[SCM] Samba Shared Repository - branch master updated

Garming Sam garming at samba.org
Tue Apr 19 05:55:02 UTC 2016


The branch, master has been updated
       via  fec698d tests/passwords: fix a typo
       via  a523274 tests/dsdb: Verify that only a new ldb affects reads of userPassword
       via  f26a284 dsdb: Only re-query dSHeuristics for userPassword support on modifies
      from  0619a83 tests/rodc: Check that preload will skip broken users

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fec698dbfd63e0c63c4fc1fd536839ae39e7077e
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Apr 13 16:35:53 2016 +1200

    tests/passwords: fix a typo
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Garming Sam <garming at samba.org>
    Autobuild-Date(master): Tue Apr 19 07:54:35 CEST 2016 on sn-devel-144

commit a523274fb6aa2c25d51a6a865ea084bc94947e08
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Feb 22 13:33:01 2016 +1300

    tests/dsdb: Verify that only a new ldb affects reads of userPassword
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11853
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f26a2845bd42e580ddeaf0eecc9b46b823a0c6bc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 12 15:53:37 2016 +1300

    dsdb: Only re-query dSHeuristics for userPassword support on modifies
    
    We keep the value read at database startup for search behaviour, as
    re-checking on every request is too expensive: it caused every search
    to issue an additional search against the database.
    
    We do not need to check am_system when setting ac->userPassword,
    as this is checked when all password attributes are stripped.
    
    As userPassword is not written to after fUserPwdSupport is set
    we do not expose any data that was not already visible.
    
    The database overhead was an oversight when this was
    originally added with 7f171a9e0f9b5945bd16a1330ba0908090659030
    in 2010.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11853
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl.c   |  8 ++-
 source4/dsdb/tests/python/passwords.py | 91 +++++++++++++++++++++++++++++++++-
 2 files changed, 96 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 62e560f..2aafc6c 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -55,6 +55,7 @@ struct acl_private {
 	uint64_t cached_schema_metadata_usn;
 	uint64_t cached_schema_loaded_usn;
 	const char **confidential_attrs;
+	bool userPassword_support;
 };
 
 struct acl_context {
@@ -107,6 +108,8 @@ static int acl_module_init(struct ldb_module *module)
 					NULL, "acl", "search", true);
 	ldb_module_set_private(module, data);
 
+	data->userPassword_support = dsdb_user_password_support(module, module, NULL);
+	
 	mem_ctx = talloc_new(module);
 	if (!mem_ctx) {
 		return ldb_oom(ldb);
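Review bot: The value sampled on the added `data->userPassword_support = dsdb_user_password_support(module, module, NULL);` line is fixed for the lifetime of this ldb handle, and nothing at the assignment says so, so a reader will assume it tracks dSHeuristics live. Add a comment such as `/* fUserPwdSupport snapshot taken once per ldb handle: searches use it (re-querying per search was too expensive), modifies re-query via dsdb_user_password_support() */`. Whatever dsdb_user_password_support() returns when its underlying lookup fails also becomes permanent for the handle, so the comment should state which way that fallback goes once confirmed. The added blank line after the assignment carries a trailing tab that should be dropped. acl_module_init starts before and continues after this hunk.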
@@ -1851,8 +1854,9 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	if (!ac->am_system) {
-		ac->userPassword = dsdb_user_password_support(module, ac, req);
+	data = talloc_get_type(ldb_module_get_private(ac->module), struct acl_private);
+	if (data != NULL) {
+		ac->userPassword = data->userPassword_support;
 	}
 
 	ret = acl_search_update_confidential_attrs(ac, data);
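Review bot: When `ldb_module_get_private()` yields NULL the new code silently leaves `ac->userPassword` at whatever the context was initialised with, so the userPassword strip decision is made by an unset flag instead of the configured value. Since NULL private data means module init did not run, that case should fail loudly rather than pick a quiet default: `if (data == NULL) { return ldb_operr(ldb); }` (or the `ldb_error(..., "acl_private data is missing")` form if the module uses that elsewhere), assuming `ldb` is in scope in acl_search as it is in the rest of the module. `data` is already passed to `acl_search_update_confidential_attrs()` on the last line, so if it was fetched earlier in the function the added `talloc_get_type()` may be a redundant re-fetch. The body of acl_search starts before this hunk.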
diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py
index fb3eee5..db013ea 100755
--- a/source4/dsdb/tests/python/passwords.py
+++ b/source4/dsdb/tests/python/passwords.py
@@ -87,7 +87,7 @@ class PasswordTests(samba.tests.TestCase):
         # Get the old "minPwdAge"
         minPwdAge = self.ldb.get_minPwdAge()
 
-        # Set it temporarely to "0"
+        # Set it temporarily to "0"
         self.ldb.set_minPwdAge("0")
         self.base_dn = self.ldb.domain_dn()
 
@@ -912,6 +912,95 @@ userPassword: thatsAcomplPASS4
         # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
         self.ldb.set_dsheuristics("000000001")
 
+    def test_modify_dsheuristics_userPassword(self):
+        print "Performs testing about reading userPassword between dsHeuristic modifies"
+
+        # Make sure userPassword cannot be read
+        self.ldb.set_dsheuristics("000000000")
+
+        # Open a new connection (with dsHeuristic=000000000)
+        ldb1 = SamDB(url=host, session_info=system_session(lp),
+                     credentials=creds, lp=lp)
+
+        # Set userPassword to be read
+        # This setting only affects newer connections (ldb2)
+        ldb1.set_dsheuristics("000000001")
+        time.sleep(1)
+
+        m = Message()
+        m.dn = Dn(ldb1, "cn=testuser,cn=users," + self.base_dn)
+        m["userPassword"] = MessageElement("thatsAcomplPASS1", FLAG_MOD_REPLACE,
+          "userPassword")
+        ldb1.modify(m)
+
+        res = ldb1.search("cn=testuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["userPassword"])
+
+        # userPassword cannot be read, despite the dsHeuristic setting
+        self.assertTrue(len(res) == 1)
+        self.assertFalse("userPassword" in res[0])
+
+        # Open another new connection (with dsHeuristic=000000001)
+        ldb2 = SamDB(url=host, session_info=system_session(lp),
+                     credentials=creds, lp=lp)
+
+        # Set userPassword to be unreadable
+        # This setting does not affect this connection
+        ldb2.set_dsheuristics("000000000")
+        time.sleep(1)
+
+        res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["userPassword"])
+
+        # Check that userPassword was not stored from ldb1
+        self.assertTrue(len(res) == 1)
+        self.assertFalse("userPassword" in res[0])
+
+        m = Message()
+        m.dn = Dn(ldb2, "cn=testuser,cn=users," + self.base_dn)
+        m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE,
+          "userPassword")
+        ldb2.modify(m)
+
+        res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["userPassword"])
+
+        # userPassword can be read in this connection
+        # This is regardless of the current dsHeuristics setting
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("userPassword" in res[0])
+        self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")
+
+        # Only password from ldb1 is the user's password
+        creds2 = Credentials()
+        creds2.set_username("testuser")
+        creds2.set_password("thatsAcomplPASS1")
+        creds2.set_domain(creds.get_domain())
+        creds2.set_realm(creds.get_realm())
+        creds2.set_workstation(creds.get_workstation())
+        creds2.set_gensec_features(creds2.get_gensec_features()
+                                   | gensec.FEATURE_SEAL)
+
+        try:
+            SamDB(url=host, credentials=creds2, lp=lp)
+        except:
+            self.fail("testuser used the wrong password")
+
+        ldb3 = SamDB(url=host, session_info=system_session(lp),
+                     credentials=creds, lp=lp)
+
+        # Check that userPassword was stored from ldb2
+        res = ldb3.search("cn=testuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE, attrs=["userPassword"])
+
+        # userPassword can be read
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("userPassword" in res[0])
+        self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")
+
+        # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
+        self.ldb.set_dsheuristics("000000001")
+
     def test_zero_length(self):
         # Get the old "minPwdLength"
         minPwdLength = self.ldb.get_minPwdLength()
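Review bot: The `self.ldb.set_dsheuristics("000000001")` restore at the end of test_modify_dsheuristics_userPassword runs only if every assertion before it passes, so a single failure leaves userPassword support disabled for the remaining tests in the class; move the restore into `tearDown` or wrap the body in `try: ... finally: self.ldb.set_dsheuristics("000000001")`. The bare `except:` around `SamDB(url=host, credentials=creds2, lp=lp)` also swallows the real bind error (and KeyboardInterrupt); `except Exception as e: self.fail("testuser used the wrong password: %s" % e)` keeps the diagnosis. The two `time.sleep(1)` calls have no comment saying what they wait for, and the "Open a new connection (with dsHeuristic=...)" comments assume each SamDB() gets its own acl-module state, which only holds if the server side opens a fresh samdb per connection — worth stating explicitly. The PasswordTests class continues outside this hunk.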

