[cifs-protocol] Meaning of ACB_PWNOTREQ / UF_PASSWD_NOTREQD

Sebastian Canevari Sebastian.Canevari at microsoft.com
Thu Sep 11 21:32:38 GMT 2008


3.1.1.7.1

General Password Policy

This policy is referenced from the dbcsPwd and unicodePwd triggers.

The following constraints MUST be satisfied; on error, the server MUST return a processing error. For more information on error codes, see section 3.1.5.

1.      Minimum Password Length Constraint: If all of the following conditions are true, the following constraint MUST be satisfied:
        1.      Conditions:
                1.      The userAccountControl attribute value contains UF_NORMAL_ACCOUNT.
                2.      The objectSid attribute value does not have the DOMAIN_USER_RID_KRBTGT value as the RID.
                3.      The userAccountControl attribute value does NOT contain UF_PASSWD_NOTREQD.
                4.      The Effective-MinimumPasswordLength attribute value (see section 3.1.1.5) is greater than 0.
                5.      The requesting protocol message is a password change (as compared to a password set).
        2.      Constraint:
                At least one of dbcsPwd or unicodePwd MUST be nonzero-length and equal to a value other than the hash of a zero-length string.

2.      Minimum Password Age Constraint: If all of the following conditions are true, the following constraint MUST be satisfied:

        1.      Conditions:
                1.      The userAccountControl attribute contains UF_NORMAL_ACCOUNT.
                2.      At least one of the dbcsPwd or unicodePwd attribute values is present and not equal to a hash value of a zero-length string.
        2.      Constraint:
                The pwdLastSet attribute MUST be less than the current time plus the value of the Effective-MinimumPasswordAge attribute (see section 3.1.1.5).

3.      Password History Length Constraint: If all of the following conditions are true, the following constraints MUST be satisfied:
        1.      Conditions:
                1.      The userAccountControl attribute contains UF_NORMAL_ACCOUNT.
                2.      objectSid does not have the DOMAIN_USER_RID_KRBTGT value as the RID.
                3.      userAccountControl does NOT contain UF_PASSWD_NOTREQD.
                4.      minPwdHistory on the account domain object is greater than 0.
                5.      The requesting protocol message is a password change (as compared to a password set).
        2.      Constraints:
                1.      If the unicodePwd attribute is being updated, the value of the unicodePwd MUST NOT be present in the first N hashes stored in the ntPwdHistory attribute value, where N is the value of the Effective-PasswordHistoryLength attribute (see section 3.1.1.5). For details on how ntPwdHistory is maintained, see section 3.1.1.9.1.
                2.      If the dbcsPwd attribute is being updated, the value of the dbcsPwd MUST NOT be present in the first N hashes stored in the lmPwdHistory attribute value, where N is the value of the Effective-PasswordHistoryLength attribute (see section 3.1.1.5). For details on how lmPwdHistory is maintained, see section 3.1.1.9.1.



Please let me know if I can be of further help.

Thanks!

Sebastian Canevari
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com

We're hiring

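The three constraints quoted above, as an added worked example in Python (editorial illustration, not Samba's or Windows' code): a checker that takes the account's userAccountControl, RID, pwdLastSet and hash histories, the domain's effective policy values, the hashes the request is writing and whether the request is a change or a set, and returns the constraints it violates. The account values, histories and timestamps are constructed; the UF_* bit values, the krbtgt RID and the NT/LM hashes of the empty password are the real ones. Two readings are assumptions: that the hashes referenced by the minimum-age condition are the values being written, and that Effective-MinimumPasswordAge carries AD's sign convention (minPwdAge is stored as a negative 100 ns interval), which makes "current time plus the minimum age" a point in the past.

```python
"""Evaluator for the three constraints of MS-SAMR 3.1.1.7.1 (General Password
Policy) as quoted in the reply above.  Added illustration; not Samba or Windows
code.  Hashes are opaque 16-byte values, so no MD4/DES is needed to run it."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# userAccountControl bits and the well-known RID named in the quoted conditions.
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
DOMAIN_USER_RID_KRBTGT = 502

# Hashes of the zero-length password (NT = MD4 of UTF-16LE "", LM of "").
EMPTY_NT_HASH = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")
EMPTY_LM_HASH = bytes.fromhex("aad3b435b51404eeaad3b435b51404ee")

ONE_HOUR = 36_000_000_000          # FILETIME units: 100 ns intervals
ONE_DAY = 24 * ONE_HOUR


@dataclass
class DomainPolicy:
    effective_min_pwd_length: int = 0
    # Assumption: AD's sign convention (minPwdAge is a negative interval).
    effective_min_pwd_age: int = 0
    effective_pwd_history_length: int = 0   # also stands in for the minPwdHistory > 0 condition


@dataclass
class Account:
    user_account_control: int
    rid: int
    pwd_last_set: int = 0
    nt_pwd_history: List[bytes] = field(default_factory=list)   # most recent first
    lm_pwd_history: List[bytes] = field(default_factory=list)


def _is_real_hash(h: Optional[bytes], empty: bytes) -> bool:
    """'present, nonzero-length and not the hash of a zero-length string'."""
    return h is not None and len(h) > 0 and h != empty


def check_general_password_policy(acct: Account, new_nt: Optional[bytes],
                                  new_lm: Optional[bytes], policy: DomainPolicy,
                                  now: int, is_change: bool) -> List[str]:
    """Return the names of the violated constraints; an empty list means the
    update passes.  new_nt/new_lm are the unicodePwd/dbcsPwd values being
    written (None = that attribute is not part of the request)."""
    normal = bool(acct.user_account_control & UF_NORMAL_ACCOUNT)
    pw_not_reqd = bool(acct.user_account_control & UF_PASSWD_NOTREQD)
    krbtgt = acct.rid == DOMAIN_USER_RID_KRBTGT
    nt_real = _is_real_hash(new_nt, EMPTY_NT_HASH)   # assumption: new values
    lm_real = _is_real_hash(new_lm, EMPTY_LM_HASH)
    # Conditions shared by the length and history constraints: the flag, the
    # krbtgt RID and a password *set* (as opposed to a change) all exempt the request.
    exempt = not normal or krbtgt or pw_not_reqd or not is_change
    violations: List[str] = []

    # 1. Minimum Password Length
    if not exempt and policy.effective_min_pwd_length > 0 and not (nt_real or lm_real):
        violations.append("MinimumPasswordLength")

    # 2. Minimum Password Age: its condition list does not mention the flag,
    #    so a UF_PASSWD_NOTREQD account is still subject to it.
    if normal and (nt_real or lm_real):
        if not acct.pwd_last_set < now + policy.effective_min_pwd_age:
            violations.append("MinimumPasswordAge")

    # 3. Password History Length: only the first N stored hashes count.
    n = policy.effective_pwd_history_length
    if not exempt and n > 0:
        if new_nt is not None and new_nt in acct.nt_pwd_history[:n]:
            violations.append("PasswordHistory(unicodePwd)")
        if new_lm is not None and new_lm in acct.lm_pwd_history[:n]:
            violations.append("PasswordHistory(dbcsPwd)")
    return violations


def evaluate_scenarios() -> Dict[str, List[str]]:
    """Constructed scenarios around the question in the thread: one domain
    policy applied to the same account with and without UF_PASSWD_NOTREQD."""
    policy = DomainPolicy(effective_min_pwd_length=7,
                          effective_min_pwd_age=-ONE_DAY,
                          effective_pwd_history_length=3)
    now = 30 * ONE_DAY
    old_hashes = [bytes([b]) * 16 for b in (0xAA, 0xBB, 0xCC, 0xDD)]  # constructed
    recent = dict(rid=1105, pwd_last_set=now - ONE_HOUR, nt_pwd_history=old_hashes)
    strict = Account(UF_NORMAL_ACCOUNT, **recent)
    lax = Account(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD, **recent)
    aged = Account(UF_NORMAL_ACCOUNT, rid=1105, pwd_last_set=now - 2 * ONE_DAY,
                   nt_pwd_history=old_hashes)
    chk = check_general_password_policy
    return {
        # Changing to an empty password: only the flag lets it through.
        "strict_empty_change": chk(strict, EMPTY_NT_HASH, None, policy, now, True),
        "lax_empty_change": chk(lax, EMPTY_NT_HASH, None, policy, now, True),
        # Reusing the newest old hash an hour after the last change: the flag
        # drops the history violation but not the age violation.
        "strict_reuse": chk(strict, old_hashes[0], None, policy, now, True),
        "lax_reuse": chk(lax, old_hashes[0], None, policy, now, True),
        # 4th history entry (outside N=3) after the minimum age has elapsed.
        "strict_old_enough": chk(aged, old_hashes[3], None, policy, now, True),
        # Administrative set, not a change: length and history are skipped.
        "strict_empty_set": chk(strict, EMPTY_NT_HASH, None, policy, now, False),
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name}: {result or 'allowed'}")
```

Run over the constructed scenarios, the same empty-password change is rejected for MinimumPasswordLength on a plain UF_NORMAL_ACCOUNT and accepted once UF_PASSWD_NOTREQD is set, the flagged account still trips MinimumPasswordAge when it reuses a hash too soon, and a password set rather than a change bypasses the length and history constraints for either account. That is the behaviour a migration from a Windows domain has to reproduce for flagged accounts.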

-----Original Message-----
From: cifs-protocol-bounces+sebastc=microsoft.com at cifs.org [mailto:cifs-protocol-bounces+sebastc=microsoft.com at cifs.org] On Behalf Of Andrew Bartlett
Sent: Thursday, September 04, 2008 10:13 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: [cifs-protocol] Meaning of ACB_PWNOTREQ / UF_PASSWD_NOTREQD

In Samba4, we map the userAccountControl flag UF_PASSWD_NOTREQD to the SAMR flag ACB_PWNOTREQ, and we use this to indicate 'no password (or any password) required for this account'.

That is, when this flag is set, and NULL passwords are permitted (as a global setting 'null passwords = yes' in the smb.conf), we allow any password to operate/log in to the marked account.

However, I'm not sure if this is the meaning Microsoft assigns to this flag.  Could you please clarify AD's behaviour in the situation where this flag is set on a user account?

If this is not the correct way to handle 'no password required for logon', is there another way to indicate this?

Thanks,

(I want to get this right, or else migrations from Windows domains might open a security hole)

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
