summaryrefslogtreecommitdiff
path: root/source4/dsdb/tests/python
AgeCommit message (Collapse)AuthorFilesLines
2015-12-24dsdb subnets: warn when an IPv6 address is in IPv4 embedding rangeDouglas Bagnall1-0/+32
We fail on these ones, and it isn't immediately obvious why. Windows also fails on *most* of them, but succeeds on "::ffff:0:0" which is a bit strange but there you go. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Dec 24 07:16:25 CET 2015 on sn-devel-144
2015-12-24samldb: ensure subnets have proper net rangesDouglas Bagnall1-0/+288
A subnet name needs to be a valid CIDR address range -- that's the ones that look like 10.9.8.0/22, where the number after the / determines how many bits are in the address suffix. It can be IPv4 or IPv6. There are a few odd constraints (see MS-ADTS v20150630 6.1.1.2.2.2.1 "Subnet Object") -- for example, with IPv4, the implied bit mask can't equal the address. That is, you can't have a subnet named "255.255.255.0/24" in a Windows subnet. This rule does not apply to IPv6. Windows and Samba both make some ensure that subnets have a unique valid name, though unfortunately Windows 2008R2 is rather slack when it comes to IPv6. We follow Windows 2012R2, which roughly follows RFC5952 -- with one caveat: Windows will allow an address like "::ffff:0:1:2", which translates to the IPv4 address "0.1.0.2" using the SIIT translation scheme, and which inet_ntop() would render as "::ffff:0:0.1.0.2". In the Samba implementation we use an inet_pton()/ inet_ntop() round-trip to establish canonicality, so these addresses fail. Windows wisely does not allow the SIIT style addresses (the acronym is widely agreed to be off-by-one in the second letter), and it will regard "::ffff:0:1:2" as simply "::ffff:0:1:2" and allow it. We would like to do that too. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-24samba-tool: add sites subnet subcommandsDouglas Bagnall1-0/+76
This allows you to add, remove, or shift subnets. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-24python.sites tests: remove excessive transaction managementDouglas Bagnall1-4/+0
These are atomic anyway. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-12-24selftest: Allow sites test to run against a remote ldap:// hostAndrew Bartlett1-4/+1
The previous code was just broken Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-12-24dsdb.tests.sites: don't use global database, tidy long linesDouglas Bagnall1-22/+23
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-24dsdb.tests.sites: merge interdependent testsDouglas Bagnall1-5/+2
The delete test deleted the site made by the create test, which worked because "delete" sorts after "create" alphabetically. By themselves, "delete" would fail and "create" would neglect its duty to clean up. This would be an issue if the order of tests changes, if one of the tests is not run, or if another test appears in between. Everything is fine if they give up the pretense of independence. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-16CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControlAndrew Bartlett1-9/+54
Swapping between account types is now restricted Bug: https://bugzilla.samba.org/show_bug.cgi?id=11552 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Dec 16 16:03:18 CET 2015 on sn-devel-104
2015-12-15password_lockout: test creds.get_kerberos_state()Douglas Bagnall1-0/+1
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Garming Sam <garming@samba.org> Autobuild-Date(master): Tue Dec 15 03:17:52 CET 2015 on sn-devel-104
2015-12-15auth: keep track of lastLogon and lastLogonTimestampDouglas Bagnall1-41/+295
lastLogon is supposed to be updated for every interactive or kerberos login, and (according to testing against Windows2012r2) when the bad password count is non-zero but the lockout time is zero. It is not replicated. lastLogonTimestamp is updated if the old value is more than 14 - random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The 14 in this calculation is the default, stored as "msDS-LogonTimeSyncInterval", which we offer no interface for changing. The authsam_zero_bad_pwd_count() function is a convenient place to update these values, as it is called upon a successful logon however that logon is performed. That makes the function's name inaccurate, so we rename it authsam_logon_success_accounting(). It also needs to be told whet5her the login is interactive. The password_lockout tests are extended to test lastLogon and lasLogonTimestamp. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Ralph Boehme <slow@samba.org>
2015-12-15password_lockout tests: add assertLoginFailure()Douglas Bagnall1-10/+12
In a few places where a login should fail in a particular way, an actual login success would not have triggered a test failure -- only the wrong kind of login failure was caught. This makes a helper function to deal with them all. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Ralph Boehme <slow@samba.org>
2015-11-06Fix various spelling errorsMathieu Parent1-1/+1
Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Nov 6 13:43:45 CET 2015 on sn-devel-104
2015-03-20dsdb-tests: Give more helpful information about attribute differencesAndrew Bartlett1-1/+3
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17dsdb: fix error message in tombstone_reanimation test.Michael Adam1-3/+3
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-17dsdb: fix error message in sam testMichael Adam1-1/+1
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-16dsdb: fix the user_account_control test.Michael Adam1-1/+1
On my system (Fedora 21) the test fails with: [1(0)/1 at 0s] samba4.user_account_control.python(dc) teardown_env(dc) Traceback (most recent call last): File "/home/obnox/devel/samba/master-push.git/source4/dsdb/tests/python/user_account_control.py", line 23, in <module> from subunit.run import SubunitTestRunner ImportError: No module named subunit.run This fixes it for me. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Mar 16 20:25:33 CET 2015 on sn-devel-104
2015-03-06tests/sam: Remove unnecessary calls for third party module imports.Jelmer Vernooij1-2/+0
Change-Id: Iaa1af59005eaee7ea79f3260b250a2c948e07532 Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-02-03s4-samdb/tests: Assert on expected set of attributes for new User objectKamen Mazdrashki1-0/+60
Change-Id: I225b64ff7492b41852fecb914f464a6c8d504a2c Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Feb 3 07:30:17 CET 2015 on sn-devel-104
2015-02-03s4-dsdb/tests: Assert on expected set of attributes for restored objectsKamen Mazdrashki1-5/+104
Change-Id: I788406d9c3839d108cea508cf2a59488d495f141 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-02-03s4-dsdb/tests: Do not pre-create LoadParm - connect_samdb_env() will handle itKamen Mazdrashki1-5/+1
Change-Id: I3483c5aa50de2f7aca19e4d7cc4fa49bbe5f889d Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-test: Use common base method for restoring Deleted objectsKamen Mazdrashki1-25/+14
Change-Id: I266b58ced814cf7ea3616862506df5b55f4f1d8c Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb/test: Delete any leftover objects in the beginning of Cross-NC testKamen Mazdrashki1-2/+4
This way we ensure that samdb is clean before we make the test Change-Id: I3c6fc94763807394e52b6df41548e9aba8b452c1 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-test/reanimate: Fix whitespaces according to PEP8Kamen Mazdrashki1-20/+19
Change-Id: I7b46992c80178d40a0531b5afd71a7783068a9dd Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-tests: Move base tests for Tombstone reanimation in ↵Kamen Mazdrashki2-174/+179
tombstone_reanimation module So we have them all in one place. While moving, I have: * inherited from the base class for Tombstone reanimations * replace self.ldb with self.samdb Change-Id: Id3e4f02cc2e0877d736da812c14c91e2311203d2 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-test: Fix duplicated key in a dictionary in sam.pyKamen Mazdrashki1-2/+2
Change-Id: Ie33d92bd308262d9bfda553d6d5e2cfd98f6d7b3 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-test: remove trailing ';' in ldap.pyKamen Mazdrashki1-32/+32
Change-Id: I5edc6e017b576791c1575f71a625c49ccc88fe8f Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-test: Fix Undelete tests after subunit upgrade workKamen Mazdrashki1-31/+31
Change-Id: I4712a2a2163a57fde037511afcc1cb7bee05f12e Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-test: Use case insensitive comparison for DNs in undelete testKamen Mazdrashki1-1/+1
Change-Id: I4a009bb7ed58ab857ac74a235bb5f580911f0d92 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-test: Initial implementation for Tombstone restore test suiteKamen Mazdrashki1-0/+285
Change-Id: Ib35ff930b6e7cee14317328b6fe25b59eec5262c Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb: Tests for security checks on undelete operationNadezhda Ivanova1-1/+131
Implemented according to MS-ADTS 3.1.1.5.3.7.1. Unfortunately it appears LC is also necessary, and it is not granted by default to anyone but System and Administrator, so tests had to be done negatively Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Change-Id: Ic03b8fc4e222e7842ec8a9645a1bb33e7df9c438
2015-02-03s4-dsdb-tests: Fix whitespace in deletetest.pyKamen Mazdrashki1-1/+1
Change-Id: Ic2924b0aa9cffd29fe0c857317ccb65ba53a1c21 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-tests: Make unique object names to test with in deletetestKamen Mazdrashki1-10/+18
This way we can re-run the test again and again Change-Id: I29bd878b77073d94a279c38bd0afc2f0befa6f9d Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-tests: Remove unused method get_ldap_connection()Kamen Mazdrashki1-13/+0
Change-Id: Ie50f77dbba724dbd3c2822de5c2cfff41016fac6 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-tests: Remove trailing ';' in deletetest.pyKamen Mazdrashki1-2/+2
Change-Id: Ic1ad6bbda55be56cbf7ae78a8ad988b8e479a40c Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03s4-dsdb-tests: Some tests for deleted objects undelete operationNadezhda Ivanova1-5/+198
Based on MS-ADTS 3.1.1.5.3.7.2 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Change-Id: I650b315601fce574f9302435f812d1dd4b177e68
2015-01-24s4:dsdb/tests: add test_timevalues1() to verify timestamp valuesStefan Metzmacher1-0/+40
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9810 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Sat Jan 24 20:17:20 CET 2015 on sn-devel-104
2015-01-22dsdb-tests: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT ↵Andrew Bartlett1-3/+63
if no account set Also confirm what bits have to be ignored, or otherwise processed Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Jan 22 10:16:42 CET 2015 on sn-devel-104
2015-01-22dsdb-tests: Show that we can not change the primaryGroupID of a DCAndrew Bartlett1-0/+110
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22dsdb: Improve userAccountControl handlingAndrew Bartlett1-8/+16
We now always check the ACL and invarient rules using the same function The change to libds is because UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type This list should only be of the account exclusive account type bits. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22dsdb-tests: Add new test samba4.user_account_control.pythonAndrew Bartlett1-0/+521
This confirms security behaviour of the userAccountControl attribute as well as the behaviour on ADD as well as MODIFY, for every userAccountControl bit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: I8cd0e0b3c8d40e8b8aea844189703c756cc372f0 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22dsdb-tests: Align sam.py with Windows 2012R2 and uncomment ↵Andrew Bartlett1-82/+68
userAccountControl tests These tests now pass against Samba and Windows 2012R2. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: I1d7ba5e6a720b8da88c667bbbf3a4302c54642f4 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-12-22dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptableGarming Sam1-9/+339
This includes additional tests based directly on the docs, rather than simply testing our internal implementation in client and server contexts, that create a user and groups. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming-Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104
2014-11-30Reduce number of places where sys.path is (possibly) updated for external ↵Jelmer Vernooij1-2/+1
module paths. Change-Id: I69d060f27ea090d14405e884d1ce271975358c56 Signed-Off-By: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org> Autobuild-Date(master): Sun Nov 30 20:54:04 CET 2014 on sn-devel-104
2014-11-24sam: Use samba.tests.subunitrun.Jelmer Vernooij1-8/+4
Change-Id: Ic2ac4b335cf805ddbd442a065c4eaf6ef2b210d9 Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-24Use samba.tests.subunitrun in dsdb ldap and ldap_schema tests.Jelmer Vernooij2-39/+50
Change-Id: I51ddc55720a23013a2c6ae20e3225f027348083c Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-24Use samba.tests.subunitrun in urgent replication test.Jelmer Vernooij1-13/+4
Change-Id: I3e7a32876d557ac376326ab75e851298e874d584 Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22ldap: Use samba.tests.subunitrun.Jelmer Vernooij1-19/+6
Change-Id: I872654afb31a5eda8c88aac716f9ce79816e5f05 Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22deletetest: use samba.tests.subunitrun.Jelmer Vernooij1-60/+52
Change-Id: I13565c7c14ea186709ce1de9038ef840c5b766b8 Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22ldap_syntaxes: Use samba.tests.subunitrun.Jelmer Vernooij1-24/+16
Change-Id: Ib62b747876b4408fdc8ff44e9b4c63578e1a6408 Signed-Off-By: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22password lockout: Use samba.tests.subunitrun.Jelmer Vernooij1-99/+90
Change-Id: I848099d22acd4a0ce7d589de48eb72e2d180ceae Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-14 01:57:33 +0000