[Samba] LDAP Extended attributes and dsheuristics

Rowland Penny rpenny at samba.org
Fri Jun 2 08:43:34 UTC 2023



On 30/05/2023 20:04, Andrew Bartlett via samba wrote:
> On Tue, 2023-05-30 at 11:23 -0400, Ben Curtis via samba wrote:
>> Hi all,
>>
>> I can only find posts about extended attributes from ~10 years ago,
>> so
>> I figured I'd ask this here. I get the following error when trying to
>> change passwords on my Samba 4.7 AD via LDAP:
>>
>> ```
>> ldap_exop_passwd(): Passwd modify extended operation failed: Extended
>> Operation(1.3.6.1.4.1.4203.1.11.1) not supported
>> ```
>>
>> Is this feature (1.3.6.1.4.1.4203.1.11.1) still not supported?
> 
> This feature has never been seen on Active Directory DCs, and Samba has
> not had a patch for this contributed.
> 
> We would welcome such a feature, but note it would need to be quite
> carefully implemented and tested to ensure it honours all the
> appropriate ACLs.
> 

I have finally had the chance to further investigate this OID, which led me 
to RFC 3062, which appears to date from 2001 and in its contents quite 
clearly states:

The operation itself does not provide any security protection to ensure 
integrity and/or confidentiality of the information.  Use of this 
operation is strongly discouraged when privacy protections are not in 
place to guarantee confidentiality and may result in the disclosure of 
the password to unauthorized parties.

I can find nothing that says that Microsoft uses this OID.

Bearing all this in mind, if anyone proposes a patch to add this 
OID, when there are much more secure ways of changing a user's password, 
I will not accept it.

I accept that Samba has to work with Unix, but not when it isn't safe.

Rowland
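Added example, not part of this thread and not Samba project code: a small
stdlib-only Python helper showing the two things a practitioner wants before
scripting password changes against a Samba AD DC, given the discussion above.
First, check whether the DC actually advertises the RFC 3062 password-modify
extended operation in the rootDSE supportedExtension attribute instead of
discovering it from the error in the original post; second, build the
AD-native change instead, which modifies the unicodePwd attribute (the new
password wrapped in double quotes and encoded as UTF-16LE) and which AD and
Samba AD only accept over an encrypted connection. The rootDSE dict below is
constructed for the example, not captured from a DC, and the change is
returned as a plain list of modify operations so the block runs offline; the
caller would send it with whatever LDAP library they use.

```python
"""Check rootDSE for RFC 3062 support and build an AD-native unicodePwd change.

Constructed example. The rootDSE sample is made up; the only OIDs used are the
RFC 3062 password-modify exop and the RFC 4511 StartTLS exop.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 Password Modify
START_TLS_OID = "1.3.6.1.4.1.1466.20037"        # RFC 4511 StartTLS


def supports_extension(rootdse, oid):
    """True if the rootDSE (dict of attribute -> list of values, as returned by
    a base-scope search on "") advertises `oid` in supportedExtension."""
    return oid in rootdse.get("supportedExtension", [])


def encode_unicode_pwd(password):
    """AD and Samba AD take the password in unicodePwd as the UTF-16LE encoding
    of the password wrapped in double quotes. Forgetting the quotes or using
    UTF-8 is the classic mistake and yields an unwillingToPerform result."""
    return f'"{password}"'.encode("utf-16-le")


def build_password_change(dn, old_password, new_password):
    """Self-service change: one modify request carrying a delete of the old
    value and an add of the new one, which lets the DC verify the old
    password. Returns (dn, [(op, attribute, [values]), ...])."""
    return dn, [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def build_password_reset(dn, new_password):
    """Administrative reset: a single replace, no old password needed, so the
    caller must hold the reset-password right on the target object."""
    return dn, [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def plan_password_change(rootdse, connection_is_encrypted, dn, old_pw, new_pw):
    """Decide how to change a password on this DC.

    Refuses to proceed over a cleartext connection, which matches both the
    RFC 3062 warning quoted in the thread and the behaviour of AD/Samba AD,
    which reject unicodePwd modifications that are not protected by TLS or
    by a signed and sealed bind.
    """
    if not connection_is_encrypted:
        raise RuntimeError("refusing to send a password over a cleartext LDAP connection")
    if supports_extension(rootdse, PASSWD_MODIFY_OID):
        # Not expected on an AD DC; reported so the caller can choose.
        return ("rfc3062-exop", dn)
    return ("unicodePwd-modify",) + build_password_change(dn, old_pw, new_pw)


# Constructed rootDSE for a DC that advertises StartTLS but not RFC 3062.
SAMPLE_ROOTDSE = {
    "supportedExtension": [START_TLS_OID],
}

if __name__ == "__main__":
    print("RFC 3062 advertised:", supports_extension(SAMPLE_ROOTDSE, PASSWD_MODIFY_OID))
    method, dn, changes = plan_password_change(
        SAMPLE_ROOTDSE, True, "CN=bcurtis,CN=Users,DC=example,DC=com", "OldPw1!", "NewPw2!"
    )
    print(method, dn)
    for op, attr, values in changes:
        print(" ", op, attr, values[0])
```

The DN, the passwords and the rootDSE contents are placeholders. Against a
real DC you would fetch the rootDSE with a base-scope search on the empty DN
(ldapsearch -s base -b "" supportedExtension) and send the returned modify
over ldaps:// or after StartTLS.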
