The branch, master has been updated
       via  9ee3343 selftest: skip the samba4.rpc.samr.passwords test in 
ncacn_np(dc) and s4member environments
       via  498f98f s4:torture:rpc:samr: fix password age calculation in 
test_ChangePasswordUser3()
       via  1a4adcf s4:torture/samr: allow STATUS_PASSWORD_RESTRICTIONS from 
ChangePasswordUser
       via  ce89560 s4:rpc_server/samr: do WRONG_PASSWORD checks after the 
complexity checks
       via  da066ec s4:dsdb/password_hash: do the min password age checks first
       via  7c6b10f s4:dsdb/common: only pass the 
DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if required
       via  18a306e s4:torture:rpc:samr: add debugging of result of (many) 
dcerpc_samr_* calls
       via  48ac584 s4:dsdb/password_hash: Honor password complexity settings.
       via  a5e6b05 Revert "s4:dsdb/password_hash: Honor password complexity 
settings."
      from  914a61d s4:provision: set the correct nTSecurityDescriptor on 
CN=Domain Controllers,... (bug #9481)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9ee3343529d2897e900b8824e49b253cfc53bff9
Author: Michael Adam <[email protected]>
Date:   Tue Dec 11 16:13:39 2012 +0100

    selftest: skip the samba4.rpc.samr.passwords test in ncacn_np(dc) and 
s4member environments
    
    These currently fail in a corner case.
    
    Signed-off-by: Michael Adam <[email protected]>
    Reviewed-by: Karolin Seeger <[email protected]>
    
    Autobuild-User(master): Michael Adam <[email protected]>
    Autobuild-Date(master): Tue Dec 11 17:56:01 CET 2012 on sn-devel-104

commit 498f98f126de6da5aff7f054a85270f315c7a400
Author: Michael Adam <[email protected]>
Date:   Tue Dec 11 13:34:49 2012 +0100

    s4:torture:rpc:samr: fix password age calculation in 
test_ChangePasswordUser3()
    
    The min_password_age field is the negative of the age.
    
    Pair-Programmed-With: Stefan Metzmacher <[email protected]>
    
    Signed-off-by: Michael Adam <[email protected]>
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 1a4adcfcb31a06fe3eae4e78a502cbfaa092587e
Author: Michael Adam <[email protected]>
Date:   Tue Dec 11 13:21:11 2012 +0100

    s4:torture/samr: allow STATUS_PASSWORD_RESTRICTIONS from ChangePasswordUser
    
    Pair-Programmed-With: Stefan Metzmacher <[email protected]>
    
    Signed-off-by: Michael Adam <[email protected]>
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit ce895609b04380bfc41e4f8fddc84bd2f9324340
Author: Michael Adam <[email protected]>
Date:   Tue Dec 11 13:18:00 2012 +0100

    s4:rpc_server/samr: do WRONG_PASSWORD checks after the complexity checks
    
    This matches the windows behavior.
    
    Pair-Programmed-With: Stefan Metzmacher <[email protected]>
    
    Signed-off-by: Michael Adam <[email protected]>
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit da066ec1d7b1284461ad907a35a94f30819ecbdc
Author: Michael Adam <[email protected]>
Date:   Tue Dec 11 13:04:22 2012 +0100

    s4:dsdb/password_hash: do the min password age checks first
    
    Pair-Programmed-With: Stefan Metzmacher <[email protected]>
    
    Signed-off-by: Michael Adam <[email protected]>
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 7c6b10fbb05eaa6075f01a4b4f8fb60f42d2dfa7
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Dec 10 23:56:47 2012 +0100

    s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if 
required
    
    This should give the password_hash module a chance to detect if the called
    was the cleartext password or not.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Michael Adam <[email protected]>

commit 18a306e2f2d90f6d0c7b5d82272a69d72510ed7c
Author: Michael Adam <[email protected]>
Date:   Tue Dec 11 11:42:11 2012 +0100

    s4:torture:rpc:samr: add debugging of result of (many) dcerpc_samr_* calls
    
    Pair-Programmed-With: Stefan Metzmacher <[email protected]>
    
    Signed-off-by: Michael Adam <[email protected]>
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 48ac5842dd9f13619d652af1dfe1b04dc79ada7d
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Nov 23 11:49:05 2012 +0100

    s4:dsdb/password_hash: Honor password complexity settings.
    
    Honor password complexity settings when creating new users.
    Without this patch, you could set simple passwords although the complexity
    settings were enabled. This was an issue with 'samba-tool user add' and also
    when adding new users via Windows' "Active Directory Users and Computers"
    MMC Snap-In.
    
    The following scenarios were tested successfully after applying the patch:
    -'samba-tool user add' against s4
    -'samba-tool user add -H' against a Windows DC
    -Adding a new user on a s4 DC using Windows' "Active Directory Users and
     Computers" MMC Snap-In.
    
    Please note that this bug was caused by a mistake in the documentation.
    
    Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
    
    Pair-programmed-with: Karolin Seeger <[email protected]>
    Pair-Programmed-With: Michael Adam <[email protected]>
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Signed-off-by: Michael Adam <[email protected]>

commit a5e6b05edc924bcf7859e5d6b74937ac54347a08
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 11 13:08:28 2012 +0100

    Revert "s4:dsdb/password_hash: Honor password complexity settings."
    
    This reverts commit f8056b7a6998e002f473b0ad79eee046236a7032.
    
    A better fix will follow.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Michael Adam <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 selftest/skip                                  |    2 +
 source4/dsdb/common/util.c                     |   18 ++--
 source4/dsdb/samdb/ldb_modules/password_hash.c |   35 +++----
 source4/rpc_server/samr/samr_password.c        |  112 +++++++++++--------
 source4/torture/rpc/samr.c                     |  135 ++++++++++++++++++++++--
 5 files changed, 215 insertions(+), 87 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/skip b/selftest/skip
index 66bb85c..2ee5d8e 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -50,6 +50,8 @@
 ^samba4.smb2.hold-oplock               # Not a test, but a way to block other 
clients for a test
 ^samba4.raw.ping.pong          # Needs second server to test
 ^samba4.rpc.samr.accessmask
+^samba4.rpc.samr.passwords.*ncacn_np\(dc\) # currently fails, possibly config 
issue
+^samba4.rpc.samr.passwords.*s4member       # currently fails, possibly config 
issue
 ^samba4.raw.scan.eamax
 ^samba4.smb2.notify
 ^samba4.smb2.scan
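Review bot: the two new skip entries give "currently fails, possibly config issue" as their only reason, which tells a later reader nothing about when the skip can be lifted. These patterns disable samba4.rpc.samr.passwords in the ncacn_np(dc) and s4member environments in the same push that reorders the password checks, so please name the failing corner case or a tracking bug in the comment.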
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 632d5bf..4543003 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1978,6 +1978,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, 
TALLOC_CTX *mem_ctx,
        struct ldb_request *req;
        struct dsdb_control_password_change_status *pwd_stat = NULL;
        int ret;
+       bool hash_values = false;
        NTSTATUS status = NT_STATUS_OK;
 
 #define CHECK_RET(x) \
@@ -2013,6 +2014,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, 
TALLOC_CTX *mem_ctx,
                        el = ldb_msg_find_element(msg, "unicodePwd");
                        el->flags = LDB_FLAG_MOD_REPLACE;
                }
+               hash_values = true;
        } else {
                /* the password wasn't specified correctly */
                talloc_free(msg);
@@ -2050,13 +2052,15 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, 
TALLOC_CTX *mem_ctx,
                        return NT_STATUS_NO_MEMORY;
                }
        }
-       ret = ldb_request_add_control(req,
-                                     DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
-                                     true, NULL);
-       if (ret != LDB_SUCCESS) {
-               talloc_free(req);
-               talloc_free(msg);
-               return NT_STATUS_NO_MEMORY;
+       if (hash_values) {
+               ret = ldb_request_add_control(req,
+                                             
DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
+                                             true, NULL);
+               if (ret != LDB_SUCCESS) {
+                       talloc_free(req);
+                       talloc_free(msg);
+                       return NT_STATUS_NO_MEMORY;
+               }
        }
        ret = ldb_request_add_control(req,
                                      DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
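Review bot: the new `if (hash_values)` guard around DSDB_CONTROL_PASSWORD_HASH_VALUES_OID carries no comment saying why the control must be left off on the other path. hash_values is set only in the branch that handles unicodePwd, and the reason (letting password_hash tell hash input from cleartext input) lives only in the commit message. A one-line comment at the guard would keep a later cleanup from making the control unconditional again.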
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c 
b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 0f8920c..9bf596c 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1954,6 +1954,19 @@ static int check_password_restrictions(struct 
setup_password_fields_io *io)
                return LDB_SUCCESS;
        }
 
+       /* Password minimum age: yes, this is a minus. The ages are in negative 
100nsec units! */
+       if ((io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > 
io->g.last_set) &&
+           !io->ac->pwd_reset)
+       {
+               ret = LDB_ERR_CONSTRAINT_VIOLATION;
+               ldb_asprintf_errstring(ldb,
+                       "%08X: %s - check_password_restrictions: "
+                       "password is too young to change!",
+                       W_ERROR_V(WERR_PASSWORD_RESTRICTION),
+                       ldb_strerror(ret));
+               return ret;
+       }
+
        /*
         * Fundamental password checks done by the call
         * "samdb_check_password".
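Review bot: the relocated minimum-age test is not a pure move: it gains `&& !io->ac->pwd_reset`, so password resets now skip the age check, while the commit subject only mentions doing the check first. Please say so in the commit message or in the comment above the condition. The check also still sits below the early `return LDB_SUCCESS;` visible at the top of the hunk, so it is worth confirming that whatever takes that return is meant to bypass the minimum age as well.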
@@ -2064,17 +2077,6 @@ static int check_password_restrictions(struct 
setup_password_fields_io *io)
                return ret;
        }
 
-       /* Password minimum age: yes, this is a minus. The ages are in negative 
100nsec units! */
-       if (io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > 
io->g.last_set) {
-               ret = LDB_ERR_CONSTRAINT_VIOLATION;
-               ldb_asprintf_errstring(ldb,
-                       "%08X: %s - check_password_restrictions: "
-                       "password is too young to change!",
-                       W_ERROR_V(WERR_PASSWORD_RESTRICTION),
-                       ldb_strerror(ret));
-               return ret;
-       }
-
        return LDB_SUCCESS;
 }
 
@@ -2188,17 +2190,6 @@ static int setup_io(struct ph_context *ac,
                & (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
                        | UF_SERVER_TRUST_ACCOUNT));
 
-       if (!ldb_req_is_untrusted(ac->req) &&
-           (io->u.userAccountControl & UF_PASSWD_NOTREQD))
-       {
-               /* see [MS-ADTS] 2.2.15 */
-               /*
-                * This seems to only happen for SAMR
-                * and not for LDAP clients
-                */
-               io->u.restrictions = 0;
-       }
-
        if (ac->userPassword) {
                ret = msg_find_old_and_new_pwd_val(orig_msg, "userPassword",
                                                   ac->req->operation,
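Review bot: removing the block that set `io->u.restrictions = 0` for trusted requests on accounts with UF_PASSWD_NOTREQD drops the [MS-ADTS] 2.2.15 exemption entirely rather than narrowing it, and nothing in the visible hunks replaces it. If the exemption is still needed on some SAMR path it needs a new home; if not, a torture case that sets a password on a UF_PASSWD_NOTREQD account would pin the new behaviour.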
diff --git a/source4/rpc_server/samr/samr_password.c 
b/source4/rpc_server/samr/samr_password.c
index 8963b04..5caf4b9 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -88,34 +88,22 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct 
dcesrv_call_state *dce_call,
        if (lm_pwd) {
                D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, 
new_lmPwdHash.hash);
                D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, 
checkHash.hash);
-               if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
-                       return NT_STATUS_WRONG_PASSWORD;
-               }
        }
 
        /* decrypt and check the new nt hash */
        D_P16(nt_pwd->hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
        D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
-       if (memcmp(checkHash.hash, nt_pwd, 16) != 0) {
-               return NT_STATUS_WRONG_PASSWORD;
-       }
 
        /* The NT Cross is not required by Win2k3 R2, but if present
           check the nt cross hash */
        if (r->in.cross1_present && r->in.nt_cross && lm_pwd) {
                D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
-               if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
-                       return NT_STATUS_WRONG_PASSWORD;
-               }
        }
 
        /* The LM Cross is not required by Win2k3 R2, but if present
           check the lm cross hash */
        if (r->in.cross2_present && r->in.lm_cross && lm_pwd) {
                D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
-               if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
-                       return NT_STATUS_WRONG_PASSWORD;
-               }
        }
 
        /* Start a SAM with user privileges for the password change */
@@ -148,6 +136,37 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct 
dcesrv_call_state *dce_call,
                return status;
        }
 
+       /* decrypt and check the new lm hash */
+       if (lm_pwd) {
+               if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
+                       ldb_transaction_cancel(sam_ctx);
+                       return NT_STATUS_WRONG_PASSWORD;
+               }
+       }
+
+       if (memcmp(checkHash.hash, nt_pwd, 16) != 0) {
+               ldb_transaction_cancel(sam_ctx);
+               return NT_STATUS_WRONG_PASSWORD;
+       }
+
+       /* The NT Cross is not required by Win2k3 R2, but if present
+          check the nt cross hash */
+       if (r->in.cross1_present && r->in.nt_cross && lm_pwd) {
+               if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
+                       ldb_transaction_cancel(sam_ctx);
+                       return NT_STATUS_WRONG_PASSWORD;
+               }
+       }
+
+       /* The LM Cross is not required by Win2k3 R2, but if present
+          check the lm cross hash */
+       if (r->in.cross2_present && r->in.lm_cross && lm_pwd) {
+               if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
+                       ldb_transaction_cancel(sam_ctx);
+                       return NT_STATUS_WRONG_PASSWORD;
+               }
+       }
+
        /* And this confirms it in a transaction commit */
        ret = ldb_transaction_commit(sam_ctx);
        if (ret != LDB_SUCCESS) {
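Review bot: every deferred memcmp here reads checkHash.hash, but the D_P16 calls left in the previous hunk all write their result into that same buffer, so by this point it holds only the output of the last one that ran. The LM comparison against lm_pwd, for example, now runs on whatever the NT or cross-hash decryption wrote, so the checks no longer compare the pairs they were written for. Keep a separate result buffer per check, or keep each D_P16 next to its memcmp inside the transaction, and update the "decrypt and check the new lm hash" comment, since nothing is decrypted at this spot any more.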
@@ -256,9 +275,6 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct 
dcesrv_call_state *dce_call,
 
        E_deshash(new_pass, new_lm_hash);
        E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
-       if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
-               return NT_STATUS_WRONG_PASSWORD;
-       }
 
        /* Connect to a SAMDB with user privileges for the password change */
        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
@@ -290,6 +306,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct 
dcesrv_call_state *dce_call,
                return status;
        }
 
+       if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
+               ldb_transaction_cancel(sam_ctx);
+               return NT_STATUS_WRONG_PASSWORD;
+       }
+
        /* And this confirms it in a transaction commit */
        ret = ldb_transaction_commit(sam_ctx);
        if (ret != LDB_SUCCESS) {
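Review bot: the lm_verifier comparison moves from before the samdb_connect call to just before the commit, so the old-password check now depends on `ldb_transaction_cancel(sam_ctx)` to discard whatever was done inside the open transaction. That holds only while every exit between the transaction start and the commit cancels. A short comment saying the verifier is checked late on purpose (the commit message gives matching Windows behaviour as the reason) would stop a later reader from treating the earlier steps as already authorised.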
@@ -379,8 +400,33 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct 
dcesrv_call_state *dce_call,
                goto failed;
        }
 
-       if (r->in.nt_verifier == NULL) {
-               status = NT_STATUS_WRONG_PASSWORD;
+       /* Connect to a SAMDB with user privileges for the password change */
+       sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+                               dce_call->conn->dce_ctx->lp_ctx,
+                               dce_call->conn->auth_state.session_info, 0);
+       if (sam_ctx == NULL) {
+               return NT_STATUS_INVALID_SYSTEM_SERVICE;
+       }
+
+       ret = ldb_transaction_start(sam_ctx);
+       if (ret != LDB_SUCCESS) {
+               DEBUG(1, ("Failed to start transaction: %s\n", 
ldb_errstring(sam_ctx)));
+               return NT_STATUS_TRANSACTION_ABORTED;
+       }
+
+       /* Performs the password modification. We pass the old hashes read out
+        * from the database since they were already checked against the user-
+        * provided ones. */
+       status = samdb_set_password(sam_ctx, mem_ctx,
+                                   user_dn, NULL,
+                                   &new_password,
+                                   NULL, NULL,
+                                   lm_pwd, nt_pwd, /* this is a user password 
change */
+                                   &reason,
+                                   &dominfo);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               ldb_transaction_cancel(sam_ctx);
                goto failed;
        }
 
@@ -389,6 +435,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct 
dcesrv_call_state *dce_call,
 
        E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash);
        if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) {
+               ldb_transaction_cancel(sam_ctx);
                status = NT_STATUS_WRONG_PASSWORD;
                goto failed;
        }
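Review bot: `r->in.nt_verifier->hash` is dereferenced in this memcmp, but the previous hunk deletes the `if (r->in.nt_verifier == NULL)` test and none of the visible hunks puts it back. nt_verifier comes from the request, so a call that omits it would reach this line with a NULL pointer. Restore the NULL check ahead of the comparison, cancelling the transaction and setting NT_STATUS_WRONG_PASSWORD as the neighbouring failure paths do.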
@@ -408,42 +455,13 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct 
dcesrv_call_state *dce_call,
                        E_deshash(new_pass, new_lm_hash);
                        E_old_pw_hash(new_nt_hash, lm_pwd->hash, 
lm_verifier.hash);
                        if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 
16) != 0) {
+                               ldb_transaction_cancel(sam_ctx);
                                status = NT_STATUS_WRONG_PASSWORD;
                                goto failed;
                        }
                }
        }
 
-       /* Connect to a SAMDB with user privileges for the password change */
-       sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
-                               dce_call->conn->dce_ctx->lp_ctx,
-                               dce_call->conn->auth_state.session_info, 0);
-       if (sam_ctx == NULL) {
-               return NT_STATUS_INVALID_SYSTEM_SERVICE;
-       }
-
-       ret = ldb_transaction_start(sam_ctx);
-       if (ret != LDB_SUCCESS) {
-               DEBUG(1, ("Failed to start transaction: %s\n", 
ldb_errstring(sam_ctx)));
-               return NT_STATUS_TRANSACTION_ABORTED;
-       }
-
-       /* Performs the password modification. We pass the old hashes read out
-        * from the database since they were already checked against the user-
-        * provided ones. */
-       status = samdb_set_password(sam_ctx, mem_ctx,
-                                   user_dn, NULL,
-                                   &new_password,
-                                   NULL, NULL,
-                                   lm_pwd, nt_pwd, /* this is a user password 
change */
-                                   &reason,
-                                   &dominfo);
-
-       if (!NT_STATUS_IS_OK(status)) {
-               ldb_transaction_cancel(sam_ctx);
-               goto failed;
-       }
-
        /* And this confirms it in a transaction commit */
        ret = ldb_transaction_commit(sam_ctx);
        if (ret != LDB_SUCCESS) {
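Review bot: `ldb_transaction_cancel(sam_ctx)` is now repeated before each `goto failed` that follows the transaction start, so any failure path added later has to remember it too or it leaves the transaction open. Consider cancelling in one place, for example under the failed label guarded by a flag that records whether a transaction was started.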
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 7f50ce9..f17f0d7 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -665,6 +665,9 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct 
torture_context *tctx
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
                torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
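Review bot: this three-line torture_comment is pasted after every dcerpc_samr_SetUserInfo_r and dcerpc_samr_ChangePasswordUser_r call touched by the patch; a small helper macro taking the status and the password strings would keep the format in one place. It also writes new_password (and old_password in the later hunks) in clear into the test output, which is acceptable for generated test credentials but worth a thought if these logs are archived.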
@@ -724,6 +727,9 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, 
struct torture_context *t
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
                torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
@@ -749,6 +755,9 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, 
struct torture_context *t
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_WRONG_PASSWORD)) {
                torture_warning(tctx, "SetUserInfo level %u should have failed 
with WRONG_PASSWORD- %s\n",
                       s.in.level, nt_errstr(s.out.result));
@@ -818,6 +827,9 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, 
struct torture_context *tc
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
                torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
@@ -836,6 +848,9 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, 
struct torture_context *tc
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_WRONG_PASSWORD)) {
                torture_warning(tctx, "SetUserInfo level %u should have failed 
with WRONG_PASSWORD: %s\n",
                       s.in.level, nt_errstr(s.out.result));
@@ -905,6 +920,9 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, 
struct torture_context *t
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
                torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
@@ -923,6 +941,9 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, 
struct torture_context *t
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_WRONG_PASSWORD)) {
                torture_warning(tctx, "SetUserInfo level %u should have failed 
with WRONG_PASSWORD- %s\n",
                       s.in.level, nt_errstr(s.out.result));
@@ -1312,10 +1333,16 @@ static bool test_SetUserPass_level_ex(struct 
dcerpc_pipe *p,
        if (use_setinfo2) {
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo2_r(b, 
tctx, &s2),
                        "SetUserInfo2 failed");
-               status = s2.out.result;
+               torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                               __location__, __FUNCTION__,
+                               newpass, nt_errstr(s2.out.result));
+                       status = s2.out.result;
        } else {
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, 
tctx, &s),
                        "SetUserInfo failed");
+               torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                               __location__, __FUNCTION__,
+                               newpass, nt_errstr(s.out.result));
                status = s.out.result;
        }
 
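Review bot: in the use_setinfo2 branch the line `status = s2.out.result;` is removed and re-added with one extra level of indentation, which makes it look nested under the torture_comment call. Keep the original indentation so the hunk only adds the debug output.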
@@ -1729,8 +1756,13 @@ static bool test_ChangePasswordUser(struct 
dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, 
tctx, &r),
                "ChangePasswordUser failed");
-       torture_assert_ntstatus_equal(tctx, r.out.result, 
NT_STATUS_WRONG_PASSWORD,
-               "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD 
because we broke the LM hash");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] 
status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
+               torture_assert_ntstatus_equal(tctx, r.out.result, 
NT_STATUS_WRONG_PASSWORD,
+                       "ChangePasswordUser failed: expected 
NT_STATUS_WRONG_PASSWORD because we broke the LM hash");
+       }
 
        /* Unbreak the LM hash */
        hash1.hash[0]--;
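Review bot: wrapping the WRONG_PASSWORD assertion in `if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION))` means the broken-LM-hash case passes without ever confirming that a bad hash is rejected whenever the server answers PASSWORD_RESTRICTION first. At minimum emit a torture_comment on that path saying the wrong-password check was not exercised; better, arrange the test so the restriction cannot trigger and keep the strict assertion.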
@@ -1751,8 +1783,13 @@ static bool test_ChangePasswordUser(struct 
dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, 
tctx, &r),
                "ChangePasswordUser failed");
-       torture_assert_ntstatus_equal(tctx, r.out.result, 
NT_STATUS_WRONG_PASSWORD,
-               "expected NT_STATUS_WRONG_PASSWORD because we broke the NT 
hash");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] 
status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
+               torture_assert_ntstatus_equal(tctx, r.out.result, 
NT_STATUS_WRONG_PASSWORD,
+                       "expected NT_STATUS_WRONG_PASSWORD because we broke the 
NT hash");
+       }
 
        /* Unbreak the NT hash */
        hash3.hash[0]--;
@@ -1773,8 +1810,13 @@ static bool test_ChangePasswordUser(struct 
dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, 
tctx, &r),
                "ChangePasswordUser failed");
-       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "ChangePasswordUser failed: expected 
NT_STATUS_WRONG_PASSWORD because we broke the LM cross-hash, got %s\n", 
nt_errstr(r.out.result));
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] 
status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD) &&
+           !NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION))
+       {
+               torture_warning(tctx, "ChangePasswordUser failed: expected 
NT_STATUS_WRONG_PASSWORD or NT_STATUS_PASSWORD_RESTRICTION because we broke the 
LM cross-hash, got %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -1797,8 +1839,13 @@ static bool test_ChangePasswordUser(struct 
dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, 
tctx, &r),
                "ChangePasswordUser failed");
-       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "ChangePasswordUser failed: expected 
NT_STATUS_WRONG_PASSWORD because we broke the NT cross-hash, got %s\n", 
nt_errstr(r.out.result));
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] 
status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD) &&
+           !NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION))
+       {
+               torture_warning(tctx, "ChangePasswordUser failed: expected 
NT_STATUS_WRONG_PASSWORD or NT_STATUS_PASSWORD_RESTRICTION because we broke the 
NT cross-hash, got %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -1828,6 +1875,9 @@ static bool test_ChangePasswordUser(struct 
dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, 
tctx, &r),
                "ChangePasswordUser failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] 
status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (NT_STATUS_IS_OK(r.out.result)) {
                changed = true;
                *password = newpass;
@@ -1867,6 +1917,9 @@ static bool test_ChangePasswordUser(struct 
dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, 
tctx, &r),
                "ChangePasswordUser failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] 
status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (NT_STATUS_IS_OK(r.out.result)) {
                changed = true;
                *password = newpass;
@@ -1906,6 +1959,9 @@ static bool test_ChangePasswordUser(struct 
dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, 
tctx, &r),
                "ChangePasswordUser failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] 
status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
                torture_comment(tctx, "ChangePasswordUser returned: %s perhaps 
min password age? (not fatal)\n", nt_errstr(r.out.result));
        } else  if (!NT_STATUS_IS_OK(r.out.result)) {
@@ -1931,6 +1987,9 @@ static bool test_ChangePasswordUser(struct 
dcerpc_binding_handle *b,
        if (changed) {
                torture_assert_ntstatus_ok(tctx, 
dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                        "ChangePasswordUser failed");
+               torture_comment(tctx, "(%s:%s) old_password[%s] 
new_password[%s] status[%s]\n",
+                               __location__, __FUNCTION__,
+                               oldpass, newpass, nt_errstr(r.out.result));
                if (NT_STATUS_EQUAL(r.out.result, 
NT_STATUS_PASSWORD_RESTRICTION)) {
                        torture_comment(tctx, "ChangePasswordUser returned: %s 
perhaps min password age? (not fatal)\n", nt_errstr(r.out.result));
                } else if (!NT_STATUS_EQUAL(r.out.result, 
NT_STATUS_WRONG_PASSWORD)) {
@@ -2008,6 +2067,9 @@ static bool test_OemChangePasswordUser2(struct 
dcerpc_pipe *p,


-- 
Samba Shared Repository
