netcmd: Fix passwordsettings --max-pwd-age command

The min_pwd_age and max_pwd_age parameters are both optional and default
to None. However, if we just set the max-pwd-age, then the check
'min_pwd_age >= max_pwd_age' will throw a Python exception because it's
trying to compare an int to NoneType (min_pwd_age). This works on Python 2
but is a problem on Python 3.

We could just add a check that min_pwd_age is not None, but that defeats
the point of having the check if you're only setting either the min or
max age indepedently.

This patch gets the current min/max password age from the DB (in ticks).
If either setting is changed, the ticks will be updated. Then at the end
we check the min is still less than the max (to do this, we convert the
ticks back to days in the interests of readability).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Apr  5 08:03:08 UTC 2019 on sn-devel-144

diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 2477030b61f3e30e9816a29b4a6ef3ebe64bf06d..b616dba3438697661dcc09e277c0378d5e75eb23 100644 (file)
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -1398,6 +1398,10 @@ class cmd_domain_passwordsettings_set(Command):
         m.dn = ldb.Dn(samdb, domain_dn)
         pwd_props = int(samdb.get_pwdProperties())
 
+        # get the current password age settings
+        max_pwd_age_ticks = samdb.get_maxPwdAge()
+        min_pwd_age_ticks = samdb.get_minPwdAge()
+
         if complexity is not None:
             if complexity == "on" or complexity == "default":
                 pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
@@ -1527,8 +1531,14 @@ class cmd_domain_passwordsettings_set(Command):
                                                                ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
             msgs.append("Duration to reset account lockout after changed!")
 
-        if max_pwd_age and max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
-            raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
+        if max_pwd_age or min_pwd_age:
+            # If we're setting either min or max password, make sure the max is
+            # still greater overall. As either setting could be None, we use the
+            # ticks here (which are always set) and work backwards.
+            max_pwd_age = timestamp_to_days(max_pwd_age_ticks)
+            min_pwd_age = timestamp_to_days(min_pwd_age_ticks)
+            if max_pwd_age != 0 and min_pwd_age >= max_pwd_age:
+                raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
 
         if len(m) == 0:
             raise CommandError("You must specify at least one option to set. Try --help")

diff --git a/selftest/knownfail.d/passwordsettings b/selftest/knownfail.d/passwordsettings
deleted file mode 100644 (file)
index 8e94cef..0000000
--- a/selftest/knownfail.d/passwordsettings
+++ /dev/null
@@ -1 +0,0 @@
-samba.tests.samba_tool.passwordsettings.samba.tests.samba_tool.passwordsettings.PwdSettingsCmdTestCase.test_domain_passwordsettings_pwdage\(ad_dc_default:local\)