[SCM] Samba Shared Repository - branch master updated

Noel Power npower at samba.org
Thu May 17 12:29:01 UTC 2018


The branch, master has been updated
       via  83bde8a FIXUP: Improve memory handling on py_net_change_password
       via  e7144f2 python/samba/netcmd:  net.change_password should be passed string
       via  75e1019 s4/libnet: Allow passwords containing non ascii characters to be passed
       via  a8d8c6e testprogs/blackbox: Add test to set and use password with non-ascii
       via  7102732 python/samba: Fix incorrect encode of password
       via  b28b6a4 s4/setup/tests: Add test for non ascii password setting samba-tool
      from  8109857 winbindd: Remove an unused function prototype

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 83bde8a49cf3015c71302fbd209f95006e7535b2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu May 17 06:37:28 2018 +1200

    FIXUP: Improve memory handling on py_net_change_password
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Noel Power <noel.power at suse.com>
    
    Autobuild-User(master): Noel Power <npower at samba.org>
    Autobuild-Date(master): Thu May 17 14:28:19 CEST 2018 on sn-devel-144

commit e7144f2e115f7d446de880a5680c2f2f02dd9467
Author: Noel Power <noel.power at suse.com>
Date:   Wed May 16 16:51:34 2018 +0100

    python/samba/netcmd:  net.change_password should be passed string
    
    password param which in python2 (is str) is incorrectly encoded
    before passing to net.change_password.
    
    python2 - password is either unicode or str, if str we should
              decode to get unicode (and then pass to net.change_password).
    python3 - password is either str or bytes, if bytes then decode
              (and pass as 'str' to net.change_password).
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 75e1019f6162814eae3edb050d41784179cfa8ab
Author: Noel Power <noel.power at suse.com>
Date:   Wed May 16 16:46:41 2018 +0100

    s4/libnet: Allow passwords containing non ascii characters to be passed
    
    Although we can pass unicode to py_net_change_password unfortunately in
    Python2 unicode strings are encoded with the default encoding (e.g. ascii)
     when extracting the unicode string to buffer.
    In Python3 the default encoding for "s" format is utf8. Use the "es"
    format instead of "s" so we can specify the encoding so behaviour is
    correct in py2/py3.
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a8d8c6ec439fb64ce33dc2406bb38792050ca3a1
Author: Noel Power <noel.power at suse.com>
Date:   Tue May 15 18:27:23 2018 +0100

    testprogs/blackbox: Add test to set and use password with non-ascii
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7102732b25dfcd5e6815159e3043eed240e918d3
Author: Noel Power <noel.power at suse.com>
Date:   Mon May 14 13:38:20 2018 +0100

    python/samba: Fix incorrect encode of password
    
    In python2 you can encode a 'str' type which doesn't really make sense
    since it is already bytes (as such). In python3 this isn't possible you
    can't encode bytes or decode strings. Also because you can call encode
    on 'str' in python2 it tries to to what you wanted and it implicity
    calls decode('ascii') before performing the encode. This is why we get
    mention of ascii codec in the error. This patch should future proof for
    python3 also.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13435
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b28b6a4565870ac402b3678b4eecfe8e30fb0a73
Author: Noel Power <noel.power at suse.com>
Date:   Mon May 14 13:48:18 2018 +0100

    s4/setup/tests: Add test for non ascii password setting samba-tool
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13435
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/user.py                  |  6 ++++--
 python/samba/samdb.py                        |  6 +++++-
 source4/libnet/py_net.c                      | 26 ++++++++++++++++++--------
 source4/setup/tests/blackbox_setpassword.sh  |  2 ++
 testprogs/blackbox/test_password_settings.sh | 17 +++++++++++++++++
 5 files changed, 46 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index 4009d63..f211b51 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -54,7 +54,7 @@ from samba.netcmd import (
     SuperCommand,
     Option,
     )
-
+from samba.compat import text_type
 
 try:
     import io
@@ -713,7 +713,9 @@ class cmd_user_password(Command):
                 self.outf.write("Sorry, passwords do not match.\n")
 
         try:
-            net.change_password(password.encode('utf-8'))
+            if not isinstance(password, text_type):
+                password = password.decode('utf8')
+            net.change_password(password)
         except Exception as msg:
             # FIXME: catch more specific exception
             raise CommandError("Failed to change password : %s" % msg)
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index 424a648..abe434c 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -589,7 +589,11 @@ member: %s
             if len(res) > 1:
                 raise Exception('Matched %u multiple users with filter "%s"' % (len(res), search_filter))
             user_dn = res[0].dn
-            pw = text_type(b'"' + password.encode('utf-8') + b'"', 'utf-8').encode('utf-16-le')
+            if not isinstance(password, text_type):
+                pw = password.decode('utf-8')
+            else:
+                pw = password
+            pw = ('"' + pw + '"').encode('utf-16-le')
             setpw = """
 dn: %s
 changetype: modify
diff --git a/source4/libnet/py_net.c b/source4/libnet/py_net.c
index 0567dbd..65060d5 100644
--- a/source4/libnet/py_net.c
+++ b/source4/libnet/py_net.c
@@ -155,21 +155,26 @@ static PyObject *py_net_change_password(py_net_Object *self, PyObject *args, PyO
 {
 	union libnet_ChangePassword r;
 	NTSTATUS status;
-	TALLOC_CTX *mem_ctx;
-	struct tevent_context *ev;
+	TALLOC_CTX *mem_ctx = NULL;
+	struct tevent_context *ev = NULL;
 	const char *kwnames[] = { "newpassword", "oldpassword", "domain", "username", NULL };
-
+	const char *newpass = NULL;
+	const char *oldpass = NULL;
 	ZERO_STRUCT(r);
-
-	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|sss:change_password",
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "es|esss:change_password",
 					 discard_const_p(char *, kwnames),
-					 &r.generic.in.newpassword,
-					 &r.generic.in.oldpassword,
+					 "utf8",
+					 &newpass,
+					 "utf8",
+					 &oldpass,
 					 &r.generic.in.domain_name,
 					 &r.generic.in.account_name)) {
 		return NULL;
 	}
 
+	r.generic.in.newpassword = newpass;
+	r.generic.in.oldpassword = oldpass;
+
 	r.generic.level = LIBNET_CHANGE_PASSWORD_GENERIC;
 	if (r.generic.in.account_name == NULL) {
 		r.generic.in.account_name
@@ -190,11 +195,17 @@ static PyObject *py_net_change_password(py_net_Object *self, PyObject *args, PyO
 
 	mem_ctx = talloc_new(ev);
 	if (mem_ctx == NULL) {
+		PyMem_Free(discard_const_p(char, newpass));
+		PyMem_Free(discard_const_p(char, oldpass));
 		PyErr_NoMemory();
 		return NULL;
 	}
 
 	status = libnet_ChangePassword(self->libnet_ctx, mem_ctx, &r);
+
+	PyMem_Free(discard_const_p(char, newpass));
+	PyMem_Free(discard_const_p(char, oldpass));
+
 	if (NT_STATUS_IS_ERR(status)) {
 		PyErr_SetNTSTATUS_and_string(status,
 					     r.generic.out.error_string
@@ -205,7 +216,6 @@ static PyObject *py_net_change_password(py_net_Object *self, PyObject *args, PyO
 	}
 
 	talloc_free(mem_ctx);
-
 	Py_RETURN_NONE;
 }
 
diff --git a/source4/setup/tests/blackbox_setpassword.sh b/source4/setup/tests/blackbox_setpassword.sh
index 8055740..ccc94c3 100755
--- a/source4/setup/tests/blackbox_setpassword.sh
+++ b/source4/setup/tests/blackbox_setpassword.sh
@@ -25,6 +25,8 @@ testit "setpassword" $samba_tool user setpassword --configfile=$PREFIX/simple-dc
 
 testit "setpassword" $samba_tool user setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testp at ssw0Rd --must-change-at-next-login
 
+testit "setpassword" $samba_tool user setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=Täst123 --must-change-at-next-login
+
 testit "passwordsettings" $samba_tool domain passwordsettings set --quiet --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default --store-plaintext=on
 
 exit $failed
diff --git a/testprogs/blackbox/test_password_settings.sh b/testprogs/blackbox/test_password_settings.sh
index 49d5126..1edf2bf 100755
--- a/testprogs/blackbox/test_password_settings.sh
+++ b/testprogs/blackbox/test_password_settings.sh
@@ -64,6 +64,7 @@ testit "reset password policies beside of minimum password age of 0 days" \
 TEST_USERNAME="$(mktemp -u alice-XXXXXX)"
 TEST_PASSWORD="testPaSS at 00%"
 TEST_PASSWORD_NEW="testPaSS at 01%"
+TEST_PASSWORD_NON_ASCII="Täst123"
 TEST_PASSWORD_SHORT="secret"
 TEST_PASSWORD_WEAK="Supersecret"
 TEST_PRINCIPAL="$TEST_USERNAME@$REALM"
@@ -106,6 +107,22 @@ testit "kinit with user password" \
 test_smbclient "Test login with user kerberos ccache" \
 	"ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
 
+###########################################################
+### Change the users password
+###########################################################
+
+testit "change user (non-ascii) password with 'samba-tool user password' (unforced)" \
+	$VALGRIND $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NON_ASCII || failed=`expr $failed + 1`
+
+TEST_PASSWORD_OLD=$TEST_PASSWORD_NEW
+TEST_PASSWORD=$TEST_PASSWORD_NON_ASCII
+
+testit "kinit with user password" \
+	do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache" \
+	"ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
+
 #
 # These tests demonstrate that a credential cache in the environment does not
 # override a username/password, even an incorrect one, on the command line


-- 
Samba Shared Repository



More information about the samba-cvs mailing list