[cifs-protocol] Need some clarification on the User-Change-Password access rights

Josh Curry Josh.Curry at microsoft.com
Wed Jun 30 09:44:27 MDT 2010

Hi Nadya, thank you for your e-mail. A member of the protocol documentation team will be in touch with you soon.

Josh R. Curry
Sr. Support Escalation Engineer | Microsoft

From: didrash at gmail.com [mailto:didrash at gmail.com] On Behalf Of Nadezhda Ivanova
Sent: Wednesday, June 30, 2010 6:31 AM
To: Interoperability Documentation Help; cifs-protocol at samba.org
Subject: Need some clarification on the User-Change-Password access rights

I am currently working on enforcing the User-Change-Password control access right on password change operations in Samba 4, and there are a few things that puzzle me, perhaps you could help. I am testing agains a Win2008 server, domain and forest functional levels are 2008.

The user object class has the following ACE in the defaultSecurityDescriptor:
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD), OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
I created a user and removed these two for the purposes of negative testing. However, when I performed a password change operation(delete and add of unicodePwd), I got CONSTRAINT_VIOLATION error rather than INSUFFICIENT_ACCESS_RIGHTS. I granted the user write property access, but the result was the same.
Alternatively, a user to whom I explicitly denied WP access was able to change their password if they have User-Change-Password.
So my question is:
Is the write access to unicodePwd controlled only by User-Change-Password, and WP is disregarded in this case?
Why is the error returned CONSTRAINT_VIOLATION?

Also, given that by default we this control access right is granted to EVERYONE, this means that the actual line of defence is the changer knowing the original password. If they know the password, it does not matter which account changes the user's password, which makes sense. However, in this case, why bother with checking User-Change-Password at all? It appears that its purpose is to allow a user (or any account for that matter) to change the password even if they do not have WP access on themselves, am I correct?

Best Regards,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20100630/fa20be14/attachment.html>

More information about the cifs-protocol mailing list