Web lists-archives.com

Re: [Samba] samba-tool max-pwd-age error




On Tue, 7 May 2019 17:06:24 +1200
Tim Beale <timbeale@xxxxxxxxxxxxxxx> wrote:

> Apologies, this bug fell through the cracks and the fix never got
> backported to 4.10. I've uploaded the backport to the bug now, it just
> needs a review signoff.
> 
> To recap, it was introduced as a side-effect of switching to Python 3.
> The old code never worked as intended on Python 2, but on Python 3 it
> now throws an exception.
> 
> Rowland, the code in master is correct, as far as I can tell.
> Unfortunately the code is complicated by the fact the tool is trying
> to support changing 9 different settings independently of each other.
> The parameters default to None so that the tool can tell whether or
> not the user specified a given parameter. E.g. if you wanted to
> change the min-pwd-age to 14 days, then later wanted to change the
> account-lockout-duration to 60 minutes, you don't want running the 2nd
> command to reset the min-pwd-age back to the default.
> 

Sorry Tim, but I do not agree ;-)

If you do not supply the minimum password age, then the 'def' sets
'min_pwd_age' to 'None', the code then goes to this:

        if min_pwd_age is not None:
            if min_pwd_age == "default":
                min_pwd_age = 1
            else:
                min_pwd_age = int(min_pwd_age)

It checks if 'min_pwd_age' is supplied (not None) and does something
if it is, though now I look at that code, it depends on the user
supplying either 'default' or a number, there is nothing to check that
what is supplied is valid.
The user could supply anything, what does 'int(anything)' give you ?

If 'min_pwd_age' is 'None', the code above will NOT be run.

I initially supplied what I thought was the fix, but I got that wrong,
it should be:

        if min_pwd_age is None:
            min_pwd_age = 1
        else:
             # put code here to check for valid input
             min_pwd_age = int(min_pwd_age)

As far as I can see, the problem stems from when 'samba-tool domain
passwordsettings' was split up, before this happening, if you didn't
supply something, it was obtained from AD, this meant that
'min_pwd_age' was NEVER 'None'

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba