The Samba-Bugzilla – Attachment 15032 Details for
Bug 13879
Simple bind doesn't work against an RODC (with non-preloaded users)
[patch]
Test that fails currently
patch (text/plain), 6.29 KB, created by
Garming Sam
on 2019-04-02 01:08:05 UTC
Description:
Test that fails currently
Filename:
MIME Type:
Creator:
Garming Sam
Created:
2019-04-02 01:08:05 UTC
Size:
6.29 KB
patch
obsolete
>From f0aa84921e1cc93b068e10d52e9f7b3a0541395b Mon Sep 17 00:00:00 2001
>From: Garming Sam <garming@catalyst.net.nz>
>Date: Mon, 1 Apr 2019 15:46:48 +1300
>Subject: [PATCH] rodc: Add tests for simple BIND alongside NTLMSSP binds
>
>Signed-off-by: Garming Sam <garming@catalyst.net.nz>
>---
> source4/dsdb/tests/python/rodc_rwdc.py | 59 ++++++++++++++++----------
> 1 file changed, 37 insertions(+), 22 deletions(-)
>
>diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py
>index c2c41634b8c..debc73d09fb 100644
>--- a/source4/dsdb/tests/python/rodc_rwdc.py
>+++ b/source4/dsdb/tests/python/rodc_rwdc.py
>@@ -44,7 +44,7 @@ class RodcRwdcTestException(Exception):
> pass
>
>
>-def make_creds(username, password, kerberos_state=None):
>+def make_creds(username, password, kerberos_state=None, simple_dn=None):
> # use the global CREDS as a template
> c = Credentials()
> c.set_username(username)
>@@ -53,6 +53,9 @@ def make_creds(username, password, kerberos_state=None):
> c.set_realm(CREDS.get_realm())
> c.set_workstation(CREDS.get_workstation())
>
>+ if simple_dn is not None:
>+ c.set_bind_dn(simple_dn)
>+
> if kerberos_state is None:
> kerberos_state = CREDS.get_kerberos_state()
> c.set_kerberos_state(kerberos_state)
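Review bot: The new `simple_dn` parameter of make_creds is undocumented, and the function has no docstring at all, so a reader has to infer from the commit subject what a bind DN is for here; a one-line comment above the new `if simple_dn is not None:` would do, e.g. `# A bind DN switches the credentials to an LDAP simple bind (presumably instead of the NTLMSSP path) — confirm against Credentials.set_bind_dn`. The `simple_dn` / `kerberos_state` interaction is also left implicit: nothing visible prevents a caller passing a bind DN together with a Kerberos state, and a comment stating whether that combination is meaningful would save the next reader a trip into the Credentials code. make_creds continues past the end of the second hunk.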
>@@ -1016,10 +1019,14 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
> "add: userPassword\n"
> "userPassword: %s\n" % (user_dn, old_password, new_password))
>
>- def try_ldap_logon(self, server, creds, errno=None):
>+ def try_ldap_logon(self, server, creds, errno=None, simple=False):
> try:
>- tmpdb = SamDB('ldap://%s' % server, credentials=creds,
>- session_info=system_session(LP), lp=LP)
>+ if simple:
>+ tmpdb = SamDB('ldaps://%s' % server, credentials=creds,
>+ session_info=system_session(LP), lp=LP)
>+ else:
>+ tmpdb = SamDB('ldap://%s' % server, credentials=creds,
>+ session_info=system_session(LP), lp=LP)
> if errno is not None:
> self.fail("logon failed to fail with ldb error %s" % errno)
> except ldb.LdbError as e10:
>@@ -1038,19 +1045,23 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
> if min_pwd_age != 0:
> self.rwdc_db.set_minPwdAge('0')
>
>- def _test_ldap_change_password(self, errno=None):
>+ def _test_ldap_change_password(self, errno=None, simple=False):
> self.zero_min_password_age()
>
> dn, username, password = self._new_user()
>- creds1 = make_creds(username, password)
>+
>+ simple_dn = dn if simple else None
>+
>+ creds1 = make_creds(username, password, simple_dn=simple_dn)
>
> # With NTLM, this should fail on RODC before replication,
> # because the user isn't known.
>- self.try_ldap_logon(RODC, creds1, ldb.ERR_INVALID_CREDENTIALS)
>+ self.try_ldap_logon(RODC, creds1, ldb.ERR_INVALID_CREDENTIALS,
>+ simple=simple)
> self.force_replication()
>
> # Now the user is replicated to RODC, so logon should work
>- self.try_ldap_logon(RODC, creds1)
>+ self.try_ldap_logon(RODC, creds1, simple=simple)
>
> passwords = ['password#%s' % i for i in range(1, 6)]
> for prev, password in zip(passwords[:-1], passwords[1:]):
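Review bot: The two branches added to try_ldap_logon duplicate the whole SamDB call and differ only in the URL scheme, and the reason the simple path is pinned to `ldaps://` is not stated anywhere; a simple bind carries the password itself, so it must not go over a plain `ldap://` connection, and that is worth a comment so nobody later "simplifies" the two branches into one `ldap://` call. The duplication collapses to `scheme = 'ldaps' if simple else 'ldap'  # simple bind sends the password, so TLS only`, `tmpdb = SamDB('%s://%s' % (scheme, server), credentials=creds,`, `session_info=system_session(LP), lp=LP)`. In the second hunk, `_test_ldap_change_password` now also runs the simple-bind path, but the comment `# With NTLM, this should fail on RODC before replication,` (and the NTLM-specific comments in the following hunk: "For NTLM, the old creds should always fail", "new creds work straight away with NTLM") still describe only NTLM; `# With NTLM or a simple bind, this should fail on RODC before replication,` keeps them accurate, and the new `simple` parameter deserves a line in the method's docstring saying it binds as `dn` over ldaps instead of NTLMSSP. Both try_ldap_logon and _test_ldap_change_password continue outside their hunks.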
>@@ -1059,40 +1070,40 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
> # The password has changed enough times to make the old
> # password invalid (though with kerberos that doesn't matter).
> # For NTLM, the old creds should always fail
>- self.try_ldap_logon(RODC, creds1, errno)
>- self.try_ldap_logon(RWDC, creds1, errno)
>+ self.try_ldap_logon(RODC, creds1, errno, simple=simple)
>+ self.try_ldap_logon(RWDC, creds1, errno, simple=simple)
>
>- creds2 = make_creds(username, password)
>+ creds2 = make_creds(username, password, simple_dn=simple_dn)
>
> # new creds work straight away with NTLM, because although it
> # doesn't have the password, it knows the user and forwards
> # the query.
>- self.try_ldap_logon(RODC, creds2)
>- self.try_ldap_logon(RWDC, creds2)
>+ self.try_ldap_logon(RODC, creds2, simple=simple)
>+ self.try_ldap_logon(RWDC, creds2, simple=simple)
>
> self.force_replication()
>
> # After another replication check RODC still works and fails,
> # as appropriate to various creds
>- self.try_ldap_logon(RODC, creds2)
>- self.try_ldap_logon(RODC, creds1, errno)
>+ self.try_ldap_logon(RODC, creds2, simple=simple)
>+ self.try_ldap_logon(RODC, creds1, errno, simple=simple)
>
> prev = password
> password = 'password#6'
> self._change_password(dn, prev, password)
>- creds3 = make_creds(username, password)
>+ creds3 = make_creds(username, password, simple_dn=simple_dn)
>
> # previous password should still work.
>- self.try_ldap_logon(RWDC, creds2)
>- self.try_ldap_logon(RODC, creds2)
>+ self.try_ldap_logon(RWDC, creds2, simple=simple)
>+ self.try_ldap_logon(RODC, creds2, simple=simple)
>
> # new password should still work.
>- self.try_ldap_logon(RWDC, creds3)
>- self.try_ldap_logon(RODC, creds3)
>+ self.try_ldap_logon(RWDC, creds3, simple=simple)
>+ self.try_ldap_logon(RODC, creds3, simple=simple)
>
> # old password should still fail (but not on kerberos).
>- self.try_ldap_logon(RWDC, creds1, errno)
>- self.try_ldap_logon(RODC, creds1, errno)
>+ self.try_ldap_logon(RWDC, creds1, errno, simple=simple)
>+ self.try_ldap_logon(RODC, creds1, errno, simple=simple)
>
> def test_ldap_change_password_kerberos(self):
> CREDS.set_kerberos_state(MUST_USE_KERBEROS)
>@@ -1102,6 +1113,10 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
> CREDS.set_kerberos_state(DONT_USE_KERBEROS)
> self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS)
>
>+ def test_ldap_change_password_simple_bind(self):
>+ CREDS.set_kerberos_state(DONT_USE_KERBEROS)
>+ self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS)
>+
> def _test_ldap_change_password_reveal_on_demand(self, errno=None):
> self.zero_min_password_age()
>
>-- 
>2.17.1
>
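Review bot: The new test_ldap_change_password_simple_bind never exercises the simple-bind path: its body is the same two lines as the preceding NTLM test (`CREDS.set_kerberos_state(DONT_USE_KERBEROS)` then `self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS)`), so `simple` stays at its default of False, `simple_dn` is None, and every logon still goes over `ldap://` with NTLMSSP. Given the attachment is meant to reproduce the simple-bind failure against the RODC, the call presumably should read `self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS, simple=True)`; as written it is a duplicate of the NTLM test and will pass or fail exactly as that one does. Whether ERR_INVALID_CREDENTIALS is also the right expected error for a failed simple bind before replication is not something the hunk shows, so it is worth confirming once the flag is actually passed.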