svn commit: samba r12505 - in
branches/SAMBA_4_0/source/torture/rpc: .
abartlet at samba.org
abartlet at samba.org
Tue Dec 27 07:48:11 GMT 2005
Author: abartlet
Date: 2005-12-27 07:48:11 +0000 (Tue, 27 Dec 2005)
New Revision: 12505
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12505
Log:
Cope better with NT_STATUS_PASSWORD_RESTRICTION (due to minimum
password age), and test for the incorrect password error case.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/torture/rpc/samr.c
Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/samr.c
===================================================================
--- branches/SAMBA_4_0/source/torture/rpc/samr.c 2005-12-26 23:47:19 UTC (rev 12504)
+++ branches/SAMBA_4_0/source/torture/rpc/samr.c 2005-12-27 07:48:11 UTC (rev 12505)
@@ -944,7 +944,9 @@
r.in.lm_cross = &hash6;
status = dcerpc_samr_ChangePasswordUser(p, mem_ctx, &r);
- if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
+ printf("ChangePasswordUser returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
+ } else if (!NT_STATUS_IS_OK(status)) {
printf("ChangePasswordUser failed - %s\n", nt_errstr(status));
ret = False;
} else {
@@ -967,7 +969,7 @@
BOOL ret = True;
struct samr_Password lm_verifier;
struct samr_CryptPassword lm_pass;
- struct lsa_AsciiString server, account;
+ struct lsa_AsciiString server, account, account_bad;
char *oldpass = *password;
char *newpass;
uint8_t old_lm_hash[16], new_lm_hash[16];
@@ -1003,8 +1005,46 @@
r.in.password = &lm_pass;
r.in.hash = &lm_verifier;
+ /* Break the verification */
+ lm_verifier.hash[0]++;
+
status = dcerpc_samr_OemChangePasswordUser2(p, mem_ctx, &r);
- if (!NT_STATUS_IS_OK(status)) {
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)
+ && !NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+ printf("ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
+ nt_errstr(status));
+ ret = False;
+ }
+
+ /* This shouldn't be a valid name */
+ account_bad.string = TEST_ACCOUNT_NAME "XX";
+ r.in.account = &account_bad;
+
+ status = dcerpc_samr_OemChangePasswordUser2(p, mem_ctx, &r);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+ printf("ChangePasswordUser3 failed, should have returned WRONG_PASSWORD for invalid user - %s\n",
+ nt_errstr(status));
+ ret = False;
+ }
+
+ E_deshash(oldpass, old_lm_hash);
+ E_deshash(newpass, new_lm_hash);
+
+ encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
+ arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+ E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
+
+ r.in.server = &server;
+ r.in.account = &account;
+ r.in.password = &lm_pass;
+ r.in.hash = &lm_verifier;
+
+ status = dcerpc_samr_OemChangePasswordUser2(p, mem_ctx, &r);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
+ printf("OemChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
+ } else if (!NT_STATUS_IS_OK(status)) {
printf("OemChangePasswordUser2 failed - %s\n", nt_errstr(status));
ret = False;
} else {
@@ -1071,7 +1111,9 @@
r.in.lm_verifier = &lm_verifier;
status = dcerpc_samr_ChangePasswordUser2(p, mem_ctx, &r);
- if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
+ printf("ChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
+ } else if (!NT_STATUS_IS_OK(status)) {
printf("ChangePasswordUser2 failed - %s\n", nt_errstr(status));
ret = False;
} else {
@@ -1090,7 +1132,7 @@
NTSTATUS status;
struct samr_ChangePasswordUser3 r;
BOOL ret = True;
- struct lsa_String server, account;
+ struct lsa_String server, account, account_bad;
struct samr_CryptPassword nt_pass, lm_pass;
struct samr_Password nt_verifier, lm_verifier;
char *oldpass = *password;
@@ -1116,6 +1158,9 @@
encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
arcfour_crypt(nt_pass.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
+
+ /* Break the verification */
+ nt_verifier.hash[0]++;
r.in.server = &server;
r.in.account = &account;
@@ -1127,6 +1172,48 @@
r.in.password3 = NULL;
status = dcerpc_samr_ChangePasswordUser3(p, mem_ctx, &r);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) &&
+ (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD))) {
+ printf("ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
+ nt_errstr(status));
+ ret = False;
+ }
+
+ /* This shouldn't be a valid name */
+ init_lsa_String(&account_bad, talloc_asprintf(mem_ctx, "%sXX", account_string));
+
+ r.in.account = &account_bad;
+ status = dcerpc_samr_ChangePasswordUser3(p, mem_ctx, &r);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+ printf("ChangePasswordUser3 failed, should have returned WRONG_PASSWORD for invalid username - %s\n",
+ nt_errstr(status));
+ ret = False;
+ }
+
+ E_md4hash(oldpass, old_nt_hash);
+ E_md4hash(newpass, new_nt_hash);
+
+ E_deshash(oldpass, old_lm_hash);
+ E_deshash(newpass, new_lm_hash);
+
+ encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
+ arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+ E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
+
+ encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
+ arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
+
+ r.in.server = &server;
+ r.in.account = &account;
+ r.in.nt_password = &nt_pass;
+ r.in.nt_verifier = &nt_verifier;
+ r.in.lm_change = 1;
+ r.in.lm_password = &lm_pass;
+ r.in.lm_verifier = &lm_verifier;
+ r.in.password3 = NULL;
+
+ status = dcerpc_samr_ChangePasswordUser3(p, mem_ctx, &r);
if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)
&& !policy_min_pw_len) {
if (r.out.dominfo) {
@@ -1139,8 +1226,7 @@
ret = False;
}
} else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
- printf("ChangePasswordUser3 failed: %s unacceptable as new password - %s\n", newpass, nt_errstr(status));
- ret = False;
+ printf("ChangePasswordUser3 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
} else if (!NT_STATUS_IS_OK(status)) {
printf("ChangePasswordUser3 failed - %s\n", nt_errstr(status));
ret = False;
More information about the samba-cvs
mailing list