Attachment #5151 for bug #29058

View | Details | Raw Unified | Return to bug 29058
Collapse All | Expand All

(-)ucs-test/tests/51_samba4/41password_change (-48 / +88 lines)

Lines 34-59	Link Here

echo "----initial connection"

echo "----initial connection"

#wait for the user to be created

#wait for the user to be created

max_i=10

delta_t=1

i=0

i=0

while ! ldbsearch -U "$username%$first_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:'

while ! ldbsearch -U "$username%$first_password" -H ldap://localhost "sAMAccountName=$username" userPrincipalName 2>&1 | grep -q '^userPrincipalName:'

do

do

	let i="$i"+1

	let i="$i"+1

	if [ "$i" = 10 ]; then

	if [ "$i" = "$max_i" ]; then

		fail_fast 1 "Could not authenticate against samba."

		fail_fast 1 "User not replicated to samba directory within $max_i seconds."

fi

fi

	sleep 1

	sleep "$delta_t"

done

done

echo "User replicated from UDM to Samba after waiting about $(($i * $delta_t)) seconds."

max_i=10

delta_t=1

i=0

i=0

while ! echo "$first_password" | kinit --password-file=STDIN "$username" > /dev/null

while ! command_output=$(echo "$first_password" | kinit --password-file=STDIN "$username" 2>&1)

do

do

	let i="$i"+1

	let i="$i"+1

	if [ "$i" = 10 ]; then

	if [ "$i" = "$max_i" ]; then

		fail_test 1 "Could not authenticate against kinit."

		fail_test 1 "Could not authenticate against kinit. Last command output:"

		echo "$command_output"

		break

		break

fi

fi

	sleep 2

	sleep "$delta_t"

done

done

echo "Authentication against kinit succeeded at attempt $((i+1))."

USER_DN=$(/usr/sbin/univention-directory-manager users/user list --filter uid="$username" | sed -ne 's/^DN: //p')

USER_DN=$(/usr/sbin/univention-directory-manager users/user list --filter uid="$username" | sed -ne 's/^DN: //p')

Lines 64-104	Link Here

samba-tool user setpassword "$username" --newpassword="$second_password"

samba-tool user setpassword "$username" --newpassword="$second_password"

## first check trivial case: Samba4 password must work

## first check trivial case: Samba4 password must work

max_i=10

delta_t=1

i=0

i=0

while ! ldbsearch -U "$username%$second_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:'

while ! ldbsearch -U "$username%$second_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:'

do

do

	let i="$i"+1

	let i="$i"+1

	if [ "$i" = 10 ]; then

	if [ "$i" = "$max_i" ]; then

		fail_test 1 "Could not authenticate against samba after password change with samba."

		fail_test 1 "Could not authenticate against samba after password change with samba."

		break

		break

fi

fi

	sleep 1

	sleep "$delta_t"

done

done

if [ "$i" -ne 0 ]; then

	echo -n "WARNING: "

fi

echo "Authentication against samba after password change with samba succeeded at attempt $((i+1))."

## second check complex case: UDM password must work after replication

## second check complex case: UDM password must work after replication

max_i=15

delta_t=2

i=0

i=0

while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$second_password" 2>&1 )"

while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$second_password" 2>&1 )"

do

do

	let i="$i"+1

	let i="$i"+1

	if [ "$i" = 15 ]; then

	if [ "$i" = "$max_i" ]; then

		echo "$output"

		echo "$output"

		fail_test 1 "Could not authenticate against UDM after password change with samba."

100

		fail_test 1 "Could not authenticate against LDAP after password change with samba after $i attempts."

		break

101

		break

fi

102

fi

	sleep 2

103

	sleep "$delta_t"

done

104

done

105

echo "Authentication against LDAP after password change with samba succeeded at attempt $((i+1))."

106

## cross check

107

## cross check

108

max_i=10

109

delta_t=1

i=0

110

i=0

while ! echo "$second_password" | kinit --password-file=STDIN "$username" > /dev/null

111

while ! command_output=$(echo "$second_password" | kinit --password-file=STDIN "$username" 2>&1)

do

112

do

	let i="$i"+1

113

	let i="$i"+1

	if [ "$i" = 10 ]; then

114

	if [ "$i" = "$max_i" ]; then

		fail_test 1 "Could not authenticate against kinit after password change with samba."

115

		fail_test 1 "Could not authenticate against kinit after password change with samba after $i attempts."

116

		echo "$command_output"

		break

117

		break

fi

118

fi

100

	sleep 1

119

	sleep "$delta_t"

101

done

120

done

121

echo "Authentication against kinit after password change with samba succeeded at attempt $((i+1))."

102

122

103

echo "----password change with udm"

123

echo "----password change with udm"

104

#----password change with udm

124

#----password change with udm

Lines 109-208	Link Here

109

fi

129

fi

110

130

111

## first check trivial case: UDM password must work

131

## first check trivial case: UDM password must work

132

max_i=10

133

delta_t=1

112

i=0

134

i=0

113

while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$third_password" 2>&1)"

135

while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$third_password" 2>&1)"

114

do

136

do

115

	let i="$i"+1

137

	let i="$i"+1

116

	if [ "$i" = 10 ]; then

138

	if [ "$i" = "$max_i" ]; then

117

		echo "$output"

139

		echo "$output"

118

		fail_test 1 "Could not authenticate against UDM after password change with UDM."

140

		fail_test 1 "Could not authenticate against LDAP after password change with UDM after $i attempts."

119

		break

141

		break

120

fi

142

fi

121

	sleep 1

143

	sleep "$delta_t"

122

done

144

done

145

if [ "$i" -ne 0 ]; then

146

	echo -n "WARNING: "

147

fi

148

echo "Authentication against LDAP after password change with UDM succeeded at attempt $((i+1))."

123

149

124

## second check complex case: Samba4 password must work after replication

150

## second check complex case: Samba4 password must work after replication

151

max_i=15

152

delta_t=2

125

i=0

153

i=0

126

while ! ldbsearch -U "$username%$third_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:'

154

while ! ldbsearch -U "$username%$third_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:'

127

do

155

do

128

	let i="$i"+1

156

	let i="$i"+1

129

	if [ "$i" = 15 ]; then

157

	if [ "$i" = "$max_i" ]; then

130

		fail_test 1 "Could not authenticate against samba after password change with UDM."

158

		fail_test 1 "Could not authenticate against samba after password change with UDM after $i attempts."

131

		break

159

		break

132

fi

160

fi

133

	sleep 2

161

	sleep "$delta_t"

134

done

162

done

163

echo "Authentication against samba after password change with UDM succeeded at attempt $((i+1))."

135

164

136

## cross check

165

## cross check

166

max_i=10

167

delta_t=1

137

i=0

168

i=0

138

while ! output="$(echo "$third_password" | kinit --password-file=STDIN "$username" 2>&1)"

169

while ! output="$(echo "$third_password" | kinit --password-file=STDIN "$username" 2>&1)"

139

do

170

do

140

	let i="$i"+1

171

	let i="$i"+1

141

	if [ "$i" = 10 ]; then

172

	if [ "$i" = "$max_i" ]; then

142

		echo "$output"

173

		echo "$output"

143

		fail_test 1 "Could not authenticate against kinit after password change with UDM."

174

		fail_test 1 "Could not authenticate against kinit after password change with UDM after $i attempts."

144

		break

175

		break

145

fi

176

fi

146

	sleep 1

177

	sleep "$delta_t"

147

done

178

done

179

echo "Authentication against kinit after password change with UDM succeeded at attempt $((i+1))."

148

180

149

echo "----password change with kpasswd"

181

echo "----password change with kpasswd"

150

#----password change with kpassword

182

#----password change with kpassword

183

max_i=20

184

delta_t=5

151

i=0

185

i=0

152

while true

186

while true

153

do

187

do

154

	## in case passwort is not the default one

188

	retval="$(python kpasswd_change_pwd.py -u "$username" -n "$fourth_password" -p "$third_password")"

155

	if [ $(univention-config-registry get server/role) = "domaincontroller_master" -a -e /root/root.secret ];then

156

		echo "Found /root/root.secret, using that secret for Administrator access"

157

		ADMINISTRATOR_PASSWORD="$(cat /root/root.secret)"

158

fi

159

160

	retval="$(python kpasswd_change_pwd.py -u "$username" -r "$ADMINISTRATOR_PASSWORD" -n "$fourth_password" -p "$third_password" -a "$ADMINISTRATOR_USER")"

161

	echo "$retval" | grep "nSoft" || break

189

	echo "$retval" | grep "nSoft" || break

162

	let i="$i"+1

190

	let i="$i"+1

163

	if [ "$i" = 20  ]; then

191

	if [ "$i" = "$max_i" ]; then

164

		echo "Password change with kpasswd: Soft error."

192

		echo "Password change with kpasswd: Soft error."

165

		break

193

		break

166

fi

194

fi

167

	sleep 5

195

	sleep "$delta_t"

168

done

196

done

169

197

170

## first check trivial case: Samba4 password must work

198

## first check trivial case: Samba4 password must work

199

max_i=10

200

delta_t=1

171

i=0

201

i=0

172

while ! ldbsearch -U "$username%$fourth_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:'

202

while ! ldbsearch -U "$username%$fourth_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:'

173

do

203

do

174

	let i=$i+1

204

	let i=$i+1

175

	if [ "$i" = 10 ]; then

205

	if [ "$i" = "$max_i" ]; then

176

		fail_test 1 "Could not authenticate against samba after password change with kpasswd."

206

		fail_test 1 "Could not authenticate against samba after password change with kpasswd after $i attempts."

177

		break

207

		break

178

fi

208

fi

179

	sleep 1

209

	sleep "$delta_t"

180

done

210

done

211

if [ "$i" -ne 0 ]; then

212

	echo -n "WARNING: "

213

fi

214

echo "Authentication against samba after password change with kpasswd succeeded at attempt $((i+1))."

181

215

182

## second check complex case: UDM password must work after replication

216

## second check complex case: UDM password must work after replication

217

max_i=15

218

delta_t=2

183

i=0

219

i=0

184

while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$fourth_password" 2>&1)"

220

while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$fourth_password" 2>&1)"

185

do

221

do

186

	let i="$i"+1

222

	let i="$i"+1

187

	if [ "$i" = 15 ]; then

223

	if [ "$i" = "$max_i" ]; then

188

		echo "$output"

224

		echo "$output"

189

		fail_test 1 "Could not authenticate against UDM after password change with kpasswd."

225

		fail_test 1 "Could not authenticate against UDM after password change with kpasswd after $i attempts."

190

		break

226

		break

191

fi

227

fi

192

	sleep 2

228

	sleep "$delta_t"

193

done

229

done

230

echo "Authentication against LDAP after password change with kpasswd succeeded at attempt $((i+1))."

194

231

195

## cross check

232

## cross check

233

max_i=10

234

delta_t=1

196

i=0

235

i=0

197

while ! output="$(echo "$fourth_password" | kinit --password-file=STDIN "$username" 2>&1)"

236

while ! output="$(echo "$fourth_password" | kinit --password-file=STDIN "$username" 2>&1)"

198

do

237

do

199

	let i="$i"+1

238

	let i="$i"+1

200

	if [ "$i" = 10 ]; then

239

	if [ "$i" = "$max_i" ]; then

201

		echo "$output"

240

		echo "$output"

202

		fail_test 1 "Could not authenticate against kinit after password change with kpasswd."

241

		fail_test 1 "Could not authenticate against kinit after password change with kpasswd after $i attempts."

203

		break

242

		break

204

fi

243

fi

205

	sleep 1

244

	sleep "$delta_t"

206

done

245

done

246

echo "Authentication against kinit after password change with kpasswd succeeded at attempt $((i+1))."

207

247

208

exit $RETVAL

248

exit $RETVAL




#!/usr/bin/python 
import pexpect
import tempfile
import sys
import atexit
import univention.config_registry
import random
import subprocess
from optparse import OptionParser
ucr = univention.config_registry.ConfigRegistry()
ucr.load()

def create_ssh_session(username, password):
	known_hosts_file = tempfile.NamedTemporaryFile()
	shell = pexpect.spawn('ssh', ['-o', 'UserKnownHostsFile="%s"' % known_hosts_file.name, "%s@localhost" % adminname,], timeout=10) # logfile=sys.stdout
	status = shell.expect([pexpect.TIMEOUT, '[Pp]assword: ', 'Are you sure you want to continue connecting',])
        del known_hosts_file
	if status == 2: # accept public key
		shell.sendline('yes')
		status = shell.expect([pexpect.TIMEOUT, '[Pp]assword: ',])
	if status == 0: # timeout
		raise Exception('ssh behaved unexpectedly! Output:\n\t%r' % (shell.before,))
	assert (status == 1), "password prompt"
	shell.sendline(password)
	status = shell.expect([pexpect.TIMEOUT, '\$ ','Last login',])
	if status == 0: # timeout
		raise Exception('No shell prompt found! Output:\n\t%r' % (shell.before,))
	assert (status == 1 or status ==2), "shell prompt"
	return shell

if __name__ == "__main__":
	parser = OptionParser()
	parser.add_option("-u", "--username", dest="username")
	parser.add_option("-p", "--password", dest="password")
	parser.add_option("-n", "--newpassword", dest="newpassword")
 	parser.add_option("-r", "--adminpassword", dest="adminpassword")
	parser.add_option("-a", "--adminname", dest="adminname")
	(optionen, args) = parser.parse_args()
	username=optionen.username
	password=optionen.password
	newpassword=optionen.newpassword
	adminpassword=optionen.adminpassword
	adminname=optionen.adminname
	try:
		shell = create_ssh_session(adminname, adminpassword)
	except Exception, e:
		print e # print error
		sys.exit(120)

	ucr = univention.config_registry.ConfigRegistry()
	ucr.load()

	kpasswd = pexpect.spawn('kpasswd', [username], timeout=20) # logfile=sys.stdout
	status = kpasswd.expect([pexpect.TIMEOUT, "%s@%s's Password: " % (username, ucr['kerberos/realm']),])
	if status == 0: # timeout
		print 'kpasswd behaved unexpectedly! Output:\n\t%r' % (kpasswd.before,)
		sys.exit(120)
	assert (status == 1), "password prompt"
	kpasswd.sendline(password)
	status = kpasswd.expect([pexpect.TIMEOUT, 'New password for %s@%s:' % (username, ucr['kerberos/realm']), "kpasswd: krb5_get_init_creds: Preauthentication failed", ])
	if status == 0: # timeout
		print 'kpasswd behaved unexpectedly! Output:\n\t%r' % (kpasswd.before,)
		sys.exit(120)
	elif status == 2: # timeout
		print 'Preauthentication failed!'
		sys.exit(120)
	kpasswd.sendline(newpassword)
	status = kpasswd.expect([pexpect.TIMEOUT, 'Verify password - New password for %s@%s:' % (username, ucr['kerberos/realm']),])
	kpasswd.sendline(newpassword)
	status = kpasswd.expect(['Success : Password changed', pexpect.TIMEOUT,])
	if status != 0:
		sys.exit(1)
	else:
		print 'Password changed for %s to %s' % (username, newpassword)

Return to bug 29058