Nadezhda Ivanova nivanova at
Thu Jul 1 09:39:38 MDT 2010

I'll uncomment and push what is needed when I push the access check, seems
faster to me :).


On Thu, Jul 1, 2010 at 6:33 PM, Matthias Dieter Wallnöfer <mdw at>wrote:

> Hi Nadya,
> Nadezhda Ivanova wrote:
>> Hi Matthias,
>> As I explained, you are correct but I do not have the time currently to
>> adapt all the tests this way, but we have to start somewhere.  And the need
>> for it is that I lost half a day wandering what the hell is going on and why
>> I cant run the tests against Windows. Before that was the same with
>> dsHeuristics. Things like that make shared effort very difficult. Since you
>> dont like it as it is, I will not push the patch, but I will make the
>> work this way, because I believe that using a previously modified
>> installation can warp test results, and every test should do its own
>> required configuration. I will let you fix in a way you feel
>> suitable after I push the ACL fix.
> Well regarding the "dsHeuristics" - I needed more than one day to figure
> out how they exactly do work. And the "minPwdAge" I encountered earlier when
> working on the "password_hash" LDB module so I immediately knew what to
> change on Windows Server.
>  About the access rights:
>> Nope, the test still does not pass against Samba 4, I have not pushed the
>> ACL patch yet. Before I do that I take a lot of time to understand the
>> proper behavior, as this is a tricky area. That is why I bother with
>> I did the small change you describe against Windows, and the
>> negative test failed with insufficient access rights instead of unwilling to
>> perform. And I really can't see how this can be another configuration issue.
>> Have you run them against Windows with testuser instead of Administrator?
> Yeah, there were errors against Windows Server. The problem is due to
> enhancements of the testsuite after testing against Windows Server - and
> forgot to retest. I've discovered (as you will have too) that on some
> instances there is returned ACCESS_DENIED. I push a patch which adds them in
> a commented out manner which I or you will activate when the ACL changes do
> land in "master".
> Greets, Matthias
>> Regards,
>> Nadya
>> On Thu, Jul 1, 2010 at 5:21 PM, Matthias Dieter Wallnöfer <mdw at<mailto:
>> mdw at>> wrote:
>>    Hi Nadya,
>>    regarding the "minPwdAge": as far as I can tell the SAMR-PASSWORDS
>>    tests don't influence it. So I conclude that also s3 stucks with
>>    "0" as default value as we do.
>>    Well, as already written yesterday I am comfortable with an
>>    adaption of all torture password tests but only patching
>>    "" alone I really don't see the need for. So if we
>>    agree to introduce "minPwdAge" adaptions on all such tests I will
>>    adopt this in "".
>>    I've also considered your second proposal regarding the user
>>    password changes - very strange that you need to modify the ACL.
>>    Since for Windows you have only to perform this small change:
>>               # FIXME: Reactivate the user credentials when we have
>>        user password
>>               # change support also on the ACL level in s4
>>               creds2.set_username(creds.get_username())
>>               creds2.set_password(creds.get_password())
>>    ^^^ delete/deactivate this
>>               #creds2.set_username("testuser")
>>               #creds2.set_password("thatsAcomplPASS1")
>>    ^^^ and reactivate this
>>    I tried this against s4 and it still doesn't pass. Errors are for
>>    example:
>>        LdbError: (50, 'LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS
>>        - <00002098: insufficient access rights - error in module acl:
>>        insufficient access rights (50)> <>')
>>    Therefore some LDB module (could be the ACL module, but also the
>>    DESCRIPTOR or SAMLDB module on entry creation...) still has some
>>    incompatibility which we need to track down.
>>    Greets,
>>    Matthias
>>    Nadezhda Ivanova wrote:
>>        Hi Matthias,
>>        Attached is my proposed patch to reset minPwdAge so no manual
>>        resetting is needed against windows.
>>        In addition, when I ran the tests using the credentials of
>>        "testuser", as they are supposed to run when ACL checks stop
>>        failing, one of your negative tests returned
>>        INSIFFUCIENT_ACCESS instead of the expected
>>        UNWILLING_TO_PERFORM, so to make it work as expected I gave
>>        that user the necessary access right. So what do you think,
>>        can I push it?
>>        Regards,
>>        Nadya

More information about the samba-technical mailing list