SamDB.enable_account does not work against Windows

Matthias Dieter Wallnöfer mdw at samba.org
Thu Jun 10 06:53:44 MDT 2010


Nadia,

Sorry, I seem to have forgotten to tell you that on s4 we always 
behave as if "fUserPwdSupport" in "dSHeuristics" was set ("000000001" 
should fit). This is because we have always interpreted 
"userPassword" as a password change attribute (we use it mainly for 
password changes through the Python bindings - function 
SamDB.set_password). So please do set these "dSHeuristics" on your 
Windows Server machine.

Then you should be able to run the tests without further problems.

Matthias

Nadezhda Ivanova wrote:
> Hi Matthias,
> I was trying out your passwords.py tests, and found the following:
> Against Windows, the SamDB.enable_account does not work if the user 
> password has been provided with userPassword attribute instead of 
> unicodePwd. The reason is that Windows treats that case as if the 
> password has not been actually set, and returns UNWILLING_TO_PERFORM 
> when we attempt to unset the ADS_UF_PASSWD_NOTREQD flag. I suspect 
> that the reason for this is as described in 3.1.1.3.1.5 Password 
> Modify Operations. userPassword is only accepted if fUserPwdSupport is 
> true in dsHeuristics, which by default it is not. Why Windows does not 
> return an error is another thing. So I suppose we have 2 options here 
> - use only unicodePwd and secure connections or set fUserPwdSupport if 
> we need to use userPassword. I have not tried the second option yet, 
> the first one I tried and it works. However then some tests in 
> passwords.py start to fail, as the userPassword attribute is no longer 
> present. Actually, when I run passwords.py against Windows, a couple 
> of them fail even if I change nothing.
>
> Since I will rely on these tests to be able to fix the ACL CAR 
> problem, do you think you could make a version that works as expected 
> (e.g. uses the newly created user rather than credentials from the 
> command line) and passes against Windows? Send me the patch then and I 
> will push it together with the ACL fix. This would really help.
>
> Regards,
> Nadya
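
Added example, not part of the original thread and not Samba code: a way to compute a dSHeuristics value with fUserPwdSupport set (ninth character, as in the "000000001" quoted above) without overwriting flags already present on the server. The function names are hypothetical, and the length-marker rule (tenth character "1", twentieth "2") is taken from the MS-ADTS description of dSHeuristics, not from this thread.

```python
# Added example: merge fUserPwdSupport into an existing dSHeuristics string.
# Pure string handling; reading and writing the attribute is left to the caller.

FUSERPWDSUPPORT_POS = 9              # 1-based; matches "000000001" in the mail
LENGTH_MARKERS = {10: "1", 20: "2"}  # assumption: marker rule from MS-ADTS


def check_markers(value):
    """Raise ValueError if a length-marker character has the wrong value."""
    for pos, expected in LENGTH_MARKERS.items():
        if len(value) >= pos and value[pos - 1] != expected:
            raise ValueError(
                "character %d of dSHeuristics must be %r" % (pos, expected))


def enable_user_pwd_support(current):
    """Return dSHeuristics with the ninth character set to '1'.

    `current` is the existing attribute value, or None/'' when it is unset.
    Characters already present (other heuristics) are preserved; missing
    positions are padded with '0', the default for each flag.
    """
    value = current or ""
    check_markers(value)
    value = value.ljust(FUSERPWDSUPPORT_POS, "0")
    idx = FUSERPWDSUPPORT_POS - 1
    return value[:idx] + "1" + value[idx + 1:]


def user_pwd_support_enabled(current):
    """True if the ninth character of dSHeuristics is '1'."""
    value = current or ""
    return (len(value) >= FUSERPWDSUPPORT_POS
            and value[FUSERPWDSUPPORT_POS - 1] == "1")


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in (None, "0000002", "0000000001"):
        print(repr(sample), "->", enable_user_pwd_support(sample))
```

Writing "000000001" directly would reset any non-default character already stored in the attribute, which is why the existing value is merged rather than replaced.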


