[SCM] Samba Shared Repository - branch master updated
Michael Adam
obnox at samba.org
Mon Feb 4 10:55:02 MST 2013
The branch, master has been updated
via dc6c40b samba-tool/domain provision: add support for utf-8 passwords for --adminpass
via 2e7bc87 samba-tool/user setpassword: fix help message
via d60be81 s4:scripting/python: add support for utf-8 passwords from the command line
via ff65500 s3:dbrwap_ctdb: ZERO_STRUCT(rec) just to be sure in traverse_persistent_callback_read()
via 3949854 s3:dbwrap_ctdb: ZERO_STRUCT(rec) just to be sure in traverse_read_callback()
via a09f3a3 s3:dbwrap_ctdb: add "db_context" to "db_record"
via 25bdab9 s3:dbwrap_ctdb: setup result->name in db_open_ctdb()
via 29aeaab lib/dbwrap: talloc_strdup() name in db_open_file()
via 65f2bba lib/util: improve check_password_quality() to handle utf8
via e5ca813 dsdb/util: rework samdb_check_password() to support utf8
via 54cc3b1 dsdb/password_hash: rename variable 'stat' to 'vstat'
via 6eccfc7 dsdb/password_hash: make sure that io->n.cleartext_utf8.data is a null terminated string
via 9292e5b s3: use generate_random_password() instead of generate_random_str()
from c5d991e Revert "selftest: skip smb2.ioctl tests on ntvfs"
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit dc6c40b193e125e8810cf95129fc99f7d4f6db27
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 4 11:41:39 2013 +0100
samba-tool/domain provision: add support for utf-8 passwords for --adminpass
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Michael Adam <obnox at samba.org>
Autobuild-Date(master): Mon Feb 4 18:54:32 CET 2013 on sn-devel-104
commit 2e7bc87fa54148655ce13a59bd3274fb6285a579
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 4 13:35:48 2013 +0100
samba-tool/user setpassword: fix help message
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit d60be8167b7264dadae7d4735ee5977233d4cea9
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 4 11:41:39 2013 +0100
s4:scripting/python: add support for utf-8 passwords from the command line
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit ff65500f2b4f00dad25e342b51373f700d888c6b
Author: Michael Adam <obnox at samba.org>
Date: Mon Feb 4 13:10:34 2013 +0100
s3:dbrwap_ctdb: ZERO_STRUCT(rec) just to be sure in traverse_persistent_callback_read()
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 394985454970e1eeb9b871bb359fa9f5edc9747b
Author: Michael Adam <obnox at samba.org>
Date: Mon Feb 4 13:09:46 2013 +0100
s3:dbwrap_ctdb: ZERO_STRUCT(rec) just to be sure in traverse_read_callback()
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a09f3a35519d5be2a7d37dc2a283f84f6eb4e8cc
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 1 02:48:00 2013 -0500
s3:dbwrap_ctdb: add "db_context" to "db_record"
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 25bdab9c6140a04dfb33e5b4118f45e8d8489d86
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 1 03:14:16 2013 -0500
s3:dbwrap_ctdb: setup result->name in db_open_ctdb()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 29aeaab1d9bf2441f4a3a9f4a8554fa9af2bd5c2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 1 03:13:35 2013 -0500
lib/dbwrap: talloc_strdup() name in db_open_file()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 65f2bba559a33edb3c352d552aebb259e5e008eb
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 4 08:45:48 2013 +0100
lib/util: improve check_password_quality() to handle utf8
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit e5ca813ffb4398faeefc96c224d3b2677e576c7a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 4 09:19:54 2013 +0100
dsdb/util: rework samdb_check_password() to support utf8
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 54cc3b1f42eba19170e611b0ee0ea464ea4ac604
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 4 09:47:31 2013 +0100
dsdb/password_hash: rename variable 'stat' to 'vstat'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 6eccfc74cd9a16e96a2b6214b943f5b2f9adfe65
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 4 09:18:59 2013 +0100
dsdb/password_hash: make sure that io->n.cleartext_utf8.data is a null terminated string
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 9292e5b74310632e1f0b4b2b76a9ef4ccae6874e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 1 13:14:05 2013 +0100
s3: use generate_random_password() instead of generate_random_str()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/dbwrap/dbwrap_file.c | 7 +-
lib/util/genrand.c | 134 +++++++++++++++++---
lib/util/tests/genrand.c | 5 +-
source3/lib/dbwrap/dbwrap_ctdb.c | 17 +++-
source3/libads/util.c | 6 +-
source3/libnet/libnet_join.c | 8 +-
source3/libsmb/trusts_util.c | 7 +-
source3/utils/net_rpc_join.c | 4 +-
source3/utils/net_rpc_trust.c | 8 +-
source4/dsdb/common/util.c | 21 +++-
source4/dsdb/samdb/ldb_modules/password_hash.c | 33 ++++-
source4/scripting/python/samba/netcmd/user.py | 6 +-
.../scripting/python/samba/provision/__init__.py | 1 +
source4/scripting/python/samba/samdb.py | 3 +-
14 files changed, 212 insertions(+), 48 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/dbwrap/dbwrap_file.c b/lib/dbwrap/dbwrap_file.c
index 50e43b7..a3b1737 100644
--- a/lib/dbwrap/dbwrap_file.c
+++ b/lib/dbwrap/dbwrap_file.c
@@ -371,8 +371,13 @@ struct db_context *db_open_file(TALLOC_CTX *mem_ctx,
result->traverse = db_file_traverse;
result->traverse_read = db_file_traverse;
result->persistent = ((tdb_flags & TDB_CLEAR_IF_FIRST) == 0);
- result->name = name;
result->hash_size = 0;
+ result->name = talloc_strdup(result, name);
+ if (result->name == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ TALLOC_FREE(result);
+ return NULL;
+ }
ctx->locked_record = NULL;
if (!(ctx->dirname = talloc_strdup(ctx, name))) {
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index 57884ef..3dfaf08 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -298,29 +298,127 @@ _PUBLIC_ uint32_t generate_random(void)
/**
- very basic password quality checker
+ Microsoft composed the following rules (among others) for quality
+ checks. This is an abridgment from
+ http://msdn.microsoft.com/en-us/subscriptions/cc786468%28v=ws.10%29.aspx:
+
+ Passwords must contain characters from three of the following five
+ categories:
+
+ - Uppercase characters of European languages (A through Z, with
+ diacritic marks, Greek and Cyrillic characters)
+ - Lowercase characters of European languages (a through z, sharp-s,
+ with diacritic marks, Greek and Cyrillic characters)
+ - Base 10 digits (0 through 9)
+ - Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
+ - Any Unicode character that is categorized as an alphabetic character
+ but is not uppercase or lowercase. This includes Unicode characters
+ from Asian languages.
+
+ Note: for now do not check if the unicode category is
+ alphabetic character
**/
-_PUBLIC_ bool check_password_quality(const char *s)
+_PUBLIC_ bool check_password_quality(const char *pwd)
{
- int has_digit=0, has_capital=0, has_lower=0, has_special=0, has_high=0;
- const char* reals = s;
- while (*s) {
- if (isdigit((unsigned char)*s)) {
- has_digit |= 1;
- } else if (isupper((unsigned char)*s)) {
- has_capital |= 1;
- } else if (islower((unsigned char)*s)) {
- has_lower |= 1;
- } else if (isascii((unsigned char)*s)) {
- has_special |= 1;
- } else {
- has_high++;
+ size_t ofs = 0;
+ size_t num_chars = 0;
+ size_t num_digits = 0;
+ size_t num_upper = 0;
+ size_t num_lower = 0;
+ size_t num_nonalpha = 0;
+ size_t num_unicode = 0;
+ size_t num_categories = 0;
+
+ if (pwd == NULL) {
+ return false;
+ }
+
+ while (true) {
+ const char *s = &pwd[ofs];
+ size_t len = 0;
+ codepoint_t c;
+
+ c = next_codepoint(s, &len);
+ if (c == INVALID_CODEPOINT) {
+ return false;
+ } else if (c == 0) {
+ break;
+ }
+ ofs += len;
+ num_chars += 1;
+
+ if (len == 1) {
+ const char *na = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/";
+
+ if (isdigit(c)) {
+ num_digits += 1;
+ continue;
+ }
+
+ if (isupper(c)) {
+ num_upper += 1;
+ continue;
+ }
+
+ if (islower(c)) {
+ num_lower += 1;
+ continue;
+ }
+
+ if (strchr(na, c)) {
+ num_nonalpha += 1;
+ continue;
+ }
+
+ /*
+ * the rest does not belong to
+ * a category.
+ */
+ continue;
}
- s++;
+
+ if (isupper_m(c)) {
+ num_upper += 1;
+ continue;
+ }
+
+ if (islower_m(c)) {
+ num_lower += 1;
+ continue;
+ }
+
+ /*
+ * Note: for now do not check if the unicode category is
+ * alphabetic character
+ *
+ * We would have to import the details from
+ * ftp://ftp.unicode.org/Public/6.3.0/ucd/UnicodeData-6.3.0d1.txt
+ */
+ num_unicode += 1;
+ continue;
+ }
+
+ if (num_digits > 0) {
+ num_categories += 1;
+ }
+ if (num_upper > 0) {
+ num_categories += 1;
+ }
+ if (num_lower > 0) {
+ num_categories += 1;
+ }
+ if (num_nonalpha > 0) {
+ num_categories += 1;
+ }
+ if (num_unicode > 0) {
+ num_categories += 1;
+ }
+
+ if (num_categories >= 3) {
+ return true;
}
- return ((has_digit + has_lower + has_capital + has_special) >= 3
- || (has_high > strlen(reals)/2));
+ return false;
}
/**
diff --git a/lib/util/tests/genrand.c b/lib/util/tests/genrand.c
index 50d77bb..ff608cd 100644
--- a/lib/util/tests/genrand.c
+++ b/lib/util/tests/genrand.c
@@ -41,7 +41,10 @@ static bool test_check_password_quality(struct torture_context *tctx)
torture_assert(tctx, !check_password_quality("BLA"), "multiple upcases password");
torture_assert(tctx, !check_password_quality("123"), "digits only");
torture_assert(tctx, !check_password_quality("matthiéu"), "not enough high symbols");
- torture_assert(tctx, check_password_quality("abcdééàçè"), "valid");
+ torture_assert(tctx, !check_password_quality("abcdééàçè"), "only lower case");
+ torture_assert(tctx, !check_password_quality("abcdééàçè+"), "only lower and symbols");
+ torture_assert(tctx, check_password_quality("abcdééàçè+ढ"), "valid");
+ torture_assert(tctx, check_password_quality("ç+ढ"), "valid");
torture_assert(tctx, check_password_quality("A2e"), "valid");
torture_assert(tctx, check_password_quality("BA2eLi443"), "valid");
return true;
diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
index c96dda2..a6f49b8 100644
--- a/source3/lib/dbwrap/dbwrap_ctdb.c
+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
@@ -475,6 +475,7 @@ static struct db_record *db_ctdb_fetch_locked_transaction(struct db_ctdb_ctx *ct
return NULL;
}
+ result->db = ctx->db;
result->private_data = ctx->transaction;
result->key.dsize = key.dsize;
@@ -1401,11 +1402,14 @@ static void traverse_read_callback(TDB_DATA key, TDB_DATA data, void *private_da
{
struct traverse_state *state = (struct traverse_state *)private_data;
struct db_record rec;
+
+ ZERO_STRUCT(rec);
+ rec.db = state->db;
rec.key = key;
rec.value = data;
rec.store = db_ctdb_store_deny;
rec.delete_rec = db_ctdb_delete_deny;
- rec.private_data = state->db;
+ rec.private_data = NULL;
state->fn(&rec, state->private_data);
state->count++;
}
@@ -1426,11 +1430,13 @@ static int traverse_persistent_callback_read(TDB_CONTEXT *tdb, TDB_DATA kbuf, TD
return 0;
}
+ ZERO_STRUCT(rec);
+ rec.db = state->db;
rec.key = kbuf;
rec.value = dbuf;
rec.store = db_ctdb_store_deny;
rec.delete_rec = db_ctdb_delete_deny;
- rec.private_data = state->db;
+ rec.private_data = NULL;
if (rec.value.dsize <= sizeof(struct ctdb_ltdb_header)) {
/* a deleted record */
@@ -1520,6 +1526,13 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
return NULL;
}
+ result->name = talloc_strdup(result, name);
+ if (result->name == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ TALLOC_FREE(result);
+ return NULL;
+ }
+
db_ctdb->transaction = NULL;
db_ctdb->db = result;
diff --git a/source3/libads/util.c b/source3/libads/util.c
index 6a6b42a..2e22bca 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -35,8 +35,10 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
return ADS_ERROR_SYSTEM(ENOENT);
}
- new_password = generate_random_str(talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-
+ new_password = generate_random_password(talloc_tos(),
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+
ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset);
if (!ADS_ERR_OK(ret)) {
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index d6aa793..3d0a6d3 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -811,7 +811,9 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
}
if (!r->in.machine_password) {
- r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+ r->in.machine_password = generate_random_password(mem_ctx,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
}
@@ -882,7 +884,9 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
}
if (!r->in.machine_password) {
- r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+ r->in.machine_password = generate_random_password(mem_ctx,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
}
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index be1f1f8..0d039bc 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -52,10 +52,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
}
/* Create a random machine account password */
- new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-
+ new_trust_passwd = generate_random_password(mem_ctx,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
if (new_trust_passwd == NULL) {
- DEBUG(0, ("talloc_strdup failed\n"));
+ DEBUG(0, ("generate_random_password failed\n"));
return NT_STATUS_NO_MEMORY;
}
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index ed81aac..7167cf9 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -401,7 +401,9 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
/* Create a random machine account password */
- clear_trust_password = generate_random_str(talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+ clear_trust_password = generate_random_password(talloc_tos(),
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
E_md4hash(clear_trust_password, md4_trust_password);
/* Set password on machine account */
diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
index d15d10c..9060700 100644
--- a/source3/utils/net_rpc_trust.c
+++ b/source3/utils/net_rpc_trust.c
@@ -518,11 +518,11 @@ static int rpc_trust_common(struct net_context *net_ctx, int argc,
}
DEBUG(0, ("Using random trust password.\n"));
- /* FIXME: why only 8 characters work? Would it be possible to use a
- * random binary password? */
- trust_pw = generate_random_str(mem_ctx, 8);
+ trust_pw = generate_random_password(mem_ctx,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
if (trust_pw == NULL) {
- DEBUG(0, ("generate_random_str failed.\n"));
+ DEBUG(0, ("generate_random_password failed.\n"));
goto done;
}
} else {
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 2b96bd4..8e40776 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1906,19 +1906,30 @@ int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
*
* Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
*/
-enum samr_ValidationStatus samdb_check_password(const DATA_BLOB *password,
+enum samr_ValidationStatus samdb_check_password(const DATA_BLOB *utf8_blob,
const uint32_t pwdProperties,
const uint32_t minPwdLength)
{
+ const char *utf8_pw = (const char *)utf8_blob->data;
+ size_t utf8_len = strlen_m(utf8_pw);
+
/* checks if the "minPwdLength" property is satisfied */
- if (minPwdLength > password->length)
+ if (minPwdLength > utf8_len) {
return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+ }
/* checks the password complexity */
- if (((pwdProperties & DOMAIN_PASSWORD_COMPLEX) != 0)
- && (password->data != NULL)
- && (!check_password_quality((const char *) password->data)))
+ if (!(pwdProperties & DOMAIN_PASSWORD_COMPLEX)) {
+ return SAMR_VALIDATION_STATUS_SUCCESS;
+ }
+
+ if (utf8_len == 0) {
return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+ }
+
+ if (!check_password_quality(utf8_pw)) {
+ return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+ }
return SAMR_VALIDATION_STATUS_SUCCESS;
}
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 9bf596c..e9c2bca 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1876,7 +1876,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
{
struct ldb_context *ldb;
int ret;
- enum samr_ValidationStatus stat;
ldb = ldb_module_get_ctx(io->ac->module);
@@ -1973,10 +1972,11 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
* It is also in use by "dcesrv_samr_ValidatePassword".
*/
if (io->n.cleartext_utf8 != NULL) {
- stat = samdb_check_password(io->n.cleartext_utf8,
- io->ac->status->domain_data.pwdProperties,
- io->ac->status->domain_data.minPwdLength);
- switch (stat) {
+ enum samr_ValidationStatus vstat;
+ vstat = samdb_check_password(io->n.cleartext_utf8,
+ io->ac->status->domain_data.pwdProperties,
+ io->ac->status->domain_data.minPwdLength);
+ switch (vstat) {
case SAMR_VALIDATION_STATUS_SUCCESS:
/* perfect -> proceed! */
break;
@@ -2203,6 +2203,29 @@ static int setup_io(struct ph_context *ac,
}
}
+ if (io->n.cleartext_utf8 != NULL) {
+ struct ldb_val *cleartext_utf8_blob;
+ char *p;
+
+ cleartext_utf8_blob = talloc(io->ac, struct ldb_val);
+ if (!cleartext_utf8_blob) {
+ return ldb_oom(ldb);
+ }
+
+ *cleartext_utf8_blob = *io->n.cleartext_utf8;
+
+ /* make sure we have a null terminated string */
+ p = talloc_strndup(cleartext_utf8_blob,
+ (const char *)io->n.cleartext_utf8->data,
+ io->n.cleartext_utf8->length);
+ if ((p == NULL) && (io->n.cleartext_utf8->length > 0)) {
+ return ldb_oom(ldb);
+ }
+ cleartext_utf8_blob->data = (uint8_t *)p;
+
+ io->n.cleartext_utf8 = cleartext_utf8_blob;
+ }
+
ret = msg_find_old_and_new_pwd_val(orig_msg, "clearTextPassword",
ac->req->operation,
&io->n.cleartext_utf16,
diff --git a/source4/scripting/python/samba/netcmd/user.py b/source4/scripting/python/samba/netcmd/user.py
index 4667d52..b98ec34 100644
--- a/source4/scripting/python/samba/netcmd/user.py
+++ b/source4/scripting/python/samba/netcmd/user.py
@@ -515,17 +515,17 @@ It is good security practice for the administrator to use the --must-change-at-n
The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.
Example1:
-samba-tool user setpassword TestUser1 passw0rd --URL=ldap://samba.samdom.example.com -Uadministrator%passw1rd
+samba-tool user setpassword TestUser1 --newpassword=passw0rd --URL=ldap://samba.samdom.example.com -Uadministrator%passw1rd
Example1 shows how to set the password of user TestUser1 on a remote LDAP server. The --URL parameter is used to specify the remote target server. The -U option is used to pass the username and password of a user that exists on the remote server and is authorized to update the server.
Example2:
-sudo samba-tool user setpassword TestUser2 passw0rd --must-change-at-next-login
+sudo samba-tool user setpassword TestUser2 --newpassword=passw0rd --must-change-at-next-login
Example2 shows how an administrator would reset the TestUser2 user's password to passw0rd. The user is running under the root userid using the sudo command. In this example the user TestUser2 must change their password the next time they logon to the account.
Example3:
-samba-tool user setpassword --filter=samaccountname=TestUser3 --password=passw0rd
+samba-tool user setpassword --filter=samaccountname=TestUser3 --newpassword=passw0rd
Example3 shows how an administrator would reset TestUser3 user's password to passw0rd using the --filter= option to specify the username.
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index 507582b..aac0ee3 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -2137,6 +2137,7 @@ def provision(logger, session_info, credentials, smbconf=None,
adminpass = samba.generate_random_password(12, 32)
adminpass_generated = True
else:
+ adminpass = unicode(adminpass, 'utf-8')
adminpass_generated = False
if samdb_fill == FILL_FULL:
diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py
index 0eb5a13..2dfc839 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -473,12 +473,13 @@ member: %s
if len(res) > 1:
raise Exception('Matched %u multiple users with filter "%s"' % (len(res), search_filter))
user_dn = res[0].dn
+ pw = unicode('"' + password + '"', 'utf-8').encode('utf-16-le')
setpw = """
dn: %s
changetype: modify
replace: unicodePwd
unicodePwd:: %s
-""" % (user_dn, base64.b64encode(("\"" + password + "\"").encode('utf-16-le')))
+""" % (user_dn, base64.b64encode(pw))
self.modify_ldif(setpw)
--
Samba Shared Repository
More information about the samba-cvs
mailing list