[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Jan 24 03:06:02 MST 2012 

The branch, master has been updated
       via  bbacd90 selftest: Add test for smbpasswd against pdb_samba4
       via  6acce6e s3-passdb: Fix pdb_samba4 setting of plaintext passwords
       via  6bab4a3 s3-passdb: Use DSDB_PASSWORD_BYPASS_LAST_SET flags in pdb_samba4
       via  1a9ee7c dsdb: Allow DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID to be specified as a flag
      from  1f0298d python: Change except: statement to except Exception:

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bbacd901cda42a0a5c284164c46f750a76fd0c7e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jan 24 19:23:20 2012 +1100

    selftest: Add test for smbpasswd against pdb_samba4
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Tue Jan 24 11:05:09 CET 2012 on sn-devel-104

commit 6acce6e5d71743b824a822e9b6f24dcc6d8106ca
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jan 24 18:38:09 2012 +1100

    s3-passdb: Fix pdb_samba4 setting of plaintext passwords
    
    We were setting a UTF8 password into the UTF16 clearTextPassword.
    
    Converting from CH_UNIX to CH_UTF16 should fix this.
    
    Andrew Bartlett

commit 6bab4a3810f9b42e62d2fe1a9b1544e34893cb50
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jan 24 18:37:24 2012 +1100

    s3-passdb: Use DSDB_PASSWORD_BYPASS_LAST_SET flags in pdb_samba4

commit 1a9ee7cbd575f3865a2cd8dfe35e3f89ebdec073
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jan 24 18:36:49 2012 +1100

    dsdb: Allow DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID to be specified as a flag

-----------------------------------------------------------------------

Summary of changes:
 source3/passdb/pdb_samba4.c          |   28 +++++++++++++-------
 source4/dsdb/common/util.c           |    7 +++++
 source4/dsdb/common/util.h           |    1 +
 testprogs/blackbox/test_passwords.sh |   45 +++++++++++++++++++++++++++++++---
 4 files changed, 67 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/passdb/pdb_samba4.c b/source3/passdb/pdb_samba4.c
index 8da9b3c..bc3b123 100644
--- a/source3/passdb/pdb_samba4.c
+++ b/source3/passdb/pdb_samba4.c
@@ -357,13 +357,30 @@ static int pdb_samba4_replace_by_sam(struct pdb_samba4_state *state,
 		return ret;
         }
 
+	/* If we set a plaintext password, the system will
+	 * force the pwdLastSet to now() */
+	if (need_update(sam, PDB_PASSLASTSET)) {
+		dsdb_flags = DSDB_PASSWORD_BYPASS_LAST_SET;
+		
+		ret |= pdb_samba4_add_time(msg, "pwdLastSet",
+					   pdb_get_pass_last_set_time(sam));
+	}
+
 	pw = pdb_get_plaintext_passwd(sam);
 	if (need_update(sam, PDB_PLAINTEXT_PW)) {
+		struct ldb_val pw_utf16;
 		if (pw == NULL) {
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 		
-		ret |= ldb_msg_add_string(msg, "clearTextPassword", pw);
+		if (!convert_string_talloc(msg,
+					   CH_UNIX, CH_UTF16,
+					   pw, strlen(pw),
+					   (void *)&pw_utf16.data,
+					   &pw_utf16.length)) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		ret |= ldb_msg_add_value(msg, "clearTextPassword", &pw_utf16, NULL);
 	} else {
 		bool changed_lm_pw = false;
 		bool changed_nt_pw = false;
@@ -407,15 +424,6 @@ static int pdb_samba4_replace_by_sam(struct pdb_samba4_state *state,
 
 		}
 
-		/* If we set a plaintext password, the system will
-		 * force the pwdLastSet to now(), and it isn't worth
-		 * working around this for the real world use cases of
-		 * pdb_samba4 */
-		if (need_update(sam, PDB_PASSLASTSET)) {
-			ret |= pdb_samba4_add_time(msg, "pwdLastSet",
-						   pdb_get_pass_last_set_time(sam));
-		}
-
 		if (need_update(sam, PDB_PWHISTORY)) {
 			uint32_t current_hist_len;
 			const uint8_t *history = pdb_get_pw_history(sam, &current_hist_len);
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 38391a9..814faa6 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3725,6 +3725,13 @@ int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags)
 		}
 	}
 
+	if (dsdb_flags & DSDB_PASSWORD_BYPASS_LAST_SET) {
+		ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID, true, NULL);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
+
 	if (dsdb_flags & DSDB_MODIFY_PARTIAL_REPLICA) {
 		ret = ldb_request_add_control(req, DSDB_CONTROL_PARTIAL_REPLICA, false, NULL);
 		if (ret != LDB_SUCCESS) {
diff --git a/source4/dsdb/common/util.h b/source4/dsdb/common/util.h
index b2f7aa5..5ec19fb 100644
--- a/source4/dsdb/common/util.h
+++ b/source4/dsdb/common/util.h
@@ -38,6 +38,7 @@
 #define DSDB_BYPASS_PASSWORD_HASH	      0x1000
 #define DSDB_SEARCH_NO_GLOBAL_CATALOG	      0x2000
 #define DSDB_MODIFY_PARTIAL_REPLICA	      0x4000
+#define DSDB_PASSWORD_BYPASS_LAST_SET         0x8000
 
 bool is_attr_in_list(const char * const * attrs, const char *attr);
 
diff --git a/testprogs/blackbox/test_passwords.sh b/testprogs/blackbox/test_passwords.sh
index ed68665..9e65b30 100755
--- a/testprogs/blackbox/test_passwords.sh
+++ b/testprogs/blackbox/test_passwords.sh
@@ -23,6 +23,7 @@ samba4bindir="$BINDIR"
 smbclient="$samba4bindir/smbclient$EXEEXT"
 samba4kinit="$samba4bindir/samba4kinit$EXEEXT"
 samba_tool="$samba4bindir/samba-tool$EXEEXT"
+smbpasswd="$samba4bindir/smbpasswd$EXEEXT"
 rkpty="$samba4bindir/rkpty$EXEEXT"
 samba4kpasswd="$samba4bindir/samba4kpasswd$EXEEXT"
 newuser="$samba_tool user create"
@@ -50,7 +51,7 @@ export CONFIG
 
 testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
 
-USERPASS=testPaSS at 01%
+USERPASS=testPaSS at 00%
 
 testit "create user locally" $VALGRIND $newuser $CONFIG nettestuser $USERPASS $@ || failed=`expr $failed + 1`
 
@@ -63,7 +64,7 @@ testit "kinit with user password" $samba4kinit --password-file=$PREFIX/tmpuserpa
 
 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
 
-NEWUSERPASS=testPaSS at 02%
+NEWUSERPASS=testPaSS at 01%
 testit "change user password with 'samba-tool user password' (unforced)" $VALGRIND $samba_tool user password -W$DOMAIN -U$DOMAIN/nettestuser%$USERPASS  -k no --newpassword=$NEWUSERPASS $@ || failed=`expr $failed + 1`
 
 echo $NEWUSERPASS > ./tmpuserpassfile
@@ -74,7 +75,7 @@ test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`exp
 
 USERPASS=$NEWUSERPASS
 WEAKPASS=testpass1
-NEWUSERPASS=testPaSS at 03%
+NEWUSERPASS=testPaSS at 02%
 
 # password mismatch check doesn't work yet (kpasswd bug, reported to Love)
 #echo "check that password mismatch gives the right error"
@@ -133,6 +134,21 @@ testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpas
 
 test_smbclient "Test login with user kerberos (unforced)" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
 
+NEWUSERPASS=testPaSS at 03%
+
+echo "set password with smbpasswd"
+cat > ./tmpsmbpasswdscript <<EOF
+expect New SMB password:
+send ${NEWUSERPASS}\n
+expect Retype new SMB password:
+send ${NEWUSERPASS}\n
+EOF
+
+testit "set user password with smbpasswd" $rkpty ./tmpsmbpasswdscript $smbpasswd -L -c $PREFIX/dc/etc/smb.conf nettestuser || failed=`expr $failed + 1`
+USERPASS=$NEWUSERPASS
+
+test_smbclient "Test login with user (ntlm)" 'ls' -k no -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+
 
 NEWUSERPASS=testPaSS at 04%
 testit "set password on user locally" $VALGRIND $samba_tool user setpassword nettestuser $CONFIG --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
@@ -163,6 +179,27 @@ USERPASS=$NEWUSERPASS
 
 test_smbclient "Test login with user kerberos" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
 
+NEWUSERPASS=testPaSS at 08%
+testit "set password on user locally" $VALGRIND $samba_tool user setpassword $CONFIG nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
+USERPASS=$NEWUSERPASS
+
+NEWUSERPASS=testPaSS at 09%
+
+cat > ./tmpsmbpasswdscript <<EOF
+expect Old SMB password:
+password ${USERPASS}\n
+expect New SMB password:
+send ${NEWUSERPASS}\n
+expect Retype new SMB password:
+send ${NEWUSERPASS}\n
+EOF
+
+testit "change user password with smbpasswd (after must change flag set)" $rkpty ./tmpsmbpasswdscript $smbpasswd -r $SERVER  -c $PREFIX/dc/etc/smb.conf -U nettestuser || failed=`expr $failed + 1`
+
+USERPASS=$NEWUSERPASS
+
+test_smbclient "Test login with user kerberos" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+
 NEWUSERPASS=abcdefg
 testit_expect_failure "try to set a non-complex password (command should not succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ && failed=`expr $failed + 1`
 
@@ -192,5 +229,5 @@ testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $
 
 testit "del user" $VALGRIND $samba_tool user delete nettestuser -U"$USERNAME%$PASSWORD" -k no $@ || failed=`expr $failed + 1`
 
-rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
+rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript tmpsmbpasswdscript
 exit $failed


-- 
Samba Shared Repository

More information about the samba-cvs mailing list