[Patch] myldap-pub.py

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Fri Aug 20 07:59:52 MDT 2010


Hi Matthias,
On 08/20/2010 06:55 AM, Matthias Dieter Wallnöfer wrote:
> Lukasz,
>
> Lukasz Zalewski wrote:
>> Hi Matthias
>> On 8/19/2010 7:12 PM, Matthias Dieter Wallnöfer wrote:
>>> Hi Lukasz,
>>>
>>> Lukasz Zalewski wrote:
>>>> I have noticed that when NTpassword is missing the new unicodePwd
>>>> element is set to None. However the account is not disabled, but it
>>>> does not have the empty password either. So does ldbadd process
>>>> generate some random password value if that attribute is missing?
>>>> Should the account be disabled during the import if password
>>>> information is missing?
>>> do you speak from s4 or s3? On s4 I've implemented some restriction that
>>> you can't end without a password on a password set or change. Code taken
>>> from "password_hash.c":
>>>> 1901 /* refuse the change if someone tries to set/change the
>>>> password by
>>>> 1902 * the lanman hash alone and we've deactivated that mechanism. This
>>>> 1903 * would end in an account without any password! */
>>>> 1904 if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
>>>> 1905 && (!io->n.nt_hash) && (!io->n.lm_hash)) {
>>>> 1906 ldb_asprintf_errstring(ldb,
>>>> 1907 "setup_io: "
>>>> 1908 "The password change/set operations performed using the LAN
>>>> Manager hash alone are deactivated!");
>>>> 1909 return LDB_ERR_UNWILLING_TO_PERFORM;
>>>> 1910 }
>>> If you have the lanman auth mechanism active and you provide only the
>>> lanman hash you are fine without restriction.
>> The ldif was extracted from s3 (using myldap-pub.py) and imported into
>> s4 using (according to metze's recipe):
>> $targetdir/bin/ldbadd -H $targetdir/private/sam.ldb --nosync --verbose
>> --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0
>> --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 myldif.ldif
>>
>> The account information included in the ldif did not contain either LM
>> or NT password and it was successfully imported into s4 (it did
>> contain a foreign domain sid, but I suspect that should not have any
>> impact).
> Yes - but this is possible. You can import an account without any
> password set - it is the same as if you create an account over LDAP
> using the "user" objectClass and don't fill in any password attributes.
> You are not allowed to do anything with it unless you specify a password
> using an administrative password set mechanism.
Yup, the account is non-functional, but what confused me was it didn't 
have the disabled account flag set. So my question is: shall the script 
explicitly set the disabled flag if no hashes are present (or no NT hash is 
present), or shall we leave it as it is?
> Exports and imports using password attributes are normally only possible
> using plaintext passwords on s4 - unless you use metze's new mechanism
> for skipping the "password_hash" module. Ask him if you prefer that one.
The script is intended to import hashes, rather than plain text pwds (or 
no passwords), so I believe metze's way is the only way ;)
>
> Matthias
>
>

Luk


More information about the samba-technical mailing list