On Mon, Feb 08, 2016 at 04:18:56PM +0100, Lukas Slebodnik wrote:
On (08/02/16 12:12), Lukas Slebodnik wrote:
>On (08/02/16 10:48), Jakub Hrozek wrote:
>>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote:
>>>
>>>
>>> On 02/05/2016 03:16 PM, Lukas Slebodnik wrote:
>>> >>
>>> >The ticket is about "SSSD should be about to display message to the user when
>>> >the account in Active Directory is 'locked out'"
>>> >
>>> >If the string is not standardized among AD versions
>>> >then this ticket is NOT solved.
>>>
>>> So what do you propose? Rename ticket to contain version of tested AD? Or
>>> should we tell the user that although we have a fix that would work for him, it
>>> might not work for all AD versions, so we won't provide it?
>>
>>It would be nice to mention what we tested with in the commit message.
>>
>>>
>>> Can we ask our QA to test on all AD versions they can lay their hands on?
>>
>>Yes, I think we can test 2012 and 2008. Probably not worth testing 2003
>>anymore.
>>
>If you have access to such machines it would be good to test.
>I do not have licences :-(.
>
>We *might* check with samba AD.
>It needn't work therefore it should not be a blocker for this patch.
>But we had some samba AD specific crashes in the past which would be good to avoid.
>
>Or just check samba source code whether it has such string in code.
>
I checked the samba source code and it looks like there can be zeros before 775

libcli/util/werror.h:#define WERR_ACCOUNT_LOCKED_OUT W_ERROR(0x00000775)
source4/dsdb/tests/python/password_lockout.py: self.assertTrue('00000775' in msg)
source4/dsdb/tests/python/password_lockout.py: self.assertTrue('00000775' in msg)
source4/dsdb/tests/python/password_lockout.py: self.assertTrue('0000775' in msg)
source4/dsdb/tests/python/password_lockout.py: self.assertTrue('0000775' in msg)
source4/dsdb/tests/python/password_lockout.py: self.assertTrue('0000775' in msg)
source4/dsdb/tests/python/password_lockout.py: self.assertTrue('00000775' in msg)
source4/dsdb/tests/python/password_lockout.py: self.assertTrue('00000775' in msg)
source4/dsdb/tests/python/password_lockout.py: self.assertTrue('0000775' in msg)

Those are checks which test some samba behaviour:

source4/dsdb/samdb/ldb_modules/password_hash.c:
...
    if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
        ldb_asprintf_errstring(ldb,
                               "%08X: check_password: "
                               "Password change not permitted, account locked out!",
                               W_ERROR_V(WERR_ACCOUNT_LOCKED_OUT));
        return LDB_ERR_CONSTRAINT_VIOLATION;
    }
...

which as far as I can see are not related to error messages during bind.
I agree that we should test how Samba behaves here and which error
message is sent while trying to bind as a locked out user. But I think
it would be sufficient to open a ticket to test it and if Samba behaves
differently we might want to discuss with Samba upstream if this is
expected.
bye,
Sumit
>
> LS
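
The thread's concern, that the lockout code may appear as 775, 0000775 or 00000775 depending on the server, can be handled by comparing the numeric value of a whole token instead of searching for a fixed substring. The following is an added example, not code from SSSD, Samba or the patch under review; `diag_has_code` is a hypothetical helper, and the sample messages are constructed, with the bind-error form modelled on the commonly seen AD diagnostic text as an assumption.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Value of WERR_ACCOUNT_LOCKED_OUT from the Samba header quoted above. */
#define LOCKED_OUT_CODE 0x775UL

/* Hypothetical helper (not an SSSD or Samba function): returns true when msg
 * holds a stand-alone hex token whose value equals code. Leading zeros are
 * accepted; longer numbers that merely contain the digits are not. */
bool diag_has_code(const char *msg, unsigned long code)
{
    const char *p = msg;

    while (*p != '\0') {
        /* Skip separators, then consume one maximal alphanumeric token. */
        while (*p != '\0' && !isalnum((unsigned char)*p)) p++;
        const char *start = p;
        bool all_hex = true;
        for (; isalnum((unsigned char)*p); p++) {
            if (!isxdigit((unsigned char)*p)) all_hex = false;
        }
        size_t len = (size_t)(p - start);
        /* At most 8 hex digits, so strtoul() cannot overflow. */
        if (len == 0 || len > 8 || !all_hex) continue;
        if (strtoul(start, NULL, 16) == code) return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample messages, not captured from a real server. */
    const char *samples[] = {
        "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
        "00000775: check_password: Password change not permitted, account locked out!",
        "80090308: LdapErr: DSID-0C090775, comment: AcceptSecurityContext error, data 52e, v1db1",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%d  %s\n", diag_has_code(samples[i], LOCKED_OUT_CODE), samples[i]);
    }
    return 0;
}
```

The third sample is the case a plain substring search gets wrong: "775" occurs inside a longer hex identifier while the actual data code is a different one.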