The branch, master has been updated via fec698d tests/passwords: fix a typo via a523274 tests/dsdb: Verify that only a new ldb affects reads of userPassword via f26a284 dsdb: Only re-query dSHeuristics for userPassword support on modifies from 0619a83 tests/rodc: Check that preload will skip broken users
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit fec698dbfd63e0c63c4fc1fd536839ae39e7077e Author: Garming Sam <garm...@catalyst.net.nz> Date: Wed Apr 13 16:35:53 2016 +1200 tests/passwords: fix a typo Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Garming Sam <garm...@samba.org> Autobuild-Date(master): Tue Apr 19 07:54:35 CEST 2016 on sn-devel-144 commit a523274fb6aa2c25d51a6a865ea084bc94947e08 Author: Garming Sam <garm...@catalyst.net.nz> Date: Mon Feb 22 13:33:01 2016 +1300 tests/dsdb: Verify that only a new ldb affects reads of userPassword BUG: https://bugzilla.samba.org/show_bug.cgi?id=11853 Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f26a2845bd42e580ddeaf0eecc9b46b823a0c6bc Author: Andrew Bartlett <abart...@samba.org> Date: Fri Feb 12 15:53:37 2016 +1300 dsdb: Only re-query dSHeuristics for userPassword support on modifies We keep the database startup value for search behaviour, as to re-check is too expensive. It caused every search to have an additional search to the database. We do not need to check as_system when setting ac->userPassword as this is checked when all password attributes are stripped As userPassword is not written to after fUserPwdSupport is set we do not expose any data that was not already visible. The database overhead was an oversight when this was originally added with 7f171a9e0f9b5945bd16a1330ba0908090659030 in 2010. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11853 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> ----------------------------------------------------------------------- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c | 8 ++- source4/dsdb/tests/python/passwords.py | 91 +++++++++++++++++++++++++++++++++- 2 files changed, 96 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 62e560f..2aafc6c 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -55,6 +55,7 @@ struct acl_private { uint64_t cached_schema_metadata_usn; uint64_t cached_schema_loaded_usn; const char **confidential_attrs; + bool userPassword_support; }; struct acl_context { @@ -107,6 +108,8 @@ static int acl_module_init(struct ldb_module *module) NULL, "acl", "search", true); ldb_module_set_private(module, data); + data->userPassword_support = dsdb_user_password_support(module, module, NULL); + mem_ctx = talloc_new(module); if (!mem_ctx) { return ldb_oom(ldb); @@ -1851,8 +1854,9 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, req); } - if (!ac->am_system) { - ac->userPassword = dsdb_user_password_support(module, ac, req); + data = talloc_get_type(ldb_module_get_private(ac->module), struct acl_private); + if (data != NULL) { + ac->userPassword = data->userPassword_support; } ret = acl_search_update_confidential_attrs(ac, data); diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py index fb3eee5..db013ea 100755 --- a/source4/dsdb/tests/python/passwords.py +++ b/source4/dsdb/tests/python/passwords.py @@ -87,7 +87,7 @@ class PasswordTests(samba.tests.TestCase): # Get the old "minPwdAge" minPwdAge = self.ldb.get_minPwdAge() - # Set it temporarely to "0" + # Set it temporarily to "0" self.ldb.set_minPwdAge("0") self.base_dn = self.ldb.domain_dn() @@ -912,6 +912,95 @@ userPassword: thatsAcomplPASS4 # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes) self.ldb.set_dsheuristics("000000001") + def test_modify_dsheuristics_userPassword(self): + print "Performs testing about reading userPassword between dsHeuristic modifies" + + # Make sure userPassword cannot be read + self.ldb.set_dsheuristics("000000000") + + # Open a new connection (with dsHeuristic=000000000) + ldb1 = SamDB(url=host, session_info=system_session(lp), + credentials=creds, lp=lp) + + # Set userPassword to be read + # This setting only affects newer connections (ldb2) + ldb1.set_dsheuristics("000000001") + time.sleep(1) + + m = Message() + m.dn = Dn(ldb1, "cn=testuser,cn=users," + self.base_dn) + m["userPassword"] = MessageElement("thatsAcomplPASS1", FLAG_MOD_REPLACE, + "userPassword") + ldb1.modify(m) + + res = ldb1.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["userPassword"]) + + # userPassword cannot be read, despite the dsHeuristic setting + self.assertTrue(len(res) == 1) + self.assertFalse("userPassword" in res[0]) + + # Open another new connection (with dsHeuristic=000000001) + ldb2 = SamDB(url=host, session_info=system_session(lp), + credentials=creds, lp=lp) + + # Set userPassword to be unreadable + # This setting does not affect this connection + ldb2.set_dsheuristics("000000000") + time.sleep(1) + + res = ldb2.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["userPassword"]) + + # Check that userPassword was not stored from ldb1 + self.assertTrue(len(res) == 1) + self.assertFalse("userPassword" in res[0]) + + m = Message() + m.dn = Dn(ldb2, "cn=testuser,cn=users," + self.base_dn) + m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE, + "userPassword") + ldb2.modify(m) + + res = ldb2.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["userPassword"]) + + # userPassword can be read in this connection + # This is regardless of the current dsHeuristics setting + self.assertTrue(len(res) == 1) + self.assertTrue("userPassword" in res[0]) + self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2") + + # Only password from ldb1 is the user's password + creds2 = Credentials() + creds2.set_username("testuser") + creds2.set_password("thatsAcomplPASS1") + creds2.set_domain(creds.get_domain()) + creds2.set_realm(creds.get_realm()) + creds2.set_workstation(creds.get_workstation()) + creds2.set_gensec_features(creds2.get_gensec_features() + | gensec.FEATURE_SEAL) + + try: + SamDB(url=host, credentials=creds2, lp=lp) + except: + self.fail("testuser used the wrong password") + + ldb3 = SamDB(url=host, session_info=system_session(lp), + credentials=creds, lp=lp) + + # Check that userPassword was stored from ldb2 + res = ldb3.search("cn=testuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["userPassword"]) + + # userPassword can be read + self.assertTrue(len(res) == 1) + self.assertTrue("userPassword" in res[0]) + self.assertEquals(res[0]["userPassword"][0], "thatsAcomplPASS2") + + # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes) + self.ldb.set_dsheuristics("000000001") + def test_zero_length(self): # Get the old "minPwdLength" minPwdLength = self.ldb.get_minPwdLength() -- Samba Shared Repository