passwords.py patch
Nadezhda Ivanova
nivanova at samba.org
Thu Jul 1 09:39:38 MDT 2010
I'll uncomment and push what is needed when I push the access check, seems
faster to me :).
Thanks,
Nadya
On Thu, Jul 1, 2010 at 6:33 PM, Matthias Dieter Wallnöfer <mdw at samba.org>wrote:
> Hi Nadya,
>
> Nadezhda Ivanova wrote:
>
>> Hi Matthias,
>>
>> As I explained, you are correct but I do not have the time currently to
>> adapt all the tests this way, but we have to start somewhere. And the need
>> for it is that I lost half a day wandering what the hell is going on and why
>> I cant run the tests against Windows. Before that was the same with
>> dsHeuristics. Things like that make shared effort very difficult. Since you
>> dont like it as it is, I will not push the patch, but I will make the acl.py
>> work this way, because I believe that using a previously modified
>> installation can warp test results, and every test should do its own
>> required configuration. I will let you fix passwords.py in a way you feel
>> suitable after I push the ACL fix.
>>
> Well regarding the "dsHeuristics" - I needed more than one day to figure
> out how they exactly do work. And the "minPwdAge" I encountered earlier when
> working on the "password_hash" LDB module so I immediately knew what to
> change on Windows Server.
>
> About the access rights:
>> Nope, the test still does not pass against Samba 4, I have not pushed the
>> ACL patch yet. Before I do that I take a lot of time to understand the
>> proper behavior, as this is a tricky area. That is why I bother with
>> passwords.py. I did the small change you describe against Windows, and the
>> negative test failed with insufficient access rights instead of unwilling to
>> perform. And I really can't see how this can be another configuration issue.
>> Have you run them against Windows with testuser instead of Administrator?
>>
> Yeah, there were errors against Windows Server. The problem is due to
> enhancements of the testsuite after testing against Windows Server - and
> forgot to retest. I've discovered (as you will have too) that on some
> instances there is returned ACCESS_DENIED. I push a patch which adds them in
> a commented out manner which I or you will activate when the ACL changes do
> land in "master".
>
> Greets, Matthias
>
>>
>> Regards,
>> Nadya
>>
>>
>>
>>
>> On Thu, Jul 1, 2010 at 5:21 PM, Matthias Dieter Wallnöfer <mdw at samba.org<mailto:
>> mdw at samba.org>> wrote:
>>
>> Hi Nadya,
>>
>> regarding the "minPwdAge": as far as I can tell the SAMR-PASSWORDS
>> tests don't influence it. So I conclude that also s3 stucks with
>> "0" as default value as we do.
>> Well, as already written yesterday I am comfortable with an
>> adaption of all torture password tests but only patching
>> "passwords.py" alone I really don't see the need for. So if we
>> agree to introduce "minPwdAge" adaptions on all such tests I will
>> adopt this in "passwords.py".
>>
>> I've also considered your second proposal regarding the user
>> password changes - very strange that you need to modify the ACL.
>> Since for Windows you have only to perform this small change:
>>
>> # FIXME: Reactivate the user credentials when we have
>> user password
>> # change support also on the ACL level in s4
>> creds2.set_username(creds.get_username())
>> creds2.set_password(creds.get_password())
>>
>> ^^^ delete/deactivate this
>>
>> #creds2.set_username("testuser")
>> #creds2.set_password("thatsAcomplPASS1")
>>
>> ^^^ and reactivate this
>>
>> I tried this against s4 and it still doesn't pass. Errors are for
>> example:
>>
>> LdbError: (50, 'LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS
>> - <00002098: insufficient access rights - error in module acl:
>> insufficient access rights (50)> <>')
>>
>> Therefore some LDB module (could be the ACL module, but also the
>> DESCRIPTOR or SAMLDB module on entry creation...) still has some
>> incompatibility which we need to track down.
>>
>> Greets,
>> Matthias
>>
>>
>> Nadezhda Ivanova wrote:
>>
>> Hi Matthias,
>> Attached is my proposed patch to reset minPwdAge so no manual
>> resetting is needed against windows.
>>
>> In addition, when I ran the tests using the credentials of
>> "testuser", as they are supposed to run when ACL checks stop
>> failing, one of your negative tests returned
>> INSIFFUCIENT_ACCESS instead of the expected
>> UNWILLING_TO_PERFORM, so to make it work as expected I gave
>> that user the necessary access right. So what do you think,
>> can I push it?
>>
>> Regards,
>> Nadya
>>
>>
>>
>>
>
More information about the samba-technical
mailing list