[cifs-protocol] RE: Meaning of ACB_PWNOTREQ / UF_PASSWD_NOTREQD

[Bill Wesse]

Good morning Andrew. Thanks for your question. I have created the below case for you on this matter; one of my colleagues or I will take ownership of this and contact you shortly.

SRX080905600018 [MS-ADTS] 2.2.15 ADS_UF_PASSWD_NOTREQD semantics

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, September 04, 2008 11:13 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Meaning of ACB_PWNOTREQ / UF_PASSWD_NOTREQD

In Samba4, we map the userAccountControl flag UF_PASSWD_NOTREQD to the SAMR flag ACB_PWNOTREQ, and we use this to indicate 'no password (or any
password) required for this account'.

That is, when this flag is set, and NULL passwords are permitted (as a global setting 'null passwords = yes' in the smb.conf), we allow any password to operate/log in to the marked account.

However, I'm not sure if this is the meaning Microsoft assigns to this flag.  Could you please clarify AD's behaviour in the situation where this flag is set on an user account?

If this is not the correct way to handle 'no password required for logon', Is there another way to indicate this?

Thanks,

(I want to get this right, or else migrations from Windows domains might open a security hole)

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.