[PATCH] Patch to implement AD password lockout in Samba's AD DC
Andrew Bartlett
abartlet at samba.org
Sun Mar 16 05:07:51 MDT 2014
On Tue, 2014-03-11 at 19:36 +0100, Stefan (metze) Metzmacher wrote:
> Am 11.03.2014 05:03, schrieb Andrew Bartlett:
> > On Tue, 2014-03-04 at 12:40 +0100, Stefan (metze) Metzmacher wrote:
> >> Am 04.03.2014 02:09, schrieb Andrew Bartlett:
> >>> On Mon, 2014-03-03 at 16:26 +1300, Andrew Bartlett wrote:
> >>>> On Tue, 2014-02-25 at 15:16 +1300, Andrew Bartlett wrote:
> >>>>> On Tue, 2014-02-25 at 09:34 +1300, Andrew Bartlett wrote:
> >>>>>> On Thu, 2014-02-20 at 10:16 +1300, Andrew Bartlett wrote:
> >>>>>>> On Wed, 2014-02-19 at 22:08 +0100, Stefan (metze) Metzmacher wrote:
> >>>>>>>> Hi Andrew,
> >>>>>>>>
> >>>>>>>>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s4-bwdPwdCount-01
> >>>>>>>>>
> >>>>>>>>> I've updated the branch at
> >>>>>>>>>
> >>>>>>>>> git://git.samba.org/abartlet/samba.git s4-badPwdCount-02
> >>>>>>>>>
> >>>>>>>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s4-bwdPwdCount-02
> >>>>>>>>>
> >>>>>>>>> I have also uploaded these to gerrit at
> >>>>>>>>> https://gerrit.sernet.de/#/q/status:open+project:samba+branch:master
> >>>>>>>>> +topic:abartlet/s4-badPwdCount-02,n,z
> >>>>>>>>>
> >>>>>>>>> With the tests now finished, these changes are now ready for master.
> >>>>>>>>>
> >>>>>>>>> I will separately co-ordinate with the Heimdal team and work out how we
> >>>>>>>>> can detect the correct Heimdal version, and look at updating our
> >>>>>>>>> internal Heimdal. (The reality is that only Debian builds against a
> >>>>>>>>> system Heimdal, and we already have another special patch to cope with
> >>>>>>>>> using a modern heimdal).
> >>>>>>>>>
> >>>>>>>>> Please review/push.
> >>>>>>>>
> >>>>>>>> I'll have a look at them in detail tomorrow, but my first impression is that
> >>>>>>>> you should use more helper variables, avoid deep indentation levels (try
> >>>>>>>> to use early returns and avoid } else { if the if section calls return)
> >>>>>>>> and avoid functions calls in the variable declaration section.
> >>>>>>>
> >>>>>>> I would appreciate that in detail, as it is a large patch set and so
> >>>>>>> hard to guess exactly what chunks you feel can be improved.
> >>>>>>>
> >>>>>>> The password_hash change was particularly challenging to do in good
> >>>>>>> style, and practical suggestions for how to improve it would be most
> >>>>>>> welcome.
> >>>>>>>
> >>>>>>>> Were is the password grace period documented in the microsoft docs?
> >>>>>>>
> >>>>>>> http://support.microsoft.com/kb/906305
> >>>>>>
> >>>>>> Just a quick note to say I've seen the (very detailed and specific!)
> >>>>>> reviews in gerrit, but just haven't had a chance to make the required
> >>>>>> changes or to otherwise comment.
> >>>>>
> >>>>> I've addressed most (but certainly not all) of the comments. In short,
> >>>>> I disagree with sending an error when the badPwdCount is updated or not,
> >>>>> but I've addressed most of the extra, other than adding more tests.
> >>>>>
> >>>>> Attached is the diff between the old and new patch series.
> >>>>
> >>>> Any chance we can get at least some of these in to master soon? I know
> >>>> the re-re-re-view process in gerrit must have been frustrating, is there
> >>>> anything I can do to assist?
> >>>>
> >>>> BTW, the 60 min grace thing is also tested in the samlogon test, which
> >>>> already verifies that it only applies to 'network' and not 'interactive'
> >>>> SamLogon calls.
> >>>
> >>> I have addressed as much of the issues raised as I'm able to at the
> >>> moment, and I think it is time to get this series into master.
> >>>
> >>> Can I please have the series in my s4-badPwdCount-02 branch (and in
> >>> gerrit) reviewed and pushed into master please.
> >>
> >> I'm looking at it again now and continue tomorrow.
> >
> > I have again addressed as much of the issues that I can at the moment.
> >
> > To be honest, having worked on this area since October, I'm more than a
> > little exhausted of this area, but I have made another attempt to
> > address as many of the structural concerns as I can. In particular,
> > I've broken out helper functions in auth_sam.c and password_hash.c
> >
> > I have not extended the tests nor done extra tests as suggested - I've
> > found that testing this area is a bottomless pit (hence why they are
> > already so extensive), and I'm just out of time and energy for this.
> > Naturally additional tests are welcome if you or someone else has the
> > time, but I would suggest first we should get our own 'source3' code to
> > pass our own tests again, as a better application of the effort.
> >
> > The issues of formatting I've left alone, and I would ask that if you
> > really want to specify the exact formatting that you please download the
> > patch set with:
> >
> > git fetch https://gerrit.samba.org/samba refs/changes/87/87/6 && git
> > checkout FETCH_HEAD
> >
> > And then re-submit them with the attached script.
> >
> > I do wish we had a sensible way these minor issues could be dealt with
> > directly in the web interface.
> >
> > Finally, I do appreciate your time and patience on this, and know this
> > must be just as frustrating for you as it is for me. If you would
> > prefer I worked with someone else to finish the review work please let
> > me know.
>
> I'll have a look at it tomorrow.
Just following up to the list that metze and I have made some good
progress. I've expanded our tests to cover some of the issues raised,
and found/fixed the resulting failures in our code, and metze has sorted
out the formatting to be to his satisfaction.
The outstanding issue I'll address before I re-push patches tomorrow is
that we fail to update the badPwdCount in the AD DC when we don't have a
password history, when changing a password. This is quite odd, but it's
too late tonight to diagnose that further. I'll work on this more
tomorrow.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list