Bug 12235 - samba-tool domain provision: Validate password
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.5.0rc3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks: 11924
Reported: 2016-09-03 22:44 UTC by Marc Muehlfeld
Modified: 2016-09-06 14:20 UTC

Description Marc Muehlfeld 2016-09-03 22:44:32 UTC
Description:
During the provision of a domain, the password length and complexity are checked too late and the setup fails if the rules do not match. The user has to start the process again.




Steps to reproduce:
1. Provision a new domain
   # samba-tool domain provision --use-rfc2307 --interactive
2. During the setup, enter a password that does not match the complexity rules.
   For example: "test" (too short) or "password" (not complex).



Actual results:
samba-tool starts the provisioning process and fails later:

Realm [SAMDOM.EXAMPLE.COM]: 
 Domain [SAMDOM]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: 
 DNS forwarder IP address (write 'none' to disable forwarding) [10.99.0.1]: 
Administrator password: test
Retype password: test
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=samdom,DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - 0000052D: Constraint violation - check_password_restrictions: the password is too short. It should be equal or longer than 7 characters!
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 461, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)


or

...
Administrator password: password
Retype password: password
...
ERROR(ldb): uncaught exception - 0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!





Expected results:
samba-tool should test the length and complexity rules directly after the user enters the password. If it does not pass, an error should be printed and the user asked again. For example:

Administrator password: test
Retype password: test
ERROR: The password is too short. It must be equal or longer than 7 characters!
Administrator password: password
Retype password: password
ERROR: The password does not meet the complexity criteria!
...
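
An added sketch of the prompt behaviour requested above; it is not part of the original report and is not Samba's code. The function names are hypothetical, the minimum length of 7 is taken from the error message in the report, and the complexity rule (at least three of four character classes) is an assumed approximation of the AD rule.

```python
import getpass

MIN_PASSWORD_LENGTH = 7  # value taken from the error message in this report


def password_policy_error(password, min_length=MIN_PASSWORD_LENGTH):
    """Return an error string, or None if the password is acceptable.

    Assumption: "complex" means at least three of the four classes
    upper case, lower case, digit, other (an approximation of the AD rule).
    """
    if len(password) < min_length:
        return ("The password is too short. It must be equal or longer "
                "than %d characters!" % min_length)
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        return "The password does not meet the complexity criteria!"
    return None


def ask_admin_password(read=getpass.getpass, report=print, max_tries=5):
    """Prompt until a matching, policy-compliant password is entered.

    `read` and `report` are injectable so the loop can run without a TTY.
    Nothing is written to any database before this function returns.
    """
    for _ in range(max_tries):
        password = read("Administrator password: ")
        if password != read("Retype password: "):
            report("ERROR: Sorry, passwords do not match.")
            continue
        error = password_policy_error(password)
        if error is None:
            return password
        report("ERROR: " + error)
    raise ValueError("no acceptable password after %d attempts" % max_tries)
```

Running the check before any database setup means a rejected password costs one re-prompt instead of a failed, half-written provision.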