The branch, master has been updated via 0e40506d21b selftest: add tests for "samba-tool user list --locked-only" via 055b4cd50f8 samba-tool: add "samba-tool user list --locked-only" from b13d4359f2f libgpo: Do not segfault if we don't have a valid security descriptor
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 0e40506d21b43854bba95e267dead64c506d1ef5 Author: Jule Anger <jan...@samba.org> Date: Tue Mar 5 10:41:32 2024 +0100 selftest: add tests for "samba-tool user list --locked-only" Signed-off-by: Jule Anger <jan...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Jule Anger <jan...@samba.org> Autobuild-Date(master): Tue Mar 12 10:54:49 UTC 2024 on atb-devel-224 commit 055b4cd50f8aeaac7ce1f3efc5643063025b28a7 Author: Jule Anger <jan...@samba.org> Date: Fri Mar 1 11:16:26 2024 +0100 samba-tool: add "samba-tool user list --locked-only" Signed-off-by: Jule Anger <jan...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/samba-tool.8.xml | 6 ++++++ python/samba/netcmd/user/list.py | 13 ++++++++++++- python/samba/tests/samba_tool/user.py | 25 +++++++++++++++++++++++++ source4/dsdb/tests/python/password_lockout.py | 16 ++++++++++++++++ 4 files changed, 59 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 3471b0e1991..e6c0c08c240 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -2598,6 +2598,12 @@ Do not list disabled user accounts. </para></listitem> </varlistentry> + <varlistentry> + <term>--locked-only</term> + <listitem><para> + Only list locked user accounts. + </para></listitem> + </varlistentry> </variablelist> </refsect3> diff --git a/python/samba/netcmd/user/list.py b/python/samba/netcmd/user/list.py index 10605ca68f4..3d16f0ef9d7 100644 --- a/python/samba/netcmd/user/list.py +++ b/python/samba/netcmd/user/list.py 
@@ -42,6 +42,10 @@ class cmd_user_list(Command): default=False, action='store_true', help="Do not list disabled user accounts"), + Option("--locked-only", + help="Only list locked user accounts", + default=False, + action='store_true'), Option("-b", "--base-dn", help="Specify base DN to use", type=str), @@ -64,6 +68,7 @@ class cmd_user_list(Command): H=None, hide_expired=False, hide_disabled=False, + locked_only=False, base_dn=None, full_dn=False): lp = sambaopts.get_loadparm() @@ -87,10 +92,16 @@ class cmd_user_list(Command): filter_disabled = "(!(userAccountControl:%s:=%u))" % ( ldb.OID_COMPARATOR_AND, dsdb.UF_ACCOUNTDISABLE) - filter = "(&(objectClass=user)(userAccountControl:%s:=%u)%s%s)" % ( + filter_locked = "" + if locked_only is True: + # use lockoutTime=* to filter out accounts without a set lockoutTime + filter_locked = "(&(lockoutTime=*)(!(lockoutTime=0)))" + + filter = "(&(objectClass=user)(userAccountControl:%s:=%u)%s%s%s)" % ( ldb.OID_COMPARATOR_AND, dsdb.UF_NORMAL_ACCOUNT, filter_disabled, + filter_locked, filter_expires) res = samdb.search(search_dn, diff --git a/python/samba/tests/samba_tool/user.py b/python/samba/tests/samba_tool/user.py index ef74858eaec..290d5daebe1 100644 --- a/python/samba/tests/samba_tool/user.py +++ b/python/samba/tests/samba_tool/user.py 
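Review bot: In the third hunk of python/samba/netcmd/user/list.py, `filter_locked` treats any non-zero `lockoutTime` as "locked", which is broader than what the `--locked-only` help text promises. As far as I know, the directory keeps `lockoutTime` set after the lockout duration has elapsed, until the next successful logon or an explicit reset, so the list can include accounts that are able to authenticate again; that matters when the output is used to triage a suspected password-guessing incident. Either say so in the option text, e.g. `help="Only list user accounts with a non-zero lockoutTime"`, or post-filter the results on the computed lockout flag that password_lockout.py checks (`msDSUserAccountControlComputed=dsdb.UF_LOCKOUT`). Separately, `if locked_only is True:` reads more naturally as `if locked_only:`. The body of `run()` continues outside the hunk.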
@@ -437,6 +437,31 @@ class UserCmdTestCase(SambaToolCmdTest): self.assertMatch(out, name, "user '%s' not found" % name) + # Test: samba-tool user list --locked-only + # This test does not verify that the command lists the locked user, it just + # tests that it does not list unlocked users. The funcional test, which + # lists locked users, is located in the 'samba4.ldap.password_lockout' test + # in source8/dsdb/tests/python/password_lockout.py + def test_list_locked(self): + (result, out, err) = self.runsubcmd("user", "list", + "-H", "ldap://%s" % os.environ["DC_SERVER"], + "-U%s%%%s" % (os.environ["DC_USERNAME"], + os.environ["DC_PASSWORD"]), + "--locked-only") + self.assertCmdSuccess(result, out, err, "Error running list") + + search_filter = ("(&(objectClass=user)(userAccountControl:%s:=%u))" % + (ldb.OID_COMPARATOR_AND, dsdb.UF_NORMAL_ACCOUNT)) + + userlist = self.samdb.search(base=self.samdb.domain_dn(), + scope=ldb.SCOPE_SUBTREE, + expression=search_filter, + attrs=["samaccountname"]) + + for userobj in userlist: + name = str(userobj.get("samaccountname", idx=0)) + self.assertNotIn(name, out, + "user '%s' is incorrectly listed as locked" % name) def test_list_base_dn(self): base_dn = "CN=Users" diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py index 78edcce7792..01cf8e02f7b 100755 --- a/source4/dsdb/tests/python/password_lockout.py +++ b/source4/dsdb/tests/python/password_lockout.py @@ -11,6 +11,7 @@ import optparse import sys import base64 import time +import subprocess sys.path.insert(0, "bin/python") import samba 
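Review bot: The comment above `test_list_locked` points readers to `source8/dsdb/tests/python/password_lockout.py`, but the file changed in this same commit lives under `source4/`; the line should read `# in source4/dsdb/tests/python/password_lockout.py`, and `funcional` should be `functional`. The check itself is a substring test against the whole output (`assertNotIn(name, out)`), so it would misfire if an unlocked account's name were a substring of a listed one; assuming the command prints one name per line, `self.assertNotIn(name, out.splitlines(), ...)` compares whole entries instead. The test also appears to assume that no normal account on the DC is locked when it runs, which is worth stating in the comment so a failure caused by leftover state from another test is easy to recognise.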
@@ -489,8 +490,23 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) userAccountControl=dsdb.UF_NORMAL_ACCOUNT, msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) + username = res[0]["sAMAccountName"][0] + cmd = ["bin/samba-tool", "user", "list", "--locked-only", + "-H%s" % self.host_url, + "-U%s%%%s" % (global_creds.get_username(), + global_creds.get_password())] + out = subprocess.check_output(cmd) + self.assertIn(username, out) + self._reset_by_method(res, method) + cmd = ["bin/samba-tool", "user", "list", "--locked-only", + "-H%s" % self.host_url, + "-U%s%%%s" % (global_creds.get_username(), + global_creds.get_password())] + out = subprocess.check_output(cmd) + self.assertNotIn(username, out) + # Here bad password counts are reset without logon success. res = self._check_account(userdn, badPwdCount=0, -- Samba Shared Repository
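Review bot: Both new `subprocess.check_output(cmd)` calls put the account password in the child's argv via `"-U%s%%%s"`, where it is readable from the process list for the duration of the run, and `check_output` raises `CalledProcessError`, whose message includes the full command, so a failing run would write the password into the test log. If samba-tool in this tree accepts credentials from the environment or a file, prefer that here; otherwise catch the error and report it without the command line. The two `cmd` lists are identical, so build the list once before the first call and reuse it after `self._reset_by_method(res, method)`. The enclosing test method starts and ends outside the hunk.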