samba.git/source4/dsdb/tests/python/password_settings.py, branch master Unnamed repository; edit this file 'description' to name the repository. dsdb:password_hash: reject password reset with UNWILLING_TO_PERFORM 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2026-01-11T09:31:04+00:00 49001e81589e8b5e4437b45f25622b07eecc95a5 This is what Windows does: where a password change would cause CONSTRAINT_VIOLATION, a reset causes UNWILLING_TO_PERFORM. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
This is what Windows does: where a password change would cause
CONSTRAINT_VIOLATION, a reset causes UNWILLING_TO_PERFORM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
s4:dsdb:tests: Fix assertion messages 2023-10-13T03:50:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-02T01:25:52+00:00 bb77f36f49c7866f8353b68129202a1e7793bc14 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dsdb:tests: Fix code spelling 2023-08-03T14:31:34+00:00 Andreas Schneider asn@samba.org 2023-08-02T08:44:32+00:00 b29793ffdee5d9b9c1c05830622e80f7faec7670 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 dsdb: Allow password history and password changes without an NT hash 2022-06-26T22:10:29+00:00 Andrew Bartlett abartlet@samba.org 2022-01-31T01:08:13+00:00 d2a473a7b7471937d1098a11258b875134ad702a We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead which allows us to decouple Samba from the unsalted NT hash for organisations that are willing to take this step (for user accounts). (History checking is limited to the last three passwords only, as ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4 package only stores three sets of keys.) Since we don't store a salt per-key, but only a single salt, the check will fail for a previous password if the account was renamed prior to a newer password being set. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead
which allows us to decouple Samba from the unsalted NT hash for
organisations that are willing to take this step (for user accounts).

(History checking is limited to the last three passwords only, as
ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4
package only stores three sets of keys.)

Since we don't store a salt per-key, but only a single salt, the check
will fail for a previous password if the account was renamed prior to a
newer password being set.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied() 2021-11-09T19:45:32+00:00 Andrew Bartlett abartlet@samba.org 2021-09-20T02:54:03+00:00 63eb24f0925f0a3d117fc5eb2dc728a5af121f6a This allows future patches to restrict changing the account type without triggering an error. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
This allows future patches to restrict changing the account type
without triggering an error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
pytests: heed assertEquals deprecation warning en-masse 2020-02-07T10:37:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2020-02-06T22:02:38+00:00 c247afbda00013bf4821e5a2d4f3166bf31814f0 TestCase.assertEquals() is an alias for TestCase.assertEqual() and has been deprecated since Python 2.7. When we run our tests with in python developer mode (`PYTHONDEVMODE=1 make test`) we get 580 DeprecationWarnings about this. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org> 
TestCase.assertEquals() is an alias for TestCase.assertEqual() and
has been deprecated since Python 2.7.

When we run our tests with in python developer mode (`PYTHONDEVMODE=1
make test`) we get 580 DeprecationWarnings about this.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
PY3: change shebang to python3 in source4/dsdb dir 2018-12-14T13:40:20+00:00 Joe Guo joeg@catalyst.net.nz 2018-12-12T00:40:43+00:00 8e3c194453f206152b40fa7a5efb1436b13424e9 Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org> 
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
python tests: fix format() strings for Python 2.6 2018-09-21T18:04:23+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2018-09-21T01:22:56+00:00 198bcfbac3985e38a705b101d79713831172a64c Python 2.6 wants "{0}".format(x), not "{}".format(x). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Python 2.6 wants "{0}".format(x), not "{}".format(x).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Refactor for PEP8 warning E501 line too long 2018-08-17T00:58:28+00:00 Tim Beale timbeale@catalyst.net.nz 2018-07-27T03:27:09+00:00 60b4a1be063888ddac0f484158517aa10b219b5a Add a wrapper function to avoid long lines. This also helps a little to manage/contain the complexity of the code. Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
Add a wrapper function to avoid long lines. This also helps
a little to manage/contain the complexity of the code.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fix PEP8 warning E501 line too long 2018-08-17T00:58:28+00:00 Tim Beale timbeale@catalyst.net.nz 2018-07-27T02:34:16+00:00 68f8a1c2747fd51a633b34dc4301b1f6acae5de6 Mostly involves splitting up long strings or comments so that they span multiple lines. Some place-holder variables have been added in a few places to avoid exceeding 80 chars. Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
Mostly involves splitting up long strings or comments so that they
span multiple lines. Some place-holder variables have been added in a
few places to avoid exceeding 80 chars.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>