samba.git/source4/dsdb/tests, branch talloc-2.3.4 Unnamed repository; edit this file 'description' to name the repository. tests/passwords: Add tests for password history with simple binds 2022-05-05T00:27:33+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-04-11T04:43:42+00:00 c294f729110f59b68c567bfe2b6da3a297a829a9 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/passwords: Remove unused imports 2022-05-05T00:27:33+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-04-11T04:37:10+00:00 08904752bba49039cf90534e6285defa17d23a0b Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest: Rework password_lockout_base.py to allow logon_basics test to be run in ad_dc_no_ntlm 2022-05-05T00:27:33+00:00 Andrew Bartlett abartlet@samba.org 2022-03-31T09:45:40+00:00 a9caf760b6f952461ecd4894b0cab1c2648f1e96 We need to ensure that even if NTLM is disabled, that the test can still bootstrap and fail normally. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> 
We need to ensure that even if NTLM is disabled, that the test
can still bootstrap and fail normally.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
s4:dsdb:tests: Also pass tests if asserted identity is present 2022-04-13T12:59:30+00:00 Andreas Schneider asn@samba.org 2022-01-24T12:04:23+00:00 9b03e31fba7aa726f3c481f18f9e9e5b4c96c381 We should make sure that we use NTLMSSP or Kerberos consistently for the tests and don't mix them. We're also much stricter and symmetric_difference() to check if the sets are actually the same. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> 
We should make sure that we use NTLMSSP or Kerberos consistently
for the tests and don't mix them.

We're also much stricter and symmetric_difference() to
check if the sets are actually the same.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
tests/sam: Ensure that Protected Users group cannot be deleted 2022-03-18T11:55:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-02T02:47:05+00:00 bf509bf7df1348f4793a32dea99c9ec3384c9ad0 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
tests/passwords: Test that LDAP password changes work for Protected Users 2022-03-18T11:55:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-09T00:57:47+00:00 410b8b7e06b879ec71b6cfd24b17be90233803a9 We want to disable SAMR password changes for Protected Users, but need to ensure that other methods of changing the password still work. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
We want to disable SAMR password changes for Protected Users, but need
to ensure that other methods of changing the password still work.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
tests/password_lockout: Test NTLM and SAMR password changes with Protected Users 2022-03-18T11:55:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-09T00:50:10+00:00 fd765aaa5b319ac997cb82b6fa296e6af2f67db9 Test that NTLM and SAMR password changes cannot be used for Protected Users, and that lockouts are not triggered for attempting to use them. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Test that NTLM and SAMR password changes cannot be used for Protected
Users, and that lockouts are not triggered for attempting to use them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest: Cope with LM hash not being stored in the tombstone_reanimation test 2022-03-17T01:57:38+00:00 Andrew Bartlett abartlet@samba.org 2022-02-15T23:56:41+00:00 45af51fd6e1fc29dfc682c778ea9e19762892cd2 The removal of LM hash storage changes the expected metadata. We do not need to track these values exactly to prove the behaviour here. This is not due to the changes in password_hash directly, which in update_final_msg() sets DSDB_FLAG_INTERNAL_FORCE_META_DATA to force a push out of the removed attribute to the replication state. However at the stage of a subsequent LDAP Delete there is no longer a lmPwdHistory nor dBCSPwd attribute, in the directory, so there is no subsequent version bump to remove them when building a tombstone. Samba's behaviour is different to that seen by Metze on windows 2022, where he sees dBCSPwd removed (for the no LM store case) but lmPwdHistory kept. We in Samba choose to differ, not storing an ambiguous LM hsitory (of "" values likely), so allowing any version for these two attributes is the sensible choice. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
The removal of LM hash storage changes the expected metadata.

We do not need to track these values exactly to prove the
behaviour here.

This is not due to the changes in password_hash directly, which in
update_final_msg() sets DSDB_FLAG_INTERNAL_FORCE_META_DATA to force
a push out of the removed attribute to the replication state.

However at the stage of a subsequent LDAP Delete there is no longer
a lmPwdHistory nor dBCSPwd attribute, in the directory, so there is
no subsequent version bump to remove them when building a tombstone.

Samba's behaviour is different to that seen by Metze on windows 2022,
where he sees dBCSPwd removed (for the no LM store case) but
lmPwdHistory kept.  We in Samba choose to differ, not storing an
ambiguous LM hsitory (of "" values likely), so allowing any version
for these two attributes is the sensible choice.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
rodc: Add tests for simple BIND alongside NTLMSSP binds 2022-03-10T03:16:35+00:00 Garming Sam garming@catalyst.net.nz 2019-04-01T02:46:48+00:00 62fb6c1dc8527db6cf0f08d4d06e8813707f767a BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dsdb/tests: add test_login_basics_simple() 2022-03-10T03:16:35+00:00 Stefan Metzmacher metze@samba.org 2022-03-04T20:53:06+00:00 3625d1381592f7af8ec14715c6c2dfa4d9f02676 This demonstrates that 'old password allowed period' also applies to LDAP simple binds and not only to GSS-SPNEGO/NTLMSSP binds. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This demonstrates that 'old password allowed period' also
applies to LDAP simple binds and not only to GSS-SPNEGO/NTLMSSP binds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>