passwords.py patch
Matthias Dieter Wallnöfer
mdw at samba.org
Thu Jul 1 09:33:02 MDT 2010
Hi Nadya,
Nadezhda Ivanova wrote:
> Hi Matthias,
> As I explained, you are correct but I do not have the time currently
> to adapt all the tests this way, but we have to start somewhere. And
> the need for it is that I lost half a day wandering what the hell is
> going on and why I cant run the tests against Windows. Before that was
> the same with dsHeuristics. Things like that make shared effort very
> difficult. Since you dont like it as it is, I will not push the patch,
> but I will make the acl.py work this way, because I believe that using
> a previously modified installation can warp test results, and every
> test should do its own required configuration. I will let you fix
> passwords.py in a way you feel suitable after I push the ACL fix.
Well regarding the "dsHeuristics" - I needed more than one day to figure
out how they exactly do work. And the "minPwdAge" I encountered earlier
when working on the "password_hash" LDB module so I immediately knew
what to change on Windows Server.
> About the access rights:
> Nope, the test still does not pass against Samba 4, I have not pushed
> the ACL patch yet. Before I do that I take a lot of time to understand
> the proper behavior, as this is a tricky area. That is why I bother
> with passwords.py. I did the small change you describe against
> Windows, and the negative test failed with insufficient access rights
> instead of unwilling to perform. And I really can't see how this can
> be another configuration issue. Have you run them against Windows with
> testuser instead of Administrator?
Yeah, there were errors against Windows Server. The problem is due to
enhancements of the testsuite after testing against Windows Server - and
forgot to retest. I've discovered (as you will have too) that on some
instances there is returned ACCESS_DENIED. I push a patch which adds
them in a commented out manner which I or you will activate when the ACL
changes do land in "master".
Greets, Matthias
>
> Regards,
> Nadya
>
>
>
> On Thu, Jul 1, 2010 at 5:21 PM, Matthias Dieter Wallnöfer
> <mdw at samba.org <mailto:mdw at samba.org>> wrote:
>
> Hi Nadya,
>
> regarding the "minPwdAge": as far as I can tell the SAMR-PASSWORDS
> tests don't influence it. So I conclude that also s3 stucks with
> "0" as default value as we do.
> Well, as already written yesterday I am comfortable with an
> adaption of all torture password tests but only patching
> "passwords.py" alone I really don't see the need for. So if we
> agree to introduce "minPwdAge" adaptions on all such tests I will
> adopt this in "passwords.py".
>
> I've also considered your second proposal regarding the user
> password changes - very strange that you need to modify the ACL.
> Since for Windows you have only to perform this small change:
>
> # FIXME: Reactivate the user credentials when we have
> user password
> # change support also on the ACL level in s4
> creds2.set_username(creds.get_username())
> creds2.set_password(creds.get_password())
>
> ^^^ delete/deactivate this
>
> #creds2.set_username("testuser")
> #creds2.set_password("thatsAcomplPASS1")
>
> ^^^ and reactivate this
>
> I tried this against s4 and it still doesn't pass. Errors are for
> example:
>
> LdbError: (50, 'LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS
> - <00002098: insufficient access rights - error in module acl:
> insufficient access rights (50)> <>')
>
> Therefore some LDB module (could be the ACL module, but also the
> DESCRIPTOR or SAMLDB module on entry creation...) still has some
> incompatibility which we need to track down.
>
> Greets,
> Matthias
>
>
> Nadezhda Ivanova wrote:
>
> Hi Matthias,
> Attached is my proposed patch to reset minPwdAge so no manual
> resetting is needed against windows.
>
> In addition, when I ran the tests using the credentials of
> "testuser", as they are supposed to run when ACL checks stop
> failing, one of your negative tests returned
> INSIFFUCIENT_ACCESS instead of the expected
> UNWILLING_TO_PERFORM, so to make it work as expected I gave
> that user the necessary access right. So what do you think,
> can I push it?
>
> Regards,
> Nadya
>
>
>
More information about the samba-technical
mailing list