Index: ucs-test/tests/51_samba4/41password_change =================================================================== --- ucs-test/tests/51_samba4/41password_change (Revision 38645) +++ ucs-test/tests/51_samba4/41password_change (Arbeitskopie) @@ -34,26 +34,33 @@ echo "----initial connection" #wait for the user to be created +max_i=10 +delta_t=1 i=0 -while ! ldbsearch -U "$username%$first_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:' +while ! ldbsearch -U "$username%$first_password" -H ldap://localhost "sAMAccountName=$username" userPrincipalName 2>&1 | grep -q '^userPrincipalName:' do let i="$i"+1 - if [ "$i" = 10 ]; then - fail_fast 1 "Could not authenticate against samba." + if [ "$i" = "$max_i" ]; then + fail_fast 1 "User not replicated to samba directory within $max_i seconds." fi - sleep 1 + sleep "$delta_t" done +echo "User replicated from UDM to Samba after waiting about $(($i * $delta_t)) seconds." +max_i=10 +delta_t=1 i=0 -while ! echo "$first_password" | kinit --password-file=STDIN "$username" > /dev/null +while ! command_output=$(echo "$first_password" | kinit --password-file=STDIN "$username" 2>&1) do let i="$i"+1 - if [ "$i" = 10 ]; then - fail_test 1 "Could not authenticate against kinit." + if [ "$i" = "$max_i" ]; then + fail_test 1 "Could not authenticate against kinit. Last command output:" + echo "$command_output" break fi - sleep 2 + sleep "$delta_t" done +echo "Authentication against kinit succeeded at attempt $((i+1))." USER_DN=$(/usr/sbin/univention-directory-manager users/user list --filter uid="$username" | sed -ne 's/^DN: //p') 
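Review bot: The new `echo "Authentication against kinit succeeded at attempt $((i+1))."` after the kinit loop runs unconditionally, so when the loop leaves through `fail_test … break` the log still reports a success at attempt 11 right after the failure message. Wrap the line in `if [ "$i" -lt "$max_i" ]; then … fi` (or set a flag before `break`) so that a failed authentication check is never followed by a success line. The same pattern recurs after every `fail_test`/`break` loop in the two later hunks of this file, where the `WARNING: ` prefix is also printed on the failure path. In the first loop the text `within $max_i seconds` is only right while `delta_t=1`; `$((max_i * delta_t))` keeps it correct if the interval is changed.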
@@ -64,41 +71,54 @@ samba-tool user setpassword "$username" --newpassword="$second_password" ## first check trivial case: Samba4 password must work +max_i=10 +delta_t=1 i=0 -while ! ldbsearch -U "$username%$second_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:' +while ! ldbsearch -U "$username%$second_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:' do let i="$i"+1 - if [ "$i" = 10 ]; then + if [ "$i" = "$max_i" ]; then fail_test 1 "Could not authenticate against samba after password change with samba." break fi - sleep 1 + sleep "$delta_t" done +if [ "$i" -ne 0 ]; then + echo -n "WARNING: " +fi +echo "Authentication against samba after password change with samba succeeded at attempt $((i+1))." ## second check complex case: UDM password must work after replication +max_i=15 +delta_t=2 i=0 while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$second_password" 2>&1 )" do let i="$i"+1 - if [ "$i" = 15 ]; then + if [ "$i" = "$max_i" ]; then echo "$output" - fail_test 1 "Could not authenticate against UDM after password change with samba." + fail_test 1 "Could not authenticate against LDAP after password change with samba after $i attempts." break fi - sleep 2 + sleep "$delta_t" done +echo "Authentication against LDAP after password change with samba succeeded at attempt $((i+1))." ## cross check +max_i=10 +delta_t=1 i=0 -while ! echo "$second_password" | kinit --password-file=STDIN "$username" > /dev/null +while ! command_output=$(echo "$second_password" | kinit --password-file=STDIN "$username" 2>&1) do let i="$i"+1 - if [ "$i" = 10 ]; then - fail_test 1 "Could not authenticate against kinit after password change with samba." + if [ "$i" = "$max_i" ]; then + fail_test 1 "Could not authenticate against kinit after password change with samba after $i attempts." 
+ echo "$command_output" break fi - sleep 1 + sleep "$delta_t" done +echo "Authentication against kinit after password change with samba succeeded at attempt $((i+1))." echo "----password change with udm" #----password change with udm 
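Review bot: The `ldbsearch … 2>&1 | grep -q '^dn:'` loop at the top of this hunk still throws the command output away, so when it fails the log cannot tell a rejected password from an unreachable server or a not-yet-replicated account. The kinit and univention-ldapsearch loops in this change keep the last output and print it on failure; the ldbsearch loops here and in the other hunks could do the same. One way is `while out=$(ldbsearch … 2>&1); ! echo "$out" | grep -q '^dn:'` with `echo "$out"` before `fail_test`. For a password-change test the reason of the bind failure is the interesting part of the result.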
@@ -109,100 +129,120 @@ fi ## first check trivial case: UDM password must work +max_i=10 +delta_t=1 i=0 while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$third_password" 2>&1)" do let i="$i"+1 - if [ "$i" = 10 ]; then + if [ "$i" = "$max_i" ]; then echo "$output" - fail_test 1 "Could not authenticate against UDM after password change with UDM." + fail_test 1 "Could not authenticate against LDAP after password change with UDM after $i attempts." break fi - sleep 1 + sleep "$delta_t" done +if [ "$i" -ne 0 ]; then + echo -n "WARNING: " +fi +echo "Authentication against LDAP after password change with UDM succeeded at attempt $((i+1))." ## second check complex case: Samba4 password must work after replication +max_i=15 +delta_t=2 i=0 -while ! ldbsearch -U "$username%$third_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:' +while ! ldbsearch -U "$username%$third_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:' do let i="$i"+1 - if [ "$i" = 15 ]; then - fail_test 1 "Could not authenticate against samba after password change with UDM." + if [ "$i" = "$max_i" ]; then + fail_test 1 "Could not authenticate against samba after password change with UDM after $i attempts." break fi - sleep 2 + sleep "$delta_t" done +echo "Authentication against samba after password change with UDM succeeded at attempt $((i+1))." ## cross check +max_i=10 +delta_t=1 i=0 while ! output="$(echo "$third_password" | kinit --password-file=STDIN "$username" 2>&1)" do let i="$i"+1 - if [ "$i" = 10 ]; then + if [ "$i" = "$max_i" ]; then echo "$output" - fail_test 1 "Could not authenticate against kinit after password change with UDM." + fail_test 1 "Could not authenticate against kinit after password change with UDM after $i attempts." break fi - sleep 1 + sleep "$delta_t" done +echo "Authentication against kinit after password change with UDM succeeded at attempt $((i+1))." 
echo "----password change with kpasswd" #----password change with kpassword +max_i=20 +delta_t=5 i=0 while true do - ## in case passwort is not the default one - if [ $(univention-config-registry get server/role) = "domaincontroller_master" -a -e /root/root.secret ];then - echo "Found /root/root.secret, using that secret for Administrator access" - ADMINISTRATOR_PASSWORD="$(cat /root/root.secret)" - fi - - retval="$(python kpasswd_change_pwd.py -u "$username" -r "$ADMINISTRATOR_PASSWORD" -n "$fourth_password" -p "$third_password" -a "$ADMINISTRATOR_USER")" + retval="$(python kpasswd_change_pwd.py -u "$username" -n "$fourth_password" -p "$third_password")" echo "$retval" | grep "nSoft" || break let i="$i"+1 - if [ "$i" = 20 ]; then + if [ "$i" = "$max_i" ]; then echo "Password change with kpasswd: Soft error." break fi - sleep 5 + sleep "$delta_t" done ## first check trivial case: Samba4 password must work +max_i=10 +delta_t=1 i=0 -while ! ldbsearch -U "$username%$fourth_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:' +while ! ldbsearch -U "$username%$fourth_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:' do let i=$i+1 - if [ "$i" = 10 ]; then - fail_test 1 "Could not authenticate against samba after password change with kpasswd." + if [ "$i" = "$max_i" ]; then + fail_test 1 "Could not authenticate against samba after password change with kpasswd after $i attempts." break fi - sleep 1 + sleep "$delta_t" done +if [ "$i" -ne 0 ]; then + echo -n "WARNING: " +fi +echo "Authentication against samba after password change with kpasswd succeeded at attempt $((i+1))." ## second check complex case: UDM password must work after replication +max_i=15 +delta_t=2 i=0 while ! 
output="$(univention-ldapsearch -x -D "$USER_DN" -w "$fourth_password" 2>&1)" do let i="$i"+1 - if [ "$i" = 15 ]; then + if [ "$i" = "$max_i" ]; then echo "$output" - fail_test 1 "Could not authenticate against UDM after password change with kpasswd." + fail_test 1 "Could not authenticate against UDM after password change with kpasswd after $i attempts." break fi - sleep 2 + sleep "$delta_t" done +echo "Authentication against LDAP after password change with kpasswd succeeded at attempt $((i+1))." ## cross check +max_i=10 +delta_t=1 i=0 while ! output="$(echo "$fourth_password" | kinit --password-file=STDIN "$username" 2>&1)" do let i="$i"+1 - if [ "$i" = 10 ]; then + if [ "$i" = "$max_i" ]; then echo "$output" - fail_test 1 "Could not authenticate against kinit after password change with kpasswd." + fail_test 1 "Could not authenticate against kinit after password change with kpasswd after $i attempts." break fi - sleep 1 + sleep "$delta_t" done +echo "Authentication against kinit after password change with kpasswd succeeded at attempt $((i+1))." -exit $RETVAL \ No newline at end of file +exit $RETVAL Index: ucs-test/tests/51_samba4/kpasswd_change_pwd.py =================================================================== --- ucs-test/tests/51_samba4/kpasswd_change_pwd.py (Revision 38645) +++ ucs-test/tests/51_samba4/kpasswd_change_pwd.py (Arbeitskopie) 
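Review bot: The kpasswd retry loop decides between retry and continue only by `grep "nSoft"` on the helper's stdout and discards its exit status, while the rewritten kpasswd_change_pwd.py in this same change exits with 1 or 120 and prints nothing on its final failure branch. A failed change at that stage therefore leaves the loop through `|| break` exactly like a success and only shows up indirectly in the later authentication checks. Keep the status, e.g. `retval="$(python kpasswd_change_pwd.py …)"; rc=$?`, and call `fail_test` when `rc` is non-zero and no soft error was matched. One message in this hunk also still reads `against UDM after password change with kpasswd` while its success line and the sibling messages were renamed to LDAP.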
@@ -1,63 +1,41 @@ #!/usr/bin/python import pexpect -import tempfile import sys -import atexit import univention.config_registry -import random -import subprocess from optparse import OptionParser -ucr = univention.config_registry.ConfigRegistry() -ucr.load() -def create_ssh_session(username, password): - known_hosts_file = tempfile.NamedTemporaryFile() - shell = pexpect.spawn('ssh', ['-o', 'UserKnownHostsFile="%s"' % known_hosts_file.name, "%s@localhost" % adminname,], timeout=10) # logfile=sys.stdout - status = shell.expect([pexpect.TIMEOUT, '[Pp]assword: ', 'Are you sure you want to continue connecting',]) - del known_hosts_file - if status == 2: # accept public key - shell.sendline('yes') - status = shell.expect([pexpect.TIMEOUT, '[Pp]assword: ',]) - if status == 0: # timeout - raise Exception('ssh behaved unexpectedly! Output:\n\t%r' % (shell.before,)) - assert (status == 1), "password prompt" - shell.sendline(password) - status = shell.expect([pexpect.TIMEOUT, '\$ ','Last login',]) - if status == 0: # timeout - raise Exception('No shell prompt found! 
Output:\n\t%r' % (shell.before,)) - assert (status == 1 or status ==2), "shell prompt" - return shell - if __name__ == "__main__": parser = OptionParser() parser.add_option("-u", "--username", dest="username") parser.add_option("-p", "--password", dest="password") parser.add_option("-n", "--newpassword", dest="newpassword") - parser.add_option("-r", "--adminpassword", dest="adminpassword") - parser.add_option("-a", "--adminname", dest="adminname") (optionen, args) = parser.parse_args() username=optionen.username password=optionen.password newpassword=optionen.newpassword - adminpassword=optionen.adminpassword - adminname=optionen.adminname - try: - shell = create_ssh_session(adminname, adminpassword) - except Exception, e: - print e # print error - sys.exit(120) - shell.sendline('kpasswd %s' % username) - status = shell.expect([pexpect.TIMEOUT, '[Pp]assword:',]) + ucr = univention.config_registry.ConfigRegistry() + ucr.load() + + kpasswd = pexpect.spawn('kpasswd', [username], timeout=20) # logfile=sys.stdout + status = kpasswd.expect([pexpect.TIMEOUT, "%s@%s's Password: " % (username, ucr['kerberos/realm']),]) if status == 0: # timeout + print 'kpasswd behaved unexpectedly! 
Output:\n\t%r' % (kpasswd.before,) sys.exit(120) - shell.sendline(password) - status = shell.expect([pexpect.TIMEOUT, 'New password:',]) - shell.sendline(newpassword) - status = shell.expect([pexpect.TIMEOUT, 'New password:',]) - shell.sendline(newpassword) - status = shell.expect(['(?i)success', '(?i)error', pexpect.TIMEOUT,]) - kpasswd_reported_success = status == 0 - print 'changed password for %s to %s' % (username, newpassword) - print 'ENDEbefore:%s' % (shell.before,) - print 'ENDEafter:%s' % (shell.after,) + assert (status == 1), "password prompt" + kpasswd.sendline(password) + status = kpasswd.expect([pexpect.TIMEOUT, 'New password for %s@%s:' % (username, ucr['kerberos/realm']), "kpasswd: krb5_get_init_creds: Preauthentication failed", ]) + if status == 0: # timeout + print 'kpasswd behaved unexpectedly! Output:\n\t%r' % (kpasswd.before,) + sys.exit(120) + elif status == 2: # timeout + print 'Preauthentication failed!' + sys.exit(120) + kpasswd.sendline(newpassword) + status = kpasswd.expect([pexpect.TIMEOUT, 'Verify password - New password for %s@%s:' % (username, ucr['kerberos/realm']),]) + kpasswd.sendline(newpassword) + status = kpasswd.expect(['Success : Password changed', pexpect.TIMEOUT,]) + if status != 0: + sys.exit(1) + else: + print 'Password changed for %s to %s' % (username, newpassword)
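Review bot: The success line `print 'Password changed for %s to %s' % (username, newpassword)` writes the new password in clear text to stdout, and the caller in 41password_change echoes that output, so it ends up in the test log; `print 'Password changed for %s' % (username,)` tells the test the same thing. The result of the `Verify password - New password` expect is never checked, so on a timeout the script sends the password a second time into whatever state kpasswd is in; it should exit the way the two earlier branches do. The final failure branch exits with 1 without printing `kpasswd.before`, which removes the only diagnostic for a rejected password (policy, history, soft error). The comment `# timeout` on `elif status == 2` is wrong for the preauthentication branch. Because `expect()` treats its strings as regular expressions, the prompts built from `username` and `ucr['kerberos/realm']` are safer with `expect_exact()` or `re.escape()`.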