On (08/02/16 17:18), Sumit Bose wrote:
On Mon, Feb 08, 2016 at 04:18:56PM +0100, Lukas Slebodnik wrote:
> On (08/02/16 12:12), Lukas Slebodnik wrote:
> >On (08/02/16 10:48), Jakub Hrozek wrote:
> >>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote:
> >>>
> >>>
> >>> On 02/05/2016 03:16 PM, Lukas Slebodnik wrote:
> >>> >>
> >>> >The ticket is about "SSSD should be about to display message to the user when
> >>> >the account in Active Directory is 'locked out'"
> >>> >
> >>> >If the string is not standardized among AD versions
> >>> >then this ticket is NOT solved.
> >>>
> >>> So what do you propose? Rename ticket to contain version of tested AD?
> >>> Or should we say user that although we have fix that would work for him it might not work
> >>> for all AD versions so we won't provide it?
> >>
> >>It would be nice to mention what we tested with in the commit message.
> >>
> >>>
> >>> Can we ask our QA to test on all AD versions they can lay their hands on?
> >>
> >>Yes, I think we can test 2012 and 2008. Probably not worth testing 2003
> >>anymore.
> >>
> >If you have access to such machines it would be good to test.
> >I do not have licences :-(.
> >
> >We *might* check with samba AD.
> >It needn't work therefore it should not be a blocker for this patch.
> >But we had some samba AD specific crashes in the past which would be good to avoid.
> >
> >Or just check samba source code whether it has such string in code.
> >
> I checked the samba source code and it looks like there
> can be zeros before 775
>
> libcli/util/werror.h:#define WERR_ACCOUNT_LOCKED_OUT W_ERROR(0x00000775)
> source4/dsdb/tests/python/password_lockout.py:        self.assertTrue('00000775' in msg)
> source4/dsdb/tests/python/password_lockout.py:        self.assertTrue('00000775' in msg)
> source4/dsdb/tests/python/password_lockout.py:        self.assertTrue('0000775' in msg)
> source4/dsdb/tests/python/password_lockout.py:        self.assertTrue('0000775' in msg)
> source4/dsdb/tests/python/password_lockout.py:        self.assertTrue('0000775' in msg)
> source4/dsdb/tests/python/password_lockout.py:        self.assertTrue('00000775' in msg)
> source4/dsdb/tests/python/password_lockout.py:        self.assertTrue('00000775' in msg)
> source4/dsdb/tests/python/password_lockout.py:        self.assertTrue('0000775' in msg)

Those are checks which test some samba behaviour:

source4/dsdb/samdb/ldb_modules/password_hash.c:
...
        if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
                ldb_asprintf_errstring(ldb,
                                       "%08X: check_password: "
                                       "Password change not permitted, account locked out!",
                                       W_ERROR_V(WERR_ACCOUNT_LOCKED_OUT));
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
...

which as far as I can see are not related to error messages during bind.

Thank you for the deeper look into the code.
I only did a quick grep of samba master and saw two "keywords":
password_lockout and 775.

I agree that we should test how Samba behaves here and which error
message is sent while trying to bind as a locked out user. But I think
it would be sufficient to open a ticket to test it and if Samba behaves
differently we might want to discuss with Samba upstream if this is
expected.

Agree.
I wrote in my previous mail that samba should not be a blocker.
But we should not crash with samba in any case.
LS
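
The thread's concern is that the lockout code may show up as 775, 0000775 or 00000775 depending on the server, so a fixed-substring check is either too strict or too loose. The C code below is an added example, not SSSD or Samba code and not part of the original mail: it matches the code as a whole token with optional zero padding. The helper names and sample messages are constructed, and the AD-style "data 775" layout is an assumption not shown in this thread.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: does the token equal `code` once zero padding is
 * dropped? Accepts "775", "0000775", "00000775"; rejects "1775", "7750". */
static bool token_is_code(const char *tok, size_t len, const char *code)
{
    size_t code_len = strlen(code);

    while (len > code_len && *tok == '0') {
        tok++;
        len--;
    }
    return len == code_len && memcmp(tok, code, code_len) == 0;
}

/* Hypothetical helper: look for `code` as a stand-alone alphanumeric token
 * in a server diagnostic message. NULL or empty inputs never match. */
bool msg_has_error_code(const char *msg, const char *code)
{
    if (msg == NULL || code == NULL || *code == '\0') return false;

    for (const char *p = msg; *p != '\0'; ) {
        while (*p != '\0' && !isalnum((unsigned char)*p)) p++;
        const char *start = p;
        while (isalnum((unsigned char)*p)) p++;
        if (p > start && token_is_code(start, (size_t)(p - start), code))
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample messages, not captured from a real server. */
    const char *samples[] = {
        "00000775: check_password: Password change not permitted, account locked out!",
        "80090308: LdapErr: DSID-0C090000, comment: AcceptSecurityContext error, data 775, v1db1",
        "LdapErr: comment: AcceptSecurityContext error, data 1775, v1db1",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%d  %s\n", msg_has_error_code(samples[i], "775"), samples[i]);
    return 0;
}
```

Because the match is on whole tokens, a server message that is missing, empty or in an unexpected layout simply yields no match instead of being indexed at a fixed offset.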