SamDB.enable_account does not work against Windows
Matthias Dieter Wallnöfer
mdw at samba.org
Thu Jun 10 06:53:44 MDT 2010
Nadia,
sorry, I seem to have forgotten to tell you that on s4 we always
behave as if "fUserPwdSupport" in "dSHeuristics" was set ("000000001"
should fit). This is since we have always been interpreting the
"userPassword" as password change attribute (we use it mainly for
password changes through the Python bindings - function
SamDB.set_password). So please do set these "dSHeuristics" on your
Windows Server machine.
Then you should be able to run the tests without further problems.
Matthias
Nadezhda Ivanova wrote:
> Hi Matthias,
> I was trying out your passwords.py tests, and found the following:
> Against Windows, the SamDB.enable_account does not work if the user
> password has been provided with userPassword attribute instead of
> unicodePwd. The reason is that Windows treats that case as if the
> password has not been actually set, and returns UNWILLING_TO_PERFORM
> when we attempt to unset the ADS_UF_PASSWD_NOTREQD flag. I suspect
> that the reason for this is as described in 3.1.1.3.1.5 Password
> Modify Operations. userPassword is only accepted if fUserPwdSupport is
> true in dsHeuristics, which by default it is not. Why Windows does not
> return an error is another thing. So I suppose we have 2 options here
> - use only unicodePwd and secure connections or set fUserPwdSupport if
> we need to use userPassword. I have not tried the second option yet,
> the first one I tried and it works. However then some tests in
> passwords.py start to fail, as the userPassword attribute is no longer
> present. Actually, when I run passwords.py against Windows, a couple
> of them fail even if I change nothing.
>
> Since I will rely on these tests to be able to fix the ACL CAR
> problem, do you think you could make a version that works as expected
> (e.g. uses the newly created user rather than credentials from the
> command line) and passes against Windows. Send me the patch then and I
> will push it together with the ACL fix. This would really help.
>
> Regards,
> Nadya
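
The dSHeuristics change suggested in the reply above, as an added example that is not part of the original messages or of Samba's code: it sets the ninth character (fUserPwdSupport) to "1" while keeping any other characters already present, and renders an LDIF modify record. The function names and the DC=example,DC=com forest DN are assumptions made for illustration.

```python
# Added example: helper names are hypothetical, not Samba or Windows APIs.

# 1-based position of the fUserPwdSupport character inside dSHeuristics.
USER_PWD_SUPPORT_POS = 9

# dSHeuristics is an attribute of this object in the configuration partition.
DIRECTORY_SERVICE_RDN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"


def enable_user_pwd_support(current):
    """Return a dSHeuristics value with fUserPwdSupport set to '1'.

    `current` is the existing attribute value, or None/"" when it is unset.
    Characters at other positions are preserved, so heuristics that were
    already configured are not overwritten. Missing leading positions are
    padded with '0', which yields the "000000001" value from the thread
    when nothing was set before.
    """
    value = current or ""
    if any(ch.isspace() for ch in value):
        raise ValueError("dSHeuristics must not contain whitespace")
    idx = USER_PWD_SUPPORT_POS - 1
    padded = value.ljust(USER_PWD_SUPPORT_POS, "0")
    return padded[:idx] + "1" + padded[idx + 1:]


def build_modify_ldif(forest_dn, current):
    """Build an LDIF record that replaces dSHeuristics with the new value."""
    new_value = enable_user_pwd_support(current)
    return "\n".join([
        "dn: %s,%s" % (DIRECTORY_SERVICE_RDN, forest_dn),
        "changetype: modify",
        "replace: dSHeuristics",
        "dSHeuristics: %s" % new_value,
        "",
    ])


if __name__ == "__main__":
    # Constructed sample input: a forest where dSHeuristics is currently unset.
    print(build_modify_ldif("DC=example,DC=com", None))
```

Read the current dSHeuristics value from the server first and pass it as `current`, so that only the ninth character changes.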