[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Fri Apr 5 08:04:02 UTC 2019
The branch, master has been updated
via 7a410ccb5f6 netcmd: Fix passwordsettings --max-pwd-age command
via 940306a24a8 netcmd: Add some timestamp conversion helper functions
via b43f997f239 netcmd: Use python constant for -0x8000000000000000
via d247a600845 tests: Add test for setting min/maxPwdAge
from 2da9d7d130c ldb_kv_search: avoid handling uninitialised dn
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7a410ccb5f6f2958d56fa6f16d8780c69a3830dd
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Apr 3 09:10:55 2019 +1300
netcmd: Fix passwordsettings --max-pwd-age command
The min_pwd_age and max_pwd_age parameters are both optional and default
to None. However, if we just set the max-pwd-age, then the check
'min_pwd_age >= max_pwd_age' will throw a Python exception because it's
trying to compare an int to NoneType (min_pwd_age). This works on Python 2
but is a problem on Python 3.
We could just add a check that min_pwd_age is not None, but that defeats
the point of having the check if you're only setting either the min or
max age indepedently.
This patch gets the current min/max password age from the DB (in ticks).
If either setting is changed, the ticks will be updated. Then at the end
we check the min is still less than the max (to do this, we convert the
ticks back to days in the interests of readability).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Apr 5 08:03:08 UTC 2019 on sn-devel-144
commit 940306a24a8d14fbb8c76c5a60b3d5f2773873a0
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Apr 2 11:10:41 2019 +1300
netcmd: Add some timestamp conversion helper functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b43f997f2397771b159c49526a36bd2b3467b0ef
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Apr 1 16:42:32 2019 +1300
netcmd: Use python constant for -0x8000000000000000
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d247a600845fdc6bf232496e8db56cd1d95a3022
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Apr 1 16:32:27 2019 +1300
tests: Add test for setting min/maxPwdAge
Currently setting maxPwdAge doesn't work at all.
While we're adding a test, we might as well assert that minPwdAge
can't be greater than maxPwdAge as well.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/netcmd/domain.py | 56 +++++++++++++++++------
python/samba/tests/samba_tool/passwordsettings.py | 38 +++++++++++++++
2 files changed, 79 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 851e7241d15..b616dba3438 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -1255,6 +1255,26 @@ class cmd_domain_level(Command):
raise CommandError("invalid argument: '%s' (choose from 'show', 'raise')" % subcommand)
+# In MS AD, setting a timeout to '(never)' corresponds to this value
+NEVER_TIMESTAMP = int(-0x8000000000000000)
+
+
+def timestamp_to_mins(timestamp_str):
+ """Converts a timestamp in -100 nanosecond units to minutes"""
+ # treat a timestamp of 'never' the same as zero (this should work OK for
+ # most settings, and it displays better than trying to convert
+ # -0x8000000000000000 to minutes)
+ if int(timestamp_str) == NEVER_TIMESTAMP:
+ return 0
+ else:
+ return abs(int(timestamp_str)) / (1e7 * 60)
+
+
+def timestamp_to_days(timestamp_str):
+ """Converts a timestamp in -100 nanosecond units to days"""
+ return timestamp_to_mins(timestamp_str) / (60 * 24)
+
+
class cmd_domain_passwordsettings_show(Command):
"""Display current password settings for the domain."""
@@ -1289,18 +1309,14 @@ class cmd_domain_passwordsettings_show(Command):
pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
cur_min_pwd_len = int(res[0]["minPwdLength"][0])
# ticks -> days
- cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
- if int(res[0]["maxPwdAge"][0]) == -0x8000000000000000:
- cur_max_pwd_age = 0
- else:
- cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+ cur_min_pwd_age = timestamp_to_days(res[0]["minPwdAge"][0])
+ cur_max_pwd_age = timestamp_to_days(res[0]["maxPwdAge"][0])
+
cur_account_lockout_threshold = int(res[0]["lockoutThreshold"][0])
+
# ticks -> mins
- if int(res[0]["lockoutDuration"][0]) == -0x8000000000000000:
- cur_account_lockout_duration = 0
- else:
- cur_account_lockout_duration = abs(int(res[0]["lockoutDuration"][0])) / (1e7 * 60)
- cur_reset_account_lockout_after = abs(int(res[0]["lockOutObservationWindow"][0])) / (1e7 * 60)
+ cur_account_lockout_duration = timestamp_to_mins(res[0]["lockoutDuration"][0])
+ cur_reset_account_lockout_after = timestamp_to_mins(res[0]["lockOutObservationWindow"][0])
except Exception as e:
raise CommandError("Could not retrieve password properties!", e)
@@ -1382,6 +1398,10 @@ class cmd_domain_passwordsettings_set(Command):
m.dn = ldb.Dn(samdb, domain_dn)
pwd_props = int(samdb.get_pwdProperties())
+ # get the current password age settings
+ max_pwd_age_ticks = samdb.get_maxPwdAge()
+ min_pwd_age_ticks = samdb.get_minPwdAge()
+
if complexity is not None:
if complexity == "on" or complexity == "default":
pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
@@ -1455,7 +1475,7 @@ class cmd_domain_passwordsettings_set(Command):
# days -> ticks
if max_pwd_age == 0:
- max_pwd_age_ticks = -0x8000000000000000
+ max_pwd_age_ticks = NEVER_TIMESTAMP
else:
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
@@ -1474,7 +1494,7 @@ class cmd_domain_passwordsettings_set(Command):
# minutes -> ticks
if account_lockout_duration == 0:
- account_lockout_duration_ticks = -0x8000000000000000
+ account_lockout_duration_ticks = NEVER_TIMESTAMP
else:
account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7))
@@ -1503,7 +1523,7 @@ class cmd_domain_passwordsettings_set(Command):
# minutes -> ticks
if reset_account_lockout_after == 0:
- reset_account_lockout_after_ticks = -0x8000000000000000
+ reset_account_lockout_after_ticks = NEVER_TIMESTAMP
else:
reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7))
@@ -1511,8 +1531,14 @@ class cmd_domain_passwordsettings_set(Command):
ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
msgs.append("Duration to reset account lockout after changed!")
- if max_pwd_age and max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
- raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
+ if max_pwd_age or min_pwd_age:
+ # If we're setting either min or max password, make sure the max is
+ # still greater overall. As either setting could be None, we use the
+ # ticks here (which are always set) and work backwards.
+ max_pwd_age = timestamp_to_days(max_pwd_age_ticks)
+ min_pwd_age = timestamp_to_days(min_pwd_age_ticks)
+ if max_pwd_age != 0 and min_pwd_age >= max_pwd_age:
+ raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
if len(m) == 0:
raise CommandError("You must specify at least one option to set. Try --help")
diff --git a/python/samba/tests/samba_tool/passwordsettings.py b/python/samba/tests/samba_tool/passwordsettings.py
index e29c76c730d..43264b64608 100644
--- a/python/samba/tests/samba_tool/passwordsettings.py
+++ b/python/samba/tests/samba_tool/passwordsettings.py
@@ -444,3 +444,41 @@ class PwdSettingsCmdTestCase(SambaToolCmdTest):
self.assertCmdSuccess(result, out, err)
self.assertEquals(err, "", "Shouldn't be any error messages")
self.assertIn("Minimum password length: %u" % new_len, out)
+
+ def test_domain_passwordsettings_pwdage(self):
+ """Checks the 'set' command for the domain password age (non-PSO)"""
+
+ # check we can set the domain max password age
+ max_pwd_age = self.ldb.get_maxPwdAge()
+ self.addCleanup(self.ldb.set_maxPwdAge, max_pwd_age)
+ max_pwd_args = "--max-pwd-age=270"
+ (result, out, err) = self.runsublevelcmd("domain", ("passwordsettings",
+ "set"), max_pwd_args,
+ "-H", self.server,
+ self.user_auth)
+ self.assertCmdSuccess(result, out, err)
+ self.assertEquals(err, "", "Shouldn't be any error messages")
+ self.assertIn("successful", out)
+ self.assertNotEquals(max_pwd_age, self.ldb.get_maxPwdAge())
+
+ # check we can't set the domain min password age to more than the max
+ min_pwd_age = self.ldb.get_minPwdAge()
+ self.addCleanup(self.ldb.set_minPwdAge, min_pwd_age)
+ min_pwd_args = "--min-pwd-age=271"
+ (result, out, err) = self.runsublevelcmd("domain", ("passwordsettings",
+ "set"), min_pwd_args,
+ "-H", self.server,
+ self.user_auth)
+ self.assertCmdFail(result, "minPwdAge > maxPwdAge should be rejected")
+ self.assertIn("Maximum password age", err)
+
+ # check we can set the domain min password age to less than the max
+ min_pwd_args = "--min-pwd-age=269"
+ (result, out, err) = self.runsublevelcmd("domain", ("passwordsettings",
+ "set"), min_pwd_args,
+ "-H", self.server,
+ self.user_auth)
+ self.assertCmdSuccess(result, out, err)
+ self.assertEquals(err, "", "Shouldn't be any error messages")
+ self.assertIn("successful", out)
+ self.assertNotEquals(min_pwd_age, self.ldb.get_minPwdAge())
--
Samba Shared Repository
More information about the samba-cvs
mailing list