The branch, master has been updated
via bbacd90 selftest: Add test for smbpasswd against pdb_samba4
via 6acce6e s3-passdb: Fix pdb_samba4 setting of plaintext passwords
via 6bab4a3 s3-passdb: Use DSDB_PASSWORD_BYPASS_LAST_SET flags in
pdb_samba4
via 1a9ee7c dsdb: Allow DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID to be
specified as a flag
from 1f0298d python: Change except: statement to except Exception:
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit bbacd901cda42a0a5c284164c46f750a76fd0c7e
Author: Andrew Bartlett <[email protected]>
Date: Tue Jan 24 19:23:20 2012 +1100
selftest: Add test for smbpasswd against pdb_samba4
Autobuild-User: Andrew Bartlett <[email protected]>
Autobuild-Date: Tue Jan 24 11:05:09 CET 2012 on sn-devel-104
commit 6acce6e5d71743b824a822e9b6f24dcc6d8106ca
Author: Andrew Bartlett <[email protected]>
Date: Tue Jan 24 18:38:09 2012 +1100
s3-passdb: Fix pdb_samba4 setting of plaintext passwords
We were setting a UTF8 password into the UTF16 clearTextPassword.
Converting from CH_UNIX to CH_UTF16 should fix this.
Andrew Bartlett
commit 6bab4a3810f9b42e62d2fe1a9b1544e34893cb50
Author: Andrew Bartlett <[email protected]>
Date: Tue Jan 24 18:37:24 2012 +1100
s3-passdb: Use DSDB_PASSWORD_BYPASS_LAST_SET flags in pdb_samba4
commit 1a9ee7cbd575f3865a2cd8dfe35e3f89ebdec073
Author: Andrew Bartlett <[email protected]>
Date: Tue Jan 24 18:36:49 2012 +1100
dsdb: Allow DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID to be specified as a
flag
-----------------------------------------------------------------------
Summary of changes:
source3/passdb/pdb_samba4.c | 28 +++++++++++++-------
source4/dsdb/common/util.c | 7 +++++
source4/dsdb/common/util.h | 1 +
testprogs/blackbox/test_passwords.sh | 45 +++++++++++++++++++++++++++++++---
4 files changed, 67 insertions(+), 14 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/passdb/pdb_samba4.c b/source3/passdb/pdb_samba4.c
index 8da9b3c..bc3b123 100644
--- a/source3/passdb/pdb_samba4.c
+++ b/source3/passdb/pdb_samba4.c
@@ -357,13 +357,30 @@ static int pdb_samba4_replace_by_sam(struct
pdb_samba4_state *state,
return ret;
}
+ /* If we set a plaintext password, the system will
+ * force the pwdLastSet to now() */
+ if (need_update(sam, PDB_PASSLASTSET)) {
+ dsdb_flags = DSDB_PASSWORD_BYPASS_LAST_SET;
+
+ ret |= pdb_samba4_add_time(msg, "pwdLastSet",
+ pdb_get_pass_last_set_time(sam));
+ }
+
pw = pdb_get_plaintext_passwd(sam);
if (need_update(sam, PDB_PLAINTEXT_PW)) {
+ struct ldb_val pw_utf16;
if (pw == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
- ret |= ldb_msg_add_string(msg, "clearTextPassword", pw);
+ if (!convert_string_talloc(msg,
+ CH_UNIX, CH_UTF16,
+ pw, strlen(pw),
+ (void *)&pw_utf16.data,
+ &pw_utf16.length)) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ ret |= ldb_msg_add_value(msg, "clearTextPassword", &pw_utf16,
NULL);
} else {
bool changed_lm_pw = false;
bool changed_nt_pw = false;
@@ -407,15 +424,6 @@ static int pdb_samba4_replace_by_sam(struct
pdb_samba4_state *state,
}
- /* If we set a plaintext password, the system will
- * force the pwdLastSet to now(), and it isn't worth
- * working around this for the real world use cases of
- * pdb_samba4 */
- if (need_update(sam, PDB_PASSLASTSET)) {
- ret |= pdb_samba4_add_time(msg, "pwdLastSet",
-
pdb_get_pass_last_set_time(sam));
- }
-
if (need_update(sam, PDB_PWHISTORY)) {
uint32_t current_hist_len;
const uint8_t *history = pdb_get_pw_history(sam,
¤t_hist_len);
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 38391a9..814faa6 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3725,6 +3725,13 @@ int dsdb_request_add_controls(struct ldb_request *req,
uint32_t dsdb_flags)
}
}
+ if (dsdb_flags & DSDB_PASSWORD_BYPASS_LAST_SET) {
+ ret = ldb_request_add_control(req,
DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID, true, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
if (dsdb_flags & DSDB_MODIFY_PARTIAL_REPLICA) {
ret = ldb_request_add_control(req,
DSDB_CONTROL_PARTIAL_REPLICA, false, NULL);
if (ret != LDB_SUCCESS) {
diff --git a/source4/dsdb/common/util.h b/source4/dsdb/common/util.h
index b2f7aa5..5ec19fb 100644
--- a/source4/dsdb/common/util.h
+++ b/source4/dsdb/common/util.h
@@ -38,6 +38,7 @@
#define DSDB_BYPASS_PASSWORD_HASH 0x1000
#define DSDB_SEARCH_NO_GLOBAL_CATALOG 0x2000
#define DSDB_MODIFY_PARTIAL_REPLICA 0x4000
+#define DSDB_PASSWORD_BYPASS_LAST_SET 0x8000
bool is_attr_in_list(const char * const * attrs, const char *attr);
diff --git a/testprogs/blackbox/test_passwords.sh
b/testprogs/blackbox/test_passwords.sh
index ed68665..9e65b30 100755
--- a/testprogs/blackbox/test_passwords.sh
+++ b/testprogs/blackbox/test_passwords.sh
@@ -23,6 +23,7 @@ samba4bindir="$BINDIR"
smbclient="$samba4bindir/smbclient$EXEEXT"
samba4kinit="$samba4bindir/samba4kinit$EXEEXT"
samba_tool="$samba4bindir/samba-tool$EXEEXT"
+smbpasswd="$samba4bindir/smbpasswd$EXEEXT"
rkpty="$samba4bindir/rkpty$EXEEXT"
samba4kpasswd="$samba4bindir/samba4kpasswd$EXEEXT"
newuser="$samba_tool user create"
@@ -50,7 +51,7 @@ export CONFIG
testit "reset password policies beside of minimum password age of 0 days"
$VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default
--history-length=default --min-pwd-length=default --min-pwd-age=0
--max-pwd-age=default || failed=`expr $failed + 1`
-USERPASS=testPaSS@01%
+USERPASS=testPaSS@00%
testit "create user locally" $VALGRIND $newuser $CONFIG nettestuser $USERPASS
$@ || failed=`expr $failed + 1`
@@ -63,7 +64,7 @@ testit "kinit with user password" $samba4kinit
--password-file=$PREFIX/tmpuserpa
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes ||
failed=`expr $failed + 1`
-NEWUSERPASS=testPaSS@02%
+NEWUSERPASS=testPaSS@01%
testit "change user password with 'samba-tool user password' (unforced)"
$VALGRIND $samba_tool user password -W$DOMAIN -U$DOMAIN/nettestuser%$USERPASS
-k no --newpassword=$NEWUSERPASS $@ || failed=`expr $failed + 1`
echo $NEWUSERPASS > ./tmpuserpassfile
@@ -74,7 +75,7 @@ test_smbclient "Test login with user kerberos ccache" 'ls' -k
yes || failed=`exp
USERPASS=$NEWUSERPASS
WEAKPASS=testpass1
-NEWUSERPASS=testPaSS@03%
+NEWUSERPASS=testPaSS@02%
# password mismatch check doesn't work yet (kpasswd bug, reported to Love)
#echo "check that password mismatch gives the right error"
@@ -133,6 +134,21 @@ testit "change user password with kpasswd" $rkpty
./tmpkpasswdscript $samba4kpas
test_smbclient "Test login with user kerberos (unforced)" 'ls' -k yes
-Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+NEWUSERPASS=testPaSS@03%
+
+echo "set password with smbpasswd"
+cat > ./tmpsmbpasswdscript <<EOF
+expect New SMB password:
+send ${NEWUSERPASS}\n
+expect Retype new SMB password:
+send ${NEWUSERPASS}\n
+EOF
+
+testit "set user password with smbpasswd" $rkpty ./tmpsmbpasswdscript
$smbpasswd -L -c $PREFIX/dc/etc/smb.conf nettestuser || failed=`expr $failed +
1`
+USERPASS=$NEWUSERPASS
+
+test_smbclient "Test login with user (ntlm)" 'ls' -k no
-Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+
NEWUSERPASS=testPaSS@04%
testit "set password on user locally" $VALGRIND $samba_tool user setpassword
nettestuser $CONFIG --newpassword=$NEWUSERPASS --must-change-at-next-login $@
|| failed=`expr $failed + 1`
@@ -163,6 +179,27 @@ USERPASS=$NEWUSERPASS
test_smbclient "Test login with user kerberos" 'ls' -k yes
-Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+NEWUSERPASS=testPaSS@08%
+testit "set password on user locally" $VALGRIND $samba_tool user setpassword
$CONFIG nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@
|| failed=`expr $failed + 1`
+USERPASS=$NEWUSERPASS
+
+NEWUSERPASS=testPaSS@09%
+
+cat > ./tmpsmbpasswdscript <<EOF
+expect Old SMB password:
+password ${USERPASS}\n
+expect New SMB password:
+send ${NEWUSERPASS}\n
+expect Retype new SMB password:
+send ${NEWUSERPASS}\n
+EOF
+
+testit "change user password with smbpasswd (after must change flag set)"
$rkpty ./tmpsmbpasswdscript $smbpasswd -r $SERVER -c $PREFIX/dc/etc/smb.conf
-U nettestuser || failed=`expr $failed + 1`
+
+USERPASS=$NEWUSERPASS
+
+test_smbclient "Test login with user kerberos" 'ls' -k yes
-Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
+
NEWUSERPASS=abcdefg
testit_expect_failure "try to set a non-complex password (command should not
succeed)" $VALGRIND $samba_tool user password -W$DOMAIN
"-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ &&
failed=`expr $failed + 1`
@@ -192,5 +229,5 @@ testit "reset password policies" $VALGRIND $samba_tool
domain passwordsettings $
testit "del user" $VALGRIND $samba_tool user delete nettestuser
-U"$USERNAME%$PASSWORD" -k no $@ || failed=`expr $failed + 1`
-rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
+rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
tmpsmbpasswdscript
exit $failed
--
Samba Shared Repository
