[PATCH] Patch to implement AD password lockout in Samba's AD DC

Andrew Bartlett abartlet at samba.org
Sat Mar 22 18:06:52 MDT 2014


On Sat, 2014-03-22 at 23:24 +1300, Andrew Bartlett wrote:
> On Fri, 2014-03-21 at 17:16 +0100, Stefan (metze) Metzmacher wrote:
> > Hi Andrew,
> > 
> > >> I've now tested with Windows and Samba and have a patch series at:
> > >>
> > >> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/metze-master4-abartlet2
> > > 
> > > Updated patches have been pushed!
> > > 
> > > Hopefully we are getting closer.
> > 
> > I merged this together with my branch
> > and the result can be found at
> > 
> > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-abartlet2
> > 
> > Please have a look at
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=a4a8098f2dd374c1109742637bf180b15099d243
> > and
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=c831e273cfe36c5dff68443391f015c58adf1df7
> > 
> > which I reworked a bit. They require your sign-off to be refreshed.
> 
> These look good, and much clearer.   Signed-off-by: Andrew Bartlett
> <abartlet at samba.org>
> 
> > I need to review and run the tests from
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=a5eb6e1028ae679a327835239c16ca2d896ec17c
> > again in order to decide about
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=56dfed17d70048fefd1b7e10c81103109d6e44c8
> 
> I think this is now covered.

To be clearer, in the password_lockout.py test, we use SAMR to
unlock the account, and in that instance the test clearly shows that
values are reset to 0.

> > and
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=5e41a86f5e0421116b15b2a3f9b937ed241a0e3a
> 
> badPwdCount is not reset on a successful LDAP password change.  The
> tests of samr code I've just done show that SAMR password changes also
> don't change that.  I don't currently have good enough tests for what
> happens to the lockoutTime, but to get this far it must not be relevant
> (i.e. in the past), and for LDAP the test I've just added to
> password_lockout.py shows this patch should be dropped, it doesn't
> actually update lockoutTime.
> 
> > I've started to look at the tests, but I'm not done yet...

BTW, with the patches I sent we pass our own 'make test TESTS=passwords'
on my branch.  Naturally the patches need to be squashed into the
matching commits, but I think we are finally getting very close.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



