cli_credentials ccache semantics and test changes

simo idra at samba.org
Wed May 23 23:02:59 MDT 2012


On Thu, 2012-05-24 at 13:39 +1000, Andrew Bartlett wrote:
> Simo,
> 
> When making kerberos-related changes where you feel tests are wrong, or
> which require long explanation, I would really appreciate having these
> run past me explicitly.  My expertise is available and I have a long
> history in this area.
> 
> In this specific case, the command run is:
> 
> testit "reset password policies" $VALGRIND $samba_tool domain
> passwordsettings $PWSETCONFIG set --complexity=default
> --history-length=default --min-pwd-length=default
> --min-pwd-age=default
> --max-pwd-age=default || failed=`expr $failed + 1`
> 
> at this time: PWSETCONFIG=-H ldap://$SERVER -U$USERNAME%$PASSWORD
> 
> That is, a username is explicitly specified.  Therefore, this code must
> ignore any credentials cache in the environment.
> 
> To make this clearer, I've made a patch for the test_passwords.sh test
> to demonstrate correct behaviour in a much clearer way.  I hope you can
> understand why this shows the change made was not correct.
> 
> > We did need the change to make things work with credentials obtained
> > before the samba libraries were called. Without that change we were not
> > able to reuse a perfectly valid ccache.
> 
> As I said, I'm very willing to work with you to ensure you retain this
> outcome, however the change made is not the correct way to achieve that.
> 
> As I recall, it was related to the way that the realm was passed in to
> the python layer, and it being seen as being specified compared with the
> credentials cache only being guessed.  I thought I had suggested making
> it possible to specify the exact credentials cache you wanted to use at
> the python layer with a new API like creds.set_named_ccache().  We can
> also look at the way the realm specification is handled, particularly
> when it matches the realm in the credentials cache.
> 
> I'm working with Alexander on this now, and hope we can sort it shortly.

Something doesn't click here.
Are you saying that if I use samba libraries in a program and user/pass
are specified within it, it will just merrily go and blow away my
ccache?
That sounds quite wrong, especially if that happens with utilities like
the net or samba-tool utilities. Can you elaborate on this?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>


