Matthias Dieter Wallnöfer mdw at
Thu Jul 1 09:33:02 MDT 2010

Hi Nadya,

Nadezhda Ivanova wrote:
> Hi Matthias,
> As I explained, you are correct but I do not have the time currently 
> to adapt all the tests this way, but we have to start somewhere.  And 
> the need for it is that I lost half a day wandering what the hell is 
> going on and why I cant run the tests against Windows. Before that was 
> the same with dsHeuristics. Things like that make shared effort very 
> difficult. Since you dont like it as it is, I will not push the patch, 
> but I will make the work this way, because I believe that using 
> a previously modified installation can warp test results, and every 
> test should do its own required configuration. I will let you fix 
> in a way you feel suitable after I push the ACL fix.
Well regarding the "dsHeuristics" - I needed more than one day to figure 
out how they exactly do work. And the "minPwdAge" I encountered earlier 
when working on the "password_hash" LDB module so I immediately knew 
what to change on Windows Server.
> About the access rights:
> Nope, the test still does not pass against Samba 4, I have not pushed 
> the ACL patch yet. Before I do that I take a lot of time to understand 
> the proper behavior, as this is a tricky area. That is why I bother 
> with I did the small change you describe against 
> Windows, and the negative test failed with insufficient access rights 
> instead of unwilling to perform. And I really can't see how this can 
> be another configuration issue. Have you run them against Windows with 
> testuser instead of Administrator?
Yeah, there were errors against Windows Server. The problem is due to 
enhancements of the testsuite after testing against Windows Server - and 
forgot to retest. I've discovered (as you will have too) that on some 
instances there is returned ACCESS_DENIED. I push a patch which adds 
them in a commented out manner which I or you will activate when the ACL 
changes do land in "master".

Greets, Matthias
> Regards,
> Nadya
> On Thu, Jul 1, 2010 at 5:21 PM, Matthias Dieter Wallnöfer 
> <mdw at <mailto:mdw at>> wrote:
>     Hi Nadya,
>     regarding the "minPwdAge": as far as I can tell the SAMR-PASSWORDS
>     tests don't influence it. So I conclude that also s3 stucks with
>     "0" as default value as we do.
>     Well, as already written yesterday I am comfortable with an
>     adaption of all torture password tests but only patching
>     "" alone I really don't see the need for. So if we
>     agree to introduce "minPwdAge" adaptions on all such tests I will
>     adopt this in "".
>     I've also considered your second proposal regarding the user
>     password changes - very strange that you need to modify the ACL.
>     Since for Windows you have only to perform this small change:
>                # FIXME: Reactivate the user credentials when we have
>         user password
>                # change support also on the ACL level in s4
>                creds2.set_username(creds.get_username())
>                creds2.set_password(creds.get_password())
>     ^^^ delete/deactivate this
>                #creds2.set_username("testuser")
>                #creds2.set_password("thatsAcomplPASS1")
>     ^^^ and reactivate this
>     I tried this against s4 and it still doesn't pass. Errors are for
>     example:
>         LdbError: (50, 'LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS
>         - <00002098: insufficient access rights - error in module acl:
>         insufficient access rights (50)> <>')
>     Therefore some LDB module (could be the ACL module, but also the
>     DESCRIPTOR or SAMLDB module on entry creation...) still has some
>     incompatibility which we need to track down.
>     Greets,
>     Matthias
>     Nadezhda Ivanova wrote:
>         Hi Matthias,
>         Attached is my proposed patch to reset minPwdAge so no manual
>         resetting is needed against windows.
>         In addition, when I ran the tests using the credentials of
>         "testuser", as they are supposed to run when ACL checks stop
>         failing, one of your negative tests returned
>         INSIFFUCIENT_ACCESS instead of the expected
>         UNWILLING_TO_PERFORM, so to make it work as expected I gave
>         that user the necessary access right. So what do you think,
>         can I push it?
>         Regards,
>         Nadya

More information about the samba-technical mailing list