Nadezhda Ivanova nivanova at
Thu Jul 1 09:04:50 MDT 2010

Hi Matthias,
As I explained, you are correct but I do not have the time currently to
adapt all the tests this way, but we have to start somewhere.  And the need
for it is that I lost half a day wandering what the hell is going on and why
I cant run the tests against Windows. Before that was the same with
dsHeuristics. Things like that make shared effort very difficult. Since you
dont like it as it is, I will not push the patch, but I will make the
work this way, because I believe that using a previously modified
installation can warp test results, and every test should do its own
required configuration. I will let you fix in a way you feel
suitable after I push the ACL fix.

About the access rights:
Nope, the test still does not pass against Samba 4, I have not pushed the
ACL patch yet. Before I do that I take a lot of time to understand the
proper behavior, as this is a tricky area. That is why I bother with I did the small change you describe against Windows, and the
negative test failed with insufficient access rights instead of unwilling to
perform. And I really can't see how this can be another configuration issue.
Have you run them against Windows with testuser instead of Administrator?


On Thu, Jul 1, 2010 at 5:21 PM, Matthias Dieter Wallnöfer <mdw at>wrote:

> Hi Nadya,
> regarding the "minPwdAge": as far as I can tell the SAMR-PASSWORDS tests
> don't influence it. So I conclude that also s3 stucks with "0" as default
> value as we do.
> Well, as already written yesterday I am comfortable with an adaption of all
> torture password tests but only patching "" alone I really don't
> see the need for. So if we agree to introduce "minPwdAge" adaptions on all
> such tests I will adopt this in "".
> I've also considered your second proposal regarding the user password
> changes - very strange that you need to modify the ACL. Since for Windows
> you have only to perform this small change:
>>        # FIXME: Reactivate the user credentials when we have user password
>>        # change support also on the ACL level in s4
>>        creds2.set_username(creds.get_username())
>>        creds2.set_password(creds.get_password())
> ^^^ delete/deactivate this
>>        #creds2.set_username("testuser")
>>        #creds2.set_password("thatsAcomplPASS1")
> ^^^ and reactivate this
> I tried this against s4 and it still doesn't pass. Errors are for example:
>> LdbError: (50, 'LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098:
>> insufficient access rights - error in module acl: insufficient access rights
>> (50)> <>')
> Therefore some LDB module (could be the ACL module, but also the DESCRIPTOR
> or SAMLDB module on entry creation...) still has some incompatibility which
> we need to track down.
> Greets,
> Matthias
> Nadezhda Ivanova wrote:
>> Hi Matthias,
>> Attached is my proposed patch to reset minPwdAge so no manual resetting is
>> needed against windows.
>> In addition, when I ran the tests using the credentials of "testuser", as
>> they are supposed to run when ACL checks stop failing, one of your negative
>> tests returned INSIFFUCIENT_ACCESS instead of the expected
>> UNWILLING_TO_PERFORM, so to make it work as expected I gave that user the
>> necessary access right. So what do you think, can I push it?
>> Regards,
>> Nadya

More information about the samba-technical mailing list