s4 password changes

Matthias Dieter Wallnöfer mdw at samba.org
Tue Aug 17 11:39:26 MDT 2010


Hi abartlet,

I switched back to a password change operation for the two NETLOGON RPCs 
and performed the merge afterwards.

I hope you are fine with this.

Matthias

Andrew Bartlett wrote:
> On Tue, 2010-08-17 at 08:19 +0200, Stefan (metze) Metzmacher wrote:
>    
>> Hi Nadya,
>>
>>      
>>> Here is the wip branch:
>>> http://gitweb.samba.org/?p=nivanova/samba.git;a=shortlog;h=refs/heads/aclsearch
>>>
>>> I started by denying access to anonymous depending on dSHeuristics. The
>>> tests that I wrote to ensure this is correct are passing, but a lot of other
>>> things broke, such as samr tests, lsa, secure channel, ldb tests, because
>>> they were no longer able to read necessary data from the database. I will
>>> send more details later.
>>>        
>> I have some comments regarding:
>> s4-samr: Adapted SAMR calls to use system session, with access check for
>> administrator
>>
>> Please implement the SAMR access checks correctly, by having an
>> allowed_access mask on the policy handles, and then only check for the
>> needed access bits in each operation.
>>
>> For now I'm fine if we give admins full access and others only read access,
>> but that should be decided at the time we create a policy handle and not
>> on each operation.
>>      
> My comment is regarding the change to the NetLogon password/set change
> operations.  I don't like that something is changed 'because I can't see
> why abartlet did this'.
>
> I'm sorry if I don't include every detail in every commit message, but
> instead I suggest you ask me, with tests that show that this change is
> required.
>
> In this case, the password change code had been adjusted to separate the
> concepts of 'password quality check must be passed' from 'this is a
> user-initiated password change'.  If you have proof that this is not
> considered a user-initiated password change, then please show me the
> tests.
>
> Thanks,
>
>    
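
Added example (not part of the original thread, and not Samba's code): the policy-handle scheme metze describes in the quoted text, where the allowed access mask is fixed when the handle is opened and each operation only checks the bits it needs. All `ex_`/`EX_` names and bit values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical access bits and status codes, constructed for this example. */
#define EX_ACCESS_READ  0x1u
#define EX_ACCESS_WRITE 0x2u
#define EX_ACCESS_ALL   (EX_ACCESS_READ | EX_ACCESS_WRITE)
enum ex_status { EX_OK = 0, EX_ACCESS_DENIED = 1 };

/* State behind a policy handle: the mask is fixed when the handle is opened. */
struct ex_policy_handle {
	uint32_t allowed_access;
};

/* Open: decide once what this caller may have, and refuse requests for more. */
enum ex_status ex_open_handle(bool is_admin, uint32_t desired_access,
			      struct ex_policy_handle *h)
{
	uint32_t permitted = is_admin ? EX_ACCESS_ALL : EX_ACCESS_READ;

	if ((desired_access & ~permitted) != 0) {
		return EX_ACCESS_DENIED;
	}
	h->allowed_access = desired_access;
	return EX_OK;
}

/* Per-operation check: compares only the needed bits against the handle's mask. */
static enum ex_status ex_require(const struct ex_policy_handle *h, uint32_t needed)
{
	return ((h->allowed_access & needed) == needed) ? EX_OK : EX_ACCESS_DENIED;
}

/* Operations name the bits they need; none of them looks at who the caller is. */
enum ex_status ex_query_info(const struct ex_policy_handle *h) { return ex_require(h, EX_ACCESS_READ); }
enum ex_status ex_set_info(const struct ex_policy_handle *h) { return ex_require(h, EX_ACCESS_WRITE); }

int main(void)
{
	struct ex_policy_handle h = { 0 };

	/* A non-admin asking for write access is refused at open time. */
	printf("non-admin open for all: %d\n", ex_open_handle(false, EX_ACCESS_ALL, &h));
	if (ex_open_handle(false, EX_ACCESS_READ, &h) == EX_OK) {
		printf("query: %d, set: %d\n", ex_query_info(&h), ex_set_info(&h));
	}
	return 0;
}
```

An admin who opens a handle with only the read bit is also refused by `ex_set_info`, because the decision lives on the handle rather than in each call.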


