samba/CVE-2018-16857-6.patch

From ec9cc4ed5a05490297cde3fcaac50eeeaaca8469 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale@catalyst.net.nz>
Date: Tue, 13 Nov 2018 11:49:56 +1300
Subject: [PATCH 14/17] CVE-2018-16857 tests: Sanity-check password lockout
 works with default values

Sanity-check that when we use the default lockOutObservationWindow that
user lockout actually works.

The easiest way to do this is to reuse the _test_login_lockout()
test-case, but stop at the point where we wait for the lockout duration
to expire (because we don't want the test to wait 30 mins).

This highlights a problem currently where the default values don't work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 selftest/knownfail.d/password_lockout         |  4 +++
 source4/dsdb/tests/python/password_lockout.py | 30 +++++++++++++++++++
 .../tests/python/password_lockout_base.py     |  6 +++-
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/password_lockout

diff --git a/selftest/knownfail.d/password_lockout b/selftest/knownfail.d/password_lockout
new file mode 100644
index 00000000000..305bcbdef25
--- /dev/null
+++ b/selftest/knownfail.d/password_lockout
@@ -0,0 +1,4 @@
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_krb5\(ad_dc_ntvfs\)
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\)
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_ntlm\(ad_dc_ntvfs\)
+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_krb5\(ad_dc_ntvfs\)
diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py
index 0022dee21ba..b09a732e179 100755
--- a/source4/dsdb/tests/python/password_lockout.py
+++ b/source4/dsdb/tests/python/password_lockout.py
@@ -1415,6 +1415,36 @@ userPassword: """ + userpass + """
         self._testing_add_user(lockout4ntlm_creds,
                                lockOutObservationWindow=self.lockout_observation_window)
 
+class PasswordTestsWithDefaults(PasswordTests):
+    def setUp(self):
+        # The tests in this class do not sleep, so we can use the default
+        # timeout windows here
+        self.account_lockout_duration = 30 * 60
+        self.lockout_observation_window = 30 * 60
+        super(PasswordTestsWithDefaults, self).setUp()
+
+    # sanity-check that user lockout works with the default settings (we just
+    # check the user is locked out - we don't wait for the lockout to expire)
+    def test_login_lockout_krb5(self):
+        self._test_login_lockout(self.lockout1krb5_creds,
+                                 wait_lockout_duration=False)
+
+    def test_login_lockout_ntlm(self):
+        self._test_login_lockout(self.lockout1ntlm_creds,
+                                 wait_lockout_duration=False)
+
+    # Repeat the login lockout tests using PSOs
+    def test_pso_login_lockout_krb5(self):
+        """Check the PSO lockout settings get applied to the user correctly"""
+        self.use_pso_lockout_settings(self.lockout1krb5_creds)
+        self._test_login_lockout(self.lockout1krb5_creds,
+                                 wait_lockout_duration=False)
+
+    def test_pso_login_lockout_ntlm(self):
+        """Check the PSO lockout settings get applied to the user correctly"""
+        self.use_pso_lockout_settings(self.lockout1ntlm_creds)
+        self._test_login_lockout(self.lockout1ntlm_creds,
+                                 wait_lockout_duration=False)
 
 host_url = "ldap://%s" % host
 
diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py
index 48a74018624..e8ac46dcd97 100644
--- a/source4/dsdb/tests/python/password_lockout_base.py
+++ b/source4/dsdb/tests/python/password_lockout_base.py
@@ -365,7 +365,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
     def tearDown(self):
         super(BasePasswordTestCase, self).tearDown()
 
-    def _test_login_lockout(self, creds):
+    def _test_login_lockout(self, creds, wait_lockout_duration=True):
         username = creds.get_username()
         userpass = creds.get_password()
         userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
@@ -563,6 +563,10 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
                                   userAccountControl=dsdb.UF_NORMAL_ACCOUNT,
                                   msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
 
+        # if we're just checking the user gets locked out, we can stop here
+        if not wait_lockout_duration:
+            return
+
         # wait for the lockout to end
         time.sleep(self.account_lockout_duration + 1)
         print(self.account_lockout_duration + 1)
-- 
2.17.1
Package init 2019-12-25 16:07:00 +08:00			`From ec9cc4ed5a05490297cde3fcaac50eeeaaca8469 Mon Sep 17 00:00:00 2001`
			`From: Tim Beale <timbeale@catalyst.net.nz>`
			`Date: Tue, 13 Nov 2018 11:49:56 +1300`
			`Subject: [PATCH 14/17] CVE-2018-16857 tests: Sanity-check password lockout`
			`works with default values`

			`Sanity-check that when we use the default lockOutObservationWindow that`
			`user lockout actually works.`

			`The easiest way to do this is to reuse the _test_login_lockout()`
			`test-case, but stop at the point where we wait for the lockout duration`
			`to expire (because we don't want the test to wait 30 mins).`

			`This highlights a problem currently where the default values don't work.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683`

			`Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`
			`---`
			`selftest/knownfail.d/password_lockout \| 4 +++`
			`source4/dsdb/tests/python/password_lockout.py \| 30 +++++++++++++++++++`
			`.../tests/python/password_lockout_base.py \| 6 +++-`
			`3 files changed, 39 insertions(+), 1 deletion(-)`
			`create mode 100644 selftest/knownfail.d/password_lockout`

			`diff --git a/selftest/knownfail.d/password_lockout b/selftest/knownfail.d/password_lockout`
			`new file mode 100644`
			`index 00000000000..305bcbdef25`
			`--- /dev/null`
			`+++ b/selftest/knownfail.d/password_lockout`
			`@@ -0,0 +1,4 @@`
			`+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_krb5\(ad_dc_ntvfs\)`
			`+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\)`
			`+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_ntlm\(ad_dc_ntvfs\)`
			`+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_krb5\(ad_dc_ntvfs\)`
			`diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py`
			`index 0022dee21ba..b09a732e179 100755`
			`--- a/source4/dsdb/tests/python/password_lockout.py`
			`+++ b/source4/dsdb/tests/python/password_lockout.py`
			`@@ -1415,6 +1415,36 @@ userPassword: """ + userpass + """`
			`self._testing_add_user(lockout4ntlm_creds,`
			`lockOutObservationWindow=self.lockout_observation_window)`

			`+class PasswordTestsWithDefaults(PasswordTests):`
			`+ def setUp(self):`
			`+ # The tests in this class do not sleep, so we can use the default`
			`+ # timeout windows here`
			`+ self.account_lockout_duration = 30 * 60`
			`+ self.lockout_observation_window = 30 * 60`
			`+ super(PasswordTestsWithDefaults, self).setUp()`
			`+`
			`+ # sanity-check that user lockout works with the default settings (we just`
			`+ # check the user is locked out - we don't wait for the lockout to expire)`
			`+ def test_login_lockout_krb5(self):`
			`+ self._test_login_lockout(self.lockout1krb5_creds,`
			`+ wait_lockout_duration=False)`
			`+`
			`+ def test_login_lockout_ntlm(self):`
			`+ self._test_login_lockout(self.lockout1ntlm_creds,`
			`+ wait_lockout_duration=False)`
			`+`
			`+ # Repeat the login lockout tests using PSOs`
			`+ def test_pso_login_lockout_krb5(self):`
			`+ """Check the PSO lockout settings get applied to the user correctly"""`
			`+ self.use_pso_lockout_settings(self.lockout1krb5_creds)`
			`+ self._test_login_lockout(self.lockout1krb5_creds,`
			`+ wait_lockout_duration=False)`
			`+`
			`+ def test_pso_login_lockout_ntlm(self):`
			`+ """Check the PSO lockout settings get applied to the user correctly"""`
			`+ self.use_pso_lockout_settings(self.lockout1ntlm_creds)`
			`+ self._test_login_lockout(self.lockout1ntlm_creds,`
			`+ wait_lockout_duration=False)`

			`host_url = "ldap://%s" % host`

			`diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py`
			`index 48a74018624..e8ac46dcd97 100644`
			`--- a/source4/dsdb/tests/python/password_lockout_base.py`
			`+++ b/source4/dsdb/tests/python/password_lockout_base.py`
			`@@ -365,7 +365,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """`
			`def tearDown(self):`
			`super(BasePasswordTestCase, self).tearDown()`

			`- def _test_login_lockout(self, creds):`
			`+ def _test_login_lockout(self, creds, wait_lockout_duration=True):`
			`username = creds.get_username()`
			`userpass = creds.get_password()`
			`userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)`
			`@@ -563,6 +563,10 @@ lockoutThreshold: """ + str(lockoutThreshold) + """`
			`userAccountControl=dsdb.UF_NORMAL_ACCOUNT,`
			`msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)`

			`+ # if we're just checking the user gets locked out, we can stop here`
			`+ if not wait_lockout_duration:`
			`+ return`
			`+`
			`# wait for the lockout to end`
			`time.sleep(self.account_lockout_duration + 1)`
			`print(self.account_lockout_duration + 1)`
			`--`
			`2.17.1`