Bug 13873 - Samba 4.10/Py3: samba-tool domain passwordsettings set --max-pwd-age cmd fails
Summary: Samba 4.10/Py3: samba-tool domain passwordsettings set --max-pwd-age cmd fails
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-31 20:28 UTC by Tim Beale
Modified: 2019-05-16 10:03 UTC (History)
2 users (show)

See Also:


Attachments
Fix for v4.10 (13.65 KB, patch)
2019-05-07 05:01 UTC, Tim Beale
abartlet: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Beale 2019-03-31 20:28:20 UTC
Can't set max-pwd-age (Maximum Password Age for the domain) using samba-tool.

As reported on list: 
https://lists.samba.org/archive/samba/2019-March/222100.html

samba-tool domain passwordsettings set --max-pwd-age=270
WARNING: The "server schannel" option is deprecated
ERROR(<class 'TypeError'>): uncaught exception - unorderable types: NoneType() >= int()
  File "bin/python/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "bin/python/samba/netcmd/domain.py", line 1514, in run
    if max_pwd_age and max_pwd_age > 0 and min_pwd_age >= max_pwd_age:

The problem is the command doesn't work using python3. Should be simple to fix. In the meantime, the workaround is to specify min-pwd-age as well as max-pwd-age. E.g.

samba-tool domain passwordsettings set --max-pwd-age=270 --min-pwd-age=default
WARNING: The "server schannel" option is deprecated
Minimum password age changed!
Maximum password age changed!
All changes applied successfully!
Comment 1 Louis 2019-05-06 08:47:41 UTC
Rowland reply on the matter the list. 

n Mon, 6 May 2019 08:57:35 +0200
"L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:

> Hai, 
> 
> Well, i think you found a bug here, i get exact the same. 
> But i found a workaround ;-) 
> 
> We need to verify it. Can someone test this on a source build also
> for this.
> 
> Try this for the error. 
> samba-tool domain passwordsettings show
> samba-tool domain passwordsettings set --max-pwd-age=90
> 
> That errors. 
> 
> And if you try this and set Min + Max age, then it works: 
> 
> kinit Administrator
> samba-tool domain passwordsettings set --max-pwd-age=90
> --min-pwd-age=1 -k yes Minimum password age changed!
> Maximum password age changed!
> All changes applied successfully!
> 
> If some people here can verify it, then we can put it in bugzilla. 
> 

Morning Louis,

It does appear to be a bug ;-)

If you run:

samba-tool domain passwordsettings --help

Amongst the output is this:

  --min-pwd-age=MIN_PWD_AGE
                        The minimum password age (<integer in days> |
                        default).  Default is 1.

Which seems to say, if you don't supply the minimum password age, '1'
will be used, BUT:

The code runs like this:

    def run(self, H=None, min_pwd_age=None,........


        if min_pwd_age is not None:
            if min_pwd_age == "default":
                min_pwd_age = 1
            else:
                min_pwd_age = int(min_pwd_age)

If you haven't supplied the minimum password age, the 'def' will set
it to 'None'.

This means that the code meant to set the minimum password age to '1'
is never run because 'min_pwd_age' is 'None'

I think the code should be:

        if min_pwd_age is None:
            if min_pwd_age == "default":
                min_pwd_age = 1
        else:
            min_pwd_age = int(min_pwd_age)

Rowland
Comment 2 Tim Beale 2019-05-07 04:59:30 UTC
(In reply to Louis from comment #1)
link to relevant mailing-list thread: https://lists.samba.org/archive/samba/2019-May/222911.html
Comment 3 Tim Beale 2019-05-07 05:01:08 UTC
Created attachment 15126 [details]
Fix for v4.10

Attached is the fix for back-porting to 4.10.
CI pass: https://gitlab.com/catalyst-samba/samba/pipelines/60043695
Comment 4 Karolin Seeger 2019-05-14 12:43:56 UTC
Pushed to autobuild-v4-10-test.
Comment 5 Karolin Seeger 2019-05-16 10:03:12 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to v4-10-test.
Closing out bug report.

Thanks!