self.lockout2ntlm_ldb = self._readd_user(self.lockout2ntlm_creds,
lockOutObservationWindow=self.lockout_observation_window)
- def _test_userPassword_lockout_with_clear_change(self, creds, other_ldb, method):
- print "Performs a password cleartext change operation on 'userPassword'"
+ def _test_userPassword_lockout_with_clear_change(self, creds, other_ldb, method,
+ initial_lastlogon_relation=None):
# Notice: This works only against Windows if "dSHeuristics" has been set
# properly
username = creds.get_username()
userpass = creds.get_password()
userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
+ use_kerberos = creds.get_kerberos_state()
+ if use_kerberos == MUST_USE_KERBEROS:
+ lastlogon_relation = 'greater'
+ print "Performs a password cleartext change operation on 'userPassword' using Kerberos"
+ else:
+ lastlogon_relation = 'equal'
+ print "Performs a password cleartext change operation on 'userPassword' using NTLMSSP"
+
+ if initial_lastlogon_relation is not None:
+ lastlogon_relation = initial_lastlogon_relation
+
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=("greater", 0),
- lastLogon=('greater', 0),
+ lastLogon=(lastlogon_relation, 0),
lastLogonTimestamp=('greater', 0),
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPasswordTime = int(res[0]["badPasswordTime"][0])
lastLogon = int(res[0]["lastLogon"][0])
lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
+ if lastlogon_relation == 'greater':
+ self.assertGreater(lastLogon, badPasswordTime)
+ self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
# Change password on a connection as another user
def test_userPassword_lockout_with_clear_change_ntlm_ldap_userAccountControl(self):
self._test_userPassword_lockout_with_clear_change(self.lockout1ntlm_creds,
self.lockout2ntlm_ldb,
- "ldap_userAccountControl")
+ "ldap_userAccountControl",
+ initial_lastlogon_relation='greater')
def test_userPassword_lockout_with_clear_change_ntlm_ldap_lockoutTime(self):
self._test_userPassword_lockout_with_clear_change(self.lockout1ntlm_creds,
self.lockout2ntlm_ldb,
- "ldap_lockoutTime")
+ "ldap_lockoutTime",
+ initial_lastlogon_relation='greater')
def test_userPassword_lockout_with_clear_change_ntlm_samr(self):
self._test_userPassword_lockout_with_clear_change(self.lockout1ntlm_creds,
self.lockout2ntlm_ldb,
- "samr")
+ "samr",
+ initial_lastlogon_relation='greater')
def _test_unicodePwd_lockout_with_clear_change(self, creds, other_ldb):
print "Performs a password cleartext change operation on 'unicodePwd'"
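Review bot: The three NTLM callers in this hunk all pass `initial_lastlogon_relation='greater'`, which overrides the `'equal'` default the helper picks for non-Kerberos credentials, and nothing says why `lastLogon` is expected to be non-zero for `lockout1ntlm_creds`. A short comment at the first call would stop a later maintainer from removing the override, for example `# lastLogon is already non-zero for this account at this point (confirm against setUp)`. The relation string is also passed through unchecked, so a typo would only surface inside `_check_account`; an early `self.assertIn(initial_lastlogon_relation, (None, 'equal', 'greater'))` in the helper, using the values visible on this page, would make that failure obvious. The helper's body lies outside this hunk.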
msDSUserAccountControlComputed=0)
badPasswordTime = int(res[0]["badPasswordTime"][0])
lastLogon = int(res[0]["lastLogon"][0])
+ lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
+ self.assertGreater(lastLogonTimestamp, badPasswordTime)
+ self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
# Change password on a connection as another user
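Review bot: The two assertions added to `_test_unicodePwd_lockout_with_clear_change` are unconditional, while the userPassword helper earlier in this commit compares `lastLogon` only when its relation is `'greater'` and otherwise expects `lastLogon` to equal 0 for NTLMSSP credentials. If this helper ever runs against an account whose `lastLogon` is still 0, `self.assertGreaterEqual(lastLogon, lastLogonTimestamp)` fails for a reason unrelated to lockout handling. Either guard it the same way, `if lastLogon != 0: self.assertGreaterEqual(lastLogon, lastLogonTimestamp)`, or add a comment stating that `lastLogon` is already set for every caller of this helper. The `_check_account` call that produces `res` starts above this hunk, so the `lastLogon` relation expected there is not visible.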
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
badPwdCount=1,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
badPwdCount=2,
badPasswordTime=("greater", badPasswordTime),
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
badPwdCount=2,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
badPwdCount=3,
badPasswordTime=("greater", badPasswordTime),
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=("greater", badPasswordTime),
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=3,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=3,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=3,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=0,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=0,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=1,
badPasswordTime=("greater", badPasswordTime),
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=2,
badPasswordTime=("greater", badPasswordTime),
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=2,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=0,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=3,
badPasswordTime=("greater", badPasswordTime),
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=("greater", badPasswordTime),
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPwdCount=3, effective_bad_password_count=0,
badPasswordTime=badPasswordTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
lockoutTime=lockoutTime,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
badPasswordTime=badPasswordTime,
lockoutTime=lockoutTime,
lastLogon=lastLogon,
- lastLogonTimestamp=lastLogon,
+ lastLogonTimestamp=lastLogonTimestamp,
userAccountControl=
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
self.assertGreater(lastLogon, badPasswordTime)
+ self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
# Open a second LDB connection with the user credentials. Use the
# command line credentials for informations like the domain, the realm
lastLogon = int(res[0]["lastLogon"][0])
self.assertGreater(lastLogon, badPasswordTime)
+ self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
# The wrong password
creds_lockout.set_password("thatsAcomplPASS1x")
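Review bot: `lastLogon` is re-read from `res` just above the added `self.assertGreaterEqual(lastLogon, lastLogonTimestamp)`, but `lastLogonTimestamp` is not refreshed in the visible lines, so the check compares a fresh value with one captured earlier in the test. The assertion still holds if the attribute is unchanged, but it would not catch a server that moved `lastLogonTimestamp` past `lastLogon` on this logon. Re-reading it next to `lastLogon`, with `lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])`, makes the assertion test the current state. The assertion added before `time.sleep(1)` further down may need the same treatment. This assumes `res` carries that attribute here, as it does in the earlier hunks.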
dsdb.UF_NORMAL_ACCOUNT,
msDSUserAccountControlComputed=0)
- lastLogon = int(res[0]["lastLogon"][0])
-
# The correct password after letting the timeout expire
creds_lockout.set_password(userpass)
firstLogon = lastLogon
print "last logon is %d" % lastLogon
self.assertGreater(lastLogon, badPasswordTime)
+ self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
time.sleep(1)
SamDB(url=host_url, credentials=insta_creds(creds), lp=lp)