Univention Bugzilla – Attachment 5151 Details for
Bug 29058
Samba4-Test: Password Wechsel
[patch]
Patch-Vorschlag
41password_change.patch (text/plain), 12.37 KB, created by
Arvid Requate
on 2013-03-25 17:03 CET
Description:
Patch-Vorschlag
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2013-03-25 17:03 CET
Size:
12.37 KB
>Index: ucs-test/tests/51_samba4/41password_change
>===================================================================
>--- ucs-test/tests/51_samba4/41password_change (Revision 38645)
>+++ ucs-test/tests/51_samba4/41password_change (Arbeitskopie)
>@@ -34,26 +34,33 @@
>
> echo "----initial connection"
> #wait for the user to be created
>+max_i=10
>+delta_t=1
> i=0
>-while ! ldbsearch -U "$username%$first_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:'
>+while ! ldbsearch -U "$username%$first_password" -H ldap://localhost "sAMAccountName=$username" userPrincipalName 2>&1 | grep -q '^userPrincipalName:'
> do
> let i="$i"+1
>- if [ "$i" = 10 ]; then
>- fail_fast 1 "Could not authenticate against samba."
>+ if [ "$i" = "$max_i" ]; then
>+ fail_fast 1 "User not replicated to samba directory within $max_i seconds."
> fi
>- sleep 1
>+ sleep "$delta_t"
> done
>+echo "User replicated from UDM to Samba after waiting about $(($i * $delta_t)) seconds."
>
>+max_i=10
>+delta_t=1
> i=0
>-while ! echo "$first_password" | kinit --password-file=STDIN "$username" > /dev/null
>+while ! command_output=$(echo "$first_password" | kinit --password-file=STDIN "$username" 2>&1)
> do
> let i="$i"+1
>- if [ "$i" = 10 ]; then
>- fail_test 1 "Could not authenticate against kinit."
>+ if [ "$i" = "$max_i" ]; then
>+ fail_test 1 "Could not authenticate against kinit. Last command output:"
>+ echo "$command_output"
> break
> fi
>- sleep 2
>+ sleep "$delta_t"
> done
>+echo "Authentication against kinit succeeded at attempt $((i+1))."
>
> USER_DN=$(/usr/sbin/univention-directory-manager users/user list --filter uid="$username" | sed -ne 's/^DN: //p')
>
>@@ -64,41 +71,54 @@
> samba-tool user setpassword "$username" --newpassword="$second_password"
>
> ## first check trivial case: Samba4 password must work
>+max_i=10
>+delta_t=1
> i=0
>-while ! ldbsearch -U "$username%$second_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:'
>+while ! ldbsearch -U "$username%$second_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:'
> do
> let i="$i"+1
>- if [ "$i" = 10 ]; then
>+ if [ "$i" = "$max_i" ]; then
> fail_test 1 "Could not authenticate against samba after password change with samba."
> break
> fi
>- sleep 1
>+ sleep "$delta_t"
> done
>+if [ "$i" -ne 0 ]; then
>+ echo -n "WARNING: "
>+fi
>+echo "Authentication against samba after password change with samba succeeded at attempt $((i+1))."
>
> ## second check complex case: UDM password must work after replication
>+max_i=15
>+delta_t=2
> i=0
> while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$second_password" 2>&1 )"
> do
> let i="$i"+1
>- if [ "$i" = 15 ]; then
>+ if [ "$i" = "$max_i" ]; then
> echo "$output"
>- fail_test 1 "Could not authenticate against UDM after password change with samba."
>+ fail_test 1 "Could not authenticate against LDAP after password change with samba after $i attempts."
> break
> fi
>- sleep 2
>+ sleep "$delta_t"
> done
>+echo "Authentication against LDAP after password change with samba succeeded at attempt $((i+1))."
>
> ## cross check
>+max_i=10
>+delta_t=1
> i=0
>-while ! echo "$second_password" | kinit --password-file=STDIN "$username" > /dev/null
>+while ! command_output=$(echo "$second_password" | kinit --password-file=STDIN "$username" 2>&1)
> do
> let i="$i"+1
>- if [ "$i" = 10 ]; then
>- fail_test 1 "Could not authenticate against kinit after password change with samba."
>+ if [ "$i" = "$max_i" ]; then
>+ fail_test 1 "Could not authenticate against kinit after password change with samba after $i attempts."
>+ echo "$command_output"
> break
> fi
>- sleep 1
>+ sleep "$delta_t"
> done
>+echo "Authentication against kinit after password change with samba succeeded at attempt $((i+1))."
>
> echo "----password change with udm"
> #----password change with udm
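Review bot: The new `echo "... succeeded at attempt $((i+1))."` lines after each `done` run unconditionally, so when a loop leaves through `break` after `fail_test` the log still reports success at attempt max_i+1. This applies to all three loops in this hunk, to the kinit loop in the first hunk and to the check loops in the third hunk. Guarding the message, e.g. `if [ "$i" -lt "$max_i" ]; then echo "Authentication against LDAP after password change with samba succeeded at attempt $((i+1))."; fi`, keeps the log consistent with the test result. Separately, the `ldbsearch -U "$username%$second_password"` and `univention-ldapsearch -w "$second_password"` calls place the password in the process argument list, unlike the kinit calls that read it from stdin; a comment stating that these are throwaway test credentials would help the next reader.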
>@@ -109,100 +129,120 @@
> fi
>
> ## first check trivial case: UDM password must work
>+max_i=10
>+delta_t=1
> i=0
> while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$third_password" 2>&1)"
> do
> let i="$i"+1
>- if [ "$i" = 10 ]; then
>+ if [ "$i" = "$max_i" ]; then
> echo "$output"
>- fail_test 1 "Could not authenticate against UDM after password change with UDM."
>+ fail_test 1 "Could not authenticate against LDAP after password change with UDM after $i attempts."
> break
> fi
>- sleep 1
>+ sleep "$delta_t"
> done
>+if [ "$i" -ne 0 ]; then
>+ echo -n "WARNING: "
>+fi
>+echo "Authentication against LDAP after password change with UDM succeeded at attempt $((i+1))."
>
> ## second check complex case: Samba4 password must work after replication
>+max_i=15
>+delta_t=2
> i=0
>-while ! ldbsearch -U "$username%$third_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:'
>+while ! ldbsearch -U "$username%$third_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:'
> do
> let i="$i"+1
>- if [ "$i" = 15 ]; then
>- fail_test 1 "Could not authenticate against samba after password change with UDM."
>+ if [ "$i" = "$max_i" ]; then
>+ fail_test 1 "Could not authenticate against samba after password change with UDM after $i attempts."
> break
> fi
>- sleep 2
>+ sleep "$delta_t"
> done
>+echo "Authentication against samba after password change with UDM succeeded at attempt $((i+1))."
>
> ## cross check
>+max_i=10
>+delta_t=1
> i=0
> while ! output="$(echo "$third_password" | kinit --password-file=STDIN "$username" 2>&1)"
> do
> let i="$i"+1
>- if [ "$i" = 10 ]; then
>+ if [ "$i" = "$max_i" ]; then
> echo "$output"
>- fail_test 1 "Could not authenticate against kinit after password change with UDM."
>+ fail_test 1 "Could not authenticate against kinit after password change with UDM after $i attempts."
> break
> fi
>- sleep 1
>+ sleep "$delta_t"
> done
>+echo "Authentication against kinit after password change with UDM succeeded at attempt $((i+1))."
>
> echo "----password change with kpasswd"
> #----password change with kpassword
>+max_i=20
>+delta_t=5
> i=0
> while true
> do
>- ## in case passwort is not the default one
>- if [ $(univention-config-registry get server/role) = "domaincontroller_master" -a -e /root/root.secret ];then
>- echo "Found /root/root.secret, using that secret for Administrator access"
>- ADMINISTRATOR_PASSWORD="$(cat /root/root.secret)"
>- fi
>-
>- retval="$(python kpasswd_change_pwd.py -u "$username" -r "$ADMINISTRATOR_PASSWORD" -n "$fourth_password" -p "$third_password" -a "$ADMINISTRATOR_USER")"
>+ retval="$(python kpasswd_change_pwd.py -u "$username" -n "$fourth_password" -p "$third_password")"
> echo "$retval" | grep "nSoft" || break
> let i="$i"+1
>- if [ "$i" = 20 ]; then
>+ if [ "$i" = "$max_i" ]; then
> echo "Password change with kpasswd: Soft error."
> break
> fi
>- sleep 5
>+ sleep "$delta_t"
> done
>
> ## first check trivial case: Samba4 password must work
>+max_i=10
>+delta_t=1
> i=0
>-while ! ldbsearch -U "$username%$fourth_password" -H ldap://localhost "samaccountname=$username" dn 2>&1 | grep -q '^dn:'
>+while ! ldbsearch -U "$username%$fourth_password" -H ldap://localhost "sAMAccountName=$username" dn 2>&1 | grep -q '^dn:'
> do
> let i=$i+1
>- if [ "$i" = 10 ]; then
>- fail_test 1 "Could not authenticate against samba after password change with kpasswd."
>+ if [ "$i" = "$max_i" ]; then
>+ fail_test 1 "Could not authenticate against samba after password change with kpasswd after $i attempts."
> break
> fi
>- sleep 1
>+ sleep "$delta_t"
> done
>+if [ "$i" -ne 0 ]; then
>+ echo -n "WARNING: "
>+fi
>+echo "Authentication against samba after password change with kpasswd succeeded at attempt $((i+1))."
>
> ## second check complex case: UDM password must work after replication
>+max_i=15
>+delta_t=2
> i=0
> while ! output="$(univention-ldapsearch -x -D "$USER_DN" -w "$fourth_password" 2>&1)"
> do
> let i="$i"+1
>- if [ "$i" = 15 ]; then
>+ if [ "$i" = "$max_i" ]; then
> echo "$output"
>- fail_test 1 "Could not authenticate against UDM after password change with kpasswd."
>+ fail_test 1 "Could not authenticate against UDM after password change with kpasswd after $i attempts."
> break
> fi
>- sleep 2
>+ sleep "$delta_t"
> done
>+echo "Authentication against LDAP after password change with kpasswd succeeded at attempt $((i+1))."
>
> ## cross check
>+max_i=10
>+delta_t=1
> i=0
> while ! output="$(echo "$fourth_password" | kinit --password-file=STDIN "$username" 2>&1)"
> do
> let i="$i"+1
>- if [ "$i" = 10 ]; then
>+ if [ "$i" = "$max_i" ]; then
> echo "$output"
>- fail_test 1 "Could not authenticate against kinit after password change with kpasswd."
>+ fail_test 1 "Could not authenticate against kinit after password change with kpasswd after $i attempts."
> break
> fi
>- sleep 1
>+ sleep "$delta_t"
> done
>+echo "Authentication against kinit after password change with kpasswd succeeded at attempt $((i+1))."
>
>-exit $RETVAL
>\ No newline at end of file
>+exit $RETVAL
>Index: ucs-test/tests/51_samba4/kpasswd_change_pwd.py
>===================================================================
>--- ucs-test/tests/51_samba4/kpasswd_change_pwd.py (Revision 38645)
>+++ ucs-test/tests/51_samba4/kpasswd_change_pwd.py (Arbeitskopie)
>@@ -1,63 +1,41 @@
> #!/usr/bin/python
> import pexpect
>-import tempfile
> import sys
>-import atexit
> import univention.config_registry
>-import random
>-import subprocess
> from optparse import OptionParser
>-ucr = univention.config_registry.ConfigRegistry()
>-ucr.load()
>
>-def create_ssh_session(username, password):
>- known_hosts_file = tempfile.NamedTemporaryFile()
>- shell = pexpect.spawn('ssh', ['-o', 'UserKnownHostsFile="%s"' % known_hosts_file.name, "%s@localhost" % adminname,], timeout=10) # logfile=sys.stdout
>- status = shell.expect([pexpect.TIMEOUT, '[Pp]assword: ', 'Are you sure you want to continue connecting',])
>- del known_hosts_file
>- if status == 2: # accept public key
>- shell.sendline('yes')
>- status = shell.expect([pexpect.TIMEOUT, '[Pp]assword: ',])
>- if status == 0: # timeout
>- raise Exception('ssh behaved unexpectedly! Output:\n\t%r' % (shell.before,))
>- assert (status == 1), "password prompt"
>- shell.sendline(password)
>- status = shell.expect([pexpect.TIMEOUT, '\$ ','Last login',])
>- if status == 0: # timeout
>- raise Exception('No shell prompt found! Output:\n\t%r' % (shell.before,))
>- assert (status == 1 or status ==2), "shell prompt"
>- return shell
>-
> if __name__ == "__main__":
> parser = OptionParser()
> parser.add_option("-u", "--username", dest="username")
> parser.add_option("-p", "--password", dest="password")
> parser.add_option("-n", "--newpassword", dest="newpassword")
>- parser.add_option("-r", "--adminpassword", dest="adminpassword")
>- parser.add_option("-a", "--adminname", dest="adminname")
> (optionen, args) = parser.parse_args()
> username=optionen.username
> password=optionen.password
> newpassword=optionen.newpassword
>- adminpassword=optionen.adminpassword
>- adminname=optionen.adminname
>- try:
>- shell = create_ssh_session(adminname, adminpassword)
>- except Exception, e:
>- print e # print error
>- sys.exit(120)
>
>- shell.sendline('kpasswd %s' % username)
>- status = shell.expect([pexpect.TIMEOUT, '[Pp]assword:',])
>+ ucr = univention.config_registry.ConfigRegistry()
>+ ucr.load()
>+
>+ kpasswd = pexpect.spawn('kpasswd', [username], timeout=20) # logfile=sys.stdout
>+ status = kpasswd.expect([pexpect.TIMEOUT, "%s@%s's Password: " % (username, ucr['kerberos/realm']),])
> if status == 0: # timeout
>+ print 'kpasswd behaved unexpectedly! Output:\n\t%r' % (kpasswd.before,)
> sys.exit(120)
>- shell.sendline(password)
>- status = shell.expect([pexpect.TIMEOUT, 'New password:',])
>- shell.sendline(newpassword)
>- status = shell.expect([pexpect.TIMEOUT, 'New password:',])
>- shell.sendline(newpassword)
>- status = shell.expect(['(?i)success', '(?i)error', pexpect.TIMEOUT,])
>- kpasswd_reported_success = status == 0
>- print 'changed password for %s to %s' % (username, newpassword)
>- print 'ENDEbefore:%s' % (shell.before,)
>- print 'ENDEafter:%s' % (shell.after,)
>+ assert (status == 1), "password prompt"
>+ kpasswd.sendline(password)
>+ status = kpasswd.expect([pexpect.TIMEOUT, 'New password for %s@%s:' % (username, ucr['kerberos/realm']), "kpasswd: krb5_get_init_creds: Preauthentication failed", ])
>+ if status == 0: # timeout
>+ print 'kpasswd behaved unexpectedly! Output:\n\t%r' % (kpasswd.before,)
>+ sys.exit(120)
>+ elif status == 2: # timeout
>+ print 'Preauthentication failed!'
>+ sys.exit(120)
>+ kpasswd.sendline(newpassword)
>+ status = kpasswd.expect([pexpect.TIMEOUT, 'Verify password - New password for %s@%s:' % (username, ucr['kerberos/realm']),])
>+ kpasswd.sendline(newpassword)
>+ status = kpasswd.expect(['Success : Password changed', pexpect.TIMEOUT,])
>+ if status != 0:
>+ sys.exit(1)
>+ else:
>+ print 'Password changed for %s to %s' % (username, newpassword)
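Review bot: The status returned by the `Verify password` expect is overwritten by the next call without being checked, and the final `status != 0` branch exits with no output, so a timeout or a kpasswd error after the old password was accepted leaves nothing in the test log. The shell caller in 41password_change reads only stdout (`echo "$retval" | grep "nSoft" || break`) and does not look at the exit status, so this silent exit presumably also ends its retry loop on the first pass; printing `kpasswd.before` on both failure paths keeps the diagnosis possible. The comment on `elif status == 2:` should read `# preauthentication failed` rather than `# timeout`. The success line also writes the new password into the test output, which the visible caller does not need; the version below drops it and makes the `else:` unnecessary.

```python
    # … unchanged: prompt handling up to the 'Verify password' expect …
    if status == 0: # timeout
        print 'kpasswd behaved unexpectedly! Output:\n\t%r' % (kpasswd.before,)
        sys.exit(120)
    # … unchanged: second sendline and the 'Success' expect …
    if status != 0:
        print 'kpasswd did not report success! Output:\n\t%r' % (kpasswd.before,)
        sys.exit(1)
    print 'Password changed for %s' % (username,)
```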