Matthias Dieter Wallnöfer mdw at
Thu Jul 1 08:21:12 MDT 2010

Hi Nadya,

regarding the "minPwdAge": as far as I can tell the SAMR-PASSWORDS tests 
don't influence it. So I conclude that also s3 stucks with "0" as 
default value as we do.
Well, as already written yesterday I am comfortable with an adaption of 
all torture password tests but only patching "" alone I 
really don't see the need for. So if we agree to introduce "minPwdAge" 
adaptions on all such tests I will adopt this in "".

I've also considered your second proposal regarding the user password 
changes - very strange that you need to modify the ACL. Since for 
Windows you have only to perform this small change:
>         # FIXME: Reactivate the user credentials when we have user 
> password
>         # change support also on the ACL level in s4
>         creds2.set_username(creds.get_username())
>         creds2.set_password(creds.get_password())
^^^ delete/deactivate this
>         #creds2.set_username("testuser")
>         #creds2.set_password("thatsAcomplPASS1")
^^^ and reactivate this

I tried this against s4 and it still doesn't pass. Errors are for example:
> <00002098: insufficient access rights - error in module acl: 
> insufficient access rights (50)> <>')
Therefore some LDB module (could be the ACL module, but also the 
DESCRIPTOR or SAMLDB module on entry creation...) still has some 
incompatibility which we need to track down.


Nadezhda Ivanova wrote:
> Hi Matthias,
> Attached is my proposed patch to reset minPwdAge so no manual 
> resetting is needed against windows.
> In addition, when I ran the tests using the credentials of "testuser", 
> as they are supposed to run when ACL checks stop failing, one of your 
> negative tests returned INSIFFUCIENT_ACCESS instead of the expected 
> UNWILLING_TO_PERFORM, so to make it work as expected I gave that user 
> the necessary access right. So what do you think, can I push it?
> Regards,
> Nadya

More information about the samba-technical mailing list