--with-cracklib for Samba

Pierre Belanger pbelang1 at oss.cantel.rogers.com
Thu Jan 16 19:45:01 GMT 2003


Hi,

I need "expert" comments on the following, it's "kind of"
related to "cracklib". I could dig another 3 hours in the
code but I prefer to keep that 3 hours for cracklib ;-)

- rpc_server/srv_samr_nt.c line ~ 2836 & line ~ 2898 :

   /* update the UNIX password */
   if (lp_unix_password_sync() ) {
     if(!chgpasswd(pdb_get_username(pwd), "",
       plaintext_buf, True)) {
         pdb_free_sam(&pwd);
         return False;
       }
     }
   ZERO_STRUCT(plaintext_buf);

   if(!pdb_update_sam_account(pwd)) {
     pdb_free_sam(&pwd);
     return False;
   }


   [Q] can't we use change_oem_password()?


   From smbd/chgpasswd.c line ~ 986. The only big
   difference is the IS_SAM_UNIX_USER plus the
   "become_root()" before calling pdb_update_sam_account().
   [ My previous words are what I'd need to dig into... ]

   if(lp_unix_password_sync() && IS_SAM_UNIX_USER(hnd)
     && !chgpasswd(pdb_get_username(hnd),
     old_passwd, new_passwd, False)) {
           return NT_STATUS_ACCESS_DENIED;
   }

   if (!pdb_set_plaintext_passwd (hnd, new_passwd)) {
           return NT_STATUS_ACCESS_DENIED;
   }

   /* Now write it into the file. */
   become_root();
   ret = pdb_update_sam_account (hnd);
   unbecome_root();

If we can use change_oem_password() in
   rpc_server/srv_samr_nt.c
then I guess we can also remove the following from
smbd/chgpasswd.c ~ line 492 in chgpasswd() since we
already check for this in change_oem_password() :

   /* Take the passed information and test it for minimum criteria */
   /* Minimum password length */
   if (strlen(newpass) < lp_min_passwd_length()) {
         /* too short, must be at least MINPASSWDLENGTH */
     DEBUG(0, ("Password Change: user %s, New password is shorter "
                "than minimum password length = %d\n",
                name, lp_min_passwd_length()));
     return (False); /* inform the user */
   }


If we can't use it, is it because we want to skip the
account_policy_get() in change_oem_password()? I'd also
like to move from smbd/chgpasswd.c line 501 in chgpasswd()

         /* Password is same as old password */
         if (strcmp(oldpass, newpass) == 0) {

to change_oem_password, so all "check / policy to change
passwords would call from the same place".

I hope I was clear enough, "excuse my French!!". No need
to answer me today on this.

Thank you very much,
Pierre B.
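
[Added example, not part of the original message and not Samba code.] A stand-alone sketch of the "all checks called from the same place" idea raised above: one policy gate shared by a user-initiated change and an administrative set. All names (check_new_password, pw_policy, the result codes, sample_hook) are hypothetical, and min_length stands in for lp_min_passwd_length(). It shows the case where the caller has no old password (the SAMR path passes ""), so the same-as-old test has to be skipped rather than compared against an empty string.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes; not Samba's NTSTATUS values. */
enum pw_policy_result { PW_OK = 0, PW_TOO_SHORT, PW_SAME_AS_OLD, PW_REJECTED_BY_HOOK };

/* Optional strength hook (e.g. a cracklib wrapper); returns non-zero to reject. */
typedef int (*pw_strength_hook)(const char *newpass);

struct pw_policy {
    size_t min_length;      /* stands in for lp_min_passwd_length() */
    pw_strength_hook hook;  /* NULL when no external checker is configured */
};

/*
 * Single policy gate. oldpass may be NULL or "" when the caller does not
 * know the old password (an administrative set); the same-as-old test is
 * then skipped instead of comparing against an empty string.
 */
enum pw_policy_result check_new_password(const struct pw_policy *pol,
                                         const char *oldpass,
                                         const char *newpass)
{
    if (newpass == NULL || strlen(newpass) < pol->min_length)
        return PW_TOO_SHORT;
    if (oldpass != NULL && oldpass[0] != '\0' && strcmp(oldpass, newpass) == 0)
        return PW_SAME_AS_OLD;
    if (pol->hook != NULL && pol->hook(newpass) != 0)
        return PW_REJECTED_BY_HOOK;
    return PW_OK;
}

/* Constructed stand-in for a dictionary check: rejects one sample word. */
int sample_hook(const char *newpass)
{
    return strcmp(newpass, "password") == 0;
}

/* Entry point 1: user-initiated change, old password known. */
enum pw_policy_result user_change(const struct pw_policy *pol,
                                  const char *oldpass, const char *newpass)
{
    return check_new_password(pol, oldpass, newpass);
}

/* Entry point 2: administrative set, old password unknown. */
enum pw_policy_result admin_set(const struct pw_policy *pol, const char *newpass)
{
    return check_new_password(pol, NULL, newpass);
}
```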



