The branch, master has been updated
via fec698d tests/passwords: fix a typo
via a523274 tests/dsdb: Verify that only a new ldb affects reads of
userPassword
via f26a284 dsdb: Only re-query dSHeuristics for userPassword support
on modifies
from 0619a83 tests/rodc: Check that preload will skip broken users
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit fec698dbfd63e0c63c4fc1fd536839ae39e7077e
Author: Garming Sam <[email protected]>
Date: Wed Apr 13 16:35:53 2016 +1200
tests/passwords: fix a typo
Signed-off-by: Garming Sam <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
Autobuild-User(master): Garming Sam <[email protected]>
Autobuild-Date(master): Tue Apr 19 07:54:35 CEST 2016 on sn-devel-144
commit a523274fb6aa2c25d51a6a865ea084bc94947e08
Author: Garming Sam <[email protected]>
Date: Mon Feb 22 13:33:01 2016 +1300
tests/dsdb: Verify that only a new ldb affects reads of userPassword
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11853
Signed-off-by: Garming Sam <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit f26a2845bd42e580ddeaf0eecc9b46b823a0c6bc
Author: Andrew Bartlett <[email protected]>
Date: Fri Feb 12 15:53:37 2016 +1300
dsdb: Only re-query dSHeuristics for userPassword support on modifies
We keep the database startup value for search behaviour, as to re-check
is too expensive. It caused every search to have an additional
search to the database.
We do not need to check as_system when setting ac->userPassword
as this is checked when all password attributes are stripped
As userPassword is not written to after fUserPwdSupport is set
we do not expose any data that was not already visible.
The database overhead was an oversight when this was
originally added with 7f171a9e0f9b5945bd16a1330ba0908090659030
in 2010.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11853
Signed-off-by: Andrew Bartlett <[email protected]>
Reviewed-by: Garming Sam <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/acl.c | 8 ++-
source4/dsdb/tests/python/passwords.py | 91 +++++++++++++++++++++++++++++++++-
2 files changed, 96 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c
b/source4/dsdb/samdb/ldb_modules/acl.c
index 62e560f..2aafc6c 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -55,6 +55,7 @@ struct acl_private {
uint64_t cached_schema_metadata_usn;
uint64_t cached_schema_loaded_usn;
const char **confidential_attrs;
+ bool userPassword_support;
};
struct acl_context {
@@ -107,6 +108,8 @@ static int acl_module_init(struct ldb_module *module)
NULL, "acl", "search", true);
ldb_module_set_private(module, data);
+ data->userPassword_support = dsdb_user_password_support(module, module,
NULL);
+
mem_ctx = talloc_new(module);
if (!mem_ctx) {
return ldb_oom(ldb);
@@ -1851,8 +1854,9 @@ static int acl_search(struct ldb_module *module, struct
ldb_request *req)
return ldb_next_request(module, req);
}
- if (!ac->am_system) {
- ac->userPassword = dsdb_user_password_support(module, ac, req);
+ data = talloc_get_type(ldb_module_get_private(ac->module), struct
acl_private);
+ if (data != NULL) {
+ ac->userPassword = data->userPassword_support;
}
ret = acl_search_update_confidential_attrs(ac, data);
diff --git a/source4/dsdb/tests/python/passwords.py
b/source4/dsdb/tests/python/passwords.py
index fb3eee5..db013ea 100755
--- a/source4/dsdb/tests/python/passwords.py
+++ b/source4/dsdb/tests/python/passwords.py
@@ -87,7 +87,7 @@ class PasswordTests(samba.tests.TestCase):
# Get the old "minPwdAge"
minPwdAge = self.ldb.get_minPwdAge()
- # Set it temporarely to "0"
+ # Set it temporarily to "0"
self.ldb.set_minPwdAge("0")
self.base_dn = self.ldb.domain_dn()
@@ -912,6 +912,95 @@ userPassword: thatsAcomplPASS4
# Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
self.ldb.set_dsheuristics("000000001")
+ def test_modify_dsheuristics_userPassword(self):
+ print "Performs testing about reading userPassword between dsHeuristic
modifies"
+
+ # Make sure userPassword cannot be read
+ self.ldb.set_dsheuristics("000000000")
+
+ # Open a new connection (with dsHeuristic=000000000)
+ ldb1 = SamDB(url=host, session_info=system_session(lp),
+ credentials=creds, lp=lp)
+
+ # Set userPassword to be read
+ # This setting only affects newer connections (ldb2)
+ ldb1.set_dsheuristics("000000001")
+ time.sleep(1)
+
+ m = Message()
+ m.dn = Dn(ldb1, "cn=testuser,cn=users," + self.base_dn)
+ m["userPassword"] = MessageElement("thatsAcomplPASS1",
FLAG_MOD_REPLACE,
+ "userPassword")
+ ldb1.modify(m)
+
+ res = ldb1.search("cn=testuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["userPassword"])
+
+ # userPassword cannot be read, despite the dsHeuristic setting
+ self.assertTrue(len(res) == 1)
+ self.assertFalse("userPassword" in res[0])
+
+ # Open another new connection (with dsHeuristic=000000001)
+ ldb2 = SamDB(url=host, session_info=system_session(lp),
+ credentials=creds, lp=lp)
+
+ # Set userPassword to be unreadable
+ # This setting does not affect this connection
+ ldb2.set_dsheuristics("000000000")
+ time.sleep(1)
+
+ res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["userPassword"])
+
+ # Check that userPassword was not stored from ldb1
+ self.assertTrue(len(res) == 1)
+ self.assertFalse("userPassword" in res[0])
+
+ m = Message()
+ m.dn = Dn(ldb2, "cn=testuser,cn=users," + self.base_dn)
+ m["userPassword"] = MessageElement("thatsAcomplPASS2",
FLAG_MOD_REPLACE,
+ "userPassword")
+ ldb2.modify(m)
+
+ res = ldb2.search("cn=testuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["userPassword"])
+
+ # userPassword can be read in this connection
+ # This is regardless of the current dsHeuristics setting
+ self.assertTrue(len(res) == 1)
+ self.assertTrue("userPassword" in res[0])
+ self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")
+
+ # Only password from ldb1 is the user's password
+ creds2 = Credentials()
+ creds2.set_username("testuser")
+ creds2.set_password("thatsAcomplPASS1")
+ creds2.set_domain(creds.get_domain())
+ creds2.set_realm(creds.get_realm())
+ creds2.set_workstation(creds.get_workstation())
+ creds2.set_gensec_features(creds2.get_gensec_features()
+ | gensec.FEATURE_SEAL)
+
+ try:
+ SamDB(url=host, credentials=creds2, lp=lp)
+ except:
+ self.fail("testuser used the wrong password")
+
+ ldb3 = SamDB(url=host, session_info=system_session(lp),
+ credentials=creds, lp=lp)
+
+ # Check that userPassword was stored from ldb2
+ res = ldb3.search("cn=testuser,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["userPassword"])
+
+ # userPassword can be read
+ self.assertTrue(len(res) == 1)
+ self.assertTrue("userPassword" in res[0])
+ self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2")
+
+ # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
+ self.ldb.set_dsheuristics("000000001")
+
def test_zero_length(self):
# Get the old "minPwdLength"
minPwdLength = self.ldb.get_minPwdLength()
--
Samba Shared Repository
