/smb.conf nettestuser || failed=`expr $failed + 1`
-USERPASS=$NEWUSERPASS
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@04%"
 
-test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+rm -f $PREFIX/tmpuserccache
 
-
-NEWUSERPASS=testPaSS@04%
-testit "set password on user locally" $VALGRIND $samba_tool user setpassword nettestuser $CONFIG --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
-USERPASS=$NEWUSERPASS
-
-NEWUSERPASS=testPaSS@05%
-testit "change user password with 'samba-tool user password' (after must change flag set)" $VALGRIND $samba_tool user password -W$DOMAIN -U$DOMAIN/nettestuser%$USERPASS -k no --newpassword=$NEWUSERPASS $@ || failed=`expr $failed + 1`
-USERPASS=$NEWUSERPASS
-
-NEWUSERPASS=testPaSS@06%
-testit "set password on user locally" $VALGRIND $samba_tool user setpassword $CONFIG nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
-USERPASS=$NEWUSERPASS
-
-NEWUSERPASS=testPaSS@07%
-
-cat > ./tmpkpasswdscript <<EOF
+cat > $PREFIX/tmpkinitscript <<EOF
 expect Password
-password ${USERPASS}\n
-expect New password
-send ${NEWUSERPASS}\n
+password ${TEST_PASSWORD}\n
+expect Changing password
 expect New password
-send ${NEWUSERPASS}\n
+send ${TEST_PASSWORD_NEW}\n
+expect Repeat new password
+send ${TEST_PASSWORD_NEW}\n
 expect Success
 EOF
 
-testit "change user password with kpasswd (after must change flag set)" $texpect ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
-USERPASS=$NEWUSERPASS
-
-test_smbclient "Test login with user kerberos" 'ls' "$unc" -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
-
-NEWUSERPASS=testPaSS@08%
-testit "set password on user locally" $VALGRIND $samba_tool user setpassword $CONFIG nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
-USERPASS=$NEWUSERPASS
-
-NEWUSERPASS=testPaSS@09%
-
-cat > ./tmpsmbpasswdscript <<EOF
-expect Old SMB password:
-password ${USERPASS}\n
-expect New SMB password:
-send ${NEWUSERPASS}\n
-expect Retype new SMB password:
-send ${NEWUSERPASS}\n
-EOF
-
-testit "change user password with smbpasswd (after must change flag set)" $texpect ./tmpsmbpasswdscript $smbpasswd -r $SERVER  -c $PREFIX/etc/smb.conf -U nettestuser || failed=`expr $failed + 1`
-
-USERPASS=$NEWUSERPASS
-
-test_smbclient "Test login with user kerberos" 'ls' "$unc" -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
-
-NEWUSERPASS=abcdefg
-testit_expect_failure "try to set a non-complex password (command should not succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ && failed=`expr $failed + 1`
-
-testit "allow non-complex passwords" $VALGRIND $samba_tool domain passwordsettings set $CONFIG --complexity=off || failed=`expr $failed + 1`
-
-testit "try to set a non-complex password (command should succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ || failed=`expr $failed + 1`
-USERPASS=$NEWUSERPASS
+testit "kinit and change user password" \
+       $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=`expr $failed + 1`
 
-test_smbclient "test login with non-complex password" 'ls' "$unc" -k no -Unettestuser@$REALM%$USERPASS || failed=`expr $failed + 1`
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@07%"
 
-NEWUSERPASS=abc
-testit_expect_failure "try to set a short password (command should not succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ && failed=`expr $failed + 1`
+test_smbclient "Test login with user (kerberos)" \
+       "ls" "$SMB_UNC" -k yes -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
 
-testit "allow short passwords (length 1)" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --min-pwd-length=1 || failed=`expr $failed + 1`
+###########################################################
+### Test kpasswd service via 'net ads password'
+###########################################################
 
-testit "try to set a short password (command should succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ || failed=`expr $failed + 1`
-USERPASS="$NEWUSERPASS"
+# NOTE: This works with heimdal because the krb5_set_password function tries
+# set_password call first and falls back to change_password if it doesn't
+# succeed.
+testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \
+       $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=`expr $failed + 1`
 
-# test kpasswd via net ads password (change variant)
-NEWUSERPASS="testPaSS@10%"
-testit "change user password with 'net ads password', admin: $DOMAIN/nettestuser, target: nettestuser@$REALM" $VALGRIND $net_tool ads password -W$DOMAIN -Unettestuser@$REALM%$USERPASS nettestuser@$REALM "$NEWUSERPASS" $@ || failed=`expr $failed + 1`
-USERPASS="$NEWUSERPASS"
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@08%"
 
-test_smbclient "Test login with smbclient" 'ls' "$unc" -k no -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+test_smbclient "Test login with smbclient (ntlm)" \
+       "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
 
-# test kpasswd via net ads password (admin set variant)
-NEWUSERPASS="testPaSS@11%"
-testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: nettestuser@$REALM" $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD nettestuser@$REALM "$NEWUSERPASS" $@ || failed=`expr $failed + 1`
-USERPASS="$NEWUSERPASS"
+###########################################################
+### Test kpasswd service via 'net ads password' as admin
+###########################################################
 
-test_smbclient "Test login with smbclient" 'ls' "$unc" -k no -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \
+       $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=`expr $failed + 1`
 
-testit "require minimum password age of 1 day" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --min-pwd-age=1 || failed=`expr $failed + 1`
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@07%"
 
-testit "show password settings" $VALGRIND $samba_tool domain passwordsettings $CONFIG show || failed=`expr $failed + 1`
+test_smbclient "Test login with smbclient (ntlm)" \
+       "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
 
-NEWUSERPASS="testPaSS@08%"
-testit_expect_failure "try to change password too quickly (command should not succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ && failed=`expr $failed + 1`
+###########################################################
+### Cleanup
+###########################################################
 
-testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
+testit "reset password policies" \
+       $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
 
-testit "del user" $VALGRIND $samba_tool user delete nettestuser -U"$USERNAME%$PASSWORD" $CONFIG -k no $@ || failed=`expr $failed + 1`
+testit "delete user" \
+       $VALGRIND $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no  || failed=`expr $failed + 1`
 
-rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript tmpsmbpasswdscript
+rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript
 exit $failed